This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, core169 has been created at 8000bc0a4375ee7afdc1d56023681b8ac9502c3d (commit)
- Log -----------------------------------------------------------------
commit 8000bc0a4375ee7afdc1d56023681b8ac9502c3d Author: Peter Müller peter.mueller@ipfire.org Date: Wed Jun 29 20:28:38 2022 +0000
Core Update 169: Drop entropy.cgi
Since the kernel now always reports 256 bits of entropy to be available, this CGI does not show any useful information anymore. To avoid confusion, it will hereby be removed entirely.
Fixes: #12893 Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit b55842c26a94e9ff42d4f9010bdfcc51cd311dea Author: Peter Müller peter.mueller@ipfire.org Date: Wed Jun 29 20:13:11 2022 +0000
Core Update 169: Delete "random" initscript
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 255873a5f9a564036092a20e4bec7f4965cbd149 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Jun 29 18:32:17 2022 +0000
random: Drop busy-loop script
This is no longer required because the kernel will now try to generate some randomness in an easier way when needed.
This has been added in: b923dd3de0acbf415cee193191250347b733fab8
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 5086ed681da4784474f0f71aaa70ec1d4940897c Author: Peter Müller peter.mueller@ipfire.org Date: Wed Jun 29 19:43:08 2022 +0000
sysctl: Permit ptrace usage for processes with CAP_SYS_PTRACE
https://lists.ipfire.org/pipermail/development/2022-June/013763.html
Reported-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 2fcfe2e1f339c868b5800b61433c803023686371 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Jun 29 18:34:01 2022 +0000
core169: Add initramdisks for armv6l, too
Looks like I have been ahead of time.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 636cf631c925a1492ad49edbc69e5dac32927eda Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Jun 29 18:11:26 2022 +0000
core169: Ship initramdisks
Those were not part of the update which renders any machine that installs it unbootable.
Fixes: #12892 Reported-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 5991f392827b3f50958a97b20b50767033276165 Author: Peter Müller peter.mueller@ipfire.org Date: Mon Jun 27 17:30:47 2022 +0000
linux: Update rootfiles to reflect /dev mount option change
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit f5117ab51d8ebb5325b3d6cbae8764b88ae917cb Author: Peter Müller peter.mueller@ipfire.org Date: Mon Jun 27 11:02:32 2022 +0000
python3-msgpack: Add rootfile for 32-bit ARM
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit d76e142f7c4a43f2ab851671f813e3df6d6a2576 Author: Peter Müller peter.mueller@ipfire.org Date: Mon Jun 27 07:34:16 2022 +0000
Revert "U-Boot: Update to 2022.04"
Arne reported that this introduced regressions on some NanoPi models.
This reverts commit b8a9c9e70a0ff84401e53f1481f3c1eafab76a29.
commit b1217522771c466eaff0ea859499bef70396c403 Author: Peter Müller peter.mueller@ipfire.org Date: Mon Jun 27 07:34:10 2022 +0000
Revert "Core Update 169: Ship U-Boot"
This reverts commit 65264b3ba6358d78d70c2cc7b9e1c883b0b4af4a.
commit 498ea59524c410d6e7dea9c4f923e18947be587b Author: Peter Müller peter.mueller@ipfire.org Date: Mon Jun 27 07:33:59 2022 +0000
Revert "u-boot: Clarify source URLs and add missing rk3399 firmware"
This reverts commit be5703ef78b6244dcf06b72e6f34ab72b2e7fc55.
commit 706d825587bd152366973c163dde085e937540f5 Author: Peter Müller peter.mueller@ipfire.org Date: Mon Jun 27 07:33:48 2022 +0000
Revert "u-boot: .xz != .gz"
This reverts commit 01b3a62a35a38db9d67121e66f983c0e0a38ca46.
commit 7d5a7fea48ca883f19ad604a7a51820671de82a0 Author: Peter Müller peter.mueller@ipfire.org Date: Mon Jun 27 07:33:40 2022 +0000
Revert "u-boot: Sigh, fix another .xz != .gz"
This reverts commit 480202725b872018667ce0cdc337c25c94cef72b.
commit 0664b1720d2d32f01ad9b9126450e35aa4d357df Author: Peter Müller peter.mueller@ipfire.org Date: Sat Jun 25 22:20:48 2022 +0000
linux: Amend upstream patch to harden mount points of /dev
This patch, which has been merged into the mainline Linux kernel, but not yet backported to the 5.15.x tree, precisely addresses our situation: IPFire does not use systemd, but CONFIG_DEVTMPFS_MOUNT.
The only explanation I have for bug #12889 arising _now_ is that some component (dracut, maybe) changed its behaviour regarding remounting of already mounted special file systems. As current dracut won't (re)mount any file system already found to be mounted, this means that the mount options decided by the kernel remained untouched for /dev, hence being weak in terms of options hardening possible.
As CONFIG_DEVTMPFS_SAFE would not show up in "make menuconfig", changes to kernel configurations have been simulated.
Fixes: #12889 Cc: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 617bb64f6315b93f7b6dbbe7304ae634ca4fad78 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Jun 25 09:15:17 2022 +0000
Core Update 169: Ship general-functions.pl
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 0b4618f9a3817e6d2c76a96b0db00f50fc8e0b57 Author: Adolf Belka adolf.belka@ipfire.org Date: Fri Jun 24 23:58:57 2022 +0200
general-functions.pl: Fix for bug #12865 - Static IP address pools - Add network - Name wit>
- The fix for bug #12428 removed spaces from the validhostname subroutine as hostnames are not supposed to have spaces
- This resulted in spaces no longer being allowed for the Static IP Address Pools names
- New subroutine created called validccdname. This allows letters, upper and lower case, numbers, spaces and dashes
Fixes: Bug #12865 Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit dcc2f7e0f2887e6c15e29971a4d27ecccac884f4 Author: Adolf Belka adolf.belka@ipfire.org Date: Fri Jun 24 23:58:56 2022 +0200
ovpnmain.cgi: Fix for bug #12865 - Static IP address pools - Add network - Name with space
- The fix for bug #12428 removed spaces from the validhostname subroutine as hostnames are not supposed to have spaces
- This resulted in spaces no longer being allowed for the Static IP Address Pools names
- New subroutine created called validccdname in general-functions.pl
Fixes: Bug #12865 Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit de6ef4d40adec7e1093b73c4397f042e830db15e Author: Adolf Belka adolf.belka@ipfire.org Date: Fri Jun 24 14:14:26 2022 +0200
python3-msgpack: Required for build and execution of borgbackup 1.2.0
- New python module required for borgbackup. In borgbackup version 1.1.18 or 1.1.19 the old bundled msgpack in borgbackup was removed and a specified version range of python3-msgpack required.
- This patch adds the lfs and rootfiles for this module
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit 006309eaafb66136193356fc73bf0e5a63ab199e Author: Adolf Belka adolf.belka@ipfire.org Date: Fri Jun 24 14:14:25 2022 +0200
python3-packaging: Moved to rootfiles/packages/ directory
- Required for borgbackup execution
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit c9336f7a1f7f8293012b4a23db941039f9572b4c Author: Adolf Belka adolf.belka@ipfire.org Date: Fri Jun 24 14:14:24 2022 +0200
borgbackup: Fix bug #12884 - borgbackup 1.2.0 crashes on running any borg command
- When borgbackup was upgraded from version 1.1.17 to 1.2.0 the build was successfully completed but there was no testing feedback till after full release. It turned out that it did not successfully run.
- python3-packaging which had been installed for the build of borgbackup needed to also be available for the execution.
- When borgbackup was upgraded to 1.2.0 it was noticed that the old python3-msgpack was no longer needed as borgbackup used its own bundled msgpack since around version 1.1.10. What was not seen was that in version 1.1.19 or 1.1.18 the bundled version of msgpack had been removed and that the newer version of python3-msgpack now needed to be installed but the version number has to meet the borgbackup requirements which currently require it to be =<1.0.3
- This patch adds the python3-packaging and python3-msgpack modules as dependencies for borgbackup
- The egg-info files are uncommented in the rootfile so that the borgbackup metadata can be found by python.
- The updated borgbackup build together with the python3-packaging and python3-msgpack modules were installed into a vm system using the .ipfire packages. Successfully initialised a borgbackup repo and ran two backups to the repo and checked the stats for the backup. Everything ran fine.
Fixes: Bug #12884 Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit 2a4b5f0ab415e326cb1e5d55327867e440c9d7fc Author: Peter Müller peter.mueller@ipfire.org Date: Thu Jun 23 13:27:46 2022 +0000
python3-botocore: Bump package version
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit de9ae56f4b35e57bfd62b56aa767e7b58a7e72b9 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Jun 23 12:31:41 2022 +0000
python3-botocore: Ship interface descriptions
botocore parses any interface descriptions and exposes them to Python. For that to work, we need to ship them.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 92d1e94069a6b3969855786e985d775108694a33 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Jun 23 12:31:40 2022 +0000
python3-botocore: Add httpchecksum module
It looks like this has been commented out by mistake
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 68307a76970af612bafcf9354d99f5bd9147b9aa Author: Peter Müller peter.mueller@ipfire.org Date: Thu Jun 23 13:25:00 2022 +0000
Core Update 169: Ship ruleset-sources
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit b77b41a579982fd6ee524f1c8ee45fea03bb9b76 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Jun 23 08:03:19 2022 +0200
ruleset-sources: Update download URL for Talos rulesets.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit f158e71e20867a072d1c1795bea874e68c58c93b Author: Adolf Belka adolf.belka@ipfire.org Date: Wed Jun 22 22:22:36 2022 +0200
ovpnmain.cgi: Fix for bug #12883 - separate .p12 file corrupted
- Patch https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=2feacd989823aa1dbd5844c3... from May 2021 put the variable containing the .p12 content into double quotes which causes the contents to be treated as text whereas the .p12 file is an application file.
- Most people must be downloading the zip package of .p12, ovpn.conf and ta.key files so the problem was not noticed till now and flagged up in the forum. https://community.ipfire.org/t/openvpn-p12-password-on-android-problem/8127
- The problem does not occur for the .p12 file in the zip file as the downloading of the zip file does not have the variable name in double quotes.
- Putting the zip file variable into double quotes caused the downloaded zip file to be corrupt and not able to be opened as an archive.
- Removing the double quotes from the .p12 variable name caused the separate .p12 file download to be able to be correctly opened.
- The same quoted variable name is used also for the cacert.pem, cert.pem, servercert.pem and ta.key file downloads. To be consistent the same change has been applied to these.
Fixes: Bug #2883 Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Michael Tremer michael.tremer@ipfire.org
commit 49471f05d53c3df70c47e98d068edb745cf3a816 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Jun 23 11:43:56 2022 +0000
misc-progs: Fix passing argument list
The run() function expects all arguments without the basename of the program.
This regression was introduced in a609195a26f2666a177b988a6691bc27b10e6d64.
Fixes: #12886 Signed-off-by: Michael Tremer michael.tremer@ipfire.org Acked-by: Peter Müller peter.mueller@ipfire.org
commit df9ebc6bbe25b2337927cef9351a1a9d60989f92 Author: Peter Müller peter.mueller@ipfire.org Date: Thu Jun 23 07:42:27 2022 +0000
linux: Align kernel configurations on ARM
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit a924020ea83bad4802ff59dbbcb3bb7d32b29cc2 Author: Peter Müller peter.mueller@ipfire.org Date: Thu Jun 23 07:27:19 2022 +0000
Core Update 169: Restart ntpd to apply configuration changes
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit d9aece2af988012a16a7f446e6f65f4d112744df Author: Peter Müller peter.mueller@ipfire.org Date: Thu Jun 23 06:44:09 2022 +0000
linux: Update rootfile
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit d86d3f223181ab4f98a8925d273942f696a90ea5 Author: Peter Müller peter.mueller@ipfire.org Date: Thu Jun 23 06:38:41 2022 +0000
OpenSSL: Fix rootfile
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 4b9b85215fed1ea4af23100ec51827a059021c1c Author: Peter Müller peter.mueller@ipfire.org Date: Wed Jun 22 18:11:56 2022 +0000
Core Update 169: Ship vulnerabilities.cgi
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 34798dcd50451bd7d5993964385e47f6270468b1 Author: Peter Müller peter.mueller@ipfire.org Date: Wed Jun 22 18:11:11 2022 +0000
vulnerabilities.cgi: Add MMIO Stale Data
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 765da09d4162766f9c63e48c27af748ea2e65afb Author: Peter Müller peter.mueller@ipfire.org Date: Wed Jun 22 15:10:01 2022 +0000
linux: Update to 5.15.49
Changelog can be retrieved from https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.49 .
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit e84497de672c38d17bace334ef6c67dde54c49ff Author: Peter Müller peter.mueller@ipfire.org Date: Wed Jun 22 14:32:39 2022 +0000
Crap, OpenSSL download server returned a corrupted file :-/
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 2f52d27a829a891b3cff549f2b0a0763915f8311 Author: Peter Müller peter.mueller@ipfire.org Date: Wed Jun 22 12:27:02 2022 +0000
Core Update 169: Ship changed initscripts
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 54bd60b67b477e5d5814293a74086dff1c21ac69 Author: Peter Müller peter.mueller@ipfire.org Date: Wed Jun 22 12:23:10 2022 +0000
Explicitly harden mount options of sensitive file systems
These were found to get lost after upgrading to Core Update 169, so we set them explicitly to avoid accidental security downgrades.
https://lists.ipfire.org/pipermail/development/2022-June/013714.html
Signed-off-by: Peter Müller peter.mueller@ipfire.org
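A way to check a running system for the condition this commit and "linux: Amend upstream patch to harden mount points of /dev" (further down in this log) deal with, as an added example that is not part of the IPFire tree. The `REQUIRED_OPTIONS` policy is an assumption: `nosuid,noexec` on /dev is what the kernel's CONFIG_DEVTMPFS_SAFE option applies, the other entries are illustrative, and both mount tables are constructed samples.

```python
import re

# Assumed policy for illustration. nosuid,noexec on /dev mirrors what the
# kernel's CONFIG_DEVTMPFS_SAFE option applies; the remaining entries are
# assumptions and are not taken from the IPFire initscripts.
REQUIRED_OPTIONS = {
    "/dev": {"nosuid", "noexec"},
    "/dev/shm": {"nosuid", "nodev"},
    "/proc": {"nosuid", "nodev", "noexec"},
    "/sys": {"nosuid", "nodev", "noexec"},
}

# Constructed sample: /dev as mounted by the kernel (CONFIG_DEVTMPFS_MOUNT)
# and never remounted afterwards, so it carries no hardening options.
WEAK_SAMPLE = """\
devtmpfs /dev devtmpfs rw,relatime,size=1000000k,nr_inodes=250000,mode=755 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
"""

# Constructed sample: the same table with /dev hardened.
HARDENED_SAMPLE = WEAK_SAMPLE.replace(
    "devtmpfs rw,relatime", "devtmpfs rw,nosuid,noexec,relatime"
)


def _unescape(field):
    """Decode the octal escapes (\\040 for space etc.) used in /proc/mounts."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Return {mount point: set of options} from /proc/mounts formatted text.

    A later line for the same mount point replaces an earlier one, because
    the most recent mount is the one that is visible at that path.
    """
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        mounts[_unescape(fields[1])] = set(fields[3].split(","))
    return mounts


def audit(text, policy=REQUIRED_OPTIONS):
    """Return {mount point: sorted list of missing options} for violations."""
    mounts = parse_mounts(text)
    findings = {}
    for mount_point, required in policy.items():
        if mount_point not in mounts:
            findings[mount_point] = ["not mounted"]
            continue
        missing = required - mounts[mount_point]
        if missing:
            findings[mount_point] = sorted(missing)
    return findings


if __name__ == "__main__":
    with open("/proc/mounts", encoding="utf-8") as handle:
        for mount_point, missing in audit(handle.read()).items():
            print(f"{mount_point}: missing {', '.join(missing)}")
```
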
commit 29cf82e6fcdc4019901f9fb170abe44c131764be Author: Peter Müller peter.mueller@ipfire.org Date: Wed Jun 22 12:17:48 2022 +0000
Core Update 169: Ship OpenSSL
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 70c969e94188247bcf3979be248e51806013d242 Author: Peter Müller peter.mueller@ipfire.org Date: Wed Jun 22 12:16:37 2022 +0000
OpenSSL: Update to 1.1.1p
Please refer to https://www.openssl.org/news/openssl-1.1.1-notes.html for the release notes regarding this version.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 2bebb556dc068952a657eba389f5ac8c6a8f5253 Author: Peter Müller peter.mueller@ipfire.org Date: Wed Jun 22 12:12:52 2022 +0000
Update French translation
Signed-off-by: Stéphane Pautrel stephane.pautrel@acb78.com Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 95530b3edb1e42eb1a68988272916c033fc2cd57 Author: Peter Müller peter.mueller@ipfire.org Date: Mon Jun 20 20:44:58 2022 +0000
Core Update 169: Ship NTP configuration changes
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 2234e8aacac2e0d0b06dac4513585c15c2b3b440 Author: Jon Murphy jon.murphy@ipfire.org Date: Thu May 26 19:40:31 2022 -0500
Ship NTP changes
- Device time more accurate. (e.g., +/- 10 seconds per day to < 100 ms on some devices) ( I know we don't need the perfect time server )
- NTP and time will be accurate in manual mode (setting on Time Server > NTP Configuration WebGUI)
- Change NTP "prefer" server:
  - The current preferred NTP server is an Undisciplined Local Clock.
  - This is intended when no outside source of synchronized time is available.
  - Change the "prefer" server from 127.127.1.0 to the Primary NTP server specified on the Time Server > NTP Configuration WebGUI page.
- Change allows the drift file (located at /etc/ntp/drift) to be populated by ntpd.
- The drift file is updated about once per hour which helps correct the device time.
Signed-off-by: Jon Murphy jon.murphy@ipfire.org
commit f62b488f82b5eb6bbbc1b57d90a919d61346ef5f Author: Peter Müller peter.mueller@ipfire.org Date: Mon Jun 20 20:10:47 2022 +0000
sysctl: Actually arm YAMA
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 2c38893da43383ffb57022575fa56a255b012a93 Author: Peter Müller peter.mueller@ipfire.org Date: Mon Jun 20 19:50:16 2022 +0000
Core Update 169: Ship keyutils
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 2bbfa1b72c32712997183e4813f813d443a48d81 Author: Peter Müller peter.mueller@ipfire.org Date: Mon Jun 20 19:48:55 2022 +0000
Core Update 169: Ship poppler
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 1452738c2e22562d84a7c6af683a2f9bce88fd55 Author: Peter Müller peter.mueller@ipfire.org Date: Sun Jun 19 09:41:05 2022 +0000
Tor: Update to 0.4.7.8
Changes in version 0.4.7.8 - 2022-06-17
  This version fixes several bugfixes including a High severity security issue categorized as a Denial of Service. Everyone running an earlier version should upgrade to this version.

  o Major bugfixes (congestion control, TROVE-2022-001):
    - Fix a scenario where RTT estimation can become wedged, seriously degrading congestion control performance on all circuits. This impacts clients, onion services, and relays, and can be triggered remotely by a malicious endpoint. Tracked as CVE-2022-33903. Fixes bug 40626; bugfix on 0.4.7.5-alpha.

  o Minor features (fallbackdir):
    - Regenerate fallback directories generated on June 17, 2022.

  o Minor features (geoip data):
    - Update the geoip files to match the IPFire Location Database, as retrieved on 2022/06/17.

  o Minor bugfixes (linux seccomp2 sandbox):
    - Allow the rseq system call in the sandbox. This solves a crash issue with glibc 2.35 on Linux. Patch from pmu-ipf. Fixes bug 40601; bugfix on 0.3.5.11.

  o Minor bugfixes (logging):
    - Demote a harmless warn log message about finding a second hop to from warn level to info level, if we do not have enough descriptors yet. Leave it at notice level for other cases. Fixes bug 40603; bugfix on 0.4.7.1-alpha.
    - Demote a notice log message about "Unexpected path length" to info level. These cases seem to happen arbitrarily, and we likely will never find all of them before the switch to arti. Fixes bug 40612; bugfix on 0.4.7.5-alpha.

  o Minor bugfixes (relay, logging):
    - Demote a harmless XOFF log message to from notice level to info level. Fixes bug 40620; bugfix on 0.4.7.5-alpha.
Signed-off-by: Peter Müller peter.mueller@ipfire.org Reviewed-by: Adolf Belka adolf.belka@ipfire.org
commit 43b9482a26e7bb265f464180d20cb3beee91b8f4 Author: Peter Müller peter.mueller@ipfire.org Date: Sun Jun 19 09:42:20 2022 +0000
Postfix: Update to 3.7.2
Please refer to https://www.postfix.org/announcements/postfix-3.7.2.html for this version's release announcement.
Signed-off-by: Peter Müller peter.mueller@ipfire.org Reviewed-by: Adolf Belka adolf.belka@ipfire.org
commit 480202725b872018667ce0cdc337c25c94cef72b Author: Peter Müller peter.mueller@ipfire.org Date: Sat Jun 18 14:42:10 2022 +0000
u-boot: Sigh, fix another .xz != .gz
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 9f94dc123ae84d9d839ada0808c91c9eb0704650 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Jun 18 14:40:29 2022 +0000
Update rootfiles to reflect OpenVPN 2FA changes
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 01b3a62a35a38db9d67121e66f983c0e0a38ca46 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Jun 18 10:38:40 2022 +0000
u-boot: .xz != .gz
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit be5703ef78b6244dcf06b72e6f34ab72b2e7fc55 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Jun 18 08:16:03 2022 +0000
u-boot: Clarify source URLs and add missing rk3399 firmware
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 39c9a6940625017f0b35fb43453475b9c3f5729f Author: Peter Müller peter.mueller@ipfire.org Date: Fri Jun 17 16:49:57 2022 +0000
Run ./make.sh update-contributors
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 531f57d71cec4d2d7564e4c35fc1df187a42349d Author: Peter Müller peter.mueller@ipfire.org Date: Fri Jun 17 16:48:44 2022 +0000
Zut alors, uniq 'files' as well
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 609f41867d11619d9996509f6be05d004b2ccb1c Author: Peter Müller peter.mueller@ipfire.org Date: Fri Jun 17 16:48:13 2022 +0000
Sort 'files'
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 3cf7a3b15386010871f15256c4f97dce97d9841d Author: Peter Müller peter.mueller@ipfire.org Date: Fri Jun 17 16:47:44 2022 +0000
Core Update 169: Ship OpenVPN 2FA changes
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 75c49d6bec65ec865b37f7a44bdb7c46cf264b4c Merge: a0d395668 29df9f89c Author: Peter Müller peter.mueller@ipfire.org Date: Fri Jun 17 16:39:40 2022 +0000
Merge branch 'temp-ms-ovpn-2fa' into next
commit 29df9f89c9168e4248076cf9c7e294384c0fd6ae Author: Peter Müller peter.mueller@ipfire.org Date: Fri Jun 17 16:30:51 2022 +0000
Core Update 169: Ship libtiff and krb5
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 4c4669041168fa6c8b20d4906c37813820969285 Author: Peter Müller peter.mueller@ipfire.org Date: Fri Jun 17 16:29:55 2022 +0000
Core Update 169: Remove pakfire metadata for krb5 and libtiff
Both packages have become part of the core system, so these files are no longer needed.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 8d920449d27fe5816fc157f5d101aab0855e76e4 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun May 15 18:02:20 2022 +0200
libtiff: Move into core system.
pango and the PDF tools as core parts are linked against libtiff, therefore this library has to become a part of the core distribution too.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit c13e562b6e403808f90703e90b717a2193a2592f Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun May 15 18:02:19 2022 +0200
krb5: Move package into core system.
On one hand, the key.dns_resolver binary is linked against libkrb5, so this library at least is required by the base system.
On the other hand this easily allows different services on the firewall to use kerberos for authentication (ssh etc).
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit fa30456c5e4bc6ff7b735ecbc10dd3deaa8a16e0 Author: Peter Müller peter.mueller@ipfire.org Date: Fri Jun 17 16:27:42 2022 +0000
kernel: Align x86_64 rootfile for kernel update
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 65264b3ba6358d78d70c2cc7b9e1c883b0b4af4a Author: Peter Müller peter.mueller@ipfire.org Date: Fri Jun 17 15:54:10 2022 +0000
Core Update 169: Ship U-Boot
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit b8a9c9e70a0ff84401e53f1481f3c1eafab76a29 Author: Peter Müller peter.mueller@ipfire.org Date: Fri Jun 17 15:52:45 2022 +0000
U-Boot: Update to 2022.04
https://wiki.ipfire.org/devel/telco/2022-06-13
Cc: Arne Fitzenreiter arne.fitzenreiter@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit ed5572536f5fbd3af2383555a87a634fd257a88f Author: Peter Müller peter.mueller@ipfire.org Date: Fri Jun 17 11:01:06 2022 +0000
Core Update 169: Ship misc-progs
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit a609195a26f2666a177b988a6691bc27b10e6d64 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Jun 15 09:53:20 2022 +0000
misc-progs: Add path to executable to argv
Otherwise, the first argument would always be swallowed :(
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Acked-by: Peter Müller peter.mueller@ipfire.org
commit b9196b9d62b3c85d11e99c08e720e1007eeb3e7a Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Jun 16 23:31:59 2022 +0200
samba: Ship with CU169
- samba is linked to liblber from openldap. openldap was updated in CU168 but I missed that samba had a dependency to one of its libraries.
- find-dependencies was not run on openldap liblber although looking at the openldap rootfile it is clear that an sobump occurred.
- This patch increments the samba PAK_VER so that it will be shipped and therefore have the library links updated.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 015ea59a4d3ead64fd84276e9be8d453e96eb1f1 Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Jun 16 23:16:36 2022 +0200
netatalk: Ship with CU169 - Fixes bug #12878
- netatalk is linked to liblber from openldap. openldap was updated in CU168 but I missed that netatalk had a dependency to one of its libraries.
- find-dependencies was not run on openldap liblber although looking at the openldap rootfile it is clear that an sobump occurred.
- This patch increments the netatalk PAK_VER so that it will be shipped and therefore have the library links updated.
Fixes: Bug #12878 Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit a0d3956686f64744d06a5d2f9911a4987d9129ec Author: Peter Müller peter.mueller@ipfire.org Date: Fri Jun 17 16:30:51 2022 +0000
Core Update 169: Ship libtiff and krb5
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 3356af4e5c87886388384d703f4b59a8df78aaec Author: Peter Müller peter.mueller@ipfire.org Date: Fri Jun 17 16:29:55 2022 +0000
Core Update 169: Remove pakfire metadata for krb5 and libtiff
Both packages have become part of the core system, so these files are no longer needed.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 9aa2c4cc2969bcd32d49399098091fcd05befda3 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun May 15 18:02:20 2022 +0200
libtiff: Move into core system.
pango and the PDF tools as core parts are linked against libtiff, therefore this library has to become a part of the core distribution too.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 4fdd3558802b971bad882eea3abea3de90052d9c Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun May 15 18:02:19 2022 +0200
krb5: Move package into core system.
On one hand, the key.dns_resolver binary is linked against libkrb5, so this library at least is required by the base system.
On the other hand this easily allows different services on the firewall to use kerberos for authentication (ssh etc).
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 02882db3022fe56c3b55fa0e1c5592f8ab31b26d Author: Peter Müller peter.mueller@ipfire.org Date: Fri Jun 17 16:27:42 2022 +0000
kernel: Align x86_64 rootfile for kernel update
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 99763943424cdd2e6d5855c8c9dcaf2d70f763ba Author: Peter Müller peter.mueller@ipfire.org Date: Fri Jun 17 15:54:10 2022 +0000
Core Update 169: Ship U-Boot
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit c16b1b1ab3a5a8378f99e4e7d2810b12178ac54d Author: Peter Müller peter.mueller@ipfire.org Date: Fri Jun 17 15:52:45 2022 +0000
U-Boot: Update to 2022.04
https://wiki.ipfire.org/devel/telco/2022-06-13
Cc: Arne Fitzenreiter arne.fitzenreiter@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 6b0e6c1b84cbe0cad9b94e779ab28089da909e23 Author: Peter Müller peter.mueller@ipfire.org Date: Fri Jun 17 11:01:06 2022 +0000
Core Update 169: Ship misc-progs
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 9dc534ddc16203c9033aa99fa8bac46400ee75c3 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Jun 15 09:53:20 2022 +0000
misc-progs: Add path to executable to argv
Otherwise, the first argument would always be swallowed :(
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Acked-by: Peter Müller peter.mueller@ipfire.org
commit 377ffa081183d1f7eadffd434df4bef64116f811 Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Jun 16 23:31:59 2022 +0200
samba: Ship with CU169
- samba is linked to liblber from openldap. openldap was updated in CU168 but I missed that samba had a dependency to one of its libraries.
- find-dependencies was not run on openldap liblber although looking at the openldap rootfile it is clear that an sobump occurred.
- This patch increments the samba PAK_VER so that it will be shipped and therefore have the library links updated.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit a5cdf05acc0e638ff544e1b31f6a0cda5c043985 Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Jun 16 23:16:36 2022 +0200
netatalk: Ship with CU169 - Fixes bug #12878
- netatalk is linked to liblber from openldap. openldap was updated in CU168 but I missed that netatalk had a dependency to one of its libraries.
- find-dependencies was not run on openldap liblber although looking at the openldap rootfile it is clear that an sobump occurred.
- This patch increments the netatalk PAK_VER so that it will be shipped and therefore have the library links updated.
Fixes: Bug #12878 Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 3740b7ad3ade3ff9d645bc3dca709791d012bbc2 Author: Timo Eissler timo.eissler@ipfire.org Date: Thu Jun 16 12:39:45 2022 +0200
ovpnmain.cgi: URI encode OTPAuth String in QRCode
Signed-off-by: Timo Eissler timo.eissler@ipfire.org
commit 6a53c26cf71c49113a1a2d4b810f35ebfa240464 Author: Timo Eissler timo.eissler@ipfire.org Date: Thu Jun 16 12:38:48 2022 +0200
perl-URI-Encode: New package
Simple percent Encoding/Decoding
Signed-off-by: Timo Eissler timo.eissler@ipfire.org
commit 209d62f0058c88e038760bc07773072fed0050da Author: Timo Eissler timo.eissler@ipfire.org Date: Tue Jun 14 20:56:12 2022 +0200
ovpnmain.cgi: Remove trailing newline from OTP secret
Signed-off-by: Timo Eissler timo.eissler@ipfire.org
commit c9dc7fdec09ceec217534cf4a9832338ac9be671 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Jun 14 15:57:03 2022 +0000
openvpn-authenticator: Always return general connection data
The function returned different output when TOTP was configured and not which is not what it should do.
This version will now try to add the TOTP configuration, or will add nothing if it fails to do so.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b6f9fff2bcec35a98c4b01a4bab3038ee7813ee2 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Jun 14 15:53:19 2022 +0000
openvpn-authenticator: Don't process configuration when row is too short
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 59f9e413611e6724a039429020fd528b782a5017 Author: Timo Eissler timo.eissler@ipfire.org Date: Tue Jun 7 17:53:23 2022 +0200
openvpn-authenticator: Change event and environment handling
Move reading of environment in its own function because not all events have an ENV block following and thus always reading the ENV will cause RuntimeError("Unexpected environment line ...").
commit 472cd78269a8d03cfa1447b3c80bed6dd3fd0897 Author: Timo Eissler timo.eissler@ipfire.org Date: Tue Jun 7 12:20:14 2022 +0200
openvpn-authenticator: Fix call of _client_auth_successful
commit a4a42daeeaefed48dd9b40d7001f1fc613978f85 Author: Timo Eissler timo.eissler@ipfire.org Date: Tue Jun 7 12:14:12 2022 +0200
openvpn-authenticator: Return only available data
For connections which have not enabled OTP return connection name and common_name attributes only.
commit 74ab6f9fc03dab8dae8d63c86e036f2b96162f25 Author: Timo Eissler timo.eissler@ipfire.org Date: Tue Jun 7 12:12:20 2022 +0200
openvpn-authenticator: Generate TOTP instead of HOTP codes
commit 10b32d3895e7ca2134d403b2445f9569b1f7f36a Author: Timo Eissler timo.eissler@ipfire.org Date: Tue Jun 7 11:20:56 2022 +0200
ovpnmain.cgi: Fix OTP secret handling
Convert stored hex OTP secret to binary prior to converting to base32.
commit 16d4a5c264d7deec49e3c1ee84541a231c31b5bb Author: Timo Eissler timo.eissler@ipfire.org Date: Tue Jun 7 11:16:31 2022 +0200
ovpnmain.cgi: Fix comparison operators
commit a999886759f360f4747084f1c69768a991766df3 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed May 4 14:58:18 2022 +0100
openvpn-2fa: Configure fake authentication credentials
These configuration options are required to make the client authenticate itself against the server.
The server may then accept those credentials without any further ado or ask for an OTP.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 5111dc3df3233720235f40269c2655d6b7e125a0 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed May 4 14:51:51 2022 +0100
openvpn-2fa: Enable management socket for RW server
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 6834749d223458d5ee95302732227bea0df62d60 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed May 4 14:49:32 2022 +0100
openvpn-2fa: Drop the previous authentication handler
This has been replaced by the newer authenticator
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 339b84d50910b1c258304bff68d1f875e8b2a25a Author: Michael Tremer michael.tremer@ipfire.org Date: Wed May 4 14:46:41 2022 +0100
openvpn-2fa: Import a prototype of an authenticator
This script runs aside of OpenVPN and connects to the management socket. On the socket, OpenVPN will post any new clients trying to authenticate which will be handled by the authenticator.
If a client has 2FA enabled, it will be challenged for the current token which will then be checked in a second pass.
Clients which do not have 2FA enabled will just be authenticated no matter what and tls-verify will have handled the rest.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c63a54f0908f8dcce2fde30d4476e82dbc2c3bfd Author: Michael Tremer michael.tremer@ipfire.org Date: Tue May 3 11:54:17 2022 +0000
ovpnmain.cgi: Load all modules at the beginning
Although Perl modules tend to take a long time to load, it is better to do this at the beginning so that loading the script will show any errors.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 2050be20e1600377914736531307d3fab863285e Author: Michael Tremer michael.tremer@ipfire.org Date: Tue May 3 11:51:11 2022 +0000
ovpnmain.cgi: Disable sending any error messages to the browser again
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit f27d021470fb31731844ee2c70d142c6651da0f0 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Apr 15 07:29:10 2022 +0000
openpvn-2fa: Fix rootfiles
Some rootfiles were in the wrong location, some others had some architecture hard-coded.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 4b519aa8b0a3314e5cb01c953a517b3da354ea53 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Apr 14 21:02:04 2022 +0000
perl-YAML-Tiny: Update checksum and remove unnecessary fields
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 2d44871aa1363990b2f1416d1be65c7e51020c0b Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Apr 14 20:59:10 2022 +0000
perl-Module-ScanDeps: Update checksum and remove unnecessary fields
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 6ede67fb5aa54ea5ba9e806f31c3e35077aa71ba Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Apr 14 20:57:33 2022 +0000
perl-Module-Install: Update checksum and remove unnecessary fields
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit d7772284a1f9cd82c7672c35ad0b22fb988d1859 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Apr 14 20:55:27 2022 +0000
perl-Module-Build: Update checksum and remove unnecessary fields
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 89bdc5563cc6f829add64b62231349be2912c5ef Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Apr 14 20:53:31 2022 +0000
perl-MIME-Base32: Update checksum and remove unnecessary fields
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 4f3f7f57847312aec2d406d9165950faf50d9099 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Apr 14 20:52:12 2022 +0000
perl-Imager-QRCode: Update checksum and remove unnecessary fields
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 42a2a93911fb8bd96f7878dd48eec4a3eab5aa68 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Apr 14 20:50:12 2022 +0000
perl-Imager: Update checksum and remove unnecessary fields
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit aeff5e3fee7f1a0c5816ff47918fce1feb693d6a Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Apr 14 20:48:39 2022 +0000
perl-File-Remove: Update checksum and drop unnecessary fields
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit baf62b83cbf5300055d4bd0fc8073874794a5197 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Apr 14 20:48:20 2022 +0000
oauth-toolkit: Update checksum and drop unnecessary fields
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e0fa8c25e88860df2f1dd9e60a212d9f3a4fbb4d Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Apr 14 19:15:42 2022 +0000
qrencode: Rename package and update checksum
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e1e10515ece3bbe51936d572f32b14f02db6750d Author: Timo Eissler timo.eissler@ipfire.org Date: Fri Apr 8 10:50:20 2022 +0200
OpenVPN: Add support for 2FA / One-Time Password
Add two-factor authentication (2FA) to OpenVPN host connections with one-time passwords.
The 2FA can be enabled or disabled per host connection and requires the client to download its configuration again after 2FA has been enabled for it. Additionally the client needs to configure a TOTP application, like "Google Authenticator" which then provides the second factor. To facilitate this every connection with enabled 2FA gets a "show qrcode" button after the "show file" button in the host connection list to show the 2FA secret and a 2FA configuration QRCode.
When 2FA is enabled, the client needs to provide the second factor plus the private key password (if set) to successfully authorize.
This only supports time based one-time passwords, TOTP with 30s window and 6 digits, for now but we may update this in the future.
Signed-off-by: Timo Eissler timo.eissler@ipfire.org
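The OTP commits in this log (TOTP with a 30s step and 6 digits, hex secret converted to binary before base32, trailing newline removed, OTPAuth string URI-encoded) fit together as in the following added example. It is not IPFire's code: the function names, the otpauth:// URI layout, the issuer/label values and the one-step drift tolerance are assumptions, and the sample secret is the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

STEP = 30    # seconds per time step, as stated in the commit message
DIGITS = 6   # code length, as stated in the commit message


def secret_from_hex(stored: str) -> bytes:
    """Decode the hex-encoded secret; strip() drops a trailing newline
    left over from reading the value out of a file."""
    return bytes.fromhex(stored.strip())


def base32_secret(stored: str) -> str:
    """Base32 form for authenticator apps. The hex text must be turned
    into raw bytes first; base32-encoding the hex *string* would yield
    a different (wrong) shared secret."""
    raw = secret_from_hex(stored)
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, now: float, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, int(now) // step)


def verify(key: bytes, code: str, now: float, drift: int = 1) -> bool:
    """Check a submitted code, tolerating `drift` steps of clock skew
    (assumed policy). Every candidate is compared in constant time."""
    ok = False
    for delta in range(-drift, drift + 1):
        moment = now + delta * STEP
        if moment < 0:
            continue
        expected = totp(key, moment)
        ok |= hmac.compare_digest(expected.encode(), code.encode())
    return ok


def otpauth_uri(label: str, stored: str, issuer: str) -> str:
    """Build the string that goes into the QR code. Label and issuer are
    percent-encoded so spaces or '&' cannot break the URI."""
    return (
        f"otpauth://totp/{quote(label, safe='')}"
        f"?secret={base32_secret(stored)}"
        f"&issuer={quote(issuer, safe='')}"
    )


# Constructed sample: RFC 6238 test key "12345678901234567890" as hex,
# with the trailing newline a file read would leave behind.
SAMPLE_HEX = "3132333435363738393031323334353637383930\n"

if __name__ == "__main__":
    key = secret_from_hex(SAMPLE_HEX)
    print(base32_secret(SAMPLE_HEX))
    print(totp(key, 59))
    print(otpauth_uri("Road Warrior 1", SAMPLE_HEX, "IPFire"))
```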
commit dc124917e3a0468ae4f1a4c6fe15ed3c68fc2f62 Author: Timo Eissler timo.eissler@ipfire.org Date: Fri Apr 8 08:11:07 2022 +0200
perl-MIME-Base32: New package
Base32 encoder and decoder
Signed-off-by: Timo Eissler timo.eissler@ipfire.org
commit e97759c292d49a5c397e52fe46a17e4674623f29 Author: Timo Eissler timo.eissler@ipfire.org Date: Mon Apr 4 17:58:19 2022 +0200
perl-Imager-QRCode: New package
Generate QR Code with Imager using libqrencode
Signed-off-by: Timo Eissler timo.eissler@ipfire.org
commit bc8bea129cbd85a8921b1fe47b07da5452f8ed6a Author: Timo Eissler timo.eissler@ipfire.org Date: Mon Apr 4 17:56:44 2022 +0200
perl-Imager: New package
Perl extension for Generating 24 bit Images
Required by perl-Imager-QRCode.
Signed-off-by: Timo Eissler timo.eissler@ipfire.org
commit cb36c0929c6aab35e6c78d90d58e53d2ffc6010d Author: Timo Eissler timo.eissler@ipfire.org Date: Mon Apr 4 17:54:36 2022 +0200
perl-Module-Install: New package
Module::Install configuration system
Required by perl-Imager-QRCode.
Signed-off-by: Timo Eissler timo.eissler@ipfire.org
commit 3aeadfd8bda88ca123cb0bfffc3c6d55c0fb3fdc Author: Timo Eissler timo.eissler@ipfire.org Date: Mon Apr 4 17:49:42 2022 +0200
perl-YAML-Tiny: New package
Read/Write YAML files with as little code as possible
Required by perl-Module-Install.
Signed-off-by: Timo Eissler timo.eissler@ipfire.org
commit bfc889a70ac4e2ef2f7a126611aa927c0efd6c40 Author: Timo Eissler timo.eissler@ipfire.org Date: Mon Apr 4 17:48:32 2022 +0200
perl-Module-ScanDeps: New package
Recursively scan Perl code for dependencies
Required by perl-Module-Install.
Signed-off-by: Timo Eissler timo.eissler@ipfire.org
commit a102cdbae1243c8dd113a0a118ce891e43850ab5 Author: Timo Eissler timo.eissler@ipfire.org Date: Mon Apr 4 17:46:56 2022 +0200
perl-Module-Build: New package
Build and install Perl modules
Required by perl-Module-Install.
Signed-off-by: Timo Eissler timo.eissler@ipfire.org
commit 6f8b1c534ecdb9dd9f8042da5ac7778c5574b154 Author: Timo Eissler timo.eissler@ipfire.org Date: Mon Apr 4 17:45:01 2022 +0200
perl-File-Remove: New package
Remove files and directories
Required by perl-Module-Install.
Signed-off-by: Timo Eissler timo.eissler@ipfire.org
commit 3780b7a4ace485be68c874185ee5dacddd824f9e Author: Timo Eissler timo.eissler@ipfire.org Date: Mon Apr 4 12:47:37 2022 +0200
libqrcode: New package
A fast and compact QR Code encoding library.
Homepage: https://fukuchi.org/works/qrencode/ Source: https://fukuchi.org/works/qrencode/qrencode-4.1.1.tar.gz
Signed-off-by: Timo Eissler timo.eissler@ipfire.org
commit 7e4af6eb54bcbd1fa651610d8f0a99d86270042c Author: Timo Eissler timo.eissler@ipfire.org Date: Mon Apr 4 11:38:43 2022 +0200
oath-toolkit: New package
OATH Toolkit provides components to build one-time password authentication systems.
Homepage: https://www.nongnu.org/oath-toolkit/index.html Source: https://download.savannah.nongnu.org/releases/oath-toolkit/oath-toolkit-2.6....
Signed-off-by: Timo Eissler timo.eissler@ipfire.org
commit 0ffba7d4f6dd4e4e3b67c9e35f10cc495d2db3d9 Author: Peter Müller peter.mueller@ipfire.org Date: Fri Jun 17 06:59:50 2022 +0000
linux: Update to 5.15.48
Please refer to https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.48 for the changelog of this version.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 961e253e1ada56573f6f79d9901e1dd489e15fa7 Author: Peter Müller peter.mueller@ipfire.org Date: Fri Jun 17 06:56:05 2022 +0000
Core Update 169: Ship bind
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 07bd97edf7cc0be808b5dc215416bbb11b79d6bc Author: Matthias Fischer matthias.fischer@ipfire.org Date: Thu Jun 16 14:49:09 2022 +0200
bind: Update to 9.16.30
For details see: https://downloads.isc.org/isc/bind9/9.16.30/doc/arm/html/notes.html#notes-fo...
"Bug Fixes
The fetches-per-server quota is designed to adjust itself downward automatically when an authoritative server times out too frequently. Due to a coding error, that adjustment was applied incorrectly, so that the quota for a congested server was always set to 1. This has been fixed. [GL #3327]
DNSSEC-signed catalog zones were not being processed correctly. This has been fixed. [GL #3380]
Key files were updated every time the dnssec-policy key manager ran, whether the metadata had changed or not. named now checks whether changes were applied before writing out the key files. [GL #3302]"
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit bf7bfc3df6a3fc4e55908a9b80bcf06e51e3b46b Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Jun 15 09:51:48 2022 +0000
dnsdist: Update to 1.7.2
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit f391d8628b2a608a7b6f3151ef04d9d34c879d34 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Jun 11 10:52:04 2022 +0000
linux-firmware: Update to 20220610
No changelog is provided, please refer to https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/ for all activity since the previous version.
This patch includes necessary directives for shipping added or modified firmware files with Core Update 169, and deleting appropriate files on existing installations.
Signed-off-by: Peter Müller peter.mueller@ipfire.org Reviewed-by: Michael Tremer michael.tremer@ipfire.org
commit 310ad69dc10b5f9db61f693f13e217b875604f8d Author: Peter Müller peter.mueller@ipfire.org Date: Sat Jun 11 10:55:19 2022 +0000
lynis: Update to 3.0.8
Full changelog as retrieved from https://cisofy.com/changelog/lynis/#308:
- MALW-3274 - Detect McAfee VirusScan Command Line Scanner
- PKGS-7346 Check Alpine Package Keeper (apk)
- PKGS-7395 Check Alpine upgradeable packages
- EOL for Alpine Linux 3.14 and 3.15

- AUTH-9408 - Check for pam_faillock as well (replacement for pam_tally2)
- FILE-7524 - Test enhanced to support symlinks
- HTTP-6643 - Support ModSecurity version 2 and 3
- KRNL-5788 - Only run relevant tests and improved logging
- KRNL-5820 - Additional path for security/limits.conf
- KRNL-5830 - Check for /var/run/needs_restarting (Slackware)
- KRNL-5830 - Add a presence check for /boot/vmlinuz
- PRNT-2308 - Bugfix that prevented test from storing values correctly
- Extended location of PAM files for AARCH64
- Some messages in log improved
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit d819a62b14179854ac95dd444eea4be39233e6fb Author: Peter Müller peter.mueller@ipfire.org Date: Mon Jun 13 20:45:51 2022 +0000
linux: Update rootfiles
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit c0c8a0899200d2e147a60b601e7eb438236bb706 Author: Peter Müller peter.mueller@ipfire.org Date: Mon Jun 13 20:42:07 2022 +0000
linux: Run make oldconfig for x86_64
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 6d084eb8b1f3364a241a9b33bc701f3b73defe0a Author: Peter Müller peter.mueller@ipfire.org Date: Mon Jun 13 20:36:13 2022 +0000
xfsprogs: Fix rootfile
For some reason, this particular file's name always comprises of x86_64.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit d462422cc389870eec0184e8bcfa256f367b56aa Author: Peter Müller peter.mueller@ipfire.org Date: Mon Jun 13 15:52:19 2022 +0000
Core Update 169: Ship tzdata
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 0371726e94c1e82aa11192a285715b1e1061f499 Author: Peter Müller peter.mueller@ipfire.org Date: Tue Jun 7 17:15:31 2022 +0000
tzdata: Update to 2022a
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 80745fb58f832ce4cd7476ab9d7aaf96dd8c8203 Author: Peter Müller peter.mueller@ipfire.org Date: Tue Jun 7 20:22:30 2022 +0000
unbound.conf: Aggressive NSEC is enabled by default since Unbound 1.15.0
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 0360d235c8c4ab2d672b40d745c1b1dc14becadb Author: Peter Müller peter.mueller@ipfire.org Date: Mon Jun 13 15:49:40 2022 +0000
Core Update 169: Ship and apply sysctl changes
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 84d6e931508cf0c2b31a0b1b7923d6bda84414c2 Author: Peter Müller peter.mueller@ipfire.org Date: Tue Jun 7 20:09:07 2022 +0000
sysctl: For the sake of completeness, do not accept IPv6 redirects
While IPFire 2.x' web interface does not support IPv6, users can technically run it with IPv6 by conducting the necessary configuration changes manually.
To provide these systems as well, we should disable acceptance of ICMPv6 redirect packets - which is apparently not default in Linux, yet. :-/
Signed-off-by: Peter Müller peter.mueller@ipfire.org Reviewed-by: Michael Tremer michael.tremer@ipfire.org
commit d90b39982baff221ff52ac97cdc9acb1f29e3d82 Author: Peter Müller peter.mueller@ipfire.org Date: Mon Jun 13 15:48:13 2022 +0000
Core Update 169: Ship localnet initscript
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit cf7f5004ac116d90be07e4da36887efc8ef69552 Author: Peter Müller peter.mueller@ipfire.org Date: Tue Jun 7 19:31:57 2022 +0000
localnet: Add "edns0" to /etc/resolv.conf options for RFC 2671 support
Signed-off-by: Peter Müller peter.mueller@ipfire.org Reviewed-by: Michael Tremer michael.tremer@ipfire.org
commit b41631c1904690c3a6075dc5572a24f39aee2dd4 Author: Peter Müller peter.mueller@ipfire.org Date: Mon Jun 13 15:46:50 2022 +0000
Core Update 169: Ship and apply updated Linux kernel
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 17aaad5d968e8486dc83cd65cddb1cc1a7ff5211 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Jun 11 06:47:49 2022 +0000
flash-images: Harden mount options of /boot
Signed-off-by: Peter Müller peter.mueller@ipfire.org Reviewed-by: Michael Tremer michael.tremer@ipfire.org
commit 1fad035a1f20771740faf0dd5e0802d779370b94 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Jun 11 18:42:08 2022 +0000
Kernel: Mitigate Straight-Line-Speculation on x86_64
See https://lwn.net/Articles/877845/ for the rationale behind this. The feature is currently only available on the x86_64 platform.
Signed-off-by: Peter Müller peter.mueller@ipfire.org Reviewed-by: Michael Tremer michael.tremer@ipfire.org
commit 883e29630cb1f5b16c8508b585c32d7f54a86e1a Author: Peter Müller peter.mueller@ipfire.org Date: Sat Jun 11 18:47:31 2022 +0000
Kernel: Disable support for RPC dprintk debugging
This is solely needed for debugging of NFS issues. Due to the attack surface it introduces, grsecurity recommends to disable it; as we do not have a strict necessity for this feature, it is best to follow that recommendation for security reasons.
Signed-off-by: Peter Müller peter.mueller@ipfire.org Reviewed-by: Michael Tremer michael.tremer@ipfire.org
commit 9b28e9d02be9c0e0c488434cfd731d47bb227838 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Jun 11 18:53:10 2022 +0000
Kernel: Enable YAMA support
See https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html for the upstream rationale. Enabling YAMA gives us the benefit of additional hardening options available, without any obvious downsides.
Signed-off-by: Peter Müller peter.mueller@ipfire.org Reviewed-by: Michael Tremer michael.tremer@ipfire.org
commit db8639bbfa41f34fcc33345648d3100ac5da001d Author: Peter Müller peter.mueller@ipfire.org Date: Sat Jun 11 18:13:57 2022 +0000
linux: Update to 5.15.46
Please refer to https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.46 for the changelog of this version.
Due to operational constraints, ARM rootfile changes are simulated.
Signed-off-by: Peter Müller peter.mueller@ipfire.org Reviewed-by: Michael Tremer michael.tremer@ipfire.org
commit 0d84103c04f67d913ee5cd0187f49ab178fb33e1 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Jun 11 18:59:36 2022 +0000
Delete orphaned libcap patch
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 3e7e92652e836c199dc33cfe571bd084d27097a8 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Jun 11 14:35:23 2022 +0000
Core Update 169: Ship ovpnmain.cgi
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 574f4538533bb78a7daea1b7212bc3a80a67b382 Author: Jon Murphy jon.murphy@ipfire.org Date: Thu Jun 9 16:27:23 2022 -0500
ovpnmain.cgi: correct spelling
- change "coment" to "comment"
Signed-off-by: Jon Murphy jon.murphy@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit a56d36b07804b31c555fa5241036c592e682adf8 Author: Peter Müller peter.mueller@ipfire.org Date: Thu Jun 9 19:56:13 2022 +0000
Core Update 169: Ship and restart Apache
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 86f22bc9ba5d364aa082320b53d4df007e669ae7 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Thu Jun 9 19:46:41 2022 +0200
apache: Update to 2.4.54
Huge changelog, for details see: https://dlcdn.apache.org/httpd/CHANGES_2.4.54
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 0f5b48467f29149e6e494b6b40471ac25dd5268c Author: Peter Müller peter.mueller@ipfire.org Date: Tue Jun 7 16:52:15 2022 +0000
Core Update 169: Ship toolchain changes
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 7dd292543e2d9c7d1f19071939cc28fdbe64303e Author: Peter Müller peter.mueller@ipfire.org Date: Tue Jun 7 16:46:37 2022 +0000
Core Update 169: Ship and restart Squid
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 19f6c5996613f69ae218498fa33f340b19e4148f Author: Matthias Fischer matthias.fischer@ipfire.org Date: Tue Jun 7 17:35:22 2022 +0200
squid: Update to 5.6
For details see: https://github.com/squid-cache/squid/commits/v5
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 3f8263b80a160b9f14bd7015498c61b565029214 Author: Peter Müller peter.mueller@ipfire.org Date: Tue Jun 7 16:44:26 2022 +0000
boost: Fix ARM rootfiles as well
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit b8939e48831fa18bea1360b6b332c5338ac310db Author: Matthias Fischer matthias.fischer@ipfire.org Date: Mon Jun 6 19:04:14 2022 +0200
boost: Fix rootfile for x86_64
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 053189a4c3e61444b173c5dffab18172cd43f43c Author: Peter Müller peter.mueller@ipfire.org Date: Mon Jun 6 12:11:51 2022 +0000
Core Update 169: Ship lmdb
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 836832af26a954acd298e66f2bf2c4aa3cac71cb Author: Adolf Belka adolf.belka@ipfire.org Date: Tue May 10 12:31:12 2022 +0200
lmdb: Update to version 0.9.29
- Update from version 0.9.24 to 0.9.29
- Update of rootfile not required
- Changelog - there is no changelog in the source tarball or on the Symas website or in the github repository. The following are extracted from the short log of the git commits https://github.com/LMDB/lmdb/commits/LMDB_0.9.29/libraries/liblmdb
Release (0.9.29) ITS#9500 ITS#9500 fix regression from ITS#8662 ITS#9376 simplify ITS#9469 - Typo fixes ITS#9461 fix typo ITS#9461 refix ITS#9376
Release (0.9.28) ITS#8662 Add -a append option to mdb_load Return to RE
Release (0.9.27) ITS#9376 Fixes for repeated deletes with xcursor Return to engineering
Release 0.9.26 ITS#9278 Silence stupid fallthru warning ITS#9278 fix robust mutex cleanup for FreeBSD Return to engineering
Release 0.9.25 ITS#9155 lmdb: free mt_spill_pgs in non-nested txn on end ITS#9118 - Fix typo in prev commit ITS#9118 add MAP_NOSYNC for FreeBSD return to release engineering, ITS#9068 ITS#9068 fix backslash escaping
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 7567e71c074e4c8d9901607686340f70088cc0ec Merge: 6a11476c2 4a4fc8f19 Author: Peter Müller peter.mueller@ipfire.org Date: Sun Jun 5 16:48:54 2022 +0000
Merge branch 'next' into temp-c169-development
commit 6a11476c282fb86d6d0336f86001a46fe81cf2a4 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Jun 4 09:24:56 2022 +0000
Core Update 169: Ship changes related to manualpages in the webIF
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 64db1faf67c608943a6e045ffdd0c283ecf053fa Author: Leo-Andres Hofmann hofmann@leo-andres.de Date: Mon Apr 25 21:12:45 2022 +0200
manualpages: Add path and file extension to the configuration
This allows to correctly assign a URL to a file without relying on unique base names. A custom read function is required because General::readhash() doesn't allow paths as hash keys. Modifying the existing functions could affect other CGIs and was therefore dismissed.
Fixes: #12806
Signed-off-by: Leo-Andres Hofmann hofmann@leo-andres.de
commit 5f8a1acfe94af5cb15bf3d97ae5a1f566d5fed7c Author: Jon Murphy jon.murphy@ipfire.org Date: Mon May 30 18:50:31 2022 -0500
make.sh-usage: Ship changes to make files
In make.sh-usage document:
- updated with descriptions for various commands
- removed descriptions for old commands
In make.sh script:
- updated make.sh usage line "Usage: $0 [OPTIONS] {build|check-manualpages|..."
- removed make.sh clear screen commands in build area and toolchain area
Signed-off-by: Jon Murphy jon.murphy@ipfire.org Reviewed-by: Michael Tremer michael.tremer@ipfire.org
commit 9152d4e453788400c308b20e8fc5695e942407f9 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Jun 4 08:38:41 2022 +0000
Core Update 169: Ship and restart Unbound
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit ba4f3d9a233c8e3fbb461849cd2fa11c8c0ed28b Author: Matthias Fischer matthias.fischer@ipfire.org Date: Thu Jun 2 20:44:09 2022 +0200
unbound: Update to 1.16.0
For details see: https://nlnetlabs.nl/projects/unbound/download/#unbound-1-16-0
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 0585ca7cfdb693156c3aff35b859924f52af63ed Author: Michael Tremer michael.tremer@ipfire.org Date: Tue May 31 11:26:19 2022 +0000
cdrom: Drop menu option for HDT
The Hardware Detection Tool does not work and I do not think it is worth investigating. It is an ancient piece of software which does not work on EFI systems which are becoming more and more common.
Since this has presumably been broken for a long time which nobody has reported I assume that nobody is using it. There are indeed lots better live CDs out there with much better diagnostic tools.
Fixes: #12870 Signed-off-by: Michael Tremer michael.tremer@ipfire.org Acked-by: Peter Müller peter.mueller@ipfire.org
commit 63243696ac46764c58ed18db63c6ea0eadc60ce7 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Thu Jun 2 17:14:37 2022 +0200
tmux: Update to 3.3
For details see: https://raw.githubusercontent.com/tmux/tmux/3.3/CHANGES
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit b2b0bb7d82060a0af9b1aa04ce0769284f6687dd Merge: 8065ec210 de5896985 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Jun 4 08:36:10 2022 +0000
Merge branch 'next' into temp-c169-development
commit 8065ec2108a016f03270d3328d09dafec621ecc2 Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 30 19:46:45 2022 +0000
Core Update 169: Ship libxslt
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 9bee4ce9156c3cd5a3cf342761c941f3c585c57f Author: Adolf Belka adolf.belka@ipfire.org Date: Tue May 10 12:30:44 2022 +0200
libxslt: Update to version 1.1.35
- Update from version 1.1.34 to 1.1.35
- Update of rootfile
- Changelog
v1.1.35: Feb 16 2022:
- Security: [CVE-2021-30560] Fix use-after-free in xsltApplyTemplates Fix memory leak in xsltDocumentElem (David King) Fix memory leak in xsltCompileIdKeyPattern (David King) Fix double-free with stylesheets containing entity nodes
- Fixed regressions: Fix performance regression with predicates in patterns Fix regression in xsltComputeSortResult
- Bug fixes: Fix conflict resolution for templates with same priority Fix xsl:number generating invalid UTF-8 Support attribute value templates in xsl:sort lang attributes Don't pass first xsl:sort in xsl:apply-templates twice Fix quadratic runtime with text and xsl:message Don't allow empty EXSLT durations
- Improvements: Add xsltproc --huge Argument via libxml XML_PARSE_HUGE (William N. Braswell, Jr.)
- Tests, code quality, fuzzing: Remove .travis.yml Fix some misleading indentation (David King) Use actual types for templates in struct _xsltStylesheet Add CI for CMake on MSVC (Markus Rickert) Check for null pointer before calling freelocale Add CI test for Python 3 Don't set maxDepth in XPath contexts Transfer XPath limits to XPtr context Stop using maxParserDepth XPath limit Make long-to-double cast explicit in date.c Disable LeakSanitizer Run clang CI tests with -Wimplicit-int-conversion Fix implicit-int-conversion warning in exslt/crypto.c Fix clang -Wimplicit-int-conversion warning (David Kilzer) Fix clang -Wconditional-uninitialized warning in libxslt/numbers.c (David Kilzer) Fix -Wshadow warnings in libexslt/dynamic.c (David Kilzer) Also search parent dir for source XML when fuzzing
- Build system, portability: Add CMake build files (Markus Rickert) Initial support for Python 3 (Suleyman Poyraz) Call ANSI versions of WinAPI functions explicitly Remove redundant flags from pkg-config files Suppress automake warning in tests/XSLTMark Fix linking libexslt dynamic library when using MinGW (Vadim Zeitlin) Added platform specific path separators (Dmitriy Korovkin) win32: allow passing *FLAGS on command line Fix export of xsltExtMarker on Windows (David Kilzer) Fix redundant includes already in libexslt.h (David Kilzer) Minor fixes to configure.js Fix variable syntax in Python configuration Add new EXSLT string tests to EXTRA_DIST Fix xml2-config check in configure script win32: Add configuration for profiler (Chun-wei Fan) Check whether 'xml2-config --dynamic' is supported
- Documentation: Add Makefile rule to regenerate xsltproc.html Update links Remove MAINTAINERS Upload documentation to GitLab Pages Add documentation in devhelp format Add --enable-rebuild-docs configure option Fix libexslt header summaries Fix validity of tutorial XML (David King) Use DocBook URL for tutorial DTD (David King) Update libxslt.doap Add missing options to xsltproc man page
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 5d03d99e4cfc83c4fe395ad238ea6573a8c48c37 Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 30 19:45:55 2022 +0000
Core Update 169: Ship libxml2
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit d30da847cf5d73fb85ccf7c79b39b26bba466031 Author: Adolf Belka adolf.belka@ipfire.org Date: Tue May 10 12:30:32 2022 +0200
libxml2: Update to version 2.9.14
- Update from version 2.9.12 to 2.9.14
- Update of rootfile
- Changelog
v2.9.14: May 02 2022:
- Security: [CVE-2022-29824] Integer overflow in xmlBuf and xmlBuffer Fix potential double-free in xmlXPtrStringRangeFunction Fix memory leak in xmlFindCharEncodingHandler Normalize XPath strings in-place Prevent integer-overflow in htmlSkipBlankChars() and xmlSkipBlankChars() (David Kilzer) Fix leak of xmlElementContent (David Kilzer)
- Bug fixes: Fix parsing of subtracted regex character classes Fix recursion check in xinclude.c Reset last error in xmlCleanupGlobals Fix certain combinations of regex range quantifiers Fix range quantifier on subregex
- Improvements: Fix recovery from invalid HTML start tags
- Build system, portability: Define LFS macros before including system headers Initialize XPath floating-point globals configure: check for icu DEFS (James Hilliard) configure.ac: produce tar.xz only (GNOME policy) (David Seifert) CMakeLists.txt: Fix LIBXML_VERSION_NUMBER Fix build with older Python versions Fix --without-valid build
v2.9.13: Feb 19 2022:
- Security: [CVE-2022-23308] Use-after-free of ID and IDREF attributes (Thanks to Shinji Sato for the report) Use-after-free in xmlXIncludeCopyRange (David Kilzer) Fix Null-deref-in-xmlSchemaGetComponentTargetNs (huangduirong) Fix memory leak in xmlXPathCompNodeTest Fix null pointer deref in xmlStringGetNodeList Fix several memory leaks found by Coverity (David King)
- Fixed regressions: Fix regression in RelaxNG pattern matching Properly handle nested documents in xmlFreeNode Fix regression with PEs in external DTD Fix random dropping of characters on dumping ASCII encoded XML (Mohammad Razavi) Revert "Make schema validation fail with multiple top-level elements" Fix regression when parsing invalid HTML tags in push mode Fix regression parsing public IDs literals in HTML Fix buffering in xmlOutputBufferWrite Fix whitespace when serializing empty HTML documents Fix XPath recursion limit Fix regression in xmlNodeDumpOutputInternal Work around lxml API abuse
- Bug fixes: Fix xmlSetTreeDoc with entity references Fix double counting of CRLF in comments Make sure to grow input buffer in xmlParseMisc Don't ignore xmllint options after "-" Don't normalize namespace URIs in XPointer xmlns() scheme Fix handling of XSD with empty namespace Also register HTML document nodes Make xmllint return an error if arguments are missing Fix handling of ctxt->base in xmlXPtrEvalXPtrPart Fix xmllint --maxmem Fix htmlReadFd, which was using a mix of xml and html context functions (Finn Barber) Move current position before possible calling of ctxt->sax->characters (Yulin Li) Fix parse failure when 4-byte character in UTF-16 BE is split across a chunk (David Kilzer) Patch to forbid epsilon-reduction of final states (Arne Becker) Avoid segfault at exit when using custom memory functions (Mike Dalessio)
- Tests, code quality, fuzzing: Remove .travis.yml Make xmlFuzzReadString return a zero size in error case Fix unused function warning in testapi.c Update NewsML DTD in test suite Add more checks for malloc failures in xmllint.c Avoid potential integer overflow in xmlstring.c Run CI tests with UBSan implicit-conversion checks Fix casting of line numbers in SAX2.c Fix integer conversion warnings in hash.c Add explicit casts in runtest.c Fix integer conversion warning in xmlIconvWrapper Add suffix to unsigned constant in xmlmemory.c Add explicit casts in testchar.c Fix integer conversion warnings in xmlstring.c Add explicit cast in xmlURIUnescapeString Remove unused variable in xmlCharEncOutFunc (David King)
- Build system, portability: Remove xmlwin32version.h Fix fuzzer test with VPATH build Support custom prefix when installing Python module Remove Makefile.win Remove CVS and SVN-related code Port python 3.x module to Windows and improve distutils (Chun-wei Fan) Correctly install the HTML examples into their subdirectory (Mattia Rizzolo) Refactor the settings of $docdir (Mattia Rizzolo) Remove unused configure checks (Ben Boeckel) python/Makefile.am: use *_LIBADD, not *_LDFLAGS for LIBS (Sam James) Fix check for libtool in autogen.sh Use version in configure.ac for CMake (Timothy Lyanguzov) Add CMake alias targets for embedded projects (Markus Rickert)
- Documentation: Remove SVN keyword anchors Rework README Remove README.cvs-commits Remove old ChangeLog Update hyperlinks Remove README.docs Remove MAINTAINERS Remove xmltutorial.pdf Upload documentation to GitLab pages Document how to escape XML_CATALOG_FILES Fix libxml2.doap Update URL for libxml++ C++ binding (Kjell Ahlstedt) Generate devhelp2 index file (Emmanuele Bassi) Mention XML_CATALOG_FILES is space-separated (Jan Tojnar) Add documentation for xmllint exit code 10 (Rainer Canavan) Fix some validation errors in the FAQ (David King) Add instructions on how to use CMake to compile libxml (Markus Rickert)
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 1e09fe9b2dc6017298f0f3786af6b83c751247f4 Author: Adolf Belka adolf.belka@ipfire.org Date: Tue May 10 12:30:14 2022 +0200
libvorbis: Update to version 1.3.7
- Update from version 1.3.6 to 1.3.7
- Update of rootfile
- Changelog
  libvorbis 1.3.7 (2020-07-04)
   * Fix CVE-2018-10393 - out-of-bounds read encoding very low sample rates.
   * Fix CVE-2017-14160 - out-of-bounds read encoding very low sample rates.
   * Fix handling invalid bytes per sample arguments.
   * Fix handling invalid channel count arguments.
   * Fix invalid free on seek failure.
   * Fix negative shift reading blocksize.
   * Fix accepting unreasonable float32 values.
   * Fix tag comparison depending on locale.
   * Fix unnecessarily linking libm.
   * Fix memory leak in test_sharedbook.
   * Update Visual Studio projects for ogg library filename change.
   * Distribute CMake build files with the source package.
   * Remove unnecessary configure --target switch.
   * Add gitlab CI support.
   * Add OSS-Fuzz support.
   * Build system and integration updates.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 071e31535c0d131233764cc82abd05e2dcc81007 Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 30 19:34:47 2022 +0000
Core Update 169: Ship libyang
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit a173ac37ef35daedcfb5db144e2b18cbfd9606ed Author: Adolf Belka adolf.belka@ipfire.org Date: Tue May 10 12:30:58 2022 +0200
libyang: Update to version 2.0.194
- Update from version 2.0.7 to 2.0.194
- Update of rootfile
- Changelog
  Version 2.0.194 Latest
   major yanglint improvements
   minor XPath fixes
   nested extension handling fixes
   other minor bugfixes
   RPM scripts updated
  Version 2.0.164
   Windows support (thanks to @jktjkt)
   Schema Mount support
   schema compilation fixes
   minor schema printer fixes
   user-ordered list diff bugfix
   JSON anyxml/anydata format fixed
   XML parser CDATA support
   module caching improvements
   doc improvements
   many other various bugfixes
  Version 2.0.112
   support for XPath variables
   minor doxygen improvements
   LYB format bugfixes
   many other bugfixes
  Version 2.0.97
   LYB format data length limit of 64kB lifted
   YANG error-app-tag and error-message improved support
   XPath * evaluation fix
   other minor XPath fixes
  Version 2.0.88
   changed compilation to pedantic and use C11 standard
   major JSON parser fixes
   LYB format updated and performance improved
   LYB big-endian fixes
   opaque node fixes
   major identity handling fixes
   schema compilation refactorization and fixes
   data validation fixes
   NETCONF RPC filter attribute support
   many other minor fixes
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit b93304aa019f8d27aba86e2c838cb724643cc92c Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 30 19:33:43 2022 +0000
Core Update 169: Ship sqlite
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit efb7528e3ff2a0cf8f1a6f6eec4bcb20b3ae7986 Author: Adolf Belka adolf.belka@ipfire.org Date: Wed May 11 10:40:17 2022 +0200
sqlite: Update to version 3380500
- Update from version 3380300 to 3380500
- Update of rootfile not required
- Changelog
  Version 3.38.5
   The 3.38.4 patch release included a minor change to the CLI source code that did not work. The release manager only ran a subset of the normal release tests, and hence did not catch the problem. As a result, the CLI will segfault when using columnar output modes in version 3.38.4. This blunder did not affect the core SQLite library. It only affected the CLI. Take-away lesson: Always run all of your tests prior to a release - even a trivial patch release. Always. The 3.38.5 patch release fixes the 3.38.4 blunder.
  Version 3.38.4
   Another user-discovered problem in the new Bloom filter optimization is fixed in this patch release. Without the fix, it is possible for a multi-way join that uses Bloom filters for two or more tables in the join to enter an infinite loop if the key constraint on one of those tables contains a NULL value.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit c31e6689eaacc4539fbbac19ecfa7a12e8c4c993 Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 30 19:26:59 2022 +0000
Core Update 169: Ship gcc
Further changes are necessary due to toolchain update.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 89be2a0b3b46a63ff9852bbab37c0fd02f208b86 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed May 25 15:39:13 2022 +0000
gcc: Update to 11.3.0
This is just a bug fix release that we should be using.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org Acked-by: Peter Müller peter.mueller@ipfire.org
commit 9c51f71f2f915372b755c0e53998c0595b8bc463 Author: Adolf Belka adolf.belka@ipfire.org Date: Sun May 22 23:43:00 2022 +0200
gdb: Update to version 12.1
- Update from version 11.2 to 12.1
- Update of rootfile
- Changelog
  GDB 12.1 Released!
  This version of GDB includes the following changes and enhancements:
   New support for the following native configuration:
     GNU/Linux/OpenRISC or1k*-*-linux*
   New support for the following targets:
     GNU/Linux/LoongArch loongarch*-*-linux*
   New GDBserver support on the following configuration:
     GNU/Linux/OpenRISC or1k*-*-linux*
   Support for the following target has been removed:
     S+core score-*-*
   Multithreaded symbol loading is now enabled by default
   Deprecation Notices:
     GDB 12 is the last release of GDB that will support building against Python 2
     DBX mode is deprecated, and will be removed in GDB 13
   GDB/MI changes:
     The '-add-inferior' with no option flags now inherits the connection of the current inferior, this restores the behaviour of GDB as it was prior to GDB 10.
     The '-add-inferior' command now accepts a '--no-connection' option, which causes the new inferior to start without a connection.
   Python API enhancements:
     It is now possible to add GDB/MI commands implemented in Python
     New function gdb.Architecture.integer_type()
     New gdb.events.gdb_exiting event
     New 'gdb.events.connection_removed' event registry
     New gdb.TargetConnection object
     New gdb.Inferior.connection property
     New read-only attribute gdb.InferiorThread.details
     New gdb.RemoteTargetConnection.send_packet method
     New read-only attributes gdb.Type.is_scalar and gdb.Type.is_signed
     The gdb.Value.format_string method now takes a 'styling' argument
     Various new function in the "gdb" module
   Miscellaneous:
     The FreeBSD native target now supports async mode
     Improved C++ template support
     Support for disabling source highlighting through GNU of the Pygments library instead.
     The "print" command has been changed so as to print floating-point values with a base-modifying formats such as "/x" to display the underlying bytes of the value in the desired base.
     The "clone-inferior" command now ensures that the TTY, CMD and ARGS settings are copied from the original inferior to the new one. All modifications to the environment variables done using the 'set environment' or 'unset environment' commands are also copied to the new inferior.
     Various new commands have been introduced
  GDB 11.2 Released!
  This is a minor corrective release over GDB 11.1, fixing the following issues:
     PR sim/28302 (gdb fails to build with glibc 2.34)
     PR build/28318 (std::thread support configure check does not use CXX_DIALECT)
     PR gdb/28405 (arm-none-eabi: internal-error: ptid_t remote_target::select_thread_for_ambiguous_stop_reply(const target_waitstatus*): Assertion `first_resumed_thread != nullptr' failed)
     PR tui/28483 ([gdb/tui] breakpoint creation not displayed)
     PR build/28555 (uclibc compile failure since commit 4655f8509fd44e6efabefa373650d9982ff37fd6)
     PR rust/28637 (Rust characters will be encoded using DW_ATE_UTF)
     PR gdb/28758 (GDB 11 doesn't work correctly on binaries with a SHT_RELR (.relr.dyn) section)
     PR gdb/28785 (Support SHT_RELR (.relr.dyn) section)
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 75d3718b2443cd0498965f77f5f1de67f2a1a3a7 Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 30 19:24:02 2022 +0000
Core Update 169: Ship changed cloud initscripts
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 7154d8bfa60a8a18f7cfb827c31bf148d69902bd Author: Michael Tremer michael.tremer@ipfire.org Date: Thu May 19 09:40:27 2022 +0000
aws-cli: Update to 1.23.12
This package and python3-botocore have to match exactly. Amazon does not seem to care too much about compatibility between different versions which is why we need to keep both in sync.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 15194dcc3964265a2e64e9bea155989d96ddf326 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu May 19 09:40:26 2022 +0000
python3-botocore: Update to 1.25.12
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 9e413732132a382a55c4af51a548d329185de56b Author: Michael Tremer michael.tremer@ipfire.org Date: Thu May 19 09:40:25 2022 +0000
cloud: Execute user-data scripts at the end of initialization
This is useful when the user-data needs to reboot an instance. Previously, some initialization did not happen which is now being done first before the user-data script is being executed.
This gives users more flexibility about what they are doing in those scripts.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 4aab717c073e3ed3cc05f14f0669988f5a0b937c Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 30 19:21:25 2022 +0000
Core Update 169: Ship xfsprogs
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 2e4c8a2163d8dd4308329fef4c0b8ca48147c8f5 Author: Adolf Belka adolf.belka@ipfire.org Date: Wed May 11 10:40:30 2022 +0200
xfsprogs: Update to version 5.16.0
- Update from 5.14.2 to 5.16.0
- Update of rootfile
- Changelog
  5.16.0
   This release is almost 100% a libxfs sync. I'm trying to catch up, and the next release will be 5.18.0-rc0, with both 5.17 and 5.18 libxfs changes synced. (there are very few). At that point I'll finally start pulling in more functional changes.
   xfsprogs-5.16.0 (04 May 2022)
    - libxfs: remove kernel stubs from xfs_shared.h (Eric Sandeen)
    - debian: Generate .gitcensus instead of .census (Bastian Germann)
   xfsprogs-5.16.0-rc0 (28 Apr 2022)
    - libxfs changes merged from kernel 5.16
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 1ebf40b37b3d9dcabe5ca40a327b1d55fa66b225 Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 30 19:20:40 2022 +0000
Core Update 169: Ship OpenVPN due to lzip update
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 42ceefc743f6d4d212720fd5c25e753c468f30bb Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 30 19:20:27 2022 +0000
Core Update 169: Ship lzip
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit a742c7f58876497e3956bbc01e6b6bd64f794701 Author: Adolf Belka adolf.belka@ipfire.org Date: Tue May 10 12:31:55 2022 +0200
lzip: Update to version 1.23
- Update from 1.22 to 1.23
- Update of rootfile not required
- Changelog
  Version 1.23 released.
   * Decompression time has been reduced by 5-12% depending on the file.
   * main.cc (getnum): Show option name and valid range if error.
   * Improve several descriptions in manual, '--help', and man page.
   * lzip.texi: Change GNU Texinfo category to 'Compression'. (Reported by Alfred M. Szmidt).
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit bfd00e341fe94418a7fd3d5269b8ae96788624d1 Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 30 19:19:52 2022 +0000
Core Update 169: Ship libnetfilter_cthelper
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 79e203acc95c6b4fc1a5da5b22b5ec4f1d6d8220 Author: Adolf Belka adolf.belka@ipfire.org Date: Wed May 11 10:39:35 2022 +0200
libnetfilter_cthelper: Update to version 1.0.1
- Update from version 1.0.0 to 1.0.1
- Update of rootfile not required
- Changelog
  1.0.1
   * Allow build on uclinux
   * Use after free in nfct_helper_free()
   * Double free in nfct-helper-add example
   * Invalid argument error in nftc-helper-add
   * Incorrect netlink message building with multiple nfct helper policies
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 3307507a4ac4e8ea1bdfe2be51d6a20a2288f297 Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 30 19:19:34 2022 +0000
Core Update 169: Ship libnetfilter_cttimeout
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit e83cac87ecf5ad6763b16e704011f1faa559ae8c Author: Adolf Belka adolf.belka@ipfire.org Date: Wed May 11 10:40:02 2022 +0200
libnetfilter_cttimeout: Update to version 1.0.1
- Update from 1.0.0 to 1.0.1
- Update of rootfile not required
- Changelog
  1.0.1
   * Warnings with automake-1.12
   * Allow building on uclinux
   * Fix building with clang
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit e53b89a0a01df81f7aa22ba143a439af53685d80 Author: Adolf Belka adolf.belka@ipfire.org Date: Sun May 22 23:43:15 2022 +0200
git: Update to version 2.36.1
- Update from version 2.36.0 to 2.36.1
- Update of rootfile not required
- Changelog
  Git v2.36.1 Release Notes
  Fixes since v2.36
   * "git submodule update" without pathspec should silently skip an uninitialized submodule, but it started to become noisy by mistake.
   * "diff-tree --stdin" has been broken for about a year, but 2.36 release broke it even worse by breaking running the command with <pathspec>, which in turn broke "gitk" and got noticed. This has been corrected by aligning its behaviour to that of "log".
   * Regression fix for 2.36 where "git name-rev" started to sometimes reference strings after they are freed.
   * "git show <commit1> <commit2>... -- <pathspec>" lost the pathspec when showing the second and subsequent commits, which has been corrected.
   * "git fast-export -- <pathspec>" lost the pathspec when showing the second and subsequent commits, which has been corrected.
   * "git format-patch <args> -- <pathspec>" lost the pathspec when showing the second and subsequent commits, which has been corrected.
   * Get rid of a bogus and over-eager coccinelle rule.
   * Correct choices of C compilers used in various CI jobs.
  Also contains minor documentation updates and code clean-ups.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 6bea701c49d2130ba53d968746a552f420515e37 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Mon May 16 15:59:57 2022 +0200
clamav: Update to 0.105.0
For details see: https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
commit c3810f44e533175945fd31b3dc8de5c6eaa1f3a2 Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 30 19:14:28 2022 +0000
Core Update 169: Ship logrotate
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 99516d5836d6d36d9ed00053937adf63ee0d4746 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Thu May 26 17:25:38 2022 +0200
logrotate: Update to 3.20.1
For details since v3.18.0 see:
https://github.com/logrotate/logrotate/releases/tag/3.20.1
https://github.com/logrotate/logrotate/releases/tag/3.20.0
https://github.com/logrotate/logrotate/releases/tag/3.19.0
logrotate-3.20.1
 drop world-readable permission on state file even when ACLs are enabled (#446)
logrotate-3.20.0
 fix potential DoS from unprivileged users via the state file (CVE-2022-1348)
 fix a misleading debug message with copytruncate and rotate 0 (#443)
 add support for unsigned time_t (#438)
 do not lock state file /dev/null (#433)
logrotate-3.19.0
 continue on EINTR in compressLogFile() (#430)
 enforce stricter parsing of configuration files (#427, #431)
 avoid confusing error message in debug mode (#426)
 fix full_write() on incomplete write (#415)
 do not use alloca() any more (#412)
 do not rotate hard links unless allowhardlink is used (#407)
 change directory after dropping privileges (#397)
 add defence in depth when dropping privileges (#400)
 remove invalid configuration on error (#408)
 do not open symbolic link log files by accident (#399)
 do not write state if state file is /dev/null (#395)
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 73bac85db4c06ee01b758b580d10c76dc347e796 Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 30 19:13:29 2022 +0000
Core Update 169: Restart firewall engine and require a reboot
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit b86439a2217148814a856758e4ded420a8f5a5fa Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 30 19:13:08 2022 +0000
Core Update 169: Ship iptables
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 2cc3995bc5132e66fcd97570307f00dca34f1e9a Author: Adolf Belka adolf.belka@ipfire.org Date: Sun May 22 23:43:28 2022 +0200
iptables: Update to version 1.8.8
- Update from version 1.8.7 to 1.8.8
- Update of rootfile
- Changelog
  Version 1.8.8
   extensions: libxt_conntrack: use bitops for state negation
   extensions: libxt_conntrack: use bitops for status negation
   xtables: Call init_extensions6() for static builds
   xtables: Call init_extensions{,a,b}() for static builds
   iptables-nft: fix -Z option
   libxtables: exit if called by setuid executeable
   iptables-nft: allow removal of empty builtin chains
   extensions: tcpmss: add iptables-translate support
   nft-shared: set correct register value
   nft-shared: support native tcp port delinearize
   nft-shared: support native tcp port range delinearize
   nft-shared: support native udp port delinearize
   nft: prefer native expressions instead of udp match
   nft: prefer native expressions instead of tcp match
   nft-shared: add tcp flag dissection
   nft: add support for native tcp flag matching
   tests: shell: fix bashism
   nft: fix indentation error.
   tests: iptables-test: correct misspelt variable
   extensions: libxt_NFLOG: fix `--nflog-prefix` Python test-cases
   extensions: libxt_NFLOG: remove extra space when saving targets with prefixes
   build: replace `AM_PROG_LIBTOOL` and `AC_DISABLE_STATIC` with `LT_INIT`
   extensions: libxt_NFLOG: fix typo
   tests: iptables-test: rename variable
   tests: add `NOMATCH` test result
   tests: support explicit variant test result
   tests: NFLOG: enable `--nflog-range` tests
   xshared: Implement xtables lock timeout using signals
   extensions: libxt_NFLOG: use nft built-in logging instead of xt_NFLOG
   extensions: libxt_NFLOG: don't truncate log prefix on print/save
   extensions: libxt_NFLOG: disable `--nflog-range` Python test-cases
   fix build for missing ETH_ALEN definition
   libxtables: extend xlate infrastructure
   tests: xlate-test: support multiline expectation
   extensions: libxt_connlimit: add translation
   extensions: libxt_tcp: rework translation to use flags match representation
   extensions: libxt_conntrack: simplify translation using negation
   extensions: libxt_multiport: add translation for -m multiport --ports
   nft-shared: update context register for bitwise expression
   nft: pass struct nft_xt_ctx to parse_meta()
   nft: native mark matching support
   nft: pass handle to helper functions to build netlink payload
   nft: prepare for dynamic register allocation
   nft: split gen_payload() to allocate register and initialize expression
   configure: bump version for 1.8.8 release
   ip6tables: masquerade: use fully-random so that nft can understand the rule
   ebtables: Exit gracefully on invalid table names
   include: Drop libipulog.h
   nft: Fix bitwise expression avoidance detection
   xtables-translate: Fix translation of odd netmasks
   libxtables: Simplify xtables_ipmask_to_cidr() a bit
   nft: cache: Sort chains on demand only
   nft: Increase BATCH_PAGE_SIZE to support huge rulesets
   extensions: sctp: Explain match types in man page
   Eliminate inet_aton() and inet_ntoa()
   nft-arp: Make use of ipv4_addr_to_string()
   extensions: SECMARK: Implement revision 1
   xtables: Make invflags 16bit wide
   xshared: Eliminate iptables_command_state->invert
   xshared: Merge invflags handling code
   ebtables-translate: Use shared ebt_get_current_chain() function
   Use proto_to_name() from xshared in more places
   extensions: sctp: Fix nftables translation
   extensions: sctp: Translate --chunk-types option
   libxtables: Drop leftover variable in xtables_numeric_to_ip6addr()
   extensions: libebt_ip6: Drop unused variables
   libxtables: Fix memleak in xtopt_parse_hostmask()
   nft: Avoid memleak in error path of nft_cmd_new()
   nft: Avoid buffer size warnings copying iface names
   iptables-apply: Drop unused variable
   extensions: libebt_ip6: Use xtables_ip6parse_any()
   libxtables: Introduce xtables_strdup() and use it everywhere
   extensions: libxt_string: Avoid buffer size warning for strncpy()
   doc: ebtables-nft.8: Adjust for missing atomic-options
   ebtables: Dump atomic waste
   nft: Fix for non-verbose check command
   tests/shell: Assert non-verbose mode is silent
   extensions: hashlimit: Fix tests with HZ=100
   iptables-test: Make netns spawning more robust
   extensions: libxt_mac: Fix for missing space in listing
   nft: Use xtables_malloc() in mnl_err_list_node_add()
   nft: Use xtables_{m,c}alloc() everywhere
   tests: iptables-test: Fix missing chain case
   tests: xlate-test: Don't skip any input after the first empty line
   tests: xlate-test: Print errors to stderr
   tests: iptables-test: Print errors to stderr
   tests: xlate-test: Exit non-zero on error
   tests: iptables-test: Exit non-zero on error
   tests: shell: Return non-zero on error
   ebtables: Avoid dropping policy when flushing
   tests: iptables-test: Fix conditional colors on stderr
   nft: cache: Avoid double free of unrecognized base-chains
   nft: Check base-chain compatibility when adding to cache
   nft-chain: Introduce base_slot field
   nft: Delete builtin chains compatibly
   nft: Introduce builtin_tables_lookup()
   xshared: Store optstring in xtables_globals
   nft-shared: Introduce init_cs family ops callback
   xtables: Simplify addr_mask freeing
   nft: Add family ops callbacks wrapping different nft_cmd_* functions
   xtables-standalone: Drop version number from init errors
   libxtables: Introduce xtables_globals print_help callback
   arptables: Use standard data structures when parsing
   nft-arp: Introduce post_parse callback
   nft-shared: Make nft_check_xt_legacy() family agnostic
   xtables: Derive xtables_globals from family
   xtables: arptables accepts empty interface names
   nft: Merge xtables-arp-standalone.c into xtables-standalone.c
   Unbreak xtables-translate
   xlate-test: Print full path if testing all files
   extensions: hashlimit: Fix tests with HZ=1000
   xshared: Merge and share parse_chain()
   nft: Change whitespace printing in save_rule callback
   xshared: Share print_iface() function
   xshared: Share save_rule_details() with legacy
   xshared: Share save_ipv{4,6}_addr() with legacy
   xshared: Share print_rule_details() with legacy
   xshared: Share print_fragment() with legacy
   xshared: Share print_header() with legacy iptables
   nft-shared: Drop unused function print_proto()
   xshared: Make load_proto() static
   xshared: Share print_match_save() between legacy ip*tables
   xshared: Share a common printhelp function
   xshared: Share exit_tryhelp()
   xtables_globals: Embed variant name in .program_version
   libxtables: Extend basic_exit_err()
   iptables-*-restore: Drop pointless line reference
   xtables: Drop xtables' family on demand feature
   xtables: Pull table validity check out of do_parse()
   xtables: Move struct nft_xt_cmd_parse to xshared.h
   xtables: Pass xtables_args to check_empty_interface()
   xtables: Pass xtables_args to check_inverse()
   xtables: Do not pass nft_handle to do_parse()
   xshared: Move do_parse to shared space
   xshared: Store parsed wait and wait_interval in xtables_args
   nft: Move proto_parse and post_parse callbacks to xshared
   iptables: Use xtables' do_parse() function
   ip6tables: Use the shared do_parse, too
   extensions: *NAT: Kill multiple IPv4 range support
   xshared: Fix response to unprivileged users
   nft: Use verbose flag to toggle debug output
   iptables-restore: Support for extra debug output
   nft: Set NFTNL_CHAIN_FAMILY in new chains
   ebtables: Support verbose mode
   nft: Add debug output to table creation
   nft: cache: Dump rules if debugging
   tests: iptables-test: Support variant deviation
   iptables.8: Describe the effect of multiple -v flags
   libxtables: Register only the highest revision extension
   Improve error messages for unsupported extensions
   nft: Simplify immediate parsing
   nft: Speed up immediate parsing
   xshared: Prefer xtables_chain_protos lookup over getprotoent
   nft: Don't pass command state opaque to family ops callbacks
   libxtables: Fix for warning in xtables_ipmask_to_numeric
   Simplify static build extension loading
   nft: Review static extension loading
   tests: shell: Fix 0004-return-codes_0 for static builds
   nft: Reject standard targets as chain names when restoring
   libxtables: Implement notargets hash table
   libxtables: Boost rule target checks by announcing chain names
   xlate-test: Fix for empty source line on failure
   man: DNAT: Describe shifted port range feature
   Revert "libipt_[SD]NAT: avoid false error about multiple destinations specified"
   extensions: ipt_DNAT: Merge v1 and v2 parsers
   extensions: ipt_DNAT: Merge v1/v2 print/save code
   extensions: ipt_DNAT: Combine xlate functions also
   extensions: DNAT: Rename from libipt to libxt
   extensions: Merge IPv4 and IPv6 DNAT targets
   extensions: Merge REDIRECT into DNAT
   extensions: man: Document service name support in DNAT and REDIRECT
   extensions: MARK: Drop extra newline at end of help
   xshared: Move arp_opcodes into shared space
   xshared: Extend xtables_printhelp() for arptables
   libxtables: Drop xtables_globals 'optstring' field
   libxtables: Revert change to struct xtables_pprot
   extensions: DNAT: Merge core printing functions
   man: *NAT: Review --random* option descriptions
   extensions: LOG: Document --log-macdecode in man page
   nft: Fix EPERM handling for extensions without rev 0
   xtables-translate: add missing argument and option to usage
   Fix a few doc typos
   iptables-test.py: print with color escapes only when stdout isatty
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 922013ca2adeb19d1d79e98fb3736b9ca2fac365 Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 30 19:11:22 2022 +0000
Core Update 169: Ship fuse
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 37ddc46691899bd95f781bfcdf3a836ea4d3f51c Author: Adolf Belka adolf.belka@ipfire.org Date: Sun May 22 23:42:40 2022 +0200
fuse: Update to version 3.11.0
- Update from 3.10.4 to 3.11.0
- Update of rootfile
- Changelog
  fuse 3.11.0 (2022-05-02)
   * Add support for flag FOPEN_NOFLUSH for avoiding flush on close.
   * Fixed returning an error condition to ioctl(2)
  fuse 3.10.5 (2021-09-06)
   * Various improvements to make unit tests more robust.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 8cd9c344393f5a1b56acfe55f669f4230faad9db Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 30 19:10:53 2022 +0000
Core Update 169: Ship curl
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 247d9e685e4c49d22446443a9064902987c50fef Author: Adolf Belka adolf.belka@ipfire.org Date: Sun May 22 23:42:17 2022 +0200
curl: Update to version 7.83.1
- Update from version 7.83.0 to 7.83.1
- Update of rootfile not required
- Changelog
  version 7.83.1
  This release includes the following bugfixes:
   o altsvc: fix host name matching for trailing dots [31]
   o cirrus: Update to FreeBSD 12.3 [24]
   o cirrus: Use pip for Python packages on FreeBSD [23]
   o conn: fix typo 'connnection' -> 'connection' in two function names [1]
   o cookies: make bad_domain() not consider a trailing dot fine [26]
   o curl: free resource in error path [3]
   o curl: guard against size_t wraparound in no-clobber code [4]
   o CURLOPT_DOH_URL.3: mention the known bug [19]
   o CURLOPT_HSTS*FUNCTION.3: document the involved structs as well [20]
   o CURLOPT_SSH_AUTH_TYPES.3: fix the default [18]
   o data/test376: set a proper name
   o GHA/mbedtls: enabled nghttp2 in the build [11]
   o gha: build msh3 [5]
   o gskit: fixed bogus setsockopt calls [17]
   o gskit: remove unused function set_callback [2]
   o hsts: ignore trailing dots when comparing hosts names [28]
   o HTTP-COOKIES: add missing CURLOPT_COOKIESESSION [40]
   o http: move Curl_allow_auth_to_host() [9]
   o http_proxy/hyper: handle closed connections [34]
   o hyper: fix test 357 [32]
   o Makefile: fix "make ca-firefox" [37]
   o mbedtls: bail out if rng init fails [14]
   o mbedtls: fix compile when h2-enabled [12]
   o mbedtls: fix some error messages
   o misc: use "autoreconf -fi" instead buildconf [22]
   o msh3: get msh3 version from MsH3Version [6]
   o msh3: print boolean value as text representation [10]
   o msh3: psss remote_port to MsH3ConnectionOpen [7]
   o ngtcp2: add ca-fallback support for OpenSSL backend [35]
   o nss: return error if seemingly stuck in a cert loop [30]
   o openssl: define HAVE_SSL_CTX_SET_EC_CURVES for libressl [8]
   o post_per_transfer: remove the updated file name [27]
   o sectransp: bail out if SSLSetPeerDomainName fails [33]
   o tests/server: declare variable 'reqlogfile' static [39]
   o tests: fix markdown formatting in README [38]
   o test{898,974,976}: add 'HTTP proxy' keywords [16]
   o tls: check more TLS details for connection reuse [25]
   o url: check SSH config match on connection reuse [21]
   o urlapi: address (harmless) UndefinedBehavior sanitizer warning [15]
   o urlapi: reject percent-decoding host name into separator bytes [29]
   o x509asn1: make do_pubkey handle EC public keys [13]
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 3f6238f7c1ed0dfb8804ae8ddc6af2147e5ac2ca Merge: 690d42084 71d53192d Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 30 19:09:46 2022 +0000
Merge branch 'next' into temp-c169-development
commit 690d420840754fc6f2518d5d2f0be38df471a718 Author: Peter Müller peter.mueller@ipfire.org Date: Wed May 18 14:32:32 2022 +0000
Start Core 169
Signed-off-by: Peter Müller peter.mueller@ipfire.org
-----------------------------------------------------------------------
hooks/post-receive -- IPFire 2.x development tree