This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  f2d5cb7c99835285d3fdef10f21fdcf6fb98aa51 (commit)
       via  f6615f3025aa54603b733987da48c0263afe29b1 (commit)
       via  69d7702ddedb0ea43d6d01250881f7a921532f4d (commit)
       via  45496ad1903a512b67be2119bd2ef4901330913d (commit)
       via  de614755846114de689bd94ae4c32e0e164fa6bb (commit)
      from  2e63b7128e519657d445b0cbfc473725fc13a3a4 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit f2d5cb7c99835285d3fdef10f21fdcf6fb98aa51
Author: Arne Fitzenreiter arne_f@ipfire.org
Date:   Fri Jul 21 06:01:29 2023 +0000

    kernel: update to 6.1.39

    Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
    Signed-off-by: Michael Tremer michael.tremer@ipfire.org

commit f6615f3025aa54603b733987da48c0263afe29b1
Author: Arne Fitzenreiter arne_f@ipfire.org
Date:   Fri Jul 21 05:47:57 2023 +0000

    kernel: fix rootfile

    Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
    Signed-off-by: Michael Tremer michael.tremer@ipfire.org

commit 69d7702ddedb0ea43d6d01250881f7a921532f4d
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Fri Jul 21 09:33:34 2023 +0000

    core177: Ship & restart OpenSSH

    Signed-off-by: Michael Tremer michael.tremer@ipfire.org

commit 45496ad1903a512b67be2119bd2ef4901330913d
Author: Adolf Belka adolf.belka@ipfire.org
Date:   Thu Jul 20 18:04:39 2023 +0200

    openssh: Update to version 9.3p2 - Fixes CVE-2023-38408

    - Update from version 9.3p1 to 9.3p2
    - Update of rootfile not required
    - Changelog
        9.3p2 (2023-07-19)
            This release fixes a security bug.
            Security
                Fix CVE-2023-38408 - a condition where specific libraries loaded via
                ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
                code execution via a forwarded agent socket if the following
                conditions are met:
                * Exploitation requires the presence of specific libraries on
                  the victim system.
                * Remote exploitation requires that the agent was forwarded
                  to an attacker-controlled system.
                Exploitation can also be prevented by starting ssh-agent(1) with an
                empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
                an allowlist that contains only specific provider libraries.
                This vulnerability was discovered and demonstrated to be exploitable
                by the Qualys Security Advisory team.
                In addition to removing the main precondition for exploitation,
                this release removes the ability for remote ssh-agent(1) clients
                to load PKCS#11 modules by default (see below).
            Potentially-incompatible changes
                * ssh-agent(8): the agent will now refuse requests to load PKCS#11
                  modules issued by remote clients by default. A flag has been added
                  to restore the previous behaviour "-Oallow-remote-pkcs11".
                  Note that ssh-agent(8) depends on the SSH client to identify
                  requests that are remote. The OpenSSH >=8.9 ssh(1) client does
                  this, but forwarding access to an agent socket using other tools
                  may circumvent this restriction.

    Signed-off-by: Adolf Belka adolf.belka@ipfire.org
    Signed-off-by: Michael Tremer michael.tremer@ipfire.org

commit de614755846114de689bd94ae4c32e0e164fa6bb
Author: Adolf Belka adolf.belka@ipfire.org
Date:   Tue Jul 18 16:17:36 2023 +0200

    sudo: Update to version 1.9.14p2

    - Update from version 1.9.14 to 1.9.14p2
    - Update of rootfile not required
    - Changelog
        1.9.14p2
            * Fixed a crash on Linux systems introduced in version 1.9.14 when
              running a command with a NULL argv[0] if "log_subcmds" or
              "intercept" is enabled in sudoers.
            * Fixed a problem with "stair-stepped" output when piping or
              redirecting the output of a sudo command that takes user input.
            * Fixed a bug introduced in sudo 1.9.14 that affects matching
              sudoers rules containing a Runas_Spec with an empty Runas user.
              These rules should only match when sudo's -g option is used but
              were matching even without the -g option. GitHub issue #290.
        1.9.14p1
            * Fixed an invalid free bug in sudo_logsrvd that was introduced
              in version 1.9.14 which could cause sudo_logsrvd to crash.
            * The sudoers plugin no longer tries to send the terminal name
              to the log server when no terminal is present. This bug was
              introduced in version 1.9.14.

    Signed-off-by: Adolf Belka adolf.belka@ipfire.org
    Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/kernel/kernel.config.aarch64-ipfire         |  2 +-
 config/kernel/kernel.config.x86_64-ipfire          |  2 +-
 config/rootfiles/common/aarch64/linux              |  2 ++
 config/rootfiles/common/x86_64/linux               |  2 ++
 .../{oldcore/100 => core/177}/filelists/openssh    |  0
 config/rootfiles/core/177/update.sh                |  1 +
 lfs/linux                                          |  4 ++--
 lfs/openssh                                        |  4 ++--
 lfs/rtl8812au                                      |  1 +
 lfs/rtl8822bu                                      |  1 +
 lfs/sudo                                           |  4 ++--
 .../remove_regulatory_ignore_stale_kickoff.patch   | 17 +++++++++++++++++
 12 files changed, 32 insertions(+), 8 deletions(-)
 copy config/rootfiles/{oldcore/100 => core/177}/filelists/openssh (100%)
 create mode 100644 src/patches/rtl8812au/remove_regulatory_ignore_stale_kickoff.patch
Difference in files: diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index bc07256b6..9ad75c92b 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm64 6.1.38-ipfire Kernel Configuration +# Linux/arm64 6.1.39-ipfire Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.1.0" CONFIG_CC_IS_GCC=y diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index eeda765dd..e40181dc6 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 6.1.38-ipfire Kernel Configuration +# Linux/x86 6.1.39-ipfire Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.1.0" CONFIG_CC_IS_GCC=y diff --git a/config/rootfiles/common/aarch64/linux b/config/rootfiles/common/aarch64/linux index 49bbc7c57..230e419d3 100644 --- a/config/rootfiles/common/aarch64/linux +++ b/config/rootfiles/common/aarch64/linux @@ -7229,6 +7229,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/BTRFS_FS #lib/modules/KVER-ipfire/build/include/config/BTRFS_FS_POSIX_ACL #lib/modules/KVER-ipfire/build/include/config/BUG +#lib/modules/KVER-ipfire/build/include/config/BUG_ON_DATA_CORRUPTION #lib/modules/KVER-ipfire/build/include/config/BUILDTIME_TABLE_SORT #lib/modules/KVER-ipfire/build/include/config/BUILD_SALT #lib/modules/KVER-ipfire/build/include/config/CACHEFILES 
@@ -7624,6 +7625,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/DEBUG_BUGVERBOSE #lib/modules/KVER-ipfire/build/include/config/DEBUG_INFO_NONE #lib/modules/KVER-ipfire/build/include/config/DEBUG_KERNEL +#lib/modules/KVER-ipfire/build/include/config/DEBUG_LIST #lib/modules/KVER-ipfire/build/include/config/DEBUG_MISC #lib/modules/KVER-ipfire/build/include/config/DEBUG_PREEMPT #lib/modules/KVER-ipfire/build/include/config/DEBUG_SHIRQ diff --git a/config/rootfiles/common/x86_64/linux b/config/rootfiles/common/x86_64/linux index 512246b73..3db69b01c 100644 --- a/config/rootfiles/common/x86_64/linux +++ b/config/rootfiles/common/x86_64/linux @@ -6985,6 +6985,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/BTRFS_FS_POSIX_ACL #lib/modules/KVER-ipfire/build/include/config/BTT #lib/modules/KVER-ipfire/build/include/config/BUG +#lib/modules/KVER-ipfire/build/include/config/BUG_ON_DATA_CORRUPTION #lib/modules/KVER-ipfire/build/include/config/BUILDTIME_MCOUNT_SORT #lib/modules/KVER-ipfire/build/include/config/BUILDTIME_TABLE_SORT #lib/modules/KVER-ipfire/build/include/config/BUILD_SALT @@ -7328,6 +7329,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER-ipfire/build/include/config/DEBUG_BUGVERBOSE #lib/modules/KVER-ipfire/build/include/config/DEBUG_INFO_NONE #lib/modules/KVER-ipfire/build/include/config/DEBUG_KERNEL +#lib/modules/KVER-ipfire/build/include/config/DEBUG_LIST #lib/modules/KVER-ipfire/build/include/config/DEBUG_MISC #lib/modules/KVER-ipfire/build/include/config/DEBUG_PREEMPT #lib/modules/KVER-ipfire/build/include/config/DEBUG_WX diff --git a/config/rootfiles/core/177/filelists/openssh b/config/rootfiles/core/177/filelists/openssh new file mode 120000 index 000000000..d8c77fd8e --- /dev/null +++ b/config/rootfiles/core/177/filelists/openssh @@ -0,0 +1 @@ +../../../common/openssh \ No newline at end of file 
diff --git a/config/rootfiles/core/177/update.sh b/config/rootfiles/core/177/update.sh index a98d39f2d..818079940 100644 --- a/config/rootfiles/core/177/update.sh +++ b/config/rootfiles/core/177/update.sh @@ -121,6 +121,7 @@ ldconfig /usr/local/bin/filesystem-cleanup
# Start services +/etc/init.d/sshd restart /etc/init.d/unbound reload /etc/init.d/ntp restart if [ -f /var/ipfire/proxy/enable ]; then diff --git a/lfs/linux b/lfs/linux index e9a50fba5..75fa0c00f 100644 --- a/lfs/linux +++ b/lfs/linux @@ -24,7 +24,7 @@
include Config
-VER = 6.1.38 +VER = 6.1.39
ARM_PATCHES = 6.1.y-ipfire2
@@ -76,7 +76,7 @@ objects = \ $(DL_FILE) = $(URL_IPFIRE)/$(DL_FILE) arm-multi-patches-$(ARM_PATCHES).patch.xz = $(URL_IPFIRE)/arm-multi-patches-$(ARM_PATCHES).patch.xz
-$(DL_FILE)_BLAKE2 = 43f0fe3f8aeb03e5a2bf46b358b8dc4515765b70f56fb136847c78a80889bc2e163768d941500c285f40f705634b5fd3d6e0d81c10521fc351596c95db62490e +$(DL_FILE)_BLAKE2 = 36bb549b14ccff3bd1751ff8475e74a77f8f65d9531ca2379b1dd2ccfe9adcf6852a764d615c42b3ad8a91c0d96668ae970085ab889dd98e21789f54a2f7641e arm-multi-patches-$(ARM_PATCHES).patch.xz_BLAKE2 = 7afc460562fb24bcd75784fc79de768f9b60780aedd88d1a847927169e31920bbb475b1ac1466c4a224a7876d16bd8d465b96202de12b74f6e2ccbfcec731ad3
install : $(TARGET) diff --git a/lfs/openssh b/lfs/openssh index 5a18edd70..83c94ffdc 100644 --- a/lfs/openssh +++ b/lfs/openssh @@ -24,7 +24,7 @@
include Config
-VER = 9.3p1 +VER = 9.3p2
THISAPP = openssh-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 45578edf98bba3d23c7cefe60d8a7d3079e7c6676459f7422ace7a2461ab96943fbcadb478633a80f40bc098f2435722850b563714adb78b14922be53cb5753d +$(DL_FILE)_BLAKE2 = 38f8d4ada263112b318fafccabf0a33a004d8290a867434004eb3d37127c9bdabe6e0225fca9d6d68fb54338fec81dcc9313ca7c91d3a033311db44174dc9f6f
install : $(TARGET)
diff --git a/lfs/rtl8812au b/lfs/rtl8812au index d9cfbe073..e18ba8b5f 100644 --- a/lfs/rtl8812au +++ b/lfs/rtl8812au @@ -77,6 +77,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/rtl8812au/enable_usbmodeswitch.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/rtl8812au/remove_regulatory_ignore_stale_kickoff.patch cd $(DIR_APP) && CONFIG_RTL8812AU=m make $(MAKETUNING) \ -C /lib/modules/$(KVER)-$(VERSUFIX)/build/ M=$(DIR_APP)/ modules
diff --git a/lfs/rtl8822bu b/lfs/rtl8822bu index b7221f101..e6462727e 100644 --- a/lfs/rtl8822bu +++ b/lfs/rtl8822bu @@ -76,6 +76,7 @@ $(subst %,%_BLAKE2,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/rtl8812au/remove_regulatory_ignore_stale_kickoff.patch cd $(DIR_APP) && CONFIG_RTL8822BU=m make $(MAKETUNING) \ -C /lib/modules/$(KVER)-$(VERSUFIX)/build/ M=$(DIR_APP)/ modules
diff --git a/lfs/sudo b/lfs/sudo index 3a55174d3..cf68bf923 100644 --- a/lfs/sudo +++ b/lfs/sudo @@ -24,7 +24,7 @@
include Config
-VER = 1.9.14 +VER = 1.9.14p2
THISAPP = sudo-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 5731eda1cabb23dd3b77851ce1fcde8e1b7efc1b4fa27fe65522c7b8e23c0330003eb2d4ebb47d63416fb3a52db478b2f60ca22da6a2d66cb27c52ea5264749e +$(DL_FILE)_BLAKE2 = a350136731c1c6eca1317a852ce243b270df61ba275608bd0d0ec11760babdb2f9f489b818529484c15a43345fa53c96efd1aa47ab7cc0591c45928ba75c4c85
install : $(TARGET)
diff --git a/src/patches/rtl8812au/remove_regulatory_ignore_stale_kickoff.patch b/src/patches/rtl8812au/remove_regulatory_ignore_stale_kickoff.patch new file mode 100644 index 000000000..933700049 --- /dev/null +++ b/src/patches/rtl8812au/remove_regulatory_ignore_stale_kickoff.patch @@ -0,0 +1,17 @@ +# This feature was removed in kernel 6.5 and the patch was backported to 6.1.39 + +diff --git a/8812au-20210629-07ac856293e247347b891c5dbd13f3ab8321132d.org/os_dep/linux/wifi_regd.c b/8812au-20210629-07ac856293e247347b891c5dbd13f3ab8321132d/os_dep/linux/wifi_regd.c +index 81e1dc7..b4b0bcd 100644 +--- a/os_dep/linux/wifi_regd.c ++++ b/os_dep/linux/wifi_regd.c +@@ -405,10 +405,6 @@ int rtw_regd_init(struct wiphy *wiphy) + wiphy->regulatory_flags &= ~REGULATORY_DISABLE_BEACON_HINTS; + #endif + +-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 19, 0)) +- wiphy->regulatory_flags |= REGULATORY_IGNORE_STALE_KICKOFF; +-#endif +- + return 0; + } + #endif /* CONFIG_IOCTL_CFG80211 */
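Review bot: In config/rootfiles/core/177/update.sh the new `/etc/init.d/sshd restart` runs unconditionally under "# Start services", while the block that follows the ntp restart is conditional on `/var/ipfire/proxy/enable`. Unless the init script itself checks whether SSH access is enabled, this line would start sshd on systems where it is switched off; consider guarding it on the SSH enable setting in the same way. Also note that the fix in 9.3p2 is in ssh-agent, so restarting sshd does not replace ssh-agent processes that are already running.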
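Review bot: lfs/rtl8822bu applies a patch that lives under src/patches/rtl8812au/ and whose diff header names the 8812au-20210629 source tree, with its single hunk at line 405 of os_dep/linux/wifi_regd.c. With `patch -Np1` this only applies if the rtl8822bu copy of that file has matching context, so either keep a separate copy in a patch directory for rtl8822bu or add a comment in lfs/rtl8822bu saying the patch is shared on purpose. None of the five commit messages mentions the rtl8812au/rtl8822bu change; it deserves a line in whichever commit carries it.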
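Review bot: In lfs/openssh the `$(DL_FILE)_BLAKE2` value changes together with `VER`, and the commit message does not say how the new digest was obtained. For a security release it is worth recording that the 9.3p2 tarball was checked against the upstream release signature before the digest was computed, since the digest is the only integrity check visible in this hunk. The same applies to the replaced digests in lfs/sudo and lfs/linux.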
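Review bot: config/rootfiles/common/aarch64/linux and config/rootfiles/common/x86_64/linux gain entries for BUG_ON_DATA_CORRUPTION and DEBUG_LIST, but the two kernel.config hunks in this push change only the version comment from 6.1.38 to 6.1.39. The "kernel: fix rootfile" message should name the commit that enabled these options, so the rootfile change can be traced back to the config change that caused it.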
hooks/post-receive -- IPFire 2.x development tree
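
The OpenSSH 9.3p2 changelog quoted in commit 45496ad ties CVE-2023-38408 to an unfixed ssh-agent and to agent forwarding. The script below is an added example, not part of this push or of OpenSSH: it checks an `ssh -V` banner against 9.3p2 and lists the ssh_config scopes that enable `ForwardAgent`. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IPFire or OpenSSH code): triage for the conditions
# named in the OpenSSH 9.3p2 changelog quoted in the commit message.

# Return 0 if an `ssh -V` banner reports portable OpenSSH >= 9.3p2, 1 if
# older, 2 if unparseable. Caveat: distribution packages may backport the
# fix without changing this string.
openssh_has_fix() {
    ohf_v=${1#OpenSSH_}                 # "9.3p2, OpenSSL 3.1.1 ..."
    ohf_v=${ohf_v%%[ ,]*}               # "9.3p2"
    case $ohf_v in [0-9]*.[0-9]*) ;; *) return 2 ;; esac
    ohf_major=${ohf_v%%.*}
    ohf_rest=${ohf_v#*.}                # "3p2"
    ohf_minor=${ohf_rest%%p*}
    case $ohf_rest in
        *p[0-9]*) ohf_patch=${ohf_rest#*p} ;;
        *)        ohf_patch=0 ;;
    esac
    case "$ohf_major$ohf_minor$ohf_patch" in *[!0-9]*) return 2 ;; esac
    [ "$ohf_major" -gt 9 ] && return 0
    [ "$ohf_major" -lt 9 ] && return 1
    [ "$ohf_minor" -gt 3 ] && return 0
    [ "$ohf_minor" -lt 3 ] && return 1
    [ "$ohf_patch" -ge 2 ]
}

# Read ssh_config text on stdin and print every Host/Match scope in which
# ForwardAgent is not "no" (the value may also be a socket path).
forwarding_scopes() {
    awk '
        BEGIN { scope = "(global)" }
        /^[ \t]*(#|$)/ { next }
        { sub(/=/, " "); key = tolower($1) }
        key == "host" || key == "match" { sub(/^[ \t]+/, ""); scope = $0; next }
        key == "forwardagent" && tolower($2) != "no" { print scope ": " $2 }
    '
}

# Constructed sample configuration, not taken from any real system.
SAMPLE_CONFIG='# per-host settings
Host bastion.example.org
    ForwardAgent yes
Host *.lab.example.org
    forwardagent=yes
Host *
    ForwardAgent no'

printf '%s\n' "$SAMPLE_CONFIG" | forwarding_scopes
```

On a real client, run `openssh_has_fix "$(ssh -V 2>&1)"` and pipe `~/.ssh/config` into `forwarding_scopes`.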