This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 3.x development tree".
The branch, master has been updated
  via 240f3900577f54e8a9b2b680db464bfdd86e4044 (commit)
  via c713847494a39f1e427551bd2a59e6aa98c3f7a5 (commit)
  via 68b16b24c5870294f7ec41187c3c6bb39da4dc2e (commit)
  via 204f04953e1c78c9d55637ed6fa1ff5b6aa1b44f (commit)
  via 91f30fafa1763436bcfddd7010f1c28f50a44c51 (commit)
  via d6957a7ccd7673093a4601d580d169e5bb03676d (commit)
  from d153cb021eb45df6286af91af64024bf3d3fb7d8 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 240f3900577f54e8a9b2b680db464bfdd86e4044
Author: Adolf Belka adolf.belka@ipfire.org
Date: Thu Nov 30 13:36:48 2023 +0100

p11-kit: Update to version 0.25.3

- IPFire-3.x
- Update from version 0.25.0 to 0.25.3
- Changelog
  0.25.3
    rpc: fix serialization of NULL mechanism pointer [#601]
    fix meson build failure in macOS (appleframeworks not found) [#603]
  0.25.2
    fix error code checking of readpassphrase for --login option [#595]
    build fixes [#594]
    test fixes [#596]
  0.25.1
    fix probing of C_GetInterface [#535]
    p11-kit: add command to list tokens [#581]
    p11-kit: add command to list mechanisms supported by a token [#576]
    p11-kit: add command to generate private-public keypair on a token [#551, #582]
    p11-kit: add commands to import/export certificates and public keys into/from a token [#543, #549, #568, #588]
    p11-kit: add commands to list and delete objects of a token [#533, #544, #571]
    p11-kit: add --login option to login into a token with object and profile management commands [#587]
    p11-kit: adjust behavior of PKCS#11 profile management commands [#558, #560, #583, #591]
    p11-kit: print PKCS#11 URIs in list-modules [#532]
    bug and build fixes [#528 #529, #534, #537, #540, #541, #545, #547, #550, #557, #572, #575, #579, #585, #586, #590]
    test fixes [#553, #580]

Signed-off-by: Adolf Belka adolf.belka@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c713847494a39f1e427551bd2a59e6aa98c3f7a5
Author: Adolf Belka adolf.belka@ipfire.org
Date: Thu Nov 30 13:21:36 2023 +0100

pango: Update to version 1.51.0

- IPFire-3.x
- Update from version 1.50.12 to 1.51.0
- Changelog
  1.51.0
    - itemize: Improve script itemization
    - build: Check for cairo DWrite dependency
    - win32: Fix various issues and crashes
    - layout: Add a missing switch case
  1.50.14
    - Fix underline thickness in scaled contexts
  1.50.13
    - win32: Add back fallback for empty fontsets
    - win32: Improve DirectWrite support
    - Fix word segmentation for Japanese
    - Don't set backspace-deletes-char for math symbols
    - coretext: Fix a crash
    - cairo: Apply metrics hinting to underlines too
    - Treat COLRv1 fonts as color fonts

Signed-off-by: Adolf Belka adolf.belka@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 68b16b24c5870294f7ec41187c3c6bb39da4dc2e
Author: Adolf Belka adolf.belka@ipfire.org
Date: Thu Nov 30 12:57:13 2023 +0100

patchelf: Update to version 0.18.0

- IPFire-3.x
- Update from version 0.17.2 to 0.18.0
- Changelog
  0.18.0
    Add options to print, clear and set executable stack state by @cgzones in #456
    Modernizations and strictness improvements by @cgzones in #464
    Add feature to rename dynamic symbols by @brenoguim in #459
    Adjust roundUp for 0 as input by @cgzones in #466
    Avoid overlapping program header table with section header table #457 by @brenoguim in #460
    Other switches might set changed as true. Use extraStrings size. #416 by @brenoguim in #473
    Use the largest segment alignment for libraries requiring non-standard alignments #474 by @brenoguim in #475
    Add one extra page to avoid overlapping with next page if its rounded… by @brenoguim in #469
    Add zsh completion by @Freed-Wu in #490
    Do not let modifyRPath taint shared strings in strtab. Fix #315 by @brenoguim in #481
    Resize segment mapping rewritten sections if needed #482 by @brenoguim in #485

Signed-off-by: Adolf Belka adolf.belka@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 204f04953e1c78c9d55637ed6fa1ff5b6aa1b44f
Author: Adolf Belka adolf.belka@ipfire.org
Date: Thu Nov 30 12:31:18 2023 +0100

polkit: Update to version 123

- IPFire-3.x
- Update from version 122 to 123
- Changelog
  123
    Highlights:
    - better safety with deeper restriction of the configuration files
    - better safety with restricting the daemon's owner under systemd
    - better safety with the systemd unit sandboxing
    - less thread races during upload of the configuration
    Changes
    * prevent wrongful termination of runaway thread
    * Stop installing /usr/share/polkit-1/rules.d as 700/polkitd
    * set User/Group and don't change uid/gid if already set
    * general and/or buildsystem fixes
    * systemd service hardening
    * Packit service integration
    * pkcheck: manpage and help sync
    * general fixes
    * Packit service integration
    * change of ownership of custom configs
    * general fixes
    * localization

Signed-off-by: Adolf Belka adolf.belka@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 91f30fafa1763436bcfddd7010f1c28f50a44c51
Author: Adolf Belka adolf.belka@ipfire.org
Date: Thu Nov 30 12:11:47 2023 +0100

samba: Update to version 4.19.3

- IPFire-3.x
- Update from version 4.19.0 to 4.19.3
- Changelog
  4.19.3
    This is the latest stable release of the Samba 4.19 release series.
    It contains the security-relevant bugfix CVE-2018-14628:
      Wrong ntSecurityDescriptor values for "CN=Deleted Objects" allow read of object tombstones over LDAP (Administrator action required!)
      https://www.samba.org/samba/security/CVE-2018-14628.html

    Description of CVE-2018-14628
      All versions of Samba from 4.0.0 onwards are vulnerable to an information leak (compared with the established behaviour of Microsoft's Active Directory) when Samba is an Active Directory Domain Controller.
      When a domain was provisioned with an unpatched Samba version, the ntSecurityDescriptor is simply inherited from Domain/Partition-HEAD-Object instead of being very strict (as on a Windows provisioned domain).
      This means also non privileged users can use the LDAP_SERVER_SHOW_DELETED_OID control in order to view the names and preserved attributes of deleted objects.
      No information that was hidden before the deletion is visible, but with the correct ntSecurityDescriptor value in place the whole object is also not visible without administrative rights.
      There is no further vulnerability associated with this error, merely an information disclosure.

    Action required in order to resolve CVE-2018-14628!
      The patched Samba does NOT protect existing domains!
      The administrator needs to run the following command (on only one domain controller) in order to apply the protection to an existing domain:

        samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix

      The above requires manual interaction in order to review the changes before they are applied. Typical questions look like this:

        Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
        Owner mismatch: SY (in ref) DA(in current)
        Group mismatch: SY (in ref) DA(in current)
        Part dacl is different between reference and current here is the detail:
        (A;;LCRPLORC;;;AU) ACE is not present in the reference
        (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
        (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
        (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
        (A;;LCRP;;;BA) ACE is not present in the current
        [y/N/all/none] y
        Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org'

      The change should be confirmed with 'y' for all objects starting with 'CN=Deleted Objects'.

  4.19.2
    o Jeremy Allison jra@samba.org
      * BUG 15423: Use-after-free in aio_del_req_from_fsp during smbd shutdown after failed IPC FSCTL_PIPE_TRANSCEIVE.
      * BUG 15426: clidfs.c do_connect() missing a "return" after a cli_shutdown() call.
    o Ralph Boehme slow@samba.org
      * BUG 15463: macOS mdfind returns only 50 results.
    o Volker Lendecke vl@samba.org
      * BUG 15481: GETREALFILENAME_CACHE can modify incoming new filename with previous cache entry value.
    o Stefan Metzmacher metze@samba.org
      * BUG 15464: libnss_winbind causes memory corruption since samba-4.18, impacts sendmail, zabbix, potentially more.
    o Martin Schwenke mschwenke@ddn.com
      * BUG 15479: ctdbd: setproctitle not initialized messages flooding logs.
    o Joseph Sutton josephsutton@catalyst.net.nz
      * BUG 15491: CVE-2023-5568 Heap buffer overflow with freshness tokens in the Heimdal KDC in Samba 4.19
      * BUG 15477: The heimdal KDC doesn't detect s4u2self correctly when fast is in use.

  4.19.1
    This is a security release in order to address the following defects:
    o CVE-2023-3961: Unsanitized pipe names allow SMB clients to connect as root to existing unix domain sockets on the file system.
      https://www.samba.org/samba/security/CVE-2023-3961.html
    o CVE-2023-4091: SMB client can truncate files to 0 bytes by opening files with OVERWRITE disposition when using the acl_xattr Samba VFS module with the smb.conf setting "acl_xattr:ignore system acls = yes"
      https://www.samba.org/samba/security/CVE-2023-4091.html
    o CVE-2023-4154: An RODC and a user with the GET_CHANGES right can view all attributes, including secrets and passwords. Additionally, the access check fails open on error conditions.
      https://www.samba.org/samba/security/CVE-2023-4154.html
    o CVE-2023-42669: Calls to the rpcecho server on the AD DC can request that the server block for a user-defined amount of time, denying service.
      https://www.samba.org/samba/security/CVE-2023-42669.html
    o CVE-2023-42670: Samba can be made to start multiple incompatible RPC listeners, disrupting service on the AD DC.
      https://www.samba.org/samba/security/CVE-2023-42670.html

Signed-off-by: Adolf Belka adolf.belka@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
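
The dbcheck prompt quoted in the samba commit message above can be decoded mechanically. The following is an added example (not code from Samba or IPFire) that parses those ACE lines and reports which allow ACEs in the current descriptor grant read rights to unprivileged trustees. It assumes that "not present in the reference" marks an ACE found only in the current descriptor; READ_RIGHTS and BROAD are choices made for this example.

```python
import re

# Two-letter SDDL access-right codes for directory objects.
RIGHTS = {
    "CC": "create-child", "DC": "delete-child", "LC": "list-children",
    "SW": "self-write", "RP": "read-property", "WP": "write-property",
    "DT": "delete-tree", "LO": "list-object", "CR": "control-access",
    "SD": "delete", "RC": "read-control", "WD": "write-dacl", "WO": "write-owner"}
# SDDL trustee aliases that occur in the prompt.
TRUSTEES = {"AU": "Authenticated Users", "SY": "Local System",
            "DA": "Domain Admins", "BA": "Builtin Administrators"}
READ_RIGHTS = {"LC", "RP", "LO"}  # assumption: rights that let a client list/read
BROAD = {"AU"}                    # assumption: trustees that include ordinary users

ACE_LINE = re.compile(
    r"\((?P<type>[A-Z]+);[^;]*;(?P<rights>[A-Z]*);[^;]*;[^;]*;(?P<sid>[^)]+)\)"
    r" ACE is not present in the (?P<side>reference|current)")

def parse_dbcheck_detail(text):
    """Parse the ACE lines of a dbcheck nTSecurityDescriptor prompt."""
    aces = []
    for m in ACE_LINE.finditer(text):
        aces.append({
            "type": m["type"], "trustee": m["sid"],
            "rights": re.findall("..", m["rights"]),
            # an ACE "not present in the reference" exists only in current
            "only_in": "current" if m["side"] == "reference" else "reference",
        })
    return aces

def exposed_to_unprivileged(aces):
    """Allow ACEs only in the current DACL that give read access to BROAD."""
    return [a for a in aces
            if a["only_in"] == "current" and a["type"] == "A"
            and a["trustee"] in BROAD and READ_RIGHTS & set(a["rights"])]

# Detail lines as quoted in the commit message above.
SAMPLE = """\
(A;;LCRPLORC;;;AU) ACE is not present in the reference
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
(A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
(A;;LCRP;;;BA) ACE is not present in the current
"""

if __name__ == "__main__":
    for a in exposed_to_unprivileged(parse_dbcheck_detail(SAMPLE)):
        names = ", ".join(RIGHTS.get(c, c) for c in a["rights"])
        print(TRUSTEES.get(a["trustee"], a["trustee"]), "->", names)
```

On the quoted prompt this flags only the Authenticated Users ACE, which is the entry the `--fix` run removes from CN=Deleted Objects.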
commit d6957a7ccd7673093a4601d580d169e5bb03676d
Author: Adolf Belka adolf.belka@ipfire.org
Date: Thu Nov 30 09:48:11 2023 +0100

strace: Update to version 6.6

- IPFire-3.x
- Update from version 6.5 to 6.6
- Changelog
  6.6
    Improvements
      Implemented --kill-on-exit option that instructs the tracer to set PTRACE_O_EXITKILL option to all tracee processes and not to detach them on cleanup so they will not be left running after the tracer exit.
      Implemented automatic activation of --kill-on-exit option when --seccomp-bpf is enabled and -p/--attach option is not used.
      Implemented decoding of map_shadow_stack syscall.
      Implemented decoding of FSCONFIG_CMD_CREATE_EXCL fsconfig command.
      Implemented decoding of IFLA_BRPORT_BACKUP_NHID netlink attribute.
      Implemented decoding of SECCOMP_IOCTL_NOTIF_SET_FLAGS ioctl.
      Implemented decoding of UFFDIO_CONTINUE, UFFDIO_POISON, and UFFDIO_WRITEPROTECT ioctls.
      Updated lists of ARCH_*, BPF_*, DEVCONF_*, IORING_*, KEXEC_*, MAP_*, NT_*, PTRACE_*, QFMT_*, SEGV_*, UFFD_*, V4L2_*, and XDP_* constants.
      Updated lists of ioctl commands from Linux 6.6.

Signed-off-by: Adolf Belka adolf.belka@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 p11-kit/p11-kit.nm   | 2 +-
 pango/pango.nm       | 4 ++--
 patchelf/patchelf.nm | 4 ++--
 polkit/polkit.nm     | 2 +-
 samba/samba.nm       | 2 +-
 strace/strace.nm     | 2 +-
 6 files changed, 8 insertions(+), 8 deletions(-)
Difference in files: diff --git a/p11-kit/p11-kit.nm b/p11-kit/p11-kit.nm index 00afe62d0..ac39fc572 100644 --- a/p11-kit/p11-kit.nm +++ b/p11-kit/p11-kit.nm @@ -4,7 +4,7 @@ ###############################################################################
name = p11-kit -version = 0.25.0 +version = 0.25.3 release = 1
groups = System/Libraries diff --git a/pango/pango.nm b/pango/pango.nm index 7498d0f17..9d5a400ff 100644 --- a/pango/pango.nm +++ b/pango/pango.nm @@ -5,8 +5,8 @@
name = pango version = %{ver_major}.%{ver_minor} -ver_major = 1.50 -ver_minor = 12 +ver_major = 1.51 +ver_minor = 0 release = 1
groups = System/Libraries diff --git a/patchelf/patchelf.nm b/patchelf/patchelf.nm index f33c5721f..a86e22ce0 100644 --- a/patchelf/patchelf.nm +++ b/patchelf/patchelf.nm @@ -4,8 +4,8 @@ ###############################################################################
name = patchelf -version = 0.17.2 -release = 2 +version = 0.18.0 +release = 1
groups = Development/Tools url = http://nixos.org/patchelf.html diff --git a/polkit/polkit.nm b/polkit/polkit.nm index c5a585fe9..4698a2c2a 100644 --- a/polkit/polkit.nm +++ b/polkit/polkit.nm @@ -4,7 +4,7 @@ ###############################################################################
name = polkit -version = 122 +version = 123 release = 1
groups = System/Libraries diff --git a/samba/samba.nm b/samba/samba.nm index 205439fea..a97809d3f 100644 --- a/samba/samba.nm +++ b/samba/samba.nm @@ -4,7 +4,7 @@ ###############################################################################
name = samba -version = 4.19.0 +version = 4.19.3 release = 1
groups = Networking/Daemons diff --git a/strace/strace.nm b/strace/strace.nm index 30b596894..bec6c24c1 100644 --- a/strace/strace.nm +++ b/strace/strace.nm @@ -4,7 +4,7 @@ ###############################################################################
name = strace -version = 6.5 +version = 6.6 release = 1
groups = Development/Debuggers
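
Review bot: In patchelf/patchelf.nm the unchanged context line `url = http://nixos.org/patchelf.html` still uses plain HTTP. Since the file is being touched for 0.18.0 anyway, consider switching the package URL to HTTPS if upstream serves the page that way. Resetting `release = 2` to `release = 1` alongside the version bump matches the other packages in this push.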
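
Review bot: The `version = 4.19.3` bump in samba/samba.nm does not carry the manual step that the commit message marks as required for CVE-2018-14628. The message states that the patched Samba does not protect existing domains and that an administrator has to run `samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix` on one domain controller, yet nothing in the package change surfaces this to whoever installs the update. Consider carrying the instruction into the release notes or an upgrade notice for systems running Samba as an AD DC, so it does not live only in the commit log.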
hooks/post-receive -- IPFire 3.x development tree