This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, core168 has been created at 4a4fc8f19a8734a7d92895da3772027550e80f01 (commit)
- Log -----------------------------------------------------------------
commit 4a4fc8f19a8734a7d92895da3772027550e80f01 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Jun 4 08:43:15 2022 +0000
Core Update 168: Ship fcrontab and rebuild it from scratch
This is necessary due to IDSv4 changes introducing changes to fcrontab. While this patch will cause any custom cron jobs configured there to be lost, it is better to start with a defined state rather than sed'ing on this file.
Cc: Michael Tremer michael.tremer@ipfire.org Cc: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit de5896985ccb3c9c732315ddd17106e5c4b1bafe Author: Peter Müller peter.mueller@ipfire.org Date: Tue May 31 17:21:54 2022 +0000
intel-microcode: Update rootfile
Reported-by: Jon Murphy jcmurphy26@gmail.com Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 4f4b7fbc13d3fcc50d0acc93ae20ecef7c4466dc Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 30 20:00:53 2022 +0000
Update contributor list
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 71d53192d37db0d86a9dc04b11aa40016ba09b47 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu May 19 08:56:34 2022 +0000
core168: Add script to automatically repair MDRAID arrays
Please see the header of the script for more details.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 69aac83da960bc89783aa8dc5373b907cccc60f8 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu May 19 08:56:33 2022 +0000
core168: Add rd.auto to kernel command line
This parameter will enable dracut to automatically launch any MDRAID arrays at boot time.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 8077bacb826bb336d98d90c628ad8fece098dc16 Author: Peter Müller peter.mueller@ipfire.org Date: Wed May 18 17:49:00 2022 +0000
strongSwan: Bring back firewall rules for permitting IP-in-IP, ESP and AH traffic
Fixes: #12866 Signed-off-by: Peter Müller peter.mueller@ipfire.org Reviewed-by: Michael Tremer michael.tremer@ipfire.org
commit b630a9a8a8dab5e558c0929191ee25da2e9d5068 Author: Peter Müller peter.mueller@ipfire.org Date: Wed May 18 17:42:24 2022 +0000
Core Update 168: fcrontab != crontab
Silly me.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 1c1d9fd7bfdf5495069c3119982753a9ddc5fe24 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon May 16 14:48:14 2022 +0000
dracut: Enable automatic assembly of any RAID/LVM devices
This has changed in dracut 24 and we have used various hacks to enable this behaviour again when it would have been so easy to just enable this parameter.
Fixes: #12862 - Upgrade from Core 166 to 167 does not use RAID anymore Reported-by: Dirk Sihling dsihling@web.de Reported-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit bbd4767fcf3086800e96aa449c6fa526ad662288 Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 16 07:12:23 2022 +0000
Core Update 168: Ship liburcu
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 4eb6ba2bd56029a8756d75b2a34c9fbe68650740 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri May 13 23:26:34 2022 +0200
poppler: Fix rootfile.
libpoppler.so.120.0.0 contains all the functions and symbols which are required by the tools linked against it.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Reviewed-by: Adolf Belka adolf.belka@ipfire.org
commit 691a83f2374d85f834c24d3d82525bc554ad4f25 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri May 13 23:20:44 2022 +0200
libinih: Fix rootfile.
Some tools of the xfsprogs are linked against libinih and therefore we need to ship those libs.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Reviewed-by: Adolf Belka adolf.belka@ipfire.org
commit 0f3b6da86d3e239badea7c46aca05189a940b469 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri May 13 23:17:48 2022 +0200
liburcu: Fix rootfile.
At least the xfsprogs is linked against the urcu libraries and therefore requires them to run and deal with xfs filesystems.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Reviewed-by: Adolf Belka adolf.belka@ipfire.org
commit e2f4f99e498a89157e85e8e4b983e61568956e9e Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri May 13 19:10:44 2022 +0200
update-ids-ruleset: Silent script if no providers settings file exists.
Only try to read-in the providers settings file, in case it exists. Otherwise the script produces an error message, about the missing file, each time it gets executed.
Because of the fcron job this would be twice a day in most cases.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Reviewed-by: Michael Tremer michael.tremer@ipfire.org
commit ceb8b07b2cfedc5ec84576dd85db80bd83ce7ab1 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri May 13 18:55:48 2022 +0200
pango: Fix rootfile.
The main libraries libpangocairo and libpangosoft2 accidentally have been marked to be not shipped or part of the system.
They are required by collecty and various other libraries or binaries.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 9f42266a5957dd9da1f6eb68a8602429a3e993da Author: Peter Müller peter.mueller@ipfire.org Date: Fri May 13 09:22:35 2022 +0000
strongswan: Update rootfile
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 8615d42ce7d77016aed51ea0528119f38e589e5d Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri May 13 06:30:57 2022 +0200
expat: Fix rootfile.
The libexpat.so.1 file is just a symlink to libexpat.so.1.8.8 which contains all the functions and symbols required by the binaries, linked against it. Therefore this file needs to be present on the systems.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 27d1dc083ecc49cd11f57b975f8daf599eb436f4 Author: Peter Müller peter.mueller@ipfire.org Date: Thu May 12 18:06:59 2022 +0000
Core Update 168: Ship and restart strongSwan
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit b074ebd6ad688124d5dfdcc2ed614040553afd7e Author: Peter Müller peter.mueller@ipfire.org Date: Thu May 12 18:04:52 2022 +0000
strongSwan: Update to 5.9.6
See: https://github.com/strongswan/strongswan/releases/tag/5.9.6
Since this addresses security issues, and also with regards to reports such as https://community.ipfire.org/t/core-update-167-ipsec-issue/7893, I take the liberty to push this straight into Core Update 168.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 1ad192722a9ecd0b0f0afc008da020b9534e57d6 Author: Peter Müller peter.mueller@ipfire.org Date: Thu May 12 17:53:50 2022 +0000
intel-microcode: Update to 20220510
Please refer to https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases... for further details.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 675849974918df21c717c26bf6e974fa2f9d7f67 Author: Peter Müller peter.mueller@ipfire.org Date: Thu May 12 17:27:34 2022 +0000
Core Update 168: Ship core-files
https://community.ipfire.org/t/core-168-testing-working/7901/7
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 91f1aaaa869df6fe9a04d3aefb36f021e9945ad7 Author: Peter Müller peter.mueller@ipfire.org Date: Tue May 10 14:12:53 2022 +0000
nagios-plugins: Bump package version for OpenLDAP update
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 64fb91fedf733518c5a4c3ea638c1b6f29f1e36d Author: Peter Müller peter.mueller@ipfire.org Date: Tue May 10 14:12:21 2022 +0000
Core Update 168: Ship necessary dependencies
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 7dc85dec948bd6250a9f2845ccc919828b76a83d Author: Peter Müller peter.mueller@ipfire.org Date: Tue May 10 13:56:59 2022 +0000
Core Update 168: Ship coreutils
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 672582488b302da48c35e0652dd8609f5954d8e2 Author: Peter Müller peter.mueller@ipfire.org Date: Tue May 10 13:54:25 2022 +0000
Core Update 168: Ship GnuPG
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 0e48c84c42407fc326bafba6c6166a38a0c3a3a4 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun May 8 15:23:03 2022 +0200
suricata: Perform ruleset update every 12 hours.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 3b926424278d9f0d2f89c9684b8d7bbf86de858c Author: Peter Müller peter.mueller@ipfire.org Date: Sun May 8 14:16:10 2022 +0000
Update rootfiles
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit dc871930f600677514cefca5fb7befa4e809442e Author: Peter Müller peter.mueller@ipfire.org Date: Sun May 8 13:14:16 2022 +0000
Core Update 168: Ship pakfire.cgi
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 2b5253bbbb3acb6f276040ffe095f7380ea3991d Author: Leo-Andres Hofmann hofmann@leo-andres.de Date: Sun May 8 14:09:52 2022 +0200
pakfire.cgi: Cosmetic fixes
Add formatting to improve readability of dependencies list header.
Signed-off-by: Leo-Andres Hofmann hofmann@leo-andres.de Acked-by: Peter Müller peter.muelle@ipfire.org
commit 3706e0a5b34f65baa7b6bfaad38ac6bd0496d50c Author: Leo-Andres Hofmann hofmann@leo-andres.de Date: Sun May 8 14:09:51 2022 +0200
pakfire.cgi: Discard tac stderr output
Prevents meaningless "broken pipe" messages in the httpd error log.
Signed-off-by: Leo-Andres Hofmann hofmann@leo-andres.de Acked-by: Peter Müller peter.muelle@ipfire.org
commit 85d570843ef7b4b1a428dadf93e5a2a8410348ca Author: Leo-Andres Hofmann hofmann@leo-andres.de Date: Sun May 8 14:09:50 2022 +0200
pakfire.cgi: Implement Post/Redirect/Get pattern
Refreshing the Pakfire page may cause a command to be executed multiple times and induce odd errors.
This patch implements a HTTP 303 redirect after form processing, which causes the browser to discard the POST form data. Navigating backward or reloading the page now does not trigger multiple executions anymore.
Fixes: #12781
Signed-off-by: Leo-Andres Hofmann hofmann@leo-andres.de Acked-by: Peter Müller peter.muelle@ipfire.org
commit 3cdb83939bc69d7e3d4ca911361d84f54301f4b8 Author: Leo-Andres Hofmann hofmann@leo-andres.de Date: Sun May 8 14:09:49 2022 +0200
pakfire.cgi: Notify user if Pakfire is already performing a task
Signed-off-by: Leo-Andres Hofmann hofmann@leo-andres.de Acked-by: Peter Müller peter.muelle@ipfire.org
commit 4b5d1f3001e5f47399d3c1a6eabcd18c1a318996 Author: Leo-Andres Hofmann hofmann@leo-andres.de Date: Sun May 8 14:09:48 2022 +0200
pakfire.cgi: Show error and log messages earlier
The main page cannot be used while an installation is running. Therefore it makes more sense to generate the log output first.
Signed-off-by: Leo-Andres Hofmann hofmann@leo-andres.de Acked-by: Peter Müller peter.muelle@ipfire.org
commit 0f506a130c67a67c833530b2b8ad44f811df5ac6 Author: Leo-Andres Hofmann hofmann@leo-andres.de Date: Sun May 8 14:09:47 2022 +0200
pakfire.cgi: Fix indentation
Signed-off-by: Leo-Andres Hofmann hofmann@leo-andres.de Acked-by: Peter Müller peter.muelle@ipfire.org
commit cd521e78b815e84c31683b3cc2ec085f6f97d939 Author: Leo-Andres Hofmann hofmann@leo-andres.de Date: Sun May 8 14:09:46 2022 +0200
pakfire.cgi: Separate command processing and HTML generation
Move most of the command execution away from the HTML output. This makes it easier to modify or extend individual commands.
Also load Pakfire settings earlier to ensure that they are available during command execution.
Signed-off-by: Leo-Andres Hofmann hofmann@leo-andres.de Acked-by: Peter Müller peter.muelle@ipfire.org
commit c7105c6e66bdc9ed1c42d4248926c0e7b654b414 Author: Peter Müller peter.mueller@ipfire.org Date: Sun May 8 12:05:53 2022 +0000
spectre-meltdown-checker: Update to 0.45
Please refer to https://github.com/speed47/spectre-meltdown-checker/releases/tag/v0.45 for the release announcements of this version.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit d79814485fba7eb410497ec8e904dc717ef4a065 Author: Peter Müller peter.mueller@ipfire.org Date: Sun May 8 12:03:18 2022 +0000
Core Update 168: Delete orphaned symlinks to Suricata ruleset updater
Reported-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit fd1e3e3c7417c14809b1fbbf8f7620c99053009b Author: Peter Müller peter.mueller@ipfire.org Date: Sun May 8 12:00:10 2022 +0000
Core Update 168: Stop services before extracting files
https://lists.ipfire.org/pipermail/development/2022-May/013398.html
On a general note, we should do so for every Core Update, as it is more sane to stop services before deleting or overwriting any files.
Reported-by: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 0ab31dfdb1b3fce7aa4f3db0373de8808fa02acb Author: Peter Müller peter.mueller@ipfire.org Date: Sun May 8 11:42:19 2022 +0000
make.sh: Sigh, bump core update version
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 3e2e9c159389db191989ad2cb0553d5b9a2bae9f Author: Peter Müller peter.mueller@ipfire.org Date: Sun May 8 11:41:09 2022 +0000
Core Update 168: Ship intel-microcodes and rebuild initrds
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 822076e0c2109c4a59a93be9c2592f8475726c87 Author: Peter Müller peter.mueller@ipfire.org Date: Sun May 8 11:24:06 2022 +0000
intel-microcode: Update to 20220419
Please refer to https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases... for the release announcement.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 40811ff383dc358e77afa9c482199336a4ffdca6 Author: Peter Müller peter.mueller@ipfire.org Date: Sun May 8 09:01:24 2022 +0000
Suricata: Install Core Update 167 converter script
My fault, again. :-/
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 99a79bcbd89de07e108b836fe7d19bd26aeb02c3 Author: Peter Müller peter.mueller@ipfire.org Date: Thu May 5 21:17:47 2022 +0000
Revert "Core Update 168: Ship boost and delete orphaned libraries"
This reverts commit 3bd471b8203b878e9e270d833d49e08921c584e3.
commit 568215c84bb52ad09d7df43492eb61d99e343ac3 Author: Peter Müller peter.mueller@ipfire.org Date: Thu May 5 21:16:45 2022 +0000
Revert "boost: Fix rootfile entries that referred to python3.8 instead of 3.10"
This reverts commit 05a1fe1362b633b82b696a88801bb29fb1070872.
For some reason, the rootfile changes introduced with this patch break the build, as they do not seem to be present. Needs further investigation.
commit 5ecf056d52b007a413db0477254a3600fef1d81c Author: Peter Müller peter.mueller@ipfire.org Date: Thu May 5 16:47:44 2022 +0000
Drop libusb-compat
This was solely needed for NUT, which has now been updated, and does not require an older libusb version to be carried around.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit b2f707cb025bccf4417b0848e1140fc610e76fd6 Author: Adolf Belka adolf.belka@ipfire.org Date: Thu May 5 18:39:53 2022 +0200
nut: Update to version 2.8.0
- Update from version 2.7.4 to 2.8.0
- 2.7.4 was released in 2016 and since then not a lot of progress was made with it but since the start of 2022 new work on nut has occurred culminating in this release
- Update of rootfile
- Ran find-dependencies on the old libraries due to the sobump to confirm that nothing else than nut used them, which was the case.
- Changelog

  After a long and windy trip since the last official release v2.7.4 half a dozen years ago, we the community, contributors and maintainers are proud to announce at last the general availability of NUT v2.8.0!

  As always, the new release includes numerous new drivers, sub-drivers, protocols and bug-fixes, with many companies and individuals chipping in with contributions of code. Thanks to everyone involved in making this happen, inspiring the changes, and providing the open-source friendly infrastructure.

  This release also culminates a significant effort in improvements of NUT QA and CI, and as a result -- in codebase quality and portability across a decade or two of recent platforms, third-party tools and other dependencies. As a side effect, public API (in headers and libraries) has changed a bit, hence a new semantic "minor" number is claimed for this major body of work.

  During this time, the https://networkupstools.org/ web site has changed to a rolling-release model to serve current information to match the evolving codebase. There are now special Sub-sites for historic releases to keep documentation snapshots relevant for users of packages which are typically based on official NUT releases.

  We recognize that NUT is an important piece of infrastructure which gets built into all sorts of devices, projects and operating systems -- some of which the team never heard of until they pop up in a question, and others we haven't heard of for years -- so we take a seriously omnivorous stance towards covering many versions and implementations of compiler suites, C/C++ revisions, make programs, shell and other scripted language interpreters, OSes and CPUs, and other similar variables tamed with our new NUT CI farm test matrix dynamically driven by currently registered build agents and their declared capabilities.

  Sections in the NEWS and UPGRADING files about changes since last release are several pages long, so would not all be repeated here. A few important highlights for distribution packagers and custom builders follow, however:

  - NUT now supports more i2c and modbus devices, as well as libusb-1.0 support as an alternative to earlier libusb-0.1 (so new dependency-based categories of packages for drivers may be due);
  - NUT Python modules and scripts (e.g. NUT-Monitor variants) should work with python-2.7 and with python-3.x, so covering historic distro releases as well as new ones (and so your distro can deliver one or both, probably in several packages with different dependencies in the latter case);
  - NUT provides revised reference systemd and SMF service unit definitions, including support of drivers wrapped into individual service instances with varying dependencies based on different media required (networked stack, USB stack, etc.), and many daemons include -F option for running "in foreground" to avoid extra forking after one already done by a service framework - you may want to use those in your packaged deliverables;
  - NUT newly provides the "nut-driver-enumerator" script and service, which allows it to follow edition of ups.conf and dynamically define+(re)start and stop+undefine service instances for drivers - there are several ways it can be integrated for different use-cases;
  - There are several new configuration keywords and CLI options - so while new NUT builds should work with old configs and scripts, the opposite is not necessarily true (old binaries may reject configurations taking advantage of new features);
  - There are several new protocol keywords - but old and new NUT daemons (data server and clients) should be able to communicate both ways;
  - It is assumed that API/ABI changes may require third-party NUT clients (library consumers of libnutclient, libupsclient, libnutscan... -- their version info was bumped accordingly) to get rebuilt, in order to work with the new NUT release in a stable fashion;
  - The dummy-ups driver used in automated testing now processes *.dev filename patterns once and does not loop, like it still does for *.seq and other files (by default);
  - USB code is now more strict about logical minimum/maximum ranges for data reported from devices, and some devices were already found to make mistakes - so there is also a mechanism for turning a blind eye to known issues and fix-up such report descriptors to produce intended sane values;
  - New documentation page docs/config-prereqs.txt highlights packaged dependencies installable on a large range of platforms to build as much of NUT as possible (incidentally, ones NUT CI farm uses to test every iteration);
  - Finally, we hope that NUT codebase might be able to cater for everyone "out of the box" (it also simplifies local builds from GitHub sources on any systems, for troubleshooting and checking pre-release enhancements): if you as a packager have to apply patches for your distribution, give it a thought -- whether they address a common issue best solved upstream once and behave similarly for everyone (and conversely, if your platform can do with existing solutions already tracked in the NUT version du-jour). PRs welcome! Or at least Wiki entries to list all the distro efforts for cross-pollination
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit b6fe8ee88dafb5ebb02a787b11da602de016969d Author: Peter Müller peter.mueller@ipfire.org Date: Thu May 5 16:24:20 2022 +0000
Run ./make.sh update-contributors
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 5b1299f71717a59f50ea5b7aa7796dfe27afd080 Author: Peter Müller peter.mueller@ipfire.org Date: Thu May 5 16:22:51 2022 +0000
oinkmaster: Delete remnants
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 68725035744de0253f19e0b3550799799a44f80d Author: Peter Müller peter.mueller@ipfire.org Date: Thu May 5 16:21:23 2022 +0000
Core Update 168: Ship and apply IDSv4 changes
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 4d4f5df0c8b4e212cec1fd1206616308584df18e Merge: e47f7c829 1a9e81ce7 Author: Peter Müller peter.mueller@ipfire.org Date: Thu May 5 16:07:41 2022 +0000
Merge branch 'temp-stevee-idsv4' into next
commit e47f7c8295ef92b6ee40ce88154d4449c4b29f19 Author: Peter Müller peter.mueller@ipfire.org Date: Thu May 5 15:31:16 2022 +0000
Core Update 168: Ship freetype
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit c78f6e33f8415bdefb5be953032eba111d3585ff Author: Adolf Belka adolf.belka@ipfire.org Date: Wed May 4 21:51:00 2022 +0200
freetype: Update to version 2.12.1
- Update from version 2.11.1 to 2.12.1
- Update of rootfile
- Changelog

  CHANGES BETWEEN 2.12.0 and 2.12.1

  I. IMPORTANT BUG FIXES

  - Loading CFF fonts sometimes made FreeType crash (bug introduced in version 2.12.0)
  - Loading a fully hinted TrueType glyph a second time (without caching) sometimes yielded different rendering results if TrueType hinting was active (bug introduced in version 2.12.0).
  - The generation of the pkg-config file `freetype2.pc` was broken if the build was done with cmake (bug introduced in version 2.12.0).

  II. MISCELLANEOUS

  - New option `--with-librsvg` for the `configure` script for better FreeType demo support.
  - The meson build no longer enforces both static and dynamic versions of the library by default.
  - The internal zlib library was updated to version 1.2.12. Note, however, that FreeType is *not* affected by CVE-2018-25032 since it only does decompression.

  CHANGES BETWEEN 2.11.1 and 2.12.0

  I. IMPORTANT CHANGES

  - FreeType now handles OT-SVG fonts, to be controlled with `FT_CONFIG_OPTION_SVG` configuration macro. By default, it can only load the 'SVG ' table of an OpenType font. However, by using the `svg-hooks` property of the new 'ot-svg' module it is possible to register an external SVG rendering engine. The FreeType demo programs have been set up to use 'librsvg' as the rendering library. This work was Moazin Khatti's GSoC 2019 project.

  II. MISCELLANEOUS

  - The handling of fonts with an 'sbix' table has been improved.
  - Corrected bitmap offsets.
  - A new tag `FT_PARAM_TAG_IGNORE_SBIX` for `FT_Open_Face` makes FreeType ignore an 'sbix' table in a font, allowing applications to access the font's outline glyphs.
  - `FT_FACE_FLAG_SBIX` and `FT_FACE_FLAG_SBIX_OVERLAY` together with their corresponding preprocessor macros `FT_HAS_SBIX` and `FT_HAS_SBIX_OVERLAY` enable applications to treat 'sbix' tables as described in the OpenType specification.
  - The internal 'zlib' code has been updated to be in sync with the current 'zlib' version (1.2.11).
  - The previously internal load flag `FT_LOAD_SBITS_ONLY` is now public.
  - Some minor improvements of the building systems, in particular handling of the 'zlib' library (internal vs. external).
  - Support for non-desktop Universal Windows Platform.
  - Various other minor bug and documentation fixes.
  - The `ftdump` demo program shows more information for Type1 fonts if option `-n` is given.
  - `ftgrid` can now display embedded bitmap strikes.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 6f3da00c53ac58dcbb833740b7a6f069166ee98f Author: Adolf Belka adolf.belka@ipfire.org Date: Wed May 4 21:51:28 2022 +0200
sdl2: Update to version 2.0.22
- Update from version 2.0.20 to 2.0.22
- Update of rootfile
- Changelog

  2.0.22:

  General:
  * Added SDL_RenderGetWindow() to get the window associated with a renderer
  * Added floating point rectangle functions:
    * SDL_PointInFRect()
    * SDL_FRectEmpty()
    * SDL_FRectEquals()
    * SDL_FRectEqualsEpsilon()
    * SDL_HasIntersectionF()
    * SDL_IntersectFRect()
    * SDL_UnionFRect()
    * SDL_EncloseFPoints()
    * SDL_IntersectFRectAndLine()
  * Added SDL_IsTextInputShown() which returns whether the IME window is currently shown
  * Added SDL_ClearComposition() to dismiss the composition window without disabling IME input
  * Added SDL_TEXTEDITING_EXT event for handling long composition text, and a hint SDL_HINT_IME_SUPPORT_EXTENDED_TEXT to enable it
  * Added the hint SDL_HINT_MOUSE_RELATIVE_MODE_CENTER to control whether the mouse should be constrained to the whole window or the center of the window when relative mode is enabled
  * The mouse is now automatically captured when mouse buttons are pressed, and the hint SDL_HINT_MOUSE_AUTO_CAPTURE allows you to control this behavior
  * Added the hint SDL_HINT_VIDEO_FOREIGN_WINDOW_OPENGL to let SDL know that a foreign window will be used with OpenGL
  * Added the hint SDL_HINT_VIDEO_FOREIGN_WINDOW_VULKAN to let SDL know that a foreign window will be used with Vulkan
  * Added the hint SDL_HINT_QUIT_ON_LAST_WINDOW_CLOSE to specify whether an SDL_QUIT event will be delivered when the last application window is closed
  * Added the hint SDL_HINT_JOYSTICK_ROG_CHAKRAM to control whether ROG Chakram mice show up as joysticks

  Windows:
  * Added support for SDL_BLENDOPERATION_MINIMUM and SDL_BLENDOPERATION_MAXIMUM to the D3D9 renderer

  Linux:
  * Compiling with Wayland support requires libwayland-client version 1.18.0 or later
  * Added the hint SDL_HINT_X11_WINDOW_TYPE to specify the _NET_WM_WINDOW_TYPE of SDL windows
  * Added the hint SDL_HINT_VIDEO_WAYLAND_PREFER_LIBDECOR to allow using libdecor with compositors that support xdg-decoration

  Android:
  * Added SDL_AndroidSendMessage() to send a custom command to the SDL java activity
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 401a2f3db0303e404987d06890296f23966c8ae8 Author: Adolf Belka adolf.belka@ipfire.org Date: Wed May 4 21:51:15 2022 +0200
hplip: Update to version 3.22.4
- Update from version 3.22.2 to 3.22.4
- Update of rootfile
- Changelog

  HPLIP 3.22.4 - This release has the following changes:

  Added support for following new Distro's: Manjaro 21.2

  Added support for the following new Printers: HP LaserJet Pro 4001ne, HP LaserJet Pro 4001n, HP LaserJet Pro 4001dne, HP LaserJet Pro 4001dn, HP LaserJet Pro 4001dwe, HP LaserJet Pro 4001dw, HP LaserJet Pro 4001d, HP LaserJet Pro 4001de, HP LaserJet Pro 4002ne, HP LaserJet Pro 4002n, HP LaserJet Pro 4002dne, HP LaserJet Pro 4002dn, HP LaserJet Pro 4002dwe, HP LaserJet Pro 4002dw, HP LaserJet Pro 4002d, HP LaserJet Pro 4002de, HP LaserJet Pro 4003dn, HP LaserJet Pro 4003dw, HP LaserJet Pro 4003n, HP LaserJet Pro 4003d, HP LaserJet Pro 4004d, HP LaserJet Pro 4004dn, HP LaserJet Pro 4004dw, HP LaserJet Pro MFP 4101dwe, HP LaserJet Pro MFP 4101dw, HP LaserJet Pro MFP 4101fdn, HP LaserJet Pro MFP 4101fdne, HP LaserJet Pro MFP 4101fdw, HP LaserJet Pro MFP 4101fdwe, HP LaserJet Pro MFP 4102dwe, HP LaserJet Pro MFP 4102dw, HP LaserJet Pro MFP 4102fdn, HP LaserJet Pro MFP 4102fdw, HP LaserJet Pro MFP 4102fdwe, HP LaserJet Pro MFP 4102fdne, HP LaserJet Pro MFP 4102fnw, HP LaserJet Pro MFP 4102fnwe, HP LaserJet Pro MFP 4103dw, HP LaserJet Pro MFP 4103dn, HP LaserJet Pro MFP 4103fdn, HP LaserJet Pro MFP 4103fdw, HP LaserJet Pro MFP 4104dw, HP LaserJet Pro MFP 4104fdw, HP LaserJet Pro MFP 4104fdn, HP ScanJet Pro 3600 f1, HP ScanJet Pro N4600 fnw1, HP ScanJet Pro 2600 f1, HP ScanJet Enterprise Flow N6600 fnw1

  HPLIP 3.22.2 - This release has the following changes:

  Added support for following new Distro's: Elementary OS 6.1, RHEL 8.5, Linux Mint 20.3

  Added support for the following new Printers: HP LaserJet Tank MFP 1602a, HP LaserJet Tank MFP 1602w, HP LaserJet Tank MFP 1604w, HP LaserJet Tank MFP 2602dn, HP LaserJet Tank MFP 2602sdn, HP LaserJet Tank MFP 2602sdw, HP LaserJet Tank MFP 2602dw, HP LaserJet Tank MFP 2604dw, HP LaserJet Tank MFP 2604sdw, HP LaserJet Tank MFP 2603dw, HP LaserJet Tank MFP 2603sdw, HP LaserJet Tank MFP 2605sdw, HP LaserJet Tank MFP 2606dn, HP LaserJet Tank MFP 2606sdn, HP LaserJet Tank MFP 2606sdw, HP LaserJet Tank MFP 2606dw, HP LaserJet Tank MFP 2606dc, HP LaserJet Tank MFP 1005, HP LaserJet Tank MFP 1005w, HP LaserJet Tank MFP 1005nw, HP LaserJet Tank 1502a, HP LaserJet Tank 1502w, HP LaserJet Tank 1504w, HP LaserJet Tank 2502dw, HP LaserJet Tank 2502dn, HP LaserJet Tank 2504dw, HP LaserJet Tank 2503dw, HP LaserJet Tank 2506dw, HP LaserJet Tank 2506d, HP LaserJet Tank 2506dn, HP LaserJet Tank 1020, HP LaserJet Tank 1020w, HP LaserJet Tank 1020nw
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit c36610e051b931b4ae497b633ca41713e03d53e7 Author: Adolf Belka adolf.belka@ipfire.org Date: Tue Apr 12 12:33:36 2022 +0200
haproxy: Update to version 2.5.5
- Update from 2.4.15 to 2.5.5
- Update of rootfile not required
- Changelog

  2.5.5
  - CI: github actions: add the output of $CC -dM -E-
  - CI: github actions: use cache for OpenTracing
  - CI: refactor OpenTracing build script
  - CI: github actions: use cache for SSL libs
  - CI: Consistently use actions/checkout@v2
  - BUILD: atomic: make the old HA_ATOMIC_LOAD() support const pointers
  - BUILD: tree-wide: mark a few numeric constants as explicitly long long
  - BUG/MEDIUM: mux-fcgi: Don't rely on SI src/dst addresses for FCGI health-checks
  - BUG/MEDIUM: htx: Fix a possible null derefs in htx_xfer_blks()
  - REGTESTS: fix the race conditions in normalize_uri.vtc
  - REGTESTS: fix the race conditions in secure_memcmp.vtc
  - BUG/MEDIUM: httpclient/lua: infinite appctx loop with POST
  - BUG/MINOR: pool: always align pool_heads to 64 bytes
  - BUG/MEDIUM: pools: fix ha_free() on area in the process of being freed
  - BUILD: fix kFreeBSD build.
  - MINOR: pools: add a new global option "no-memory-trimming"
  - MINOR: stats: Add dark mode support for socket rows
  - BUILD: pools: fix backport of no-memory-trimming on non-linux OS
  - BUILD: fix recent build breakage of freebsd caused by kFreeBSD build fix
  - BUG/MINOR: add missing modes in proxy_mode_str()
  - BUG/MINOR: cli: shows correct mode in "show sess"
  - BUG/MINOR: httpclient: Set conn-stream/channel EOI flags at the end of request
  - BUG/MINOR: hlua: Set conn-stream/channel EOI flags at the end of request
  - BUG/MINOR: stats: Set conn-stream/channel EOI flags at the end of request
  - BUG/MINOR: cache: Set conn-stream/channel EOI flags at the end of request
  - BUG/MINOR: promex: Set conn-stream/channel EOI flags at the end of request
  - BUG/MEDIUM: stream: Use the front analyzers for new listener-less streams
  - DEBUG: cache: Update underlying buffer when loading HTX message in cache applet
  - BUG/MEDIUM: mcli: Properly handle errors and timeouts during reponse processing
  - DEBUG: stream: Add the missing descriptions for stream trace events
  - DEBUG: stream: Fix stream trace message to print response buffer state
  - BUG/MAJOR: mux-pt: Always destroy the backend connection on detach
  - BUG/MINOR: session: fix theoretical risk of memleak in session_accept_fd()
  - BUG/MEDIUM: httpclient: don't consume data before it was analyzed
  - CLEANUP: htx: remove unused co_htx_remove_blk()
  - BUG/MINOR: httpclient: consume partly the blocks when necessary
  - BUG/MINOR: httpclient: remove the UNUSED block when parsing headers
  - BUG/MEDIUM: httpclient: must manipulate head, not first
  - REGTESTS: fix the race conditions in be2hex.vtc

  2.5.4
  - BUG/MEDIUM: htx: Be sure to have a buffer to perform a raw copy of a message
  - BUG/MEDIUM: mux-h1: Don't wake h1s if mux is blocked on lack of output buffer
  - BUG/MAJOR: mux-h2: Be sure to always report HTX parsing error to the app layer
  - DOC: Fix usage/examples of deprecated ACLs
  - BUG/MINOR: proxy: preset the error message pointer to NULL in parse_new_proxy()
  - REGTESTS: fix the race conditions in 40be_2srv_odd_health_checks
  - CI: github: enable pool debugging by default
  - BUG/MEDIUM: stream: Abort processing if response buffer allocation fails

  2.5.3
  - MINOR: sock: move the unused socket cleaning code into its own function
  - BUG/MEDIUM: mworker: close unused transferred FDs on load failure
  - BUG/MINOR: mworker: fix a FD leak of a sockpair upon a failed reload
  - BUG/MINOR: sink: Use the right field in appctx context in release callback
  - BUG/MEDIUM: resolvers: Really ignore trailing dot in domain names
  - BUG/MEDIUM: fd: always align fdtab[] to 64 bytes
  - BUG/MAJOR: compiler: relax alignment constraints on certain structures
  - MINOR: httpclient: Don't limit data transfer to 1024 bytes
  - BUG/MINOR: httpclient: reinit flags in httpclient_start()
  - BUG/MINOR: mailers: negotiate SMTP, not ESMTP
  - BUG/MINOR: ssl: Add missing return value check in ssl_ocsp_response_print
  - BUG/MINOR: ssl: Fix leak in "show ssl ocsp-response" CLI command
  - BUG/MINOR: ssl: Missing return value check in ssl_ocsp_response_print
  - CLEANUP: httpclient/cli: fix indentation alignment of the help message
  - BUG/MINOR: tools: url2sa reads ipv4 too far
  - BUG/MEDIUM: httpclient: limit transfers to the maximum available room
  - DEBUG: buffer: check in __b_put_blk() whether the buffer room is respected

  2.5.2
  - BUG/MEDIUM: connection: properly leave stopping list on error
  - BUG/MEDIUM: htx: Adjust length to add DATA block in an empty HTX buffer
  - BUG/MINOR: httpclient: don't send an empty body
  - BUG/MINOR: httpclient: set default Accept and User-Agent headers
  - BUG/MINOR: httpclient/lua: don't pop the lua stack when getting headers
  - BUILD/MINOR: fix solaris build with clang.
  - BUG/MEDIUM: server: avoid changing healthcheck ctx with set server ssl
  - DOC: management: mark "set server ssl" as deprecated
  - MEDIUM: cli: yield between each pipelined command
  - MINOR: channel: add new function co_getdelim() to support multiple delimiters
  - BUG/MINOR: cli: avoid O(bufsize) parsing cost on pipelined commands
  - MEDIUM: h2/hpack: emit a Dynamic Table Size Update after settings change
  - BUG/MEDIUM: cli: Never wait for more data on client shutdown
  - BUG/MEDIUM: mcli: do not try to parse empty buffers
  - BUG/MEDIUM: mcli: always realign wrapping buffers before parsing them
  - BUG/MINOR: stream: make the call_rate only count the no-progress calls
  - DEBUG: cli: add a new "debug dev fd" expert command
  - BUILD: debug/cli: condition test of O_ASYNC to its existence
  - DEBUG: pools: add new build option DEBUG_POOL_INTEGRITY
  - REGTESTS: ssl: Fix ssl_errors regtest with OpenSSL 1.0.2
  - BUG/MEDIUM: mworker: don't lose the stats socket on failed reload
  - BUG/MINOR: mworker: does not add the -sf in wait mode
  - BUG/MINOR: pools: always flush pools about to be destroyed
  - DEBUG: pools: add extra sanity checks when picking objects from a local cache
  - DEBUG: pools: let's add reverse mapping from cache heads to thread and pool
  - DEBUG: pools: replace the link pointer with the caller's address on pool_free()
BUG/MAJOR: sched: prevent rare concurrent wakeup of multi-threaded tasks - BUG/MINOR: mworker: does not erase the pidfile upon reload - DEBUG: fd: make sure we never try to insert/delete an impossible FD number - MINOR: listener: replace the listener's spinlock with an rwlock - BUG/MEDIUM: listener: read-lock the listener during accept() - BUG/MINOR: httpclient: Revisit HC request and response buffers allocation - BUG/MEDIUM: httpclient: Xfer the request when the stream is created - BUG/MINOR: ssl: Remove empty lines from "show ssl ocsp-response <id>" output - BUG/MINOR: jwt: Double free in deinit function - BUG/MINOR: jwt: Missing pkey free during cleanup - BUG/MINOR: jwt: Memory leak if same key is used in multiple jwt_verify calls - BUG/MINOR: httpclient/cli: display junk characters in vsn - BUG/MAJOR: http/htx: prevent unbounded loop in http_manage_server_side_cookies - BUG/MAJOR: spoe: properly detach all agents when releasing the applet - REGTESTS: server: close an occasional race on dynamic_server_ssl.vtc - REGTESTS: peers: leave a bit more time to peers to synchronize - BUG/MEDIUM: h2/hpack: fix emission of HPACK DTSU after settings change - BUG/MINOR: mux-h2: update the session's idle delay before creating the stream 2.5.1 - BUG/MINOR: cache: Fix loop on cache entries in "show cache" - BUG/MINOR: httpclient: allow to replace the host header - BUG/MINOR: lua: don't expose internal proxies - BUG/MINOR: lua: remove loop initial declarations - BUG/MEDIUM: cli: Properly set stream analyzers to process one command at a time - BUILD: evports: remove a leftover from the dead_fd cleanup - BUG/MINOR: vars: Fix the set-var and unset-var converters - BUG/MINOR: server: Don't rely on last default-server to init server SSL context - BUG/MEDIUM: resolvers: Detach query item on response error - BUG/MAJOR: segfault using multiple log forward sections. 
- BUG/MEDIUM: h1: Properly reset h1m flags when headers parsing is restarted - BUG/MEDIUM: mworker: FD leak of the eventpoll in wait mode - BUG/MINOR: mworker: deinit of thread poller was called when not initialized - MINOR: mux-h1: Improve H1 traces by adding info about http parsers - BUILD: bug: Fix error when compiling with -DDEBUG_STRICT_NOCRASH - BUG/MEDIUM: sample: Fix memory leak in sample_conv_jwt_member_query - MINOR: cli: "show version" displays the current process version - BUILD: tree-wide: avoid warnings caused by redundant checks of obj_types - IMPORT: slz: use the correct CRC32 instruction when running in 32-bit mode - MINOR: http-rules: Add capture action to http-after-response ruleset - BUG/MINOR: cli/server: Don't crash when a server is added with a custom id - DOC: spoe: Clarify use of the event directive in spoe-message section - DOC: config: Specify %Ta is only available in HTTP mode - DOC: config: retry-on list is space-delimited - DOC: config: fix error-log-format example - BUG/MEDIUM: mworker/cli: crash when trying to access an old PID in prompt mode - MINOR: ssl: Remove empty lines from "show ssl ocsp-response" output - MINOR: pools: work around possibly slow malloc_trim() during gc - BUG/MEDIUM: backend: fix possible sockaddr leak on redispatch - BUG/MEDIUM: peers: properly skip conn_cur from incoming messages - BUG/MEDIUM: mux-h1: Fix splicing by properly detecting end of message - BUG/MINOR: mux-h1: Fix splicing for messages with unknown length - BUILD: ssl: unbreak the build with newer libressl - DOC: fix misspelled keyword "resolve_retries" in resolvers - DEBUG: ssl: make sure we never change a servername on established connections - BUILD: opentracing: display warning in case of using OT_USE_VARS at compile time - BUG/MEDIUM: ssl: initialize correctly ssl w/ default-server - REGTESTS: ssl: fix ssl_default_server.vtc - MINOR: compat: detect support for dl_iterate_phdr() - MINOR: debug: add ability to dump loaded shared libraries - 
MINOR: debug: add support for -dL to dump library names at boot - MINOR: proxy: add option idle-close-on-response - MINOR: cpuset: switch to sched_setaffinity for FreeBSD 14 and above. - BUILD: makefile: add -Wno-atomic-alignment to work around clang abusive warning - CI: Github Actions: do not show VTest failures if build failed - BUG/MINOR: ssl: free the fields in srv->ssl_ctx - BUG/MEDIUM: ssl: free the ckch instance linked to a server - REGTESTS: ssl: update of a crt with server deletion - BUILD/MINOR: cpuset FreeBSD 14 build fix. - CI: github actions: update OpenSSL to 3.0.1 - BUILD/MINOR: tools: solaris build fix on dladdr. - BUG/MINOR: cli: fix _getsocks with musl libc - BUG/MEDIUM: http-ana: Preserve response's FLT_END analyser on L7 retry - BUG/MEDIUM: mworker: don't use _getsocks in wait mode - BUG/MINOR: ssl: Store client SNI in SSL context in case of ClientHello error - BUG/MAJOR: mux-h1: Don't decrement .curr_len for unsent data - BUILD: cpuset: fix build issue on macos introduced by previous change - CI: github actions: clean default step conditions 2.5.0 - BUILD: SSL: add quictls build to scripts/build-ssl.sh - BUILD: SSL: add QUICTLS to build matrix - CLEANUP: sock: Wrap `accept4_broken = 1` into additional parenthesis - BUILD: cli: clear a maybe-unused warning on some older compilers - BUG/MEDIUM: cli: make sure we can report a warning from a bind keyword - BUG/MINOR: ssl: make SSL counters atomic - CLEANUP: assorted typo fixes in the code and comments - BUG/MINOR: ssl: free correctly the sni in the backend SSL cache - MINOR: version: mention that it's stable now
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit 3bd471b8203b878e9e270d833d49e08921c584e3 Author: Peter Müller peter.mueller@ipfire.org Date: Thu May 5 14:23:30 2022 +0000
Core Update 168: Ship boost and delete orphaned libraries
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 05a1fe1362b633b82b696a88801bb29fb1070872 Author: Adolf Belka adolf.belka@ipfire.org Date: Wed May 4 13:14:29 2022 +0200
boost: Fix rootfile entries that referred to python3.8 instead of 3.10
- In Jan 2022 I updated python from 3.8 to 3.10 but I missed that boost had rootfile entries with python38 in it.
- Running a build just now for another package it got flagged up that the rootfile for boost had been changed and the logfile now had the entries with python310 instead of python38
- Not clear why it only flagged this up now but this patch is to correct that error
- Running find-dependencies on both the python38 and python310 versions of the libraries flagged nothing as being linked to either, so probably lucky with this being missed first time around.
- Boost will need to be shipped with a Core Update
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit ce386d20ab8c5eea847038fb83dc8396bbbe2c04 Author: Peter Müller peter.mueller@ipfire.org Date: Thu May 5 14:18:46 2022 +0000
Core Update 168: Ship OpenSSL
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit a694737a131fccbc791ab70693a0da8b1c5d550b Author: Adolf Belka adolf.belka@ipfire.org Date: Wed May 4 12:59:48 2022 +0200
openssl: Update to version 1.1.1o
- Update from version 1.1.1n to 1.1.1o
- Update of rootfile not required
- This patch is to go into CU168 as this update is for fixing a moderate severity CVE
- Changelog
  1.1.1o [3 May 2022]
    (CVE-2022-1292) Fixed a bug in the c_rehash script which was not properly sanitising shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit d97295c680de05d7528471077115a46f3a48f600 Merge: 98b761a55 c22d834ca Author: Peter Müller peter.mueller@ipfire.org Date: Thu May 5 14:18:13 2022 +0000
Merge branch 'master' into next
commit 98b761a5576204b9cd0c8a441f2eeb4d530cadd6 Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 2 20:26:46 2022 +0000
download-rust-crate: Switch from MD5 to BLAKE2
https://wiki.ipfire.org/devel/telco/2022-05-02
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit eac8a6fbb86b8befb00adc318d0675a1c4748ed5 Author: Adolf Belka adolf.belka@ipfire.org Date: Fri Apr 29 14:05:22 2022 +0200
mpc: Update to version 0.34
- Update from version 0.33 to 0.34
- Combined this patch with update to mpd as mpc depends on mpd
- Changelog
  0.34 (2021/11/30)
    * add commands "albumart", "readpicture"
    * don't print status after error
    * custom status format
    * support grouping "list" results
    * meson: auto-build libmpdclient if not available
    * require libmpdclient 2.16 or newer
    * require MPD 0.21 or newer
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit 66c022d88741a79228575189aadbd106abe668f6 Author: Adolf Belka adolf.belka@ipfire.org Date: Fri Apr 29 14:05:21 2022 +0200
fmt: Addition of new build time dependency for mpd
- lfs and rootfile created - Added fmt to make.sh
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit 944454beecf07808814a3cd9271883e1a4b2e22b Author: Adolf Belka adolf.belka@ipfire.org Date: Fri Apr 29 14:05:20 2022 +0200
mpd: Update to version 0.23.6
- Update from version 0.22.6 to 0.23.6 - Update of rootfile not required - Since version 0.23 there is a new build time dependency for libfmt so a separate patch has been created to add fmt to the system but only for build - Changelog ver 0.23.6 (2022/03/14) * protocol - support filename "cover.webp" for "albumart" command - support "readcomments" and "readpicture" on CUE tracks * decoder - ffmpeg: fix end-of-file check (update stuck at empty files) - opus: fix "readpicture" on Opus files * output - pipewire: fix crash bug if setting volume before playback starts - wasapi: fix resume after pause ver 0.23.5 (2021/12/01) * protocol - support relative offsets for "searchadd" - fix "searchaddpl" bug (bogus error "Bad position") * database - upnp: fix crash bug * tags - fix MixRamp support * migrate to PCRE2 * GCC 12 build fixes ver 0.23.4 (2021/11/11) * protocol - add optional position parameter to "searchaddpl" * decoder - ffmpeg: support libavcodec 59 * output - alsa: add option "thesycon_dsd_workaround" to work around device bug * fix crash on debug builds if startup fails * systemd - remove "RuntimeDirectory" directive because it caused problems - ignore the "pid_file" setting if started as systemd service * Windows - enable the "openmpt" decoder plugin ver 0.23.3 (2021/10/31) * protocol - add optional position parameter to "add" and "playlistadd" - allow range in "playlistdelete" * database - fix scanning files with question mark in the name - inotify: fix use-after-free bug * output - alsa: add option "stop_dsd_silence" to work around DSD DAC noise * macOS: fix libfmt related build failure * systemd: add "RuntimeDirectory" directive ver 0.23.2 (2021/10/22) * protocol - fix "albumart" timeout bug * input - nfs: fix playback bug * output - pipewire: send artist and title to PipeWire - pipewire: DSD support * neighbor - mention failed plugin name in error message * player - fix cross-fade regression * fix crash with libfmt versions older than 7 ver 0.23.1 
(2021/10/19) * protocol - use decimal notation instead of scientific notation - "load" supports relative positions * output - emit "mixer" idle event when replay gain changes volume - pipewire: emit "mixer" idle events on external volume change - pipewire: attempt to change the graph sample rate - snapcast: fix time stamp bug which caused "Failed to get chunk" * fix libfmt linker problems * fix broken password authentication ver 0.23 (2021/10/14) * protocol - new command "getvol" - show the audio format in "playlistinfo" - support "listfiles" with arbitrary storage plugins - support relative positions in "addid" - fix relative positions in "move" and "moveid" - add "position" parameter to "findadd" and "searchadd" - add position parameter to "load" * database - proxy: require MPD 0.20 or later - proxy: require libmpdclient 2.11 or later - proxy: split search into chunks to avoid exceeding the output buffer - simple: add option to hide CUE target songs - upnp: support libnpupnp instead of libupnp * archive - zzip, iso9660: ignore file names which are invalid UTF-8 * decoder - openmpt: new plugin - wavpack: fix WVC file support * player - do not cross-fade songs shorter than 20 seconds * output - oss: support DSD over PCM - pipewire: new plugin - snapcast: new plugin * tags - new tags "ComposerSort", "Ensemble", "Movement", "MovementNumber", and "Location" * split permission "player" from "control" * add option "host_permissions" * new build-time dependency: libfmt ver 0.22.11 (2021/08/24) * protocol - fix "albumart" crash * filter - ffmpeg: pass "channel_layout" instead of "channels" to buffersrc - ffmpeg: fix "av_buffersink_get_frame() failed: Resource temporarily unavailable" - ffmpeg: support double-precision samples (by converting to single precision) * Android - build with NDK r23 - playlist_directory defaults to "/sdcard/Android/data/org.musicpd/files/playlists" ver 0.22.10 (2021/08/06) * protocol - support "albumart" for virtual tracks in CUE sheets * 
database - simple: fix crash bug - simple: fix absolute paths in CUE "as_directory" entries - simple: prune CUE entries from database for non-existent songs * input - curl: fix crash bug after stream with Icy metadata was closed by peer - tidal: remove defunct unmaintained plugin * tags - fix crash caused by bug in TagBuilder and a few potential reference leaks * output - httpd: fix missing tag after seeking into a new song - oss: fix channel order of multi-channel files * mixer - alsa: fix yet more rounding errors ver 0.22.9 (2021/06/23) * database - simple: load all .mpdignore files of all parent directories * tags - fix "readcomments" and "readpicture" on remote files with ID3 tags * decoder - ffmpeg: support the tags "sort_album", "album-sort", "artist-sort" - ffmpeg: fix build failure with FFmpeg 3.4 * Android - fix auto-start on boot in Android 8 or later * Windows - fix build failure with SQLite ver 0.22.8 (2021/05/22) * fix crash bug in "albumart" command (0.22.7 regression) ver 0.22.7 (2021/05/19) * protocol - don't use glibc extension to parse time stamps - optimize the "albumart" command * input - curl: send user/password in the first request, save one roundtrip * decoder - ffmpeg: fix build problem with FFmpeg 3.4 - gme: support RSN files * storage - curl: don't use glibc extension * database - simple: fix database corruption bug * output - fix crash when pausing with multiple partitions - jack: enable on Windows - httpd: send header "Access-Control-Allow-Origin: *" - wasapi: add algorithm for finding usable audio format - wasapi: use default device only if none was configured - wasapi: add DoP support
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit 69a72eb43924e14164d2a5ec142e1f544219198b Author: Adolf Belka adolf.belka@ipfire.org Date: Sun May 1 16:00:00 2022 +0200
apcupsd: Force update to get new libgd library
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit 1d683be87622e80b3c672b252c89c9d6c376bed5 Author: Adolf Belka adolf.belka@ipfire.org Date: Sun May 1 15:59:59 2022 +0200
icinga: Force update to get new libgd library
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit 45bae9ac918b3ff937a8805506f3cf2084ee214b Author: Adolf Belka adolf.belka@ipfire.org Date: Sun May 1 15:59:58 2022 +0200
sarg: Force update to get new libgd library
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit e1ea4c0ad2ccda7ecd09c581203f7ebce12f6c5c Author: Adolf Belka adolf.belka@ipfire.org Date: Sun May 1 15:47:13 2022 +0200
gcc: Update mpfr with patches for use in toolchain build
- Added mpfr consolidated patches file to mpfr in gcc. mpfr is built internally for use in the toolchain.
- Confirmed working by running ./make toolchain which ran successfully confirmed from the _build.toolchain.log file that the patches were successfully implemented for gcc pass 1, gcc pass L and gcc pass 2
- Full toolchain build successfully completed.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 2784c87b0e5978a6c49c814625a7e949298b57bb Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 2 05:38:27 2022 +0000
Core Update 168: Fix permissions of /etc/sudoers.d/
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit a260900c8d160192adc96234bb8a125f69b28c30 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Apr 30 10:05:44 2022 +0000
Do not permit world-readability of /etc/sudoers.d/
Lynis (rightly) complains about this directory and its contents being world-readable on current IPFire installations. Since there is no necessity for this, we might as well chmod them to 750 / 640.
Signed-off-by: Peter Müller peter.mueller@ipfire.org Reviewed-by: Adolf Belka adolf.belka@ipfire.org
commit 64567c94232a7f015b07d5a280f63fd7c6df696d Author: Jon Murphy jon.murphy@ipfire.org Date: Sun May 1 18:16:23 2022 -0500
pcengines-apu-firmware: Update to version 4.16.0.3
- Update from 4.15.0.1 to 4.16.0.3
- Update of rootfile
- Changelog
  v4.16.0.3 - Release date: 2022-04-21
    Rebased with official coreboot repository commit 2c4b426557
    See: https://github.com/pcengines/coreboot/compare/v4.16.0.2...v4.16.0.3
  v4.16.0.2 - Release date: 2022-03-29
    Rebased with official coreboot repository commit 66f99f7fa7
    See: https://github.com/pcengines/coreboot/compare/v4.16.0.1...v4.16.0.2
  v4.16.0.1 - Release date: 2022-03-08
    Rebased with official coreboot repository commit b4ba289fa5 Disabled loglevel prefixes introduced in coreboot 4.16 Disabled ANSI escape sequences introduced in coreboot 4.16 Fixed AMD PSP CCP as entropy source
  v4.15.0.3 - Release date: 2022-02-16
    Rebased with official coreboot repository commit 36425312ee Added checking hardware matrix before regression tests Fixed the hard disk not visible in the Seabios Boot Menu
  v4.15.0.2 - Release date: 2022-01-11
    rebased with official coreboot repository commit 3990da0b disabled SMM enabled parallel AP initialization for apu2-6 for faster boot time
Signed-off-by: Jon Murphy jon.murphy@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 52209fedab107907a1a8225b9cdc9edf4c54d251 Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 2 05:35:12 2022 +0000
langs: Add missing link
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit d4afd45e1138adf32ef87c483224f387d6566cfe Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 2 05:30:08 2022 +0000
Core Update 168: Ship and apply sysctl changes
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 1af975dcebb2892a13775d344109508e46bb0be4 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Apr 30 09:45:27 2022 +0000
sysctl: Use strict Reverse Path Filtering
The strict mode, as specified in RFC 3704, section 2.2, causes packets to be dropped by the kernel if they arrive with a source IP address that is not expected on the interface they arrived in. This prevents internal spoofing attacks, and is considered best practice among the industry.
After a discussion with Michael, we reached the conclusion that permitting users to configure the operating mode of RPF in IPFire causes more harm than good. The scenarios where strict RPF is not usable are negligible, and the vast majority of IPFire's userbase won't even notice a difference.
This supersedes 495b4ca2-5a4b-2ffa-8306-38f152889582@ipfire.org.
Suggested-by: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org Reviewed-by: Adolf Belka adolf.belka@ipfire.org
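An added example, not part of the IPFire commit or its code: a shell audit that checks whether strict Reverse Path Filtering, as the sysctl commit above describes, is in effect on every IPv4 interface. It assumes the Linux rule that the kernel applies the higher of conf/all/rp_filter and conf/<interface>/rp_filter (0 = off, 1 = strict, 2 = loose); the interface names and the sample tree are constructed.

```shell
#!/bin/sh
# Audit the effective IPv4 rp_filter mode per interface.
# Assumption: the kernel uses max(conf/all, conf/<iface>) for source
# validation, so a single "2" in either place silently downgrades an
# interface from strict to loose mode.

# rpf_effective ROOT IFACE -> prints the mode the kernel will apply
rpf_effective() {
    root=$1
    iface=$2
    all=$(cat "$root/all/rp_filter")
    own=$(cat "$root/$iface/rp_filter")
    if [ "$own" -gt "$all" ]; then
        echo "$own"
    else
        echo "$all"
    fi
}

# rpf_audit [ROOT] -> prints one line per interface that is not strict,
# returns 0 only if every interface is in strict mode.
rpf_audit() {
    root=${1:-/proc/sys/net/ipv4/conf}
    bad=0
    for dir in "$root"/*/; do
        iface=$(basename "$dir")
        # "all" and "default" are templates, not interfaces
        case $iface in
            all|default) continue ;;
        esac
        eff=$(rpf_effective "$root" "$iface")
        case $eff in
            1) ;;
            0) echo "$iface: no source validation"; bad=1 ;;
            2) echo "$iface: loose mode"; bad=1 ;;
            *) echo "$iface: unexpected value $eff"; bad=1 ;;
        esac
    done
    return $bad
}

# Demo on a constructed tree (sample data, not read from a real system):
# "all" is strict, but red0 carries a leftover loose setting.
sample=$(mktemp -d)
for name in all default green0 red0; do
    mkdir -p "$sample/$name"
    echo 1 > "$sample/$name/rp_filter"
done
echo 2 > "$sample/red0/rp_filter"
rpf_audit "$sample" || echo "strict RPF is not in effect on every interface"
rm -rf "$sample"
```

Run `rpf_audit` with no argument on a live system to read /proc/sys/net/ipv4/conf directly.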
commit 01cb6d794baf9f19c47e4037e7e0bf3e7b7710f3 Author: Peter Müller peter.mueller@ipfire.org Date: Mon May 2 05:28:32 2022 +0000
cups: Bump package version
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 2a14689ba86fa0acc222c6bffdb911d674ce34f8 Author: Daniel Weismueller daniel.weismueller@ipfire.org Date: Thu Apr 28 16:24:16 2022 +0200
cups: for now cups make a backup on uninstall
and a restore on install / update
The include file that was added in a previous commit allowed to manually create a backup, but none was created when the addon was installed, uninstalled or updated.
Signed-off-by: Daniel Weismueller daniel.weismueller@ipfire.org Reviewed-by: Adolf Belka adolf.belka@ipfire.org
commit 01eb9debf3bc28880912b6596ad6cb659b9c3a3b Author: Peter Müller peter.mueller@ipfire.org Date: Fri Apr 29 15:24:59 2022 +0000
Tor: Update to 0.4.7.7
Please refer to https://gitweb.torproject.org/tor.git/plain/ChangeLog?h=tor-0.4.7.7 for the changelog of this version.
Signed-off-by: Peter Müller peter.mueller@ipfire.org Reviewed-by: Adolf Belka adolf.belka@ipfire.org
commit e1e94ae75b5cb4835d9a35a7c054db66778a8114 Author: Adolf Belka adolf.belka@ipfire.org Date: Sat Apr 30 19:34:58 2022 +0200
minidlna: Addition of patches to fix CVE-2022-26505
- CVE-2022-26505 A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1 allows a remote web server to exfiltrate media files. CVE created on 6th March 2022
- minidlna have created the patches to fix CVE-2022-26505 and have created a git tag for version 1.3.1 but have not provided any 1.3.1 source tarballs. A ticket was raised on 14th March 2022 in the source forge support system asking to "Please publish a tarball for 1.3.1" but there was no reply from the developer so far.
- In the NIST National Vulnerability Database it refers to a fix implemented in 1.3.1 but the link to the sourceforge page is only the patches applied for the fix
- I used those diff descriptions to create a patch to implement on the existing 1.3.0 version in IPFire and this patch submission applies that fix
- Incremented the lfs PAK_VER
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 53736cfe67a21848b095746b123119c96b2d5dac Author: Adolf Belka adolf.belka@ipfire.org Date: Sat Apr 30 19:34:42 2022 +0200
man-pages: Update to version 5.13
- Update from version 2.34 (2006) to 5.13 (2021)
- Update of rootfile
- Changelog is too long to include here (~50000 lines)
  Details for version 5.13 can be found in the file Changes in the source tarball
  Details for version back to 2.34 can be found in the file Changes.old in the source tarball
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 908a25c644c1d1dd87bc0dca8cc2698fb30c87a0 Author: Adolf Belka adolf.belka@ipfire.org Date: Sat Apr 30 19:34:14 2022 +0200
libpipeline: Addition as build dependency for man
- Created lfs and rootfile - Added entry into make.sh
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit f5b9dcd1ccc930255aca4992023097cf1ef496cf Author: Adolf Belka adolf.belka@ipfire.org Date: Sat Apr 30 19:34:13 2022 +0200
man: Update to version 2.10.2
- Update from version 2.4.3 (2005) to 2.10.2 (2022)
- Update of rootfile
- Addition of libpipeline as a build dependency - separate patch for that.
- Changelog is too long to include here (~14000 lines)
  Details back to 2013 can be found in the file ChangeLog in the source tarball
  Details from 2013 back to version 2.4.3 can be found in the file ChangeLog-2013 in the source tarball
  90 bug fixes listed in ChangeLog
  128 bug fixes listed in Changelog-2013 back to the version after 2.4.3
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit eecf8445e23a5d9061c18c4bee88090a3a47e0ec Author: Peter Müller peter.mueller@ipfire.org Date: Sun May 1 08:36:10 2022 +0000
Core Update 168: Ship iana-etc
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit f4d1ada17054d4d0f08c270ce50dfc90f917307c Author: Adolf Belka adolf.belka@ipfire.org Date: Sat Apr 30 19:33:46 2022 +0200
iana-etc: Update to version 20220414
- Update from version 20220207 to 20220414 - Update of rootfile not required - Changelog Add new iana release 20220414
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 0f907074168a0c7db05b9d25e48999a05a489ac9 Author: Peter Müller peter.mueller@ipfire.org Date: Sun May 1 08:35:18 2022 +0000
Core Update 168: Ship curl
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit f61ced49e9b2452bee1448f3a42a050c793194a4 Author: Adolf Belka adolf.belka@ipfire.org Date: Sat Apr 30 19:33:31 2022 +0200
curl: Update to version 7.83.0
- Update from 7.82.0 to 7.83.0 - Update of rootfile - Changelog 7.83.0 Changes: o curl: add %header{name} experimental support in -w handling o curl: add %{header_json} experimental support in -w handling o curl: add --no-clobber [28] o curl: add --remove-on-error [11] o header api: add curl_easy_header and curl_easy_nextheader [56] o msh3: add support for QUIC and HTTP/3 using msh3 [84] Bugfixes: o appveyor: add Cygwin build [77] o appveyor: only add MSYS2 to PATH where required [78] o BearSSL: add CURLOPT_SSL_CIPHER_LIST support [27] o BearSSL: add CURLOPT_SSL_CTX_FUNCTION support [26] o BINDINGS.md: add Hollywood binding [34] o CI: Do not use buildconf. Instead, just use: autoreconf -fi [42] o CI: install Python package impacket to run SMB test 1451 [5] o configure.ac: move -pthread CFLAGS setting back where it used to be [14] o configure: bump the copyright year range int the generated output o conncache: include the zone id in the "bundle" hashkey [112] o connecache: remove duplicate connc->closure_handle check [90] o connect: make Curl_getconnectinfo work with conn cache from share handle [22] o connect: use TCP_KEEPALIVE only if TCP_KEEPIDLE is not defined [6] o cookie.d: clarify when cookies are sent o cookies: improve errorhandling for reading cookiefile [123] o curl/system.h: update ifdef condition for MCST-LCC compiler [4] o curl: error out if -T and -d are used for the same URL [99] o curl: error out when options need features not present in libcurl [18] o curl: escape '?' in generated --libcurl code [117] o curl: fix segmentation fault for empty output file names. 
[60] o curl_easy_header: fix typos in documentation [74] o CURLINFO_PRIMARY_PORT.3: clarify which port this is [126] o CURLOPT*TLSAUTH.3: they only work with OpenSSL or GnuTLS [105] o CURLOPT_DISALLOW_USERNAME_IN_URL.3: use uppercase URL o CURLOPT_PREQUOTE.3: only works for FTP file transfers, not dirs [79] o CURLOPT_PROGRESSFUNCTION.3: fix typo in example [63] o CURLOPT_UNRESTRICTED_AUTH.3: extended explanation [127] o CURLSHOPT_UNLOCKFUNC.3: fix the callback prototype [9] o docs/HYPER.md: updated to reflect current hyper build needs o docs/opts: Mention Schannel client cert type is P12 [50] o docs: Fix missing semicolon in example code [102] o docs: lots of minor language polish [51] o English: use American spelling consistently [95] o fail.d: tweak the description [101] o firefox-db2pem.sh: make the shell script safer [47] o ftp: fix error message for partial file upload [61] o gen.pl: change wording for mutexed options [98] o GHA: add openssl3 jobs moved over from zuul [88] o GHA: build hyper with nightly rustc [7] o GHA: move bearssl jobs over from zuul [85] o gha: move the event-based test over from Zuul [59] o gtls: fix build for disabled TLS-SRP [48] o http2: handle DONE called for the paused stream [69] o http2: RST the stream if we stop it on our own will [67] o http: avoid auth/cookie on redirects same host diff port [110] o http: close the stream (not connection) on time condition abort [68] o http: reject header contents with nul bytes [41] o http: return error on colon-less HTTP headers [31] o http: streamclose "already downloaded" [57] o hyper: fix status_line() return code [13] o hyper: fix tests 580 and 581 for hyper [107] o hyper: no h2c support [33] o infof: consistent capitalization of warning messages [103] o ipv4/6.d: clarify that they are about using IP addresses [3] o json.d: fix typo (overriden -> overridden) [24] o keepalive-time.d: It takes many probes to detect brokenness [29] o lib/warnless.[ch]: only check for WIN32 and ignore _WIN32 
[45] o lib670: avoid double check result [71] o lib: #ifdef on USE_HTTP2 better [65] o lib: fix some misuse of curlx_convert_wchar_to_UTF8 [38] o lib: remove exclamation marks [100] o libssh2: compare sha256 strings case sensitively [114] o libssh2: make the md5 comparison fail if wrong length [111] o libssh: fix build with old libssh versions [12] o libssh: fix double close [124] o libssh: Improve fix for missing SSH_S_ stat macros [10] o libssh: unstick SFTP transfers when done event-based [58] o macos: set .plist version in autoconf [122] o mbedtls: remove 'protocols' array from backend when ALPN is not used [66] o mbedtls: remove server_fd from backend [91] o mk-ca-bundle.pl: Use stricter logic to process the certificates [39] o mk-ca-bundle.vbs: delete this script in favor of mk-ca-bundle.pl [8] o mlc_config.json: add file to ignore known troublesome URLs [35] o mqtt: better handling of TCP disconnect mid-message [55] o ngtcp2: add client certificate authentication for OpenSSL [15] o ngtcp2: avoid busy loop in low CWND situation [119] o ngtcp2: deal with sub-millisecond timeout [116] o ngtcp2: disconnect the QUIC connection proper [19] o ngtcp2: enlarge H3_SEND_SIZE [82] o ngtcp2: fix HTTP/3 upload stall and avoid busy loop [83] o ngtcp2: fix memory leak [80] o ngtcp2: fix QUIC_IDLE_TIMEOUT [94] o ngtcp2: make curl 1ms faster [93] o ngtcp2: remove remote_addr which is not used in a meaningful way [81] o ngtcp2: update to work after recent ngtcp2 updates [62] o ngtcp2: use token when detecting :status header field [92] o nonblock: restore setsockopt method to curlx_nonblock [20] o openssl: check SSL_get_peer_cert_chain return value [1] o openssl: enable CURLOPT_SSL_EC_CURVES with BoringSSL [23] o openssl: fix CN check error code [21] o options: remove mistaken space before paren in prototype o perl: removed a double semicolon at end of line [64] o pop3/smtp: return *WEIRD_SERVER_REPLY when not understood [43] o projects/README: converted to markdown [76] o 
projects: Update VC version names for VS2017, VS2022 [52] o rtsp: don't let CSeq error override earlier errors [37] o runtests: add 'bearssl' as testable feature [87] o runtests: make 'oldlibssh' be before 0.9.4 [2] o schannel: remove dead code that will never run [89] o scripts/copyright.pl: ignore the new mlc_config.json file o scripts: move three scripts from lib/ to scripts/ [44] o test1135: sync with recent API updates [54] o test1459: disable for oldlibssh [53] o test375: fix line endings on Windows [40] o test386: Fix an incorrect test markup tag o test718: edited slightly to return better HTTP [32] o tests/server/util.h: align WIN32 condition with util.c [46] o tests: refactor server/socksd.c to support --unix-socket [96] o timediff.[ch]: add curlx helper functions for timeval conversions [86] o tls: make mbedtls and NSS check for h2, not nghttp2 [70] o tool and tests: force flush of all buffers at end of program [17] o tool_cb_hdr: Turn the Location: into a terminal hyperlink [30] o tool_getparam: error out on missing -K file [115] o tool_listhelp.c: uppercase URL o tool_operate: fix a scan-build warning [16] o tool_paramhlp: use feof(3) to identify EOF correctly when using fread(3) [97] o transfer: redirects to other protocols or ports clear auth [109] o unit1620: call global_init before calling Curl_open [125] o url: check sasl additional parameters for connection reuse. [113] o vtls: provide a unified APLN-disagree string for all backends [75] o vtls: use a backend standard message for "ALPN: offers %s" [73] o vtls: use a generic "ALPN, server accepted" message [72] o winbuild/README.md: fixup dead link [36] o winbuild: Add a Visual Studio example to the README [49] o wolfssl: fix compiler error without IPv6 [25]
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 56b9ee7e7e63fffba6bbe09c11bd57aa1df88d4b Author: Adolf Belka adolf.belka@ipfire.org Date: Wed Apr 27 19:17:56 2022 +0200
libseccomp: Update to version 2.5.4
- Update from version 2.5.3 to 2.5.4
- Update of rootfile
- Changelog
    Version 2.5.4 - April 21, 2022
      - Update the syscall table for Linux v5.17
      - Fix minor issues with binary tree testing and with empty binary trees
      - Minor documentation improvements including retiring the mailing list
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit b314ad9e78d333109a7e8c43d4461d13ccbaea19 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Apr 30 08:56:38 2022 +0000
Core Update 168: Ship libaio
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit efa6f1e2dc1f7d9c93444b70ca1d19cf78d96a11 Author: Adolf Belka adolf.belka@ipfire.org Date: Fri Apr 22 22:10:12 2022 +0200
libaio: Update to version 0.3.113
- Update from version 0.3.112 to 0.3.113 - Update of rootfile - Changelog 0.3.113 harness: add test for aio poll missed events Verify structure padding is correct at build time Fix struct io_iocb_sockaddr padding for 32bit architectures Fix struct io_iocb_vector padding for 32bit architectures Use generic syscall number schema for loongarch Add endian detection and bit width detection for loongarch Add loongarch to supported architectures in libaio.spec cases/16.t: loongarch only supports eventfd2 Fix test issue with gcc-11 harness: Skip the test if io_pgetevents() is not implemented harness: Print better error messages on error conditions in 22.t harness: Fix PROT_WRITE mmap check harness: fix read into PROT_WRITE mmap test harness: skip 22.p if async_poll isn't supported harness: Handle -ENOTSUP from io_submit() with RWF_NOWAIT harness: Add fallback code for filesystems not supporting O_DIRECT harness: add support for skipping tests harness: Make the test exit with a code matching the pass/fail state harness: Make RISC-V use SYS_eventfd2 instead of unavailable SYS_eventfd harness: Use run-time _SC_PAGE_SIZE instead of build-time PAGESIZE harness: Use destination strncpy() expression for sizeof() argument Use ctx consistently for io_context_t instead of ctx_id man: Escape verbatim \n in order to make it through roff man: Fold short lines man: Fix markup man: Fix title header man: Fix typos man: Add "None" to empty sections man: Remove spurious text man: Remove spurious spaces man: Fix period formatting man: Fix casing man: End sentences with a period man: Refer to libaio.h instead of libio.h man: Use the correct troff macro for comments man: Add missing space in man page references harness: allow running tests against the installed library
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 585ab8755129e0cccfb48c2e1fabdaaaf1f39c0f Author: Peter Müller peter.mueller@ipfire.org Date: Sat Apr 30 08:56:07 2022 +0000
Core Update 168: Ship libcap
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit d9538fbcc4a5f2547a3cedab9b5d2aad307cd2b3 Author: Adolf Belka adolf.belka@ipfire.org Date: Fri Apr 22 22:10:30 2022 +0200
libcap: Update to version 2.64
- Update from version 2.63 to 2.64
- Update of rootfile
- Change sed line to ensure removal of static libs - environment names for static libraries changed.
- Changelog
    2.64
      Fix memory leak in libpsx at program exit. (Bug: 215551 reported by Kalen Hall)
      Be more resilient to CGo configuration with Go compiler when building tests. (Bug: 215603)
      Fix cap_*prctl() return code/errno handling. (Bug: 215772 reported by Anderson Toshiyuki Sasaki)
      Minor clarification to cap_get_pid() man page concerning pid value within namespaces. (Bug: 215812)
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit fab835851530b6dafacc16f43c4488ba597376c4 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Apr 30 08:55:35 2022 +0000
Core Update 168: Ship libcap-ng
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 535607ac934efbd27cb11c8c201dc528f53bac9e Author: Adolf Belka adolf.belka@ipfire.org Date: Fri Apr 22 22:10:47 2022 +0200
libcap-ng: Update to version 0.8.3
- Update from 0.8.2 to 0.8.3
- Update of rootfile not required
- Changelog
    0.8.3
      - Fix parameters to capng_updatev python bindings to be signed
      - Detect capability options at runtime to make containerization easier (ntkme)
      - Initialize the library when linked statically
      - Add gcc function attributes for deallocation
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 3661b4cb467232082bed7ceebe0cff1882c38d5d Author: Adolf Belka adolf.belka@ipfire.org Date: Mon Apr 25 14:40:16 2022 +0200
nginx: Update to version 1.21.6
- Update from version 1.19.2 to 1.21.6 - Update of rootfile not required - Changelog Changes with nginx 1.21.6 25 Jan 2022 *) Bugfix: when using EPOLLEXCLUSIVE on Linux client connections were unevenly distributed among worker processes. *) Bugfix: nginx returned the "Connection: keep-alive" header line in responses during graceful shutdown of old worker processes. *) Bugfix: in the "ssl_session_ticket_key" when using TLSv1.3. Changes with nginx 1.21.5 *) Change: now nginx is built with the PCRE2 library by default. *) Change: now nginx always uses sendfile(SF_NODISKIO) on FreeBSD. *) Feature: support for sendfile(SF_NOCACHE) on FreeBSD. *) Feature: the $ssl_curve variable. *) Bugfix: connections might hang when using HTTP/2 without SSL with the "sendfile" and "aio" directives. Changes with nginx 1.21.4 *) Change: support for NPN instead of ALPN to establish HTTP/2 connections has been removed. *) Change: now nginx rejects SSL connections if ALPN is used by the client, but no supported protocols can be negotiated. *) Change: the default value of the "sendfile_max_chunk" directive was changed to 2 megabytes. *) Feature: the "proxy_half_close" directive in the stream module. *) Feature: the "ssl_alpn" directive in the stream module. *) Feature: the $ssl_alpn_protocol variable. *) Feature: support for SSL_sendfile() when using OpenSSL 3.0. *) Feature: the "mp4_start_key_frame" directive in the ngx_http_mp4_module. Thanks to Tracey Jaquith. *) Bugfix: in the $content_length variable when using chunked transfer encoding. *) Bugfix: after receiving a response with incorrect length from a proxied backend nginx might nevertheless cache the connection. Thanks to Awdhesh Mathpal. *) Bugfix: invalid headers from backends were logged at the "info" level instead of "error"; the bug had appeared in 1.21.1. *) Bugfix: requests might hang when using HTTP/2 and the "aio_write" directive. 
Changes with nginx 1.21.3 *) Change: optimization of client request body reading when using HTTP/2. *) Bugfix: in request body filters internal API when using HTTP/2 and buffering of the data being processed. Changes with nginx 1.21.2 *) Change: now nginx rejects HTTP/1.0 requests with the "Transfer-Encoding" header line. *) Change: export ciphers are no longer supported. *) Feature: OpenSSL 3.0 compatibility. *) Feature: the "Auth-SSL-Protocol" and "Auth-SSL-Cipher" header lines are now passed to the mail proxy authentication server. Thanks to Rob Mueller. *) Feature: request body filters API now permits buffering of the data being processed. *) Bugfix: backend SSL connections in the stream module might hang after an SSL handshake. *) Bugfix: the security level, which is available in OpenSSL 1.1.0 or newer, did not affect loading of the server certificates when set with "@SECLEVEL=N" in the "ssl_ciphers" directive. *) Bugfix: SSL connections with gRPC backends might hang if select, poll, or /dev/poll methods were used. *) Bugfix: when using HTTP/2 client request body was always written to disk if the "Content-Length" header line was not present in the request. Changes with nginx 1.21.1 *) Change: now nginx always returns an error for the CONNECT method. *) Change: now nginx always returns an error if both "Content-Length" and "Transfer-Encoding" header lines are present in the request. *) Change: now nginx always returns an error if spaces or control characters are used in the request line. *) Change: now nginx always returns an error if spaces or control characters are used in a header name. *) Change: now nginx always returns an error if spaces or control characters are used in the "Host" request header line. *) Change: optimization of configuration testing when using many listening sockets. *) Bugfix: nginx did not escape """, "<", ">", "", "^", "`", "{", "|", and "}" characters when proxying with changed URI. 
*) Bugfix: SSL variables might be empty when used in logs; the bug had appeared in 1.19.5. *) Bugfix: keepalive connections with gRPC backends might not be closed after receiving a GOAWAY frame. *) Bugfix: reduced memory consumption for long-lived requests when proxying with more than 64 buffers. Changes with nginx 1.21.0 *) Security: 1-byte memory overwrite might occur during DNS server response processing if the "resolver" directive was used, allowing an attacker who is able to forge UDP packets from the DNS server to cause worker process crash or, potentially, arbitrary code execution (CVE-2021-23017). *) Feature: variables support in the "proxy_ssl_certificate", "proxy_ssl_certificate_key" "grpc_ssl_certificate", "grpc_ssl_certificate_key", "uwsgi_ssl_certificate", and "uwsgi_ssl_certificate_key" directives. *) Feature: the "max_errors" directive in the mail proxy module. *) Feature: the mail proxy module supports POP3 and IMAP pipelining. *) Feature: the "fastopen" parameter of the "listen" directive in the stream module. Thanks to Anbang Wen. *) Bugfix: special characters were not escaped during automatic redirect with appended trailing slash. *) Bugfix: connections with clients in the mail proxy module might be closed unexpectedly when using SMTP pipelining. Changes with nginx 1.19.10 *) Change: the default value of the "keepalive_requests" directive was changed to 1000. *) Feature: the "keepalive_time" directive. *) Feature: the $connection_time variable. *) Workaround: "gzip filter failed to use preallocated memory" alerts appeared in logs when using zlib-ng. Changes with nginx 1.19.9 *) Bugfix: nginx could not be built with the mail proxy module, but without the ngx_mail_ssl_module; the bug had appeared in 1.19.8. *) Bugfix: "upstream sent response body larger than indicated content length" errors might occur when working with gRPC backends; the bug had appeared in 1.19.1. 
*) Bugfix: nginx might not close a connection till keepalive timeout expiration if the connection was closed by the client while discarding the request body. *) Bugfix: nginx might not detect that a connection was already closed by the client when waiting for auth_delay or limit_req delay, or when working with backends. *) Bugfix: in the eventport method. Changes with nginx 1.19.8 *) Feature: flags in the "proxy_cookie_flags" directive can now contain variables. *) Feature: the "proxy_protocol" parameter of the "listen" directive, the "proxy_protocol" and "set_real_ip_from" directives in mail proxy. *) Bugfix: HTTP/2 connections were immediately closed when using "keepalive_timeout 0"; the bug had appeared in 1.19.7. *) Bugfix: some errors were logged as unknown if nginx was built with glibc 2.32. *) Bugfix: in the eventport method. Changes with nginx 1.19.7 *) Change: connections handling in HTTP/2 has been changed to better match HTTP/1.x; the "http2_recv_timeout", "http2_idle_timeout", and "http2_max_requests" directives have been removed, the "keepalive_timeout" and "keepalive_requests" directives should be used instead. *) Change: the "http2_max_field_size" and "http2_max_header_size" directives have been removed, the "large_client_header_buffers" directive should be used instead. *) Feature: now, if free worker connections are exhausted, nginx starts closing not only keepalive connections, but also connections in lingering close. *) Bugfix: "zero size buf in output" alerts might appear in logs if an upstream server returned an incorrect response during unbuffered proxying; the bug had appeared in 1.19.1. *) Bugfix: HEAD requests were handled incorrectly if the "return" directive was used with the "image_filter" or "xslt_stylesheet" directives. *) Bugfix: in the "add_trailer" directive. Changes with nginx 1.19.6 *) Bugfix: "no live upstreams" errors if a "server" inside "upstream" block was marked as "down". 
*) Bugfix: a segmentation fault might occur in a worker process if HTTPS was used; the bug had appeared in 1.19.5. *) Bugfix: nginx returned the 400 response on requests like "GET http://example.com?args HTTP/1.0". *) Bugfix: in the ngx_http_flv_module and ngx_http_mp4_module. Thanks to Chris Newton. Changes with nginx 1.19.5 *) Feature: the -e switch. *) Feature: the same source files can now be specified in different modules while building addon modules. *) Bugfix: SSL shutdown did not work when lingering close was used. *) Bugfix: "upstream sent frame for closed stream" errors might occur when working with gRPC backends. *) Bugfix: in request body filters internal API. Changes with nginx 1.19.4 *) Feature: the "ssl_conf_command", "proxy_ssl_conf_command", "grpc_ssl_conf_command", and "uwsgi_ssl_conf_command" directives. *) Feature: the "ssl_reject_handshake" directive. *) Feature: the "proxy_smtp_auth" directive in mail proxy. Changes with nginx 1.19.3 *) Feature: the ngx_stream_set_module. *) Feature: the "proxy_cookie_flags" directive. *) Feature: the "userid_flags" directive. *) Bugfix: the "stale-if-error" cache control extension was erroneously applied if backend returned a response with status code 500, 502, 503, 504, 403, 404, or 429. *) Bugfix: "[crit] cache file ... has too long header" messages might appear in logs if caching was used and the backend returned responses with the "Vary" header line. *) Workaround: "[crit] SSL_write() failed" messages might appear in logs when using OpenSSL 1.1.1. *) Bugfix: "SSL_shutdown() failed (SSL: ... bad write retry)" messages might appear in logs; the bug had appeared in 1.19.2. *) Bugfix: a segmentation fault might occur in a worker process when using HTTP/2 if errors with code 400 were redirected to a proxied location using the "error_page" directive. *) Bugfix: socket leak when using HTTP/2 and subrequests in the njs module.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 810dbe76aeda67dd339e3150a7dede4af07c1a08 Author: Adolf Belka adolf.belka@ipfire.org Date: Mon Apr 25 14:40:33 2022 +0200
oci-cli: Update to version 3.7.3
- Update from 3.4.2 to 3.7.3
- Update of rootfile
- Changelog is too large to include here ~600 lines long
   More details can be found in the CHANGELOG.rst file in the source tarball
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Acked-by: Peter Müller peter.mueller@ipfire.org
commit 85a250d6369357d8405a24dd6ccff22a04c5525d Author: Adolf Belka adolf.belka@ipfire.org Date: Mon Apr 25 14:40:48 2022 +0200
oci-python-sdk: Update to version 2.64.0
- Update from 2.54.0 to 2.64.0 - Update of rootfile - Changelog 2.64.0 - 2022-04-19 Added * Support for the Stack Monitoring service * Support for stack monitoring on external databases in the Database service * Support for upgrading VM database systems in place in the Database service * Support for viewing supported VMWare software versions when listing host shapes in the VMWare Solution service * Support for choosing compute shapes when creating SDDCs and ESXi hosts in the VMWare Solution service * Support for work requests on delete operations in the Vulnerability Scanning service * Support for additional scan metadata in reports, including CVE descriptions, in the Vulnerability Scanning service * Support for redemption codes in the Usage service Breaking * Param `type` in model `DiscoveryDetails` assumes the value of `UNKNOWN_ENUM_VALUE` if it is assigned a value that is not of the allowed_values. It will not raise a `ValueError`. 2.63.0 - 2022-04-12 Added * Support for bringing your own IPv6 addresses in the Networking service * Support for specifying database edition and maximum CPU core count when creating or updating an autonomous database in the Database service * Support for enabling and disabling data collection options when creating or updating Exadata Cloud at Customer VM clusters in the Database service Breaking * Support for retries by default on operations in the Identity service * Support for retries by default on operations in the Operations Insights service 2.62.1 - 2022-04-05 Added * Fixed the lifecycle state values for target databases in the Data Safe service * Support for content length and content type response headers when downloading PDFs in the Account Management service * Support for creating Enterprise Manager-based zLinux host targets, creating alarms, and viewing top process analytics in the Operations Insights service * Support for diagnostic reboots on VM instances in the Compute service 2.62.0 - 2022-03-29 Added * Support for 
returning the number of network ports as part of listing shapes in the Compute service * Support for Java runtime removal and custom logs in the Java Management service * Support for new parameters for BGP admin state and enabling/disabling BFD in the Networking service * Support for private OKE clusters and blue-green deployments in the DevOps service * Support for international customers to consume and launch third-party paid listings in the Marketplace service * Support for additional fields on entities, attributes, and folders in the Data Catalog service Breaking * Support for retries by default on operations in the Marketplace service 2.61.0 - 2022-03-22 Added * Support for getting the storage utilization of a deployment on deployment list and get operations in the GoldenGate service * Support for virtual machines, bare metal machines, and Exadata databases with private endpoints in the Operations Insights service * Support for setting deletion policies on database systems in the MySQL Database service Breaking * Support for retries by default on operations in the Data Labeling service (data plane and control plane) 2.60.1 - 2022-03-15 Added * Support for Ubuntu platforms and unlimited installation keys in the Management Agent Cloud service * Support for shielded instances in the VMWare Solution service * Support for application resources in the Data Integration service * Support for multi-AVM on Exadata Cloud at Customer infrastructure in the Database service * Support for heterogeneous (VM and AVM) clusters on Exadata Cloud at Customer infrastructure in the Database service * Support for custom maintenance schedules for AVM clusters on Exadata Cloud at Customer infrastructure in the Database service * Support for listing vulnerabilities, vulnerability-impacted containers, and vulnerability-impacted hosts in the Vulnerability Scanning service * Support for specifying an image count when creating or updating container scan recipes in the Vulnerability Scanning 
service 2.60.0 - 2022-03-08 Added * Support for the Sales Accelerator license option in the Content Management service * Support for VCN hostname cluster endpoints in the Container Engine for Kubernetes service * Support for optionally specifying an admin username and password when creating a database system during a restore operation in the MySQL Database service * Support for automatic tablespace creation on non-autonomous and autonomous database dedicated targets in the Database Migration service * Support for reporting excluded objects based on static exclusion rules and dynamic exclusion settings in the Database Migration service * Support for removing, listing, and adding database objects reported by the Cloud Premigration Advisor Tool (CPAT) in the Database Migration service * Support for migrating Oracle databases from the AWS RDS service to OCI as autonomous databases, using the AWS S3 service and DBLINK for data transfer, in the Database Migration service * Support for querying additional fields of a resource using return clauses in the Search service * Support for clusters and station clusters in the Roving Edge Infrastructure service * Support for creating database systems and database homes using customer-managed keys in the Database service Breaking * Support for retries enabled by default on operations in the Container Engine for Kubernetes service * Support for retries enabled by default on operations in the Resource Manager service * Support for retries enabled by default on operations in the Search service 2.59.0 - 2022-03-01 Added * Support for DRG route distribution statements to be specified with a new match type 'MATCH_ALL' for matching criteria in the Networking service * Support for VCN route types on DRG attachments for deciding whether to import VCN CIDRs or subnet CIDRs into route rules in the Networking service * Support for CPS offline reports in the Database service * Support for infrastructure patching v2 features in the Database 
service * Support for auto-scaling the storage of an autonomous database, as well as shrinking an autonomous database, in the Database service * Support for managed egress via a default networking option on jobs and notebooks in the Data Science service * Support for more types of saved search enums in the Management Dashboard service Breaking * Support for retries enabled by default on some operations in the AI Vision service 2.58.0 - 2022-02-22 Added * Support for the Data Connectivity Management service * Support for the AI Speech service * Support for disabling crash recovery in the MySQL Database service * Support for detector recipes of type "threat", new detector rule of type "rogue user", and sightings operations in the Cloud Guard service * Support for more VM shape configurations when listing shapes in the Compute service * Support for customer-managed encryption keys in the Analytics Cloud service * Support for FastConnect device information in the Networking service Breaking * Support for retries enabled by default on all operations in the Application Performance Monitoring control plane service 2.57.0 - 2022-02-15 Added * Support for the AI Vision service * Support for the Threat Intelligence service * Support for creation of NoSQL database tables with on-demand throughput capacity in the NoSQL Database Cloud service * Support for tagging features in the Oracle Container Engine for Kubernetes (OKE) service * Support for trace snapshots in the Application Performance Monitoring service * Support for auditing and alerts in the Data Safe service * Support for data discovery and data masking in the Data Safe service * Support for customized subscriptions and delivery of announcements by email and SMS in the Announcements service Breaking * The API `query_old` was removed from `query_client` in the Application Performance Monitoring service 2.56.0 - 2022-02-08 Added * Support for managing tablespaces in the Database Management service * Support for 
upgrading and managing payment for subscriptions in the Account Management service * Support for listing fast launch job configurations in the Data Science service Breaking changes * Support for retries enabled by default on all operations in the Application Performance Monitoring service * The type for the `bill_to_address` parameter was changed from `Address` to `BillToAddress` in the invoice model of the Account Management service * `payment_method` was made a required property of the `payment_detail` model of the Account Management service 2.55.1 - 2022-02-01 Added * Support for calling Oracle Cloud Infrastructure services in the ap-dcc-canberra-1 region * Support for the Console Dashboard service * Support for capacity reservation in the Container Engine for Kubernetes service * Support for tagging in the Container Engine for Kubernetes service * Support for fetching listings by image OCID in the Marketplace service * Support for underscores and hyphens in project resource names in the DevOps service * Support for cross-region cloning in the Database service 2.55.0 - 2022-01-25 Added * Support for OneSubscription services * Support for specifying if a run or application is streaming or batch in the Data Flow service * Support for updating the Instance Configuration of an Instance Pool within a Cluster Network in the Compute Management service * Updated documentation for Cross Region ADG feature for Autonomous Database in the Database service Breaking * Support for retries enabled by default on all operations in the Object Storage service 2.54.1 - 2022-01-18 Added * Support for calling Oracle Cloud Infrastructure services in the me-dcc-muscat-1 region * Support for the Visual Builder service * Support for cross-region replication of volume groups in the Block Storage service * Support for boot volume encryption in the Container Engine for Kubernetes service * Support for adding metadata to records when creating and updating records in the Data Labeling service 
* Support for global export formats in snapshot datasets in the Data Labeling service * Support for adding labeling instructions to datasets in the Data Labeling service * Support for updating autonomous dataguard associations for autonomous container databases in the Database service * Support for setting up automatic failover when creating autonomous container databases in the Database service * Support for setting the RECO storage size when updating a database system in the Database service * Support for reconnecting refreshable clones to source for autonomous databases on shared infrastructure in the Database service * Support for checking if an autonomous database on shared infrastructure can be reconnected to source, in the Database service
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Acked-by: Peter Müller peter.mueller@ipfire.org
commit a2a05a470649a6ade7d00d82436c2834ababe7ab Author: Adolf Belka adolf.belka@ipfire.org Date: Mon Apr 25 14:39:59 2022 +0200
nfs: Update to version 2.6.1
- Update from version 2.5.3 to 2.6.1 - Update of rootfile not required - Changelog is not available in the source tarball or on the website. Following list of changes obtained from git shortlog listing Release: 2.6.1 nfs-utils-2-6-1 mount: removed unused lable tools/rpcgen: fix build on macos arm64 (stat64 issue) mount: Remove NFS v2 support from mount.nfs nfs.man: Remove references to NFS v2 from the man pages nfsd: Remove the ability to enable NFS v2. mount: don't bind a socket needlessly. Add --disable-sbin-override for when /sbin is a symlink mountstats: division by zero error on new mount when... mountd: only do NFSv4 logging on supported kernels. Move version.h into a common include directory install-dep: Use command -v instead of which nfs.man: adding new mount option max_connect cacheio.c:216:21: warning: unused variable 'stb' [... gssd: fix crash in debug message. systemd generators: Install depending on location for... systemd/Makefile: Drop exlicit setting of unit_dir nfs-utils: add install-dep for installing all dependencies nfs-utils: Fix mem leak in mountd nfs-utils: Fix mem leaks in krb5_util nfs-utils: Fix mem leaks in gssd nfs-utils: Fix potential memory leaks in idmap nfsdcltrack: Use uint64_t instead of time_t systemd: Fix non-default statedir paths. nfsdcltrack/nfsdcltrack.c: Fix printf format nfsdcltrack/sqlite: Fix printf format mount.nfs: Fix the sloppy option processing Release: 2.5.4 gssd: Cleaned up debug messages mount.nfs: insert 'sloppy' at beginning of the options nfs(5): Correct the spelling of "kernel_source" nfs(5): Fix missing mentions of "rdma6" netid gssd: add timeout for upcall threads gssd: deal with failed thread creation configure: check for rpc/rpc.h presence README: update git repository URL Move declaration of etab and rmtab into libraries Remove 'force' arg from cache_flush() Fix NFSv4 export of tmpfs filesystems gssd: use mutex to protect decrement of refcount nfs-utils: Enable the retrieval of raw config settings... 
nfs-utils: Factor out common structure cleanup calls Replace all /var/run with /run Fix `statx()` emulation breaking exports mountd/exports: Fix typo in the man page NFS server should enable RDMA by default mountd/exportd: only log confirmed clients, and poll... exportfs: fix unexporting of '/' nfsdclnts: Ignore SIGPIPE signal mountd: add logging of NFSv4 clients attaching and... mountd: make default ttl settable by option mountd: add --cache-use-ipaddr option to force use_ipaddr mountd: add logging for authentication results for... mountd/exports: update man page mountd: Don't proactively add export info when fh info... mountd: reject unknown client IP when !use_ipaddr. gssd: Add options to rpc.gssd to allow for the use... exportd: server-side gid management
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 9efdbe103b8d98b80125407443e906373c534269 Author: Peter Müller peter.mueller@ipfire.org Date: Fri Apr 29 19:48:26 2022 +0000
Core Update 168: Ship changed rules.pl
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 8b97a537f5f9e798a1ab307b2c32bd9a8b0f6913 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Apr 25 21:04:53 2022 +0200
rules.pl: Fix automatic ipset sets cleanup.
The array of used/loaded ipsets needs to be reloaded before the cleanup can be started to also handle sets which are loaded during runtime.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Acked-by: Peter Müller peter.mueller@ipfire.org
commit 2f908d96489d6de9f1acc783c23f7fbe0057ed1d Author: Peter Müller peter.mueller@ipfire.org Date: Fri Apr 29 19:47:31 2022 +0000
Core Update 168: Ship libinih
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit f02dc11a38c1144fcef322cf34fc6417aae4355f Author: Adolf Belka adolf.belka@ipfire.org Date: Wed Apr 27 19:17:42 2022 +0200
libinih: Update to version r55
- Update from version r53 to r55
- Update of rootfile not required
- Changelog
    inih version 55
      Added "version" to meson.build config: #135 (but bumped up to 55 in a subsequent commit, for this release).
    inih version 54
      Mainly #134, adding the visibility symbols to the Meson build config, but also other small tweaks to tests and so on.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 3421b1abd824d680c68948a83123469737b1bbfa Author: Adolf Belka adolf.belka@ipfire.org Date: Wed Apr 27 19:18:11 2022 +0200
meson: Update to version 0.62.1
- Update from version 0.60.1 to 0.62.1
- Update of rootfile
- Changelog is too long to include here. More details can be read at the following link
    https://mesonbuild.com/Release-notes-for-0-62-0.html
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 7481abecc3ae49406b8312af1dff521755f72428 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Apr 23 14:59:09 2022 +0000
mcelog: Update to 181
No changelog or release notes are provided. Please refer to https://git.kernel.org/pub/scm/utils/cpu/mce/mcelog.git/log/ for the source code history since the 175 release of mcelog.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 8f855e933d52e7d8eca1cbfe947ab56ee9202232 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Apr 23 14:47:00 2022 +0000
Postfix: Update to 3.7.1
Please refer to https://www.postfix.org/announcements/postfix-3.7.1.html for this version's release notes.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 9d5c3d36e08f4b459e17534c40cbbf3dd07d1d57 Author: Adolf Belka adolf.belka@ipfire.org Date: Mon Apr 25 14:41:54 2022 +0200
openvmtools: Update to version stable-12.0.0
- Update from version stable-11.3.0 to stable-12.0.0
- Update of rootfile
- Changelog is a bit too long to include here. More details can be found at
    https://github.com/vmware/open-vm-tools/blob/stable-12.0.0/ReleaseNotes.md
    https://github.com/vmware/open-vm-tools/blob/stable-11.3.5/ReleaseNotes.md
- In version 11.3.5 mount.vmhgfs was removed from openvmtools. It has been replaced by hgfs-fuse
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit b7d80a2767f42a6bb8df65084f27a34803ee77de Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Apr 28 23:25:41 2022 +0200
nasm: Update to version 2.15.05
- Update from version 2.14.02 (Dec 2018) to 2.15.05 (Aug 2020)
- Most recent commit in git was Dec 2021
- Update of rootfile not required
- Changelog in source tarball and in git repository was last updated in 2007. Only option to see changes is to review the commits in
    https://github.com/netwide-assembler/nasm/commits/master
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 8de58edc738a0405eda7f691bab1c4fdaf02f83f Author: Peter Müller peter.mueller@ipfire.org Date: Fri Apr 29 19:32:56 2022 +0000
Core Update 168: Ship relevant linux-firmware changes
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 5a48b4a23b66c25c63f1bc503f54c6babac8794a Author: Peter Müller peter.mueller@ipfire.org Date: Sat Apr 23 19:28:30 2022 +0000
linux-firmware: Update to 20220411
See https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/... for changes since the last linux-firmware version tag.
Also, please note that this patch does not feature any directives for shipping files via a Core Update - these need to be done separately.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 7138d1747ced95690e0acd76f7370d34ae3a399b Author: Peter Müller peter.mueller@ipfire.org Date: Fri Apr 29 19:01:46 2022 +0000
Core Update 168: Ship openjpeg
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit ca98d29a86a6eb9734d60eb7fb334395be0a29bd Author: Adolf Belka adolf.belka@ipfire.org Date: Mon Apr 25 14:41:29 2022 +0200
openjpeg: Update to version 2.4.0
- Update from version 2.3.1 to 2.4.0 - Update of rootfile - Changelog 2.4.0 **Closed issues:** - OPENJPEG_INSTALL_DOC_DIR does not control a destination directory where HTML docs would be installed. [#1309](https://github.com/uclouvain/openjpeg/issues/1309) - Heap-buffer-overflow in lib/openjp2/pi.c:312 [#1302](https://github.com/uclouvain/openjpeg/issues/1302) - Heap-buffer-overflow in lib/openjp2/t2.c:973 [#1299](https://github.com/uclouvain/openjpeg/issues/1299) - Heap-buffer-overflow in lib/openjp2/pi.c:623 [#1293](https://github.com/uclouvain/openjpeg/issues/1293) - Global-buffer-overflow in lib/openjp2/dwt.c:1980 [#1286](https://github.com/uclouvain/openjpeg/issues/1286) - Heap-buffer-overflow in lib/openjp2/tcd.c:2417 [#1284](https://github.com/uclouvain/openjpeg/issues/1284) - Heap-buffer-overflow in lib/openjp2/mqc.c:499 [#1283](https://github.com/uclouvain/openjpeg/issues/1283) - Openjpeg could not encode 32bit RGB float image [#1281](https://github.com/uclouvain/openjpeg/issues/1281) - Openjpeg could not encode 32bit RGB float image [#1280](https://github.com/uclouvain/openjpeg/issues/1280) - ISO/IEC 15444-1:2019 (E) compared with 'cio.h' [#1277](https://github.com/uclouvain/openjpeg/issues/1277) - Test-suite failure due to hash mismatch [#1264](https://github.com/uclouvain/openjpeg/issues/1264) - Heap use-after-free [#1261](https://github.com/uclouvain/openjpeg/issues/1261) - Memory leak when failing to allocate object... [#1259](https://github.com/uclouvain/openjpeg/issues/1259) - Memory leak of Tier 1 handle when OpenJPEG fails to set it as TLS... [#1257](https://github.com/uclouvain/openjpeg/issues/1257) - Any plan to build release for CVE-2020-8112/CVE-2020-6851 [#1247](https://github.com/uclouvain/openjpeg/issues/1247) - failing to convert 16-bit file: opj_t2_encode_packet(): only 5251 bytes remaining in output buffer. 5621 needed. 
[#1243](https://github.com/uclouvain/openjpeg/issues/1243) - CMake+VS2017 Compile OK, thirdparty Compile OK, but thirdparty not install [#1239](https://github.com/uclouvain/openjpeg/issues/1239) - New release to solve CVE-2019-6988 ? [#1238](https://github.com/uclouvain/openjpeg/issues/1238) - Many tests fail to pass after the update of libtiff to version 4.1.0 [#1233](https://github.com/uclouvain/openjpeg/issues/1233) - Another heap buffer overflow in libopenjp2 [#1231](https://github.com/uclouvain/openjpeg/issues/1231) - Heap buffer overflow in libopenjp2 [#1228](https://github.com/uclouvain/openjpeg/issues/1228) - Endianness of binary volume (JP3D) [#1224](https://github.com/uclouvain/openjpeg/issues/1224) - New release to resolve CVE-2019-12973 [#1222](https://github.com/uclouvain/openjpeg/issues/1222) - how to set the block size,like 128,256 ? [#1216](https://github.com/uclouvain/openjpeg/issues/1216) - compress YUV files to motion jpeg2000 standard [#1213](https://github.com/uclouvain/openjpeg/issues/1213) - Repair/update Java wrapper, and include in release [#1208](https://github.com/uclouvain/openjpeg/issues/1208) - abc [#1206](https://github.com/uclouvain/openjpeg/issues/1206) - Slow decoding [#1202](https://github.com/uclouvain/openjpeg/issues/1202) - Installation question [#1201](https://github.com/uclouvain/openjpeg/issues/1201) - Typo in test_decode_area - *ptilew is assigned instead of *ptileh [#1195](https://github.com/uclouvain/openjpeg/issues/1195) - Creating a J2K file with one POC is broken [#1191](https://github.com/uclouvain/openjpeg/issues/1191) - Make fails on Arch Linux [#1174](https://github.com/uclouvain/openjpeg/issues/1174) - Heap buffer overflow in opj_t1_clbl_decode_processor() triggered with Ghostscript [#1158](https://github.com/uclouvain/openjpeg/issues/1158) - opj_stream_get_number_byte_left: Assertion `p_stream->m_byte_offset >= 0' failed. 
[#1151](https://github.com/uclouvain/openjpeg/issues/1151) - The fuzzer ignores too many inputs [#1079](https://github.com/uclouvain/openjpeg/issues/1079) - out of bounds read [#1068](https://github.com/uclouvain/openjpeg/issues/1068) **Merged pull requests:** - Change defined WIN32 [#1310](https://github.com/uclouvain/openjpeg/pull/1310) ([Jamaika1](https://github.com/Jamaika1)) - docs: fix simple typo, producted -> produced [#1308](https://github.com/uclouvain/openjpeg/pull/1308) ([timgates42](https://github.com/timgates42)) - Set ${OPENJPEG_INSTALL_DOC_DIR} to DESTINATION of HTMLs [#1307](https://github.com/uclouvain/openjpeg/pull/1307) ([lemniscati](https://github.com/lemniscati)) - Use INC_DIR for OPENJPEG_INCLUDE_DIRS (fixes uclouvain#1174) [#1306](https://github.com/uclouvain/openjpeg/pull/1306) ([matthew-sharp](https://github.com/matthew-sharp)) - pi.c: avoid out of bounds access with POC (fixes #1302) [#1304](https://github.com/uclouvain/openjpeg/pull/1304) ([rouault](https://github.com/rouault)) - Encoder: grow again buffer size [#1303](https://github.com/uclouvain/openjpeg/pull/1303) ([zodf0055980](https://github.com/zodf0055980)) - opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only) [#1301](https://github.com/uclouvain/openjpeg/pull/1301) ([rouault](https://github.com/rouault)) - pi.c: avoid out of bounds access with POC (refs https://github.com/uclouvain/openjpeg/issues/1293%5C#issuecomment-737122836%...) 
[#1300](https://github.com/uclouvain/openjpeg/pull/1300) ([rouault](https://github.com/rouault)) - opj_t2_encode_packet(): avoid out of bound access of #1297, but likely not the proper fix [#1298](https://github.com/uclouvain/openjpeg/pull/1298) ([rouault](https://github.com/rouault)) - opj_t2_encode_packet(): avoid out of bound access of #1294, but likely not the proper fix [#1296](https://github.com/uclouvain/openjpeg/pull/1296) ([rouault](https://github.com/rouault)) - opj_j2k_setup_encoder(): validate POC compno0 and compno1 (fixes #1293) [#1295](https://github.com/uclouvain/openjpeg/pull/1295) ([rouault](https://github.com/rouault)) - Encoder: avoid global buffer overflow on irreversible conversion when… [#1292](https://github.com/uclouvain/openjpeg/pull/1292) ([rouault](https://github.com/rouault)) - Decoding: deal with some SPOT6 images that have tiles with a single tile-part with TPsot == 0 and TNsot == 0, and with missing EOC [#1291](https://github.com/uclouvain/openjpeg/pull/1291) ([rouault](https://github.com/rouault)) - Free p_tcd_marker_info to avoid memory leak [#1288](https://github.com/uclouvain/openjpeg/pull/1288) ([zodf0055980](https://github.com/zodf0055980)) - Encoder: grow again buffer size [#1287](https://github.com/uclouvain/openjpeg/pull/1287) ([zodf0055980](https://github.com/zodf0055980)) - Encoder: avoid uint32 overflow when allocating memory for codestream buffer (fixes #1243) [#1276](https://github.com/uclouvain/openjpeg/pull/1276) ([rouault](https://github.com/rouault)) - Java compatibility from 1.5 to 1.6 [#1263](https://github.com/uclouvain/openjpeg/pull/1263) ([jiapei100](https://github.com/jiapei100)) - opj_decompress: fix double-free on input directory with mix of valid and invalid images [#1262](https://github.com/uclouvain/openjpeg/pull/1262) ([rouault](https://github.com/rouault)) - openjp2: Plug image leak when failing to allocate codestream index. 
[#1260](https://github.com/uclouvain/openjpeg/pull/1260) ([sebras](https://github.com/sebras)) - openjp2: Plug memory leak when setting data as TLS fails. [#1258](https://github.com/uclouvain/openjpeg/pull/1258) ([sebras](https://github.com/sebras)) - openjp2: Error out if failing to create Tier 1 handle. [#1256](https://github.com/uclouvain/openjpeg/pull/1256) ([sebras](https://github.com/sebras)) - Testing for invalid values of width, height, numcomps [#1254](https://github.com/uclouvain/openjpeg/pull/1254) ([szukw000](https://github.com/szukw000)) - Single-threaded performance improvements in forward DWT for 5-3 and 9-7 (and other improvements) [#1253](https://github.com/uclouvain/openjpeg/pull/1253) ([rouault](https://github.com/rouault)) - Add support for multithreading in encoder [#1248](https://github.com/uclouvain/openjpeg/pull/1248) ([rouault](https://github.com/rouault)) - Add support for generation of PLT markers in encoder [#1246](https://github.com/uclouvain/openjpeg/pull/1246) ([rouault](https://github.com/rouault)) - Fix warnings about signed/unsigned casts in pi.c [#1244](https://github.com/uclouvain/openjpeg/pull/1244) ([rouault](https://github.com/rouault)) - opj_decompress: add sanity checks to avoid segfault in case of decoding error [#1240](https://github.com/uclouvain/openjpeg/pull/1240) ([rouault](https://github.com/rouault)) - ignore wrong icc [#1236](https://github.com/uclouvain/openjpeg/pull/1236) ([szukw000](https://github.com/szukw000)) - Implement writing of IMF profiles [#1235](https://github.com/uclouvain/openjpeg/pull/1235) ([rouault](https://github.com/rouault)) - tests: add alternate checksums for libtiff 4.1 [#1234](https://github.com/uclouvain/openjpeg/pull/1234) ([rouault](https://github.com/rouault)) - opj_tcd_init_tile(): avoid integer overflow [#1232](https://github.com/uclouvain/openjpeg/pull/1232) ([rouault](https://github.com/rouault)) - tests/fuzzers: link fuzz binaries using $LIB_FUZZING_ENGINE. 
[#1230](https://github.com/uclouvain/openjpeg/pull/1230) ([Dor1s](https://github.com/Dor1s)) - opj_j2k_update_image_dimensions(): reject images whose coordinates are beyond INT_MAX (fixes #1228) [#1229](https://github.com/uclouvain/openjpeg/pull/1229) ([rouault](https://github.com/rouault)) - Fix resource leaks [#1226](https://github.com/uclouvain/openjpeg/pull/1226) ([dodys](https://github.com/dodys)) - abi-check.sh: fix false postive ABI error, and display output error log [#1218](https://github.com/uclouvain/openjpeg/pull/1218) ([rouault](https://github.com/rouault)) - pi.c: avoid integer overflow, resulting in later invalid access to memory in opj_t2_decode_packets() [#1217](https://github.com/uclouvain/openjpeg/pull/1217) ([rouault](https://github.com/rouault)) - Add check to validate SGcod/SPcoc/SPcod parameter values. [#1211](https://github.com/uclouvain/openjpeg/pull/1211) ([sebras](https://github.com/sebras)) - Fix buffer overflow reading an image file less than four characters [#1196](https://github.com/uclouvain/openjpeg/pull/1196) ([robert-ancell](https://github.com/robert-ancell)) - compression: emit POC marker when only one single POC is requested (f… [#1192](https://github.com/uclouvain/openjpeg/pull/1192) ([rouault](https://github.com/rouault)) - Fix several potential vulnerabilities [#1185](https://github.com/uclouvain/openjpeg/pull/1185) ([Young-X](https://github.com/Young-X)) - openjp2/j2k: Report error if all wanted components are not decoded. [#1164](https://github.com/uclouvain/openjpeg/pull/1164) ([sebras](https://github.com/sebras))
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 0a1d567ce82a6e8f1d103d9481ebf67088b8591c Author: Peter Müller peter.mueller@ipfire.org Date: Fri Apr 29 19:01:10 2022 +0000
Core Update 168: Ship openldap
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit c4f3bb4b08f5ee743cf984770d5f205cd75a7ec3 Author: Adolf Belka adolf.belka@ipfire.org Date: Mon Apr 25 14:41:41 2022 +0200
openldap: Update to version 2.6.1
- Update from version 2.4.49 to 2.6.1 - Update of rootfile - Update of consolidated patch to 2.6.1 - Removal of old patches - Changelog OpenLDAP 2.6.1 Release (2022/01/20) Fixed libldap to init client socket port (ITS#9743) Fixed libldap with referrals (ITS#9781) Added slapd config keyword for logfile format (ITS#9745) Fixed slapd to allow objectClass edits with no net change (ITS#9772) Fixed slapd configtable population (ITS#9576) Fixed slapd to only set loglevel in server mode (ITS#9715) Fixed slapd logfile-rotate use of uninitialized variable (ITS#9730) Fixed slapd passwd scheme handling with slapd.conf (ITS#9750) Fixed slapd postread support for modrdn (ITS#7080) Fixed slapd syncrepl recreation of deleted entries (ITS#9282) Fixed slapd syncrepl replication with ODSEE (ITS#9707) Fixed slapd syncrepl to properly replicate glue entries (ITS#9647) Fixed slapd syncrepl to reject REFRESH for precise resync (ITS#9742) Fixed slapd syncrepl to avoid busy loop during refresh (ITS#9584) Fixed slapd syncrepl when X-ORDERED is specified (ITS#9761) Fixed slapd syncrepl to better handle out of order delete ops (ITS#9751) Fixed slapd syncrepl to correctly close connections when config is deleted (ITS#9776) Fixed slapd-mdb to update indices correctly on replace ops (ITS#9753) Fixed slapd-wt to set correct flags (ITS#9760) Fixed slapo-accesslog to fix assertion due to deprecated code (ITS#9738) Fixed slapo-accesslog to fix inconsistently normalized minCSN (ITS#9752) Fixed slapo-accesslog delete handling of multi-valued config attrs (ITS#9493) Fixed slapo-autogroup to maintain values in insertion order (ITS#9766) Fixed slapo-constraint to maintain values in insertion order (ITS#9770) Fixed slapo-dyngroup to maintain values in insertion order (ITS#9762) Fixed slapo-dynlist compare operation for static groups (ITS#9747) Fixed slapo-dynlist static group filter with multiple members (ITS#9779) Fixed slapo-ppolicy when not built modularly (ITS#9733) Fixed slapo-refint to maintain 
values in insertion order (ITS#9763) Fixed slapo-retcode to honor requested insert position (ITS#9759) Fixed slapo-sock cn=config support (ITS#9758) Fixed slapo-syncprov memory leak (ITS#8039) Fixed slapo-syncprov to generate a more accurate accesslog query (ITS#9756) Fixed slapo-syncprov to allow empty DB to host persistent syncrepl connections (ITS#9691) Fixed slapo-syncprov to consider all deletes for sycnInfo messages (ITS#5972) Fixed slapo-translucent to warn on invalid config (ITS#9768) Fixed slapo-unique to warn on invalid config (ITS#9767) Fixed slapo-valsort to maintain values in insertion order (ITS#9764) Build Environment Fix test022 to preserve DELAY search output (ITS#9718) Fix slapd-watcher to allow startup when servers are down (ITS#9727) Contrib Fixed slapo-lastbind to work with 2.6 lastbind-precision configuration (ITS#9725) Documentation Fixed slapd.conf(5)/slapd-config(5) documentation on lastbind-precision (ITS#9728) Fixed slapo-accesslog(5) to clarify logoldattr usage (ITS#9749) OpenLDAP 2.6.0 Release (2021/10/25) Initial release for "general use". 
OpenLDAP 2.5.7 Release (2021/08/18) Fixed lloadd client state tracking (ITS#9624) Fixed slapd bconfig to canonicalize structuralObjectclass (ITS#9611) Fixed slapd-ldif duplicate controls response (ITS#9497) Fixed slapd-mdb multival crash when attribute is missing an equality matchingrule (ITS#9621) Fixed slapd-mdb compatibility with OpenLDAP 2.4 MDB databases (ITS#8958) Fixed slapd-mdb idlexp maximum size handling (ITS#9637) Fixed slapd-monitor number of ops executing with asynchronous backends (ITS#9628) Fixed slapd-sql to add support for ppolicy attributes (ITS#9629) Fixed slapd-sql to close transactions after bind and search (ITS#9630) Fixed slapo-accesslog to make reqMod optional (ITS#9569) Fixed slapo-ppolicy logging when pwdChangedTime attribute is not present (ITS#9625) Documentation slapd-mdb(5) note max idlexp size is 30, not 31 (ITS#9637) slapo-accesslog(5) note that reqMod is optional (ITS#9569) Add ldapvc(1) man page (ITS#9549) Add guide section on load balancer (ITS#9443) Updated guide to document multiprovider as replacement for mirrormode (ITS#9200) Updated guide to clarify slapd-mdb upgrade requirements (ITS#9200) Updated guide to document removal of deprecated options from client tools (ITS#9200) OpenLDAP 2.5.6 Release (2021/07/27) Fixed libldap buffer overflow (ITS#9578) Fixed libldap missing mutex unlock on connection alloc failure (ITS#9590) Fixed lloadd cn=config olcBkLloadClientMaxPending setting (ITS#8747) Fixed slapd multiple config defaults (ITS#9363) Fixed slapd ipv6 addresses to work with tcp wrappers (ITS#9603) Fixed slapo-syncprov delete of nonexistent sessionlog (ITS#9608) Build Fixed library symbol versioning on Solaris (ITS#9591) Fixed compile warning in libldap/tpool.c (ITS#9601) Fixed compile warning in libldap/tls_o.c (ITS#9602) Contrib Fixed ppm module for sysconfdir (ITS#7832) Documentation Updated guide to document multival, idlexp, and maxentrysize (ITS#9613, ITS#9614) OpenLDAP 2.5.5 Release (2021/06/03) Added libldap 
LDAP_OPT_TCP_USER_TIMEOUT support (ITS#9502) Added lloadd tcp-user-timeout support (ITS#9502) Added slapd-asyncmeta tcp-user-timeout support (ITS#9502) Added slapd-ldap tcp-user-timeout support (ITS#9502) Added slapd-meta tcp-user-timeout support (ITS#9502) Fixed incorrect control OIDs for AuthZ Identity (ITS#9542) Fixed libldap typo in util-int.c (ITS#9541) Fixed libldap double free of LDAP_OPT_DEFBASE (ITS#9530) Fixed libldap better TLS1.3 cipher suite handling (ITS#9521, ITS#9546) Fixed lloadd multiple issues (ITS#8747) Fixed slapd slap_op_time to avoid duplicates across restarts (ITS#9537) Fixed slapd typo in daemon.c (ITS#9541) Fixed slapd slapi compilation (ITS#9544) Fixed slapd to handle empty DN in extended filters (ITS#9551) Fixed slapd syncrepl searches with empty base (ITS#6467) Fixed slapd syncrepl refresh on startup (ITS#9324, ITS#9534) Fixed slapd abort due to typo (ITS#9561) Fixed slapd-asyncmeta quarantine handling (ITS#8721) Fixed slapd-asyncmeta to have a default operations timeout (ITS#9555) Fixed slapd-ldap quarantine handling (ITS#8721) Fixed slapd-mdb deletion of context entry (ITS#9531) Fixed slapd-mdb off-by-one affecting search scope (ITS#9557) Fixed slapd-meta quarantine handling (ITS#8721) Fixed slapo-accesslog to record reqNewDN for modRDN ops (ITS#9552) Fixed slapo-pcache locking during expiration (ITS#9529) Build Fixed slappw-argon2 module installation (ITS#9548) Contrib Update ldapc++/ldaptcl to use configure.ac (ITS#9554) Documentation ldap_first_attribute(3) - Document ldap_get_attribute_ber (ITS#8820) ldap_modify(3) - Delete non-existent mod_next parameter (ITS#9559) OpenLDAP 2.5.4 Release (2021/04/29) Initial release for "general use". 
OpenLDAP 2.4.57 Release (2021/01/18) Fixed ldapexop to use correct return code (ITS#9417) Fixed slapd to remove asserts in UUIDNormalize (ITS#9391) Fixed slapd to remove assert in csnValidate (ITS#9410) Fixed slapd validity checks for issuerAndThisUpdateCheck (ITS#9411, ITS#9427) Fixed slapd validity checks for serialNumberAndIssuerCheck (ITS#9404, ITS#9424) Fixed slapd AVA sort with invalid RDN (ITS#9412) Fixed slapd ldap_X509dn2bv to check for invalid BER after RDN count (ITS#9423, ITS#9425) Fixed slapd saslauthz to remove asserts in validation (ITS#9406, ITS#9407) Fixed slapd saslauthz to use slap_sl_free on normalized DN (ITS#9409) Fixed slapd saslauthz SEGV in slap_parse_user (ITS#9413) Fixed slapd modrdn memory leak (ITS#9420) Fixed slapd double-free in vrfilter (ITS#9408) Fixed slapd cancel operation to correctly terminate (ITS#9428) Fixed slapd-ldap fix binds on retry with closed connection (ITS#9400) Fixed slapo-syncprov to ignore duplicate sessionlog entries (ITS#9394) OpenLDAP 2.4.56 Release (2020/11/10) Fixed slapd to remove assert in certificateListValidate (ITS#9383) Fixed slapd to remove assert in csnNormalize23 (ITS#9384) Fixed slapd to better parse ldapi listener URIs (ITS#9379) OpenLDAP 2.4.55 Release (2020/10/26) Fixed slapd normalization handling with modrdn (ITS#9370) Fixed slapd-meta to check ldap_install_tls return code (ITS#9366) Contrib Fixed nssov misplaced semicolon (ITS#8731, ITS#9368) OpenLDAP 2.4.54 Release (2020/10/12) Fixed slapd delta-syncrepl to ignore delete ops on deleted entry (ITS#9342) Fixed slapd delta-syncrepl to be fully serialized (ITS#9330) Fixed slapd delta-syncrepl MOD on zero-length context entry (ITS#9352) Fixed slapd syncrepl to be fully serialized (ITS#8102) Fixed slapd syncrepl to call check_syncprov on fresh consumer (ITS#9345) Fixed slapd syncrepl to propagate errors from overlay_entry_get_ov (ITS#9355) Fixed slapd syncrepl to not create empty ADD ops (ITS#9359) Fixed slapd syncrepl replace usage on single valued 
attrs (ITS#9295) Fixed slapd-monitor fix monitor_back_register_database for empty suffix DB (ITS#9353) Fixed slapo-accesslog normalizer for reqStart (ITS#9358) Fixed slapo-accesslog to not generate new contextCSN on purge (ITS#9361) Fixed slapo-syncprov contextCSN generation with empty suffix (ITS#9015) Fixed slapo-syncprov sessionlog to use a TAVL tree (ITS#8486) OpenLDAP 2.4.53 Release (2020/09/07) Added slapd syncrepl additional SYNC logging (ITS#9043) Fixed slapd syncrepl segfault on NULL cookie on REFRESH (ITS#9282) Fixed slapd syncrepl to use fresh connection on REFRESH fallback (ITS#9338) Fixed slapo-ppolicy race condition for pwdFailureTime (ITS#9302,ITS#9334) Build Require OpenSSL 1.0.2 or later (ITS#9323) Fixed libldap compilation issue with broken C compilers (ITS#9332) OpenLDAP 2.4.52 Release (2020/08/28) Added libldap LDAP_OPT_X_TLS_REQUIRE_SAN option (ITS#9318) Added libldap OpenSSL support for multiple EECDH curves (ITS#9054) Added slapd OpenSSL support for multiple EECDH curves (ITS#9054) Fixed librewrite malloc/free corruption (ITS#9249) Fixed libldap hang when using UDP and server down (ITS#9328) Fixed slapd syncrepl rare deadlock due to network issues (ITS#9324) Fixed slapd syncrepl regression that could trigger an assert (ITS#9329) Fixed slapd-mdb index error with collapsed range (ITS#9135) OpenLDAP 2.4.51 Release (2020/08/11) Added slapo-ppolicy implement Netscape password policy controls (ITS#9279) Fixed libldap retry loop in ldap_int_tls_connect (ITS#8650) Fixed libldap to use getaddrinfo in ldap_pvt_get_fqdn (ITS#9287) Fixed slapd to enforce singular existence of some overlays (ITS#9309) Fixed slapd syncrepl to not delete non-replicated attrs (ITS#9227) Fixed slapd syncrepl to correctly delete entries on resync (ITS#9282) Fixed slapd syncrepl to use replace on single valued attrs (ITS#9294, ITS#9295) Fixed slapd-perl dynamic config with threaded slapd (ITS#7573) Fixed slapo-ppolicy to expose the ppolicy control (ITS#9285) Fixed slapo-ppolicy 
race condition for pwdFailureTime (ITS#9302) Fixed slapo-ppolicy so it can only exist once per DB (ITS#9309) Fixed slapo-chain to check referral (ITS#9262) Build Environment Fix test064 so it no longer uses bashisms (ITS#9263) Contrib Fix default prefix value for pw-argon2, pw-pbkdf2 modules (ITS#9248) slapo-allowed - Fix usage of unitialized variable (ITS#9308) Documentation ldap_parse_result(3) - Document ldap_parse_intermediate (ITS#9271) OpenLDAP 2.4.50 Release (2020/04/28) Fixed client benign typos (ITS#8890) Fixed libldap type cast (ITS#9175) Fixed libldap retry loop in ldap_int_tls_connect (ITS#8650) Fixed libldap_r race on Windows mutex initialization (ITS#9181) Fixed liblunicode memory leak (ITS#9198) Fixed slapd benign typos (ITS#8890) Fixed slapd to limit depth of nested filters (ITS#9202) Fixed slapd-mdb memory leak in dnSuperiorMatch (ITS#9214) Fixed slapo-pcache database initialization (ITS#9182) Fixed slapo-ppolicy callback (ITS#9171) Build Fix olcDatabaseDummy initialization for windows (ITS#7074) Fix detection for ws2tcpip.h for windows (ITS#8383) Fix back-mdb types for windows (ITS#7878) Contrib Update ldapc++ config.guess and config.sub to support newer architectures (ITS#7855) Added pw-argon2 module (ITS#9233, ITS#8575, ITS#9203, ITS#9206) Documentation slapd-ldap(5) - Clarify idassert-authzfrom behavior (ITS#9003) slapd-meta(5) - Remove client-pr option (ITS#8683) slapindex(8) - Fix truncate option information for back-mdb (ITS#9230)
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 174778b20266c2c24f15784e090e7e8d10118642 Author: Peter Müller peter.mueller@ipfire.org Date: Fri Apr 29 18:59:21 2022 +0000
Core Update 168: Ship sqlite
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 8596273dca625444ef1b28a7a7e61a1354c23c47 Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Apr 28 13:14:25 2022 +0200
sqlite: Update to version 3380300
- Update from version 3380000 to 3380300
- Update of rootfile not required
- Changelog
    3.38.3 (2022-04-27):
      Fix a case of the query planner being overly aggressive with optimizing automatic-index and Bloom-filter construction, using inappropriate ON clause terms to restrict the size of the automatic-index or Bloom filter, and resulting in missing rows in the output. Forum thread 0d3200f4f3bcd3a3.
      Other minor patches. See the timeline for details.
    3.38.2 (2022-03-26):
      Fix a user-discovered problem with the new Bloom filter optimization that might cause an incorrect answer when doing a LEFT JOIN with a WHERE clause constraint that says that one of the columns on the right table of the LEFT JOIN is NULL. See forum thread 031e262a89b6a9d2.
      Other minor patches. See the timeline for details.
    3.38.1 (2022-03-12):
      Fix problems with the new Bloom filter optimization that might cause some obscure queries to get an incorrect answer.
      Fix the localtime modifier of the date and time functions so that it preserves fractional seconds.
      Fix the sqlite_offset SQL function so that it works correctly even in corner cases such as when the argument is a virtual column or the column of a view.
      Fix row value IN operator constraints on virtual tables so that they work correctly even if the virtual table implementation relies on bytecode to filter rows that do not satisfy the constraint.
      Other minor fixes to assert() statements, test cases, and documentation. See the source code timeline for details.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 94e680c36d2f16577e16dc7748721c990efde492 Author: Peter Müller peter.mueller@ipfire.org Date: Fri Apr 29 18:58:43 2022 +0000
Core Update 168: Ship mpfr
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit ca0458ce1577f5793acaec9e25167b329fec43a3 Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Apr 28 23:24:34 2022 +0200
mpfr: Update to version 4.1.0 plus patches 1 to 13
- Update from version 4.1.0 to 4.1.0 plus patches 1 to 13
- Version 4.1.0 was released on 10-07-2020. However patches have been progressively issued to fix various bugs that have been identified.
- Currently 13 patches have been issued and mpfr provides a cumulative patches file to use to patch the source file.
- Update of rootfile
- Patch changelog
  1 With GCC (the only tested compiler with software _Decimal128), conversions of double to _Decimal128 yield an increase of 2 to 3 MB for the generated library code when the decimal encoding is BID (designed for software implementations), even though the conversions done in MPFR are very simple. Details about this GCC issue. The decimal128-conv patch avoids these conversions by directly using _Decimal128 constants. Note that fixing the issue entirely would require to get rid of all the decimal128 operations; in the mean time, decimal support (i.e. mpfr_get_decimal128 and mpfr_set_decimal128 functions) could be disabled at configure time. Corresponding changeset in the 4.1 branch: 14094.
  2 The random_deviate.c file contains non-portable code. This is fixed by the random_deviate patch. Corresponding changeset in the 4.1 branch: 14126.
  3 In the mpfr_set_z_2exp function, a huge mpz_t value can yield an integer overflow. This is fixed by the set_z_2exp-overflow patch (with testcases). Note that in practice, an integer overflow may occur only with a 32-bit ABI. Moreover, with a usual compilation, an integer overflow should here not yield any particular issue, assuming that the processor does signed addition and multiplication modulo 2^32 (as usual). However, UBsan would detect the overflow, and LTO might have unpredictable effects. Corresponding changesets in the 4.1 branch: 14147, 14151.
  4 Some function prototypes are slightly inconsistent. This is valid C code, but these inconsistencies are unintended and possibly confusing, and they trigger diagnostics with the -Warray-parameter option of the future GCC 11 (included in -Wall). This causes issues when testing MPFR. And since mpfr.h is concerned, this might also affect user code. This is fixed by the prototypes patch. Corresponding changeset in the 4.1 branch: 14411.
  5 In uncommon cases, the mpfr_digamma function needs to use an intermediate precision equal to the exponent of the input value, which may be huge. This is inefficient, and the code can request more memory than available, yielding a crash. The digamma-hugemem patch improves the implementation by making such a need much rarer; it also provides testcases showing a crash on 64-bit machines (at least). Corresponding changeset in the 4.1 branch: 14424.
  6 The mpfr_digamma function may have an erratic behavior in some cases (an assertion failure in debug mode). This is fixed by the digamma-interm-zero patch (with testcase). Corresponding changeset in the 4.1 branch: 14425.
  7 The Bessel functions (mpfr_j0, mpfr_j1, mpfr_jn, mpfr_y0, mpfr_y1, mpfr_yn) may have an erratic behavior in some cases (an assertion failure in debug mode). This is fixed by the jn-interm-zero patch (with testcase). Corresponding changeset in the 4.1 branch: 14426.
  8 The mpfr_digamma function may have an erratic behavior in some cases (an assertion failure in debug mode) when the reflection formula is used, i.e. when x < 1/2. This is fixed by the digamma-interm-zero2 patch (with testcase). Corresponding changeset in the 4.1 branch: 14435.
  9 The Bessel functions (mpfr_j0, mpfr_j1, mpfr_jn, mpfr_y0, mpfr_y1, mpfr_yn) may have an erratic behavior in some cases (an assertion failure in debug mode) when the asymptotic expansion is needed. This is fixed by the jyn_asympt-interm-zero patch (with testcase). Corresponding changeset in the 4.1 branch: 14436.
  10 Some functions are also implemented as macros, and such a macro should behave exactly like the corresponding function (if the code is valid for the function call). However, the following macros do not behave as if their argument were implicitly converted to the type from the function prototype: mpfr_nan_p, mpfr_inf_p, mpfr_zero_p, mpfr_regular_p, mpfr_get_prec, mpfr_get_exp, mpfr_copysign (third argument), mpfr_signbit and mpfr_set (second argument). For instance, providing an argument of type void * instead of mpfr_ptr or mpfr_srcptr will yield a compilation failure. Note that this issue does not exist in C++, which does not support such implicit conversions. Moreover, the mpfr_set macro evaluates its second argument twice (reported by David McCooey), which is incorrect if this evaluation has side effects. This is fixed by the macros patch (with testcases). Macros for the custom interface, which are explicitly documented as provided, do not follow these rules; the patch clarifies this point in the MPFR manual. Corresponding changesets in the 4.1 branch: 14468, 14469.
  11 The test programs tset_si and tset_sj fail if MPFR_USE_NO_MACRO is defined (e.g., via -DMPFR_USE_NO_MACRO in CFLAGS). This is fixed by the tset_sij patch. Corresponding changeset in the 4.1 branch: 14470.
  12 The mpfr_get_str_ndigits function may raise the inexact flag. In a very reduced exponent range (e.g. in which the result would not be representable as a MPFR number), it has undefined behavior: it may return an incorrect value, crash, or loop, taking more and more memory. This is fixed by the get_str_ndigits patch, which also updates the tests to check these issues. Corresponding changeset in the 4.1 branch: 14490.
  13 The code for the formatted output functions (mpfr_printf, etc.) contains an incorrect assertion, checked only in debug mode, i.e. when MPFR has been configured with --enable-assert; this assertion failure occurs when the integer 0 (of either a native type or mpfr_prec_t with the length specifier P) is output with the precision field equal to 0, i.e. when the corresponding string to output is empty. Otherwise, there should be no side effects since the code is actually valid in this case; but since the code incorrectly instructs the compiler that some variable cannot be 0, there might be an issue with some optimizations (very unlikely, though). This bug is fixed by the vasprintf-prec-zero patch, which also provides testcases. Corresponding changesets in the 4.1 branch: 14524, 14525.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 4b113aa68ebc522686c4c70155d6c69507d4d7d1 Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Apr 28 23:25:00 2022 +0200
mtr: Update to version 0.95
- Update from version 0.94 to 0.95 - Update of rootfile not required - Changelog V0.95 Aaron Lipinski (27): move net_send_batch call to its caller addr -> hostent for consistency re-init source too additional call from net_reopen refactor - group local, remote inits reset ctl address family at net_reopen accept only value used in structure tell dns process if we want 4 or 6 resolve ipv6 only if we have ipv6 remove wrapper only function init structures correctly wired up prepare host with h_addr_list remove temporaries extract convert_addrinfo_to_hostent function move conversion call to caller use addrinfo remove conversion function switch gui to addrinfo export DEFAULT_AF reset addr family before searching again freeaddrinfo export get_hostent_from_name make Hostname as const rename function dont show json option if not available Egor Panov (1): Updated Readme R.E. Wolff (2): Slight cleanup, but no fix for code that came up in a bugreport. increased max length suggested by YVS2014 Roger Wolff (12): Rogier Wolff (2): Code formatting for Zenithal pull added clarification to readme suggested by Zenithal Sergei Trofimovich (1): ui/curses: always use "%s"-style format for printf()-style functions Vincent Bernat (3): ui: don't cast to void* when calling display_rawhost() net: fix MPLS display for curses and report report: fix display of MPLS labels when using --report Zenithal (1): Add display of destination with resolved addr under curses mode a1346054 (5): fix wrong bash completion flag fix shellcheck warnings unify codestyle fix spelling trim trailing whitespace gaamox@tutanota.com (1): Report secondary servers when CSV + wide report is enabled
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 9ee219315c2eb419126afd621e6664c6aefc36cb Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Apr 28 23:25:13 2022 +0200
multipath-tools: Update to version 0.8.9
- Update from commit 386d288, bumped to version 0.7.7 (May 2018) to version 0.8.9 (Feb 2022) - Update of rootfile - Changelog No changelog file in the source tarball or on website. Changelog is the commit tree see https://github.com/opensvc/multipath-tools/commits/master for more details
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit b4294a6a0959127003f4c2cb99887f3e64dc8c09 Author: Peter Müller peter.mueller@ipfire.org Date: Fri Apr 29 18:56:38 2022 +0000
Core Update 168: Ship nano
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 4b502cf0c2d4388d5b29c5656a35e75e34b4fafe Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Apr 28 23:25:28 2022 +0200
nano: Update to version 6.3
- Update from version 6.2 to 6.3 - Update of rootfile not required - Changelog Changes between v6.2 and v6.3: Benno Schulenberg (41): build: add the --disable-maintainer-mode option to ./configure build: fix compilation for --enable-{tiny,nanorc,color} build: fix compilation when configured with --disable-color build: remove an obsolete check -- the dependent code was deleted bump version numbers and add a news item for the 6.3 release display: suppress spotlight yellow and error red when NO_COLOR is set docs: add an example binding for copying text to the system clipboard execute: clear an anchor only when the whole buffer gets filtered execute: don't crash when an empty buffer is piped through a command execute: stay on the same line number when filtering the whole buffer feedback: show extra warning when writing failed due to "No space left" files: do not change to a higher directory when the working one is gone files: show a warning when the working directory is gone (when used) files: when the working directory exists, still check its accessibility filtering: close all output descriptors, so that 'xsel' will terminate formatting: change cursor position only after saving it in the undo item gnulib: pull in the workaround for a build problem on NetBSD gnulib: update to its current upstream state justify: stay at the same line number when doing a full justification painting: colorize text also after an unterminated start match painting: look for another start match only after the actual end match painting: recalculate the multidata when making large strides or changes painting: stop coloring an extremely long line after 2000 bytes painting: tighten the check for a lacking end match on a colored line syntax: xml: colorize /> properly, and colorize prolog tags differently syntax: xml: colorize user-defined entities differently tweaks: avoid a function call when two plain assignments will do tweaks: change the indentation of a list, to match other indentations 
tweaks: don't leave an orphaned temporary file behind when writing fails tweaks: elide an unneeded call of strlen() tweaks: exclude the extra truncation warning from the tiny version tweaks: make the triggering of the recalculation of multidata less eager tweaks: move the saving and restoring of flags to where it is needed tweaks: normalize the indentation after the previous change tweaks: prevent the adding of an unwanted newline in a different way tweaks: remove redundant braces, and add two translator hints tweaks: remove some stray spaces before a comma tweaks: simplify a bit of code, eliding two labels and three gotos tweaks: simplify a fragment of code, and fold two lines together tweaks: trim a few comments, rename a function, and reshuffle some code verbatim: with --zero, keep cursor in viewport when it was on bottom row Mike Frysinger (1): general: fix building for Windows
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit ff76241b271dc7fdceb7431c95cee299678c90f8 Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Apr 28 23:25:55 2022 +0200
ncdu: Update to version 1.17
- Update from version 1.16 to 1.17
- Update of rootfile not required
- Changelog
  1.17 - 2022-04-28 - ncdu-1.17.tar.gz
    Add ‘dark-bg’ color scheme and use that by default
    Use natural sort order when sorting by file name
    Improve compatibility with C89 environments
    Fix wrong assumption about errno not being set by realloc()
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 843314ba98e0d6b8ab3d1760f49f256ff5cebb61 Author: Adolf Belka adolf.belka@ipfire.org Date: Sat Apr 23 23:25:34 2022 +0200
parted: Update to version 3.5
- Update from 3.4 to 3.5
- Update of rootfile
- Changelog
  * Noteworthy changes in release 3.5 (2022-04-18) [stable]
  ** New Features
    Update to latest gnulib for 3.5 release
  * Noteworthy changes in release 3.4.64.2 (2022-04-05) [alpha]
  ** Bug Fixes
    usage: remove the mention of "a particular partition"
  * Noteworthy changes in release 3.4.64 (2022-03-30) [alpha]
  ** New Features
    Add --fix to --script mode to automatically fix problems like the backup GPT header not being at the end of a disk.
    Add use of the swap partition flag to msdos disk labeled disks.
    Allow the partition name to be an empty string when set in script mode.
    Add --json command line switch to output the details of the disk as JSON.
    Add support for the Linux home GUID using the linux-home flag.
  ** Bug Fixes
    Decrease disk sizes used in tests to make it easier to run the test suite on systems with less memory. Largest filesystem is now 267MB (fat32). The rest are only 10MB.
    Add aarch64 and mips64 as valid machines for testing.
    Escape colons and backslashes in the machine output. Device path, model, and partition name could all include these. They are now escaped with a backslash.
    Use libdevmapper's retry remove option when the device is BUSY. This prevents libdevmapper from printing confusing output when trying to remove a busy partition.
    Keep GUID specific attributes when writing the GPT header. Previously they were set to 0.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 9a39b090cc292ac815c912c198935a20e742959f Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Apr 28 13:52:30 2022 +0200
ncurses-compat: remove orphaned lfs file
- ncurses-compat was removed from make.sh in Core Update 119 together with the rootfile
- ncurses-compat lfs file was left behind at that time
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 3d767c8aad82ac8a4d8b164569136a138e19d9cf Author: Peter Müller peter.mueller@ipfire.org Date: Tue Apr 26 11:25:59 2022 +0000
borgbackup: Fix rootfile on 32-bit ARM
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 1a9e81ce7f999628536c5fa33928f3e79a7d84cc Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Apr 26 05:24:47 2022 +0200
ids.cgi: Remove etag data when deleting a provider.
Otherwise the same provider could not be added again at a later time if the stored etag is still valid.
In this case the server will not offer the rules and the provider could not be added.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 504fb53bcc1eb03af782d800b77ee6a1b6e4077b Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Apr 26 05:23:44 2022 +0200
ids-functions.pl: Add remove_from_etags() function.
This function is used to drop the stored etags data of a given provider.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 91a8664b662ed506a7896b638c6d9d140485a5aa Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Apr 25 21:15:23 2022 +0200
Revert "ruleset-sources: Remove support for PT Attack Team Detection rules."
The ruleset provider has recovered his github presence.
This reverts commit c8adaee1958ed0c382341e08949d5cb88bd58c7e.
commit b7a2d742b44aaac6b56ad73cbdab860debad345d Author: Adolf Belka adolf.belka@ipfire.org Date: Sat Apr 23 23:26:41 2022 +0200
powertop: Update to version 2.14
- Update from v2.10 to 2.14 - added ./autogen.sh to create configure file - Update of rootfile - Changelog No changelog provided anywhere. For details of changes see commits in the github repository - https://github.com/fenrus75/powertop/commits/master
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 3098182fa7145490c4f1ee00db17f64e04c2299b Author: Peter Müller peter.mueller@ipfire.org Date: Mon Apr 25 18:40:17 2022 +0000
Samba: Update ARM rootfiles
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 249d796b4b873fde6e4bf270b7028afe8073abc2 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Apr 25 20:12:19 2022 +0200
convert-ids-backend-files: Wait until suricata has stopped successfully.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit aa2ab8c40b1cf5dcdcbe3c4ac9d44b8e0997db7d Author: Peter Müller peter.mueller@ipfire.org Date: Sun Apr 24 19:14:49 2022 +0000
Run ./make.sh update-contributors
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 2b9af93313e1f6f0a782a94131e87237debc42b7 Author: Peter Müller peter.mueller@ipfire.org Date: Sun Apr 24 19:14:08 2022 +0000
Core Update 168: Ship wakeonlan.cgi
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 154dfcb7a2ec7ab399f8ca5393987bfa8defefa9 Author: Leo-Andres Hofmann hofmann@leo-andres.de Date: Wed Apr 20 14:13:09 2022 +0200
wakeonlan.cgi: Fix meta refresh tag
This fixes an HTML error that is briefly visible on the "magic packet sent" page.
Signed-off-by: Leo-Andres Hofmann hofmann@leo-andres.de Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 52224df18d06515d17b6dd7e1d309364d38b4335 Author: Peter Müller peter.mueller@ipfire.org Date: Sun Apr 24 19:13:37 2022 +0000
Core Update 168: Ship pcre2
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit f86e23906ee01f5b9c9b4eea84957b78481e0048 Author: Adolf Belka adolf.belka@ipfire.org Date: Sat Apr 23 23:26:13 2022 +0200
pcre2: Update to version 10.40
- Update from 10.39 to 10.40
- Update of rootfile
- Changelog
  Version 10.40 15-April-2022
  1. Merged patch from @carenas (GitHub #35, 7db87842) to fix pcre2grep incorrect handling of multiple passes.
  2. Merged patch from @carenas (GitHub #36, dae47509) to fix portability issue in pcre2grep with buffered fseek(stdin).
  3. Merged patch from @carenas (GitHub #37, acc520924) to fix tests when -S is not supported.
  4. Revert an unintended change in JIT repeat detection.
  5. Merged patch from @carenas (GitHub #52, b037bfa1) to fix build on GNU Hurd.
  6. Merged documentation and comments patches from @carenas (GitHub #47).
  7. Merged patch from @carenas (GitHub #49) to remove obsolete JFriedl test code from pcre2grep.
  8. Merged patch from @carenas (GitHub #48) to fix CMake install issue #46.
  9. Merged patch from @carenas (GitHub #53) fixing NULL checks in matching and substituting.
  10. Add null_subject and null_replacement modifiers to pcre2test.
  11. Add check for NULL subject to POSIX regexec() function.
  12. Add check for NULL replacement to pcre2_substitute().
  13. For the subject arguments of pcre2_match(), pcre2_dfa_match(), and pcre2_substitute(), and the replacement argument of the latter, if the pointer is NULL and the length is zero, treat as an empty string. Apparently a number of applications treat NULL/0 in this way.
  14. Added support for Bidi_Class and a number of binary Unicode properties, including Bidi_Control.
  15. Fix some minor issues raised by clang sanitize.
  16. Very minor code speed up for maximizing character property matches.
  17. A number of changes to script matching for \p and \P:
      (a) Script extensions for a character are now coded as a bitmap instead of a list of script numbers, which should be faster and does not need a loop.
      (b) Added the syntax \p{script:xxx} and \p{script_extensions:xxx} (synonyms sc and scx).
      (c) Changed \p{scriptname} from being the same as \p{sc:scriptname} to being the same as \p{scx:scriptname} because this change happened in Perl at release 5.26.
      (d) The standard Unicode 4-letter abbreviations for script names are now recognized.
      (e) In accordance with Unicode and Perl's "loose matching" rules, spaces, hyphens, and underscores are ignored in property names, which are then matched independent of case.
  18. The Python scripts in the maint directory have been refactored. There are now three scripts that generate pcre2_ucd.c, pcre2_ucp.h, and pcre2_ucptables.c (which is #included by pcre2_tables.c). The data lists that used to be duplicated are now held in a single common Python module.
  19. On CHERI, and thus Arm's Morello prototype, pointers are represented as hardware capabilities, which consist of both an integer address and additional metadata, meaning they are twice the size of the platform's size_t type, i.e. 16 bytes on a 64-bit system. The ovector member of heapframe happens to only be 8 byte aligned, and so computing frame_size ended up with a multiple of 8 but not 16. Whilst the first frame was always suitably aligned, this then misaligned the frame that follows, resulting in an alignment fault when storing a pointer to Fecode at the start of match. Patch to fix this issue by Jessica Clarke PR#72.
  20. Added -LP and -LS listing options to pcre2test.
  21. A user discovered that the library names in CMakeLists.txt for MSVC debugger (PDB) files were incorrect - perhaps never tried for PCRE2?
  22. An item such as [Aa] is optimized into a caseless single character match. When this was quantified (e.g. [Aa]{2}) and was also the last literal item in a pattern, the optimizing "must be present for a match" character check was not being flagged as caseless, causing some matches that should have succeeded to fail.
  23. Fixed a unicode property matching issue in JIT. The character was not fully read in caseless matching.
  24. Fixed an issue affecting recursions in JIT caused by duplicated data transfers.
  25. Merged patch from @carenas (GitHub #96) which fixes some problems with pcre2test and readline/readedit:
      * Use the right header for libedit in FreeBSD with autoconf
      * Really allow libedit with cmake
      * Avoid using readline headers with libedit
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 854241e108ecf798a43fb9b30a53f1119783c149 Author: Peter Müller peter.mueller@ipfire.org Date: Sun Apr 24 19:09:23 2022 +0000
Core Update 168: Ship media.cgi
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 52f8118635b64f1edf5bfdd92d1351f5ec0959af Author: Matthias Fischer matthias.fischer@ipfire.org Date: Wed May 13 18:40:34 2020 +0200
media.cgi: Added translation for 'inodes'
For details see: https://en.wikipedia.org/wiki/Inode
or
http://www.linfo.org/inode.html ;-)
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
commit d6fc413aea8c863587a4793b320ab2db6c29eb5d Author: Adolf Belka adolf.belka@ipfire.org Date: Tue Apr 12 12:34:11 2022 +0200
ipvsadm: Update to version 1.31
- Update from 1.29 to 1.31 - Update of rootfile not required - Changelog Version 1.31 In ipvsadm(8) add using nft or an eBPF program to set a packet mark Add --pe sip option in ipvsadm(8) man page ipvsadm: allow tunneling with gre encapsulation Merge branch 'GUE-encap' ipvsadm: allow tunneling with gue encapsulation ipvsadm: convert options to unsigned long long Version 1.30 Merge: ipvsadm: Document/add support for fo/ovf/mh schedulers Add support for mh scheduler Document support of ovf scheduler Document support of fo scheduler libipvs: fix some buffer sizes libipvs: discrepancy with libnl genlmsg_put ipvsadm: catch the original errno from netlink answer Version 1.29 ipvsadm: new attributes for sync daemon ipvsadm: support 64-bit stats and rates
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit b8ffb101f86d40c68482c8a305b760a382036d78 Author: Adolf Belka adolf.belka@ipfire.org Date: Tue Apr 12 12:34:28 2022 +0200
keepalived: Update to version 2.2.7
- Update from 2.2.4 to 2.2.7
- Update of rootfile
- Changelog
  Release 2.2.7 brings lots of improvements and fixes some minor issues reported. It adds some new VRRP features as well. Stability has been even more extended.
  New
    ipvs: Add support to twos scheduler.
    vrrp: Add vrf option for unicast without specifying an interface.
    vrrp: Add option unicast_fault_no_peer. Previously if unicast_src_ip (or any other unicast option) was specified, but no unicast peers were configured, then the VRRP instance would operate in multicast mode. A user has identified that, due to automatic configuration generation, they could have a configuration that should operate in unicast mode, but that no unicast peers were configured. In this case, they did not want the VRRP instance to revert to multicast mode. In order to maintain backward compatibility, keepalived can’t simply change to not allowing no unicast peers. Instead, this commit adds the configuration option “unicast_fault_no_peer”, which if specified causes the VRRP instance to go to fault state if no unicast peers are configured.
    vrrp: Allow specification of multicast address to be used.
    vrrp: Add vrf option to static and vrrp routes.
    vrrp: Add option to resend vrrp states on fifos after reload. Since keepalived restarts FIFOs scripts it is managing when a reload occurs, it can be helpful to send the VRRP instance and group states after a reload. This commit adds option fifo_write_vrrp_states_on_reload to do that, and it means that what is written to the FIFOs with default configuration does not change.
    vrrp: Allow duplication of VRIDs on an interface with unicast peers. If two VRRP instances are using unicast peers and there is no overlap of unicast peers between the vrrp instances, then the vrrp instances can use the same VRIDs.
    global: Don’t assume running as user root.
    systemd: Add keepalived-non-root.service systemd service file. keepalived-non-root.service allows keepalived to be run as a non root user, but with specific added capabilities to allow all the functionality that keepalived needs.
  Improvements
    vrrp: Stop receiving any data on garp and ndisc sockets. This is a send-only channel.
    vrrp: Open gratuitous ARP socket as an ARP socket rather than RARP. Now that the receiving of packets on the garp socket has been stopped, we can open the socket with the correct type of binding, and we won’t have a queue of received messages build up.
    vrrp: Extend cBPF filtering code to support standard definition.
    vrrp: Optimise nftables configuration to limit some rules to macvlans. If we are moving messages that have been generated on a macvlan, the nftables rules can be optimised to restrict them to macvlan interfaces.
    vrrp: Drop ICMPV6 Router Solicitation messages from vmac interfaces. When we create a vmac interface, a short time afterwards the kernel sends a router solicitation message with the source MAC address of the vmac interface. The problem is that this will upset snooping switches if the VRRP instance is in backup state. Furthermore, we can’t simply move the packet onto the underlying interface since the ICMPV6 payload also contains the MAC address of the vmac interface. We can’t just change the MAC address in the ICMPV6 message, since there is also a checksum which would need to be recalculated. The only solution at the moment is to drop the packet. This shouldn’t be a problem since the underlying interface should have sent a Router solicitation message when it came up.
    vrrp: Add option to specify MAC address for VMACs.
    vrrp: Don’t lose some configuration faults. The following errors were being detected in vrrp_complete_instance() and the VRRP instance was then supposed to be put into fault state since it couldn’t operate. However, the need to go to fault state was subsequently being lost. The configuration errors that were being lost were:
      (a) Configuring use of a VMAC on a non Ethernet interface
      (b) Attempting to use multicast on an interface that doesn’t support it
      (c) Using an ipvlan without a source IP address
      (d) ipvlan address family not matching VRRP instance’s
      (e) VRID conflicts on an interface which could be deleted and recreated on a different interface
      (f) An interface specified for a VIP is the same as the VRRP instance’s VMAC or another VRRP instance’s VMAC.
      This improvement ensures that the VRRP instance will be put into, and remain in, fault state, since it cannot successfully operate. As can be seen from the list of circumstances above, they were very unlikely to occur, but were possible.
    vrrp: Bind IPv6 socket to multicast address. Previously IPv6 sockets were being bound to the ::1 address, since trying to bind to the multicast address was failing. The reason for failing has now been discovered to be that the scope_id needed to be set (i.e. the interface index), since the multicast addresses that we use are link-local multicast addresses. This improvement now sets the scope_id, so the socket can successfully be bound to the multicast address.
    vrrp: Set IPV6_MULTICAST_ALL on IPv6 sockets if available.
    vrrp: Some SNMP extension and improvements:
      - Correct FastOpenNoCookie and L3Mdev variable types
      - Don’t write multicast address to SNMP when using unicast.
      - Don’t write unconfigured LVS sync daemon address to SNMP.
      - Define and use SNMP_TruthValue.
      - Define and use SNMP_InetAddressType.
      - Correct reporting accept mode for VRRPv3 SNMP.
    vrrp: Misc DBus improvements (Opening, logging, data_dir, policy, …)
    vrrp: Handle VMAC’s interface changing on reload properly.
    vrrp: If accept traffic for VIPs changes on reload, update firewall.
    vrrp: Stop going to backup if reload IPv6 and change vmac_xmit_base.
    vrrp: Add add/prepend/append options to static and virtual routes. The kernel by default prepends routes, whereas the ip (iproute2) utility by default adds routes (adding a route does not allow duplicates whereas appending or prepending does). keepalived previously has not set the flags relating to this, and so has always prepended routes. This means that duplicate routes could be created.
    lib: Update Red Black tree code to Linux 5.15-rc4.
    script: Extend sample_notify_fifo.sh.
    doc: Misc documentation updates.
    docker: Update docker file.
    init: Init handling extensions. Make parent process exit with meaningful status on error. Ensure systemd is not notified of successful start if failed. fix building without systemd notify support.
    bfd: handle unexpected closure of pipe to checker and vrrp processes. If the parent process abnormally terminates and then the BFD process terminates due to PDEATHSIG before the vrrp or checker processes terminate, the vrrp and checker processes can get a read error on the pipes used to communicate with the BFD process.
    bfd: make BFD work when IPv6 disabled on system.
  Fixes
    lib: Fix calculating CLOCK_REALTIME and CLOCK_MONOTONIC offsets.
    lib: scheduler: Handle cancelling timer thread on ready queue. The timer thread on the ready queue, if cancelled, was corrupting the read list_head, since it assumed it was on a red black tree.
    snap: Fix building snaps.
    ipvs: Fix building with glibc prior to v2.19 (released 2014).
    bfd: Handle interface down/address missing when keepalived starts. This resolves a segfault, and also makes bfd retry once per minute to create send socket if it cannot do so due to no address to bind to on an interface.
    vrrp: Fix unicast with interface in a VRF domain.
    vrrp: Fix moving excess VIPs to eVIPs, by properly handling vip_cnt.
    vrrp: Fix configured IPv6 multicast addresses with VMACs. Using different multicast addresses with IPv6 on the same interface without using VMACs is only supported if the kernel supports IPV6_MULTICAST_ALL (from Linux v4.20).
    vrrp: Fix checking for unicast with VMAC/ipvlan and no peers.
    vrrp: Fix checking if have unicast peers if unicast_ttl specified.
    vrrp: Don’t segfault if duplicate VMAC name, but ignore second name.
    vrrp: Don’t delete and recreate VMAC on reload if only VRID has changed. There seems to be an issue deleting and then immediately recreating a VMAC on the same interface. This commit therefore simply changes the MAC address if the only change is the VRID.
    vrrp: Fix nftables config if VMAC interface changed on reload.
    vrrp: Don’t segfault if don’t have permission for ARP/NDISC socket.
    vrrp: Fix IPv6 with vmac_xmit_base.
    vrrp: fix disabling vmac-xmit-base with VRRPv3 IPv6 use_vmac.
    vrrp: Fix specifying user/group for vrrp_scripts.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit 28fdd8ede6b241144e1aa3a05ac2c5ac82d56ae3 Author: Peter Müller peter.mueller@ipfire.org Date: Sun Apr 24 19:01:13 2022 +0000
Core Update 168: Ship procps
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 0469187ca03c808f23521caf5e4749a41d3a95b2 Author: Adolf Belka adolf.belka@ipfire.org Date: Sat Apr 23 23:26:55 2022 +0200
procps: Update to version v4.0.0
- Update from v3.3.16 to v4.0.0
- added --disable-static to ./configure to remove static libs from rootfile
- Update of rootfile
- Changed lib name. Ran ./make.sh find-dependencies. No dependencies on old libraries
- Changelog
  procps-ng-4.0.0
    * Rename pwait to pidwait
    * free: Add committed line option merge #25
    * free: Fix -h --si combined options issue #133, #223
    * free: Fix first column justification issue #229, #204, #206, Debian #1001689
    * free: Better spacing for Chinese language issue #213
    * library: renamed to libproc-2 and reset to 0:0:0
    * library: add support for accessing smaps_rollup issue #112, #201
    * library: add support for accessing autogroups
    * library: add support for LIBPROC_HIDE_KERNEL env var merge #147
    * library: add support for cpu utilization to pids i/f
    * pkill: Check for lt- variants of program name issue #192
    * pgrep: Add newline after regex error message merge #91
    * pgrep: Fix selection where uid/gid > 2^31 merge !146
    * pgrep: Select on cgroup v2 paths issue #168
    * ps: Add OOM and OOMADJ fields issue #198
    * ps: Add IO Accounting fields issue #184
    * ps: Add PSS and USS fields issue #112
    * ps: Add two new autogroup fields
    * ps: Ignore SIGURG merge !142
    * slabtop: Don't combine d and o options issue #160
    * sysctl: Add support for systemd glob patterns issue #191
    * sysctl: Check resolved path to be under /proc/sys issue #179
    * sysctl: return non-zero if EINVAL return for write merge #76
    * sysctl.conf.5: Note max line length issue #77
    * top: added LOGID similar to 3.3.13 ps LUID
    * top: added EXE identical to 3.3.17 ps EXE
    * top: exploit some library smaps_rollup provisions issue #112
    * top: added four new IO accounting fields issue #184
    * top: 'F' key is now a new forest view 'focus' toggle
    * top: summary area memory lines can print two abreast
    * top: added two new autogroup fields
    * top: added long versions of command line options
    * top: added cpu utilization & 2 time related fields
    * top: the time related fields can now be user scaled
    * uptime: print short/pretty format correctly issue #217
    * vmstat: add -y option to remove first line merge !72
  procps-ng-3.3.17
    * library: Incremented to 8:3:0 (no removals or additions, internal changes only)
    * all: properly handle utf8 cmdline translations issue #176
    * kill: Pass int to signalled process merge #32
    * pgrep: Pass int to signalled process merge #32
    * pgrep: Check sanity of SG_ARG_MAX issue #152
    * pgrep: Add older than selection merge #79
    * pidof: Quiet mode merge #83
    * pidof: show worker threads Redhat #1803640
    * ps.1: Mention stime alias issue #164
    * ps: check also match on truncated 16 char comm names
    * ps: Add exe output option Redhat #1399206
    * pwait: New command waits for a process merge #97
    * sysctl: Match systemd directory order Debian #950788
    * sysctl: Document directory order Debian #951550
    * top: ensure config file backward compatibility Debian #951335
    * top: add command line 'e' for symmetry with 'E' issue #165
    * top: add '4' toggle for two abreast cpu display issue #172
    * top: add '!' toggle for combining multiple cpus
    * top: fix potential SEGV involving -p switch merge #114
    * vmstat: Wide mode gives wider proc columns merge #48
    * watch: Add environment variable for interval merge #62
    * watch: Add no linewrap option issue #182
    * watch: Support more colors merge #106,#109
    * free,uptime,slabtop: complain about extra ops issue #181
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 3a5ba6cf97322c9c931b841d72a3642109b2718c Author: Peter Müller peter.mueller@ipfire.org Date: Sun Apr 24 16:29:49 2022 +0000
Core Update 168: Ship pango
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 0487d6a5754fb2121dfcd61ca98d6e3a902cf0a9 Author: Adolf Belka adolf.belka@ipfire.org Date: Tue Apr 5 15:47:47 2022 +0200
pango: Update to version 1.50.6
- Update from 1.50.4 to 1.50.6
- Update of rootfile
- Changelog
    Overview of changes in 1.50.6, 19-03-2022
      - Drop hb-glib dependency
      - Fix test font configuration
      - Maintain order in pango_attr_list_change
      - Fix a use-after-free in pango_attr_list_change
    Overview of changes in 1.50.5, 03-03-2022
      * Fix compiler warnings
      * Enable cairo by default
      * pango-view: Show more baselines
      * layout: Handle baselines
      * Windows: build cleanups
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit b26c72d569ebf1ee00f54e4d6363f5cbfd59abf3 Author: Peter Müller peter.mueller@ipfire.org Date: Sun Apr 24 16:08:12 2022 +0000
Core Update 168: Ship logwatch
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit ab473dd36372980a7603ece7f1c766fd848d74f2 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Sat Apr 16 13:07:00 2022 +0200
logwatch: Update to 7.6
The developers do not provide a changelog, the only comment I could find was on:
https://packetstormsecurity.com/files/165672/Logwatch-7.6.html
"Changes: Fixed bugs."
Running here on Core 166. No problems seen.
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
commit cdf0522ec2b944ce0b6aac5d6baa49c96930d660 Author: Leo-Andres Hofmann hofmann@leo-andres.de Date: Sun Apr 24 12:43:16 2022 +0200
HTML: Add language attribute
This attribute is recommended by W3C, because it is used by screen readers to provide the correct pronunciation.
Signed-off-by: Leo-Andres Hofmann hofmann@leo-andres.de Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 7b5f057a485be990445fe0d5448abdd3946bca84 Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Apr 21 09:51:46 2022 +0200
perl-JSON: Installation of new package required by samba
- Installation of lfs and rootfile for perl-JSON
- required by samba-4.16.0
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit e8e8b6ae29176e605143c8927ba402078cdc4f54 Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Apr 21 09:51:45 2022 +0200
samba: Update to version 4.16.0
- Update from version 4.15.5 to 4.16.0
- Update of rootfile
- perl-JSON now added to samba requirements. Additional patch combined with this one for install of perl-JSON
- Changelog

Release Notes for Samba 4.16.0

NEW FEATURES/CHANGES

New samba-dcerpcd binary to provide DCERPC in the member server setup

In order to make it much easier to break out the DCERPC services from smbd, a new samba-dcerpcd binary has been created.

samba-dcerpcd can be used in two ways. In the normal case without startup script modification it is invoked on demand from smbd or winbind --np-helper to serve DCERPC over named pipes. Note that in order to run in this mode the smb.conf [global] section has a new parameter "rpc start on demand helpers = [true|false]". This parameter is set to "true" by default, meaning no changes to smb.conf files are needed to run samba-dcerpcd on demand as a named pipe helper.

It can also be used in a standalone mode where it is started separately from smbd or winbind but this requires changes to system startup scripts, and in addition a change to smb.conf, setting the new [global] parameter "rpc start on demand helpers = false". If "rpc start on demand helpers" is not set to false, samba-dcerpcd will refuse to start in standalone mode.

Note that when Samba is run in the Active Directory Domain Controller mode the samba binary that provides the AD code will still provide its normal DCERPC services whilst allowing samba-dcerpcd to provide services like SRVSVC in the same way that smbd used to in this configuration.

The parameters that allowed some smbd-hosted services to be started externally are now gone (detailed below) as this is now the default setting.

samba-dcerpcd can also be useful for use outside of the Samba framework, for example, use with the Linux kernel SMB2 server ksmbd or possibly other SMB2 server implementations.

Heimdal-8.0pre used for Samba Internal Kerberos, adds FAST support

Samba has since Samba 4.0 included a snapshot of the Heimdal Kerberos implementation. This snapshot has now been updated and will closely match what will be released as Heimdal 8.0 shortly.

This is a major update, previously we used a snapshot of Heimdal from 2011, and brings important new Kerberos security features such as Kerberos request armoring, known as FAST. This tunnels ticket requests and replies that might be encrypted with a weak password inside a wrapper built with a stronger password, say from a machine account.

In Heimdal and MIT modes Samba's KDC now supports FAST, for the support of non-Windows clients.

Windows clients will not use this feature however, as they do not attempt to do so against a server not advertising domain Functional Level 2012. Samba users are of course free to modify how Samba advertises itself, but use with Windows clients is not supported "out of the box".

Finally, Samba also uses a per-KDC, not per-realm 'cookie' to secure part of the FAST protocol. A future version will align this more closely with Microsoft AD behaviour.

If FAST needs to be disabled on your Samba KDC, set

    kdc enable fast = no

in the smb.conf.

Certificate Auto Enrollment

Certificate Auto Enrollment allows devices to enroll for certificates from Active Directory Certificate Services. It is enabled by Group Policy. To enable Certificate Auto Enrollment, Samba's group policy will need to be enabled by setting the smb.conf option `apply group policies` to Yes. Samba Certificate Auto Enrollment depends on certmonger, the cepces certmonger plugin, and sscep. Samba uses sscep to download the CA root chain, then uses certmonger paired with cepces to monitor the host certificate templates. Certificates are installed in /var/lib/samba/certs and private keys are installed in /var/lib/samba/private/certs.

Ability to add ports to dns forwarder addresses in internal DNS backend

The internal DNS server of Samba forwards queries for non-AD zones to one or more configured forwarders. Up until now it has been assumed that these forwarders listen on port 53. Starting with this version it is possible to configure the port using host:port notation. See smb.conf for more details. Existing setups are not affected, as the default port is 53.

CTDB changes

* The "recovery master" role has been renamed "leader"

  Documentation and logs now refer to "leader".

  The following ctdb tool command names have changed:

    recmaster -> leader
    setrecmasterrole -> setleaderrole

  Command output has changed for the following commands:

    status
    getcapabilities

  The "[legacy] -> recmaster capability" configuration option has been renamed and moved to the cluster section, so this is now:

    [cluster] -> leader capability

* The "recovery lock" has been renamed "cluster lock"

  Documentation and logs now refer to "cluster lock".

  The "[cluster] -> recovery lock" configuration option has been deprecated and will be removed in a future version. Please use "[cluster] -> cluster lock" instead.

  If the cluster lock is enabled then traditional elections are not done and leader elections use a race for the cluster lock. This avoids various conditions where a node is elected leader but can not take the cluster lock. Such conditions included:

  - At startup, a node elects itself leader of its own cluster before connecting to other nodes
  - Cluster filesystem failover is slow

  The abbreviation "reclock" is still used in many places, because a better abbreviation eludes us (i.e. "clock" is obviously bad) and changing all instances would require a lot of churn. If the abbreviation "reclock" for "cluster lock" is confusing, please consider mentally prefixing it with "really excellent".

* CTDB now uses leader broadcasts and an associated timeout to determine if an election is required

  The leader broadcast timeout can be configured via new configuration option

    [cluster] -> leader timeout

  This specifies the number of seconds without leader broadcasts before a node calls an election. The default is 5.

REMOVED FEATURES

Older SMB1 protocol SMBCopy command removed

SMB is a nearly 30-year old protocol, and some protocol commands that while supported in all versions, have not seen widespread use.

One of those is SMBCopy, a feature for a server-side copy of a file. This feature has been so unmaintained that Samba has no testsuite for it.

The SMB1 command SMB_COM_COPY (SMB1 command number 0x29) was introduced in the LAN Manager 1.0 dialect and it was rendered obsolete in the NT LAN Manager dialect.

Therefore it has been removed from the Samba smbd server.

(We do note that a fully supported and tested server-side copy is present in SMB2, and can be accessed with "scopy" subcommand in smbclient)

SMB1 server-side wildcard expansion removed

Server-side wildcard expansion is another feature that sounds useful, but is also rarely used and has become problematic - imposing extra work on the server (both in terms of code and CPU time).

In actual OS design, wildcard expansion is handled in the local shell, not at the remote server using SMB wildcard syntax (which is not shell syntax).

In Samba 4.16 the ability to process file name wildcards in requests using the SMB1 commands SMB_COM_RENAME (SMB1 command number 0x7), SMB_COM_NT_RENAME (SMB1 command number 0xA5) and SMB_COM_DELETE (SMB1 command number 0x6) has been removed.

SMB1 protocol has been deprecated, particularly older dialects

We take this opportunity to remind that we have deprecated and disabled by default, but not removed, the whole SMB1 protocol since Samba 4.11. If needed for security purposes or code maintenance we will continue to remove older protocol commands and dialects that are unused or have been replaced in more modern SMB1 versions.

We specifically deprecate the older dialects older than "NT LM 0.12" (also known as "NT LANMAN 1.0" and "NT1").

Please note that "NT LM 0.12" is the dialect used by software as old as Windows 95, Windows NT and Samba 2.0, so this deprecation applies to DOS and similar era clients.

We do reassure that 'simple' operation of older clients than these (eg DOS) will, while untested, continue for the near future, our purpose is not to cripple use of Samba in unique situations, but to reduce the maintenance burden.

Eventually SMB1 as a whole will be removed, but no broader change is announced for 4.16.

In the rare case where the above changes cause incompatibilities, users requiring support for these features will need to use older versions of Samba.

No longer using Linux mandatory locks for sharemodes

smbd mapped sharemodes to Linux mandatory locks. This code in the Linux kernel was broken for a long time, and is planned to be removed with Linux 5.15. This Samba release removes the usage of mandatory locks for sharemodes and the "kernel share modes" config parameter is changed to default to "no". The Samba VFS interface is kept, so that file-system specific VFS modules can still use private calls for enforcing sharemodes.

smb.conf changes

  Parameter Name                  Description     Default
  --------------                  -----------     -------
  kernel share modes              New default     No
  dns forwarder                   Changed
  rpc_daemon                      Removed
  rpc_server                      Removed
  rpc start on demand helpers     Added           true
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit 8b84073efb4113afe48e6ca12e1c04ed934bd855 Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Apr 21 21:31:30 2022 +0200
git: Update to version 2.36.0
- Update from 2.35.1 to 2.36.0
- Update of rootfile
- Changelog
    2.36 Release Notes
      These are too long to include here. To see the details go to the following link
      https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.36...
    2.35.3.txt Release Notes
      This release merges up the fixes that appear in v2.35.3.
    2.35.2 Release Notes
      This release merges up the fixes that appear in v2.30.3, v2.31.2, v2.32.1, v2.33.2 and v2.34.2 to address the security issue CVE-2022-24765; see the release notes for these versions for details.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 2e9899036a64e4d1fcccedb1a2eeefca0af7a7e2 Author: Adolf Belka adolf.belka@ipfire.org Date: Tue Apr 12 12:35:26 2022 +0200
stunnel: Update to version 5.63
- Update from version 5.62 to 5.63
- Update of rootfile not required
- Changelog
    Version 5.63, 2022.03.15
      * Security bugfixes
        - OpenSSL DLLs updated to version 3.0.2.
      * New features
        - Updated stunnel.spec to support bash completion
      * Bugfixes
        - Fixed possible PRNG initialization crash (thx to Gleydson Soares).
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit 6dd63f5e7f33d2948132f7412f75cd4473e7b148 Author: Adolf Belka adolf.belka@ipfire.org Date: Tue Apr 12 12:35:10 2022 +0200
stress: Update to version 1.0.5
- Update from version 1.0.4 to 1.0.5
- Update of rootfile not required
- Changelog
    Version 1.0.5
      * Added CI test for GitHub.
      * Migrated manpage system to txt2man.
      * Modernized system install.
      * Set right permissions to source code.
      * Updated README and added a CONTRIBUTING file.
      * Other minor changes and improvements.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit ac8da780aa611e2b86e49ec02a7d0c4c4b9bfc26 Author: Adolf Belka adolf.belka@ipfire.org Date: Tue Apr 12 12:34:58 2022 +0200
strace: Update to version 5.17
- Update from 5.14 to 5.17
- Update of rootfile not required
- Changelog
    Noteworthy changes in release 5.17 (2022-03-26)
      * Improvements
        * Added 64-bit LoongArch architecture support.
        * Extended personality designation syntax of syscall specification expressions to support all@pers and %class@pers.
        * Enhanced rejection of invalid syscall numbers in syscall specification expressions.
        * Implemented decoding of set_mempolicy_home_node syscall, introduced in Linux 5.17.
        * Implemented decoding of IFLA_GRO_MAX_SIZE and TCA_ACT_IN_HW_COUNT netlink attributes.
        * Implemented decoding of PR_SET_VMA operation of prctl syscall.
        * Implemented decoding of siginfo_t.si_pkey field.
        * Implemented decoding of LIRC ioctl commands.
        * Updated lists of FAN_*, IORING_*, IOSQE_*, KEY_*, KVM_*, MODULE_INIT_*, TCA_ACT_*, and *_MAGIC constants.
        * Updated lists of ioctl commands from Linux 5.17.
    Noteworthy changes in release 5.16 (2022-01-10)
      * Improvements
        * Implemented --secontext=mismatch option to find mismatches in SELinux contexts.
        * Implemented decoding of futex_waitv syscall introduced in Linux 5.16.
        * Implemented decoding of BPF_LINK_GET_NEXT_ID and BPF_LINK_GET_FD_BY_ID bpf syscall commands.
        * Enhanced decoding of BPF_MAP_CREATE, BPF_PROG_TEST_RUN, and BPF_PROG_LOAD bpf syscall commands.
        * Enhanced decoding of BTRFS_IOC_FS_INFO ioctl command.
        * Updated lists of AUDIT_*, BPF_*, BTRFS_*, DEVCONF_*, FAN_*, ETH_P_*, IPV4_DEVCONF_*, KVM_*, NDA_*, SO_*, and V4L2_* constants.
        * Updated lists of ioctl commands from Linux 5.16.
      * Bug fixes
        * Fixed build for older Android.
    Noteworthy changes in release 5.15 (2021-12-01)
      * Improvements
        * Implemented --strings-in-hex=non-ascii-chars option for using hexadecimal numbers instead of octal ones in escape sequences in the output strings.
        * Implemented --decode-pids=comm option (and its alias -Y) for printing command names for PIDs.
        * Implemented --decode-pids=pidns as an alias to --pidns-translation option.
        * Implemented printing of current working directory when AT_FDCWD constant is used with --decode-fds=path option enabled.
        * Improved printing of syscall names in places where the associated AUDIT_ARCH_* value is present (ptrace PTRACE_GET_SYSCALL_INFO request, SIGSYS siginfo_t).
        * Implemented decoding of process_mrelease syscall, introduced in Linux 5.15.
        * Implemented decoding of SECCOMP_GET_NOTIF_SIZES operation of seccomp syscall.
        * Implemented decoding of HDIO_*, KD*, and SECCOMP_* ioctl commands.
        * Implemented decoding of RTM_NEWCACHEREPORT, RTM_{NEW,DEL,GET}NEXTHOP, and RTM_{NEW,GET}STATS NETLINK_ROUTE netlink messages.
        * Implemented decoding of AF_ALG, AF_IEEE802154, AF_MCTP, AF_NFC, AF_QIPCRTR, AF_RRPC, AF_VSOCK, and AF_XDP socket addresses.
        * Implemented decoding of AF_BRIDGE and AF_MCTP protocols for IFLA_AF_SPEC netlink attribute.
        * Implemented decoding of IFLA_BR_MCAST_QUERIER_STATE, IFLA_BR_MULTI_BOOLOPT, IFLA_INET6_RA_MTU, IFLA_INFO_SLAVE_DATA, and IFLA_VFINFO_LIST netlink attributes.
        * Enhanced decoding of io_uring_register and times syscalls.
        * Enhanced IFLA_BR_FORWARD_DELAY, IFLA_BR_MAX_AGE, IFLA_EXT_MASK, IFLA_PROTINFO, *_INTVL, and *_TIMER netlink attribute decoding.
        * Enhanced decoding of AF_IPX and AF_NETLINK socket addresses.
        * Updated lists of AF_*, ARPHRD_*, BTRFS_*, DEVCONF_*, DM_*, ETH_P_*, FAN_REPORT_*, IORING_*, MOVE_MOUNT_*, MPOL_*, PACKET_*, RTM_*, SO_*, and XFRM_MSG_* constants.
        * Updated lists of ioctl commands from Linux 5.15.
      * Bug fixes
        * Fixed printing of struct bpf_prog_info.map_ids array.
        * Fixed behaviour of "dev", "pidfd", and "socket" arguments of the --print-fds option to no longer imply the "path" argument.
        * Fixed insufficient buffer size used for network interface name printing, that previously led to assertions on attempts of printing interface names that require quoting, for example, names longer than 4 characters in -xx mode (addresses RHBZ bug #2028146).
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit 2a85fc7a124c918d6b431c04e255e03f364cc84b Author: Adolf Belka adolf.belka@ipfire.org Date: Tue Apr 12 12:34:42 2022 +0200
lcdproc: Update to version 0.5.9
- Update from version 0.5.7 (2016) to 0.5.9 (2017)
- Update of rootfile
- This patch brings lcdproc up to date with the most recent release.
- Although there are no new releases there are continuing ongoing commits and issue fixes being done in the repository with the last commit being in Dec 2021. Not sure why no new releases are being done. It looks like any of the commits that fix issues people have raised have to be patched by the interested people.
- Changelog
    0.5.9
      This is mostly a code cleanup, bugfix and maintenance release.
      Drivers supporting new hardware or additional functionality
        HD44780 connection type "serial" supports Portwell EZIO-100 and EZIO-300
        HD44780 connection type "gpio" supports dual controller displays. This connection type is now a full replacement for the obsolete "rpi" connection type.
      Removed configure flags
        enable-permissive-menu-goto is replaced by a setting in LCDd.conf
        enable-seamless-hbars is now selected by drivers that need it automatically
      Other important changes
        The build system now specifies the language as C99.
        API: drivers need to include "shared/report.h" instead of "report.h"
        libftdi1 is used if it is available instead of obsolete libftdi
        display update interval is selectable from LCDd.conf
    0.5.8
      New drivers
        futaba: for Futaba TOSD-5711BB VFDisplay commonly used on Elonex Artisan, Fujitsu Scaleo E and FIC Spectra Media Centre PCs
        linux_input: supporting event devices from the linux input subsystem
        Olimex_MOD_LCD1x9: for Olimex MOD-LCD1x9
        yard2LCD: for yard2
      New connection types for hd44780 driver
        lcm162 is a differently wired 8 bit connection type used on Nextgate NSA network appliances
        gpio is using the linux sysfs gpio interface to control a display in 4-bit mode. To build this sub-driver you need libugpio, which is a new dependency for lcdproc.
      Obsolete connection types for hd44780 driver
        The following connection types are obsolete and probably won't get bug and security fixes:
        raspberrypi: use the gpio connection type instead
        piplate: use the gpio connection type together with the gpio-mcp23s08 kernel module.
        pifacecad: use the gpio connection type together with the gpio-mcp23s08 kernel module.
        i2c: support for this sub-driver might continue for the users of non-linux operating systems. On linux systems it is recommended to use the gpio connection type together with the gpio-pcf857x kernel module.
      Drivers supporting new hardware or additional functionality
        icp_a106 now also supports A125 displays
        NoritakeVFD added some non-essential features
      Other important changes
        Development of lcdproc moved to github.
        Some internal data structures have changed. If you have custom LCDd drivers, you will need to recompile them against the new version. Of course submitting such drivers in pull requests is appreciated.
      For a detailed list of bug fixes, see the ChangeLog.md included in the distribution archive.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit fd4c9f98b8eba436ae16a03b2487ea308aaa94e7 Author: Peter Müller peter.mueller@ipfire.org Date: Sun Apr 24 14:17:24 2022 +0000
Core Update 168: Ship ipset
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 1b16f712c6895c462973f4c021be67cd80aabd8f Author: Adolf Belka adolf.belka@ipfire.org Date: Tue Apr 12 12:33:58 2022 +0200
ipset: Update to version 7.15
- Update from 7.11 to 7.15
- Update of rootfile
- Changelog
    7.15
      Kernel part changes
        netfilter: ipset: Fix maximal range check in hash_ipportnet4_uadt()
    7.14
      Userspace changes
        Add missing function to libipset.map and bump library version
      Kernel part changes
        64bit division isn't allowed on 32bit, replace it with shift
    7.13
      Userspace changes
        When parsing protocols by number, do not check it in /etc/protocols.
        Add missing hunk to patch "Allow specifying protocols by number"
      Kernel part changes
        Limit the maximal range of consecutive elements to add/delete fix
    7.12
      Userspace changes
        Allow specifying protocols by number
        Fix example in ipset.8 manpage
        tests: add tests ipset to nftables
        add ipset to nftables translation infrastructure
        lib: Detach restore routine from parser
        lib: split parser from command execution
        Fix patch "Parse port before trying by service name"
      Kernel part changes
        Limit the maximal range of consecutive elements to add/delete
        Backport "netfilter: use nfnetlink_unicast()"
        Backport "netfilter: nfnetlink: consolidate callback type"
        Backport "netfilter: nfnetlink: add struct nfnl_info and pass it to callbacks"
        Backport "netfilter: add helper function to set up the nfnetlink header and use it"
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit 22ceda82b63226570ae7a79da99cec84855d8f25 Author: Peter Müller peter.mueller@ipfire.org Date: Sun Apr 24 14:15:30 2022 +0000
Core Update 168: Ship harfbuzz
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit f5ebb58ab484b0d966f951e7aaf9dd6eb0611418 Author: Adolf Belka adolf.belka@ipfire.org Date: Tue Apr 5 15:47:30 2022 +0200
harfbuzz: Update to version 4.2.0
- Update from 3.4.0 to 4.2.0
- Update of rootfile
- Changelog
    Overview of changes leading to 4.2.0
    Wednesday, March 30, 2022
      - Source code reorganization, splitting large hb-ot-layout files into smaller, per-subtable ones under OT/Layout/*. Code for more tables will follow suit in later releases. (Garret Rieger, Behdad Esfahbod)
      - Revert Indic shaper change in previous release that broke some fonts and instead make per-syllable restriction of “GSUB” application limited to script-specific Indic features, while applying them and discretionary features in one go. (Behdad Esfahbod)
      - Fix decoding of private in gvar table. (Behdad Esfahbod)
      - Fix handling of contextual lookups that delete too many glyphs. (Behdad Esfahbod)
      - Make “morx” deleted glyphs don’t block “GPOS” application. (Behdad Esfahbod)
      - Various build fixes. (Chun-wei Fan, Khaled Hosny)
      - New API
        +hb_set_next_many() (Andrew John)
    Overview of changes leading to 4.1.0
    Wednesday, March 23, 2022
      - Various OSS-Fuzz fixes. (Behdad Esfahbod)
      - Make fallback vertical-origin match FreeType’s. (Behdad Esfahbod)
      - Treat visible viramas like dependent vowels in USE shaper. (David Corbett)
      - Apply presentation forms features and discretionary features in one go in Indic shaper, which seems to match Uniscribe and CoreText behaviour. (Behdad Esfahbod, David Corbett)
      - Various bug fixes.
      - New API
        +hb_set_add_sorted_array() (Andrew John)
    Overview of changes leading to 4.0.1
    Friday, March 11, 2022
      - Update OpenType to AAT mappings for “hist” and “vrtr” features. (Florian Pircher)
      - Update IANA Language Subtag Registry to 2022-03-02. (David Corbett)
      - Update USE shaper to allow any non-numeric tail in a symbol cluster, and remove obsolete data overrides. (David Corbett)
      - Fix handling of baseline variations to return correctly scaled values. (Matthias Clasen)
      - A new experimental hb_subset_repack_or_fail() to repack an array of objects, eliminating offset overflows. The API is not available unless HarfBuzz is built with experimental APIs enabled. (Qunxin Liu)
      - New experimental API
        +hb_link_t
        +hb_object_t
        +hb_subset_repack_or_fail()
    Overview of changes leading to 4.0.0
    Tuesday, March 1, 2022
      - New public API to create subset plan and gather information on things like glyph mappings in the final subset. The plan can then be passed on to perform the subsetting operation. (Garret Rieger)
      - Draw API for extracting glyph shapes have been extended and finalized and is no longer an experimental API. The draw API supports glyf, CFF and CFF2 glyph outlines tables, and applies variation settings set on the font as well as synthetic slant. The new public API is not backward compatible with the previous, non-public, experimental API. (Behdad Esfahbod)
      - The hb-view tool will use HarfBuzz draw API to render the glyphs instead of cairo-ft when compiled with Cairo 1.17.5 or newer, setting HB_DRAW environment variable to 1 or 0 will force using or not use the draw API, respectively. (Behdad Esfahbod)
      - The hb-shape and hb-view tools now default to using HarfBuzz’s own font loading functions (ot) instead of FreeType ones (ft). They also have a new option, --font-slant, to apply synthetic slant to the font. (Behdad Esfahbod)
      - HarfBuzz now supports more than 65535 (the OpenType limit) glyph shapes and metrics. See https://github.com/be-fonts/boring-expansion-spec/issues/6 and https://github.com/be-fonts/boring-expansion-spec/issues/7 for details. (Behdad Esfahbod)
      - New API to get the dominant horizontal baseline tag for a given script. (Behdad Esfahbod)
      - New API to get the baseline positions from the font, and synthesize missing ones. As well as new API to get font metrics and synthesize missing ones. (Matthias Clasen)
      - Improvements to finding dependencies on Windows when building with Visual Studio. (Chun-wei Fan)
      - New buffer flag, HB_BUFFER_FLAG_PRODUCE_UNSAFE_TO_CONCAT, that must be set during shaping for HB_GLYPH_FLAG_UNSAFE_TO_CONCAT flag to be reliably produced. This is to limit the performance hit of producing this flag to when it is actually needed. (Behdad Esfahbod)
      - Documentation improvements. (Matthias Clasen)
      - New API
        - General:
          +HB_BUFFER_FLAG_PRODUCE_UNSAFE_TO_CONCAT
          +hb_var_num_t
        - Draw:
          +hb_draw_funcs_t
          +hb_draw_funcs_create()
          +hb_draw_funcs_reference()
          +hb_draw_funcs_destroy()
          +hb_draw_funcs_is_immutable()
          +hb_draw_funcs_make_immutable()
          +hb_draw_move_to_func_t
          +hb_draw_funcs_set_move_to_func()
          +hb_draw_line_to_func_t
          +hb_draw_funcs_set_line_to_func()
          +hb_draw_quadratic_to_func_t
          +hb_draw_funcs_set_quadratic_to_func()
          +hb_draw_cubic_to_func_t
          +hb_draw_funcs_set_cubic_to_func()
          +hb_draw_close_path_func_t
          +hb_draw_funcs_set_close_path_func()
          +hb_draw_state_t
          +HB_DRAW_STATE_DEFAULT
          +hb_draw_move_to()
          +hb_draw_line_to()
          +hb_draw_quadratic_to()
          +hb_draw_cubic_to()
          +hb_draw_close_path()
          +hb_font_get_glyph_shape_func_t
          +hb_font_funcs_set_glyph_shape_func()
          +hb_font_get_glyph_shape()
        - OpenType layout
          +HB_OT_LAYOUT_BASELINE_TAG_IDEO_FACE_CENTRAL
          +HB_OT_LAYOUT_BASELINE_TAG_IDEO_EMBOX_CENTRAL
          +hb_ot_layout_get_horizontal_baseline_tag_for_script()
          +hb_ot_layout_get_baseline_with_fallback()
        - Metrics:
          +hb_ot_metrics_get_position_with_fallback()
        - Subset:
          +hb_subset_plan_t
          +hb_subset_plan_create_or_fail()
          +hb_subset_plan_reference()
          +hb_subset_plan_destroy()
          +hb_subset_plan_set_user_data()
          +hb_subset_plan_get_user_data()
          +hb_subset_plan_execute_or_fail()
          +hb_subset_plan_unicode_to_old_glyph_mapping()
          +hb_subset_plan_new_to_old_glyph_mapping()
          +hb_subset_plan_old_to_new_glyph_mapping()
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit 5d18c0a5704ae55ae1eab6734574b9c8b3678235 Author: Peter Müller peter.mueller@ipfire.org Date: Sun Apr 24 14:15:04 2022 +0000
Core Update 168: Ship poppler
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit c35d3ac6a1569c1a3b7aae4981396ed6faed8f9f Author: Adolf Belka adolf.belka@ipfire.org Date: Tue Apr 5 15:48:00 2022 +0200
poppler: Update to version 22.04.0
- Update from 22.02.0 to 22.04.0
- Update of rootfile
- Changelog
    Release 22.04.0:
      core:
        * Fix underline sometimes being drawn only partially
        * Fix Adobe Reader not reading some of the contents we write correctly
        * Fix code that workarounds some broken-ish files
        * FoFiTrueType: Parse CFF2 fonts too
        * FoFiTrueType: Support cmap types 2 and 13
        * Fix a few small memory leaks
        * code improvements
      qt:
        * Handle SaveAs named action
        * Annotations: don't change the text color when changing the font
      utils:
        * pdftotext: print creation and modification date when using htmlmeta param
      glib:
        * Fix returning internal data of temporary strings
      cpp:
        * Fix code incompatibility with MSVC
      build system:
        * poppler internal library is no longer forced to static on MSVC
        * Error out if iconv is not available and the cpp frontend is enabled
        * Require FreeType 2.8
    Release 22.03.0:
      core:
        * Signature: Fix finding Signatures that are in Pages not in the global Forms object
        * Signature: Improve getting the path to the firefox certificate database
        * Splash: Fix rendering of some joints. Issue #1212
        * Fix get_poppler_localdir for relocatable Windows builds
        * Minor code improvements
      qt:
        * Minor code improvements
      utils:
        * pdfimages: Fix the wrong Stream being passed for drawMaskedImage
      build system:
        * Small code improvements
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit df326d08fe914dcffa5779f59ed34c247a279282 Author: Peter Müller peter.mueller@ipfire.org Date: Sun Apr 24 14:07:52 2022 +0000
Core Update 168: Ship fribidi
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit a21c2a4cc4cd48f31fb9396065cedb0802994038 Author: Adolf Belka adolf.belka@ipfire.org Date: Sat Apr 23 13:17:16 2022 +0200
fribidi: Update to version 1.0.12
- Update from 1.0.11 to 1.0.12
- Update of rootfile not required
- Changelog
    Overview of changes between 1.0.11 and 1.0.12
      * Various fuzzing fixes.
- Looking at the details in the commits it looks like fribidi's use of the word fuzzing fixes basically means bug fixes. Included are fixes for a segmentation violation and a stack buffer overflow
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit b0aa87ac73a1d92579b2659020b8b3e8c915226d Author: Peter Müller peter.mueller@ipfire.org Date: Sun Apr 24 14:07:19 2022 +0000
Core Update 168: Ship pciutils
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit ffe6661c0b892eb9387a8d0d6059f560db919e84 Author: Adolf Belka adolf.belka@ipfire.org Date: Sat Apr 23 23:25:58 2022 +0200
pciutils: Update to version 3.8.0
- Update from 3.7.0 to 3.8.0
- Update of rootfile
- Changelog
    * Released as 3.8.0.
    * Filters can now match devices based on partially specified class code and also on the programming interface.
    * Reporting of link speeds, power limits, and virtual function tags has been updated to the current PCIe specification.
    * We decode the Data Object Exchange capability.
    * Bus mapping mode works in non-zero domains.
    * pci_fill_info() can fetch more fields: bridge bases, programming interface, revision, subsystem vendor and device ID, OS driver, and also parent bridge. Internally, the implementation was rewritten, significantly reducing the number of corner cases to be handled.
    * The Windows port was revived and greatly improved by Pali Rohár. It requires less magic to compile. More importantly, it runs on both old and recent Windows systems (see README.Windows for details).
    * Added a new Windows back-end using the cfgmgr32 interface. It does not provide direct access to the configuration space, but basic information about the device is reported via pci_fill_info(). For back-ends of this type, we now provide an emulated read-only config space.
    * If the configuration space is not readable for some reason (e.g., the cfgmgr32 back-end, but also badly implemented sleep mode of some devices), lspci prints only information provided by the OS.
    * The Hurd back-end was greatly improved thanks to Joan Lledó.
    * Various minor bug fixes and improvements.
    * We officially require a working C99 compiler. Sorry, MSVC.
    * As usually, updated pci.ids to the current snapshot of the database.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 87dcb206d025556d9c939fd7f003ad75ff93b61f Merge: a6d1108e7 bad8659d8 Author: Peter Müller peter.mueller@ipfire.org Date: Sun Apr 24 10:27:59 2022 +0000
Merge branch 'temp-c168-development' into next
commit bad8659d80520b2cdbd043efa0b5b15d8580c2c5 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Apr 23 19:36:57 2022 +0000
Do not mark CGI files as executable, second round
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit c04309ef012b19e3bdc98384cad28af407cc62ac Author: Peter Müller peter.mueller@ipfire.org Date: Sat Apr 23 19:35:37 2022 +0000
Do not mark CGI files as executable
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 2420f4775b77f4692cfc1625c2d7318fb5e1876f Author: Peter Müller peter.mueller@ipfire.org Date: Sat Apr 23 14:35:19 2022 +0000
Core Update 168: Ship WebIF-related changes
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit c13060fd4cda278ea79dd8d547291dbbc31840c1 Author: Leo-Andres Hofmann hofmann@leo-andres.de Date: Wed Apr 20 15:32:34 2022 +0200
menu: Fix warnings, clean code
This patch adds default values and removes a missing translation to fix "uninitialized value" and "odd number of elements" warnings.
Removes function calls from functions.pl that have already been handled by the header before it is loaded by eval().
Signed-off-by: Leo-Andres Hofmann hofmann@leo-andres.de Reviewed-by: Bernhard Bitsch bbitsch@ipfire.org
commit a04b39daa75022e5e6e12da32398bee71b73b150 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Apr 23 14:32:00 2022 +0000
Core Update 168: Ship efibootmgr on x86_64 and aarch64
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 28894b78260b8194ff1df4ef0700c5d21031a8d4 Author: Peter Müller peter.mueller@ipfire.org Date: Mon Apr 18 19:49:32 2022 +0000
efibootmgr: Update to 17
Full changelog as per https://github.com/rhboot/efibootmgr/releases/tag/17:
- various CI updates
- Make.defaults: fix pkg-config invocation for LDFLAGS
- make_linux_load_option(): add some more efi_error() calls
- Change the default partition choice.
- Don't set LIBEFIBOOT_REPORT_GPT_ERRORS=1
- Make it easier to build with a devel branch of efivar
- efibootmgr -e: improve parsing for efivar-36 compat
- Fix an invalid free()
- Propagate verbosity to libefivar 36's internal logging facility
- Add a bit more logging
Signed-off-by: Peter Müller peter.mueller@ipfire.org Reviewed-by: Adolf Belka adolf.belka@ipfire.org
commit 2f4148ccd3cab052c39a6eb77314bd789f0abd9c Author: Peter Müller peter.mueller@ipfire.org Date: Sat Apr 23 14:29:08 2022 +0000
Core Update 168: Ship and restart OpenSSH
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 7a981d94cb2c3e48ecaf07c506c8353a2c839d79 Author: Peter Müller peter.mueller@ipfire.org Date: Mon Apr 18 20:40:41 2022 +0000
SSH: do not send spoofable TCP keep alive messages
By default, both SSH server and client rely on TCP-based keep alive messages to detect broken sessions, which can be spoofed rather easily in order to keep a broken session opened (and vice versa).
Since we rely on SSH-based keep alive messages, which are not vulnerable to this kind of tampering, there is no need to double-check connections via TCP keep alive as well.
This patch therefore disables using TCP keep alive for both SSH client and server scenarios. For usability reasons, a timeout of 5 minutes (10 seconds * 30 keep alive messages = 300 seconds) will be used for both client and server configuration, as 60 seconds were found to be too short for unstable connectivity scenarios.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 018f80c6cd609184b72c08c1967b143a0637cc7f Author: Peter Müller peter.mueller@ipfire.org Date: Mon Apr 18 20:40:20 2022 +0000
SSH: Add sntrup761x25519-sha512@openssh.com key exchange to configurations
This algorithm was introduced in OpenSSH 9.0p1; also, align the curve25519-sha256* key exchanges to keep things tidy.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
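The settings described in the two SSH commits above (TCP keep-alive off, an SSH-level keep-alive of 10 s × 30 messages, and the hybrid key exchange in any explicit list) can be checked mechanically. The Python audit below is an added example, not IPFire's code: the directive names are standard OpenSSH options, while the function names, the sample configurations and the 300-second target constant are constructed for illustration.

```python
import re

HYBRID_KEX = "sntrup761x25519-sha512@openssh.com"
TARGET_TIMEOUT = 300  # seconds: 10 s interval * 30 messages, per the commit message

# SSH-level (in-channel) keep-alive directives for each side.
ALIVE_KEYS = {
    "server": ("clientaliveinterval", "clientalivecountmax"),
    "client": ("serveraliveinterval", "serveralivecountmax"),
}
# OpenSSH defaults that apply when a directive is absent.
DEFAULTS = {
    "tcpkeepalive": "yes",
    "clientaliveinterval": "0", "clientalivecountmax": "3",
    "serveraliveinterval": "0", "serveralivecountmax": "3",
}
# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
LINE_RE = re.compile(r"(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_config(text):
    """Return {keyword: value} for the global section and Host * / Match all blocks.

    Simplifications assumed by this example: other Host/Match blocks are
    skipped, and the first value seen for a keyword is kept.
    """
    settings, active = {}, True
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            active = value == "*"
        elif key == "match":
            active = value.lower() == "all"
        elif active:
            settings.setdefault(key, value)
    return settings


def audit(text, role):
    """Return a list of findings; an empty list means the config matches the commits.

    Assumes interval/count values are plain integers (seconds / messages).
    """
    cfg = {**DEFAULTS, **parse_config(text)}
    findings = []
    if cfg["tcpkeepalive"].lower() != "no":
        findings.append("TCPKeepAlive is enabled: liveness relies on spoofable TCP probes")
    interval_key, count_key = ALIVE_KEYS[role]
    interval, count = int(cfg[interval_key]), int(cfg[count_key])
    if interval == 0:
        findings.append(f"{interval_key} is 0: no SSH-level keep-alive is sent")
    elif interval * count != TARGET_TIMEOUT:
        findings.append(f"dead-peer timeout is {interval * count}s, expected {TARGET_TIMEOUT}s")
    kex = cfg.get("kexalgorithms", "")
    if kex and kex[0] not in "+^-" and HYBRID_KEX not in kex.split(","):
        findings.append(f"explicit KexAlgorithms list lacks {HYBRID_KEX}")
    elif kex.startswith("-") and HYBRID_KEX in kex[1:].split(","):
        findings.append(f"KexAlgorithms removes {HYBRID_KEX} from the defaults")
    return findings


# Constructed sample configurations (not taken from IPFire).
HARDENED_SERVER = """
TCPKeepAlive no
ClientAliveInterval 10
ClientAliveCountMax 30
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org
"""
LEGACY_SERVER = """
ClientAliveInterval 60
ClientAliveCountMax 1
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
"""
HARDENED_CLIENT = """
Host *
    TCPKeepAlive no
    ServerAliveInterval 10
    ServerAliveCountMax 30
Host legacy.example
    TCPKeepAlive yes
"""

if __name__ == "__main__":
    for name, text, role in (("hardened server", HARDENED_SERVER, "server"),
                             ("legacy server", LEGACY_SERVER, "server"),
                             ("hardened client", HARDENED_CLIENT, "client")):
        print(name, audit(text, role) or "OK")
```

On a live system, the effective values printed by `sshd -T` (server) or `ssh -G <host>` (client) are the better input, since they already resolve defaults and Match/Host blocks.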
commit 7554e857eebdd6593f986b2a0b840e73db65aa19 Author: Peter Müller peter.mueller@ipfire.org Date: Mon Apr 18 20:40:00 2022 +0000
OpenSSH: Update to 9.0p1
Relevant changelog part, as retrieved from https://www.openssh.com/txt/release-9.0:
Changes since OpenSSH 8.9
=========================
This release is focused on bug fixing.
Potentially-incompatible changes
--------------------------------
This release switches scp(1) from using the legacy scp/rcp protocol to using the SFTP protocol by default.
Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side.
This creates one area of potential incompatibility: scp(1) when using the SFTP protocol no longer requires this finicky and brittle quoting, and attempts to use it may cause transfers to fail. We consider the removal of the need for double-quoting shell characters in file names to be a benefit and do not intend to introduce bug-compatibility for legacy scp/rcp in scp(1) when using the SFTP protocol.
Another area of potential incompatibility relates to the use of remote paths relative to other user's home directories, for example - "scp host:~user/file /tmp". The SFTP protocol has no native way to expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later support a protocol extension "expand-path@openssh.com" to support this.
In case of incompatibility, the scp(1) client may be instructed to use the legacy scp/rcp using the -O flag.
New features
------------
* ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo.
We are making this change now (i.e. ahead of cryptographically-relevant quantum computers) to prevent "capture now, decrypt later" attacks where an adversary who can record and store SSH session ciphertext would be able to decrypt it once a sufficiently advanced quantum computer is available.
* sftp-server(8): support the "copy-data" extension to allow server-side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00. bz2948
* sftp(1): add a "cp" command to allow the sftp client to perform server-side file copies.
Bugfixes
--------
* ssh(1), sshd(8): upstream: fix poll(2) spin when a channel's output fd closes without data in the channel buffer. bz3405 and bz3411
* sshd(8): pack pollfd array in server listen/accept loop. Could cause the server to hang/spin when MaxStartups > RLIMIT_NOFILE
* ssh-keygen(1): avoid NULL deref via the find-principals and check-novalidate operations. bz3409 and GHPR#307 respectively.
* scp(1): fix a memory leak in argument processing. bz3404
* sshd(8): don't try to resolve ListenAddress directives in the sshd re-exec path. They are unused after re-exec and parsing errors (possible for example if the host's network configuration changed) could prevent connections from being accepted.
* sshd(8): when refusing a public key authentication request from a client for using an unapproved or unsupported signature algorithm include the algorithm name in the log message to make debugging easier.
Portability
-----------
* sshd(8): refactor platform-specific locked account check, fixing an incorrect free() on platforms with both libiaf and shadow passwords (probably only Unixware) GHPR#284,
* ssh(1), sshd(8): Fix possible integer underflow in scan_scaled(3) parsing of K/M/G/etc quantities. bz#3401.
* sshd(8): provide killpg implementation (mostly for Tandem NonStop) GHPR#301.
* Check for missing ftruncate prototype. GHPR#301
* sshd(8): default to not using sandbox when cross compiling. On most systems poll(2) does not work when the number of FDs is reduced with setrlimit, so assume it doesn't when cross compiling and we can't run the test. bz#3398.
* sshd(8): allow ppoll_time64 in seccomp sandbox. Should fix sandbox violations on some (at least i386 and armhf) 32bit Linux platforms. bz#3396.
* Improve detection of -fzero-call-used-regs=all support in configure script.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 420e8a85d0141198a04af0cb8000739c2bc4a108 Author: Peter Müller peter.mueller@ipfire.org Date: Mon Apr 18 20:53:35 2022 +0000
lynis: Update to 3.0.7
Full changelog as retrieved from https://cisofy.com/changelog/lynis/#307:
- MALW-3290 - Show status of malware components
- OS detection for RHEL 6 and Funtoo Linux
- Added service manager openrc
- DBS-1804 - Added alias for MariaDB
- FINT-4316 - Support for newer Ubuntu versions
- MALW-3280 - Added Trend Micro malware agent
- NETW-3200 - Allow unknown number of spaces in modprobe blacklists
- PKGS-7320 - Support for Garuda Linux and arch-audit
- Several improvements for busybox shell
- Russian translation of Lynis extended
Signed-off-by: Peter Müller peter.mueller@ipfire.org Reviewed-by: Adolf Belka adolf.belka@ipfire.org
commit a808de4c17fea4453817d6dde9de7a0581f3e60d Author: Peter Müller peter.mueller@ipfire.org Date: Sat Apr 23 14:27:01 2022 +0000
Core Update 168: Ship bind
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit ffa5629d06f3ee08ba49ecf6ef6c298cc98d91c4 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Fri Apr 22 09:55:36 2022 +0200
bind: Update to 9.16.28
For details see: https://downloads.isc.org/isc/bind9/9.16.28/doc/arm/html/notes.html#notes-fo...
"Notes for BIND 9.16.28
New Features
Add a new configuration option reuseport to disable load balancing on sockets in situations where processing of Response Policy Zones (RPZ), Catalog Zones, or large zone transfers can cause service disruptions. See the BIND 9 ARM for more detail. [GL #3249]
Bug Fixes
Invalid dnssec-policy definitions, where the defined keys did not cover both KSK and ZSK roles for a given algorithm, were being accepted. These are now checked, and the dnssec-policy is rejected if both roles are not present for all algorithms in use. [GL #3142]
Handling of TCP write timeouts has been improved to track the timeout for each TCP write separately, leading to a faster connection teardown in case the other party is not reading the data. [GL #3200]"
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Reviewed-by: Adolf Belka adolf.belka@ipfire.org
commit 701e63c222f7e09cd27c8198c02ce0279627c7d8 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Apr 23 14:26:05 2022 +0000
Core Update 168: Ship libhtp and Suricata, restart the latter
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 30f306a3e28d63d63e126b709d8866cfc9b80803 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Fri Apr 22 10:21:48 2022 +0200
suricata: Update to 5.0.9
Changelog:
"5.0.9 -- 2022-04-21
Security #4889: ftp: SEGV at flow cleanup due to protocol confusion
Security #5025: ftp: GetLine function buffers data indefinitely if 0x0a was not found in the frag'd input
Security #5028: smtp: GetLine function buffers data indefinitely if 0x0a was not found in the frag'd input
Security #5253: Infinite loop in JsonFTPLogger
Feature #4644: pthreads: set minimum stack size
Bug #4466: dataset file not written when run as user
Bug #4678: Configuration test mode succeeds when reference.config file contains invalid content
Bug #4745: Absent app-layer protocol is always enabled by default
Bug #4819: tcp: insert_data_normal_fail can hit without triggering memcap
Bug #4823: conf: quadratic complexity
Bug #4825: pppoe decoder fails when protocol identity field is only 1 byte
Bug #4827: packetpool: packets in pool may have capture method ReleasePacket callbacks set
Bug #4838: af-packet: cluster_id is not used when trying to set fanout support
Bug #4878: datasets: memory leak in 5.0.x
Bug #4887: dnp3: buffer over read in logging base64 empty objects
Bug #4891: protodetect: SMB vs TLS protocol detection in midstream
Bug #4893: TFTP: memory leak due to missing detect state
Bug #4895: Memory leak with signature using file_data and NFS
Bug #4897: profiling: Invalid performance counter when using sampling
Bug #4901: eve: memory leak related to dns
Bug #4932: smtp: smtp transaction not logged if no email is present
Bug #4955: stream: too aggressive pruning in lossy streams
Bug #4957: SMTP assertion triggered
Bug #4959: suricatasc loop if recv returns no data
Bug #4961: dns: transaction not created when z-bit set
Bug #4963: Run stream reassembly on both directions upon receiving a FIN packet
Bug #5058: dns: probing/parser can return error when it should return incomplete
Bug #5063: Not keyword matches in Kerberos requests
Bug #5096: output: timestamp missing usecs on Arm 32bit + Musl
Bug #5099: htp: server personality radix handling issue
Bug #5101: defrag: policy config can setup radix incorrectly
Bug #5103: Application log cannot to be re-opened when running as non-root user
Bug #5105: iprep: cidr support can set up radix incorrectly
Bug #5107: detect/iponly: rule parsing does not always apply netmask correctly
Bug #5109: swf: coverity warning
Bug #5115: detect/ip_proto: inconsistent behavior when specifying protocol by string
Bug #5117: detect/iponly: mixing netblocks can lead to FN/FP
Bug #5119: smb: excessive CPU utilization and higher packet processing latency due to excessive calls to Vec::extend_from_slice()
Bug #5137: smb: excessive memory use during file transfer
Bug #5150: nfs: Integer underflow in NFS
Bug #5157: xbits: noalert is allowed in rule language with other commands
Bug #5164: iprep: use_cnt can get desynchronized (SIGABRT)
Bug #5171: detect/iponly: non-cidr netmask settings can lead incorrect radix tree
Bug #5193: SSL : over allocation for certificates
Bug #5213: content:"22 2 22"; is parsed without error
Bug #5227: 5.0.x: SMB: Wrong buffer being checked for possible overflow.
Bug #5251: smb: integer underflows and overflows
Task #5006: libhtp 0.5.40"
Additionally, I moved the 'suricata' patch files into a separate directory. Apart from some line numbers, nothing else was changed.
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Reviewed-by: Adolf Belka adolf.belka@ipfire.org
commit c2ead0c78ddce8e82969ceaab172d3f6bc5e84d4 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Fri Apr 22 10:21:47 2022 +0200
libhtp: Update to 0.5.40 - needed for 'suricata'
For details see: https://github.com/OISF/libhtp/releases/tag/0.5.40
"uri: optionally allows spaces in uri
ints: integer handling improvements
headers: continue on nul byte
headers: consistent trailing space handling
list: fix integer overflow
util: remove unused htp_utf8_decode
fix 100-continue with CL 0
lzma: don't do unnecessary realloc"
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Reviewed-by: Adolf Belka adolf.belka@ipfire.org
commit af8c9da4e525c3d0c896398d33e8e891180fc163 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Apr 23 14:24:25 2022 +0000
Core Update 168: Ship knot
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit e56de75e336c84784d46c16f715950b088080adb Author: Matthias Fischer matthias.fischer@ipfire.org Date: Fri Apr 22 10:03:54 2022 +0200
knot: Update to 3.1.7
For changes since v3.1.1 see: https://gitlab.nic.cz/knot/knot-dns/raw/v3.1.7/NEWS
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Reviewed-by: Adolf Belka adolf.belka@ipfire.org
commit 166efe4cb5c5ccd8888ce521857b36b3169b1f5a Author: Matthias Fischer matthias.fischer@ipfire.org Date: Fri Apr 22 13:32:28 2022 +0200
mc: Update to 4.8.28
For details see: http://midnight-commander.org/wiki/NEWS-4.8.28
Summary:
"Major changes since 4.8.27

Core

VFS
- Remove SMB support (#1)

Editor
- Add syntax highlighting:
  - Ngspice/SPICE (http://ngspice.sourceforge.net/) (#4316, #4319)
  - DOT/Graphviz (https://graphviz.org/doc/info/lang.html) (#4322)

Viewer
- Support file/dir macros from mc.ect for standalone viewer (#4150)

Misc
- Minimal version of "check" utility is 0.9.10.
- Code cleanup (#4270, #4330)
- Support Shift+Fn keys for KiTTY (#4325)
- Filehighlight:
  - graphical formats: avif, jp2, jxl, heic, heif, psb, psd (#4328)
  - Markdown (#4351)

Fixes
- FTBFS with ncurses build with --disable-widec (#4200)
- There is no exit on Ubuntu PPC64 big endian (#3887)
- Segfault on change panel mode (#4323)
- Accelerator conflict in Left/Right? menu (#4284)
- move a lot of files across filesystems is slow (#4287)
- mc.ext: wrong order of rules: general matches are made before more specific ones (#4273)
- mc.ext: compressed man pages are shown unformatted (#4272)
- ext.d/misc.sh: invoking /bin/cat on systems that have no /bin/cat (like NixOS) (#4298)
- mcedit: errors in syntax definitions (#4286)
- VFS: FISH: when uploading a symbolic link, it creates both the link and its target (#4281)
- VFS: SFTP: timestamps are not preserved for uploaded symlink (#4285)
- VFS: EXTFS: incorrect test of isoinfo (#4326)
- Typo in skin files (#3146)"
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Reviewed-by: Adolf Belka adolf.belka@ipfire.org
commit 1f326847a36c80b4c65952d06687bf6819a2d6e8 Merge: 0676b7b77 7e6efc89e Author: Peter Müller peter.mueller@ipfire.org Date: Sat Apr 23 14:23:04 2022 +0000
Merge branch 'next' into temp-c168-development
commit adce5b1c8fc21916c77d7e8a40cbed2baac1f2a2 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Apr 22 13:31:51 2022 +0200
convert-ids-backend-files: Stop and start suricata during runtime.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 615fd78f9294b2843e396f3e70b2181d8491725d Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Apr 22 09:13:41 2022 +0200
convert-ids-backend-files: Set correct ownership for suricata used rulefiles file.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit c8adaee1958ed0c382341e08949d5cb88bd58c7e Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Apr 22 05:47:21 2022 +0200
ruleset-sources: Remove support for PT Attack Team Detection rules.
All of a sudden this ruleset provider has disappeared from GitHub.
I was not able to find any further details or web page or the ruleset anymore.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 1febad2ad41578d3e77195929076e3cbbc28a89f Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Apr 22 05:45:56 2022 +0200
ids.cgi: Avoid double locking the page when forcing a ruleset update.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 07dc722f611685c6018630f927ad4b65f44988d1 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Apr 22 05:44:23 2022 +0200
ids.cgi: Make the page lock in oinkmaster_web() function optional.
This allows the page lock to be called and released manually.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit e41ee3e0f24cb89b20a758e2281531ed76577ef4 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Apr 22 05:31:28 2022 +0200
ids-functions.pl: Avoid suricata from loading rulesfiles of an unsupported provider.
Modify the write_used_rulefiles_file() function to skip the rulesfiles of unsupported providers.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit c62121c7e4ef9ec5688e16b04ef59e21276e1bd0 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Wed Apr 20 20:58:04 2022 +0200
ids-functions.pl: Try to enumerate the dl_rulesfile if a provider is not supported anymore.
In this case the details about the file suffix are not available in the ruleset-sources file anymore. The function now tries to enumerate the correct filename in this case.
This allows displaying the correct stats in the WUI, and extracting and using the downloaded ruleset of the provider until it is deleted by the user.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 782418e226434fbd7fbd236699a45bce328dcd6d Author: Stefan Schantl stefan.schantl@ipfire.org Date: Tue Apr 19 15:10:31 2022 +0200
Add missing German translation strings.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 0676b7b777e7d93d80103ca463567b89c8344841 Author: Peter Müller peter.mueller@ipfire.org Date: Mon Apr 18 21:16:03 2022 +0000
borgbackup: Add missing 'python3-pkgconfig' dependency
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 9196f2a4483ca9a12485c9d511d9946ccc00a0d7 Author: Adolf Belka adolf.belka@ipfire.org Date: Wed Apr 13 19:07:57 2022 +0200
python3-pkgconfig: Install this new python module for borgbackup
- Install the python pkgconfig module - required for borgbackup
- Install of rootfile
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit 8b27f672f80f2364fd28b13466d3a555b5c076f1 Author: Adolf Belka adolf.belka@ipfire.org Date: Wed Apr 13 19:07:56 2022 +0200
borgbackup: Update to version 1.2.0
- Update from 1.1.17 to 1.2.0
- Update of rootfile
- v2 version has x86_64 replaced by xxxMACHINExxx in the rootfile
- borgbackup now requires the python module pkgconfig, installed as a set with this patch
- Changelog

Compatibility notes:
- dropped support / testing for older Pythons, minimum requirement is 3.8. In case your OS does not provide Python >= 3.8, consider using our binary, which does not need an external Python interpreter. Or continue using borg 1.1.x, which is still supported.
- freeing repository space only happens when “borg compact” is invoked.
- mount: the default for --numeric-ids is False now (same as borg extract)
- borg create --noatime is deprecated. Not storing atime is the default behaviour now (use --atime if you want to store the atime).
- list: corrected mix-up of “isomtime” and “mtime” formats. Previously, “isomtime” was the default but produced a verbose human format, while “mtime” produced a ISO-8601-like format. The behaviours have been swapped (so “mtime” is human, “isomtime” is ISO-like), and the default is now “mtime”. “isomtime” is now a real ISO-8601 format (“T” between date and time, not a space).
- create/recreate --list: file status for all files used to get announced AFTER the file (with borg < 1.2). Now, file status is announced BEFORE the file contents are processed. If the file status changes later (e.g. due to an error or a content change), the updated/final file status will be printed again.
- removed deprecated-since-long stuff (deprecated since):
  - command “borg change-passphrase” (2017-02), use “borg key …”
  - option “--keep-tag-files” (2017-01), use “--keep-exclude-tags”
  - option “--list-format” (2017-10), use “--format”
  - option “--ignore-inode” (2017-09), use “--files-cache” w/o “inode”
  - option “--no-files-cache” (2017-09), use “--files-cache=disabled”
- removed BORG_HOSTNAME_IS_UNIQUE env var. to use borg you must implement one of these 2 scenarios:
  1) the combination of FQDN and result of uuid.getnode() must be unique and stable (this should be the case for almost everybody, except when having duplicate FQDN and MAC address or all-zero MAC address)
  2) if you are aware that 1) is not the case for you, you must set BORG_HOST_ID env var to something unique.
- exit with 128 + signal number, #5161. if you have scripts expecting rc == 2 for a signal exit, you need to update them to check for >= 128.

Fixes:
- diff: reduce memory consumption, fix is_hardlink_master, #6295
- compact: fix / improve freeable / freed space log output
  - derive really freed space from quota use before/after, #5679
  - do not say “freeable”, but “maybe freeable” (based on hint, unsure)
- fix race conditions in internal SaveFile function, #6306 #6028
- implement internal safe_unlink (was: truncate_and_unlink) function more safely: usually it does not truncate any more, only under “disk full” circumstances and only if there is only one hardlink. see: https://github.com/borgbackup/borg/discussions/6286

Other changes:
- info: use a pre12-meta cache to accelerate stats for borg < 1.2 archives. the first time borg info is invoked on a borg 1.1 repo, it can take a rather long time computing and caching some stats values for 1.1 archives, which borg 1.2 archives have in their archive metadata structure. be patient, esp. if you have lots of old archives. following invocations are much faster due to the cache.
- related change: add archive name to calc_stats progress display.
- docs:
  - add borg 1.2 upgrade notes, #6217
  - link to borg placeholders and borg patterns help
  - init: explain the encryption modes better
  - clarify usage of patternfile roots
  - put import-tar docs into same file as export-tar docs
  - explain the difference between a path that ends with or without a slash, #6297
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit 0312f9294255755d4a94dcf3fd4b455e25e0324c Author: Peter Müller peter.mueller@ipfire.org Date: Mon Apr 18 21:13:09 2022 +0000
wio: Bump package version
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit aee369fea30e210bf1088e88116610f8ce970a4b Author: Adolf Belka adolf.belka@ipfire.org Date: Wed Apr 13 10:00:20 2022 +0200
wio.cgi: Remove code lines that are commented out
- These lines were introduced with another patch related to removing IPFire start/stop capability from wio
- The lines were introduced in commented out form and so are doing nothing.
- It looks like they were added as part of a debugging or investigation work on wio
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Bernhard Bitsch bbitsch@ipfire.org
commit 12fbbc61e568b208f007df3b02c28b0bb6fe14e7 Author: Adolf Belka adolf.belka@ipfire.org Date: Wed Apr 13 10:00:19 2022 +0200
wio.pl: Fix bug 12799 - Remove code scanning for all potential IP's on RED interface
- The lines to scan the red interface were introduced at the time of a patch to remove the IPFire start/stop function from wio. These lines are not related to that change but were included in the patch with no commit message. The same lines were also added into wio.cgi in the same patch set but in that case the lines were all commented out.
- These lines look like they were most likely added to the code for investigation or debugging purposes. Looking at the lines in wio.pl the results obtained are not used elsewhere in wio for obtaining info on the status of the red interface. Deleting the lines did not affect anything related to the scanning, setup or monitoring of systems by wio.
- The lines were wasting space but generally not creating a huge impact on performance. On my production system it scans my red and comes up with a list of 1022 IP's because of the subnet my ISP uses - xxx.yy.216.0/20
- Scanning those 1022 IP's and sorting them takes my system about 3 seconds. Without sorting it is around the same level.
- In Bug#12799 the originator has an ISP that is using a private network that has a defined subnet of 10.0.0.0/8 This is 16,777,214 IP's to be scanned. Even without sorting my system would end up taking around 13 hours to do that. The bug originator found that on certain machines that he had IPFire on wio just never stopped scanning.
- As these lines just seem to collect a large amount of IP's on red that are not related to the actual running red IP, as there was no commit message related to their introduction and as removing the lines on vm's running dhcp and static red interfaces and also on my running production system for 4 weeks has shown no impact on the monitoring capability this patch is being submitted to remove these lines from wio
Fixes: Bug#12799 Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Bernhard Bitsch bbitsch@ipfire.org
commit 2e68dcd6eb10cccda976d2dfe1f8204cb066eecb Author: Adolf Belka adolf.belka@ipfire.org Date: Tue Apr 12 12:35:40 2022 +0200
tshark: Update to version 3.6.3
- Update from 3.4.7 to 3.6.3
- Update of rootfile
- find-dependencies run due to sobump - nothing reported
- Changelog - a range of changes including many bug fixes and several vulnerabilities

Wireshark 3.6.3 Release Notes
Bug Fixes
• Fuzz job crash output: fuzz-2022-01-19-7399.pcap Issue 17894[1].
• TLS dissector incorrectly reports JA3 values Issue 17942[2].
• "Wiki Protocol page" in packet details menu is broken - wiki pages not migrated to GitLab? Issue 17944[3].
• Dissector bug, protocol PFCP display Flow Description IE value error in Additional Flow Description of PFD Management Request Message Issue 17951[4].
• Bluetooth: Fails to open Log file for SCO connection Issue 17964[5].
• Fuzz job crash output: fuzz-2022-03-07-10896.pcap Issue 17984[6].
• libwiretap: Save as ERF causes segmentation fault Issue 17989[7].
• HTTP server returning multiple early hints shows too many responses in "Follow HTTP Stream" Issue 18006[8].
New and Updated Features
Updated Protocol Support
CSN.1, HTTP, IEEE 802.11, NTLM SSP, PFCP, PKTLOG, SSDP, TLS, and USB HID
New and Updated Capture File Support
pcap and pcapng

Wireshark 3.6.2 Release Notes
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2022-01[1] RTMPT dissector infinite loop. Issue 17813[2].
• wnpa-sec-2022-02[3] Large loops in multiple dissectors. Issue 17829[4], Issue 17842[5], Issue 17847[6], Issue 17855[7], Issue 17891[8], Issue 17925[9], Issue 17926[10], Issue 17931[11], Issue 17932[12], Issue 17933[13].
• wnpa-sec-2022-03[14] PVFS dissector crash. Issue 17840[15].
• wnpa-sec-2022-04[16] CSN.1 dissector crash. Issue 17882[17].
• wnpa-sec-2022-05[18] CMS dissector crash. Issue 17935[19].
The following bugs have been fixed:
• Support for GSM SMS TPDU in HTTP2 body Issue 17784[20].
• Wireshark 3.6.1 broke the ABI by removing ws_log_default_writer from libwsutil Issue 17822[21].
• Fedora RPM package build failing with RPATH of /usr/local/lib64 Issue 17830[22].
• macos-setup.sh: ftp.pcre.org no longer exists Issue 17834[23].
• nmap.org/npcap → npcap.com: domain/URL change Issue 17838[24].
• MPLS ECHO FEC stack change TLV not dissected correctly Issue 17868[25].
• Attempting to open a systemd journal export file segfaults Issue 17875[26].
• Dissector bug on 802.11ac packets Issue 17878[27].
• The Info column shows only one NGAP/S1AP packet of several packets inside an SCTP packet Issue 17886[28].
• Uninstalling Wireshark 3.6.1 on Windows 10 fails to remove the installation directory because it doesn’t remove the User’s Guide subdirectory and all its contents. Issue 17898[29].
• 3.6 doesn’t build without zlib Issue 17899[30].
• SIP Statistics no longer properly reporting method type accounting Issue 17904[31].
• Fuzz job crash output: fuzz-2022-01-26-6940.pcap Issue 17909[32].
• SCTP retransmission detection broken for the first data chunk of each association with relative TSN Issue 17917[33].
• “Show In Folder” doesn’t work correctly for filenames with spaces Issue 17927[34].
New and Updated Features
Updated Protocol Support
AMP, ASN.1 PER, ATN-ULCS, BGP, BP, CFLOW, CMS, CSN.1, GDSDB, GSM RP, GTP, HTTP3, IEEE 802.11 Radiotap, IPDC, ISAKMP, Kafka, MP2T, MPEG PES, MPEG SECT, MPLS ECHO, NGAP, NTLMSSP, OpenFlow 1.4, OpenFlow 1.5, P_MUL, PN-RT, PROXY, PTP, PVFS, RSL, RTMPT, rtnetlink, S1AP, SCTP, Signal PDU, SIP, TDS, USB, WAP, and ZigBee ZCL
New and Updated Capture File Support
BLF and libpcap

Wireshark 3.6.1 Release Notes
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2021-17[1] RTMPT dissector infinite loop. Issue 17745[2]. CVE-2021-4185[3].
• wnpa-sec-2021-18[4] BitTorrent DHT dissector infinite loop. Issue 17754[5]. CVE-2021-4184[6].
• wnpa-sec-2021-19[7] pcapng file parser crash. Issue 17755[8]. CVE-2021-4183[9].
• wnpa-sec-2021-20[10] RFC 7468 file parser infinite loop. Issue 17801[11]. CVE-2021-4182[12].
• wnpa-sec-2021-21[13] Sysdig Event dissector crash. CVE-2021-4181[14].
• wnpa-sec-2021-22[15] Kafka dissector infinite loop. Issue 17811[16].
The following bugs have been fixed:
• Allow sub-second timestamps in hexdumps Issue 15562[17].
• GRPC: An unnecessary empty Protobuf tree item is displayed if the GRPC message body length is 0 Issue 17675[18].
• Can’t install "ChmodBPF.pkg" or "Add Wireshark to the system path.pkg" on M1 MacBook Air Monterey without Rosetta 2 Issue 17757[19].
• TECMP: LIN Payload is cut off by 1 byte Issue 17760[20].
• Wireshark crashes if a 64 bit field of type BASE_CUSTOM is applied as a column Issue 17762[21].
• Command line option "-o console.log.level" causes wireshark and tshark to exit on start Issue 17763[22].
• Setting WIRESHARK_LOG_LEVEL=debug breaks interface capture Issue 17764[23].
• Unable to build without tshark Issue 17766[24].
• IEEE 802.11 action frames are not getting parsed and always seen as malformed Issue 17767[25].
• IEC 60870-5-101 link address field is 1 byte, but should have configurable length of 0,1 or 2 bytes Issue 17775[26].
• dfilter: 'tcp.port not in {1}' crashes Wireshark Issue 17785[27].
New and Updated Features
• The 'console.log.level' preference was removed in Wireshark 3.6.0. This release adds an '-o console.log.level:' backward-compatibility option on the CLI that maps to the new logging sub-system. Note that this does not have bitmask semantics and does not correspond to any actual preference. It is just a transition mechanism for users that were relying on this CLI option and will be removed in the future. To see the new diagnostic output options consult the manpages or the output of '--help'.
Updated Protocol Support
ANSI A I/F, AT, BitTorrent DHT, FF, GRPC, IEC 101/104, IEEE 802.11, IEEE 802.11 Radiotap, IPsec, Kafka, QUIC, RTMPT, RTSP, SRVLOC, Sysdig Event, and TECMP
New and Updated Capture File Support
BLF and RFC 7468

Wireshark 3.6.0 Release Notes
Many improvements have been made. See the “New and Updated Features” section below for more details.
You might want to pay particular attention to the display filter syntax updates. New and Updated Features The following features are new (or have been significantly updated) since version 3.6.0rc3: • The macOS Intel packages now ship with Qt 5.15.3 and require macOS 10.13 or later. The following features are new (or have been significantly updated) since version 3.6.0rc2: • Display filter set elements must now be comma-separated. See below for more details. The following features are new (or have been significantly updated) since version 3.6.0rc1: • The display filter expression “a != b” now has the same meaning as “!(a == b)”. The following features are new (or have been significantly updated) since version 3.5.0: • Nothing of note. The following features are new (or have been significantly updated) since version 3.4.0: • Several changes have been made to the display filter syntax: • The expression “a != b” now always has the same meaning as “!(a == b)”. In particular this means filter expressions with multi-value fields like “ip.addr != 1.1.1.1” will work as expected (the result is the same as typing “ip.src != 1.1.1.1 and ip.dst != 1.1.1.1”). This avoids the contradiction (a == b and a != b) being true. • It is possible to use the syntax “a ~= b” or “a any_ne b” to recover the previous (inconsistent with "==") logic for not equal. • Literal strings can now be specified using raw string syntax, identical to raw strings in the Python programming language. This can be used to avoid the complexity of using two levels of character escapes with regular expressions. • Set elements must now be separated using a comma. A filter such as http.request.method in {"GET" "HEAD"} must be written as … in {"GET", "HEAD"}. Whitespace is not significant. The previous use of whitespace as separator is deprecated and will be removed in a future version. • Support for the syntax "a not in b" with the same meaning as "not a in b" has been added. 
• Packaging updates: • A macOS Arm 64 (Apple Silicon) package is now available. • The macOS Intel packages now ship with Qt 5.15.3 and require macOS 10.13 or later. • The Windows installers now ship with Npcap 1.55. • A 64-bit Windows PortableApps package is now available. • TCP conversations now support a completeness criteria, which facilitates the identification of TCP streams having any of opening or closing handshakes, a payload, in any combination. It can be accessed with the new tcp.completeness filter. • Protobuf fields that are not serialized on the wire or otherwise missing in capture files can now be displayed with default values by setting the new “add_default_value” preference. The default values might be explicitly declared in “proto2” files, or false for bools, first value for enums, zero for numeric types. • Wireshark now supports reading Event Tracing for Windows (ETW). A new extcap named ETW reader is created that now can open an etl file, convert all events in the file to DLT_ETW packets and write to a specified FIFO destination. Also, a new packet_etw dissector is created to dissect DLT_ETW packets so Wireshark can display the DLT_ETW packet header, its message and packet_etw dissector calls packet_mbim sub_dissector if its provider matches the MBIM provider GUID. • “Follow DCCP stream” feature to filter for and extract the contents of DCCP streams. • Wireshark now supports dissecting RTP packets with OPUS payloads. • Importing captures from text files based on regular expressions is now possible. By specifying a regex capturing a single packet including capturing groups for relevant fields a textfile can be converted to a libpcap capture file. Supported data encodings are plain-hexadecimal, -octal, -binary and base64. Also the timestamp format now allows the second-fractions to be placed anywhere in the timestamp and it will be stored with nanosecond instead of microsecond precision. 
• The RTP Player has been significantly redesigned and improved. See Playing VoIP Calls[1] and RTP Player Window[2] in the User’s Guide for more details. • The RTP Player can play many streams in row. • The UI is more responsive. • The RTP Player maintains playlist and other tools can add and remove streams to and from it. • Every stream can be muted or routed to the left or right channel for replay. • The option to save audio has been moved from the RTP Analysis dialog to the RTP Player. The RTP Player also saves what was played, and it can save in multichannel .au or .wav. • The RTP Player is now accessible from the Telephony › RTP › RTP Player menu. • The VoIP dialogs (VoIP Calls, RTP Streams, RTP Analysis, RTP Player, SIP Flows) are non-modal and can stay opened on background. • The same tools are provided across all dialogs (Prepare Filter, Analyse, RTP Player …) • The “Follow Stream” dialog is now able to follow SIP calls based on their Call-ID value. • The “Follow Stream” dialog’s YAML output format has been updated to add timestamps and peers information For more details see Following Protocol Streams[3] in the User’s Guide. • IP fragments between public IPv4 addresses are now reassembled even if they have different VLAN IDs. Reassembly of IP fragments where one endpoint is a private (RFC 1918 section 3) or link-local (RFC 3927) IPv4 address continues to take the VLAN ID into account, as those addresses can be reused. To revert to the previous behavior and not reassemble fragments with different VLAN IDs, turn on the “Enable stricter conversation tracking heuristics” top level protocol preference. • USB Link Layer reassembly has been added, which allows hardware captures to be analyzed at the same level as software captures. • TShark can now export TLS session keys with the --export-tls-session-keys option. • Wireshark participated in the Google Season of Docs 2020 and the User’s Guide has been extensively updated.
• The “RTP Stream Analysis” dialog CSV export format was slightly changed. The first line of the export contains column titles as in other CSV exports. • Wireshark now supports the Turkish language. • The settings in the “Import from Hex Dump” dialog is now stored in a profile import_hexdump.json file. • Analyze › Reload Lua Plugins has been improved to properly support FileHandler. • The “RTP Stream Analysis” and “IAX2 Stream Analysis” dialogs now show correct calculation mean jitter calculations. • RTP streams are now created based on Skinny protocol messages in addition to other types of messages. • The “VoIP Calls Flow Sequence” window shows more information about various Skinny messages. • Initial support for building Wireshark on Windows using GCC and MinGW-w64 has been added. See README.msys2 in the sources for more information. New File Format Decoding Support Vector Informatik Binary Log File (BLF) New Protocol Support 5G Lawful Interception (5GLI), Bluetooth Link Manager Protocol (BT LMP), Bundle Protocol version 7 (BPv7), Bundle Protocol version 7 Security (BPSec), CBOR Object Signing and Encryption (COSE), E2 Application Protocol (E2AP), Event Tracing for Windows (ETW), EXtreme extra Eth Header (EXEH), High-Performance Connectivity Tracer (HiPerConTracer), ISO 10681, Kerberos SPAKE, Linux psample protocol, Local Interconnect Network (LIN), Microsoft Task Scheduler Service, O-RAN E2AP, O-RAN fronthaul UC-plane (O-RAN), Opus Interactive Audio Codec (OPUS), PDU Transport Protocol, R09.x (R09), RDP Dynamic Channel Protocol (DRDYNVC), RDP Graphic pipeline channel Protocol (EGFX), RDP Multi-transport (RDPMT), Real-Time Publish-Subscribe Virtual Transport (RTPS-VT), Real-Time Publish-Subscribe Wire Protocol (processed) (RTPS-PROC), Shared Memory Communications (SMC), Signal PDU, SparkplugB, State Synchronization Protocol (SSyncP), Tagged Image File Format (TIFF), TP-Link Smart Home Protocol, UAVCAN DSDL, UAVCAN/CAN, UDP Remote Desktop Protocol (RDPUDP), Van 
Jacobson PPP compression (VJC), World of Warcraft World (WOWW), and X2 xIRI payload (xIRI) Updated Protocol Support Too many protocols have been updated to list here. New and Updated Capture File Support Vector Informatik Binary Log File (BLF) Wireshark 3.4.9 Release Notes Bug Fixes • TShark PDML output embeds "proto" elements within other "proto" elements Issue 10588[1]. • Filter expressions comparing against single-octet hex strings where the hex digit string equals a protocol name don’t work Issue 12810[2]. • AMQP 0.9: dissector fails to handle Content-Body frame split across TCP packets Issue 14217[3]. • IEEE 802.15.4: Missing check on "PAN ID Present" bit of the Multipurpose Frame Control field Issue 17496[4]. • Wireshark ignored some character in filename when exporting SMB objects. Issue 17530[5]. • tshark -z credentials: assertion failed: (allocator→in_scope) Issue 17576[6]. • IS-IS Extended IP Reachability Prefix-SID not decoded properly Issue 17610[7]. • Error when reloading lua plugins with a capture file loaded via a custom lua file handler Issue 17615[8]. • Absolute time UTC field filters are constructed incorrectly, don’t match the packet Issue 17617[9]. • GUI freezes when clicking on large (non-capture) file in File chooser Issue 17620[10]. • Crash after selecting a different profile while capturing Issue 17622[11]. • BT-DHT reports malformed packets that are actually uTP on same connection Issue 17626[12]. Updated Protocol Support AMQP, Aruba IAP, BGP, BT-DHT, CoAP, DCERPC SPOOLSS, Diameter, EPL, GSM A-bis OML, GSM A-I/F COMMON, GSM SIM, IEEE 1905.1a, IEEE 802.15.4, IMAP, InfiniBand, ISIS LSP, ISObus VT, JPEG, MP2T, NORDIC_BLE, QUIC, RTCP, SDP, SMB, TWAMP-Control, USB HID, and VSS Monitoring New and Updated Capture File Support CAM Inspector, Ixia IxVeriWave, pcapng, and USBDump Wireshark 3.4.8 Release Notes Bug Fixes • Dissector bug reported for Bluetooth Cycling Power Measurement characteristic for extreme angles value Issue 17505[1]. 
• vcruntime140_1.dll deleted on Wireshark update/install Issue 17506[2]. • Raknet Addresses are incorrectly identified. Issue 17509[3]. • Editcap saving files as ethernet when specifying '-T ieee-802-11-*' Issue 17520[4]. • CoAP dissector confuses Content-Format with Accept Issue 17536[5]. Updated Protocol Support BT ATT, BT LE LL, CoAP, DLM3, GSM SIM, iLBC, and RakNet
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit bdd2566f7bbda478769006871c6f515fc6230940 Author: Adolf Belka adolf.belka@ipfire.org Date: Sun Apr 10 13:18:20 2022 +0200
python3-urllib3: Update to version 1.26.9
- Update from 1.26.7 to 1.26.9
- Update of rootfile
- Changelog
   1.26.9 (2022-03-16)
    * Changed ``urllib3[brotli]`` extra to favor installing Brotli libraries that are still receiving updates like ``brotli`` and ``brotlicffi`` instead of ``brotlipy``. This change does not impact behavior of urllib3, only which dependencies are installed.
    * Fixed a socket leaking when ``HTTPSConnection.connect()`` raises an exception.
    * Fixed ``server_hostname`` being forwarded from ``PoolManager`` to ``HTTPConnectionPool`` when requesting an HTTP URL. Should only be forwarded when requesting an HTTPS URL.
   1.26.8 (2022-01-07)
    * Added extra message to ``urllib3.exceptions.ProxyError`` when urllib3 detects that a proxy is configured to use HTTPS but the proxy itself appears to only use HTTP.
    * Added a mention of the size of the connection pool when discarding a connection due to the pool being full.
    * Added explicit support for Python 3.11.
    * Deprecated the ``Retry.MAX_BACKOFF`` class property in favor of ``Retry.DEFAULT_MAX_BACKOFF`` to better match the rest of the default parameter names. ``Retry.MAX_BACKOFF`` is removed in v2.0.
    * Changed location of the vendored ``ssl.match_hostname`` function from ``urllib3.packages.ssl_match_hostname`` to ``urllib3.util.ssl_match_hostname`` to ensure Python 3.10+ compatibility after being repackaged by downstream distributors.
    * Fixed absolute imports, all imports are now relative.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit 76227aaf7181296f58969a00b91ad2c80d800cfa Author: Adolf Belka adolf.belka@ipfire.org Date: Sun Apr 10 13:18:19 2022 +0200
python3-typing-extensions: Update to version 4.1.1
- Update from 4.0.1 to 4.1.1
- Update of rootfile
- Changelog
   # Release 4.1.1 (February 13, 2022)
    - Fix importing `typing_extensions` on Python 3.7.0 and 3.7.1. Original patch by Nikita Sobolev (@sobolevn).
   # Release 4.1.0 (February 12, 2022)
    - Runtime support for PEP 646, adding `typing_extensions.TypeVarTuple` and `typing_extensions.Unpack`.
    - Add interaction of `Required` and `NotRequired` with `__required_keys__`, `__optional_keys__` and `get_type_hints()`. Patch by David Cabot (@d-k-bo).
    - Runtime support for PEP 675 and `typing_extensions.LiteralString`.
    - Add `Never` and `assert_never`. Backport from bpo-46475.
    - `ParamSpec` args and kwargs are now equal to themselves. Backport from bpo-46676. Patch by Gregory Beauregard (@GBeauregard).
    - Add `reveal_type`. Backport from bpo-46414.
    - Runtime support for PEP 681 and `typing_extensions.dataclass_transform`.
    - `Annotated` can now wrap `ClassVar` and `Final`. Backport from bpo-46491. Patch by Gregory Beauregard (@GBeauregard).
    - Add missed `Required` and `NotRequired` to `__all__`. Patch by Yuri Karabas (@uriyyo).
    - The `@final` decorator now sets the `__final__` attribute on the decorated object to allow runtime introspection. Backport from bpo-46342.
    - Add `is_typeddict`. Patch by Chris Moradi (@chrismoradi) and James Hilton-Balfe (@Gobot1234).
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit f9563f97c63e0c5c4249cea00ddeb82f5e2450f4 Author: Adolf Belka adolf.belka@ipfire.org Date: Sun Apr 10 13:18:18 2022 +0200
python3-tomli: Update to version 2.0.1
- Update from 2.0.0 to 2.0.1
- Update of rootfile
- Changelog
   2.0.1
    Improve
     Make bundling easier by using relative imports internally and adding license and copyright notice to source files.
     Make error messages more uniform
     Raise a friendly TypeError for wrong file mode
     Allow parse_float to return objects having the append attr
     Eagerly raise an error if parse_float returns an illegal type
    Packaging
     Move from pytest testing framework to unittest and remove python-dateutil test dependency. Tests now only require Python interpreter.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit 75363dc20ffbb2aa17518b757eec2a4e09f9be65 Author: Adolf Belka adolf.belka@ipfire.org Date: Sun Apr 10 13:18:17 2022 +0200
python3-setuptools: Update to version 62.0.0
- Update from 59.5.0 to 62.0.0 - Update of rootfile - Changelog v62.0.0 Breaking Changes * #3151: Made ``setup.py develop --user`` install to the user site packages directory even if it is disabled in the current interpreter. Changes * #3153: When resolving requirements use both canonical and normalized names -- by :user:`ldaniluk` * #3167: Honor unix file mode in ZipFile when installing wheel via ``install_as_egg`` -- by :user:`delijati` Misc * #3088: Fixed duplicated tag with the ``dist-info`` command. * #3247: Fixed problem preventing ``readme`` specified as dynamic in ``pyproject.toml`` from being dynamically specified in ``setup.py``. v61.3.1 Misc * #3233: Included missing test file ``setupcfg_examples.txt`` in ``sdist``. * #3233: Added script that allows developers to download ``setupcfg_examples.txt`` prior to running tests. By caching these files it should be possible to run the test suite offline. v61.3.0 Changes * #3229: Disabled automatic download of ``trove-classifiers`` to facilitate reproducibility. Misc * #3229: Updated ``pyproject.toml`` validation via ``validate-pyproject`` v0.7.1. * #3229: New internal tool made available for updating the code responsible for the validation of ``pyproject.toml``. This tool can be executed via ``tox -e generate-validation-code``. v61.2.0 Changes * #3215: Ignored a subgroup of invalid ``pyproject.toml`` files that use the ``[project]`` table to specify only ``requires-python`` (**transitional**). .. warning:: Please note that future releases of setuptools will halt the build process if a ``pyproject.toml`` file that does not match doc:`the PyPA Specification PyPUG:specifications/declaring-project-metadata` is given. * #3215: Updated ``pyproject.toml`` validation, as generated by ``validate-pyproject==0.6.1``. * #3218: Prevented builds from erroring if the project specifies metadata via ``pyproject.toml``, but uses other files (e.g. ``setup.py``) to complement it, without setting ``dynamic`` properly. .. 
important:: This is a **transitional** behaviour. Future releases of ``setuptools`` may simply ignore externally set metadata not backed by ``dynamic`` or even halt the build with an error. * #3224: Merge changes from pypa/distutils@e1d5c9b1f6 Documentation changes * #3217: Fixed typo in ``pyproject.toml`` example in Quickstart -- by :user:`pablo-cardenas`. Misc * #3223: Fixed missing requirements with environment markers when ``optional-dependencies`` is set in ``pyproject.toml``. v61.1.1 Misc * #3212: Fixed missing dependencies when running ``setup.py install``. Note that calling ``setup.py install`` directly is still deprecated and will be removed in future versions of ``setuptools``. Please check the release notes for :ref:`setup_install_deprecation_note`. v61.1.0 Deprecations * #3206: Changed ``setuptools.convert_path`` to an internal function that is not exposed as part of setuptools API. Future releases of ``setuptools`` are likely to remove this function. Changes * #3202: Changed behaviour of auto-discovery to not explicitly expand ``package_dir`` for flat-layouts and to not use relative paths starting with ``./``. * #3203: Prevented ``pyproject.toml`` parsing from overwriting ``dist.include_package_data`` explicitly set in ``setup.py`` with default value. * #3208: Added a warning for non existing files listed with the ``file`` directive in ``setup.cfg`` and ``pyproject.toml``. * #3208: Added a default value for dynamic ``classifiers`` in ``pyproject.toml`` when files are missing and errors being ignored. * #3211: Disabled auto-discovery when distribution class has a ``configuration`` attribute (e.g. when the ``setup.py`` script contains ``setup(..., configuration=...)``). This is done to ensure extension-only packages created with ``numpy.distutils.misc_util.Configuration`` are not broken by the safe guard behaviour to avoid accidental multiple top-level packages in a flat-layout. .. 
note:: Users that don't set ``packages``, ``py_modules``, or ``configuration`` are still likely to observe the auto-discovery behavior, which may halt the build if the project contains multiple directories and/or multiple Python files directly under the project root. To disable auto-discovery please explicitly set either ``packages`` or ``py_modules``. Alternatively you can also configure :ref:`custom-discovery`. v61.0.0 Deprecations * #3068: Deprecated ``setuptools.config.read_configuration``, ``setuptools.config.parse_configuration`` and other functions or classes from ``setuptools.config``. Users that still need to parse and process configuration from ``setup.cfg`` can import a direct replacement from ``setuptools.config.setupcfg``, however this module is transitional and might be removed in the future (the ``setup.cfg`` configuration format itself is likely to be deprecated in the future). Breaking Changes * #2894: If you purposefully want to create an *"empty distribution"*, please be aware that some Python files (or general folders) might be automatically detected and included. Projects that currently don't specify both ``packages`` and ``py_modules`` in their configuration and contain extra folders or Python files (not meant for distribution), might see these files being included in the wheel archive or even experience the build to fail. You can check details about the automatic discovery (and how to configure a different behaviour) in :doc:`/userguide/package_discovery`. * #3067: If the file ``pyproject.toml`` exists and it includes project metadata/config (via ``[project]`` table or ``[tool.setuptools]``), a series of new behaviors that are not backward compatible may take place: - The default value of ``include_package_data`` will be considered to be ``True``. - Setuptools will attempt to validate the ``pyproject.toml`` file according to PEP 621 specification. 
- The values specified in ``pyproject.toml`` will take precedence over those specified in ``setup.cfg`` or ``setup.py``. Changes * #2887: **[EXPERIMENTAL]** Added automatic discovery for ``py_modules`` and ``packages`` -- by :user:`abravalheri`. Setuptools will try to find these values assuming that the package uses either the *src-layout* (a ``src`` directory containing all the packages or modules), the *flat-layout* (package directories directly under the project root), or the *single-module* approach (an isolated Python file, directly under the project root). The automatic discovery will also respect layouts that are explicitly configured using the ``package_dir`` option. For backward-compatibility, this behavior will be observed **only if both** ``py_modules`` **and** ``packages`` **are not set**. (**Note**: specifying ``ext_modules`` might also prevent auto-discover from taking place) If setuptools detects modules or packages that are not supposed to be in the distribution, please manually set ``py_modules`` and ``packages`` in your ``setup.cfg`` or ``setup.py`` file. If you are using a *flat-layout*, you can also consider switching to *src-layout*. * #2887: **[EXPERIMENTAL]** Added automatic configuration for the ``name`` metadata -- by :user:`abravalheri`. Setuptools will adopt the name of the top-level package (or module in the case of single-module distributions), **only when** ``name`` **is not explicitly provided**. Please note that it is not possible to automatically derive a single name when the distribution consists of multiple top-level packages or modules. * #3066: Added vendored dependencies for :pypi:`tomli`, :pypi:`validate-pyproject`. These dependencies are used to read ``pyproject.toml`` files and validate them. * #3067: **[EXPERIMENTAL]** When using ``pyproject.toml`` metadata, the default value of ``include_package_data`` is changed to ``True``. 
* #3068: **[EXPERIMENTAL]** Add support for ``pyproject.toml`` configuration (as introduced by :pep:`621`). Configuration parameters not covered by standards are handled in the ``[tool.setuptools]`` sub-table. In the future, existing ``setup.cfg`` configuration may be automatically converted into the ``pyproject.toml`` equivalent before taking effect (as proposed in #1688). Meanwhile users can use automated tools like :pypi:`ini2toml` to help in the transition. Please note that the legacy backend is not guaranteed to work with ``pyproject.toml`` configuration. -- by :user:`abravalheri` * #3125: Implicit namespaces (as introduced in :pep:`420`) are now considered by default during :doc:`package discovery </userguide/package_discovery>`, when ``setuptools`` configuration and project metadata are added to the ``pyproject.toml`` file. To disable this behaviour, use ``namespaces = False`` when explicitly setting the ``[tool.setuptools.packages.find]`` section in ``pyproject.toml``. This change is backwards compatible and does not affect the behaviour of configuration done in ``setup.cfg`` or ``setup.py``. * #3152: **[EXPERIMENTAL]** Added support for ``attr:`` and ``cmdclass`` configurations in ``setup.cfg`` and ``pyproject.toml`` when ``package_dir`` is implicitly found via auto-discovery. * #3178: Postponed importing ``ctypes`` when hiding files on Windows. This helps to prevent errors in systems that might not have ``libffi`` installed. * #3179: Merge with pypa/distutils@267dbd25ac Documentation changes * #3172: Added initial documentation about configuring ``setuptools`` via ``pyproject.toml`` (using standard project metadata). Misc * #3065: Refactored ``setuptools.config`` by separating configuration parsing (specific to the configuration file format, e.g. ``setup.cfg``) and post-processing (which includes directives such as ``file:`` that can be used across different configuration formats). 
v60.10.0 Changes * #2971: Deprecated upload_docs command, to be removed in the future. * #3137: Use samefile from stdlib, supported on Windows since Python 3.2. * #3170: Adopt nspektr (vendored) to implement Distribution._install_dependencies. Documentation changes * #3144: Added documentation on using console_scripts from setup.py, which was previously only shown in setup.cfg -- by :user:`xhlulu` * #3148: Added clarifications about ``MANIFEST.in``, that include links to PyPUG docs and more prominent mentions to using a revision control system plugin as an alternative. * #3148: Removed mention to ``pkg_resources`` as the recommended way of accessing data files, in favour of importlib.resources. Additionally more emphasis was put on the fact that *package data files* reside **inside** the *package directory* (and therefore should be *read-only*). Misc * #3120: Added workaround for intermittent failures of backend tests on PyPy. These tests now are marked with `XFAIL https://docs.pytest.org/en/stable/how-to/skipping.html`_, instead of erroring out directly. * #3124: Improved configuration for :pypi:`rst-linker` (extension used to build the changelog). * #3133: Enhanced isolation of tests using virtual environments - PYTHONPATH is not leaking to spawned subprocesses -- by :user:`befeleme` * #3147: Added options to provide a pre-built ``setuptools`` wheel or sdist for being used during tests with virtual environments. Paths for these pre-built distribution files can now be set via the environment variables: ``PRE_BUILT_SETUPTOOLS_SDIST`` and ``PRE_BUILT_SETUPTOOLS_WHEEL``. v60.9.3 Misc * #3093: Repaired automated release process. v60.9.2 Misc * #3035: When loading distutils from the vendored copy, rewrite ``__name__`` to ensure consistent importing from inside and out. v60.9.1 Misc * #3102: Prevent vendored importlib_metadata from loading distributions from older importlib_metadata. * #3103: Fixed issue where string-based entry points would be omitted. 
* #3107: Bump importlib_metadata to 4.11.1 addressing issue with parsing requirements in egg-info as found in PyPy. v60.9.0 Changes * #2876: In the build backend, allow single config settings to be supplied. * #2993: Removed workaround in distutils hack for get-pip now that pypa/get-pip#137 is closed. * #3085: Setuptools no longer relies on ``pkg_resources`` for entry point handling. * #3098: Bump vendored packaging to 21.3. * Removed bootstrap script. v60.8.2 Misc * #3091: Make ``concurrent.futures`` import lazy in vendored ``more_itertools`` package to avoid importing threading as a side effect (which caused `gevent/gevent#1865 https://github.com/gevent/gevent/issues/1865`__). -- by :user:`maciejp-ro` v60.8.1 Misc * #3084: When vendoring jaraco packages, ensure the namespace package is converted to a simple package to support zip importer. v60.8.0 Changes * #3085: Setuptools now vendors importlib_resources and importlib_metadata and jaraco.text. Setuptools no longer relies on pkg_resources for ensure_directory nor parse_requirements. v60.7.1 Misc * #3072: Remove lorem_ipsum from jaraco.text when vendored. v60.7.0 Changes * #3061: Vendored jaraco.text and use line processing from that library in pkg_resources. Misc * #3070: Avoid AttributeError in easy_install.create_home_path when sysconfig.get_config_vars values are not strings. v60.6.0 Changes * #3043: Merge with pypa/distutils@bb018f1ac3 including consolidated behavior in sysconfig.get_platform (pypa/distutils#104). * #3057: Don't include optional ``Home-page`` in metadata if no ``url`` is specified. -- by :user:`cdce8p` * #3062: Merge with pypa/distutils@b53a824ec3 including improved support for lib directories on non-x64 Windows builds. Documentation changes * #2897: Added documentation about wrapping ``setuptools.build_meta`` in a in-tree custom backend. This is a :pep:`517`-compliant way of dynamically specifying build dependencies (e.g. when platform, OS and other markers are not enough).
-- by :user:`abravalheri` * #3034: Replaced occurrences of the defunct distutils-sig mailing list with pointers to GitHub Discussions. -- by :user:`ashemedai` * #3056: The documentation has stopped suggesting to add ``wheel`` to :pep:`517` requirements -- by :user:`webknjaz` Misc * #3054: Used Py3 syntax ``super().__init__()`` -- by :user:`imba-tjd` v60.5.4 Misc * #3009: Remove filtering of distutils warnings. * #3031: Suppress distutils replacement when building or testing CPython. v60.5.3 Misc * #3026: Honor sysconfig variables in easy_install. v60.5.2 Misc * #2993: In _distutils_hack, for get-pip, simulate existence of setuptools. v60.5.1 Misc * #2918: Correct support for Python 3 native loaders. v60.5.0 Changes * #2990: Set the ``.origin`` attribute of the ``distutils`` module to the module's ``__file__``. v60.4.0 Changes * #2839: Removed ``requires`` sorting when installing wheels as an egg dir. * #2953: Fixed a bug that easy install incorrectly parsed Python 3.10 version string. * #3006: Fixed startup performance issue of Python interpreter due to imports of costly modules in ``_distutils_hack`` -- by :user:`tiran` Documentation changes * #2674: Added link to additional resources on packaging in Quickstart guide * #3008: "In-tree" Sphinx extension for "favicons" replaced with ``sphinx-favicon``. * #3008: SVG images (logo, banners, ...) optimised with the help of the ``scour`` package. Misc * #2862: Added integration tests that focus on building and installing some packages in the Python ecosystem via ``pip`` -- by :user:`abravalheri` * #2952: Modified "vendoring" logic to keep license files. * #2968: Improved isolation for some tests that were inadvertently using the project root for builds, and therefore creating directories (e.g. ``build``, ``dist``, ``*.egg-info``) that could interfere with the outcome of other tests -- by :user:`abravalheri`.
* #2968: Introduced new test fixtures ``venv``, ``venv_without_setuptools``, ``bare_venv`` that rely on the ``jaraco.envs`` package. These new test fixtures were also used to remove the (currently problematic) dependency on the ``pytest_virtualenv`` plugin. * #2968: Removed ``tmp_src`` test fixture. Previously this fixture was copying all the files and folders under the project root, including the ``.git`` directory, which is error prone and increases testing time. Since ``tmp_src`` was used to populate virtual environments (installing the version of ``setuptools`` under test via the source tree), it was replaced by the new ``setuptools_sdist`` and ``setuptools_wheel`` fixtures (that are built only once per session testing and can be shared between all the workers for read-only usage). v60.3.1 Misc * #3002: Suppress AttributeError when detecting get-pip. v60.3.0 Changes * #2993: In _distutils_hack, bypass the distutils exception for pip when get-pip is being invoked, because it imports setuptools. Misc * #2989: Merge with pypa/distutils@788cc159. Includes fix for config vars missing from sysconfig. v60.2.0 Changes * #2974: Setuptools now relies on the Python logging infrastructure to log messages. Instead of using ``distutils.log.*``, use ``logging.getLogger(name).*``. * #2987: Sync with pypa/distutils@2def21c5d74fdd2fe7996ee4030ac145a9d751bd, including fix for missing get_versions attribute (#2969), more reliance on sysconfig from stdlib. Misc * #2962: Avoid attempting to use local distutils when the presiding version of Setuptools on the path doesn't have one. * #2983: Restore 'add_shim' as the way to invoke the hook. Avoids compatibility issues between different versions of Setuptools with the distutils local implementation. v60.1.1 Misc * #2980: Bypass distutils loader when setuptools module is no longer available on sys.path. v60.1.0 Changes * #2958: In distutils_hack, only add the metadata finder once.
In ensure_local_distutils, rely on a context manager for reliable manipulation. * #2963: Merge with pypa/distutils@a5af364910. Includes revisited fix for pypa/distutils#15 and improved MinGW/Cygwin support from pypa/distutils#77. v60.0.5 Misc * #2960: Install schemes fall back to default scheme for headers. v60.0.4 Misc * #2954: Merge with pypa/distutils@eba2bcd310. Adds platsubdir to config vars available for substitution. v60.0.3 Misc * #2940: Avoid KeyError in distutils hack when pip is imported during ensurepip. v60.0.2 Misc * #2938: Select 'posix_user' for the scheme unless falling back to stdlib, then use 'unix_user'. v60.0.1 Misc * #2944: Add support for extended install schemes in easy_install. v60.0.0 Breaking Changes * #2896: Setuptools once again makes its local copy of distutils the default. To override, set SETUPTOOLS_USE_DISTUTILS=stdlib. v59.8.0 Changes * #2935: Merge pypa/distutils@460b59f0e68dba17e2465e8dd421bbc14b994d1f. v59.7.0 Changes * #2930: Require Python 3.7 v59.6.0 Changes * #2925: Merge with pypa/distutils@92082ee42c including introduction of deprecation warning on Version classes.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit 7eeeb60373dd381db51505002b3de89d7c33f948 Author: Adolf Belka adolf.belka@ipfire.org Date: Sun Apr 10 13:18:16 2022 +0200
python3-setuptools-scm: Update to version 6.4.2
- Update from version 6.3.2 to 6.4.2
- Update rootfile
- Changelog
    v6.4.2
      * fix #671 : NoReturn is not available in painfully dead python 3.6
    v6.4.1
      * fix regression #669: restore get_version signature
      * fix #668: harden the selftest for distribution extras
    v6.4.0
      * compatibility adjustments for setuptools >58
      * only put minimal setuptools version into toml extra to warn people with old strict pins
      * correctly handle hg-git self-use
      * better mercurial detection
      * modernize packaging setup
      * python 3.10 support
      * better handling of setuptools install command deprecation
      * consider ``pyproject.tomls`` when running as command
      * use list in git describe command to avoid shell expansions while supporting both windows and posix
      * add ``--strip-dev`` flag to ``python -m setuptools_scm`` to print the next guessed version cleanly
      * ensure no-guess-dev will fail on bad tags instead of generating invalid versions
      * ensure we use utc everywhere to avoid confusion
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit a790b010770eb5839055c117f71e44bc9b8d3538 Author: Adolf Belka adolf.belka@ipfire.org Date: Sun Apr 10 13:18:15 2022 +0200
python3-setuptools-rust: Update to version 1.2.0
- Update from 1.1.2 to 1.2.0
- Update of rootfile
- Changelog
    ## 1.2.0 (2022-03-22)
      ### Packaging
        - Drop support for Python 3.6. [#209]
      ### Added
        - Add support for `kebab-case` executable names. [#205]
        - Add support for custom cargo profiles. [#216]
      ### Fixed
        - Fix building macOS arm64 wheel with cibuildwheel. [#217]
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit dba994e86f185585e656c0fa5dc5c2c5f6b15116 Author: Adolf Belka adolf.belka@ipfire.org Date: Sun Apr 10 13:18:14 2022 +0200
python3-semantic-version: Update to version 2.9.0
- Update from 2.8.5 to 2.9.0
- Update of rootfile
- Changelog
    2.9.0 (2022-02-06)
      *New:*
        * Add support for Django 3.1, 3.2, 4.0
        * Add support for Python 3.7 / 3.8 / 3.9 / 3.10
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit 98c7df65620a424c1980730bb6118098a685f1ea Author: Adolf Belka adolf.belka@ipfire.org Date: Sun Apr 10 13:18:13 2022 +0200
python3-s3transfer: Update to version 0.5.2
- Update from 0.5.0 to 0.5.2
- Update of rootfile
- Changelog
    There is no changelog in the source tarball or in PyPi or in the github repository. To see the changes you have to read through the individual commits in the github repository. https://github.com/boto/s3transfer/commits/develop
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit 40556f0946c26163d852d973b71f2818ad555198 Author: Adolf Belka adolf.belka@ipfire.org Date: Sun Apr 10 13:18:12 2022 +0200
python3-pytz: Update to version 2022.1
- Update from 2021.3 to 2022.1
- Update of rootfile
- Changelog
    pytz 2022.1 with the 2022a timezone database has been released. There are no code changes.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit b9758326128d343afe0a80db8aef7b308a9f4ba9 Author: Adolf Belka adolf.belka@ipfire.org Date: Sun Apr 10 13:18:11 2022 +0200
python3-jmespath: Update to version 1.0.0
- Update from 0.10.0 to 1.0.0
- Update of rootfile
- Changelog
    This python module does not have a changelog in its source file or on its PyPi page or on its github page. To see what changes have occurred you have to look at the individual commits in github https://github.com/jmespath/jmespath.py/commits/develop
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit e9fecdc0397044c268c8c7ef34bcd924a2daa4a7 Author: Adolf Belka adolf.belka@ipfire.org Date: Sun Apr 10 13:18:10 2022 +0200
python3-flit: Update to version 3.7.1
- Update from 3.6.0 to 3.7.1
- Update of rootfile
- Changelog
    Version 3.7.1
      Fix building packages which need execution to get the version number, and have a relative import in __init__.py (PR #531).
    Version 3.7
      Support for external data files such as man pages or Jupyter extension support files (PR #510).
      Project names are now lowercase in wheel filenames and .dist-info folder names, in line with the specifications (PR #498).
      Improved support for bootstrapping a Python environment, e.g. for downstream packagers (PR #511). flit_core.wheel is usable with python -m to create wheels before the build tool is available, and flit_core sdists also include a script to install itself from a wheel before installer is available.
      Use newer importlib APIs, fixing some deprecation warnings (PR #499).
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit 441e92695515b32beafb009e513b11661eaa210d Author: Adolf Belka adolf.belka@ipfire.org Date: Sun Apr 10 13:18:09 2022 +0200
python3-click: Update to version 8.1.2
- Update from 8.0.3 to 8.1.2
- Update of rootfile
- Changelog
    Version 8.1.2
      - Fix error message for readable path check that was mixed up with the executable check. :pr:`2236`
      - Restore parameter order for ``Path``, placing the ``executable`` parameter at the end. It is recommended to use keyword arguments instead of positional arguments. :issue:`2235`
    Version 8.1.1
      - Fix an issue with decorator typing that caused type checking to report that a command was not callable. :issue:`2227`
    Version 8.1.0
      - Drop support for Python 3.6. :pr:`2129`
      - Remove previously deprecated code. :pr:`2130`
        - ``Group.resultcallback`` is renamed to ``result_callback``.
        - ``autocompletion`` parameter to ``Command`` is renamed to ``shell_complete``.
        - ``get_terminal_size`` is removed, use ``shutil.get_terminal_size`` instead.
        - ``get_os_args`` is removed, use ``sys.argv[1:]`` instead.
      - Rely on :pep:`538` and :pep:`540` to handle selecting UTF-8 encoding instead of ASCII. Click's locale encoding detection is removed. :issue:`2198`
      - Single options boolean flags with ``show_default=True`` only show the default if it is ``True``. :issue:`1971`
      - The ``command`` and ``group`` decorators can be applied with or without parentheses. :issue:`1359`
      - The ``Path`` type can check whether the target is executable. :issue:`1961`
      - ``Command.show_default`` overrides ``Context.show_default``, instead of the other way around. :issue:`1963`
      - Parameter decorators and ``@group`` handles ``cls=None`` the same as not passing ``cls``. ``@option`` handles ``help=None`` the same as not passing ``help``. :issue:`#1959`
      - A flag option with ``required=True`` requires that the flag is passed instead of choosing the implicit default value. :issue:`1978`
      - Indentation in help text passed to ``Option`` and ``Command`` is cleaned the same as using the ``@option`` and ``@command`` decorators does. A command's ``epilog`` and ``short_help`` are also processed. :issue:`1985`
      - Store unprocessed ``Command.help``, ``epilog`` and ``short_help`` strings. Processing is only done when formatting help text for output. :issue:`2149`
      - Allow empty str input for ``prompt()`` when ``confirmation_prompt=True`` and ``default=""``. :issue:`2157`
      - Windows glob pattern expansion doesn't fail if a value is an invalid pattern. :issue:`2195`
      - It's possible to pass a list of ``params`` to ``@command``. Any params defined with decorators are appended to the passed params. :issue:`2131`.
      - ``@command`` decorator is annotated as returning the correct type if a ``cls`` argument is used. :issue:`2211`
      - A ``Group`` with ``invoke_without_command=True`` and ``chain=False`` will invoke its result callback with the group function's return value. :issue:`2124`
      - ``to_info_dict`` will not fail if a ``ParamType`` doesn't define a ``name``. :issue:`2168`
      - Shell completion prioritizes option values with option prefixes over new options. :issue:`2040`
      - Options that get an environment variable value using ``autoenvvar_prefix`` treat an empty value as ``None``, consistent with a direct ``envvar``. :issue:`2146`
    Version 8.0.4
      - ``open_file`` recognizes ``Path("-")`` as a standard stream, the same as the string ``"-"``. :issue:`2106`
      - The ``option`` and ``argument`` decorators preserve the type annotation of the decorated function. :pr:`2155`
      - A callable default value can customize its help text by overriding ``__str__`` instead of always showing ``(dynamic)``. :issue:`2099`
      - Fix a typo in the Bash completion script that affected file and directory completion. If this script was generated by a previous version, it should be regenerated. :issue:`2163`
      - Fix typing for ``echo`` and ``secho`` file argument. :issue:`2174, 2185`
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit 4d2a20f407110fa91b2ceb9f38c6c0bae1add405 Author: Adolf Belka adolf.belka@ipfire.org Date: Sun Apr 10 13:18:08 2022 +0200
python3-charset-normalizer: Update to version 2.0.12
- Update from 2.0.10 to 2.0.12
- Update of rootfile
- Changelog
    ## [2.0.12]
      ### Fixed
        - ASCII miss-detection on rare cases (PR #170)
    ## [2.0.11]
      ### Added
        - Explicit support for Python 3.11 (PR #164)
      ### Changed
        - The logging behavior has been completely reviewed, now using only TRACE and DEBUG levels (PR #163 #165)
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit b3ae0e6695fb3e9dbffa6f15a66c6fdc4a62af23 Author: Adolf Belka adolf.belka@ipfire.org Date: Sun Apr 10 13:18:07 2022 +0200
python3-botocore: Update to version 1.24.37
- Update from 1.23.21 to 1.24.37 - Update of rootfile - Changelog 1.24.37 api-change:mediaconvert: AWS Elemental MediaConvert SDK has added support for the pass-through of WebVTT styling to WebVTT outputs, pass-through of KLV metadata to supported formats, and improved filter support for processing 444/RGB content. api-change:wafv2: Add a new CurrentDefaultVersion field to ListAvailableManagedRuleGroupVersions API response; add a new VersioningSupported boolean to each ManagedRuleGroup returned from ListAvailableManagedRuleGroups API response. api-change:mediapackage-vod: This release adds ScteMarkersSource as an available field for Dash Packaging Configurations. When set to MANIFEST, MediaPackage will source the SCTE-35 markers from the manifest. When set to SEGMENTS, MediaPackage will source the SCTE-35 markers from the segments. 1.24.36 api-change:apigateway: ApiGateway CLI command get-usage now includes usagePlanId, startDate, and endDate fields in the output to match documentation. api-change:personalize: This release provides tagging support in AWS Personalize. api-change:pi: Adds support for DocumentDB to the Performance Insights API. api-change:events: Update events client to latest version api-change:docdb: Added support to enable/disable performance insights when creating or modifying db instances api-change:sagemaker: Amazon Sagemaker Notebook Instances now supports G5 instance types 1.24.35 bugfix:Proxy: Fix failure case for IP proxy addresses using TLS-in-TLS. boto/botocore#2652 api-change:config: Add resourceType enums for AWS::EMR::SecurityConfiguration and AWS::SageMaker::CodeRepository api-change:panorama: Added Brand field to device listings. api-change:lambda: This release adds new APIs for creating and managing Lambda Function URLs and adds a new FunctionUrlAuthType parameter to the AddPermission API. Customers can use Function URLs to create built-in HTTPS endpoints on their functions. 
api-change:kendra: Amazon Kendra now provides a data source connector for Box. For more information, see https://docs.aws.amazon.com/kendra/latest/dg/data-source-box.html 1.24.34 api-change:securityhub: Added additional ASFF details for RdsSecurityGroup AutoScalingGroup, ElbLoadBalancer, CodeBuildProject and RedshiftCluster. api-change:fsx: Provide customers more visibility into file system status by adding new "Misconfigured Unavailable" status for Amazon FSx for Windows File Server. api-change:s3control: Documentation-only update for doc bug fixes for the S3 Control API docs. api-change:datasync: AWS DataSync now supports Amazon FSx for OpenZFS locations. 1.24.33 api-change:iot: AWS IoT - AWS IoT Device Defender adds support to list metric datapoints collected for IoT devices through the ListMetricValues API api-change:servicecatalog: This release adds ProvisioningArtifictOutputKeys to DescribeProvisioningParameters to reference the outputs of a Provisioned Product and deprecates ProvisioningArtifactOutputs. api-change:sms: Revised product update notice for SMS console deprecation. api-change:proton: SDK release to support tagging for AWS Proton Repository resource enhancement:AWSCRT: Upgrade awscrt version to 0.13.8 1.24.32 api-change:connect: This release updates these APIs: UpdateInstanceAttribute, DescribeInstanceAttribute and ListInstanceAttributes. You can use it to programmatically enable/disable multi-party conferencing using attribute type MULTI_PARTY_CONFERENCING on the specified Amazon Connect instance. 1.24.31 api-change:cloudcontrol: SDK release for Cloud Control API in Amazon Web Services China (Beijing) Region, operated by Sinnet, and Amazon Web Services China (Ningxia) Region, operated by NWCD api-change:pinpoint-sms-voice-v2: Amazon Pinpoint now offers a version 2.0 suite of SMS and voice APIs, providing increased control over sending and configuration. This release is a new SDK for sending SMS and voice messages called PinpointSMSVoiceV2. 
api-change:workspaces: Added APIs that allow you to customize the logo, login message, and help links in the WorkSpaces client login page. To learn more, visit https://docs.aws.amazon.com/workspaces/latest/adminguide/customize-branding.... api-change:route53-recovery-cluster: This release adds a new API "ListRoutingControls" to list routing control states using the highly reliable Route 53 ARC data plane endpoints. api-change:databrew: This AWS Glue Databrew release adds feature to support ORC as an input format. api-change:auditmanager: This release adds documentation updates for Audit Manager. The updates provide data deletion guidance when a customer deregisters Audit Manager or deregisters a delegated administrator. api-change:grafana: This release adds tagging support to the Managed Grafana service. New APIs: TagResource, UntagResource and ListTagsForResource. Updates: add optional field tags to support tagging while calling CreateWorkspace. 1.24.30 api-change:iot-data: Update the default AWS IoT Core Data Plane endpoint from VeriSign signed to ATS signed. If you have firewalls with strict egress rules, configure the rules to grant you access to data-ats.iot.[region].amazonaws.com or data-ats.iot.[region].amazonaws.com.cn. api-change:ec2: This release simplifies the auto-recovery configuration process enabling customers to set the recovery behavior to disabled or default api-change:fms: AWS Firewall Manager now supports the configuration of third-party policies that can use either the centralized or distributed deployment models. api-change:fsx: This release adds support for modifying throughput capacity for FSx for ONTAP file systems. api-change:iot: Doc only update for IoT that fixes customer-reported issues. 1.24.29 api-change:organizations: This release provides the new CloseAccount API that enables principals in the management account to close any member account within an organization. 
1.24.28 api-change:medialive: This release adds support for selecting a maintenance window. api-change:acm-pca: Updating service name entities 1.24.27 api-change:ec2: This release adds support for Amazon VPC Reachability Analyzer to analyze path through a Transit Gateway. api-change:ssm: This Patch Manager release supports creating, updating, and deleting Patch Baselines for Rocky Linux OS. api-change:batch: Bug Fix: Fixed a bug where shapes were marked as unboxed and were not serialized and sent over the wire, causing an API error from the service. 1.24.26 api-change:lambda: Adds support for increased ephemeral storage (/tmp) up to 10GB for Lambda functions. Customers can now provision up to 10 GB of ephemeral storage per function instance, a 20x increase over the previous limit of 512 MB. api-change:config: Added new APIs GetCustomRulePolicy and GetOrganizationCustomRulePolicy, and updated existing APIs PutConfigRule, DescribeConfigRule, DescribeConfigRuleEvaluationStatus, PutOrganizationConfigRule, DescribeConfigRule to support a new feature for building AWS Config rules with AWS CloudFormation Guard api-change:transcribe: This release adds an additional parameter for subtitling with Amazon Transcribe batch jobs: outputStartIndex. 1.24.25 api-change:redshift: This release adds a new [--encrypted | --no-encrypted] field in restore-from-cluster-snapshot API. Customers can now restore an unencrypted snapshot to a cluster encrypted with AWS Managed Key or their own KMS key. api-change:ebs: Increased the maximum supported value for the Timeout parameter of the StartSnapshot API from 60 minutes to 4320 minutes. Changed the HTTP error code for ConflictException from 503 to 409. api-change:gamesparks: Released the preview of Amazon GameSparks, a fully managed AWS service that provides a multi-service backend for game developers.
api-change:elasticache: Doc only update for ElastiCache api-change:transfer: Documentation updates for AWS Transfer Family to describe how to remove an associated workflow from a server. api-change:auditmanager: This release updates 1 API parameter, the SnsArn attribute. The character length and regex pattern for the SnsArn attribute have been updated, which enables you to deselect an SNS topic when using the UpdateSettings operation. api-change:ssm: Update AddTagsToResource, ListTagsForResource, and RemoveTagsFromResource APIs to reflect the support for tagging Automation resources. Includes other minor documentation updates. 1.24.24 api-change:location: Amazon Location Service now includes a MaxResults parameter for GetDevicePositionHistory requests. api-change:polly: Amazon Polly adds new Catalan voice - Arlet. Arlet is available as Neural voice only. api-change:lakeformation: The release fixes the incorrect permissions called out in the documentation - DESCRIBE_TAG, ASSOCIATE_TAG, DELETE_TAG, ALTER_TAG. This trebuchet release fixes the corresponding SDK and documentation. api-change:ecs: Documentation only update to address tickets api-change:ce: Added three new APIs to support tagging and resource-level authorization on Cost Explorer resources: TagResource, UntagResource, ListTagsForResource. Added optional parameters to CreateCostCategoryDefinition, CreateAnomalySubscription and CreateAnomalyMonitor APIs to support Tag On Create. 1.24.23 api-change:ram: Document improvements to the RAM API operations and parameter descriptions. api-change:ecr: This release includes a fix in the DescribeImageScanFindings paginated output. api-change:quicksight: AWS QuickSight Service Features - Expand public API support for group management. api-change:chime-sdk-meetings: Add support for media replication to link multiple WebRTC media sessions together to reach larger and global audiences. 
Participants connected to a replica session can be granted access to join the primary session and can switch sessions with their existing WebRTC connection api-change:mediaconnect: This release adds support for selecting a maintenance window. 1.24.22 enhancement:jmespath: Add env markers to get working version of jmespath for python 3.6 api-change:glue: Added 9 new APIs for AWS Glue Interactive Sessions: ListSessions, StopSession, CreateSession, GetSession, DeleteSession, RunStatement, GetStatement, ListStatements, CancelStatement 1.24.21 enhancement:Dependency: Added support for jmespath 1.0 api-change:amplifybackend: Adding the ability to customize Cognito verification messages for email and SMS in CreateBackendAuth and UpdateBackendAuth. Adding deprecation documentation for ForgotPassword in CreateBackendAuth and UpdateBackendAuth api-change:acm-pca: AWS Certificate Manager (ACM) Private Certificate Authority (CA) now supports customizable certificate subject names and extensions. api-change:ssm-incidents: Removed incorrect validation pattern for IncidentRecordSource.invokedBy api-change:billingconductor: This is the initial SDK release for AWS Billing Conductor. The AWS Billing Conductor is a customizable billing service, allowing you to customize your billing data to match your desired business structure. api-change:s3outposts: S3 on Outposts is releasing a new API, ListSharedEndpoints, that lists all endpoints associated with S3 on Outpost, that has been shared by Resource Access Manager (RAM). 1.24.20 api-change:robomaker: This release deprecates ROS, Ubuntu and Gazebo from RoboMaker Simulation Service Software Suites in favor of user-supplied containers and Relaxed Software Suites. api-change:dataexchange: This feature enables data providers to use the RevokeRevision operation to revoke subscriber access to a given revision. Subscribers are unable to interact with assets within a revoked revision.
api-change:ec2: Adds the Cascade parameter to the DeleteIpam API. Customers can use this parameter to automatically delete their IPAM, including non-default scopes, pools, cidrs, and allocations. There mustn't be any pools provisioned in the default public scope to use this parameter. api-change:cognito-idp: Updated EmailConfigurationType and SmsConfigurationType to reflect that you can now choose Amazon SES and Amazon SNS resources in the same Region. enhancement:AWSCRT: Upgrade awscrt extra to 0.13.5 api-change:location: New HERE style "VectorHereExplore" and "VectorHereExploreTruck". api-change:ecs: Documentation only update to address tickets api-change:keyspaces: Fixing formatting issues in CLI and SDK documentation api-change:rds: Various documentation improvements 1.24.19 api-change:kendra: Amazon Kendra now provides a data source connector for Slack. For more information, see https://docs.aws.amazon.com/kendra/latest/dg/data-source-slack.html api-change:timestream-query: Amazon Timestream Scheduled Queries now support Timestamp datatype in a multi-measure record. enhancement:Stubber: Added support for modeled exception fields when adding errors to a client stub. Implements boto/boto3`#3178 https://github.com/boto/botocore/issues/3178`__. api-change:elasticache: Doc only update for ElastiCache api-change:config: Add resourceType enums for AWS::ECR::PublicRepository and AWS::EC2::LaunchTemplate 1.24.18 api-change:outposts: This release adds address filters for listSites api-change:lambda: Adds PrincipalOrgID support to AddPermission API. Customers can use it to manage permissions to lambda functions at AWS Organizations level. api-change:secretsmanager: Documentation updates for Secrets Manager. api-change:connect: This release adds support for enabling Rich Messaging when starting a new chat session via the StartChatContact API. Rich Messaging enables the following formatting options: bold, italics, hyperlinks, bulleted lists, and numbered lists. 
api-change:chime: Chime VoiceConnector Logging APIs will now support MediaMetricLogs. Also CreateMeetingDialOut now returns AccessDeniedException. 1.24.17 api-change:transcribe: Documentation fix for API StartMedicalTranscriptionJobRequest, now showing min sample rate as 16khz api-change:transfer: Adding more descriptive error types for managed workflows api-change:lexv2-models: Update lexv2-models client to latest version 1.24.16 api-change:comprehend: Amazon Comprehend now supports extracting the sentiment associated with entities such as brands, products and services from text documents. 1.24.15 api-change:eks: Introducing a new enum for NodeGroup error code: Ec2SubnetMissingIpv6Assignment api-change:keyspaces: Adding link to CloudTrail section in Amazon Keyspaces Developer Guide api-change:mediaconvert: AWS Elemental MediaConvert SDK has added support for reading timecode from AVCHD sources and now provides the ability to segment WebVTT at the same interval as the video and audio in HLS packages. 1.24.14 api-change:chime-sdk-meetings: Adds support for Transcribe language identification feature to the StartMeetingTranscription API. api-change:ecs: Amazon ECS UpdateService API now supports additional parameters: loadBalancers, propagateTags, enableECSManagedTags, and serviceRegistries api-change:migration-hub-refactor-spaces: AWS Migration Hub Refactor Spaces documentation update. 1.24.13 api-change:synthetics: Allow custom handler function. api-change:transfer: Add waiters for server online and offline. api-change:devops-guru: Amazon DevOps Guru now integrates with Amazon CodeGuru Profiler. You can view CodeGuru Profiler recommendations for your AWS Lambda function in DevOps Guru. This feature is enabled by default for new customers as of 3/4/2022. Existing customers can enable this feature with UpdateEventSourcesConfig. api-change:macie: Amazon Macie Classic (macie) has been discontinued and is no longer available. 
A new Amazon Macie (macie2) is now available with significant design improvements and additional features. api-change:ec2: Documentation updates for Amazon EC2. api-change:sts: Documentation updates for AWS Security Token Service. api-change:connect: This release updates the *InstanceStorageConfig APIs so they support a new ResourceType: REAL_TIME_CONTACT_ANALYSIS_SEGMENTS. Use this resource type to enable streaming for real-time contact analysis and to associate the Kinesis stream where real-time contact analysis segments will be published. 1.24.12 api-change:greengrassv2: Doc only update that clarifies Create Deployment section. api-change:fsx: This release adds support for data repository associations to use root ("/") as the file system path api-change:kendra: Amazon Kendra now suggests spell corrections for a query. For more information, see https://docs.aws.amazon.com/kendra/latest/dg/query-spell-check.html api-change:appflow: Launching Amazon AppFlow Marketo as a destination connector SDK. api-change:timestream-query: Documentation only update for SDK and CLI 1.24.11 api-change:gamelift: Minor updates to address errors. api-change:cloudtrail: Add bytesScanned field into responses of DescribeQuery and GetQueryResults. api-change:athena: This release adds support for S3 Object Ownership by allowing the S3 bucket owner full control canned ACL to be set when Athena writes query results to S3 buckets. api-change:keyspaces: This release adds support for data definition language (DDL) operations api-change:ecr: This release adds support for tracking images lastRecordedPullTime. 1.24.10 api-change:mediapackage: This release adds Hybridcast as an available profile option for Dash Origin Endpoints. api-change:rds: Documentation updates for Multi-AZ DB clusters. api-change:mgn: Add support for GP3 and IO2 volume types. Add bootMode to LaunchConfiguration object (and as a parameter to UpdateLaunchConfigurationRequest). 
api-change:kafkaconnect: Adds operation for custom plugin deletion (DeleteCustomPlugin) and adds new StateDescription field to DescribeCustomPlugin and DescribeConnector responses to return errors from asynchronous resource creation. 1.24.9 api-change:finspace-data: Add new APIs for managing Users and Permission Groups. api-change:amplify: Add repositoryCloneMethod field for hosting an Amplify app. This field shows what authorization method is used to clone the repo: SSH, TOKEN, or SIGV4. api-change:fsx: This release adds support for the following FSx for OpenZFS features: snapshot lifecycle transition messages, force flag for deleting file systems with child resources, LZ4 data compression, custom record sizes, and unsetting volume quotas and reservations. api-change:fis: This release adds logging support for AWS Fault Injection Simulator experiments. Experiment templates can now be configured to send experiment activity logs to Amazon CloudWatch Logs or to an S3 bucket. api-change:route53-recovery-cluster: This release adds a new API option to enable overriding safety rules to allow routing control state updates. api-change:amplifyuibuilder: We are adding the ability to configure workflows and actions for components. api-change:athena: This release adds support for updating an existing named query. api-change:ec2: This release adds support for new AMI property 'lastLaunchedTime' api-change:servicecatalog-appregistry: AppRegistry is deprecating Application and Attribute-Group Name update feature. In this release, we are marking the name attributes for Update APIs as deprecated to give a heads up to our customers. 1.24.8 api-change:elasticache: Doc only update for ElastiCache api-change:panorama: Added NTP server configuration parameter to ProvisionDevice operation. Added alternate software fields to DescribeDevice response 1.24.7 api-change:route53: SDK doc update for Route 53 to update some parameters with new information. 
  - api-change:databrew: This AWS Glue Databrew release adds feature to merge job outputs into a max number of files for S3 File output type.
  - api-change:transfer: Support automatic pagination when listing AWS Transfer Family resources.
  - api-change:s3control: Amazon S3 Batch Operations adds support for new integrity checking capabilities in Amazon S3.
  - api-change:s3: This release adds support for new integrity checking capabilities in Amazon S3. You can choose from four supported checksum algorithms for data integrity checking on your upload and download requests. In addition, AWS SDK can automatically calculate a checksum as it streams data into S3
  - api-change:fms: AWS Firewall Manager now supports the configuration of AWS Network Firewall policies with either centralized or distributed deployment models. This release also adds support for custom endpoint configuration, where you can choose which Availability Zones to create firewall endpoints in.
  - api-change:lightsail: This release adds support to delete and create Lightsail default key pairs that you can use with Lightsail instances.
  - api-change:autoscaling: You can now hibernate instances in a warm pool to stop instances without deleting their RAM contents. You can now also return instances to the warm pool on scale in, instead of always terminating capacity that you will need later.

1.24.6
  - api-change:transfer: The file input selection feature provides the ability to use either the originally uploaded file or the output file from the previous workflow step, enabling customers to make multiple copies of the original file while keeping the source file intact for file archival.
  - api-change:lambda: Lambda releases .NET 6 managed runtime to be available in all commercial regions.
  - api-change:textract: Added support for merged cells and column header for table response.

1.24.5
  - api-change:translate: This release enables customers to use translation settings for formality customization in their synchronous translation output.
  - api-change:wafv2: Updated descriptions for logging configuration.
  - api-change:apprunner: AWS App Runner adds a Java platform (Corretto 8, Corretto 11 runtimes) and a Node.js 14 runtime.

1.24.4
  - api-change:imagebuilder: This release adds support to enable faster launching for Windows AMIs created by EC2 Image Builder.
  - api-change:customer-profiles: This release introduces apis CreateIntegrationWorkflow, DeleteWorkflow, ListWorkflows, GetWorkflow and GetWorkflowSteps. These apis are used to manage and view integration workflows.
  - api-change:dynamodb: DynamoDB ExecuteStatement API now supports Limit as a request parameter to specify the maximum number of items to evaluate. If specified, the service will process up to the Limit and the results will include a LastEvaluatedKey value to continue the read in a subsequent operation.

1.24.3
  - api-change:transfer: Properties for Transfer Family used with SFTP, FTP, and FTPS protocols. Display Banners are bodies of text that can be displayed before and/or after a user authenticates onto a server using one of the previously mentioned protocols.
  - api-change:gamelift: Increase string list limit from 10 to 100.
  - api-change:budgets: This change introduces DescribeBudgetNotificationsForAccount API which returns budget notifications for the specified account

1.24.2
  - api-change:iam: Documentation updates for AWS Identity and Access Management (IAM).
  - api-change:redshift: SDK release for Cross region datasharing and cost-control for cross region datasharing
  - api-change:evidently: Add support for filtering list of experiments and launches by status
  - api-change:backup: AWS Backup add new S3_BACKUP_OBJECT_FAILED and S3_RESTORE_OBJECT_FAILED event types in BackupVaultNotifications events list.

1.24.1
  - api-change:ec2: Documentation updates for EC2.
  - api-change:budgets: Adds support for auto-adjusting budgets, a new budget method alongside fixed and planned. Auto-adjusting budgets introduces new metadata to configure a budget limit baseline using a historical lookback average or current period forecast.
  - api-change:ce: AWS Cost Anomaly Detection now supports SNS FIFO topic subscribers.
  - api-change:glue: Support for optimistic locking in UpdateTable
  - api-change:ssm: Assorted ticket fixes and updates for AWS Systems Manager.

1.24.0
  - api-change:appflow: Launching Amazon AppFlow SAP as a destination connector SDK.
  - feature:Parser: Adding support for parsing int/long types in rest-json response headers.
  - api-change:rds: Adds support for determining which Aurora PostgreSQL versions support Babelfish.
  - api-change:athena: This release adds a subfield, ErrorType, to the AthenaError response object in the GetQueryExecution API when a query fails.

1.23.54
  - api-change:ssm: Documentation updates for AWS Systems Manager.

1.23.53
  - api-change:cloudformation: This SDK release adds AWS CloudFormation Hooks HandlerErrorCodes
  - api-change:lookoutvision: This release makes CompilerOptions in Lookout for Vision's StartModelPackagingJob's Configuration object optional.
  - api-change:pinpoint: This SDK release adds a new parameter creation date for GetApp and GetApps Api call
  - api-change:sns: Customer requested typo fix in API documentation.
  - api-change:wafv2: Adds support for AWS WAF Fraud Control account takeover prevention (ATP), with configuration options for the new managed rule group AWSManagedRulesATPRuleSet and support for application integration SDKs for Android and iOS mobile apps.

1.23.52
  - api-change:cloudformation: This SDK release is for the feature launch of AWS CloudFormation Hooks.

1.23.51
  - api-change:kendra: Amazon Kendra now provides a data source connector for Amazon FSx. For more information, see https://docs.aws.amazon.com/kendra/latest/dg/data-source-fsx.html
  - api-change:apprunner: This release adds support for App Runner to route outbound network traffic of a service through an Amazon VPC. New API: CreateVpcConnector, DescribeVpcConnector, ListVpcConnectors, and DeleteVpcConnector. Updated API: CreateService, DescribeService, and UpdateService.
  - api-change:s3control: This release adds support for S3 Batch Replication. Batch Replication lets you replicate existing objects, already replicated objects to new destinations, and objects that previously failed to replicate. Customers will receive object-level visibility of progress and a detailed completion report.
  - api-change:sagemaker: Autopilot now generates an additional report with information on the performance of the best model, such as a Confusion matrix and Area under the receiver operating characteristic (AUC-ROC). The path to the report can be found in CandidateArtifactLocations.

1.23.50
  - api-change:auditmanager: This release updates 3 API parameters. UpdateAssessmentFrameworkControlSet now requires the controls attribute, and CreateAssessmentFrameworkControl requires the id attribute. Additionally, UpdateAssessmentFramework now has a minimum length constraint for the controlSets attribute.
  - api-change:synthetics: Adding names parameters to the Describe APIs.
  - api-change:ssm-incidents: Update RelatedItem enum to support SSM Automation
  - api-change:events: Update events client to latest version
  - enhancement:Lambda Request Header: Adding request header for Lambda recursion detection.

1.23.49
  - api-change:athena: You can now optionally specify the account ID that you expect to be the owner of your query results output location bucket in Athena. If the account ID of the query results bucket owner does not match the specified account ID, attempts to output to the bucket will fail with an S3 permissions error.
  - api-change:rds: updates for RDS Custom for Oracle 12.1 support
  - api-change:lakeformation: Add support for calling Update Table Objects without a TransactionId.

1.23.48
  - api-change:ec2: adds support for AMIs in Recycle Bin
  - api-change:robomaker: The release deprecates the use various APIs of RoboMaker Deployment Service in favor of AWS IoT GreenGrass v2.0.
  - api-change:meteringmarketplace: Add CustomerAWSAccountId to ResolveCustomer API response and increase UsageAllocation limit to 2500.
  - api-change:rbin: Add EC2 Image recycle bin support.

1.23.47
  - api-change:emr: Update emr client to latest version
  - api-change:personalize: Adding minRecommendationRequestsPerSecond attribute to recommender APIs.
  - enhancement:Request headers: Adding request headers with retry information.
  - api-change:appflow: Launching Amazon AppFlow Custom Connector SDK.
  - api-change:dynamodb: Documentation update for DynamoDB Java SDK.
  - api-change:iot: This release adds support for configuring AWS IoT logging level per client ID, source IP, or principal ID.
  - api-change:comprehend: Amazon Comprehend now supports sharing and importing custom trained models from one AWS account to another within the same region.
  - api-change:ce: Doc-only update for Cost Explorer API that adds INVOICING_ENTITY dimensions
  - api-change:fis: Added GetTargetResourceType and ListTargetResourceTypesAPI actions. These actions return additional details about resource types and parameters that can be targeted by FIS actions. Added a parameters field for the targets that can be specified in experiment templates.
  - api-change:es: Allows customers to get progress updates for blue/green deployments
  - api-change:glue: Launch Protobuf support for AWS Glue Schema Registry
  - api-change:elasticache: Documentation update for AWS ElastiCache

1.23.46
  - api-change:appconfigdata: Documentation updates for AWS AppConfig Data.
  - api-change:athena: This release adds a field, AthenaError, to the GetQueryExecution response object when a query fails.
  - api-change:appconfig: Documentation updates for AWS AppConfig
  - api-change:cognito-idp: Doc updates for Cognito user pools API Reference.
  - api-change:secretsmanager: Feature are ready to release on Jan 28th
  - api-change:sagemaker: This release added a new NNA accelerator compilation support for Sagemaker Neo.

1.23.45
  - api-change:ec2: X2ezn instances are powered by Intel Cascade Lake CPUs that deliver turbo all core frequency of up to 4.5 GHz and up to 100 Gbps of networking bandwidth
  - api-change:kafka: Amazon MSK has updated the CreateCluster and UpdateBrokerStorage API that allows you to specify volume throughput during cluster creation and broker volume updates.
  - api-change:connect: This release adds support for configuring a custom chat duration when starting a new chat session via the StartChatContact API. The default value for chat duration is 25 hours, minimum configurable value is 1 hour (60 minutes) and maximum configurable value is 7 days (10,080 minutes).
  - api-change:amplify: Doc only update to the description of basicauthcredentials to describe the required encoding and format.
  - api-change:opensearch: Allows customers to get progress updates for blue/green deployments

1.23.44
  - api-change:frauddetector: Added new APIs for viewing past predictions and obtaining prediction metadata including prediction explanations: ListEventPredictions and GetEventPredictionMetadata
  - api-change:ebs: Documentation updates for Amazon EBS Direct APIs.
  - api-change:codeguru-reviewer: Added failure state and adjusted timeout in waiter
  - api-change:securityhub: Adding top level Sample boolean field
  - api-change:sagemaker: API changes relating to Fail steps in model building pipeline and add PipelineExecutionFailureReason in PipelineExecutionSummary.

1.23.43
  - api-change:fsx: This release adds support for growing SSD storage capacity and growing/shrinking SSD IOPS for FSx for ONTAP file systems.
  - api-change:efs: Update efs client to latest version
  - api-change:connect: This release adds support for custom vocabularies to be used with Contact Lens. Custom vocabularies improve transcription accuracy for one or more specific words.
  - api-change:guardduty: Amazon GuardDuty expands threat detection coverage to protect Amazon Elastic Kubernetes Service (EKS) workloads.

1.23.42
  - api-change:route53-recovery-readiness: Updated documentation for Route53 Recovery Readiness APIs.

1.23.41
  - enhancement:Exceptions: ProxyConnectionError previously provided the full proxy URL. User info will now be appropriately masked if needed.
  - api-change:mediaconvert: AWS Elemental MediaConvert SDK has added support for 4K AV1 output resolutions & 10-bit AV1 color, the ability to ingest sidecar Dolby Vision XML metadata files, and the ability to flag WebVTT and IMSC tracks for accessibility in HLS.
  - api-change:transcribe: Add support for granular PIIEntityTypes when using Batch ContentRedaction.

1.23.40
  - api-change:guardduty: Amazon GuardDuty findings now include remoteAccountDetails under AwsApiCallAction section if instance credential is exfiltrated.
  - api-change:connect: This release adds tagging support for UserHierarchyGroups resource.
  - api-change:mediatailor: This release adds support for multiple Segment Delivery Configurations. Users can provide a list of names and URLs when creating or editing a source location. When retrieving content, users can send a header to choose which URL should be used to serve content.
  - api-change:fis: Added action startTime and action endTime timestamp fields to the ExperimentAction object
  - api-change:ec2: C6i, M6i and R6i instances are powered by a third-generation Intel Xeon Scalable processor (Ice Lake) delivering all-core turbo frequency of 3.5 GHz

1.23.39
  - api-change:macie2: This release of the Amazon Macie API introduces stricter validation of requests to create custom data identifiers.
  - api-change:ec2-instance-connect: Adds support for ED25519 keys. PushSSHPublicKey Availability Zone parameter is now optional. Adds EC2InstanceStateInvalidException for instances that are not running. This was previously a service exception, so this may require updating your code to handle this new exception.

1.23.38
  - api-change:ivs: This release adds support for the new Thumbnail Configuration property for Recording Configurations. For more information see https://docs.aws.amazon.com/ivs/latest/userguide/record-to-s3.html
  - api-change:storagegateway: Documentation update for adding bandwidth throttling support for S3 File Gateways.
  - api-change:location: This release adds the CalculateRouteMatrix API which calculates routes for the provided departure and destination positions. The release also deprecates the use of pricing plan across all verticals.
  - api-change:cloudtrail: This release fixes a documentation bug in the description for the readOnly field selector in advanced event selectors. The description now clarifies that users omit the readOnly field selector to select both Read and Write management events.
  - api-change:ec2: Add support for AWS Client VPN client login banner and session timeout.

1.23.37
  - enhancement:Configuration: Adding support for defaults_mode configuration. The defaults_mode will be used to determine how certain default configuration options are resolved in the SDK.

1.23.36
  - api-change:config: Update ResourceType enum with values for CodeDeploy, EC2 and Kinesis resources
  - api-change:application-insights: Application Insights support for Active Directory and SharePoint
  - api-change:honeycode: Added read and write api support for multi-select picklist. And added errorcode field to DescribeTableDataImportJob API output, when import job fails.
  - api-change:ram: This release adds the ListPermissionVersions API which lists the versions for a given permission.
  - api-change:lookoutmetrics: This release adds a new DeactivateAnomalyDetector API operation.

1.23.35
  - api-change:pinpoint: Adds JourneyChannelSettings to WriteJourneyRequest
  - api-change:lexv2-runtime: Update lexv2-runtime client to latest version
  - api-change:nimble: Amazon Nimble Studio now supports validation for Launch Profiles. Launch Profiles now report static validation results after create/update to detect errors in network or active directory configuration.
  - api-change:glue: This SDK release adds support to pass run properties when starting a workflow run
  - api-change:ssm: AWS Systems Manager adds category support for DescribeDocument API
  - api-change:elasticache: AWS ElastiCache for Redis has added a new Engine Log LogType in LogDelivery feature. You can now publish the Engine Log from your Amazon ElastiCache for Redis clusters to Amazon CloudWatch Logs and Amazon Kinesis Data Firehose.

1.23.34
  - api-change:lexv2-models: Update lexv2-models client to latest version
  - api-change:elasticache: Doc only update for ElastiCache
  - api-change:honeycode: Honeycode is releasing new APIs to allow user to create, delete and list tags on resources.
  - api-change:ec2: Hpc6a instances are powered by a third-generation AMD EPYC processors (Milan) delivering all-core turbo frequency of 3.4 GHz
  - api-change:fms: Shield Advanced policies for Amazon CloudFront resources now support automatic application layer DDoS mitigation. The max length for SecurityServicePolicyData ManagedServiceData is now 8192 characters, instead of 4096.
  - api-change:pi: This release adds three Performance Insights APIs. Use ListAvailableResourceMetrics to get available metrics, GetResourceMetadata to get feature metadata, and ListAvailableResourceDimensions to list available dimensions. The AdditionalMetrics field in DescribeDimensionKeys retrieves per-SQL metrics.

1.23.33
  - api-change:finspace-data: Documentation updates for FinSpace.
  - api-change:rds: This release adds the db-proxy event type to support subscribing to RDS Proxy events.
  - api-change:ce: Doc only update for Cost Explorer API that fixes missing clarifications for MatchOptions definitions
  - api-change:kendra: Amazon Kendra now supports advanced query language and query-less search.
  - api-change:workspaces: Introducing new APIs for Workspaces audio optimization with Amazon Connect: CreateConnectClientAddIn, DescribeConnectClientAddIns, UpdateConnectClientAddIn and DeleteConnectClientAddIn.
  - api-change:iotevents-data: This release provides documentation updates for Timer.timestamp in the IoT Events API Reference Guide.
  - api-change:ec2: EC2 Capacity Reservations now supports RHEL instance platforms (RHEL with SQL Server Standard, RHEL with SQL Server Enterprise, RHEL with SQL Server Web, RHEL with HA, RHEL with HA and SQL Server Standard, RHEL with HA and SQL Server Enterprise)

1.23.32
  - api-change:ec2: New feature: Updated EC2 API to support faster launching for Windows images. Optimized images are pre-provisioned, using snapshots to launch instances up to 65% faster.
  - api-change:compute-optimizer: Adds support for new Compute Optimizer capability that makes it easier for customers to optimize their EC2 instances by leveraging multiple CPU architectures.
  - api-change:lookoutmetrics: This release adds FailureType in the response of DescribeAnomalyDetector.
  - api-change:databrew: This SDK release adds support for specifying a Bucket Owner for an S3 location.
  - api-change:transcribe: Documentation updates for Amazon Transcribe.

1.23.31
  - api-change:medialive: This release adds support for selecting the Program Date Time (PDT) Clock source algorithm for HLS outputs.

1.23.30
  - api-change:ec2: This release introduces On-Demand Capacity Reservation support for Cluster Placement Groups, adds Tags on instance Metadata, and includes documentation updates for Amazon EC2.
  - api-change:mediatailor: This release adds support for filler slate when updating MediaTailor channels that use the linear playback mode.
  - api-change:opensearch: Amazon OpenSearch Service adds support for Fine Grained Access Control for existing domains running Elasticsearch version 6.7 and above
  - api-change:iotwireless: Downlink Queue Management feature provides APIs for customers to manage the queued messages destined to device inside AWS IoT Core for LoRaWAN. Customer can view, delete or purge the queued message(s). It allows customer to preempt the queued messages and let more urgent messages go through.
  - api-change:es: Amazon OpenSearch Service adds support for Fine Grained Access Control for existing domains running Elasticsearch version 6.7 and above
  - api-change:mwaa: This release adds a "Source" field that provides the initiator of an update, such as due to an automated patch from AWS or due to modification via Console or API.
  - api-change:appsync: AppSync: AWS AppSync now supports configurable batching sizes for AWS Lambda resolvers, Direct AWS Lambda resolvers and pipeline functions

1.23.29
  - api-change:cloudtrail: This release adds support for CloudTrail Lake, a new feature that lets you run SQL-based queries on events that you have aggregated into event data stores. New APIs have been added for creating and managing event data stores, and creating, running, and managing queries in CloudTrail Lake.
  - api-change:iot: This release adds an automatic retry mechanism for AWS IoT Jobs. You can now define a maximum number of retries for each Job rollout, along with the criteria to trigger the retry for FAILED/TIMED_OUT/ALL(both FAILED and TIMED_OUT) job.
  - api-change:ec2: This release adds a new API called ModifyVpcEndpointServicePayerResponsibility which allows VPC endpoint service owners to take payer responsibility of their VPC Endpoint connections.
  - api-change:snowball: Updating validation rules for interfaces used in the Snowball API to tighten security of service.
  - api-change:lakeformation: Add new APIs for 3rd Party Support for Lake Formation
  - api-change:appstream: Includes APIs for App Entitlement management regarding entitlement and entitled application association.
  - api-change:eks: Amazon EKS now supports running applications using IPv6 address space
  - api-change:quicksight: Multiple Doc-only updates for Amazon QuickSight.
  - api-change:ecs: Documentation update for ticket fixes.
  - api-change:sagemaker: Amazon SageMaker now supports running training jobs on ml.g5 instance types.
  - api-change:glue: Add Delta Lake target support for Glue Crawler and 3rd Party Support for Lake Formation

1.23.28
  - api-change:rekognition: This release introduces a new field IndexFacesModelVersion, which is the version of the face detect and storage model that was used when indexing the face vector.
  - api-change:s3: Minor doc-based updates based on feedback bugs received.
  - enhancement:JSONFileCache: Add support for __delitem__ in JSONFileCache
  - api-change:s3control: Documentation updates for the renaming of Glacier to Glacier Flexible Retrieval.

1.23.27
  - api-change:sagemaker: The release allows users to pass pipeline definitions as Amazon S3 locations and control the pipeline execution concurrency using ParallelismConfiguration. It also adds support of EMR jobs as pipeline steps.
  - api-change:rds: Multiple doc-only updates for Relational Database Service (RDS)
  - api-change:mediaconvert: AWS Elemental MediaConvert SDK has added strength levels to the Sharpness Filter and now permits OGG files to be specified as sidecar audio inputs.
  - api-change:greengrassv2: This release adds the API operations to manage the Greengrass role associated with your account and to manage the core device connectivity information. Greengrass V2 customers can now depend solely on Greengrass V2 SDK for all the API operations needed to manage their fleets.
  - api-change:detective: Added and updated API operations to support the Detective integration with AWS Organizations. New actions are used to manage the delegated administrator account and the integration configuration.

1.23.26
  - api-change:nimble: Amazon Nimble Studio adds support for users to upload files during a streaming session using NICE DCV native client or browser.
  - api-change:chime-sdk-messaging: The Amazon Chime SDK now supports updating message attributes via channel flows
  - api-change:imagebuilder: Added a note to infrastructure configuration actions and data types concerning delivery of Image Builder event messages to encrypted SNS topics. The key that's used to encrypt the SNS topic must reside in the account that Image Builder runs under.
  - api-change:workmail: This release allows customers to change their email monitoring configuration in Amazon WorkMail.
  - api-change:transfer: Property for Transfer Family used with the FTPS protocol. TLS Session Resumption provides a mechanism to resume or share a negotiated secret key between the control and data connection for an FTPS session.
  - api-change:lookoutmetrics: This release adds support for Causal Relationships. Added new ListAnomalyGroupRelatedMetrics API operation and InterMetricImpactDetails API data type
  - api-change:mediaconnect: You can now use the Fujitsu-QoS protocol for your MediaConnect sources and outputs to transport content to and from Fujitsu devices.
  - api-change:qldb: Amazon QLDB now supports journal exports in JSON and Ion Binary formats. This release adds an optional OutputFormat parameter to the ExportJournalToS3 API.

1.23.25
  - api-change:customer-profiles: This release adds an optional parameter, ObjectTypeNames to the PutIntegration API to support multiple object types per integration option. Besides, this release introduces Standard Order Objects which contain data from third party systems and each order object belongs to a specific profile.
  - api-change:sagemaker: This release adds a new ContentType field in AutoMLChannel for SageMaker CreateAutoMLJob InputDataConfig.
  - api-change:forecast: Adds ForecastDimensions field to the DescribeAutoPredictorResponse
  - api-change:securityhub: Added new resource details objects to ASFF, including resources for Firewall, and RuleGroup, FirewallPolicy Added additional details for AutoScalingGroup, LaunchConfiguration, and S3 buckets.
  - api-change:location: Making PricingPlan optional as part of create resource API.
  - api-change:redshift: This release adds API support for managed Redshift datashares. Customers can now interact with a Redshift datashare that is managed by a different service, such as AWS Data Exchange.
  - api-change:apigateway: Documentation updates for Amazon API Gateway
  - api-change:devops-guru: Adds Tags support to DescribeOrganizationResourceCollectionHealth
  - api-change:imagebuilder: This release adds support for importing and exporting VM Images as part of the Image Creation workflow via EC2 VM Import/Export.
  - api-change:datasync: AWS DataSync now supports FSx Lustre Locations.
  - api-change:finspace-data: Make dataset description optional and allow s3 export for dataviews

1.23.24
  - api-change:secretsmanager: Documentation updates for Secrets Manager

1.23.23
  - api-change:lexv2-models: Update lexv2-models client to latest version
  - api-change:network-firewall: This release adds support for managed rule groups.
  - api-change:route53-recovery-control-config: This release adds tagging supports to Route53 Recovery Control Configuration. New APIs: TagResource, UntagResource and ListTagsForResource. Updates: add optional field tags to support tagging while calling CreateCluster, CreateControlPanel and CreateSafetyRule.
  - api-change:ec2: Adds waiters support for internet gateways.
  - api-change:sms: This release adds SMS discontinuation information to the API and CLI references.
  - api-change:route53domains: Amazon Route 53 domain registration APIs now support filtering and sorting in the ListDomains API, deleting a domain by using the DeleteDomain API and getting domain pricing information by using the ListPrices API.
  - api-change:savingsplans: Adds the ability to specify Savings Plans hourly commitments using five digits after the decimal point.

1.23.22
  - api-change:lookoutvision: This release adds new APIs for packaging an Amazon Lookout for Vision model as an AWS IoT Greengrass component.
  - api-change:sagemaker: This release added a new Ambarella device(amba_cv2) compilation support for Sagemaker Neo.
  - api-change:comprehendmedical: This release adds a new set of APIs (synchronous and batch) to support the SNOMED-CT ontology.
  - api-change:health: Documentation updates for AWS Health
  - api-change:logs: This release adds AWS Organizations support as condition key in destination policy for cross account Subscriptions in CloudWatch Logs.
  - api-change:outposts: This release adds the UpdateOutpost API.
  - api-change:support: Documentation updates for AWS Support.
  - api-change:iot: This release allows customer to enable caching of custom authorizer on HTTP protocol for clients that use persistent or Keep-Alive connection in order to reduce the number of Lambda invocations.

Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit 159f9214a6852328f4edb327b33d2268ac4bac3f Author: Peter Müller peter.mueller@ipfire.org Date: Mon Apr 18 21:08:28 2022 +0000
Core Update 168: Ship and restart OpenVPN
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 75072c7702208179b392570485d5b301673525a0 Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Apr 14 10:21:12 2022 +0200
openvpn: Update to version 2.5.6
- Update from version 2.5.4 to 2.5.6
- Update of rootfile not required
- No changes related to ciphers or options
- Source tarball changed from .xz to .gz as for version 2.5.6 the xz option was not available. Raised on OpenVPN forum but response was that they also didn't know why xz option was not available but they thought it was not a big deal as the gz version is only slightly larger.
- Changelog

  Overview of changes in 2.5.6

  User-visible Changes
    - update copyright year to 2022

  New features
    - new plugin (sample-plugin/defer/multi-auth.c) to help testing with multiple parallel plugins that succeed/fail in direct/deferred mode
    - various build improvements (github actions etc)
    - upgrade pkcs11-helper to release 1.28.4

  Bugfixes
    - CVE-2022-0547 see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
      If openvpn is configured with multiple authentication plugins and more than one plugin tries to do deferred authentication, the result is not well-defined - creating a possible authentication bypass. In this situation the server process will now abort itself with a clear log message. Only one plugin is allowed to do deferred authentication.
    - Fix "--mtu-disc maybe|yes" on Linux
      Due to configure/syshead.h/#ifdef confusion, the code in question was not compiled-in since a long time. Fixed. Trac: #1452
    - Fix $common_name variable passed to scripts when username-as-common-name is in effect. This was not consistently set - sometimes, OpenVPN exported the username, sometimes the common name from the client cert. Fixed. Trac: #1434
    - Fix potential memory leaks in add_route() and add_route_ipv6().
    - Apply connect-retry backoff only to one side of the connection in p2p mode. Without that fix/enhancement, two sides could end up only sending packets when the other end is not ready. Trac: #1010, #1384
    - remove unused sitnl.h file
    - clean up msvc build files, remove unused MSVC build .bat files
    - repair "--inactive" handling with a 'bytes' parameter larger than 2 Gbytes
      due to integer overflow, this ended up being "0" on Linux, but on Windows with MSVC it ends up being "always 2 Gbyte", both not doing what is requested. Trac: #1448
    - repair handling of EC certificates on Windows with pkcs11-helper (wrong compile-time defines for OpenSSL 1.1.1)

  Documentation
    - documentation improvements related to DynDNS. Trac: #1417
    - clean up documentation for --proto and related options
    - rebuild rst docs if input files change (proper dependency handling)

  Overview of changes in 2.5.5

  User-visible Changes
    - SWEET32/64bit cipher deprecation change was postponed to 2.7
    - Windows: use network address for emulated DHCP server as default
      this enables use of a /30 subnet, which is needed when connecting to OpenVPN Cloud.
    - require EC support in windows builds (this means it's no longer possible to build a Windows OpenVPN binary with an OpenSSL lib without EC support)

  New features
    - Windows build: use CFG and Spectre mitigations on MSVC builds
    - bring back OpenSSL config loading to Windows builds. OpenSSL config is loaded from %installdir%\ssl\openssl.cnf (typically: c:\program files\openvpn\ssl\openssl.cnf) if it exists. This is important for some hardware tokens which need special OpenSSL config for correct operation. Trac #1296

  Bugfixes
    - Windows build: enable EKM
    - Windows build: improve various vcpkg related build issues
    - Windows build: fix regression related to non-writeable status files (Trac #1430)
    - Windows build: fix regression that broke OpenSSL EC support
    - Windows build: fix "product version" display (2.5..4 -> 2.5.4)
    - Windows build: fix regression preventing use of PKCS12 files
    - improve "make check" to notice if "openvpn --show-cipher" crashes
    - improve argv unit tests
    - ensure unit tests work with mbedTLS builds without BF-CBC ciphers
    - include "--push-remove" in the output of "openvpn --help"
    - fix error in iptables syntax in example firewall.sh script
    - fix "resolvconf -p" invocation in example "up" script
    - fix "common_name" environment for script calls when "--username-as-common-name" is in effect (Trac #1434)

  Documentation
    - move "push-peer-info" documentation from "server options" to "client" (where it belongs)
    - correct "foreign_option_{n}" typo in manpage
    - update IRC information in CONTRIBUTING.rst (libera.chat)
    - README.down-root: fix plugin module name

Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 0f447b470a929bb8f565e4cc5eb2697f074ddd7a Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Apr 14 10:20:57 2022 +0200
bird: Update to version 2.0.9
- Update from version 2.0.8 to 2.0.9
- Update of rootfile not required
- Changelog

  Version 2.0.9 (2022-02-09)
    o BGP: Flowspec validation procedure
    o Babel: MAC authentication support
    o Routing table configuration blocks
    o Optional prefix trie in routing table for faster LPM/interval queries
    o CLI: New 'show route in <prefix>' command
    o Filter: Faster (16-way) prefix sets
    o Filter: MPLS label route attribute
    o Filter: Operators to pick community components
    o Filter: Operators to find minimum and maximum element of lists
    o BGP: New 'free bind' option
    o BGP: Log route updates that were changed to withdraws
    o BGP: Improved 'invalid next hop' error reporting
    o OSPF: Allow ifaces with host address as unnumbered PtP or PtMP ifaces
    o OSPF: All packets on PtP networks should be sent to AllSPFRouters address
    o Scripts for apkg-powered upstream packaging for deb and rpm
    o Support for Blake2s and Blake2b hash functions
    o Security keys / passwords can be entered in hexadecimal digits
    o Memory statistics split into Effective and Overhead
    o Linux: New option 'netlink rx buffer' to specify netlink socket buffer size
    o BSD: Assume onlink flag on ifaces with only host addresses
    o Many bugfixes

  Notes:
    - For OSPF on PtP network, BIRD now sends all packets to multicast AllSPFRouters address (as required in RFC 2328 8.1). This likely breaks setups with multiple neighbors on a network configured as PtP, which worked in previous versions. Such links should be configured as PtMP.
    - Since Linux 5.3, netlink socket can be flooded by route cache entries during route table scan. This version mitigates that issue by using strict netlink filtering.

Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 5e792900bc14070f877e7d2c1e406bebd60fac19 Author: Peter Müller peter.mueller@ipfire.org Date: Mon Apr 18 21:05:49 2022 +0000
Core Update 168: Ship and restart Squid
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit f56b5ce8af9a71296bd20c7b47208781b1574caa Author: Matthias Fischer matthias.fischer@ipfire.org Date: Fri Apr 15 13:07:14 2022 +0200
squid: Update to 5.5
For details see: http://lists.squid-cache.org/pipermail/squid-users/2022-April/024725.html
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit b101f8e842f221113377f69b6a0471ffd24d15e7 Author: Peter Müller peter.mueller@ipfire.org Date: Mon Apr 18 21:04:38 2022 +0000
Core Update 168: Ship and restart vnstat
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit c516ba3b01b93cd4d549cf92b70f4eb58fd95d20 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Sat Apr 16 16:53:47 2022 +0200
vnstat: Update to 2.9
Triggered by Bug #12846 - in this context I noticed that vnstat had been updated to version 2.9.
For details see: https://humdi.net/vnstat/CHANGES
"2.9 / 23-Jan-2022
- Fixed
  - RescanDatabaseOnSave configuration option wasn't being read from the configuration file resulting in the feature always being enabled
  - Hourly graph image output using large fonts didn't correctly fade out the x-axis line for hours not having data available
- New
  - Add --alert for producing output and/or specific exit status when configured condition and transfer limit is exceeded, can also be used for "quota remaining" type of queries depending on used parameters
  - Add configuration option InterfaceMatchMethod which allows configuring the possibility of specifying an interface for database queries by using its alias instead of system provided interface name, enabled by default to support case insensitive matching of the beginning of interface aliases (vnstat and vnstati)
  - Image output file extension allows selecting the used image file format as long as the used LibGD supports it, PNG is no longer the only option
  - Add configuration option HourlyGraphMode for changing the output mode of the graph, 0 = 24 hour sliding window (default, as in previous releases), 1 = graph begins from midnight
  - Add mode parameter for -hg / --hoursgraph options for overriding the HourlyGraphMode configuration option setting from the command line
  - Add vertical line to image output hourly graph to visualize midnight
  - Add -t / --timestamp options to daemon for enabling timestamps to prints when the daemon is running in the foreground attached to a terminal
  - Accept ; as comment character in configuration file in addition to #
  - Comment out keywords which are using default values with ; character in provided configuration file and --showconfig output
2.8 / 4-Sep-2021
- Fixed
  - Using a combination of --live and --json wasn't flushing stdout after each line resulting in buffered output if the output was being piped
  - Image output would fail to show the last line bar graph in list outputs if EstimateStyle was 0, BarColumnShowsRate was 1 and the last line had a higher traffic rate than other lines
  - Image output didn't correctly horizontally align the "no data available" message in 5 minute graph depending on the width of the image
  - Image output related configuration warnings could get shown when image output wasn't being used
  - Warnings of mismatches between image output and data retention configuration didn't provide relevant details for solving the issues
  - BandwidthDetection was being used for tun interfaces even when the Linux kernel had the information hardcoded to 10 Mbit regardless of the used real interface, interface specific MaxBW will now be used instead or MaxBandwidth as fallback
  - Configured interface specific MaxBW values were getting overridden by BandwidthDetection when something could be detected
  - Image output horizontal rx/tx bars often had one pixel too much width in the tx section resulting in slightly wrong ratio getting shown
  - Top days list wasn't always sorting entries with exactly the same traffic sum using ascending date
  - 64bitInterfaceCounters with value -2 always assumed 32-bit on Linux systems until a 64-bit value was seen if kernel headers weren't available when binaries were built
- New
  - Add the possibility of specifying an interface without using the -i / --iface options (vnstat and vnstati)
  - The daemon can discover added interfaces from the database without requiring a restart, configurable with option RescanDatabaseOnSave
  - Add configuration option UseUTC for using UTC as timezone for database entries instead of following the system timezone configuration
  - --iflist uses user configured interface specific MaxBW values in the output when available instead of showing only the kernel provided information when detected
  - Add configuration option AlwaysAddNewInterfaces to expose the daemon --alwaysadd command line option which gains an optional mode parameter
  - Image output uses LibGD filled arc bug workaround only for LibGD versions that are known to be broken
  - Image output example cgi (examples/vnstat.cgi) improvements
    - Automatically lists all monitored interfaces instead of requiring the list to be filled manually, server name in page title comes from hostname command by default
    - Provides links for most available images to more detailed or longer versions of each image
    - Allows direct interface specific page access with /interfacename suffix for the cgi if the used httpd supports PATH_INFO
    - Page auto refresh can be enabled with configurable interval"
Please note: As mentioned above, the default values in 2.9 are commented out. I have reversed this by adding a simple 'sed' command to the lfs file.
Another possibility would have been to extend the existing sed commands. If this is desired differently, please report.
As - nearly - always: running here with no seen problems...
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 31e85ef336ccfc2abb724d08e497c40c55b52762 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Mon Apr 18 11:12:43 2022 +0200
rsync: Update to 3.2.4
For details see: https://download.samba.org/pub/rsync/NEWS#3.2.4
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit c74f7aa6d94337fec1d83e10e6d63c90b3d7aa72 Merge: a95bb24fe 31592610c Author: Peter Müller peter.mueller@ipfire.org Date: Mon Apr 18 16:38:47 2022 +0000
Merge branch 'next' into temp-c168-development
commit 38cf581405290ac9781793e8785cbdf0e210dced Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Apr 17 16:38:21 2022 +0200
ids-functions.pl: Remove temporary files if the downloader aborts.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit eaf5364413ab44dff0640396653fef4e39ace4d7 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Apr 17 15:21:20 2022 +0200
ids.cgi: Disable manual update button if a provider is no longer supported.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 6bef05b9ed1eacb57f66f565def49bbfe6400946 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Apr 17 15:03:56 2022 +0200
ids.cgi: Properly handle providers which are no longer supported.
They will be shown with a different background colour to get the user's attention.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 7c4b8df7163e60bc05867531e3d2a7001eb2af59 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Apr 17 15:02:41 2022 +0200
update-ids-ruleset: Skip unsupported providers.
In case a configured provider is no longer supported, simply skip it and do not try to perform an update.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit da5c7c24f022751ff4d8dfb68c65d0e60801a626 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Apr 16 16:02:28 2022 +0200
ids.cgi: Remove orphaned headline.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit b3dbe9ef6462b90198f969dcf42bb17f9c4b427f Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Apr 16 15:57:34 2022 +0200
backup.pl: Run convert-ids-backend-files converter.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 7bc15b982c7ce3bd0b6d3cf752e1e42abba4fe1d Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Apr 16 15:54:44 2022 +0200
backup: Add files for new IDS backend.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit f7eedacb43e81dd8acd031f1ed7680fd0bf3b2b9 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Apr 16 15:51:06 2022 +0200
convert-ids-backend-files: Restart suricata if the IDS is running.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 5bad33e9a4bae9e15979087df3420c30dd5afd6c Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Apr 16 15:32:27 2022 +0200
ids.cgi: Display return code on download error, when adding a new provider.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 00271ed769a64e309498c8c5ab2267c0e5982957 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Apr 16 15:30:03 2022 +0200
ids.cgi: Handle "Not modified" when forcing a ruleset update.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit b645f7fc8675a9caa014b83dff6e7d012a4802c8 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Apr 16 15:12:58 2022 +0200
ids.cgi: No longer use hard-coded status messages in oinkmaster_web() function.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 93af000b8b3f86008040cb5a62405b158c270fe7 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Apr 16 14:54:11 2022 +0200
oinkmaster: Drop package.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit d2bf4d377f698076e53a56a9784a0b70d8ed3388 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Apr 16 14:51:48 2022 +0200
suricata: Rootfile update.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 0d99255c0614d0218912724b97f6cfdb4811a895 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Apr 16 14:49:52 2022 +0200
suricata: Create empty threshold.config file.
The file is referenced in the suricata config file and if not present some ugly warnings will be displayed/logged during startup.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit d44d4ccf34132b77c8cf3d4ace7eab99a4717a53 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Apr 16 14:48:35 2022 +0200
suricata: Create directory to store the downloaded ruleset files.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit b75baeff28412bec16dd72e4251d24c371c3fd5d Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Apr 16 14:42:22 2022 +0200
suricata: No longer install YAML file for default rules.
This file became obsolete because its content will be generated dynamically by the backend code.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 2e558477da7438d2bd79411279ae1502f044c787 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Apr 16 14:39:09 2022 +0200
convert-ids-backend-files: Convert MONITOR_TRAFFIC_ONLY settings.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit a2c56ead7367995ff743cc5c75aec8c4fb195f83 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Apr 15 06:02:49 2022 +0200
ids-functions.pl: Remove read_enabled_disabled_sids_file() function.
No longer needed and therefore dead code.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit a15c9b16b404bc1970fd016104560e8fd24b5edb Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Apr 15 05:59:33 2022 +0200
IDS: Move autoupdate logic to cron.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit c2eac6fcd4281834409700066b25061d15ca0d6c Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Apr 15 05:52:01 2022 +0200
convert-ids-backend-files: Move already downloaded files to new location.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit b570d35c0aff4c1d126be539bbb009830a1fbb7f Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Apr 15 05:19:20 2022 +0200
ids-functions.pl: Change location for downloaded rulesfiles to "/var/cache/suricata/".
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 4f513522feeb88a447a861d414eead6432ce784f Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Apr 15 05:18:37 2022 +0200
ids-functions.pl: Do not use a hard-coded temporary download location.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit c215cfd8873130362b0665696e06a79279f79abd Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Apr 15 05:13:23 2022 +0200
convert-ids-backend-files: Remove old backend related files.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 70b1672d94f3f6c3cfe82bf65df65125df0b0014 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Apr 15 05:12:56 2022 +0200
convert-ids-backend-files: Remove converted files.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 9f7702544abc0a906d14ccdcf0e4b03239a8fc33 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Apr 15 05:10:45 2022 +0200
convert-ids-backend-files: Regenerate ruleset and used rulesets file.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit c00609ce56cab337d352e69599144683192dec8f Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Apr 14 05:47:55 2022 +0200
convert-ids-backend-files: Successor of the convert-ids-modifications-files converter.
This converter also will convert the used rulesfiles file for the providers.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 2f154264a02a560b0ef4ff6777833330a110f2a4 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Apr 14 05:16:25 2022 +0200
ids.cgi: Regenerate ruleset if the ruleset action (mode) of a provider gets changed.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 39b5adb9404ae1b986e75437c4203752da8e9167 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Apr 11 05:57:05 2022 +0200
update-ids-ruleset: Only regenerate and reload ruleset on at least one successful update.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 990d111d70b7f5276b5ff3b6729773f1066fcee7 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Apr 11 05:48:17 2022 +0200
ids-functions.pl: Add support for Etags.
Etags are used to identify if a resource has been changed by sending a special request and an Etag value to the server.
If the resource has changed, the server will serve the new content; otherwise it will return the 304 (Not-Modified) code.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 149a3291df07c0b1ba0384b83509bb6a62a1eae2 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Apr 11 05:47:15 2022 +0200
ids.cgi: Do not double display a working notice when removing a ruleset provider.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit a95bb24fe13e4e7837bfbf2e75e255f61985df7d Author: Peter Müller peter.mueller@ipfire.org Date: Tue Apr 5 09:02:40 2022 +0000
nginx: Update to 1.20.2
The 1.20.x series is the current stable one, please refer to https://nginx.org/en/CHANGES-1.20 for its changelog.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 6fd8dd43b63d32acd119c06682bb19a2ee10966d Author: Adolf Belka adolf.belka@ipfire.org Date: Tue Apr 5 15:47:01 2022 +0200
dbus: Update to version 1.14.0
- Update from 1.12.20 to 1.14.0
- Update of rootfile
- Changelog
   1.14.x is a new stable branch, superseding 1.12.x.
   Summary of major changes between 1.12.x and 1.14.0
   Dependencies:
    • dbus now requires at least a basic level of support for C99 variadic macros, as implemented in gcc >= 3, all versions of Clang, and MSVC >= 2005. In practice this requirement has existed since version 1.9.2, but it is now official.
    • dbus now requires a C99-compatible va_copy() macro (or a __va_copy() macro with the same behaviour), except when building for Windows using MSVC and CMake.
    • On Unix platforms, if getpwnam_r() and getgrnam_r() are implemented, they must be POSIX-conformant. The non-POSIX signature seen in ancient Solaris versions will no longer work.
    • All Windows builds now require Windows Vista or later. (Note that we do not recommend or support use of dbus on operating systems outside their vendor's security support lifetime, such as Vista.)
    • GLib >= 2.38 is required if full test coverage is enabled (reduced from 2.40 in dbus 1.12.x.)
    • Building using CMake now requires CMake 3.4.
    • Building documentation using CMake now requires xsltproc, Docbook DTDs (for example docbook-xml on Debian derivatives), and Docbook XSLT stylesheets (for example docbook-xsl on Debian derivatives). Using KDE's meinproc4 documentation processor is no longer supported.
   Build-time configuration changes:
    • Move CMake build system to top level, matching normal practice for CMake projects
   Deprecations:
    **Looking through these I don't believe they will cause a problem as they are deprecations and not yet removed. In the future if needed we might need to set datadir to /etc to keep the location the same as with sysconfdir. This won't be needed if we don't use the system.d directory for dbus policies.
    • Third-party software should install default dbus policies for the system bus into ${datadir}/dbus-1/system.d (this has been supported since dbus 1.10, released in August 2015). Installing default dbus policies in ${sysconfdir}/dbus-1/system.d is now considered to be deprecated. Policy files in ${sysconfdir}/dbus-1/system.d continue to be read, but this directory should only be used by system administrators wishing to override the default policies. The ${datadir} applicable to dbus is usually /usr/share and the ${sysconfdir} is usually /etc.
    • A similar pattern applies to the session bus policies in session.d.
    • The dbus-send(1) man page now documents --bus and --peer instead of the old --address synonym for --peer, which has been deprecated since the introduction of --bus and --peer in 1.7.6
    • The dbus-daemon man page now has scarier warnings about <allow_anonymous/> and non-local TCP, which are insecure and should not be used, particularly for the standard system and session buses
    • DBusServer (and hence the dbus-daemon) no longer accepts usernames (login names) for the recommended EXTERNAL authentication mechanism, only numeric user IDs or the empty string. See 1.13.0 release notes for full details.
   New features:
    • On Linux 4.13 or later when built against a suitable glibc version, GetConnectionCredentials() now includes UnixGroupIDs, the effective group IDs of the initiator of the connection, taken from SO_PEERGROUPS.
    • On Linux 4.13 or later, <policy group="…"> now uses the SO_PEERGROUPS credentials-passing socket option to get the effective group IDs of the initiator of the connection. See 1.13.4 release notes for details.
    • Add a --sender option to dbus-send, which requests a name and holds it until the signal has been sent
    • dbus-daemon <allow> and <deny> rules can now specify a send_destination_prefix attribute, which is like a combination of send_destination and the arg0namespace keyword in match rules. See 1.13.12 release notes for more details
    • The dbus-daemon now filters the messages that it relays, removing header fields that it does not understand. Clients must not rely on this behaviour unless they have confirmed that they are connected to a suitable message bus implementation, for example by querying its Features property.
    • The dbus-daemon now emits a signal, ActivatableServicesChanged, when the list of activatable services may have changed. Support for this signal can be discovered by querying the Features property.
    • It is now possible to disable traditional (non-systemd) service activation at build-time (Autotools: --disable-traditional-activation, CMake: -DENABLE_TRADITIONAL_ACTIVATION=OFF). See 1.13.10 release notes for details.
    • The API reference manual can be built as a Qt compiled help file if qhelpgenerator(-qt5) is available. See 1.13.16 release notes for details.
   Miscellaneous behaviour changes:
    • When using the "user bus" (--enable-user-session), put the dbus-daemon in the session slice
    • Several environment variables set by systemd are no longer passed on to activated services
    • If the dbus-daemon is compiled for Linux with systemd support, it now informs systemd that it is ready for use via the sd_notify() mechanism
    • Tarball releases no longer contain pre-2007 changelogs and are now compressed with xz, making them around 35% smaller.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
commit 77be7ab63b0fb4be4eeaa3059d7860ab3a701729 Author: Peter Müller peter.mueller@ipfire.org Date: Sun Apr 10 10:20:31 2022 +0000
Core Update 168: Ship expat
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 54fe871c8305649b00dbd7e67bb68ccfc4c43f7d Author: Adolf Belka adolf.belka@ipfire.org Date: Tue Apr 5 15:47:15 2022 +0200
expat: Update to version 2.4.8
- Update from 2.4.6 to 2.4.8
- Update of rootfile
- Changelog
   Release 2.4.8 Mon March 28 2022
      Other changes:
         #587  pkg-config: Move "-lm" to section "Libs.private"
         #587  CMake|MSVC: Fix pkg-config section "Libs"
         #55 #582  CMake|macOS: Start using linker arguments "-compatibility_version <version>" and "-current_version <version>" in a way compatible with GNU Libtool
         #590 #591  Version info bumped from 9:7:8 to 9:8:8; see https://verbump.de/ for what these numbers do
      Infrastructure:
         #589  CI: Upgrade Clang from 13 to 14
   Release 2.4.7 Fri March 4 2022
      Bug fixes:
         #572 #577  Relax fix to CVE-2022-25236 (introduced with release 2.4.5) with regard to all valid URI characters (RFC 3986), i.e. the following set (excluding whitespace): ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz 0123456789 % -._~ :/?#[]@ !$&'()*+,;=
      Other changes:
         #555 #570 #581  CMake|Windows: Store Expat version in the DLL
         #577  Document consequences of namespace separator choices not just in doc/reference.html but also in header <expat.h>
         #577  Document Expat's lack of validation of namespace URIs against RFC 3986, and that the XML 1.0r4 specification doesn't require Expat to validate namespace URIs, and that Expat may do more in that regard in future releases. If you find need for strict RFC 3986 URI validation on application level today, https://uriparser.github.io/ may be of interest.
         #579  Fix documentation of XML_EndDoctypeDeclHandler in <expat.h>
         #575  Document that a call to XML_FreeContentModel can be done at a later time from outside the element declaration handler
         #574  Make hardcoded namespace URIs easier to find in code
         #573  Update documentation on use of XML_POOR_ENTOPY on Solaris
         #569 #571  tests: Resolve use of macros NAN and INFINITY for GNU G++ 4.8.2 on Solaris.
         #578 #580  Version info bumped from 9:6:8 to 9:7:8; see https://verbump.de/ for what these numbers do
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 9c4e7e3b4956eb886acaaf039d31b4a26dbece8c Author: Peter Müller peter.mueller@ipfire.org Date: Sun Apr 10 10:20:11 2022 +0000
Core Update 168: Ship libgcrypt
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 2a8de00c6fbc7625d385ebd04ad466ee8a024a12 Author: Adolf Belka adolf.belka@ipfire.org Date: Wed Apr 6 15:06:12 2022 +0200
libgcrypt: Update to version 1.10.1
- Update from 1.9.4 to 1.10.1
- Update of rootfile
- Changelog
   Noteworthy changes in version 1.10.1 (2022-03-28) [C24/A4/R1]
    * Bug fixes:
      - Fix minor memory leaks in FIPS mode.
      - Build fixes for MUSL libc. [rCffaef0be61]
    * Other:
      - More portable integrity check in FIPS mode. [rC9fa4c8946a,T5835]
      - Add X9.62 OIDs to sha256 and sha512 modules. [rC52fd2305ba]
   Noteworthy changes in version 1.10.0 (2022-02-01) [C24/A4/R0]
    * New and extended interfaces:
      - New control codes to check for FIPS 140-3 approved algorithms.
      - New control code to switch into non-FIPS mode.
      - New cipher modes SIV and GCM-SIV as specified by RFC-5297.
      - Extended cipher mode AESWRAP with padding as specified by RFC-5649. [T5752]
      - New set of KDF functions.
      - New KDF modes Argon2 and Balloon.
      - New functions for combining hashing and signing/verification. [T4894]
    * Performance:
      - Improved support for PowerPC architectures.
      - Improved ECC performance on zSeries/s390x by using accelerated scalar multiplication.
      - Many more assembler performance improvements for several architectures.
    * Bug fixes:
      - Fix Elgamal encryption for other implementations. [R5328,CVE-2021-40528]
      - Fix alignment problem on macOS. [T5440]
      - Check the input length of the point in ECDH. [T5423]
      - Fix an abort in gcry_pk_get_param for "Curve25519". [T5490]
    * Other features:
      - The control code GCRYCTL_SET_ENFORCED_FIPS_FLAG is ignored because it is useless with the FIPS 140-3 related changes.
      - Update of the jitter entropy RNG code. [T5523]
      - Simplification of the entropy gatherer when using the getentropy system call.
    * Interface changes relative to the 1.10.0 release:
      GCRYCTL_SET_DECRYPTION_TAG NEW control code.
      GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER NEW control code.
      GCRYCTL_FIPS_SERVICE_INDICATOR_KDF NEW control code.
      GCRYCTL_NO_FIPS_MODE = 83 NEW control code.
      GCRY_CIPHER_MODE_SIV NEW mode.
      GCRY_CIPHER_MODE_GCM_SIV NEW mode.
      GCRY_CIPHER_EXTENDED NEW flag.
      GCRY_SIV_BLOCK_LEN NEW macro.
      gcry_cipher_set_decryption_tag NEW macro.
      GCRY_KDF_ARGON2 NEW constant.
      GCRY_KDF_BALLOON NEW constant.
      GCRY_KDF_ARGON2D NEW constant.
      GCRY_KDF_ARGON2I NEW constant.
      GCRY_KDF_ARGON2ID NEW constant.
      gcry_kdf_hd_t NEW type.
      gcry_kdf_job_fn_t NEW type.
      gcry_kdf_dispatch_job_fn_t NEW type.
      gcry_kdf_wait_all_jobs_fn_t NEW type.
      struct gcry_kdf_thread_ops NEW struct.
      gcry_kdf_open NEW function.
      gcry_kdf_compute NEW function.
      gcry_kdf_final NEW function.
      gcry_kdf_close NEW function.
      gcry_pk_hash_sign NEW function.
      gcry_pk_hash_verify NEW function.
      gcry_pk_random_override_new NEW function.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit bf1defce5579ed2db91d8fae4eb5549bc8471311 Author: Peter Müller peter.mueller@ipfire.org Date: Sun Apr 10 10:18:50 2022 +0000
Core Update 168: Ship libmnl
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit d6aead033a752d7965a3bed6c98dcf5d289707b2 Author: Adolf Belka adolf.belka@ipfire.org Date: Wed Apr 6 15:06:28 2022 +0200
libmnl: Update to version 1.0.5
- Update from 1.0.4 to 1.0.5
- Update of rootfile not required
- Changelog
   Version 1.0.5
    changes from git commits
      src: doc: Fix messed-up Netlink message batch diagram
      build: If doxygen is not available, be sure to report "doxygen: no" to ./conf...
      build: doc: get rid of the need for manual updating of Makefile
      build: doc: "make" builds & installs a full set of man pages
      doxygen: Fixed link to the git source tree on the website.
      include: add MNL_SOCKET_DUMP_SIZE definition
      doxygen: remove EXPORT_SYMBOL from the output
      nlmsg: Fix a missing doxygen section trailer
      src: fix doxygen function documentation
      examples: Add rtnl-addr-add.c
      examples: reduce LOCs during neigh attributes validation
      examples: fix print line format
      examples: fix neigh max attributes
      examples: add arp cache dump example
      libmnl: zero attribute padding
      examples: rtnl-addr-dump: fix typo
      callback: mark cb_ctl_array 'const' in mnl_cb_run2()
      examples: nfct-daemon: Fix test building on musl libc
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 88e01ab8553e9fc7d7d64d2de2b3e7f03c515177 Author: Peter Müller peter.mueller@ipfire.org Date: Sun Apr 10 10:18:01 2022 +0000
Core Update 168: Remove netpbm add-on, if installed
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 00c31b29184dac2f5dadc21f9457b427a6ee3cb6 Author: Peter Müller peter.mueller@ipfire.org Date: Sun Apr 10 10:13:32 2022 +0000
Core Update 168: Remove libnl files
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 8841ef19685bcb148fdbcdd5c75b8eb96b2bb244 Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Apr 7 18:35:04 2022 +0200
netpbm: Removal from IPFire
- This is an addon whose purpose is defined as :-
   Netpbm is a toolkit for manipulation of graphic images, including conversion of images between a variety of different formats. There are over 300 separate tools in the package including converters for about 100 graphics formats. Examples of the sort of image manipulation we're talking about are: Shrinking an image by 10%; Cutting the top half off of an image; Making a mirror image; Creating a sequence of images that fade from one image to another.
- None of the above seems to be a purpose related to a Firewall. Additionally it is available in a huge number of distributions, including Linux, BSD, Windows, MacOS X/Darwin, Solaris, AIX etc
- This package seems to be better used on a system in the lan protected by IPFire than used on IPFire itself
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 411cd0ca9c52b8a57fc288b2e992d13b3ffb1215 Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Apr 7 18:35:03 2022 +0200
libnl: Removal from IPFire
- This is the legacy version of libnl - 1.1.4 and was released in 2013
- libnl-3 is the running stable version - 3.5.0
- Nothing in IPFire has libnl as a dependency. Large number of programs have libnl-3 as a dependency
- libnl developer indicates that libnl-3 should be used if in any way possible and that the legacy version is for situations that fail to work with libnl-3
- As everything in IPFire looks to already be using libnl-3 this patch is to remove the legacy version
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 22ac250b37bbce6f56ea7920e55d5ca9a70f71d3 Author: Peter Müller peter.mueller@ipfire.org Date: Sun Apr 10 10:05:38 2022 +0000
Core Update 168: Ship perl-libwww
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit c002bd1f44f4ae0c33691be3896456dc8fbd221f Author: Adolf Belka adolf.belka@ipfire.org Date: Fri Apr 8 20:49:41 2022 +0200
perl-libwww: Update to 6.62
- Update from 6.61 to 6.62
- Update of rootfile not required
- Changelog
   6.62 2022-04-05 01:04:17Z
    - Allow downloading to a filehandle (GH#400) (Andrew Fresh)
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 6ac573bd8f4a1070e56769e1d74e8268ce8bf19f Author: Peter Müller peter.mueller@ipfire.org Date: Sun Apr 10 10:04:42 2022 +0000
Core Update 168: Ship whois
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit f09b8111142c5d27466d40668d1bd92f60003596 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Sat Apr 9 11:00:16 2022 +0200
whois: Update to 5.5.13
For details see: https://raw.githubusercontent.com/rfc1036/whois/next/debian/changelog
whois (5.5.13) unstable; urgency=medium
  * Added the .sd TLD server.
  * Updated the list of new gTLDs.
  * Added the Turkish translation, contributed by Oguz Ersen.
-- Marco d'Itri md@linux.it Fri, 08 Apr 2022 01:08:55 +0200
whois (5.5.12) unstable; urgency=medium
  * Updated the .pro TLD server, which was totally broken.
  * Fixed the detection of Japanese locales using $LC_MESSAGES.
  * Implemented providing partial salt strings to mkpasswd.
  * Removed 2 new gTLDs which are no longer active.
  * Updated one or more translations. (Closes: #1003597)
  * Enabled full hardening in debian/rules.
-- Marco d'Itri md@linux.it Wed, 23 Feb 2022 01:03:11 +0100
whois (5.5.11) unstable; urgency=medium
  * Implemented a --no-recursion command line option to disable recursion from registrar to registry servers.
  * Updated the .pro, .vu and .xxx TLD servers.
  * Updated the list of new gTLDs.
  * Removed 7 new gTLDs which are no longer active.
  * Updated make_version_h.pl to support Ubuntu no-change uploads, contributed by Matthias Klose. (Closes: #995873)
-- Marco d'Itri md@linux.it Mon, 03 Jan 2022 18:18:36 +0100
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit da8ca3b1216906d2f009ee6ee09131fa9c7e65de Author: Peter Müller peter.mueller@ipfire.org Date: Sun Apr 10 09:56:44 2022 +0000
Core Update 168: Ship changed networking initscripts
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 5806ff0cc5af4b361b3e32cb9e32d97d1f07d400 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Thu Apr 7 18:46:54 2022 +0200
Deleted 'vnstat' calls in initscripts - those options were removed and we're using 'vnstatd', not 'vnstat'.
Fixes: 12831
Jonatan Schlag reported that the command line options of 'vnstat' had changed "...and seemed to be broken a long time". => https://bugzilla.ipfire.org/show_bug.cgi?id=12831#c0
Several command line switches used in networking initscripts were obviously removed.
Affected commands (in '.../networking/any' and '.../networking/red'):
    ...
    /usr/bin/vnstat -u -i ${DEVICE} -r --enable --force > /dev/null 2>&1
    ...
    /usr/bin/vnstat -u -i ${DEVICE} -r --disable > /dev/null 2>&1
    ...
and
    ...
    /usr/bin/vnstat -u -i ppp0 -r --disable > /dev/null 2>&1
    ...
Adolf Belka tested this, "looked through the changelogs" and found - besides that the switch '--enable' had been removed "in version 2.0 in 2018" - that '--enable', '--update' and '--reset' switches are either not needed or not supported anymore. "The old man page indicates that none of those options are used when the vnstat daemon is running."
Since we only start and run 'vnstatd' in IPFire it was decided to remove these commands.
Reported-by: jonatan.schlag jonatan.schlag@ipfire.org Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
commit 18ed846002a02d51a9122133dc2314cbb6d5b04e Author: Adolf Belka adolf.belka@ipfire.org Date: Fri Apr 8 20:49:56 2022 +0200
python3-pyparsing: Update to version 3.0.7
- Update from 3.0.6 to 3.0.7
- Update of rootfile
- Changelog
   Version 3.0.7 -
    - Fixed bug #345, in which delimitedList changed expressions in place using expr.streamline(). Reported by Kim Gräsman, thanks!
    - Fixed bug #346, when a string of word characters was passed to WordStart or WordEnd instead of just taking the default value. Originally posted as a question by Parag on StackOverflow, good catch!
    - Fixed bug #350, in which White expressions could fail to match due to unintended whitespace-skipping. Reported by Fu Hanxi, thank you!
    - Fixed bug #355, when a QuotedString is defined with characters in its quoteChar string containing regex-significant characters such as ., *, ?, [, ], etc.
    - Fixed bug in ParserElement.run_tests where comments would be displayed using with_line_numbers.
    - Added optional "min" and "max" arguments to `delimited_list`. PR submitted by Marius, thanks!
    - Added new API change note in `whats_new_in_pyparsing_3_0_0`, regarding a bug fix in the `bool()` behavior of `ParseResults`. Prior to pyparsing 3.0.x, the `ParseResults` class implementation of `__bool__` would return `False` if the `ParseResults` item list was empty, even if it contained named results. In 3.0.0 and later, `ParseResults` will return `True` if either the item list is not empty *or* if the named results dict is not empty.
          # generate an empty ParseResults by parsing a blank string with
          # a ZeroOrMore
          result = Word(alphas)[...].parse_string("")
          print(result.as_list())
          print(result.as_dict())
          print(bool(result))
      Prints:
          []
          {}
          False
          # add a results name to the result
          result["name"] = "empty result"
          print(result.as_list())
          print(result.as_dict())
          print(bool(result))
      Prints:
          []
          {'name': 'empty result'}
          True
      In previous versions, the second call to `bool()` would return `False`.
    - Minor enhancement to Word generation of internal regular expression, to emit consecutive characters in range, such as "ab", as "ab", not "a-b".
    - Fixed character ranges for search terms using non-Western characters in booleansearchparser, PR submitted by tc-yu, nice work!
    - Additional type annotations on public methods.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit b86bd4f90adc4111db864cb8c1365a0d115a6675 Author: Peter Müller peter.mueller@ipfire.org Date: Sun Apr 10 09:51:22 2022 +0000
Core Update 168: Remove libevent files
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit e2e51070a18073d6087429daa6036f8eb510886e Author: Adolf Belka adolf.belka@ipfire.org Date: Fri Apr 8 23:55:24 2022 +0200
libevent: Remove from IPFire
- Build worked without libevent without problems
- Nothing shows up as dependent on the libevent (legacy) libraries
- Lots of dependencies on the libevent2 libraries
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Acked-by: Peter Müller peter.mueller@ipfire.org
commit 943ce57701d39352f51a6b09906cd945a421829c Author: Peter Müller peter.mueller@ipfire.org Date: Sun Apr 10 09:49:55 2022 +0000
Core Update 168: Ship libnfnetlink
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 5dcca14b51b845a56ea3d99e1772f569a259e949 Author: Adolf Belka adolf.belka@ipfire.org Date: Fri Apr 8 20:49:03 2022 +0200
libnfnetlink: Update to version 1.0.2
- Update from 1.0.1 to 1.0.2
- Update of rootfile not required
- Changelog
  Version 1.0.2
  * Warnings with automake-1.12
  * Update header comments to reflect GPLv2+ license
  * Allow building on uclinux
  * Valgrind warnings due to uninitialized padding in netlink messages
  * Hide private library symbols
  * Support builds with newer doxygen versions
  * Failing calls to getsockname() were left unnoticed
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit d258332f5bb062394f524dc485153d1841e55436 Author: Peter Müller peter.mueller@ipfire.org Date: Sun Apr 10 09:49:02 2022 +0000
Core Update 168: Remove orphaned files
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit a6d966e1b79de3b052f92569f8f67b2b0753df49 Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Apr 7 13:04:49 2022 +0200
sdparm: Removal from IPFire
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Acked-by: Michael Tremer michael.tremer@ipfire.org
commit 9624937d9112b92cd735391bc15b3d7aef5bedd5 Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Apr 7 13:04:48 2022 +0200
pigz: Removal from IPFire
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Acked-by: Michael Tremer michael.tremer@ipfire.org
commit 85967534723f8da3f6077814dc1f04f8ffb87874 Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Apr 7 13:04:47 2022 +0200
libsolv: Removal from IPFire
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Acked-by: Michael Tremer michael.tremer@ipfire.org
commit adee5528664883cf48fd83873c978b51b11a7342 Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Apr 7 13:04:46 2022 +0200
libpri: Removal from IPFire
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Acked-by: Michael Tremer michael.tremer@ipfire.org
commit 03216bd01c57262e1fa753ee4ed86cf050fc2212 Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Apr 7 13:04:45 2022 +0200
libdnet: Removal from IPFire
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Acked-by: Michael Tremer michael.tremer@ipfire.org
commit 758162bdc4f5d58cd10afd3f5efbdf7a3034b5b8 Author: Adolf Belka adolf.belka@ipfire.org Date: Thu Apr 7 13:04:44 2022 +0200
libart: Removal from IPFire
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Acked-by: Michael Tremer michael.tremer@ipfire.org
commit 77c3824f285e7df66ce4a26be11dc336bc17633d Author: Peter Müller peter.mueller@ipfire.org Date: Sun Apr 10 09:42:56 2022 +0000
Start Core Update 168
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit faa8c62f6377cf6efa2b4edef1bbe77ede248867 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Apr 10 11:25:36 2022 +0200
ids.cgi: Use new oinkmaster_web function instead of the silent one from ids-functions.
This will print some nice status messages while the page is locked and the IDS rules get regenerated/altered.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 44d41fd692ea695708c9cd51ecbf1fab2c7a5c28 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Apr 10 11:23:49 2022 +0200
ids.cgi: Add oinkmaster_web () function.
This function is used to regenerate the entire ruleset similar to the one from ids-functions, but is enhanced to print additional status messages.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 1aaa347774a96e54daf26ff0762e63731e94a629 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Apr 10 11:19:41 2022 +0200
ids.cgi: Allow to split working_notice function into two parts.
This allows opening the notice and closing it at a later time.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 25652a75d485eaf500a60326373f66e56b902c70 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Apr 10 11:17:05 2022 +0200
ids.cgi: Keep IDS/IPS mode settings when enabling/disabling a provider or autoupdate for it.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 30c4a9ff35117388ce3061ad44280967e1f4cf86 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Apr 9 14:46:39 2022 +0200
ids.cgi: Adjust code to use new used-rulesfiles backend.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 8d6714edc8c957214506bc483bc51edc06c94554 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Apr 9 13:11:18 2022 +0200
ids-functions.pl: Change backend to use one file to load the used rulefiles.
Suricata seems to struggle when using multiple and/or nested includes in the same config section. This results in an only partially loaded configuration where not all rulefiles are loaded and used.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit fa7663a1b594dcfd4bf542eb34a0869d5280e38f Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Mar 26 12:26:35 2022 +0100
ids.cgi: Remove newly added provider if the rules could not be downloaded.
When adding a new provider and in case the rules file or tarball can not be downloaded, the provider remains as configured.
To avoid that, the provider needs to be removed again.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 81144407528319a53fd0e8ea6852158c56ab7612 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Mar 20 18:59:42 2022 +0100
convert-ids-modification-files: New converter.
This converter is responsible for converting the old oinkmaster modification files into the new files and format.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 432b8ed21e0fa9c0ee4cca360dfd881348ba62a0 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Mar 26 11:54:19 2022 +0100
ids.cgi: Drop last fragments from old modify sids backend.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 849fc8ea15a861a97f2e4d9c74804115fd15ecf5 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Mar 20 18:08:49 2022 +0100
ids-functions.pl: Drop oinkmaster related functions and declarations.
They are no longer needed and can safely be dropped.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 443ad51d1c33550eafc62320865046510b7be8fc Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Mar 20 16:52:19 2022 +0100
ids.cgi: Allow to configure IDS/IPS mode individually for each provider.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 4c98be8bd21c95b9bb576e211e633bf507388234 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Mar 20 16:33:20 2022 +0100
ids.cgi: Use new provider modifications backend.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 9f353f8518b93fb1b4f76663088d36d321e8e3f2 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Mar 20 16:11:12 2022 +0100
ids.cgi: Use new backend to store the ruleset modifications of a provider.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 2deba6bf4a6b866713ee000a91457802101fa893 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Mar 20 16:10:01 2022 +0100
ids-functions.pl: Use "enabled/disabled" to mark if a rule should be altered.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 794469483f26e514e13648a07483d19e2372ecb7 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Mar 20 15:47:52 2022 +0100
ids-functions.pl: Replace call of external oinkmaster.pl with newly introduced process_ruleset function.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 5a6c7bbe85a24faddf3c5f495d28a6ae6004514f Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Mar 20 15:44:37 2022 +0100
ids-functions.pl: Add process_ruleset() function.
This function is going to replace the part which the oinkmaster.pl script currently does.
It will read in the extracted ruleset, remove duplicates and alter the rules to alert or drop in case they match. Also rules will be enabled or disabled if the user requested this.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 518cbdd38905ed7909f7dfe218957cbc828a004c Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Mar 20 15:34:57 2022 +0100
ids-functions.pl: Add get_provider_ruleset_modifications_file().
This function will obsolete the old oinkmaster modifications files.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit e246285af4c98647217fe96a48d794f959ebf3d8 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Mar 20 15:34:10 2022 +0100
ids-functions.pl: Add private function to obtain the sid and rev of a rule.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit e0eb5bc737fa807a574b4f5bf5c42977d55201fb Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sun Mar 20 15:33:09 2022 +0100
ids-functions.pl: Add get_providers_mode() function.
This function is used to gather the modes of the configured providers and return them as hash.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit ff780d8b3fa6b91fe9d8560684232381b81b5498 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Mar 26 11:27:01 2022 +0100
update-ids-ruleset: Fix typo in return code.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 74019d3044117bc84646fec22e6a88833a131790 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Mar 26 11:23:44 2022 +0100
update-ids-ruleset: Skip providers which are not enabled.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 9a3f9c2b234457e6cfda54f7ee3746781ba503b5 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Mar 26 11:22:50 2022 +0100
update-ids-ruleset: Log and abort if too little free disk space is available.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit c9c3eadbbffeee8a4f46365e917f619939dee9f1 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Mar 26 11:22:08 2022 +0100
update-ids-ruleset: Add logging for various events.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit d1f7542659cc7ecaaad551f813b0cb32a4734351 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Mar 26 11:18:38 2022 +0100
update-ids-ruleset: Add function to iherit with the syslog daemon.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 65e3aef5835a5e681bdd2af292e4c547c0d196d0 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Mar 26 11:17:06 2022 +0100
ids-functions.pl: Remove logging calls when checking free diskspace.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 52a557a848c3f744278aec91d7e16ff1f5c24833 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Sat Mar 26 11:14:40 2022 +0100
ids-functions.pl: Remove logging calls from downloader.
The download script should not directly do the logging stuff.
It simply should download the files for the requested provider and return an error code on fail.
The logging should be done at another place.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit e26edcc1c7cac6235f7d60c527f980895fc3fe5a Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Mar 25 06:03:40 2022 +0100
ids-functions.pl: Provide better return codes, if the downloader fails.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 0f2c5211f6d8b183a8496ff208c20ca5ddc0c6c6 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Mar 24 21:17:59 2022 +0100
ids-functions.pl: Limit downloader to only one provider.
Remove the option and required code to download the rulesets for all configured and enabled providers by just calling the downloader function.
This causes a lot of trouble and, if required, should be handled directly by the processing script.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 235e3e92a32a95339c177a94371b22c4bc0877a6 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Mar 24 21:17:08 2022 +0100
ids-functions.pl: Add get_subscription_code() function.
This function can be used to obtain the subscription code of a given configured provider.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 061391e77601082727e64e40dfa352f89be18ce1 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Mar 24 20:51:56 2022 +0100
ids-functions.pl: Use If-Modified-Since header to reduce file downloads.
When using the "If-Modified-Since" header, the server can be asked whether a modified version of the file can be served.
In case that is true, the file will be sent and stored by the downloader function. If the file has not been touched since the last time, the server will respond with the code "304" (Not modified).
This tells us that the currently stored file is the latest one (still up-to-date) and we can safely skip the download attempt for this provider.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
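The conditional download described in the commit above, as an added example: this is not the project's Perl code from ids-functions.pl but a Python stand-in, and RulesHandler, fetch_if_modified, demo, the sample rule and the timestamp are all assumptions made for the demonstration. It runs a loopback rules server and fetches twice, so the second request is answered with 304 and the stored file is left alone.

```python
import email.utils, http.server, os, tempfile, threading
import urllib.error, urllib.request

# Added example with hypothetical names; the rule and timestamp are constructed.
RULESET = b'alert tcp any any -> any any (msg:"constructed sample"; sid:1000001;)\n'
LAST_MODIFIED = 1648150316  # constructed epoch seconds of the server-side file

class RulesHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        header = self.headers.get("If-Modified-Since", "")
        try:
            since = email.utils.parsedate_to_datetime(header).timestamp()
        except (TypeError, ValueError):
            since = None  # header absent or unparsable: send the full file
        if since is not None and LAST_MODIFIED <= since:
            self.send_response(304)  # Not Modified, no body follows
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Last-Modified", email.utils.formatdate(LAST_MODIFIED, usegmt=True))
        self.end_headers()
        self.wfile.write(RULESET)

    def log_message(self, *args): pass  # keep the demo quiet

OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # loopback demo: ignore proxy env

def fetch_if_modified(url, dest):
    req = urllib.request.Request(url)
    if os.path.exists(dest):  # send the stored file's timestamp as the validator
        stamp = email.utils.formatdate(os.path.getmtime(dest), usegmt=True)
        req.add_header("If-Modified-Since", stamp)
    try:
        with OPENER.open(req, timeout=5) as resp:
            body, last_mod = resp.read(), resp.headers.get("Last-Modified")
    except urllib.error.HTTPError as err:
        if err.code == 304:
            return "not-modified"  # stored copy is current, nothing to write
        raise
    with open(dest, "wb") as fh:
        fh.write(body)
    if last_mod:  # keep the server's timestamp so the next comparison ignores local clock skew
        ts = email.utils.parsedate_to_datetime(last_mod).timestamp()
        os.utime(dest, (ts, ts))
    return "downloaded"

def demo():
    server = http.server.HTTPServer(("127.0.0.1", 0), RulesHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/rules" % server.server_port
    with tempfile.TemporaryDirectory() as tmpdir:
        outcomes = [fetch_if_modified(url, os.path.join(tmpdir, "rules")) for _ in range(2)]
    server.shutdown()
    return outcomes
```

A 304 only says the file is unchanged since the timestamp the client sent, so the integrity of a ruleset still has to be checked on the stored copy itself.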
commit f264adda359ec58846840e60d9743ca522fa4004 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Mar 24 20:29:21 2022 +0100
ids-functions.pl: Re-order download request handler creation.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 7d8956083b76babafef3c8e82fb32c4f243424c3 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Thu Mar 24 20:18:58 2022 +0100
ids-functions.pl: Early load required perl modules.
This will help us to determine if all required perl modules and their dependencies are available and loadable.
It also prevents us from double loading modules and makes development and maintenance easier.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit 304ce130fd1e19de6a4faf9834784e0d821c02c1 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Mar 21 20:21:21 2022 +0100
ids-functions.pl: Remove temporary file, if the download failed.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit e71804fb821acf84ef4ad06fcaf80dda6fe8af0c Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Mar 21 20:19:25 2022 +0100
ids-functions.pl: Allow "3" download attempts for each provider before fail.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
commit de1199e2a32e9f177ea237392b0ae22b5f8a2b87 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Mon Mar 21 19:52:04 2022 +0100
ids-functions.pl: Drop downloader code for sourcefire based ruleset.
Even if the servers do not support HEAD requests, the remote filesize (content_length) can be obtained from the connection headers.
This generic method works for all servers and therefore we do not need the code to handle sourcefire servers in a different way anymore.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
-----------------------------------------------------------------------
hooks/post-receive -- IPFire 2.x development tree