This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via b88f6c476b45c173db54ce31d59dc42202c56e34 (commit) via be52d700f160b1201d83fb942a0280f3f2d0f16a (commit) via c04ebdccee35ddac7cc483efb182982f7345052f (commit) via c4c756333578fc43d7f712cbc262fc3f3bf1fc52 (commit) from aa60fd7b3e61aeb08c68b67f615f8c94e6545447 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit b88f6c476b45c173db54ce31d59dc42202c56e34 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Mon Oct 25 16:55:26 2021 +0000
core161: add curl
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit be52d700f160b1201d83fb942a0280f3f2d0f16a Author: Adolf Belka adolf.belka@ipfire.org Date: Mon Sep 27 17:32:40 2021 +0200
curl: Update to version 7.79.1
- Update from 7.78.0 to 7.79.1 - Update of rootfile not required - Changelog Fixed in 7.79.1 - September 22 2021 Bugfixes: Curl_http2_setup: don't change connection data on repeat invokes curl_multi_fdset: make FD_SET() not operate on sockets out of range dist: provide lib/.checksrc in the tarball FAQ: add GOPHERS + curl works on data, not files hsts: CURLSTS_FAIL from hsts read callback should fail transfer hsts: handle unlimited expiry http: fix the broken >3 digit response code detection strerror: use sys_errlist instead of strerror on Windows test1184: disable tests/sshserver.pl: make it work with openssh-8.7p1 Fixed in 7.79.0 - September 15 2021 Changes: bearssl: support CURLOPT_CAINFO_BLOB http: consider cookies over localhost to be secure secure transport: support CURLINFO_CERTINFO Bugfixes: CVE-2021-22945: clear the leftovers pointer when sending succeeds CVE-2021-22946: do not ignore --ssl-reqd CVE-2021-22947: reject STARTTLS server response pipelining ares: use ares_getaddrinfo() asyn-ares.c: move all version number checks to the top auth: do not append zero-terminator to authorisation id in kerberos auth: properly handle byte order in kerberos security message auth: use sasl authzid option in kerberos auth: we do not support a security layer after kerberos authentication BINDINGS.md: update links to use https where available build: fix compiler warnings c-hyper: deal with Expect: 100-continue combined with POSTFIELDS c-hyper: fix header value passed to debug callback c-hyper: handle HTTP/1.1 => HTTP/1.0 downgrade on reused connection c-hyper: initial step for 100-continue support c-hyper: initial support for "dumping" 1xx HTTP responses c-hyper: remove the hyper_executor_poll() loop from Curl_http CI/cirrus: reduce compile time with increased parallism CI: use GitHub Container Registry instead of Docker Hub cirrus: Add FreeBSD 13.0 job and disable sanitizer build cmake: avoid poll() on macOS cmake: sync CURL_DISABLE options codeql: fix error "Resource not accessible by integration" compressed.d: it's a request, not an order config.d: escape the backslash properly config.d: note that curlrc is used even when --config config: get rid of the unused HAVE_SIG_ATOMIC_T et. al. configure.ac: revert bad nghttp2 library detection improvements configure: error out if both ngtcp2 and quiche are specified configure: make --disable-hsts work configure: set classic mingw minimum OS version to XP configure: tweak nghttp2 library name fix connect: get local port + ip also when reusing connections connect: remove superfluous conditional curl-openssl.m4: check lib64 for the pkg-config file curl-openssl.m4: show correct output for OpenSSL v3 curl.1: mention "global" flags curl.1: provide examples for each option curl: add warning for ignored data after quoted form parameter curl: add warning for incompatible parameters usage curl: better error message when -O fails to get a good name curl: stop retry if Retry-After: is longer than allowed curl_easy_setopt.3: improve the string copy wording Curl_hsts_loadcb: don't attempt to load if hsts wasn't inited curl_setup.h: sync values for HTTP_ONLY curl_url_get.3: clarify about path and query CURLMOPT_TIMERFUNCTION.3: remove misplaced "time" CURLOPT_DOH_URL.3: CURLOPT_OPENSOCKETFUNCTION is not inherited CURLOPT_SSL_CTX_*.3: tidy up the example CURLOPT_UNIX_SOCKET_PATH.3: remove nginx reference, add see also docs/MQTT: update state of username/password support docs: remove experimental mentions from HSTS and MQTT docs: the security list is reached at security at curl.se now easy: use a custom implementation of wcsdup on Windows examples/*hiperfifo.c: fix calloc arguments to match function proto examples/cookie_interface: avoid printfing time_t directly examples/cookie_interface: fix scan-build printf warning examples/ephiperfifo.c: simplify signal handler FAQ: add two dev related questions getparameter: fix the --local-port number parser happy-eyeballs-timeout-ms.d: polish the wording hostip: Make Curl_ipv6works function independent of getaddrinfo http2: Curl_http2_setup needs to init stream data in all invokes http2: revert a change that broke upgrade to h2c http2: revert call the handle-closed function correctly on closed stream http: disallow >3-digit response codes http: ignore content-length if any transfer-encoding is used http_proxy: clear 'sending' when the outgoing request is sent http_proxy: fix the User-Agent inclusion in CONNECT http_proxy: fix user-agent and custom headers for CONNECT with hyper http_proxy: only wait for writable socket while sending request INTERNALS: bump c-ares requirement to 1.16.0 INTERNALS: c-ares has a new home: c-ares.org lib: don't use strerror() libcurl-errors.3: clarify two CURLUcode errors limit-rate.d: clarify base unit mailing lists: move from cool.haxx.se to lists.haxx.se mbedtls: avoid using a large buffer on the stack mbedTLS: initial 3.0.0 support mbedtls_threadlock: fix unused variable warning mksymbolsmanpage.pl: Fix showing symbol's last used version mksymbolsmanpage.pl: match symbols case insenitively multi: fix compiler warning with `CURL_DISABLE_WAKEUP` ngtcp2: compile with the latest ngtcp2 and nghttp3 ngtcp2: fix build with ngtcp2 and nghttp3 ngtcp2: remove the acked_crypto_offset struct field init ngtcp2: replace deprecated functions with nghttp3_conn_shutdown_stream_read ngtcp2: reset the oustanding send buffer again when drained ngtcp2: rework the return value handling of ngtcp2_conn_writev_stream ngtcp2: stop buffering crypto data ngtcp2: utilize crypto API functions to simplify openssl: annotate SSL3_MT_SUPPLEMENTAL_DATA openssl: when creating a new context, there cannot be an old one opt-docs: make sure all man pages have examples opt-docs: verify man page sections + order opts docs: unify phrasing in NAME header output.d: add method to suppress response bodies page-header: add GOPHERS, simplify wording in the 1st para progress: fix a compile warning on some systems progress: make trspeed avoid floats runtests: add option -u to error on server unexpectedly alive schannel: Work around typo in classic mingw macro scripts: invoke interpreters through /usr/bin/env setopt: enable CURLOPT_IGNORE_CONTENT_LENGTH for hyper strerror.h: remove the #include from files not using it symbols-in-versions: fix CURLSSLBACKEND_QSOSSL last used version test1138: remove trailing space to make work with hyper test1173: check references to libcurl options test1280: CRLFify the response to please hyper test1565: fix windows build errors test365: verify response with chunked AND Content-Length headers tests/*server.pl: flush output before executing subprocess tests/*server.py: remove pidfile on server termination tests/runtests.pl: cleanup copy&paste mistakes and unused code tests/server/*.c: align handling of portfile argument and file tests: adjust the tftpd output to work with hyper mode tests: be explicit about using 'python3' instead of 'python' tests: enable test 1129 for hyper builds tests: make three tests pass until 2037 tool/tests: fix potential year 2038 issues tool_operate: Fix --fail-early with parallel transfers url: fix compiler warning in no-verbose builds urlapi.c:seturl: assert URL instead of using if-check vtls: fix typo in schannel_verify.c winbuild/README.md: clarify GEN_PDB option wolfssl: clean up wolfcrypt error queue write-out.d: clarify size_download/upload x509asn1: fix heap over-read when parsing x509 certificates
Signed-off-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit c04ebdccee35ddac7cc483efb182982f7345052f Author: Arne Fitzenreiter arne_f@ipfire.org Date: Mon Oct 25 16:52:15 2021 +0000
core161: add strongswan changes to update.
this core also stops strongwan before extracting because the updown script is changed.
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit c4c756333578fc43d7f712cbc262fc3f3bf1fc52 Author: Peter Müller peter.mueller@ipfire.org Date: Sat Oct 23 14:49:52 2021 +0200
strongSwan: update to 5.9.4
Release notes as per https://github.com/strongswan/strongswan/releases/tag/5.9.4:
Fixed a denial-of-service vulnerability in the gmp plugin that was caused by an integer overflow when processing RSASSA-PSS signatures with very large salt lengths. This vulnerability has been registered as CVE-2021-41990. Please refer to our blog for details. Fixed a denial-of-service vulnerability in the in-memory certificate cache if certificates are replaced and a very large random value caused an integer overflow. This vulnerability has been registered as CVE-2021-41991. Please refer to our blog for details. Fixed a related flaw that caused the daemon to accept and cache an infinite number of versions of a valid certificate by modifying the parameters in the signatureAlgorithm field of the outer X.509 Certificate structure. AUTH_LIFETIME notifies are now only sent by a responder if it can't reauthenticate the IKE_SA itself due to asymmetric authentication (i.e. EAP) or the use of virtual IPs. Several corner cases with reauthentication have been fixed (48fbe1d, 36161fe, 0d373e2). Serial number generation in several pki sub-commands has been fixed so they don't start with an unintended zero byte (#631). Loading SSH public keys via vici has been improved (#467). Shared secrets, PEM files, vici messages, PF_KEY messages, swanctl configs and other data is properly wiped from memory. Use a longer dummy key to initialize HMAC instances in the openssl plugin in case it's used in FIPS-mode (#557). The --enable-tpm option now implies --enable-tss-tss2 as the plugin doesn't do anything without a TSS 2.0. libtpmtss is initialized in all programs and libraries that use it. Migrated testing scripts to Python 3. The testing environment uses images based on Debian bullseye by default (support for jessie was removed).
To my understanding, IPFire is not affected by CVE-2021-41990, as we do not support creation of IPsec connections using RSASSA-PSS (please correct me if we do :-). In contrast, CVE-2021-41991 affects IPFire installations indeed.
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
-----------------------------------------------------------------------
Summary of changes: config/rootfiles/{oldcore/104 => core/161}/filelists/curl | 0 config/rootfiles/core/161/filelists/files | 1 - .../106/filelists/strongswan => core/161/filelists/stronswan} | 0 config/rootfiles/core/161/update.sh | 5 +++++ lfs/curl | 4 ++-- lfs/strongswan | 4 ++-- 6 files changed, 9 insertions(+), 5 deletions(-) copy config/rootfiles/{oldcore/104 => core/161}/filelists/curl (100%) copy config/rootfiles/{oldcore/106/filelists/strongswan => core/161/filelists/stronswan} (100%)
Difference in files: diff --git a/config/rootfiles/core/161/filelists/curl b/config/rootfiles/core/161/filelists/curl new file mode 120000 index 000000000..4b84bef53 --- /dev/null +++ b/config/rootfiles/core/161/filelists/curl @@ -0,0 +1 @@ +../../../common/curl \ No newline at end of file diff --git a/config/rootfiles/core/161/filelists/files b/config/rootfiles/core/161/filelists/files index 544b08d17..3d0a9d1bd 100644 --- a/config/rootfiles/core/161/filelists/files +++ b/config/rootfiles/core/161/filelists/files @@ -14,7 +14,6 @@ srv/web/ipfire/cgi-bin/speed.cgi usr/bin/2to3 usr/bin/hexdump usr/lib/firewall/rules.pl -usr/libexec/ipsec/_updown usr/local/bin/hddshutdown usr/local/bin/makegraphs var/ipfire/backup/exclude diff --git a/config/rootfiles/core/161/filelists/stronswan b/config/rootfiles/core/161/filelists/stronswan new file mode 120000 index 000000000..90c727e26 --- /dev/null +++ b/config/rootfiles/core/161/filelists/stronswan @@ -0,0 +1 @@ +../../../common/strongswan \ No newline at end of file diff --git a/config/rootfiles/core/161/update.sh b/config/rootfiles/core/161/update.sh index 889950824..db0dc1e98 100644 --- a/config/rootfiles/core/161/update.sh +++ b/config/rootfiles/core/161/update.sh @@ -96,6 +96,7 @@ rm -rf /usr/lib/python2* rm -rf /usr/lib/collectd/python.so
# Stop services +/etc/init.d/ipsec stop
# Extract files extract_files @@ -119,6 +120,9 @@ ldconfig /usr/local/bin/filesystem-cleanup
# Start services +if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then + /etc/init.d/ipsec start +fi
# Delete orphaned pppd 2.4.8 shared object files rm -rf \ @@ -162,3 +166,4 @@ sync
# Don't report the exitcode last command exit 0 +# Stop services diff --git a/lfs/curl b/lfs/curl index 1d516664c..70465bb35 100644 --- a/lfs/curl +++ b/lfs/curl @@ -24,7 +24,7 @@
include Config
-VER = 7.78.0 +VER = 7.79.1
THISAPP = curl-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 419c2461366cf404160a820f7a902b7e +$(DL_FILE)_MD5 = 74d3c4ca8aaa6c0619806d6e246e65fb
install : $(TARGET)
diff --git a/lfs/strongswan b/lfs/strongswan index 46c0309fb..45ff8f426 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -24,7 +24,7 @@
include Config
-VER = 5.9.3 +VER = 5.9.4
THISAPP = strongswan-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 80ecabe0ce72d550d2d5de0118f89143 +$(DL_FILE)_MD5 = 9c387eb77f0159fdefbcf7e81c905c35
install : $(TARGET)
hooks/post-receive -- IPFire 2.x development tree