public inbox for ipfire-scm@lists.ipfire.org
* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. f2d5cb7c99835285d3fdef10f21fdcf6fb98aa51
@ 2023-07-21  9:47 Michael Tremer
  0 siblings, 0 replies; only message in thread
From: Michael Tremer @ 2023-07-21  9:47 UTC (permalink / raw)
  To: ipfire-scm

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  f2d5cb7c99835285d3fdef10f21fdcf6fb98aa51 (commit)
       via  f6615f3025aa54603b733987da48c0263afe29b1 (commit)
       via  69d7702ddedb0ea43d6d01250881f7a921532f4d (commit)
       via  45496ad1903a512b67be2119bd2ef4901330913d (commit)
       via  de614755846114de689bd94ae4c32e0e164fa6bb (commit)
      from  2e63b7128e519657d445b0cbfc473725fc13a3a4 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit f2d5cb7c99835285d3fdef10f21fdcf6fb98aa51
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Fri Jul 21 06:01:29 2023 +0000

    kernel: update to 6.1.39
    
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit f6615f3025aa54603b733987da48c0263afe29b1
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Fri Jul 21 05:47:57 2023 +0000

    kernel: fix rootfile
    
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 69d7702ddedb0ea43d6d01250881f7a921532f4d
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Fri Jul 21 09:33:34 2023 +0000

    core177: Ship & restart OpenSSH
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 45496ad1903a512b67be2119bd2ef4901330913d
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date:   Thu Jul 20 18:04:39 2023 +0200

    openssh: Update to version 9.3p2 - Fixes CVE-2023-38408
    
    - Update from version 9.3p1 to 9.3p2
    - Update of rootfile not required
    - Changelog
        9.3p2 (2023-07-19)
    	This release fixes a security bug.
    	Security
    		Fix CVE-2023-38408 - a condition where specific libraries loaded via
    		 ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
    		 code execution via a forwarded agent socket if the following
    		 conditions are met:
    			* Exploitation requires the presence of specific libraries on
    			   the victim system.
    			* Remote exploitation requires that the agent was forwarded
    			   to an attacker-controlled system.
    		Exploitation can also be prevented by starting ssh-agent(1) with an
    		 empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
    		 an allowlist that contains only specific provider libraries.
    		This vulnerability was discovered and demonstrated to be exploitable
    		 by the Qualys Security Advisory team.
    		In addition to removing the main precondition for exploitation,
    		 this release removes the ability for remote ssh-agent(1) clients
    		 to load PKCS#11 modules by default (see below).
    		Potentially-incompatible changes
    		 * ssh-agent(8): the agent will now refuse requests to load PKCS#11
    		    modules issued by remote clients by default. A flag has been added
    		    to restore the previous behaviour "-Oallow-remote-pkcs11".
    		   Note that ssh-agent(8) depends on the SSH client to identify
    		    requests that are remote. The OpenSSH >=8.9 ssh(1) client does
    		    this, but forwarding access to an agent socket using other tools
    		    may circumvent this restriction.
    
    Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit de614755846114de689bd94ae4c32e0e164fa6bb
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date:   Tue Jul 18 16:17:36 2023 +0200

    sudo: Update to version 1.9.14p2
    
    - Update from version 1.9.14 to 1.9.14p2
    - Update of rootfile not required
    - Changelog
        1.9.14p2
    	 * Fixed a crash on Linux systems introduced in version 1.9.14 when
    	   running a command with a NULL argv[0] if "log_subcmds" or
    	   "intercept" is enabled in sudoers.
    	 * Fixed a problem with "stair-stepped" output when piping or
    	   redirecting the output of a sudo command that takes user input.
    	 * Fixed a bug introduced in sudo 1.9.14 that affects matching
    	   sudoers rules containing a Runas_Spec with an empty Runas user.
    	   These rules should only match when sudo's -g option is used but
    	   were matching even without the -g option.  GitHub issue #290.
        1.9.14p1
    	 * Fixed an invalid free bug in sudo_logsrvd that was introduced
    	   in version 1.9.14 which could cause sudo_logsrvd to crash.
    	 * The sudoers plugin no longer tries to send the terminal name
    	   to the log server when no terminal is present.  This bug was
    	   introduced in version 1.9.14.
    
    Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/kernel/kernel.config.aarch64-ipfire              |  2 +-
 config/kernel/kernel.config.x86_64-ipfire               |  2 +-
 config/rootfiles/common/aarch64/linux                   |  2 ++
 config/rootfiles/common/x86_64/linux                    |  2 ++
 .../{oldcore/100 => core/177}/filelists/openssh         |  0
 config/rootfiles/core/177/update.sh                     |  1 +
 lfs/linux                                               |  4 ++--
 lfs/openssh                                             |  4 ++--
 lfs/rtl8812au                                           |  1 +
 lfs/rtl8822bu                                           |  1 +
 lfs/sudo                                                |  4 ++--
 .../remove_regulatory_ignore_stale_kickoff.patch        | 17 +++++++++++++++++
 12 files changed, 32 insertions(+), 8 deletions(-)
 copy config/rootfiles/{oldcore/100 => core/177}/filelists/openssh (100%)
 create mode 100644 src/patches/rtl8812au/remove_regulatory_ignore_stale_kickoff.patch

Difference in files:
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index bc07256b6..9ad75c92b 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/arm64 6.1.38-ipfire Kernel Configuration
+# Linux/arm64 6.1.39-ipfire Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.1.0"
 CONFIG_CC_IS_GCC=y
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index eeda765dd..e40181dc6 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 6.1.38-ipfire Kernel Configuration
+# Linux/x86 6.1.39-ipfire Kernel Configuration
 #
 CONFIG_CC_VERSION_TEXT="gcc (GCC) 13.1.0"
 CONFIG_CC_IS_GCC=y
diff --git a/config/rootfiles/common/aarch64/linux b/config/rootfiles/common/aarch64/linux
index 49bbc7c57..230e419d3 100644
--- a/config/rootfiles/common/aarch64/linux
+++ b/config/rootfiles/common/aarch64/linux
@@ -7229,6 +7229,7 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/BTRFS_FS
 #lib/modules/KVER-ipfire/build/include/config/BTRFS_FS_POSIX_ACL
 #lib/modules/KVER-ipfire/build/include/config/BUG
+#lib/modules/KVER-ipfire/build/include/config/BUG_ON_DATA_CORRUPTION
 #lib/modules/KVER-ipfire/build/include/config/BUILDTIME_TABLE_SORT
 #lib/modules/KVER-ipfire/build/include/config/BUILD_SALT
 #lib/modules/KVER-ipfire/build/include/config/CACHEFILES
@@ -7624,6 +7625,7 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/DEBUG_BUGVERBOSE
 #lib/modules/KVER-ipfire/build/include/config/DEBUG_INFO_NONE
 #lib/modules/KVER-ipfire/build/include/config/DEBUG_KERNEL
+#lib/modules/KVER-ipfire/build/include/config/DEBUG_LIST
 #lib/modules/KVER-ipfire/build/include/config/DEBUG_MISC
 #lib/modules/KVER-ipfire/build/include/config/DEBUG_PREEMPT
 #lib/modules/KVER-ipfire/build/include/config/DEBUG_SHIRQ
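Review bot: the two added entries, include/config/BUG_ON_DATA_CORRUPTION and include/config/DEBUG_LIST, suggest that CONFIG_BUG_ON_DATA_CORRUPTION and CONFIG_DEBUG_LIST are set in the built kernel, yet the kernel.config.aarch64-ipfire diff in this push changes only the version comment. The commit message ("kernel: fix rootfile") should name the earlier config change this rootfile is catching up with, so the list hardening options can be traced to a deliberate decision rather than to a rootfile regeneration. The same applies to the x86_64 rootfile.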
diff --git a/config/rootfiles/common/x86_64/linux b/config/rootfiles/common/x86_64/linux
index 512246b73..3db69b01c 100644
--- a/config/rootfiles/common/x86_64/linux
+++ b/config/rootfiles/common/x86_64/linux
@@ -6985,6 +6985,7 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/BTRFS_FS_POSIX_ACL
 #lib/modules/KVER-ipfire/build/include/config/BTT
 #lib/modules/KVER-ipfire/build/include/config/BUG
+#lib/modules/KVER-ipfire/build/include/config/BUG_ON_DATA_CORRUPTION
 #lib/modules/KVER-ipfire/build/include/config/BUILDTIME_MCOUNT_SORT
 #lib/modules/KVER-ipfire/build/include/config/BUILDTIME_TABLE_SORT
 #lib/modules/KVER-ipfire/build/include/config/BUILD_SALT
@@ -7328,6 +7329,7 @@ etc/modprobe.d/ipv6.conf
 #lib/modules/KVER-ipfire/build/include/config/DEBUG_BUGVERBOSE
 #lib/modules/KVER-ipfire/build/include/config/DEBUG_INFO_NONE
 #lib/modules/KVER-ipfire/build/include/config/DEBUG_KERNEL
+#lib/modules/KVER-ipfire/build/include/config/DEBUG_LIST
 #lib/modules/KVER-ipfire/build/include/config/DEBUG_MISC
 #lib/modules/KVER-ipfire/build/include/config/DEBUG_PREEMPT
 #lib/modules/KVER-ipfire/build/include/config/DEBUG_WX
diff --git a/config/rootfiles/core/177/filelists/openssh b/config/rootfiles/core/177/filelists/openssh
new file mode 120000
index 000000000..d8c77fd8e
--- /dev/null
+++ b/config/rootfiles/core/177/filelists/openssh
@@ -0,0 +1 @@
+../../../common/openssh
\ No newline at end of file
diff --git a/config/rootfiles/core/177/update.sh b/config/rootfiles/core/177/update.sh
index a98d39f2d..818079940 100644
--- a/config/rootfiles/core/177/update.sh
+++ b/config/rootfiles/core/177/update.sh
@@ -121,6 +121,7 @@ ldconfig
 /usr/local/bin/filesystem-cleanup
 
 # Start services
+/etc/init.d/sshd restart
 /etc/init.d/unbound reload
 /etc/init.d/ntp restart
 if [ -f /var/ipfire/proxy/enable ]; then
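Review bot: the added "/etc/init.d/sshd restart" under "# Start services" runs unconditionally, while the block that follows is guarded by a test on /var/ipfire/proxy/enable. Please confirm that this restart does not start sshd on systems where SSH access is switched off, or guard it in the same way. It is also worth one line in the commit message that CVE-2023-38408, per the changelog quoted above, is in ssh-agent's PKCS#11 support: restarting sshd loads the new daemon binary, but an ssh-agent that is already running keeps the old code until it is restarted.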
diff --git a/lfs/linux b/lfs/linux
index e9a50fba5..75fa0c00f 100644
--- a/lfs/linux
+++ b/lfs/linux
@@ -24,7 +24,7 @@
 
 include Config
 
-VER         = 6.1.38
+VER         = 6.1.39
 
 ARM_PATCHES = 6.1.y-ipfire2
 
@@ -76,7 +76,7 @@ objects = \
 $(DL_FILE)					= $(URL_IPFIRE)/$(DL_FILE)
 arm-multi-patches-$(ARM_PATCHES).patch.xz	= $(URL_IPFIRE)/arm-multi-patches-$(ARM_PATCHES).patch.xz
 
-$(DL_FILE)_BLAKE2 = 43f0fe3f8aeb03e5a2bf46b358b8dc4515765b70f56fb136847c78a80889bc2e163768d941500c285f40f705634b5fd3d6e0d81c10521fc351596c95db62490e
+$(DL_FILE)_BLAKE2 = 36bb549b14ccff3bd1751ff8475e74a77f8f65d9531ca2379b1dd2ccfe9adcf6852a764d615c42b3ad8a91c0d96668ae970085ab889dd98e21789f54a2f7641e
 arm-multi-patches-$(ARM_PATCHES).patch.xz_BLAKE2 = 7afc460562fb24bcd75784fc79de768f9b60780aedd88d1a847927169e31920bbb475b1ac1466c4a224a7876d16bd8d465b96202de12b74f6e2ccbfcec731ad3
 
 install : $(TARGET)
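Review bot: the new $(DL_FILE)_BLAKE2 value in the second hunk is the only integrity check visible for the 6.1.39 tarball, and the context line above it shows $(DL_FILE) being fetched from $(URL_IPFIRE) rather than from upstream. The commit message ("kernel: update to 6.1.39") should say that the mirrored tarball was checked against the upstream signed release before this hash was recorded. The unchanged arm-multi-patches hash is consistent with ARM_PATCHES staying at 6.1.y-ipfire2.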
diff --git a/lfs/openssh b/lfs/openssh
index 5a18edd70..83c94ffdc 100644
--- a/lfs/openssh
+++ b/lfs/openssh
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 9.3p1
+VER        = 9.3p2
 
 THISAPP    = openssh-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 45578edf98bba3d23c7cefe60d8a7d3079e7c6676459f7422ace7a2461ab96943fbcadb478633a80f40bc098f2435722850b563714adb78b14922be53cb5753d
+$(DL_FILE)_BLAKE2 = 38f8d4ada263112b318fafccabf0a33a004d8290a867434004eb3d37127c9bdabe6e0225fca9d6d68fb54338fec81dcc9313ca7c91d3a033311db44174dc9f6f
 
 install : $(TARGET)
 
diff --git a/lfs/rtl8812au b/lfs/rtl8812au
index d9cfbe073..e18ba8b5f 100644
--- a/lfs/rtl8812au
+++ b/lfs/rtl8812au
@@ -77,6 +77,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
 	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/rtl8812au/enable_usbmodeswitch.patch
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/rtl8812au/remove_regulatory_ignore_stale_kickoff.patch
 	cd $(DIR_APP) && CONFIG_RTL8812AU=m make $(MAKETUNING) \
 		-C /lib/modules/$(KVER)-$(VERSUFIX)/build/ M=$(DIR_APP)/ modules
 
diff --git a/lfs/rtl8822bu b/lfs/rtl8822bu
index b7221f101..e6462727e 100644
--- a/lfs/rtl8822bu
+++ b/lfs/rtl8822bu
@@ -76,6 +76,7 @@ $(subst %,%_BLAKE2,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+	cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/rtl8812au/remove_regulatory_ignore_stale_kickoff.patch
 	cd $(DIR_APP) && CONFIG_RTL8822BU=m make $(MAKETUNING) \
 		-C /lib/modules/$(KVER)-$(VERSUFIX)/build/ M=$(DIR_APP)/ modules
 
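Review bot: the added patch line in lfs/rtl8822bu applies a file stored under src/patches/rtl8812au/, and that patch was generated against the 8812au source tree with its hunk at line 405 of os_dep/linux/wifi_regd.c. If the rtl8822bu copy of wifi_regd.c differs there, patch -Np1 will apply with an offset or fuzz, or stop the build. Suggest moving the shared patch to a driver-neutral location, or adding a comment in this file saying the reuse is intentional and was build-tested for rtl8822bu.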
diff --git a/lfs/sudo b/lfs/sudo
index 3a55174d3..cf68bf923 100644
--- a/lfs/sudo
+++ b/lfs/sudo
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 1.9.14
+VER        = 1.9.14p2
 
 THISAPP    = sudo-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 5731eda1cabb23dd3b77851ce1fcde8e1b7efc1b4fa27fe65522c7b8e23c0330003eb2d4ebb47d63416fb3a52db478b2f60ca22da6a2d66cb27c52ea5264749e
+$(DL_FILE)_BLAKE2 = a350136731c1c6eca1317a852ce243b270df61ba275608bd0d0ec11760babdb2f9f489b818529484c15a43345fa53c96efd1aa47ab7cc0591c45928ba75c4c85
 
 install : $(TARGET)
 
diff --git a/src/patches/rtl8812au/remove_regulatory_ignore_stale_kickoff.patch b/src/patches/rtl8812au/remove_regulatory_ignore_stale_kickoff.patch
new file mode 100644
index 000000000..933700049
--- /dev/null
+++ b/src/patches/rtl8812au/remove_regulatory_ignore_stale_kickoff.patch
@@ -0,0 +1,17 @@
+# This feature was removed in kernel 6.5 and the patch was backported to 6.1.39
+
+diff --git a/8812au-20210629-07ac856293e247347b891c5dbd13f3ab8321132d.org/os_dep/linux/wifi_regd.c b/8812au-20210629-07ac856293e247347b891c5dbd13f3ab8321132d/os_dep/linux/wifi_regd.c
+index 81e1dc7..b4b0bcd 100644
+--- a/os_dep/linux/wifi_regd.c
++++ b/os_dep/linux/wifi_regd.c
+@@ -405,10 +405,6 @@ int rtw_regd_init(struct wiphy *wiphy)
+ 	wiphy->regulatory_flags &= ~REGULATORY_DISABLE_BEACON_HINTS;
+ #endif
+ 
+-#if (LINUX_VERSION_CODE >= KERNEL_VERSION(3, 19, 0))
+-	wiphy->regulatory_flags |= REGULATORY_IGNORE_STALE_KICKOFF;
+-#endif
+-
+ 	return 0;
+ }
+ #endif /* CONFIG_IOCTL_CFG80211 */
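Review bot: the comment on the first line of the new patch says "the patch was backported to 6.1.39" without naming the kernel change, so a reader cannot tell which removal made REGULATORY_IGNORE_STALE_KICKOFF unavailable; please reference the upstream commit or the stable changelog entry. The embedded header is also inconsistent: its "diff --git" line uses paths under the 8812au-20210629-... source directories, while the ---/+++ lines use a/os_dep and b/os_dep. patch -Np1 reads the latter, so it applies, but regenerating the patch with matching paths would avoid confusion. Deleting the block outright, rather than narrowing the LINUX_VERSION_CODE condition, is fine only as long as the driver is never built against a kernel that still defines the flag.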


hooks/post-receive
--
IPFire 2.x development tree
