From: Michael Tremer <git@ipfire.org>
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 772c150bf3cd894d68ef1a8e82713009153429e9
Date: Tue, 12 Mar 2024 09:32:41 +0000 [thread overview]
Message-ID: <4Tv7j601nBz2xhc@people01.haj.ipfire.org> (raw)
[-- Attachment #1: Type: text/plain, Size: 9777 bytes --]
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via 772c150bf3cd894d68ef1a8e82713009153429e9 (commit)
via 721c70139b1680cdeb9afa2b180a8cbad77df5a7 (commit)
via 716b8fb503b5c02ac921cd843f8c646892c4cf55 (commit)
via 5a7342fc285425d226e52d988c0e35c23cd7547b (commit)
from 4f39eaeb793547386ab45879c999eaae9b24b577 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 772c150bf3cd894d68ef1a8e82713009153429e9
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Tue Mar 12 09:32:15 2024 +0000
core185: Ship openssh
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 721c70139b1680cdeb9afa2b180a8cbad77df5a7
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date: Tue Mar 12 09:55:14 2024 +0100
openssh: Update to version 9.7p1
- Update from version 9.6p1 to 9.7p1
- Update of rootfile not required
- Changelog
9.7p1
Future deprecation notice
OpenSSH plans to remove support for the DSA signature algorithm in
early 2025 and compile-time disable it later this year.
DSA, as specified in the SSHv2 protocol, is inherently weak - being
limited to a 160 bit private key and use of the SHA1 digest. Its
estimated security level is only 80 bits symmetric equivalent.
OpenSSH has disabled DSA keys by default since 2015 but has retained
run-time optional support for them. DSA was the only mandatory-to-
implement algorithm in the SSHv2 RFCs[3], mostly because alternative
algorithms were encumbered by patents when the SSHv2 protocol was
specified.
This has not been the case for decades at this point and better
algorithms are well supported by all actively-maintained SSH
implementations. We do not consider the costs of maintaining DSA in
OpenSSH to be justified and hope that removing it from OpenSSH can
accelerate its wider deprecation in supporting cryptography
libraries.
This release makes DSA support in OpenSSH compile-time optional,
defaulting to on. We intend the next release to change the default
to disable DSA at compile time. The first OpenSSH release of 2025
will remove DSA support entirely.
This release contains mostly bugfixes.
New features
* ssh(1), sshd(8): add a "global" ChannelTimeout type that watches
all open channels and will close all open channels if there is no
traffic on any of them for the specified interval. This is in
addition to the existing per-channel timeouts added recently.
This supports situations like having both session and x11
forwarding channels open where one may be idle for an extended
period but the other is actively used. The global timeout could
close both channels when both have been idle for too long.
* All: make DSA key support compile-time optional, defaulting to on.
Bugfixes
* sshd(8): don't append an unnecessary space to the end of subsystem
arguments (bz3667)
* ssh(1): fix the multiplexing "channel proxy" mode, broken when
keystroke timing obfuscation was added. (GHPR#463)
* ssh(1), sshd(8): fix spurious configuration parsing errors when
options that accept array arguments are overridden (bz3657).
* ssh-agent(1): fix potential spin in signal handler (bz3670)
* Many fixes to manual pages and other documentation, including
GHPR#462, GHPR#454, GHPR#442 and GHPR#441.
* Greatly improve interop testing against PuTTY.
Portability
* Improve the error message when the autoconf OpenSSL header check
fails (bz#3668)
* Improve detection of broken toolchain -fzero-call-used-regs support
(bz3645).
* Fix regress/misc/fuzz-harness fuzzers and make them compile without
warnings when using clang16
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 716b8fb503b5c02ac921cd843f8c646892c4cf55
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date: Mon Mar 11 13:19:09 2024 +0100
dns.cgi: Fixes bug#12395 - German umlauts not correctly displayed in remarks
- If Freifunk München e.V. is entered as a remark it gets converted to
Freifunk München e.V.
- This is because cleanhtml is used on the UTF-8 remark text before saving it to the file
and the HTML::Entities::encode_entities command that is run on that remark text does
not work with UTF-8 text.
- If the UTF-8 text in the remark is decoded before running through the cleanhtml command
then the characters with diacritical marks are correctly shown.
- Have tested out the fix on a remark with a range of different characters with
diacritical marks and all of the ones tested were displayed correctly with the fix while
in the original form they were mangled.
Fixes: Bug#12395
Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 5a7342fc285425d226e52d988c0e35c23cd7547b
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date: Mon Mar 11 13:19:08 2024 +0100
dns.cgi: Revert "dns.cgi: Fixes bug#12395 - German umlauts not correctly displayed in remarks"
- This reverts commit 7c6ff5ff12331a53f416080a44c8d6145e78bfac
- That commit removed the cleanhtml command which is not advised, based on feedback from
Michael Tremer from other patch submissions as it creates a potential security problem.
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/rootfiles/{oldcore/100 => core/185}/filelists/openssh | 0
config/rootfiles/core/185/update.sh | 1 +
html/cgi-bin/dns.cgi | 9 +++++++++
lfs/openssh | 6 +++---
4 files changed, 13 insertions(+), 3 deletions(-)
copy config/rootfiles/{oldcore/100 => core/185}/filelists/openssh (100%)
Difference in files:
diff --git a/config/rootfiles/core/185/filelists/openssh b/config/rootfiles/core/185/filelists/openssh
new file mode 120000
index 000000000..d8c77fd8e
--- /dev/null
+++ b/config/rootfiles/core/185/filelists/openssh
@@ -0,0 +1 @@
+../../../common/openssh
\ No newline at end of file
diff --git a/config/rootfiles/core/185/update.sh b/config/rootfiles/core/185/update.sh
index a24f61692..b19f2e054 100644
--- a/config/rootfiles/core/185/update.sh
+++ b/config/rootfiles/core/185/update.sh
@@ -85,6 +85,7 @@ chmod -v 640 /etc/sudoers.d/*
# Start services
telinit u
+/etc/init.d/sshd restart
/etc/init.d/suricata restart
/etc/init.d/unbound restart
/etc/init.d/ntp start
diff --git a/html/cgi-bin/dns.cgi b/html/cgi-bin/dns.cgi
index f3dd5c7a9..eb6f908d5 100644
--- a/html/cgi-bin/dns.cgi
+++ b/html/cgi-bin/dns.cgi
@@ -141,6 +141,15 @@ if (($cgiparams{'SERVERS'} eq $Lang::tr{'save'}) || ($cgiparams{'SERVERS'} eq $L
# Go further if there was no error.
if ( ! $errormessage) {
+ # Check if a remark has been entered.
+
+ # decode the UTF-8 text so that characters with diacritical marks such as
+ # umlauts are treated correctly by the following cleanhtml command
+ $cgiparams{'REMARK'} = decode("UTF-8", $cgiparams{'REMARK'});
+
+ # run the REMARK text through cleanhtml to ensure all unsafe html characters
+ # are correctly encoded to their html entities
+ $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
my %dns_servers = ();
my $id;
diff --git a/lfs/openssh b/lfs/openssh
index 3833f2ca7..315b1a70b 100644
--- a/lfs/openssh
+++ b/lfs/openssh
@@ -1,7 +1,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2023 IPFire Team <info(a)ipfire.org> #
+# Copyright (C) 2007-2024 IPFire Team <info(a)ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -24,7 +24,7 @@
include Config
-VER = 9.6p1
+VER = 9.7p1
THISAPP = openssh-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = dd7f6747fe89f7b386be4faaf7fc43398a9bf439e45608ae61c2126cf8743c64ef7b5af45c75e9007b0bda525f8809261ca0f2fc47ce60177ba769a5324719dd
+$(DL_FILE)_BLAKE2 = 520859fcbdf678808fc8515b64585ab9a90a8055fa869df6fbba3083cb7f73ddb81ed9ea981e131520736a8aed838f85ae68ca63406a410df61039913c5cb48b
install : $(TARGET)
hooks/post-receive
--
IPFire 2.x development tree
reply other threads:[~2024-03-12 9:32 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4Tv7j601nBz2xhc@people01.haj.ipfire.org \
--to=git@ipfire.org \
--cc=ipfire-scm@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox