To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 35d1649a3e3f6d382e8fe8eb7bc71c89781aa7b9
X-Git-Refname: refs/heads/next
X-Git-Reftype: branch
X-Git-Oldrev: efeb1d3bda767bbea062da70105fcbda59cbc594
X-Git-Newrev: 35d1649a3e3f6d382e8fe8eb7bc71c89781aa7b9
Message-Id: <4bZ5LP5XMhz2xbl@people01.haj.ipfire.org>
Date: Sat, 5 Jul 2025 09:49:01 +0000 (UTC)
From: Michael Tremer

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  35d1649a3e3f6d382e8fe8eb7bc71c89781aa7b9 (commit)
       via  54bf2ee02bf1d5220b95a63a97688c9d2f53c63b (commit)
       via  c55c499f6f94b1aae6183eb9fbb4b1fc7d0270fd (commit)
       via  06000889149d81d0f9b350bcb664f95b400a669a (commit)
       via  9e9c059a1816fb7c756c7df9aab5d5898270b5f2 (commit)
       via  9af3d99a92ba1d0c359485fecc60269e7297e723 (commit)
      from  efeb1d3bda767bbea062da70105fcbda59cbc594 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 35d1649a3e3f6d382e8fe8eb7bc71c89781aa7b9
Author: Adolf Belka
Date:   Fri Jul 4 18:33:04 2025 +0200

    core197: Ship libunistring

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 54bf2ee02bf1d5220b95a63a97688c9d2f53c63b
Author: Adolf Belka
Date:   Fri Jul 4 18:33:03 2025 +0200

    core197: Ship libtasn1

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit c55c499f6f94b1aae6183eb9fbb4b1fc7d0270fd
Author: Adolf Belka
Date:   Fri Jul 4 18:33:02 2025 +0200

    core197: Ship gnutls

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 06000889149d81d0f9b350bcb664f95b400a669a
Author: Adolf Belka
Date:   Fri Jul 4 18:33:01 2025 +0200

    libunistring: New package to replace bundled version in gnutls

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 9e9c059a1816fb7c756c7df9aab5d5898270b5f2
Author: Adolf Belka
Date:   Fri Jul 4 18:33:00 2025 +0200

    libtasn1: Update to version 4.20.0 & move before gnutls

    - Update from version 4.19.0 to 4.20.0
    - Update of rootfile
    - Move earlier in make.sh so that the library can be used by gnutls in
      place of the gnutls bundled version.
    - Fix for a CVE
    - Changelog
        4.20.0
          - The release tarball is now reproducible.
          - We publish a minimal source-only tarball generated by 'git archive'.
          - Update gnulib files and various build/maintenance fixes.
          - Fix CVE-2024-12133: Potential DoS in handling of numerous
            SEQUENCE OF or SET OF elements

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 9af3d99a92ba1d0c359485fecc60269e7297e723
Author: Adolf Belka
Date:   Fri Jul 4 18:32:59 2025 +0200

    gnutls: Update to version 3.8.9

    - Update from version 3.8.8 to 3.8.9
    - Update of rootfile
    - I found that gnutls was using its own bundled versions of libtasn1 and
      libunistring and that there had been some CVEs with libtasn1 which were
      then fixed later in the gnutls bundled version together with some fixes
      in the gnutls code. So this patch, as well as updating the version, has
      also removed the options to use the included versions of the libtasn1
      and libunistring libraries. libtasn1 was already in IPFire and just
      needed to be moved to before gnutls. libunistring had to be added in.
    - The disable-guile option was removed as the guile bindings were removed
      in gnutls-3.8.0 and the option is no longer recognised.
    - Changelog
        3.8.9
          ** libgnutls: leancrypto was added as an interim option for PQC
             The library can now be built with leancrypto instead of liboqs
             for post-quantum cryptography (PQC), when configured with
             --with-leancrypto option instead of --with-liboqs.
          ** libgnutls: Experimental support for ML-DSA signature algorithm
             The library and certtool now support ML-DSA signature algorithm
             as defined in FIPS 204 and based on
             draft-ietf-lamps-dilithium-certificates-04. This feature is
             currently marked as experimental and can only be enabled when
             compiled with --with-leancrypto or --with-liboqs.
             Contributed by David Dudas.
          ** libgnutls: Support for ML-KEM-1024 key encapsulation mechanism
             The support for ML-KEM post-quantum key encapsulation mechanisms
             has been extended to cover ML-KEM-1024, in addition to
             ML-KEM-768. MLKEM1024 is only offered as SecP384r1MLKEM1024
             hybrid as per draft-kwiatkowski-tls-ecdhe-mlkem-03.
          ** libgnutls: Fix potential DoS in handling certificates with
             numerous name constraints, as a follow-up of CVE-2024-12133 in
             libtasn1.
The bundled copy of libtasn1 has also been updated to the latest 4.20.0 release to complete the fix. Reported by Bing Shi (#1553). [GNUTLS-SA-2025-02-07, CVSS: medium] [CVE-2024-12243] ** API and ABI modifications: GNUTLS_PK_MLDSA44: New enum member of gnutls_pk_algorithm_t GNUTLS_PK_MLDSA65: New enum member of gnutls_pk_algorithm_t GNUTLS_PK_MLDSA87: New enum member of gnutls_pk_algorithm_t GNUTLS_SIGN_MLDSA44: New enum member of gnutls_sign_algorithm_t GNUTLS_SIGN_MLDSA65: New enum member of gnutls_sign_algorithm_t GNUTLS_SIGN_MLDSA87: New enum member of gnutls_sign_algorithm_t Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer ----------------------------------------------------------------------- Summary of changes: config/rootfiles/common/gnutls | 2 +- config/rootfiles/common/libtasn1 | 2 +- config/rootfiles/common/libunistring | 53 ++++++++++++++++++++++ .../{oldcore/110 => core/197}/filelists/gnutls | 0 .../{oldcore/160 => core/197}/filelists/libtasn1 | 0 config/rootfiles/core/197/filelists/libunistring | 1 + lfs/gnutls | 8 ++-- lfs/libtasn1 | 10 ++-- lfs/{libarchive => libunistring} | 17 ++++--- make.sh | 3 +- 10 files changed, 74 insertions(+), 22 deletions(-) create mode 100644 config/rootfiles/common/libunistring copy config/rootfiles/{oldcore/110 => core/197}/filelists/gnutls (100%) copy config/rootfiles/{oldcore/160 => core/197}/filelists/libtasn1 (100%) create mode 120000 config/rootfiles/core/197/filelists/libunistring copy lfs/{libarchive => libunistring} (90%) Difference in files: diff --git a/config/rootfiles/common/gnutls b/config/rootfiles/common/gnutls index 4f496435f..824631734 100644 --- a/config/rootfiles/common/gnutls +++ b/config/rootfiles/common/gnutls @@ -32,7 +32,7 @@ usr/lib/libgnutls-dane.so.0.4.1 #usr/lib/libgnutls.la #usr/lib/libgnutls.so usr/lib/libgnutls.so.30 -usr/lib/libgnutls.so.30.40.2 +usr/lib/libgnutls.so.30.40.3 #usr/lib/libgnutlsxx.la #usr/lib/libgnutlsxx.so usr/lib/libgnutlsxx.so.30 
diff --git a/config/rootfiles/common/libtasn1 b/config/rootfiles/common/libtasn1 index 87fd4ce5f..fad23cf03 100644 --- a/config/rootfiles/common/libtasn1 +++ b/config/rootfiles/common/libtasn1 @@ -5,7 +5,7 @@ #usr/lib/libtasn1.la #usr/lib/libtasn1.so usr/lib/libtasn1.so.6 -usr/lib/libtasn1.so.6.6.3 +usr/lib/libtasn1.so.6.6.4 #usr/lib/pkgconfig/libtasn1.pc #usr/share/info/libtasn1.info #usr/share/man/man1/asn1Coding.1 diff --git a/config/rootfiles/common/libunistring b/config/rootfiles/common/libunistring new file mode 100644 index 000000000..0811a695d --- /dev/null +++ b/config/rootfiles/common/libunistring 
@@ -0,0 +1,53 @@ +#usr/include/unicase.h +#usr/include/uniconv.h +#usr/include/unictype.h +#usr/include/unigbrk.h +#usr/include/unilbrk.h +#usr/include/unimetadata.h +#usr/include/uniname.h +#usr/include/uninorm.h +#usr/include/unistdio.h +#usr/include/unistr.h +#usr/include/unistring +#usr/include/unistring/cdefs.h +#usr/include/unistring/iconveh.h +#usr/include/unistring/inline.h +#usr/include/unistring/localcharset.h +#usr/include/unistring/stdint.h +#usr/include/unistring/version.h +#usr/include/unistring/woe32dll.h +#usr/include/unitypes.h +#usr/include/uniwbrk.h +#usr/include/uniwidth.h +#usr/lib/libunistring.la +#usr/lib/libunistring.so +usr/lib/libunistring.so.5 +usr/lib/libunistring.so.5.2.0 +#usr/share/doc/libunistring +#usr/share/doc/libunistring/libunistring_1.html +#usr/share/doc/libunistring/libunistring_10.html +#usr/share/doc/libunistring/libunistring_11.html +#usr/share/doc/libunistring/libunistring_12.html +#usr/share/doc/libunistring/libunistring_13.html +#usr/share/doc/libunistring/libunistring_14.html +#usr/share/doc/libunistring/libunistring_15.html +#usr/share/doc/libunistring/libunistring_16.html +#usr/share/doc/libunistring/libunistring_17.html +#usr/share/doc/libunistring/libunistring_18.html +#usr/share/doc/libunistring/libunistring_19.html +#usr/share/doc/libunistring/libunistring_2.html +#usr/share/doc/libunistring/libunistring_20.html +#usr/share/doc/libunistring/libunistring_21.html +#usr/share/doc/libunistring/libunistring_22.html +#usr/share/doc/libunistring/libunistring_23.html +#usr/share/doc/libunistring/libunistring_3.html +#usr/share/doc/libunistring/libunistring_4.html +#usr/share/doc/libunistring/libunistring_5.html +#usr/share/doc/libunistring/libunistring_6.html +#usr/share/doc/libunistring/libunistring_7.html +#usr/share/doc/libunistring/libunistring_8.html +#usr/share/doc/libunistring/libunistring_9.html +#usr/share/doc/libunistring/libunistring_abt.html +#usr/share/doc/libunistring/libunistring_fot.html 
+#usr/share/doc/libunistring/libunistring_toc.html +#usr/share/info/libunistring.info diff --git a/config/rootfiles/core/197/filelists/gnutls b/config/rootfiles/core/197/filelists/gnutls new file mode 120000 index 000000000..8dbe60bc3 --- /dev/null +++ b/config/rootfiles/core/197/filelists/gnutls @@ -0,0 +1 @@ +../../../common/gnutls \ No newline at end of file diff --git a/config/rootfiles/core/197/filelists/libtasn1 b/config/rootfiles/core/197/filelists/libtasn1 new file mode 120000 index 000000000..b6297f1fe --- /dev/null +++ b/config/rootfiles/core/197/filelists/libtasn1 @@ -0,0 +1 @@ +../../../common/libtasn1 \ No newline at end of file diff --git a/config/rootfiles/core/197/filelists/libunistring b/config/rootfiles/core/197/filelists/libunistring new file mode 120000 index 000000000..9a892f438 --- /dev/null +++ b/config/rootfiles/core/197/filelists/libunistring @@ -0,0 +1 @@ +../../../common/libunistring \ No newline at end of file diff --git a/lfs/gnutls b/lfs/gnutls index ad8269338..cc5b255fb 100644 --- a/lfs/gnutls +++ b/lfs/gnutls @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2024 IPFire Team # +# Copyright (C) 2007-2025 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 3.8.8 +VER = 3.8.9 THISAPP = gnutls-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = d1498b0b9f14789599fd5b984d5370b632611f2702e9f4fc504ddba2a3e0dd4137bec858eb6150d031f9f50e6b3a3a7d905864f0a9f50a1f01e5ea8f37a44ba8 +$(DL_FILE)_BLAKE2 = 0fd4751e24649a9c4b8ee7616350a4b6a504ec10b3ef39b450af25abc4935f30df9e8f732435166516f89c692ac7cb7a0aafb76c4c86c1faff53119840d26ae7 install : $(TARGET) 
@@ -73,8 +73,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && \ ./configure \ --prefix=/usr \ - --with-included-libtasn1 \ - --with-included-unistring \ --without-p11-kit \ --disable-openssl-compatibility \ --disable-guile diff --git a/lfs/libtasn1 b/lfs/libtasn1 index 86c436306..aeb3c8b87 100644 --- a/lfs/libtasn1 +++ b/lfs/libtasn1 @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team # +# Copyright (C) 2007-2024 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 4.19.0 +VER = 4.20.0 THISAPP = libtasn1-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -42,7 +42,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 6e8232590cd87da3bfd9182ed44eccdfbdfcc85e88d8cf19fffdb3d600e04694b77079b95bbd822d2c3fff29458ddae0f0440f9c1c19c711923a2507bd19270f +$(DL_FILE)_BLAKE2 = 3219b48e691abd7f6f4e32164ab708bc7c29832a2a7669aa03751d4a519dffb78d5a5f94530a3f35cd6516b39400da9e634d7f46245ab934465c305a1d387561 install : $(TARGET) @@ -74,8 +74,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) $(UPDATE_AUTOMAKE) cd $(DIR_APP) && ./configure \ - --prefix=/usr \ - --disable-static + --prefix=/usr \ + --disable-static cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install @rm -rf $(DIR_APP) diff --git a/lfs/libunistring b/lfs/libunistring new file mode 100644 index 000000000..1ea398d39 --- /dev/null +++ b/lfs/libunistring 
@@ -0,0 +1,82 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2025 IPFire Team # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### + +############################################################################### +# Definitions +############################################################################### + +include Config + +VER = 1.3 + +THISAPP = libunistring-$(VER) +DL_FILE = $(THISAPP).tar.xz +DL_FROM = $(URL_IPFIRE) +DIR_APP = $(DIR_SRC)/$(THISAPP) +TARGET = $(DIR_INFO)/$(THISAPP) + +CFLAGS += -fcommon + +############################################################################### +# Top-level Rules +############################################################################### + +objects = $(DL_FILE) + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_BLAKE2 = 213d24ea4ba5e960a030bd83fc1b6c9d9a5e33d63ade8874e2a15d1b7a0acbe4b2d03df18065f6c17f01bfed94f7e70ef474e713f5c5ad2375cf2438457b0379 + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +b2 : $(subst %,%_BLAKE2,$(objects)) + +############################################################################### +# Downloading, checking, b2sum 
+############################################################################### + +$(patsubst %,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_BLAKE2,$(objects)) : + @$(B2SUM) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) + $(UPDATE_AUTOMAKE) + cd $(DIR_APP) && ./configure \ + --prefix=/usr \ + --disable-static + cd $(DIR_APP) && make $(MAKETUNING) + cd $(DIR_APP) && make install + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/make.sh b/make.sh index 486937997..1bcb4f42c 100755 --- a/make.sh +++ b/make.sh @@ -1535,6 +1535,8 @@ build_system() { lfsmake2 apr lfsmake2 aprutil lfsmake2 unbound + lfsmake2 libtasn1 + lfsmake2 libunistring lfsmake2 gnutls lfsmake2 libuv lfsmake2 liburcu @@ -1665,7 +1667,6 @@ build_system() { lfsmake2 mandoc lfsmake2 efivar lfsmake2 efibootmgr - lfsmake2 libtasn1 lfsmake2 p11-kit lfsmake2 ca-certificates lfsmake2 fireinfo hooks/post-receive -- IPFire 2.x development tree
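
Review bot: In the lfs/gnutls configure hunk (@@ -73,8 +73,6), `--disable-guile` is still passed as an unchanged context line, although the commit message for 9af3d99a says the option was removed because gnutls no longer recognises it. Either drop the line in this hunk or correct the message; an autoconf configure script normally only warns about an unrecognised option, so the mismatch will not fail the build and is easy to miss. With `--with-included-libtasn1` and `--with-included-unistring` removed, it is also worth confirming in the build log that configure picked up the system libtasn1 4.20.0 and libunistring 1.3, since that linkage is the point of the change.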
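
Review bot: The copyright line in the lfs/libtasn1 header hunk (@@ -1,7 +1,7) is bumped to `2007-2024`, but the commit is dated July 2025, and lfs/gnutls and the new lfs/libunistring in the same push both carry `2007-2025`. Use 2025 here as well so the three files touched together stay consistent.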
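
Review bot: `CFLAGS += -fcommon` in the Definitions block of the new lfs/libunistring has no stated reason, and the summary lists this file as a 90% copy of lfs/libarchive, so the flag looks inherited from the template rather than chosen for this package. -fcommon lets duplicate tentative definitions of a global variable link without an error, which hides a class of bugs; drop it if libunistring 1.3 builds without it, or add a comment saying why it is needed.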
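
Review bot: The rootfile hunks for config/rootfiles/common/gnutls and config/rootfiles/common/libtasn1 replace `usr/lib/libgnutls.so.30.40.2` with `usr/lib/libgnutls.so.30.40.3` and `usr/lib/libtasn1.so.6.6.3` with `usr/lib/libtasn1.so.6.6.4`, but none of the 10 files in this push is a Core Update 197 update script, so nothing visible here removes the old versioned files on systems that upgrade. Please confirm that the core197 update deletes them, so the libtasn1 build affected by CVE-2024-12133 does not stay on disk, and that the linker cache is refreshed once the newly shipped `usr/lib/libunistring.so.5` is installed.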
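
Review bot: In the first make.sh hunk (@@ -1535,6 +1535,8), placing `lfsmake2 libtasn1` and `lfsmake2 libunistring` directly before `lfsmake2 gnutls` is now a required build order, because lfs/gnutls no longer passes the `--with-included-*` options, yet nothing in make.sh records that. A one-line comment above the two added lines would keep a later reorder from undoing this change. The second hunk is fine as it stands: `lfsmake2 p11-kit` still runs after libtasn1 has been built.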