commit 465f1e2328cb37cd8ee5dba7fc9cb47dec9f5ce7
Author: Vincent Li
Date: Thu May 15 21:28:01 2025 +0000

    Perl: add Net-ISP-Balance addon

    Perl Net-ISP-Balance can be used for ISP Internet connection load balancing [0], it depends on Net-Netmask module.

    [0]: https://lstein.github.io/Net-ISP-Balance/

    Signed-off-by: Vincent Li

5 files changed, 214 insertions(+)

commit 3b672339ef023aac519c1cc753202158987241d0
Author: Vincent Li
Date: Thu May 15 19:30:25 2025 +0000

    keepalived: remove keepalived.conf.sample

    keepalived configuration is moved to /var/ipfire/keepalived

    fix: https://github.com/vincentmli/BPFire/issues/92

    Reported-by: Harvey Li
    Signed-off-by: Vincent Li

1 file changed, 1 deletion(-)

commit 33f4a2b1b14ca66d8f03eeb65d345f7bb0464443
Author: Vincent Li
Date: Thu May 15 19:25:02 2025 +0000

    haproxy: remove /etc/haproxy/haproxy.cfg

    remove /etc/haproxy/haproxy.cfg since lfs/haproxy installed haproxy.cfg to /var/ipfire/haproxy

    fix: https://github.com/vincentmli/BPFire/issues/92

    Reported-by: Harvey Li
    Signed-off-by: Vincent Li

1 file changed, 1 deletion(-)

commit 0879d828a7efd99c72f87f5f3b8432ea769d3a62
Author: Vincent Li
Date: Wed May 14 21:24:34 2025 +0000

    README: use TLS url for bpfire.net

1 file changed, 1 insertion(+), 1 deletion(-)

commit 1726f3bd3bc0fae5e822d03052310e74dece7fb9
Author: Vincent Li
Date: Wed May 14 20:53:17 2025 +0000

    strace: sync strace 6.12 upgrade from ipfire

    sync strace upgrade from ipfire strace 6.12

    fix: https://github.com/vincentmli/BPFire/issues/90

    Reported-by: Harvey Li
    Signed-off-by: Vincent Li

1 file changed, 6 insertions(+), 4 deletions(-)

commit 18ec4f2b8776db9f5c1e308b1e2d3b323bf2f541
Author: Vincent Li
Date: Wed May 14 20:32:07 2025 +0000

    udev: sync update from ipfire

    commit d19b71301d08db94341eae1d62500a928a8f6712
    Author: Arne Fitzenreiter
    Date: Thu Dec 26 10:19:20 2024 +0100

    udev: patch to handle pidfs and bcachefs

    this is needed to build udev with kernel 6.12 headers
    Signed-off-by: Arne Fitzenreiter

    fix: https://github.com/vincentmli/BPFire/issues/89

    Reported-by: Harvey Li
    Signed-off-by: Vincent Li

2 files changed, 20 insertions(+)

commit 93a5a7af7b0dd00a43eee6afba1dd8ae42d887ed
Author: Vincent Li
Date: Mon May 12 21:37:47 2025 +0000

    xdp-tools: rebased on upstream 1.5.4

    included recent changes:
    1 fix for xdp-dns for [0]
    2 tc-loader to load tc ebpf program

    [0]: https://github.com/vincentmli/BPFire/issues/87

    Signed-off-by: Vincent Li

2 files changed, 6 insertions(+), 4 deletions(-)

commit 25421aed06b7e1e229afd4ea5ae5342e29eaf518
Author: Vincent Li
Date: Sat May 10 03:35:08 2025 +0000

    logo: add missing bpfire logo

    commit f89feeb19 "kernel: use BPFire logo in kernel" replaced ipfire logo with bpfire logo, but forgot to add the bpfire logo file and remove the ipfire logo file

    Signed-off-by: Vincent Li

2 files changed, 883 insertions(+), 15124 deletions(-)

commit c25bc27049b77c853bc4175f1eca31adcfe26cee
Author: Vincent Li
Date: Mon May 5 03:36:44 2025 +0000

    dnsdist: upgrade to 1.9.9

    Signed-off-by: Vincent Li

1 file changed, 2 insertions(+), 2 deletions(-)

commit 58e92cbb361d33fdbfee76763c13cd592c8ef192
Author: Vincent Li
Date: Tue Apr 29 19:46:01 2025 +0000

    loxilb: upgrade to 0.9.8.3

    Signed-off-by: Vincent Li

1 file changed, 3 insertions(+), 3 deletions(-)

commit 8af09f38e00979ff2970104b6b1a731ea2d55679
Author: Vincent Li
Date: Sat Apr 26 16:21:25 2025 +0000

    README: update README

    Signed-off-by: Vincent Li

2 files changed, 29 insertions(+), 20 deletions(-)

commit e2856c1c7e2b1d336be324ea78edf8c9e64777a3
Author: Vincent Li
Date: Mon Mar 3 17:16:06 2025 +0000

    loxilb-tc: remove loxilb-tc

    loxilb 0.9.8 load tc BPF program through libbpf so iproute tc utility is not needed.
    Signed-off-by: Vincent Li

3 files changed, 82 deletions(-)

commit 83cf08dfa0f71e06690b7315cc216b58967ed134
Author: Vincent Li
Date: Mon Mar 3 17:11:34 2025 +0000

    loxilb: upgrade loxilb to 0.9.8.1

    0.9.8.1 release workaround linux kernel 6.12 bpf verifier issue.

    git clone --recurse-submodules --branch v0.9.8.1 https://github.com/loxilb-io/loxilb.git
    cd loxilb
    go mod vendor
    cd ..
    mv loxilb loxilb-0.9.8.1
    tar czvf loxilb-0.9.8.1.tar.gz loxilb-0.9.8.1

    see https://github.com/loxilb-io/loxilb/issues/953

    Signed-off-by: Vincent Li

1 file changed, 2 insertions(+), 2 deletions(-)

commit 0e2047f0808e78ae78617b10ff9c25a3e9e78bbf
Author: Vincent Li
Date: Sun Feb 23 04:36:14 2025 +0000

    linux: enable bootparam hardlockup/softlockup

    Signed-off-by: Vincent Li

2 files changed, 4 insertions(+), 4 deletions(-)

commit 1cbd76f7185e95ea18fc57813aecdbf94cca5d2b
Author: Vincent Li
Date: Tue Feb 11 23:44:14 2025 +0000

    linux: upgrade kernel to 6.12.5

    loxilb dev branch has fix for kernel 6.12. now we can upgrade kernel to 6.12.5

    Signed-off-by: Vincent Li

1 file changed, 2 insertions(+), 2 deletions(-)

commit fe2ad5da663e26545eb2148de06cfd21aaa1dfc2
Author: Vincent Li
Date: Tue Feb 11 23:39:21 2025 +0000

    loxilb: upgrade to loxilb dev main branch

    test out the new loxilb with fix for kernel 6.12 issue

    git clone --recurse-submodules https://github.com/loxilb-io/loxilb.git
    mv loxilb loxilb-0.9.9
    tar czvf loxilb-0.9.9.tar.gz loxilb-0.9.9
    mv loxilb-0.9.9.tar.gz /cache

    Signed-off-by: Vincent Li

1 file changed, 2 insertions(+), 2 deletions(-)

commit f3881747be870cd84be78ae56c3c2f5ff0a2f86f
Author: Vincent Li
Date: Mon Feb 10 17:40:11 2025 +0000

    loxilb: change default loxilb firewall setting

    loxilb 0.9.8 requires --egress flag for firewall rule to masquerade/SNAT GREEN network source IP for Internet access. to access host in RED network another firewall rule is required. see [0].

    [0]: https://github.com/loxilb-io/loxilb/issues/957
    Signed-off-by: Vincent Li

1 file changed, 1 insertion(+), 1 deletion(-)

commit 2daee785d49c2699da3e154497beeb127db811dd
Author: Vincent Li
Date: Tue Feb 4 17:07:13 2025 +0000

    lunatik: remove lunatik

    Signed-off-by: Vincent Li

3 files changed, 54 deletions(-)

commit 064136634c8c2f2291e6090713e2eee819e973be
Author: Vincent Li
Date: Tue Feb 4 16:56:51 2025 +0000

    linux: downgrade kernel to 6.10.11

    workaround https://github.com/vincentmli/BPFire/issues/75

    Signed-off-by: Vincent Li

1 file changed, 2 insertions(+), 2 deletions(-)

commit b040fb1c8aa7e0852919ec4c66b0480958876575
Author: Vincent Li
Date: Tue Feb 4 16:47:07 2025 +0000

    llvm-project: upgrade to 19.1.7

    Signed-off-by: Vincent Li

1 file changed, 2 insertions(+), 2 deletions(-)

commit 4e9bff5b577f78edf6606ddb2711c91b4a39b2c8
Author: Vincent Li
Date: Wed Jan 29 19:23:55 2025 +0000

    loxicmd: upgrade loxicmd to 0.9.8

    git clone --branch v0.9.8 https://github.com/loxilb-io/loxicmd.git
    cd loxicmd
    go mod vendor
    cd ..
    mv loxicmd loxicmd-0.9.8
    tar czvf loxicmd-0.9.8.tar.gz loxicmd-0.9.8

    Signed-off-by: Vincent Li

1 file changed, 3 insertions(+), 3 deletions(-)

commit 017a03c86bbaf1d23f6dacc0e2455e3226151521
Author: Vincent Li
Date: Tue Jan 28 19:14:49 2025 +0000

    loxilb: upgrade loxilb to 0.9.8

    when upgrading loxilb to 0.9.7, running into issue https://github.com/loxilb-io/loxilb/issues/948

    following method to prepare the loxilb source tar ball resolves the issue

    git clone --recurse-submodules --branch v0.9.8 https://github.com/loxilb-io/loxilb.git
    cd loxilb
    go mod vendor
    cd ..
    mv loxilb loxilb-0.9.8
    tar zcvf loxilb-0.9.8.tar.gz loxilb-0.9.8
    mv loxilb-0.9.8.tar.gz /cache/

    fix: https://github.com/vincentmli/BPFire/issues/74

    also backported libbpf 1.2.3 loongarch64 to libbpf 0.8 for loxilb
    Signed-off-by: Vincent Li

1 file changed, 3 insertions(+), 2 deletions(-)

commit bad31e01b91ed2e6f6e690066e33e1516d233d53
Author: Vincent Li
Date: Sun Jan 12 03:42:49 2025 +0000

    xdp-tools: xdpsni/xdpdns init bpf path argument

    now x86 and loongarch64 share same user space xdp_sni xdp_dns program with path argument to bpf map, change xdpsni and xdpdns init script with bpf path argument.

    Signed-off-by: Vincent Li

2 files changed, 4 insertions(+), 4 deletions(-)

commit 17d49c9d641bf292c560fc2ab293267a81f68fd8
Author: Vincent Li
Date: Thu Jan 2 18:11:19 2025 +0000

    linux: upgrade kernel to 6.12.5

    Signed-off-by: Vincent Li

1 file changed, 4 insertions(+), 4 deletions(-)

commit 0ba17ebe5d0583f49f4431f8128e0c938e9e4739
Author: Vincent Li
Date: Tue Dec 3 03:44:14 2024 +0000

    lfs/linux: perf tool install missed

    perf tool is built along with Linux, but missed to install the perf tool in image

    fix: https://github.com/vincentmli/BPFire/issues/65

    Signed-off-by: Vincent Li

1 file changed, 1 insertion(+)

commit 1bfeb4b322eb40a5f45e3e13cb1068ce14a51eb9
Author: Vincent Li
Date: Tue Dec 3 02:44:14 2024 +0000

    lfs/linux: enable CONFIG_FPROBE for multi kprobe

    pwru is an utility to trouble shoot network issue, and to speed up pwru kprobe attachment, kernel needs to have CONFIG_FPROBE.

    running pwru also result in:

    Opening kprobe-multi: invalid argument \
    (missing kernel symbol or prog's AttachType not AttachTraceKprobeMulti?)

    need following to avoid above invalid argument

    echo -1 > /proc/sys/kernel/perf_event_paranoid
    echo 0 > /proc/sys/kernel/kptr_restrict

    see https://github.com/cilium/pwru/issues/460
    Signed-off-by: Vincent Li

1 file changed, 1 insertion(+)

commit 09c182c75a4a5a0a8a3ce649ac5a078713ee445c
Author: Vincent Li
Date: Tue Nov 26 03:21:15 2024 +0000

    xdp-tools: XDP UDP DDoS for online game protection

    UDP DDoS has pattern of flooding game server with random source IP and UDP with random payload. game server UDP traffic requires certain payload pattern, so this XDP program can serve as example to stop UDP DDoS attack with UDP payload that does not match game UDP traffic payload pattern.

    without UDP DDoS protection, under DDoS attack:
    BPFire UI RED Traffic: in 9xx Mbit/s.

    with UDP DDoS protection, under DDoS attack:
    BPFire UI RED Traffic: in 1xx Mbit/s.

    Tested-by: Muhammad Haikal
    Signed-off-by: Vincent Li

2 files changed, 2 insertions(+), 1 deletion(-)

commit db7b863fa44fe11ab23aa5d03d186b9780089f57
Author: Vincent Li
Date: Thu Nov 14 20:29:09 2024 +0000

    README: add image download link and discord

    Signed-off-by: Vincent Li

1 file changed, 12 insertions(+), 21 deletions(-)

commit 92324f8cbd8f92b67b80eb2d30dabd9e39dbd773
Author: Vincent Li
Date: Thu Nov 14 18:30:29 2024 +0000

    ddos: set net.ipv4.tcp_syncookies to 1

    set tcp_syncookies to 1 along with iptables SYNPROXY module reduce latency, this improves situation when XDP acceleration is not enabled and just let iptables SYNPROXY handles SYN flood attack, see [0]

    [0]: https://bugzilla.kernel.org/show_bug.cgi?id=219500

    Signed-off-by: Vincent Li

1 file changed, 1 insertion(+), 1 deletion(-)

commit eac34c42100b814be8b771439af199b96fe1f875
Author: Vincent Li
Date: Tue Nov 12 02:08:28 2024 +0000

    ddos: disable XDP SYNACK window scale option

    disable window scaling for XDP generated SYNACK in ddos script by default
    Signed-off-by: Vincent Li

1 file changed, 7 insertions(+), 3 deletions(-)

commit 5de3f44cc7c904bb66b2dc0068f1e98f75e7f21c
Author: Vincent Li
Date: Sun Nov 10 20:25:04 2024 +0000

    xdp-synproxy: enable or disable window scaling

    XDP generated SYNACK tcp options with window scaling and timestamp could intermittently cause small packet transmission on DDoS protected server. allow user to disable window scaling when such problem occurs. see [0]

    [0]: https://github.com/vincentmli/xdp-tools/issues/7

    Reported-by: DNSPROXY.ORG LLC
    Signed-off-by: Vincent Li

1 file changed, 1 insertion(+), 1 deletion(-)

commit 20c65fa4ec8e0476a709f1b00fce8b012030ca65
Author: Vincent Li
Date: Wed Nov 6 20:28:40 2024 +0000

    kernel: enable signature force config

    Kernel module signature force is disabled for lunatik kernel module build, enable it for now.

    Signed-off-by: Vincent Li

1 file changed, 1 insertion(+), 1 deletion(-)

commit 30d6e75af19c7d6ac8ec4591290fd16baca07b19
Author: Vincent Li
Date: Fri Nov 1 02:28:19 2024 +0000

    haproxy: add HAProxy UI draft patch

    Signed-off-by: Vincent Li

1 file changed, 289 insertions(+)

commit d94f83d1bf4035d1e4299c96a381f1f288c98c37
Author: Vincent Li
Date: Wed Oct 30 17:42:01 2024 +0000

    haproxy: add safe call to haproxy init script

    Signed-off-by: Vincent Li

2 files changed, 44 insertions(+), 1 deletion(-)

commit 0a726a99ac6ba8f41f495c7fdfbe0f3c52dee78a
Author: Vincent Li
Date: Sun Oct 27 01:21:55 2024 +0000

    haproxy: move haproxy to core package

    move haproxy to core package

    prepare /var/ipfire/haproxy for haproxy UI, use /var/ipfire/haproxy/haproxy.cfg
    Signed-off-by: Vincent Li

6 files changed, 21 insertions(+), 7 deletions(-)

commit a600787c67a8489cd7495db907e20d3688c96717
Author: Vincent Li
Date: Fri Oct 25 20:35:33 2024 +0000

    xdp-synproxy: drop IP don't fragment check

    When XDP DDoS syncookie program is attached to red0 interface, green network client internet connection to website like gmail/youtube... failed. it is because these sites does not have IP DF flag set for each tcp packet, and syncookie_xdp program would drop these packets when they arrived at red0 interface.

    see https://github.com/vincentmli/BPFire/issues/59

    Signed-off-by: Vincent Li

1 file changed, 1 insertion(+), 1 deletion(-)

commit b935dd5b1d71214c5856a611361613f90c61da6f
Author: Vincent Li
Date: Tue Oct 22 18:07:33 2024 +0000

    xdp-sni UI: allow UI to enable/disable XDP SNI

    Signed-off-by: Vincent Li

1 file changed, 1 insertion(+), 1 deletion(-)

commit 25da9eb46708d352e647a91875c1cf2d2b920518
Author: Vincent Li
Date: Tue Oct 22 18:06:01 2024 +0000

    ddos: Load/Attach XDP DDoS when reboot

    fix: https://github.com/vincentmli/BPFire/issues/58

    Signed-off-by: Vincent Li

2 files changed, 2 insertions(+)

commit eadd07412266d2480fc7740b6141a0056db1f181
Author: Vincent Li
Date: Fri Oct 18 20:04:35 2024 +0000

    README: add Suricata multi XDP attachment support
    Signed-off-by: Vincent Li

1 file changed, 2 insertions(+), 1 deletion(-)

commit 8b29912521946d529abd6e324a37ec40766f60ba
Author: Vincent Li
Date: Fri Oct 18 17:11:43 2024 +0000

    suricata-xdp: resolve memlock and stack smashing

    suricata XDP support requires xdp-tools with libbpf 1.4 to resolve stack smash issue. also workaround memlock operation not permitted by running suricata as root since load/attach XDP program requires root privilege anyway.

    see: https://github.com/vincentmli/BPFire/issues/54

    Usage scenario:

    since suricata IPS XDP capture mode works as layer 2 bridge, BPFire netfilter firewall, NAT IP route will be bypassed. no IP address should be assigned to red0 and green0 interface.

    172.16.1.0/24 inline 172.16.1.0/24
    red network<-->red0(xdp)<-->green0(xdp)<-->green network

    we can run setup command to assign IP/Mask 0.0.0.0/0.0.0.0 to red0 and green0, then reboot BPFire, BPFire DHCP will stop working after reboot. green network client can get DHCP IP from upstream dhcp server.

    start suricata manually

    suricata -c /etc/suricata/suricata-xdp.yaml --af-packet

    xdp_filter.bpf program will be attached to red0 and green0 interface

    not sure if we should add GUI for suricata XDP capture mode since this is not common use case.

    Signed-off-by: Vincent Li

3 files changed, 5 insertions(+), 5 deletions(-)

commit 3e17c7b30b24affc6353909ef83a6bba0359a195
Author: Vincent Li
Date: Fri Oct 18 17:10:04 2024 +0000

    xdp-tools: build xdp-tools with libbpf 1.4.6

    Signed-off-by: Vincent Li

1 file changed, 2 insertions(+), 1 deletion(-)

commit 40c097ff8a9491376046ff646c326a3b86183c36
Author: Vincent Li
Date: Fri Oct 18 16:06:36 2024 +0000

    libbpf: upgrade to 1.4.6

    xdp-tools libxdp requires libbpf 1.4.0 and above to fix stack smashing issue.

    see: https://github.com/xdp-project/xdp-tools/issues/446
    Signed-off-by: Vincent Li

2 files changed, 3 insertions(+), 3 deletions(-)

commit 1eceb143ed27a745f95d1b6b1a3e0731f752fd1c
Author: Vincent Li
Date: Thu Oct 17 02:11:19 2024 +0000

    suricata: add suricata ebpf xdp capture mode

    Signed-off-by: Vincent Li

3 files changed, 1066 insertions(+), 3 deletions(-)

commit f689a70b7ebb963f9a1fe645a43623940fbeee37
Author: Vincent Li
Date: Tue Oct 15 15:25:50 2024 +0000

    Revert "Revert "lunatik: 'bpf_luaxdp_run': BTF not found in kernel""

    This reverts commit 0e29b7370312f228bb8e7b1cf9a1e0a1dc1d7c75.

    switch to libbpf 1.3

2 files changed, 6 insertions(+), 5 deletions(-)

commit 88e5d0aba73b36a06bebb6511c3598dbf6e20bc0
Author: Vincent Li
Date: Sun Oct 13 22:17:54 2024 +0000

    xdp-geoip: move location block sub menu to BPFire

    Signed-off-by: Vincent Li

4 files changed, 9 insertions(+), 9 deletions(-)

commit 8d6014683fd4b572a62fc387a4870e03e560ab7f
Author: Vincent Li
Date: Sun Oct 13 20:45:24 2024 +0000

    xdp-geoip: safe call to xdpgeoip init script

    Signed-off-by: Vincent Li

4 files changed, 49 insertions(+), 1 deletion(-)

commit 9c28bd419d9570d0c62f3b3c86ba6c030ab8ab08
Author: Vincent Li
Date: Sun Oct 13 20:35:44 2024 +0000

    xdp-geoip: Add XDP GeoIP location init

    Add XDP GeoIP country/region location block init script

    Signed-off-by: Vincent Li

4 files changed, 112 insertions(+)

commit 1bf1cdc1909ebf52d2014dd2559ba0d83950b9f8
Author: Vincent Li
Date: Sun Oct 13 02:10:50 2024 +0000

    xdp-geoip UI: location block ipset to XDP

    change location-block UI from calling ipset to calling xdp_geoip to update geoip_map bpf map.

    see https://github.com/vincentmli/BPFire/issues/53

    Signed-off-by: Vincent Li

3 files changed, 75 insertions(+), 20 deletions(-)

commit 86a9264a25e0e121e137b29b898fc3c3f718d610
Author: Vincent Li
Date: Sat Oct 12 18:49:01 2024 +0000

    xdp-geoip: add XDP GeoIP program

    Add XDP GeoIP program to do location IP block in XDP.
    Signed-off-by: Vincent Li

2 files changed, 3 insertions(+), 1 deletion(-)

commit f204528cf4ffd88724777bea8ae1c0f635ca6e4f
Author: Vincent Li
Date: Sat Oct 12 04:44:41 2024 +0000

    README: Add XDP GeoIP/Country blocklist

    Vincent Li

1 file changed, 4 insertions(+), 1 deletion(-)

commit b21febe3e13df93199cf02d4a63612a0c5e98103
Author: Vincent Li
Date: Wed Oct 9 20:38:13 2024 +0000

    xdp-sni UI: XDP TLS/SSL SNI UI management

    XDP TLS/SSL SNI UI to manage the web blocklist

    Signed-off-by: Vincent Li

5 files changed, 452 insertions(+)

commit a118df606066394a822360090c50e48817b918f1
Author: Vincent Li
Date: Wed Oct 9 02:48:38 2024 +0000

    xdp-sni: switch LPM trie map to hash map

    switch xdp_sni.bpf.o LPM trie map to hash map to reduce code complexity and avoid verifier error

    now need to add domain and its sub domain to hash map to block each domain and its sub domain site.

    Signed-off-by: Vincent Li

1 file changed, 1 insertion(+), 1 deletion(-)

commit 5db52b1717ffc901368557b7217220a04ff2a8fc
Author: Vincent Li
Date: Tue Oct 8 18:13:50 2024 +0000

    xdp-sni UI: XDP TLS/SSL SNI log view from UI

    Signed-off-by: Vincent Li

Date: Tue Oct 8 17:41:17 2024 +0000

    xdp-sni: safe call wrapper program to xdpsni init

    safe call wrapper program to xdpsni init script for UI to call

    Signed-off-by: Vincent Li

3 files changed, 42 insertions(+), 1 deletion(-)

commit 34f9da85dd7760650bacf035788f7c7534f2770e
Author: Vincent Li
Date: Tue Oct 8 02:21:17 2024 +0000

    xdp-sni: add XDP TLS SNI init script xdpsni

    add xdpsni init script and enable XDP TLS SNI by default on first boot and reboot.

    Signed-off-by: Vincent Li

7 files changed, 107 insertions(+), 2 deletions(-)

commit d334d39e3f7849bf6e36816dd0ed3060398629a8
Author: Vincent Li
Date: Mon Oct 7 22:23:27 2024 +0000

    xdp-sni: add XDP TLS SNI logging

    add XDP TLS SNI logging with bpf ringbuf

    drop xdp_sni.bpf.o reverse_string due to bpf verifier complaining program is too large.
    Signed-off-by: Vincent Li

2 files changed, 2 insertions(+), 1 deletion(-)

commit 07c6172576e2e988d0e58958cf1ea455673c8d3a
Author: Vincent Li
Date: Mon Oct 7 00:24:06 2024 +0000

    xdp-dns: missing xdpdns-settings and domainfile

    add the missing config/cfgroot/xdpdns-settings file and use ENABLE_DNSBLOCK=on by default, so XDP DNS Blocklist is enabled by default. also add domainfile so when BPFire reboot first time and when xdpdns init startup, it will not complain missing domainfile

    Signed-off-by: Vincent Li

2 files changed, 2 insertions(+), 1 deletion(-)

commit 4d6f8d68a37ca4219e0994ffb5d74a964127ed0b
Author: Vincent Li
Date: Sat Oct 5 23:08:30 2024 +0000

    xdp-dns UI: change running state check

    Status relies on checking if xdp_dns_log is running, but xdp_dns_log could mysteriously disappear at some point, which result in XDP DNS Blocklist shows Stopped, let /etc/rc.d/init.d/xdpdns status relies on if the xdp_dns_denylist XDP program is still attached to green0 interface.

    two related issues
    https://github.com/vincentmli/BPFire/issues/50
    https://github.com/vincentmli/BPFire/issues/49

    Signed-off-by: Vincent Li

2 files changed, 11 insertions(+), 2 deletions(-)

commit 4c2fd11de2bf7fb0fd6a74aa0407f89c597744cb
Author: Vincent Li
Date: Sat Oct 5 21:35:16 2024 +0000

    xdp-dns UI: rename deny to blocklist

    Signed-off-by: Vincent Li

1 file changed, 1 insertion(+), 1 deletion(-)

commit 8b3cdb2ebe194cefe9b327eb914786535a0c1e42
Author: Vincent Li
Date: Fri Oct 4 20:21:44 2024 +0000

    xdp-tools: fix xdp-dns XDP program byte reverse

    domain name in xdp_dns.bpf.o not reversed properly result in domain name mismatch with domain inserted from user space xdp_dns

    Signed-off-by: Vincent Li

1 file changed, 1 insertion(+), 1 deletion(-)

commit 2c233eac638759053faf10172f6c41b151891b58
Author: Vincent Li
Date: Fri Oct 4 17:48:39 2024 +0000

    xdp-dns log UI: view DNS query log

    allow user to view DNS query logged by xdp_dns_log from UI
    Signed-off-by: Vincent Li

4 files changed, 423 insertions(+)

commit 2f4174b5609b4ec06faa9c058179ae768472e81f
Author: Vincent Li
Date: Fri Oct 4 17:31:12 2024 +0000

    xdp-dns: xdpdns init script to populate denylist

    run xdp_dns in xdpdns init script to populate domain_denylist from domainfile saved from UI. either xdpdns restart or bpfire reboot, the domain_denylist is restored with domain blocklist

    Signed-off-by: Vincent Li

1 file changed, 7 insertions(+)

commit ccf49b110519b575ba3608de94a3cc57b61458d8
Author: Vincent Li
Date: Fri Oct 4 02:52:38 2024 +0000

    xdp-dns: update xdp_dns to correct map

    change xdp_dns to use /sys/fs/bpf/xdp-dns-denylist/domain_denylist

    Signed-off-by: Vincent Li

1 file changed, 1 insertion(+), 1 deletion(-)

commit a1655951168225e1e082ea3eb263108d25227119
Author: Vincent Li
Date: Fri Oct 4 02:47:24 2024 +0000

    xdp-dns: allow UI to run xdp_dns to update map

    Signed-off-by: Vincent Li

1 file changed, 2 insertions(+)

commit cdbaa413646d57140fe33f6cf1b1b2cb06b8ec9b
Author: Vincent Li
Date: Fri Oct 4 02:06:31 2024 +0000

    xdp-dns UI: web interface to add XDP DNS blocklist

    Signed-off-by: Vincent Li

5 files changed, 452 insertions(+)

commit cc8ccb35bf69c89f283f339428bac793a3450241
Author: Vincent Li
Date: Thu Oct 3 17:29:16 2024 +0000

    xdp-dns: enable XDP DNS block when reboot

    if XDP DNS is enabled, and BPFire reboot, XDP DNS program should be attached and DNS query being monitored after reboot.

    Signed-off-by: Vincent Li

2 files changed, 2 insertions(+)

commit 92cd7ca9703a816579a7104031c1341a8d533f99
Author: Vincent Li
Date: Thu Oct 3 00:48:43 2024 +0000

    llvm-project: upgrade to 18.1.0

    xdp_dns.bpf.o failed to load with verifier error program too large, upgrade llvm/clang to 18.1.0 resolves the issue

    fix: https://github.com/vincentmli/BPFire/issues/47
    Signed-off-by: Vincent Li

1 file changed, 2 insertions(+), 2 deletions(-)

commit 13530fa1ef8e342e1fa719037b69ed8a87cf78f1
Author: Vincent Li
Date: Wed Oct 2 20:20:48 2024 +0000

    xdp-tools: remove dns query from xdp-dnsrrl

    also change user space xdp_dns_log program to use map /sys/fs/bpf/xdp-dns-denylist/dns_ringbuf

    Signed-off-by: Vincent Li

1 file changed, 1 insertion(+), 1 deletion(-)

commit f9c82590500358d21b80ba12f0686c2bb860fbbd
Author: Vincent Li
Date: Wed Oct 2 18:28:58 2024 +0000

    Add xdpdnsctrl program for safe execution

    add xdpdnsctrl to start/stop/status XDP program from xdpdns.cgi safely.

    permission of xdpdnsctrl

    chown root.nobody /usr/local/bin/xdpdnsctrl
    chmod u+s /usr/local/bin/xdpdnsctrl

    result:

    -rwsr-x--- 1 root nobody 14672 Mar 19 09:58 /usr/local/bin/xdpdnsctrl

3 files changed, 42 insertions(+), 1 deletion(-)

commit d30a7b2318233088f28b93dec4e5263b91d578f7
Author: Vincent Li
Date: Wed Oct 2 18:19:08 2024 +0000

    xdp-dns: add start/stop init script and settings

    add xdpdns init script to load/unload xdp_dns_denylist program and run xdp_dns_log to log dns query to system log

    rm log/configroot log/initscripts to build image

    Signed-off-by: Vincent Li

4 files changed, 86 insertions(+), 2 deletions(-)

commit 652ab98e1adba29ec89b8e3b1f720af2c5b4f925
Author: Vincent Li
Date: Tue Oct 1 23:42:01 2024 +0000

    xdp-tools: add xdp-dns system logging

    add bpf ringbuf to xdp-dns program and user space program to log DNS query to system log.
    Signed-off-by: Vincent Li

2 files changed, 2 insertions(+), 1 deletion(-)

commit 17d5413bc2fcb07c1a37f6bb5af374aad0b117f4
Author: Vincent Li
Date: Tue Oct 1 00:28:37 2024 +0000

    README: update TLS/SSL SNI blocklist to XDP

    Lunatik sni filter currently does not work for BPFire when chrome browser is used due to clienthello > 1500 bytes, XDP TLS/SSL has the same issue, to block domain access, it appears XDP DNS domain blocking works more reliable than SNI, so if there is need to block chrome browser for some domain, use XDP DNS domain blocking as mitigation.

    see https://github.com/vincentmli/BPFire/issues/40

    Signed-off-by: Vincent Li

1 file changed, 1 insertion(+), 1 deletion(-)

commit c1281a47ea3ec2de4d51af84368e71cea827ea79
Author: Vincent Li
Date: Mon Sep 30 16:28:51 2024 +0000

    lunatik: checksum update

    Signed-off-by: Vincent Li

1 file changed, 1 insertion(+), 1 deletion(-)

commit 32c15c3fe309b5ceabcd8005c8ae8f7d270c0607
Author: Vincent Li
Date: Mon Sep 30 03:24:30 2024 +0000

    xdp-tools: add xdp-sni

    add XDP TLS/SSL SNI parsing

    Signed-off-by: Vincent Li

2 files changed, 3 insertions(+), 1 deletion(-)

commit 781187a6d3a4900e3aa25ff589933280cf02aeac
Author: Selboo
Date: Thu Sep 26 17:33:50 2024 +0800

    Fix: frontend port and backend port displayed in the wrong positions

1 file changed, 2 insertions(+), 2 deletions(-)

commit 2cf44838bfd41c2eac98cd0d8c6bb842aea7ae4f
Author: Vincent Li
Date: Mon Sep 23 23:41:10 2024 +0000

    lfs/linux: install perf tool from linux source

    compile and install perf tool from linux source for performance monitoring.

    change the setting before run perf

    echo -1 > /proc/sys/kernel/perf_event_paranoid
    echo 0 > /proc/sys/kernel/kptr_restrict
    Signed-off-by: Vincent Li

1 file changed, 6 insertions(+)

commit 6f60c4696fd351b3e0dd9ca4ed3de9c111403f2b
Author: Vincent Li
Date: Mon Sep 23 17:56:26 2024 +0000

    lfs/flash-images: missing serial linux command

    Add the missing serial linux command so the flash image can be converted to qcow2, the bpfire qcow2 image can be deployed in KVM virtual environment through serial console installation. for example:

    virsh define BPFire-VM.xml
    virsh start BPFire-VM
    virsh console BPFire-VM

    we will have serial console access to BPFire VM and the installation will start.

    Signed-off-by: Vincent Li

1 file changed, 1 insertion(+)

commit f89feeb1977569a136e0aa4e68bd050c5e03f1cd
Author: Vincent Li
Date: Sat Sep 21 00:31:57 2024 +0000

    kernel: use BPFire logo in kernel

    how to generate logo format:

    apt-get install netpbm

    1 convert png format to ppm format
    pngtopnm bpfire-logo.png > bpfire-logo.ppm

    2 reduce the color count to 224
    ppmquant 224 bpfire-logo.ppm > bpfire-logo-224.ppm

    3 convert ppm raw format to ascii format
    pnmnoraw bpfire-logo-224.ppm > bpfire-logo-ascii.ppm

    cp bpfire-logo-ascii.ppm config/kernel/

    Signed-off-by: Vincent Li

1 file changed, 1 insertion(+), 1 deletion(-)

commit e5ee2e812770433f10251ae8fe94659834269aef
Author: Vincent Li
Date: Fri Sep 20 22:16:18 2024 +0000

    grub2: use bpfire logo in grub2 splash

    Signed-off-by: Vincent Li

1 file changed, 0 insertions(+), 0 deletions(-)

commit 89baa34b8da44d07d72b9a8b88969c7c6c61bb06
Author: Vincent Li
Date: Fri Sep 20 22:13:30 2024 +0000

    Revert "grub: replace ipfire logo with bpfire logo"

    This reverts commit bb773a05d55eed858e947a42c7b0d7ed3051ca16.

    drivers/video/logo/logo_linux_clut224.ppm: Binary PNM is not supported
    Use pnmnoraw(1) to convert it to ASCII PNM
    make[6]: *** [drivers/video/logo/Makefile:31: drivers/video/logo/logo_linux_clut224.c] Error 1
    make[5]: *** [scripts/Makefile.build:485: drivers/video/logo] Error 2
    make[4]: *** [scripts/Makefile.build:485: drivers/video] Error 2
    Signed-off-by: Vincent Li

2 files changed, 0 insertions(+), 0 deletions(-)

commit ecad4000f2eaf10188c2afe21eefbce1c51f2f81
Author: Vincent Li
Date: Fri Sep 20 18:02:46 2024 +0000

    lunatik: change /lib/modules kernel path to 6.10

    whenever compile kernel due to kernel change lunatik needs to be recompiled too since lunatik depends on kernel

    change filter example Makefile to depend on current kernel build version

    diff --git a/examples/filter/Makefile b/examples/filter/Makefile index f7eb0f6d..e30566a2 100644 --- a/examples/filter/Makefile +++ b/examples/filter/Makefile @@ -1,10 +1,12 @@ # SPDX-FileCopyrightText: (c) 2023-2024 Ring Zero Desenvolvimento de Software LTDA # SPDX-License-Identifier: MIT OR GPL-2.0-only +VMLINUX_BTF_PATH = /lib/modules/${shell uname -r}/build + all: vmlinux https.o vmlinux: - bpftool btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.h + bpftool btf dump file $(VMLINUX_BTF_PATH)/vmlinux format c > vmlinux.h

    Signed-off-by: Vincent Li

2 files changed, 19 insertions(+), 19 deletions(-)

commit 1f42b720d05d8fff5cf471f60c38be957db5eee1
Author: Vincent Li
Date: Fri Sep 20 17:56:38 2024 +0000

    kernel: upgrade to 6.10.11

    upgrade kernel to recent stable release 6.10.11

    1, scripts/kconfig/merge_config.sh does not work for 6.10.11
    2, vmlinux BTF binary name changed in 6.10.11
    3, remove rtl8812au for now since it has compiling error
    4, remove 5.15 nfqueue patch since it does not apply cleanly

    also see [0]

    [0]: https://github.com/vincentmli/BPFire/issues/41

    Signed-off-by: Vincent Li

3 files changed, 15 insertions(+), 9 deletions(-)

commit bb773a05d55eed858e947a42c7b0d7ed3051ca16
Author: Vincent Li
Date: Fri Sep 20 03:36:41 2024 +0000

    grub: replace ipfire logo with bpfire logo
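Review bot: `VMLINUX_BTF_PATH = /lib/modules/${shell uname -r}/build` in the examples/filter/Makefile hunk of commit ecad4000 takes the path from the kernel running on the build machine, not from the kernel being built, so a chroot build where the two differ reads vmlinux from the wrong tree or fails at the `bpftool btf dump file $(VMLINUX_BTF_PATH)/vmlinux` step. Assign the variable with `?=` so the build can pass the target kernel's build directory explicitly, and say so in a comment next to it.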
    Signed-off-by: Vincent Li

2 files changed, 0 insertions(+), 0 deletions(-)

commit 7586e5e517fa8775e455eb2715e2120003fafa0f
Author: Vincent Li
Date: Wed Sep 18 22:27:39 2024 +0000

    kernel: disable BTF mismatch

    BTF mismatch is not an issue since we addressed lunatik kernel module BTF mismatch issue using the same chroot binary vmlinux BTF.

    Signed-off-by: Vincent Li

1 file changed, 1 deletion(-)

commit e5464739c98335a7075627cfda2bd793a181c8f5
Author: Vincent Li
Date: Tue Sep 17 23:28:25 2024 +0000

    README: update XDP DNS and SNI blocklist feature

    Signed-off-by: Vincent Li

1 file changed, 3 insertions(+), 2 deletions(-)

commit 0e29b7370312f228bb8e7b1cf9a1e0a1dc1d7c75
Author: Vincent Li
Date: Tue Sep 17 17:23:27 2024 +0000

    Revert "lunatik: 'bpf_luaxdp_run': BTF not found in kernel"

    This reverts commit cacf5f209d41c13928a3117f1472eb1eb89fd64f.

    libbpf version is irrelevant, revert the change
    Signed-off-by: Vincent Li

2 files changed, 5 insertions(+), 6 deletions(-)

commit 67231124987d0f9d9a8d5995928bbdc78a35e039
Author: Vincent Li
Date: Tue Sep 17 17:22:22 2024 +0000

    lunatik: missing module BTF kfuncs not registered

    error when run lunatik which loads lunatik kernel modules

    root@bpfire-2 lua]# lunatik run examples/filter/sni false
    [root@bpfire-2 lua]# dmesg
    [ 330.411665] lunatik: loading out-of-tree module taints kernel.
    [ 330.411680] lunatik: module verification failed: signature and/or required key missing - tainting kernel
    [ 330.433955] Kernel module BTF mismatch detected, BTF debug info may be unavailable for some modules
    [ 330.767701] missing module BTF, cannot register kfuncs

    BPFire chroot build mount /sys/kernel/btf/vmlinux which is the host binary vmlinux BTF to build against lunatik kernel module, which result in above error.

    adjust BPFire kernel build to save the binary vmlinux BTF to chroot /lib/modules/6.6.15-ipfire/build/vmlinux for lunatik kernel module. create the vmlinux.h from the same binary vmlinux BTF for the ebpf https.o

    lunatik kernel module is depending on kernel build, adjust the lunatik build accordingly when kernel upgrade in future.

    See https://github.com/vincentmli/BPFire/issues/40
    see https://github.com/luainkernel/lunatik/issues/189
    Signed-off-by: Vincent Li

2 files changed, 5 insertions(+), 3 deletions(-)

commit cacf5f209d41c13928a3117f1472eb1eb89fd64f
Author: Vincent Li
Date: Mon Sep 16 01:00:40 2024 +0000

    lunatik: 'bpf_luaxdp_run': BTF not found in kernel

    xdp-loader to load https.o result in error below:

    libbpf: loading kernel BTF '/sys/kernel/btf/vmlinux': 0
    libbpf: extern (func ksym) 'bpf_luaxdp_run': not found in kernel or module BTFs
    libbpf: failed to load object '/usr/lib/bpf/https.o'
    libxdp: Failed to load program filter_https: Invalid argument
    Couldn't attach XDP program on iface 'green0': Invalid argument(-22)

    xdp-tools/xdp-loader is built statically with libbpf 1.2 should not be xdp-loader libbpf issue still try to upgrade bpfire libbpf to 1.3.0 for testing

    Signed-off-by: Vincent Li

2 files changed, 6 insertions(+), 5 deletions(-)

commit dc97ffb40eb16408585cb4a0a3c5a0e60bb67af6
Author: Vincent Li
Date: Sun Sep 15 18:36:47 2024 +0000

    lunatik: Unknown symbol in module

    lunatik requires lunatik_sym.h before build generate the symbols in chroot build. remove lunatik_sym.h in origin lunatik source Makefile

    root@r210:/home/vincent/go/src/github.com/vincentmli/BPFire/cache/lunatik-5.3.2# git diff
    diff --git a/Makefile b/Makefile index ec172541..1c72f3e1 100644 --- a/Makefile +++ b/Makefile @@ -3,14 +3,14 @@ MODULES_INSTALL_PATH = /lib/modules/${shell uname -r} SCRIPTS_INSTALL_PATH = /lib/modules/lua -LUNATIK_INSTALL_PATH = /usr/local/sbin -LUA_API = lua/lua.h lua/lauxlib.h lua/lualib.h +LUNATIK_INSTALL_PATH = /usr/sbin +LUNATIK_EBPF_INSTALL_PATH = /usr/lib/bpf KDIR ?= ${MODULES_INSTALL_PATH}/build RM = rm -f MKDIR = mkdir -p -m 0755 INSTALL = install -o root -g root -all: lunatik_sym.h +all: ${MAKE} -C ${KDIR} M=${PWD} CONFIG_LUNATIK=m \ CONFIG_LUNATIK_RUN=m CONFIG_LUNATIK_RUNTIME=y CONFIG_LUNATIK_DEVICE=m \ CONFIG_LUNATIK_LINUX=m CONFIG_LUNATIK_NOTIFIER=m CONFIG_LUNATIK_SOCKET=m \
@@ -46,6 +46,7 @@ examples_install: ${INSTALL} -m 0644 examples/echod/*.lua ${SCRIPTS_INSTALL_PATH}/examples/echod ${MKDIR} ${SCRIPTS_INSTALL_PATH}/examples/filter ${INSTALL} -m 0644 examples/filter/*.lua ${SCRIPTS_INSTALL_PATH}/examples/filter + ${INSTALL} -m 0644 examples/filter/*.o ${LUNATIK_EBPF_INSTALL_PATH} ${MKDIR} ${SCRIPTS_INSTALL_PATH}/examples/dnsblock ${INSTALL} -m 0644 examples/dnsblock/*.lua ${SCRIPTS_INSTALL_PATH}/examples/dnsblock ${MKDIR} ${SCRIPTS_INSTALL_PATH}/examples/dnsdoctor @@ -69,7 +70,3 @@ install: scripts_install modules_install uninstall: scripts_uninstall modules_uninstall depmod -a - -lunatik_sym.h: $(LUA_API) - ${shell ./gensymbols.sh $(LUA_API) > lunatik_sym.h} - Signed-off-by: Vincent Li 2 files changed, 5 insertions(+), 2 deletions(-) commit 133baf8fc0a71c2df0d849e6f5fafa4e6a6e96e4 Author: Vincent Li Date: Sun Sep 15 00:40:51 2024 +0000 lunatik : kernel config change kernel requires module to be signed, disable force signing for now. insmod: ERROR: could not insert module /lib/modules/6.6.15-ipfire/lunatik/lunatik.ko: Key was rejected by service set CONFIG_MODULE_SIG_FORCE=n failed to validate module [lunatik] BTF: -22 set CONFIG_MODULE_ALLOW_BTF_MISMATCH=y Signed-off-by: Vincent Li 1 file changed, 2 insertions(+) commit 7212a66761e8d6ec1ca9a154132af1d2460e28b6 Author: Vincent Li Date: Sun Sep 15 00:39:23 2024 +0000 lunatik: re-arrange lunatik and kernel build order lunatik kernel modules requires kernel to be built first so /lib/modules is available for lunatik lunatik also requires resolve_btfids under: /lib/modules/$(VER)-$(VERSUFIX)/build/tools/bpf/resolve_btfids/ 
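Review bot: in the lunatik Makefile patch of commit dc97ffb4 above, hunk `@@ -3,14 +3,14 @@`, `all:` loses its `lunatik_sym.h` prerequisite, so nothing in this Makefile guarantees the header exists or is current before `${MAKE} -C ${KDIR}` runs. The commit message says the symbols are generated in the chroot build; a short comment on `all:` naming that step, or an existence check that fails early with a clear message, would keep a missing header from surfacing only as the "Unknown symbol in module" error the commit subject describes.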
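Review bot: in the same lunatik Makefile patch, hunk `@@ -46,6 +46,7 @@`, the added `${INSTALL} -m 0644 examples/filter/*.o ${LUNATIK_EBPF_INSTALL_PATH}` is the only install line in the visible context without a preceding `${MKDIR}` for its destination. If `/usr/lib/bpf` does not exist yet, `install` either fails or, when the glob matches a single object, writes it to a regular file named `/usr/lib/bpf`. Suggest adding `${MKDIR} ${LUNATIK_EBPF_INSTALL_PATH}` before it; none of the visible hunks add a matching uninstall step for the installed objects either.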
Signed-off-by: Vincent Li 2 files changed, 4 insertions(+), 1 deletion(-) commit c690c0c4476d228884dae1d73bad018694de26dc Author: Vincent Li Date: Sat Sep 14 15:33:34 2024 +0000 lunatik: add lunatik addon lunatik has LuaXDP that supports scripting XDP for TLS SNI parsing and many other scripting features for kernel. see lunatik build workaround in detail https://github.com/luainkernel/lunatik/issues/189 https://github.com/vincentmli/BPFire/issues/40 Signed-off-by: Vincent Li 3 files changed, 129 insertions(+) commit 74cf8a3943902594d19d00ff1dd382d89b4cb4e8 Author: Vincent Li Date: Thu Sep 12 17:12:16 2024 +0000 xdp-tools: add XDP DNS domain denylist upgrade xdp-tools and add XDP DNS domain denylist bpf and user space program. Signed-off-by: Vincent Li 2 files changed, 5 insertions(+), 3 deletions(-) commit 49d330f2a82557260a2b5ad311b455a4d9a4328b Author: Vincent Li Date: Mon Sep 9 17:31:29 2024 +0000 LoxiLB: increase the default session timeout increase default inactive timeout for established sessions like ssh session diff --git a/pkg/loxinet/rules.go b/pkg/loxinet/rules.go index a67d974..27a9c08 100644 --- a/pkg/loxinet/rules.go +++ b/pkg/loxinet/rules.go @@ -85,7 +85,7 @@ const ( DflHostProbeTimeout = 60 // Default probe timeout for end-point host InitHostProbeTimeout = 15 // Initial probe timeout for end-point host MaxHostProbeTime = 24 * 3600 // Max possible host health check duration - LbDefaultInactiveTimeout = 4 * 60 // Default inactive timeout for established sessions + LbDefaultInactiveTimeout = 10 * 60 // Default inactive timeout for established sessions LbDefaultInactiveNSTimeout = 20 // Default inactive timeout for non-session oriented protocols LbMaxInactiveTimeout = 24 * 3600 // Maximum inactive timeout for established sessions MaxEndPointCheckers = 4 // Maximum helpers to check endpoint health 
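Review bot: the changed `LbDefaultInactiveTimeout` line in `pkg/loxinet/rules.go` raises a global default for every established session in order to keep idle ssh sessions alive, and its comment still does not state the unit (the neighbouring `24 * 3600` values read as seconds). Since this is carried as a local patch against loxilb, it has to be re-applied on every loxilb upgrade. Suggest stating the unit in the comment and recording in the commit message that idle established sessions now stay in the session table 2.5 times longer than with `4 * 60`.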
Signed-off-by: Vincent Li 1 file changed, 1 insertion(+), 1 deletion(-) commit 3e3b5c0e89e8a803e418536f345f496f10da7f32 Author: Vincent Li Date: Mon Sep 9 14:36:01 2024 +0000 UI: adjust credits for BPFire/IPFire support Signed-off-by: Vincent Li 3 files changed, 19 insertions(+), 9 deletions(-) commit 6047d1079b0c93e05ec719c0136bf73e058ecf06 Author: Vincent Li Date: Sun Sep 8 16:34:11 2024 +0000 fireinfo: remove fireinfo profile collection should not send bpfire user profile to ipfire to confuse ipfire community, bpfire could setup such profile collection in the future. Signed-off-by: Vincent Li 1 file changed, 5 deletions(-) commit c834aa67d45cbe2b443fece79422075d81acbc78 Author: Vincent Li Date: Sun Sep 8 16:23:34 2024 +0000 WebUI: change donation link to bpfire maintainer Signed-off-by: Vincent Li 3 files changed, 4 insertions(+), 4 deletions(-) commit 24d3822f82b971bc54a3fee166e2155e3e07afe0 Author: Vincent Li Date: Sun Sep 8 16:19:45 2024 +0000 WebUI: remove ipfire release update info User should not update ipfire because that would remove all BPFire eBPF applications Signed-off-by: Vincent Li 1 file changed, 5 deletions(-) commit 3579fd95a14406135c21edbd29e0dc49499cc2d3 Author: Vincent Li Date: Wed Sep 4 19:04:42 2024 +0000 xdp-dns: attach xdp-dns prog to green0 interface To block or rate limit DNS query from green network client, the xdp-dns program should be attached to green0 interface to scan the DNS query. attach to red0 interface only get the DNS response packet from red0(WAN), not matching the DNS query we want. Signed-off-by: Vincent Li 1 file changed, 6 insertions(+), 7 deletions(-) commit a6f4f1dc2e0fbac696751c657eacb17a1aabd076 Author: Vincent Li Date: Sun Sep 1 16:34:50 2024 +0000 README: update BPFire project README 
Signed-off-by: Vincent Li 1 file changed, 34 insertions(+), 5 deletions(-) commit 85540f1359669a3f7b13aedaa5b92e0e32fc40a5 Author: Vincent Li Date: Wed Aug 28 21:05:18 2024 +0000 loxilib: upgrade to current development tree test new loxilb features like fullproxy L7 Signed-off-by: Vincent Li 1 file changed, 2 insertions(+), 2 deletions(-) commit 17f5f3d6cfcd109f0090bf813e8a73e4c2a1082f Author: Vincent Li Date: Wed Aug 28 21:03:55 2024 +0000 loxicmd: upgrade to current development tree test new loxilb features like fullproxy L7 proxy Signed-off-by: Vincent Li 1 file changed, 2 insertions(+), 2 deletions(-) commit be30db19f35dd815ff1aec63e6436a58d39ac2c6 Author: Vincent Li Date: Wed Aug 28 15:38:27 2024 +0000 golang: upgrade golang to 1.23.0 release when add loxilb development tree, loxilb requires go >= 1.23.0 ranlib libloxilbdp.a make[3]: Leaving directory '/usr/src/loxilb-0.9.x/loxilb-ebpf/kernel' make[2]: Leaving directory '/usr/src/loxilb-0.9.x/loxilb-ebpf' go: go.mod requires go >= 1.23.0 (running go 1.22.0) make[1]: *** [Makefile:14: build] Error 1 make[1]: Leaving directory '/usr/src/loxilb-0.9.x' make: *** [loxilb:76: /usr/src/log/loxilb-0.9.x] Error 2 after upgrading golang to 1.23.0, loxilb development tree result in error make[2]: Leaving directory '/usr/src/loxilb-0.9.x/loxilb-ebpf' # runtime /usr/lib/go/src/runtime/mbitmap_noallocheaders.go:53:2: mallocHeaderSize redeclared in this block /usr/lib/go/src/runtime/mbitmap.go:71:2: other declaration of mallocHeaderSize /usr/lib/go/src/runtime/mbitmap_noallocheaders.go:54:2: minSizeForMallocHeader redeclared in this block the workaround is to remove build/usr/lib/go directory, then rm log/go-1.23.0, ./make.sh build to re-add go 1.23.0 
Signed-off-by: Vincent Li 1 file changed, 2 insertions(+), 2 deletions(-) commit 5f9125b0443c2bc7db1298f51da9b237dd7c574a Author: Vincent Li Date: Sun Aug 25 14:25:19 2024 +0000 loxilb UI: save loxilb configuration save IP/LB/FW configuration from loxilb UI so when loxilb restart or bpfire reboot, the configuration can be restored. Signed-off-by: Vincent Li 3 files changed, 36 insertions(+), 2 deletions(-) commit 84eba5982a6cdc847e72fbf621481e6633000dc7 Author: Vincent Li Date: Fri Aug 23 18:49:51 2024 +0000 loxicmd: upgrade to 0.9.6 release adopted loxicmd changes in https://github.com/vincentmli/BPFire/issues/30 to work out the UI permission issue. Signed-off-by: Vincent Li 1 file changed, 2 insertions(+), 2 deletions(-) commit cc0eebaa2f0b5a4eb6148f0cfa8ac94728e84418 Author: Vincent Li Date: Fri Aug 23 18:16:26 2024 +0000 LoxiLB: upgrade to loxilb 0.9.6 upgrade loxilb to 0.9.6 release Signed-off-by: Vincent Li 1 file changed, 2 insertions(+), 2 deletions(-) commit acc96d072698da8d23e5e124fc243991d5904547 Author: Vincent Li Date: Sat Jul 13 01:28:07 2024 +0000 kernel: enable CONFIG_DEBUG_FS allow syscall tracing with eBPF like bcc libbpf-tools opensnoop to trouble shoot open syscall for UI user nobody unable to run loxicmd save -a -c /var/ipfire/loxilib/ see https://github.com/vincentmli/BPFire/issues/30 mount -t debugfs none /sys/kernel/debug/ Signed-off-by: Vincent Li 1 file changed, 3 insertions(+) commit 6d3717d9c7f6359f4467ee16a1108e41fe3a988a Author: Vincent Li Date: Wed Jul 10 20:00:33 2024 +0000 keepalived UI: add dummy ip for HA state tracking add dummy ip 192.0.2.1 in virtual_ipaddress from (TEST-NET-1) according to https://www.rfc-editor.org/rfc/rfc5737#section-3 for keepalived HA state tracking, the Master will always have the dummy ip assigned to green0. add refresh button for HA state refresh 
Signed-off-by: Vincent Li 3 files changed, 21 insertions(+), 2 deletions(-) commit 56a1588f96ead31fdfd503552d9ece6836da4c3e Author: Vincent Li Date: Tue Jul 9 02:01:54 2024 +0000 vim: Disable vim automatic visual mode on mouse select when mouse select, vim automatically turns into visual mode, this is not convenient when copy and paste in vim with mouse select. create this setting for root user. Signed-off-by: Vincent Li 3 files changed, 3 insertions(+), 2 deletions(-) commit aa7d243558b5340bccdaf15e92b23f0fb07bd0d1 Author: Vincent Li Date: Mon Jul 8 19:08:23 2024 +0000 langs: installer/setup Chinese translation complete the Chinese translation referenced below https://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=ca149dc8e2e24f3cfcf7bbc1e2333b2b6d43e0e4 Asked ChatGPT to translate English in msgid to msgstr in Chinese and ChatGPT did the translation automatically with correct format. copied from ChatGPT and pasted in po.zh Signed-off-by: Vincent Li 7 files changed, 227 insertions(+), 162 deletions(-) commit dcb6b5e11750bd61a63fccb43ab62c16e6c75c8e Author: Vincent Li Date: Sun Jul 7 23:45:49 2024 +0000 LoxiLB UI: get VIP from ipconfigfile in HA scenario, the shared/floating VIP is not configured on the red0 interface when setup LoxiLB lb from the UI in standby BPFire, some VIPs are missing since these VIPs are only configured in the active BPFire. get VIPs from /var/ipfire/loxilb/ipconfigfile Signed-off-by: Vincent Li 1 file changed, 26 insertions(+), 1 deletion(-) commit 067bbaf136f15ddac7c2a9156cc8aa0a31ae209b Author: Vincent Li Date: Sun Jul 7 19:49:07 2024 +0000 LoxiLB: rename UI ipconfig to ipconfigfile when run loxicmd save -a -c /var/ipfire/loxilb/ ipconfig directory will be created, which conflicts with loxilb UI that also save virtual ip to /var/ipfire/loxilb/ipconfig, so rename ipconfig to ipconfigfile. 
Signed-off-by: Vincent Li 3 files changed, 3 insertions(+), 3 deletions(-) commit 02724e742755bbde859e9c5cd133940b2a547774 Author: Vincent Li Date: Sat Jul 6 23:27:54 2024 +0000 LoxiLB: enable firewall SNAT for green network when loxilb is enabled and started, enable the firewall SNAT for green network so green network could have initiate outgoing traffic like internet access. we can achieve this by restoring firewall SNAT setting from default /var/ipfire/loxilb/FWconfig.txt when loxilb start up with --config-path=/var/ipfire/loxilb thanks to the enhancement addressed in issue: https://github.com/loxilb-io/loxilb/issues/706 Signed-off-by: Vincent Li 3 files changed, 9 insertions(+), 1 deletion(-) commit 9f7cd8358fe702a8d3d3f279fe6ff5d7909947f9 Author: Vincent Li Date: Sat Jul 6 17:31:14 2024 +0000 LoxiLB: upgrade to loxilb development branch LoxiLB 0.9.4 lack of SNAT feature for egress traffic initiated from BPFire green network, when loxilb is enabled, it breaks BPFire green network client Internet access, this issue is fixed in the loxilb development branch, temporarily I make loxilb development branch as 0.9.5 in BPFire so I could test the SNAT feature and it works. see detail in https://github.com/loxilb-io/loxilb/issues/718 Signed-off-by: Vincent Li 2 files changed, 4 insertions(+), 4 deletions(-) commit a06eab4ae134727bf538788fbb352a8fc0187a1f Author: Vincent Li Date: Fri Jul 5 03:49:46 2024 +0000 keepalived vs/rs UI: add virtual/real server UI Signed-off-by: Vincent Li 2 files changed, 895 insertions(+), 1 deletion(-) commit 0f54cfef92e1dc946b213fcc32229945475745c4 Author: Vincent Li Date: Tue Jul 2 20:52:49 2024 +0000 keepalived/ipvs: move ipvsadm to core package prepare keepalived with ipvs for layer 4 load balancer 
Signed-off-by: Vincent Li 2 files changed, 2 insertions(+), 2 deletions(-) commit fa69bf1da315f7def15cb0701e2b4a0874b75c56 Author: Vincent Li Date: Tue Jul 2 19:36:16 2024 +0000 openssh: update openssh due to CVE-2024-6387 Update from version 9.7p1 to 9.8p1 Signed-off-by: Vincent Li 2 files changed, 3 insertions(+), 2 deletions(-) commit e7e1e67fc707c3a392f1c29e611e68a48fb81d6c Author: Vincent Li Date: Mon Jul 1 15:22:55 2024 +0000 initscripts: start loxilb keepalived after reboot When loxilb and keepalived are enabled, after BPFire rebooted, loxilb and keepalived failed to start and shows as "STOPPED" from UI, this is not expected since we want to loxilb and keepalived to continue to be enabled after reboot based on the enabled state of loxilb and keepalived before reboot. Signed-off-by: Vincent Li 4 files changed, 11 insertions(+), 4 deletions(-) commit fae6f15fbe555ee768415a67842ec72b914fb90c Author: Vincent Li Date: Mon Jul 1 04:14:51 2024 +0000 LoxiLB UI: remove @nosaved items remove @nosaved from /var/ipfire/loxilb/settings as it could interfere with running state of loxilb Signed-off-by: Vincent Li 1 file changed, 2 insertions(+), 1 deletion(-) commit ebdd4d59b4021b59571652e8bf2fff9843ae23b1 Author: Vincent Li Date: Mon Jul 1 00:16:30 2024 +0000 keepalived UI: remove @nosaved item remove @nosaved item from form submission before writehash to each setting file because it could interfere with each other. for example, when change keepalived configuration for green or red interface from the UI, without removing @nosaved which has 'ENABLE_HA' before writehash, 'ENABLE_HA=off' would be saved in '/var/ipfire/keepalived/settings', this would trigger the UI to show keepalived being "STOPPED" or it could actually stopped keepalived. 
Signed-off-by: Vincent Li 1 file changed, 7 insertions(+), 1 deletion(-) commit 6f8ab2d9ec6431cd30702cfade22f601dad320d3 Author: Vincent Li Date: Sun Jun 30 15:05:49 2024 +0000 menu: remove pakfire menu pakfire addon install may cause conflict with BPFire, remove it for now. Signed-off-by: Vincent Li 1 file changed, 5 deletions(-) commit 4363971e05e5f10ca7fe592510dd438f9c05563c Author: Vincent Li Date: Thu Jun 27 16:26:38 2024 +0000 dhcp: allow user to specify router IP In BPFire HA deployment, a floating/shared router IP is required for backend/endpoint server. by default BPFire uses the primary IP on green0 when running setup script. Now the floating/shared router IP can be added to green0 interface as secondary IP through loxilb UI, keepalived UI can configure the secondary IP as virtual ipaddress, when HA failover happens, keepalived will move the virtual ipaddress to new active BPFire. Signed-off-by: Vincent Li 2 files changed, 58 insertions(+), 6 deletions(-) commit 2cddcb14f66fbdec8649f625e667a283f24ce40a Author: Vincent Li Date: Wed Jun 26 21:24:07 2024 +0000 keepalived: add keepalivedctrl program Signed-off-by: Vincent Li 3 files changed, 42 insertions(+), 1 deletion(-) commit ed89f965bf75c9e0080db6138ee2861ccfbdbd77 Author: Vincent Li Date: Tue Jun 25 17:20:58 2024 +0000 keepalived UI: add keepalived UI BPFire red0 does not support multicast, need to have unicast peer configured, then the virtual ipaddress can be added to red0 interface. the UI requires /var/ipfire/keepalived/runsettings /var/ipfire/keepalived/settings to be created, so add them lfs/configroot Signed-off-by: Vincent Li 7 files changed, 391 insertions(+), 1 deletion(-) commit 07750a74ba51c3efab11c4f7125e153f04598d30 Author: Vincent Li Date: Sat Jun 22 15:42:34 2024 +0000 LoxiLB UI: add required field mark 
Signed-off-by: Vincent Li 2 files changed, 8 insertions(+), 6 deletions(-) commit 59550878878e647f84d6c88eca474ded256851ef Author: Vincent Li Date: Fri Jun 21 00:54:17 2024 +0000 keepalived: move keepalived to core package change keepalived default config to /var/ipfire/keepalived/keepalived.conf so keepalived WebUI could read/write the configuration file. also add /var/ipfire/keepalived directory Signed-off-by: Vincent Li keepalived: create /var/ipfire/keepalived 3 files changed, 4 insertions(+), 3 deletions(-) commit 61d054216da934f7275eb761b463504bd454b230 Author: Vincent Li Date: Wed Jun 19 18:20:57 2024 +0000 LoxiLB UI: select virtual ip from red0 interface since we added loxilb ip management to add ip on red0 interface, we can select the virtual ip from red0 interface. Signed-off-by: Vincent Li 2 files changed, 36 insertions(+), 2 deletions(-) commit 780f556e9c057b93dba2fc9f1835282bb7ceea3f Author: Vincent Li Date: Wed Jun 19 02:46:25 2024 +0000 LoxiLB UI: add loxilb ip management Signed-off-by: Vincent Li 3 files changed, 365 insertions(+), 12 deletions(-) commit 3f1e411f959e1c83e1ca20833ad9f3b48fcdd444 Author: Vincent Li Date: Tue Jun 18 03:14:29 2024 +0000 move tcpdump and strace to core package tcpdump and strace are essential for trouble shooting ship it as core package Signed-off-by: Vincent Li 2 files changed, 0 insertions(+), 0 deletions(-) commit 7e5fd9e655f48eaaf508ad831aa00527466ef8b2 Author: Vincent Li Date: Sun Jun 16 02:55:13 2024 +0000 Revert "make.sh: change ipfire name to bpfire name" This reverts commit 2624a47e88a697ba26dec9abba82dfb8676cf9e3. the name change seems making the iso build downloading image from upstream ipfire image during installation. revert it Signed-off-by: Vincent Li 1 file changed, 2 insertions(+), 2 deletions(-) commit 8f4062f4da0f09df9200510190b40683a0bade64 Author: Vincent Li Date: Sat Jun 15 20:52:48 2024 +0000 LoxiLB UI: show loxilb server running status 
Signed-off-by: Vincent Li 5 files changed, 30 insertions(+), 11 deletions(-) commit 2624a47e88a697ba26dec9abba82dfb8676cf9e3 Author: Vincent Li Date: Sat Jun 15 02:49:21 2024 +0000 make.sh: change ipfire name to bpfire name this change would build iso/img with bpfire name. note make.sh has toolchain name with ipfire, so this rename may break something, revert this commit if running into issue in future. Signed-off-by: Vincent Li 1 file changed, 2 insertions(+), 2 deletions(-) commit 56461e0173639e519eed15bad2a5e42961ea1c9b Author: Vincent Li Date: Sat Jun 15 02:14:22 2024 +0000 errormessage: use red color for errormessage Signed-off-by: Vincent Li 2 files changed, 2 insertions(+), 2 deletions(-) commit 4bbf33e119ec1a7a9a1da89efe5bc23fab5bfeb6 Author: Vincent Li Date: Sat Jun 15 00:39:22 2024 +0000 LoxiLB: lb config requires lb name since now we delete lb by name, so lb name is required field. Signed-off-by: Vincent Li 3 files changed, 6 insertions(+), 1 deletion(-) commit e928445c913af72575e6e73407b9270f2663c1a0 Author: Vincent Li Date: Fri Jun 14 22:14:16 2024 +0000 LoxiLB: delete lb by name since loxilb is upgraded to 0.9.4 which allows loxicmd delete lb by name. fix: https://github.com/vincentmli/BPFire/issues/26 Signed-off-by: Vincent Li 1 file changed, 2 insertions(+), 4 deletions(-) commit 94f960449341223ef9f2e98b923e74cbe4471d09 Author: Vincent Li Date: Fri Jun 14 22:06:19 2024 +0000 LoxiLB: remove workaround in loxilbconfig.cgi now loxilb is upgraded to 0.9.4, it fixes: https://github.com/vincentmli/BPFire/issues/25 
Signed-off-by: Vincent Li 1 file changed, 1 deletion(-) commit a221be18181c936792e4a2b97273d2f2420ac35d Author: Vincent Li Date: Fri Jun 14 18:09:52 2024 +0000 LoxiLB: upgrade loxicmd to 0.9.4 upgrade procedure: git clone https://github.com/loxilb-io/loxicmd.git cd loxicmd git checkout -b v0.9.4 v0.9.4 go mod vendor cd .. mv loxicmd loxicmd-0.9.4 tar cvf loxicmd-0.9.4.tar loxicmd-0.9.4 gzip loxicmd-0.9.4.tar cp loxicmd-0.9.4.tar.gz /cache/ b2sum /cache/loxicmd-0.9.4.tar.gz modify lfs/loxicmd to change the version and b2sum checksum Signed-off-by: Vincent Li 1 file changed, 2 insertions(+), 2 deletions(-) commit b9b523d29345a377535b0f03e0693451bc04c5bf Author: Vincent Li Date: Fri Jun 14 18:09:07 2024 +0000 Loxilb: upgrade loxilb to 0.9.4 upgrade procedure: git clone --recurse-submodules https://github.com/loxilb-io/loxilb.git cd loxilb git checkout -b v0.9.4 v0.9.4 go mod vendor cd .. mv loxilb loxilb-0.9.4 tar cvf loxilb-0.9.4.tar loxilb-0.9.4 gzip loxilb-0.9.4.tar cp loxilb-0.9.4.tar.gz /cache/ b2sum /cache/loxilb-0.9.4.tar.gz modify lfs/loxilb to change the version and b2sum checksum Signed-off-by: Vincent Li 1 file changed, 2 insertions(+), 2 deletions(-) commit 0003dd9c8c023b964426eefff1a0a4299afa48fc Author: Vincent Li Date: Wed Jun 12 19:47:50 2024 +0000 Loxilb UI: add loxilb firewall UI Signed-off-by: Vincent Li 5 files changed, 678 insertions(+) commit 63c3e67c0791852de0fb352aaa7063affb232062 Author: Vincent Li Date: Sun Jun 2 01:54:02 2024 +0000 loxilb UI: fix updating existing LB mode/sel fix: https://github.com/vincentmli/BPFire/issues/24 Signed-off-by: Vincent Li 1 file changed, 1 insertion(+) commit 6df412401c09b333feabdffd5e7af5f0682d89f6 Author: Vincent Li Date: Sat Jun 1 21:09:54 2024 +0000 loxilb UI: add backend monitor option 
Signed-off-by: Vincent Li 3 files changed, 40 insertions(+), 5 deletions(-) commit 284b13c137e0779ba9e2d3dc862f11a1a61cf65b Author: Vincent Li Date: Sat Jun 1 17:27:43 2024 +0000 loxilb UI: use select drop down option learned from ChatGPT to print dynamic options. add semicolon ';' right after heredoc like: print < 1 file changed, 73 insertions(+), 6 deletions(-) commit c946e2d2634942e51f90da693a1590918084286a Author: Vincent Li Date: Thu May 30 17:35:53 2024 +0000 README: update load balancer screen shot Signed-off-by: Vincent Li 3 files changed, 4 insertions(+) commit 8608700ba9ff0ad52c29a0beda714dae5f53650f Author: Vincent Li Date: Thu May 30 17:18:21 2024 +0000 menu: adjust menu titles Signed-off-by: Vincent Li 3 files changed, 11 insertions(+), 3 deletions(-) commit 6994edf40b6073521edf1ec430af31ec0039a21b Author: Vincent Li Date: Wed May 29 21:52:50 2024 +0000 Add loxilb lb config UI Signed-off-by: Vincent Li 4 files changed, 582 insertions(+) commit f60a419e84148703fc4760cfb309a8ac3686434d Author: Vincent Li Date: Wed May 29 18:18:31 2024 +0000 BPFire menu re-arrange Re-arrange the menu to have BPF centric main menu, this also easy the developing of loxilb load balancer GUI since loxilb will have multiple functions like enable loxilb, create loxilb lb, create loxilb ip ...etc, so each loxilb function has their own CGI UI. Signed-off-by: Vincent Li 4 files changed, 13 insertions(+), 13 deletions(-) commit 280869f883f9ae23203d0a3d1ac518a7dbd29a70 Author: Vincent Li Date: Tue May 28 18:12:51 2024 +0000 Do not attach loxilb TC to ethX devices see [0] loxilb attach TC program to all devices by default. [0]:https://github.com/vincentmli/BPFire/issues/22 Signed-off-by: Vincent Li 1 file changed, 1 insertion(+), 1 deletion(-) commit 9c58dcd1450487144835217a64d4a4137321d49d Author: Vincent Li Date: Sun May 26 03:43:36 2024 +0000 Add WebUI loxilb.cgi for ebpf load balancer 
Signed-off-by: Vincent Li 4 files changed, 119 insertions(+), 2 deletions(-) commit a9c944483b2a90b117dfb551bb1d404076da241d Author: Vincent Li Date: Sun May 26 00:31:09 2024 +0000 Add loxilb load balancer menu run command below when update language menu perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang" Signed-off-by: Vincent Li 4 files changed, 8 insertions(+) commit 61caf1c5eb162593b6752bb12e8ab750b6a2a801 Author: Vincent Li Date: Wed May 22 01:59:16 2024 +0000 Add loxilb safe call program when rebuild image: do rm log/misc-progs Signed-off-by: Vincent Li 3 files changed, 40 insertions(+), 1 deletion(-) commit 0c2b5101304855b04ac15674c6e58194012ee159 Author: Vincent Li Date: Tue May 21 18:00:35 2024 +0000 add loxilb start/stop init script and settings when rebuild the image, do: rm log/configroot rm log/initscripts Signed-off-by: Vincent Li 6 files changed, 68 insertions(+), 3 deletions(-) commit 01b41130e5c424873bd4b1bdf7dab6e989aea132 Author: Vincent Li <3729694+vincentmli@users.noreply.github.com> Date: Thu May 16 17:37:08 2024 -0700 Update README.md Signed-off-by: Vincent Li 1 file changed, 4 insertions(+), 5 deletions(-) commit fb763397b42903ca334475219d78e98d4b349b3b Author: Vincent Li Date: Mon May 13 18:00:30 2024 +0000 loxilb: add loxilb load balancer addon build loxilb in BPFire requires golang 1.22.0, but then had issue [0], run go mod vendor to prepare the loxilb to download golang dependencies package beforehand to avoid issue [0] loxilb-ebpf build also requires gnu/stubs-32.h use [1] as workaround [0]: https://github.com/vincentmli/BPFire/issues/18 [1]: https://github.com/vincentmli/BPFire/issues/16 Signed-off-by: Vincent Li 3 files changed, 89 insertions(+) commit a7ed289c040c60031b8e0e58d7b7c4050002f1dd Author: Vincent Li Date: Mon May 13 14:24:51 2024 +0000 golang: upgrade from 1.20.4 to 1.22.0 meet loxilb 1.22.0 requirements see https://github.com/vincentmli/BPFire/issues/19 
Signed-off-by: Vincent Li 1 file changed, 2 insertions(+), 2 deletions(-) commit 927b3dfe54b72d8ba0bc67aab0f5f6add7b05f57 Author: Vincent Li Date: Sun May 12 16:18:45 2024 +0000 loxicmd addon Avoid downloading golang dependency packages during build time due to issue [0], run go mod vendor so loxicmd source include vendor directory to include golang dependency packages [0]: https://github.com/vincentmli/BPFire/issues/18 Signed-off-by: Vincent Li 3 files changed, 80 insertions(+) commit 0000eed2952fdf77e462ee4847c3db411c1eb440 Author: Vincent Li Date: Sat May 11 17:41:01 2024 +0000 Add Loxilb ntc and libmd libbsd addon Signed-off-by: Vincent Li 7 files changed, 256 insertions(+) commit 49df562431fbea326dfcbd121ef897e05a53cf19 Author: Vincent Li Date: Wed May 8 03:26:51 2024 +0000 ebpf: Enable kernel BPF_EVENTS loxilb or other ebpf program could use bpf_printk for debugging, bpf_printk requires BPF_EVENTS to be enabled, see [0] [0] https://github.com/loxilb-io/loxilb/issues/666#issuecomment-2097850413 Signed-off-by: Vincent Li 1 file changed, 3 insertions(+), 1 deletion(-) commit d544247a5366a3cb8f227fd41dd01b528d00a9d2 Author: Vincent Li Date: Fri May 3 16:56:06 2024 +0000 linux: change kernel NR_CPUS to 512 loxilb MAX_CPUS for cpu_map set to 128, BPFire original NR_CPUS 64 result in error: libbpf: map 'cpu_map': failed to create: Argument list too long see https://github.com/loxilb-io/loxilb/issues/661 Signed-off-by: Vincent Li 1 file changed, 3 insertions(+), 3 deletions(-) commit 04cb6cc6ffcd844758332751dbfb10e4ab760893 Author: Vincent Li Date: Fri May 3 16:52:40 2024 +0000 libbpf: switch to libbpf 0.8.3 use libbpf 0.8.3 for loxilb Signed-off-by: Vincent Li 2 files changed, 5 insertions(+), 6 deletions(-) commit 4d35e1845b74b9be158965a5569ed97da6a5103b Author: Vincent Li Date: Tue Apr 30 15:47:47 2024 +0000 update README build 
Signed-off-by: Vincent Li 1 file changed, 3 insertions(+), 3 deletions(-) commit c463d1d203fd220e7d71255f4239ecbfa6d79bbb Author: Vincent Li Date: Sun Apr 28 22:16:45 2024 +0000 Add DPDK Pktgen 10G SYN flood test throughput 1 file changed, 5 insertions(+) commit 1aac7c1a4ca6f42ea2b96dcc26cb8ecd6f4e9486 Author: Vincent Li Date: Wed Apr 24 16:08:34 2024 +0000 Add BPFire running in Microsoft HyperV pictures Signed-off-by: Vincent Li 3 files changed, 10 insertions(+) commit 8031d30ad259152c36dde89a6fe2060b1b909000 Author: Vincent Li Date: Tue Apr 23 21:50:34 2024 +0000 ddos init: add ratelimit 3 files changed, 19 insertions(+) commit ad771dfe3ba7dd9cfea7dab926cfb20e91c16716 Author: Vincent Li Date: Tue Apr 23 21:39:43 2024 +0000 ddos.cgi add ratelimit UI 1 file changed, 9 insertions(+) commit 00cd284e542486c80b1fbf70fd08d8b2d327cd2d Author: Vincent Li Date: Tue Apr 23 21:23:31 2024 +0000 Revert "ddos.cgi remove duplicate code" This reverts commit 8ca6049b32470f1a03d58ccc560c755ee86265d3. 1 file changed, 214 insertions(+), 141 deletions(-) commit a925c32ecb6c81818743f835bc5cfa5b3375df4a Author: Vincent Li Date: Tue Apr 23 21:22:57 2024 +0000 Revert "ddos.cgi add ratelimit UI" This reverts commit e3ea91ca5898f0d32cd2733efcd3297d30ffa80e. 4 files changed, 27 deletions(-) commit be1fc5ce77b6de9e7c6d76f6931f0acc55fd8ca5 Author: Vincent Li Date: Tue Apr 23 16:43:40 2024 +0000 xdp-tools: add xdp-udp Signed-off-by: Vincent Li 2 files changed, 4 insertions(+), 1 deletion(-) commit 6accd9056f0f524728cfe9c20c33c2d0fbc9b471 Author: Vincent Li Date: Mon Apr 22 21:44:47 2024 +0000 ddos.cgi add ratelimit UI add ratelimit UI for xdp dns and udp program Signed-off-by: Vincent Li 4 files changed, 27 insertions(+) commit 1cd908092b6ff87d05413d8abb6c1a2ce044b658 Author: Vincent Li Date: Fri Apr 19 17:29:15 2024 +0000 Add XDP DDoS README UI screenshot 
Signed-off-by: Vincent Li 5 files changed, 14 insertions(+) commit 9d9f3b7afb43855f41f6b1c4674e16b9fa65d7ea Author: Vincent Li Date: Fri Apr 19 17:15:28 2024 +0000 Add Chinese translation for ddos.cgi Signed-off-by: Vincent Li 1 file changed, 5 insertions(+), 2 deletions(-) commit 8ca6049b32470f1a03d58ccc560c755ee86265d3 Author: Vincent Li Date: Thu Apr 18 17:49:04 2024 +0000 ddos.cgi remove duplicate code improve ddos.cgi by making a few sub routines to remove duplicate code Signed-off-by: Vincent Li 1 file changed, 141 insertions(+), 214 deletions(-) commit fcdc42ea400cb11b77f14ee40f8fbd2f13fa5b75 Author: Vincent Li Date: Thu Apr 18 02:29:27 2024 +0000 ddos.cgi add DNS DDoS UI Signed-off-by: Vincent Li 5 files changed, 84 insertions(+), 1 deletion(-) commit 56c5212374a0797c9bbb18fa2a962dc0a487a19d Author: Vincent Li Date: Wed Apr 17 15:55:40 2024 +0000 firewall.cgi XDP SYNPROXY UI option only show XDP SYNPROXY option when protocol TCP is selected. Signed-off-by: Vincent Li 2 files changed, 10 insertions(+), 2 deletions(-) commit 13bb8928c9337d4c581a3d41ecf834969c870d83 Author: Vincent Li Date: Wed Apr 17 01:26:16 2024 +0000 Change header from IPFire_ to BPFire_ Signed-off-by: Vincent Li 1 file changed, 1 insertion(+), 1 deletion(-) commit 0bece3c17aafeddad855a744ed07b06434c81e01 Author: Vincent Li Date: Tue Apr 16 20:40:02 2024 +0000 Workaround ddos init script to xdp skb mode if interface does not support native mode re-run xdp-loader with skb mode, got error Attaching XDP program in native mode not supported - try SKB mode. TCP Native mode not supported, try SKB Replacing allowed ports Added port 80 Added port 8090 libxdp: Retried more than 11 times, giving up Couldn't attach XDP program on iface 'lo': Device or resource busy(-16) UDP Native mode not supported, try SKB Replacing allowed udp ports Added port 10408 but it looks loaded ok 
Signed-off-by: Vincent Li 1 file changed, 20 insertions(+), 8 deletions(-) commit 9924b857738572bf7b0d721caa51036872f90bc7 Author: Vincent Li Date: Tue Apr 16 16:57:23 2024 +0000 ddos init script to load/unload TCP/UDP XDP prog make ddos init script to load/unload TCP/UDP XDP program according to TCP/UDP setting Signed-off-by: Vincent Li 1 file changed, 69 insertions(+), 24 deletions(-) commit 8b50f8d07c6cf459cba3c75fa1f0809fdd784182 Author: Vincent Li Date: Mon Apr 15 18:46:34 2024 +0000 Rename FireBeeOS to BPFire Signed-off-by: Vincent Li 1 file changed, 11 insertions(+), 11 deletions(-) commit 9a53289a232fe976a1e81c39323e4e8663aba25f Author: Vincent Li Date: Sun Apr 14 16:27:52 2024 +0000 ddos.cgi add UDP DDoS WebUI Signed-off-by: Vincent Li 6 files changed, 214 insertions(+), 35 deletions(-) commit 6e718706480fbffad2c8fdbeb9122a7640bdb924 Author: Vincent Li Date: Sat Apr 13 23:29:24 2024 +0000 ddos.cgi clean up and fix write to /var/ipfire/ddos/settings file before enable ddos to allow /etc/rc.d/init.d/ddos script start up ddos according to the setting from /var/ipfire/ddos/settings Signed-off-by: Vincent Li 1 file changed, 15 insertions(+), 19 deletions(-) commit d7544e619290e0a37b5806689f33838a3d04da6c Author: Vincent Li Date: Tue Apr 9 01:50:14 2024 +0000 Enable kernel BPF without tracing capability enable kernel BPF XDP/TC capability, no tracing Signed-off-by: Vincent Li 2 files changed, 8 insertions(+) commit d9a8ed29e874cac4ff32021c550bc69d8a9155ea Author: Vincent Li Date: Mon Apr 8 19:32:11 2024 +0000 Revert "Enable kernel BPF/BTF" We need to disable BPF trace capability and disallow unprivileged BPF so This reverts commit d0bd3cc0331faaa493e81233432e4ae91a87c431. 
Signed-off-by: Vincent Li 1 file changed, 70 insertions(+), 86 deletions(-) commit 9f86b661cba473157437d4479bf8d9cbb48b9e48 Author: Vincent Li Date: Mon Apr 8 16:32:13 2024 +0000 Add xdp dns rate limit program with bpf_printk deleted XDP dns rate limit program has static tail call which requires revert xdp-tool commit: (039bdea "xdp-loader: Only load the BPF program we need from object files") XDP dns rate limit program also uses bpf_printk helper which is not supported on FireBeeOS since kernel CONFIG_BPF_EVENTS which allows user to do kprobe, uprobe, tracepoint is not enabled, so bpf_printk helper is not available, so removed bpf_printk see discussion in [0] xdp-loader load xdp program with bpf tail call result in Bad file descriptor(-9) [0] https://github.com/xdp-project/xdp-tools/issues/377 Signed-off-by: Vincent Li 2 files changed, 2 insertions(+), 1 deletion(-) commit 33cc594e398491469d8f8b232affa5aaac0fa177 Author: Vincent Li Date: Sun Apr 7 22:15:12 2024 +0000 mount bpffs for xdp-tools for ISO build xdp-loader will only load the XDP program without xdp dispatcher if bpffs is not mounted, flash image has bpffs mounted already, add bpffs mount for ISO image Signed-off-by: Vincent Li 1 file changed, 5 insertions(+) commit 35f1987b1494e709832ab2932291ff69c823774a Author: Vincent Li Date: Sun Apr 7 15:22:00 2024 +0000 Revert "Add ecapture add-on" This reverts commit 0864b3a5bac19fb4eec9ee4402a75af043ac9126. User might be concerned firewall admin user capture SSL clear text, so remove ecapture. Signed-off-by: Vincent Li 3 files changed, 80 deletions(-) commit ff7a42718948935d0d0e653a040186b031d6b1b9 Author: Vincent Li Date: Thu Apr 4 23:52:50 2024 +0000 strip kernel module to reduce image size set strip option to 1 which is to strip modules debug info. tried to strip all but result in file system not found during iso installation. fix: https://github.com/vincentmli/FireBeeOS/issues/3 
Signed-off-by: Vincent Li
1 file changed, 1 insertion(+), 1 deletion(-)

commit 7b90358c1efa11b822f7d15462fc77160fb033d2
Author: Vincent Li
Date: Wed Apr 3 22:13:48 2024 +0000

Add missing xdp-tools utilities

Signed-off-by: Vincent Li
1 file changed, 30 insertions(+)

commit ef347b3a28f3914eed8c0b3172d629d22cd85cc3
Author: Vincent Li
Date: Wed Apr 3 14:34:24 2024 +0000

Revert "Enable serial console in default grub"

This reverts commit 7773f82726f8a93591216867b2862b37242864a0.

After ISO installation in real hardware and reboot, the boot process appears to be "stuck" in "dracut: Switching root". see https://github.com/vincentmli/FireBeeOS/issues/1

revert the commit resolves the issue, I suspect maybe the output after "dracut: Switching root" is directed to serial console? anyway revert this change temporarily. flash image build still needs to have serial console access for better user experience when trying flash image in KVM/Libvirt virtual environment.

Signed-off-by: Vincent Li
1 file changed, 1 insertion(+), 3 deletions(-)

commit 0c908cf913dcdff8ae8b9cfaf61b47ce95346199
Author: Vincent Li
Date: Fri Mar 22 02:58:49 2024 +0000

Update README with demo link and download link

Signed-off-by: Vincent Li
1 file changed, 22 insertions(+), 3 deletions(-)

commit 1688d250dc21657dafa20381c90043dd7c43bee0
Author: Vincent Li
Date: Wed Mar 20 00:15:06 2024 +0000

Add chinese for XDP UI

1 file changed, 11 insertions(+)

commit 8f4b665fb328a1ed944fc9cfa5e51e9b22657a9c
Author: Vincent Li
Date: Tue Mar 19 21:02:59 2024 +0000

populate ddos port map in ddos init script

Signed-off-by: Vincent Li
1 file changed, 42 insertions(+), 8 deletions(-)

commit addfe66863d3d5d3c74848f853da6bdd9a90f408
Author: Vincent Li
Date: Tue Mar 19 18:27:55 2024 +0000

Change ddos.cgi to call ddosctrl

call ddosctrl with safety from ddos.cgi
Signed-off-by: Vincent Li
1 file changed, 46 insertions(+), 23 deletions(-)

commit 93534968645f55e76486a603ce857b4f695bede1
Author: Vincent Li
Date: Tue Mar 19 16:44:14 2024 +0000

Add ddosctrl program for safe execution

add ddosctrl to start/stop/status XDP program from ddos.cgi safely.

permission of ddosctrl

  chown root.nobody /usr/local/bin/ddosctrl
  chmod u+s /usr/local/bin/ddosctrl

result:

  -rwsr-x--- 1 root nobody 14672 Mar 19 09:58 /usr/local/bin/ddosctrl

Signed-off-by: Vincent Li
3 files changed, 42 insertions(+), 1 deletion(-)

commit 936c1a4fa02cbd7a469cfa489acb4dcddfe1f0c5
Author: Vincent Li
Date: Tue Mar 19 16:16:46 2024 +0000

Add XDP program load/unload script

Signed-off-by: Vincent Li
3 files changed, 66 insertions(+)

commit 8e4e24a9b943f911d30ffb7e31a1fd099c5258bc
Author: Vincent Li
Date: Sun Mar 17 01:49:10 2024 +0000

Add XDP DDoS ddos.cgi

Signed-off-by: Vincent Li
7 files changed, 338 insertions(+), 3 deletions(-)

commit 31f89d181365d8de5b149091ea1ffef04b54e7f7
Author: Vincent Li
Date: Sat Mar 16 15:54:04 2024 +0000

Add eBPF XDP DDoS menu

Signed-off-by: Vincent Li
3 files changed, 9 insertions(+)

commit dbb9b7014fe9ea65a869cb979f77d0ad5219b7a9
Author: Vincent Li
Date: Sat Mar 16 00:41:25 2024 +0000

fix remote.cgi code style

Signed-off-by: Vincent Li
1 file changed, 11 insertions(+), 11 deletions(-)

commit e48a29a3f143e2c3d872eb2214fc16e93a12a8d5
Author: Vincent Li
Date: Fri Mar 15 02:49:35 2024 +0000

Add XDP SYNPROXY rules in raw and filter table

XDP SYNPROXY requires setting up iptables rule in raw table PREROUTING chain and filter table INPUT chain.
Signed-off-by: Vincent Li
1 file changed, 43 insertions(+)

commit 1f16691715d92d7711faa9daeac06179ce7c5826
Author: Vincent Li
Date: Fri Mar 15 00:27:07 2024 +0000

Add custom XDP SYNPROXY chain

XDP SYNPROXY rules need to be first in filter table INPUT user defined chain and raw table PREROUTING user defined chain.

To list the custom chain evaluation order for example:

iptables -L INPUT --line-numbers
Chain INPUT (policy DROP)
num  target          prot  opt source    destination
1    INSYNPROXY      all   --  anywhere  anywhere
2    IPSBYPASS       all   --  anywhere  anywhere     mark match 0xc0000000/0xc0000000
3    BADTCP          tcp   --  anywhere  anywhere
4    CUSTOMINPUT     all   --  anywhere  anywhere
5    HOSTILE         all   --  anywhere  anywhere
6    BLOCKLISTIN     !icmp --  anywhere  anywhere
7    GUARDIAN        all   --  anywhere  anywhere
8    OVPNBLOCK       all   --  anywhere  anywhere
9    IPS_INPUT       all   --  anywhere  anywhere     mark match 0x0/0xc0000000
10   IPTVINPUT       all   --  anywhere  anywhere
11   ICMPINPUT       all   --  anywhere  anywhere
12   LOOPBACK        all   --  anywhere  anywhere
13   CAPTIVE_PORTAL  all   --  anywhere  anywhere
14   CONNTRACK       all   --  anywhere  anywhere
15   DHCPGREENINPUT  all   --  anywhere  anywhere
16   TOR_INPUT       all   --  anywhere  anywhere
17   LOCATIONBLOCK   all   --  anywhere  anywhere
18   IPSECINPUT      all   --  anywhere  anywhere
19   GUIINPUT        all   --  anywhere  anywhere
20   WIRELESSINPUT   all   --  anywhere  anywhere     ctstate NEW
21   OVPNINPUT       all   --  anywhere  anywhere
22   INPUTFW         all   --  anywhere  anywhere
23   REDINPUT        all   --  anywhere  anywhere
24   POLICYIN        all   --  anywhere  anywhere

iptables -t raw -L PREROUTING --line-numbers
Chain PREROUTING (policy ACCEPT)
num  target          prot  opt source    destination
1    RAWSYNPROXY     all   --  anywhere  anywhere

Signed-off-by: Vincent Li
1 file changed, 6 insertions(+)

commit baf1d4a6043c0024a09e82b65ad7f5428b979dcf
Author: Vincent Li
Date: Thu Mar 14 20:12:06 2024 +0000

Disable vim automatic visual mode on mouse select

when mouse select, vim automatically turns into visual mode, this is not convenient when copy and paste in vim with mouse select.
Signed-off-by: Vincent Li 1 file changed, 2 insertions(+) commit 968fd0ca40306b84631cbb4ad90374bd27fbde06 Author: Vincent Li Date: Wed Mar 13 02:25:38 2024 +0000 make sub routine for various rule check with routine, we could reuse the code if possible. Signed-off-by: Vincent Li 1 file changed, 75 insertions(+), 52 deletions(-) commit 852567122e0aff5233032a74296f41c67626570a Author: Vincent Li Date: Fri Mar 8 18:36:49 2024 +0000 Add XDP SYNPROXY iptables rule UI option Signed-off-by: Vincent Li 3 files changed, 23 insertions(+), 4 deletions(-) commit eefbd2ef876ea364abd20f5bf5a45da41a0ff742 Author: Vincent Li Date: Mon Mar 4 22:15:09 2024 +0000 mount bpffs for XDP program Signed-off-by: Vincent Li 1 file changed, 4 insertions(+) commit 11d2901fc724022a0529444798be39f8991cfde4 Author: Vincent Li Date: Thu Feb 29 15:45:05 2024 +0000 Update README with FireBeeOS Signed-off-by: Vincent Li 1 file changed, 12 insertions(+), 17 deletions(-) commit 0864b3a5bac19fb4eec9ee4402a75af043ac9126 Author: Vincent Li Date: Thu Feb 29 03:08:54 2024 +0000 Add ecapture add-on Signed-off-by: Vincent Li 3 files changed, 80 insertions(+) commit 05ac4be3977128d1a2344245e763b32e2019bd79 Author: Vincent Li Date: Wed Feb 28 14:46:36 2024 +0000 add bpftool and re-arrange lfs build order add lfs bpftool from [0] first to meet lfs xdp-tools requirement. also re-arrange BPF related add-on build order to meet lfs knot build since it requires XDP xsk.h [0] https://github.com/libbpf/bpftool/releases/download/v7.3.0/bpftool-libbpf-v7.3.0-sources.tar.gz Signed-off-by: Vincent Li 3 files changed, 86 insertions(+), 4 deletions(-) commit f8ca312cfa1a5da42ed6bfb6b8b928520dbaa64a Author: Vincent Li Date: Tue Feb 27 03:44:27 2024 +0000 Add xdp-tools add-on with XDP Synproxy add xdp-tools utilities with addition of SYN flooding DDoS attack protection in XDP 
Signed-off-by: Vincent Li
2 files changed, 79 insertions(+)

commit 292ed31c4d92bb186924533817301804a548dc04
Author: Vincent Li
Date: Mon Feb 26 14:41:23 2024 +0000

Add clang add-on

xdp-tools requires clang, add clang during build to meet xdp-tools requirement.

Signed-off-by: Vincent Li
2 files changed, 86 insertions(+)

commit 5de4e5e9e9d65ed0ecd2aff8e25661ff96611c36
Author: Vincent Li
Date: Mon Feb 26 03:06:41 2024 +0000

Add pahole during build

add pahole add-on during build to allow kernel with BPF/BTF enabled to be built. no need to install pahole since we only need it during build.

the procedure to prepare pahole tar ball:

download pahole from [0] untar it and download libbpf from [1] and untar libbpf then:

  rm pahole-1.25/lib/bpf
  mv libbpf-1.3.0 to pahole-1.25/lib/
  cd pahole-1.25/lib/
  mv libbpf-1.3.0 bpf
  cd ../../
  tar -czcf pahole-1.25.tar.gz pahole-1.25
  mv pahole-1.25.tar.gz ipfire-2.x/cache
  b2sum ipfire-2.x/cache/pahole-1.25.tar.gz

Note cmake without optimization -O2 in lfs/pahole result in _FORTIFY_SOURCE requires optimization error since ipfire glibc built with --enable-fortify-source

this also avoid the hack in [2]

[0]https://git.kernel.org/pub/scm/devel/pahole/pahole.git/snapshot/pahole-1.25.tar.gz
[1]https://github.com/libbpf/libbpf/archive/refs/tags/v1.3.0.tar.gz
[2]https://community.ipfire.org/t/how-to-customize-config-kernel-kernel-config-x86-64-ipfire/11100/8

Signed-off-by: Vincent Li
2 files changed, 79 insertions(+)

commit fc0c2fe6dab889c6f78ce276bff6f4c4f54ad185
Author: Vincent Li
Date: Fri Feb 23 00:25:24 2024 +0000

Add GUI Chinese translation

Add China mainland, China hk, China tw translation.

remember to remove log/configroot to re-build image with new language support
Signed-off-by: Vincent Li 4 files changed, 9366 insertions(+) commit 45f0a5d5438e755ae1ab058fb1b3b73331916418 Author: Vincent Li Date: Wed Feb 21 23:26:07 2024 +0000 Add lfs libbpf 1.3.0 add-on follow [0] to add libbpf add-on for bpf user space program to open,load,attach bpf program. to build libbpf add-on, follow [1] first, then follow [0] [0] https://www.ipfire.org/docs/devel/ipfire-2-x/addon-howto [1] https://www.ipfire.org/docs/devel/ipfire-2-x/build-howto Signed-off-by: Vincent Li 3 files changed, 82 insertions(+) commit e97d70d1526d2acb6e026ce8ada4c4e68ceb0638 Author: Vincent Li Date: Tue Feb 20 21:07:56 2024 +0000 Add bpftool bpftool comes with Linux kernel source and it is handy to have bpftool on ipfire kernel with BPF/BTF enabled to diagnosis BPF related issue. Signed-off-by: Vincent Li 2 files changed, 8 insertions(+) commit d0bd3cc0331faaa493e81233432e4ae91a87c431 Author: Vincent Li Date: Sun Feb 18 05:23:27 2024 +0000 Enable kernel BPF/BTF enable kernel BPF/BTF build for ebpf/XDP program packet filtering see hack in [1] [1] https://community.ipfire.org/t/how-to-customize-config-kernel-kernel-config-x86-64-ipfire/11100/7 
Signed-off-by: Vincent Li
1 file changed, 86 insertions(+), 70 deletions(-)

commit 803c6baaea835b73422ecdf04d075b7120797a63
Author: Vincent Li
Date: Sun Feb 18 05:22:00 2024 +0000

Increase img build partition size

increase img build partition size for BPF/BTF enabled kernel

Signed-off-by: Vincent Li
1 file changed, 1 insertion(+), 1 deletion(-)

commit 2f621b80d5e8cfe4e800507885caf71c6304cc65
Author: Vincent Li
Date: Sun Feb 18 05:20:08 2024 +0000

Increase build tmpfs size

increase build tmpfs size to prepare space for building BPF/BTF enabled kernel

Signed-off-by: Vincent Li
1 file changed, 2 insertions(+), 2 deletions(-)

commit 7773f82726f8a93591216867b2862b37242864a0
Author: Vincent Li
Date: Sun Feb 18 05:09:46 2024 +0000

Enable serial console in default grub

serial console allows user to easily access ipfire image instance in KVM/Libvirt environment by virt console

Signed-off-by: Vincent Li
1 file changed, 3 insertions(+), 1 deletion(-)

commit 6d501c05583a4efa513ff4b04a48ef41d5e8170e
Author: Arne Fitzenreiter
Date: Sun Feb 18 11:38:29 2024 +0100

cpufrequtils: hide output on disabled cores.

We disable cores if they are affected by some cpu vulnerabilities, these cores report errors if you try to change the settings. So only print the output for core0 and hide it for all cores.

Signed-off-by: Arne Fitzenreiter
2 files changed, 3 insertions(+), 3 deletions(-)

commit 06a6788e51a863097fc2c6946767e8bf1b144e2f
Author: Arne Fitzenreiter
Date: Sun Feb 18 07:59:18 2024 +0100

core184: fix rtl8812au module compression

Signed-off-by: Arne Fitzenreiter
1 file changed, 4 insertions(+)

commit 1d1f9a9a064b6423eb2f448d8c03213553adf085
Author: Arne Fitzenreiter
Date: Sat Feb 17 19:46:34 2024 +0100

rtl8812au: fix module compression

the kernel cannot load the compressed module so fix compression parameters.
Signed-off-by: Arne Fitzenreiter
1 file changed, 1 insertion(+), 1 deletion(-)

commit 51fd73ea2b1c04204cfb3005425b5e9794d833e8
Author: Arne Fitzenreiter
Date: Fri Feb 16 16:17:47 2024 +0100

cpufrequtils: fix initskript for amd-pstate

the initskript loads a test module for amd-pstate (which traces on intel) and of course reports errors if firmware settings are missing.

this also fixes the error at start because also amd-pstate doesn't support ondemand mode.

Signed-off-by: Arne Fitzenreiter
2 files changed, 24 insertions(+), 23 deletions(-)

commit c9c9580c4e5ef2e726ffe6368ae85b3209917ce1
Author: Adolf Belka
Date: Thu Feb 15 21:47:57 2024 +0100

freeradius: Increment PAK_VER & ship freeradius to link to the updated libssl version

- OpenSSL was updated to 3.1.4 in CU181 and to 3.2.1 in CU183 but in both cases freeradius was not incremented to cause it to be shipped.
- This patch increments the freeradius PAK_VER to ensure it will be shipped.

Fixes: Bug#13590
Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer
1 file changed, 2 insertions(+), 2 deletions(-)

commit dd24668627fd9ee1c8ef912840904a556e5a690b
Author: Adolf Belka
Date: Sun Feb 11 14:19:48 2024 +0100

files: Ship collectd.conf for bug#12981

Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+) commit 2071b2964fed10cbcf62bd2d7da3b7e718f8a88f Author: Adolf Belka Date: Wed Feb 14 11:34:36 2024 +0100 graphs.pl: Fixes graph failure when the DROP_HOSTILE directory is missing - If a fresh install is done then only the DROP_HOSTILE_IN & DROP_HOSTILE_OUT rrd directories are created. - With the DROP_HOSTILE directory missing then when the fwhits graph is updated an error message is caused by the inability to open the required files. - This patch adds an if/else loop into the fwhits graph code to deal with the two cases of the DROP_HOSTILE being present or not depending on the history and if a backup with logs has been restored from when DROP_HOSTILE was in use. - Tested on vm testbed and created a historical line for the hostile data when it was not split - There might be a simpler or better approach than this but it was the only option I could identify. I couldn't find anything about being able to use if loops within the RRD::Graph loop Tested-by: Adolf Belka Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 1 file changed, 158 insertions(+), 79 deletions(-) commit f3d7ce3b5d83222c78bc2b246f6afd5766af4dc9 Author: Michael Tremer Date: Wed Feb 14 19:01:25 2024 +0000 core184: Ship unbound Signed-off-by: Michael Tremer 2 files changed, 2 insertions(+) commit 4fb7b188434b69a7dc6c5e40e827f6a8f389a86f Author: Matthias Fischer Date: Wed Feb 14 17:24:52 2024 +0100 unbound: Update to 1.19.1 For details see: https://nlnetlabs.nl/projects/unbound/download/#unbound-1-19-1 "Bug Fixes Fix CVE-2023-50387, DNSSEC verification complexity can be exploited to exhaust CPU resources and stall DNS resolvers. Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU." Signed-off-by: Matthias Fischer 
Signed-off-by: Michael Tremer 1 file changed, 3 insertions(+), 3 deletions(-) commit e705636a854de570987817d2f847bec980db928f Author: Matthias Fischer Date: Wed Feb 14 17:34:10 2024 +0100 unbound 1.19.1: Fix for forgotten rootfile Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+), 1 deletion(-) commit 0698daa3fb935ede4c027e8b507e7b3106391a86 Author: Michael Tremer Date: Wed Feb 14 19:00:03 2024 +0000 core184: Ship bind Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+) commit de9e44e82daa1e650a38e3cb5235a59caaedb66b Author: Matthias Fischer Date: Wed Feb 14 17:43:12 2024 +0100 bind: Update to 9.16.48 For details see: https://downloads.isc.org/isc/bind9/9.16.48/doc/arm/html/notes.html#notes-for-bind-9-16-48 Fixes several CVEs. Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer 2 files changed, 10 insertions(+), 10 deletions(-) commit ee4c8d28e493862cb630e79b7ffadd6807b465fa Author: Michael Tremer Date: Fri Feb 9 14:15:32 2024 +0000 core183: Ship suricata Signed-off-by: Michael Tremer 3 files changed, 3 insertions(+), 1 deletion(-) commit 89941c3d131176a2cbc81f18dda2ab8a312e4aa0 Author: Michael Tremer Date: Fri Feb 9 11:30:38 2024 +0000 suricata: Update to 6.0.16 https://redmine.openinfosecfoundation.org/versions/201 Signed-off-by: Michael Tremer 1 file changed, 2 insertions(+), 2 deletions(-) commit 456aad9443bade55b2e8ef337191729c02632aed Author: Michael Tremer Date: Fri Feb 9 11:33:23 2024 +0000 libhtp: Update to 0.5.46 Signed-off-by: Michael Tremer 1 file changed, 2 insertions(+), 2 deletions(-) commit 4c68bcb588de1bda5944e3bee09aaf314b450aa8 Author: Michael Tremer Date: Fri Feb 9 12:02:11 2024 +0000 installer: Fail if the bootloader could not be installed If GRUB could not be installed during installation, the installer continued without reporting the error to the user. This change will make the installer fail. 
Signed-off-by: Michael Tremer 1 file changed, 2 insertions(+), 2 deletions(-) commit bce42f80eb06c1b14e1cc4eaeab5d72724a0e456 Author: Michael Tremer Date: Fri Feb 9 11:39:02 2024 +0000 core184: Ship suricata & libhtp Signed-off-by: Michael Tremer 3 files changed, 3 insertions(+), 1 deletion(-) commit fced111d30804160fe0e96b8bdca30dd11b43774 Author: Michael Tremer Date: Fri Feb 9 11:33:23 2024 +0000 libhtp: Update to 0.5.46 Signed-off-by: Michael Tremer 1 file changed, 2 insertions(+), 2 deletions(-) commit ef387142af48f8827225ac7695183b765829aeae Author: Michael Tremer Date: Fri Feb 9 11:30:38 2024 +0000 suricata: Update to 6.0.16 https://redmine.openinfosecfoundation.org/versions/201 Signed-off-by: Michael Tremer 1 file changed, 2 insertions(+), 2 deletions(-) commit 8e111d6f03f4e8f71bedd21e623700534ae7603b Author: Michael Tremer Date: Fri Feb 9 11:26:55 2024 +0000 core184: Ship squid Signed-off-by: Michael Tremer 2 files changed, 6 insertions(+) commit 8c2109bc217862207fc405fbbb1f6f9bfde53413 Author: Matthias Fischer Date: Wed Feb 7 18:37:23 2024 +0100 squid: Update to 6.7 Signed-off-by: Matthias Fischer For details see: https://github.com/squid-cache/squid/commits/v6 Signed-off-by: Michael Tremer 1 file changed, 3 insertions(+), 3 deletions(-) commit 498d5613d6d46ea4392f0239485b2f1af8c91623 Author: Michael Tremer Date: Fri Feb 9 11:25:19 2024 +0000 core184: Ship expat 
Signed-off-by: Michael Tremer
1 file changed, 1 insertion(+)

commit 49b8893ff5c28abaf717e35d9db2f6b8177ff53d
Author: Adolf Belka
Date: Wed Feb 7 12:13:19 2024 +0100

expat: Update to version 2.6.0

- Update from version 2.5.0 to 2.6.0
- Update of rootfile
- This update fixes two CVE's. Not sure if IPFire would be vulnerable or not but safer to update anyway.
- Changelog

2.6.0

Security fixes:
  #789 #814 CVE-2023-52425 -- Fix quadratic runtime issues with big tokens that can cause denial of service, in partial where dealing with compressed XML input. Applications that parsed a document in one go -- a single call to functions XML_Parse or XML_ParseBuffer -- were not affected. The smaller the chunks/buffers you use for parsing previously, the bigger the problem prior to the fix. Backporters should be careful to no omit parts of pull request #789 and to include earlier pull request #771, in order to not break the fix.
  #777 CVE-2023-52426 -- Fix billion laughs attacks for users compiling *without* XML_DTD defined (which is not common). Users with XML_DTD defined have been protected since Expat >=2.4.0 (and that was CVE-2013-0340 back then).
Bug fixes:
  #753 Fix parse-size-dependent "invalid token" error for external entities that start with a byte order mark
  #780 Fix NULL pointer dereference in setContext via XML_ExternalEntityParserCreate for compilation with XML_DTD undefined
  #812 #813 Protect against closing entities out of order

Other changes:
  #723 Improve support for arc4random/arc4random_buf
  #771 #788 Improve buffer growth in XML_GetBuffer and XML_Parse
  #761 #770 xmlwf: Support --help and --version
  #759 #770 xmlwf: Support custom buffer size for XML_GetBuffer and read
  #744 xmlwf: Improve language and URL clickability in help output
  #673 examples: Add new example "element_declarations.c"
  #764 Be stricter about macro XML_CONTEXT_BYTES at build time
  #765 Make inclusion to expat_config.h consistent
  #726 #727 Autotools: configure.ac: Support --disable-maintainer-mode
  #678 #705 .. #706 #733 #792 Autotools: Sync CMake templates with CMake 3.26
  #795 Autotools: Make installation of shipped man page doc/xmlwf.1 independent of docbook2man availability
  #815 Autotools|CMake: Add missing -DXML_STATIC to pkg-config file section "Cflags.private" in order to fix compilation against static libexpat using pkg-config on Windows
  #724 #751 Autotools|CMake: Require a C99 compiler (a de-facto requirement already since Expat 2.2.2 of 2017)
  #793 Autotools|CMake: Fix PACKAGE_BUGREPORT variable
  #750 #786 Autotools|CMake: Make test suite require a C++11 compiler
  #749 CMake: Require CMake >=3.5.0
  #672 CMake: Lowercase off_t and size_t to help a bug in Meson
  #746 CMake: Sort xmlwf sources alphabetically
  #785 CMake|Windows: Fix generation of DLL file version info
  #790 CMake: Build tests/benchmark/benchmark.c as well for a build with -DEXPAT_BUILD_TESTS=ON
  #745 #757 docs: Document the importance of isFinal + adjust tests accordingly
  #736 docs: Improve use of "NULL" and "null"
  #713 docs: Be specific about version of XML (XML 1.0r4) and version of C (C99); (XML 1.0r5 will need a sponsor.)
  #762 docs: reference.html: Promote function XML_ParseBuffer more
  #779 docs: reference.html: Add HTML anchors to XML_* macros
  #760 docs: reference.html: Upgrade to OK.css 1.2.0
  #763 #739 docs: Fix typos
  #696 docs|CI: Use HTTPS URLs instead of HTTP at various places
  #669 #670 .. #692 #703 .. #733 #772 Address compiler warnings
  #798 #800 Address clang-tidy warnings
  #775 #776 Version info bumped from 9:10:8 (libexpat*.so.1.8.10) to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/ for what these numbers do

Infrastructure:
  #700 #701 docs: Document security policy in file SECURITY.md
  #766 docs: Improve parse buffer variables in-code documentation
  #674 #738 .. #740 #747 .. #748 #781 #782 Refactor coverage and conformance tests
  #714 #716 Refactor debug level variables to unsigned long
  #671 Improve handling of empty environment variable value in function getDebugLevel (without visible user effect)
  #755 #774 .. #758 #783 .. #784 #787 tests: Improve test coverage with regard to parse chunk size
  #660 #797 #801 Fuzzing: Improve fuzzing coverage
  #367 #799 Fuzzing|CI: Start running OSS-Fuzz fuzzing regression tests
  #698 #721 CI: Resolve some Travis CI leftovers
  #669 CI: Be robust towards absence of Git tags
  #693 #694 CI: Set permissions to "contents: read" for security
  #709 CI: Pin all GitHub Actions to specific commits for security
  #739 CI: Reject spelling errors using codespell
  #798 CI: Enforce clang-tidy clean code
  #773 #808 .. #809 #810 CI: Upgrade Clang from 15 to 18
  #796 CI: Start using Clang's Control Flow Integrity sanitizer
  #675 #720 #722 CI: Adapt to breaking changes in GitHub Actions Ubuntu images
  #689 CI: Adapt to breaking changes in Clang/LLVM Debian packaging
  #763 CI: Adapt to breaking changes in codespell
  #803 CI: Adapt to breaking changes in Cppcheck

Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer
2 files changed, 15 insertions(+), 14 deletions(-)

commit 3757d24e470975ab3451a1d8adb36281468c0532
Author: Michael Tremer
Date: Wed Feb 7 11:21:49 2024 +0000

libvirt: Don't build for riscv64

There seems to be some problem that this package does not build from source, but as we don't currently have any hardware that supports this, there is no point in debugging it.

Signed-off-by: Michael Tremer
1 file changed, 1 insertion(+), 1 deletion(-)

commit b8c898b4824624b802ffda8b92c7009ea5a9db46
Author: Michael Tremer
Date: Wed Feb 7 11:09:50 2024 +0000

core184: Ship vpnmain.cgi

Signed-off-by: Michael Tremer
1 file changed, 1 insertion(+)

commit 9f01011570be542e394503cb8a4c5184eb9be8d1
Author: Michael Tremer
Date: Tue Jan 30 17:45:44 2024 +0000

vpnmain.cgi: Add option to regenerate the host certificate

This is necessary since we now have a much shorter lifetime for the host certificate.

However, it is complicated to do this, which is why we are copying the previous certificate and generate a new CSR. This is then signed.

A caveat of this patch is that we do not rollover the key.

Signed-off-by: Michael Tremer
13 files changed, 72 insertions(+), 1 deletion(-)

commit aa07e1bb3eba3606a0b8e647180e0926a411016b
Author: Michael Tremer
Date: Tue Jan 30 17:45:43 2024 +0000

vpnmain.cgi: Return the entire error message if OpenSSL fails

The function did not evaluate the return code which is why it used a hack to figure out if some output is an error or not.

This is being fixed in this commit and the entire output is being returned if the return code is non-zero.

Signed-off-by: Michael Tremer
1 file changed, 7 insertions(+), 6 deletions(-)

commit 182743310ce47d9a78d5fd6d32c510bcbb163762
Author: Michael Tremer
Date: Tue Jan 30 17:45:42 2024 +0000

vpnmain.cgi: Do not use a bad source for randomness
Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+), 1 deletion(-) commit 08c20b8457ec8c8fe24dda561b8d28a6f6b584a3 Author: Michael Tremer Date: Wed Feb 7 11:05:08 2024 +0000 core184: Ship HOSTILE IN/OUT changes Signed-off-by: Michael Tremer 2 files changed, 5 insertions(+) commit 3dfc7489461d52321bf6cb6a342b15416fd362bb Author: Michael Tremer Date: Tue Feb 6 18:17:26 2024 +0000 firewall: Improve labelling of hostile networks hits Signed-off-by: Michael Tremer 10 files changed, 30 insertions(+), 30 deletions(-) commit 7c9a6cf1631cd68970762cbb61056618f6de4c2e Author: Michael Tremer Date: Tue Feb 6 18:11:48 2024 +0000 firewall: graphs: Add a line for the total number of hostile hits Signed-off-by: Michael Tremer 12 files changed, 31 insertions(+) commit b4f6962c4dd5ddd18a376e4acec6a861cf870fa1 Author: Adolf Belka Date: Sun Jan 21 12:45:53 2024 +0100 optionsfw.cgi: Move Firewall Options Drop commands to before the logging section - Moved the Firewall Options Drop commands to before the logging section, as discussed at January 2024 Video Call. Tested-by: Adolf Belka Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 1 file changed, 24 insertions(+), 23 deletions(-) commit 216d4bfc3d42bb280ed4f88e066d9147b0f5b5c2 Author: Adolf Belka Date: Sun Jan 21 12:45:52 2024 +0100 graphs.pl: Fixes bug12981 - Creates in and outgoing drop hostile graph entries - This v3 version of the patch set splits the single hostile networks graph entry into incoming hostile networks and outgoing hostile networks entries. Fixes: bug12981 Tested-by: Adolf Belka Signed-off-by: Adolf Belka 
Signed-off-by: Michael Tremer 1 file changed, 12 insertions(+), 6 deletions(-) commit d2b423b1dc866dccf70dba93d779da36871c1b84 Author: Adolf Belka Date: Sun Jan 21 12:45:51 2024 +0100 collectd.conf: Fix bug12981 - This creates in and out drop hostile data collection - In this v3 version of the patch set the splitting of drop hostile logging into incoming and outgoing logging means that the data collection and graphs need to have drop hostile also split into incoming and outgoing. Fixes: bug12981 Tested-by: Adolf Belka Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 1 file changed, 2 insertions(+), 1 deletion(-) commit 6aa450ec3b4ab8a9a9ed37c710321c19b4db104d Author: Adolf Belka Date: Sun Jan 21 12:45:50 2024 +0100 en.pl: Fixes bug12981 - adds english language input for choice of drop hostile logging - In this v3 version have added translations for hostile networks in and hostile networks out and log drop hostile in and log drop hostile out. Fixes: bug12981 Tested-by: Adolf Belka Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 11 files changed, 75 insertions(+), 12 deletions(-) commit 37c5b4b62eb0e6bfb617a7173dd07d473c34f6a5 Author: Adolf Belka Date: Sun Jan 21 12:45:49 2024 +0100 firewall: Fixes bug12981 - add if loop to log or not log dropped hostile traffic - This v3 version now has two if loops allowing logging of incoming drop hostile or outgoing drop hostile or both or neither. - Dependent on the choice in optionsfw.cgi this loop will either log or not log the dropped hostile traffic. Fixes: bug12981 Tested-by: Adolf Belka Signed-off-by: Adolf Belka Reviewed-by: Bernhard Bitsch 
Signed-off-by: Michael Tremer
1 file changed, 12 insertions(+), 3 deletions(-)

commit f23555a1c6acb12fbb626a27c2189dee4cb45c0c
Author: Adolf Belka
Date: Sun Jan 21 12:45:48 2024 +0100

rules.pl: Fixes bug12981 - Add in and out specific actions for drop hostile

- This changes the action from HOSTILE_DROP to HOSTILE_DROP_IN for incoming traffic and HOSTILE_DROP_OUT for outgoing traffic enabling logging decisions to be taken on each independently.

Fixes: bug12981
Signed-off-by: Adolf Belka
Reviewed-by: Bernhard Bitsch
Acked-by: Bernhard Bitsch
Signed-off-by: Michael Tremer
1 file changed, 3 insertions(+), 3 deletions(-)

commit 89645d1bbfbb26bdf0351fe01b69978f73fc0074
Author: Adolf Belka
Date: Sun Jan 21 12:45:47 2024 +0100

optionsfw.cgi: Fix bug12981 - Add option to log or not log dropped hostile traffic

- This v3 version has split the logging choice for drop hostile to separate the logging of incoming drop hostile and outgoing drop hostile.
- The bug originator had no port forwards so all hostile would be dropped normally anyway. However the logs were being swamped by the logging of drop hostile making analysis difficult. So incoming drop hostile was desired to not be logged. However logging of outgoing drop hostile was desired to identify if clients on the internal lan were infected with malware trying to reach home.
- Added option with drop hostile section to decide if the dropped traffic should be logged or not.

Fixes: bug12981
Tested-by: Adolf Belka
Reviewed-by: Bernhard Bitsch
Tested-by: Bernhard Bitsch
Signed-off-by: Michael Tremer
1 file changed, 26 insertions(+)

commit 7d0f48668b681b4b788f8adffd5a6d0ad56d02a5
Author: Michael Tremer
Date: Wed Feb 7 11:01:25 2024 +0000

elfutils: Don't ship tools

I don't think there is any point that we ship these.
Signed-off-by: Michael Tremer 2 files changed, 37 insertions(+), 19 deletions(-) commit fb7d13725fc3d16eeddad73e5cfa86a15bc58408 Author: Michael Tremer Date: Wed Feb 7 10:58:21 2024 +0000 core184: Remove elfutils pakfire metadata (if installed) Signed-off-by: Michael Tremer 1 file changed, 6 insertions(+) commit 0e16c27908960fd911efe8193489a16eb970455f Author: Adolf Belka Date: Tue Feb 6 22:27:39 2024 +0100 strace: elfutils moved from addon dependency to core program Fixes: Bug#13516 Tested-by: Adolf Belka Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 1 file changed, 3 insertions(+), 3 deletions(-) commit 4b1254520ab884792aa41a342a7e2e31320519db Author: Adolf Belka Date: Tue Feb 6 22:27:38 2024 +0100 qemu: elfutils moved from addon dependency to core program Fixes: Bug#13516 Tested-by: Adolf Belka Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 1 file changed, 3 insertions(+), 3 deletions(-) commit c09d2324479fa2fceec9eb5166b5e8e7af45fb0a Author: Adolf Belka Date: Tue Feb 6 22:27:37 2024 +0100 ltrace: elfutils moved from addon dependency to core program Fixes: Bug#13516 Tested-by: Adolf Belka Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 1 file changed, 3 insertions(+), 3 deletions(-) commit 30dc4c0248a65b70baf89cb46cc5b18993788501 Author: Adolf Belka Date: Tue Feb 6 22:27:36 2024 +0100 frr: elfutils moved from addon dependency to core program Fixes: Bug#13516 Tested-by: Adolf Belka Signed-off-by: Adolf Belka 
Signed-off-by: Michael Tremer 1 file changed, 2 insertions(+), 2 deletions(-) commit 816af4dfb78eb5f7b95390d1bd3e444f7fbb42fe Author: Adolf Belka Date: Tue Feb 6 22:27:35 2024 +0100 elfutils: Move from addon to core program. Required by suricata-7.0.2 for execution - Updated lfs file to core program type - Moved rootfile from packages to common - Older suricata versions required elfutils only for building but suricata-7.0.2 fails to start if elfutils is not present due to libelf.so.1 being missing. - The requirement for elfutils is not mentioned at all in the changelog. Fixes: Bug#13516 Tested-by: Adolf Belka Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 2 files changed, 1 insertion(+), 10 deletions(-) commit 437bfd678013cf2b56b673b67a3eb6d68a0831cd Author: Arne Fitzenreiter Date: Mon Feb 5 11:07:03 2024 +0100 vdr_streamdev: update to 0.6.3 Signed-off-by: Arne Fitzenreiter 2 files changed, 8 insertions(+), 9 deletions(-) commit 6179f056da9a9191d26a0ea7a54dbb231ff97036 Author: Arne Fitzenreiter Date: Mon Feb 5 11:06:29 2024 +0100 vdr_epgsearch: update to 2.4.2 Signed-off-by: Arne Fitzenreiter 2 files changed, 11 insertions(+), 12 deletions(-) commit 2c930773f56b75903c590cf41bcdfe680c743c3c Author: Arne Fitzenreiter Date: Mon Feb 5 11:05:02 2024 +0100 vdr_eepg: update PLUGVER to new vdr Signed-off-by: Arne Fitzenreiter 2 files changed, 4 insertions(+), 4 deletions(-) commit bc4b8c485863d4a5d71f083b684080132fa726d2 Author: Arne Fitzenreiter Date: Mon Feb 5 11:03:33 2024 +0100 vdr_dvbapi: update pluginver for new vdr Signed-off-by: Arne Fitzenreiter 2 files changed, 4 insertions(+), 4 deletions(-) commit cbf32e7dd20dcc008aafe4c34d5b8898ccea2dd4 Author: Arne Fitzenreiter Date: Mon Feb 5 11:02:25 2024 +0100 vdr: update to 2.6.6 Signed-off-by: Arne Fitzenreiter 1 file changed, 5 insertions(+), 5 deletions(-) commit 8fcd99355b0386522f22fe08c098afc9df375b22 Author: Arne Fitzenreiter Date: Sun Feb 4 06:55:10 2024 +0000 borgbackup: fix rootfile 
Signed-off-by: Arne Fitzenreiter 1 file changed, 9 insertions(+), 9 deletions(-) commit 9a003afb9d35475fca024a8f0fa7049488f6c35f Author: Arne Fitzenreiter Date: Sun Feb 4 06:54:38 2024 +0000 python3-pyfuse3: fix rootfile Signed-off-by: Arne Fitzenreiter 1 file changed, 1 insertion(+), 1 deletion(-) commit 84a8b679cb0f32126983f390b34f286b5a20d309 Author: Arne Fitzenreiter Date: Sun Feb 4 06:53:49 2024 +0000 python3-msgpack: fix rootfile Signed-off-by: Arne Fitzenreiter 1 file changed, 1 insertion(+), 1 deletion(-) commit cd5d0b7658f67a5db50332434b93f579bda24e74 Author: Arne Fitzenreiter Date: Sat Feb 3 14:47:41 2024 +0000 checkrootfiles: fix search for wrong rootfiles I'm not sure when the grep syntax has changed but grep -r not like/ignore the leading "/" anymore. 1 file changed, 14 insertions(+), 10 deletions(-) commit 8c43d1481a99743ce23d8b92879ea04f7e0153c1 Author: Arne Fitzenreiter Date: Fri Feb 2 07:33:38 2024 +0000 kernel: update to 6.6.15 Signed-off-by: Arne Fitzenreiter 5 files changed, 9 insertions(+), 9 deletions(-) commit 7f7cbd68b8fc15de7d8a10569684611704f005b7 Author: Arne Fitzenreiter Date: Wed Jan 31 21:09:14 2024 +0100 mympd: create/check config before first start this creates missing folders for webradio and state. Signed-off-by: Arne Fitzenreiter 1 file changed, 3 insertions(+) commit 664eac84834676fd0bd64b7a90c93e4c612a860c Author: Arne Fitzenreiter Date: Sun Jan 28 21:29:46 2024 +0100 mympd: new addon to control mpd via WebGUI myMPD is written in C and has a nice WebGUI to play local music and also a WebRadio browser. This is to replace the removed client175. After install it can be reached via https://IP_OF_THE_IPFIRE:8800 Signed-off-by: Arne Fitzenreiter Signed-off-by: Michael Tremer 8 files changed, 265 insertions(+) commit fdad4cf48f53556086fea1965b3e79b2c68ed3d5 Author: Arne Fitzenreiter Date: Sun Jan 28 15:42:53 2024 +0100 mpfire: fix initskript uninstall the uninstall with rm /etc/rc*.d/*mpd removes not only the mpd initlinks.
Signed-off-by: Michael Tremer 2 files changed, 2 insertions(+), 2 deletions(-) commit d145574673a2822fc219cda4d1e19184b94c1078 Author: Arne Fitzenreiter Date: Fri Feb 2 07:33:38 2024 +0000 kernel: update to 6.6.15 Signed-off-by: Arne Fitzenreiter 5 files changed, 9 insertions(+), 9 deletions(-) commit e95d12e5ee8dad6a605c306098f4e2618c8d7872 Author: Michael Tremer Date: Thu Feb 1 16:09:02 2024 +0000 core184: Ship lzip Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+) commit f7520e0addcb4162ba48aad221749a1f429763ff Author: Adolf Belka Date: Thu Feb 1 09:29:13 2024 +0100 lzip: Update to version 1.24 - Update from version 1.23 to 1.24 - Update of rootfile not required - Changelog 1.24 The option '--empty-error', which forces exit status 2 if any empty member is found, has been added. The option '--marking-error', which forces exit status 2 if the first LZMA byte is non-zero in any member, has been added. File diagnostics have been reformatted as 'PROGRAM: FILE: MESSAGE'. Diagnostics caused by invalid arguments to command-line options now show the argument and the name of the option. The option '-o, --output' now preserves dates, permissions, and ownership of the file when (de)compressing exactly one file. The option '-o, --output' now creates missing intermediate directories when writing to a file. The variable MAKEINFO has been added to configure and Makefile.in. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 1 file changed, 5 insertions(+), 4 deletions(-) commit 7de5c351b5814e07a8c5d1954e05533648dcaa0d Author: Michael Tremer Date: Thu Feb 1 16:07:39 2024 +0000 core184: Ship gettext 
Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+) commit 64aa5bf53e80349ed1ea029a1896e193b0dfb897 Author: Adolf Belka Date: Thu Feb 1 09:29:11 2024 +0100 gettext: Update to version 0.22.4 - Update from version 0.22 to 0.22.4 - Update of rootfile - Changelog 0.22.4 * Bug fixes: - AM_GNU_GETTEXT now recognizes a statically built libintl on macOS and AIX. - Build fixes on AIX. 0.22.3 * Portability: - The libintl library now works on macOS 14. (Older versions of libintl crash on macOS 14, due to an incompatible change in macOS.) 0.22.2 * Bug fixes: - The libintl shared library now exports again some symbols that were accidentally missing. This bug was introduced in version 0.22. 0.22.1 * Bug fixes: - xgettext's processing of large Perl files may have led to errors - "xgettext --join-existing" could encounter errors. These bugs were introduced in version 0.22. * Portability: - Building on Android is now supported. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 2 files changed, 19 insertions(+), 17 deletions(-) commit 2b2453568d000771541300b3bb7383277d6acaf8 Author: Michael Tremer Date: Thu Feb 1 16:07:01 2024 +0000 core184: Ship ed 
Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+) commit da63a6cc46e7b03b47b440a0e501ff57a077ebbd Author: Adolf Belka Date: Thu Feb 1 09:29:10 2024 +0100 ed: Update to version 1.20 - Update from version 1.19 to 1.20 - Update of rootfile not required - Changelog 1.20 New command-line options '+line', '+/RE', and '+?RE' have been implemented to set the current line to the line number specified or to the first or last line matching the regular expression 'RE'. (Suggested by Matthew Polk and John Cowan). File names containing control characters 1 to 31 are now rejected unless they are allowed with the command-line option '--unsafe-names'. File names containing control characters 1 to 31 are now printed using octal escape sequences. Ed now rejects file names ending with a slash. Intervening commands that don't set the modified flag no longer make a second 'e' or 'q' command fail with a 'buffer modified' warning. Tilde expansion is now performed on file names supplied to commands; if a file name starts with '~/', the tilde (~) is expanded to the contents of the variable HOME. (Suggested by John Cowan). Ed now warns the first time that a command modifies a buffer loaded from a read-only file. (Suggested by Dan Jacobson). Ed now creates missing intermediate directories when writing to a file. It has been documented that 'e' creates an empty buffer if file does not exist. It has been documented that 'f' sets the default filename, whether or not its argument names an existing file. The description of the exit status has been improved in '--help' and in the manual. The variable MAKEINFO has been added to configure and Makefile.in. It has been documented in INSTALL that when choosing a C standard, the POSIX features need to be enabled explicitly: ./configure CFLAGS+='--std=c99 -D_POSIX_C_SOURCE=2' Signed-off-by: Adolf Belka 
Signed-off-by: Michael Tremer 1 file changed, 7 insertions(+), 4 deletions(-) commit 49758838337a5feebbd170dd30ad9829a5c2cc98 Author: Michael Tremer Date: Thu Feb 1 16:06:10 2024 +0000 core184: Ship diffutils Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+) commit fa96ada3a275daf21f68b77549f688db8cd5b5fc Author: Adolf Belka Date: Thu Feb 1 09:29:09 2024 +0100 diffutils: Update to version 3.10 - Update from version 3.9 to 3.10 - Update of rootfile not required - Changelog 3.10 Bug fixes cmp/diff can again work with file dates past Y2K38 [bug introduced in 3.9] diff -D no longer fails to output #ifndef lines. [bug#61193 introduced in 3.9] Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 1 file changed, 6 insertions(+), 4 deletions(-) commit 88b6ad81123d2258aabc919055df0c2b478d8c00 Author: Arne Fitzenreiter Date: Wed Jan 31 21:09:14 2024 +0100 mympd: create/check config before first start this creates missing folders for webradio and state. Signed-off-by: Arne Fitzenreiter 1 file changed, 3 insertions(+) commit 83338946dc2121d1f0d332d4e5f2f13b1bf078d5 Author: Michael Tremer Date: Wed Jan 31 17:09:16 2024 +0000 core184: Ship glibc
Signed-off-by: Michael Tremer 4 files changed, 6 insertions(+) commit 38c1be257f5d740a502112ee8eae3566d8f2ac4e Author: Michael Tremer Date: Wed Jan 31 11:09:41 2024 +0000 glibc: Import latest patches from upstream These include (amongst others) fixes for: GLIBC-SA-2024-0001: =================== syslog: Heap buffer overflow in __vsyslog_internal (CVE-2023-6246) __vsyslog_internal did not handle a case where printing a SYSLOG_HEADER containing a long program name failed to update the required buffer size, leading to the allocation and overflow of a too-small buffer on the heap. GLIBC-SA-2024-0002: =================== syslog: Heap buffer overflow in __vsyslog_internal (CVE-2023-6779) __vsyslog_internal used the return value of snprintf/vsnprintf to calculate buffer sizes for memory allocation. If these functions (for any reason) failed and returned -1, the resulting buffer would be too small to hold output. GLIBC-SA-2024-0003: =================== syslog: Integer overflow in __vsyslog_internal (CVE-2023-6780) __vsyslog_internal calculated a buffer size by adding two integers, but did not first check if the addition would overflow. 
Signed-off-by: Michael Tremer 45 files changed, 1922 insertions(+), 27 deletions(-) commit 72a5fff634e357204cee76308f7e7ad4ddca406e Author: Adolf Belka Date: Wed Jan 31 15:18:48 2024 +0100 sqlite: Update to version 3450100 - Update from version 3450000 to 3450100 - Update of rootfile not required - Changelog 3.45.1 Restore the JSON BLOB input bug, and promise to support the anomaly in subsequent releases, for backward compatibility. Fix the PRAGMA integrity_check command so that it works on read-only databases that contain FTS3 and FTS5 tables. This resolves an issue introduced in version 3.44.0 but was undiscovered until after the 3.45.0 release. Fix issues associated with processing corrupt JSONB inputs: Prevent exponential runtime when converting a corrupt JSONB into text. Fix a possible read of one byte past the end of the JSONB blob when converting a corrupt JSONB into text. Enhanced testing using jfuzz to prevent any future JSONB problems such as the above. Fix a long-standing bug in which a read of a few bytes past the end of a memory-mapped segment might occur when accessing a craftily corrupted database using memory-mapped database. Fix a long-standing bug in which a NULL pointer dereference might occur in the bytecode engine due to incorrect bytecode being generated for a class of SQL statements that are deliberately designed to stress the query planner but which are otherwise pointless. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 1 file changed, 2 insertions(+), 2 deletions(-) commit 08fb3034d0e5db72138d2ff87b91ea0dcfa532a0 Author: Michael Tremer Date: Wed Jan 31 17:06:33 2024 +0000 core184: Ship readline 
Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+) commit e9ba050b69fb162c9520063394bc52513dfa1a37 Author: Adolf Belka Date: Wed Jan 31 15:18:47 2024 +0100 readline: Update patches to patch 1 to patch 10 - Update from version 8.2 with patch 1 to 8.2 with patches 1 to 10 - Update of rootfile not required - Changelog Patch 10 Fix the case where text to be completed from the line buffer (quoted) is compared to the common prefix of the possible matches (unquoted) and the quoting makes the former appear to be longer than the latter. Readline assumes the match doesn't add any characters to the word and doesn't display multiple matches. Patch 9 Fix issue where the directory name portion of the word to be completed (the part that is passed to opendir()) requires both tilde expansion and dequoting. Readline only performed tilde expansion in this case, so filename completion would fail. Patch 8 Add missing prototypes for several function declarations. Patch 7 If readline is called with no prompt, it should display a newline if return is typed on an empty line. It should still suppress the final newline if return is typed on the last (empty) line of a multi-line command. Patch 6 This is a variant of the same issue as the one fixed by patch 5. In this case, the signal arrives and is pending before readline calls rl_getc(). When this happens, the pending signal will be handled by the loop, but may alter or destroy some state that the callback uses. Readline needs to treat this case the same way it would if a signal interrupts pselect/select, so compound operations like searches and reading numeric arguments get cleaned up properly. Patch 5 If an application is using readline in callback mode, and a signal arrives after readline checks for it in rl_callback_read_char() but before it restores the application's signal handlers, it won't get processed until the next time the application calls rl_callback_read_char(). 
Readline needs to check for and resend any pending signals after restoring the application's signal handlers. Patch 4 There are systems that supply one of select or pselect, but not both. Patch 3 The custom color prefix that readline uses to color possible completions must have a leading `.'. Patch 2 It's possible for readline to try to zero out a line that's not null-terminated, leading to a memory fault. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 10 files changed, 576 insertions(+), 3 deletions(-) commit c749cee1e55a0855d88838abda59334bd9065a16 Author: Michael Tremer Date: Wed Jan 31 17:06:09 2024 +0000 core184: Ship iana-etc Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+) commit 622c9fe03feac9f5176faee1752fcb87153e54b6 Author: Adolf Belka Date: Wed Jan 31 15:18:46 2024 +0100 iana-etc: Update to version 20240125 - Update from version 20231026 to 20240125 - Update of rootfile not required - Changelog - update of iana-etc files Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 1 file changed, 3 insertions(+), 3 deletions(-) commit 9d6db385d7796328027f14534f2c03fd917680b2 Author: Adolf Belka Date: Wed Jan 31 15:18:45 2024 +0100 help2man: Update to version 1.49.3 - Update from version 1.49.2 to 1.49.3 - Update of rootfile not required - Changelog 1.49.3 * Cleanup whitespace in po-texi/help2man-texi.pot. * Add Korean translation (thanks to Seong-ho Cho). Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 1 file changed, 3 insertions(+), 3 deletions(-) commit 43894a9bab2f85a400831bc892cd216da454d881 Author: Michael Tremer Date: Wed Jan 31 17:05:30 2024 +0000 core184: Ship file
Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+) commit 5aba1a15f756c316af2f4a753054a971a859c974 Author: Adolf Belka Date: Wed Jan 31 15:18:44 2024 +0100 file: Update to version 5.45 - Update from version 5.44 to 5.45 - Update of rootfile not required - Changelog 5.45 * PR/465: psrok1: Avoid muslc asctime_r crash * add SIMH tape format support * bump the max size of the elf section notes to be read to 128K and make it configurable * PR/415: Fix decompression with program returning empty * PR/408: fix -p with seccomp * PR/412: fix MinGW compilation Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 1 file changed, 6 insertions(+), 4 deletions(-) commit 2240d0831265484474fd16b4d11d198cbceb74de Author: Michael Tremer Date: Wed Jan 31 11:11:41 2024 +0000 core184: Ship updated glibc Signed-off-by: Michael Tremer 4 files changed, 5 insertions(+), 1 deletion(-) commit a61a21ef7573726bb5d9d115f24e576a44c1d8be Author: Michael Tremer Date: Wed Jan 31 11:09:41 2024 +0000 glibc: Import latest patches from upstream These include (amongst others) fixes for: GLIBC-SA-2024-0001: =================== syslog: Heap buffer overflow in __vsyslog_internal (CVE-2023-6246) __vsyslog_internal did not handle a case where printing a SYSLOG_HEADER containing a long program name failed to update the required buffer size, leading to the allocation and overflow of a too-small buffer on the heap. GLIBC-SA-2024-0002: =================== syslog: Heap buffer overflow in __vsyslog_internal (CVE-2023-6779) __vsyslog_internal used the return value of snprintf/vsnprintf to calculate buffer sizes for memory allocation. If these functions (for any reason) failed and returned -1, the resulting buffer would be too small to hold output. GLIBC-SA-2024-0003: =================== syslog: Integer overflow in __vsyslog_internal (CVE-2023-6780) __vsyslog_internal calculated a buffer size by adding two integers, but did not first check if the addition would overflow. 
Signed-off-by: Michael Tremer 45 files changed, 1922 insertions(+), 27 deletions(-) commit eadffeb43f47e8c1561e62f5d4a6bae0fef3ada6 Author: Michael Tremer Date: Wed Jan 31 10:30:47 2024 +0000 core184: Ship updated collectd init script Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+) commit 500b6311b439dd480ca2fb715a6f1a05b33fcad5 Author: Michael Tremer Date: Tue Jan 30 18:01:52 2024 +0000 collectd: Do not sync Calling a global sync operation manually is generally a bad idea as it can block for forever. If people have storage that does not retain anything that is being written to it, they need to fix their hardware. Signed-off-by: Michael Tremer 1 file changed, 3 deletions(-) commit c1d60341d5f3f5813890035625458f8bf0c006a5 Author: Michael Tremer Date: Wed Jan 31 10:30:01 2024 +0000 core184: Ship zlib Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+) commit 91ddb27aa19a4c24a281b81943ecf206c101f747 Author: Adolf Belka Date: Tue Jan 30 23:13:45 2024 +0100 zlib: Update to version 1.3.1 - Update from version 1.3 to 1.3.1 - Update of rootfile - Changelog 1.3.1 - Reject overflows of zip header fields in minizip - Fix bug in inflateSync() for data held in bit buffer - Add LIT_MEM define to use more memory for a small deflate speedup - Fix decision on the emission of Zip64 end records in minizip - Add bounds checking to ERR_MSG() macro, used by zError() - Neutralize zip file traversal attacks in miniunz - Fix a bug in ZLIB_DEBUG compiles in check_match() - Various portability and appearance improvements Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 2 files changed, 4 insertions(+), 4 deletions(-) commit 45d5af80a276559c11099e307acce0028cce3820 Author: Michael Tremer Date: Wed Jan 31 10:29:31 2024 +0000 core184: Ship xz 
Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+) commit aff5c2756723f0a29f806a1b94cc68c8aaa0d35b Author: Adolf Belka Date: Tue Jan 30 23:13:44 2024 +0100 xz: Update to version 5.4.6 - Update from version 5.4.5 to 5.4.6 - Update of rootfile - Changelog 5.4.6 * Fixed a bug involving internal function pointers in liblzma not being initialized to NULL. The bug can only be triggered if lzma_filters_update() is called on a LZMA1 encoder, so it does not affect xz or any application known to us that uses liblzma. * xz: - Fixed a regression introduced in 5.4.2 that caused encoding in the raw format to unnecessarily fail if --suffix was not used. For instance, the following command no longer reports that --suffix must be used: echo foo | xz --format=raw --lzma2 | wc -c - Fixed an issue on MinGW-w64 builds that prevented reading from or writing to non-terminal character devices like NUL. * Added a new test. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 2 files changed, 4 insertions(+), 4 deletions(-) commit b26696ebdf66b740ba4d90020eb91390821e05c2 Author: Michael Tremer Date: Wed Jan 31 10:28:48 2024 +0000 core184: Ship libpng 
Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+) commit 8066b4773b294fb6344377986a0d76fc4d413768 Author: Adolf Belka Date: Tue Jan 30 23:13:42 2024 +0100 libpng: Update to version 1.6.41 - Update from 1.6.39 to 1.6.41 - Update of rootfile - Changelog 1.6.41 Added SIMD-optimized code for the Loongarch LSX hardware. (Contributed by GuXiWei, JinBo and ZhangLixia) Fixed the run-time discovery of MIPS MSA hardware. (Contributed by Sui Jingfeng) Fixed an off-by-one error in the function `png_do_check_palette_indexes`, which failed to recognize errors that might have existed in the first column of a broken palette-encoded image. This was a benign regression accidentally introduced in libpng-1.6.33. No pixel was harmed. (Contributed by Adam Richter; reviewed by John Bowler) Fixed, improved and modernized the contrib/pngminus programs, i.e., png2pnm.c and pnm2png.c Removed old and peculiar portability hacks that were meant to silence warnings issued by gcc version 7.1 alone. (Contributed by John Bowler) Fixed and modernized the CMake file, and raised the minimum required CMake version from 3.1 to 3.6. (Contributed by Clinton Ingram, Timothy Lyanguzov, Tyler Kropp, et al.) Allowed the configure script to disable the building of auxiliary tools and tests, thus catching up with the CMake file. (Contributed by Carlo Bramini) Fixed a build issue on Mac. (Contributed by Zixu Wang) Moved the Autoconf macro files to scripts/autoconf. Moved the CMake files (except for the main CMakeLists.txt) to scripts/cmake and moved the list of their contributing authors to scripts/cmake/AUTHORS.md Updated the CI configurations and scripts. Relicensed the CI scripts to the MIT License. Improved the test coverage. (Contributed by John Bowler) 1.6.40 Fixed the eXIf chunk multiplicity checks. Fixed a memory leak in pCAL processing. Corrected the validity report about tRNS inside png_get_valid(). Fixed various build issues on *BSD, Mac and Windows. 
Updated the configurations and the scripts for continuous integration. Cleaned up the code, the build scripts, and the documentation. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 2 files changed, 4 insertions(+), 4 deletions(-) commit 4acdd39e3551daf4bc223778ca6230df6dca7e76 Author: Michael Tremer Date: Wed Jan 31 10:27:55 2024 +0000 core184: Ship bash Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+) commit 85db98e91926dbd9a81c059183c06ad34381d046 Author: Adolf Belka Date: Tue Jan 30 23:13:40 2024 +0100 bash: Update to include patches 22 to 26 - Update from version 5.2 with patches 1 to 21 to 5.2 with patches 1 to 26 - Update of rootfile not required - Changelog Patch 26 The custom color prefix that readline uses to color possible completions must have a leading `.'. Patch 25 Make sure a subshell checks for and handles any terminating signals before exiting (which might have arrived after the command completed) so the parent and any EXIT trap will see the correct value for $?. Patch 24 Fix bug where associative array compound assignment would not expand tildes in values. Patch 23 Running `local -' multiple times in a shell function would overwrite the original saved set of options. Patch 22 It's possible for readline to try to zero out a line that's not null-terminated, leading to a memory fault. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 6 files changed, 301 insertions(+), 2 deletions(-) commit b9fb3495a83845908ac78f467bc1103758bb28f4 Author: Michael Tremer Date: Wed Jan 31 10:27:30 2024 +0000 core184: Ship acl Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+) commit f5000d47b7c81cd1b06535516474432121b5d08e Author: Adolf Belka Date: Tue Jan 30 23:13:39 2024 +0100 acl: Update to version 2.3.2 - Update from version 2.3.1 to 2.3.2 - Update of rootfile - Changelog is only available from reviewing the git commits https://git.savannah.nongnu.org/cgit/acl.git/log/ Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer 2 files changed, 9 insertions(+), 6 deletions(-) commit 0742f6eda5838897abd4b5cc66bf2cf5c040951a Author: Michael Tremer Date: Tue Jan 30 17:50:20 2024 +0000 core184: Ship vnstat 
Signed-off-by: Michael Tremer 2 files changed, 3 insertions(+) commit 353e7b95be2453556cf50e2d9ffc2ea7005f112c Author: Matthias Fischer Date: Mon Jan 29 17:25:55 2024 +0100 vnstat: Update to 2.12 For details see: https://humdi.net/vnstat/CHANGES "2.12 / 21-Jan-2024 - Fixed - QueryMode documentation in configuration file didn't match implementation or man page description - Daemon didn't try to import legacy databases when --noadd was used and no current version database initially existed resulting in the process exiting even when something could have been done - Daemon didn't try to import legacy databases when --initdb was used and no current version database initially existed, this behaviour can still be enabled by using --noadd in combination with --initdb - Using --nodaemon and --initdb at the same time didn't result in an error being shown - New - Add 95th percentile output as --95th, also available via --alert, --json, --xml and image output, requires 5MinuteHours configuration to be set to at least 744 for storing all the necessary data - Add --json support for --alert - Database queries resulting in error exit with status 1 - Show spinning animation at the beginning of -l / --live output line, visibility configurable using LiveSpinner configuration option - Add -ic / --invert-colors option to image output for facilitating for example dark mode switching without needing to have multiple separate color configurations - Add dark mode option to image output example cgi (examples/vnstat.cgi) - Add option 4 to QueryMode for selecting summary output of single interface regardless of the number of interfaces in the database - Add optional mode parameter to -q / --query for overriding QueryMode for summary output and for enabling control of summary output style regardless of the number of interfaces in the database - Add --startempty option to daemon for starting and keeping the daemon running even if no interfaces were discovered and the database is empty - Add 
--noremove option to daemon for disabling the automatic removal of interfaces from database that aren't currently visible and haven't seen any traffic - Add third mode option to --iflist and --dbiflist for getting only the interface count as output" Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer 1 file changed, 3 insertions(+), 3 deletions(-) commit 10851f7ffab24ebd708e0ef2dc773642d3ebb612 Author: Matthias Fischer Date: Mon Jan 29 17:25:05 2024 +0100 mc: Update to 4.8.31 For details see: https://midnight-commander.org/wiki/NEWS-4.8.31 "Major changes since 4.8.30 Core Minimal version of GLib is 2.32.0. VFS fish: drop support of native FISH server and protocol. Rename VFS to shell (#4232) extfs; uc1541 extfs: update up to 3.6 version (#4511) s3+: port to Python3 (#4324) Support for LZO/LZOP compression format (#4509) ... Skins: add color for non-printable characters in editor (#4433) Fixes FTBFS on FreeBSD with ext2fs attribute support (#4493) Broken stickchars (-a) mode (#4498) Wrong timestamp after resuming of file copy operation (#4499) Editor: wrong deletion of marked column (#3761) Diff viewer: segfault when display of line numbers is enabled (#4500) Tar VFS: broken handling of hard links (#4494) Sftp VFS: failure establishing SSH session due hashed host names in ~/.ssh/known_hosts (#4506) Shell VFS: incorrect file names with cyrillic or diacritic symbols (#4507) mc.ext.ini: incorrect description of how multiple sections and keys with same names are processed (#4497) mc.ext.ini: unescaped backslash \ is treated as invalid escape sequence in glib-2.77.3 and glib-2.79 (#4502) mc.ext.ini: file "Makefile.zip" is handled as Makefile not as zip-archive (#4419)" Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer 2 files changed, 21 insertions(+), 21 deletions(-) commit 31269e52cb47dab4bfd404b5d95842461d33f7df Author: Michael Tremer Date: Tue Jan 30 17:42:53 2024 +0000 core183: Ship vpnmain.cgi
Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+) commit fc4b02df53bc8c2e584281eec104a0647044649c Author: Michael Tremer Date: Tue Jan 30 17:18:40 2024 +0000 vpnmain.cgi: Fix parsing CN from certificates generated by OpenSSL 3.2 
Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+), 1 deletion(-) commit 7e8fc770bdd3bbeb98ba281208c2e735e46dee09 Author: Michael Tremer Date: Tue Jan 30 15:09:54 2024 +0000 openssl: Update to 3.2.1 * A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL did not correctly check for this case. A fix has been applied to prevent a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue prior to this fix. OpenSSL APIs that were vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass(). We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant. ([CVE-2024-0727]) *Matt Caswell* * When function EVP_PKEY_public_check() is called on RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is an overly large prime, then this computation would take a long time. An application that calls EVP_PKEY_public_check() and supplies an RSA key obtained from an untrusted source could be vulnerable to a Denial of Service attack. The function EVP_PKEY_public_check() is not called from other OpenSSL functions however it is called from the OpenSSL pkey command line application. For that reason that application is also vulnerable if used with the "-pubin" and "-check" options on untrusted data. To resolve this issue RSA keys larger than OPENSSL_RSA_MAX_MODULUS_BITS will now fail the check immediately with an RSA_R_MODULUS_TOO_LARGE error reason. 
([CVE-2023-6237]) *Tomáš Mráz* * Restore the encoding of SM2 PrivateKeyInfo and SubjectPublicKeyInfo to have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey rather than SM2. *Richard Levitte* * The POLY1305 MAC (message authentication code) implementation in OpenSSL for PowerPC CPUs saves the contents of vector registers in different order than they are restored. Thus the contents of some of these vector registers is corrupted when returning to the caller. The vulnerable code is used only on newer PowerPC processors supporting the PowerISA 2.07 instructions. The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However unless the compiler uses the vector registers for storing pointers, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service. ([CVE-2023-6129]) *Rohan McLure* * Fix excessive time spent in DH check / generation with large Q parameter value. Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. ([CVE-2023-5678]) *Richard Levitte* * Disable building QUIC server utility when OpenSSL is configured with `no-apps`. *Vitalii Koshura* Signed-off-by: Michael Tremer 2 files changed, 71 insertions(+), 2 deletions(-) commit 0bbbac793499507a22f810c55f8a84f4dbec1b6e Author: Michael Tremer Date: Tue Jan 30 17:41:07 2024 +0000 core184: Ship OpenSSL 
Signed-off-by: Michael Tremer

1 file changed, 1 insertion(+)

commit 54387ef1436386ad2a116f2a5eeb956d0574f756
Author: Michael Tremer
Date: Tue Jan 30 15:09:54 2024 +0000

openssl: Update to 3.2.1

* A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL did not correctly check for this case. A fix has been applied to prevent a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue prior to this fix. OpenSSL APIs that were vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass(). We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant. ([CVE-2024-0727])

*Matt Caswell*

* When function EVP_PKEY_public_check() is called on RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is an overly large prime, then this computation would take a long time. An application that calls EVP_PKEY_public_check() and supplies an RSA key obtained from an untrusted source could be vulnerable to a Denial of Service attack. The function EVP_PKEY_public_check() is not called from other OpenSSL functions however it is called from the OpenSSL pkey command line application. For that reason that application is also vulnerable if used with the "-pubin" and "-check" options on untrusted data. To resolve this issue RSA keys larger than OPENSSL_RSA_MAX_MODULUS_BITS will now fail the check immediately with an RSA_R_MODULUS_TOO_LARGE error reason. ([CVE-2023-6237])

*Tomáš Mráz*

* Restore the encoding of SM2 PrivateKeyInfo and SubjectPublicKeyInfo to have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey rather than SM2.

*Richard Levitte*

* The POLY1305 MAC (message authentication code) implementation in OpenSSL for PowerPC CPUs saves the contents of vector registers in different order than they are restored. Thus the contents of some of these vector registers are corrupted when returning to the caller. The vulnerable code is used only on newer PowerPC processors supporting the PowerISA 2.07 instructions. The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However unless the compiler uses the vector registers for storing pointers, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service. ([CVE-2023-6129])

*Rohan McLure*

* Fix excessive time spent in DH check / generation with large Q parameter value. Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. ([CVE-2023-5678])

*Richard Levitte*

* Disable building QUIC server utility when OpenSSL is configured with `no-apps`.

*Vitalii Koshura*
Signed-off-by: Michael Tremer

2 files changed, 71 insertions(+), 2 deletions(-)

commit e2dce81ca343d4b55f6357417c556d63cb279f4e
Author: Michael Tremer
Date: Tue Jan 30 14:56:11 2024 +0000

make.sh: Build dependencies for frr

These have accidentally been removed in ec01213dcf0c8283626aa9d5a7fbc30ac725ae8c.

Signed-off-by: Michael Tremer

1 file changed, 3 insertions(+)

commit fc37ab7a5194479c551934db9e0fef115e65f0a3
Author: Michael Tremer
Date: Mon Jan 29 16:08:11 2024 +0000

libvirt: Fix rootfile for riscv64
Signed-off-by: Michael Tremer

1 file changed, 8 insertions(+), 4 deletions(-)

commit c3863ea14df3d088b7a6394231f1f8e93dff029a
Author: Adolf Belka
Date: Mon Jan 29 14:41:20 2024 +0100

python3-trio: Update to version 0.23.1

- Update from version 0.22.0 to 0.23.1
- Update of rootfile
- Changelog
  0.23.0
    Headline features
      Add type hints. (#543)
    Features
      When exiting a nursery block, the parent task always waits for child tasks to exit. This wait cannot be cancelled. However, previously, if you tried to cancel it, it would inject a Cancelled exception, even though it wasn’t cancelled. Most users probably never noticed either way, but injecting a Cancelled here is not really useful, and in some rare cases caused confusion or problems, so Trio no longer does that. (#1457)
      If called from a thread spawned by trio.to_thread.run_sync, trio.from_thread.run and trio.from_thread.run_sync now reuse the task and cancellation status of the host task; this means that context variables and cancel scopes naturally propagate ‘through’ threads spawned by Trio. You can also use trio.from_thread.check_cancelled to efficiently check for cancellation without reentering the Trio thread. (#2392)
      trio.lowlevel.start_guest_run() now does a bit more setup of the guest run before it returns to its caller, so that the caller can immediately make calls to trio.current_time(), trio.lowlevel.spawn_system_task(), trio.lowlevel.current_trio_token(), etc. (#2696)
    Bugfixes
      When a starting function raises before calling trio.TaskStatus.started(), trio.Nursery.start() will no longer wrap the exception in an undocumented ExceptionGroup. Previously, trio.Nursery.start() would incorrectly raise an ExceptionGroup containing it when using trio.run(..., strict_exception_groups=True). (#2611)
    Deprecations and removals
      To better reflect the underlying thread handling semantics, the keyword argument for trio.to_thread.run_sync that was previously called cancellable is now named abandon_on_cancel. It still does the same thing – allow the thread to be abandoned if the call to trio.to_thread.run_sync is cancelled – but since we now have other ways to propagate a cancellation without abandoning the thread, “cancellable” has become somewhat of a misnomer. The old cancellable name is now deprecated. (#2841)
      Deprecated support for math.inf for the backlog argument in open_tcp_listeners, making its docstring correct in the fact that only TypeError is raised if invalid arguments are passed. (#2842)
    Removals without deprecations
      Drop support for Python3.7 and PyPy3.7/3.8. (#2668)
      Removed special MultiError traceback handling for IPython. As of version 8.15 ExceptionGroup is handled natively. (#2702)
    Miscellaneous internal changes
      Trio now indicates its presence to sniffio using the sniffio.thread_local interface that is preferred since sniffio v1.3.0. This should be less likely than the previous approach to cause sniffio.current_async_library() to return incorrect results due to unintended inheritance of contextvars. (#2700)
      On windows, if SIO_BASE_HANDLE failed and SIO_BSP_HANDLE_POLL didn’t return a different socket, runtime error will now raise from the OSError that indicated the issue so that in the event it does happen it might help with debugging. (#2807)
  0.22.2
    Bugfixes
      Fix PermissionError when importing trio due to trying to access pthread. (#2688)
  0.22.1
    Breaking changes
      Timeout functions now raise ValueError if passed math.nan. This includes trio.sleep, trio.sleep_until, trio.move_on_at, trio.move_on_after, trio.fail_at and trio.fail_after. (#2493)
    Features
      Added support for naming threads created with trio.to_thread.run_sync, requires pthreads so is only available on POSIX platforms with glibc installed. (#1148)
      trio.socket.socket now prints the address it tried to connect to upon failure. (#1810)
    Bugfixes
      Fixed a crash that can occur when running Trio within an embedded Python interpreter, by handling the TypeError that is raised when trying to (re-)install a C signal handler. (#2333)
      Fix sniffio.current_async_library() when Trio tasks are spawned from a non-Trio context (such as when using trio-asyncio). Previously, a regular Trio task would inherit the non-Trio library name, and spawning a system task would cause the non-Trio caller to start thinking it was Trio. (#2462)
      Issued a new release as in the git tag for 0.22.0, trio.__version__ is incorrectly set to 0.21.0+dev. (#2485)
    Improved documentation
      Documented that Nursery.start_soon does not guarantee task ordering. (#970)

Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer

2 files changed, 73 insertions(+), 71 deletions(-)

commit 74c8dc3548a93c51111030434ff4a1212c0db2f3
Author: Adolf Belka
Date: Mon Jan 29 14:41:19 2024 +0100

python3-pyfuse3: Update to version 3.3.0

- Update from version 3.2.2 to 3.3.0
- Update of rootfile
- Changelog
  3.3.0
    Note: This is the first pyfuse3 release compatible with Cython 3.0.0 release. Cython 0.29.x is also still supported.
    Cythonized with latest Cython 3.0.0.
    Drop Python 3.6 and 3.7 support and testing, #71.
    CI: also test python 3.12. test on cython 0.29 and cython 3.0.
    Tell Cython that callbacks may raise exceptions, #80.
    Fix lookup in examples/hello.py, similar to #16.
    Misc. CI, testing, build and sphinx related fixes.
  3.2.3
    cythonize with latest Cython 0.29.34 (brings Python 3.12 support)
    add a minimal pyproject.toml, require setuptools
    tests: fix integer overflow on 32-bit arches, fixes #47
    test: Use shutil.which() instead of external which(1) program
    setup.py: catch more generic OSError when searching Cython, fixes #63
    setup.py: require Cython >= 0.29
    fix basedir computation in setup.py (fix pip install -e .)
    use sphinx < 6.0 due to compatibility issues with more recent versions

Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer

2 files changed, 12 insertions(+), 12 deletions(-)

commit 77d9d67314582076afbb12e86f34253f5b37cb4f
Author: Adolf Belka
Date: Mon Jan 29 14:41:18 2024 +0100

python3-packaging: Update to version 23.2

- Update from version 23.0 to 23.2
- Update of rootfile
- Changelog
  23.2
    Document calendar-based versioning scheme (#716)
    Enforce that the entire marker string is parsed (#687)
    Requirement parsing no longer automatically validates the URL (#120)
    Canonicalize names for requirements comparison (#644)
    Introduce metadata.Metadata (along with metadata.ExceptionGroup and metadata.InvalidMetadata; #570)
    Introduce the validate keyword parameter to utils.normalize_name() (#570)
    Introduce utils.is_normalized_name() (#570)
    Make utils.parse_sdist_filename() and utils.parse_wheel_filename() raise InvalidSdistFilename and InvalidWheelFilename, respectively, when the version component of the name is invalid
  23.1
    Parse raw metadata (#671)
    Import underlying parser functions as an underscored variable (#663)
    Improve error for local version label with unsupported operators (#675)
    Add dedicated error for specifiers with incorrect .* suffix
    Replace spaces in platform names with underscores (#620)
    Relax typing of _key on _BaseVersion (#669)
    Handle prefix match with zeros at end of prefix correctly (#674)

Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer

2 files changed, 10 insertions(+), 9 deletions(-)

commit 0e299f6fb6cf7cf8dfec6b4dd06cda45c28c3e1b
Author: Adolf Belka
Date: Mon Jan 29 14:41:17 2024 +0100

python3-msgpack: Update to version 1.0.7

- Update from version 1.0.4 to 1.0.7
- Update of rootfile
- Changelog
  1.0.7
    Fix build error of extension module on Windows. (#567)
    setup.py doesn't skip build error of extension module. (#568)
  1.0.6
    Add Python 3.12 wheels (#517)
    Remove Python 2.7, 3.6, and 3.7 support
  1.0.5
    Use __BYTE_ORDER__ instead of __BYTE_ORDER for portability. (#513, #514)
    Add Python 3.11 wheels (#517)
    fallback: Fix packing multidimensional memoryview (#527)

Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer

2 files changed, 21 insertions(+), 10 deletions(-)

commit c60238f606a5121dcfe16323bf0d9d5aab9c1312
Author: Adolf Belka
Date: Mon Jan 29 14:41:16 2024 +0100

python3-exceptiongroup: Update to version 1.2.0

- Updated from version 1.1.0 to 1.2.0
- Update of rootfile
- Changelog
  1.2.0
    Added special monkeypatching if Apport has overridden sys.excepthook so it will format exception groups correctly (PR by John Litborn)
    Added a backport of contextlib.suppress() from Python 3.12.1 which also handles suppressing exceptions inside exception groups
    Fixed bare raise in a handler reraising the original naked exception rather than an exception group which is what is raised when you do a raise in an except* handler
  1.1.3
    catch() now raises a TypeError if passed an async exception handler instead of just giving a RuntimeWarning about the coroutine never being awaited. (#66, PR by John Litborn)
    Fixed plain raise statement in an exception handler callback to work like a raise in an except* block
    Fixed new exception group not being chained to the original exception when raising an exception group from exceptions raised in handler callbacks
    Fixed type annotations of the derive(), subgroup() and split() methods to match the ones in typeshed
  1.1.2
    Changed handling of exceptions in exception group handler callbacks to not wrap a single exception in an exception group, as per CPython issue 103590
  1.1.1
    Worked around CPython issue #98778, urllib.error.HTTPError(..., fp=None) raises KeyError on unknown attribute access, on affected Python versions. (PR by Zac Hatfield-Dodds)

Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer

2 files changed, 13 insertions(+), 12 deletions(-)

commit 6c7e8760f7c5129b9c25d441b8bbece0e58fe0f8
Author: Adolf Belka
Date: Mon Jan 29 14:41:15 2024 +0100

python3-calver: New build dependency for python3-trove-classifiers

- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used setup.py build approach as the pyproject.toml approach failed to build successfully

Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer

3 files changed, 86 insertions(+)

commit 6d7c67de3fe641cb67f614981fe8e72867985e51
Author: Adolf Belka
Date: Mon Jan 29 14:41:14 2024 +0100

python3-trove-classifiers: New build dependency for python3-hatchling

- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used setup.py build approach as the pyproject.toml approach failed to build successfully.

Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer

3 files changed, 86 insertions(+)

commit cffababa468325daeaeda926e38d47cce3f8561e
Author: Adolf Belka
Date: Mon Jan 29 14:41:13 2024 +0100

python3-pluggy: New build dependency for python3-hatchling

- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used setup.py build approach as pyproject.toml approach kept failing to build

Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer

3 files changed, 93 insertions(+)

commit ccaa26aa6a169ac7430dd2ea025075231b74d012
Author: Adolf Belka
Date: Mon Jan 29 14:41:12 2024 +0100

python3-pathspec: New build dependency for python3-hatchling

- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used pyproject.toml build approach

Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer

3 files changed, 105 insertions(+)

commit ec01213dcf0c8283626aa9d5a7fbc30ac725ae8c
Author: Adolf Belka
Date: Mon Jan 29 14:41:11 2024 +0100

python3-editables: New build dependency for python3-hatchling

- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used pyproject.toml build approach

Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer

3 files changed, 98 insertions(+), 3 deletions(-)

commit 703d5dfef063cc8833fbc6209a2bea7004f30c53
Author: Adolf Belka
Date: Mon Jan 29 14:41:10 2024 +0100

python3-hatch-fancy-pypi-readme: New build dependency for python3-attrs

- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used pyproject.toml build approach

Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer

3 files changed, 109 insertions(+)

commit eadd3ad7b28d6a7cf3d2595cf2cbedc5e4b7bbe8
Author: Adolf Belka
Date: Mon Jan 29 14:41:09 2024 +0100

python3-hatch-vcs: New build dependency for python3-attrs

- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used pyproject.toml build approach

Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer

3 files changed, 104 insertions(+)

commit 0f2449afac67686a8c94f8c2a1b74e0c8460cb15
Author: Adolf Belka
Date: Mon Jan 29 14:41:08 2024 +0100

python3-hatchling: New build dependency for python3-attrs

- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used pyproject.toml build approach

Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer

3 files changed, 185 insertions(+)

commit 2889d50f1c43834829d08950681747d1c54cab11
Author: Adolf Belka
Date: Mon Jan 29 14:41:07 2024 +0100

python3-attrs: Update to version 23.2.0

- Update from version 22.1.0 to 23.2.0
- Update of rootfile
- setup.py is no longer available so build to use pyproject.toml was used.
- A new series of build dependencies are also now required for python3-attrs
- Changelog
  23.2.0
    Changes
      The type annotation for attrs.resolve_types() is now correct. #1141
      Type stubs now use typing.dataclass_transform to decorate dataclass-like decorators, instead of the non-standard __dataclass_transform__ special form, which is only supported by Pyright. #1158
      Fixed serialization of namedtuple fields using attrs.asdict/astuple() with retain_collection_types=True. #1165
      attrs.AttrsInstance is now a typing.Protocol in both type hints and code. This allows you to subclass it along with another Protocol. #1172
      If attrs detects that __attrs_pre_init__ accepts more than just self, it will call it with the same arguments as __init__ was called. This allows you to, for example, pass arguments to super().__init__(). #1187
      Slotted classes now transform functools.cached_property decorated methods to support equivalent semantics. #1200
      Added class_body argument to attrs.make_class() to provide additional attributes for newly created classes. It is, for example, now possible to attach methods. #1203
  23.1.0
    Backwards-incompatible Changes
      Python 3.6 has been dropped and packaging switched to static package data using Hatch. #993
    Deprecations
      The support for zope-interface via the attrs.validators.provides validator is now deprecated and will be removed in, or after, April 2024. The presence of a C-based package in our development dependencies has caused headaches and we’re not under the impression it’s used a lot. Let us know if you’re using it and we might publish it as a separate package. #1120
    Changes
      attrs.filters.exclude() and attrs.filters.include() now support the passing of attribute names as strings. #1068
      attrs.has() and attrs.fields() now handle generic classes correctly. #1079
      Fix frozen exception classes when raised within e.g. contextlib.contextmanager, which mutates their __traceback__ attributes. #1081
      @frozen now works with type checkers that implement PEP-681 (ex. pyright). #1084
      Restored ability to unpickle instances pickled before 22.2.0. #1085
      attrs.asdict()’s and attrs.astuple()’s type stubs now accept the attrs.AttrsInstance protocol. #1090
      Fix slots class cellvar updating closure in CPython 3.8+ even when __code__ introspection is unavailable. #1092
      attrs.resolve_types() can now pass include_extras to typing.get_type_hints() on Python 3.9+, and does so by default. #1099
      Added instructions for pull request workflow to CONTRIBUTING.md. #1105
      Added type parameter to attrs.field() function for use with attrs.make_class(). Please note that type checkers ignore type metadata passed into make_class(), but it can be useful if you’re wrapping attrs. #1107
      It is now possible for attrs.evolve() (and attr.evolve()) to change fields named inst if the instance is passed as a positional argument. Passing the instance using the inst keyword argument is now deprecated and will be removed in, or after, April 2024. #1117
      attrs.validators.optional() now also accepts a tuple of validators (in addition to lists of validators). #1122
  22.2.0
    Backwards-incompatible Changes
      Python 3.5 is not supported anymore. #988
    Deprecations
      Python 3.6 is now deprecated and support will be removed in the next release. #1017
    Changes
      attrs.field() now supports an alias option for explicit __init__ argument names. Get __init__ signatures matching any taste, peculiar or plain! The PEP 681 compatible alias option can be used to override private attribute name mangling, or add other arbitrary field argument name overrides. #950
      attrs.NOTHING is now an enum value, making it possible to use with e.g. typing.Literal. #983
      Added missing re-import of attr.AttrsInstance to the attrs namespace. #987
      Fix slight performance regression in classes with custom __setattr__ and speedup even more. #991
      Class-creation performance improvements by switching performance-sensitive templating operations to f-strings. You can expect an improvement of about 5% – even for very simple classes. #995
      attrs.has() is now a TypeGuard for AttrsInstance. That means that type checkers know a class is an instance of an attrs class if you check it using attrs.has() (or attr.has()) first. #997
      Made attrs.AttrsInstance stub available at runtime and fixed type errors related to the usage of attrs.AttrsInstance in Pyright. #999
      On Python 3.10 and later, call abc.update_abstractmethods() on dict classes after creation. This improves the detection of abstractness. #1001
      attrs’s pickling methods now use dicts instead of tuples. That is safer and more robust across different versions of a class. #1009
      Added attrs.validators.not_(wrapped_validator) to logically invert wrapped_validator by accepting only values where wrapped_validator rejects the value with a ValueError or TypeError (by default, exception types configurable). #1010
      The type stubs for attrs.cmp_using() now have default values. #1027
      To conform with PEP 681, attr.s() and attrs.define() now accept unsafe_hash in addition to hash. #1065

Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer

2 files changed, 25 insertions(+), 13 deletions(-)

commit d06c224ed64e95f1cbe5779ef807e39a6d531947
Author: Adolf Belka
Date: Mon Jan 29 14:41:06 2024 +0100

borgbackup: Update to version 1.2.7

- Update from version 1.2.3 to 1.2.7
- Update of rootfile
- Patch set put together to also update the dependency packages where they have been updated.
- Changelog
  1.2.7
    Fixes:
    - docs: CVE-2023-36811 upgrade steps: consider checkpoint archives, #7802
    - check/compact: fix spurious reappearance of orphan chunks since borg 1.2, #6687 - this consists of 2 fixes:
      - for existing chunks: check --repair: recreate shadow index, #6687
      - for newly created chunks: update shadow index when doing a double-put, #5661
    - LockRoster.modify: no KeyError if element was already gone, #7937
    - create --X-from-command: run subcommands with a clean environment, #7916
    - list --sort-by: support "archive" as alias of "name", #7873
    - fix rc and msg if arg parsing throws an exception, #7885
    Other changes:
    - support and test on Python 3.12
    - include unistd.h in _chunker.c (fix for Python 3.13)
    - allow msgpack 1.0.6 and 1.0.7
    - TAM issues: show tracebacks, improve borg check logging, #7797
    - replace "datetime.utcfromtimestamp" with custom helper to avoid deprecation warnings when using Python 3.12
    - vagrant:
      - use generic/debian9 box, fixes #7579
      - add VM with debian bookworm / test on OpenSSL 3.0.x.
    - docs:
      - not only attack/unsafe, can also be a fs issue, #7853
      - point to CVE-2023-36811 upgrade steps from borg 1.1 to 1.2 upgrade steps, #7899
      - upgrade steps needed for all kinds of repos (including "none" encryption mode), #7813
      - upgrade steps: talk about consequences of borg check, #7816
      - upgrade steps: remove period that could be interpreted as part of the command
      - automated-local.rst: use GPT UUID for consistent udev rule
      - create disk/partition sector backup by disk serial number, #7934
      - update macOS hint about full disk access
      - clarify borg prune -a option description, #7871
      - readthedocs: also build offline docs (HTMLzip), #7835
      - frontends: add "check.rebuild_refcounts" message
  1.2.6
    Fixes:
    - The upgrade procedure docs as published with borg 1.2.5 did not work, if the repository had archives resulting from a borg rename or borg recreate operation. The updated docs now use BORG_WORKAROUNDS=ignore_invalid_archive_tam at some places to avoid that issue, #7791. See: fix pre-1.2.5 archives spoofing vulnerability (CVE-2023-36811), details and necessary upgrade procedure described above.
    Other changes:
    - updated 1.2.5 changelog entry: 1.2.5 already has the fix for rename/recreate.
    - remove cython restrictions. recommended is to build with cython 0.29.latest, because borg 1.2.x uses this since years and it is very stable. You can also try to build with cython 3.0.x, there is a good chance that it works. As a 3rd option, we also bundle the `*.c` files cython outputs in the release pypi package, so you can also just use these and not need cython at all.
  1.2.5
    Fixes:
    - Security: fix pre-1.2.5 archives spoofing vulnerability (CVE-2023-36811), see details and necessary upgrade procedure described above.
    - rename/recreate: correctly update resulting archive's TAM, see #7791
    - create: do not try to read parent dir of recursion root, #7746
    - extract: fix false warning about pattern never matching, #4110
    - diff: remove surrogates before output, #7535
    - compact: clear empty directories at end of compact process, #6823
    - create --files-cache=size: fix crash, #7658
    - keyfiles: improve key sanity check, #7561
    - only warn about "invalid" chunker params, #7590
    - ProgressIndicatorPercent: fix space computation for wide chars, #3027
    - improve argparse validator error messages
    New features:
    - mount: make up volname if not given (macOS), #7690. macFUSE supports a volname mount option to give what finder displays on the desktop / in the directory view. if the user did not specify it, we make something up, because otherwise it would be "macFUSE Volume 0 (Python)" and hide the mountpoint directory name.
    - BORG_WORKAROUNDS=authenticated_no_key to extract from authenticated repos without key, #7700
    Other changes:
    - add `utcnow()` helper function to avoid deprecated `datetime.utcnow()`
    - stay on latest Cython 0.29 (0.29.36) for borg 1.2.x (do not use Cython 3.0 yet)
    - docs:
      - move upgrade notes to own section, see #7546
      - mount -olocal: how to show mount in finder's sidebar, #5321
      - list: fix --pattern examples, #7611
      - improve patterns help
      - incl./excl. options, path-from-stdin exclusiveness
      - obfuscation docs: markup fix, note about MAX_DATA_SIZE
      - --one-file-system: add macOS apfs notes, #4876
      - improve --one-file-system help string, #5618
      - rewrite borg check docs
      - improve the docs for --keep-within, #7687
      - fix borg init command in environment.rst.inc
      - 1.1.x upgrade notes: more precise borg upgrade instructions, #3396
    - tests:
      - fix repo reopen
      - avoid long ids in pytest output
      - check buzhash chunksize distribution, see #7586
  1.2.4
    New features:
    - import-tar: add --ignore-zeros to process concatenated tars, #7432.
    - debug id-hash: computes file/chunk content id-hash, #7406
    - diff: --content-only does not show mode/ctime/mtime changes, #7248
    - diff: JSON strings in diff output are now sorted alphabetically
    Bug fixes:
    - xattrs: fix namespace processing on FreeBSD, #6997
    - diff: fix path related bug seen when addressing deferred items.
    - debug get-obj/put-obj: always give chunkid as cli param, see #7290 (this is an incompatible change, see also borg debug id-hash)
    - extract: fix mtime when ResourceFork xattr is set (macOS specific), #7234
    - recreate: without --chunker-params, do not re-chunk, #7337
    - recreate: when --target is given, do not detect "nothing to do". use case: borg recreate -a src --target dst can be used to make a copy of an archive inside the same repository, #7254.
    - set .hardlink_master for ALL hardlinkable items, #7175
    - locking: fix host, pid, tid order. tid (thread id) must be parsed as hex from lock file name.
    - update development.lock.txt, including a setuptools security fix, #7227
    Other changes:
    - requirements: allow msgpack 1.0.5 also
    - upgrade Cython to 0.29.33
    - hashindex minor fixes, refactor, tweaks, tests
    - use os.replace not os.rename
    - remove BORG_LIBB2_PREFIX (not used any more)
    - docs:
      - BORG_KEY_FILE: clarify docs, #7444
      - update FAQ about locale/unicode issues, #6999
      - improve mount options rendering, #7359
      - make timestamps in manual pages reproducible
      - installation: update Fedora in distribution list, #7357
    - tests:
      - fix test_size_on_disk_accurate for large st_blksize, #7250
      - add same_ts_ns function and use it for relaxed timestamp comparisons
      - "auto" compressor tests: don't assume a specific size, do not assume zlib is better than lz4, #7363
      - add test for extracted directory mtime
    - vagrant:
      - upgrade local freebsd 12.1 box -> generic/freebsd13 box (13.1)
      - use pythons > 3.8 which work on freebsd 13.1
      - pyenv: also install python 3.11.1 for testing
      - pyenv: use python 3.10.1, 3.10.0 build is broken on freebsd

Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer

2 files changed, 22 insertions(+), 22 deletions(-)

commit 91e28f1813a9feb1c9324b39d667ea7ae49780b8
Author: Michael Tremer
Date: Mon Jan 29 16:03:16 2024 +0000

core184: Ship dhcpcd

Signed-off-by: Michael Tremer

1 file changed, 1 insertion(+)

commit 3e1731f0e233289b1902ffdeae15d358dbf5841d
Author: Adolf Belka
Date: Mon Jan 29 12:22:18 2024 +0100

dhcpcd: Update to version 10.0.6 + fix issue experienced by some community users.

- Update from version 10.0.4 to 10.0.6
- Update of rootfile not required.
- In version 10.0.4 a bug was found https://github.com/NetworkConfiguration/dhcpcd/issues/260 which was fixed in version 10.0.5. From the community forum it looks like some people have experienced this issue with the update to 10.0.4 in CU182 https://community.ipfire.org/t/core-update-182-aarch64-red0-interface-stops/10827
- According to the dhcpcd issue report this problem can affect both x86_64 and aarch64 but it seems to affect aarch64 systems much more often and the reports in the community forum are related to aarch64.
- This patch updates to version 10.0.6 because that is the current latest version and includes the fix commits for the above issue that were built into 10.0.5
- Changelog
  10.0.6
    privsep: Stop proxying stderr to console and fix some detachment issues
    non-privsep: Fix launcher hangup
    DHCP6: Allow the invalid interface name - to mean don't assign an address from a delegated prefix
    DHCP6: Load the configuration for the interface being activated from prefix delegation
  10.0.5
    DHCP: re-enter DISCOVER phase if server doesn't reply to our REQUEST
    privsep: Allow __NR_dup3 syscall as some libc's use that instead of the dup2 dhcpcd uses
    dev: Fix an issue where not opening the dev plugin folder if configured returned the wrong fd
    privsep: Harden the launcher process detecting daemonisation.
    compat: arc4random uses explicit_bzero if available

Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer

1 file changed, 3 insertions(+), 3 deletions(-)

commit 9786225a9b1a0725a8a5a284c916150d1646d6a9
Author: Arne Fitzenreiter
Date: Sun Jan 28 21:29:46 2024 +0100

mympd: new addon to control mpd via WebGUI

myMPD is written in C and has a nice WebGUI to play local music and also a WebRadio browser. This is to replace the removed client175. After install it can be reached via https://IP_OF_THE_IPFIRE:8800

Signed-off-by: Arne Fitzenreiter
Signed-off-by: Michael Tremer

8 files changed, 265 insertions(+)

commit c4b233ddf7fb3b48e1f8593d23d740668ab89328
Author: Arne Fitzenreiter
Date: Sun Jan 28 15:42:53 2024 +0100

mpfire: fix initscript uninstall

The uninstall with rm /etc/rc*.d/*mpd removes not only the mpd initlinks.

Signed-off-by: Michael Tremer

2 files changed, 2 insertions(+), 2 deletions(-)

commit 897fecc8df3a09195ed26a2bdf5d4607f492eafd
Author: Adolf Belka
Date: Wed Jan 24 22:09:44 2024 +0100

abseil-cpp: New build dependency for protobuf

- abseil-cpp required to build protobuf which is required for protobuf-c which is new build dependency for frr

Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer

3 files changed, 937 insertions(+)

commit 27ff7667519829c24c88c3b6ed5dd8f53010db5d
Author: Adolf Belka
Date: Wed Jan 24 22:09:43 2024 +0100

protobuf: New build dependency for protobuf-c

- protobuf required for protobuf-c which is new build dependency for frr

Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer

3 files changed, 370 insertions(+)

commit 4492b4622c56132be863006ffbc9e50bb283a42c
Author: Adolf Belka
Date: Wed Jan 24 22:09:42 2024 +0100

protobuf-c: New build dependency for frr

Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer 3 files changed, 92 insertions(+) commit 09b48ccee80402db682fed7117128c49052be525 Author: Adolf Belka Date: Wed Jan 24 22:09:41 2024 +0100 libyang: Update to version 2.1.148 - Update from version 2.1.4 to 2.1.148 - Update of rootfile - Minimum version of 2.1.128 will be required in a future frr release and currently needs to be a minimum of 2.1.80 but not 2.1.111 - Changelog 2.1.148 Main changes of this release are: lots of bugfixes and improvements in various parts of the library 2.1.128 Main changes of this release are: revert of identityref canonical value change the identity always printed with the module name as the prefix data tree and hash table optimizations opaque node handling fixes and improvements lots of other bug fixes 2.1.111 Main changes of this release are: opaque node parsing improved native RESTCONF operation parsing support union value error reporting improved new yanglint and yangre tests optional support for leafref with XPath functions lots of other fixes and improvements 2.1.80 Main changes of this release are: RESTCONF message parsing JSON parser refactor timezone DST handling public hash table API stored union value bugfix many other clarifications, improvements, and bugfixes 2.1.55 Main changes of this release are: type compilation fixes multi-error validation support JSON parser fixes portability improvements schema-mount support improvements minor optimizations other minor fixes 2.1.30 Main changes of this release are: many JSON printer/parser fixes and improvements unintentionally large library size reduced thread safety improvements big-endian compatibility fix uncrustify updated lots of other fixes and improvements Signed-off-by: Adolf Belka 
Signed-off-by: Michael Tremer 2 files changed, 5 insertions(+), 4 deletions(-) commit 13835af399da27c4fa08dba42c94b52d86c759e6 Author: Adolf Belka Date: Wed Jan 24 22:09:40 2024 +0100 frr: Update to version 9.1 - Update from version 8.5.2 to 9.1 - Update of rootfile - Build dependencies of frr now include protobuf-c. protobuf-c requires protobuf. protobuf requires abseil-cpp. - Build dependency of libyang will have a minimum version requirement of 2.1.128 coming out of an issue. Minimum version for frr-9.1 is 2.1.80 but excluding 2.1.111 due to API issues. Based on the near future requirement being 2.1.128 will move to current latest version of 2.1.148 - This patch set includes the above build dependencies - Changelog 9.1 FRR 9.1 brings a long list of enhancements and fixes with 941 commits from 73 developers. OSPFv2 HMAC-SHA Cryptographic Authentication Specify that HMAC cryptographic authentication must be used on a specific interface using a key chain. BGP MAC-VRF Site-Of-Origin support In some EVPN deployments, it is useful to associate a logical VTEP’s Layer 2 domain (MAC-VRF) with a Site-of-Origin “site” identifier. This provides a BGP topology-independent means of marking and import-filtering EVPN routes originating from a particular L2 domain. One situation where this is valuable is when deploying EVPN using anycast VTEPs, i.e. Active/Active MLAG, as it can be used to avoid ownership conflicts between the two control planes (EVPN vs MLAG). BGP Dynamic capability support Added support for Graceful-Restart, Long-lived Graceful-Restart, Software-version, and Role BGP capabilities to be adjusted dynamically using BGP dynamic capability. Dynamic BGP capability allows the dynamic update of capabilities over an established BGP session. This capability would facilitate non-disruptive capability changes by BGP speakers. 
IS-IS SRv6 uSID support (RFC 9352) The Segment Routing (SR) architecture allows a flexible definition of the end-to-end path by encoding it as a sequence of topological elements called "segments". It can be implemented over the MPLS or the IPv6 data plane. This feature enables extensions in IS-IS to support Segment Routing over the IPv6 data plane (SRv6) as per RFC 9352. Next-hop resolution via the default route Changed the default for a traditional profile to be enabled. The datacenter profile is left as disabled. Add support for VLAN, ECN, DSCP mangling/filtering PBR maps are a way to specify a set of rules that are applied to packets received on individual interfaces. If a received packet matches a rule, the rule’s next-hop-group or next-hop is used to forward it; any other actions specified in the rule are also applied to the packet. With this change, we added more commands for PBR maps, like matching src-ip, dst-ip, src-port, dst-port, vlan, dscp, ecn, and more. libyang 2.1.80 related breaking changes prefix-list matching in route-maps is fundamentally broken with libyang 2.1.111. If you have this version, please downgrade to the most stable version 2.1.80. 
More details CESNET/libyang#2090 Other significant changes Zebra support for route replace semantics in FPM link New command for BGP neighbor x addpath-tx-best-selected link New command for BGP mpls bgp l3vpn-multi-domain-switching link A couple more new BGP route-map commands: set as-path exclude all link set as-path exclude as-path-access-list link set extended-comm-list delete link set as-path replace [] link set as-path replace as-path-access-list WORD [] link match community-list X any UPDATE Deprecations Deprecate pre-standard outbound route filtering capability Deprecate pre-standard route refresh capability Drop deprecated capability A complete log of changes can be found by browsing the commit history of the FRR 9.1 tag 9.0.2 Fixed CVE-2023-47235 More details: https://frrouting.org/security/cve-2023-47235 Bug Fixes bgpd Fix aggregate-address summary-only suppressed export to EVPN Allow using attribute number 255 for path attr discard/withdraw cmds Check mandatory attributes more carefully for the UPDATE message Do not suppress conditional advertisement updates if triggered Fix Extended community memory leak Fix the no set as-path prepend command Fix heap-use-after-free for bgp_best_selection() Fix crash in SNMP BGP4V2-MIB bgpv2PeerErrorsTable() Fix clear bgp ipv6 unicast ... 
command Flush attributes only if we don't have to announce a conditional route (avoid use-after-free) Free memory for SRv6 functions and locator chunks Handle MP_UNREACH_NLRI malformed packets with session reset Ignore handling NLRIs if we received the MP_UNREACH_NLRI attribute Initialise timebuf arrays to zeros for dampening reuse timer Initialise buffer in bgp_notify_admin_message() before using it LTTng add EVPN route trace events Make sure dampening is enabled for the specified AFI/SAFI Use proper AFI when dumping information for dampening stuff Treat the AS4-PATH attribute as withdrawn if malformed Treat PMSI tunnel attribute as withdrawn if malformed Treat EOR as withdrawn to avoid unwanted handling of malformed attrs eigrpd Use the correct memory pool on interface deletion mgmtd Change mgmtd_vty_port to 2623 Fix crash on show mgmtd datastore-contents ospf6d Fix setting of the forwarding address in as-external LSAs Set loopback interface cost to 0 ospfd Fixing infinite loop when listing OSPF interfaces pathd Add no msd command Add no pcep command pbrd Fix show pbr map detail json command Free memory in pbr_map_delete() pim6d Fix valgrind issues pimd Fix missing pimreg interface tools Fix the frr-reload interface description command Fix the frr-reload route-map description command Make --quiet actually suppress output vtysh Fix entering configuration node in file-lock mode Fix configure terminal argument descriptions Fix working in file-lock mode Fix show route map json output zebra Add encap type when building packet for FPM Display ptmStatus order in interface JSON Fix connected route deletion when multiple entry exists Fix FPM multipath encap addition Fix link update for veth interfaces Fix zebra crash when replacing nhe during shutdown Prevent null pointer dereference 9.0.1 Bug Fixes bgpd Add peers back to peer hash when peer_xfer_conn fails Check the length of the rcv software version Do not explicitly print maxttl value for ebgp-multihop vty output Do 
not process nlris if the attribute length is zero Don't read the first byte of orf header if we are ahead of stream Evpn code was not properly unlocking rd_dest Fix show bgp all rpki notfound Make sure we have enough data to read two bytes when validating aigp Use treat-as-withdraw for tunnel encapsulation attribute zebra Fix evpn nexthop config order lib Allow unsetting walltime-warning and cpu-warning ospfd Prevent use after free( and crash of ospf ) when no router ospf pimd Prevent crash when receiving register message when the rp() is unknown When receiving a packet be more careful with length in pim_pim_packet vtysh Print uniq lines when parsing no service ... 8.5.4 Fixed CVE-2023-47235 More details: https://frrouting.org/security/cve-2023-47235 Bug Fixes bgpd Check mandatory attributes more carefully for the UPDATE message Do not suppress conditional advertisement updates if triggered Fix crash in SNMP BGP4V2-MIB bgpv2PeerErrorsTable() Handle MP_UNREACH_NLRI malformed packets with session reset Ignore handling NLRIs if we received the MP_UNREACH_NLRI attribute Initialise timebuf arrays to zeros for dampening reuse timer Initialise buffer in bgp_notify_admin_message() before using it Make sure dampening is enabled for the specified AFI/SAFI Use proper AFI when dumping information for dampening stuff Treat EOR as withdrawn to avoid unwanted handling of malformed attrs eigrpd Use the correct memory pool on interface deletion vtysh Fix show route map JSON output ospfd Fix infinite loop when listing OSPF interfaces pbrd Fix show pbr map detail json output zebra Add encap type when building packet for FPM Display ptmStatus order in interface JSON Fix connected route deletion when multiple entry exists Fix FPM multipath encap addition Fix link update for veth interfaces Fix zebra crash when replacing nhe during shutdown Prevent null pointer dereference 8.5.3 Bug Fixes bgpd Add peers back to peer hash when peer_xfer_conn fails Do not explicitly print maxttl value for 
ebgp-multihop vty output Do not process nlris if the attribute length is zero Do not try to redistribute routes if we are shutting down Don't read the first byte of orf header if we are ahead of stream Evpn code was not properly unlocking rd_dest Fix show bgp all rpki notfound Fix session reset issue caused by malformed core attributes Free bgp vpn policy Free previously dup'ed aspath attribute for aggregate routes Free temporary memory after using argv_concat() Intern attributes before putting into rib-out Make sure we have enough data to read two bytes when validating aigp Prevent use after free Rfapi memleak fixes, clean ce tables at exit Unlock dest if we return earlier for aggregate install Use treat-as-withdraw for tunnel encapsulation attribute zebra Fix evpn nexthop config order Abstract dplane_ctx_route_init to init route without copying Fix crash when dplane_fpm_nl fails to process received routes Further handle route replace semantics Fix command ipv6 nht xxx lib Allow unsetting walltime-warning and cpu-warning Skip route-map optimization if !af_inet(6) Use max_bitlen instead of magic number ospf6d Fix crash because neighbor structure was freed Stop crash in ospf6_write ospfd Check for nulls in vty code Prevent use after free( and crash of ospf ) when no router ospf pbrd Fix crash with match command pimd Prevent crash when receiving register message when the rp() is unknown When receiving a packet be more careful with length in pim_pim_packet ripd, ripngd Revert "Cleanup memory allocations on shutdown" tools Add what frr thinks as the fib routes for support_bundle vtysh Print uniq lines when parsing no service ... Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 2 files changed, 30 insertions(+), 6 deletions(-) commit b4880b752e3eeb61a95a6701066e2cf240737371 Author: Michael Tremer Date: Thu Jan 25 10:22:18 2024 +0000 web-user-interface: Force browsers to reload the changed CSS 
Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+), 1 deletion(-) commit bd2e449a71c6249a88584beee3493b1418db8025 Author: Michael Tremer Date: Tue Jan 23 14:02:24 2024 +0000 core184: Ship sqlite 
Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+) commit b7e830c99bd53a24f512b881c51177e3a601a7da Author: Adolf Belka Date: Tue Jan 23 12:26:47 2024 +0100 sqlite: Update to version 3450000 - Update from version 3440100 to 3450000 - Update of rootfile not required - Does IPFire have application defined SQL functions that invoke sqlite3_result_subtype() as per the first part of the below Changelog. - Changelog 3.45.0 Added the SQLITE_RESULT_SUBTYPE property for application-defined SQL functions. All application defined SQL functions that invokes sqlite3_result_subtype() must be registered with this new property. Failure to do so might cause the call to sqlite3_result_subtype() to behave as a no-op. Compile with -DSQLITE_STRICT_SUBTYPE=1 to cause an SQL error to be raised if a function that is not SQLITE_RESULT_SUBTYPE tries invokes sqlite3_result_subtype(). The use of -DSQLITE_STRICT_SUBTYPE=1 is a recommended compile-time option for every application that makes use of subtypes. Enhancements to the JSON SQL functions: All JSON functions are rewritten to use a new internal parse tree format called JSONB. The new parse-tree format is serializable and hence can be stored in the database to avoid unnecessary re-parsing whenever the JSON value is used. New versions of JSON-generating functions generate binary JSONB instead of JSON text. The json_valid() function adds an optional second argument that specifies what it means for the first argument to be "well-formed". Add the FTS5 tokendata option to the FTS5 virtual table. The SQLITE_DIRECT_OVERFLOW_READ optimization is now enabled by default. Disable it at compile-time using -DSQLITE_DIRECT_OVERFLOW_READ=0. Query planner improvements: Do not allow the transitive constraint optimization to trick the query planner into using a range constraint when a better equality constraint is available. (Forum post 2568d1f6e6.) 
The query planner now does a better job of disregarding indexes that ANALYZE identifies as low-quality. (Forum post 6f0958b03b.) Increase the default value for SQLITE_MAX_PAGE_COUNT from 1073741824 to 4294967294. Enhancements to the CLI: Improvements to the display of UTF-8 content on Windows Automatically detect playback of ".dump" scripts and make appropriate changes to settings such as ".dbconfig defensive off" and ".dbconfig dqs_dll on". Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 1 file changed, 3 insertions(+), 3 deletions(-) commit a65bcf84b49ce9cfea0524a1248dc82f74913993 Author: Michael Tremer Date: Tue Jan 23 14:02:02 2024 +0000 core184: Ship shadow Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+) commit 0839a78a90f5d3d5bdf37340d535c5ebabf3196f Author: Adolf Belka Date: Tue Jan 23 12:26:46 2024 +0100 shadow: Updated to version 4.14.3 - Updated from version 4.14.2 to 4.14.3 - Update of rootfile not required - Patch renamed to new version number - Changelog 4.14.3 libshadow: Avoid null pointer dereference. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 2 files changed, 4 insertions(+), 4 deletions(-) commit eee8a5b285d7211602917cf9385776464bca90cf Author: Michael Tremer Date: Tue Jan 23 14:01:36 2024 +0000 core184: Ship PAM 
Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+) commit 64f9606302a4f1f0a701f10fc49be236b95636cd Author: Adolf Belka Date: Tue Jan 23 12:26:45 2024 +0100 pam: Update to version 1.6.0 - Update from version 1.5.3 to 1.6.0 - Update of rootfile - A build bug was found with 1.6.0 if --enable-read-both-confs was set in the configure. A commit fixing this has been released and converted into a patch for IPFire. This will end up in the next pam release version and the IPFire patch can then be removed. - Changelog 1.6.0 * Added support of configuration files with arbitrarily long lines. * build: fixed build outside of the source tree. * libpam: added use of getrandom(2) as a source of randomness if available. * libpam: fixed calculation of fail delay with very long delays. * libpam: fixed potential infinite recursion with includes. * libpam: implemented string to number conversions validation when parsing controls in configuration. * pam_access: added quiet_log option. * pam_access: fixed truncation of very long group names. * pam_canonicalize_user: new module to canonicalize user name. * pam_echo: fixed file handling to prevent overflows and short reads. * pam_env: added support of '\' character in environment variable values. * pam_exec: allowed expose_authtok for password PAM_TYPE. * pam_exec: fixed stack overflow with binary output of programs. * pam_faildelay: implemented parameter ranges validation. * pam_listfile: changed to treat \r and \n exactly the same in configuration. * pam_mkhomedir: hardened directory creation against timing attacks. Please note that using *at functions leads to more open file handles during creation. * pam_namespace: fixed potential local DoS (CVE-2024-22365). * pam_nologin: fixed file handling to prevent short reads. * pam_pwhistory: helper binary is now built only if SELinux support is enabled. * pam_pwhistory: implemented reliable usernames handling when remembering passwords. 
* pam_shells: changed to allow shell entries with absolute paths only. * pam_succeed_if: fixed treating empty strings as numerical value 0. * pam_unix: added support of disabled password aging. * pam_unix: synchronized password aging with shadow. * pam_unix: implemented string to number conversions validation. * pam_unix: fixed truncation of very long user names. * pam_unix: corrected rounds retrieval for configured encryption method. * pam_unix: implemented reliable usernames handling when remembering passwords. * pam_unix: changed to always run the helper to obtain shadow password entries. * pam_unix: unix_update helper binary is now built only if SELinux support is enabled. * pam_unix: added audit support to unix_update helper. * pam_userdb: added gdbm support. * Multiple minor bug fixes, portability fixes, documentation improvements, and translation updates. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 3 files changed, 18 insertions(+), 3 deletions(-) commit f4ca072ce48384581b8c40b2cf6b4a573ea1447f Author: Michael Tremer Date: Tue Jan 23 14:00:55 2024 +0000 core184: Ship LVM2 
Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+) commit ad06db0aca745d4169222b2def2c2b9db8e172ad Author: Adolf Belka Date: Tue Jan 23 12:26:44 2024 +0100 lvm2: Update to version 2.03.23 - Update from version 2.03.22 to 2.03.23 - Update of rootfile not required - Changelog 2.03.23 Set the first lv_attr flag for raid integrity images to i or I. Add -A option for pvs and pvscan to show PVs outside devices file. Improve searched_devnames temp file usage to prevent redundant scanning. Change default search_for_devnames from auto to all. Add lvmdevices --refresh to search for missing PVIDs on all devices. Add comparison between old and new entries in lvmdevices --check. Fix device_id matching order - match non-devname first. Fix "lvconvert -m 0" when there is other than first in-sync leg. Use system.devices as default for dmeventd when dmeventd.devices is undefined. Accept WWIDs containing QEMU HARDDISK for device_id. Improve handling of non-standard WWID prefixes used for device_id. Configure automatically enables cmdlib for dmeventd and notify-dbus for dbus. Fix hint calculation for pools with zero or error segment. Configure supports --disable-shared to build only static binaries. Configure supports --without-{blkid|systemd|udev} for easier static build. Refresh device ids if the system changes. Fix pvmove when specifying raid components as moved LVs. Enhance error detection for lvm_import_vdo. Support PV lists with thin lvconvert. Fix support for lvm_import_vdo with SCSI VDO volumes. Fix locking issue leading to hanging concurrent vgchange --refresh. Recognize lvm.conf report/headings=2 for full column names in report headings. Add --headings none|abbrev|full cmd line option to set report headings type. Fix conversion to thin pool using lvmlockd. Fix conversion from thick into thin volume using lvmlockd. Require writable LV for conversion to vdo pool. Fix return value from lvconvert integrity remove. Preserve UUID for pool metadata spare. 
Preserve UUID for swapped pool metadata. Rewrite validation of device name entries used as device_id. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 1 file changed, 3 insertions(+), 3 deletions(-) commit 5c4f1e680e4f04962c2270809806bc65ef09bb68 Author: Michael Tremer Date: Tue Jan 23 14:00:27 2024 +0000 core184: Ship libidn 
Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+) commit f18d96971629979166347fc42c06ddaeec2da7df Author: Adolf Belka Date: Tue Jan 23 12:26:43 2024 +0100 libidn: Update to version 1.42 - Update from version 1.41 to 1.42 - Update of rootfile - Changelog 1.42 ** Bump required gettext version to 0.19.8 for musl-libc. ** Compiler warning improvements. As before, compiler warnings are enabled by default. You may disable them using ./configure --disable-gcc-warnings or turn them into fatal errors using ./configure --enable-gcc-warnings=error to add -Werror and sensible -Wno-error='s. Based on gnulib's manywarnings, see . ** Fix type confusion on LLP64/Windows platforms. While libidn has worked using cygwin libc, it has never worked on ucrt/msvcrt libc. Report and tiny patch by Francesco Pretto in . ** tests: Added script tests/standalone.sh suitable for integrators. The main purpose is to test a system-installed libidn, suitable for distributor checking (a'la Debian's autopkgtest/debci). It may also be used to test a newly built libidn outside the usual 'make check' infrastructure. To check that your system libidn is working, invoke the script with `srcdir` as an environment variable indicating where it can be find the source code for libidn's tests/ directory (it will use the directory name where the script is by default): tests/standalone.sh To check that a newly built static libidn behaves, invoke: env STANDALONE_CFLAGS="-Ilib lib/.libs/libidn.a" tests/standalone.sh To check that a newly built shared libidn behaves, invoke: env srcdir=tests STANDALONE_CFLAGS="-Ilib -Wl,-rpath lib/.libs lib/.libs/libidn.so" tests/standalone.sh If the libidn under testing is too old and has known bugs, that should cause tests to fail, which is intentional. ** Updated translations. ** Update gnulib files and build fixes. Signed-off-by: Adolf Belka 
Signed-off-by: Michael Tremer 2 files changed, 4 insertions(+), 6 deletions(-) commit fbff621fac1dbc8304e0cba0c392ec23342329ad Author: Michael Tremer Date: Tue Jan 23 13:59:50 2024 +0000 core184: Ship iputils Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+) commit 57da7bed373b4032a332bcb12f58f7bd39b79ff2 Author: Adolf Belka Date: Tue Jan 23 12:26:42 2024 +0100 iputils: Update to version 20240117 - Update from version 20231222 to 20240117 - Update of rootfile not required - Changelog 20240117 * ping - fix: Restore -i0 (commit: 7a51494, PR: #519, regression from 2a63b94) * localization - Updated Turkish and Indonesian - 100% translated: Chinese (Simplified), Czech, French, Georgian, German, Korean, Portuguese (Brazil), Turkish, Ukrainian - > 90% translated: Finnish, Indonesian, Japanese Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 1 file changed, 3 insertions(+), 3 deletions(-) commit 0dc494f5e5ac5c6ddd8f8b40817301b03f4c3ad5 Author: Michael Tremer Date: Tue Jan 23 13:59:26 2024 +0000 core184: Ship iproute2 Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+) commit 35d55995c43222c40faaae91aaa7441f2c8e4183 Author: Adolf Belka Date: Tue Jan 23 12:26:41 2024 +0100 iproute2: Update to version 6.7.0 - Update from version 6.6.0 to 6.7.0 - Update of rootfile not required - Changelog only available from git repo commits https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/log/ Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 1 file changed, 4 insertions(+), 4 deletions(-) commit f51f33d24bce234e1f043bb0e6ad665a0493757a Author: Michael Tremer Date: Tue Jan 23 13:58:38 2024 +0000 core184: Ship GnuTLS 
Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+) commit fa3b0964b612d90a8d7edbbf7a561ad48839579a Author: Adolf Belka Date: Tue Jan 23 12:26:40 2024 +0100 gnutls: Update to version 3.8.3 - Update from version 3.8.2 to 3.8.3 - Update of rootfile - Changelog 3.8.3 - libgnutls: Fix more timing side-channel inside RSA-PSK key exchange [GNUTLS-SA-2024-01-14, CVSS: medium] [CVE-2024-0553] - libgnutls: Fix assertion failure when verifying a certificate chain with a cycle of cross signatures [GNUTLS-SA-2024-01-09, CVSS: medium] [CVE-2024-0567] - libgnutls: Fix regression in handling Ed25519 keys stored in PKCS#11 token certtool was unable to handle Ed25519 keys generated on PKCS#11 with pkcs11-tool (OpenSC). This is a regression introduced in 3.8.2. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 2 files changed, 4 insertions(+), 4 deletions(-) commit bdf5de6dd22ddb4ca02dfe82c1946160bdb1e2aa Author: Michael Tremer Date: Tue Jan 23 13:57:53 2024 +0000 core184: Ship attr Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+) commit a7a4f0ce73f47a934660a3daabea2fce99ef9917 Author: Adolf Belka Date: Tue Jan 23 12:26:39 2024 +0100 attr: Update to version 2.5.2 - Update from version 2.5.1 to 2.5.2 - Update of rootfile - Changelog is no longer updated in the source tarball. Only source for changes is the git repository commits from https://git.savannah.nongnu.org/cgit/attr.git/log/ Signed-off-by: Adolf Belka 
Signed-off-by: Michael Tremer 2 files changed, 5 insertions(+), 6 deletions(-) commit 2d79832a541725765c42d17cf884a93562300e0e Author: Adolf Belka Date: Thu Jan 18 12:40:31 2024 +0100 wavemon: Update to version 0.9.5 - Update from version 0.9.4 to 0.9.5 - Update of rootfile not required - force-netlink-include-path patch updated due to changes in file in source tarball - Changelog 0.9.5 Info Screen: improve format of percentages (use fixed format rather than auto-format). Configuration: fix ncurses support for white backgrounds (#119), configuration file now either in $XDG_CONFIG_HOME/wavemon/wavemonrc or in $HOME/.config/wavemon/wavemonrc (#106). Miscellaneous avoid including include linux/if.h (#109), check and set support for C99 standard (#108), updated README (#107), configuration file can now be located in XDG_CONFIG_HOME (#105), added portable implementation of asprintf(3), updated copied nl80211 header file, make -Wpedantic the default when building. Signed-off-by: Adolf Belka 
Signed-off-by: Michael Tremer 3 files changed, 16 insertions(+), 16 deletions(-) commit b9fec739fd9fa971bbe0e22d9a3e247a76f877f1 Author: Adolf Belka Date: Thu Jan 18 12:40:30 2024 +0100 transmission: Update to version 4.0.5 - Update from version 4.0.4 to 4.0.5 - Update of rootfile - Changelog 4.0.5 Highlights Fixed 4.0.0 bug where the IP address field in UDP announces were not encoded in network byte order. [BEP-15]. (#6132) Fixed a bug that incorrectly escaped JSON strings in some locales. (#6005, #6133) Fixed 4.0.4 decreased download speeds for people who set a low upload bandwidth limit. (#6134) All Platforms Fixed bug that prevented editing trackers on magnet links. (#5957) Fixed HTTP tracker announces and scrapes sometimes failing after adding a torrent file by HTTPS URL. (#5969) In RPC responses, change the default sort order of torrents to match Transmission 3.00. (#5604) Fixed tr_sys_path_copy() behavior on some Synology Devices. (#5974) macOS Client Support Sonoma when building from sources. (#6016, #6051) Fixed early truncation of long group names in groups list. (#6104) Qt Client Fix: only append .added suffix to watchdir files. (#5705) GTK Client Fixed crash when opening torrent file from "Recently used" section in GTK 4. (#6131, #6142) Signed-off-by: Adolf Belka 
Signed-off-by: Michael Tremer 2 files changed, 6 insertions(+), 5 deletions(-) commit ab5113ae07f19f84f368d3dc7f791ec267f27d30 Author: Adolf Belka Date: Thu Jan 18 12:40:29 2024 +0100 stunnel: Update to version 5.71 - Update from version 5.69 to 5.71 - Update of rootfile not required - Changelog 5.71, 2023.09.19, urgency: MEDIUM Security bugfixes - OpenSSL DLLs updated to version 3.1.3. Bugfixes - Fixed the console output of tstunnel.exe. Features sponsored by SAE IT-systems - OCSP stapling is requested and verified in the client mode. - Using "verifyChain" automatically enables OCSP stapling in the client mode. - OCSP stapling is always available in the server mode. - An inconclusive OCSP verification breaks TLS negotiation. This can be disabled with "OCSPrequire = no". - Added the "TIMEOUTocsp" option to control the maximum time allowed for connecting an OCSP responder. Features - Added support for Red Hat OpenSSL 3.x patches. 5.70, 2023.07.12, urgency: HIGH Security bugfixes - OpenSSL DLLs updated to version 3.0.9. - OpenSSL FIPS Provider updated to version 3.0.8. Bugfixes - Fixed TLS socket EOF handling with OpenSSL 3.x. This bug caused major interoperability issues between stunnel built with OpenSSL 3.x and Microsoft's Schannel Security Support Provider (SSP). - Fixed reading certificate chains from PKCS#12 files. Features - Added configurable delay for the "retry" option. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 1 file changed, 4 insertions(+), 4 deletions(-) commit b0ef2af113b196cb98972017c31532bbc62ed0b2 Author: Michael Tremer Date: Tue Jan 23 13:56:30 2024 +0000 core184: Ship poppler 
Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+) commit d8209b5a9c56ff14b4318cf43820fad59cd17cad Author: Adolf Belka Date: Thu Jan 18 12:40:28 2024 +0100 poppler: Update to version 24.01.0 - Update from version 23.08.0 to 24.01.0 - Update of rootfile - Changelog 24.01.0: core: * Don't crash on certain documents on the NSS signature backend * Fix infinite loop in some annotation code if there's not space for even one character * Fix build on Android with generic font configuration * Small internal code cleanup 23.12.0: core: * Rewrite FoFiType1::parse to be more flexible. Issue #1422 * Small internal code refactoring 23.11.0: core: * CairoOutputDev: Use internal downscaling algorithm if image exceeds Cairo's maximum dimensions. * Internal code improvements * Fix crash on malformed files utils: * pdftocairo: Add option to document logical structure if output is pdf * pdftocairo: EPS output should not contain %%PageOrientation 23.10.0: core: * cairo: update type 3 fonts for cairo 1.18 api * Fix crash on malformed files build system: * Make a few more dependencies soft-mandatory * Add more supported gnupg releases * Check if linker supports version scripts 23.09.0: core: * Add Android-specific font matching functionality * Fix digital signatures for NeedAppearance=true * Forms: Don't look up same glyph multiple times * Provide the key location for certificates you can sign with * Add ToUnicode support for similarequal * Fix crash on malformed files qt5: * Provide the key location for certificates you can sign with * Allow to force a rasterized overprint preview during PS conversion qt6: * Provide the key location for certificates you can sign with * Allow to force a rasterized overprint preview during PS conversion pdfsig: * Provide the key location for certificates you can sign with Signed-off-by: Adolf Belka 
Signed-off-by: Michael Tremer 2 files changed, 8 insertions(+), 5 deletions(-) commit 3e32f30ba6176f39a15fcfbc90eddded095e9d84 Author: Michael Tremer Date: Tue Jan 23 13:55:33 2024 +0000 core184: Ship pixman Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+) commit 52d2ca0d4901d6850dd0fc41978ad70dafc73ece Author: Adolf Belka Date: Thu Jan 18 12:40:27 2024 +0100 pixman: Update to version 43.0 - Update from version 42.2 to 43.0 - Update of rootfile - Changelog The NEWS and ChangeLog files in the source tarball are empty. For details of changes see the commits log https://cgit.freedesktop.org/pixman/log/ Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 2 files changed, 4 insertions(+), 5 deletions(-) commit ad9d1c7594f1cb33101bfaedf5e4a8a291ba1f48 Author: Michael Tremer Date: Tue Jan 23 13:54:58 2024 +0000 core184: Ship memtest Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+) commit a99747a53cc9acc64d6389378fbe30557a8826fa Author: Adolf Belka Date: Thu Jan 18 12:40:26 2024 +0100 memtest: Update to version 7.00 - Update from version 6.20 to 7.00 - Update of rootfile not required - Changelog 7.00 IMC polling for live DRAM settings Preliminary support for ECC polling Add support for MMIO UART Add debugging options Bug fixes & optimizations Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 1 file changed, 3 insertions(+), 3 deletions(-) commit b66e42ddcfa6e1d5353b05586050c19425e7563a Author: Adolf Belka Date: Thu Jan 18 12:40:25 2024 +0100 lshw: Update to version B.02.20 - Update from version B.02.19.2 to B.02.20 - Update of rootfile - Changelog B.02.20 bug fixes code cleanup For more details see the git repo https://ezix.org/src/pkg/lshw/compare/B.02.19...B.02.20 Signed-off-by: Adolf Belka 
Signed-off-by: Michael Tremer 2 files changed, 6 insertions(+), 4 deletions(-) commit 3f22b830964b7822227194c7559d3398855c0a61 Author: Adolf Belka Date: Thu Jan 18 12:40:24 2024 +0100 libvirt: Update to version 10.0.0 - Update from version 8.10.0 to 10.0.0 - Update of rootfile - Changelog is too large to include here. Details can be found in the NEWS.rst file in the source tarball CVE-2023-3750 was fixed in version 9.6.0 Fix race condition in storage driver leading to a crash In **libvirt-8.3** a bug was introduced which in rare cases could cause ``libvirtd`` or ``virtstoraged`` to crash if multiple clients attempted to look up a storage volume by key, path or target path, while other clients attempted to access something from the same storage pool. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 2 files changed, 12 insertions(+), 8 deletions(-) commit 525bdbafb2aabac9940a21388cb7621d1ec8b99c Author: Adolf Belka Date: Thu Jan 18 12:40:23 2024 +0100 libtalloc: Update to version 2.4.1 - Update from version 2.3.4 to 2.4.1 - Update of rootfile - Changelog 2.4.1 (2023-07-20) No change information available anywhere that I could find 2.4.0 (2023-01-18) No change information available anywhere that I could find Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 2 files changed, 5 insertions(+), 5 deletions(-) commit d6b51f9c041c2d8f21a9e07dd2ddb81e203ea021 Author: Michael Tremer Date: Tue Jan 23 13:53:12 2024 +0000 core184: Ship ipset 
Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+) commit 43acdeb8a020c935010b35a76cef369cd07c7b4c Author: Adolf Belka Date: Thu Jan 18 12:40:22 2024 +0100 ipset: Update to version 7.19 - Update from version 7.17 to 7.19 - Update of rootfile not required - Changelog 7.19 - build: Fix the double-prefix in pkgconfig (Sam James) 7.18 - Add json output to list command (Thomas Oberhammer) - tests: hash:ip,port.t: Replace VRRP by GRE protocol (Phil Sutter) - tests: hash:ip,port.t: 'vrrp' is printed as 'carp' (Phil Sutter) - tests: cidr.sh: Add ipcalc fallback (Phil Sutter) - tests: xlate: Make test input valid (Phil Sutter) - tests: xlate: Test built binary by default (Phil Sutter) - xlate: Drop dead code (Phil Sutter) - xlate: Fix for fd leak in error path (Phil Sutter) - configure.ac: fix bashisms (Sam James) - lib/Makefile.am: fix pkgconfig dir (Sam James) Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 1 file changed, 3 insertions(+), 4 deletions(-) commit 7ae9d20aadcf3e1791194fb4d45a97368abadc16 Author: Adolf Belka Date: Thu Jan 18 12:40:21 2024 +0100 haproxy: Update to version 2.9.2 - Update from version 2.8.5 to 2.9.2 - Update of rootfile not required - Changelog is too large to include here. Details can be found in the CHANGELOG file in the source tarball. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 1 file changed, 5 insertions(+), 5 deletions(-) commit c23ca819d9989fd5b692c69bdcda7c9f3de42e5c Author: Adolf Belka Date: Thu Jan 18 12:40:20 2024 +0100 fmt: Update to version 10.2.1 - Update from version 10.0.0 to 10.2.1 - Update of rootfile - Changelog is a bit too large to include here. Details can be found in ChangeLog.md file in source tarball. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 2 files changed, 5 insertions(+), 5 deletions(-) commit df46bb241bf99a5b9a7da3ca77e095321a7dcfd1 Author: Michael Tremer Date: Tue Jan 23 11:36:08 2024 +0000 core184: Ship dmidecode (x86_64) 
Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+) commit 330f38dabeca0a6ada0b5dc5c8b32f267f67cee3 Author: Adolf Belka Date: Thu Jan 18 12:40:19 2024 +0100 dmidecode: Update to version 3.5 - Update from version 3.3 to 3.5 - Update of rootfile not required - Two patches no longer required as fixes are now in source tarball - Changelog 3.5 (Tue Mar 14 2023) - Decode HPE OEM records 216, 224, 230, 238 and 242. - Fortify entry point length checks. - Add a --no-quirks option. - Drop the CPUID exception list. - Do not let --dump-bin overwrite an existing file. - Ensure /dev/mem is a character device file. - Bug fixes: Fix segmentation fault in HPE OEM record 240 - Minor improvements: Typo fixes Write the whole dump file at once Fix a build warning when USE_MMAP isn't set 3.4 (Mon Jun 27 2022) - Support for SMBIOS 3.4.0. This includes new memory device types, new processor upgrades, new slot types and characteristics, decoding of memory module extended speed, new system slot types, new processor characteristics and new format of Processor ID. - Support for SMBIOS 3.5.0. This includes new processor upgrades, BIOS characteristics, new slot characteristics, new on-board device types, new pointing device interface types, and a new record type (type 45 - Firmware Inventory Information). - Decode HPE OEM records 194, 199, 203, 236, 237, 238 and 240. - Bug fixes: Fix OEM vendor name matching Fix ASCII filtering of strings Fix crash with option -u - Minor improvements: Skip details of uninstalled memory modules Don't display the raw CPU ID in quiet mode Improve the formatting of the manual pages Signed-off-by: Adolf Belka 
Signed-off-by: Michael Tremer 3 files changed, 3 insertions(+), 69 deletions(-) commit b15de7ba5297c32cdef21185fe20a5fc3c9e2cc1 Author: Adolf Belka Date: Thu Jan 18 12:40:18 2024 +0100 bird: Update to version 2.14 - Update from version 2.0.12 to 2.14 - Update of rootfile not required - Changelog 2.14 (2023-10-06) o MPLS subsystem o L3VPN: BGP/MPLS VPNs (RFC 4364) o BGP: Access to unknown route attributes o RAdv: Custom options o Babel: RTT metric extension o BMP: Refactored route monitoring o BMP: Multiple instances of BMP protocol o BMP: Both pre-policy and post-policy monitoring o Experimental route aggregation o Filter: Method framework o Filter: Functions have return type statements o Filter: New bytestring data type o Kernel: Option to learn kernel routes o Many bugfixes and improvements Notes: User-defined filter functions that return values now should have return type statements. We still accept functions without such statement, if they could be properly typed. For loops allowed to use both existing iterator variables or ones defined in the for statement. We no longer support the first case, all iterator variables must be defined in the for statement (e.g. 'for int i in bgp_path ...'). Due to oversight, VRF interfaces were not included in respective VRFs, this is fixed now. 2.13.1 (2023-06-23) o BGP: Fix role check when no capability option is present o Filter: Fixed segfault when a case option had an empty block This is a bugfix version. 2.13 (2023-04-21) o Babel: IPv4 via IPv6 extension (RFC 9229) o Babel: Improve authentication on lossy networks o BGP: New 'allow bgp_med' option o BSD: Support for IPv4 routes with IPv6 nexthop on FreeBSD o Experimental BMP protocol implementation o Important bugfixes Notes: We changed versioning scheme from .. to more common .. . From now on, you may expect that BIRD 2.13.x will be strictly only fixing bugs found in 2.13, whereas BIRD 2.14 will also contain new features. 
This BIRD version contains an alpha release of BMP protocol implementation. It is not ready for production usage and therefore it is not compiled by default and has to be enabled during installation. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 1 file changed, 4 insertions(+), 4 deletions(-) commit ffe528be289f5605ead71b1ae0560468a5d87866 Author: Michael Tremer Date: Tue Jan 23 11:33:43 2024 +0000 Start Core Update 184 Signed-off-by: Michael Tremer 41 files changed, 111 insertions(+), 1 deletion(-) commit 02aa0f99b12cf7c5f9bfc7e5a43dbd361989f424 Author: Arne Fitzenreiter Date: Sun Jan 21 21:42:13 2024 +0100 web-user-interface: rootfile update Signed-off-by: Arne Fitzenreiter 1 file changed, 5 insertions(+), 4 deletions(-) commit 0722f42ed2eef96908253e69370f2bc29ea36e6a Author: Arne Fitzenreiter Date: Sun Jan 21 19:10:22 2024 +0100 kernel: update to 6.6.13 Signed-off-by: Arne Fitzenreiter 4 files changed, 5 insertions(+), 5 deletions(-) commit 0742747e6dc4416f5a7c7b7feabdcb639a8b5f55 Author: Michael Tremer Date: Fri Jan 19 16:38:12 2024 +0000 core183: Ship firewall initscript Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+) commit e5a77641f35ec41e2b4a20403e690f0c9c96cb42 Author: Erik Kapfer Date: Tue Jan 16 16:26:39 2024 +0100 Firewall initscript: Restore Tor IPTable rules by manual firewall restart If the firewall is manually restarted via '/etc/init.d/firewall restart', the IPTable rules for the Tor relay will be deleted since 'iptables_init' only flushes and creates inbound and unbound chains for Tor but does not restore the ruleset from Tor initscript. For reference and tests please see --> https://community.ipfire.org/t/tor-stop-working-without-stop-the-process-or-give-an-error-message/10697 Signed-off-by: Erik Kapfer 
Signed-off-by: Michael Tremer 1 file changed, 8 insertions(+) commit b87cd867f704a5dbe1f28f448176f8a29950d709 Author: Michael Tremer Date: Fri Jan 19 16:36:58 2024 +0000 network: Only try to restart collectd if it is running This updated version of this script avoids any errors if collectd is not running (yet) which might happen during the boot process. Signed-off-by: Michael Tremer 1 file changed, 4 insertions(+), 2 deletions(-) commit 295af8f7666bcae0a8d05fae4824e803c0c523ff Author: Michael Tremer Date: Fri Jan 19 16:32:24 2024 +0000 core183: Ship the updated theme Signed-off-by: Michael Tremer 3 files changed, 3 insertions(+) commit 6094f35b5aea86b80e761302f83dc8c09a52b63b Author: Arne Fitzenreiter Date: Fri Jan 19 06:10:26 2024 +0000 core183: generate new rsa before apache start Signed-off-by: Arne Fitzenreiter 1 file changed, 10 insertions(+), 9 deletions(-) commit 36c16c71ed854b5bc43b79be926dd1d00f9091ff Author: Arne Fitzenreiter Date: Thu Jan 18 18:02:10 2024 +0100 core183: replace https rsa key if it is too small new openssl needs at least 2048 bit rsa keys for apache. So if the existing is smaller a new 4096 bit key is generated. fixes #13527 
Signed-off-by: Arne Fitzenreiter 3 files changed, 29 insertions(+) commit bca096b453809236775b497e0a3e4c7cd5e5437e Author: Peter Müller Date: Sun Jan 14 15:59:00 2024 +0000 linux: Forbid legacy TIOCSTI usage To quote from the kernel documentation: > Historically the kernel has allowed TIOCSTI, which will push > characters into a controlling TTY. This continues to be used > as a malicious privilege escalation mechanism, and provides no > meaningful real-world utility any more. Its use is considered > a dangerous legacy operation, and can be disabled on most > systems. > > Say Y here only if you have confirmed that your system's > userspace depends on this functionality to continue operating > normally. > > Processes which run with CAP_SYS_ADMIN, such as BRLTTY, can > use TIOCSTI even when this is set to N. > > This functionality can be changed at runtime with the > dev.tty.legacy_tiocsti sysctl. This configuration option sets > the default value of the sysctl. This patch therefore proposes to no longer allow legacy TIOCSTI usage in IPFire, given its security implications and the apparent lack of legitimate usage. Signed-off-by: Peter Müller Signed-off-by: Michael Tremer 6 files changed, 3 insertions(+), 6 deletions(-) commit 254dcbaac88865c7f5fbaaa4cf5a846545cf8a0b Author: Peter Müller Date: Tue Jan 16 12:36:50 2024 +0000 Core Update 183: Fix permissions of /etc/sudoers.d/, again 
Signed-off-by: Peter Müller 1 file changed, 4 insertions(+) commit 601664309be244bb72ec1da48758a51c4301ffd5 Author: Matthias Fischer Date: Sat Jan 13 20:43:50 2024 +0100 htop: Update to 3.3.0 For details see: https://github.com/htop-dev/htop/blob/main/ChangeLog "What's new in version 3.3.0 * Multiple refactorings and code improvements * Shorten docker container IDs to 12 characters * Settings: preserve empty header * Fix execlp() argument without pointer cast * OpenFilesScreen: Make column sizing dynamic for file size, offset and inode * Add support for "truss" (FreeBSD equivalent of "strace") * Darwin: add NetworkIOMeter support * HeaderLayout: add "3 columns - 40/30/30", "... 30/40/30" & "... 30/30/40" * Meter: use correct unicode characters for digit '9' * Note in manual re default memory units of KiB * Add column for process container name * Add logic to filter the container name (+type) from the CGroup name * Change NetworkIOMeter value unit from KiB/s to bytes/second * Cap DiskIOMeter "utilisation" percentage at 100% * PCP platform implementation of frontswap and zswap accounting * Shorten podman/libpod container IDs to 12 characters * Write configuration to temporary file first * Incorporate shared memory in bar text * Move shared memory next to used memory * Correct order of memory meter in help * Add recalculate to Ctrl-L refresh * Update process list on thread visibility toggling * Support dynamic screens with 'top-most' entities beyond processes * Introduce Row and Table classes for screens beyond top-processes * Rework ZramMeter and remove MeterClass.comprisedValues * More robust logic for CPU process percentages (Linux & PCP) * Show year as start time for processes older than a year * Short-term fix for docker container detection * default color preset: use bold blue for better visibility * Document 'O' keyboard shortcut * Implement logic for '--max-iterations' * Update F5 key label on tab switch (Tree <-> List) * Force re-sorting of the process list 
view after switching between list/treeview mode * Linux: (hack) work around the fact that Zswapped pages may be SwapCached * Linux: implement zswap support * {Memory,Swap}Meter: add "compressed memory" metrics * Darwin: add DiskIOMeter support * Fix scroll relative to followed process * ZramMeter: update bar mode * Use shared real memory on FreeBSD * Increase Search and Filter max string length to 128 * Improve CPU computation code * Remove LXC special handling for the CPU count * Create new File Descriptor meter * PCP: add IRQ PSI meter * Linux: add IRQ PSI meter * Linux: highlight username if process has elevated privileges * Add support for scheduling policies * Add a systemd user meter to monitor user units. * FreeBSD: remove duplicate zfs ARC size subtraction" Signed-off-by: Matthias Fischer 1 file changed, 4 insertions(+), 4 deletions(-) commit 091988ad27735c799081e0d1426f50d4a60d7514 Author: Michael Tremer Date: Mon Jan 15 19:31:00 2024 +0000 core183: Ship /etc/rc.d/init.d/mountfs This script has been modified when we touched ExtraHD in Core Update 179/180, but has been forgotten to be shipped. Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+) commit a93525c0caa8f443c80c7ae6533eaa61ba299eda Author: Arne Fitzenreiter Date: Tue Jan 16 12:41:08 2024 +0100 kernel: update to 6.6.12 Signed-off-by: Arne Fitzenreiter 4 files changed, 5 insertions(+), 5 deletions(-) commit d2e2c945a9cb7e3c5f0aa5db81ff95afdfbff81c Author: Peter Müller Date: Sun Jan 14 16:05:12 2024 +0000 Core Update 183: Ship 60-collectd 
Signed-off-by: Peter Müller 1 file changed, 1 insertion(+) commit f2d7d4ec16f2aea87b5e8fe638b062610cd8dc94 Author: Michael Tremer Date: Fri Jan 12 13:29:04 2024 +0000 collectd: Restart is required after reconnect The "ping" plugin does not re-resolve the gateway IP address after pinging it for the first time. For most people this won't be a big problem, but if the default gateway changes, the latency graph won't work any more. In order to re-resolve "gateway", the only way is to restart collectd. Fixes: #13522 Signed-off-by: Michael Tremer Acked-by: Peter Müller 4 files changed, 9 insertions(+) commit 4c7266a39e990db15498a7541ed7b0ad74184986 Author: Peter Müller Date: Thu Jan 11 11:59:18 2024 +0000 Core Update 183: Ship libssh Signed-off-by: Peter Müller 1 file changed, 1 insertion(+) commit 31167fb3bbbbfaff1cdbfa0dc328cff4ab6a436d Author: Peter Müller Date: Mon Jan 8 09:51:00 2024 +0000 libssh: Update to 0.10.6 Please refer to https://www.libssh.org/2023/12/18/libssh-0-10-6-and-libssh-0-9-8-security-releases/ for this version's release announcement. Signed-off-by: Peter Müller 2 files changed, 4 insertions(+), 4 deletions(-) commit 2958c8c1e07ea0bc5c07ad6f8027ac5894c31240 Author: Peter Müller Date: Thu Jan 11 11:58:51 2024 +0000 Core Update 183: Ship libgcrypt Signed-off-by: Peter Müller 1 file changed, 1 insertion(+) commit d4c04269034491b471c9b8ec223275c8efeaad57 Author: Peter Müller Date: Mon Jan 8 09:47:00 2024 +0000 libgcrypt: Update to 1.10.3 Refer to https://dev.gnupg.org/T6817 for release information concerning this version. Signed-off-by: Peter Müller 2 files changed, 4 insertions(+), 4 deletions(-) commit 6d95c33018db871a7f16c66624f9910de0079bf3 Author: Peter Müller Date: Thu Jan 11 11:58:17 2024 +0000 Core Update 183: Ship kmod 
Signed-off-by: Peter Müller 1 file changed, 1 insertion(+) commit de2b71f385f7306f1a85eb248de5ff3cbbae9b42 Author: Peter Müller Date: Mon Jan 8 09:44:00 2024 +0000 kmod: Update to 31 According to the source tarball's NEWS file: - Improvements - Allow passing a path to modprobe so the module is loaded from anywhere from the filesystem, but still handling the module dependencies recorded in the indexes. This is mostly intended for kernel developers to speedup testing their kernel modules without having to load the dependencies manually or override the module in /usr/lib/modules/. Now it's possible to do: # modprobe ./drivers/gpu/drm/i915/i915.ko As long as the dependencies didn't change, this should do the right thing - Use in-kernel decompression if available. This will check the runtime support in the kernel for decompressing modules and use it through finit_module(). Previously kmod would fallback to the older init_module() when using compressed modules since there wasn't a way to instruct the kernel to uncompress it on load or check if the kernel supported it or not. This requires a recent kernel (>= 6.4) to have that support and in-kernel decompression properly working in the kernel. - Make modprobe fallback to syslog when stderr is not available, as was documented in the man page, but not implemented - Better explain `modprobe -r` and how it differentiates from rmmod - depmod learned a `-o ` option to allow using a separate output directory. With this, it's possible to split the output files from the ones used as input from the kernel build system - Add compat with glibc >= 2.32.9000 that dropped __xstat - Improve testsuite to stop skipping tests when sysconfdir is something other than /etc - Build system improvements and updates - Change a few return codes from -ENOENT to -ENODATA to avoid confusing output in depmod when the module itself lacks a particular ELF section due to e.g. CONFIG_MODVERSIONS=n in the kernel. 
- Bug Fixes - Fix testsuite using uninitialized memory when testing module removal with --wait - Fix testsuite not correctly overriding the stat syscall on 32-bit platforms. For most architectures this was harmless, but for MIPS it was causing some tests to fail. - Fix handling unknown signature algorithm - Fix linking with a static liblzma, libzstd or zlib - Fix memory leak when removing module holders - Fix out-of-bounds access when using very long paths as argument to rmmod - Fix warnings reported by UBSan Signed-off-by: Peter Müller 2 files changed, 4 insertions(+), 4 deletions(-) commit 738bc25c9494c3ca3cea2c7be00ead931128a63e Author: Peter Müller Date: Thu Jan 11 11:57:39 2024 +0000 Core Update 183: Ship cpio Signed-off-by: Peter Müller 1 file changed, 1 insertion(+) commit b8a149cc40fa5a5e99230b06803f77843ae1c89a Author: Peter Müller Date: Mon Jan 8 06:24:00 2024 +0000 cpio: Update to 2.14 Noteworthy changes in this release, according to https://lists.gnu.org/archive/html/info-gnu/2023-05/msg00001.html : * New option --ignore-dirnlink Valid in copy-out mode, it instructs cpio to ignore the actual number of links reported for each directory member and always store 2 instead. * Changes in --reproducible option The --reproducible option implies --ignore-dirnlink. In other words, it is equivalent to --ignore-devno --ignore-dirnlink --renumber-inodes. * Use GNU ls algorithm for deciding timestamp format in -tv mode * Bugfixes ** Fix cpio header verification. ** Fix handling of device numbers on copy out. ** Fix calculation of CRC in copy-out mode. ** Rewrite the fix for CVE-2015-1197. ** Fix combination of --create --append --directory. ** Fix appending to archives bigger than 2G. Signed-off-by: Peter Müller 2 files changed, 4 insertions(+), 3 deletions(-) commit 3b2e37af229d03b162ccc9bf681fa02fb583a5bb Author: Peter Müller Date: Thu Jan 11 11:57:05 2024 +0000 Core Update 183: Ship and restart strongSwan 
Signed-off-by: Peter Müller 2 files changed, 5 insertions(+) commit 05d0278bf7469608b02c82d3eaa5f36bc803816f Author: Peter Müller Date: Mon Jan 8 06:19:00 2024 +0000 strongSwan: Update to 5.9.13 Please refer to https://github.com/strongswan/strongswan/releases/tag/5.9.13 for the changelog of this version. Signed-off-by: Peter Müller 1 file changed, 2 insertions(+), 2 deletions(-) commit 19e66d7e2b5b3fc73c9022e67789858983938811 Author: Arne Fitzenreiter Date: Thu Jan 11 10:30:13 2024 +0100 kernel: update to 6.6.11 Signed-off-by: Arne Fitzenreiter 4 files changed, 5 insertions(+), 5 deletions(-) commit e437405158560c435a2286b97241aa62a3dc70cc Author: Arne Fitzenreiter Date: Wed Jan 10 17:11:16 2024 +0100 core183: fix typo at install-bootloader Signed-off-by: Arne Fitzenreiter 1 file changed, 1 insertion(+), 1 deletion(-) commit 9d30f138f9508bf9fffab7a913972ddced287a87 Author: Michael Tremer Date: Wed Jan 10 12:25:33 2024 +0000 index.cgi: Remove some custom CSS styling that broke the design Signed-off-by: Michael Tremer 1 file changed, 3 insertions(+), 3 deletions(-) commit 0e415928b72a1e3c01bc01fb800d8f5e9342f0bd Author: Michael Tremer Date: Wed Jan 10 12:23:15 2024 +0000 web-user-interface: Replace the old tux logo with our new word mark Signed-off-by: Michael Tremer 4 files changed, 13 insertions(+), 11 deletions(-) commit dbf1d1634be473f02323f030ee0625d59bc3c351 Author: Michael Tremer Date: Wed Jan 10 12:12:32 2024 +0000 web-user-interface: Update interface design Signed-off-by: Michael Tremer 10 files changed, 102 insertions(+), 108 deletions(-) commit a2af8c71863c63bf2f6f8e41a11bd06088cc7401 Author: Arne Fitzenreiter Date: Wed Jan 10 06:26:25 2024 +0000 kernel: aarch64: enable CONFIG_SHADOW_CALL_STACK 
Signed-off-by: Arne Fitzenreiter 2 files changed, 2 insertions(+), 6 deletions(-) commit ed5e80eb626db0c6dd96f5a4c4dbe3fb7cd05fc2 Author: Arne Fitzenreiter Date: Wed Jan 10 07:22:59 2024 +0100 grub: update to 2.12 (final release version) this should fix problems on systems installed on xfs Signed-off-by: Arne Fitzenreiter 9 files changed, 180 insertions(+), 15 deletions(-) commit c4f03017a51e50f1a445e4180f44839689b188f1 Author: Peter Müller Date: Mon Jan 8 18:35:25 2024 +0000 Core Update 183: Ship proxy.cgi Signed-off-by: Peter Müller 1 file changed, 1 insertion(+) commit a1bb2fb5853f882e4a87397448bead7a9ebfa43d Author: Michael Tremer Date: Mon Jan 8 16:42:48 2024 +0000 Revert "proxy.cgi: Fix for Bug #12826 'squid >=5 crashes on literal IPv6 addresses'" This reverts commit e0be9eab47d621545e5498c32c0fef39f7ef84a9. This change is now producing problems on IPv6-enabled systems as it will deny access to any website that is IPv6-enabled as well, even if the client connected using IPv4. I have tested if squid is now running fine on systems where IPv6 is disabled and can confirm that it's running just fine. 
Signed-off-by: Michael Tremer Acked-by: Peter Müller 1 file changed, 1 insertion(+), 11 deletions(-) commit cfb6d9c7fdb3507e5bf5c6d9790601c445502fae Author: Adolf Belka Date: Tue Dec 26 14:10:34 2023 +0100 postfix: Update to version 3.8.4 + prevent smtp smuggling - Update from version 3.8.3 to 3.8.4 - Update of rootfile not required - Permanent fix for smtp smuggling will be in version 3.9. However the fix has been backported into version 3.8.4 but with the default for the parameter of "no". - This patch sets the defaults for all the main.cf parameters highlighted by Wietse Venema in http://www.postfix.org/smtp-smuggling.html - Additionally the implementation of smtpd_forbid_bare_newline = yes has been added to the install.sh pak for postfix so that it will be included into any main.cf file being restored from backup. This parameter is available for the first time in 3.8.4 so will not be in any backup prior to this release and can therefore be safely applied to restored versions of main.cf. - This fix in install.sh will be able to be removed when version 3.9 is released early in 2024 as the default for that parameter in that version onwards will then be "yes" - Changelog 3.8.4 Security: with "smtpd_forbid_bare_newline = yes" (default "no" for Postfix < 3.9), reply with "Error: bare <LF> received" and disconnect when an SMTP client sends a line ending in <LF>, violating the RFC 5321 requirement that lines must end in <CR><LF>. This prevents SMTP smuggling attacks that target a recipient at a Postfix server. For backwards compatibility, local clients are excluded by default with "smtpd_forbid_bare_newline_exclusions = $mynetworks". Files: mantools/postlink, proto/postconf.proto, global/mail_params.h, global/smtp_stream.c, global/smtp_stream.h, smtpd/smtpd.c. 
Signed-off-by: Adolf Belka Reviewed-by: Peter Müller 2 files changed, 16 insertions(+), 4 deletions(-) commit d303f7c1546f63f734662fa907c140f66ff5869e Author: Arne Fitzenreiter Date: Sun Jan 7 16:08:31 2024 +0100 kernel: update to 6.6.10 Signed-off-by: Arne Fitzenreiter 6 files changed, 25 insertions(+), 18 deletions(-) commit 8f0f0d6d2ab2447b257935c5b4284a313207b049 Author: Peter Müller Date: Sun Jan 7 14:06:14 2024 +0000 Core Update 183: Ship bash Signed-off-by: Peter Müller 1 file changed, 1 insertion(+) commit de1cd0d54d5adf45ed3a447d0e3577ca51d71b1f Author: Adolf Belka Date: Mon Dec 18 18:28:52 2023 +0100 bash: Update the patches applied to bash - Update the patches to include patches 16 to 21 - Update of rootfile not required - Changelog patch 21: fix for expanding command substitutions in a word expansion in a here-document patch 20: allow time reserved word as first token in command substitution patch 19: fix case where background job set the terminal process group patch 18: fix for returning unknown tokens to the bison parser patch 17: fix for optimizing forks when using the . builtin in a subshell patch 16: fix for a crash if one of the expressions in an arithmetic for command expands to NULL Signed-off-by: Adolf Belka Reviewed-by: Peter Müller 7 files changed, 3918 insertions(+), 1 deletion(-) commit da4e2fc635f14d2b0964de8e1e8aeb4a1a34d1ec Author: Arne Fitzenreiter Date: Fri Jan 5 19:20:14 2024 +0100 openssl: fix riscv build openssl 3.x needs correct arch configuration or disable asm optimisation with no-asm config parameter. Signed-off-by: Arne Fitzenreiter 1 file changed, 5 insertions(+), 3 deletions(-) commit 10fede6f4c1f48dc613aeabc61fc06ebab1a266b Author: Peter Müller Date: Sat Dec 30 14:37:00 2023 +0000 haproxy: Update to 2.8.5 Please refer to https://www.mail-archive.com/search?l=haproxy%40formilux.org&q=announce+subject%3A%22[ANNOUNCE]+haproxy-2.8.5%22+-subject%3A%22re:%22 for this version's release announcement. 
Signed-off-by: Peter Müller 1 file changed, 3 insertions(+), 3 deletions(-) commit 20e608a8f8c0b89e6cddb78d1d8b1ab5138beaeb Author: Peter Müller Date: Sat Dec 30 14:35:00 2023 +0000 Tor: Update to 0.4.8.10 Changes in version 0.4.8.10 - 2023-12-08 This is a security release fixing a high severity bug (TROVE-2023-007) affecting Exit relays supporting Conflux. We strongly recommend to update as soon as possible. o Major bugfixes (TROVE-2023-007, exit): - Improper error propagation from a safety check in conflux leg linking led to a desynchronization of which legs were part of a conflux set, ultimately causing a UAF and NULL pointer dereference crash on Exit relays. Fixes bug 40897; bugfix on 0.4.8.1-alpha. o Minor features (fallbackdir): - Regenerate fallback directories generated on December 08, 2023. o Minor features (geoip data): - Update the geoip files to match the IPFire Location Database, as retrieved on 2023/12/08. o Minor bugfixes (bridges, statistics): - Correctly report statistics for client count over Pluggable transport. Fixes bug 40871; bugfix on 0.4.8.4 
Signed-off-by: Peter Müller 1 file changed, 3 insertions(+), 3 deletions(-) commit 1e2f989fbd4957eafdd6edc32dfdb25737ace844 Author: Adolf Belka Date: Sun Dec 31 21:50:18 2023 +0100 libplist: Update to version 2.3.0 - Update from version 2.2.0 to 2.3.0 - Update of rootfile 2.3.0 - Changes: * Rename PLIST_UINT to PLIST_INT and add plist_new_int() and plist_get_int_val() * Add support for JSON format * Add support for OpenStep format * Introduce error codes and format constants * Add return value to import/export functions to allow returning error codes * Add new plist_sort function * Add several human-readable output-only formats * Add new plist_write_to_string/_stream/_file functions * Add new plist_print function * Add new plist_read_from_file function * Add new plist_mem_free() function * Add a few C++ methods * Add C++ interface test * Add PLIST_NULL type * Some code housekeeping (mostly clang-tidy) - Breaking: * plist_from_memory() gets additional parameter - Bugfixes: * Fix multiple bugs in all of the parsers * Fix handling of PLIST_UID nodes 
Signed-off-by: Adolf Belka 2 files changed, 8 insertions(+), 8 deletions(-) commit fda0b945d0464ea3b39acb15cacc057735d1f1fb Author: Adolf Belka Date: Sun Dec 31 21:50:17 2023 +0100 nqptp: Update to version 1.2.4 - Update from version commit ad384f9ed3b2cc31e97012ab6bfe5a214ffc65a2 (between 1.2.1 and 1.2.2) to 1.2.4 - Update of rootfile not required - Changelog 1.2.4 Following on from the security update of 1.2.3, some further changes are introduced to make the communication path between NQPTP and Shairport Sync resistant to outside interference. On Linux, nqptp now runs as a restricted user but with special permission to access ports 319 and 320. These changes have necessitated changing the SMI interface. The SMI interface is now at version 10, and Shairport Sync must also be updated to be compatible with it. Before updating, it is important that you remove the startup service file as described in the README. Please read the Release Notes for more details. 1.2.3 This important update fixes a crashing bug whereby a maliciously-crafted message to the control port could crash NQPTP. (Supersedes 1.2.2.) 1.2.2 Superseded by version 1.2.3 
Signed-off-by: Adolf Belka 1 file changed, 5 insertions(+), 4 deletions(-) commit 9de11327551c13ccd3cae2f9391a8d9f8698ec83 Author: Adolf Belka Date: Sun Dec 31 21:50:16 2023 +0100 shairport-sync: Update to version 4.3.2 - Update from version 4.1.1 to 4.3.2 - Update of rootfile not required. - Updating shairport-sync to 4.2 or later also requires an update of nqptp as the newer version of shairport-sync requires NQPTP with Shared Memory Interface Version smi9 and will not work with older versions. - Changelog 4.3.2 This update contains a brand new PipeWire backend with full synchronisation -- your feedback is welcome on this. The update also contains a number of bug fixes. Enhancements A totally new PipeWire backend featuring full synchronisation. Bug Fixes Stability improvements for the PulseAudio backend. Fix a crash when the Avahi subsystem became disconnected. This is normally a rare occurrence, but Shairport Sync was not dereferencing obsolete data correctly when it happened. Set and reset Bonjour flags correctly when it's a Classic Airplay session in AirPlay 2 operation. Fix a number of FreeBSD compilation errors and warnings. Fix various errors when breaking into an existing session to terminate it. Thanks again to aaronk6. Fix some debug message errors, sigh. Thanks to Nathan Gray. 4.3.1 Bug Fixes This release, 4.3.1, fixes a bug in Version 4.3 that prevented Shairport Sync from being added to Home. 4.3 This update contains important security updates, bug fixes and enhancements. NQPTP must also be updated, and it should be updated before updating Shairport Sync. The Shared Memory Interface version of both Shairport Sync and NQPTP is now 10, i.e. smi10. Notes When updating NQPTP on Linux, be sure to remove the old service file as directed in the README. Having completed both updates and installations, remember to restart NQPTP first and then restart Shairport Sync. Security Updates A crashing bug in NQPTP has been fixed. 
The communications protocol used between NQPTP and Shairport Sync has been revised and made more resilient to attempted misuse. In Linux systems, NQPTP no longer runs as root -- instead it runs as the restricted user nqptp, with access to ports 319 and 320 set by the installer via the setcap utility. Enhancements A new volume control profile called dasl-tapered has been added in which halving the volume control setting halves the output level. For example, moving the volume slider from full to half reduces the output level by 10dB, which roughly corresponds with a perceived halving of the audio volume level. Moving the volume slider from half to a quarter reduces the output level by a further 10dB. The tapering rate is slightly modified at the lower end of the range if the device's attenuation range is restricted (less than about 55dB). To activate the dasl-tapered profile, set the volume_control_profile to "dasl_tapered" in the configuration file and restart Shairport Sync. Many thanks to David Leibovic, aka dasl-, for this. On graceful shutdown, an active_end signal should now be generated if the system was in the active state. Addresses issue #1647. Thanks to Tucker Kern for raising the issue. Bug Fixes Fixed a bug that causes the Docker image to crash occasionally when OwnTone interrupted an existing iOS session. Thanks to aaronk6 for the report. Fixed a cross-compilation error caused by not looking for the correct version of the ar tool. The fix was to substitute the correct version during the autoreconf phase. Thanks to sternenseemann for raising the issue and the PR containing the fix. Updated the mDNS strings for the Classic AirPlay feature of AP2, so that it does not appear to provide MFi authentication. Addresses this discussion. Always uses a revision number of 1 when looking for status updates on the DACP remote control port. This follows a suggestion in Issue #1658. Thanks to ejurgensen, as ever, for the report and the suggested fix. 
Fixed a statistics bug (the minimum buffer size was incorrectly logged) and also tidy up the statistics logging interval logic for resetting min and max counters. Added an important missing format string argument to a call in the Jack Audio backend. Many thanks to michieldwitte for their PR. Maintenance Stopped using a deprecated FFmpeg data structure reference. Stopped using deprecated OpenSSL calls. Thanks to yubiuser for their PR -- which did some of the updating -- and for their guidance. Run workflow-based tests on PRs automatically. Thanks to yubiuser for their PR. 4.2 This release consists of enhancements and important bug fixes to Shairport Sync Version 4.1. For information on the new features of 4.1, including AirPlay 2 support, please see the Version 4.1 Release Note. Important If you are updating an existing installation of Shairport Sync, you must also update NQPTP. The reason is that this update to Shairport Sync requires NQPTP with Shared Memory Interface Version smi9 and will not work with older versions. For details of the enhancements and bug fixes in this release, please refer to the RELEASENOTES. 
Signed-off-by: Adolf Belka 1 file changed, 4 insertions(+), 4 deletions(-) commit 70853b056af1f339b80ba2088f5830560d96eaa7 Author: Adolf Belka Date: Sun Dec 31 21:49:27 2023 +0100 sudo: Update to version 1.9.15p5 - Update from version 1.9.15p4 to 1.9.15p5 - Update of rootfile not required - Changelog 1.9.15p5 Fixed evaluation of the lecture, listpw, verifypw, and fdexec sudoers Defaults settings when used without an explicit value. Previously, if specified without a value they were evaluated as boolean false, even when the negation operator (’!’) was not present. Fixed a bug introduced in sudo 1.9.14 that prevented LDAP netgroup queries using the NETGROUP_BASE setting from being performed. Sudo will now transparently rename a user’s lecture file from the older name-based path to the newer user-ID-based path. GitHub issue #342. Fixed a bug introduced in sudo 1.9.15 that could cause a memory allocation failure if sysconf(_SC_LOGIN_NAME_MAX) fails. Bug #1066 Signed-off-by: Adolf Belka Reviewed-by: Peter Müller 1 file changed, 2 insertions(+), 2 deletions(-) commit 26c65649ae98e5ec6da266833fc9a46a97f49b24 Author: Adolf Belka Date: Sun Dec 31 10:27:24 2023 +0100 meson: Update to version 1.3.1 - Update from version 1.2.3 to 1.3.1 - Update of rootfile - Changelog is too large to include here. See details at https://mesonbuild.com/Release-notes.html Signed-off-by: Adolf Belka Reviewed-by: Peter Müller 2 files changed, 9 insertions(+), 9 deletions(-) commit 9a2ebf90776d273cc5dd2555448b042b61ad0594 Author: Adolf Belka Date: Sun Dec 31 10:27:23 2023 +0100 libseccomp: Update to version 2.5.5 - Update from version 2.5.4 to 2.5.5 - Update of rootfile - Changelog 2.5.5 - December 1, 2023 * Update the syscall table for Linux v6.7-rc3 Signed-off-by: Adolf Belka Reviewed-by: Peter Müller 2 files changed, 5 insertions(+), 5 deletions(-) commit bb9acf6731ac44587912d92770847f9e7a3f9c4e Author: Peter Müller Date: Wed Jan 3 21:17:19 2024 +0000 Core Update 183: Ship iputils 
Signed-off-by: Peter Müller 1 file changed, 1 insertion(+) commit 7b877b140e18407f2025f297822061bf1c56e6f2 Author: Adolf Belka Date: Sun Dec 31 10:27:22 2023 +0100 iputils: Update to version 20231222 - Update from version 20221126 to 20231222 - Update of rootfile not required - Changelog 20231222 * arping - fix: Properly fix -Wpedantic warnings (commit: 80a580a, PR: #505) * clockdiff - fix: Set ppoll timeout minimum to 1ms (commit: 471942d, issue: #326, PR: #459) * ping - feature: Add option -H to force reverse DNS resolution (commit: dd5a81a, issue: #421, https://bugs.debian.org/650479, PR: #494) - feature: Decode unreachable codes added in RFC 4443 (commit: c4c7d52, PR: #447) - feature: Allow over-PMTU-sized packets with DF set using PMTUDISC_PROBE (commit: e123cab, PR: #448) - fix: Revert "ping: use random value for the identifier field" to use PID again (commit: d466aab, issue: #489, PR: #503, regression from s20200821) - fix: Fix support for DSCP (Traffic Class, option -Q) (commit: 425f711, PR: #468, broken since s20060425) - fix: Fix the errno handling for strtod (commit: 33e78be, PR: #450, regression from s20190324) - fix: Drop redundant setsockopt(IPV6_TCLASS) call (commit: d38519a, PR: #468, regression from s20150815) - fix: Fix overflow on negative -i (commit: 2a63b94, issue: #465) - fix: Fix sporadically missing DNS record on targets with multiple IP addresses (commit: 80a580a, PR: #505, regression from s20200821) - fix: Handle interval correctly in the first second after booting (commit: 7448c33, PR: #499) - fix: Fix presentation of IPv6 addresses with no reverse DNS (commit: bc3f2e3, issue: #455, PR: #478) - fix: Add missing whitespace in IPv6 output (commit: 14472fc, PR: #455) - fix: Allow to localize help (commit: e13508a) - fix: Use print target when empty ai_canonname (commit: c68afd5, issue: #421) - Improve interval error message (commit: fb75557, PR: #487) - man: Mention broadcast and multicast limit for non-root (commit: e7aafa7, PR: #486) - 
man: Document collisions and pid_max (commit: c515a0d, PR: #507) - man: Add missing parameter for -e (commit: 2400215) - man: Update TTL details (commit: 2beff77, issue: #488, PR: #497) - man: Describe the defaults for -n option, reword (commit: a6e6d24) * tracepath - fix: Restore the MTU probing behavior") (commit: a75feb0, PR: #448, regression from s20190709) - fix: Fix behavior during the first second after booting (commit: c64bcd8, PR: #499) - Add NULL pointer assert() check (commit: 065daad, PR: #498) - man: Fix output related docs (commit: 40c7bc3, issue: #469, PR: #470) - man: Document error messages (commit: 90371d2, issue: #463, PR: #495) * CI - Add CentOS Stream 9 and Rocky Linux 8 and 9 (commit: 26edb41, 0ce30ae, PR: #457, #476) * localization - 100% translated: Chinese (Simplified), Czech, English, French, Georgian, German, Korean, Portuguese (Brazil), Ukrainian - > 90% Finnish, Turkish, Japanese, Indonesian 
Signed-off-by: Adolf Belka Reviewed-by: Peter Müller 1 file changed, 3 insertions(+), 3 deletions(-) commit cc0b22d92c206eca5ddf94c42f3f73f6a598a21a Author: Adolf Belka Date: Sun Dec 31 10:27:21 2023 +0100 iperf3: Update to version 3.16 - Update from version 3.12 to 3.16 - Update of rootfile not required - Changelog 3.16 2023-11-30 * Notable user-visible changes * Multiple test streams started with -P/--parallel will now be serviced by different threads. This allows iperf3 to take advantage of multiple CPU cores on modern processors, and will generally result in significant throughput increases (PR #1591). * OpenSSL 3 is now detected at build time. If OpenSSL 3 is found, various older, deprecated, APIs will not be used. iperf3 will continue to work with OpenSSL 1.1.1. OpenSSL is used as a part of the iperf3 authentication functionality (Issue #1300, PR #1589). * The authorized users file used by the authentication functionality is now checked for accessibility much earlier during the program startup, as opposed to being checked near the start of a test (Issue #1583, PR #1585). * Developer-visible changes * BREAKING CHANGE: iperf3 now requires pthreads and C atomic variables to compile and run. 3.15 2023-09-14 * Notable user-visible changes * Several bugs that could allow the iperf3 server to hang waiting for input on the control connection has been fixed. ESnet thanks Jorge Sancho Larraz from Canonical for reporting this issue. For more information, see: https://downloads.es.net/pub/iperf/esnet-secadv-2023-0002.txt.asc * A bug that caused garbled output with UDP tests on 32-bit hosts has been fixed (PR #1554, PR #1556). This bug was introduced in iperf-3.14. * A bug in counting UDP messages has been fixed (PR #1367, PR #1380). 3.14 2023-07-07 * Notable user-visible changes * A memory allocation hazard was fixed (Issue #1542/PR #1543). 
For more information see: https://downloads.es.net/pub/iperf/esnet-secadv-2023-0001.txt.asc * JSON output was improved, such as print JSON numbers as signed (PR #1539, Issue #1435), the exit code when doing JSON output was fixed (PR #1523), and client_api was fixed so that it still returns an error code when JSON is enabled (Issue #1405). Also, duplicate fields when using multiple streams was removed from the JSON output (#1492). * Prevent UDP packet count and operations overflow (PR #1536/Issue #1534). * Statistics are fixed when --omit is used (Issue #1489/PR #1498). * Developer-visible changes * CI builds and tests using GitHub actions have been added (PR #1519). * A fix for Android "unable to create a new stream error" was added (PR #1506). * Support for Voice Admit DSCP code point from RFC 5865 was added (PR #1490). * A fix for preventing a crash when RSA public key path doesn't exist was fixed (PR #1488/Issue #1471). 3.13 2023-02-16 * Notable user-visible changes * fq-rate (PR #1461, Issue #1366), and bidirectional flag (Issue #1428, PR #1429) were added to the JSON output. * Added support for OpenBSD including cleaning up endian handling (PR #1396) and support for TCP_INFO on systems where it was implemented (PR #1397). * Fixed bug in how TOS is set in mapped v4 (PR #1427). * Corrected documentation, such as updating binary download links and text (Issue #1459), updating version on iperf3 websites, and fixing an incorrect error message (Issue #1441). * Fixed crash on rcv-timeout with JSON logfile (#1463, #1460, issue #1360, PR #1369). * Fixed a bug that prevented TOS/DSCP from getting set correctly for reverse tests (PR #1427, Issue #638). * Developer-visible changes * Getter and setter are now available for bind_dev (PR #1419). * Added missing getter for bidirectional tests (PR #1453). * Added minor changes to clean up .gitignore and error messages (#1408). * Made sure configure scripts are runnable with /bin/sh (PR #1398). 
* Cleaned up RPM spec, such as adding missing RPM build dependencies, dropping EL5 and removing outdated %changelog (PR #1401) to make. * Added a fix for a resource leak bug in function iperf_create_pidfile(#1443). Signed-off-by: Adolf Belka 1 file changed, 3 insertions(+), 3 deletions(-) commit 519fef8ed261feec445f716cbf8bd0d63d1c7099 Author: Peter Müller Date: Wed Jan 3 21:12:21 2024 +0000 Core Update 183: Ship fontconfig 
Signed-off-by: Peter Müller 2 files changed, 2 insertions(+) commit 8c8aee96550b9ce437ea5d19f570c4bed176eca3 Author: Adolf Belka Date: Sun Dec 31 10:27:20 2023 +0100 fontconfig: Update to version 2.15.0 - Update from version 2.14.1 to 2.15.0 - Update of rootfile - Autogen no longer required - fcobjshash.h is no longer in tarball from version 2.13.1 - Changelog 2.15 Do not change the order of orth files Convert tabs to spaces Convert more tabs to spaces in docs src/meson.build: Store correct paths to fontconfig.pc. Fix a typo in description for HAVE_STDATOMIC_PRIMITIVES Report more detailed logs instead of assertion. Add some missing constant names for weight. Adujst indentation between programlisting in fontconfig-user.sgml Bump version to 2.14.2 Clean up unused code Add another test case for flatpak Update 65-nonlatin.conf for macOS Change the order of the properties to the order of fontconfig cache format Add missing property descriptions Add namedinstance property Remove the problematic language from code and doc Fix a typo Fix a typo for FcCharSetDelChar doc Fix a typo in scalable property Use 'outline' instead of 'scalable' for bitmaps Add more docs about selectfont Rework CI implementation Fix a typo Rework CI implementation v2 Apply a fix of ci-templates Fix uninitialized memory access when failing memory allocation. Create a symlink with relative path Fix an error of "initializer element is not constant" Update CaseFolding.txt to Unicode 15.1 Update the encoding table for Simplified Chinese Retry to decode strings in the name table as UTF-16BE in some cases. Work around decoding strings in Macintosh encoding for the name table. 
Add iconv detection for meson build .gitlab-ci: Update CI: Update CI: static build only for rawhide Use memmove instead of memcpy Rename README to NEWS and add README.md Update so version Fix leak of `reason` in _FcConfigParse when not complaining Ignore LC_CTYPE if set to "UTF-8" Some doc clarifications Add FC_FONT_WRAPPER Detect standalone CFF fonts for FC_FONT_WRAPPER Add anp.orth, bhb.orth, hif.orth, mag.orth, raj.orth, and the.orth Add {agr,ayc,bem,ckb,cmn,dsb,hak,lij,lzh,mfe,mhr,miq,mjw,mnw,nan,nhn,niu,rif,sgs,shn,szl,tcy,tpi,unm,wae,yue,yuw}.orth Change index type to 16 bit and bump cache version to 9 Expand ~ in glob Add optional 11-lcdfilter-none configuration Fix filepaths added when scanning with sysroot Fix false-positive CFI failure In fcfreetype.c, `GetScriptTags`: fix `use_of_uninitialized_value` and return the correct number of parsed tags in case the font file contains less tags than indicated. meson: Support any compiler with gcc or msvc argument syntax fix typo Reload MM/VF metadata for each font face in font collection fixed typos in fc-conflist.sgml Add aliases for Helvetica LT Std 2.14.2 Fix the build issue on meson when -g option is added to c_args Store artifacts for meson windows CI Add FC_DESKTOP_NAME property Add --with-default-sub-pixel-rendering option Update po-conf/POTFILES.in Ignore null pointer on Fc*Destroy functions Convert tabs to spaces Convert more tabs to spaces in docs src/meson.build: Store correct paths to fontconfig.pc. Fix a typo in description for HAVE_STDATOMIC_PRIMITIVES Report more detailed logs instead of assertion. Add some missing constant names for weight. Adujst indentation between programlisting in fontconfig-user.sgml meson: modify gperf test to remove sh dependency meson: Update freetype2 git repository to upstream Ignore LC_CTYPE if set to "UTF-8" Expand ~ in glob fix typo 
Signed-off-by: Adolf Belka 2 files changed, 7 insertions(+), 8 deletions(-) commit 148b2ced3945ef6f7976e4ccd1b9e13ca3647ad1 Author: Adolf Belka Date: Sun Dec 31 10:27:19 2023 +0100 cifs-utils: Update to version 7.0 - Update from version 6.14 to 7.0 - Update of rootfile not required - Changelog 7.0 3165220 cifs-utils: bump version to 7.0 7b91873 cifs-utils: don't return uninitialized value in cifs_gss_get_req d9f5447 cifs-utils: make GSSAPI usage compatible with Heimdal 5e5aa50 cifs-utils: work around missing krb5_free_string in Heimdal dc60353 fix warnings for -Waddress-of-packed-member c4c94ad setcifsacl: fix memory allocation for struct cifs_ace 4ad2c50 setcifsacl: fix comparison of actions reported by covscan 9b074db cifs.upcall: remove unused variable and fix syslog message 2981686 cifs.upcall: Switch to RFC principal type naming 8a288d6 man-pages: Update cifs.upcall to mention GSS_USE_PROXY aeee690 cifs.upcall: fix compiler warning e2430c0 cifs.upcall: add gssproxy support 6.15 - CVE-2022-27239: mount.cifs: fix length check for ip option parsing In cifs-utils through 6.14, a stack-based buffer overflow when parsing the mount.cifs ip= command-line argument could lead to local attackers gaining root privileges. - CVE-2022-29869: mount.cifs: fix verbose messages on option parsing cifs-utils through 6.14, with verbose logging, can cause an information leak when a file contains = (equal sign) characters but is not a valid credentials file. Signed-off-by: Adolf Belka 1 file changed, 4 insertions(+), 4 deletions(-) commit 2508d606a9307f984a394cf4aeddec402156f6a0 Author: Peter Müller Date: Wed Jan 3 21:10:08 2024 +0000 Core Update 183: Ship lixml, and restart Apache 
Signed-off-by: Peter Müller 3 files changed, 6 insertions(+), 1 deletion(-) commit 4fc6f9cbe2dfd43cc6cf6c43119def1e08deadf3 Author: Adolf Belka Date: Mon Dec 18 18:29:44 2023 +0100 apache2: Apply patch to make work with updated libxml2 - libxml2 since version 2.12.0 has removed a variable that was specified in the apache mod_xml2enc code. - This dependency caused the apache2 build to fail with the updated libxml2. - This patch removes the dependency. It will be able to be removed when the next apache update is carried out as the patch was created from an apache commit. 
Signed-off-by: Adolf Belka 2 files changed, 25 insertions(+) commit 55d134a365ff2a3bdbf0a16ba28f499febd8f4cd Author: Adolf Belka Date: Mon Dec 18 18:29:43 2023 +0100 libxml2: Update to version 2.12.3 - Update from version 2.11.4 to 2.12.3 - Update of rootfile - Changelog 2.12.3: Dec 12 2023 ### Regressions - parser: Fix namespaces redefined from default attributes ### Build fixes - include: Rename XML_EMPTY helper macro - include: Move declaration of xmlInitGlobals - include: Add missing includes - include: Move globals from xmlsave.h to parser.h - include: Readd circular dependency between tree.h and parser.h 2.12.2: Dec 5 2023 ### Regressions - parser: Fix invalid free in xmlParseBalancedChunkMemoryRecover - globals: Disable TLS in static Windows builds - html: Reenable buggy detection of XML declarations - tree: Fix regression when copying DTDs - parser: Make CRLF increment line number ### Build fixes - build: Disable compiler TLS by default - cmake: Update config.h.cmake.in - tests: Fix tests --with-valid --without-xinclude 2.12.1: Nov 23 2023 ### Regressions - hash: Fix deletion of entries during scan - parser: Only enable SAX2 if there are SAX2 element handlers ### Build fixes - autotools: Stop checking for snprintf - dict: Fix '__thread' before 'static' - fix: pthread weak references in globals.c (Mike Dalessio) - tests: Fix build with older MSVC 2.12.0: Nov 16 2023 ### Major changes Most of the known issues leading to quadratic behavior in the XML parser were fixed. Internal hash tables were rewritten to reduce memory consumption. Starting with this release, it should be enough to add the --with-legacy configuration option to provide maximum ABI compatibility. For example, if a code module was removed from the default configuration, the option will add stubs for the removed symbols. libxml2 will now store global variables in thread-local storage if supported by the compiler. This avoids allocating the data lazily which can result in a fatal error condition. 
A new API function xmlCheckThreadLocalStorage was added so the allocation can be checked earlier if compiler TLS is not supported. To prepare for future improvements, some API functions now expect or return a const xmlError struct. Several cyclic dependencies in public header files were fixed. As a result, certain headers won't include other headers as before. Refactoring of the encoding code has been mostly completed. Calling xmlSwitchEncoding from client code is now fully supported, for example to override the encoding for the push parser. When parsing data from memory, libxml2 will now stream data chunk by chunk instead of copying the whole buffer (possibly twice with encodings), reducing peak memory consumption considerably. A new API function xmlCtxtSetMaxAmplification was added to allow parsing of files that would otherwise trigger the billion laughs protection. Several bugs in the regex determinism checks were fixed. Invalid XML Schemas which previous versions erroneously accepted will now be rejected. 
### Deprecations - globals: Deprecate xmlLastError - parser: Deprecate global parser options - win32: Deprecate old Windows build system ### Bug fixes - parser: Stop switching to ISO-8859-1 on encoding errors - parser: Support encoded external PEs in entity values - string: Fix UTF-8 validation in xmlGetUTF8Char - SAX2: Allow multiple top-level elements - parser: Update line number after coalescing text nodes - parser: Check for truncated multi-byte sequences ### Improvements - error: Make more xmlError structs constant - parser: Remove redundant IS_CHAR check in xmlCurrentChar - parser: Fix stack handling in xmlParseTryOrFinish - parser: Protect against quadratic default attribute expansion - parser: Missing checks for disableSAX - entities: Make xmlFreeEntity public - examples: Don't use sprintf - encoding: Suppress -Wcast-align warnings - parser: Use hash tables to avoid quadratic behavior - parser: Don't skip CR in xmlCurrentChar - dict: Rewrite dictionary hash table code - hash: Rewrite hash table code - malloc-fail: Report malloc failure in xmlFARegExec - malloc-fail: Report malloc failure in xmlRegEpxFromParse - parser: Simplify xmlStringCurrentChar - regexp: Fix status codes and handle invalid UTF-8 - error: Make xmlGetLastError return a const error - html: Fix logic in htmlAutoClose - globals: Move globals back to correct header files - globals: Use thread-local storage if available - globals: Rework global state destruction on Windows - globals: Define globals using macros - globals: Introduce xmlCheckThreadLocalStorage - globals: Make xmlGlobalState private - threads: Move library initialization code to threads.c - debug: Remove debugging code - globals: Move code from threads.c to globals.c - parser: Avoid undefined behavior in xmlParseStartTag2 - schemas: Fix memory leak of annotations in notations - dict: Update hash function - dict: Use thread-local storage for PRNG state - dict: Use xoroshiro64** as PRNG - xmllint: Fix error messages - parser: Fix 
detection of null bytes - parser: Improve error handling in push parser - parser: Don't check inputNr in xmlParseTryOrFinish - parser: Remove push parser debugging code - tree: Fix copying of DTDs - legacy: Add stubs for disabled modules - parser: Allow to set maximum amplification factor - entities: Don't change doc when encoding entities - parser: Never use UTF-8 encoding handler - encoding: Remove debugging code - malloc-fail: Fix unsigned integer overflow in xmlTextReaderPushData - html: Remove encoding hack in htmlCreateFileParserCtxt - parser: Decode all data in xmlCharEncInput - parser: Stream data when reading from memory - parser: Optimize xmlLoadEntityContent - parser: Don't overwrite EOF parser state - parser: Simplify input pointer updates - parser: Don't reinitialize parser input members - encoding: Move rawconsumed accounting to xmlCharEncInput - parser: Rework encoding detection - parser: Always create UTF-8 in xmlParseReference - html: Remove some debugging code in htmlParseTryOrFinish - malloc-fail: Fix memory leak in xmlCompileAttributeTest - parser: Recover more input from encoding errors - malloc-fail: Handle malloc failures in xmlAddEncodingAlias - malloc-fail: Fix null-deref with xmllint --copy - xpath: Ignore entity ref nodes when computing node hash - malloc-fail: Fix null deref after xmlXIncludeNewRef - SAX: Always validate xml:ids - Stop using sprintf - Fix compiler warning on GCC < 8 - regexp: Fix determinism checks - regexp: Fix checks for eliminated transitions - regexp: Simplify xmlFAReduceEpsilonTransitions - regexp: Fix cycle check in xmlFAReduceEpsilonTransitions - schemas: Fix filename in xmlSchemaValidateFile - schemas: Fix line numbers in streaming validation - writer: Add error check in xmlTextWriterEndDocument - encoding: Stop calling xmlEncodingErr - xmlIO: Remove some calls to xmlIOErr - parser: Improve handling of encoding and IO errors - parser: Move xmlFatalErr to parserInternals.c - encoding: Rework error codes - 
.gitignore: Split up and rearrange .gitignore files - .gitignore: Add runsuite.log - Stop calling xmlMemoryDump - examples: Don't call xmlCleanupParser and xmlMemoryDump - xpath: Remove remaining references to valueFrame ### Portability - python: Make it compatible with python3.12 (Daniel Garcia Moreno) ### Build systems - cmake: Check whether static linking dependencies found in config files (James Le Cuirot) - autotools: Make --with-minimum disable lzma support - build: Remove some GCC warnings - Handle NOCONFIG case when setting locations from CMake target properties (Markus Rickert) - cmake: Generate better pkg-config file for SYSROOT builds under CMake (James Le Cuirot) - autoconf: Include non-pkg-config dependency flags in the pkg-config file (James Le Cuirot) - autoconf: Don't bake build time CFLAGS into pkg-config file (James Le Cuirot) - build: Generate better pkg-config files for static-only builds (James Le Cuirot) - build: Generate better pkg-config file for SYSROOT builds (James Le Cuirot) - autoconf: Allow custom --with-icu configure option ### Tests - tests: Also test xmlNextChar in testchar.c - tests: Start with testparser.c for extra tests - fuzz: Raise rss_limit_mb - fuzz: Test xmlTextReaderRead after EOF or failure - fuzz: Test XML_PARSE_XINCLUDE | XML_PARSE_VALID - tests: Handle entities in SAX tests - fuzz: Disable XML_PARSE_SAX1 option in xml fuzzer - tests: Add more tests for redefined attributes - hash: Add hash table tests - tests: Add ATTRIBUTE_NO_SANITIZE_INTEGER macro - fuzz: Allow to fuzz without push, reader or output modules - gitlab-ci: Add a "medium" config build - python: Fix tests on MinGW - test: Add push parser test with overridden encoding - testapi: test_xmlSAXDefaultVersion() leaves xmlSAX2DefaultVersionValue set to 1 with LIBXML_SAX1_ENABLED (David Kilzer) - gitlab-ci: Lower _XOPEN_SOURCE value - testapi: Don't set http_proxy environment variable - test: Add push parser tests for split UTF-8 sequences - xinclude: Lower 
initial table size when fuzzing - tests: Test streaming schema validation - runtest: Skip element name in schema error messages ### Documentation - doc: Add notes about runtest to MAINTAINERS.md - doc: Don't document internal macros in xmlversion.h - doc: Allow 'unsigned' without 'int' - doc: Improve documentation of configuration options 2.11.6: Nov 16 2023 ### Regressions - threads: Fix --with-thread-alloc - xinclude: Fix 'last' pointer in xmlXIncludeCopyNode ### Bug fixes - parser: Fix potential use-after-free in xmlParseCharDataInternal 2.11.5: Aug 9 2023 ### Regressions - parser: Make xmlSwitchEncoding always skip the BOM - autotools: Improve iconv check ### Bug fixes - valid: Fix c1->parent pointer in xmlCopyDocElementContent - encoding: Always call ucnv_convertEx with flush set to false ### Portability - autotools: fix Python module file ext for cygwin/msys2 (Christoph Reiter) ### Tests - runtest: Fix compilation without LIBXML_HTML_ENABLED Signed-off-by: Adolf Belka 2 files changed, 3 insertions(+), 3 deletions(-) commit c8dfb46b43b4d9c7c9f76ef82e6c33077cc759e1 Author: Peter Müller Date: Wed Jan 3 21:04:20 2024 +0000 nfs: Fix copy & waste in comment section Signed-off-by: Peter Müller 1 file changed, 1 insertion(+), 1 deletion(-) commit baa5c07c1c6df38945f8c8263a11c17f37242224 Author: Adolf Belka Date: Mon Dec 18 18:29:00 2023 +0100 nfs: Update to version 2.6.4 - Update from version 2.6.3 to 2.6.4 - Update of rootfile not required - Changelog is no longer created. The commits in the git repo have to be reviewed for changes - http://git.linux-nfs.org/?p=steved/nfs-utils.git;a=shortlog;h=refs/heads/master Signed-off-by: Adolf Belka 1 file changed, 4 insertions(+), 4 deletions(-) commit ec40d45d60ad60801507a427f071c954fbbae8ff Author: Peter Müller Date: Wed Jan 3 21:03:17 2024 +0000 Core Update 183: Ship dhcp.cgi 
Signed-off-by: Peter Müller 1 file changed, 1 insertion(+) commit f16eeae07853bf8b7bc8e740a74f9f9b28cadb1d Author: Adolf Belka Date: Mon Jan 1 15:35:46 2024 +0100 dhcp.cgi: Adjust legend entries to make clear they are legends and not messages - A new IPFire user on the forum saw the orange and red coloured blocks in the legend section and believed that they were messages about problems that had been created with the fixed leases. - This change puts a small block with separate explanatory text for both the orange and red coloured blocks. - This change will also be applied to the wiki in a much clearer way Tested-by: Adolf Belka Signed-off-by: Adolf Belka Reviewed-by: Bernhard Bitsch 1 file changed, 4 insertions(+), 4 deletions(-) commit dcb878d6a11ee9b75b4d0752a12b2d68b8691c8e Author: Adolf Belka Date: Mon Jan 1 15:35:45 2024 +0100 dhcp.cgi: Adjust spacing between an icon and explanatory text - When dealing with a problem on the forum I noticed that in the Fixed Leases table Legend section there was a very large space between the empty checkbox icon and the explanatory text. It looks like the &nbsp; that I have removed worked on the text section 'click to enable' as that was moved but not on the off.gif icon as that stayed in its original place leaving a very large space between the icon and the explanatory text. Removing the two &nbsp; commands fixes that. - Reading up about &nbsp; the problem might be related to these tags no longer being recommended to use with the newer HTML versions and that indenting or spacing should be done via CSS code. Will have a look in future on how to accomplish this via CSS. Tested-by: Adolf Belka Signed-off-by: Adolf Belka Reviewed-by: Bernhard Bitsch 1 file changed, 1 deletion(-) commit 3920ba127fb854422f19fb5f6bc7f192f2c2df80 Author: Arne Fitzenreiter Date: Tue Jan 2 09:54:10 2024 +0100 kernel: update to 6.6.9 
Signed-off-by: Arne Fitzenreiter 3 files changed, 5 insertions(+), 5 deletions(-) commit dfae8b97b69c58f3ae2b66923c68680f3ee42e22 Author: Peter Müller Date: Sat Dec 30 07:39:53 2023 +0000 Core Update 183: Ship GnuTLS 
Signed-off-by: Peter Müller 1 file changed, 1 insertion(+) commit 8cc92f502541190bac77fde8aea22616cc8d74c9 Author: Adolf Belka Date: Mon Dec 18 18:28:54 2023 +0100 gnutls: Update to version 3.8.2 - Update from version 3.8.0 to 3.8.2 - Update of rootfile - Changelog 3.8.2 (released 2023-11-14) ** libgnutls: Fix timing side-channel inside RSA-PSK key exchange. [GNUTLS-SA-2023-10-23, CVSS: medium] [CVE-2023-5981] ** libgnutls: Add API functions to perform ECDH and DH key agreement The functionality has been there for a long time though they were not available as part of the public API. This enables applications to implement custom protocols leveraging non-interactive key agreement with ECDH and DH. ** libgnutls: Added support for AES-GCM-SIV ciphers (RFC 8452) The new algorithms GNUTLS_CIPHER_AES_128_SIV_GCM and GNUTLS_CIPHER_AES_256_SIV_GCM have been added to be used through the AEAD interface. Note that, unlike GNUTLS_CIPHER_AES_{128,256}_SIV_GCM, the authentication tag is appended to the ciphertext, not prepended. ** libgnutls: transparent KTLS support is extended to FreeBSD kernel The kernel TLS feature can now be enabled on FreeBSD as well as Linux when compiled with the --enable-ktls configure option. ** gnutls-cli: New option --starttls-name Depending on deployment, application protocols such as XMPP may require a different origin address than the external address to be presented prior to STARTTLS negotiation. The --starttls-name can be used to specify the addresses separately. 
** API and ABI modifications:
gnutls_pubkey_import_dh_raw: New function
gnutls_privkey_import_dh_raw: New function
gnutls_pubkey_export_dh_raw: New function
gnutls_privkey_export_dh_raw: New function
gnutls_x509_privkey_import_dh_raw: New function
gnutls_privkey_derive_secret: New function
GNUTLS_KEYGEN_DH: New enum member of gnutls_keygen_types_t
GNUTLS_CIPHER_AES_128_SIV_GCM: Added
GNUTLS_CIPHER_AES_256_SIV_GCM: Added

3.8.1 (released 2023-08-03)

** libgnutls: ClientHello extensions are randomized by default To make fingerprinting harder, TLS extensions in ClientHello messages are shuffled. As this behavior may cause compatibility issue with legacy applications that do not accept the last extension without payload, the behavior can be reverted with the %NO_SHUFFLE_EXTENSIONS priority keyword.
** libgnutls: Add support for RFC 9258 external PSK importer. This enables to deploy the same PSK across multiple TLS versions (TLS 1.2 and TLS 1.3) in a secure manner. To use, the application needs to set up a callback that formats the PSK identity using gnutls_psk_format_imported_identity().
** libgnutls: %GNUTLS_NO_EXTENSIONS has been renamed to %GNUTLS_NO_DEFAULT_EXTENSIONS.
** libgnutls: Add additional PBKDF limit checks in FIPS mode as defined in SP 800-132. Minimum salt length is 128 bits and minimum iterations bound is 1000 for PBKDF in FIPS mode.
** libgnutls: Add a mechanism to control whether to enforce extended master secret (RFC 7627). FIPS 140-3 mandates the use of TLS session hash (extended master secret, EMS) in TLS 1.2. To enforce this, a new priority keyword %FORCE_SESSION_HASH is added and if it is set and EMS is not set, the peer aborts the connection. This behavior is the default in FIPS mode, though it can be overridden through the configuration file with the "tls-session-hash" option. In either case non-EMS PRF is reported as a non-approved operation through the FIPS service indicator.
** New option --attime to specify current time.
To make testing with different timestamp to the system easier, the tools doing certificate verification now provide a new option --attime, which takes an arbitrary time.
** API and ABI modifications:
gnutls_psk_client_credentials_function3: New typedef
gnutls_psk_server_credentials_function3: New typedef
gnutls_psk_set_server_credentials_function3: New function
gnutls_psk_set_client_credentials_function3: New function
gnutls_psk_format_imported_identity: New function
GNUTLS_PSK_KEY_EXT: New enum member of gnutls_psk_key_flags

Signed-off-by: Adolf Belka
Reviewed-by: Peter Müller
2 files changed, 12 insertions(+), 3 deletions(-)

commit e807011eba46aedfa4feb000e09ab70f20458608
Author: Peter Müller
Date: Sat Dec 30 07:37:14 2023 +0000

Core Update 183: Ship iptables

Signed-off-by: Peter Müller
1 file changed, 1 insertion(+)

commit c75d942a4d973d297d840227e6c7d11b3ba3f960
Author: Adolf Belka
Date: Mon Dec 18 18:28:55 2023 +0100

iptables: Update to version 1.8.10

- Update from version 1.8.9 to 1.8.10
- Update of rootfile not required
- Changelog

1.8.10

build: use pkg-config for libpcap iptables-test.py: make explicit use of python3 xtables-eb: fix crash when opts isn't reallocated iptables-nft: make builtin tables static iptables-nft: remove unused function argument include: update nf_tables uapi header ebtables-nft: add broute table emulation nft-ruleparse: parse meta mark set as MARK target iptables: Fix setting of ipv6 counters iptables: Fix handling of non-existent chains xshared: dissolve should_load_proto nft: move processing logic out of asserts man: string: document BM false negatives ip6tables: Fix checking existence of rule nft: check for source and destination address in first place nft: use payload matching for layer 4 protocol nft-bridge: pass context structure to ops->add() to improve anonymous set support configure: Bump version for 1.8.10 release extensions: NAT: Fix for -Werror=format-security etc: Drop xtables.conf Proper fix for "unknown argument" error message ebtables: Refuse unselected targets' options ebtables-translate: Drop exec_style ebtables-translate: Use OPT_* from xshared.h ebtables-translate: Ignore '-j CONTINUE' ebtables-translate: Print flush command after parsing is finished tests: xlate: Support testing multiple individual files tests: CLUSTERIP: Drop test file nft-shared: Lookup matches in iptables_command_state nft-shared: Use nft_create_match() in one more spot nft-shared: Simplify using nft_create_match() tests: xlate: Properly split input in replay mode tests: xlate: Print file names even if specified extensions: libebt_redirect: Fix target translation extensions: libebt_redirect: Fix for wrong syntax in translation extensions: libebt_ip: Do not use 'ip dscp' for translation extensions:
libebt_ip: Translation has to match on ether type ebtables: ip and ip6 matches depend on protocol match xtables-translate: Support insert with index include: Add missing linux/netfilter/xt_LOG.h nft-restore: Fix for deletion of new, referenced rule tests: shell: Test for false-positive rule check utils: nfbpf_compile: Replace pcap_compile_nopcap() nft-shared: Drop unused include arptables: Fix parsing of inverted 'arp operation' match arptables: Don't omit standard matches if inverted xshared: Fix parsing of option arguments in same word nft: Introduce nft-ruleparse.{c,h} nft: Extract rule parsing callbacks from nft_family_ops nft: ruleparse: Create family-specific source files tests: shell: Sanitize nft-only/0009-needless-bitwise_0 nft: Special casing for among match in compare_matches() nft: More verbose extension comparison debugging nft: Do not pass nft_rule_ctx to add_nft_among() nft: Include sets in debug output *tables-restore: Enforce correct counters syntax if present *tables: Reject invalid chain names when renaming ebtables: Improve invalid chain name detection tests: shell: Fix and extend chain rename test iptables-restore: Drop dead code iptables-apply: Eliminate shellcheck warnings extensions: libipt_icmp: Fix confusion between 255/255 and any tests: libipt_icmp.t: Enable tests with numeric output man: iptables.8: Extend exit code description man: iptables.8: Trivial spelling fixes man: iptables.8: Fix intra page reference man: iptables.8: Clarify --goto description man: Use HTTPS for links to netfilter.org man: iptables.8: Trivial font fixes man: iptables-restore.8: Fix --modprobe description man: iptables-restore.8: Consistently document -w option man: iptables-restore.8: Drop -W option from synopsis man: iptables-restore.8: Put 'file' in italics in synopsis man: iptables-restore.8: Start paragraphs in upper-case man: Trivial: Missing space after comma man: iptables-save.8: Clarify 'available tables' man: iptables-save.8: Fix --modprobe description 
man: iptables-save.8: Start paragraphs in upper-case extensions: libip6t_icmp: Add names for mld-listener types nft-ruleparse: Introduce nft_create_target() tests: iptables-test: Fix command segfault reports nft: Create builtin chains with counters enabled Revert "libiptc: fix wrong maptype of base chain counters on restore" tests: shell: Test chain policy counter behaviour Use SOCK_CLOEXEC/O_CLOEXEC where available nft: Pass nft_handle to add_{target,action}() nft: Introduce and use bool nft_handle::compat Add --compat option to *tables-nft and *-nft-restore commands tests: Test compat mode Revert --compat option related commits tests: shell: Fix for ineffective 0007-mid-restore-flush_0 nft: Fix for useless meta expressions in rule include: linux: Update kernel.h build: Bump dependency on libnftnl extensions: Fix checking of conntrack --ctproto 0 doc: fix example of xt_cpu xt_sctp: add the missing chunk types in sctp_help

Signed-off-by: Adolf Belka
Reviewed-by: Peter Müller
1 file changed, 3 insertions(+), 3 deletions(-)

commit 342e5b662949480c8e75fd516c81adeab6eef3a8
Author: Peter Müller
Date: Sat Dec 30 07:33:53 2023 +0000

Core Update 183: Ship lcms2

Signed-off-by: Peter Müller
1 file changed, 1 insertion(+)

commit d5f617d057d3de9c6d4e14e4b3c820fe4d75c3a7
Author: Adolf Belka
Date: Mon Dec 18 18:28:56 2023 +0100

lcms2: Update to version 2.16

- Update from version 2.14 to 2.16
- Update of rootfile
- Changelog

2.16 Featured release
New import .CUBE files as RGB devicelinks
New Read/Write MHC2 tags for Windows GPU access
New Support for UTF8 on multilocalized unicode functions
New Support for OkLab color space, built-in and formatter.
Improved floating point transforms float -> integer are now honored as float
Improved MSYS2, mingw is now supported
Improved preferred CMM, platform and creator now survives profile edition.
Fixed tificc now can deal with Lab TIFF
Fixed code can now be compiled by a C++17 compiler, "register" keyword use detected at compile time.
Fixed Reverted postscript creation that corrupted some interpreters.

2.15 Maintenance release
New MESON build system, many thanks to amispark and Lovell Fuller for bringing this.
Fixed a bug that caused memory corruption on colord
cmsReadRawTag can read portions of tags again. Removing this caused colord to segfault when dumping profiles
Added more checks based on fuzzer discoveries.
MSYS2 can now compile lcms2
Checked on Apple Silicon M1 and M2
Fixed a bug of fastfloat plug-in that affected Krita CMYK color selector

Signed-off-by: Adolf Belka
2 files changed, 3 insertions(+), 3 deletions(-)

commit 4488435573da0b7d7991a0ccee9b2b32254fdcec
Author: Peter Müller
Date: Sat Dec 30 07:31:11 2023 +0000

Core Update 183: Ship libnl-3

Signed-off-by: Peter Müller
1 file changed, 1 insertion(+)

commit 7ca5fc5eb06b1081525bbfe528889d1ba6227b7a
Author: Adolf Belka
Date: Mon Dec 18 18:28:57 2023 +0100

libnl-3: Update to version 3.9.0

- Update from version 3.8.0 to 3.9.0
- Update of rootfile not required
- Changelog is not produced. Changes can be seen from the commits in the github repo https://github.com/thom311/libnl/commits/main

Signed-off-by: Adolf Belka
1 file changed, 2 insertions(+), 2 deletions(-)

commit 2a90a6782d4fc3d05d386eb7530ff02f1a313a4b
Author: Peter Müller
Date: Sat Dec 30 07:30:38 2023 +0000

Core Update 183: Ship lmdb

Signed-off-by: Peter Müller
1 file changed, 1 insertion(+)

commit cc6762db84722512996afff3c7de8ffeb5785371
Author: Adolf Belka
Date: Mon Dec 18 18:28:58 2023 +0100

lmdb: Update to version 0.9.31

- Update from version 0.9.30 to 0.9.31
- Update of rootfile not required
- Changelog

0.9.31 Release (2023/07/10)
ITS#8447 - Fix cursor_put(MDB_CURRENT) on DUPSORT DB with different sized data

Signed-off-by: Adolf Belka
1 file changed, 2 insertions(+), 2 deletions(-)

commit 6506b9f807d47a0a8ed49f3b9e135383697d7535
Author: Peter Müller
Date: Sat Dec 30 07:30:05 2023 +0000

Core Update 183: Ship lsof

Signed-off-by: Peter Müller
1 file changed, 1 insertion(+)

commit 6220917d8763a63b427eb2ffdb104489e1ced3d2
Author: Adolf Belka
Date: Mon Dec 18 18:28:59 2023 +0100

lsof: Update to version 4.99.3

- Update from version 4.98.0 to 4.99.3
- Update of rootfile not required
- Changelog

4.99.3
Fix a spaces vs. tabs issue in 00DIST.

4.99.2
Fix version file for CI

4.99.1
Fix compilation error when HASIPv6 is not defined. (@chenrui333)
Add configure option --disable-liblsof to disable installation of liblsof. (@subnut, #300)
[freebsd] fix segfault from fs info (FreeBSD bug 267760)

4.99.0
[netbsd] Get device number of tmpfs instead of reporting zero
[openbsd] Rewrite OpenBSD support because OpenBSD disallows kernel memory access and lsof has to switch to user mode API. Currently, most features are working, but file path reporting and lock status are not working for lack of kernel support. As a consequence, OpenBSD dialect is separated in a new folder.
[darwin] Remove /dev/kmem backend because it no longer exists on current macOS releases. Use libproc backend instead.
[linux] Do not hard-code fd numbers in epoll test, fixing tests on Void Linux
[freebsd] Use kf_file_nlink if provided by kernel instead of stat(). This commit requires kernel with https://reviews.freebsd.org/D38169. It brings back the ability to list deleted files via `lsof +L1`. Closes #264.
[linux] Add --with-selinux configure option.
[solaris] Re-introduce support for recent Solaris & OpenIndiana releases.
[darwin] Display kern ctl info, learned from apple lsof version.
[linux] Improve performance by using closefrom(). Closes #281.
[aix] Fix compilation on AIX 7.2 and add autotools build system support for AIX.
[aix] Suppress warnings properly on AIX version greater than 5.0. Closes #187.
Introduce alpha version of liblsof which allows users to use lsof functionality via C functions instead of spawning a subprocess and parsing the output.
This version may contain BUGs and memory leaks, and the API may change before it stabilizes.

Signed-off-by: Adolf Belka
1 file changed, 2 insertions(+), 2 deletions(-)

commit 09e6a4fa16cc5e90e343049abc1e12d448bcfa49
Author: Peter Müller
Date: Sat Dec 30 07:26:18 2023 +0000

Core Update 183: Ship p11-kit

Signed-off-by: Peter Müller
1 file changed, 1 insertion(+)

commit fefd0cb8497870b791b2ae957b5d40fa0deb6d28
Author: Adolf Belka
Date: Mon Dec 18 18:29:01 2023 +0100

p11-kit: Update to version 0.25.3

- Update from version 0.25.2 to 0.25.3
- Update of rootfile
- Changelog

0.25.3
rpc: fix serialization of NULL mechanism pointer [PR#601]
fix meson build failure in macOS (appleframeworks not found) [PR#603]

Signed-off-by: Adolf Belka
2 files changed, 3 insertions(+), 5 deletions(-)

commit 17cad1e885987703ebdea3721df4c346695cd68c
Author: Adolf Belka
Date: Mon Dec 18 18:29:02 2023 +0100

samba: Update to version 4.19.3

- Update from version 4.19.2 to 4.19.3
- Update of rootfile not required
- I don't believe that the CVE from this version will affect IPFire users as Samba on IPFire is not run as an Active Directory Domain Controller. That functionality was removed some time ago.
- Changelog

4.19.3

This is the latest stable release of the Samba 4.19 release series. It contains the security-relevant bugfix CVE-2018-14628: Wrong ntSecurityDescriptor values for "CN=Deleted Objects" allow read of object tombstones over LDAP (Administrator action required!) https://www.samba.org/samba/security/CVE-2018-14628.html

Description of CVE-2018-14628

All versions of Samba from 4.0.0 onwards are vulnerable to an information leak (compared with the established behaviour of Microsoft's Active Directory) when Samba is an Active Directory Domain Controller. When a domain was provisioned with an unpatched Samba version, the ntSecurityDescriptor is simply inherited from Domain/Partition-HEAD-Object instead of being very strict (as on a Windows provisioned domain). This means also non privileged users can use the LDAP_SERVER_SHOW_DELETED_OID control in order to view, the names and preserved attributes of deleted objects. No information that was hidden before the deletion is visible, but in with the correct ntSecurityDescriptor value in place the whole object is also not visible without administrative rights. There is no further vulnerability associated with this error, merely an information disclosure.

Action required in order to resolve CVE-2018-14628!

The patched Samba does NOT protect existing domains!
The administrator needs to run the following command (on only one domain controller) in order to apply the protection to an existing domain:

samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix

The above requires manual interaction in order to review the changes before they are applied. Typical questions look like this:

Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
Owner mismatch: SY (in ref) DA(in current)
Group mismatch: SY (in ref) DA(in current)
Part dacl is different between reference and current here is the detail:
(A;;LCRPLORC;;;AU) ACE is not present in the reference
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
(A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
(A;;LCRP;;;BA) ACE is not present in the current
[y/N/all/none] y
Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org'

The change should be confirmed with 'y' for all objects starting with 'CN=Deleted Objects'.

Changes since 4.19.2

* BUG 15520: sid_strings test broken by unix epoch > 1700000000.
* BUG 15487: smbd crashes if asked to return full information on close of a stream handle with delete on close disposition set.
* BUG 15521: smbd: fix close order of base_fsp and stream_fsp in smb_fname_fsp_destructor().
* BUG 15499: Improve logging for failover scenarios.
* BUG 15093: Files without "read attributes" NFS4 ACL permission are not listed in directories.
* BUG 13595: CVE-2018-14628 [SECURITY] Deleted Object tombstones visible in AD LDAP to normal users.
* BUG 15492: Kerberos TGS-REQ with User2User does not work for normal accounts.
* BUG 15507: vfs_gpfs stat calls fail due to file system permissions.
* BUG 15513: Samba doesn't build with Python 3.12

Signed-off-by: Adolf Belka
1 file changed, 3 insertions(+), 3 deletions(-)

commit acdb9df0895626e48fccde773d6e1ff27702eef9
Author: Peter Müller
Date: Sat Dec 30 07:24:18 2023 +0000

Core Update 183: Ship sudo

Signed-off-by: Peter Müller
1 file changed, 1 insertion(+)

commit 68fe599aed3ce3c4651cba6c9108ca324fe23886
Author: Adolf Belka
Date: Mon Dec 18 18:29:03 2023 +0100

sudo: Update to version 1.9.15p4

- Update from version 1.9.15p2 to 1.9.15p4
- Update of rootfile not required
- Changelog

1.9.15p4
* Fixed a bug introduced in sudo 1.9.15 that could prevent a user's privileges from being listed by "sudo -l" if the sudoers entry in /etc/nsswitch.conf contains "[SUCCESS=return]". This did not affect the ability to run commands via sudo. Bug #1063.

1.9.15p3
* Always disable core dumps when sudo sends itself a fatal signal. Fixes a problem where sudo could potentially dump core dump when it re-sends the fatal signal to itself. This is only an issue if the command received a signal that would normally result in a core dump but the command did not actually dump core.
* Fixed a bug matching a command with a relative path name when the sudoers rule uses shell globbing rules for the path name. Bug #1062.
* Permit visudo to be run even if the local host name is not set. GitHub issue #332.
* Fixed an editing error introduced in sudo 1.9.15 that could prevent sudoreplay from replaying sessions correctly. GitHub issue #334.
* Fixed a bug introduced in sudo 1.9.15 where "sudo -l > /dev/null" could hang on Linux systems. GitHub issue #335.
* Fixed a bug introduced in sudo 1.9.15 where Solaris privileges specified in sudoers were not applied to the command being run.

Signed-off-by: Adolf Belka
Reviewed-by: Peter Müller
1 file changed, 2 insertions(+), 2 deletions(-)

commit ac225ec69848ac39846efda40e76917ff346e3c8
Author: Peter Müller
Date: Sat Dec 30 07:05:49 2023 +0000

firewalllog.dat: Update copyright header

Signed-off-by: Peter Müller
1 file changed, 20 insertions(+), 12 deletions(-)

commit d1f75149cf34ac4268135a6ce77d8dada681d257
Author: Peter Müller
Date: Sat Dec 30 07:04:50 2023 +0000

Core Update 183: Ship firewalllog.dat

Signed-off-by: Peter Müller
1 file changed, 1 insertion(+)

commit f02adfbc7488c408ad73def2cb59997dfaf7265f
Author: Adolf Belka
Date: Fri Dec 22 13:37:47 2023 +0100

firewalllog.dat: Fix for bug#13492 - include chain in the exported output

- The regex code does not extract out the chain and so it is missed off from the log output when it is exported.
- Changed code tested out on my vm testbed and confirmed to work and include the chain in the output.

Fixes: Bug13492
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
Reviewed-by: Bernhard Bitsch
1 file changed, 3 insertions(+), 2 deletions(-)

commit 6ac85c116e991337bb4311fdeec85aeca5e95cfd
Author: Peter Müller
Date: Sat Dec 30 07:03:39 2023 +0000

Core Update 183: Ship bind

Signed-off-by: Peter Müller
2 files changed, 9 insertions(+)

commit 2ecefae2954b44da3924a209b50b0718d39fbb0c
Author: Matthias Fischer
Date: Fri Dec 22 21:08:35 2023 +0100

bind: Update to 9.16.45

For details see: https://downloads.isc.org/isc/bind9/9.16.45/doc/arm/html/notes.html#notes-for-bind-9-16-45

"Feature Changes The IP addresses for B.ROOT-SERVERS.NET have been updated to 170.247.170.2 and 2801:1b8:10::b. [GL #4101]"

Signed-off-by: Matthias Fischer
2 files changed, 9 insertions(+), 9 deletions(-)

commit 1bbf603475231722e21f85750441ed18c0516403
Author: Peter Müller
Date: Sat Dec 30 06:57:03 2023 +0000

Core Update 183: Ship and restart OpenSSH

Signed-off-by: Peter Müller
2 files changed, 5 insertions(+)

commit ec4c98baa2eb0dffb0da6684b0f95e0bee028d2b
Author: Adolf Belka
Date: Tue Dec 26 14:10:32 2023 +0100

openssh: Update to version 9.6p1

- Update from version 9.5p1 to 9.6p1
- Update of rootfile not required
- Changelog is too large to include here. See details in the file ChangeLog in the source tarball

Signed-off-by: Adolf Belka
Reviewed-by: Peter Müller
1 file changed, 2 insertions(+), 2 deletions(-)

commit 6c4ecf6b0f17d553a560d14389de16de0001d811
Author: Peter Müller
Date: Sat Dec 30 06:53:53 2023 +0000

Core Update 183: Ship OpenSSL

Signed-off-by: Peter Müller
1 file changed, 1 insertion(+)

commit c0dd2fd124a24bce5f22f4359e0908d56ae7f9c4
Author: Adolf Belka
Date: Tue Dec 26 14:10:33 2023 +0100

openssl: Update to version 3.2.0

- Update from version 3.1.4 to 3.2.0
- Update of rootfile
- Changelog

3.2.0

This release incorporates the following potentially significant or incompatible changes:
* The default SSL/TLS security level has been changed from 1 to 2.
* The `x509`, `ca`, and `req` apps now always produce X.509v3 certificates.
* Subject or issuer names in X.509 objects are now displayed as UTF-8 strings by default.

From my understanding these above changes should not create any problem for IPFire.

This release adds the following new features:
* Support for client side QUIC, including support for multiple streams (RFC 9000)
* Support for Ed25519ctx, Ed25519ph and Ed448ph in addition to existing support for Ed25519 and Ed448 (RFC 8032)
* Support for deterministic ECDSA signatures (RFC 6979)
* Support for AES-GCM-SIV, a nonce-misuse-resistant AEAD (RFC 8452)
* Support for the Argon2 KDF, along with supporting thread pool functionality (RFC 9106)
* Support for Hybrid Public Key Encryption (HPKE) (RFC 9180)
* Support for SM4-XTS
* Support for Brainpool curves in TLS 1.3
* Support for TLS Raw Public Keys (RFC 7250)
* Support for TCP Fast Open on Linux, macOS and FreeBSD, where enabled and supported (RFC 7413)
* Support for TLS certificate compression, including library support for zlib, Brotli and zstd (RFC 8879)
* Support for provider-based pluggable signature algorithms in TLS 1.3 with supporting CMS and X.509 functionality With a suitable provider this enables the use of post-quantum/quantum-safe cryptography.
* Support for using the Windows system certificate store as a source of trusted root certificates This is not yet enabled by default and must be activated using an environment variable. This is likely to become enabled by default in a future feature release.
* Support for using the IANA standard names in TLS ciphersuite configuration
* Multiple new features and improvements to CMP protocol support

The following known issues are present in this release and will be rectified in a future release:
* Provider-based signature algorithms cannot be configured using the SignatureAlgorithms configuration file parameter (#22761)

This release incorporates the following documentation enhancements:
* Added multiple tutorials on the OpenSSL library and in particular on writing various clients (using TLS and QUIC protocols) with libssl

Signed-off-by: Adolf Belka
Reviewed-by: Peter Müller
2 files changed, 315 insertions(+), 5 deletions(-)

commit b0478069c4ce688fa3328a07c5fe4de41d2fa4b6
Author: Peter Müller
Date: Sat Dec 30 06:50:22 2023 +0000

Core Update 183: Ship qpdf

Signed-off-by: Peter Müller
1 file changed, 1 insertion(+)

commit 93137ccb86ab117879fa1de986289be1db9ca15e
Author: Adolf Belka
Date: Tue Dec 26 14:10:35 2023 +0100

qpdf: Update to version 11.7.0

- Update from version 11.6.1 to 11.7.0
- Update of rootfile
- Changelog

11.7.0
* Define CPACK_NSIS_MODIFY_PATH for the Windows builds so the official installers will offer to modify PATH when installing qpdf. Fixes #1054.
* Add QPDFAcroFormDocumentHelper::disableDigitalSignatures, which disables any digital signature fields, leaving their visual representations intact. The --remove-restrictions command-line argument now calls this. Fixes #1015.
* Generate a more complete qpdf "man page" from the same source as qpdf --help. Fixes #1064.
* Allow the syntax "--encrypt --user-password=user-password --owner-password=owner-password --bits={40,128,256}" when encrypting PDF files. This is an alternative to the syntax "--encrypt user-password owner-password {40,128,256}", which will continue to be supported. The new syntax works better with shell completion and allows creation of passwords that start with "-". Fixes #874.
* When setting a check box value, allow any value other than /Off to mean checked. This is permitted by the spec. Previously, any value other than /Yes or /Off was rejected. Fixes #1056.
* Fix to QPDF JSON: a floating point number that appears in scientific notation will be converted to fixed-point notation, rounded to six digits after the decimal point. Fixes #1079.
* Fix to QPDF JSON: the syntax "n:/pdf-syntax" is now accepted as an alternative way to represent names. This can be used for any name (e.g. "n:/text#2fplain"), but it is necessary when the name contains binary characters. For example, /one#a0two must be represented as "n:/one#a0two" since the single byte a0 is not valid in JSON. Fixes #1072.
* From M. Holger: Refactor QPDFParser for performance. See #1059 for a discussion.
* Update code and tests so that qpdf's test suite no longer depends on the output of any specific zlib implementation. This makes it possible to get a fully passing test suite with any API-compatible zlib library. CI tests with the default zlib as well as zlib-ng (including verifying that zlib-ng is not the default), but any zlib implementation should work. Fixes #774.
* Bug fix: with --compress-streams=n, don't compress object, XRef, or linearization hint streams.
* Add new C++ functions "qpdf_c_get_qpdf" and "qpdf_c_wrap" to qpdf-c.h that make it possible to write your own extern "C" functions in C++ that interoperate with the C API. See examples/extend-c-api for more information.
* Bug fix from M. Holger: the default for /Columns in PNG filter is 1, but libqpdf was acting like it was 0.
* Enhancement from M. Holger: add methods to Buffer to work more easily with std::string.

11.6.4
* Install fix: include cmake files with the dev component.
* Build AppImage with an older Linux distribution to support AWS Lambda. Fixes #1086.

11.6.3
* Tweak linearization code to better handle files between 2 GB and 4 GB in size. Fixes #1023.
* Fix data loss bug: qpdf could discard the character after an escaped octal string consisting of less than three digits. For content, this would only happen with QDF or when normalizing content. Outside of content, it could have happened in any binary string, such as /ID, if the encoding software used octal escape strings with less than three digits. This bug was introduced between 10.6.3 and 11.0.0. Fixes #1050.

11.6.2
* Bug fix: when piping stream data, don't call finish on failure if the failure was caused by a previous call to finish. Fixes #1042.
* Push .idea directory with the beginning of a sharable JetBrains CLion configuration.

Signed-off-by: Adolf Belka
2 files changed, 3 insertions(+), 3 deletions(-)

commit e49c0a4297a7087db55ee24506466501f8c379fd
Author: Adolf Belka
Date: Mon Dec 18 18:28:53 2023 +0100

git: Update to version 2.43.0

- Update from version 2.42.1 to 2.43.0
- Update of rootfile not required
- Changelog

2.43.0

Backward Compatibility Notes
* The "--rfc" option of "git format-patch" used to be a valid way to override an earlier "--subject-prefix=" on the command line and replace it with "[RFC PATCH]", but from this release, it merely prefixes the string "RFC " in front of the given subject prefix. If you are negatively affected by this change, please use "--subject-prefix=PATCH --rfc" as a replacement.
* In Git 2.42, "git rev-list --stdin" learned to take non-revisions (like "--not") from the standard input, but the way such a "--not" was handled was quite confusing, which has been rethought. The updated rule is that "--not" given from the command line only affects revs given from the command line that comes but not revs read from the standard input, and "--not" read from the standard input affects revs given from the standard input and not revs given from the command line.

UI, Workflows & Features
* A message written in olden time prevented a branch from getting checked out, saying it is already checked out elsewhere. But these days, we treat a branch that is being bisected or rebased just like a branch that is checked out and protect it from getting modified with the same codepath. The message has been rephrased to say that the branch is "in use" to avoid confusion.
* Hourly and other schedules of "git maintenance" jobs are randomly distributed now.
* "git cmd -h" learned to signal which options can be negated by listing such options like "--[no-]opt".
* The way authentication related data other than passwords (e.g., oauth token and password expiration data) are stored in libsecret keyrings has been rethought.
* Update the libsecret and wincred credential helpers to correctly match which credential to erase; they erased the wrong entry in some cases.
Git GUI updates.
* "git format-patch" learned a new "--description-file" option that lets cover letter description to be fed; this can be used on detached HEAD where there is no branch description available, and also can override the branch description if there is one.
* Use of the "--max-pack-size" option to allow multiple packfiles to be created is now supported even when we are sending unreachable objects to cruft packs.
* "git format-patch --rfc --subject-prefix=" used to ignore the "--subject-prefix" option and used "[RFC PATCH]"; now we will add "RFC" prefix to whatever subject prefix is specified.
* "git log --format" has been taught the %(decorate) placeholder for further customization over what the "--decorate" option offers.
* The default log message created by "git revert", when reverting a commit that records a revert, has been tweaked, to encourage people to describe complex "revert of revert of revert" situations better in their own words.
* The command-line completion support (in contrib/) learned to complete "git commit --trailer=" for possible trailer keys.
* "git update-index" learned the "--show-index-version" option to inspect the index format version used by the on-disk index file.
* "git diff" learned the "diff.statNameWidth" configuration variable, to give the default width for the name part in the "--stat" output.
* "git range-diff --notes=foo" compared "log --notes=foo --notes" of the two ranges, instead of using just the specified notes tree, which has been corrected to use only the specified notes tree.
* The command line completion script (in contrib/) can be told to complete aliases by including ": git ;" in the alias to tell it that the alias should be completed in a similar way to how "git " is completed.
The parsing code for the alias has been loosened to allow ';' without an extra space before it.
* "git for-each-ref" and friends learned to apply mailmap to authorname and other fields in a more flexible way than using separate placeholder letters like %a[eElL] every time we want to come up with small variants.
* "git repack" machinery learned to pay attention to the "--filter=" option.
* "git repack" learned the "--max-cruft-size" option to prevent cruft packs from growing without bounds.
* "git merge-tree" learned to take strategy backend specific options via the "-X" option, like "git merge" does.
* "git log" and friends learned the "--dd" option that is a short-hand for "--diff-merges=first-parent -p".
* The attribute subsystem learned to honor the "attr.tree" configuration variable that specifies which tree to read the .gitattributes files from.
* "git merge-file" learns a mode to read three variants of the contents to be merged from blob objects.

Performance, Internal Implementation, Development Support etc.
* "git check-attr" has been taught to work better with sparse-index.
* It may be tempting to leave the help text NULL for a command line option that is either hidden or too obvious, but "git subcmd -h" and "git subcmd --help-all" would have segfaulted if done so. Now the help text is truly optional.
* Tests that are known to pass with LSan are now marked as such.
* Flaky "git p4" tests, as well as "git svn" tests, are now skipped in the (rather expensive) sanitizer CI job.
* Tests with LSan from time to time seem to emit harmless messages that make our tests unnecessarily flaky; we work around it by filtering the uninteresting output.
* Unused parameters to functions are marked as such, and/or removed, in order to bring us closer to "-Wunused-parameter" clean.
* The code to keep track of existing packs in the repository while repacking has been refactored.
* The "streaming" interface used for bulk-checkin codepath has been narrowed to take only blob objects for now, with no real loss of functionality. * GitHub CI workflow has learned to trigger Coverity check. * Test coverage for trailers has been improved. * The code to iterate over loose references has been optimized to reduce the number of lstat() system calls. * The codepaths that read "chunk" formatted files have been corrected to pay attention to the chunk size and notice broken files. * Replace macos-12 used at GitHub CI with macos-13. (merge 682a868f67 js/ci-use-macos-13 later to maint). Signed-off-by: Adolf Belka 1 file changed, 3 insertions(+), 3 deletions(-) commit ca7bd37aee1baa0005797ac6fb0e24238891b29c Author: Peter Müller Date: Sat Dec 30 06:44:07 2023 +0000 Core Update 183: Ship tzdata 
Signed-off-by: Peter Müller 1 file changed, 1 insertion(+) commit 109e5217a6e28a53745b8f7385db94701a57be15 Author: Adolf Belka Date: Tue Dec 26 14:10:36 2023 +0100 tzdata: Update to version 2023d - Update from version 2023c to 2023d - Update of rootfile not required - Changelog 2023d Briefly: Ittoqqortoormiit, Greenland changes time zones on 2024-03-31. Vostok, Antarctica changed time zones on 2023-12-18. Casey, Antarctica changed time zones five times since 2020. Code and data fixes for Palestine timestamps starting in 2072. A new data file zonenow.tab for timestamps starting now. Changes to future timestamps Ittoqqortoormiit, Greenland (America/Scoresbysund) joins most of the rest of Greenland's timekeeping practice on 2024-03-31, by changing its time zone from -01/+00 to -02/-01 at the same moment as the spring-forward transition. Its clocks will therefore not spring forward as previously scheduled. The time zone change reverts to its common practice before 1981. Fix predictions for DST transitions in Palestine in 2072-2075, correcting a typo introduced in 2023a. Changes to past and future timestamps Vostok, Antarctica changed to +05 on 2023-12-18. It had been at +07 (not +06) for years. (Thanks to Zakhary V. Akulov.) Change data for Casey, Antarctica to agree with timeanddate.com, by adding five time zone changes since 2020. Casey is now at +08 instead of +11. Changes to past tm_isdst flags Much of Greenland, represented by America/Nuuk, changed its standard time from -03 to -02 on 2023-03-25, not on 2023-10-28. This does not affect UTC offsets, only the tm_isdst flag. (Thanks to Thomas M. Steenholdt.) New data file A new data file zonenow.tab helps configure applications that use timestamps dated from now on. This simplifies configuration, since users choose from a smaller Zone set. The file's format is experimental and subject to change. Changes to code localtime.c no longer mishandles TZif files that contain a single transition into a DST regime. 
Previously, it incorrectly assumed DST was in effect before the transition too. (Thanks to Alois Treindl for debugging help.) localtime.c's timeoff no longer collides with OpenBSD 7.4. The C code now uses _Generic only if __STDC_VERSION__ says the compiler is C11 or later. tzselect now optionally reads zonenow.tab, to simplify when configuring only for timestamps dated from now on. tzselect no longer creates temporary files. tzselect no longer mishandles the following: Spaces and most other special characters in BUGEMAIL, PACKAGE, TZDIR, and VERSION. TZ strings when using mawk 1.4.3, which mishandles regular expressions of the form /X{2,}/. ISO 6709 coordinates when using an awk that lacks the GNU extension of newlines in -v option-arguments. Non UTF-8 locales when using an iconv command that lacks the GNU //TRANSLIT extension. zic no longer mishandles data for Palestine after the year 2075. Previously, it incorrectly omitted post-2075 transitions that are predicted for just before and just after Ramadan. (Thanks to Ken Murchison for debugging help.) zic now works again on Linux 2.6.16 and 2.6.17 (2006). (Problem reported by Rune Torgersen.) Changes to build procedure The Makefile is now more compatible with POSIX: * It no longer defines AR, CC, CFLAGS, LDFLAGS, and SHELL. * It no longer uses its own 'cc' in place of CC. * It now uses ARFLAGS, with default specified by POSIX. * It does not use LFLAGS incompatibly with POSIX. * It uses the special .POSIX target. * It quotes special characters more carefully. * It no longer mishandles builds in an ISO 8859 locale. Due to the CC changes, TZDIR is now #defined in a file tzfile.h built by 'make', not in a $(CC) -D option. Also, TZDEFAULT is now treated like TZDIR as they have similar roles. Changes to commentary Limitations and hazards of the optional support for obsolescent C89 platforms are documented better, along with a tentative schedule for removing this support. 
Signed-off-by: Adolf Belka 1 file changed, 3 insertions(+), 3 deletions(-) commit 7270984c460653f2215271b86286f74e6e9fb6ca Author: Arne Fitzenreiter Date: Fri Dec 22 10:30:45 2023 +0000 update-contributors Signed-off-by: Arne Fitzenreiter 1 file changed, 2 insertions(+), 1 deletion(-) commit aa892602ddb83121b828353e8754f9530bc8ef8e Author: Arne Fitzenreiter Date: Fri Dec 22 10:20:27 2023 +0000 core182: ship index.cgi Signed-off-by: Arne Fitzenreiter 1 file changed, 1 insertion(+) commit 0a60842a284e96420d4a9e07e4649cbad85de273 Author: Sebastien GISLAIN Date: Thu Dec 14 08:07:33 2023 +0100 index.cgi: correct gpl-accepted in gpl_accepted Signed-off-by: Arne Fitzenreiter 1 file changed, 1 insertion(+), 1 deletion(-) commit bf92e5596827c6a9942c2b9eec0e0d664beab486 Author: Arne Fitzenreiter Date: Thu Dec 21 13:50:59 2023 +0100 kernel: update to 6.6.8 Signed-off-by: Arne Fitzenreiter 3 files changed, 5 insertions(+), 10 deletions(-) commit 26c98d0904897a4e8fcdaf5824907c325c77bfdc Author: Arne Fitzenreiter Date: Thu Dec 21 09:51:47 2023 +0100 core182: remove old udev binary and rules they are the reason for boot fails with scsi controllers in core 181. Signed-off-by: Arne Fitzenreiter 1 file changed, 11 insertions(+) commit 7e35b9b9bb29ab48c0e8a6e051dd203ffb9bb5cd Author: Arne Fitzenreiter Date: Thu Dec 21 09:51:05 2023 +0100 core182: add more files from stage2 that are updated Signed-off-by: Arne Fitzenreiter 1 file changed, 5 insertions(+) commit cdbaf83bb6e4a932899ce2cb256a3a57cfc1f70c Author: Matthias Fischer Date: Sat Dec 9 08:56:58 2023 +0100 squid: Update to 6.6 For details see: https://github.com/squid-cache/squid/commits/v6 Signed-off-by: Matthias Fischer Reviewed-by: Adolf Belka Signed-off-by: Michael Tremer 1 file changed, 2 insertions(+), 2 deletions(-) commit 276fe09afc6496979291c2f2fd87ae98aadc058e Author: Arne Fitzenreiter Date: Wed Dec 20 09:48:26 2023 +0100 core182: ship libgcc_s.so.1 we have not shipped the gcc lib since core119 
Signed-off-by: Arne Fitzenreiter 1 file changed, 1 insertion(+) commit 73b04029c9761944e404da9c20fda6483049d459 Author: Arne Fitzenreiter Date: Wed Dec 20 08:44:10 2023 +0100 dracut: fix early_microcode put into ramdisk the kernel has no CONFIG_MICROCODE_{AMD|INTEL} anymore so this patch changes the check to CONFIG_MICROCODE. Signed-off-by: Arne Fitzenreiter 3 files changed, 32 insertions(+) commit d3b2b04672209aa5971e69d99c4fa64da875a370 Author: Arne Fitzenreiter Date: Tue Dec 19 11:45:26 2023 +0100 alsa: bump package version Signed-off-by: Arne Fitzenreiter 1 file changed, 1 insertion(+), 1 deletion(-) commit 6c85ffbfd45a3c2f23e6b8f512c40cf9b0678d86 Author: Arne Fitzenreiter Date: Tue Dec 19 11:44:03 2023 +0100 alsa: remove kernel module unload at uninstall this sometimes results in unstable/crashing kernel. Signed-off-by: Arne Fitzenreiter 1 file changed, 3 deletions(-) commit cb58d049e0e121466fb2eb0694fa7b8e715b6f2c Author: Arne Fitzenreiter Date: Tue Dec 19 11:35:53 2023 +0100 alsa: don't report failed module loads this will stop pakfire if the kernel was updated before the alsa update. Signed-off-by: Arne Fitzenreiter 1 file changed, 4 insertions(+), 4 deletions(-) commit 010869713142e1cc8874e59409e446a075a2878d Author: Arne Fitzenreiter Date: Tue Dec 12 21:12:37 2023 +0100 kernel: update to 6.6.6 Signed-off-by: Arne Fitzenreiter 3 files changed, 4 insertions(+), 4 deletions(-) commit 5109f8ee7fad608b9e85e61a1ab1a2608f09b106 Author: Arne Fitzenreiter Date: Fri Dec 8 16:12:17 2023 +0100 kernel: update to 6.6.5 Signed-off-by: Arne Fitzenreiter 3 files changed, 4 insertions(+), 4 deletions(-) commit 9d77a9a5cb558c0b6aeda0752de9c9d2fdd2b582 Author: Arne Fitzenreiter Date: Thu Dec 7 10:19:37 2023 +0100 installer: update filecount Signed-off-by: Arne Fitzenreiter 1 file changed, 1 insertion(+), 1 deletion(-) commit 935e7e115e515aae442983ffafa596f916fc9720 Author: Arne Fitzenreiter Date: Thu Dec 7 10:07:07 2023 +0100 core183: update disk-space/size check 
Signed-off-by: Arne Fitzenreiter 1 file changed, 6 insertions(+), 4 deletions(-) commit 365306f5e504f0de56e786dd505c5cb92da9ead3 Author: Arne Fitzenreiter Date: Thu Dec 7 08:11:08 2023 +0100 core183: ship kbd Signed-off-by: Arne Fitzenreiter 1 file changed, 1 insertion(+) commit e3544476b9c42dc8b50a9dee342549a3b01bb3f4 Author: Arne Fitzenreiter Date: Thu Dec 7 08:08:05 2023 +0100 kbd: include eurlatgr font this font is now default for european languages. Signed-off-by: Arne Fitzenreiter 1 file changed, 1 insertion(+), 1 deletion(-) commit 8064dce996a356e228be5fdd900a6733df3f47b7 Author: Arne Fitzenreiter Date: Wed Dec 6 13:40:14 2023 +0000 alsa: update rootfile and bump version some files are removed from linux-firmware so we need to install alsa again. Signed-off-by: Arne Fitzenreiter 2 files changed, 84 insertions(+), 84 deletions(-) commit 1513ac881469b8ecf6421d589f4aca1d0130c86c Author: Arne Fitzenreiter Date: Wed Dec 6 13:29:34 2023 +0000 core182: don't delete firmware of common soundcards. We still have alsa and mediaplayers so this is needed! Signed-off-by: Arne Fitzenreiter 1 file changed, 4 deletions(-) commit 71070690da3fa83c1f948c2c577cb9e171078da9 Author: Arne Fitzenreiter Date: Wed Dec 6 13:27:11 2023 +0000 core182: don't remove libs in update this will delete the current liblzma library. Unused libs removed by filesystem cleanup later. Signed-off-by: Arne Fitzenreiter 1 file changed, 1 insertion(+), 4 deletions(-) commit 185217edbcea3327a877bd5d90aa901b79b9c363 Author: Adolf Belka Date: Wed Dec 6 11:59:44 2023 +0100 netatalk: Bump PAK_VER due to dbus update Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 1 file changed, 2 insertions(+), 2 deletions(-) commit 6e269cd7b828e137a14c1aa5a0cc95041ee21206 Author: Adolf Belka Date: Wed Dec 6 11:59:43 2023 +0100 cups: Bump PAK_VER due to dbus update Signed-off-by: Adolf Belka 
Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+), 1 deletion(-) commit da5ad141d1e57c04637d20b5bc15949e4a539a18 Author: Adolf Belka Date: Wed Dec 6 11:59:42 2023 +0100 avahi: Bump PAK_VER due to dbus update Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+), 1 deletion(-) commit e4176557f0c3307f6a922348fc4e2f06a9021bc5 Author: Michael Tremer Date: Tue Nov 28 16:18:39 2023 +0000 core181: Ship apache initscript Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+) commit 633c7318279d99e98e8cdf077c4f3ab922744212 Author: Adolf Belka Date: Wed Dec 6 11:59:44 2023 +0100 netatalk: Bump PAK_VER due to dbus update Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 1 file changed, 2 insertions(+), 2 deletions(-) commit d7d963ed862b2c607dbb43a037f24c075896e378 Author: Adolf Belka Date: Wed Dec 6 11:59:43 2023 +0100 cups: Bump PAK_VER due to dbus update Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer 1 file changed, 1 insertion(+), 1 deletion(-)