commit 0ba187b4d391d02e3016cc44f313320e6481198b Merge: 47b66afb3 b57bafa35 Author: Arne Fitzenreiter Date: Wed Jan 8 06:33:35 2025 +0100 Merge remote-tracking branch 'origin/core190' commit 47b66afb31a82e239c94c18c9326294669df02ef Author: Arne Fitzenreiter Date: Wed Jan 8 06:32:52 2025 +0100 core191: reship squid and dhcpcd Signed-off-by: Arne Fitzenreiter commit 275533dce4e4a8c35f73b665fab6787f64eeceda Author: Arne Fitzenreiter Date: Wed Jan 8 06:27:52 2025 +0100 core191: ship iplockslist/sources and inuitscript/functions Signed-off-by: Arne Fitzenreiter commit b57bafa358ae77a3d4ac7e721b034ea21d3059a2 Author: Adolf Belka Date: Thu Jan 2 17:29:26 2025 +0100 miniupnpc: revert the addition of this package due to transmission reversion - As transmission has been reverted back to version 4.0.5 then miniupnpc is no longer needed for building or runtime. - This removes the minupnpc lfs and rootfile files. It also removes miniupnpc from the make.sh file. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 699abe572f8f4a56191d73d68ef1034b1174b576 Author: Adolf Belka Date: Thu Jan 2 17:29:25 2025 +0100 transmission: revert version back to 4.0.5 - Revert back from 4.0.6 to 4.0.5 due to a bug in 4.0.6 that has resulted in a variety of torrent mirrors banning transmission-4.0.6 - The update from 4.0.5 to 4.0.6 did not have any security fixes in it so there is no issue in moving backward to 4.0.5 - A fix has been created but it is unclear when (and if) version 4.0.7 will be released. The fix has also been included in version 4.1.0 but this is still in beta development form. - Version 4.0.6 required minupnpc for building and run time. This reversion is also removing miniupnpc in an associated patch in this patch set. - No change required in the rootfile. Signed-off-by: Adolf Belka Reviewed-by: Michael Tremer Signed-off-by: Michael Tremer commit e3b5000b8318591a239125560b9e5fa101a3802e Author: Arne Fitzenreiter Date: Thu Jan 2 10:15:23 2025 +0100 elinks: fix new configuration path Signed-off-by: Arne Fitzenreiter commit 8ceaf358ae36764661c2a70432b78ff879ac845b Author: Arne Fitzenreiter Date: Mon Dec 30 18:52:36 2024 +0100 mpd: disable https peer/host verification if myMPD is serving playlists mpd cannot load this with enabled verification. Signed-off-by: Arne Fitzenreiter commit a3a5c4ee95289ebc906e4406e2f87a246f8acabc Author: Peter Müller Date: Fri Dec 27 09:10:00 2024 +0000 Tor: Update to 0.4.8.13 Full changelog according to https://gitlab.torproject.org/tpo/core/tor/-/blob/tor-0.4.8.13/ChangeLog : Changes in version 0.4.8.13 - 2024-10-24 This is minor release fixing an important client circuit building (Conflux related) bug which lead to performance degradation and extra load on the network. Some minor memory leaks fixes as well as an important minor feature for pluggable transports. We strongly recommend to update as soon as possible for clients in order to neutralize this conflux bug. o Major bugfixes (circuit building): - Conflux circuit building was ignoring the "predicted ports" feature, which aims to make Tor stop building circuits if there have been no user requests lately. This bug led to every idle Tor on the network building and discarding circuits every 30 seconds, which added overall load to the network, used bandwidth and battery from clients that weren't actively using their Tor, and kept sockets open on guards which added connection padding essentially forever. Fixes bug 40981; bugfix on 0.4.8.1-alpha; o Minor feature (bridges, pluggable transport): - Add STATUS TYPE=version handler for Pluggable Transport. This allows us to gather version statistics on Pluggable Transport usage from bridge servers on our metrics portal. Closes ticket 11101. o Minor features (fallbackdir): - Regenerate fallback directories generated on October 24, 2024. o Minor features (geoip data): - Update the geoip files to match the IPFire Location Database, as retrieved on 2024/10/24. o Minor bugfixes (memleak, authority): - Fix a small memleak when computing a new consensus. This only affects directory authorities. Fixes bug 40966; bugfix on 0.3.5.1-alpha. o Minor bugfixes (memory): - Fix memory leaks of the CPU worker code during shutdown. Fixes bug 833; bugfix on 0.3.5.1-alpha. Signed-off-by: Peter Müller Signed-off-by: Arne Fitzenreiter commit 58179c1efdd08019c35e9ad2376b12929e1bbe40 Author: Michael Tremer Date: Mon Dec 30 11:34:13 2024 +0000 samba: Depend on libtalloc Signed-off-by: Michael Tremer Signed-off-by: Arne Fitzenreiter commit fad9bbe3348d2e45fc579801408f955fd89afe1c Author: Arne Fitzenreiter Date: Mon Dec 30 18:43:52 2024 +0100 core191: move existing elinks configuration Signed-off-by: Arne Fitzenreiter commit 7b1ce94f5d9be804fd9ca24c87b42f4d5d310382 Author: Arne Fitzenreiter Date: Mon Dec 30 18:37:23 2024 +0100 elinks: fix config directory the new version has moved the config directioy from ~/.elinks to ~/.config/.elinks Signed-off-by: Arne Fitzenreiter commit 52487fb2a70485bc71f92fdfdf21e65d36354be1 Author: Arne Fitzenreiter Date: Mon Dec 30 18:32:41 2024 +0100 core191: ship ntp ntp is build against OpenSSl and checks if it is linked against the correct version. So ship it to get rid of the ugly message. Signed-off-by: Arne Fitzenreiter commit 1069e68709ce9ea5f294b3cfb9aeb2672f5f9d7b Merge: c6febcc99 4692bdaa5 Author: Arne Fitzenreiter Date: Tue Dec 24 08:48:30 2024 +0100 Merge remote-tracking branch 'origin/next' commit 4692bdaa5fdcd100bc14bb36c3b5ed9d2aadf2a4 Author: Arne Fitzenreiter Date: Tue Dec 24 08:47:40 2024 +0100 core191: update contributors Signed-off-by: Arne Fitzenreiter commit 84ad76dd670324f3b2d920ef0dce64cc69159bd6 Author: Arne Fitzenreiter Date: Mon Dec 23 17:15:22 2024 +0100 core191: ship backup.pl Signed-off-by: Arne Fitzenreiter commit b630334147324d5e05c38acc5b428e67f01b9f87 Author: Adolf Belka Date: Fri Dec 20 11:04:05 2024 +0100 backup.pl: Fix Bug13799 - addon restore not working - This fixes the existence check for the addon .ipf file from a check of existence of a directory to a check of existence of a file. Suggested-by: Bernhard Bitsch Tested-by: Bernhard Bitsch Fixes: Bug13799 Signed-off-by: Adolf Belka Reviewed-by: Bernhard Bitsch Signed-off-by: Arne Fitzenreiter commit 50f8a13985fd804dc6c9a71cccbfd179ae62a732 Author: Michael Tremer Date: Sat Dec 21 10:54:42 2024 +0000 make.sh: Explicitely check the source tarballs The Makefiles do not automatically perform the check that I expected them to perform when running a build. They check if the source tarballs are all present, but they don't check whether they match the checksum. This is only being done when "./make.sh downloadsrc" is being run. In case of the automated builds, we explicitely run "./make.sh downloadsrc", so I don't think that this might have introduced any malicious source into the published builds. Reported-by: Stephen Cuka Signed-off-by: Michael Tremer Signed-off-by: Arne Fitzenreiter commit 1ff1a164b58fbed161f4f4cb464f4e207ec823ac Author: Adolf Belka Date: Fri Dec 20 12:40:02 2024 +0100 libyajl: Removal of addon as no longer required by libvirt - libyajl is no longer being used by libvirt. libvirt now uses json-c which is a core package in IPFire. libyajl was stopped being used as it had not been updated and is considered effectively dead upstream. - lfs, rootfile and libyajl entry in make.sh removed. Signed-off-by: Adolf Belka Reviewed-by: Michael Tremer Signed-off-by: Arne Fitzenreiter commit 3a740522afd2b02ea21798925b99c7a8823e5482 Author: Adolf Belka Date: Fri Dec 20 12:40:01 2024 +0100 libvirt: Update to version 10.10.0 - Update from version 10.7.0 to 10.10.0 - Update of rootfile - version 10.7.0 had a change in it which meant that the script friendly output of ``virsh list --uuid`` was replaced. This change was reverted in version 10.8.0 - In version 10.8.0 libyajl was replaced by json-c for JSON parsing and formatting. Therefore this patch set also removes libyajl from IPFire as it is no longer required. - Changelog 10.10.0 New features * qemu: add multi boot device support on s390x For classical mainframe guests (i.e. LPAR or z/VM installations), you always have to explicitly specify the disk where you want to boot from (or "IPL" from, in s390x-speak -- IPL means "Initial Program Load"). In the past QEMU only used the first device in the boot order to IPL from. With the new multi boot device support on s390x that is available with QEMU version 9.2 and newer, this limitation is lifted. If the IPL fails for the first device with the lowest boot index, the device with the second lowest boot index will be tried and so on until IPL is successful or there are no remaining boot devices to try. Limitation: The s390x BIOS will try to IPL up to 8 total devices, any number of which may be disks or network devices. * qemu: Add support for versioned CPU models Updates to QEMU CPU models with -vN suffix can now be used in libvirt just like any other CPU model. * qemu: Support for the 'data-file' QCOW2 image feature The QEMU hypervisor driver now supports QCOW2 images with 'data-file' feature present (both when probing form the image itself and when specified explicitly via ```` element). This can be useful when it's required to keep data "raw" on disk, but the use case requires features of the QCOW2 format such as incremental backups. * swtpm: Add support for profiles Upcoming swtpm release will have TPM profile support that allows to restrict a TPM's provided set of crypto algorithms and commands. Users can now select profile by using ```` in their TPM XML definition. Improvements * qemu: Support UEFI NVRAM images on block storage Libvirt now allows users to use block storage as backend for UEFI NVRAM images and allows them to be in format different than the template. When qcow2 is used as the format, the images are now also auto-populated from the template. * qemu: Automatically add IOMMU when needed When domain of 'qemu' or 'kvm' type has more than 255 vCPUs IOMMU with EIM mode is required. Starting with this release libvirt automatically adds one (or turns on the EIM mode if there's IOMMU without it). * ch: allow hostdevs in domain definition The Cloud Hypervisor driver (ch) now supports ````-s. * ch: Enable callbacks for ch domain events The Cloud Hypervisor driver (ch) now supports emitting events on domain define, undefine, start, boot, stop and destroy. Bug fixes * qemu: Fix reversion and inactive deletion of internal snapshots with UEFI NVRAM. In `v10.9.0 (2024-11-01)`_ creation of internal snapshots of VMs with UEFI firmware was allowed, but certain operations such as reversion or inactive deletion didn't work properly as they didn't consider the NVRAM qcow2 file. * virnetdevopenvswitch: Warn on unsupported QoS settings For OpenVSwitch vNICs libivrt does not set QoS directly using 'tc' but offloads setting to OVS. But OVS is not as feature full as libvirt in this regard and setting different 'peak' than 'average' results in vNIC always sticking with 'peak'. Produce a warning if that's the case. 10.9.0 New features * qemu: zero block detection for non-shared-storage migration Users can now request that all-zero blocks are not transferred when migrating non-shared disk data without actually enabling zero detection on the disk itself. This allows sparsifying images during migration where the source has no access to the allocation state of blocks at the cost of CPU overhead. This feature is available via the ``--migrate-disks-detect-zeroes`` option for ``virsh migrate`` or ``VIR_MIGRATE_PARAM_MIGRATE_DISKS_DETECT_ZEROES`` migration parameter. See the documentation for caveats. Improvements * qemu: internal snapshot improvements The qemu internal snapshot handling code was updated to use modern commands which avoid the problems the old ones had, preventing use of internal snapshots on VMs with UEFI NVRAM. Internal snapshots of VMs using UEFI are now possible provided that the NVRAM is in ``qcow2`` format. The new code also allows better control when deleting snapshots. To prevent possible regressions no strict checking is done, but in case inconsistent state is encountered a log message is added:: warning : qemuSnapshotActiveInternalDeleteGetDevices:3841 : inconsistent internal snapshot state (deletion): VM='snap' snapshot='1727959843' missing='vda ' unexpected='' extra='' Users are encouraged to report any occurence of the above message along with steps they took to the upstream tracker. * qemu: improve documentation of image format settings The documentation of the various ``*_image_format`` settings in ``qemu.conf`` imply they can only be used to control compression of the image. The documentation has been improved to clarify the settings describe the representation of guest memory blocks on disk, which includes compression among other possible layouts. * Report CPU model blockers in domain capabilities When a CPU model is reported as usable='no' an additional ```` element is added for that CPU model listing features required by the CPU model, but not supported on the host. 10.8.0 Improvements * network: make networks with ```` more useful It is now permissable to have a ```` network that has no IP address assigned to the host's port of the bridge. This is the only way to create a libvirt network where guests are unreachable from the host (and vice versa) and also 0 firewall rules are added on the host. It is now also possible for a ```` network to use the ``zone`` attribute of ```` to set the firewalld zone of the bridge interface (normally it would not be set, as is done with other forward modes). * storage: Lessen dependancy on the ``showmount`` program Libvirt now automatically detects presence of ``showmount`` during runtime as we do with other helper programs and also the ``daemon-driver-storage-core`` RPM package now doesn't strongly depend on it if the users wish for a more minimal deployment. * Switch from YAJL to json-c for JSON parsing and formatting The parser and formatter in the libvirt library, as well as the parsers in the nss plugin were rewritten to use json-c instead of YAJL, which is effectively dead upstream. * Relax restrictions for memorytune settings It should now be possible to use resctrl on AMD CPUs as well as Intel CPUs when the resctrl filesystem is mounted with ``mba_MBps`` option. Bug fixes * virsh: Fix script-friedly output of ``virsh list --uuid`` The script-friendly output of just 1 UUID per line was mistakenly replaced by the full human-targetted table view full of redundant information and very hard to parse. Users who wish to see the UUIDs in the tabular output need to use ``virsh list --table --uuid`` as old behaviour was reverted. Note that this also broke the ``libvirt-guests`` script. The bug was introduced in `v10.7.0 (2024-09-02)`_. * network/qemu: fix some cases where ``device-update`` of a network interface was failing: * If the interface was connected to a libvirt network that was providing a pool of VFs to be used with macvtap passthrough mode, then *any* update to the interface would fail, even changing the link state. Updating (the updateable parts of) a macvtap passthrough interface will now succeed. * It previously was not possible to move an interface from a Linux host bridge to an OVS bridge. This (and the opposite direction) now works. * qemu: backup: Fix possible crashes when running monitoring commands during backup job The qemu monitor code was fixed to not crash in specific cases when monitoing APIs are called during a backup job. * Fix various memleaks and overflows Multiple memory leaks and overflows in corner cases were fixed based on upstream issues reported. * network: Better cleanup after disappeared networks If a network disappeared while virtnetworkd was not running not all clean up was done properly once the daemon was started, especially when only the network interface disappeared. This could have in some cases resulted in the network being shown as inactive, but not being able to start. * qemu: Remember memory backing directory for domains If ``memory_backing_dir`` is changed during the lifetime of a domain with file backed memory, files in the old directory would not be cleaned up once the domain is shut down. Now the directory that was used during startup is remembered for each running domain. Signed-off-by: Adolf Belka Reviewed-by: Michael Tremer Signed-off-by: Arne Fitzenreiter commit f3523a9d7d5577909570d654540774cd8d9ab395 Author: Arne Fitzenreiter Date: Sun Dec 22 17:48:00 2024 +0100 tftpd: leave /var/tftpboot at update or uninstall Signed-off-by: Arne Fitzenreiter commit 8a9507b169af324f4031b4f09ab162131858b065 Author: Arne Fitzenreiter Date: Fri Dec 20 16:30:46 2024 +0100 mympd: update to 19.0.1 Signed-off-by: Arne Fitzenreiter commit 17ad30b9e2aaca5b90df98ceee9ac68a9c68e238 Author: Arne Fitzenreiter Date: Fri Dec 20 07:51:30 2024 +0100 Revert "en.pl: Update the wording for the check on the CA Name for upload" This reverts commit f32ca6cd79124c4fcfc722a2238c1accbfb1a9ff. commit 754451021b7d6fa6aa812b1ac2f017fb118bd383 Author: Arne Fitzenreiter Date: Fri Dec 20 07:51:05 2024 +0100 Revert "vpnmain.cgi: Fix for 2nd part of bug10595" This reverts commit 7b29acfbb597b89837dcbe1b91ef6ef4352f28a6. commit 32fba6d49bcb06b270e08344164e5bb1b55331c7 Author: Arne Fitzenreiter Date: Wed Dec 18 12:30:10 2024 +0100 zabbix-agentd: Update to 6.0.37 (LTS) Full changelog since 6.0.33: - https://www.zabbix.com/rn/rn6.0.34 - https://www.zabbix.com/rn/rn6.0.35 - https://www.zabbix.com/rn/rn6.0.36 - https://www.zabbix.com/rn/rn6.0.37 Signed-off-by: Arne Fitzenreiter commit c6febcc99646c39aeb2989ffd6fe43b5c876ca65 Author: Michael Tremer Date: Wed Dec 18 11:16:56 2024 +0000 core190: Remove a control character in update script Signed-off-by: Michael Tremer commit 211b1a4b8725593cfcbd61b8ff928890cff03603 Author: Robin Roevens Date: Tue Nov 5 23:36:18 2024 +0100 zabbix_agentd: Add IPS throughput and guardian blocked IP count items - Adds Zabbix Agent userparameter `ipfire.ips.throughput.get` for the agent to get details about IPS throughput bypassed/scanned/whitelisted in bytes (JSON) - Adds Zabbix Agent userparameter `ipfire.guardian.blocked.count` for the agent to get the number of currently blocked IP's by Addon: Guardian. Signed-off-by: Robin Roevens Signed-off-by: Arne Fitzenreiter commit 1d1e1d24c3716d45d533b671022a6183887895a7 Author: Adolf Belka Date: Sat Dec 14 13:49:04 2024 +0100 fr.pl: Update to French translations for the optionsfw.cgi page Reported-by: Phil SCAR Fixes: Bug13800 Signed-off-by: Adolf Belka Signed-off-by: Arne Fitzenreiter commit 40f261182851c680b239e5e6fb62e97dc5a40694 Author: Matthias Fischer Date: Wed Dec 11 17:33:21 2024 +0100 monit: Update to 5.34.3 For details see: https://mmonit.com/monit/changes/ "Fixed: If the ping statement did not explicitly specify an outgoing address but a previous ping statement did, the same address was shared by both statements. Fixed: Monit may crash upon stopping if the ping statement is used in conjunction with the address option. Fixed: If a directory is set in the allow option of the set httpd statement, instead of a file or string, Monit hangs on startup." Signed-off-by: Matthias Fischer Reviewed-by: Adolf Belka Signed-off-by: Arne Fitzenreiter commit e80aa493e6f45ca2c4bac70060ef854adcc70bdc Author: Arne Fitzenreiter Date: Wed Dec 18 08:22:28 2024 +0100 core191: ship vpnmain.cgi Signed-off-by: Arne Fitzenreiter commit f32ca6cd79124c4fcfc722a2238c1accbfb1a9ff Author: Adolf Belka Date: Wed Dec 11 12:51:44 2024 +0100 en.pl: Update the wording for the check on the CA Name for upload - This changes the wording to allowing characters and spaces. Fixes: Bug10595 part 2 Tested-by: Adolf Belka Signed-off-by: Adolf Belka Signed-off-by: Arne Fitzenreiter commit 7b29acfbb597b89837dcbe1b91ef6ef4352f28a6 Author: Adolf Belka Date: Wed Dec 11 12:51:43 2024 +0100 vpnmain.cgi: Fix for 2nd part of bug10595 - Bug10595 had two parts in it and was closed after the first part was fixed. The second part was still unfixed at that time. I cam across it when checking out an open bug on a similar issue with OpenVPN. - I found the section that checks on the CA Name and modified it to also allow spaces. - Having modified that then the subroutines getsubjectfromcert and getCNfromcert required to have quotation marks put around the parameter that had the CA Name with spaces in it otherwise the openssl statement only got a filename with the first portion of the ca name until the first space was encountered. - Tested this change out on my vm and it worked fine. I was able to upload a ca certificate into IPSec and use spaces in the CA Name. Fixes: Bug10595 part 2 Tested-by: Adolf Belka Signed-off-by: Adolf Belka Signed-off-by: Arne Fitzenreiter commit 39239d2bc45a91498d243b14e346a804adc4a7f5 Author: Adolf Belka Date: Tue Dec 10 15:11:21 2024 +0100 samba: Update to version 4.21.2 - Update from version 4.21.0 to 4.21.2 - Update of the rootfiles for x86_64, aarch64 & riscv64 - Version 4.21.0 mentioned that LDB is no longer available to build as a distinct tarball. However version 4.21.0 previously built without any problem so it looks like it was still available. Now with version 4.21.2 the lmdb package needs to be available or you have to disable all ldb options. As these options were uncommented in the previous versions of samba, it looks like they are intended to be present. To make this version support in the same way the lmdb package had to be moved so it was built before samba is built. Hence the shift of lmdb in make.sh - Changelog 4.21.2 * BUG 15732: smbd fails to correctly check sharemode against OVERWRITE dispositions. * BUG 15754: Panic in close_directory. * BUG 15752: winexe no longer works with samba 4.21. * BUG 14356: protocol error - Unclear debug message "pad length mismatch" for invalid bind packet. * BUG 15425: NetrGetLogonCapabilities QueryLevel 2 needs to be implemented. * BUG 15740: gss_accept_sec_context() from Heimdal does not imply GSS_C_MUTUAL_FLAG with GSS_C_DCE_STYLE. * BUG 15749: winbindd should call process_set_title() for locator child. * BUG 15320: Update CTDB to track all TCP connections to public IP addresses. 4.21.1 * BUG 15624: DH reconnect error handling can lead to stale sharemode entries. * BUG 15695: "inherit permissions = yes" triggers assert() in vfs_default when creating a stream. * BUG 15715: Samba 4.21.0 broke FreeIPA domain member integration. * BUG 15692: Missing conversion for msDS-UserTGTLifetime, msDS- ComputerTGTLifetime and msDS-ServiceTGTLifetime on "samba-tool domain auth policy modify". * BUG 15280: irpc_destructor may crash during shutdown. * BUG 15624: DH reconnect error handling can lead to stale sharemode entries. * BUG 15649: Durable handle is not granted when a previous OPEN exists with NoOplock. * BUG 15651: Durable handle is granted but reconnect fails. * BUG 15708: Disconnected durable handles with RH lease should not be purged by a new non conflicting open. * BUG 15714: net ads testjoin and other commands use the wrong secrets.tdb in a cluster. * BUG 15726: 4.21 using --with-system-mitkrb5 requires MIT krb5 1.16 as rfc 8009 etypes are used. * BUG 15730: VFS_OPEN_HOW_WITH_BACKUP_INTENT breaks shadow_copy2. * BUG 15643: Samba 4.20.0 DLZ module crashes BIND on startup. * BUG 15721: Cannot build libldb lmdb backend on a build without AD DC. * BUG 15706: Consistent log level for sighup handler. Signed-off-by: Adolf Belka Signed-off-by: Arne Fitzenreiter commit b0fd6b1fd53dcbe6fb7b539555969b891609d197 Author: Adolf Belka Date: Tue Dec 10 14:23:55 2024 +0100 suricata.yaml: Fix bug13646 - Adjust the include syntax to use array format - Suricata-8.x will only accept include statements in array format and not in multiple single lines. Suricata-7.x still accepts the multiple single lines but flags up that the format is deprecated and will be removed in suricata-8.x - This patch adjusts the address-groups include into the array format. - This change has been tested out on my vm and the IPS started up and from the logs you can see that all the include files were taken on board and the derprecation message is no longer shown. - This change can be implemented with Suricata-7.x and will make sure that IPFire has the include syntax that Suricata-8.x will require. Fixes: Bug13646 Tested-by: Adolf Belka Signed-off-by: Adolf Belka Reviewed-by: Michael Tremer Signed-off-by: Arne Fitzenreiter commit 87c37fa5bc94dd5bb9655bdf3359eb8d482874e9 Author: Adolf Belka Date: Mon Dec 9 12:42:51 2024 +0100 update.sh: Remove the lines related to FEODO_RECOMMENDED - This removes the lines related to removing any time entries in the modified file for FEODO_RECOMMENDED. - This also removes the lines realted to removing the blocklists for the FEODO_RECOMMENDED sources from the /var/lib/ipblocklist directory. - This patch will ensure that FEODO_RECOMMENDED stays in place if it was being used. Signed-off-by: Adolf Belka Signed-off-by: Arne Fitzenreiter commit c178f3f6fff1948bdf41b0ba71530992f9acf5c4 Author: Adolf Belka Date: Mon Dec 9 12:42:50 2024 +0100 sources: Replacement of Feodo Recommended Tracker list to ipblocklist sources file - FEODO_RECOMMENDED list is still being updated but the number of events can be very low. However as it is still active then it has been added back in as discussed in the Dev Conf Call on Nov 4th. - FEODO_IP list covers any IP that has been detected as a botnet in the last 30 days. This could lead to false positives if the botnet has been fixed within one day of being detected. So it was agreed that this list would stay removed. - FEODO_AGGRESSIVE list contains all IP's that havce ever been detected as botnets since the list was started. It is not intended to be used for blocking as it would have a huge false positive effect. This list will also stay removed as it should not have been included originally. - This patch set adds back in the FEODO_RECOMMENDED list into the sources file and in the associated patch for the update.sh file removes the lines that removed the files related to FEODO_RECOMMENDED. Signed-off-by: Adolf Belka Signed-off-by: Arne Fitzenreiter commit 7f958c7254b3188f7f18c72603ff98dfcdcdc865 Author: Arne Fitzenreiter Date: Wed Dec 18 08:19:21 2024 +0100 core191: ship sqlite Signed-off-by: Arne Fitzenreiter commit 6e28bcb4b22f3ccb4f18163c5a6d65008c9b4172 Author: Adolf Belka Date: Mon Dec 9 12:11:13 2024 +0100 sqlite: Update to version 3470200 - Update from version 3460100 to 3470200 - Update of rootfile not required - Changelog 3470200 Fix a problem in text-to-floating-point conversion for SQLite that can cause values between '1.8446744073709550592eNNN' and '1.8446744073709551609eNNN' for any exponent NNN to be rendered incorrectly. In other words, some numeric text values where the first 16 significant digits are '1844674407370955' might be converted into the wrong floating-point value. See forum thread 569a7209179a7f5e. This problem only arises on x64 and i386 hardware. The problem was introduced in 3.47.0. Other minor bug fixes. 3470100 Fix the makefiles so that they once again honored DESTDIR for the "install" target. Add the SQLITE_IOCAP_SUBPAGE_READ capability to the VFS, to work around issues on some non-standard VFSes caused by making SQLITE_DIRECT_OVERFLOW_READ the default in version 3.45.0. Fix problems with line endings in the new sqlite3_rsync.exe utility on Windows. Fix incorrect answers to certain obscure IN queries caused by new query optimizations added in the 3.47.0 release. Other minor bug fixes. 3470000 Allow arbitrary expressions in the second argument to the RAISE function. If the RHS of the ->> operator is negative, then access array elements counting from the right. Fix a problem with rolling back hot journal files in the seldom-used unix-dotfile VFS. FTS5 tables can now be dropped even if they use a non-standard tokenizer that has not been registered. Fix the group_concat() aggregate function so that it returns an empty string, not a NULL, if it receives a single input value which is an empty string. Enhance the generate_series() table-valued function so that it is able to recognize and use constraints on its output value. Preupdate hooks now recognize when a column added by ALTER TABLE ADD COLUMN has a non-null default value. Performance optimizations: Improved reuse of subqueries associated with the IN operator, especially when the IN operator has been duplicated due to predicate push-down. Use a Bloom filter on subqueries on the right-hand side of the IN operator, in cases where that seems likely to improve performance. Ensure that queries like "SELECT func(a) FROM tab GROUP BY 1" only invoke the func() function once per row. No attempt is made to create automatic indexes on a column that is known to be non-selective because of its use in other indexes that have been analyzed. Adjustments to the query planner so that it produces better plans for star queries with a large number of dimension tables. Add the "order-by-subquery" optimization, that seeks to disable sort operations in outer queries if the desired order is obtained naturally due to ORDER BY clauses in subqueries. The "indexed-subtype-expr" optimization strives to use expressions that are part of an index rather than recomputing the expression based on table values, as long as the query planner can prove that the subtype of the expression will never be used. Miscellaneous coding tweaks for faster runtimes. Enhancements to SQLite-related command-line programs: Add the experimental sqlite3_rsync program. Add extension functions median(), percentile(), percentile_cont(), and percentile_disc() to the CLI. Add the .www dot-command to the CLI. The sqlite3_analyzer utility now provides a break-out of statistics for WITHOUT ROWID tables. The sqldiff utility avoids creating an empty database if its second argument does not exist. Enhance the sqlite_dbpage table-valued function such that INSERT can be used to increase or decrease the size of the database file. SQLite no longer makes any use of the "long double" data type, as hardware support for long double is becoming less common and long double creates challenges for some compiler tool chains. Instead, SQLite uses Dekker's algorithm when extended precision is needed. The TCL Interface for SQLite supports TCL9. Everything probably still works for TCL 8.5 and later, though this is not guaranteed. Users are encouraged to upgrade to TCL9. JavaScript/WASM: Fix a corruption-causing bug in the JavaScript "opfs" VFS. Correct "mode=ro" handling for the "opfs" VFS. Work around a couple of browser-specific OPFS quirks. FTS5 Changes: Add the fts5_tokenizer_v2 API and the locale=1 option, for creating custom locale-aware tokenizers and fts5 tables that may take advantage of them. Add the contentless_unindexed=1 option, for creating contentless fts5 tables that store the values of any UNINDEXED columns persistently in the database. Allow an FTS5 table to be dropped even if it uses a custom tokenizer whose implementation is not available. Signed-off-by: Adolf Belka Signed-off-by: Arne Fitzenreiter commit 03654da62fcc226548acedb506c489ec0c1b05b3 Author: Arne Fitzenreiter Date: Wed Dec 18 08:17:54 2024 +0100 core191: ship connections.cgi Signed-off-by: Arne Fitzenreiter commit 65e0b783ad3691f12a3cc0e41533b92c93bb13ac Author: Michael Tremer Date: Fri Dec 6 16:44:17 2024 +0000 connections.cgi: Support CIDR notation Signed-off-by: Michael Tremer Signed-off-by: Arne Fitzenreiter commit e95be58de99879e58d1c3d7df25f18a848f1f16f Author: Michael Tremer Date: Fri Dec 6 16:44:16 2024 +0000 connections.cgi: Fix importing Wireguard peers Signed-off-by: Michael Tremer Signed-off-by: Arne Fitzenreiter commit 16cf9f1230da4f0056a65a85a352a5e6c97a67ee Author: Michael Tremer Date: Fri Dec 6 16:44:15 2024 +0000 connections.cgi: Ignore empty interfaces Parsing any custom routes for any custom interfaces was broken so that arbitrary routes were imported when not all interfaces were in use. Signed-off-by: Michael Tremer Signed-off-by: Arne Fitzenreiter commit 00599ec3b0f8df56b65c53cabb90567bb4b92af0 Author: Michael Tremer Date: Fri Dec 6 16:44:14 2024 +0000 connections.cgi: Fix colour of destination country Signed-off-by: Michael Tremer Reviewed-by: Bernhard Bitsch Signed-off-by: Arne Fitzenreiter commit ff4ff2cfe0c8565a431bf499708dcb6e5c2fb3dc Author: Michael Tremer Date: Fri Dec 6 16:42:17 2024 +0000 initscripts: readhash: Fix handling = signs The function expected that a line only contains exactly one equals sign (=) which is not fit for purpose. In the WireGuard code we hold key material that is encoded in base64 and therefore contains padding that uses =. This patch fixes that we expect exactly one equals sign immediately after the key and we will then accept more = in the value - which was already permitted. Furthermore, this patch fixes the splitting if the key and value at the first =. Signed-off-by: Michael Tremer Signed-off-by: Arne Fitzenreiter commit 73661e5ee1acc30e40e41493c8dfca10aa1097d0 Author: Michael Tremer Date: Fri Dec 6 16:42:16 2024 +0000 initscripts: readhash: Only strip quotes if they exist Signed-off-by: Michael Tremer Signed-off-by: Arne Fitzenreiter commit 71ba9e8fb128c39f1d1e215cbff2cd9a5132c1bd Author: Michael Tremer Date: Fri Dec 6 16:42:15 2024 +0000 tests: Fix path to bash Signed-off-by: Michael Tremer Signed-off-by: Arne Fitzenreiter commit f1a1b3775aa12317e94dbdbe1e32898393f72bfa Author: Adolf Belka Date: Thu Dec 5 14:16:46 2024 +0100 libtalloc: Update to version 2.4.2 plus moved before cifs-utils - Update from version 2.4.1 to 2.4.2 - Update of rootfile - Moved to before cifs-utils in make.sh as now a required dependency for cifs-utils - The last changelog is recorded in the sourcde tarball is from 2007 and I have been unable to find anywhere where the changes can be identified. So updated on the principle of having the latest version and both samba and cifs-utils now require it. Signed-off-by: Adolf Belka Signed-off-by: Arne Fitzenreiter commit 6fbe2b92346f173cd8de217adeb1a9aa0dc382a9 Author: Adolf Belka Date: Thu Dec 5 14:16:45 2024 +0100 cifs-utils: Update to version 7.1 - Update from version 7.0 to 7.1 - Update of rootfile not required - libtalloc now required as a build and run-time dependency for cifs-utils - Changelog 7.1 LDAP Ping capability smbinfo adds gettconinfo command Various improvements to man pages Detailed list of changes since 7.0 was released: 0fae4c7 cifs-utils: bump version to 7.1 2cd7b1f cifs: update documentation for sloppy mount option 9918019 docs: add closetimeo description c4c30b5 docs: add compress description 454870a checkopts: update it to work with latest kernel version 465f213 cifs-utils: add documentation for multichannel and max_channels b3fe25c cifs-utils: smbinfo: add gettconinfo command c6bf4d9 Implement CLDAP Ping to find the closest site 4718e09 (for-next) mount.cifs.rst: update section about xattr/acl support e7ec003 mount.cifs.rst: add missing reference for sssd 3870f5b getcifsacl, setcifsacl: add missing include for le32toh c8ec7d1 getcifsacl, setcifsacl: add missing include for XATTR_SIZE_MAX 25d6552 cifs-utils: Make automake treat /sbin as exec, not data dac3301 pam_cifscreds: fix warning on NULL arg passed to %s in pam_syslog() 7314638 cifs.upcall: fix UAF in get_cachename_from_process_env() ef0d95e cifs-utils: add documentation for acregmax and acdirmax 2260c0d setcifsacl: Fix uninitialized value. 1eee8e8 Use explicit "#!/usr/bin/python3" Signed-off-by: Adolf Belka Signed-off-by: Arne Fitzenreiter commit 842ccb17e74d341ed611aa26526a1d61d746deb4 Author: Adolf Belka Date: Thu Dec 5 14:15:46 2024 +0100 dnsdist: Update to version 1.9.7 - Update from version 1.9.6 to 1.9.7 - Update of rootfilke not required - Changelog 1.9.7 New Features Add a FFI accessor to incoming proxy protocol values References: #14664, pull request 14716 Improvements Update Quiche to 0.22.0 (in our packages) References: pull request 14647 Update the Rust version we use in our packages to 1.78 References: pull request 14695 Fix build with boost 1.86.0 References: #14562, pull request 14638 Stop reporting timeouts in topSlow(), add topTimeouts() References: #14568, pull request 14641 Fix compilation with GCC 15 (Holger Hoffstätte) References: #14549, pull request 14645 Add warnings about large values passed to setMaxTCPClientThreads References: pull request 14646 Bug Fixes Disable eBPF filtering on QUIC (DoQ, DoH3) sockets References: #14736, pull request 14740 Fix handling of proxy protocol payload outside of TLS for DoT References: #14631, pull request 14639 Prevent a data race in incoming DNS over TLS connections by storing the OpenSSLTLSIOCtx in the connection References: pull request 14677 Return a valid unix timestamp for Dynamic Block’s until References: #14552, pull request 14643 Fix EDNS flags confusion when editing the OPT header References: #14548, pull request 14644 Handle a nonexistent default pool when removing a server References: pull request 14640 Add EDNS to responses generated from raw record data References: pull request 14730 Signed-off-by: Adolf Belka Signed-off-by: Arne Fitzenreiter commit 4854a002228adf15cdf4ef5de9c10911385300c4 Author: Adolf Belka Date: Thu Dec 5 14:15:45 2024 +0100 aws-cli: Update to version 1.36.15 - Update from version 1.27.100 to 1.36.15 (398 update versions between thgese two) - Update of rootfile not required - Changelog is around 4,500 lines long so not suitable to include here. Changes can be found in the CHANGELOG.rst file in the source tarball Signed-off-by: Adolf Belka Signed-off-by: Arne Fitzenreiter commit b261e227a3c6a4a58abcac537e4f6975cfec5d83 Author: Adolf Belka Date: Thu Dec 5 14:15:44 2024 +0100 amazon-ssm-agent: Update to version 3.3.1345.0 - Update from version 3.2.582.0 to 3.3.1345.0 - Update of rootfile not required - Changelog 3.3.1345.0 Revert "Update configurePackage to use fixed download method" Revert "Use a single syscall for route table for health check IP" 3.3.13110.0 Add alternative to wmic to support Windows 2025 Add armv7 architecture support for greengrass component Add support in ssm-setup-cli for standalone installation in on-premises environments Fail ssm-setup-cli install command if agent config is not loadable Implement S3 ownership verification as an optional parameter for plugins Mark Session task as cancelled when MGS indicates that session is over Update configurePackage to use fixed download method Update Docker Engine version and use system environment variables in installation path Update GreenGrass component minor version to 1.3.1 3.3.1230.0 Revert compatibility hook for future Windows versions as it increased CPU consumption for document execution on Windows. Revert Increase RunCommand timeout during the registration process for the on-prem instances 3.3.1142.0 Fail windows update when installed version does not match Reduced length of IMDS errors to shorter format Increase the RunCommand timeout during the registration process for the on-prem instances Add nil check when calling GetRepository content in aws:downloadContent Worker process to exit if they are not successfully started and became idle Fix bug where unforeseen failures cause time to be incorrectly displayed in RunCommand Update GreenGrass component minor version to 1.3.0 Ensure agent thread always exit after the corresponding worker process exits Fix IPC file filtering bug where usernames or session names containing tmp causes agent worker to not correctly receive IPC Load directly from appconfig file when calling UpdateInstanceInformation during credential refresher Use a single syscall for route table for health check IP 3.3.987.0 Update default session logging destination to none Specify a minimum of TLS v1.2 in http client calls Add web-socket heartbeat to detect connection drops in the web-socket for control and data channels sooner Use exponential retry for document worker, increase retry interval and attempt count when reading IPC files Add wait for cloud-init in the agent updater Fix timeouts for update without yum endpoint connectivity Change in orchestration directory removal process to reduce disk space usage Fix Inventory detailed information invalid value check Fix parsing issue with DomainJoin Plugin Modify DomainJoin Plugin to use Kerberos REALM in username for RHEL and variants Change the SUSE linux zypper commands to quiet mode for the DomainJoin Plugin Move high volume info logs to debug level Remove deprecated go coverage library (golang.org/x/tools/cmd/cover) Add lock on session orchestration cleanup to prevent quadratic file system lookup for large volume session users Upgrade GoLang to version 1.22.7 3.3.859.0 Updated snapcraft.yml specification 3.3.808.0 Add enhancements related to KMS sessions Add support for RHEL 8.10 & 9.4 Allow in-place upgrade for hybrid distributor packages Fix idempotency not found error during agent startup Fix bug that could cause unexpected behavior during parameter replacement in document Gather metrics during agent version validation in Windows agent update Make long sleep for onprem same as long sleep for EC2, and cap sleep time at 30 minutes for OnPrem instances Migrated snap package builder from core18 to core22 Parse version from OS release file correctly when contains special chars Suppress logs from the go-routine that checks the session manager's orchestration directory Update go git dependency to v5.12.0 Update seelog config to have default time format with Milliseconds Update TMP/TEMP env variable during windows installer launch in Updater Upgrade GoLang to version 1.21.12 3.3.551.0 Agent updater attempts yum install/uninstall before falling back to attempt with rpm Updated golang.org/x/net from v0.19.0 to v0.26.0 Upgrade GoLang to version 1.21.11 Add IPv6 addresses for NTP and EC2Config to default DenyList Update Distributor to only use Systems Manager APIs to fetch package contents 3.3.484.0 Update SSM-Setup-CLI logs related to checksum validation of latest version 3.3.418.0 Upgrade go-github version from v8 to v61 Increase timeouts in SSM-Setup-CLI Fix darwin build issue in SSM-Setup-CLI Fix the command builder bug to handle space char in input value Fix an inaccurate log when validating allowDowngrade parameter during Agent update Signing SSM Agent vended Windows executables 3.3.380.0 Update AWS GO SDK to v1.51.20 3.3.337.0 Remove yum as package manager in linux install/uninstall script Verify TrustedInstaller status before posting WindowsUpdate information in aws:softwareInventory plugin 3.3.217.0 Add alternative outputs for agent package generation scripts Add support for Oracle 8.8 & 8.9, Rocky 8.8 & 8.9, AlmaLinux 8.8 & 8.9, and RHEL 8.9 & 9.3 Fix flaky integration test Fix setup-cli error code for non English systems Set IPR creds expiry to 30 mins for ssm agent worker Switch installer package manager from rpm to yum on OSes that support yum Upgrade GoLang to version 1.21.8 3.3.131.0 Add integration tests for control channel and data channel module Remove data channel and control channel acknowledgement functionality in MGS Interactor 3.3.40.0 Fix issue to execute aws:updateSSMAgent plugin through aws:rundocument plugin Update Messaging module to switch off ec2messages when ssmmessages connected successfully Update SSM Agent Minor version from 3.2 to 3.3 3.2.2303.0 Add integration tests for control channel module Revert data channel and control channel acknowledgement functionality in MGS Interactor Update Greengrass component minor version to 1.2.4 3.2.2222.0 Upgrade minimum go version in go.mod file to go 1.19 Upgrade go-git package to v5.11.0 Fix for bad default manifest url when updating EC2Config 3.2.2143.0 Fixed plugin path traversal logic Updated aws:application plugin default param Fixed default param in psmodule Upgraded GoLang to version 1.21.5 3.2.2086.0 Added Agent config to configure session logs destination Added data channel acknowledgement functionalities Added redirect handler and timeout for HTTP client Added steps to verify aws-cli installation for domainJoin plugin Added support for Ubuntu 23.04, Debian 11.7 & 12, and SUSE 15.5 Adjusted random number generator logic used to get filename in downloadContent plugin Fixed Agent to gather application inventory from both rpm and dpkg package managers if present in Unix instances Bump golang.org/x/crypto/ssh from 0.14.0 to 0.17.0 3.2.2016.0 Added telemetry for agent core in-proc executor usage Added retries for Agent installation with snap on Greengrass Added code to update Agent config to use only Onprem Identity in Greengrass Added support for macOS 14 (Sonoma) Added Onprem registration support using ssm-setup-cli Fixed docker installation issues in aws:configureDocker plugin Fix for document worker and session worker not logging when custom seelog configuration missing parameters Updated allowed regex pattern in S3 URI Update Agent IoT Greengrass component minor version Updated SUSE version in Seamless Domain Join script Updated Greengrass component workflow to get installed Agent version and update Agent only when the installed Agent version doesn't match with Greengrass component Agent version Upgraded GoLang version that builds agent binaries with to 1.20.11 3.2.1798.0 Bump golang.org/x/net from 0.15.0 to 0.17.0 Upgraded GoLang to version 1.20.10 Fixing race condition in session datachannel unit test 3.2.1705.0 Updated MGS Interactor to send 'Failed' status on agentJob parsing error Added error handling for Linux DomainJoin when service account credentials empty Fix for panic scenario in when running aws:configureDocker plugin Upgraded GoLang to version 1.20.8 Upgraded golang.org/x/net to v0.15.0 Added support for macOS 13 (Ventura) 3.2.1630.0 Fix credential retrieval retry logic in credential refresher Reducing retrieval log level to debug in the credential refresher after more than 3 retrieval retries Fix for EC2 credential retrieval errors not being propagated to the credential refresher Fixing agent version input format validation Fix downloadPlatformOverride for AlmaLinux Fixed issue where removing seelog.xml file doesn't revert minimum log level back to INFO Ignore non-audit files in audit folder 3.2.1542.0 Add aws:updateSSMAgent plugin support for Flatcar Linux Add fix to resolve manifest url during agent update when using stable keyword Fix multiple issues causing tight loops during IPC connection scenarios Sign deb and rpm installer packages for Linux instances using new key Use file based IPC by default for amazon-ssm-agent and ssm-agent-worker communication in Darwin 3.2.1478.0 Added fix to propagate exit code properly when command fails to start Added control channel acknowledgement functionalities Added flag to specify go version used for gosec and govulncheck in static analysis script Added support for RHEL 8.7, 8.8, 9.1, 9.2 Added support for Rocky Linux 8.7, 9.0, 9.1, 9.2 Added support for Oracle Linux 8.7, 9.1, 9.2 Update go version to 1.20.7 3.2.1377.0 Stopped saving instance profile credentials to disk Added static agent security scans to makefile Updated Greengrass component minor version 3.2.1297.0 Added retries to snap uninstall call in setupcli Fix for windows shutdown executable not found when compiled with golang1.19+ Fix to return correct Agent Job ID for ack after AgentJobParseError Pass golang contexts for network calls in agent core to terminate cleanly Remove credential file dependency in agent workers implemented in 3.2.x.x versions Report MGS Connection Channel status to Health table Update Dockerfile to use Golang image from ECR repository 3.2.1241.0 Get bucket region using signed HeadBucket request Updated golang.org/x/net version to 0.10.0 and golang.org/x/crypto version to 0.9.0 Update go version to 1.19.10 3.2.1041.0 Add retry to handle stream data acknowledge messages Support latest as a version in configurePackage plugin Updated AWS GO SDK to v1.44.261 and disabled IMDSv1 fallback logic Use IP address to connect to destination server in port session 3.2.985.0 Add Domain Join support for RHEL 8.7 and AL2022 Add Support to send aws:updateSSMAgent replies through MGS Retrieve and set interface name dynamically in aws:domainJoin plugin for Ubuntu 3.2.923.0 Update Dockerfile Go version to 1.19 Add reporting of MGS connection status Add support for updating to agent version marked stable Add status code to MGS ack and send on message process failure Update golangci-lint configuration Add e2e tag to session shell tests 3.2.815.0 Add EC2 credential fallback for AssumeRoleUnauthorizedAccess error Add CloudWatch log upload support for document and session worker Add set-hostname support in domainjoin plugin for windows Add wait time in Agent updater to avoid installation issues caused during reboots initiated by domainjoin plugin Add support for AlmaLinux Fix KeepHostName parameter without DNS IP address parameter in domainJoin plugin Fix issue where carriage returns cause json conversion to fail in aws:softwareInventory plugin Remove IMDS calls in Onprem during health check Remove S3 global endpoint fallback logic Update cli descriptions for registration parameters Update go version to 1.19.6 Signed-off-by: Adolf Belka Signed-off-by: Arne Fitzenreiter