commit 6c8b5444946bd5cadb665ae7f37c7f62fcba2252 Author: Adolf Belka Date: Mon Jan 13 22:41:05 2025 +0100 freeradius: Update to version 3.2.6 - Update from version 3.2.5 to 3.2.6 - Update of rootfile - Changelog 3.2.6 Configuration changes * require_message_authenticator=auto and limit_proxy_state=auto are not applied for wildcard clients. This likely will leave your network in an insecure state. Upgrade all clients! Feature improvements * Allow for "auth+acct" dynamic home servers. * Allow for setting "Home-Server-Pool", etc. for proxying accounting packets, just like authentication packets. * Fix spelling in starent SN[1]-Subscriber-Acct-Mode attribute value. Patch from John Thacker. * Update dictionary.iea. Patch from John Thacker. * Add warning for secrets that are too short. * More debugging for SSL ciphers. Patch from Nick Porter. * Update 3GPP dictionary. Patch from Nick Porter. * Fix ZTE dictionary. * Make radsecret more portable and avoid extra dependencies. * Add timestamp for Client-Lost so we don't think it's 1970. Patch from Alexander Clouter. #5353 Bug fixes * Dynamic clients now inherit require_message_authenticator and limit_proxy_state from dynamic client {...} definition. * Fix radsecret build rules to better support parallel builds. * Checkpoint systems should be reconfigured for the BlastRADIUS attack: https://support.checkpoint.com/results/sk/sk182516 The Checkpoint systems drop packets containing Message-Authenticator, which violates the RFCs and is completely ridiculous. * Fix duplicate CoA packet issue. #5397 * Several fixes in the event code * Don't leak memory in rlm_sql_sqlite. #5392 * Don't stop processing RadSec data too early. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit a08b674d1ba6651a1cbd4a8a29e2a719723caac0 Author: Adolf Belka Date: Thu Jan 16 18:19:10 2025 +0100 libxxhash: Update to version 0.8.3 and make available to rsync - Update from version 0.8.2 to 0.8.3 - Update of rootfile - Move libxxhash to before rsync in make.sh - Changelog 0.8.3 - fix : variant `XXH3_128bits_withSecretandSeed()` could produce an invalid result in some specific set of conditions, #894 by @hltj - cli : vector extension detected at runtime on x86/x64, enabled by default - cli : new commands `--filelist` and `--files-from`, by @Ian-Clowes - cli : XXH3 64-bits GNU format can now be generated and checked (command `-H3`) - portability: LoongArch SX SIMD extension, by @lrzlin - portability: can build on AIX, suggested by @likema - portability: validated for SPARC cpus Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit a32de1bbaec84e18a3284015fda0b0467ca60831 Author: Adolf Belka Date: Thu Jan 16 18:19:09 2025 +0100 rsync: Update to version 3.4.1 - Update from version 3.3.0 to 3.4.1 as the previous patch which went from 3.3.0 to 3.4.0 has only been merged into CU190 and not into next where this patch is being done. Not sure if this will cause problems or not. I updated the PAK_VER of rsynce from 19 to 21 so that it went over the PAK_VER of the version merged into CU190. - If how I have done it is not the best or not correct just let me know how I should do it and I will re-do it. - Update of rootfile not required. - Added in enabling xxhash as we have that available in IPFire as another addon. - Ran rsync -V and confirmed that xxhash is now available to rsync. - Changelog 3.4.1 Release 3.4.1 is a fix for regressions introduced in 3.4.0 BUG FIXES: - fixed handling of -H flag with conflict in internal flag values - fixed a user after free in logging of failed rename - fixed build on systems without openat() - removed dependency on alloca() in bundled popt DEVELOPER RELATED: - fix to permissions handling in the developer release script 3.4.0 (This was already in the previous patch that went from 3.3.0 to 3.4.0 Release 3.4.0 is a security release that fixes a number of important vulnerabilities. For more details on the vulnerabilities please see the CERT report https://kb.cert.org/vuls/id/952657 PROTOCOL NUMBER: - The protocol number was changed to 32 to make it easier for administrators to check their servers have been updated SECURITY FIXES: Many thanks to Simon Scannell, Pedro Gallegos, and Jasiel Spelman at Google Cloud Vulnerability Research and Aleksei Gorban (Loqpa) for discovering these vulnerabilities and working with the rsync project to develop and test fixes. - CVE-2024-12084 - Heap Buffer Overflow in Checksum Parsing. - CVE-2024-12085 - Info Leak via uninitialized Stack contents defeats ASLR. - CVE-2024-12086 - Server leaks arbitrary client files. - CVE-2024-12087 - Server can make client write files outside of destination directory using symbolic links. - CVE-2024-12088 - --safe-links Bypass. - CVE-2024-12747 - symlink race condition. BUG FIXES: - Fixed the included popt to avoid a memory error on modern gcc versions. - Fixed an incorrect extern variable's type that caused an ACL issue on macOS. - Fixed IPv6 configure check INTERNAL: - Updated included popt to version 1.19. DEVELOPER RELATED: - Various improvements to the release scripts and git setup. - Improved packaging/var-checker to identify variable type issues. - added FreeBSD and Solaris CI builds Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 0ba187b4d391d02e3016cc44f313320e6481198b Merge: 47b66afb3 b57bafa35 Author: Arne Fitzenreiter Date: Wed Jan 8 06:33:35 2025 +0100 Merge remote-tracking branch 'origin/core190' commit 47b66afb31a82e239c94c18c9326294669df02ef Author: Arne Fitzenreiter Date: Wed Jan 8 06:32:52 2025 +0100 core191: reship squid and dhcpcd Signed-off-by: Arne Fitzenreiter commit 275533dce4e4a8c35f73b665fab6787f64eeceda Author: Arne Fitzenreiter Date: Wed Jan 8 06:27:52 2025 +0100 core191: ship iplockslist/sources and inuitscript/functions Signed-off-by: Arne Fitzenreiter commit b57bafa358ae77a3d4ac7e721b034ea21d3059a2 Author: Adolf Belka Date: Thu Jan 2 17:29:26 2025 +0100 miniupnpc: revert the addition of this package due to transmission reversion - As transmission has been reverted back to version 4.0.5 then miniupnpc is no longer needed for building or runtime. - This removes the minupnpc lfs and rootfile files. It also removes miniupnpc from the make.sh file. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 699abe572f8f4a56191d73d68ef1034b1174b576 Author: Adolf Belka Date: Thu Jan 2 17:29:25 2025 +0100 transmission: revert version back to 4.0.5 - Revert back from 4.0.6 to 4.0.5 due to a bug in 4.0.6 that has resulted in a variety of torrent mirrors banning transmission-4.0.6 - The update from 4.0.5 to 4.0.6 did not have any security fixes in it so there is no issue in moving backward to 4.0.5 - A fix has been created but it is unclear when (and if) version 4.0.7 will be released. The fix has also been included in version 4.1.0 but this is still in beta development form. - Version 4.0.6 required minupnpc for building and run time. This reversion is also removing miniupnpc in an associated patch in this patch set. - No change required in the rootfile. Signed-off-by: Adolf Belka Reviewed-by: Michael Tremer Signed-off-by: Michael Tremer commit e3b5000b8318591a239125560b9e5fa101a3802e Author: Arne Fitzenreiter Date: Thu Jan 2 10:15:23 2025 +0100 elinks: fix new configuration path Signed-off-by: Arne Fitzenreiter commit 8ceaf358ae36764661c2a70432b78ff879ac845b Author: Arne Fitzenreiter Date: Mon Dec 30 18:52:36 2024 +0100 mpd: disable https peer/host verification if myMPD is serving playlists mpd cannot load this with enabled verification. Signed-off-by: Arne Fitzenreiter commit a3a5c4ee95289ebc906e4406e2f87a246f8acabc Author: Peter Müller Date: Fri Dec 27 09:10:00 2024 +0000 Tor: Update to 0.4.8.13 Full changelog according to https://gitlab.torproject.org/tpo/core/tor/-/blob/tor-0.4.8.13/ChangeLog : Changes in version 0.4.8.13 - 2024-10-24 This is minor release fixing an important client circuit building (Conflux related) bug which lead to performance degradation and extra load on the network. Some minor memory leaks fixes as well as an important minor feature for pluggable transports. We strongly recommend to update as soon as possible for clients in order to neutralize this conflux bug. o Major bugfixes (circuit building): - Conflux circuit building was ignoring the "predicted ports" feature, which aims to make Tor stop building circuits if there have been no user requests lately. This bug led to every idle Tor on the network building and discarding circuits every 30 seconds, which added overall load to the network, used bandwidth and battery from clients that weren't actively using their Tor, and kept sockets open on guards which added connection padding essentially forever. Fixes bug 40981; bugfix on 0.4.8.1-alpha; o Minor feature (bridges, pluggable transport): - Add STATUS TYPE=version handler for Pluggable Transport. This allows us to gather version statistics on Pluggable Transport usage from bridge servers on our metrics portal. Closes ticket 11101. o Minor features (fallbackdir): - Regenerate fallback directories generated on October 24, 2024. o Minor features (geoip data): - Update the geoip files to match the IPFire Location Database, as retrieved on 2024/10/24. o Minor bugfixes (memleak, authority): - Fix a small memleak when computing a new consensus. This only affects directory authorities. Fixes bug 40966; bugfix on 0.3.5.1-alpha. o Minor bugfixes (memory): - Fix memory leaks of the CPU worker code during shutdown. Fixes bug 833; bugfix on 0.3.5.1-alpha. Signed-off-by: Peter Müller Signed-off-by: Arne Fitzenreiter commit 58179c1efdd08019c35e9ad2376b12929e1bbe40 Author: Michael Tremer Date: Mon Dec 30 11:34:13 2024 +0000 samba: Depend on libtalloc Signed-off-by: Michael Tremer Signed-off-by: Arne Fitzenreiter commit fad9bbe3348d2e45fc579801408f955fd89afe1c Author: Arne Fitzenreiter Date: Mon Dec 30 18:43:52 2024 +0100 core191: move existing elinks configuration Signed-off-by: Arne Fitzenreiter commit 7b1ce94f5d9be804fd9ca24c87b42f4d5d310382 Author: Arne Fitzenreiter Date: Mon Dec 30 18:37:23 2024 +0100 elinks: fix config directory the new version has moved the config directioy from ~/.elinks to ~/.config/.elinks Signed-off-by: Arne Fitzenreiter commit 52487fb2a70485bc71f92fdfdf21e65d36354be1 Author: Arne Fitzenreiter Date: Mon Dec 30 18:32:41 2024 +0100 core191: ship ntp ntp is build against OpenSSl and checks if it is linked against the correct version. So ship it to get rid of the ugly message. Signed-off-by: Arne Fitzenreiter commit 1069e68709ce9ea5f294b3cfb9aeb2672f5f9d7b Merge: c6febcc99 4692bdaa5 Author: Arne Fitzenreiter Date: Tue Dec 24 08:48:30 2024 +0100 Merge remote-tracking branch 'origin/next' commit 4692bdaa5fdcd100bc14bb36c3b5ed9d2aadf2a4 Author: Arne Fitzenreiter Date: Tue Dec 24 08:47:40 2024 +0100 core191: update contributors Signed-off-by: Arne Fitzenreiter commit 84ad76dd670324f3b2d920ef0dce64cc69159bd6 Author: Arne Fitzenreiter Date: Mon Dec 23 17:15:22 2024 +0100 core191: ship backup.pl Signed-off-by: Arne Fitzenreiter commit b630334147324d5e05c38acc5b428e67f01b9f87 Author: Adolf Belka Date: Fri Dec 20 11:04:05 2024 +0100 backup.pl: Fix Bug13799 - addon restore not working - This fixes the existence check for the addon .ipf file from a check of existence of a directory to a check of existence of a file. Suggested-by: Bernhard Bitsch Tested-by: Bernhard Bitsch Fixes: Bug13799 Signed-off-by: Adolf Belka Reviewed-by: Bernhard Bitsch Signed-off-by: Arne Fitzenreiter commit 50f8a13985fd804dc6c9a71cccbfd179ae62a732 Author: Michael Tremer Date: Sat Dec 21 10:54:42 2024 +0000 make.sh: Explicitely check the source tarballs The Makefiles do not automatically perform the check that I expected them to perform when running a build. They check if the source tarballs are all present, but they don't check whether they match the checksum. This is only being done when "./make.sh downloadsrc" is being run. In case of the automated builds, we explicitely run "./make.sh downloadsrc", so I don't think that this might have introduced any malicious source into the published builds. Reported-by: Stephen Cuka Signed-off-by: Michael Tremer Signed-off-by: Arne Fitzenreiter commit 1ff1a164b58fbed161f4f4cb464f4e207ec823ac Author: Adolf Belka Date: Fri Dec 20 12:40:02 2024 +0100 libyajl: Removal of addon as no longer required by libvirt - libyajl is no longer being used by libvirt. libvirt now uses json-c which is a core package in IPFire. libyajl was stopped being used as it had not been updated and is considered effectively dead upstream. - lfs, rootfile and libyajl entry in make.sh removed. Signed-off-by: Adolf Belka Reviewed-by: Michael Tremer Signed-off-by: Arne Fitzenreiter commit 3a740522afd2b02ea21798925b99c7a8823e5482 Author: Adolf Belka Date: Fri Dec 20 12:40:01 2024 +0100 libvirt: Update to version 10.10.0 - Update from version 10.7.0 to 10.10.0 - Update of rootfile - version 10.7.0 had a change in it which meant that the script friendly output of ``virsh list --uuid`` was replaced. This change was reverted in version 10.8.0 - In version 10.8.0 libyajl was replaced by json-c for JSON parsing and formatting. Therefore this patch set also removes libyajl from IPFire as it is no longer required. - Changelog 10.10.0 New features * qemu: add multi boot device support on s390x For classical mainframe guests (i.e. LPAR or z/VM installations), you always have to explicitly specify the disk where you want to boot from (or "IPL" from, in s390x-speak -- IPL means "Initial Program Load"). In the past QEMU only used the first device in the boot order to IPL from. With the new multi boot device support on s390x that is available with QEMU version 9.2 and newer, this limitation is lifted. If the IPL fails for the first device with the lowest boot index, the device with the second lowest boot index will be tried and so on until IPL is successful or there are no remaining boot devices to try. Limitation: The s390x BIOS will try to IPL up to 8 total devices, any number of which may be disks or network devices. * qemu: Add support for versioned CPU models Updates to QEMU CPU models with -vN suffix can now be used in libvirt just like any other CPU model. * qemu: Support for the 'data-file' QCOW2 image feature The QEMU hypervisor driver now supports QCOW2 images with 'data-file' feature present (both when probing form the image itself and when specified explicitly via ```` element). This can be useful when it's required to keep data "raw" on disk, but the use case requires features of the QCOW2 format such as incremental backups. * swtpm: Add support for profiles Upcoming swtpm release will have TPM profile support that allows to restrict a TPM's provided set of crypto algorithms and commands. Users can now select profile by using ```` in their TPM XML definition. Improvements * qemu: Support UEFI NVRAM images on block storage Libvirt now allows users to use block storage as backend for UEFI NVRAM images and allows them to be in format different than the template. When qcow2 is used as the format, the images are now also auto-populated from the template. * qemu: Automatically add IOMMU when needed When domain of 'qemu' or 'kvm' type has more than 255 vCPUs IOMMU with EIM mode is required. Starting with this release libvirt automatically adds one (or turns on the EIM mode if there's IOMMU without it). * ch: allow hostdevs in domain definition The Cloud Hypervisor driver (ch) now supports ````-s. * ch: Enable callbacks for ch domain events The Cloud Hypervisor driver (ch) now supports emitting events on domain define, undefine, start, boot, stop and destroy. Bug fixes * qemu: Fix reversion and inactive deletion of internal snapshots with UEFI NVRAM. In `v10.9.0 (2024-11-01)`_ creation of internal snapshots of VMs with UEFI firmware was allowed, but certain operations such as reversion or inactive deletion didn't work properly as they didn't consider the NVRAM qcow2 file. * virnetdevopenvswitch: Warn on unsupported QoS settings For OpenVSwitch vNICs libivrt does not set QoS directly using 'tc' but offloads setting to OVS. But OVS is not as feature full as libvirt in this regard and setting different 'peak' than 'average' results in vNIC always sticking with 'peak'. Produce a warning if that's the case. 10.9.0 New features * qemu: zero block detection for non-shared-storage migration Users can now request that all-zero blocks are not transferred when migrating non-shared disk data without actually enabling zero detection on the disk itself. This allows sparsifying images during migration where the source has no access to the allocation state of blocks at the cost of CPU overhead. This feature is available via the ``--migrate-disks-detect-zeroes`` option for ``virsh migrate`` or ``VIR_MIGRATE_PARAM_MIGRATE_DISKS_DETECT_ZEROES`` migration parameter. See the documentation for caveats. Improvements * qemu: internal snapshot improvements The qemu internal snapshot handling code was updated to use modern commands which avoid the problems the old ones had, preventing use of internal snapshots on VMs with UEFI NVRAM. Internal snapshots of VMs using UEFI are now possible provided that the NVRAM is in ``qcow2`` format. The new code also allows better control when deleting snapshots. To prevent possible regressions no strict checking is done, but in case inconsistent state is encountered a log message is added:: warning : qemuSnapshotActiveInternalDeleteGetDevices:3841 : inconsistent internal snapshot state (deletion): VM='snap' snapshot='1727959843' missing='vda ' unexpected='' extra='' Users are encouraged to report any occurence of the above message along with steps they took to the upstream tracker. * qemu: improve documentation of image format settings The documentation of the various ``*_image_format`` settings in ``qemu.conf`` imply they can only be used to control compression of the image. The documentation has been improved to clarify the settings describe the representation of guest memory blocks on disk, which includes compression among other possible layouts. * Report CPU model blockers in domain capabilities When a CPU model is reported as usable='no' an additional ```` element is added for that CPU model listing features required by the CPU model, but not supported on the host. 10.8.0 Improvements * network: make networks with ```` more useful It is now permissable to have a ```` network that has no IP address assigned to the host's port of the bridge. This is the only way to create a libvirt network where guests are unreachable from the host (and vice versa) and also 0 firewall rules are added on the host. It is now also possible for a ```` network to use the ``zone`` attribute of ```` to set the firewalld zone of the bridge interface (normally it would not be set, as is done with other forward modes). * storage: Lessen dependancy on the ``showmount`` program Libvirt now automatically detects presence of ``showmount`` during runtime as we do with other helper programs and also the ``daemon-driver-storage-core`` RPM package now doesn't strongly depend on it if the users wish for a more minimal deployment. * Switch from YAJL to json-c for JSON parsing and formatting The parser and formatter in the libvirt library, as well as the parsers in the nss plugin were rewritten to use json-c instead of YAJL, which is effectively dead upstream. * Relax restrictions for memorytune settings It should now be possible to use resctrl on AMD CPUs as well as Intel CPUs when the resctrl filesystem is mounted with ``mba_MBps`` option. Bug fixes * virsh: Fix script-friedly output of ``virsh list --uuid`` The script-friendly output of just 1 UUID per line was mistakenly replaced by the full human-targetted table view full of redundant information and very hard to parse. Users who wish to see the UUIDs in the tabular output need to use ``virsh list --table --uuid`` as old behaviour was reverted. Note that this also broke the ``libvirt-guests`` script. The bug was introduced in `v10.7.0 (2024-09-02)`_. * network/qemu: fix some cases where ``device-update`` of a network interface was failing: * If the interface was connected to a libvirt network that was providing a pool of VFs to be used with macvtap passthrough mode, then *any* update to the interface would fail, even changing the link state. Updating (the updateable parts of) a macvtap passthrough interface will now succeed. * It previously was not possible to move an interface from a Linux host bridge to an OVS bridge. This (and the opposite direction) now works. * qemu: backup: Fix possible crashes when running monitoring commands during backup job The qemu monitor code was fixed to not crash in specific cases when monitoing APIs are called during a backup job. * Fix various memleaks and overflows Multiple memory leaks and overflows in corner cases were fixed based on upstream issues reported. * network: Better cleanup after disappeared networks If a network disappeared while virtnetworkd was not running not all clean up was done properly once the daemon was started, especially when only the network interface disappeared. This could have in some cases resulted in the network being shown as inactive, but not being able to start. * qemu: Remember memory backing directory for domains If ``memory_backing_dir`` is changed during the lifetime of a domain with file backed memory, files in the old directory would not be cleaned up once the domain is shut down. Now the directory that was used during startup is remembered for each running domain. Signed-off-by: Adolf Belka Reviewed-by: Michael Tremer Signed-off-by: Arne Fitzenreiter commit f3523a9d7d5577909570d654540774cd8d9ab395 Author: Arne Fitzenreiter Date: Sun Dec 22 17:48:00 2024 +0100 tftpd: leave /var/tftpboot at update or uninstall Signed-off-by: Arne Fitzenreiter commit 8a9507b169af324f4031b4f09ab162131858b065 Author: Arne Fitzenreiter Date: Fri Dec 20 16:30:46 2024 +0100 mympd: update to 19.0.1 Signed-off-by: Arne Fitzenreiter commit 17ad30b9e2aaca5b90df98ceee9ac68a9c68e238 Author: Arne Fitzenreiter Date: Fri Dec 20 07:51:30 2024 +0100 Revert "en.pl: Update the wording for the check on the CA Name for upload" This reverts commit f32ca6cd79124c4fcfc722a2238c1accbfb1a9ff. commit 754451021b7d6fa6aa812b1ac2f017fb118bd383 Author: Arne Fitzenreiter Date: Fri Dec 20 07:51:05 2024 +0100 Revert "vpnmain.cgi: Fix for 2nd part of bug10595" This reverts commit 7b29acfbb597b89837dcbe1b91ef6ef4352f28a6. commit 32fba6d49bcb06b270e08344164e5bb1b55331c7 Author: Arne Fitzenreiter Date: Wed Dec 18 12:30:10 2024 +0100 zabbix-agentd: Update to 6.0.37 (LTS) Full changelog since 6.0.33: - https://www.zabbix.com/rn/rn6.0.34 - https://www.zabbix.com/rn/rn6.0.35 - https://www.zabbix.com/rn/rn6.0.36 - https://www.zabbix.com/rn/rn6.0.37 Signed-off-by: Arne Fitzenreiter commit c6febcc99646c39aeb2989ffd6fe43b5c876ca65 Author: Michael Tremer Date: Wed Dec 18 11:16:56 2024 +0000 core190: Remove a control character in update script Signed-off-by: Michael Tremer commit 211b1a4b8725593cfcbd61b8ff928890cff03603 Author: Robin Roevens Date: Tue Nov 5 23:36:18 2024 +0100 zabbix_agentd: Add IPS throughput and guardian blocked IP count items - Adds Zabbix Agent userparameter `ipfire.ips.throughput.get` for the agent to get details about IPS throughput bypassed/scanned/whitelisted in bytes (JSON) - Adds Zabbix Agent userparameter `ipfire.guardian.blocked.count` for the agent to get the number of currently blocked IP's by Addon: Guardian. Signed-off-by: Robin Roevens Signed-off-by: Arne Fitzenreiter commit 1d1e1d24c3716d45d533b671022a6183887895a7 Author: Adolf Belka Date: Sat Dec 14 13:49:04 2024 +0100 fr.pl: Update to French translations for the optionsfw.cgi page Reported-by: Phil SCAR Fixes: Bug13800 Signed-off-by: Adolf Belka Signed-off-by: Arne Fitzenreiter commit 40f261182851c680b239e5e6fb62e97dc5a40694 Author: Matthias Fischer Date: Wed Dec 11 17:33:21 2024 +0100 monit: Update to 5.34.3 For details see: https://mmonit.com/monit/changes/ "Fixed: If the ping statement did not explicitly specify an outgoing address but a previous ping statement did, the same address was shared by both statements. Fixed: Monit may crash upon stopping if the ping statement is used in conjunction with the address option. Fixed: If a directory is set in the allow option of the set httpd statement, instead of a file or string, Monit hangs on startup." Signed-off-by: Matthias Fischer Reviewed-by: Adolf Belka Signed-off-by: Arne Fitzenreiter commit e80aa493e6f45ca2c4bac70060ef854adcc70bdc Author: Arne Fitzenreiter Date: Wed Dec 18 08:22:28 2024 +0100 core191: ship vpnmain.cgi Signed-off-by: Arne Fitzenreiter commit f32ca6cd79124c4fcfc722a2238c1accbfb1a9ff Author: Adolf Belka Date: Wed Dec 11 12:51:44 2024 +0100 en.pl: Update the wording for the check on the CA Name for upload - This changes the wording to allowing characters and spaces. Fixes: Bug10595 part 2 Tested-by: Adolf Belka Signed-off-by: Adolf Belka Signed-off-by: Arne Fitzenreiter commit 7b29acfbb597b89837dcbe1b91ef6ef4352f28a6 Author: Adolf Belka Date: Wed Dec 11 12:51:43 2024 +0100 vpnmain.cgi: Fix for 2nd part of bug10595 - Bug10595 had two parts in it and was closed after the first part was fixed. The second part was still unfixed at that time. I cam across it when checking out an open bug on a similar issue with OpenVPN. - I found the section that checks on the CA Name and modified it to also allow spaces. - Having modified that then the subroutines getsubjectfromcert and getCNfromcert required to have quotation marks put around the parameter that had the CA Name with spaces in it otherwise the openssl statement only got a filename with the first portion of the ca name until the first space was encountered. - Tested this change out on my vm and it worked fine. I was able to upload a ca certificate into IPSec and use spaces in the CA Name. Fixes: Bug10595 part 2 Tested-by: Adolf Belka Signed-off-by: Adolf Belka Signed-off-by: Arne Fitzenreiter commit 39239d2bc45a91498d243b14e346a804adc4a7f5 Author: Adolf Belka Date: Tue Dec 10 15:11:21 2024 +0100 samba: Update to version 4.21.2 - Update from version 4.21.0 to 4.21.2 - Update of the rootfiles for x86_64, aarch64 & riscv64 - Version 4.21.0 mentioned that LDB is no longer available to build as a distinct tarball. However version 4.21.0 previously built without any problem so it looks like it was still available. Now with version 4.21.2 the lmdb package needs to be available or you have to disable all ldb options. As these options were uncommented in the previous versions of samba, it looks like they are intended to be present. To make this version support in the same way the lmdb package had to be moved so it was built before samba is built. Hence the shift of lmdb in make.sh - Changelog 4.21.2 * BUG 15732: smbd fails to correctly check sharemode against OVERWRITE dispositions. * BUG 15754: Panic in close_directory. * BUG 15752: winexe no longer works with samba 4.21. * BUG 14356: protocol error - Unclear debug message "pad length mismatch" for invalid bind packet. * BUG 15425: NetrGetLogonCapabilities QueryLevel 2 needs to be implemented. * BUG 15740: gss_accept_sec_context() from Heimdal does not imply GSS_C_MUTUAL_FLAG with GSS_C_DCE_STYLE. * BUG 15749: winbindd should call process_set_title() for locator child. * BUG 15320: Update CTDB to track all TCP connections to public IP addresses. 4.21.1 * BUG 15624: DH reconnect error handling can lead to stale sharemode entries. * BUG 15695: "inherit permissions = yes" triggers assert() in vfs_default when creating a stream. * BUG 15715: Samba 4.21.0 broke FreeIPA domain member integration. * BUG 15692: Missing conversion for msDS-UserTGTLifetime, msDS- ComputerTGTLifetime and msDS-ServiceTGTLifetime on "samba-tool domain auth policy modify". * BUG 15280: irpc_destructor may crash during shutdown. * BUG 15624: DH reconnect error handling can lead to stale sharemode entries. * BUG 15649: Durable handle is not granted when a previous OPEN exists with NoOplock. * BUG 15651: Durable handle is granted but reconnect fails. * BUG 15708: Disconnected durable handles with RH lease should not be purged by a new non conflicting open. * BUG 15714: net ads testjoin and other commands use the wrong secrets.tdb in a cluster. * BUG 15726: 4.21 using --with-system-mitkrb5 requires MIT krb5 1.16 as rfc 8009 etypes are used. * BUG 15730: VFS_OPEN_HOW_WITH_BACKUP_INTENT breaks shadow_copy2. * BUG 15643: Samba 4.20.0 DLZ module crashes BIND on startup. * BUG 15721: Cannot build libldb lmdb backend on a build without AD DC. * BUG 15706: Consistent log level for sighup handler. Signed-off-by: Adolf Belka Signed-off-by: Arne Fitzenreiter commit b0fd6b1fd53dcbe6fb7b539555969b891609d197 Author: Adolf Belka Date: Tue Dec 10 14:23:55 2024 +0100 suricata.yaml: Fix bug13646 - Adjust the include syntax to use array format - Suricata-8.x will only accept include statements in array format and not in multiple single lines. Suricata-7.x still accepts the multiple single lines but flags up that the format is deprecated and will be removed in suricata-8.x - This patch adjusts the address-groups include into the array format. - This change has been tested out on my vm and the IPS started up and from the logs you can see that all the include files were taken on board and the derprecation message is no longer shown. - This change can be implemented with Suricata-7.x and will make sure that IPFire has the include syntax that Suricata-8.x will require. Fixes: Bug13646 Tested-by: Adolf Belka Signed-off-by: Adolf Belka Reviewed-by: Michael Tremer Signed-off-by: Arne Fitzenreiter commit 87c37fa5bc94dd5bb9655bdf3359eb8d482874e9 Author: Adolf Belka Date: Mon Dec 9 12:42:51 2024 +0100 update.sh: Remove the lines related to FEODO_RECOMMENDED - This removes the lines related to removing any time entries in the modified file for FEODO_RECOMMENDED. - This also removes the lines realted to removing the blocklists for the FEODO_RECOMMENDED sources from the /var/lib/ipblocklist directory. - This patch will ensure that FEODO_RECOMMENDED stays in place if it was being used. Signed-off-by: Adolf Belka Signed-off-by: Arne Fitzenreiter commit c178f3f6fff1948bdf41b0ba71530992f9acf5c4 Author: Adolf Belka Date: Mon Dec 9 12:42:50 2024 +0100 sources: Replacement of Feodo Recommended Tracker list to ipblocklist sources file - FEODO_RECOMMENDED list is still being updated but the number of events can be very low. However as it is still active then it has been added back in as discussed in the Dev Conf Call on Nov 4th. - FEODO_IP list covers any IP that has been detected as a botnet in the last 30 days. This could lead to false positives if the botnet has been fixed within one day of being detected. So it was agreed that this list would stay removed. - FEODO_AGGRESSIVE list contains all IP's that havce ever been detected as botnets since the list was started. It is not intended to be used for blocking as it would have a huge false positive effect. This list will also stay removed as it should not have been included originally. - This patch set adds back in the FEODO_RECOMMENDED list into the sources file and in the associated patch for the update.sh file removes the lines that removed the files related to FEODO_RECOMMENDED. Signed-off-by: Adolf Belka Signed-off-by: Arne Fitzenreiter commit 7f958c7254b3188f7f18c72603ff98dfcdcdc865 Author: Arne Fitzenreiter Date: Wed Dec 18 08:19:21 2024 +0100 core191: ship sqlite Signed-off-by: Arne Fitzenreiter commit 6e28bcb4b22f3ccb4f18163c5a6d65008c9b4172 Author: Adolf Belka Date: Mon Dec 9 12:11:13 2024 +0100 sqlite: Update to version 3470200 - Update from version 3460100 to 3470200 - Update of rootfile not required - Changelog 3470200 Fix a problem in text-to-floating-point conversion for SQLite that can cause values between '1.8446744073709550592eNNN' and '1.8446744073709551609eNNN' for any exponent NNN to be rendered incorrectly. In other words, some numeric text values where the first 16 significant digits are '1844674407370955' might be converted into the wrong floating-point value. See forum thread 569a7209179a7f5e. This problem only arises on x64 and i386 hardware. The problem was introduced in 3.47.0. Other minor bug fixes. 3470100 Fix the makefiles so that they once again honored DESTDIR for the "install" target. Add the SQLITE_IOCAP_SUBPAGE_READ capability to the VFS, to work around issues on some non-standard VFSes caused by making SQLITE_DIRECT_OVERFLOW_READ the default in version 3.45.0. Fix problems with line endings in the new sqlite3_rsync.exe utility on Windows. Fix incorrect answers to certain obscure IN queries caused by new query optimizations added in the 3.47.0 release. Other minor bug fixes. 3470000 Allow arbitrary expressions in the second argument to the RAISE function. If the RHS of the ->> operator is negative, then access array elements counting from the right. Fix a problem with rolling back hot journal files in the seldom-used unix-dotfile VFS. FTS5 tables can now be dropped even if they use a non-standard tokenizer that has not been registered. Fix the group_concat() aggregate function so that it returns an empty string, not a NULL, if it receives a single input value which is an empty string. Enhance the generate_series() table-valued function so that it is able to recognize and use constraints on its output value. Preupdate hooks now recognize when a column added by ALTER TABLE ADD COLUMN has a non-null default value. Performance optimizations: Improved reuse of subqueries associated with the IN operator, especially when the IN operator has been duplicated due to predicate push-down. Use a Bloom filter on subqueries on the right-hand side of the IN operator, in cases where that seems likely to improve performance. Ensure that queries like "SELECT func(a) FROM tab GROUP BY 1" only invoke the func() function once per row. No attempt is made to create automatic indexes on a column that is known to be non-selective because of its use in other indexes that have been analyzed. Adjustments to the query planner so that it produces better plans for star queries with a large number of dimension tables. Add the "order-by-subquery" optimization, that seeks to disable sort operations in outer queries if the desired order is obtained naturally due to ORDER BY clauses in subqueries. The "indexed-subtype-expr" optimization strives to use expressions that are part of an index rather than recomputing the expression based on table values, as long as the query planner can prove that the subtype of the expression will never be used. Miscellaneous coding tweaks for faster runtimes. Enhancements to SQLite-related command-line programs: Add the experimental sqlite3_rsync program. Add extension functions median(), percentile(), percentile_cont(), and percentile_disc() to the CLI. Add the .www dot-command to the CLI. The sqlite3_analyzer utility now provides a break-out of statistics for WITHOUT ROWID tables. The sqldiff utility avoids creating an empty database if its second argument does not exist. Enhance the sqlite_dbpage table-valued function such that INSERT can be used to increase or decrease the size of the database file. SQLite no longer makes any use of the "long double" data type, as hardware support for long double is becoming less common and long double creates challenges for some compiler tool chains. Instead, SQLite uses Dekker's algorithm when extended precision is needed. The TCL Interface for SQLite supports TCL9. Everything probably still works for TCL 8.5 and later, though this is not guaranteed. Users are encouraged to upgrade to TCL9. JavaScript/WASM: Fix a corruption-causing bug in the JavaScript "opfs" VFS. Correct "mode=ro" handling for the "opfs" VFS. Work around a couple of browser-specific OPFS quirks. FTS5 Changes: Add the fts5_tokenizer_v2 API and the locale=1 option, for creating custom locale-aware tokenizers and fts5 tables that may take advantage of them. Add the contentless_unindexed=1 option, for creating contentless fts5 tables that store the values of any UNINDEXED columns persistently in the database. Allow an FTS5 table to be dropped even if it uses a custom tokenizer whose implementation is not available. Signed-off-by: Adolf Belka Signed-off-by: Arne Fitzenreiter commit 03654da62fcc226548acedb506c489ec0c1b05b3 Author: Arne Fitzenreiter Date: Wed Dec 18 08:17:54 2024 +0100 core191: ship connections.cgi Signed-off-by: Arne Fitzenreiter commit 65e0b783ad3691f12a3cc0e41533b92c93bb13ac Author: Michael Tremer Date: Fri Dec 6 16:44:17 2024 +0000 connections.cgi: Support CIDR notation Signed-off-by: Michael Tremer Signed-off-by: Arne Fitzenreiter commit e95be58de99879e58d1c3d7df25f18a848f1f16f Author: Michael Tremer Date: Fri Dec 6 16:44:16 2024 +0000 connections.cgi: Fix importing Wireguard peers Signed-off-by: Michael Tremer Signed-off-by: Arne Fitzenreiter commit 16cf9f1230da4f0056a65a85a352a5e6c97a67ee Author: Michael Tremer Date: Fri Dec 6 16:44:15 2024 +0000 connections.cgi: Ignore empty interfaces Parsing any custom routes for any custom interfaces was broken so that arbitrary routes were imported when not all interfaces were in use. Signed-off-by: Michael Tremer Signed-off-by: Arne Fitzenreiter commit 00599ec3b0f8df56b65c53cabb90567bb4b92af0 Author: Michael Tremer Date: Fri Dec 6 16:44:14 2024 +0000 connections.cgi: Fix colour of destination country Signed-off-by: Michael Tremer Reviewed-by: Bernhard Bitsch Signed-off-by: Arne Fitzenreiter commit ff4ff2cfe0c8565a431bf499708dcb6e5c2fb3dc Author: Michael Tremer Date: Fri Dec 6 16:42:17 2024 +0000 initscripts: readhash: Fix handling = signs The function expected that a line only contains exactly one equals sign (=) which is not fit for purpose. In the WireGuard code we hold key material that is encoded in base64 and therefore contains padding that uses =. This patch fixes that we expect exactly one equals sign immediately after the key and we will then accept more = in the value - which was already permitted. Furthermore, this patch fixes the splitting if the key and value at the first =. Signed-off-by: Michael Tremer Signed-off-by: Arne Fitzenreiter commit 73661e5ee1acc30e40e41493c8dfca10aa1097d0 Author: Michael Tremer Date: Fri Dec 6 16:42:16 2024 +0000 initscripts: readhash: Only strip quotes if they exist Signed-off-by: Michael Tremer Signed-off-by: Arne Fitzenreiter commit 71ba9e8fb128c39f1d1e215cbff2cd9a5132c1bd Author: Michael Tremer Date: Fri Dec 6 16:42:15 2024 +0000 tests: Fix path to bash Signed-off-by: Michael Tremer Signed-off-by: Arne Fitzenreiter commit f1a1b3775aa12317e94dbdbe1e32898393f72bfa Author: Adolf Belka Date: Thu Dec 5 14:16:46 2024 +0100 libtalloc: Update to version 2.4.2 plus moved before cifs-utils - Update from version 2.4.1 to 2.4.2 - Update of rootfile - Moved to before cifs-utils in make.sh as now a required dependency for cifs-utils - The last changelog is recorded in the sourcde tarball is from 2007 and I have been unable to find anywhere where the changes can be identified. So updated on the principle of having the latest version and both samba and cifs-utils now require it. Signed-off-by: Adolf Belka Signed-off-by: Arne Fitzenreiter commit 6fbe2b92346f173cd8de217adeb1a9aa0dc382a9 Author: Adolf Belka Date: Thu Dec 5 14:16:45 2024 +0100 cifs-utils: Update to version 7.1 - Update from version 7.0 to 7.1 - Update of rootfile not required - libtalloc now required as a build and run-time dependency for cifs-utils - Changelog 7.1 LDAP Ping capability smbinfo adds gettconinfo command Various improvements to man pages Detailed list of changes since 7.0 was released: 0fae4c7 cifs-utils: bump version to 7.1 2cd7b1f cifs: update documentation for sloppy mount option 9918019 docs: add closetimeo description c4c30b5 docs: add compress description 454870a checkopts: update it to work with latest kernel version 465f213 cifs-utils: add documentation for multichannel and max_channels b3fe25c cifs-utils: smbinfo: add gettconinfo command c6bf4d9 Implement CLDAP Ping to find the closest site 4718e09 (for-next) mount.cifs.rst: update section about xattr/acl support e7ec003 mount.cifs.rst: add missing reference for sssd 3870f5b getcifsacl, setcifsacl: add missing include for le32toh c8ec7d1 getcifsacl, setcifsacl: add missing include for XATTR_SIZE_MAX 25d6552 cifs-utils: Make automake treat /sbin as exec, not data dac3301 pam_cifscreds: fix warning on NULL arg passed to %s in pam_syslog() 7314638 cifs.upcall: fix UAF in get_cachename_from_process_env() ef0d95e cifs-utils: add documentation for acregmax and acdirmax 2260c0d setcifsacl: Fix uninitialized value. 1eee8e8 Use explicit "#!/usr/bin/python3" Signed-off-by: Adolf Belka Signed-off-by: Arne Fitzenreiter