Release for the following issues:
HTTP Request Smuggling - Flawed Parsing of Transfer-Encoding (Medium)(CVE-2022-32213)
HTTP Request Smuggling - Improper Delimiting of Header Fields (Medium)(CVE-2022-32214)
HTTP Request Smuggling - Incorrect Parsing of Multi-line Transfer-Encoding (Medium)(CVE-2022-32215)
DNS rebinding in --inspect via invalid IP addresses (High)(CVE-2022-32212)
Petr Štetiar [Thu, 16 Jun 2022 11:38:11 +0000 (13:38 +0200)]
libarchive: fix ext2fs build race error condition
libarchive looks for ext2fs headers during configure, and if it finds
them it will expect to find them during compile, or on the rare occasion
when they aren't it will fail:
libarchive/archive_entry.c:59:55: fatal error: ext2fs/ext2_fs.h: No such file or directory
As we just need headers for some type constants, let's re-use headers
from tools/e2fsprogs package which are always available.
Reported-by: Adam Dov <redacted>
Suggested-by: Paul Eggleton <redacted>
References: https://git.yoctoproject.org/poky/commit/?id=f0b9a7cf9f80be1917e45266fa201f464a28c1e5
Signed-off-by: Petr Štetiar <redacted>
modemmanager: explicitly disconnect even if no bearers found
A network restart where netifd is cleanly restarted involves bringing
the network interfaces down. The 'modemmanager' protocol handler will
run a mmcli --simple-disconnect in this case, but only if there are
bearer objects found.
If the network restart happened *during* the connection attempt
procedure, while the modem is e.g. being registered in the network, no
bearer objects exist yet, and so, we would skip doing anything during
the interface teardown operation. This would lead to the original
connection attempt succeeding, so leaving the modem in ModemManager
in connected state, while the associated interface in netifd is
reported down.
Stijn Tintel [Mon, 13 Jun 2022 07:42:29 +0000 (10:42 +0300)]
kea: create /var/run/kea in init script
Kea expects /var/run/kea to exist. Without it, errors occur:
Mon Jun 13 10:31:45 2022 daemon.err kea-dhcp6[2977]: Unable to use interprocess sync lockfile (No such file or directory): /var/run/kea/logger_lockfile
John Audia [Sat, 18 Jun 2022 12:52:17 +0000 (08:52 -0400)]
ncdu: update to 1.17 and add blue option
Upstream bump and add a patch to use a blue highlight color for the dark
color scheme (--color dark) as some users find the default bright green is
too intense.
Note that invoking ncdu without the --color switch uses the upstream
default bright green, so users will need to call ncdu with --color dark in
order to get the blue color.
Rui Salvaterra [Tue, 28 Jun 2022 11:07:30 +0000 (12:07 +0100)]
tor: bump to 0.4.7.8 stable
From the changelog…
o Major bugfixes (congestion control, TROVE-2022-001):
- Fix a scenario where RTT estimation can become wedged, seriously
degrading congestion control performance on all circuits. This
impacts clients, onion services, and relays, and can be triggered
remotely by a malicious endpoint. Tracked as CVE-2022-33903. Fixes
bug 40626; bugfix on 0.4.7.5-alpha.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on June 17, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/06/17.
o Minor bugfixes (linux seccomp2 sandbox):
- Allow the rseq system call in the sandbox. This solves a crash
issue with glibc 2.35 on Linux. Patch from pmu-ipf. Fixes bug
40601; bugfix on 0.3.5.11.
o Minor bugfixes (logging):
- Demote a harmless warn log message about finding a second hop from
warn level to info level, if we do not have enough
descriptors yet. Leave it at notice level for other cases. Fixes
bug 40603; bugfix on 0.4.7.1-alpha.
- Demote a notice log message about "Unexpected path length" to info
level. These cases seem to happen arbitrarily, and we likely will
never find all of them before the switch to arti. Fixes bug 40612;
bugfix on 0.4.7.5-alpha.
o Minor bugfixes (relay, logging):
- Demote a harmless XOFF log message from notice level to info
level. Fixes bug 40620; bugfix on 0.4.7.5-alpha.
- convert autossh into procd instances
- add new uci config options to handle local and remote
port forwarding
- remove hotplug down actions causing service to stop on
any interface down event
Bug Fixes:
- Fix refused startup with openssl <1.1
- Fix compiler issue for Fedora 33 on s390x
- Fix small memory leak in config parser
- Fix lazy certificate check when connecting to TLS servers
- Fix connect is aborted if first host in list has invalid certificate
- Fix setstacksize for glibc 2.34
- Fix system defaults/settings for TLS version not honored
Nick Hainke [Sun, 3 Jul 2022 21:03:01 +0000 (23:03 +0200)]
radcli: update to 1.3.0
- Removed duplicate function definition from util.h
- Increased size of dictionary vendor and values to 32-bits from 16;
this breaks the ABI from the previous release.
- Corrected a string termination issue in rc_avpair_tostr()
- Added functions to create dictionary without a file:
rc_dict_addattr
rc_dict_addval
rc_dict_addvend
The totem-pl-parser library seems to rely on freedesktop.org's MIME-type
definitions to parse playlist files. Without them, parsing will produce
a TOTEM_PL_PARSER_RESULT_IGNORED error.
Javier Marcet [Wed, 29 Jun 2022 12:17:42 +0000 (14:17 +0200)]
python-jsonschema: Update to 4.6.1
What's Changed:
- Type annotate format checker methods by @sirosen
- Fix fuzzer to include instrumentation by @DavidKorczynski
- [pre-commit.ci] pre-commit autoupdate by @pre-commit-ci
Javier Marcet [Sun, 26 Jun 2022 16:24:40 +0000 (18:24 +0200)]
docker-compose: Update to version 2.6.1
Enhancements:
- Support for setting secret from env variable by @ndeloof
Fixes:
- Do not start unrelated dependencies on run by @laurazard
- Fix service not found errors when using --no-deps by @nicksieger
- Respect COMPOSE_REMOVE_ORPHANS env var on down by @nicksieger
- Fix project level bind mounts volumes by @ulyssessouza
- Respect deploy.limits.cpus and deploy.limits.pids by @glours
Internal:
- Upgrade: Go v1.18.3 by @thaJeztah
- Upgrade: compose-go v1.2.8 by @milas
- Upgrade: buildx v0.8.2 by @dependabot
- Upgrade: containerd v1.6.6 by @dependabot
Peter van Dijk [Mon, 20 Jun 2022 14:53:34 +0000 (16:53 +0200)]
dnsdist: switch from liblua to luajit
luajit provides higher performance for requests handled in Lua hooks.
It also enables access to dnsdist functionality only exposed via FFI,
and allows configurations/hooks to call functions in any C library
without providing separate bindings.
collectd: Fix various issues with lantiq dsl metrics.
- Handle bool values correctly. We get the values as bool, but collectd
requires a bool value to be numeric in the range [0, 1].
- Remove profile and mode values. Those are strings, which cannot be
represented by collectd.
- Update collectd type for some values.
- Fix latn value being present twice.
- New major LTS release (https://www.mail-archive.com/haproxy@formilux.org/msg42371.html)
- Sadly, no QUIC/H3 support for now because the QuicTLS library - which is a fork of OpenSSL - would be needed. However, we do not have a package for that and I currently do not want to build and statically link it into the haproxy package
- Update haproxy download URL and hash
Tom Stöveken [Wed, 8 Jun 2022 16:11:00 +0000 (18:11 +0200)]
restic: update to 0.13.1
Tested lantiq/xrx200
Maintainer: Markus Weipert suggested to hand over to me, thank you!
Compile tested: SDK for OpenWrt 21.02.3
Run tested: xRX200 rev 1.2, AVM FRITZ!Box 7360 V2, OpenWrt 21.02.3
collectd: Support configuration of write_http plugin
write_http plugin is already built and shipped in
collectd-mod-write_http, however it is not possible to configure it via
uci currently, instead having to rely on populating the config file manually.
Add support by adding 2 functions, process_write_http() and
process_write_http_node(). First one just enables/disables the plugin.
The second one, in the spirit of the curl plugin, adds support for
populating multiple <Node> elements under <Plugin write_http> with
support for a few parameters. Those are:
* name. The name of the <Node>. Mandatory
* URL. Mandatory
* Format. Optional.
* User. Optional.
* Password. Optional.
* Timeout. Optional.
* BufferSize. Optional.
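As an added illustration of the two-function split described in the commit above (this is example code, not the OpenWrt collectd package's own uci script), the shell below renders the <Plugin write_http> section with one <Node> per input record, enforcing the mandatory name and URL and emitting the optional keys only when set. Function names, the pipe-separated input format and all sample values are constructed for the example.

```shell
#!/bin/sh
# Added example: render collectd's <Plugin write_http> configuration from
# uci-style values. Not the package's code; helper names are hypothetical.

# Emit one <Node> block.
# Arguments: name url [format] [user] [password] [timeout] [buffersize]
# name and URL are mandatory: returns 1 and prints nothing if either is missing,
# so a half-configured node never reaches collectd.conf.
write_http_node() {
	local name="$1" url="$2" format="$3" user="$4" password="$5" timeout="$6" bufsize="$7"
	[ -n "$name" ] && [ -n "$url" ] || return 1
	printf '\t<Node "%s">\n' "$name"
	printf '\t\tURL "%s"\n' "$url"
	[ -n "$format" ]   && printf '\t\tFormat "%s"\n' "$format"
	[ -n "$user" ]     && printf '\t\tUser "%s"\n' "$user"
	[ -n "$password" ] && printf '\t\tPassword "%s"\n' "$password"
	[ -n "$timeout" ]  && printf '\t\tTimeout %s\n' "$timeout"
	[ -n "$bufsize" ]  && printf '\t\tBufferSize %s\n' "$bufsize"
	printf '\t</Node>\n'
}

# Emit the whole plugin section, mirroring the enable/disable-then-nodes split.
# $1 is the enable flag (1/0); stdin carries one record per node in the
# constructed format "name|url|format|user|password|timeout|buffersize".
# A disabled plugin produces no output at all (not even LoadPlugin).
write_http_plugin() {
	local enabled="$1" name url format user password timeout bufsize
	[ "$enabled" = "1" ] || return 0
	echo 'LoadPlugin write_http'
	echo '<Plugin write_http>'
	while IFS='|' read -r name url format user password timeout bufsize; do
		write_http_node "$name" "$url" "$format" "$user" "$password" "$timeout" "$bufsize" ||
			echo "write_http: skipping node '$name': name and URL are mandatory" >&2
	done
	echo '</Plugin>'
}

# Constructed sample input: a fully specified node, a minimal node, and one
# record that is rejected because its URL is empty.
printf '%s\n' \
	'cloud|https://collector.example/write|JSON|metrics|s3cret|10|4096' \
	'local|http://127.0.0.1:9103/collectd' \
	'broken||Command' | write_http_plugin 1
```

Any Password value lands in collectd.conf in plaintext, so the rendered file should be readable only by the user collectd runs as.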