Exim version 4.96
-----------------
JH/01 Move the wait-for-next-tick (needed for unique message IDs) from
after reception to before a subsequent reception. This should
mean slightly faster delivery, and also confirmation of reception
to senders.
JH/02 Move from using the pcre library to pcre2. The former is no longer
being developed or supported (by the original developer).
JH/03 Constification work in the filters module required a major version
bump for the local-scan API. Specifically, the "headers_charset"
global which is visible via the API is now const and may therefore
not be modified by local-scan code.
JH/04 Fix ClamAV TCP use under FreeBSD. Previously the OS-specific shim for
sendfile() didi not account for the way the ClamAV driver code called it.
JH/05 Bug 2819: speed up command-line messages being read in. Previously a
time check was being done for every character; replace that with one
per buffer.
JH/06 Bug 2815: Fix ALPN sent by server under OpenSSL. Previously the string
sent was prefixed with a length byte.
JH/07 Change the SMTP feature name for pipelining connect to be compliant with
RFC 5321. Previously Dovecot (at least) would log errors during
submission.
JH/08 Remove stripping of the binaries from the FreeBSD build. This was added
in 4.61 without a reason logged. Binaries will be bigger, which might
matter on diskspace-constrained systems, but debug is easier.
JH/09 Fix macro-definition during "-be" expansion testing. The move to
write-protected store for macros had not accounted for these runtime
additions; fix by removing this protection for "-be" mode.
JH/10 Convert all uses of select() to poll(). FreeBSD 12.2 was found to be
handing out large-numbered file descriptors, violating the usual Unix
assumption (and required by Posix) that the lowest possible number will be
allocated by the kernel when a new one is needed. In the daemon, and any
child procesees, values higher than 1024 (being bigger than FD_SETSIZE)
are not useable for FD_SET() [and hence select()] and overwrite the stack.
Assorted crashes happen.
JH/11 Fix use of $sender_host_name in daemon process. When used in certain
main-section options or in a connect ACL, the value from the first ever
connection was never replaced for subsequent connections. Found by
Wakko Warner.
JH/12 Bug 2838: Fix for i32lp64 hard-align platforms. Found for SPARC Linux,
though only once PCRE2 was introduced: the memory accounting used under
debug offset allocations by an int, giving a hard trap in early startup.
Change to using a size_t. Debug and fix by John Paul Adrian Glaubitz.
JH/13 Bug 2845: Fix handling of tls_require_ciphers for OpenSSL when a value
with underbars is given. The write-protection of configuration introduced
in 4.95 trapped when normalisation was applied to an option not needing
expansion action.
JH/14 Bug 1895: TLS: Deprecate RFC 5114 Diffie-Hellman parameters.
JH/15 Fix a resource leak in *BSD. An off-by-one error resulted in the daemon
failing to close the certificates directory, every hour or any time it
was touched.
JH/16 Debugging initiated by an ACL control now continues through into routing
and transport processes. Previously debugging stopped any time Exim
re-execs, or for processing a queued message.
JH/17 The "expand" debug selector now gives more detail, specifically on the
result of expansion operators and items.
JH/18 Bug 2751: Fix include_directory in redirect routers. Previously a
bad comparison between the option value and the name of the file to
be included was done, and a mismatch was wrongly identified.
4.88 to 4.95 are affected.
JH/19 Support for Berkeley DB versions 1 and 2 is withdrawn.
JH/20 When built with NDBM for hints DB's check for nonexistence of a name
supplied as the db file-pair basename. Previously, if a directory
path was given, for example via the autoreply "once" option, the DB
file.pag and file.dir files would be created in that directory's
parent.
JH/21 Remove the "allow_insecure_tainted_data" main config option and the
"taint" log_selector. These were previously deprecated.
JH/22 Fix static address-list lookups to properly return the matched item.
Previously only the domain part was returned.
JH/23 Bug 2864: FreeBSD: fix transport hang after 4xx/5xx response. Previously
the call into OpenSSL to send a TLS Close was being repeated; this
resulted in the library waiting for the peer's Close. If that was never
sent we waited forever. Fix by tracking send calls.
JH/24 The ${run} expansion item now expands its command string elements after
splitting. Previously it was before; the new ordering makes handling
zero-length arguments simpler. The old ordering can be obtained by
appending a new option "preexpand", after a comma, to the "run".
JH/25 Taint-check exec arguments for transport-initiated external processes.
Previously, tainted values could be used. This affects "pipe", "lmtp" and
"queryprogram" transport, transport-filter, and ETRN commands.
The ${run} expansion is also affected: in "preexpand" mode no part of
the command line may be tainted, in default mode the executable name
may not be tainted.
JH/26 Fix CHUNKING on a continued-transport. Previously the usabliility of
the the facility was not passed across execs, and only the first message
passed over a connection could use BDAT; any further ones using DATA.
JH/27 Support the PIPECONNECT facility in the smtp transport when the helo_data
uses $sending_ip_address and an interface is specified.
Previously any use of the local address in the EHLO name disabled
PIPECONNECT, the common case being to use the rDNS of it.
JH/28 OpenSSL: fix transport-required OCSP stapling verification under session
resumption. Previously verify failed because no certificate status is
passed on the wire for the restarted session. Fix by using the recorded
ocsp status of the stored session for the new connection.
JH/29 TLS resumption: the key for session lookup in the client now includes
more info that a server could potentially use in configuring a TLS
session, avoiding oferring mismatching sessions to such a server.
Previously only the server IP was used.
JH/30 Fix string_copyn() for limit greater than actual string length.
Previously the copied amount was the limit, which could result in a
overlapping memcpy for newly allocated destination soon after a
source string shorter than the limit. Found/investigated by KM.
JH/31 Bug 2886: GnuTLS: Do not free the cached creds on transport connection
close; it may be needed for a subsequent connection. This caused a
SEGV on primary-MX defer. Found/investigated by Gedalya & Andreas.
JH/32 Fix CHUNKING for a second message on a connection when the first was
rejected. Previously we did not reset the chunking-offered state, and
erroneously rejected the BDAT command. Investigation help from
Jesse Hathaway.
JH/33 Fis ${srs_encode ...} to handle an empty sender address, now returning
an empty address. Previously the expansion returned an error.
HS/01 Bug 2855: Handle a v4mapped sender address given us by a frontending
proxy. Previously these were misparsed, leading to paniclog entries.
Also contains commit 51be321b27 "Fix PAM auth. Bug 2813" addressing
CVE-2022-37451.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit f2763b95af)
Use PKG_FIXUP:=autoreconf when building cryptsetup to prevent
accidental linkage against host libraries.
Fixes: #19011
Reported-by: @dreirund
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit ad0ac5198d)
1.5.0 - 27 January 2022, Ludovic Rousseau
- Add support of
- ACS ACR1281U
- Circle CCR7125 ICC
- Circle CIR125 ICC
- Circle CIR125-DOT ICC
- Circle CIR215 CL with iProduct 0x2100
- Circle CIR315 DI
- Circle CIR315 with idProduct: 0x0324
- Circle CIR315 with idProduct: 0x7004
- Circle CIR415 CL
- Circle CIR515 ICC
- Circle CIR615 CL
- Circle CIR615 CL & 1S
- ELYCTIS CL reader
- Nitrokey Nitrokey 3
- Thales Shield M4 Reader
- Add support of simultaneous slot access on multi slots readers
- Use FeliCa instead of Felica on SONY request
- Fix SafeNet eToken 5110 SC issue
- Allow vendor control commands for Omnikey 5427 CK
- always compute readTimeout to use a value greater than default 3 seconds
- Check the bSeq value when receiving a CCID frame
- Avoid logging errors when a reader is removed
- Some other minor improvements
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 0dd218a2fb)
Sync auc with main branch.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 6c9ab0e426)
(cherry picked from commit f1969ab584)
(cherry picked from commit 36525086ce)
(cherry picked from commit fd36c91db8)
When we explicitly declare, that we would like to have curl built with
wolfSSL support using `--with-wolfssl` configure option, then we should
make sure, that we either endup with curl having that support, or it
shouldn't be available at all, otherwise we risk, that we end up with
regressions like following:
configure:25299: checking for wolfSSL_Init in -lwolfssl
configure:25321: x86_64-openwrt-linux-musl-gcc -o conftest [snip]
In file included from target-x86_64_musl/usr/include/wolfssl/wolfcrypt/dsa.h:33,
from target-x86_64_musl/usr/include/wolfssl/wolfcrypt/asn_public.h:35,
from target-x86_64_musl/usr/include/wolfssl/ssl.h:35,
from conftest.c:47:
target-x86_64_musl/usr/include/wolfssl/wolfcrypt/integer.h:37:14: fatal error: wolfssl/wolfcrypt/sp_int.h: No such file or directory
#include <wolfssl/wolfcrypt/sp_int.h>
^~~~~~~~~~~~~~~~~~~~~~~~~~~~
compilation terminated.
and in the end thus produce curl without https support:
curl: (1) Protocol "https" not supported or disabled in libcurl
So fix it, by making the working wolfSSL mandatory and error out in
configure step when that's not the case:
checking for wolfSSL_Init in -lwolfssl... no
configure: error: --with-wolfssl but wolfSSL was not found or doesn't work
References: #19005, #19547
Upstream-Status: Accepted [https://github.com/curl/curl/pull/9682]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 9140f366ef)
The following CVEs are fixed in this release:
* CVE-2022-32212: DNS rebinding in --inspect on macOS (High)
* CVE-2022-32213: bypass via obs-fold mechanic (Medium)
* CVE-2022-35256: HTTP Request Smuggling Due to Incorrect Parsing of Header Fields (Medium)
More detailed information on each of the vulnerabilities can be found in September 22nd 2022 Security Releases blog post.
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
options.h header is needed after bump of libwolfssl to version 5.5.1,
otherwise libcurl autodetection for libwolfssl availability fails and
libcurl is then compiled without https support.
Fixes: #19547
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 317575755a)
(cherry picked from commit ef545e0317)
Signed-off-by: Petr Štetiar <ynezz@true.cz> [commit verbosity]
Change the CONFLICTS line from the libgd-full to libgd to fix a
recursive dependency.
While at it, remove the redundant +LIBGD_TIFF:libtiff
+LIBGD_FREETYPE:libfreetype dependencies from Package/libgd/default.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 085eb34fbf)
As wolfSSL is having hard time maintaining ABI compatibility between
releases, we need to manually force rebuild of packages depending on
libwolfssl and thus force their upgrade. Otherwise due to the ABI
handling we would endup with possibly two libwolfssl libraries in the
system, including the patched libwolfssl-5.5.1, but still have
vulnerable services running using the vulnerable libwolfssl-5.4.0.
So in order to propagate update of libwolfssl to latest stable release
done in commit ec8fb542ec3e4 ("wolfssl: fix TLSv1.3 RCE in uhttpd by
using 5.5.1-stable (CVE-2022-39173)") which fixes several remotely
exploitable vulnerabilities, we need to bump PKG_RELEASE of all packages
using wolfSSL library.
Same bump has been done in buildroot in commit f1b7e1434f66 ("treewide:
fix security issues by bumping all packages using libwolfssl").
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 845d81ca09)
(cherry picked from commit f624e41f38)
Section 'Persistence' in 'luci-app-mosquitto' is unusable without 'persistence'
section in config file.
Signed-off-by: Ptilopsis Leucotis <PtilopsisLeucotis@yandex.com>
Fixes multiple security issues:
CVE-2022-38178 - Fix memory leak in EdDSA verify processing
CVE-2022-3080 - Fix serve-stale crash that could happen when
stale-answer-client-timeout was set to 0 and there was
a stale CNAME in the cache for an incoming query
CVE-2022-2906 - Fix memory leaks in the DH code when using OpenSSL 3.0.0
and later versions. The openssldh_compare(),
openssldh_paramcompare(), and openssldh_todns()
functions were affected
CVE-2022-2881 - When an HTTP connection was reused to get
statistics from the stats channel, and zlib
compression was in use, each successive
response sent larger and larger blocks of memory,
potentially reading past the end of the allocated
buffer
CVE-2022-2795 - Prevent excessive resource use while processing large
delegations
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
(cherry picked from commit 58bcd3fad37eaf56d4dbeecc0c73abe464e7e987)
One of common use cases for SMB3 server in routers is sharing hotplugged
drives. Users make many attempts setting that up which often are not
optimal.
This script handles it in the cleanest way by using:
1. hotplug.d mount subsystem
2. runtime config in the /var/run/config/
It provides a working basic solution that can be later adjusted by
modifying provided hotplug script.
A pretty much idential solution was part of the samba36 package. It was
added in the OpenWrt commit ef1efa756e0d0 ("samba36: add package with
hotplug.d script for auto sharing") as an answer for feature required by
the Rosinson company.
Cc: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit d0406d4c95)
Dynamically created shares shouldn't be stored in the /etc/config/
because of:
1. Flash wearing
2. Risk of inconsistent state on reboots
With this change all automation/hotplug.d scripts can store runtime in
the /var/run/config/samba. It's useful e.g. for USB drives that user
wants to be automatically shared.
Also: automated scripts should never call "uci [foo] commit" as that
could flush incomplete config. This problem also gets solved.
Identical feature was added to samba36 in the OpenWrt commit
5a59e2c059866 ("samba36: append config from /var/run/config/ for runtime
shares") but wasn't ported to ksmbd until now.
Cc: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit c9cba61989)
- Release notes:
https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.38.1
- Update the configuration file to use version 4.0 as mentioned in the
release notes to try the latest changes
Fixes: CVE-2022-38725
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 34b7af9e08)
With heavy system logging which goes by default into `/var/log/messages`
log file which is usually placed in tmpfs/RAM one can trigger OOM killer
fairly easily, thus killing random processes and in some cases making
system unusable.
This is likely happening due to the fact, that Linux by default uses 1/2
of available RAM for tmpfs, which might be for example an issue on low
RAM devices with ath10k wireless.
So let's fix it by adding logrotate functionality which should limit the
size of `/var/log/messages` log file to 1M by default, but could be
tweaked by config knob if needed be.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 660fa63faf)
The full variant should conflict with the default variant. This prevents that
libgd and libgd-full could be installed side by side, and also, the full
variant should provide the libgd. Otherwise, if you install libgd-full,
you can not install vnstat.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 42b36b7180)
This adds conflicts between the variants,
because they provide the same files, and it should not be
possible to install them side by side. Otherwise, it might happen that
half files would be from one variant and the other half from the
other.
Also, adds provides as if you request to install ``vim`` and
``vim-full``, then the request could be satisfied even they collide,
because ``vim-full`` provides ``vim`` package.
Signed-off-by: Karel Kočí <cynerd@email.cz>
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
[add commit message]
(cherry picked from commit 46c058468a)
GitHub CI actions/checkout uses a merge commit which isn't compatible
with our formality checks. Instead checkout the pull request HEAD.
Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit 13c1f2bcda)
