11839
apache: Update to 2.4.58

For details see: https://dlcdn.apache.org/httpd/CHANGES_2.4.58

Excerpt from changelog: "Changes with Apache 2.4.58

*) SECURITY: CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST (cve.mitre.org)
   When a HTTP/2 stream was reset (RST frame) by a client, there was a time window where the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that. This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out. Users are recommended to upgrade to version 2.4.58, which fixes the issue. Credits: Will Dormann of Vul Labs

*) SECURITY: CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with initial windows size 0 (cve.mitre.org)
   An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern. This has been fixed in version 2.4.58, so that such connections are terminated properly after the configured connection timeout. This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57. Users are recommended to upgrade to version 2.4.58, which fixes the issue. Credits: Prof. Sven Dietrich (City University of New York)

*) SECURITY: CVE-2023-31122: mod_macro buffer over-read (cve.mitre.org)
   Out-of-bounds Read vulnerability in mod_macro of Apache HTTP Server. This issue affects Apache HTTP Server: through 2.4.57. Credits: David Shoon (github/davidshoon)"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Matthias Fischer, 7 months ago

11838
Matthias Fischer, 7 months ago

11837
Adolf Belka, 7 months ago

11836
Michael Tremer, 7 months ago

11835
Adolf Belka, 7 months ago

11834
Arne Fitzenreiter, 7 months ago

11833
Arne Fitzenreiter, 7 months ago

11832
Tor: Update to 0.4.8.7

Changes in version 0.4.8.7 - 2023-09-25
This version fixes a single major bug in the Conflux subsystem on the client side. See below for more information. The upcoming Tor Browser 13 stable will pick this up.

o Major bugfixes (conflux):
  - Fix an issue that prevented us from pre-building more conflux sets after existing sets had been used. Fixes bug 40862; bugfix on 0.4.8.1-alpha.

o Minor features (fallbackdir):
  - Regenerate fallback directories generated on September 25, 2023.

o Minor features (geoip data):
  - Update the geoip files to match the IPFire Location Database, as retrieved on 2023/09/25.

Changes in version 0.4.8.6 - 2023-09-18
This version contains an important fix for onion service regarding congestion control and its reliability. Apart from that, unneeded BUG warnings have been suppressed especially about a compression bomb seen on relays. We strongly recommend, in particular onion service operators, to upgrade as soon as possible to this latest stable.

o Major bugfixes (onion service):
  - Fix a reliability issue where services were expiring their introduction points every consensus update. This caused connectivity issues for clients caching the old descriptor and intro points. Bug reported and fixed by gitlab user @hyunsoo.kim676. Fixes bug 40858; bugfix on 0.4.7.5-alpha.

o Minor features (debugging, compression):
  - Log the input and output buffer sizes when we detect a potential compression bomb. Diagnostic for ticket 40739.

o Minor features (fallbackdir):
  - Regenerate fallback directories generated on September 18, 2023.

o Minor features (geoip data):
  - Update the geoip files to match the IPFire Location Database, as retrieved on 2023/09/18.

o Minor bugfix (defensive programming):
  - Disable multiple BUG warnings of a missing relay identity key when starting an instance of Tor compiled without relay support. Fixes bug 40848; bugfix on 0.4.3.1-alpha.

o Minor bugfixes (bridge authority):
  - When reporting a pseudo-networkstatus as a bridge authority, or answering "ns/purpose/*" controller requests, include accurate published-on dates from our list of router descriptors. Fixes bug 40855; bugfix on 0.4.8.1-alpha.

o Minor bugfixes (compression, zstd):
  - Use less frightening language and lower the log-level of our run-time ABI compatibility check message in our Zstd compression subsystem. Fixes bug 40815; bugfix on 0.4.3.1-alpha.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Peter Müller, 7 months ago

11831
Michael Tremer, 8 months ago

11830
Michael Tremer, 8 months ago

11829
Michael Tremer, 8 months ago

11828
Michael Tremer, 8 months ago

11827
Adolf Belka, 8 months ago

11826
sysvinit: Update to version 3.08

- Update from version 3.00 to 3.08
- Update of rootfile
- All the other patches and sed modifications are now built into the source tarball, except for the mountpoint patch which is still needed
- Changelog

3.08
This release focuses on three changes which are basically imports of patches from Gentoo. Special thanks to floppym for supplying these.
Applied a patch from floppym which adds kexec option to the halt command. This can be used as "halt -k".
floppym provided patch which causes the halt command to call "shutdown -h -H" instead of "shutdown -h" when halt is invoked without parameters. This forces the shutdown command to set the INIT_HALT variable and assume, unless other conditions apply, that the "halt" call really wants to halt the machine and INIT_HALT should be set. In other words we assume halt wants to halt unless told otherwise. Addresses downstream Gentoo bug ID 911257.
Updated halt documentation and help output to display parameters in alphabetical order.

3.07
The 3.07 release of SysV init mostly introduces fixes and improvements for the killall5 and pidof programs. (These are actually the same program, but are invoked with two different names, which result in different behaviour.) The main highlights in this release are:
Fixed killall5 so that processes in the omit list are not sent any signals, including SIGSTOP.
Fixed usage message for killall5 to be more accurate.
pidof was not returning PIDs of programs which were launched using a symbolic link. This has been fixed so programs run from a symbolic link show up in process lists.

3.06
Mark Hindley fixed typo in es.po
Mark Hindley cleaned up translation code in src/Makefile.
Drop sulogin from Debian build.
Removed libcrypt-dev dependency.
Fixed pt translation pages which were failing due to mis-matched open/close tags.
Makefile now respects ROOT prefix when setting up pidof-to-killall5 symbolic link.
Removed redundant translation files from man directory.
Makefile now respects DESTDIR. User can specify either ROOT= or DESTDIR= to set install prefix.

3.05
This release (3.05) focuses on two things: Updating the translation framework. Fixing compiling issues on various systems. The second point, compiling, encompasses a few minor changes to get SysV init to build properly on GNU Hurd, systems without certain GNU assumptions, and systems running the latest glibc library (2.36 at time of writing).

3.04
This release contains one minor fix which allows the bootlogd code to properly compile on Debian's GNU Hurd branch.

3.03
This release includes two minor changes. One is fixing a typo in the init manual page (init.8). This fix was offered by Mark Hindley. Mark, and a few other people, also pointed out that a fix in 3.02 for bootlogd introduced reliance on a defined PATH_MAX constant. This is used elsewhere in the code, but is not explicitly defined in bootlogd, which caused bootlogd to not build properly on GNU Hurd and musl C systems. This has been fixed.

3.02
Added q and Q flags to synopsis in shutdown manual page.
Applied fixes for markup and spacing in manual pages. Patch provided by Mario Blattermann.
Added translation framework (po4a) from Mario Blattermann.
Added Makefile for man/ directory. Will handle translations and substitutions.
Applied new translations for multiple languages from Mario Blattermann.
Added ability to use "@" symbol in command named in the inittab file. This treats commands as literal and does not launch a shell to interpret them.
Updated inittab manual page to include overview of symbols which trigger a shell interpreter and how to disable them using the @ symbol.
Introduced change which adds error checking in bootlogd when performing chdir(). - Provided by Alexander Vickberg
Add check for console using TIOCGDEV on Linux systems in bootlogd to make finding console more robust. - Provided by Alexander Vickberg

3.01
Default to showing processes in the uninterruptible state (D). The -z flag no longer affects whether processes in D state are shown. The -z flag does still toggle whether zombie (Z) processes are shown.
Removed unnecessary check which is always true from inittab parsing.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Adolf Belka, 8 months ago

11825
Peter Müller, 8 months ago

11824
Peter Müller, 8 months ago

11823
Arne Fitzenreiter, 8 months ago

11822
Arne Fitzenreiter, 8 months ago

11821
Arne Fitzenreiter, 8 months ago

11820
Arne Fitzenreiter, 8 months ago