The logging "sed-patch" that was introduced for version 20190611 worked poorly:
it was too intrusive (breaking the --logfile option), and it didn't prevent
using in-store file for logging by default. The new logging patch (an actual
"diff-patch") is less intrusive: it just changes the default log file's
location to be the current directory instead of the executable's directory.
Fixes: CVE-2019-14834
A vulnerability was found in dnsmasq before version 2.81, where the
memory leak allows remote attackers to cause a denial of service
(memory consumption) via vectors involving DHCP response creation.
Changelog:
version 2.81
Improve cache behaviour for TCP connections. For ease of
implementaion, dnsmasq has always forked a new process to handle
each incoming TCP connection. A side-effect of this is that
any DNS queries answered from TCP connections are not cached:
when TCP connections were rare, this was not a problem.
With the coming of DNSSEC, it is now the case that some
DNSSEC queries have answers which spill to TCP, and if,
for instance, this applies to the keys for the root, then
those never get cached, and performance is very bad.
This fix passes cache entries back from the TCP child process to
the main server process, and fixes the problem.
Remove the NO_FORK compile-time option, and support for uclinux.
In an era where everything has an MMU, this looks like
an anachronism, and it adds to (Ok, multiplies!) the
combinatorial explosion of compile-time options. Thanks to
Kevin Darbyshire-Bryant for the patch.
Fix line-counting when reading /etc/hosts and friends; for
correct error messages. Thanks to Christian Rosentreter
for reporting this.
Fix bug in DNS non-terminal code, added in 2.80, which could
sometimes cause a NODATA rather than an NXDOMAIN reply.
Thanks to Norman Rasmussen, Sven Mueller and Maciej Żenczykowski
for spotting and diagnosing the bug and providing patches.
Support TCP-fastopen (RFC-7413) on both incoming and
outgoing TCP connections, if supported and enabled in the OS.
Improve kernel-capability manipulation code under Linux. Dnsmasq
now fails early if a required capability is not available, and
tries not to request capabilities not required by its
configuration.
Add --shared-network config. This enables allocation of addresses
by the DHCP server in subnets where the server (or relay) does not
have an interface on the network in that subnet. Many thanks to
kamp.de for sponsoring this feature.
Fix broken contrib/lease_tools/dhcp_lease_time.c. A packet
validation check got borked in commit 2b38e382 and release 2.80.
Thanks to Tomasz Szajner for spotting this.
Fix compilation against nettle version 3.5 and later.
Fix spurious DNSSEC validation failures when the auth section
of a reply contains unsigned RRs from a signed zone,
with the exception that NSEC and NSEC3 RRs must always be signed.
Thanks to Tore Anderson for spotting and diagnosing the bug.
Add --dhcp-ignore-clid. This disables reading of DHCP client
identifier option (option 61), so clients are only identified by
MAC addresses.
Fix a bug which stopped --dhcp-name-match from working when a hostname
is supplied in --dhcp-host. Thanks to James Feeney for spotting this.
Fix bug which caused very rarely caused zero-length DHCPv6 packets.
Thanks to Dereck Higgins for spotting this.
Add --tftp-single-port option.
Enhance --conf-dir to load files in a deterministic order. Thanks to
Evgenii Seliavka for the suggestion and initial patch.
In the router advert code, handle case where we have two
different interfaces on the same IPv6 net, and we are doing
RA/DHCP service on only one of them. Thanks to NIIBE Yutaka
for spotting this case and making the initial patch.
Support prefixed ranges of ipv6 addresses in dhcp-host.
This eases problems chain-netbooting, where each link in the
chain requests an address using a different UID. With a single
address, only one gets the "static" address, but with this
fix, enough addresses can be reserved for all the stages of the
boot. Many thanks to Harald Jensås for his work on this idea and
earlier patches.
Add filtering by tag of --dhcp-host directives. Based on a patch
by Harald Jensås.
Allow empty server spec in --rev-server, to match --server.
Remove DSA signature verification from DNSSEC, as specified in
RFC 8624. Thanks to Loganaden Velvindron for the original patch.
Add --script-on-renewal option.
* treewide Drop unneeded go 1.12 overrides
* Fix packr to be go module compatible.
I updated to version 2.8.0 which is the latest on master.
Then due to the 2 different sets of go modules which are used, I split
the build into two different derivations, then merged them togethor
using symlinkJoin to have the same output structure as the existing derivation.
* Remove consul dependency on go1.12
I updated the consul version to 1.7.2 and flipped it to building using
modules.
* Remove go1.12 from perkeep.
Update the version to the latest unstable on master.
* Update scaleway-cli to not be pinned to go1.12
Switched the version to 1.20
* Update prometheus-varnish-exporter to not depend on go1.12
* Update lnd to build with go1.12
Updated the version
Forced only building subpackages with main to prevent panics over
multiple modules in one repo
* Remove go1.12 from openshift
Had to update the version to 4.1.0 and do a bit of munging to get this
to work
* Remove go1.12 completely.
These are no longer needed.
* Update bazel-watcher and make it build with go 1.14
The package was marked as broken for 3 years, there were no
upstream updates for 8 years, and the program requires third
party services that don't provide APIs to work. I think it's
safe to say that this program is not going to work.
Dear all,
Babeld-1.9.2 is available from
https://www.irif.fr/~jch/software/files/babeld-1.9.2.tar.gzhttps://www.irif.fr/~jch/software/files/babeld-1.9.2.tar.gz.asc
For more information about the Babel routing protocol, please see
https://www.irif.fr/~jch/software/babel/
This is a bug fix release. It fixes two bugs where IPv4 prefixes could be
represented incorrectly, with a range of confusing symptoms ; many thanks
to Faban Bläse for diagnosing the issue. In addition, it fixes incorrect
parsing of unknown address encodings, thanks to Théo Bastian for the fix.
21 April 2020: babeld-1.9.2
* Fixed two issues that could cause IPv4 routes to be represented
incorrectly, with a range of confusing symptoms. Thanks to
Fabian Bläse.
* Fixed incorrect parsing of TLVs with an unknown Address Encoding.
Thanks to Théophile Bastian.
* Fixed access to mis-aligned data structure. Thanks to Antonin Décimo.
-- Juliusz Chroboczek
_______________________________________________
Babel-users mailing list
Babel-users@alioth-lists.debian.nethttps://alioth-lists.debian.net/cgi-bin/mailman/listinfo/babel-users
7-Zip's RAR implementation is built on the non-free UnRAR source code;
DOC/License.txt says:
Licenses for files are:
1) CPP/7zip/Compress/Rar* files: GNU LGPL + unRAR restriction
2) All other files: GNU LGPL
The GNU LGPL + unRAR restriction means that you must follow both
GNU LGPL rules and unRAR restriction rules.
...
unRAR restriction
-----------------
The decompression engine for RAR archives was developed using source
code of unRAR program.
All copyrights to original unRAR code are owned by Alexander Roshal.
The license for original unRAR code has the following restriction:
The unRAR sources cannot be used to re-create the RAR compression algorithm,
which is proprietary. Distribution of modified unRAR sources in separate form
or as a part of other software is permitted, provided that it is clearly
stated in the documentation and source comments that the code may
not be used to develop a RAR (WinRAR) compatible archiver.
The unrar licensing is [infamously restrictive and non-free][fedora];
it's inappropriate for us to keep the RAR support while labelling the
package as free software (and indeed there's a commented-out line
pointing out that the current `meta.license` is false). Unfortunately,
the 7-Zip upstream seems uninterested in replacing the code with a
freely-licensed alternative (see [7-Zip ticket #1229][7zip]).
[fedora]: https://fedoraproject.org/wiki/Licensing:Unrar
[7zip]: https://sourceforge.net/p/sevenzip/feature-requests/1229/
An alternative solution would be to mark the p7zip package as non-free
instead; I decided not to because its other functionality (especially
`.7z` support) is freely-licensed and useful, and there are free
software alternatives for extracting RAR files (e.g. in nixpkgs there's
`archiver`, which is written in a memory-safe language, and `unar`,
which at least doesn't have two patches for CVEs that haven't been
addressed upstream...).
I checked that `7z(1)` fails gracefully on `.rar` files now:
emily@renko ~/tmp> curl -L -O https://www.philippwinterberg.com/download/example.rar
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 5715k 100 5715k 0 0 6716k 0 --:--:-- --:--:-- --:--:-- 6716k
emily@renko ~/tmp> 7z x example.rar
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_CA.UTF-8,Utf16=on,HugeFiles=on,64 bits,8 CPUs x64)
Scanning the drive for archives:
1 file, 5853119 bytes (5716 KiB)
Extracting archive: example.rar
ERROR: example.rar
Can not open the file as archive
Can't open as archive: 1
Files: 0
Size: 0
Compressed: 0
