fixes CVE-2024-25583; also includes changes from 4.8.7 that
fix regressions introduced with the security fixes in 4.8.6
Signed-off-by: Peter van Dijk <peter.van.dijk@powerdns.com>
* move extra_command and EXTRA_HELP to the top of the init file
* add packageCompat variable for compatibility check with WebUI
* add OutputFilter variables for supported resolvers
* simplify adb_check with the use of OutputFilter variables
* add show_blocklist command to display currently blocked domains
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit fb151d5b82)
* fix a processing race condition
* it's now possible to disable the icmp/syn/udp safeguards in pre-routing - set the threshold to '0'.
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 083554094b)
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 0db33e866b)
[added a patch to fix build with go 1.21]
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
The new validation_method option can be: dns, webroot or standalone.
Previously we guessed the challenge type:
1. if the DNS provider is specified then it's dns
2. if standalone=1
3. fallback to webroot
The logic is preserved and if the validation_method wasn't set explicitly we'll guess it in old manner.
Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
This commit adds the following features:
1. UCI support for local DNS over HTTPS/TLS/QUIC server.
2. UCI support for using private reverse DNS.
3. procd jail with CAP_NET_BIND_SERVICE, allowing
dnsproxy to serve on standard ports directly.
Signed-off-by: Emily H. <battery_tag708@simplelogin.com>
(cherry picked from commit 5df794e343)
This swaps the order of the lines in the description so that when LuCI displays only the first line, it still offers some helpful information.
Signed-off-by: Nathan Friedly <nathan@nfriedly.com>
(cherry picked from commit 06ea66c558)
* fixed possible Set search race condition (initiated from LuCI frontend)
* fixed the "no result" Set search problem in LuCI
* removed abandoned feeds: spamhaus edrop (was merged with spamhaus drop)
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit ad755e0c4d)
* added DDoS protection rules in a new pre-routing chain to prevent common ICMP, UDP and SYN flood attacks and drop spoofed tcp flags & invalid conntrack packets, flood thresholds are configured via 'ban_icmplimit' (default 10/s), 'ban_synlimit' (default 10/s) and 'ban_udplimit' (default 100/s)
* the new pre-routing rules are tracked via named nft counters and are part of the standard reporting, set 'ban_logprerouting' accordingly
* block countries dynamically by Regional Internet Registry (RIR)/regions, e.g. all countries related to ARIN. Supported service regions are: AFRINIC, ARIN, APNIC, LACNIC and RIPE, set 'ban_region' accordingly
* it's now possible to always allow certain protocols/destination ports in wan-input and wan-forward chains, set 'ban_allowflag' accordingly - e.g. ' tcp 80 443-445'
* filter/convert possible windows line endings of external feeds during processing
* the cpu core autodetection is now limited to max. 16 cores in parallel, set 'ban_cores' manually to overrule this limitation
* set the default nft priority to -100 for banIP input/forward chains (pre-routing is set to -150)
* update readme
* a couple of bugfixes & performance improvements
* removed abandoned feeds: darklist, ipblackhole
* added new feeds: becyber, ipsum, pallebone, debl (changed URL)
* requires a LuCI frontend update as well (separate PR/commit)
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit fa80fefe22)
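Added illustration, not banIP's own rule set: an nftables fragment in the shape the entry above describes, with a pre-routing chain at priority -150, the three flood limits at their stated defaults, drops for invalid conntrack state and bogus TCP flag combinations, named counters so the drops appear in reporting, and a wan-input accept rule for the quoted 'ban_allowflag' value ' tcp 80 443-445'. Table, chain, counter and interface names are assumed.

```nft
# Constructed example; names are assumed and not taken from banIP.
table inet banip_example {
    # named counters: the drops below are reported through these
    counter cnt_ctinvalid {}
    counter cnt_tcpflags {}
    counter cnt_icmpflood {}
    counter cnt_synflood {}
    counter cnt_udpflood {}

    chain pre-routing {
        # runs after conntrack (priority -200) but before input/forward at -100
        type filter hook prerouting priority -150; policy accept;

        # invalid conntrack packets
        ct state invalid counter name cnt_ctinvalid drop

        # impossible / spoofed TCP flag combinations
        tcp flags & (fin|syn) == (fin|syn) counter name cnt_tcpflags drop
        tcp flags & (syn|rst) == (syn|rst) counter name cnt_tcpflags drop
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter name cnt_tcpflags drop

        # flood thresholds at the defaults quoted in the entry;
        # 'limit rate over' drops only the packets above the rate
        icmp type echo-request limit rate over 10/second counter name cnt_icmpflood drop
        tcp flags & (syn|ack) == syn limit rate over 10/second counter name cnt_synflood drop
        meta l4proto udp limit rate over 100/second counter name cnt_udpflood drop
    }

    chain wan-input {
        type filter hook input priority -100; policy accept;
        # always-allow rule equivalent to ban_allowflag ' tcp 80 443-445'
        iifname "wan" tcp dport { 80, 443-445 } accept
    }
}
```

Load it with `nft -f` on a test box and watch `nft list counters` while generating normal traffic to confirm nothing legitimate lands in the flood counters before lowering the limits.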
* include `server:` directive at the top of unbound file
* update unbound-related outputGzip variable to include full path
* return always_nxdomain for blocked domains
* also update copyright stamp/license
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 474587a1f4)
Maintainer: Stan Grishin <stangri@melmac.ca>
Run tested: aarch64, Dynalink DL-WRX36, Master Branch
Signed-off-by: Sean Khan <datapronix@protonmail.com>
(cherry picked from commit 3cbb7474c3)
Also some spell fixes for README.md
Drop patch-0001 - ntpd >= 4.2.8p16 patched this behaviour. See:
https://bugs.ntp.org/show_bug.cgi?id=3741 (and the linked diff there)
d2a7faef2f
Signed-off-by: Paul Donald <newtwen@gmail.com>
(cherry picked from commit b2742ed05d)
Bump to latest 2.0.25.1 release
Drop upstream PCRE2 patch and alarm memory leak fix.
Rework and refresh patch due to release bump.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit a9371952c9)
Add experimental pcre2 patch and drop pcre in favor of pcre2 library.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 4374c3250f)
Bump to release 2.0.22 to make it easier to apply patch for pcre2
support.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 94ded8ff31)
This release marks a noteworthy milestone in that it includes a
completely new transport layer. It lays the groundwork for fixing some
major design issues and may also already alleviate a variety of issues
seen in previous releases related to connectivity. This change also
deprecates our testbed and ATS subsystem.
This is a new major release. It breaks protocol compatibility with the
0.20.x versions. Please be aware that Git master is thus henceforth
(and has been for a while) INCOMPATIBLE with the 0.20.x GNUnet
network, and interactions between old and new peers will result in
issues. In terms of usability, users should be aware that there are
still a number of known open issues in particular with respect to ease
of use, but also some critical privacy issues especially for mobile
users. Also, the nascent network is tiny and thus unlikely to provide
good anonymity or extensive amounts of interesting information. As a
result, the 0.21.0 release is still only suitable for early adopters
with some reasonable pain tolerance.
v0.21.0:
- Reworked PEERSTORE API
- Added record flag for maintenance records
- ensure traits can be generated with subsystem-specific prefixes for
the symbols
- libgnunettesting first major testing NG refactor towards getting
dependency structure streamlined
- Remove single-use API macro GNUNET_VA_ARG_ENUM
- major revision of blind signature API
- Introduced closure to hold store context when calling function to add
hello in peerstore.
- Added DDLs for handling GNUNET_PEERSTORE_StoreHelloContext
- Removed old hello functionality.
- Refactoring components under src/ into lib/, plugin/, cli/ and
service/
- add support for encoding/decoding double values as part of JSON to
libgnunetjson
- Changed method GNUNET_HELLO_builder_get_expiration_time to not need
parameter GNUNET_HELLO_Builder.
- Code moved to the core package to get rid of circular dependencies.
- Moved code to testing to have more generic test setup, which can be
used not only from within transport.
- The old hello design replaced by the new hello design.
- Added api to get notified when hellos are stored with peerstore
service.
- Added api to store hellos with peerstore service.
- Changed new hello uri api to allow to change the expiration time
- Moved start peer command to testing subsystem.
- Removed all usage of old transport api, beside peerinfo tool,
gnunet-transport cli and usage in transport layer itself.
- Added __attribute__((deprecated)) to the old transport API
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 31e9aea1b6)
v0.20.0:
- GNUNET_TESTING_get_testname_from_underscore renamed to GNUNET_STRINGS_get_suffix_from_binary_name and moved from libgnunettesting to libgnunetutil
- Move GNUNET_s into libgnunetutil.
- re-introduce compiler annotation for array size in signature
- function-signature adjustment due to compiler error
- GNUNET_PQ_get_oid removed, GNUNET_PQ_get_oid_by_name improved
- Added GNUNET_PQ_get_oid_by_name
- added GNUNET_PQ_get_oid()
- Added new CCA-secure KEM and use in IDENTITY encryption
- Add KEM API to avoid ephemeral private key management
- Add new GNUNET_PQ_event_do_poll() API to gnunet_pq_lib.h
- Added API to support arrays in query results
- Improve PQ API documentation.
- API for array types extended for times
- API extended for array query types
- relevant array-types in queries (not results) in postgresql added
- just style fixes, int to enum
- initial steps towards support of array-types in postgresql
- adds GNUNET_JSON_spec_object_const() and GNUNET_JSON_spec_array_const()
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit dbae7f9493)
v0.19.4:
- No changes
v0.19.3:
- We now detect MySQL's strange, version-dependent my_bool type on configure.
- Add pkg-config definitions for gnunet messenger.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit bef5da553f)
- Missing --without-nghttp3 was leaking host includes and breaking the build
- Remove or rename deprecated configure options
- Add --disable-libcurl-option to reduce package size
- Use .xz instead of .bz2 for PKG_SOURCE
Signed-off-by: Aleksey Vasilenko <aleksey.vasilenko@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 30fe2d99ab)
https://curl.se/changes.html#8_5_0
Pick upstream patch to fix build with gnuTLS and verbose strings removed.
The patch should be removed with the next version bump.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit cbdd619c23)