With two patches provided by Onno van der Linden.
## 4.0.0 beta 1
- Resource Efficiency - Use less memory, fewer CPU cycles
- Better Community - Pull requests welcomed and used
- Code Modernization - Rewritten in C++
### New Features
- Support for using BitTorrent v2 torrents and hybrid torrents. (Support for _creating_ v2 and hybrid torrents is slated for an upcoming release.)
- Users can now set "default" trackers that can be used to announce all public torrents.
- Newly-added seeds can start immediately and verify pieces on demand, instead of needing a full verify before seeding can begin.
- Added an option to omit potentially-identifying information (e.g. User-Agent and date created) when creating new torrents.
- The Web client has been rewritten and now supports mobile use.
- When creating new torrents, users can now specify the piece size.
- IPv6 blocklists are now supported.
- Beginning with 4.0.0-beta.1, Transmission releases now use semver versioning.
- Dozens of other new features -- too many to list here! We've been working on this for a year!
### Qt Client
- Support both Qt5 and Qt6
### GTK Client
- Ported to GTKMM
## 4.0.0 beta 2
### Highlights
* Added support for GTK 4.
* Lots of bugfixes!
## 4.0.0 beta 3
Bugfixes.
- Checked compatibility with LibreSSL 3.6/3.7.
- The selected ciphers are now shown during start of sslserver/sslhandle.
- Fixed duplicate symbol in sslhandle (Who).
- Included enhancements and bug fixes from M.C. for dnscache and
queries: no global PTR lookup for ULA addresses, recognition of
.onion domain, considering empty forwarding files and all 16
possible name servers.
- tinydns' split-horizon capabilities are now based on IPv4/IPv6
CIDR addresses.
22:
- Changed ipX_bytestring to return correctly the number of bytes
processed.
21:
- Fixed wrong return code for DNS_COM (tx Franz).
- Fixed header and man page for env functions and included fd_coe
in man fd.
Changes:
2.23.0
------
* `repo fork`: Add `--default-branch-only` flag
* `repo edit`: Add visibility warning
2.22.1
------
* Rename `--confirm` flag to `--yes` for various destructive commands
2.22.0
------
* Add all-new Projects support to issue and PR commands
Commands like `gh issue create --project mytitle` now work with
all-new GitHub Projects, not just with "Projects (classic)" as it was
before. However, an additional OAuth scope is needed to interact with
new Projects. To enable this, run:
`gh auth refresh -h github.com -s project`
* Add `search commits` command
* Add `repo edit --enable-discussions`
* `auth status` now shows token scopes
* `extension create` now makes the initial git commit
[1.1.0] - 2023-02-07
- Added Custom Notifications to inform the user when defined network events
occur:
- data intensity exceeded a defined packets per second rate
- data intensity exceeded a defined bytes per second rate
- new data are exchanged from one of the favorite connections
- Added Settings pages to configure the state of the application (persistently
stored in a configuration file):
- customise notifications
- choose between 4 different application styles
- set the application language (this release introduces the Italian
language 🇮🇹, and more languages will be supported soon)
- Added Geolocation of the remote IP addresses (consult the README for more
information)
- Implemented the possibility of marking a group of connections as favorites
and added favorites view to the report
- Added modal to ask the user for confirmation before leaving the current
analysis
- Added Tooltips to help the user better understand the function of some
buttons
- Partially implemented support for broadcast IP addresses (still missing IPv4
directed broadcast)
- The application window is now maximized after start
- All the GUI text fonts have been replaced with 'Inconsolata'
- Fixed issue #48 adding a horizontal scrollable to the report view
Approved by MAINTAINER (sekiya@).
--- 9.18.11 released ---
6067. [security] Fix serve-stale crash when recursive clients soft quota
is reached. (CVE-2022-3924) [GL #3619]
6066. [security] Handle RRSIG lookups when serve-stale is active.
(CVE-2022-3736) [GL #3622]
6064. [security] An UPDATE message flood could cause named to exhaust all
available memory. This flaw was addressed by adding a
new "update-quota" statement that controls the number of
simultaneous UPDATE messages that can be processed or
forwarded. The default is 100. A stats counter has been
added to record events when the update quota is
exceeded, and the XML and JSON statistics version
numbers have been updated. (CVE-2022-3094) [GL #3523]
6062. [func] The DSCP implementation, which has been
nonfunctional for some time, is now marked as
obsolete and the implementation has been removed.
Configuring DSCP values in named.conf has no
effect, and a warning will be logged that
the feature should no longer be used. [GL #3773]
6061. [bug] Fix unexpected "Prohibited" extended DNS error
on allow-recursion. [GL #3743]
6060. [bug] Fix a use-after-free bug in dns_zonemgr_releasezone()
by detaching from the zone manager outside of the write
lock. [GL #3768]
6059. [bug] In some serve stale scenarios, like when following an
expired CNAME record, named could return SERVFAIL if the
previous request wasn't successful. Consider non-stale
data when in serve-stale mode. [GL #3678]
6058. [bug] Prevent named from crashing when "rndc delzone"
attempts to delete a zone added by a catalog zone.
[GL #3745]
6053. [bug] Fix an ADB quota management bug in resolver. [GL #3752]
6051. [bug] Improve thread safety in the dns_dispatch unit.
[GL #3178] [GL #3636]
6050. [bug] Changes to the RPZ response-policy min-update-interval
and add-soa options now take effect as expected when
named is reconfigured. [GL #3740]
6049. [bug] Exclude ABD hashtables from the ADB memory
overmem checks and don't clean ADB names
and ADB entries used in the last 10 seconds
(ADB_CACHE_MINIMUM). [GL #3739]
6048. [bug] Fix a log message error in dns_catz_update_from_db(),
where serials with values of 2^31 or larger were logged
incorrectly as negative numbers. [GL #3742]
6047. [bug] Try the next server instead of trying the same
server again on an outgoing query timeout.
[GL #3637]
6046. [bug] TLS session resumption might lead to handshake
failures when client certificates are used for
authentication (Mutual TLS). This has been fixed.
[GL #3725]
6045. [cleanup] The list of supported DNSSEC algorithms changed log
level from "warning" to "notice" to match named's other
startup messages. [GL !7217]
6044. [bug] There was an "RSASHA236" typo in a log message.
[GL !7206]
5830. [func] Implement incremental resizing of isc_ht hash tables to
perform the rehashing gradually. The catalog zone
implementation has been optimized to work with hundreds
of thousands of member zones. [GL #3212] [GL #3744]
4.3.0
Bump cibuildwheel to build for Python 3.11 + CI total time speedups
Fix tests that depended on external sites
Complete the Python 3.11 support
Drop CPython 3.6
Improve test compatibility with pytest
Update c-ares submodule to 1.18.1
version 2.89
Fix bug introduced in 2.88 (commit fe91134b) which can result
in corruption of the DNS cache internal data structures and
logging of "cache internal error". This has only been seen
in one place in the wild, and it took considerable effort
to even generate a test case to reproduce it, but there's
no way to be sure it won't strike, and the effect is to break
the cache badly. Installations with DNSSEC enabled are more
likely to see the problem, but not running DNSSEC does not
guarantee that it won't happen. Thanks to Timo van Roermund
for reporting the bug and for his great efforts in chasing
it down.
v0.13.0
Fixed missing option to not install static library
Missing pkgconfig version in v0.12.0 output
Correct return value from amqp_ssl_socket_set_key_buffer
Changed
Remove OpenSSL code no longer needed when used with OpenSSL >= 1.1.0.
Added
Integration with OSS-Fuzz
3.2.3 (2023-01-26)
* Add :endpoint argument when binding
* Add NDR Type Serialization Version 1 structures
* Make the structure more generic and easy to use
3.2.4 (2023-01-30)
* Land #247, Fix rails 7 deprecation warning
* Land #241, Add documentation for kerberos type rc4-hmac
* Land #240, Fix fix_dump_secrets_from_sid Example
* Land #242, Add NDR Type Serialization structures
rabbitmq-c v0.12.0
rabbitmq-c now compiles as C99
CMake 3.12 is new minimum required version
CMake -DBUILD_TESTS renamed to -DBUILD_TESTING
CMake -DBUILD_EXAMPLES now defaults to OFF
CMake -DBUILD_TOOLS now defaults to OFF
Unix library version now matches the release version, SONAME remains the same.
Modernized CMake scripts to better adopt modern standards
Public headers have moved to rabbitmq-c/ directory
Dropped support for MSVC older than VS 2010
Dropped support for OpenSSL v1.1.0 and older
Minimum SSL version set to TLSv1.2
Updated to RabbitMQ framing to v3.8.19
Switch to wxGTK32.
3.63.1 (2023-01-26)
- MSW: Fixed icon sizing issue on high DPI scale factors
3.63.0 (2023-01-24)
- All official FileZilla binares now link against wxWidgets 3.2.1
- Fixed a potential crash when closing FileZilla
- macOS: Fixed tree control scroll position not following the foucsed item
- macOS: Fixed an issue preventing translations into some languages to be loaded
RabbitMQ 3.11.8
Core Server
Enhancements
Stream throughput improvements for workloads with a lot of very small (say, less than 10 bytes)
messages.
CLI Tools
Features
rabbitmqctl hash_password is a new command that produces a hashed value of the provided password.
rabbitmq-diagnostics check_port_connectivity now supports a new optional flag, --address,
that makes the check connect to a specific IP address instead of resolving node's hostname.
This is useful when target node is configured to only listen for connections on one interface
but not others:
rabbitmq-diagnostics check_port_connectivity --address 127.0.0.1
rabbitmq-diagnostics check_port_connectivity --address "::1"
Management Plugin
Bug Fixes
User filtering combined with pagination in the management UI did not work as expected.
Correctly format JSON field value in channel detail API response.
AMQP 1.0 Plugin
Bug Fixes
AMQP 1.0 connection churn resulted in a memory leak.
STOMP Plugin
Bug Fixes
STOMP client subscriptions to a destination that is an AMQP 0-9-1 exchange now declares
auto-delete, exclusive queues (previously only auto-delete) as promised in the docs.
Imported from wip/gnunet
GNUnet is a framework for secure peer-to-peer networking that does not
use any centralized or otherwise trusted services.
A first service implemented on top of the networking layer allows
anonymous censorship-resistant file-sharing.
GNUnet uses a simple, excess-based economic model to allocate
resources.
Peers in GNUnet monitor each others behavior with respect to resource
usage; peers that contribute to the network are rewarded with better
service.
Version 1.19.0 (18 Jan 2023)
bradh352 (18 Jan 2023)
- Prep for 1.19.0 release
- Fix inverted logic in 25523e2
Fix .localhost. handling in prior commit
Fix By: Brad House (@bradh352)
- RFC6761 localhost definition includes subdomains
RFC6761 6.3 states:
The domain "localhost." and any names falling within ".localhost."
We were only honoring "localhost".
Fixes: #477
Fix By: Brad House (@bradh352)
- docs: ARES_OPT_UDP_PORT and ARES_OPT_TCP_PORT docs wrong byte order
As per #487, documentation states the port should be in network byte
order, but we can see from the test cases using MockServers on
different ports that this is not the case, it is definitely in host
byte order.
Fix By: Brad House (@bradh352)
GitHub (18 Jan 2023)
- [hopper-vul brought this change]
Add str len check in config_sortlist to avoid stack overflow (#497)
In ares_set_sortlist, it calls config_sortlist(..., sortstr) to parse
the input str and initialize a sortlist configuration.
However, ares_set_sortlist has not any checks about the validity of the input str.
It is very easy to create an arbitrary length stack overflow with the unchecked
`memcpy(ipbuf, str, q-str);` and `memcpy(ipbufpfx, str, q-str);`
statements in the config_sortlist call, which could potentially cause severe
security impact in practical programs.
This commit add necessary check for `ipbuf` and `ipbufpfx` which avoid the
potential stack overflows.
fixes#496
Fix By: @hopper-vul
bradh352 (18 Jan 2023)
- Fix build due to str-split sed gone wrong
Fix By: Brad House (@bradh352)
- cirrus-ci: switch to scan-build-py for MacOS
MacOS seems to work better with scan-build-py
Fix By: Brad House (@bradh352)
- ares_strsplit* -> ares__strsplit* to comply with internal function naming
Inspired by #495, but was missing test cases and would failed to build.
Fix By: Brad House (@bradh352), Daniel Stenberg (@bagder)
- Cirrus-CI: MacOS Homebrew has changed from /usr/local/opt to /opt/homebrew
Fix paths for homebrew.
Fix By: Brad House (@bradh352)
- cirrus-ci: iOS build needs to use ARM MacOS image
CirrusCI removed Intel-based MacOS images. Need to switch
iOS builds to use new ARM images as well.
Fix By: Brad House (@bradh352)
- cirrus-ci: new MacOS image
Cirrus-CI has recently EOL'd Intel MacOS VMs, switch to the latest
ARM-based image.
Fix By: Brad House (@bradh352)
- acountry was passing stack variable to callback
Recent ASAN versions picked up that acountry was passing stack
variables to ares_gethostbyname() then leaving the stack context.
We will now allocate a buffer for this.
Fix By: Brad House (@bradh352)
GitHub (13 Dec 2022)
- [Daniel Stenberg brought this change]
docs: reformat/cleanup man pages SYNOPSIS sections (#494)
To make them render "nicer" in both terminals and on the website.
- Removes the bold
- Removes .PP lines
- Indents them more like proper code style
Fix By: Daniel Stenberg (@bagder)
- [Nikolaos Chatzikonstantinou brought this change]
bug fix: new ares_strsplit (#492)
* add ares_strsplit unit test
The test reveals a bug in the implementation of ares_strsplit when the
make_set parameter is set to 1, as distinct domains are confused for
equal:
out = ares_strsplit("example.com, example.co", ", ", 1, &n);
evaluates to n = 1 with out = { "example.com" }.
* bugfix and cleanup of ares_strsplit
The purpose of ares_strsplit in c-ares is to split a comma-delimited
string of unique (up to letter case) domains. However, because the
terminating NUL byte was not checked in the substrings when comparing
for uniqueness, the function would sometimes drop domains it should
not. For example,
ares_strsplit("example.com, example.co", ",")
would only result in a single domain "example.com".
Aside from this bugfix, the following cleanup is performed:
1. The tokenization now happens with the help of strcspn instead of the
custom function is_delim.
2. The function list_contains has been inlined.
3. The interface of ares_strsplit has been simplified by removing the
parameter make_set since in practice it was always 1.
4. There are fewer passes over the input string.
5. We resize the table using realloc() down to its minimum size.
6. The docstring of ares_strsplit is updated and also a couple typos
are fixed.
There occurs a single use of ares_strsplit and since the make_set
parameter has been removed, the call in ares_init.c is modified
accordingly. The unit test for ares_strsplit is also updated.
Fix By: Nikolaos Chatzikonstantinou (@createyourpersonalaccount)
bradh352 (23 Oct 2022)
- CirrusCI: update freebsd image
Old FreeBSD image for CirrusCI has issues with newer symbols, update to later one.
Fix By: Brad House (@bradh352)
GitHub (23 Oct 2022)
- [Stephen Sachs brought this change]
Fix Intel compiler deprecated options (#485)
Options `-we ###` and `-wd ###` should not include a whitespace. They are also deprecated and `-diag-error` and `-diag-disable` are their replacements.
Intel compiler 2021.6 is not able to be used in configure without the proposed patch.
Fix By: Stephen Sachs (@stephenmsachs)
- [Jonathan Ringer brought this change]
Allow for CMake to use absolute install paths (#486)
Generated libcares.pc could have bad paths when using absolute paths.
Fix By: Jonathan Ringer (@jonringer)
- [Thomas Dreibholz brought this change]
Fix for issue #488: ensure that the number of iovec entries does not exceed system limits. (#489)
c-ares could try to exceed maximum number of iovec entries supported by system.
Fix By: Thomas Dreibholz (@dreibh)
- [bsergean brought this change]
Add include guards to ares_data.h (#491)
All the other header files in the src/lib folder do have an include guard so it look like an overthought.
Fix By: @bsergean
- [Brad Spencer brought this change]
Fix typo in docs for ares_process_fd (#490)
A single letter was missing
Fix By: Brad Spencer (@b-spencer)
- [lifenjoiner brought this change]
tools: refine help (#481)
fix invalid help options and documentation typos
Fix By: @lifenjoiner
- [lifenjoiner brought this change]
Git: ignore CMake temporary files (#480)
exclude more files from git
Fix By: @lifenjoiner
- [lifenjoiner brought this change]
adig: fix `-T` option (#479)
Helper was missing flag to enable TCP mode of operation.
Fix By: @lifenjoiner
- [Frank brought this change]
Add vcpkg installation instructions (#478)
Update to include vcpkg installation instructions
Fix By: @FrankXie05
- [marc-groundctl brought this change]
Convert total timeout to per-query (#467)
On Apple platforms, libresolv reports the total timeout in retrans, not the per-query time. This patch undoes that math to get the per-query time, which is what c-ares expects. This is not perfect because libresolv is inconsistent on whether the timeout is multiplied by retry or retry+1, but I don't see any way to distinguish these cases.
Fix By: Marc Aldorasi (@marc-groundctl)
- [marc-groundctl brought this change]
Don't include version info in the static library (#468)
The static library should not contain version info, since it would be linked into an executable or dll with its own version info.
Fix By: @marc-groundctl
- [Ridge Kennedy brought this change]
Fix ares_getaddrinfo() numerical address fast path with AF_UNSPEC (#469)
The conversion of numeric IPv4 addresses in fake_addrinfo() is broken when
the family is AF_UNSPEC. The initial call to ares_inet_pton with AF_INET
will succeed, but the subsequent call using AF_INET6 will fail. This results
in the fake_addrinfo() fast path failing, and ares_getaddrinfo() making a
query when none should be required.
Resolve this by only attempting the call to ares_inet_pton with AF_INET6
if the initial call with AF_INET was unsuccessful.
Fix By: Ridge Kennedy (@ridgek)
- [Manish Mehra brought this change]
Configurable hosts path for file_lookup (#465)
This changeset adds support for configurable hosts file
ARES_OPT_HOSTS_FILE (similar to ARES_OPT_RESOLVCONF).
Co-authored-by: Manish Mehra (@mmehra)
bradh352 (27 Apr 2022)
- CMake: Windows DLLs lack version information
The cares.rc was not included in the build for CMake. Conditionally
add it when building for Windows.
Fix By: Brad House (@bradh352)
Fixes Bug: #460
GitHub (27 Apr 2022)
- [Kai Pastor brought this change]
CMake: Guard target creation in exported config (#464)
User projects may call 'find_package(c-ares)' multiple times (e.g.
via dependencies), but targets must be created only once.
Shared and static target must be treated independently.
Fix By: Kai Pastor (@dg0yt)
bradh352 (27 Apr 2022)
- Honor valid DNS result even if other class returned an error
When using ares_getaddrinfo() with PF_UNSPEC, if a DNS server returned
good data on an A record, followed by bad data on an AAAA record, the
good record would be thrown away and an error returned.
If we got a good response from one of the two queries, regardless of
the order returned, we should honor that.
Fix By: Dmitry Karpov (dkarpov@roku.com)
Signed Off By: Brad House (@bradh352)
GitHub (2 Apr 2022)
- [Sam James brought this change]
configure.ac: fix STDC_HEADERS typo (#459)
There is no autoconf macro called STDC_HEADERS. AC_HEADER_STDC however does
exist and it defines the STDC_HEADERS macro for use.
Not clear that STDC_HEADERS from its use in the repo is needed but
would rather not meddle with it for now.
Fixes an annoying warning on `./configure`:
```
/var/tmp/portage/net-dns/c-ares-1.18.1/work/c-ares-1.18.1/configure: 24546: STDC_HEADERS: not found
```
Signed-off-by: Sam James <sam@gentoo.org>
bradh352 (2 Mar 2022)
- Asterisks should be allowed in host validation as CNAMEs may reference wildcard domains
CloudFlare appears to use this logic in CNAMEs as per
https://github.com/nodejs/node/issues/42171Fixes: #457
Fix By: Brad House (@bradh352)
- Don't return on file lookup failure, set status
When resolving a host via /etc/hosts, don't return with a predefined
error as there may be other tries.
Fix By: Brad House (@bradh352)
- 'localhost' special treatment enhancement
Since localhost is special-cased, any errors should be ignored when
reading /etc/hosts as otherwise we could return an error if there
were for instance an invalidly formatted /etc/hosts or if /etc/hosts
had a permissions error while reading.
This exact behavior appears to have been seen on OS/400 PASE
environments which allows AIX binares to run.
Fix By: Brad House (@bradh352)
- If chain building c-ares as part of another project, detect of res_servicename could fail (#451)
If libresolv is already included with the build, c-ares wouldn't properly detect its use.
May fix: #451
Fix by: Brad House (@bradh352)
- no analyze capability on ios
- attempt to use scan-build on ios
- disable tests on ios
- fix switch statement
- code coverage had gotten disabled
- looks like shell expansion doesn't work with cirrus-ci, lets do it another way
- attempt to autobuild for iOS
GitHub (8 Dec 2021)
- [Brad House brought this change]
Windows: rework/simplify initialization code, drop long EOL systems (#445)
There was a lot of windows initialization code specific to the era that predates Windows Vista such as reading DNS configuration from the registry, and dynamically loading libraries to get access to functions that didn't exist in XP or earlier releases.
Vista was released in January 2007, and was EOL'd in 2017, and support for Vista is still maintained with this patch set.
XP was EOL'd in Apr 8 2014.
I believe the last OS based on something earlier than Vista was POSReady 2009, as it was XP based for some reason, and that was EOL'd in January 2019. Considering any POS system falls under the PCI-DSS rules, they aren't allow to run POSReady 2009 any more so there is no reason to try to continue supporting such systems.
We have also targeted with our build system Vista support for the last few years, and while developers could change the target, we haven't had any reports that they have.
bradh352 (9 Nov 2021)
- Fix memory leak in reading /etc/hosts
When an /etc/hosts lookup is performed, but fails with ENOTFOUND, and
a valid RFC6761 Section 6.3 fallback is performed, it could overwrite
variables that were already set and therefore leave the pointers
dangling, never to be cleaned up.
Clean up explicitly on ENOTFOUND when returning from the file parser.
Fixes: #439
Fix By: Brad House (@bradh352)
GitHub (2 Nov 2021)
- [Bobby Reynolds brought this change]
Fix cross-compilation from Windows to Linux due to CPACK logic (#436)
When determining value for CPACK_PACKAGE_ARCHITECTURE, prefer to use
value from CMAKE_SYSTEM_PROCESSOR before falling back to uname output.
Additionally, if building from a Windows host, emit a fatal error
instead of attempting to call uname.
Fix By: Bobby Reynolds (@reynoldsbd)
bradh352 (1 Nov 2021)
- fix coveralls link
- coveralls needs token
- coveralls appears to require git
- fix a couple of coveralls vars
- more coveralls fixes
- add code coverage libs to LDADD instead of _LIBS
- make verbose
- try to fix code coverage building
- need -y for install
- try to fix asan/ubsan/lsan when built with clang. try to support code coverage properly.
- try another path
- fix pip
- attempt to enable some other build types that travis supported
RabbitMQ 3.11.7
Core Server
Bug Fixes
direct_exchange_routing_v2 feature flag could sometimes fail to enable on freshly started nodes.
Enhancements
Improvements to the feature flag subsystem.
Preserve additional information in the log message when heartbeat frame cannot
be sent due to a TCP timeout.
CLI Tools
Bug Fixes
rabbitmqctl add_vhost now coerces a single string value of --tags into an array.
Stream Plugin
Bug Fixes
Core server did not correctly translate empty stream message bodies to AMQP 0-9-1 when a stream was
consumed by an AMQP 0-9-1 (as opposed to RabbitMQ Stream protocol) client.
Web STOMP Plugin
Bug Fixes
ERROR frames delivery is now correctly delivered w.r.t. TCP connection closure for clients that run into
certain types of exceptions.
Contributed by @csicar.
Dependency Upgrades
prometheus.erl was upgraded from 4.9.1 to 4.10.0
Changelog:
Noteworthy changes
Fix escaping space in query part
Set EXIT_STATUS_NETWORK on error for the last try
Fix -k/--convert-links fragment
Fix escapng URLs with -k/--convert-links
Fix false reporting of a PSL error
Fix --directory-prefix with --content-disposition
Allow spaces and \ escaping in passwords in .netrc
Fix download abortion on some versions of Windows
Fix --unlink behavior
Fix deflate decompression when server omits the header
WolfSSL: Fix buffer overflow in SHA512 hashing
WolfSSL: Fix memory leak
Add support for unquoted HTML attribute values
OpenSSL: Fix several OCSP issues
Use keep-alive for HTTP/1.1 and higher as default
Don't create core dumps on CTRL-c
Fix replacing Content-Type: headers
Fix NULL pointer read / segfault
Fix several build issues
Fix several documentation issues
==============================
Release Notes for Samba 4.17.5
January 26, 2023
==============================
This is the latest stable release of the Samba 4.17 release series.
Changes since 4.17.4
--------------------
o Jeremy Allison <jra@samba.org>
* BUG 14808: smbc_getxattr() return value is incorrect.
* BUG 15172: Compound SMB2 FLUSH+CLOSE requests from MacOSX are not handled
correctly.
* BUG 15210: synthetic_pathref AFP_AfpInfo failed errors.
* BUG 15226: samba-tool gpo listall fails IPv6 only - finddcs() fails to find
DC when there is only an AAAA record for the DC in DNS.
* BUG 15236: smbd crashes if an FSCTL request is done on a stream handle.
* BUG 15277: DFS links don't work anymore on Mac clients since 4.17.
* BUG 15283: vfs_virusfilter segfault on access, directory edgecase
(accessing NULL value).
o Samuel Cabrero <scabrero@samba.org>
* BUG 15240: CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5)
based SChannel on NETLOGON (additional changes).
o Volker Lendecke <vl@samba.org>
* BUG 15243: %U for include directive doesn't work for share listing
(netshareenum).
* BUG 15266: Shares missing from netshareenum response in samba 4.17.4.
* BUG 15269: ctdb: use-after-free in run_proc.
o Stefan Metzmacher <metze@samba.org>
* BUG 15243: %U for include directive doesn't work for share listing
(netshareenum).
* BUG 15266: Shares missing from netshareenum response in samba 4.17.4.
* BUG 15280: irpc_destructor may crash during shutdown.
* BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo.
o Andreas Schneider <asn@samba.org>
* BUG 15268: smbclient segfaults with use after free on an optimized build.
o Jones Syue <jonessyue@qnap.com>
* BUG 15282: smbstatus leaking files in msg.sock and msg.lock.
o Andrew Walker <awalker@ixsystems.com>
* BUG 15164: Leak in wbcCtxPingDc2.
* BUG 15265: Access based share enum does not work in Samba 4.16+.
* BUG 15267: Crash during share enumeration.
* BUG 15271: rep_listxattr on FreeBSD does not properly check for reads off
end of returned buffer.
o Florian Weimer <fweimer@redhat.com>
* BUG 15281: Avoid relying on C89 features in a few places.
This module provides efficient receiving functions from the network. recv
uses createAndTrim which behaves as follows:
* Allocates a buffer whose size is decided from the first argument.
* Receives data with the buffer.
* Allocates another buffer whose size fits the received data.
* Copies the data from the first buffer to the second buffer.
On 64bit machines, the global lock is taken for the allocation of a byte
string whose length is larger than or equal to 3272 bytes. So, for
instance, if 4,096 is specified to recv and the size of received data is
3,300, the global lock is taken twice with the copy overhead.
The efficient receiving functions provided here use a buffer pool. A large
buffer is allocated at the beginning and it is divided into a used one and
a leftover when receiving. The latter is kept in the buffer pooll and will
be used next time. When the buffer gets small and usefless, a new large
buffer is allocated.
--- 9.16.37 released ---
6067. [security] Fix serve-stale crash when recursive clients soft quota
is reached. (CVE-2022-3924) [GL #3619]
6066. [security] Handle RRSIG lookups when serve-stale is active.
(CVE-2022-3736) [GL #3622]
6064. [security] An UPDATE message flood could cause named to exhaust all
available memory. This flaw was addressed by adding a
new "update-quota" statement that controls the number of
simultaneous UPDATE messages that can be processed or
forwarded. The default is 100. A stats counter has been
added to record events when the update quota is
exceeded, and the XML and JSON statistics version
numbers have been updated. (CVE-2022-3094) [GL #3523]
6062. [func] The DSCP implementation, which has only been
partly operational since 9.16.0, is now marked as
deprecated. Configuring DSCP values in named.conf
will cause a warning will be logged. [GL #3773]
6060. [bug] Fix a use-after-free bug in dns_zonemgr_releasezone()
by detaching from the zone manager outside of the write
lock. [GL #3768]
6059. [bug] In some serve stale scenarios, like when following an
expired CNAME record, named could return SERVFAIL if the
previous request wasn't successful. Consider non-stale
data when in serve-stale mode. [GL #3678]
6058. [bug] Prevent named from crashing when "rndc delzone"
attempts to delete a zone added by a catalog zone.
[GL #3745]
6050. [bug] Changes to the RPZ response-policy min-update-interval
and add-soa options now take effect as expected when
named is reconfigured. [GL #3740]
6048. [bug] Fix a log message error in dns_catz_update_from_db(),
where serials with values of 2^31 or larger were logged
incorrectly as negative numbers. [GL #3742]
6045. [cleanup] The list of supported DNSSEC algorithms changed log
level from "warning" to "notice" to match named's other
startup messages. [GL !7217]
6044. [bug] There was an "RSASHA236" typo in a log message.
[GL !7206]