Peter Müller [Wed, 23 Mar 2022 11:12:31 +0000 (11:12 +0000)]
Switch checksums from MD5 to BLAKE2
Historically, the MD5 checksums in our LFS files serve as a protection
against broken downloads, or accidentally corrupted source files.
While the sources are nowadays downloaded via HTTPS, it make sense to
beef up integrity protection for them, since transparently intercepting
TLS is believed to be feasible for more powerful actors, and the state
of the public PKI ecosystem is clearly not helping.
Therefore, this patch switches from MD5 to BLAKE2, updating all LFS
files as well as make.sh to deal with this checksum algorithm. BLAKE2 is
notably faster (and more secure) than SHA2, so the performance penalty
introduced by this patch is negligible, if noticeable at all.
In preparation of this patch, the toolchain files currently used have
been supplied with BLAKE2 checksums as well on
https://source.ipfire.org/.
Cc: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremeripfire.org>
Peter Müller [Mon, 21 Mar 2022 13:30:40 +0000 (13:30 +0000)]
Core Update 166: Drop orphaned convert-ovpn script
This script only appeared in conjunction with Core Update 75, released
January 2014. Although it is still being executed while restoring a
backup, it would only be effective if anyone tried to restore a backup
created before C75.
I don't think there is a realistic need to carry this script along any
further. In doubt, it might be better to start from scratch again rather
than trying to restore an 8 year old backup, expecting everything to be
peachy and vanilla with it.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
For the time being, shipping this was found to be too difficult, since
we cannot get linux-firmware down to an acceptable size limit.
Compressing the firmware on installations would work, but takes about 4
minutes on an Intel Xenon CPU alone, hence it is an unacceptable
workload to do for IPFire installation running on weaker hardware.
Therefore, we do not proceed with this at the moment.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Peter Müller [Thu, 31 Mar 2022 07:08:19 +0000 (07:08 +0000)]
zlib: Update to 1.2.12
Full changelog, as retrieved from https://www.zlib.net/ChangeLog.txt :
Changes in 1.2.12 (27 Mar 2022)
- Cygwin does not have _wopen(), so do not create gzopen_w() there
- Permit a deflateParams() parameter change as soon as possible
- Limit hash table inserts after switch from stored deflate
- Fix bug when window full in deflate_stored()
- Fix CLEAR_HASH macro to be usable as a single statement
- Avoid a conversion error in gzseek when off_t type too small
- Have Makefile return non-zero error code on test failure
- Avoid some conversion warnings in gzread.c and gzwrite.c
- Update use of errno for newer Windows CE versions
- Small speedup to inflate [psumbera]
- Return an error if the gzputs string length can't fit in an int
- Add address checking in clang to -w option of configure
- Don't compute check value for raw inflate if asked to validate
- Handle case where inflateSync used when header never processed
- Avoid the use of ptrdiff_t
- Avoid an undefined behavior of memcpy() in gzappend()
- Avoid undefined behaviors of memcpy() in gz*printf()
- Avoid an undefined behavior of memcpy() in _tr_stored_block()
- Make the names in functions declarations identical to definitions
- Remove old assembler code in which bugs have manifested
- Fix deflateEnd() to not report an error at start of raw deflate
- Add legal disclaimer to README
- Emphasize the need to continue decompressing gzip members
- Correct the initialization requirements for deflateInit2()
- Fix a bug that can crash deflate on some input when using Z_FIXED
- Assure that the number of bits for deflatePrime() is valid
- Use a structure to make globals in enough.c evident
- Use a macro for the printf format of big_t in enough.c
- Clean up code style in enough.c, update version
- Use inline function instead of macro for index in enough.c
- Clarify that prefix codes are counted in enough.c
- Show all the codes for the maximum tables size in enough.c
- Add gznorm.c example, which normalizes gzip files
- Fix the zran.c example to work on a multiple-member gzip file
- Add tables for crc32_combine(), to speed it up by a factor of 200
- Add crc32_combine_gen() and crc32_combine_op() for fast combines
- Speed up software CRC-32 computation by a factor of 1.5 to 3
- Use atomic test and set, if available, for dynamic CRC tables
- Don't bother computing check value after successful inflateSync()
- Correct comment in crc32.c
- Add use of the ARMv8 crc32 instructions when requested
- Use ARM crc32 instructions if the ARM architecture has them
- Explicitly note that the 32-bit check values are 32 bits
- Avoid adding empty gzip member after gzflush with Z_FINISH
- Fix memory leak on error in gzlog.c
- Fix error in comment on the polynomial representation of a byte
- Clarify gz* function interfaces, referring to parameter names
- Change macro name in inflate.c to avoid collision in VxWorks
- Correct typo in blast.c
- Improve portability of contrib/minizip
- Fix indentation in minizip's zip.c
- Replace black/white with allow/block. (theresa-m)
- minizip warning fix if MAXU32 already defined. (gvollant)
- Fix unztell64() in minizip to work past 4GB. (Daniël Hörchner)
- Clean up minizip to reduce warnings for testing
- Add fallthrough comments for gcc
- Eliminate use of ULL constants
- Separate out address sanitizing from warnings in configure
- Remove destructive aspects of make distclean
- Check for cc masquerading as gcc or clang in configure
- Fix crc32.c to compile local functions only if used
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Michael Tremer [Tue, 29 Mar 2022 09:48:56 +0000 (09:48 +0000)]
linux-firmware: Hardlink any identical firmware files
Some files are identical which is why we don't need to ship them mutiple
times. This will save about 13 MiB of disk space and presumably the same
on the compressed distro image.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Fri, 25 Mar 2022 16:41:31 +0000 (17:41 +0100)]
monit: Update to 5.32.0
For details see:
https://mmonit.com/monit/changes/
"Fixed: Issue #1028: If the Monit statefile was removed, the monit
start <service> action for services with onreboot nostart option
started the service, but did not enable monitoring of said service.
The same problem occurred if a new onreboot nostart service was
added, even if the statefile did exist.
Fixed: Issue #1029: The generic protocol test truncated received
data if the response contained zeros.
Fixed: PAM authentication: Users with a valid password for
a disabled account could still login to Monit. Thanks to Youssef
Rebahi-Gilbert.
Fixed: The Monit HTTP interface could be blocked by sending
a request with an infinite stream of HTTP headers. Thanks to Youssef
Rebahi-Gilbert for report."
For more details see:
https://bitbucket.org/tildeslash/monit/commits/tag/release-5-32-0
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 24 Mar 2022 09:09:05 +0000 (09:09 +0000)]
alsa: Do not ship compressed firmware again
This package installs some firmware files. Since linux-firmware is now
compressed, files will no longer be overwritten, but this package will
put the uncompressed files next to the compressed ones.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 21 Mar 2022 19:07:06 +0000 (19:07 +0000)]
misc-progs: Set a reasonable default PATH variable
We have some scripts in /usr/local/bin which cannot be found by any
misc-progs which is fixed by this patch.
Fixes: #12811 Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Tested-by: Adolf Belka <adolf.belka@ipfire.org> Tested-by: Bernhard Bitsch <bernhard.bitsch@ipfire.org>
Stefan Schantl [Wed, 23 Mar 2022 17:08:52 +0000 (18:08 +0100)]
rules.pl: Fix creating rules for location based groups.
The former used hash value only contains the country code when
a rule for a single country should be created.
In case a location group is used the hash value refers to the group name,
which does not work here.
The required country code is part of the processed string and can be omitted
from here. This works well for single codes and location groups, because those
are processed in a loop.
Fixes #12809.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Wed, 23 Mar 2022 17:08:52 +0000 (18:08 +0100)]
rules.pl: Fix creating rules for location based groups.
The former used hash value only contains the country code when
a rule for a single country should be created.
In case a location group is used the hash value refers to the group name,
which does not work here.
The required country code is part of the processed string and can be omitted
from here. This works well for single codes and location groups, because those
are processed in a loop.
Fixes #12809.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org>
Peter Müller [Wed, 23 Mar 2022 11:18:34 +0000 (11:18 +0000)]
firewall: Fix placement of HOSTILE chains
They were mistakenly placed after the IPS chains in commit 7b529f5417254c68b6bd33732f30578182893d34, but should be placed after the
connection tracking and before the IPS.
Fixes: #12815 Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 22 Mar 2022 15:24:49 +0000 (15:24 +0000)]
linux-firmware: Compress firmware on disk
This patch enabled that we can compress any firmware files on disk. This
will save some space since /lib/firmware is becoming larger with every
release.
From formerly 828MiB, this is now using ~349MiB which is a saving of
about 480MiB on disk. This is helping us a lot fighting to contain the
distribution to 2GB on /.
Some other firmware that is installed in other packages is not
compressed with this patch which is a bit sad, but potentially not worth
the effort.
In order to ship this change with a Core Update, it might be intuitive
to remove /lib/firmware first and then extract the new update with all
new files. However, I do not know if this all will compress as well as
before since now the files are already individually compressed. It might
be a challenge to ship this.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Wed, 23 Mar 2022 11:18:34 +0000 (11:18 +0000)]
firewall: Fix placement of HOSTILE chains
They were mistakenly placed after the IPS chains in commit 7b529f5417254c68b6bd33732f30578182893d34, but should be placed after the
connection tracking and before the IPS.
Fixes: #12815 Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Tue, 22 Mar 2022 17:32:03 +0000 (18:32 +0100)]
bind: Update to 9.16.27
For details see:
https://downloads.isc.org/isc/bind9/9.16.27/doc/arm/html/notes.html#notes-for-bind-9-16-27
"Security Fixes
The rules for acceptance of records into the cache have been
tightened to prevent the possibility of poisoning if forwarders send
records outside the configured bailiwick. (CVE-2021-25220)
ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from
Network and Information Security Lab, Tsinghua University, and
Changgen Zou from Qi An Xin Group Corp. for bringing this
vulnerability to our attention. [GL #2950]
TCP connections with keep-response-order enabled could leave the TCP
sockets in the CLOSE_WAIT state when the client did not properly
shut down the connection. (CVE-2022-0396) [GL #3112]
Feature Changes
DEBUG(1)-level messages were added when starting and ending the BIND
9 task-exclusive mode that stops normal DNS operation (e.g. for
reconfiguration, interface scans, and other events that require
exclusive access to a shared resource). [GL #3137]
Bug Fixes
The max-transfer-time-out and max-transfer-idle-out options were not
implemented when the BIND 9 networking stack was refactored in 9.16.
The missing functionality has been re-implemented and outgoing zone
transfers now time out properly when not progressing. [GL #1897]
TCP connections could hang indefinitely if the other party did not
read sent data, causing the TCP write buffers to fill. This has been
fixed by adding a “write” timer. Connections that are hung while
writing now time out after the tcp-idle-timeout period has elapsed.
[GL #3132]
The statistics counter representing the current number of clients
awaiting recursive resolution results (RecursClients) could
be miscalculated in certain resolution scenarios, potentially
causing the value of the counter to drop below zero. This has been
fixed. [GL #3147]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Tue, 22 Mar 2022 17:37:43 +0000 (18:37 +0100)]
rrdtool: Update to 1.8.0
For details see:
https://github.com/oetiker/rrdtool-1.x/releases/tag/v1.8.0
"Bugfixes
python bindings: properly convert double values of rrd info
failed to expand 'Py_UNUSED', Invalid usage when expanding 'Py_UNUSED'
document --showtime in xport help output
fix --use-nan-for-all-missing-data
update rrdruby.pod
add missing rrdruby.pod and rrdpython.pod to dist
Set first_weekday to 0 (Sunday), when HAVE__NL_TIME_WEEK_1STDAY is not defined
fix median calculation for all NaN inputs
fix potential leak in xport during failure
fix many warnings raised by Cppcheck
fix many compiler warnings from latest gcc
ensure proper initialization in rrd_daemon
cleanup testsuite
better testing
avoid invalid read in rrd_client
add symbols from rrdc to librrd
Fix duplicate write_changes_to_disk() calls when HAVE_LIBRADOS is true and HAVE_MMAP is false
documentation updates
for SMIN example in docs
fix for pyton3 compatibility
freemem only for valid status <Christian Kr"oger>
fix double meaning of time 0 as uninitialized value
fix for zfs not supporting fallocate. this makes resize work on zfs
add rrdrados.pod to dist
fetch - do not call rrd_freemem on uninitialized pointers
use separate pango fontmap per thread
switch to python 3
do not leak filename when opening a broken file
fix leaks in rrdcached
avoid segfault when flushing cache
escape json in legend entries
fix leak in xport
make rrdcgi param parsing more robust
fix race in journal_write"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Mon, 21 Mar 2022 15:35:22 +0000 (15:35 +0000)]
Core Update 166: Perform spring clean of orphaned files
On an IPFire installation that has been around since Core Update 110
(released April 28, 2017), these files have been identified as being
orphaned, comparing to a fresh installation of Core Update 164.
To avoid such a list of files agglomerating, persons responsible for a
Core Update should check whether an updated package contains deleted
files in its rootfile. If so, they should be deleted on existing systems
via update.sh as well.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Michael Tremer [Tue, 22 Mar 2022 10:42:51 +0000 (10:42 +0000)]
strongswan: Remove redundant iptables rules
We used to create some iptables rules that permitted traffic to the
firewall from IPsec peers. This however doesn't work due to changes in
iana-etc and it looks like those rules are entirely absolete now.
This patch removes them which should not cause any functional changes.
Fixes: #12808 Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org>
Jon Murphy [Thu, 17 Mar 2022 17:06:29 +0000 (12:06 -0500)]
Nano: Move nano editor from packages to core system
- this will not change the default editor `vim`
Signed-off-by: Jon Murphy <jon.murphy@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Mon, 21 Mar 2022 13:47:58 +0000 (13:47 +0000)]
Improve README and CONTRIBUTING
- Strip tailing whitespaces
- Use shorter line length to make reading the files with editors or
terminals without automatic line break easier
- Slightly improve the content of these files
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Jonatan Schlag [Tue, 8 Mar 2022 11:18:24 +0000 (12:18 +0100)]
Add Readme and Contributing guidelines.
For people which just have found our source code especially over GitHub
sometimes seem to have problems finding out how to contribute. This is
sad as it prevents us building a bigger community. While we have a wiki
which conatins a lot informations, this seems to get overlooked. I guess
a contributing fact is that most software today has these informations
contained in the repository itself. While I am not going to duplicate
the wiki to have these informations in our repository I still think it
is a good idea to have a short guide to lead new contributers into the
right direction.
Someone now could argue that new people just a too * to look at the
right place and that's why we do not need these documents. I do not
think so because of several points:
First people get used to look for information at a readme. I guees that
is because of the fact both GitHub and Gitlab place the readme so
prominently.
Second starting in a new project is hard. Finding the right place where
to start is also not easy as every project is different. Giving people a
short introduction what the first steps could be is definitely needed.
Peter Müller [Mon, 21 Mar 2022 11:44:48 +0000 (11:44 +0000)]
Core Update 166: Drop old 2007 Pakfire key, and remove it from existing installations
It is not necessary to have this key present on IPFire systems anymore,
since it has not been in use for years, and we can expect systems to be
sufficiently up-to-date, so they no longer need to rely on old updates
or add-ons signed with this key.
Also, given the current key was generated in 2018, we should consider a
Pakfire key rollover soon.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 17 Mar 2022 21:27:15 +0000 (22:27 +0100)]
sysvinit: Update rootfile to fix bug 12797
- In sysvinit-2.97 (Dec2020) a patch was added which allows init to load configuration data
from files stored in /etc/inittab.d/
This modification would have come in with Core Update 155.
- When sysvinit was updated from 2.88dsf to 2.98 the /etc/inittab.d/ directory in the
rootfile was commented out.
Sysvinit looks to see if there are any files in inittab.d but as that directory does not
exist then the message "No inittab.d directory found" is written during the boot and is
also shown in the log summary.
- This patch uncomments the directory so that it will be present. No files will be placed
in it but its prescence will stop the error message being shown during boot.
Fixes: Bug #12797 Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sat, 19 Mar 2022 16:35:35 +0000 (16:35 +0000)]
Drop orphaned ovpn-ccd-convert script
This script appeared in the rootfiles for Core Updates 65 and 66, being
released in late 2012 and early 2013. It is not used elsewhere, and
there is no sense in keeping it around on IPFire installations.
Should this patch be accepted, a corresponding 'rm' statement is
necessary in the update.sh script of the Core Update it will go into.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Wed, 16 Mar 2022 16:09:12 +0000 (17:09 +0100)]
apache: Update to 2.4.53
For details see:
https://dlcdn.apache.org/httpd/CHANGES_2.4.53
Short summary of the most important SECURITY changes:
"Changes with Apache 2.4.53
*) SECURITY: CVE-2022-23943: mod_sed: Read/write beyond bounds
(cve.mitre.org)
Out-of-bounds Write vulnerability in mod_sed of Apache HTTP
Server allows an attacker to overwrite heap memory with possibly
attacker provided data.
This issue affects Apache HTTP Server 2.4 version 2.4.52 and
prior versions.
Credits: Ronald Crane (Zippenhop LLC)
*) SECURITY: CVE-2022-22721: core: Possible buffer overflow with
very large or unlimited LimitXMLRequestBody (cve.mitre.org)
If LimitXMLRequestBody is set to allow request bodies larger
than 350MB (defaults to 1M) on 32 bit systems an integer
overflow happens which later causes out of bounds writes.
This issue affects Apache HTTP Server 2.4.52 and earlier.
Credits: Anonymous working with Trend Micro Zero Day Initiative
*) SECURITY: CVE-2022-22720: HTTP request smuggling vulnerability
in Apache HTTP Server 2.4.52 and earlier (cve.mitre.org)
Apache HTTP Server 2.4.52 and earlier fails to close inbound
connection when errors are encountered discarding the request
body, exposing the server to HTTP Request Smuggling
Credits: James Kettle <james.kettle portswigger.net>
*) SECURITY: CVE-2022-22719: mod_lua Use of uninitialized value of
in r:parsebody (cve.mitre.org)
A carefully crafted request body can cause a read to a random
memory area which could cause the process to crash.
This issue affects Apache HTTP Server 2.4.52 and earlier.
Credits: Chamal De Silva
..."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Tue, 15 Mar 2022 17:25:57 +0000 (18:25 +0100)]
ids-functions.pl: Skip deleted.rules files
These rulefiles are used by various providers as a kind of reference and
to store rules which have been taken out for correctness, performance
reasons or because of other reasons.
Fixes #12794.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 15 Mar 2022 17:51:13 +0000 (17:51 +0000)]
openssl: Update to 1.1.1n
OpenSSL Security Advisory [15 March 2022]
============================================
Infinite loop in BN_mod_sqrt() reachable when parsing certificates
(CVE-2022-0778)
==================================================================================
Severity: High
The BN_mod_sqrt() function, which computes a modular square root,
contains
a bug that can cause it to loop forever for non-prime moduli.
Internally this function is used when parsing certificates that contain
elliptic curve public keys in compressed form or explicit elliptic curve
parameters with a base point encoded in compressed form.
It is possible to trigger the infinite loop by crafting a certificate
that
has invalid explicit curve parameters.
Since certificate parsing happens prior to verification of the
certificate
signature, any process that parses an externally supplied certificate
may thus
be subject to a denial of service attack. The infinite loop can also be
reached when parsing crafted private keys as they can contain explicit
elliptic curve parameters.
Thus vulnerable situations include:
- TLS clients consuming server certificates
- TLS servers consuming client certificates
- Hosting providers taking certificates or private keys from customers
- Certificate authorities parsing certification requests from
subscribers
- Anything else which parses ASN.1 elliptic curve parameters
Also any other applications that use the BN_mod_sqrt() where the
attacker
can control the parameter values are vulnerable to this DoS issue.
In the OpenSSL 1.0.2 version the public key is not parsed during initial
parsing of the certificate which makes it slightly harder to trigger
the infinite loop. However any operation which requires the public key
from the certificate will trigger the infinite loop. In particular the
attacker can use a self-signed certificate to trigger the loop during
verification of the certificate signature.
This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was
addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022.
OpenSSL 1.0.2 users should upgrade to 1.0.2zd (premium support customers
only)
OpenSSL 1.1.1 users should upgrade to 1.1.1n
OpenSSL 3.0 users should upgrade to 3.0.2
This issue was reported to OpenSSL on the 24th February 2022 by Tavis
Ormandy
from Google. The fix was developed by David Benjamin from Google and
Tomáš Mráz
from OpenSSL.
Note
====
OpenSSL 1.0.2 is out of support and no longer receiving public updates.
Extended
support is available for premium support customers:
https://www.openssl.org/support/contracts.html
OpenSSL 1.1.0 is out of support and no longer receiving updates of any
kind.
It is affected by the issue.
Users of these versions should upgrade to OpenSSL 3.0 or 1.1.1.
References
==========
URL for this Security Advisory:
https://www.openssl.org/news/secadv/20220315.txt
Note: the online version of the advisory may be updated with additional
details
over time.
For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Tue, 15 Mar 2022 17:25:57 +0000 (18:25 +0100)]
ids-functions.pl: Skip deleted.rules files
These rulefiles are used by various providers as a kind of reference and
to store rules which have been taken out for correctness, performance
reasons or because of other reasons.
Fixes #12794.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 15 Mar 2022 17:51:13 +0000 (17:51 +0000)]
openssl: Update to 1.1.1n
OpenSSL Security Advisory [15 March 2022]
============================================
Infinite loop in BN_mod_sqrt() reachable when parsing certificates
(CVE-2022-0778)
==================================================================================
Severity: High
The BN_mod_sqrt() function, which computes a modular square root,
contains
a bug that can cause it to loop forever for non-prime moduli.
Internally this function is used when parsing certificates that contain
elliptic curve public keys in compressed form or explicit elliptic curve
parameters with a base point encoded in compressed form.
It is possible to trigger the infinite loop by crafting a certificate
that
has invalid explicit curve parameters.
Since certificate parsing happens prior to verification of the
certificate
signature, any process that parses an externally supplied certificate
may thus
be subject to a denial of service attack. The infinite loop can also be
reached when parsing crafted private keys as they can contain explicit
elliptic curve parameters.
Thus vulnerable situations include:
- TLS clients consuming server certificates
- TLS servers consuming client certificates
- Hosting providers taking certificates or private keys from customers
- Certificate authorities parsing certification requests from
subscribers
- Anything else which parses ASN.1 elliptic curve parameters
Also any other applications that use the BN_mod_sqrt() where the
attacker
can control the parameter values are vulnerable to this DoS issue.
In the OpenSSL 1.0.2 version the public key is not parsed during initial
parsing of the certificate which makes it slightly harder to trigger
the infinite loop. However any operation which requires the public key
from the certificate will trigger the infinite loop. In particular the
attacker can use a self-signed certificate to trigger the loop during
verification of the certificate signature.
This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was
addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022.
OpenSSL 1.0.2 users should upgrade to 1.0.2zd (premium support customers
only)
OpenSSL 1.1.1 users should upgrade to 1.1.1n
OpenSSL 3.0 users should upgrade to 3.0.2
This issue was reported to OpenSSL on the 24th February 2022 by Tavis
Ormandy
from Google. The fix was developed by David Benjamin from Google and
Tomáš Mráz
from OpenSSL.
Note
====
OpenSSL 1.0.2 is out of support and no longer receiving public updates.
Extended
support is available for premium support customers:
https://www.openssl.org/support/contracts.html
OpenSSL 1.1.0 is out of support and no longer receiving updates of any
kind.
It is affected by the issue.
Users of these versions should upgrade to OpenSSL 3.0 or 1.1.1.
References
==========
URL for this Security Advisory:
https://www.openssl.org/news/secadv/20220315.txt
Note: the online version of the advisory may be updated with additional
details
over time.
For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 11 Mar 2022 14:43:11 +0000 (14:43 +0000)]
firewall: Make blocking all traffic impossible on HOSTILE
The current setup can fail and block all traffic on RED if the RETURN
rules could not be created.
This can happen when the kernel fails to load the ipset module, as it is
the case after upgrading to a new kernel. Restarting the firewall will
cause that the system is being cut off the internet.
This design now changes that if those rules cannot be created, the
DROP_HOSTILE feature is just inactive, but it would not disrupt any
traffic.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 11 Mar 2022 14:43:11 +0000 (14:43 +0000)]
firewall: Make blocking all traffic impossible on HOSTILE
The current setup can fail and block all traffic on RED if the RETURN
rules could not be created.
This can happen when the kernel fails to load the ipset module, as it is
the case after upgrading to a new kernel. Restarting the firewall will
cause that the system is being cut off the internet.
This design now changes that if those rules cannot be created, the
DROP_HOSTILE feature is just inactive, but it would not disrupt any
traffic.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
projects / people / pmueller / ipfire-2.x.git / log
