Michael Tremer [Sat, 23 Mar 2024 14:03:36 +0000 (15:03 +0100)]
openvpnctrl: Rewrite the entire thing
This binary because a major headache as it has been changed so many
times by so many people neglegting the code quality. Therefore, the
logic has now been moved into initscripts and the binary changed so that
it only serves as a SUID wrapper to call the initscripts.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 23 Mar 2024 13:57:19 +0000 (14:57 +0100)]
initscripts: No longer restart OpenVPN when RED comes up/goes down
This is probably a relic from when dial-up connections where on trend
and systems were offline for long times of the day. Now, we should
always be on and there is no need to restart all those services on a
reconnect.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 20 Mar 2024 19:38:52 +0000 (20:38 +0100)]
ovpnmain.cgi: Migrate to subnet topology
For dynamic pools, this change is easy and does not require any extra
steps. For CCD clients however, we need to update the configuration to
replace the server IP address with the subnet mask.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 20 Mar 2024 13:56:20 +0000 (14:56 +0100)]
ovpnmain.cgi: Drop validdotmask()
This is a totally braindead function that prevented some basic usability
by using the more modern prefix notation. It simply checks if there is a
freaking dot. Great!
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 19 Mar 2024 19:44:18 +0000 (20:44 +0100)]
ovpnmain.cgi: Force NCP on clients
This change requires that all clients support NCP if they are set up
with a new connection. Existing clients remain supported using the
fallback cipher option.
This will result that connections with OpenVPN <= 2.3 cannot be set up
any more which is totally fine since that version is EOL.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 19 Mar 2024 19:11:31 +0000 (20:11 +0100)]
ovpnmain.cgi: Completely remove compression for RW clients
We will use the "compress migrate" option which disables compression by
default. If a client has been found that wants to use compression, the
server will push "stub-v2" to disable it. If that does not work, the
server might fall back to compression.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 19 Mar 2024 15:32:33 +0000 (16:32 +0100)]
ovpnmain.cgi: Drop newcleanssldatabase()
I have no idea why this was added when there is a function that does the
same already. The remove function also had typos in the path which
probably resulted in it not working very well.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 18 Mar 2024 18:43:14 +0000 (19:43 +0100)]
wsdd: Update install and uninstall pak files
- As wsdd is now started by samba when it is started then the wsdd install and uninstall
paks no longer need to create the symlinks for starting and stopping wsdd and no longer
need the start_service and stop_service commands in the paks.
Fixes: bug#13445 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 18 Mar 2024 18:43:13 +0000 (19:43 +0100)]
wsdd: Update of lfs file - fixes bug#13445
- Removal of services line as wsdd will now be started by the samba option in the addon
services wui page
- Removal of installing separate wsdd initscript as it is nowe integrated into the samba
initscript.
Fixes: bug#13445 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 18 Mar 2024 18:43:12 +0000 (19:43 +0100)]
wsdd: remove wsdd initscript as now covered by samba - fixes bug#13445
Fixes: bug#13445 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 18 Mar 2024 18:43:11 +0000 (19:43 +0100)]
samba: Integrate wsdd initscript into samba initscript - bug#13445
- This integrates the wsdd initscript functions into the samba initscript. When samba is
started or stopped or the status requested then wsdd is part of that process.
- Tested in my vm testbed and confirmed to work for start, stop and status. Confirmed
pid's shown with status command are in the appropriate pid files.
Fixes: bug#13445 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 15 Mar 2024 12:38:06 +0000 (13:38 +0100)]
ppp: Update to include bug fixes that should be in 2.5.1 but not yet released
- Update from version 2.5.0 to commit e1266c7
- Update of rootfile
- When ppp-2.5.0 was released it had a bug bin it that the lock and run directories
had non standard defaults but also that if the directory did not exist ppp just
ignored it and continued to start but would then have error messages in the logs about
not being able to cretae the lock file
- This issue was raised in the ppp github issues and a set of patches merged into ppp.
- The plan was written in Nov 2023 that this would be released as 2.5.1, however nearly
three months later there is no sight of 2.5.1 being released and people continue to
flag up the lock directory issues and have to apply a workaround to create the directory
in local.rc
- This patch has taken the zip source tarball of master at the commit e1266c7. The zip
tarball was then extracted and then tar'd back up as a tar.gz file with the version set
at e1266c7 rather than master. I could not find any other way to get a source tarball\
created at a certain commit stage.
- The patch ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch had to be updated due to some
changes in the source files.
- The patch ppp-2.5.0-7-add-configure-check-to-see-if-we-have-struct-sockaddr_ll.patch
was removed as the changes are now built into the source tarball.
- This will need to be tested thoroughly by people with ppp to confirm that the lock
directory is created if it doesn't exist on the system. I can't test that as I have
no access to a ppp connection system.
- For a view of the changelog between 2.5.0 and e1266c7 the github commits list needs to
be reviewed. https://github.com/ppp-project/ppp/commits/master/?before=e1266c76d1ad39f98f11676e34f180f78c5a510c+35
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 16 Mar 2024 09:32:54 +0000 (10:32 +0100)]
CU184-update.sh: Add drop hostile in & out logging entries
- My drop hostile patch set updated the WUI entries to include in and out logging options
but the values need to be added to the optionsfw entries for existing systems being
upgraded.
- After the existing CU184 update the LOGDROPHOSTILEIN and LOGDROPHO)STILEOUT entries
are not in the settings file which trewats them as being set to off, even though they
are enabled in the WUI update.
- This patch adds the LOGDROPHOSTILEIN and LOGDROPHOSTILEOUT entries into the settings
file and then runs the firewallctrl command to apply to the firewall.
- Ran a CU184 update on a CU183 vm system and then ran the comands added into the update.sh
script and then did a reboot. Entries include and DROP_HOSTILE entries start to be
logged again.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Jon Murphy [Mon, 11 Mar 2024 23:45:00 +0000 (18:45 -0500)]
time.cgi: add current date-time to this WebGUI page
- added words and date-time format to english (en.pl)
- other languages are needed
- seconds included since time is accurate to < .1s
https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=2234e8aacac2e0d0b06dac4513585c15c2b3b440
Code-by: Leo-Andres Hofmann <hofmann@leo-andres.de> Signed-off-by: Jon Murphy <jon.murphy@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 14 Mar 2024 16:52:08 +0000 (17:52 +0100)]
expat: Update to version 2.6.2
- Update from version 2.6.1 to 2.6.2
- Update of rootfile
- Changelog
2.6.2
Security fixes:
#839 #842 CVE-2024-28757 -- Prevent billion laughs attacks with
isolated use of external parsers. Please see the commit
message of commit 1d50b80cf31de87750103656f6eb693746854aa8
for details.
Bug fixes:
#839 #841 Reject direct parameter entity recursion
and avoid the related undefined behavior
Other changes:
#847 Autotools: Fix build for DOCBOOK_TO_MAN containing spaces
#837 Add missing #821 and #824 to 2.6.1 change log
#838 #843 Version info bumped from 10:1:9 (libexpat*.so.1.9.1)
to 10:2:9 (libexpat*.so.1.9.2); see https://verbump.de/
for what these numbers do
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 14 Mar 2024 13:32:58 +0000 (14:32 +0100)]
xz: Update to version 5.6.1
- Update from version 5.6.0 to 5.6.1
- Update of rootfile
- Changelog
5.6.1
* liblzma: Fixed two bugs relating to GNU indirect function (IFUNC)
with GCC. The more serious bug caused a program linked with
liblzma to crash on start up if the flag -fprofile-generate was
used to build liblzma. The second bug caused liblzma to falsely
report an invalid write to Valgrind when loading liblzma.
* xz: Changed the messages for thread reduction due to memory
constraints to only appear under the highest verbosity level.
* Build:
- Fixed a build issue when the header file <linux/landlock.h>
was present on the system but the Landlock system calls were
not defined in <sys/syscall.h>.
- The CMake build now warns and disables NLS if both gettext
tools and pre-created .gmo files are missing. Previously,
this caused the CMake build to fail.
* Minor improvements to man pages.
* Minor improvements to tests.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 14 Mar 2024 13:32:57 +0000 (14:32 +0100)]
wget: Update to version 1.24.5
- Update from version 1.21.4 to 1.24.5
- Update of rootfile not required
- Changelog
1.24.5
** Fix how subdomain matches are checked for HSTS.
Fixes a minor issue where cookies may be leaked to the wrong domain
** Wget will now also parse the srcset attribute in <source> HTML tags
** Support reading fetchmail style "user" and "passwd" fields from netrc
** In some cases, prevent the confusing "Cannot write to... (success)" error messages
** Support extremely fast download speeds (TB/s).
Previously this would cause Wget to crash when printing the speed
** Improve portability on OpenBSD to run the test suite
** Ensure that CSS URLs are corectly quoted (Bug: 64082)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
projects / people / ms / ipfire-2.x.git / log
