]> git.ipfire.org Git - people/pmueller/ipfire-2.x.git/log
people/pmueller/ipfire-2.x.git
2 years agoopenssl: Update to 1.1.1n
Michael Tremer [Tue, 15 Mar 2022 17:51:13 +0000 (17:51 +0000)] 
openssl: Update to 1.1.1n

OpenSSL Security Advisory [15 March 2022]
============================================

Infinite loop in BN_mod_sqrt() reachable when parsing certificates
(CVE-2022-0778)
==================================================================================

Severity: High

The BN_mod_sqrt() function, which computes a modular square root,
contains
a bug that can cause it to loop forever for non-prime moduli.

Internally this function is used when parsing certificates that contain
elliptic curve public keys in compressed form or explicit elliptic curve
parameters with a base point encoded in compressed form.

It is possible to trigger the infinite loop by crafting a certificate
that
has invalid explicit curve parameters.

Since certificate parsing happens prior to verification of the
certificate
signature, any process that parses an externally supplied certificate
may thus
be subject to a denial of service attack. The infinite loop can also be
reached when parsing crafted private keys as they can contain explicit
elliptic curve parameters.

Thus vulnerable situations include:

 - TLS clients consuming server certificates
 - TLS servers consuming client certificates
 - Hosting providers taking certificates or private keys from customers
 - Certificate authorities parsing certification requests from
   subscribers
 - Anything else which parses ASN.1 elliptic curve parameters

Also any other applications that use the BN_mod_sqrt() where the
attacker
can control the parameter values are vulnerable to this DoS issue.

In the OpenSSL 1.0.2 version the public key is not parsed during initial
parsing of the certificate which makes it slightly harder to trigger
the infinite loop. However any operation which requires the public key
from the certificate will trigger the infinite loop. In particular the
attacker can use a self-signed certificate to trigger the loop during
verification of the certificate signature.

This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0.  It was
addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022.

OpenSSL 1.0.2 users should upgrade to 1.0.2zd (premium support customers
only)
OpenSSL 1.1.1 users should upgrade to 1.1.1n
OpenSSL 3.0 users should upgrade to 3.0.2

This issue was reported to OpenSSL on the 24th February 2022 by Tavis
Ormandy
from Google. The fix was developed by David Benjamin from Google and
Tomáš Mráz
from OpenSSL.

Note
====

OpenSSL 1.0.2 is out of support and no longer receiving public updates.
Extended
support is available for premium support customers:
https://www.openssl.org/support/contracts.html

OpenSSL 1.1.0 is out of support and no longer receiving updates of any
kind.
It is affected by the issue.

Users of these versions should upgrade to OpenSSL 3.0 or 1.1.1.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20220315.txt

Note: the online version of the advisory may be updated with additional
details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agocore165: Ship IPS rule updater again and unlock IPS page
Michael Tremer [Tue, 15 Mar 2022 11:16:22 +0000 (11:16 +0000)] 
core165: Ship IPS rule updater again and unlock IPS page

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agocore165: Rebuild IPS rules
Michael Tremer [Mon, 14 Mar 2022 15:56:40 +0000 (15:56 +0000)] 
core165: Rebuild IPS rules

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agoids-functions.pl: Do not longer extract all rulefiles in archive.
Stefan Schantl [Sun, 13 Mar 2022 19:27:25 +0000 (20:27 +0100)] 
ids-functions.pl: Do not longer extract all rulefiles in archive.

Only extract rulefiles which are located in a rules directory and/or in the archive
root.

This prevents us from extracting experimental or binary rules etc. which
often are located in corresponding sub-directories.

Reference: #12794.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agofirewall: Make blocking all traffic impossible on HOSTILE
Michael Tremer [Fri, 11 Mar 2022 14:43:11 +0000 (14:43 +0000)] 
firewall: Make blocking all traffic impossible on HOSTILE

The current setup can fail and block all traffic on RED if the RETURN
rules could not be created.

This can happen when the kernel fails to load the ipset module, as it is
the case after upgrading to a new kernel. Restarting the firewall will
cause that the system is being cut off the internet.

This design now changes that if those rules cannot be created, the
DROP_HOSTILE feature is just inactive, but it would not disrupt any
traffic.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agocore165: Actually ship the core files
Michael Tremer [Thu, 10 Mar 2022 10:35:44 +0000 (10:35 +0000)] 
core165: Actually ship the core files

This filelist is there to ship files that contain the version number of
a release and *must* be shipped every time. For that, they will need to
be a part of the filelist.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agoMerge branch 'next'
Michael Tremer [Thu, 10 Mar 2022 10:27:51 +0000 (10:27 +0000)] 
Merge branch 'next'

2 years agosamba: Fix rootfile on x86_64
Michael Tremer [Thu, 10 Mar 2022 10:25:19 +0000 (10:25 +0000)] 
samba: Fix rootfile on x86_64

The web UI menu entry, samba.cgi and the control binary were lost in
61d7aaa3ef9f1097b9dab749ac2d967fe88b07af.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agogeneral-functions.pl: Do not die if no red interface could be determined.
Stefan Schantl [Wed, 9 Mar 2022 14:12:32 +0000 (15:12 +0100)] 
general-functions.pl: Do not die if no red interface could be determined.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agorules.pl: Do not create HOSTILE rules if no red dev is available.
Stefan Schantl [Wed, 9 Mar 2022 14:12:31 +0000 (15:12 +0100)] 
rules.pl: Do not create HOSTILE rules if no red dev is available.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agorules.pl: Adjust code to use sets generated by libloc 0.9.11
Stefan Schantl [Wed, 9 Mar 2022 14:12:30 +0000 (15:12 +0100)] 
rules.pl: Adjust code to use sets generated by libloc 0.9.11

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agolibloc: Update to 0.9.11
Stefan Schantl [Wed, 9 Mar 2022 14:12:29 +0000 (15:12 +0100)] 
libloc: Update to 0.9.11

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agortl8189fs: add realtek wlan driver
Arne Fitzenreiter [Sun, 27 Feb 2022 09:16:21 +0000 (09:16 +0000)] 
rtl8189fs: add realtek wlan driver

this chip is the successor of the rtl8189es look some boards has
silently switched to the new chip.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agortl8189fs: add realtek wlan driver
Arne Fitzenreiter [Sun, 27 Feb 2022 09:16:21 +0000 (09:16 +0000)] 
rtl8189fs: add realtek wlan driver

this chip is the successor of the rtl8189es look some boards has
silently switched to the new chip.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agooptionsfw.cgi: Add default settings for newly added options.
Stefan Schantl [Sat, 5 Mar 2022 18:13:39 +0000 (19:13 +0100)] 
optionsfw.cgi: Add default settings for newly added options.

If no settings for those features can be obtained from the settings
file, set them to the following defaults.

* DROPSPOOFEDMARTIAN -> on (yes)
* DROPHOSTILE -> off (no - because only fresh installed systems should
                     do this)
* LOGDROPCTINVALID -> on (yes)

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agocore165: Ship hyperscan
Michael Tremer [Tue, 8 Mar 2022 10:42:00 +0000 (10:42 +0000)] 
core165: Ship hyperscan

This package is being built with a different configuration.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agolinux: Fix for CVE-2022-0847 aka Dirty Pipe
Michael Tremer [Tue, 8 Mar 2022 09:59:43 +0000 (09:59 +0000)] 
linux: Fix for CVE-2022-0847 aka Dirty Pipe

https://dirtypipe.cm4all.com

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agolinux: Fix for CVE-2022-0847 aka Dirty Pipe
Michael Tremer [Tue, 8 Mar 2022 09:59:43 +0000 (09:59 +0000)] 
linux: Fix for CVE-2022-0847 aka Dirty Pipe

https://dirtypipe.cm4all.com

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agocore164: Ship backup exclude file
Michael Tremer [Mon, 7 Mar 2022 18:53:09 +0000 (18:53 +0000)] 
core164: Ship backup exclude file

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agobackup: Make include/exclude files relative
Michael Tremer [Fri, 4 Mar 2022 10:41:30 +0000 (10:41 +0000)] 
backup: Make include/exclude files relative

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agobackup: Don't restore excluded files
Michael Tremer [Fri, 4 Mar 2022 10:29:23 +0000 (10:29 +0000)] 
backup: Don't restore excluded files

Sometimes, we restore a backup that has been created earlier before
exclude files have been changed. To avoid overwriting those files, we
will consider the exlude list upon restore.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agobackup: Exclude oinkmaster.conf
Michael Tremer [Fri, 4 Mar 2022 10:27:01 +0000 (10:27 +0000)] 
backup: Exclude oinkmaster.conf

This file is a system configuration file and does not contain any
configruation from the user.

Since it can be overwritten in a backup and restored to an older state,
this can cause problems such as #12788.

Fixes: #12788
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agobackup: Abort when the backup could not be extracted
Michael Tremer [Fri, 4 Mar 2022 10:18:25 +0000 (10:18 +0000)] 
backup: Abort when the backup could not be extracted

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agoids.cgi: Only read-in ignored hosts, if the ignore file exists.
Stefan Schantl [Mon, 7 Mar 2022 16:52:36 +0000 (17:52 +0100)] 
ids.cgi: Only read-in ignored hosts, if the ignore file exists.

Otherwise the CGI will crash.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agoids-functions.pl: Do not create an empty ignored settings file.
Stefan Schantl [Sat, 5 Mar 2022 17:53:10 +0000 (18:53 +0100)] 
ids-functions.pl: Do not create an empty ignored settings file.

The file will be created by the WUI, when adding the first host.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agoupdate-ids-ruleset: Always drop the lock file if it has been created during runtime.
Stefan Schantl [Thu, 3 Mar 2022 04:49:43 +0000 (05:49 +0100)] 
update-ids-ruleset: Always drop the lock file if it has been created during runtime.

In some situations or if an error happened, the lock file could be
keep on the system. In such a case the IDS page would be locked forever
until user interaction or reboot of the system.

Now the script checks if it has created such a lock and release it when
the script exists.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agoids-functions.pl: Do not try to chown files while extracting them.
Stefan Schantl [Thu, 3 Mar 2022 18:55:59 +0000 (19:55 +0100)] 
ids-functions.pl: Do not try to chown files while extracting them.

We are almost running as an unprivileged user and therfore have not
the permissions to do this.

This will save us a lot of confusion error messages.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agoCore Update 165: Rename squid-accounting add-on to proxy-accounting
Peter Müller [Sat, 5 Mar 2022 14:45:32 +0000 (14:45 +0000)] 
Core Update 165: Rename squid-accounting add-on to proxy-accounting

https://lists.ipfire.org/pipermail/development/2022-February/012482.html

The second version of this patch omits bogus directives for restarting a
service, which proxy-accounting is not.

Cc: Michael Tremer <michael.tremer@ipfire.org>
Cc: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agocore165: Ship ids.cgi
Michael Tremer [Mon, 7 Mar 2022 18:46:34 +0000 (18:46 +0000)] 
core165: Ship ids.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agoids.cgi: Only read-in ignored hosts, if the ignore file exists.
Stefan Schantl [Mon, 7 Mar 2022 16:52:36 +0000 (17:52 +0100)] 
ids.cgi: Only read-in ignored hosts, if the ignore file exists.

Otherwise the CGI will crash.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agocore165: Ship optionsfw.cgi
Michael Tremer [Mon, 7 Mar 2022 18:45:58 +0000 (18:45 +0000)] 
core165: Ship optionsfw.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agooptionsfw.cgi: Add default settings for newly added options.
Stefan Schantl [Sat, 5 Mar 2022 18:13:39 +0000 (19:13 +0100)] 
optionsfw.cgi: Add default settings for newly added options.

If no settings for those features can be obtained from the settings
file, set them to the following defaults.

* DROPSPOOFEDMARTIAN -> on (yes)
* DROPHOSTILE -> off (no - because only fresh installed systems should
                     do this)
* LOGDROPCTINVALID -> on (yes)

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agoids-functions.pl: Merge same named rulefiles during extract.
Stefan Schantl [Sat, 5 Mar 2022 15:27:17 +0000 (16:27 +0100)] 
ids-functions.pl: Merge same named rulefiles during extract.

In case a rulestarball contains several same-named rulefiles
they have been overwritten each time and so only contained the content
from the last extracted one.

Now the content of those files will be merged by appending the content
to the first extracted one for each time.

Fixes #12792.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agoids-functions.pl: Do not create an empty ignored settings file.
Stefan Schantl [Sat, 5 Mar 2022 17:53:10 +0000 (18:53 +0100)] 
ids-functions.pl: Do not create an empty ignored settings file.

The file will be created by the WUI, when adding the first host.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
2 years agoids-functions.pl: Merge same named rulefiles during extract.
Stefan Schantl [Sat, 5 Mar 2022 15:27:17 +0000 (16:27 +0100)] 
ids-functions.pl: Merge same named rulefiles during extract.

In case a rulestarball contains several same-named rulefiles
they have been overwritten each time and so only contained the content
from the last extracted one.

Now the content of those files will be merged by appending the content
to the first extracted one for each time.

Fixes #12792.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
2 years agoRevert "Core Update 165: Ship update-ids-ruleset" temp-c165-development
Peter Müller [Sat, 5 Mar 2022 14:35:09 +0000 (14:35 +0000)] 
Revert "Core Update 165: Ship update-ids-ruleset"

update-ids-rulesets is relevant for Core Update 164, not Core Update 165.

This reverts commit 9713023546fc1ac4a9b43c41be0e950a92a86553.

2 years agoCore Update 164: Ship update-ids-rulesets
Peter Müller [Sat, 5 Mar 2022 14:34:39 +0000 (14:34 +0000)] 
Core Update 164: Ship update-ids-rulesets

@Michael: Please cherry-pick this one into "master" as well.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2 years agofirewall-lib.pl: Remove prefix when dealing with ipset sets.
Stefan Schantl [Wed, 2 Mar 2022 19:43:06 +0000 (20:43 +0100)] 
firewall-lib.pl: Remove prefix when dealing with ipset sets.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
2 years agorules.pl: Autodetect ipset db file to restore.
Stefan Schantl [Wed, 2 Mar 2022 19:43:05 +0000 (20:43 +0100)] 
rules.pl: Autodetect ipset db file to restore.

This commit allows the ipset_restore() function to auto-detect
which set file needs to be restored.

Currently it is limitated to country codes only, because we currently
does not support anything else.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
2 years agofirewall: Move dropping hostile networks to rules.pl.
Stefan Schantl [Sun, 27 Feb 2022 13:49:03 +0000 (14:49 +0100)] 
firewall: Move dropping hostile networks to rules.pl.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agorules.pl: Allow dynamic destory of loaded but unused ipset sets.
Stefan Schantl [Sun, 27 Feb 2022 13:49:02 +0000 (14:49 +0100)] 
rules.pl: Allow dynamic destory of loaded but unused ipset sets.

Instead of stupidly destroying all ipsets, we now grab the already loaded sets
and compare them with the loaded sets during runtime of the script.

So we are now able to determine which sets are not longer required and
safely can destroy (unload) at a later time.

This saves us from taking care about dropping/flushing rules which are
based on ipset before we can destroy them - because only unused sets are
affected.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Inspired-by: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agoupdate ca-certificates CA bundle
Peter Müller [Wed, 2 Mar 2022 21:01:57 +0000 (21:01 +0000)] 
update ca-certificates CA bundle

Update the CA certificates list to what Mozilla NSS ships currently.

The original file can be retrieved from:
https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt

Please note that the certdata.txt file only appears to drop MD5
checksums in favour of SHA256, so there is no need in shipping
ca-certificates with the next Core Update.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2 years agoTor: Update to 0.4.6.10
Peter Müller [Wed, 2 Mar 2022 21:12:54 +0000 (21:12 +0000)] 
Tor: Update to 0.4.6.10

Full changelog as per https://gitweb.torproject.org/tor.git/plain/ChangeLog?h=tor-0.4.6.10 :

Changes in version 0.4.6.10 - 2022-02-04
  This version contains minor bugfixes but one in particular is that relays
  don't advertise onion service v2 support at the protocol version level.

  o Minor features (fallbackdir):
    - Regenerate fallback directories generated on February 04, 2022.

  o Minor features (geoip data):
    - Update the geoip files to match the IPFire Location Database, as
      retrieved on 2022/02/04.

  o Minor bugfix (logging):
    - Update a log notice dead URL to a working one. Fixes bug 40544;
      bugfix on 0.3.5.1-alpha.

  o Minor bugfix (relay):
    - Remove the HSDir and HSIntro onion service v2 protocol versions so
      relay stop advertising that they support them. Fixes bug 40509;
      bugfix on 0.3.5.17.

  o Minor bugfixes (MetricsPort, Prometheus):
    - Add double quotes to the label values of the onion service
      metrics. Fixes bug 40552; bugfix on 0.4.5.1-alpha.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2 years agoCore Update 165: Ship update-ids-ruleset
Peter Müller [Sat, 5 Mar 2022 14:30:10 +0000 (14:30 +0000)] 
Core Update 165: Ship update-ids-ruleset

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2 years agoupdate-ids-ruleset: Always drop the lock file if it has been created during runtime.
Stefan Schantl [Thu, 3 Mar 2022 04:49:43 +0000 (05:49 +0100)] 
update-ids-ruleset: Always drop the lock file if it has been created during runtime.

In some situations or if an error happened, the lock file could be
keep on the system. In such a case the IDS page would be locked forever
until user interaction or reboot of the system.

Now the script checks if it has created such a lock and release it when
the script exists.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
2 years agoids-functions.pl: Do not try to chown files while extracting them.
Stefan Schantl [Thu, 3 Mar 2022 18:55:59 +0000 (19:55 +0100)] 
ids-functions.pl: Do not try to chown files while extracting them.

We are almost running as an unprivileged user and therfore have not
the permissions to do this.

This will save us a lot of confusion error messages.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
2 years agobackup: Make include/exclude files relative
Michael Tremer [Fri, 4 Mar 2022 10:41:30 +0000 (10:41 +0000)] 
backup: Make include/exclude files relative

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agobackup: Don't restore excluded files
Michael Tremer [Fri, 4 Mar 2022 10:29:23 +0000 (10:29 +0000)] 
backup: Don't restore excluded files

Sometimes, we restore a backup that has been created earlier before
exclude files have been changed. To avoid overwriting those files, we
will consider the exlude list upon restore.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agobackup: Exclude oinkmaster.conf
Michael Tremer [Fri, 4 Mar 2022 10:27:01 +0000 (10:27 +0000)] 
backup: Exclude oinkmaster.conf

This file is a system configuration file and does not contain any
configruation from the user.

Since it can be overwritten in a backup and restored to an older state,
this can cause problems such as #12788.

Fixes: #12788
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agobackup: Abort when the backup could not be extracted
Michael Tremer [Fri, 4 Mar 2022 10:18:25 +0000 (10:18 +0000)] 
backup: Abort when the backup could not be extracted

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agopython3-cffi: Fix armv6l rootfile
Michael Tremer [Wed, 2 Mar 2022 13:37:28 +0000 (13:37 +0000)] 
python3-cffi: Fix armv6l rootfile

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agopython3-cffi: Add 32 bit ARM rootfile again due to "gnueabi" != "gnu"
Peter Müller [Tue, 1 Mar 2022 15:25:01 +0000 (15:25 +0000)] 
python3-cffi: Add 32 bit ARM rootfile again due to "gnueabi" != "gnu"

My fault, again. :-/

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2 years agopython3-yaml: Drop unnecessary armv6l rootfile
Peter Müller [Mon, 28 Feb 2022 20:18:58 +0000 (20:18 +0000)] 
python3-yaml: Drop unnecessary armv6l rootfile

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2 years agoMerge branch 'master' into next
Peter Müller [Mon, 28 Feb 2022 20:16:38 +0000 (20:16 +0000)] 
Merge branch 'master' into next

2 years agosuricata: drop unsupported JA3 rule provider
Arne Fitzenreiter [Sat, 26 Feb 2022 14:19:45 +0000 (14:19 +0000)] 
suricata: drop unsupported JA3 rule provider

our current suricata version not support JA3 based rules so
this drop the providers from the list.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 years agoborgbackup: Fix rootfile on 32 bit ARM
Peter Müller [Sat, 26 Feb 2022 12:16:39 +0000 (12:16 +0000)] 
borgbackup: Fix rootfile on 32 bit ARM

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2 years agoPython3: Fix rootfile for 32 bit ARM again
Peter Müller [Fri, 25 Feb 2022 14:04:06 +0000 (14:04 +0000)] 
Python3: Fix rootfile for 32 bit ARM again

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2 years agoCore Update 165: Ship vpnmain.cgi
Peter Müller [Wed, 23 Feb 2022 15:54:13 +0000 (15:54 +0000)] 
Core Update 165: Ship vpnmain.cgi

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2 years agovpnmain.cgi: Select Curve 25519 as default
Michael Tremer [Wed, 23 Feb 2022 10:16:41 +0000 (10:16 +0000)] 
vpnmain.cgi: Select Curve 25519 as default

This was supposed to be enabled by default. Due to a copy-and-paste
error, it was, however, not selected for IKE, but only for ESP.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
2 years agooci-python-sdk: Depend on python3-certifi
Michael Tremer [Tue, 22 Feb 2022 17:19:10 +0000 (17:19 +0000)] 
oci-python-sdk: Depend on python3-certifi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agoCore Update 165: Ship dhcpcd-related changes
Peter Müller [Wed, 23 Feb 2022 15:51:33 +0000 (15:51 +0000)] 
Core Update 165: Ship dhcpcd-related changes

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2 years agodhcpcd: Allow freely setting MTU
Michael Tremer [Tue, 22 Feb 2022 12:18:06 +0000 (12:18 +0000)] 
dhcpcd: Allow freely setting MTU

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
2 years agodhcpcd: Remove old MTU setting script
Michael Tremer [Tue, 22 Feb 2022 12:18:05 +0000 (12:18 +0000)] 
dhcpcd: Remove old MTU setting script

This is being replaced by adding the MTU option to any routes that
dhcpcd installs.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
2 years agodhcpcd: Force setting MTU through dhcpcd
Michael Tremer [Tue, 22 Feb 2022 12:18:04 +0000 (12:18 +0000)] 
dhcpcd: Force setting MTU through dhcpcd

The DHCP server can instruct clients to configure a certain MTU.

This used to be done by setting the MTU of the interface. However,
dhcpcd has changed this behaviour using routes to.

We used to have a modified version of the old mechanism which no longer
works well with the new system and is therefore to be dropped.

This is the first commit in the series implementing the new behaviour
and telling dhcpcd to use the configured MTU.

Fixes: #12563
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
2 years agoRevert "gcc: Compile without ZSTD"
Peter Müller [Wed, 23 Feb 2022 15:36:25 +0000 (15:36 +0000)] 
Revert "gcc: Compile without ZSTD"

https://lists.ipfire.org/pipermail/development/2022-February/012544.html

This reverts commit 0b6ba4a0ca2e08cd9fc56e99e80d33a6fe88b395.

2 years agoPython3: Attempt to fix rootfile on 32 bit ARM
Peter Müller [Tue, 22 Feb 2022 20:18:27 +0000 (20:18 +0000)] 
Python3: Attempt to fix rootfile on 32 bit ARM

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2 years agopython3-cffi: Fix rootfile more elegant on ARM
Peter Müller [Tue, 22 Feb 2022 20:13:44 +0000 (20:13 +0000)] 
python3-cffi: Fix rootfile more elegant on ARM

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2 years agoRevert "python3-cffi: Fix rootfiles on ARM"
Peter Müller [Tue, 22 Feb 2022 20:13:19 +0000 (20:13 +0000)] 
Revert "python3-cffi: Fix rootfiles on ARM"

This reverts commit 410758e03fdab9be8851068fb3d78c675c29744e.

2 years agofr: Update French translation
Stéphane Pautrel [Tue, 22 Feb 2022 12:39:06 +0000 (12:39 +0000)] 
fr: Update French translation

- 24 strings have been added (drop hostile and spoofed martians, fw red,
  ids options and provider, pakfire update messages...)
- 3 strings have been inproved

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agocredits: Run ./make.sh update-contributors
Michael Tremer [Tue, 22 Feb 2022 12:40:53 +0000 (12:40 +0000)] 
credits: Run ./make.sh update-contributors

This should be run regularly, or ideally just before we close a Core
Update so that we can give credit to everywhere who has contributed to
it.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agopython3-cffi: Fix rootfiles on ARM
Peter Müller [Tue, 22 Feb 2022 19:46:53 +0000 (19:46 +0000)] 
python3-cffi: Fix rootfiles on ARM

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2 years agoConfig: Disable parallel builds for Cargo on riscv64
Michael Tremer [Tue, 22 Feb 2022 12:51:35 +0000 (12:51 +0000)] 
Config: Disable parallel builds for Cargo on riscv64

There seems to be some problem where Cargo deadlocks during the build
when running on mutliple cores simulteneously.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agostrip: Do not try to strip QEMU
Michael Tremer [Tue, 22 Feb 2022 12:51:34 +0000 (12:51 +0000)] 
strip: Do not try to strip QEMU

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agoboost: Enable build on all architectures
Michael Tremer [Tue, 22 Feb 2022 12:51:33 +0000 (12:51 +0000)] 
boost: Enable build on all architectures

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agosuricata: Fix check for level one cache line size
Michael Tremer [Tue, 22 Feb 2022 12:51:32 +0000 (12:51 +0000)] 
suricata: Fix check for level one cache line size

riscv64 does not return any value on our machine (maybe because it is
emulated?). "undefined" is however seen as a valid value, which makes
the build fail.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agoliburcu: Update automake to build on riscv64
Michael Tremer [Tue, 22 Feb 2022 12:51:31 +0000 (12:51 +0000)] 
liburcu: Update automake to build on riscv64

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agokernel: Add a basic configuration for riscv64
Michael Tremer [Tue, 22 Feb 2022 12:51:30 +0000 (12:51 +0000)] 
kernel: Add a basic configuration for riscv64

This kernel configuration is a copy of our kernel configuration for
x86_64 on which I ran "make olddefconfig" which will set any unknown
values to their defaults.

This exists so that we have some kernel (which I did not try to boot) to
complete the build process.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agorust: Package for riscv64
Michael Tremer [Tue, 22 Feb 2022 12:51:29 +0000 (12:51 +0000)] 
rust: Package for riscv64

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agorust: Rust's arch for riscv64 is called riscv64gc
Michael Tremer [Tue, 22 Feb 2022 12:51:28 +0000 (12:51 +0000)] 
rust: Rust's arch for riscv64 is called riscv64gc

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agomake.sh: riscv64: Emulate SiFive U54 CPU
Michael Tremer [Tue, 22 Feb 2022 12:51:27 +0000 (12:51 +0000)] 
make.sh: riscv64: Emulate SiFive U54 CPU

In QEMU, some processes seem to freeze/deadlock in their futex handling
which is causing the whole build process to block.

Changing the emulated CPU seems to work around these problems.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agojq: Update autotools
Michael Tremer [Tue, 22 Feb 2022 12:51:26 +0000 (12:51 +0000)] 
jq: Update autotools

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agogcc: Compile without ZSTD
Michael Tremer [Tue, 22 Feb 2022 12:51:25 +0000 (12:51 +0000)] 
gcc: Compile without ZSTD

GCC can use ZSTD to compress debugging/LTO information in binary
objects. However, on riscv64, compiling zstd requires libatomic which is
not available at this point.

In order to make the build work, we explicitely disable ZSTD in GCC and
build ZSTD after libatomic is available.

Although ZSTD offers great compression, we won't have any disadvantages
through this change since we do not ship any debugging information and
at this point in time to not use LTO.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agostrip: Make this work when cross-compiling
Michael Tremer [Tue, 22 Feb 2022 12:51:24 +0000 (12:51 +0000)] 
strip: Make this work when cross-compiling

The host might not have the correct tools to strip a foreign
architecture, therefore we need to use the cross tools.

The crosstools might be built in an architecture that they
cannot strip themselves and since they are not being part of the
packaged toolchain, we will just skip them.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agomake.sh: Avoid calling date when determining elapsed seconds
Michael Tremer [Tue, 22 Feb 2022 12:51:23 +0000 (12:51 +0000)] 
make.sh: Avoid calling date when determining elapsed seconds

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agomake.sh: Follow symlinks when checking if QEMU is static
Michael Tremer [Tue, 22 Feb 2022 12:51:22 +0000 (12:51 +0000)] 
make.sh: Follow symlinks when checking if QEMU is static

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agomake.sh: Do not throw away any error messages when setting ccache size
Michael Tremer [Tue, 22 Feb 2022 12:51:21 +0000 (12:51 +0000)] 
make.sh: Do not throw away any error messages when setting ccache size

This is the first time we will try to enter the chroot environment and
when setting up QEMU fails, we won't see any errors.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agoMerge branch 'master' into next
Arne Fitzenreiter [Tue, 22 Feb 2022 11:40:44 +0000 (11:40 +0000)] 
Merge branch 'master' into next

2 years agocore164: exclude boot/uEnv.txt
Arne Fitzenreiter [Tue, 22 Feb 2022 11:38:15 +0000 (11:38 +0000)] 
core164: exclude boot/uEnv.txt

uEnv.txt was destroyed on aarch64 because here a new u-boot was shipped.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 years agoCore Update 165: Ship oci-setup initscript
Peter Müller [Mon, 21 Feb 2022 21:36:18 +0000 (21:36 +0000)] 
Core Update 165: Ship oci-setup initscript

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2 years agooci: user-data: Try to decode base64 content
Michael Tremer [Mon, 21 Feb 2022 17:24:56 +0000 (17:24 +0000)] 
oci: user-data: Try to decode base64 content

Terraform only supports sending any shell scripts encoded in base64
which is however not required by Oracle. Therefore we have to test if
the script is encoded or not.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
2 years agosamba: Fix rootfiles on ARM
Peter Müller [Mon, 21 Feb 2022 21:28:03 +0000 (21:28 +0000)] 
samba: Fix rootfiles on ARM

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2 years agooci-cli: Depend on python3-jmespath
Michael Tremer [Mon, 21 Feb 2022 18:43:18 +0000 (18:43 +0000)] 
oci-cli: Depend on python3-jmespath

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agooci-cli: Ship egg metadata
Michael Tremer [Mon, 21 Feb 2022 18:43:17 +0000 (18:43 +0000)] 
oci-cli: Ship egg metadata

This package tries to identify if it is actually installed and does that
in a rather unorthodox way. So, thoses files are needed to run the "oci"
command. Only god knows why.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agopython3-terminaltables: New package
Michael Tremer [Mon, 21 Feb 2022 18:43:16 +0000 (18:43 +0000)] 
python3-terminaltables: New package

Required by oci-cli.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agopython3-arrow: New package
Michael Tremer [Mon, 21 Feb 2022 18:43:15 +0000 (18:43 +0000)] 
python3-arrow: New package

Required by oci-cli.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agopython3-click: New package
Michael Tremer [Mon, 21 Feb 2022 18:43:14 +0000 (18:43 +0000)] 
python3-click: New package

Required by oci-python-sdk

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agopython3-pytz: New package
Michael Tremer [Mon, 21 Feb 2022 18:43:13 +0000 (18:43 +0000)] 
python3-pytz: New package

Required by oci-python-sdk

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agopython3-circuitbreaker: New package
Michael Tremer [Mon, 21 Feb 2022 18:43:12 +0000 (18:43 +0000)] 
python3-circuitbreaker: New package

Required by oci-python-sdk

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agomake.sh: Re-order build of some Python modules
Michael Tremer [Mon, 21 Feb 2022 18:43:11 +0000 (18:43 +0000)] 
make.sh: Re-order build of some Python modules

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 years agopython3-cryptography: Fix build against Rust
Michael Tremer [Mon, 21 Feb 2022 18:43:10 +0000 (18:43 +0000)] 
python3-cryptography: Fix build against Rust

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>