Peter Müller [Mon, 5 Oct 2020 19:45:31 +0000 (19:45 +0000)]
sysctl.conf: prevent autoloading of TTY line disciplines
Malicious/vulnerable TTY line disciplines have been the subject of some
kernel exploits such as CVE-2017-2636, and since - to put it in Greg
Kroah-Hartman's words - we do not "trust the userspace to do the right
thing", this reduces local kernel attack surface.
Further, there is no legitimate reason why an unprivileged user should
load kernel modules during runtime, anyway.
See also:
- https://lkml.org/lkml/2019/4/15/890
- https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Mon, 5 Oct 2020 14:12:18 +0000 (14:12 +0000)]
sysctl.conf: prevent unintentional writes into attacker-controlled files and FIFOs
Similar to hard- and symlink protection introduced a while ago, this
patch enables protections against unintentional writes into
attacker-controlled regular files or FIFOs, where a program expected to
create new ones. This makes exploiting TOCTOU flaws harder.
See also: https://www.kernel.org/doc/Documentation/sysctl/fs.txt
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Thu, 1 Oct 2020 13:19:22 +0000 (15:19 +0200)]
freeradius: Update to version 3.0.21
Update includes several fixes (incl. CVE-2019-17185) and feature improvements.
A full overview of all changes can be found in here --> https://raw.githubusercontent.com/FreeRADIUS/freeradius-server/v3.0.x/doc/ChangeLog .
The freeradius-no-buildtime-cert-gen patch applies also with this version.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Thu, 1 Oct 2020 12:45:48 +0000 (14:45 +0200)]
lynis: Update to version 3.0.0
Several fixes (incl. CVE-2019-13033 and CVE-2020-13882) and features have been added since the last version 2.6.4.
For a full overview of the changes take a look in here --> https://cisofy.com/changelog/lynis/ .
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Thu, 1 Oct 2020 12:37:14 +0000 (14:37 +0200)]
libsolv: Update to version 0.7.14
Several fixes and features have been added.
A full overview of all changes can be found in here --> https://github.com/openSUSE/libsolv/blob/master/package/libsolv.changes .
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Wed, 30 Sep 2020 14:46:07 +0000 (14:46 +0000)]
sysctl.conf: drop RST packets for sockets in TIME-WAIT state
RFC 1337 describes various TCP (side channel) attacks against
prematurely closed connections stalling in TIME-WAIT state, such as DoS
or injecting arbitrary TCP segments, and recommends silently discarding
RST packets for sockets in this state.
While applications still tied to such sockets should tolerate invalid
input (thanks to Jon Postel), there is little legitimate reason to send
such RST packets altogether.
At the time of writing, no collateral damage related to active RFC 1337
implementations is known. Measurements in productive environments did
not reveal any side effects either, which is why I consider enabling RFC
1337 implementation to be a safe change.
See also: https://tools.ietf.org/html/rfc1337
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
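For the three sysctl.conf commits above (no autoloading of TTY line disciplines, protection of regular files and FIFOs against unintentional writes, and dropping RSTs for TIME-WAIT sockets per RFC 1337), here is an added audit script that is not part of IPFire or of these commits. It assumes the upstream kernel sysctl names dev.tty.ldisc_autoload, fs.protected_regular, fs.protected_fifos and net.ipv4.tcp_rfc1337; the minimum values it checks are this example's own assumption derived from the commit descriptions (the commits do not quote the values they set), and the fake /proc/sys tree it can build is constructed for offline demonstration.

```shell
#!/bin/sh
# Hardening audit for the sysctl.conf changes described above.
# Added example; not IPFire's sysctl.conf and not part of the commits.
# Sysctl names are the upstream kernel ones (dev.tty.ldisc_autoload needs
# kernel >= 5.1, fs.protected_regular/fifos need >= 4.19). The expected
# values are an assumption of this example:
#   dev.tty.ldisc_autoload = 0   -> no autoloading of TTY line disciplines
#   fs.protected_regular  >= 1   -> refuse O_CREAT opens of others' files in sticky dirs
#   fs.protected_fifos    >= 1   -> same for FIFOs
#   net.ipv4.tcp_rfc1337   = 1   -> drop RST for sockets in TIME-WAIT

# Read one sysctl from a /proc/sys-style tree.
# $1 = tree root (e.g. /proc/sys), $2 = dotted key.
# Prints the value, or "missing" if the kernel does not know the key.
sysctl_read() {
    root="$1"
    path="$root/$(printf '%s' "$2" | tr . /)"
    if [ -r "$path" ]; then
        cat "$path"
    else
        echo missing
    fi
}

# Check every key, print one line per key, return 0 only if all pass.
# $1 = tree root (use /proc/sys on a live system).
check_hardening() {
    root="$1"
    failed=0
    while read -r key op want; do
        [ -n "$key" ] || continue
        have=$(sysctl_read "$root" "$key")
        # $op is intentionally unquoted: it is a test(1) operator
        if [ "$have" != missing ] && [ "$have" $op "$want" ]; then
            echo "ok      $key=$have"
        else
            echo "FAIL    $key=$have (want $op $want)"
            failed=1
        fi
    done <<EOF
dev.tty.ldisc_autoload -eq 0
fs.protected_regular -ge 1
fs.protected_fifos -ge 1
net.ipv4.tcp_rfc1337 -eq 1
EOF
    return $failed
}

# Build a constructed /proc/sys tree so the audit can be exercised offline.
# $1 = directory to populate, remaining args = "key=value" pairs.
make_fake_procsys() {
    root="$1"; shift
    for kv in "$@"; do
        key=${kv%%=*}; val=${kv#*=}
        path="$root/$(printf '%s' "$key" | tr . /)"
        mkdir -p "$(dirname "$path")"
        printf '%s\n' "$val" > "$path"
    done
}

# Usage on a live system: sh audit.sh /proc/sys
if [ "$#" -gt 0 ]; then
    check_hardening "$1"
fi
```

Running it with `/proc/sys` as the argument reports a FAIL line for every setting that is absent or still at its permissive default, which is the check to run after deploying the new sysctl.conf, since a key the running kernel does not know is reported as missing rather than silently passed.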
Erik Kapfer [Wed, 30 Sep 2020 13:06:07 +0000 (15:06 +0200)]
stunnel: Update to version 5.56
The version jump from 5.44 to 5.56 includes several 'LOW' and 'HIGH' urgent bugfixes which are also security-relevant.
A full overview of fixes and new features can be found in here --> https://www.stunnel.org/NEWS.html .
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Wed, 30 Sep 2020 13:18:49 +0000 (15:18 +0200)]
keepalived: Update to version 2.1.5
The version jump from 2.0.20 to 2.1.5 includes several improvements and fixes.
The release notes can be overviewed in here --> https://www.keepalived.org/release-notes/Release-2.1.4.html .
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 29 Sep 2020 07:21:30 +0000 (09:21 +0200)]
openssh: Update to 8.4p1
- Update openssh from version 8.3p1 to 8.4p1
See https://www.openssh.com/releasenotes.html
See https://www.openssh.com/portable.html#http for mirrors for source file
- No change to rootfiles
- Installed on virtual ipfire testbed and ssh connection successfully operated
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 29 Sep 2020 18:48:05 +0000 (20:48 +0200)]
bacula: Update to 9.6.6
- Update bacula from version 9.6.5 to 9.6.6
This is a minor bug release
See https://sourceforge.net/projects/bacula/files/bacula/9.6.6/ReleaseNotes/
Source file available at https://sourceforge.net/projects/bacula/files/bacula/9.6.6/bacula-9.6.6.tar.gz
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 29 Sep 2020 18:48:29 +0000 (20:48 +0200)]
bacula: Update to backup/includes definition
- Modified backup/includes file to back up the /var/bacula/working directory contents
rather than explicitly naming the state filename.
State filename could vary if the user modifies the port number for the file daemon,
as the port number is part of the state filename.
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Tue, 29 Sep 2020 08:45:27 +0000 (10:45 +0200)]
iptraf-ng: Update to version 1.2.1
Update includes several fixes and enhancements.
The full overview of changes is located in here --> https://github.com/iptraf-ng/iptraf-ng/blob/master/CHANGES .
rvnamed has been merged into iptraf-ng.
The fix-division-by-zero patch has been merged into the new version; the patch is not needed anymore.
A logrotate configuration for iptraf-ng has been included.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Tue, 29 Sep 2020 08:53:21 +0000 (10:53 +0200)]
nginx: Update to version 1.19.2
Several bugfixes and features have been integrated since version 1.17.8.
A full overview of all changes is located in here --> https://github.com/nginx/nginx-releases/blob/master/CHANGES .
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Tue, 29 Sep 2020 09:17:33 +0000 (11:17 +0200)]
git: Update to version 2.28.0
Several changes have been made since version 2.12.2.
The documentation RelNotes of Git can be found in here --> https://github.com/git/git/tree/master/Documentation/RelNotes .
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Tue, 22 Sep 2020 18:25:06 +0000 (20:25 +0200)]
ipinfo.cgi: Display network flags of the given addresses.
Use the libloc data for gathering and displaying the stored network
flags, like "Anonymous Proxy" for the addresses.
The notice of a flag will only be displayed if a flag is set for the
network which contains the given address.
Currently this notice text is "hardcoded" in the English language, because
the entire other content of the page is in English (responses from RIRs)
and also the flag names like "Anonymous Proxy" are only available in
English.
IMHO there is no need to translate the string "This address is marked
as" into different languages, because of the reasons above.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
New package: lmdb 0.9.24 - required for knot 3.0.0
Lightning Memory-mapped Database from symas.
For details see:
https://symas.com/lmdb/
In contrast to the information from the knot documentation
(see: https://www.knot-dns.cz/docs/3.0/html/requirements.html#required-libraries),
this library is no longer included.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 7 Sep 2020 11:48:54 +0000 (13:48 +0200)]
conntrack-tools: Update to 1.4.6
- Update conntrack-tools from version 1.4.5 to 1.4.6
Supporting request from Peter Müller
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 7 Sep 2020 11:48:36 +0000 (13:48 +0200)]
libnetfilter_conntrack: Update to 1.0.8
- Update libnetfilter_conntrack from version 1.0.7 to 1.0.8
- No change to rootfiles
Supporting request from Peter Müller
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 7 Sep 2020 11:48:07 +0000 (13:48 +0200)]
libnetfilter_queue: Update to 1.0.5
- Update libnetfilter_queue from version 1.0.3 to 1.0.5
Supporting request from Peter Müller
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 7 Sep 2020 11:45:37 +0000 (13:45 +0200)]
iptables: Update to 1.8.5
- Update iptables from version 1.8.3 to 1.8.5
See: https://www.netfilter.org/projects/iptables/files/changes-iptables-1.8.5.txt
Supporting request from Peter Müller
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>