Adolf Belka [Wed, 2 Sep 2020 10:48:55 +0000 (12:48 +0200)]
postfix: Update to 3.5.7
- Update postfix from version 3.5.6 to 3.5.7
see ftp://ftp.cs.uu.nl/mirror/postfix/postfix-release/official/postfix-3.5.7.RELEASE_NOTES
Supporting request from Peter Müller
Signed-off-by: Adolf Belka <ahb@ipfire@gmail.com>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 7 Sep 2020 18:26:46 +0000 (20:26 +0200)]
nagios_nrpe: Fix for bug 12337
- added pid_file=/var/run to the configure statement
to give the required pid directory in the default nrpe.cfg file
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
ACPI (with EFI) is used on ARM systems conforming to the
Server Base Boot Requirements (SBBR) and is optional
on embedded systems (EBBR).
Up to now the ARM64 boards supported by IPFire use U-Boot and
device tree so ACPI was not turned on.
The immediate use case here is to run under virtualization,
using my muvirt project[1] I can run IPFire on our Traverse Ten64
system. For reasons I'll explain separately it is not
currently possible to run stock IPFire on this system.
This change also enables the EFI RTC driver which is presented
by the qemu arm64 virt machine.
The configure.ac has a bug that detects gcc-10 as gcc-1 and so does not use
some quirks. Also there is a bug with FORTIFY_SOURCE=2 that crashes
if the matchparen plugin is used (enabled by default).
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This problem is serious because it allows any client, including
browser scripts, to bypass local security and poison the browser
cache and any downstream caches with content from an arbitrary
source.
* SQUID-2020:9 Denial of Service processing Cache Digest Response
(CVE pending allocation)
This problem allows a trusted peer to perform Denial
of Service by consuming all available CPU cycles on the machine
running Squid when handling a crafted Cache Digest response
message.
This problem is serious because it allows any client, including
browser scripts, to bypass local security and poison the proxy
cache and any downstream caches with content from an arbitrary
source.
* Bug 5051: Some collapsed revalidation responses never expire
* SSL-Bump: Support parsing GREASEd (and future) TLS handshakes
* Honor on_unsupported_protocol for intercepted https_port"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Tue, 18 Aug 2020 14:34:37 +0000 (14:34 +0000)]
tshark: Update to version 3.2.6
The version jump from 3.2.3 to 3.2.6 includes several changes.
3.2.4 includes only bugfixes.
3.2.5 includes bugfixes and updated protocols.
3.2.6 also includes bugfixes and updated protocols.
For a full overview, the release notes can be found here:
https://www.wireshark.org/docs/relnotes/
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://gitlab.freedesktop.org/spice/usbredir/-/blob/master/ChangeLog
"-Source code and bug tracker hosted in Freedesktop's instance of Gitlab
-https://gitlab.freedesktop.org/spice/usbredir
-usbredirfilter
-Fix busy wait due to endless recursion when interface_count is zero
-usbredirhost:
-Fix leak on error
-usbredirserver:
-Use 'busnum-devnum' instead of 'usbbus-usbaddr'
-Add support for bind specific address -4 for ipv4, -6 for ipv6
-Reject empty vendorid from command line
-Enable TCP keepalive"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Tue, 14 Jul 2020 19:05:10 +0000 (19:05 +0000)]
Postfix: update to 3.5.4
Please refer to http://www.postfix.org/announcements/postfix-3.5.4.html
for release announcements.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Tue, 14 Jul 2020 20:26:26 +0000 (20:26 +0000)]
Tor: update to 0.4.3.6
Please refer to https://blog.torproject.org/new-release-tor-03511-0428-0436-security-fixes
for release announcements.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.11.21/RELEASE-NOTES-bind-9.11.21.html
"Bug Fixes
named could crash when cleaning dead nodes in lib/dns/rbtdb.c that
were being reused. [GL #1968]
Properly handle missing kyua command so that make check does not
fail unexpectedly when CMocka is installed, but Kyua is not. [GL #1950]
The validator could fail to accept a properly signed RRset if an
unsupported algorithm appeared earlier in the DNSKEY RRset than
a supported algorithm. It could also stop if it detected a malformed
public key. [GL #1689]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Ice Lake Intel CPUs have been found to be vulnerable to MDS, thus
requiring new microcodes for them. <sarcasm>Yay!</sarcasm> Please refer to
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20200616
for further information.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Sat, 15 Aug 2020 15:08:45 +0000 (17:08 +0200)]
OpenVPN: Add tls-version-min for TLSv1.2
ovpnmain.cgi now delivers 'tls-version-min 1.2' for Roadwarrior and N2N.
Since the server needs it only on the server side, this patch does not include it for Roadwarrior clients.
N2N does not use push options, therefore this directive will be included on both sides.
To integrate the new directive into an actual working OpenVPN server environment, the following commands
should be executed via update.sh.
Code block start:
    if test -f "/var/ipfire/ovpn/server.conf"; then
        # Add tls-version-min to the OpenVPN server config if not already there
        if ! grep -q '^tls-version-min' /var/ipfire/ovpn/server.conf > /dev/null 2>&1; then
            # Stop the server before appending the line
            /usr/local/bin/openvpnctrl -k
            # Append the new directive (redirect the echo output into the file,
            # otherwise a file named "tls-version-min 1.2" would be created)
            echo "tls-version-min 1.2" >> /var/ipfire/ovpn/server.conf
            # Make sure server.conf has the correct permissions, to prevent a case such as
            # --> https://community.ipfire.org/t/unable-to-start-the-openvpn-server/2465/54?u=ummeegge
            chown nobody:nobody /var/ipfire/ovpn/server.conf
            # Start the server again
            /usr/local/bin/openvpnctrl -s
        fi
    fi
Code block end
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Tue, 11 Aug 2020 08:15:58 +0000 (08:15 +0000)]
curl: Update to version 7.71.1
Several bugfixes and vulnerabilities have been fixed since the currently available version 7.64.0.
For a full overview, the changelog is located here --> https://curl.haxx.se/changes.html,
and a security problem overview here --> https://curl.haxx.se/docs/security.html .
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Sat, 8 Aug 2020 19:20:42 +0000 (21:20 +0200)]
hyperscan: Update to 5.3.0
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Michael Tremer <Michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Mon, 10 Aug 2020 17:12:19 +0000 (19:12 +0200)]
OpenVPN: max-clients value has been enhanced
The --max-client value has been enhanced from 255 clients to 1024 clients.
The error message now gives an explanation if the maximum has been reached.
Patch has been triggered by https://community.ipfire.org/t/openvpn-max-vpn-clients-quantity-and-connections/2925 .
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sat, 1 Aug 2020 12:13:47 +0000 (12:13 +0000)]
OpenSSL: remove ciphers without Forward Secrecy from default ciphersuite
Ciphers not supplying (Perfect) Forward Secrecy are considered dangerous
since they allow content decryption in retrospect, if an attacker is
able to gain access to the servers' private key used for the
corresponding TLS session.
Since IPFire machines establish very few TLS connections by themselves, and
destinations (IPFire.org infrastructure, mirrors, IPS rule sources, etc.)
provide support for Forward Secrecy ciphers - some are even enforcing
them -, it is safe to drop support for anything else.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
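As an added illustration of the check behind this change (example code, not part of IPFire or this commit): the script below parses cipher suite listings in the format of `openssl ciphers -v` and flags suites whose key exchange is static RSA, which is what denies forward secrecy. The sample listing is constructed, and the set of key exchanges treated as forward-secret is an assumption covering only the common ephemeral (EC)DH and TLS 1.3 cases.

```python
"""Find TLS cipher suites without forward secrecy in `openssl ciphers -v` output."""

# Constructed sample in the format printed by `openssl ciphers -v`:
# NAME PROTOCOL Kx=... Au=... Enc=... Mac=...
SAMPLE = """\
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
"""

# Assumed set of key exchanges that give forward secrecy: ephemeral (EC)DH
# (OpenSSL prints these as Kx=ECDH / Kx=DH) and TLS 1.3 (printed as Kx=any,
# which always negotiates an ephemeral key exchange). Kx=RSA means the
# session keys are encrypted to the server's long-term key, so a later
# compromise of that key decrypts recorded sessions.
FORWARD_SECRET_KX = {"ECDH", "DH", "any"}


def parse_ciphers(text):
    """Yield (name, protocol, key_exchange) for each suite line in the listing."""
    for line in text.splitlines():
        fields = line.split()
        # Skip blank or malformed lines rather than crashing on them.
        if len(fields) < 3 or not fields[2].startswith("Kx="):
            continue
        yield fields[0], fields[1], fields[2][len("Kx="):]


def non_forward_secret(text):
    """Return the names of suites whose key exchange lacks forward secrecy."""
    return [name for name, _proto, kx in parse_ciphers(text)
            if kx not in FORWARD_SECRET_KX]


def forward_secret_cipherstring(text):
    """Build a colon-separated OpenSSL cipher string of the forward-secret suites only."""
    return ":".join(name for name, _proto, kx in parse_ciphers(text)
                    if kx in FORWARD_SECRET_KX)


if __name__ == "__main__":
    # Run against real output with: openssl ciphers -v 'DEFAULT' | python3 this.py
    import sys
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print("suites without forward secrecy:", non_forward_secret(listing))
    print("forward-secret cipher string:", forward_secret_cipherstring(listing))
```

The same exclusion is expressed in OpenSSL's own cipher-string syntax with the `!kRSA` keyword, which removes every suite using RSA key transport.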
Michael Tremer [Fri, 7 Aug 2020 11:50:00 +0000 (11:50 +0000)]
make.sh: Remove -mindirect-branch=thunk and -mfunction-return=thunk as default
I cannot find any evidence that this is helpful and no other
distribution has this as default. Packages that are vulnerable to these
attacks (i.e. the kernel) add these flags as appropriate automatically.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 12 Aug 2020 09:18:44 +0000 (09:18 +0000)]
bacula: Fix build with GCC 10
GCC 10 aborts compilation when numbers are (potentially) out of range
when cast from one type to another:
    fstype.c: In function 'bool fstype(FF_PKT*, char*, int)':
    fstype.c:207:12: error: narrowing conversion of '4283649346' from 'unsigned int' to 'int' [-Wnarrowing]
      207 |       case 0xFF534D42: fstype = "cifs"; break; /* CIFS_MAGIC_NUMBER */
          |            ^~~~~~~~~~
    fstype.c:216:12: error: narrowing conversion of '4187351113' from 'unsigned int' to 'int' [-Wnarrowing]
      216 |       case 0xf995e849: fstype = "hpfs"; break; /* HPFS_SUPER_MAGIC */
          |            ^~~~~~~~~~
    fstype.c:217:12: error: narrowing conversion of '2508478710' from 'unsigned int' to 'int' [-Wnarrowing]
      217 |       case 0x958458f6: fstype = "hugetlbfs"; break; /* HUGETLBFS_MAGIC */
          |            ^~~~~~~~~~
    fstype.c:234:12: error: narrowing conversion of '2768370933' from 'unsigned int' to 'int' [-Wnarrowing]
      234 |       case 0xa501FCF5: fstype = "vxfs"; break;
          |            ^~~~~~~~~~
    fstype.c:237:12: error: narrowing conversion of '2435016766' from 'unsigned int' to 'int' [-Wnarrowing]
      237 |       case 0x9123683e: fstype = "btrfs"; break;
          |            ^~~~~~~~~~
Does nobody build this for 32 bit any more?
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>