Michael Tremer [Wed, 23 May 2018 11:03:06 +0000 (12:03 +0100)]
make.sh: Refactor XZ compression parameters again
I completely ruined this now and therefore I had to make
it new again:
* I split the parameters into smaller chunks now and added
comments about why we have chosen those.
* I move it all to configure_build() since we do not need
to check if the host architecture is 64 bit capable, but
the architecture we are building for.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 21 May 2018 19:54:09 +0000 (20:54 +0100)]
tar seems to ignore the XZ_OPT variable sometimes
This caused the xz command to be called without any
extra arguments. This will now create the tar archive
first and then pass the archive through xz with our
command line switches.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Sun, 20 May 2018 07:30:23 +0000 (09:30 +0200)]
xz: Performance and compression tuning (V1)
Hi,
as mentioned in the "list", we're trying to make the archives as small as possible
using 'xz'-compression.
In order to achieve this, this patch tests the size of the memory available on the
host system.
It sets the xz-memory-limit (--memory=[N]Mib) to 70% of the available working memory,
a maximum of four xz-'worker threads' (-T4) and a compression rate of '-8' (-8).
These options are written to the 'XZ_OPT=' environment.
For details see:
https://linux.die.net/man/1/xz
I have set the number of available xz-'worker threads' (-T) to four (-T4), because during
the final tests the '-T0' parameter led to error messages and stopped: 'cannot allocate memory'.
It wouldn't even run with 90%.
Furthermore, testing with '-T0' led to countless messages filling up '_build.packages.log'.
E.g.:
...
xz: Adjusted the number of threads from 8 to 2 to not exceed the memory usage
limit of 1557 MiB
...
Tests took place on a 32-bit Ubuntu 16.04.4 system with 8 GB RAM and an Intel i7-2600.
Build time was about 04:30 hrs. Perhaps a 64-bit system would perform better (higher
values), but my goal was to make this run on as many systems as possible, so I chose
these averages.
If minimum requirements (1024 MB RAM) are not met, building stops.
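An added example (not IPFire's make.sh) that puts the procedure from this message together with the tar-then-xz workaround from the XZ_OPT commit above; the function names and the /proc/meminfo parsing are assumptions, and --memlimit is the current spelling of the option the message calls --memory:

```shell
#!/bin/sh
# Added example (not IPFire's make.sh): derive xz settings from the RAM of
# the build machine as the commit text describes: limit = 70% of memory,
# four worker threads, preset -8, and refuse to build below 1024 MB.
# Assumes a Linux /proc/meminfo; --memlimit is the current spelling of
# the option the commit calls --memory.

MIN_MEM_MB=1024

# Megabytes of usable RAM, from MemAvailable (falling back to MemTotal).
available_mem_mb() {
    awk '/^MemAvailable:/ { a = $2 }
         /^MemTotal:/     { t = $2 }
         END { if (a == "") a = t; print int(a / 1024) }' /proc/meminfo
}

# 0 if the machine meets the minimum, 1 otherwise (the build should stop).
check_min_mem() {
    [ "$1" -ge "$MIN_MEM_MB" ]
}

# Option string for xz given the RAM in MB: 70% memory limit, -T4, -8.
xz_opts_for_mem() {
    limit_mb=$(( $1 * 70 / 100 ))
    echo "--memlimit=${limit_mb}MiB -T4 -8"
}

# Pack a directory into a .tar.xz. The archive is produced by tar first and
# then piped through xz explicitly, so the switches apply even when tar
# ignores XZ_OPT (the problem the XZ_OPT commit above works around).
compress_tree() {
    src=$1 out=$2 opts=$3
    tar -cf - -C "$src" . | xz $opts > "$out"
}

# Typical use from a build script:
#   mem=$(available_mem_mb)
#   check_min_mem "$mem" || { echo "need ${MIN_MEM_MB} MB RAM" >&2; exit 1; }
#   compress_tree ./build-root build.tar.xz "$(xz_opts_for_mem "$mem")"
```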
Peter Müller [Mon, 7 May 2018 15:01:58 +0000 (17:01 +0200)]
fix aesthetic issues in remote.cgi and ship them
Fix some minor cosmetic issues on remote.cgi as well as a typo in
the language files ("sesstions" -> "sessions"). The changes are
listed in "filelists" for Core Update 121.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Alexander Marx [Wed, 2 May 2018 11:27:07 +0000 (13:27 +0200)]
BUG11559: fwhosts
When creating firewallrules or using firewall groups,
it should be possible to select a single IpSec subnet if there is more than one.
This patch adds the changes to the firewall groups.
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Tested-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Alexander Marx [Wed, 2 May 2018 11:27:06 +0000 (13:27 +0200)]
BUG11559: firewall-lib
When creating firewallrules or using firewall groups,
it should be possible to select a single IpSec subnet if there is more than one.
This patch has necessary changes for the firewall-lib. While the network name of the IpSec changes
on save (subnet is added to name) we need to split the name or normalise the field before using it.
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Tested-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Alexander Marx [Wed, 2 May 2018 11:27:05 +0000 (13:27 +0200)]
BUG11559: firewall.cgi
When creating firewallrules or using firewall groups,
it should be possible to select a single IpSec subnet if there is more than one.
This patch has the changes for firewall.cgi
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Tested-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Alexander Marx [Wed, 2 May 2018 11:27:04 +0000 (13:27 +0200)]
BUG11559: Languagefiles
When creating firewallrules or using firewall groups,
it should be possible to select a single IpSec subnet if there is more than one.
This patch adds a new languagefileword "fwdfw all subnets" which is used in firewall.cgi and fwhosts.cgi
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Tested-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sat, 20 Jan 2018 17:24:31 +0000 (18:24 +0100)]
display active logins at remote.cgi
Display active user logins (both local and remote) at
the remote.cgi page in the WebUI. This might be useful
for debugging broken SSH sessions or simply checking that
nobody is currently logged in. :-)
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
"This version fixes CVE-2018-0494 (Cookie injection vulnerability) found
by Harry Sintonen.
This version fixes several issues, mostly found by OSS-Fuzz.
It also introduces TLS1.3 with OpenSSL, a new option --ciphers and
updates the CSS grammar to version 2.2.
...
Noteworthy changes:
* Fix cookie injection (CVE-2018-0494)
* Enable TLS1.3 with recent OpenSSL environment
* New option --ciphers to set GnuTLS / OpenSSL ciphers directly
* Updated CSS grammar to CSS 2.2
* Fixed several memleaks found by OSS-Fuzz
* Fixed several buffer overflows found by OSS-Fuzz
* Fixed several integer overflows found by OSS-Fuzz
* Several minor bug fixes"
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://lists.gnu.org/archive/html/info-gnu/2018-04/msg00001.html
"* Version 1.34 (2018-03-31)
** libidn: Fix integer overflow in combine_hangul()
Found by fuzzing.
** libidn: Fix integer overflow in punycode decoder
Found by fuzzing, fix for the fix reported by Christian Weisgerber
** libidn: Fix performance issue in idna_to_unicode_internal()
Found by fuzzing.
** libidn: Fix performance issue in stringprep functions.
Found by fuzzing.
** libidn: Fix NULL pointer dereference in g_utf8_normalize()
Found by fuzzing.
** libidn: Fix NULL pointer dereference in stringprep_ucs4_nfkc_normalize()
Found by fuzzing.
** libidn: Increase performance of stringprep functions
Found by fuzzing.
** testing: Add OSS-fuzz integration and regression testing
** build: Update gnulib files
** build: Modernize GTK-Doc build
** build: Fix parallel builds
** build: Add configure flag --disable-doc
** build: Add configure flag --enable-ubsan (enable UB Sanitizer)
** build: Add configure flag --enable-asan (enable Address Sanitizer)
** build: Fix compiler warnings
** build: Fix build for gcc-7
** i18n: Added Swedish translation.
Thanks to Josef Andersson.
** API and ABI is backwards compatible with the previous version."
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sun, 29 Apr 2018 08:20:17 +0000 (10:20 +0200)]
update nagios_nrpe to 3.2.1
Update NRPE to 3.2.1, which fixes various security vulnerabilities
and bugs (changelog is available at:
https://github.com/NagiosEnterprises/nrpe/blob/master/CHANGELOG.md).
Due to changes in ./configure, some options such as initsystem (sysV)
need to be specified now. Also, simple "make" does not exist anymore
and must be replaced by "make all".
Rootfile information is now included which was missing in the
first version of this patch.
This fixes #11700 and partly addresses #11551.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
kernel: disable crng unseeded use message spamming
There was a bug until 4.14.36 that caused this message not to be printed at all;
now it works and spams the log at boot.
For security it is a nightmare to use unseeded random, but we and the user
cannot do anything. This is work for platform maintainers to get the crng
working earlier.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Thu, 26 Apr 2018 19:44:56 +0000 (21:44 +0200)]
remove forgotten Nagios files, if any
When we decided to drop Nagios, some files were not removed on the
installations. Since the package does not exist anymore, "pakfire remove
nagios" does not work so we need to clean them up manually in case they
exist.
The third version of this patch makes sure Apache is restarted
afterwards, and includes some forgotten files [sic] as well as it is
now applying for Core Update 121.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Thu, 26 Apr 2018 15:31:46 +0000 (17:31 +0200)]
BUG:11312 Fix renaming GeoIP groups
When renaming a GeoIP Group, the corresponding names in
firewallrules (if any) are not changed accordingly. Now
when changing a GeoIP Group the firewallrules are renamed
correctly.
Slightly improved first version of this patch (contained
a blank line with trailing whitespace). No functionality
changed, patch has been confirmed as working correctly.
Fixes: #11312
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 24 Apr 2018 09:47:16 +0000 (10:47 +0100)]
ipsec: Open ports in outgoing direction
When the firewall policy is blocked, no outgoing IPsec connections
can be established. That is slightly counter-intuitive since we
open ports in the incoming direction automatically.
Fixes: #11704
Reported-by: Oliver Fuhrer <oliver.fuhrer@bluewin.ch>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sat, 21 Apr 2018 16:44:45 +0000 (18:44 +0200)]
update ClamAV to 0.100.0
Update ClamAV to 0.100.0, which brings some new features and bugfixes
(release notes are available here: https://blog.clamav.net/2018/04/clamav-01000-has-been-released.html).
Since the internal LLVM code is now deprecated and disabled by default,
patching clamav/libclamav/c++/llvm/lib/ExecutionEngine/JIT/Intercept.cpp
does not seem to be necessary anymore.
Further, the --disable-zlib-vcheck option has been removed since it
produces warnings during compilation.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>