git.ipfire.org Git - ipfire-2.x.git/log
Arne Fitzenreiter [Tue, 16 Jul 2019 09:14:41 +0000 (11:14 +0200)]
unbound: rework dns-forwarder handling
Add a check whether the red interface has an IPv4 address before testing the servers at
red up, and simply remove the forwarders in the down process.
This also fixes the hang at dhcpd shutdown.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sun, 14 Jul 2019 14:38:00 +0000 (14:38 +0000)]
unbound-dhcp-leases-bridge: handle PTR generation parameter
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reported-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Arne Fitzenreiter [Sun, 14 Jul 2019 05:45:51 +0000 (07:45 +0200)]
unbound: update root.hints to 2019070301
IPv4 of server B has changed. Other changes are whitespace only.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Tue, 9 Jul 2019 08:54:55 +0000 (09:54 +0100)]
core135: Ship updated squid
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Wed, 10 Jul 2019 12:20:22 +0000 (14:20 +0200)]
squid: Update to 4.8
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sat, 6 Jul 2019 09:34:00 +0000 (09:34 +0000)]
Core Update 135: ship updated tzdata
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 4 Jul 2019 10:21:42 +0000 (11:21 +0100)]
core135: Ship updated sysctl.conf
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Thu, 4 Jul 2019 19:15:00 +0000 (19:15 +0000)]
sysctl: improve KASLR effectiveness for mmap
By feeding more random bits into mmap allocation, the
effectiveness of KASLR will be improved, making attacks
trying to bypass address randomisation more difficult.
Changed sysctl values are:
vm.mmap_rnd_bits = 32 (default: 28)
vm.mmap_rnd_compat_bits = 16 (default: 8)
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Arne Fitzenreiter [Thu, 4 Jul 2019 18:42:47 +0000 (20:42 +0200)]
unbound: check if red/iface exists before reading it
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Thu, 4 Jul 2019 17:51:00 +0000 (17:51 +0000)]
tzdata: update to 2019b
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 3 Jul 2019 13:57:04 +0000 (14:57 +0100)]
core135: Ship forgotten ddns package
This was updated before, but I forgot to ship it in the updater.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 1 Jul 2019 06:55:53 +0000 (07:55 +0100)]
core135: Ship cloud-init changes
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 1 Jul 2019 06:54:19 +0000 (07:54 +0100)]
Revert "Generate a VHD image"
This reverts commit ee0e3beb39da302fb9735b8b3846ee675192b350.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 21 Jun 2019 03:54:54 +0000 (04:54 +0100)]
azure: Do not drop last byte of MAC addresses
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 16 Jun 2019 12:39:07 +0000 (13:39 +0100)]
Enable serial console on all Azure instances
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 15 Jun 2019 10:22:28 +0000 (11:22 +0100)]
cloud-init: Move detection functions into initscript function library
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 13 Jun 2019 11:18:52 +0000 (12:18 +0100)]
Generate a VHD image
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 14 Jun 2019 16:28:39 +0000 (16:28 +0000)]
cloud-init: Import experimental configuration script for Azure
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 14 Jun 2019 15:42:09 +0000 (15:42 +0000)]
cloud-init: Execute setup script for Azure if needed
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 14 Jun 2019 15:31:35 +0000 (15:31 +0000)]
cloud-init: Add function to detect if we are running on Azure
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 14 Jun 2019 15:25:40 +0000 (15:25 +0000)]
Rename AWS initscript to cloud-init
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 21 Jun 2019 03:54:47 +0000 (04:54 +0100)]
flash-image: Align image to 1MB boundary
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 1 Jul 2019 06:52:57 +0000 (07:52 +0100)]
core135: Ship updated packages/files
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 1 Jul 2019 06:50:48 +0000 (07:50 +0100)]
Start Core Update 135
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Fri, 28 Jun 2019 08:23:41 +0000 (10:23 +0200)]
nettle: Update to 3.5.1
For details see:
https://git.lysator.liu.se/nettle/nettle/blob/master/ChangeLog
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Thu, 27 Jun 2019 20:07:40 +0000 (22:07 +0200)]
dhcpcd: Update to 7.2.3
For details see:
https://roy.marples.name/blog/dhcpcd-7-2-3-released
"Minor update with the following changes:
OpenBSD: compiles again
BSD: Check RTM lengths in case of kernel issues
DHCP6: Don't stop even when last router goes away
DHCP6: Fix inform from RA
hostname: Fix short hostname check"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Arne Fitzenreiter [Sat, 29 Jun 2019 09:36:49 +0000 (11:36 +0200)]
unbound: use nic carrier instead of /var/ipfire/red/active
This speeds up boot with static settings and no link, and with
DHCP on Intel NICs if the MTU is changed by the DHCP lease,
because the NIC loses the carrier and restarts the DHCP action
when the MTU is set.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Thu, 27 Jun 2019 16:18:41 +0000 (18:18 +0200)]
kernel: update to 4.14.131
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 24 Jun 2019 13:39:30 +0000 (14:39 +0100)]
linux: Fix rootfile to ship GeoIP modules
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Mon, 24 Jun 2019 11:07:32 +0000 (13:07 +0200)]
mc: Update to 4.8.23
For details see:
http://midnight-commander.org/wiki/NEWS-4.8.23
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Arne Fitzenreiter [Sat, 22 Jun 2019 18:59:32 +0000 (20:59 +0200)]
intel-microcode: update to 20190618
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sat, 22 Jun 2019 14:01:16 +0000 (16:01 +0200)]
Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
Arne Fitzenreiter [Sat, 22 Jun 2019 14:00:37 +0000 (16:00 +0200)]
kernel: 4.14.129
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sat, 22 Jun 2019 06:47:55 +0000 (08:47 +0200)]
finish core134
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Fri, 21 Jun 2019 00:39:42 +0000 (01:39 +0100)]
Update contributors
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 21 Jun 2019 00:38:59 +0000 (01:38 +0100)]
core134: Ship updated firewall initscript
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 21 Jun 2019 00:38:22 +0000 (01:38 +0100)]
core134: Ship updated bind
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Fri, 21 Jun 2019 12:31:26 +0000 (14:31 +0200)]
bind: Update to 9.11.8
For Details see:
https://downloads.isc.org/isc/bind9/9.11.8/RELEASE-NOTES-bind-9.11.8.html
"Security Fixes
A race condition could trigger an assertion failure when a large number
of incoming packets were being rejected.
This flaw is disclosed in CVE-2019-6471. [GL #942]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Alexander Marx [Thu, 20 Jun 2019 05:04:30 +0000 (07:04 +0200)]
BUG12015: Redirecting to Captive portal does not work after IPFire restart
When the Captive portal is enabled, the needed firewall rules are applied. But when restarting IPFire,
the rules are not applied because there is no call to do so.
Added call to captivectrl in the initscript 'firewall'.
Fixes: #12015
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Arne Fitzenreiter [Fri, 21 Jun 2019 09:58:58 +0000 (11:58 +0200)]
core134: ship core133 late fixes again
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Thu, 20 Jun 2019 07:35:59 +0000 (09:35 +0200)]
Merge remote-tracking branch 'origin/master' into next
Arne Fitzenreiter [Thu, 20 Jun 2019 07:33:17 +0000 (09:33 +0200)]
kernel: remove RPi DMA alignment revert
TODO: test if RPi works without now or if we need to
revert more of the alignment patches.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Wed, 19 Jun 2019 19:01:29 +0000 (21:01 +0200)]
Kernel: update to 4.14.128
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Tue, 18 Jun 2019 21:35:23 +0000 (22:35 +0100)]
core134: Ship updated vim
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Wed, 19 Jun 2019 11:24:06 +0000 (13:24 +0200)]
Remove old vim 7.4 data
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Wed, 19 Jun 2019 11:24:05 +0000 (13:24 +0200)]
vim: Update to 8.1
Please note:
If this gets merged, the update process must deal with the otherwise remaining
files in '/usr/share/vim74' (~16 MB).
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stéphane Pautrel [Tue, 18 Jun 2019 19:01:23 +0000 (20:01 +0100)]
Update French translation
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Arne Fitzenreiter [Tue, 18 Jun 2019 16:49:46 +0000 (18:49 +0200)]
core134: add kernel to updater
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Tue, 18 Jun 2019 16:42:02 +0000 (18:42 +0200)]
Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
Arne Fitzenreiter [Tue, 18 Jun 2019 16:41:19 +0000 (18:41 +0200)]
kernel: update to 4.14.127
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Tue, 18 Jun 2019 12:36:02 +0000 (14:36 +0200)]
linux-pae: fix grub.conf creation on pv machines
On some systems it seems that grub2 and its config also exist.
Michael Tremer [Tue, 18 Jun 2019 08:13:21 +0000 (09:13 +0100)]
core134: Ship changed general-functions.pl
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Alexander Marx [Tue, 18 Jun 2019 07:55:35 +0000 (09:55 +0200)]
BUG12070: It's not possible to use the underscore in email addresses
IPFire's Mailservice does not allow entering a sender's mail address with the underscore.
The function used to verify that is used from general-functions.pl.
Now the function 'validemail' allows the underscore in the address.
Fixes: #12070
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 17 Jun 2019 16:40:37 +0000 (17:40 +0100)]
core134: Ship updated unbound
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Mon, 17 Jun 2019 19:11:00 +0000 (21:11 +0200)]
unbound: Update to 1.9.2
For details see:
https://nlnetlabs.nl/pipermail/unbound-users/2019-June/011632.html
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Mon, 17 Jun 2019 14:08:00 +0000 (14:08 +0000)]
vpnmain.cgi: Fix writing ESP settings for PFS ciphers
The changes introduced due to #12091 caused IPsec ESP
to be invalid if PFS ciphers were selected. Code has
to read "!$pfs" instead of just "$pfs", as it should trigger
for ciphers _without_ Perfect Forward Secrecy.
Fixes #12099
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Arne Fitzenreiter [Sat, 15 Jun 2019 16:09:06 +0000 (18:09 +0200)]
Merge branch 'master' into next
Arne Fitzenreiter [Sat, 15 Jun 2019 15:38:47 +0000 (17:38 +0200)]
vpnmain.cgi: remove wrong "shift-space"
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Fri, 14 Jun 2019 20:09:47 +0000 (22:09 +0200)]
hyperscan: increase min RAM per buildprocess to 1GB
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Fri, 14 Jun 2019 05:22:52 +0000 (06:22 +0100)]
core133: Ship jansson in update
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Arne Fitzenreiter [Wed, 12 Jun 2019 17:57:21 +0000 (19:57 +0200)]
finish core133
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Wed, 12 Jun 2019 16:25:13 +0000 (17:25 +0100)]
core134: Ship updated OpenSSL
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Mon, 10 Jun 2019 18:55:00 +0000 (18:55 +0000)]
OpenSSL: lower priority for CBC ciphers in default cipherlist
In order to avoid CBC ciphers as often as possible (they contain
some known vulnerabilities), this changes the OpenSSL default
ciphersuite to:
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(128) Mac=SHA256
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA256
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
CAMELLIA256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA256
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
CAMELLIA128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
Since TLS servers usually override the clients' preference with their
own, this will neither break existing setups nor introduce huge
differences in the wild. Unfortunately, CBC ciphers cannot be disabled
at all, as they are still used by popular web sites.
TLS 1.3 ciphers will be added implicitly and can be omitted in the
cipherstring. Chacha20/Poly1305 is preferred over AES-GCM due to missing
AES-NI support for the majority of installations reporting to Fireinfo
(see https://fireinfo.ipfire.org/processors for details, AES-NI support
is 28.22% at the time of writing).
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 12 Jun 2019 16:18:23 +0000 (17:18 +0100)]
Start Core Update 134
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 12 Jun 2019 16:14:28 +0000 (17:14 +0100)]
unbound: Make some zones type-transparent
If we remove other records (like MX) from the response, we won't
be able to send mail to those hosts any more.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 12 Jun 2019 16:11:32 +0000 (17:11 +0100)]
unbound: Add yandex.com to safe search feature
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 13 Jun 2019 10:12:07 +0000 (11:12 +0100)]
unbound: safe search: Resolve hosts at startup
unbound is not able to expand CNAMEs in local-data. Therefore we
have to do it manually at startup.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Mon, 10 Jun 2019 19:02:00 +0000 (19:02 +0000)]
Tor: fix permissions after updating, too
Fixes #12088
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reported-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 11 Jun 2019 06:00:38 +0000 (07:00 +0100)]
core133: Ship updated wpa_supplicant
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Tue, 11 Jun 2019 13:32:15 +0000 (15:32 +0200)]
wpa_supplicant: Update to 2.8
For details see:
https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 11 Jun 2019 17:07:23 +0000 (17:07 +0000)]
smt: Only disable SMT when the kernel thinks it is vulnerable
On virtual machines, it does not make sense to disable SMT for the
virtual cores. This has to be done by the hypervisor.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Mon, 10 Jun 2019 18:22:00 +0000 (18:22 +0000)]
ship language files in Core Update 133
These were missing in Core Update 132, and some strings
(especially on the "CPU vulnerabilities" page) missed translations.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 10 Jun 2019 08:58:15 +0000 (09:58 +0100)]
Rootfile update
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Sun, 9 Jun 2019 15:55:34 +0000 (17:55 +0200)]
convert-ids-modifysids-file: Fix check if the ids is running.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Sun, 9 Jun 2019 10:10:07 +0000 (12:10 +0200)]
hostapd: Update to 2.8
For details see:
https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 8 Jun 2019 10:34:37 +0000 (11:34 +0100)]
Rootfile update
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 7 Jun 2019 10:14:11 +0000 (11:14 +0100)]
Rootfile update
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 7 Jun 2019 10:13:01 +0000 (11:13 +0100)]
core133: Ship updated knot package
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Thu, 6 Jun 2019 18:30:56 +0000 (20:30 +0200)]
knot: Update to 2.8.2
For details see:
https://www.knot-dns.cz/2019-06-05-version-282.html
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 5 Jun 2019 11:46:37 +0000 (12:46 +0100)]
Update contributors
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Tue, 4 Jun 2019 13:00:24 +0000 (15:00 +0200)]
suricata: Enable EVE logging
The EVE output facility outputs alerts, metadata, file info and protocol specific records through JSON.
For further information please see: https://suricata.readthedocs.io/en/suricata-4.1.2/output/eve/index.html
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Acked-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Wed, 5 Jun 2019 18:56:35 +0000 (20:56 +0200)]
convert-ids-modifysids-file: Adjust code to use changed write_modify_sids_file function
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 5 Jun 2019 11:42:53 +0000 (12:42 +0100)]
core133: Ship snort configuration converter
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Wed, 5 Jun 2019 18:56:34 +0000 (20:56 +0200)]
convert-snort: Adjust code to use changed modify_sids_file function.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Wed, 5 Jun 2019 18:56:33 +0000 (20:56 +0200)]
ids-functions.pl: Rework function write_modify_sids_file().
Directly implement the logic to determine the used ruleset and if
IDS or IPS mode should be used into the function instead of pass those
details as arguments.
This helps to prevent doing this stuff at several places again and again.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 5 Jun 2019 11:41:37 +0000 (12:41 +0100)]
core133: Ship IPS changes
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Tim FitzGeorge [Wed, 5 Jun 2019 18:56:32 +0000 (20:56 +0200)]
suricata: correct rule actions in IPS mode
In IPS mode, rule actions need to have the action 'drop' for the
protection to work; however, this is not appropriate for all rules.
Modify the generator for oinkmaster-modify-sids.conf to leave
rules with the action 'alert' where this is appropriate. Also add
a script to be run on update to correct existing downloaded rules.
Fixes #12086
Signed-off-by: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Tested-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 5 Jun 2019 11:34:44 +0000 (12:34 +0100)]
core133: Ship IDS ruleset updater
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Wed, 5 Jun 2019 16:27:10 +0000 (18:27 +0200)]
update-ids-ruleset: Run as unprivileged user.
Check if the script has been launched as privileged user (root) and drop all
permissions by switching to the "nobody" user and group.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 5 Jun 2019 04:08:31 +0000 (05:08 +0100)]
core133: Ship updated vpnmain.cgi file and regenerate configuration
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 5 Jun 2019 09:22:53 +0000 (10:22 +0100)]
vpnmain.cgi: Fix wrong cipher suite generation when PFS is disabled
Fixes: #12091
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Wed, 5 Jun 2019 09:54:29 +0000 (11:54 +0200)]
monit: Some fixes for 'monitrc'
Just cosmetics:
Removed all trailing spaces - there were a few...
Activated 'monit' start delay:
I activated this option to avoid running into a race condition while started through
'/etc/init.d/monit start'.
As mentioned in 'monit' manual:
"...if a service is slow to start, Monit can assume that the service is not running
and possibly try to start it [again] and raise an alert, while, in fact the service
is already about to start or already in its startup sequence."
This happened here during testing with (e.g.) Clamav.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 4 Jun 2019 23:33:36 +0000 (00:33 +0100)]
core133: Ship updated dhcp.cgi
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Bernhard Bitsch [Tue, 4 Jun 2019 10:24:00 +0000 (12:24 +0200)]
dhcp.cgi: Save fixed leases immediately after addition of a new lease
This changes the behaviour of the script to immediately save the added
lease to file but still remain in edit mode to make changes.
If the user does not make any changes, the lease is immediately saved
and there is no second click required to write it to file.
This is a more natural flow that is expected by almost all users of this
feature.
Fixes: #12050
Signed-off-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 4 Jun 2019 22:55:17 +0000 (23:55 +0100)]
SMT: Disable when system is vulnerable to L1TF (Foreshadow)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 4 Jun 2019 22:44:49 +0000 (23:44 +0100)]
Rootfile update for ARM kernels
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 4 Jun 2019 22:41:59 +0000 (23:41 +0100)]
Rootfile update for gcc on i586
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 4 Jun 2019 22:32:35 +0000 (23:32 +0100)]
core133: Ship updated PAM
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Wed, 5 Jun 2019 07:16:58 +0000 (09:16 +0200)]
linux-pam: Update to 1.3.1
For details see:
https://github.com/linux-pam/linux-pam/releases
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 4 Jun 2019 22:31:51 +0000 (23:31 +0100)]
core133: Ship updated rrdtool
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>