git.ipfire.org Git - ipfire-2.x.git/log
Peter Müller [Sun, 4 Mar 2018 17:26:52 +0000 (18:26 +0100)]
test if nameservers with DNSSEC support return "ad"-flagged data
DNSSEC-validating nameservers return an "ad" (Authenticated Data)
flag in the DNS response header. This can be used as a negative
indicator for DNSSEC validation: In case a nameserver does not
return the flag, but fails to look up a domain with an invalid
signature, it does not support DNSSEC validation.
This makes it easier to detect nameservers which do not fully
comply with the RFCs or try to tamper with DNS queries.
See bug #11595 (https://bugzilla.ipfire.org/show_bug.cgi?id=11595) for further details.
The second version of this patch avoids unnecessary usage of
grep. Thanks to Michael Tremer for the hint.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sun, 4 Mar 2018 17:03:04 +0000 (18:03 +0100)]
Tor: update to 0.3.2.10
Update Tor to 0.3.2.10, which fixes some security and DoS
issues especially important for relays.
The release notes are available at:
https://blog.torproject.org/new-stable-tor-releases-security-fixes-and-dos-prevention-03210-03110-02915
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Fixes: #11662
Peter Müller [Sun, 4 Mar 2018 16:57:15 +0000 (17:57 +0100)]
ClamAV: update to 0.99.4
Update ClamAV to 0.99.4 which fixes four security issues
and compatibility issues with GCC 6 and C++ 11.
The release note can be found here: http://blog.clamav.net/2018/03/clamav-0994-has-been-released.html
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 1 Mar 2018 19:58:11 +0000 (19:58 +0000)]
vpnmain.cgi: Fix reading common names from certificates
OpenSSL has changed the output of the subject lines of
certificates.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 28 Feb 2018 11:55:35 +0000 (11:55 +0000)]
apache: Require TLSv1.2 for access to the web user interface
This will work fine for FF 27 or newer, Chrome 30 or newer,
IE 11 on Windows 7 or newer, Opera 17 or newer, Safari 9 or
newer, Android 5.0 or newer and Java 8 or newer
Since IPFire is not supposed to host any other applications and
all have been removed in the last few Core Updates, only the web
user interface is served over HTTPS here. We clearly prefer
security over compatibility.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Tue, 7 Nov 2017 19:51:32 +0000 (20:51 +0100)]
change Apache TLS cipher list to "Mozilla Modern"
Change the TLS cipher list of Apache to "Mozilla Modern".
ECDSA is preferred over RSA to save CPU time on both server
and client. Clients without support for TLS 1.2 and AES will
experience connection failures.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 28 Feb 2018 11:49:47 +0000 (11:49 +0000)]
openssl: Apply ciphers patch before running Configure
This works just fine here.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller via Development [Tue, 27 Feb 2018 17:35:22 +0000 (18:35 +0100)]
set OpenSSL 1.1.0 DEFAULT cipher list to secure value
Only use secure cipher list for the OpenSSL DEFAULT list:
* ECDSA is preferred over RSA since it is faster and more scalable
* TLS 1.2 suites are preferred over anything older
* weak ciphers such as RC4 and 3DES have been eliminated
* AES-GCM is preferred over AES-CBC (known as "mac-then-encrypt" problem)
* ciphers without PFS are moved to the end of the cipher list
This patch leaves AES-CCM, AES-CCM8 and CHACHA20-POLY1305 suites
where they are since they are considered secure and there is no
need to change anything.
The DEFAULT cipher list is now (output of "openssl ciphers -v"):
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM8(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM8 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM8(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(128) Mac=SHA256
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(256) Mac=SHA384
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(128) Mac=SHA256
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES256-CCM8 TLSv1.2 Kx=DH Au=RSA Enc=AESCCM8(256) Mac=AEAD
DHE-RSA-AES256-CCM TLSv1.2 Kx=DH Au=RSA Enc=AESCCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-CCM8 TLSv1.2 Kx=DH Au=RSA Enc=AESCCM8(128) Mac=AEAD
DHE-RSA-AES128-CCM TLSv1.2 Kx=DH Au=RSA Enc=AESCCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA256
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-CCM8 TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM8(256) Mac=AEAD
AES256-CCM TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM(256) Mac=AEAD
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-CCM8 TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM8(128) Mac=AEAD
AES128-CCM TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM(128) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
CAMELLIA256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA256
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
CAMELLIA128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
This has been discussed at 2017-12-04 (https://wiki.ipfire.org/devel/telco/2017-12-04)
and for a similar patch written for OpenSSL 1.0.x.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 28 Feb 2018 10:48:29 +0000 (10:48 +0000)]
core120: Call openvpnctrl with full path
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 26 Feb 2018 16:28:16 +0000 (16:28 +0000)]
Bump release of all packages linked against OpenSSL
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 26 Feb 2018 16:22:32 +0000 (16:22 +0000)]
core120: Ship everything that is linked against OpenSSL
This will make sure that everything is using the new version
of the library.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 26 Feb 2018 15:37:49 +0000 (15:37 +0000)]
Disable Path MTU discovery
This seems to be a failed concept and causes issues with transferring
large packets through an IPsec tunnel connection.
This configures the kernel to still respond to PMTU ICMP discovery
messages, but will not try this on its own.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 26 Feb 2018 15:34:10 +0000 (15:34 +0000)]
core120: Fix typo in initscript name
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 26 Feb 2018 13:06:34 +0000 (13:06 +0000)]
Rootfile update
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 26 Feb 2018 11:12:20 +0000 (11:12 +0000)]
dhcp: Allow adding extra DHCP interfaces
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer via Development [Mon, 26 Feb 2018 07:00:15 +0000 (08:00 +0100)]
OpenVPN: Ship missing OpenSSL configuration file for update
Core 115 delivered a patch which prevents the '--ns-cert-type server is deprecated' message
and introduced also '--remote-cert-tls server' -->
https://patchwork.ipfire.org/patch/1441/ whereby the changed ovpn.cnf has not been delivered.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer via Development [Sun, 25 Feb 2018 13:49:49 +0000 (14:49 +0100)]
OpenVPN: New AES-GCM cipher for N2N and RW
AES-GCM 128, 196 and 256 bit has been added to Net-to-Net and Roadwarrior section.
HMAC selection for N2N will be disabled if AES-GCM is used since GCM provides its own message authentication (GMAC).
'auth *' line in N2N.conf will be deleted appropriately if AES-GCM is used since '--tls-auth' is not available for N2N.
HMAC selection menu for Roadwarriors is still available since '--tls-auth' is available for RWs
which uses the configured HMAC even if AES-GCM has been applied.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 22 Feb 2018 18:52:03 +0000 (18:52 +0000)]
openssl-compat: Do not try to apply missing padlock patch
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 22 Feb 2018 18:50:38 +0000 (18:50 +0000)]
openssl-compat: Add missing library path
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 21 Feb 2018 13:06:22 +0000 (13:06 +0000)]
core120: Remove deprecated sshd configuration option
This just created a warning and is now dropped
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 21 Feb 2018 12:55:36 +0000 (12:55 +0000)]
Revert "wget: Link against GnuTLS instead of OpenSSL"
This reverts commit a46b159a8dc0d191ee57cf48b66be8a39fd7d9ec.
wget 1.19.4 supports linking against OpenSSL 1.1.0.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 21 Feb 2018 12:41:05 +0000 (12:41 +0000)]
core120: Remove forgotten PHP file
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 21 Feb 2018 12:39:55 +0000 (12:39 +0000)]
core120: Ship updated OpenSSL 1.1.0
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 21 Feb 2018 12:21:10 +0000 (12:21 +0000)]
Merge branch 'openssl-11' into next
Michael Tremer [Wed, 21 Feb 2018 12:20:57 +0000 (12:20 +0000)]
Start Core Update 120
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 21 Feb 2018 12:05:14 +0000 (12:05 +0000)]
core119: Reload apache after configuration changes
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Tue, 5 Dec 2017 13:43:17 +0000 (14:43 +0100)]
disable Apache server signature
Sending the server signature is unnecessary and might leak
some internal information (although ServerTokens is already
set to "Prod").
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 21 Feb 2018 11:24:48 +0000 (11:24 +0000)]
backup: Don't backup apache configuration, keys only
In the past the apache configuration was part of the backup
and may have been restored after Core Update 118 was installed
with PHP being dropped amongst other things.
This patch will make sure that only keys are being backed up.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 20 Feb 2018 20:10:30 +0000 (20:10 +0000)]
Rootfile update
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 19 Feb 2018 23:44:57 +0000 (23:44 +0000)]
strongswan: Update to 5.6.2
Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS
signatures that was caused by insufficient input validation.
One of the configurable parameters in algorithm identifier
structures for RSASSA-PSS signatures is the mask generation
function (MGF). Only MGF1 is currently specified for this purpose.
However, this in turn takes itself a parameter that specifies
the underlying hash function. strongSwan's parser did not
correctly handle the case of this parameter being absent,
causing an undefined data read.
This vulnerability has been registered as CVE-2018-6459.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 19 Feb 2018 23:42:17 +0000 (23:42 +0000)]
IPsec: Try to restart always-on tunnels immediately
When a tunnel that is in always-on configuration closes
unexpectedly, we can instruct strongSwan to restart it
immediately which is precisely what we do now.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 17 Feb 2018 18:55:38 +0000 (18:55 +0000)]
Rootfile update for armv5tel
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 17 Feb 2018 13:36:37 +0000 (13:36 +0000)]
haproxy: Link against libatomic on ARM
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 16 Feb 2018 20:01:55 +0000 (20:01 +0000)]
i2c-tools: New package
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 16 Feb 2018 19:14:33 +0000 (19:14 +0000)]
flac: Update to 1.3.2
The previous version fails to build on i586
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 15 Feb 2018 19:34:50 +0000 (19:34 +0000)]
Rootfile update
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Thu, 15 Feb 2018 04:43:49 +0000 (05:43 +0100)]
OpenVPN: Added needed directive for v2.4 update
script-security: The support for the 'system' flag has been removed due to security implications
with shell expansions when executing scripts via system() call.
For more information: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage .
ncp-disable: Negotiable crypto parameters have been disabled for now.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 14 Feb 2018 22:23:20 +0000 (22:23 +0000)]
core119: Ship changed proxy.cgi
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Bernhard Held [Mon, 12 Feb 2018 22:25:47 +0000 (23:25 +0100)]
proxy.cgi: remove excessive newlines in generated proxy.pac
Remove excessive newlines in generated proxy.pac
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 13 Feb 2018 21:07:04 +0000 (21:07 +0000)]
Rootfile update
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 13 Feb 2018 16:35:08 +0000 (16:35 +0000)]
Bump toolchain version
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 13 Feb 2018 16:34:55 +0000 (16:34 +0000)]
Rootfile update for glibc on i586
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 13 Feb 2018 16:30:05 +0000 (16:30 +0000)]
nagios-plugins: Update rootfiles
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 13 Feb 2018 16:20:55 +0000 (16:20 +0000)]
postfix: Update rootfile
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 13 Feb 2018 10:24:04 +0000 (10:24 +0000)]
zlib: Fix name of logfile in toolchain build
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 13 Feb 2018 10:23:54 +0000 (10:23 +0000)]
sslh: Build without tcpwrappers
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 12 Feb 2018 14:24:12 +0000 (14:24 +0000)]
toolchain: Add zlib
ccache needs this and usually comes with an own bundled
version but fails to build in version 3.4.1.
Since this is a small library only and we really want
ccache to use compression, we will build this independently
and let ccache use it from the system.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 12 Feb 2018 13:07:38 +0000 (13:07 +0000)]
Bump toolchain version
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 12 Feb 2018 12:44:37 +0000 (12:44 +0000)]
Cleanup toolchain scripts
No functional changes, just some tidy up
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 12 Feb 2018 12:12:08 +0000 (12:12 +0000)]
ccache: Update to 3.4.1
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 12 Feb 2018 12:09:22 +0000 (12:09 +0000)]
PAM: Drop shipped configuration
This is outdated, broken and has hardcoded passwords.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 12 Feb 2018 12:07:29 +0000 (12:07 +0000)]
Drop perl-DBD-mysql
This package is not used by anything and depends on MySQL
which has been dropped, too.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 12 Feb 2018 12:05:46 +0000 (12:05 +0000)]
Drop MySQL
This is outdated and still on 5.0.x and nobody volunteered to
update this package.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 12 Feb 2018 11:55:28 +0000 (11:55 +0000)]
asterisk: Do not depend on MySQL any more
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 12 Feb 2018 11:52:07 +0000 (11:52 +0000)]
postfix: Don't depend on amavis
This can be used together but there is no need to
always install amavis when someone wants to use postfix
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 12 Feb 2018 11:51:46 +0000 (11:51 +0000)]
postfix: Don't depend on MySQL any more
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 12 Feb 2018 11:50:51 +0000 (11:50 +0000)]
postfix: Don't ship our own configuration
This is outdated and half of it is not maintained any more.
Users should configure postfix themselves based on the
default configuration.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 12 Feb 2018 11:44:28 +0000 (11:44 +0000)]
Drop pammysql
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 12 Feb 2018 11:42:47 +0000 (11:42 +0000)]
Drop tcpwrapper
This library has been unused for quite a while
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 12 Feb 2018 11:40:07 +0000 (11:40 +0000)]
Drop mISDN userspace tools
This is unsupported for quite a while and nobody should be using this.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 12 Feb 2018 11:33:51 +0000 (11:33 +0000)]
Drop capi4k-utils
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 12 Feb 2018 11:31:14 +0000 (11:31 +0000)]
core119: Remove dropped lcr package during update
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 12 Feb 2018 11:29:53 +0000 (11:29 +0000)]
core119: Import changed packages
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 12 Feb 2018 11:22:58 +0000 (11:22 +0000)]
Start Core Update 119
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 12 Feb 2018 11:18:01 +0000 (11:18 +0000)]
Rootfile update for bison
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Thu, 8 Feb 2018 08:54:58 +0000 (09:54 +0100)]
OpenVPN: Mark unsecure ciphers and DH-parameter as 'weak' in WUI menu
64 bit block ciphers like Blowfish, TDEA and CAST5 are vulnerable to the so-called 'Birthday attacks'.
Information on 'Sweet32' Birthday attacks can be found here:
https://sweet32.info/ .
An overview of 64 bit block ciphers can also be found here:
http://en.citizendium.org/wiki/Block_cipher/Catalogs/Cipher_list#64-bit_blocks
1024 bit Diffie-Hellman parameter has also been marked as weak causing the 'Logjam Attack'.
Information on the 'Logjam Attack' can be found here:
https://weakdh.org/ .
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 11 Feb 2018 23:23:54 +0000 (23:23 +0000)]
index.cgi: Properly show IPsec subnets
Fixes: #11604
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Wed, 7 Feb 2018 17:31:49 +0000 (18:31 +0100)]
CRL updater: Update script for OpenVPNs CRL
Update script for OpenVPN's CRL because OpenVPN has refactored the CRL handling since v2.4.0.
Script checks the next update field from the CRL and executes an update before it expires.
Script is placed under fcron.daily for daily checks.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 7 Feb 2018 12:43:28 +0000 (12:43 +0000)]
openssl: Properly pass CFLAGS and LDFLAGS to build
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 2 Feb 2018 11:12:19 +0000 (11:12 +0000)]
Package openssl-compat (1.0.2.n)
This is provided for compatibility with binaries that have
been compiled against this version of OpenSSL.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 2 Feb 2018 10:59:37 +0000 (10:59 +0000)]
openssl: Rootfile update
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Wed, 31 Jan 2018 09:34:59 +0000 (10:34 +0100)]
OpenVPN: Update to version 2.4.4
Changed LFS and ROOTFILE for OpenVPN 2.4.4 update.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 13 Jan 2018 12:00:08 +0000 (12:00 +0000)]
python-m2crypto: Install in correct directory
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 13 Jan 2018 11:59:37 +0000 (11:59 +0000)]
openssl: Enable engines
Some tools that depend on openssl won't compile without it
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 11 Jan 2018 11:49:31 +0000 (11:49 +0000)]
wget: Link against GnuTLS instead of OpenSSL
This version does not seem to be compatible with OpenSSL 1.1
and might be changed back to OpenSSL whenever it will compile.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 28 Nov 2017 16:51:51 +0000 (16:51 +0000)]
python-m2crypto: Update to 0.27.0
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 28 Nov 2017 16:48:20 +0000 (16:48 +0000)]
python-typing: Required for m2crypto
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 28 Nov 2017 16:39:38 +0000 (16:39 +0000)]
transmission: Patch to build against OpenSSL 1.1
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 28 Nov 2017 15:06:54 +0000 (15:06 +0000)]
net-snmp: Patch to build against OpenSSL 1.1
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 28 Nov 2017 13:58:29 +0000 (13:58 +0000)]
elinks: Patch to build against OpenSSL 1.1
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 28 Nov 2017 13:37:38 +0000 (13:37 +0000)]
ncat: Update to 7.60
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 28 Nov 2017 13:06:26 +0000 (13:06 +0000)]
krb5: Update to 1.15.2 to build against OpenSSL 1.1
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 28 Nov 2017 13:02:17 +0000 (13:02 +0000)]
openssh: Update to 7.6p1 and patch against OpenSSL 1.1
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 27 Nov 2017 13:19:20 +0000 (13:19 +0000)]
Net-SSLeay: Update to 1.82
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 27 Nov 2017 12:47:13 +0000 (12:47 +0000)]
cyrus-sasl: Disable OTP to build against OpenSSL 1.1
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 25 Nov 2017 13:03:13 +0000 (13:03 +0000)]
openssl: Update to version 1.1
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 11 Feb 2018 19:22:01 +0000 (19:22 +0000)]
make.sh: Bump toolchain version
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 11 Feb 2018 19:21:20 +0000 (19:21 +0000)]
qemu: Make it build with newer glibcs
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 11 Feb 2018 17:12:23 +0000 (17:12 +0000)]
nfs: Fix building with newer glibcs
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 11 Feb 2018 16:58:10 +0000 (16:58 +0000)]
glibc: Enable obsolete NSL
This will re-activate the deprecated NIS code on which lots of
software relies so that we can have some extra time to migrate.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 11 Feb 2018 11:35:41 +0000 (11:35 +0000)]
Config: Set PREFIX either to TOOLS_DIR or /usr
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 11 Feb 2018 11:34:47 +0000 (11:34 +0000)]
make.sh: CFLAGS: There is no evidence that supports enabling retpoline in user space is a good idea
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 11 Feb 2018 11:34:17 +0000 (11:34 +0000)]
libtirpc: Fix build against newer glibcs
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 11 Feb 2018 11:31:56 +0000 (11:31 +0000)]
binutils: Update to 2.30
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 11 Feb 2018 11:20:01 +0000 (11:20 +0000)]
dma: Don't only use TLSv1
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 10 Feb 2018 14:42:36 +0000 (14:42 +0000)]
postfix: Temporarily disable NIS
This makes postfix FTBFS because glibc has removed their
RPC headers.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 10 Feb 2018 14:31:21 +0000 (14:31 +0000)]
glibc: Update to 2.27
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 10 Feb 2018 13:50:53 +0000 (13:50 +0000)]
flex: Patch against SEGV with newer glibc
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 10 Feb 2018 13:30:58 +0000 (13:30 +0000)]
Revert "make.sh: Add -fstack-clash-protection on platforms that support it"
This reverts commit 18b82970b81a5bbd31b8922440a97e43d6f01566.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 10 Feb 2018 13:20:14 +0000 (13:20 +0000)]
make.sh: Enable cheap out-of-bounds checks in C++ standard library
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>