Erik Kapfer [Sun, 6 Oct 2019 07:23:19 +0000 (09:23 +0200)]
ncat: Update to version 7.80
Several improvements has been added. This update is part of the nmap-7.80 update.
For the complete changelog take a look in here --> https://seclists.org/nmap-announce/2019/0 .
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Sun, 6 Oct 2019 07:16:57 +0000 (09:16 +0200)]
nmap: Update to version 7.80
Several improvements, NSE scripts and libraries has been added.
The complete changelog can be found in here --> https://seclists.org/nmap-announce/2019/0 .
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Fri, 4 Oct 2019 17:26:26 +0000 (19:26 +0200)]
tshark: Update to version 3.0.5
The jump from 3.0.2 to 3.0.5 includes several bugfixes, updated protocols and new and updated capture support.
The complete release notes can be found in here --> https://www.wireshark.org/docs/relnotes/ .
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
firewall: always allow outgoing DNS traffic to root servers
Allowing outgoing DNS traffic (destination port 53, both TCP
and UDP) to the root servers is BCP for some reasons. First,
RFC 5011 assumes resolvers are able to fetch new trust ancors
from the root servers for a certain time period in order to
do key rollovers.
Second, Unbound shows some side effects if it cannot do trust
anchor signaling (see RFC 8145) or fetch the current trust anchor,
resulting in SERVFAILs for arbitrary requests a few minutes.
There is little security implication of allowing DNS traffic
to the root servers: An attacker might abuse this for exfiltrating
data via DNS queries, but is unable to infiltrate data unless
he gains control over at least one root server instance. If
there is no firewall ruleset in place which prohibits any other
DNS traffic than to chosen DNS servers, this patch will not
have security implications at all.
The second version of this patch does not use unnecessary xargs-
call nor changes anything else not related to this issue.
Fixes #12183
Cc: Michael Tremer <michael.tremer@ipfire.org> Suggested-by: Horace Michael <horace.michael@gmx.com> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Please refer to https://blog.torproject.org/new-release-tor-0416 for
release notes. This patch has to be applied after applying 9fb607ef6
(https://patchwork.ipfire.org/patch/2407/), which was not merged at
the time of writing.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
firewall: raise log rate limit for user generated rules, too
Having raised the overall log rate limit to 10 packet per second
in Core Update 136, this did not affected rules generated by the
user. In order to stay consistent, this patch also raises log rate
limit for these.
In order to avoid side effects on firewalls with slow disks, it
was probably better touch these categories separately, so testing
users won't be DoSsed instantly. :-)
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Wed, 25 Sep 2019 10:05:52 +0000 (12:05 +0200)]
Net-SSLeay: Update to version 1.88
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.11.11/RELEASE-NOTES-bind-9.11.11.html
"Security Fixes
A race condition could trigger an assertion failure when a large
number of incoming packets were being rejected. This flaw is disclosed
in CVE-2019-6471. [GL #942]
...
Bug Fixes
Glue address records were not being returned in responses to root priming
queries; this has been corrected. [GL #1092]
Interaction between DNS64 and RPZ No Data rule (CNAME *.) could cause
unexpected results; this has been fixed. [GL #1106]
named-checkconf now checks DNS64 prefixes to ensure bits 64-71 are zero.
[GL #1159]
named-checkconf could crash during configuration if configured to use "geoip
continent" ACLs with legacy GeoIP. [GL #1163]
named-checkconf now correctly reports missing dnstap-output option when dnstap
is set. [GL #1136]
Handle ETIMEDOUT error on connect() with a non-blocking socket. [GL #1133]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Wed, 18 Sep 2019 05:03:34 +0000 (07:03 +0200)]
ovpn: Add ta.key check to main settings
Since Core 132 the 'TLS Channel Protection' is part of the global settings,
the ta.key generation check should also be in the main section otherwise it
won´t be created if not present.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Wed, 18 Sep 2019 05:03:33 +0000 (07:03 +0200)]
ovpn: Generate ta.key before dh-parameter
Fixes: #11964 and #12157
If slow boards or/and boards with low entropy needs too long to generate the DH-parameter, ovpnmain.cgi can get into a
"Script timed out before returning headers" and no further OpenSSl commands will be executed after dhparam is finished.
Since the ta.key are created after the DH-parameter, it won´t be produced in that case.
To prevent this, the DH-parameter will now be generated at the end.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
For details see:
https://roy.marples.name/blog/dhcpcd-8-0-6-released
"inet6: Fix default route not being installed
DHCP: If root fs is network mounted, enable last lease extend
man: Fix lint errors.
BSD: avoid RTF_WASCLONED routes
DHCP: Give a better message when packet validation fails
DHCP: Ensure we have enough data to checksum IP and UDP
The last change fixes a potential DoS attack introduced in dhcpcd-8.0.3
when the checksuming code was changed to accomodate variable length
IP headers. The commit says since 7.2.0, but I've now decided that's not
the case."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Sun, 8 Sep 2019 17:38:49 +0000 (19:38 +0200)]
libnetfilter_queue: Update to 1.0.4
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Fri, 6 Sep 2019 12:52:51 +0000 (14:52 +0200)]
libhtp: Update to 0.5.30
Fixes #12170
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Wed, 18 Sep 2019 04:54:51 +0000 (06:54 +0200)]
IO-Socket-SSL: Update to version 2.066
Fix for "Undefined subroutine &IO::Socket::SSL::set_client_defaults called at /usr/libexec/git-core/git-send-email" problem.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Alex Koch [Sun, 1 Sep 2019 22:47:29 +0000 (00:47 +0200)]
zoneconf: reduce the width of inputs for vlanid
The inputs for the vlanids are overlapping the borders of their cells (using a recent Firefox on Linux Mint, Android or Windows 7). This patch fixes this by limiting the width to a fixed value.
Signed-off-by: Alex Koch <ipfire@starkstromkonsument.de> Signed-off-by: Alex Koch <ipfire@starkstromkonsument.de> Acked-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
The settings file must be writeable for group "nobody" so
users can change their Tor settings via WebUI. Since other
files in /var/ipfire/tor/ does not need this workaround, only
the settings file permissions are changed.
Sorry for the late fix; this was reported by various people
in the forum, too (I was unaware of so many Tor users in our
community).
Fixes #12117
Reported-by: Erik Kapfer <erik.kapfer@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Alex Koch [Sat, 31 Aug 2019 18:53:00 +0000 (20:53 +0200)]
WUI log-section Mail: add support for postfix addon
Expand the regex for the section dmi ("Mail") for /var/log/mail to include the log contents of postfix, in case the addon is installed.
Signed-off-by: Alex Koch <ipfire@starkstromkonsument.de> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Alex Koch [Sat, 31 Aug 2019 18:52:59 +0000 (20:52 +0200)]
WUI log-section Mail: bugfix for dma
The prefix for dmi in /var/log/mail seems to have changed from "dma[<PID>]: " to "dma: ". This results in a bug where no lines are being shown at all in the WUI.
Signed-off-by: Alex Koch <ipfire@starkstromkonsument.de> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>