Adolf Belka [Mon, 6 May 2024 16:58:20 +0000 (18:58 +0200)]
bacula: Update to version 13.0.4
- Update from version 11.0.6 to 13.0.4
- Update of rootfile
- Version 13.x has now been released for 12 months so updating the File Daemon to 13.x
should be good.
- Version 11.x was released 40 months ago.
- Changelog
The changes are all related to the Director and the Storage Daemon. The changelog states
that older file daemons "should" be compatible with 13.x DIR & SD. This change ensures
IPfire "is" compatible with the 13.x DIR & SD.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sat, 4 May 2024 13:05:20 +0000 (15:05 +0200)]
update.sh: Add SPAMHAUS_DROP if SPAMHAUS_EDROP was previously used
- I realised that the previous patch for update.sh related to the ipblocklist removal
of ALIENVAULT and SPAMHAUS_EDROP only removed the SPAMHAUS_EDROP setting. It makes sense
to add SPAMHAUS_DROP to the settings file if SPAMHAUS_EDROP was previously used and
SPAMHAUS_DROP was not selected.
- This patch adds the above change.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Mon, 22 Apr 2024 16:44:00 +0000 (16:44 +0000)]
suricata.yaml: Fix Landlock path settings
Suricata will complain if it cannot read its own configuration file,
hence read-only access to /etc/suricata must be allowed. Since the list
applies to directories, rather than files, restricting read access to
only /usr/share/misc/magic.mgc is not possible; reading /usr/share/misc
must be allowed instead.
Fixes: #13645 Tested-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Mon, 22 Apr 2024 16:43:00 +0000 (16:43 +0000)]
linux: Properly load Landlock module
Fixes: #13645 Tested-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Fri, 26 Apr 2024 15:09:18 +0000 (15:09 +0000)]
unbound-dhcp-leases-bridge: Only reload if leases have actually changed
This patches changes that leases will always be written in
alphanumerical order so that we can later compare the newly generated
file with the previous version. If it has not changed, we skip reload
Unbound.
Suggested-by: Nick Howitt <nick@howitts.co.uk> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This change no longer renames the file, but removes the old link and
creates a new link for the temporary file. That helps us to jump out of
the code at any point without worrying about cleaning up the temporary
file.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 25 Apr 2024 20:43:02 +0000 (22:43 +0200)]
tzdata: Update to version 2024a
- Update from version 2023d to 2024a
- Update of rootfile not required
- Changelog
2024a
Briefly:
Kazakhstan unifies on UTC+5 beginning 2024-03-01.
Palestine springs forward a week later after Ramadan.
zic no longer pretends to support indefinite-past DST.
localtime no longer mishandles Ciudad Juárez in 2422.
Changes to future timestamps
Kazakhstan unifies on UTC+5. This affects Asia/Almaty and
Asia/Qostanay which together represent the eastern portion of the
country that will transition from UTC+6 on 2024-03-01 at 00:00 to
join the western portion. (Thanks to Zhanbolat Raimbekov.)
Palestine springs forward a week later than previously predicted
in 2024 and 2025. (Thanks to Heba Hamad.) Change spring-forward
predictions to the second Saturday after Ramadan, not the first;
this also affects other predictions starting in 2039.
Changes to past timestamps
Asia/Ho_Chi_Minh's 1955-07-01 transition occurred at 01:00
not 00:00. (Thanks to Đoàn Trần Công Danh.)
From 1947 through 1949, Toronto's transitions occurred at 02:00
not 00:00. (Thanks to Chris Walton.)
In 1911 Miquelon adopted standard time on June 15, not May 15.
Changes to code
The FROM and TO columns of Rule lines can no longer be "minimum"
or an abbreviation of "minimum", because TZif files do not support
DST rules that extend into the indefinite past - although these
rules were supported when TZif files had only 32-bit data, this
stopped working when 64-bit TZif files were introduced in 1995.
This should not be a problem for realistic data, since DST was
first used in the 20th century. As a transition aid, FROM columns
like "minimum" are now diagnosed and then treated as if they were
the year 1900; this should suffice for TZif files on old systems
with only 32-bit time_t, and it is more compatible with bugs in
2023c-and-earlier localtime.c. (Problem reported by Yoshito
Umaoka.)
localtime and related functions no longer mishandle some
timestamps that occur about 400 years after a switch to a time
zone with a DST schedule. In 2023d data this problem was visible
for some timestamps in November 2422, November 2822, etc. in
America/Ciudad_Juarez. (Problem reported by Gilmore Davidson.)
strftime %s now uses tm_gmtoff if available. (Problem and draft
patch reported by Dag-Erling Smørgrav.)
Changes to build procedure
The leap-seconds.list file is now copied from the IERS instead of
from its downstream counterpart at NIST, as the IERS version is
now in the public domain too and tends to be more up-to-date.
(Thanks to Martin Burnicki for liaisoning with the IERS.)
Changes to documentation
The strftime man page documents which struct tm members affect
which conversion specs, and that tzset is called. (Problems
reported by Robert Elz and Steve Summit.)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from version 3450200 to 3450300
- Update of rootfile not required
- Changelog 3450300
Fix a long-standing bug (going back to version 3.24.0) that might (rarely) cause
the "old.*" values of an UPDATE trigger to be incorrect if that trigger fires in
response to an UPSERT. Forum post 284955a3cd454a15.
Fix a bug in sum() that could cause it to return NULL when it should return
Infinity. Forum post 23b8688ef4.
Other trifling corrections and compiler warning fixes that have come up since the
previous patch release. See the timeline for details.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Mon, 22 Apr 2024 16:48:00 +0000 (16:48 +0000)]
kmod: Update to 32
Changelog according to the tarball's NEWS file:
- Improvements
- Use any hash algo known by kernel/openssl instead of keep needing
to update the mapping
- Teach kmod to load modprobe.d/depmod.d configuration from ${prefix}/lib
and allow it to be overriden during build with --with-distconfdir=DIR
- Make kernel modules directory configurable. This allows distro to
make kmod use only files from /usr regardless of having a compat
symlink in place.
- Install kmod.pc containing the features selected at build time.
- Install all tools and symlinks by default. Previously kmod relied on
distro packaging to set up the symlinks in place like modprobe,
depmod, lsmod, etc. Now those symlinks are created by kmod itself
and they are always placed in $bindir.
- Bug Fixes
- Fix warnings due to -Walloc-size
- Others
- Drop python bindings. Those were not update in ages and not compatible
with latest python releases.
- Cleanup test infra, dropping what was not used anymore
- Drop experimental tools `kmod insert` / `kmod remove`. Building those
was protected by a configure option never set by distros. They also
didn't gain enough traction to replace the older interfaces via
modprobe/insmod/rmmod.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Mon, 22 Apr 2024 16:03:00 +0000 (16:03 +0000)]
strongSwan: Update to 5.9.14
Please see https://github.com/strongswan/strongswan/releases/tag/5.9.14
for the changelog of this version.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Mon, 22 Apr 2024 16:01:00 +0000 (16:01 +0000)]
Lynis: Update to 3.1.1
Please see https://cisofy.com/changelog/lynis/#311 for the changelogs
since version 3.0.9.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Mon, 22 Apr 2024 15:58:00 +0000 (15:58 +0000)]
Tor: Update to 0.4.8.11
Full changelog according to https://gitlab.torproject.org/tpo/core/tor/-/raw/tor-0.4.8.11/ChangeLog:
Changes in version 0.4.8.11 - 2024-04-10
This is a minor release mostly to upgrade the fallbackdir list. Worth noting
also that directory authority running this version will now automatically
reject relays running the end of life 0.4.7.x version.
o Minor feature (authority):
- Reject 0.4.7.x series at the authority level. Closes ticket 40896.
o Minor feature (dirauth, tor26):
- New IP address and keys.
o Minor feature (directory authority):
- Allow BandwidthFiles "node_id" KeyValue without the dollar sign at
the start of the hexdigit, in order to easier database queries
combining Tor documents in which the relays fingerprint does not
include it. Fixes bug 40891; bugfix on 0.4.7 (all supported
versions of Tor).
o Minor features (fallbackdir):
- Regenerate fallback directories generated on April 10, 2024.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2024/04/10.
o Minor bugfixes (directory authorities):
- Add a warning when publishing a vote or signatures to another
directory authority fails. Fixes bug 40910; bugfix
on 0.2.0.3-alpha.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Fri, 19 Apr 2024 13:39:41 +0000 (15:39 +0200)]
backup.pl: removes any references to ALIENVAULT & SPAMHAUSEDROP from restores
- This patch ensures that if a restore is carried out from an earlier version that includes
ALIENVAULT and/or SPAMHAUS_EDROP that the references will be removed.
- This is the same code as was put into the update.sh file with the previous patch of this
set.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Fri, 19 Apr 2024 13:39:40 +0000 (15:39 +0200)]
update.sh: Remove existing entries for ALIENVAULT & SPAMHAUS_EDROP
- This removes any time entries in the modified file for either ALIENVAULT or
SPAMHAUS_EDROP.
- This also removes any blocklists for either of these sources from the /var/lib/ipblocklist
directory.
- This patch will ensure that any reference to either of these sources is removed from the
ipblocklist files.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Fri, 19 Apr 2024 13:39:39 +0000 (15:39 +0200)]
sources: Removal of ALIENVAULT and SPAMHAUS_EDROP from ipblocklist sources
- ALIENVAULT has not been updated since at least Nov 2022 but probably earlier. There is no
date for the file to be downloaded but a forum user has log messages from Nov 2022 that
indicate the file had not changed as therefore no download occurred.
- AT&T aquired AlienVault in August 2018. Somewhere between 2018 and 2022 the list stopped
getting updated. AlienVault references on the AT&T website are now for a different
product.
- Discussed in IPFire conf call of April 2024 and agreed to remove the ALIENVAULT
blocklist.
- On Apr 10th the Spamhaus eDROP list was merged with the Spamhaus DROP list. The eDROP
list is still available but is now empty. Trying to select the SPAMHAUS_EDROP list
gives an error message that the blocklist was found to be empty.
- This patch removes both the ALIENVAULT and the SPAMHAUS_EDROP lists from the ipblocklist
sources file.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 11 Apr 2024 15:01:08 +0000 (17:01 +0200)]
oci-setup: Fixes bug12763
- This ensures that all ip route and ip rule commands are redirected to null if the output
is not used to feed into a variable.
- This will prevent any error messages related to empty iproute tables being displayed
during boot if an empty table is accessed.
Fixes: Bug#12763 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 11 Apr 2024 15:01:07 +0000 (17:01 +0200)]
gcp-setup: Fixes bug12763
- This ensures that all ip route and ip rule commands are redirected to null if the output
is not used to feed into a variable.
- This will prevent any error messages related to empty iproute tables being displayed
during boot if an empty table is accessed.
Fixes: Bug#12763 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 11 Apr 2024 15:01:06 +0000 (17:01 +0200)]
exoscale-setup: Fixes bug12763
- This ensures that all ip route and ip rule commands are redirected to null if the output
is not used to feed into a variable.
- This will prevent any error messages related to empty iproute tables being displayed
during boot if an empty table is accessed.
Fixes: Bug#12763 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 11 Apr 2024 15:01:05 +0000 (17:01 +0200)]
azure-setup: Fixes bug12763
- This ensures that all ip route and ip rule commands are redirected to null if the output
is not used to feed into a variable.
- This will prevent any error messages related to empty iproute tables being displayed
during boot if an empty table is accessed.
Fixes: Bug#12763 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 11 Apr 2024 15:01:04 +0000 (17:01 +0200)]
aws-setup: Fixes bug12763
- This ensures that all ip route and ip rule commands are redirected to null if the output
is not used to feed into a variable.
- This will prevent any error messages related to empty iproute tables being displayed
during boot if an empty table is accessed.
Fixes: Bug#12763 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 11 Apr 2024 15:01:03 +0000 (17:01 +0200)]
ip-up: Fixes bug12763
- This ensures that all ip route and ip rule commands are redirected to null if the output
is not used to feed into a variable.
- This will prevent any error messages related to empty iproute tables being displayed
during boot if an empty table is accessed.
Fixes: Bug#12763 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 11 Apr 2024 15:01:02 +0000 (17:01 +0200)]
red: Fixes bug12763
- This ensures that all ip route and ip rule commands are redirected to null if the output
is not used to feed into a variable.
- This will prevent any error messages related to empty iproute tables being displayed
during boot if an empty table is accessed.
Fixes: Bug#12763 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 11 Apr 2024 15:01:01 +0000 (17:01 +0200)]
static-routes: Fixes bug12763
- This ensures that all ip route and ip rule commands are redirected to null if the output
is not used to feed into a variable.
- This will prevent any error messages related to empty iproute tables being displayed
during boot.
- Tested on my vm system and confirmed that the fix in ipsec-interfaces stops the "FIB
table does not exist" and "RTNETLINK answers: no such file or directory" messages during
boot.
Fixes: Bug#12763 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 11 Apr 2024 15:01:00 +0000 (17:01 +0200)]
ipsec-interfaces: Fixes bug12763
- Some of the ip route commands are not redirected to null. This causes the "FIB table does
not exist" message from bug12763
- This patch makes all ip route commands get redirected to null, preventing the error
message from being seen at boot.
- One of the ip rule commands is not redirected to null. This causes the "RTNETLINK
answers: no such file or directory" message.
- This patch makes all ip rule commands get redirected to null, preventing the error
message from being seen at boot.
- Additional patches in this set ensure that all ip route and ip rule commands in all
IPFire code is redirected to null unless the output of the ip route or ip rule command
is used in a variable for use elsewhere in the code.
- Tested on my vm system and confirmed that the fix in ipsec-interfaces stops the "FIB
table does not exist" and "RTNETLINK answers: no such file or directory" messages during
boot.
Fixes: Bug#12763 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 10 Apr 2024 11:39:39 +0000 (13:39 +0200)]
icinga: Removal of icinga addon
- As discussed in the Dev conf call on 2024-Jan-08
- The 1.x version of Icinga has been EOL since 2018
- The 2.x version would require a complete new configuration approach as the settings
and options are completely different to 1.x and so would be a start from scratch.
- removal of icinga from make.sh file
- removal of lfs file
- removal of rootfile
- removal of configuration file
- removal of backup includes file
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 9 Apr 2024 14:07:08 +0000 (16:07 +0200)]
sslh: Removal of sslh addon
- As discussed in the Dev conf call on 2024-Apr-08
- sslh has not been functioning since last update ion Sep 2021. Configuration syntax
was radically changed somewhere in the update from 1.7a(2013) to 1.22c in Sep 2021
- removal of sslh from make file
- removal of lfs file
- removal of rootfile
- removal of paks files
- removal of initscript
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Matthias Fischer [Sat, 23 Mar 2024 23:28:40 +0000 (00:28 +0100)]
bind: Update to 9.16.49
For details see:
https://downloads.isc.org/isc/bind9/9.16.49/doc/arm/html/notes.html#notes-for-bind-9-16-49
"Bug Fixes
A regression in cache-cleaning code enabled memory use to grow
significantly more quickly than before, until the configured
max-cache-size limit was reached. This has been fixed. [GL #4596]
Using rndc flush inadvertently caused cache cleaning to become
less effective. This could ultimately lead to the configured
max-cache-size limit being exceeded and has now been fixed. [GL #4621]
The logic for cleaning up expired cached DNS records was tweaked to be
more aggressive. This change helps with enforcing max-cache-ttl and
max-ncache-ttl in a timely manner. [GL #4591]
It was possible to trigger a use-after-free assertion when the overmem
cache cleaning was initiated. This has been fixed. [GL #4595]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 8 Apr 2024 16:57:21 +0000 (18:57 +0200)]
configroot: Add in LOGDROPHOSTILExxx values
- I checked out doing a fresh install of CU184 and found that although the
LOGDROPHOSTILEIN and LOGDROPHOSTILEOUT entries were selected as "on" the values were not
in the /var/ipfire/optionsfw/settings file.
- After some investigfation I realised that when I created the LOGDROPHOSTILE split into
incoming and outgoing I had not added them into the configroot lfs file.
- This patch adds the two entries and this was tested out with a fresh install and
confirmed to update the settings file.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 8 Apr 2024 14:57:49 +0000 (14:57 +0000)]
suricata: Enable midstream scanning
We require this because Suricata might be restarted due to development
or rule refreshment purposes. We should then try to resume any
decoders/app-layers wherever possible.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Fri, 5 Apr 2024 19:26:40 +0000 (21:26 +0200)]
suricata: Set midstream-policy to pass-packet
Set this value to the same as the exception-policy to keep in sync and
hopefully have the same behaviour. In case this option is not set an
ugly message about a not correctly set value will be logged to syslog
during startup.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Fri, 5 Apr 2024 19:26:37 +0000 (21:26 +0200)]
suricata: Update suricata.yaml
Updata the configuration file for suricata 7.
This includes:
* Default values for newly introduced features and parsers
* Enable recently added protocol parsers for HTTP2, QUIC, Telnet and Torrent
* Update of URL for documentation
* Fixes of various typos and other clarifications
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>