git.ipfire.org Git - people/pmueller/ipfire-2.x.git/log
Michael Tremer [Fri, 14 Jun 2019 05:22:52 +0000 (06:22 +0100)]
core133: Ship jansson in update
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Arne Fitzenreiter [Wed, 12 Jun 2019 17:57:21 +0000 (19:57 +0200)]
finish core133
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Wed, 12 Jun 2019 16:25:13 +0000 (17:25 +0100)]
core134: Ship updated OpenSSL
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Mon, 10 Jun 2019 18:55:00 +0000 (18:55 +0000)]
OpenSSL: lower priority for CBC ciphers in default cipherlist
In order to avoid CBC ciphers as often as possible (they contain
some known vulnerabilities), this changes the OpenSSL default
ciphersuite to:
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(128) Mac=SHA256
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA256
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
CAMELLIA256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA256
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
CAMELLIA128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
Since TLS servers usually override the clients' preference with their
own, this will neither break existing setups nor introduce huge
differences in the wild. Unfortunately, CBC ciphers cannot be disabled
at all, as they are still used by popular web sites.
TLS 1.3 ciphers will be added implicitly and can be omitted in the
cipherstring. Chacha20/Poly1305 is preferred over AES-GCM due to missing
AES-NI support for the majority of installations reporting to Fireinfo
(see https://fireinfo.ipfire.org/processors for details, AES-NI support
is 28.22% at the time of writing).
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 12 Jun 2019 16:18:23 +0000 (17:18 +0100)]
Start Core Update 134
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 12 Jun 2019 16:14:28 +0000 (17:14 +0100)]
unbound: Make some zones type-transparent
If we remove other records (like MX) from the response, we won't
be able to send mail to those hosts any more.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 12 Jun 2019 16:11:32 +0000 (17:11 +0100)]
unbound: Add yandex.com to safe search feature
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 13 Jun 2019 10:12:07 +0000 (11:12 +0100)]
unbound: safe search: Resolve hosts at startup
unbound is not able to expand CNAMEs in local-data. Therefore we
have to do it manually at startup.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Mon, 10 Jun 2019 19:02:00 +0000 (19:02 +0000)]
Tor: fix permissions after updating, too
Fixes #12088
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reported-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 11 Jun 2019 06:00:38 +0000 (07:00 +0100)]
core133: Ship updated wpa_supplicant
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Tue, 11 Jun 2019 13:32:15 +0000 (15:32 +0200)]
wpa_supplicant: Update to 2.8
For details see:
https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 11 Jun 2019 17:07:23 +0000 (17:07 +0000)]
smt: Only disable SMT when the kernel thinks it is vulnerable
On virtual machines, it does not make sense to disable SMT for the
virtual cores. This has to be done by the hypervisor.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Mon, 10 Jun 2019 18:22:00 +0000 (18:22 +0000)]
ship language files in Core Update 133
These were missing in Core Update 132, and some strings
(especially on the "CPU vulnerabilities" page) missed translations.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 10 Jun 2019 08:58:15 +0000 (09:58 +0100)]
Rootfile update
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Sun, 9 Jun 2019 15:55:34 +0000 (17:55 +0200)]
convert-ids-modifysids-file: Fix check if the ids is running.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Sun, 9 Jun 2019 10:10:07 +0000 (12:10 +0200)]
hostapd: Update to 2.8
For details see:
https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 8 Jun 2019 10:34:37 +0000 (11:34 +0100)]
Rootfile update
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 7 Jun 2019 10:14:11 +0000 (11:14 +0100)]
Rootfile update
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 7 Jun 2019 10:13:01 +0000 (11:13 +0100)]
core133: Ship updated knot package
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Thu, 6 Jun 2019 18:30:56 +0000 (20:30 +0200)]
knot: Update to 2.8.2
For details see:
https://www.knot-dns.cz/2019-06-05-version-282.html
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 5 Jun 2019 11:46:37 +0000 (12:46 +0100)]
Update contributors
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Tue, 4 Jun 2019 13:00:24 +0000 (15:00 +0200)]
suricata: Enable EVE logging
The EVE output facility outputs alerts, metadata, file info and protocol specific records through JSON.
For further information please see --> https://suricata.readthedocs.io/en/suricata-4.1.2/output/eve/index.html .
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Acked-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Wed, 5 Jun 2019 18:56:35 +0000 (20:56 +0200)]
convert-ids-modifysids-file: Adjust code to use changed write_modify_sids_file function
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 5 Jun 2019 11:42:53 +0000 (12:42 +0100)]
core133: Ship snort configuration converter
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Wed, 5 Jun 2019 18:56:34 +0000 (20:56 +0200)]
convert-snort: Adjust code to use changed modify_sids_file function.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Wed, 5 Jun 2019 18:56:33 +0000 (20:56 +0200)]
ids-functions.pl: Rework function write_modify_sids_file().
Directly implement the logic to determine the used ruleset and if
IDS or IPS mode should be used into the function instead of passing those
details as arguments.
This helps to prevent doing this stuff in several places again and again.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 5 Jun 2019 11:41:37 +0000 (12:41 +0100)]
core133: Ship IPS changes
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Tim FitzGeorge [Wed, 5 Jun 2019 18:56:32 +0000 (20:56 +0200)]
suricata: correct rule actions in IPS mode
In IPS mode rule actions need to have the action 'drop' for the
protection to work, however this is not appropriate for all rules.
Modify the generator for oinkmaster-modify-sids.conf to leave
rules with the action 'alert' where this is appropriate. Also add
a script to be run on update to correct existing downloaded rules.
Fixes #12086
Signed-off-by: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Tested-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 5 Jun 2019 11:34:44 +0000 (12:34 +0100)]
core133: Ship IDS ruleset updater
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Wed, 5 Jun 2019 16:27:10 +0000 (18:27 +0200)]
update-ids-ruleset: Run as unprivileged user.
Check if the script has been launched as privileged user (root) and drop all
permissions by switching to the "nobody" user and group.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 5 Jun 2019 04:08:31 +0000 (05:08 +0100)]
core133: Ship updated vpnmain.cgi file and regenerate configuration
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 5 Jun 2019 09:22:53 +0000 (10:22 +0100)]
vpnmain.cgi: Fix wrong cipher suite generation when PFS is disabled
Fixes: #12091
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Wed, 5 Jun 2019 09:54:29 +0000 (11:54 +0200)]
monit: Some fixes for 'monitrc'
Just cosmetics:
Removed all trailing spaces - there were a few...
Activated 'monit' start delay:
I activated this option to avoid running into a race condition while started through
'/etc/init.d/monit start'.
As mentioned in 'monit' manual:
"...if a service is slow to start, Monit can assume that the service is not running
and possibly try to start it [again] and raise an alert, while, in fact the service
is already about to start or already in its startup sequence."
This happened here during testing with (e.g.) Clamav.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 4 Jun 2019 23:33:36 +0000 (00:33 +0100)]
core133: Ship updated dhcp.cgi
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Bernhard Bitsch [Tue, 4 Jun 2019 10:24:00 +0000 (12:24 +0200)]
dhcp.cgi: Save fixed leases immediately after addition of a new lease
This changes the behaviour of the script to immediately save the added
lease to file but still remain in edit mode to make changes.
If the user does not make any changes, the lease is immediately saved
and there is no second click required to write it to file.
This is a more natural flow that is expected by almost all users of this
feature.
Fixes: #12050
Signed-off-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 4 Jun 2019 22:55:17 +0000 (23:55 +0100)]
SMT: Disable when system is vulnerable to L1TF (Foreshadow)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 4 Jun 2019 22:44:49 +0000 (23:44 +0100)]
Rootfile update for ARM kernels
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 4 Jun 2019 22:41:59 +0000 (23:41 +0100)]
Rootfile update for gcc on i586
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 4 Jun 2019 22:32:35 +0000 (23:32 +0100)]
core133: Ship updated PAM
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Wed, 5 Jun 2019 07:16:58 +0000 (09:16 +0200)]
linux-pam: Update to 1.3.1
For details see:
https://github.com/linux-pam/linux-pam/releases
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 4 Jun 2019 22:31:51 +0000 (23:31 +0100)]
core133: Ship updated rrdtool
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Wed, 5 Jun 2019 07:13:11 +0000 (09:13 +0200)]
rrdtool: Update to 1.7.2
For details see:
https://oss.oetiker.ch/rrdtool/pub/CHANGES
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
sfeddersen [Tue, 4 Jun 2019 19:49:22 +0000 (21:49 +0200)]
BUG 11487: solve problem with unexpected shutdown
Solve problem with unexpected shutdown when checking a single client.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 3 Jun 2019 08:20:05 +0000 (09:20 +0100)]
Rootfile update
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 2 Jun 2019 21:52:57 +0000 (22:52 +0100)]
make.sh: Set default ccache size to 4G
Since we have now one cache for each architecture, we do not
need to make it too large.
The largest build (i586 because of the two kernels) uses around
2.5GB after one build. So 4G will give us some space.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 2 Jun 2019 21:49:42 +0000 (22:49 +0100)]
core133: Ship updated ovpnmain.cgi
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Sat, 1 Jun 2019 06:46:14 +0000 (08:46 +0200)]
ovpnmain.cgi: Fixed line break for LZO option
It is more readable if everything is in one line.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Fri, 31 May 2019 19:54:45 +0000 (21:54 +0200)]
monit: Update to 5.25.3
For details see:
https://mmonit.com/monit/changes/
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 29 May 2019 14:28:45 +0000 (15:28 +0100)]
make.sh: Have a ccache for each architecture
It does not make much sense to mix architectures into a single
ccache:
* There is never going to be a match
* The cache gets bigger and therefore slower
* If both architectures are being compiled one after the other and
the cache hits its maximum size, cached but still needed content
will be dropped
* Only both can be deleted together
This small change splits this into multiple caches. One per
architecture. Therefore we should be more efficient on builders
that build for multiple architectures.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 29 May 2019 14:24:29 +0000 (15:24 +0100)]
miau: Drop package
This has not been maintained since 2010
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 29 May 2019 10:22:22 +0000 (11:22 +0100)]
openssl: Update to 1.1.1c
Fixes CVE-2019-1543
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 28 May 2019 12:05:50 +0000 (13:05 +0100)]
strongswan: Update to 5.8.0
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Tue, 28 May 2019 09:38:59 +0000 (11:38 +0200)]
tshark: Update to 3.0.2
Incl. one vulnerability and several bug fixes. For full overview --> https://www.wireshark.org/docs/relnotes/wireshark-3.0.2.html .
- Disabled geoip support since libmaxminddb is not present.
- Added dictionary in ROOTFILE to prevent "radius: Could not open file: '/usr/share/wireshark/radius/dictionary' " .
- Added CMAKE build type
- Removed profile examples and htmls completely from ROOTFILE.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 28 May 2019 11:01:30 +0000 (12:01 +0100)]
ccache: Automatically set size to 8GB
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 28 May 2019 10:44:32 +0000 (11:44 +0100)]
core133: Ship toolchain changes
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 28 May 2019 10:41:46 +0000 (11:41 +0100)]
Rootfile update
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 28 May 2019 10:36:06 +0000 (11:36 +0100)]
hyperscan: Limit amount of memory being used during build
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 27 May 2019 15:25:01 +0000 (16:25 +0100)]
ddns: Update to 011
Adds support for two new providers and has some general bug fixes
included.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 27 May 2019 14:48:44 +0000 (15:48 +0100)]
core133: Ship updated IPS ruleset sources
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Sun, 26 May 2019 18:11:55 +0000 (20:11 +0200)]
ruleset-sources: Update snort dl urls.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 27 May 2019 14:47:02 +0000 (15:47 +0100)]
tor: Ship updated CGI
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Sun, 26 May 2019 15:02:56 +0000 (17:02 +0200)]
tor.cgi: Disable debugging output
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 27 May 2019 14:42:50 +0000 (15:42 +0100)]
core133: Drop metadata for jansson package
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 27 May 2019 14:40:31 +0000 (15:40 +0100)]
core133: Ship hyperscan
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 27 May 2019 14:38:42 +0000 (15:38 +0100)]
hyperscan: Move rootfiles to arch directories
This package is only compiled on x86_64 and i586 and cannot
be packaged in any of the other architectures.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Sun, 26 May 2019 17:56:47 +0000 (19:56 +0200)]
hyperscan: New package
This package adds hyperscan support to suricata
Fixes #12053.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Sun, 26 May 2019 17:56:46 +0000 (19:56 +0200)]
ragel: New package
This is a build dependency of hyperscan
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Sun, 26 May 2019 17:56:45 +0000 (19:56 +0200)]
colm: New package
This is a build dependency of ragel, which is a build dependency of
hyperscan.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Sun, 26 May 2019 17:51:40 +0000 (19:51 +0200)]
asterisk: Remove dependency to jansson.
The package has become part of the main system.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Sun, 26 May 2019 17:51:39 +0000 (19:51 +0200)]
jansson: Move to core system and update to 2.12
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 27 May 2019 13:37:23 +0000 (14:37 +0100)]
Rootfile update
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Arne Fitzenreiter [Sun, 26 May 2019 15:27:16 +0000 (17:27 +0200)]
core133: readd late core132 changes to core133
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sun, 26 May 2019 15:23:54 +0000 (17:23 +0200)]
Merge branch 'master' into next
Arne Fitzenreiter [Sun, 26 May 2019 14:17:04 +0000 (16:17 +0200)]
core132: security conf should not be executable
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Thu, 23 May 2019 00:50:29 +0000 (01:50 +0100)]
tor: Depend on libseccomp
Suggested-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Fri, 24 May 2019 15:45:33 +0000 (17:45 +0200)]
ids-functions.pl: Do not delete the whitelist file on rulesdir cleanup.
Fixes #12087.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sun, 26 May 2019 14:05:41 +0000 (16:05 +0200)]
core132: set correct permissions of security settings file.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sat, 25 May 2019 05:39:38 +0000 (07:39 +0200)]
vulnerabilities.cgi: again change colours
red - vulnerable
blue - mitigated
green - not affected
because we do not really trust the mitigations, so they should not be green.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sat, 25 May 2019 04:54:35 +0000 (06:54 +0200)]
vulnerabilities.cgi fix string handling
remove lf at the end for correct matching
and do not strip "Mitigated:" if it was not fully working and still
vulnerable.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Wed, 22 May 2019 10:08:43 +0000 (11:08 +0100)]
vulnerabilities.cgi: Regard mitigations that only mitigate something still as vulnerable
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 22 May 2019 10:05:20 +0000 (11:05 +0100)]
vulnerabilities.cgi: Simplify regexes
We can do the split in one.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 24 May 2019 05:55:03 +0000 (06:55 +0100)]
Merge branch 'toolchain' into next
Michael Tremer [Fri, 24 May 2019 05:54:16 +0000 (06:54 +0100)]
Merge remote-tracking branch 'ms/faster-build' into next
Michael Tremer [Fri, 24 May 2019 05:39:37 +0000 (06:39 +0100)]
core133: Ship updated squid
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Fri, 24 May 2019 18:46:59 +0000 (20:46 +0200)]
squid: Update to 4.7
For details see:
http://www.squid-cache.org/Versions/v4/changesets/
Fixes among other things the old 'filedescriptors' problem, so this patch was deleted.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 24 May 2019 05:37:21 +0000 (06:37 +0100)]
core133: Ship updated bind
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Fri, 24 May 2019 18:53:15 +0000 (20:53 +0200)]
bind: Update to 9.11.7
For details see:
http://ftp.isc.org/isc/bind9/9.11.7/RELEASE-NOTES-bind-9.11.7.html
"Security Fixes
The TCP client quota set using the tcp-clients option could be exceeded in some cases.
This could lead to exhaustion of file descriptors.
This flaw is disclosed in CVE-2018-5743. [GL #615]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 24 May 2019 05:35:46 +0000 (06:35 +0100)]
Start Core Update 133
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 24 May 2019 05:30:46 +0000 (06:30 +0100)]
.gitignore: Ignore some backup files
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 23 May 2019 00:50:29 +0000 (01:50 +0100)]
tor: Depend on libseccomp
Suggested-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 22 May 2019 14:29:32 +0000 (15:29 +0100)]
unbound: Safe Search: Enable Restrict-Moderate for YouTube
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 22 May 2019 10:23:07 +0000 (11:23 +0100)]
Update German translations
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 22 May 2019 10:08:43 +0000 (11:08 +0100)]
vulnerabilities.cgi: Regard mitigations that only mitigate something still as vulnerable
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 22 May 2019 10:05:20 +0000 (11:05 +0100)]
vulnerabilities.cgi: Simplify regexes
We can do the split in one.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Arne Fitzenreiter [Wed, 22 May 2019 10:34:41 +0000 (12:34 +0200)]
Merge branch 'master' into next
Arne Fitzenreiter [Wed, 22 May 2019 10:34:03 +0000 (12:34 +0200)]
vulnerabilities: change to logic colours
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Wed, 22 May 2019 08:38:02 +0000 (10:38 +0200)]
Merge branch 'next'
Arne Fitzenreiter [Wed, 22 May 2019 08:33:20 +0000 (10:33 +0200)]
finish: core132
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Wed, 22 May 2019 08:22:53 +0000 (10:22 +0200)]
vulnerabilities.cgi: add colours for vuln, smt and unknown output.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Tue, 21 May 2019 18:42:51 +0000 (20:42 +0200)]
kernel: update to 4.14.121
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>