Michael Tremer [Thu, 16 Apr 2020 19:27:08 +0000 (19:27 +0000)]
Package the official Go compiler
Since Go has a horrible build system which requires a Go
compiler to build the Go compiler and takes a very long
time to compile, we are following Rust and are using the
"official" pre-compiled release tarball.
We no longer ship the Go runtime, which mitigates the
risk of shipping any malware.
Because we currently only have one package using this
and which is only being compiled for x86_64, we are
only making Go available on this architecture.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
glibc calls clock_nanosleep_time64 syscall even if it is not defined in
the headers for this arch and the seccomp filter kills the process
because of an unknown syscall.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 6 Apr 2020 15:10:25 +0000 (15:10 +0000)]
unbound: Set domains with local data into type transparent mode
Records which are from the same domain as the IPFire hostname
might not be returned by unbound. This change explicitly instructs
unbound to check local data before checking the global DNS.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Fri, 3 Apr 2020 14:25:01 +0000 (16:25 +0200)]
IDS: Dynamically generate and import the HTTP ports.
With this commit suricata reads the HTTP port declarations from a newly
introduced external file
(/var/ipfire/suricata/suricata-http-ports.yaml).
This file will be generated dynamically. HTTP ports always are the
default ports "80" and "81" for Update Accelerator and HTTP access to the
WUI. In case the Web-proxy is used, the configured proxy port and/or Transparent
Proxy port also will be declared as an HTTP port and written to that file.
In case one of the proxy ports is changed, the HTTP port file will
be re-generated and suricata restarted if launched. Also if an old
backup with snort is restored the convert script handles the
generation of the HTTP ports file.
Finally the suricata-generate-http-ports-file is a tiny script which
simply generates the http ports file and needs to be launched during the
installation of a core update. (The script will not be required
anymore, so it could be deleted afterwards.)
Fixes #12308.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
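An added example (not IPFire's script and not part of the commit above): a Python sketch of the consistency check this change implies, building the HTTP port list from the fixed ports 80 and 81 plus any configured proxy ports and reporting ports that a stale ports file no longer covers. The `HTTP_PORTS` variable name, the file layout and the `PROXY_PORT`/`TRANSPARENT_PORT` setting keys are assumptions made for the example.

```python
import re

BASE_PORTS = (80, 81)  # from the commit text: Update Accelerator and WUI HTTP access

def expected_ports(proxy_settings):
    """Ports Suricata should treat as HTTP for the given proxy settings.

    proxy_settings is a dict; its key names are assumptions for this example.
    """
    ports = set(BASE_PORTS)
    for key in ("PROXY_PORT", "TRANSPARENT_PORT"):
        value = str(proxy_settings.get(key, "")).strip()
        if not value:
            continue  # proxy (or transparent mode) not configured
        if not re.fullmatch(r"[0-9]{1,5}", value) or not 1 <= int(value) <= 65535:
            raise ValueError(f"{key} is not a valid TCP port: {value!r}")
        ports.add(int(value))
    return sorted(ports)

def render_ports_file(ports):
    """Render the include file; this layout is assumed, not taken from IPFire."""
    joined = ",".join(str(p) for p in ports)
    return f'%YAML 1.1\n---\n\nHTTP_PORTS: "[{joined}]"\n'

def parse_ports_file(text):
    """Extract the declared port list from a rendered file."""
    match = re.search(r'^HTTP_PORTS:\s*"\[([0-9,\s]*)\]"\s*$', text, re.MULTILINE)
    if match is None:
        raise ValueError("no HTTP_PORTS declaration found")
    return sorted({int(p) for p in match.group(1).split(",") if p.strip()})

def missing_ports(file_text, proxy_settings):
    """Ports that carry HTTP but are absent from the file, so rules bound to
    the HTTP port variable would not cover them until it is regenerated."""
    declared = set(parse_ports_file(file_text))
    return [p for p in expected_ports(proxy_settings) if p not in declared]

if __name__ == "__main__":
    # Constructed sample: file written before the proxy port was changed.
    stale = render_ports_file(expected_ports({"PROXY_PORT": "800"}))
    current = {"PROXY_PORT": "3128", "TRANSPARENT_PORT": "3129"}
    print("missing:", missing_ports(stale, current))
    print(render_ports_file(expected_ports(current)), end="")
```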
Stefan Schantl [Sun, 5 Apr 2020 11:03:24 +0000 (13:03 +0200)]
suricata.yaml: Re-add EVE log section.
Hopefully the EVE log will display some more content when trying to
debug suricata events and rules.
Fixes #12315.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Wed, 1 Apr 2020 12:17:00 +0000 (12:17 +0000)]
OpenSSL: update to 1.1.1f
Fixes #12345 (yes, that's the real bug ID :-) )
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Cc: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Wed, 1 Apr 2020 08:32:40 +0000 (10:32 +0200)]
ids.cgi: Restart suricata if necessary when altering the ruleset.
Suricata does support re-reading its configuration files and therefore
we need to restart it, if one or more ruleset files should be loaded or
not loaded anymore.
If simply some rules inside the same files are activated or deactivated
we are still fine to call the reload method to send suricata the signal
to reload its ruleset.
Fixes #12340.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Tue, 31 Mar 2020 09:49:04 +0000 (09:49 +0000)]
strongswan: Build sha3 plugin
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Tue, 31 Mar 2020 09:49:03 +0000 (09:49 +0000)]
strongswan: Update to 5.8.4
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Thu, 23 Jan 2020 21:28:00 +0000 (21:28 +0000)]
sysctl.conf: Turn on hard- and symlink protection
Cc: Michael Tremer <michael.tremer@ipfire.org> Cc: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Mon, 3 Feb 2020 18:35:00 +0000 (18:35 +0000)]
update language files for mail.cgi changes
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Mon, 3 Feb 2020 18:35:00 +0000 (18:35 +0000)]
mail.cgi: add support for implicit TLS usage
The second version of this patchset fixes reading empty configuration
files and supersedes the first version (duh!).
Fixes #12161
Reported-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Tested-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sat, 1 Feb 2020 20:26:00 +0000 (20:26 +0000)]
dma: update to 0.12
All of the dma patches in src/patches/ were merged into its upstream
repository by now, thus becoming obsolete and deleted by this patch.
Cc: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sat, 21 Mar 2020 19:40:00 +0000 (19:40 +0000)]
spectre-meltdown-checker: update to 0.43
Please refer to https://github.com/speed47/spectre-meltdown-checker/releases/tag/v0.43
for release notes.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Sat, 28 Mar 2020 08:32:24 +0000 (09:32 +0100)]
OpenVPN: Delete RRD dir if connection is deleted
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Matthias Fischer [Wed, 25 Mar 2020 11:33:49 +0000 (12:33 +0100)]
bind: Update to 9.11.17
For details see:
https://downloads.isc.org/isc/bind9/9.11.17/RELEASE-NOTES-bind-9.11.17.html
"Notes for BIND 9.11.17
Feature Changes
The configure option --with-libxml2 now uses pkg-config to detect
libxml2 library availability. You will either have to install pkg-config
or specify the exact path where libxml2 has been installed on your
system. [GL #1635]
Bug Fixes
Fixed re-signing issues with inline zones which resulted in records
being re-signed late or not at all."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Mon, 27 Jan 2020 15:04:00 +0000 (15:04 +0000)]
avoid emitting VPN traffic to the internet if the IPS crashed
Due to strange NFQUEUE behaviour, traffic to remote VPN (IPsec or
OpenVPN) destinations was emitted to the internet (ppp0 or red0
interface) directly if the IPS was enabled but crashed during operation.
This patch places the IPSECBLOCK and OVPNBLOCK chains before the
ones responsible for forwarding traffic into the IPS.
Thanks to Michael for his debugging effort.
Partially fixes #12257
Cc: Michael Tremer <michael.tremer@ipfire.org> Cc: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Mon, 20 Jan 2020 20:05:00 +0000 (20:05 +0000)]
ssh_config: Do not set defaults explicitly
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Mon, 20 Jan 2020 20:04:00 +0000 (20:04 +0000)]
sshd_config: Do not set defaults explicitly
In order to keep configurations as small as possible and to make them
easier to read/audit, this patch omits all default configuration in the
OpenSSH server configuration file.
Further, it mentions where to refer for the full documentation.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sat, 21 Mar 2020 20:08:00 +0000 (20:08 +0000)]
OpenSSH: update to 8.2p1
Please refer to https://www.openssh.com/txt/release-8.2 for release
announcements. Since glibc < 2.31 is used, no additional patching was
required in order to restore correct login functionality.
Cc: Marcel Lorenz <marcel.lorenz@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Wed, 5 Feb 2020 11:45:47 +0000 (11:45 +0000)]
resolv.conf: Add "trust-ad" option
Since we are running unbound locally which always runs DNSSEC
validation, we can simply trust it and pass the ad flag on to
applications which make use of it.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>