The second version of this patch avoids re-defining $db_handle.
Fixes: #12492
Cc: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-By: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 7 Oct 2020 11:46:46 +0000 (11:46 +0000)]
/var/ipfire/ethernet/settings: Drop BROADCAST variable
This variable is no longer being used and was only used to
assign IP addresses to the individual interfaces.
However, the kernel knows best which IP address to select
as broadcast address for each network. Therefore we depend
on the kernel which allows us to support RFC3021.
Fixes: #12486 - no /31 transfer net available on red
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
We already pass -fstack-protector-strong, which might be overridden
by -fstack-protector-all. We also know that SSP works in our version
of libc and do not need to link against libssp.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sat, 2 May 2020 19:57:54 +0000 (21:57 +0200)]
Python3: update to 3.8.2
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sun, 3 May 2020 10:02:27 +0000 (12:02 +0200)]
python3-botocore: update to 1.16.1
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sun, 3 May 2020 10:04:50 +0000 (12:04 +0200)]
python3-colorama: update to 0.4.3
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sun, 3 May 2020 10:07:33 +0000 (12:07 +0200)]
python3-dateutil: update to 2.8.1
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sun, 3 May 2020 10:09:49 +0000 (12:09 +0200)]
python3-docutils: update to 0.16
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sun, 3 May 2020 10:11:19 +0000 (12:11 +0200)]
python3-jmespath: update to 0.9.5
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sun, 3 May 2020 10:15:45 +0000 (12:15 +0200)]
python3-pyasn1: update to 0.4.8
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sun, 3 May 2020 10:17:51 +0000 (12:17 +0200)]
python3-rsa: update to 4.0
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sun, 3 May 2020 10:19:21 +0000 (12:19 +0200)]
python3-s3transfer: update to 0.3.3
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sun, 3 May 2020 10:23:55 +0000 (12:23 +0200)]
python3-six: update to 1.14.0
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Mon, 5 Oct 2020 19:45:31 +0000 (19:45 +0000)]
sysctl.conf: prevent autoloading of TTY line disciplines
Malicious/vulnerable TTY line disciplines have been the subject of some
kernel exploits such as CVE-2017-2636, and since - to put it in Greg
Kroah-Hartman's words - we do not "trust the userspace to do the right
thing", this reduces local kernel attack surface.
Further, there is no legitimate reason why an unprivileged user should
load kernel modules during runtime, anyway.
See also:
- https://lkml.org/lkml/2019/4/15/890
- https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Mon, 5 Oct 2020 14:12:18 +0000 (14:12 +0000)]
sysctl.conf: prevent unintentional writes into attacker-controlled files and FIFOs
Similar to hard- and symlink protection introduced a while ago, this
patch enables protections against unintentional writes into
attacker-controlled regular files or FIFOs, where a program expected to
create new ones. This makes exploiting TOCTOU flaws harder.
See also: https://www.kernel.org/doc/Documentation/sysctl/fs.txt
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Thu, 1 Oct 2020 13:19:22 +0000 (15:19 +0200)]
freeradius: Update to version 3.0.21
Update includes several fixes (incl. CVE-2019-17185) and feature improvements.
A full overview of all changes can be found here --> https://raw.githubusercontent.com/FreeRADIUS/freeradius-server/v3.0.x/doc/ChangeLog
The freeradius-no-buildtime-cert-gen patch applies also with this version.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Thu, 1 Oct 2020 12:45:48 +0000 (14:45 +0200)]
lynis: Update to version 3.0.0
Several fixes (incl. CVE-2019-13033 and CVE-2020-13882) and features have been added since the last version 2.6.4.
For a full overview of the changes take a look here --> https://cisofy.com/changelog/lynis/
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Thu, 1 Oct 2020 12:37:14 +0000 (14:37 +0200)]
libsolv: Update to version 0.7.14
Several fixes and features have been added.
A full overview of all changes can be found here --> https://github.com/openSUSE/libsolv/blob/master/package/libsolv.changes
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Wed, 30 Sep 2020 14:46:07 +0000 (14:46 +0000)]
sysctl.conf: drop RST packets for sockets in TIME-WAIT state
RFC 1337 describes various TCP (side channel) attacks against
prematurely closed connections stalling in TIME-WAIT state, such as DoS
or injecting arbitrary TCP segments, and recommends to silently discard
RST packets for sockets in this state.
While applications still tied to such sockets should tolerate invalid
input (thanks to Jon Postel), there is little legitimate reason to send
such RST packets altogether.
At the time of writing, no collateral damage related to active RFC 1337
implementations is known. Measurements in productive environments did
not reveal any side effects either, which is why I consider enabling the
RFC 1337 implementation to be a safe change.
See also: https://tools.ietf.org/html/rfc1337
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
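The three sysctl.conf commits above (TTY line discipline autoloading, protected regular files and FIFOs, RFC 1337) each turn one kernel knob. As an added example, not IPFire's own code, here is a small POSIX shell audit that checks a sysctl.conf excerpt for those knobs and reports anything missing or weaker than the strict value; the key names and values are assumed from the upstream kernel documentation rather than quoted from the commits, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example, not IPFire's own code: audit a sysctl.conf excerpt for the
# hardening knobs the commits above describe. Key names are the upstream
# Linux sysctl names (an assumption; the commits do not quote them) and the
# "want" values are the strict settings.
EXPECTED="dev.tty.ldisc_autoload=0
fs.protected_regular=2
fs.protected_fifos=2
net.ipv4.tcp_rfc1337=1"

# Constructed sample: ldisc_autoload is absent, protected_fifos is too weak.
SAMPLE_CONF="# constructed sysctl.conf excerpt
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
fs.protected_regular = 2
fs.protected_fifos = 1
net.ipv4.tcp_rfc1337 = 1"

# sysctl_value CONF KEY: print the last value assigned to KEY in CONF
# (later assignments override earlier ones), or nothing if KEY is absent.
sysctl_value() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*$esc[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" |
        tail -n 1
}

# audit_sysctl CONF: print one line per missing or weakened key and
# return 0 only when every expected key carries its strict value.
audit_sysctl() {
    rc=0
    for entry in $EXPECTED; do
        key=${entry%%=*}
        want=${entry#*=}
        have=$(sysctl_value "$1" "$key")
        if [ -z "$have" ]; then
            echo "MISSING $key (want $want)"
            rc=1
        elif [ "$have" != "$want" ]; then
            echo "WEAK $key=$have (want $want)"
            rc=1
        fi
    done
    return $rc
}

# Usage: audit the constructed sample, then the live file if one is readable.
audit_sysctl "$SAMPLE_CONF" || echo "sample: hardening gaps found"
if [ -r /etc/sysctl.conf ]; then
    audit_sysctl "$(cat /etc/sysctl.conf)" || echo "/etc/sysctl.conf: hardening gaps found"
fi
```

Values set in /etc/sysctl.d/ or at runtime are not seen by this file-based check; compare against `sysctl -a` output if the running state is what matters.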
Erik Kapfer [Wed, 30 Sep 2020 13:06:07 +0000 (15:06 +0200)]
stunnel: Update to version 5.56
The version jump from 5.44 to 5.56 includes several 'LOW' and 'HIGH' urgent bugfixes which are also security relevant.
A full overview of fixes and new features can be found here --> https://www.stunnel.org/NEWS.html
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Wed, 30 Sep 2020 13:18:49 +0000 (15:18 +0200)]
keepalived: Update to version 2.1.5
The version jump from 2.0.20 to 2.1.5 includes several improvements and fixes.
The release notes can be viewed here --> https://www.keepalived.org/release-notes/Release-2.1.4.html
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 29 Sep 2020 07:21:30 +0000 (09:21 +0200)]
openssh: Update to 8.4p1
- Update openssh from version 8.3p1 to 8.4p1
See https://www.openssh.com/releasenotes.html
See https://www.openssh.com/portable.html#http for mirrors for source file
- No change to rootfiles
- Installed on virtual ipfire testbed and ssh connection successfully operated
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 29 Sep 2020 18:48:05 +0000 (20:48 +0200)]
bacula: Update to 9.6.6
- Update bacula from version 9.6.5 to 9.6.6
This is a minor bug release
See https://sourceforge.net/projects/bacula/files/bacula/9.6.6/ReleaseNotes/
Source file available at https://sourceforge.net/projects/bacula/files/bacula/9.6.6/bacula-9.6.6.tar.gz
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 29 Sep 2020 18:48:29 +0000 (20:48 +0200)]
bacula: Update to backup/includes definition
- Modified backup/includes file to backup the /var/bacula/working directory contents
rather than explicitly naming the state filename.
State filename could be varied if user modifies the port number for the file daemon
as the port number is part of the state filename
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>