Adolf Belka [Thu, 16 Jun 2022 21:31:59 +0000 (23:31 +0200)]
samba: Ship with CU169
- samba is linked to liblber from openldap. openldap was updated in CU168 but
I missed that samba had a dependency to one of its libraries.
- find-dependencies was not run on openldap liblber although looking at the openldap
rootfile it is clear that an sobump occurred.
- This patch increments the samba PAK_VER so that it will be shipped and therefore
have the library links updated.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Thu, 16 Jun 2022 21:16:36 +0000 (23:16 +0200)]
netatalk: Ship with CU169 - Fixes bug #12878
- netatalk is linked to liblber from openldap. openldap was updated in CU168 but
I missed that netatalk had a dependency to one of its libraries.
- find-dependencies was not run on openldap liblber although looking at the openldap
rootfile it is clear that an sobump occurred.
- This patch increments the netatalk PAK_VER so that it will be shipped and therefore
have the library links updated.
Fixes: Bug #12878 Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Thu, 16 Jun 2022 21:31:59 +0000 (23:31 +0200)]
samba: Ship with CU169
- samba is linked to liblber from openldap. openldap was updated in CU168 but
I missed that samba had a dependency to one of its libraries.
- find-dependencies was not run on openldap liblber although looking at the openldap
rootfile it is clear that an sobump occurred.
- This patch increments the samba PAK_VER so that it will be shipped and therefore
have the library links updated.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Thu, 16 Jun 2022 21:16:36 +0000 (23:16 +0200)]
netatalk: Ship with CU169 - Fixes bug #12878
- netatalk is linked to liblber from openldap. openldap was updated in CU168 but
I missed that netatalk had a dependency to one of its libraries.
- find-dependencies was not run on openldap liblber although looking at the openldap
rootfile it is clear that an sobump occurred.
- This patch increments the netatalk PAK_VER so that it will be shipped and therefore
have the library links updated.
Fixes: Bug #12878 Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Timo Eissler [Tue, 7 Jun 2022 15:53:23 +0000 (17:53 +0200)]
openvpn-authenticator: Change event and environment handling
Move reading of environment in it's own function because not all
events have a ENV block following and thus always reading the ENV
will cause RuntimeError("Unexpected environment line ...").
Michael Tremer [Wed, 4 May 2022 13:46:41 +0000 (14:46 +0100)]
openvpn-2fa: Import a prototype of an authenticator
This script runs aside of OpenVPN and connects to the management socket.
On the socket, OpenVPN will post any new clients trying to authenticate
which will be handled by the authenticator.
If a client has 2FA enabled, it will be challanged for the current token
which will then be checked in a second pass.
Clients which do not have 2FA enabled will just be authenticated no
matter what and tls-verify will have handled the rest.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Timo Eissler [Fri, 8 Apr 2022 08:50:20 +0000 (10:50 +0200)]
OpenVPN: Add support for 2FA / One-Time Password
Add two-factor authentication (2FA) to OpenVPN host connections with
one-time passwords.
The 2FA can be enabled or disabled per host connection and requires the
client to download it's configuration again after 2FA has beend enabled
for it.
Additionally the client needs to configure an TOTP application, like
"Google Authenticator" which then provides the second factor.
To faciliate this every connection with enabled 2FA
gets an "show qrcode" button after the "show file" button in the
host connection list to show the 2FA secret and an 2FA configuration QRCode.
When 2FA is enabled, the client needs to provide the second factor plus
the private key password (if set) to successfully authorize.
This only supports time based one-time passwords, TOTP with 30s
window and 6 digits, for now but we may update this in the future.
Signed-off-by: Timo Eissler <timo.eissler@ipfire.org>
Matthias Fischer [Thu, 16 Jun 2022 12:49:09 +0000 (14:49 +0200)]
bind: Update to 9.16.30
For details see:
https://downloads.isc.org/isc/bind9/9.16.30/doc/arm/html/notes.html#notes-for-bind-9-16-30
"Bug Fixes
The fetches-per-server quota is designed to adjust itself downward
automatically when an authoritative server times out too frequently.
Due to a coding error, that adjustment was applied incorrectly,
so that the quota for a congested server was always set to 1. This
has been fixed. [GL #3327]
DNSSEC-signed catalog zones were not being processed correctly. This
has been fixed. [GL #3380]
Key files were updated every time the dnssec-policy key manager ran,
whether the metadata had changed or not. named now checks whether
changes were applied before writing out the key files. [GL #3302]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
No changelog is provided, please refer to
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/
for all activity since the previous version.
This patch includes necessary directives for shipping added or modified
firmware files with Core Update 169, and deleting appropriate files on
existing installations.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sat, 11 Jun 2022 10:55:19 +0000 (10:55 +0000)]
lynis: Update to 3.0.8
Full changelog as retrived from https://cisofy.com/changelog/lynis/#308:
- MALW-3274 - Detect McAfee VirusScan Command Line Scanner
- PKGS-7346 Check Alpine Package Keeper (apk)
- PKGS-7395 Check Alpine upgradeable packages
- EOL for Alpine Linux 3.14 and 3.15
- AUTH-9408 - Check for pam_faillock as well (replacement for pam_tally2)
- FILE-7524 - Test enhanced to support symlinks
- HTTP-6643 - Support ModSecurity version 2 and 3
- KRNL-5788 - Only run relevant tests and improved logging
- KRNL-5820 - Additional path for security/limits.conf
- KRNL-5830 - Check for /var/run/needs_restarting (Slackware)
- KRNL-5830 - Add a presence check for /boot/vmlinuz
- PRNT-2308 - Bugfix that prevented test from storing values correctly
- Extended location of PAM files for AARCH64
- Some messages in log improved
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Peter Müller [Tue, 7 Jun 2022 20:09:07 +0000 (20:09 +0000)]
sysctl: For the sake of completeness, do not accept IPv6 redirects
While IPFire 2.x' web interface does not support IPv6, users can
technically run it with IPv6 by conducting the necessary configuration
changes manually.
To provide these systems as well, we should disable acceptance of ICMPv6
redirect packets - which is apparently not default in Linux, yet. :-/
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sat, 11 Jun 2022 18:47:31 +0000 (18:47 +0000)]
Kernel: Disable support for RPC dprintk debugging
This is solely needed for debugging of NFS issues. Due to the attack
surface it introduces, grsecurity recommends to disable it; as we do not
have a strict necessity for this feature, it is best to follow that
recommendation for security reasons.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sat, 11 Jun 2022 18:53:10 +0000 (18:53 +0000)]
Kernel: Enable YAMA support
See https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html for
the upstream rationale. Enabling YAMA gives us the benefit of additional
hardening options available, without any obvious downsides.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 10 May 2022 10:31:12 +0000 (12:31 +0200)]
lmdb: Update to version 0.9.29
- Update from version 0.9.24 to 0.9.29
- Update of rootfile not required
- Changelog - there is no changelog in the source tarball or on the Symas website or in
the github repository.
The following are extracted from the short log of the git commits
https://github.com/LMDB/lmdb/commits/LMDB_0.9.29/libraries/liblmdb
Release (0.9.29)
ITS#9500
ITS#9500 fix regression from ITS#8662
ITS#9376 simplify
ITS#9469 - Typo fixes
ITS#9461 fix typo
ITS#9461 refix ITS#9376
Release (0.9.28)
ITS#8662 Add -a append option to mdb_load
Return to RE
Release (0.9.27)
ITS#9376 Fixes for repeated deletes with xcursor
Return to engineering
Release 0.9.26
ITS#9278
Silence stupid fallthru warning
ITS#9278 fix robust mutex cleanup for FreeBSD
Return to engineering
Release 0.9.25
ITS#9155 lmdb: free mt_spill_pgs in non-nested txn on end
ITS#9118 - Fix typo in prev commit
ITS#9118 add MAP_NOSYNC for FreeBSD
return to release engineering, ITS#9068
ITS#9068 fix backslash escaping
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
manualpages: Add path and file extension to the configuration
This allows to correctly assign an URL to a file without relying
on unique base names.
A custom read function is required because General::readhash()
doesn't allow paths as hash keys. Modifying the existing functions
could affect other CGIs and was therefore dismissed.
Peter Müller [Sat, 4 Jun 2022 08:43:15 +0000 (08:43 +0000)]
Core Update 168: Ship fcrontab and rebuild it from scratch
This is necessary due to IDSv4 changes introducing changes to fcrontab.
While this patch will cause any custom cron jobs configured there to be
lost, it is better to start with a defined state rather than sed'ing
on this file.
Cc: Michael Tremer <michael.tremer@ipfire.org> Cc: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>