]>
git.ipfire.org Git - people/pmueller/ipfire-2.x.git/log
Arne Fitzenreiter [Sun, 26 May 2019 15:27:16 +0000 (17:27 +0200)]
core133: readd late core132 changes to core133
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sun, 26 May 2019 15:23:54 +0000 (17:23 +0200)]
Merge branch 'master' into next
Arne Fitzenreiter [Sun, 26 May 2019 14:17:04 +0000 (16:17 +0200)]
core132: security conf should not executable
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Thu, 23 May 2019 00:50:29 +0000 (01:50 +0100)]
tor: Depend on libseccomp
Suggested-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Fri, 24 May 2019 15:45:33 +0000 (17:45 +0200)]
ids-functions.pl: Do not delete the whitelist file on rulesdir cleanup.
Fixes #12087.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sun, 26 May 2019 14:05:41 +0000 (16:05 +0200)]
core132: set correct permissions of security settings file.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sat, 25 May 2019 05:39:38 +0000 (07:39 +0200)]
vulnerabilities.cgi: again change colours
red - vulnerable
blue - mitigated
green - not affected
because we not really trust the mitigations so they shound not green.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sat, 25 May 2019 04:54:35 +0000 (06:54 +0200)]
vulnerabilities.cgi fix string handling
remove lf at the end for correct matching
and not strip "Mitigated:" if it was not full working and still
vulnerable.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Wed, 22 May 2019 10:08:43 +0000 (11:08 +0100)]
vulnerabilities.cgi: Regard mitigations that only mitigate something still as vulnerable
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 22 May 2019 10:05:20 +0000 (11:05 +0100)]
vulnerabilities.cgi: Simplify regexes
We can do the split in one.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 24 May 2019 05:55:03 +0000 (06:55 +0100)]
Merge branch 'toolchain' into next
Michael Tremer [Fri, 24 May 2019 05:54:16 +0000 (06:54 +0100)]
Merge remote-tracking branch 'ms/faster-build' into next
Michael Tremer [Fri, 24 May 2019 05:39:37 +0000 (06:39 +0100)]
core133: Ship updated squid
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Fri, 24 May 2019 18:46:59 +0000 (20:46 +0200)]
squid: Update to 4.7
For details see:
http://www.squid-cache.org/Versions/v4/changesets/
Fixes among other things the old 'filedescriptors' problem, so this patch was deleted.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 24 May 2019 05:37:21 +0000 (06:37 +0100)]
core133: Ship updated bind
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Fri, 24 May 2019 18:53:15 +0000 (20:53 +0200)]
bind: Update to 9.11.7
For details see:
http://ftp.isc.org/isc/bind9/9.11.7/RELEASE-NOTES-bind-9.11.7.html
"Security Fixes
The TCP client quota set using the tcp-clients option could be exceeded in some cases.
This could lead to exhaustion of file descriptors.
This flaw is disclosed in CVE-2018-5743. [GL #615]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 24 May 2019 05:35:46 +0000 (06:35 +0100)]
Start Core Update 133
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 24 May 2019 05:30:46 +0000 (06:30 +0100)]
.gitignore: Ignore some backup files
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 23 May 2019 00:50:29 +0000 (01:50 +0100)]
tor: Depend on libseccomp
Suggested-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 22 May 2019 14:29:32 +0000 (15:29 +0100)]
unbound: Safe Search: Enable Restrict-Moderate for YouTube
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 22 May 2019 10:23:07 +0000 (11:23 +0100)]
Update German translations
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 22 May 2019 10:08:43 +0000 (11:08 +0100)]
vulnerabilities.cgi: Regard mitigations that only mitigate something still as vulnerable
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 22 May 2019 10:05:20 +0000 (11:05 +0100)]
vulnerabilities.cgi: Simplify regexes
We can do the split in one.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Arne Fitzenreiter [Wed, 22 May 2019 10:34:41 +0000 (12:34 +0200)]
Merge branch 'master' into next
Arne Fitzenreiter [Wed, 22 May 2019 10:34:03 +0000 (12:34 +0200)]
vulnerablities: change to logic colours
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Wed, 22 May 2019 08:38:02 +0000 (10:38 +0200)]
Merge branch 'next'
Arne Fitzenreiter [Wed, 22 May 2019 08:33:20 +0000 (10:33 +0200)]
finish: core132
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Wed, 22 May 2019 08:22:53 +0000 (10:22 +0200)]
vulnerablities.cgi: add colours for vuln,smt and unknown output.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Tue, 21 May 2019 18:42:51 +0000 (20:42 +0200)]
kernel: update to 4.14.121
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Tue, 21 May 2019 18:36:16 +0000 (20:36 +0200)]
vnstat: fix errormessage at first boot
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Tue, 21 May 2019 13:03:21 +0000 (15:03 +0200)]
configroot: create main/security settings file
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Tue, 21 May 2019 13:02:54 +0000 (15:02 +0200)]
web-user-interface: update rootfile
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 20 May 2019 20:55:55 +0000 (21:55 +0100)]
core132: Ship vulnerabilities.cgi
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 20 May 2019 20:54:05 +0000 (21:54 +0100)]
SMT: Show status on vulnerabilities.cgi
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 20 May 2019 20:39:03 +0000 (21:39 +0100)]
vulnerabilities.cgi: Disable debugging output
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 20 May 2019 20:38:20 +0000 (21:38 +0100)]
Add the new vulnerabilities CGI file to the System menu
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 20 May 2019 20:30:26 +0000 (21:30 +0100)]
SMT: Apply settings according to configuration
SMT can be forced on.
By default, all systems that are vulnerable to RIDL/Fallout
will have SMT disabled by default.
Systems that are not vulnerable to that will keep SMT enabled.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 20 May 2019 20:17:17 +0000 (21:17 +0100)]
Add new CGI file to show CPU vulnerability status
This is supposed to help users to have an idea about
the status of the used hardware.
Additionally, it allows users to enable/disable SMT.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 20 May 2019 18:10:15 +0000 (19:10 +0100)]
suricata: Ship updated rule download script
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Mon, 20 May 2019 18:06:22 +0000 (20:06 +0200)]
update-ids-ruleset: Release ids_page_lock when the downloader fails.
Fixes #12085.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sat, 18 May 2019 15:14:00 +0000 (15:14 +0000)]
ids.cgi: Fix upstream proxy validation
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 20 May 2019 17:04:49 +0000 (18:04 +0100)]
spectre-meltdown-checker: Update to 0.41
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stéphane Pautrel [Mon, 20 May 2019 09:59:12 +0000 (10:59 +0100)]
Update French translation
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 20 May 2019 09:56:13 +0000 (10:56 +0100)]
zoneconf: Reindent with tabs
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 20 May 2019 09:55:02 +0000 (10:55 +0100)]
Update translations
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Florian Bührle [Sun, 19 May 2019 21:33:45 +0000 (23:33 +0200)]
Added reboot notice
Added a reboot notice and made table rows more distinguishable by
alternating their background color. This improves usability.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Florian Bührle [Sun, 19 May 2019 21:04:24 +0000 (23:04 +0200)]
zoneconf: Switch rows/columns
This change is necessary because the table can grow larger than the main
container if a user has many NICs on their machine.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 20 May 2019 09:52:42 +0000 (10:52 +0100)]
Update contributors
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 20 May 2019 09:52:16 +0000 (10:52 +0100)]
core132: Ship updated ovpnmain.cgi file
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Sat, 27 Apr 2019 14:05:51 +0000 (16:05 +0200)]
ovpn_reorganize_encryption: Integrate LZO from global to advanced section
Fixes: #11819
- Since the Voracle vulnerability, LZO is better placed under advanced section cause under specific circumstances it is exploitable.
- Warning/hint has been added in the option defaults description.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 20 May 2019 09:51:09 +0000 (10:51 +0100)]
Update translations
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Sat, 27 Apr 2019 14:05:50 +0000 (16:05 +0200)]
ovpn_reorganize_encryption: Added tls-auth into global section
- Since HMAC selection is already in global section, it makes sense to keep the encryption togehter.
- Given tls-auth better understandable name.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Sat, 27 Apr 2019 14:05:49 +0000 (16:05 +0200)]
ovpn_reorganize_encryption: Integrate HMAC selection to global section
Fixes: #12009 and #11824
- Since HMACs will be used in any configuration it is better placed in the global menu.
- Adapted global section to advanced and marked sections with a headline for better overview.
- Deleted old headline in advanced section cause it is not needed anymore.
- Added check if settings do not includes 'DAUTH', if possible SHA512 will be used and written to settings file.
Old configurations with SHA1 will be untouched.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 20 May 2019 09:48:25 +0000 (10:48 +0100)]
tshark: Drop special package scripts
We are not doing anything different from the default here,
so we do not need an extra copy of them.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Sun, 19 May 2019 04:37:03 +0000 (06:37 +0200)]
tshark: New addon
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Oliver Fuhrer [Sun, 19 May 2019 13:30:52 +0000 (15:30 +0200)]
BUG 11696: VPN Subnets missing from wpad.dat
This patch fixes the behavior in 11696 and adds IPSEC and OpenVPN n2n subnets to wpad.dat so they don't pass through the proxy.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 20 May 2019 09:09:26 +0000 (10:09 +0100)]
tor: Bump release version
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sat, 18 May 2019 14:40:00 +0000 (14:40 +0000)]
Tor: specify correct user for default configuration
While being built with user/group set to "tor", the default
configuration still contains the old username.
This patch adjusts it to the correct value. The issue was
caused by insufficient testing, which I apologise for.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Arne Fitzenreiter [Mon, 20 May 2019 05:24:04 +0000 (07:24 +0200)]
make.sh: comment to update backupiso if version change
It was to offten forgotten to update the backupiso script
that need to download the matching iso from the servers
so i added a comment.
no functional change
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Mon, 20 May 2019 05:14:12 +0000 (07:14 +0200)]
core132: add log.dat to updater
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Sun, 19 May 2019 13:54:32 +0000 (15:54 +0200)]
suricata: Fixed logs.dat regex for suricata
Fixes: #12084
Since the Suricata regex did not match the messages output, Suricata was not displayed in the "System Logs" section in the WUI.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Sun, 19 May 2019 16:52:23 +0000 (18:52 +0200)]
suricata: Limit to a maximum of "16" netfilter queues.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Sat, 18 May 2019 08:25:54 +0000 (09:25 +0100)]
Update contributors
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 May 2019 22:36:53 +0000 (23:36 +0100)]
Update translations
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Alexander Marx [Thu, 24 May 2018 10:38:39 +0000 (12:38 +0200)]
BUG11505: Captive Portal: no way to remove an uploaded logo
added a delete button
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 May 2019 19:30:13 +0000 (20:30 +0100)]
core132: Ship updated apache configuration
A reload would be sufficient.
I could not find why apache needs to be restarted.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Wed, 15 May 2019 17:01:00 +0000 (17:01 +0000)]
httpd: prefer AES-GCM ciphers over AES-CBC
CBC ciphers are vulnerable to a bunch of attacks (being
rather academic so far) such as MAC-then-encrypt or
padding oracle.
These seem to be more serious (see
https://blog.qualys.com/technology/2019/04/22/zombie-poodle-and-goldendoodle-vulnerabilities
for further readings) which is why they should be used
for interoperability purposes only.
I plan to remove AES-CBC ciphers for the WebUI at the
end of the year, provided overall security landscape
has not changed until that.
This patch changes the WebUI cipherlist to:
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
(AES-CBC + ECDSA will be preferred over RSA for performance
reasons. As this cipher order cannot be trivially rebuilt with
OpenSSL cipher stings, it has to be hard-coded.)
All working clients will stay compatible.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 17 May 2019 18:52:27 +0000 (19:52 +0100)]
Fix version information in backupiso script
Fixes: #12083
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Arne Fitzenreiter [Fri, 17 May 2019 05:10:52 +0000 (07:10 +0200)]
kernel: update to 4.14.120
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Thu, 16 May 2019 12:26:04 +0000 (14:26 +0200)]
kernel: update to 4.14.119
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Wed, 15 May 2019 11:17:26 +0000 (13:17 +0200)]
intel-microcode: update to
20190514
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Tue, 14 May 2019 09:02:03 +0000 (10:02 +0100)]
Update kernel rootfiles for armv5tel
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 13 May 2019 15:31:14 +0000 (16:31 +0100)]
Update kernel rootfiles for aarch64
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 12 May 2019 09:21:32 +0000 (10:21 +0100)]
xtables-addons: Explicitely add path for alternative kernels
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 12 May 2019 09:20:57 +0000 (10:20 +0100)]
linux: Fix touching incorrect version.h
This file has moved and the touch command created an empty version
of the file which caused that builds depending on that did not
complete.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 12 May 2019 08:28:10 +0000 (09:28 +0100)]
linux: objtool does not exist on all platforms
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 11 May 2019 03:24:29 +0000 (04:24 +0100)]
core132: Ship changes to unbound
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 11 May 2019 03:19:37 +0000 (04:19 +0100)]
unbound: Add Safe Search
This is a feature that will filter adult content from search
engine's results.
The old method of rewriting the HTTP request no longer works.
This method changes the DNS response for supported search engines
which violates our belief in DNSSEC and won't allow these search
engines to ever enable DNSSEC.
However, there is no better solution available to this and this
an optional feature, too.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Michael Tremer [Sat, 11 May 2019 03:18:08 +0000 (04:18 +0100)]
core132: Ship updated urlfilter.cgi
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 30 Apr 2019 16:06:08 +0000 (17:06 +0100)]
URL Filter: Drop Safe Search feature
This is not working for quite some time now because all search
engines have moved over to HTTPS. Therefore we no longer can
manipulate the URL query string.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 11 May 2019 01:20:15 +0000 (02:20 +0100)]
igmpproxy: Update to 0.2.1
This updates the package to its latest upstream version and should
be able to support IGMPv3.
Fixes: #12074
Suggested-by: Marc Roland <marc.roland@outlook.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 10 May 2019 09:25:46 +0000 (10:25 +0100)]
xtables-addons: Automatically detect location of kernel source
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 10 May 2019 09:12:50 +0000 (10:12 +0100)]
linux: Install kernel build system to /lib/modules
This is necessary so that we can clean up /usr/src after
each build and do not waste any space on the massive kernel
source.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 10 May 2019 09:10:25 +0000 (10:10 +0100)]
make.sh: Append -ipfire to fake kernel string
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 10 May 2019 02:38:49 +0000 (03:38 +0100)]
make.sh: Automatically enable build ramdisk on systems with 4GB RAM or more
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 9 May 2019 17:16:20 +0000 (18:16 +0100)]
iptables: Fix build without kernel source
The layer7 filter header files were not installed into /usr/include
and therefore we needed to keep the whole kernel source tree.
This is just a waste of space and this patch fixes this.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 8 May 2019 18:16:26 +0000 (19:16 +0100)]
make.sh: Mount /usr/src in memory for faster build
This patch enables that /usr/src is a ramdisk which should
give us fewer I/O operations when extracting tarballs or
writing small intermediate files by the compiler.
In some virtualised environments this should bring a good
performance boost.
There is no persistent data stored in this directory and
some persistent directories are mounted over it.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Alexander Koch [Thu, 9 May 2019 21:55:58 +0000 (23:55 +0200)]
Pakfire: Add Core-Version to "status"
Add the IPFire-Core-Version to the status message.
Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Thu, 9 May 2019 20:06:00 +0000 (20:06 +0000)]
Tor: update to 0.4.0.5
See https://blog.torproject.org/new-release-tor-0405 for release
announcements.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 10 May 2019 03:20:17 +0000 (04:20 +0100)]
core132: Ship updated hwdata
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Thu, 9 May 2019 13:40:00 +0000 (13:40 +0000)]
hwdata: update PCI/USB databases
PCI IDs: 2019-05-03 03:15:03
USB IDs: 2019-05-08 20:34:05
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 10 May 2019 03:19:05 +0000 (04:19 +0100)]
core132: Ship updated ca-certificates
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Thu, 9 May 2019 13:24:00 +0000 (13:24 +0000)]
update ca-certificates CA bundle
Update the CA certificates list to what Mozilla NSS ships currently.
The original file can be retrieved from:
https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 10 May 2019 03:16:39 +0000 (04:16 +0100)]
Update translations
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 10 May 2019 02:36:58 +0000 (03:36 +0100)]
Config: Disable XZ parallelism by default
Exporting XZ_OPT caused that every time xz was called, it automatically
enabled parallelism. The make systemm also launches multiple processes
at the same time to use more processor cores at the same time.
The combination of this causes memory exhaustion even on large systems
and has no performance gain. Therefore this is disabled by default
and only enabled where we need it which is already the case.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Florian Bührle [Sat, 11 May 2019 12:38:39 +0000 (14:38 +0200)]
zoneconf: Fix bug that resultet from last fix
Fix bug that prevents users from assigning NIC to RED if RED is in PPP
mode
Florian Bührle [Sat, 11 May 2019 11:28:12 +0000 (13:28 +0200)]
zoneconf: Fix bug in NIC assignment; Change visibility of unused zones
Fix a bug that allows users to add multiple NICs to non-bridged zones.
This fix includes a new error message.
Unused zones are now invisible instead of grey.
Michael Tremer [Thu, 9 May 2019 13:51:40 +0000 (14:51 +0100)]
routing: Fix potential authenticated XSS in input processing
An authenticated Stored XSS (Cross-site Scripting) exists in the
(https://192.168.0.241:444/cgi-bin/routing.cgi) Routing Table Entries
via the "Remark" text box or "remark" parameter. This is due to a
lack of user input validation in "Remark" text box or "remark"
parameter. It allows an authenticated WebGUI user with privileges
for the affected page to execute Stored Cross-site Scripting in
the Routing Table Entries (/cgi-bin/routing.cgi), which helps
attacker to redirect the victim to a attacker's phishing page.
The Stored XSS get prompted on the victims page whenever victim
tries to access the Routing Table Entries configuraiton page.
An attacker get access to the victim's session by performing
the CSRF and gather the cookie and session id's or possibly can
change the victims configuration using this Stored XSS.
This attack can possibly spoof the victim's informations.
Fixes: #12072
Reported-by: Dharmesh Baskaran <dharmesh201093@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 9 May 2019 15:16:35 +0000 (17:16 +0200)]
zoneconf: Remove red warning
This is a bit shouty and there are various places where we do not
warn about this problem, so this patch makes it more consistent.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 9 May 2019 15:13:52 +0000 (17:13 +0200)]
zoneconf: Fix spelling
This patch mainly changes "Macvtap" to the branded spelling and removes
short forms as well as hyphenation in German compound nouns.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>