Alex Koch [Sun, 1 Sep 2019 22:47:29 +0000 (00:47 +0200)]
zoneconf: reduce the width of inputs for vlanid
The inputs for the vlanids are overlapping the borders of their cells (using a recent Firefox on Linux Mint, Android or Windows 7). This patch fixes this by limiting the width to a fixed value.
Signed-off-by: Alex Koch <ipfire@starkstromkonsument.de> Signed-off-by: Alex Koch <ipfire@starkstromkonsument.de> Acked-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
The settings file must be writeable for group "nobody" so
users can change their Tor settings via WebUI. Since other
files in /var/ipfire/tor/ does not need this workaround, only
the settings file permissions are changed.
Sorry for the late fix; this was reported by various people
in the forum, too (I was unaware of so many Tor users in our
community).
Fixes #12117
Reported-by: Erik Kapfer <erik.kapfer@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Alex Koch [Sat, 31 Aug 2019 18:53:00 +0000 (20:53 +0200)]
WUI log-section Mail: add support for postfix addon
Expand the regex for the section dmi ("Mail") for /var/log/mail to include the log contents of postfix, in case the addon is installed.
Signed-off-by: Alex Koch <ipfire@starkstromkonsument.de> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Alex Koch [Sat, 31 Aug 2019 18:52:59 +0000 (20:52 +0200)]
WUI log-section Mail: bugfix for dma
The prefix for dmi in /var/log/mail seems to have changed from "dma[<PID>]: " to "dma: ". This results in a bug where no lines are being shown at all in the WUI.
Signed-off-by: Alex Koch <ipfire@starkstromkonsument.de> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Alex Koch [Sun, 1 Sep 2019 21:34:58 +0000 (23:34 +0200)]
zabbix_agentd: Update to 4.2.6
Release Notes: https://www.zabbix.com/rn/rn4.2.6
Signed-off-by: Alex Koch <ipfire@starkstromkonsument.de> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
"DHCP: Work with IP headers with options
script: Assert that env string are correctly terminated
script: Terminate env strings with no value
script: Don't attempt to use an invalid env string
route: Fix NULL deference error when using static routes
ARP: Respect IFF_NOARP
DHCP: Add support for ARPHRD_NONE interfaces
DHCP: Allow full DHCP support for PtP interfaces, but not by default
DragonFlyBSD: 500704 announces IPv6 address flag changes
control: sends correct buffer to listeners"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Matthias Fischer [Fri, 23 Aug 2019 16:49:04 +0000 (18:49 +0200)]
clamav: Update to 0.101.4
For details see:
https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html
"An out of bounds write was possible within ClamAV's NSIS bzip2
library when attempting decompression in cases where the number
of selectors exceeded the max limit set by the library (CVE-2019-12900).
The issue has been resolved by respecting that limit.
Thanks to Martin Simmons for reporting the issue here.
The zip bomb vulnerability mitigated in 0.101.3 has been assigned
the CVE identifier CVE-2019-12625. Unfortunately, a workaround for
the zip-bomb mitigation was immediately identified. To remediate
the zip-bomb scan time issue, a scan time limit has been introduced
in 0.101.4.
This limit now resolves ClamAV's vulnerability to CVE-2019-12625."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Matthias Fischer [Fri, 23 Aug 2019 16:42:43 +0000 (18:42 +0200)]
bind: Update to 9.11.10
For details see:
https://downloads.isc.org/isc/bind9/9.11.10/RELEASE-NOTES-bind-9.11.10.html
"Security Fixes
A race condition could trigger an assertion failure when a large
number of incoming packets were being rejected.
This flaw is disclosed in CVE-2019-6471. [GL #942]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
I had added this for spamassassin but now the geoip-converter needs it too.
It was not pushed yet so there is no need to remove it from pakfire databases.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.11.9/RELEASE-NOTES-bind-9.11.9.html
"Security Fixes
A race condition could trigger an assertion failure when a large
number of incoming packets were being rejected.
This flaw is disclosed in CVE-2019-6471. [GL #942]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
"NetBSD: Can be build without ARP support but listen to kernel DaD
ND6: Removed NA support from SMALL builds
ND6: Remove and warn about NA issues on OS's other than NetBSD and Linux
script: /tmp files are now cleaned up for systems without open_memstream(3)
configure: open_memstream(3) detected on recent glibc
DHCP: Avoid duplicate read of UDP socket when BPF is also open
IP: Avoid adding address if already exists on OS other than Linux
IP6: Avoid adding address is already exists on Solaris
route: Fixed a NULL de-reference error on statically configured routes
DHCP6: Move to REQUEST when any IA has error no-binding in RENEW/REBIND
DragonFlyBSD: Now compiles and works for
IP: Accept packets with IP header options"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Mon, 29 Jul 2019 20:00:00 +0000 (20:00 +0000)]
firewall: raise log rate limit to 10 packets per second
Previous setting was to log 10 packets per minute for each
event logging is turned on. This made debugging much harder,
as the limit was rather strict and chances of dropping a
packet without logging it were good.
This patch changes the log rate limit to 10 packets per
second per event, to avoid DoS attacks against the log file.
I plan to drop log rate limit entirely in future changes,
if a better solution for this attack vector is available.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Cc: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk> Cc: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
grub-mkconfig has written the device name instead of uuid's
because the /dev/disk-by-uuid node of the new filesystem was missing
run "udevadm trigger" to create this nodes before install grub.
fixes: #12116
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>