git.ipfire.org Git - people/pmueller/ipfire-2.x.git/log
Matthias Fischer [Thu, 6 Nov 2014 22:53:01 +0000 (23:53 +0100)]
wget: Update to 1.16
Arne Fitzenreiter [Thu, 16 Oct 2014 09:36:21 +0000 (11:36 +0200)]
Merge branch 'next'
Conflicts:
make.sh
Arne Fitzenreiter [Thu, 16 Oct 2014 09:34:20 +0000 (11:34 +0200)]
core85: set version to core85.
Michael Tremer [Wed, 15 Oct 2014 20:55:54 +0000 (22:55 +0200)]
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
Michael Tremer [Wed, 15 Oct 2014 20:55:26 +0000 (22:55 +0200)]
apache: Disable SSLv3 by default for the IPFire webinterface
Arne Fitzenreiter [Wed, 15 Oct 2014 19:44:29 +0000 (21:44 +0200)]
openssl-compat: update to 0.9.8zc
Michael Tremer [Wed, 15 Oct 2014 17:48:16 +0000 (19:48 +0200)]
Create Core Update 85
Michael Tremer [Wed, 15 Oct 2014 17:19:15 +0000 (19:19 +0200)]
openssl: Update to version 1.0.1j
OpenSSL Security Advisory [15 Oct 2014]
=======================================
SRTP Memory Leak (CVE-2014-3513)
================================
Severity: High
A flaw in the DTLS SRTP extension parsing code allows an attacker, who
sends a carefully crafted handshake message, to cause OpenSSL to fail
to free up to 64k of memory causing a memory leak. This could be
exploited in a Denial Of Service attack. This issue affects OpenSSL
1.0.1 server implementations for both SSL/TLS and DTLS regardless of
whether SRTP is used or configured. Implementations of OpenSSL that
have been compiled with OPENSSL_NO_SRTP defined are not affected.
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
This issue was reported to OpenSSL on 26th September 2014, based on an original
issue and patch developed by the LibreSSL project. Further analysis of the issue
was performed by the OpenSSL team.
The fix was developed by the OpenSSL team.
Session Ticket Memory Leak (CVE-2014-3567)
==========================================
Severity: Medium
When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
integrity of that ticket is first verified. In the event of a session
ticket integrity check failing, OpenSSL will fail to free memory
causing a memory leak. By sending a large number of invalid session
tickets an attacker could exploit this issue in a Denial Of Service
attack.
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
This issue was reported to OpenSSL on 8th October 2014.
The fix was developed by Stephen Henson of the OpenSSL core team.
SSL 3.0 Fallback protection
===========================
Severity: Medium
OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications
to block the ability for a MITM attacker to force a protocol
downgrade.
Some client applications (such as browsers) will reconnect using a
downgraded protocol to work around interoperability bugs in older
servers. This could be exploited by an active man-in-the-middle to
downgrade connections to SSL 3.0 even if both sides of the connection
support higher protocols. SSL 3.0 contains a number of weaknesses
including POODLE (CVE-2014-3566).
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
https://www.openssl.org/~bodo/ssl-poodle.pdf
Support for TLS_FALLBACK_SCSV was developed by Adam Langley and Bodo Moeller.
Build option no-ssl3 is incomplete (CVE-2014-3568)
==================================================
Severity: Low
When OpenSSL is configured with "no-ssl3" as a build option, servers
could accept and complete a SSL 3.0 handshake, and clients could be
configured to send them.
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
This issue was reported to OpenSSL by Akamai Technologies on 14th October 2014.
The fix was developed by Akamai and the OpenSSL team.
References
==========
URL for this Security Advisory:
https://www.openssl.org/news/secadv_20141015.txt
Note: the online version of the advisory may be updated with additional
details over time.
For details of OpenSSL severity classifications please see:
https://www.openssl.org/about/secpolicy.html
Ersan Yildirim [Mon, 13 Oct 2014 08:19:45 +0000 (10:19 +0200)]
Update Turkish translation
Arne Fitzenreiter [Fri, 10 Oct 2014 16:13:13 +0000 (18:13 +0200)]
Merge branch 'next'
Arne Fitzenreiter [Fri, 10 Oct 2014 16:11:52 +0000 (18:11 +0200)]
core84: add update-lang-cache.
this file is missing on some machines.
Arne Fitzenreiter [Tue, 7 Oct 2014 16:37:01 +0000 (18:37 +0200)]
Merge remote-tracking branch 'origin/next'
Michael Tremer [Tue, 7 Oct 2014 12:54:12 +0000 (14:54 +0200)]
firewall: Use correct interface for RED
Michael Tremer [Mon, 6 Oct 2014 10:23:35 +0000 (12:23 +0200)]
bash: Update to version 4.3.30
Fixes #10633.
Arne Fitzenreiter [Sun, 5 Oct 2014 13:12:44 +0000 (15:12 +0200)]
p2pblock: fix flush rules if all p2p's are allowed.
Arne Fitzenreiter [Sat, 4 Oct 2014 12:18:16 +0000 (14:18 +0200)]
p2pblock: ipp2p must run before CONNTRACK.
And can only be used for blocking, not for accepting connections, because connections must already be established for detecting protocol types.
Arne Fitzenreiter [Sat, 4 Oct 2014 11:53:49 +0000 (13:53 +0200)]
Merge branch 'next'
Michael Tremer [Sat, 4 Oct 2014 11:52:15 +0000 (13:52 +0200)]
firewall: fix rules.pl for old rules without ratelimiting.
Michael Tremer [Thu, 2 Oct 2014 16:21:51 +0000 (18:21 +0200)]
squid: Update to 3.4.8
Contains some security fixes:
* CVE-2014-6270
http://www.squid-cache.org/Advisories/SQUID-2014_3.txt
* CVE-2014-7141
CVE-2014-7142
http://www.squid-cache.org/Advisories/SQUID-2014_4.txt
Arne Fitzenreiter [Tue, 30 Sep 2014 21:53:00 +0000 (23:53 +0200)]
Merge remote-tracking branch 'origin/next'
Arne Fitzenreiter [Tue, 30 Sep 2014 21:49:47 +0000 (23:49 +0200)]
bash: rootfile update.
Arne Fitzenreiter [Tue, 30 Sep 2014 17:30:45 +0000 (19:30 +0200)]
Merge remote-tracking branch 'origin/next'
Michael Tremer [Sat, 26 Jul 2014 19:08:12 +0000 (21:08 +0200)]
parted: Update to 3.1.
Arne Fitzenreiter [Tue, 30 Sep 2014 07:33:27 +0000 (09:33 +0200)]
set PAK_VER to core84.
Arne Fitzenreiter [Tue, 30 Sep 2014 07:32:01 +0000 (09:32 +0200)]
Merge remote-tracking branch 'origin/next'
Michael Tremer [Sat, 26 Jul 2014 20:02:03 +0000 (22:02 +0200)]
readline: Re-add accidentally deleted patches of -compat package
Michael Tremer [Mon, 29 Sep 2014 19:29:57 +0000 (21:29 +0200)]
bash: Import patch for version 4.3.27
See #10633
Michael Tremer [Mon, 29 Sep 2014 11:52:16 +0000 (13:52 +0200)]
core84: Add updated readline
Michael Tremer [Sat, 26 Jul 2014 17:56:54 +0000 (19:56 +0200)]
readline: Update to 6.3.
Michael Tremer [Fri, 26 Sep 2014 10:46:44 +0000 (12:46 +0200)]
bash: Import upstream fixes
Michael Tremer [Thu, 25 Sep 2014 17:38:23 +0000 (19:38 +0200)]
bash: Import fix for CVE-2014-7169
http://www.openwall.com/lists/oss-security/2014/09/25/10
Conflicts:
lfs/bash
Michael Tremer [Wed, 24 Sep 2014 19:02:22 +0000 (21:02 +0200)]
bash: Fix for CVE-2014-6271
A flaw was found in the way Bash evaluated certain specially crafted
environment variables. An attacker could use this flaw to override
or bypass environment restrictions to execute shell commands.
Certain services and applications allow remote unauthenticated
attackers to provide environment variables, allowing them to exploit
this issue.
Michael Tremer [Sat, 26 Jul 2014 18:00:17 +0000 (20:00 +0200)]
bash: Update to 4.3.
Conflicts:
lfs/bash
Arne Fitzenreiter [Mon, 29 Sep 2014 11:44:26 +0000 (13:44 +0200)]
fix merge problem.
Michael Tremer [Sun, 28 Sep 2014 11:32:17 +0000 (13:32 +0200)]
core84: Add changed /etc/rc.d/init.d/network
Michael Tremer [Sun, 28 Sep 2014 11:31:53 +0000 (13:31 +0200)]
Merge remote-tracking branch 'teissler/bug_10454' into next
Timo Eissler [Sat, 27 Sep 2014 21:28:04 +0000 (23:28 +0200)]
network: move start of static-routes
Fixes #10454
Create static routes after network interfaces are initialised.
Timo Eissler [Sat, 27 Sep 2014 21:16:57 +0000 (23:16 +0200)]
network: fix coding style
Michael Tremer [Sat, 27 Sep 2014 21:00:05 +0000 (23:00 +0200)]
Merge remote-tracking branch 'teissler/bug_10535' into next
Michael Tremer [Sat, 27 Sep 2014 20:59:05 +0000 (22:59 +0200)]
Fix wording. Remove "got".
Fixes #10632
Timo Eissler [Sat, 27 Sep 2014 20:24:26 +0000 (22:24 +0200)]
urlfilter.cgi: enhance file extension blocking
Fixes #10535
Add flv, mkv and mp4 as audio/video file extensions.
Add 7z as archive file extension.
Michael Tremer [Sat, 27 Sep 2014 18:43:49 +0000 (20:43 +0200)]
core84: Add changed urlfilter.cgi
Michael Tremer [Sat, 27 Sep 2014 18:43:23 +0000 (20:43 +0200)]
Merge remote-tracking branch 'teissler/Bug_10415' into next
Timo Eissler [Fri, 26 Sep 2014 20:15:13 +0000 (22:15 +0200)]
urlfilter.cgi: safe search enhancements
Fixes: #10415
Activate bing safe search.
Add nwshp to google url patterns.
Alexander Marx [Wed, 17 Sep 2014 13:52:45 +0000 (15:52 +0200)]
squid-accounting: set right permissions of html directory for graphs and logo
Michael Tremer [Fri, 26 Sep 2014 11:03:48 +0000 (13:03 +0200)]
core84: Add changed files from #10620
Michael Tremer [Fri, 26 Sep 2014 11:03:22 +0000 (13:03 +0200)]
Merge remote-tracking branch 'amarx/BUG10620' into next
Michael Tremer [Fri, 26 Sep 2014 11:02:28 +0000 (13:02 +0200)]
Merge remote-tracking branch 'amarx/BUG10615' into next
Michael Tremer [Fri, 26 Sep 2014 11:00:38 +0000 (13:00 +0200)]
core84: Add changed files from fw-checksubnet branch
Michael Tremer [Fri, 26 Sep 2014 10:59:26 +0000 (12:59 +0200)]
Merge remote-tracking branch 'amarx/fw-checksubnet' into next
Michael Tremer [Fri, 26 Sep 2014 10:58:13 +0000 (12:58 +0200)]
core84: Add changed files from the firewall-dnat branch
Michael Tremer [Fri, 26 Sep 2014 10:55:55 +0000 (12:55 +0200)]
Merge remote-tracking branch 'amarx/firewall-dnat' into next
Conflicts:
config/firewall/rules.pl
Michael Tremer [Fri, 26 Sep 2014 10:42:27 +0000 (12:42 +0200)]
bash: Import upstream patches for CVE-2014-6271 and CVE-2014-7169
Michael Tremer [Fri, 26 Sep 2014 10:25:48 +0000 (12:25 +0200)]
core84: Add dnsmasq update
Michael Tremer [Fri, 26 Sep 2014 10:24:16 +0000 (12:24 +0200)]
Create core update 84
Michael Tremer [Fri, 26 Sep 2014 10:21:18 +0000 (12:21 +0200)]
Merge branch 'master' into next
Michael Tremer [Thu, 25 Sep 2014 19:16:01 +0000 (21:16 +0200)]
dnsmasq: Update to 2.72
Arne Fitzenreiter [Thu, 25 Sep 2014 18:37:55 +0000 (20:37 +0200)]
core83: set version to core83.
Arne Fitzenreiter [Thu, 25 Sep 2014 18:36:06 +0000 (20:36 +0200)]
core83: reload init at update because glibc changes.
Michael Tremer [Thu, 25 Sep 2014 17:38:23 +0000 (19:38 +0200)]
bash: Import fix for CVE-2014-7169
http://www.openwall.com/lists/oss-security/2014/09/25/10
Michael Tremer [Wed, 24 Sep 2014 18:39:43 +0000 (20:39 +0200)]
Merge branch 'master' into next
Michael Tremer [Wed, 24 Sep 2014 18:38:59 +0000 (20:38 +0200)]
core83: add changed files
Michael Tremer [Wed, 24 Sep 2014 18:31:55 +0000 (20:31 +0200)]
Create core update 83
Michael Tremer [Wed, 24 Sep 2014 16:48:35 +0000 (18:48 +0200)]
bash: Fix for CVE-2014-6271
A flaw was found in the way Bash evaluated certain specially crafted
environment variables. An attacker could use this flaw to override
or bypass environment restrictions to execute shell commands.
Certain services and applications allow remote unauthenticated
attackers to provide environment variables, allowing them to exploit
this issue.
Stefan Schantl [Sat, 20 Sep 2014 09:49:39 +0000 (11:49 +0200)]
urlfilter.cgi: Fix path to squidGuard binary when converting custom blacklists.
Fixes #10626.
Alexander Marx [Fri, 5 Sep 2014 06:12:44 +0000 (08:12 +0200)]
fw-groups: fix language strings
Stefan Schantl [Tue, 16 Sep 2014 18:37:16 +0000 (20:37 +0200)]
logs.cgi/ids.dat: Change url for snort sid details.
Fixes #10578.
Alexander Marx [Thu, 11 Sep 2014 15:13:07 +0000 (17:13 +0200)]
BUG10620: reload firewall.local in rules.pl, no longer in initscript
Alexander Marx [Thu, 11 Sep 2014 13:10:48 +0000 (15:10 +0200)]
BUG10615: fix wrong values in firewall.cgi
Alexander Marx [Thu, 11 Sep 2014 12:01:28 +0000 (14:01 +0200)]
BUG10615 part3: adapt rules.pl to use connectionlimit and ratelimit
Alexander Marx [Thu, 11 Sep 2014 11:59:54 +0000 (13:59 +0200)]
BUG10615 part2: Add ratelimit to firewallgui
Alexander Marx [Thu, 11 Sep 2014 08:59:25 +0000 (10:59 +0200)]
BUG10615 part1: Add connectionlimit to firewallgui
Arne Fitzenreiter [Tue, 9 Sep 2014 17:20:54 +0000 (19:20 +0200)]
openssl-compat: update to 0.9.8zb.
Arne Fitzenreiter [Tue, 9 Sep 2014 15:57:27 +0000 (17:57 +0200)]
Merge remote-tracking branch 'origin/master' into core82
Arne Fitzenreiter [Tue, 9 Sep 2014 15:54:27 +0000 (17:54 +0200)]
xen-image: add xz-aware xen version hint to README.
Michael Tremer [Sat, 6 Sep 2014 16:44:50 +0000 (18:44 +0200)]
general-functions.pl: Fix perl coding error
Michael Tremer [Thu, 4 Sep 2014 09:13:41 +0000 (11:13 +0200)]
general-functions.pl: Fix syntax error
Michael Tremer [Wed, 3 Sep 2014 20:23:04 +0000 (22:23 +0200)]
general-functions.pl: Subroutine getnetworkip() accepted multiple arguments
Michael Tremer [Sat, 6 Sep 2014 16:44:50 +0000 (18:44 +0200)]
general-functions.pl: Fix perl coding error
Arne Fitzenreiter [Fri, 5 Sep 2014 19:56:01 +0000 (21:56 +0200)]
rsync: update to 3.1.1.
Alexander Marx [Fri, 5 Sep 2014 06:09:54 +0000 (08:09 +0200)]
fw-groups: cleanup checksubnets
Now the checksubnets function from general-functions.pl is used.
Michael Tremer [Thu, 4 Sep 2014 09:13:41 +0000 (11:13 +0200)]
general-functions.pl: Fix syntax error
Michael Tremer [Wed, 3 Sep 2014 20:23:04 +0000 (22:23 +0200)]
general-functions.pl: Subroutine getnetworkip() accepted multiple arguments
Michael Tremer [Wed, 3 Sep 2014 19:49:01 +0000 (21:49 +0200)]
glibc: Import several fixes from RHEL.
Fixes #10611, CVE-2014-5119 among other bug fixes.
Alexander Marx [Mon, 1 Sep 2014 09:11:25 +0000 (11:11 +0200)]
Squid-accounting: revert setlocale because the values are not correct with this setting
Michael Tremer [Thu, 28 Aug 2014 15:01:44 +0000 (17:01 +0200)]
proxy.cgi: Move ACL definitions up
ACL definitions could not be used in some other directives
unless they are defined earlier.
Michael Tremer [Thu, 28 Aug 2014 14:09:31 +0000 (16:09 +0200)]
squid: Update to 3.4.7
Solves a DoS issue "Ignore Range headers with unidentifiable byte-range values"
filed under security advisory SQUID-2014:2 and CVE-2014-3609.
Michael Tremer [Sun, 24 Aug 2014 13:22:04 +0000 (15:22 +0200)]
findutils: Cannot use exec here or the lockfile won't be removed
Michael Tremer [Sun, 24 Aug 2014 13:14:25 +0000 (15:14 +0200)]
minidlna: Update to 1.1.3
Fixes #10573
Michael Tremer [Sun, 24 Aug 2014 12:46:06 +0000 (14:46 +0200)]
findutils: Run updatedb once a week
As suggested in bug #10303
Arne Fitzenreiter [Sat, 23 Aug 2014 15:06:40 +0000 (17:06 +0200)]
Merge branch 'core82' of ssh://git.ipfire.org/pub/git/ipfire-2.x into core82
Arne Fitzenreiter [Sat, 23 Aug 2014 07:36:01 +0000 (09:36 +0200)]
perl-PDF-API2: rootfile fix for arm.
Arne Fitzenreiter [Fri, 22 Aug 2014 15:03:19 +0000 (17:03 +0200)]
samba: bump PAK_VER.
Arne Fitzenreiter [Fri, 22 Aug 2014 10:05:39 +0000 (12:05 +0200)]
sane: depends on cups libs.
Arne Fitzenreiter [Fri, 22 Aug 2014 07:27:18 +0000 (09:27 +0200)]
core82: add iputils to update.
Arne Fitzenreiter [Fri, 22 Aug 2014 07:17:27 +0000 (09:17 +0200)]
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
Conflicts:
lfs/iputils
Arne Fitzenreiter [Thu, 21 Aug 2014 21:38:30 +0000 (23:38 +0200)]
core82: finish update
Michael Tremer [Thu, 21 Aug 2014 14:12:43 +0000 (16:12 +0200)]
firewall: Fix initialization when RED has not been brought up yet
Michael Tremer [Thu, 21 Aug 2014 08:47:11 +0000 (10:47 +0200)]
Rootfile update
Michael Tremer [Thu, 21 Aug 2014 08:46:34 +0000 (10:46 +0200)]
initscripts: Remove old firewall-reload symlink