Adolf Belka [Wed, 16 Dec 2020 12:33:22 +0000 (13:33 +0100)]
Fix for bug 10743
This adds in the option to have "deny known clients" in dhcpd.conf
This is applied to the range command so applies to the dynamic addresses
given.
If you have just a range statement say in blue then if you are not using
vlans you could have the situation where a known host in green might end
up getting a lease from the blue range. Here a deny known-clients makes
sense. Your range in this case would be limited to only unknown clients if
deny known-clients was selected.
dhcp WUI has been modified to add in this command. Error message has been
added to check that a range has been specified if the deny unknown clients
checkbox has been selected.
Language files updated with additional items (English, German & Dutch).
For more information on the history of this please see the bugzilla entry Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 21 Dec 2020 11:23:57 +0000 (12:23 +0100)]
dehydrated: Update to 0.7.0
- Update dehydrated from 0.6.5 to 0.7.0
- No changes to the rootfiles
- This update patch also addresses bug #12425
The changes from the interim patch mentioned in bug #12425 are included into this update
- Changes for all releases can be found at https://github.com/dehydrated-io/dehydrated/releases
- Changes for this version update
Added
Support for external account bindings
Special support for ZeroSSL
Support presets for some CAs instead of requiring URLs
Allow requesting preferred chain (--preferred-chain)
Added method to show CAs current terms of service (--display-terms)
Allow setting path to domains.txt using cli arguments (--domains-txt)
Added new cli command --cleanupdelete which deletes old files instead of archiving them
Fixed
No more silent failures on broken hook-scripts
Better error-handling with KEEP_GOING enabled
Check actual order status instead of assuming it's valid
Don't include keyAuthorization in challenge validation (RFC compliance)
Changed
Using EC secp384r1 as default certificate type
Use JSON.sh to parse JSON
Use account URL instead of account ID (RFC compliance)
Dehydrated now has a new home: https://github.com/dehydrated-io/dehydrated
Added OCSP_FETCH and OCSP_DAYS to per-certificate configurable options
Cleanup now also removes dangling symlinks
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 18 Dec 2020 21:07:16 +0000 (22:07 +0100)]
hplip: Update to 3.20.11
- Update from 3.18.6 to 3.20.11 (16 updates)
- See Release notes for bug fixes and support for additional printers
https://sourceforge.net/p/hplip/news/
- Update of rootfile :-)
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 17 Dec 2020 20:01:59 +0000 (21:01 +0100)]
bird: Update to 2.0.7
Update bird from 2.0.6 to 2.0.7
Changes from changelog
- BGP: Fix reconfiguration with import table
*Change of some options requires route refresh, but when import table is
active, channel reload is done from it instead of doing full route
refresh. So in this case we request it internally.
- Doc: Minor documentation fixes
- Nest: Handle non-MPLS on MPLS case in recursive route update
*When non-MPLS recursive route resolves to MPLS underlying route,
then it should get MPLS labels from the the underlying route.
- Nest: Handle PtP links in recursive route update
*Underlying (IGP) route may lead to PtP link, in this case it does not
need gateway. Which is different than direct route without gateway.
*When recursive (BGP) route uses PtP route, it should not use recursive
next hop as immediate next hop, while for direct routes it should.
- Nest: Fix recursive route update
*Missing cleanup can lead to dangling pointer to old next hops.
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 17 Dec 2020 16:13:28 +0000 (17:13 +0100)]
htop: Update to 3.0.3
Update htop from 3.0.2 to 3.0.3
See the Change Log for details of changes
https://github[.]com/htop-dev/htop/blob/master/ChangeLog Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 16 Dec 2020 18:28:05 +0000 (19:28 +0100)]
sqlite: Update to 3.34.0
-Update sqlite from 3.26.0 to 3.34.0
See https://sqlite[.]org/chronology[.]html for history between
these releases.
-Have reviewed all release notes between these two releases and there
are no deprecations.
-No change to rootfile. Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
ummeegge [Sun, 6 Dec 2020 10:08:59 +0000 (10:08 +0000)]
Pam: Update to version 1.5.1
Several fixes and improvements since the current available 1.3.1 version are included.
CVE-2020-27780 has also been fixed.
For a full release overview --> https://github.com/linux-pam/linux-pam/releases .
Signed-off-by: ummeegge <erik.kapfer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 7 Dec 2020 14:01:36 +0000 (15:01 +0100)]
Fix for bug 12539
The installer recognises cups and cups-filters both as cups and puts
two instances of cups in the add-on services table.
Based on input from Michael Tremer this patch replaces the command
returning the second element between hyphens with one that takes
what comes after "meta-" using Perl code rather than a shell command.
The second find command was changed as per Michael's suggestion.
Tested in my ipfire test bed system and only results in one cups
entry. Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
ummeegge [Sun, 6 Dec 2020 15:03:45 +0000 (15:03 +0000)]
tshark: Update to version 3.4.0
- Since tshark uses since 3.4.0 an always enabled asynchronous DNS
resolution, c-ares is a needed dependency.
- Since the current actual version 3.2.6 a lot of bug fixes, fixed
vulnerabilities, updated features, new protocols but also updated
protocols has been integrated.
A full overview of all changes can be found in here -->
Update to version 3.2.7:
https://www.wireshark.org/docs/relnotes/wireshark-3.2.7.html
Update to version 3.2.8:
https://www.wireshark.org/docs/relnotes/wireshark-3.2.8.html
Update to version 3.4.0
https://www.wireshark.org/docs/relnotes/wireshark-3.4.0.html
Signed-off-by: ummeegge <erik.kapfer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
ummeegge [Sun, 6 Dec 2020 15:03:44 +0000 (15:03 +0000)]
c-ares: New package. Needed as tshark Dependency
- Since tshark uses with version 3.4.0 an always enabled asynchronous DNS
resolution c-ares is a needed dependency.
- Since curl can also use c-ares --> https://c-ares.haxx.se/ it has been
placed in make.sh before curl even no compiletime options has been set
to enable this. c-ares has also been placed in packages and not in common
which would be needed if it should be used for curl too.
Signed-off-by: ummeegge <erik.kapfer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 5 Dec 2020 14:51:11 +0000 (15:51 +0100)]
bacula: Update to use IPFire initscript
Bacula install used the bacula initscript for starting and stopping bacula.
This works fine but results in no pid or memory input in the addons table
under services.
Using the IPFire initscript also successfully starts and stops bacula with
no problems but also provides the pid and memory information in the services
addons table.
- rootfiles adjusted to remove the reference to bacula-ctl-fd
- lfs/bacula adjusted to remove the init.d/bacula link generation
remove the "rm -f /root/.rnd" command. This file is not present
and I have not seen this command in any other lfs file that I
have looked at.
- new bacula initscript created
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The X.509 GeneralName type is a generic type for representing different types
of names. One of those name types is known as EDIPartyName. OpenSSL provides a
function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME
to see if they are equal or not. This function behaves incorrectly when both
GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash
may occur leading to a possible denial of service attack.
OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes:
1) Comparing CRL distribution point names between an available CRL and a CRL
distribution point embedded in an X509 certificate
2) When verifying that a timestamp response token signer matches the timestamp
authority name (exposed via the API functions TS_RESP_verify_response and
TS_RESP_verify_token)
If an attacker can control both items being compared then that attacker could
trigger a crash. For example if the attacker can trick a client or server into
checking a malicious certificate against a malicious CRL then this may occur.
Note that some applications automatically download CRLs based on a URL embedded
in a certificate. This checking happens prior to the signatures on the
certificate and CRL being verified. OpenSSL's s_server, s_client and verify
tools have support for the "-crl_download" option which implements automatic
CRL downloading and this attack has been demonstrated to work against those
tools.
Note that an unrelated bug means that affected versions of OpenSSL cannot parse
or construct correct encodings of EDIPARTYNAME. However it is possible to
construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence
trigger this attack.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Wed, 2 Dec 2020 14:04:08 +0000 (15:04 +0100)]
location-functions.pl: Remove accidently keept 2nd DB init call.
The get_full_country_name() function had an accidenlty and not longer
required call of the DB init function.
This is a waste of memory and a known problem, especially on systems
with less than 1GB of RAM, where the application which uses libloc in
such a redundant way crashes.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Wed, 25 Nov 2020 22:26:03 +0000 (22:26 +0000)]
OpenVPN: Update to version 2.5.0
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org> Tested-by: Adolf Belka <ahb.ipfire@gmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This improves the usability of the zone configuration by marking assigned
NICs in the zone color. The highlighting is initially applied to the static
HTML output, and JavaScript is used to follow changes made by the user.
Signed-off-by: Leo-Andres Hofmann <hofmann@leo-andres.de> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
zoneconf.cgi: Make output HTML 5 standard compliant
This fixes two minor violations of the HTML standard:
- <a> elements may not contain nested <button> elements:
Replace the button with a simple hyperlink, because it was only used as a link anyway.
- "id" attributes may not contain whitespace:
Remove unneeded attribute, use hyphens instead of spaces.
Signed-off-by: Leo-Andres Hofmann <hofmann@leo-andres.de> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 20 Oct 2020 13:28:25 +0000 (13:28 +0000)]
openvpn: Actually apply configured parameters
OpenVPN is an absolute mess. The behaviour of configuration
parameters has been changed over the time; default values have been
changed over time; and it looks like nobody is actually testing
anything any more.
I have been spending hours today on figuring out why OpenVPN
is so damn slow. On a Lightning Wire Labs IPFire Mini Appliance
it achieves about 100 MBit/s in the default configuration when
"openssl speed -evp aes-256-gcm" achieves over 3.5 GBit/s.
Changing any of the cryptography parameters does not change
anything. Throughput remains around 100 MBit/s.
I finally set "cipher none" and "auth none" which disables
encryption and authentication altogether but does not increase
throughput. From here on it was absolutely clear that it was
not a crypto issue.
OpenVPN tries to be smart here and does its own fragmentation.
This is the worst idea I have heard of all day, because that job
is normally done best by the OS.
Various settings which allow the user to "tune" this are grossly
ineffective - let alone it isn't even clear what I am supposed
to configure anywhere. Setting "fragment 1500" weirdly still
does not convince openvpn to generate a packet that is longer
than 1400 bytes. Who'd a thunk?
There is a number of other parameters to set the MTU or which
are related to it (tun-mtu, link-mtu, fragment, mssfix).
On top of all of this we have two "bugs" in ovpnmain.cgi which
are being fixed in this patch:
1) mssfix can be configured by the user. However, we always
enable it in openvpn. The default is on, we only add "mssfix"
which simply turns it on.
It is now being disabled when the user has chosen so in the
web UI. I do not know if this is backwards-compatible.
2) We cap the MTU (tun-mtu) at 1500 bytes when fragment is being
used. So it becomes pointless that the user can this and the
user is not being made aware of this when they hit the save
button.
This was added when we added path MTU discovery. Since that
did not work and was removed, we can remove this now, too.
I archived a solid 500-600 MBit/s of goodput with these settings:
* Disable mssfix
* Set "fragment" to 0
* Set MTU to 9000
I am sure the MTU could be further increased to have bigger packets,
but I did not test how badly this will affect latency of the tunnel.
OpenVPN seems to only be able to handle a certain amount of packets
a second - no matter what. With larger packets, the throughput of
the tunnel increases, but latency might as well.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Cc: Erik Kapfer <erik.kapfer@ipfire.org> Cc: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Wed, 4 Nov 2020 21:28:50 +0000 (22:28 +0100)]
Tor: allow enforcing distinct Guard relays or countries
In order to make deanonymisation harder, especially high-risk Tor users
might want to use certain Guard relays only (for example operated by
people they trust), enforce Tor to use Guard relays in certain countries
only (for example countries with very strict data protection laws or
poor diplomatic relations), or avoid Guard relays in certain countries
entirely.
Since Tor sticks to sampled Guards for a long time (usually within the
range of months), restricting those is believed to cause less harm to a
users' anonymity than restricting Exit relays, since their diversity of
a generic Tor user is significantly higher.
This patch extends the Tor CGI for restricting Guard nodes to certain
countries or relays matching certain fingerprints.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Wed, 4 Nov 2020 21:28:22 +0000 (22:28 +0100)]
Tor: allow multiple countries to be selected for Exit relays
This extends the functionality of the Tor CGI in order to be able to
select multiple countries for possible Exit relays, which is - in terms
of anonymity - less worse than limiting all Tor circuits to a single
country.
For example, a user might want to avoid Exit relays in more than one
country, and permit Tor to use Exit relays elesewhere, and vice versa.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 23 Nov 2020 12:08:48 +0000 (13:08 +0100)]
apcupsd: addition of backup/includes definition
Added a backup/includes file for apcupsd to backup the
/etc/apcupsd/ directory where all the configuration files
are stored. Currently there is no backup available to
save the state of any changes carried out to the configuration
or action files. Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Core 152: the script "network-hotplug-bridges" now reads the variable ${ZONE}_STP from /var/ipfire/ethernet/settings so that STP can be turned on and off for each bridge
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>