For details see (2.49):
https://dlcdn.apache.org//httpd/CHANGES_2.4.49
For 2.51:
https://dlcdn.apache.org//httpd/CHANGES_2.4.51
"SECURITY: CVE-2021-42013: Path Traversal and Remote Code
Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete
fix of CVE-2021-41773) (cve.mitre.org)
It was found that the fix for CVE-2021-41773 in Apache HTTP
Server 2.4.50 was insufficient..."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 4 Oct 2021 17:52:21 +0000 (18:52 +0100)]
QoS: Make outgoing packet processing use CONNMARK
This will significantly reduce the load when classifying outgoing
traffic as there won't be any overhead as soon as the connection has
been classified. The classficiation is being stored in the iptables MARK
which will be copied to CONNMARK if changed.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 4 Oct 2021 17:52:20 +0000 (18:52 +0100)]
QoS: Drop support for hardcoded ACK rules
This feature has to go in order to take advantage of CONNMARK which will
drastically decrease CPU load when passing packets.
We no longer will see every packet in the QOS-INC chain in order to
change classification of that packet. It is also party counter-intuitive
to have parts of one connection in one class and the corresponding ACK
packets in another.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 4 Oct 2021 17:52:18 +0000 (18:52 +0100)]
QoS: Use the two right hand bytes to mark packets
In order to not deal with any marks from NAT and the IPS, this patch
adds masks to all places where packets are being marked for individual
QoS classes.
Instead of being able to use the "fw" match in tc, we have to use the
u32 to apply the mask.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 4 Oct 2021 17:52:17 +0000 (18:52 +0100)]
firewall: Only check relevant bits for NAT fix rules
In order to use the highest two bits for surciata bypass, we will need
to make sure that whenever we compare any other marks, we do not care
about anything else.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Fri, 24 Sep 2021 09:14:50 +0000 (10:14 +0100)]
media.cgi: Fix parsing output of iostat
Since the last update of sysstat, the output of iostat has changed and
the web user interface showed wrong values.
This is now being fixed in this patch.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Fri, 17 Sep 2021 11:42:29 +0000 (11:42 +0000)]
kernel: Enable all cgroups on all architectures
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Fri, 17 Sep 2021 11:42:28 +0000 (11:42 +0000)]
kernel: Zero-init all stack variables by default
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Fri, 17 Sep 2021 11:42:27 +0000 (11:42 +0000)]
kernel: Enable support for TPM hardware
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Fri, 17 Sep 2021 11:42:26 +0000 (11:42 +0000)]
kernel: Enable ExFAT on all architectures
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Fri, 17 Sep 2021 11:42:25 +0000 (11:42 +0000)]
kernel: Enable frontswap
"Frontswap provides a “transcendent memory” interface for swap pages. In
some environments, dramatic performance savings may be obtained because
swapped pages are saved in RAM (or a RAM-like device) instead of a swap
disk."
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Fri, 17 Sep 2021 11:42:24 +0000 (11:42 +0000)]
kernel: Disable network security hooks
This is a feature we do not use and it should therefore be disabled
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Fri, 17 Sep 2021 11:42:23 +0000 (11:42 +0000)]
kernel: Disable OpenvSwitch
We do not use this and so we should not build it to save space.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Fri, 17 Sep 2021 11:42:22 +0000 (11:42 +0000)]
kernel: Disable any runtime testing
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Fri, 17 Sep 2021 11:42:21 +0000 (11:42 +0000)]
kernel: Disable SLUB debugging
This is not necessary on our systems and according to the documentation
will reduce code size of the allocator which will result in better
performance.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Fri, 17 Sep 2021 11:42:20 +0000 (11:42 +0000)]
kernel: Enable Pressure Stall Information
This is a new type of metric to find out what resource is currently a
bottleneck for the whole system. We might use this for graphs.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Fri, 17 Sep 2021 11:42:19 +0000 (11:42 +0000)]
kernel: Disable IRQ time accounting
This feature is now disabled (was disabled on ARM before) as we do not
need it:
"Select this option to enable fine granularity task irq time accounting.
This is done by reading a timestamp on each transitions between softirq
and hardirq state, so there can be a small performance impact."
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Fri, 17 Sep 2021 11:42:18 +0000 (11:42 +0000)]
kernel: Disable suspending systems to RAM
We do not make any use of this functionality
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Fri, 17 Sep 2021 11:42:17 +0000 (11:42 +0000)]
kernel: Change timer tick to 1000Hz
This change is required to make the system respond faster to any
realtime events (sending or receiving data packets).
It will wake up at least one core 1000 times a second which will result
in finer timer granularity and make scheduling smoother. HTB for
example sends large packet bursts on each timer even to keep up data
rates which is not helpful for most applications.
The change might increase resource consumption and overhead slightly on
some systems, but since we are running in an idle-dyntick configuration,
we should not keep awake any cores that have not been awake before.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 13 Sep 2021 11:22:06 +0000 (13:22 +0200)]
libyang: New dependency for frr build
- Impementation of libyang-2.0.7 as a dependency for the build of frr
- Creation of rootfile with all entries commented out so that it is only used for the build
libyang is a YANG data modelling language parser and toolkit written (and providing API)
in C.In the future if there is demand to use these functions in frr then this package
may need to be moved from a build only option to a dependency for frr providing the
yang libraries.
- Added into make.sh just before frr
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 13 Sep 2021 11:22:05 +0000 (13:22 +0200)]
frr: Update to version 8.0.1
- This v2 version used the frr-8.0.1 source instead of the frr-frr-8.0 source
- Update from 6.0 to 8.0.1
- 8.0.1 requires libyang for the build. Introduced with separate patch in this series.
- 6.0 is only compilable with python2.
python3 compatability was introduced in version 7.4
- Previously confirmed that building frr-8.0 was successful with only python3 available
- Added --disable-static to the ./configure options.
- Rootfile updated
- Changelog from 6.0 to 8.0.1 is too large to include here. It can be viewed to obtain
more details at https://github.com/FRRouting/frr/releases
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Fri, 20 Aug 2021 20:06:13 +0000 (22:06 +0200)]
freeradius: Update to 3.0.23 and disable python to allow running without python2
- Added --without-rlm_python to ./configure to allow running without python2
- Updated rootfile
- Updated patch for preventing cert generation during buildtime to work with new
version of source code
- Update from 3.0.21 to 3.0.23
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 9 Aug 2021 20:32:53 +0000 (22:32 +0200)]
updatexlrator.cgi: Fix Bug 10477 - Update Accelerator disk usage statistics are very cramped in 2.15 beta1
- This bug has been open for a long time and is still valid. The Cache statistics on
the Update accelerator configuration page are jammed closely together making it
not so easy to see what the numbers are.
- Implemented similar approach as used on the Memory table section of the Memory
information page.
- Installed on vm testbed machine and confirmed to provide the desired layout.
Tested-by Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org> Tested-by: Bernhard Bitsch <bbitsch@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sun, 8 Aug 2021 20:57:48 +0000 (22:57 +0200)]
Update language files: fix for Bug 12671 - remove evil spirits - demon vs daemon
- demon used in place of daemon in the language files
- This patch corrects that and fixes bug #12671
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Support for the graphs of "services.cgi" is implemented,
but it was forgotten to add this to the list of origins.
This patch fixes the list and prevents possibly missing graphs.
Signed-off-by: Leo-Andres Hofmann <hofmann@leo-andres.de> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This parameter can either be "host" or "net", but the existing check
only allows "net" entries. Since other entries are also valid but
don't require further action, this patch removes the error message.
Fixes: #12686 Signed-off-by: Leo-Andres Hofmann <hofmann@leo-andres.de> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 2 Sep 2021 14:10:59 +0000 (16:10 +0200)]
spice-protocol: Update to 0.14.3 and enable build without python2
- v2 version adds $(MAKETUNING) variable to ninja build command
- Update from 0.12.13 to 0.14.3
- Update rootfile
- Remove automake py-compile line from lfs. This only works with python2
Not clear why this line was put into the lfs. Searched the documentation of spice
and qemu and could not find any reference to needing any of the python modules in spice
to be installed either as modules or compiled in. The only references found in general
searches were to modules such as python-virtinst, python-spice-client-gtk or
python-websockify, none of which are in the python modules in spice.
- Removing the automake py-compile line from the lfs enables spice-protocol, spice and
qemu to build without python2 being present.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 2 Sep 2021 14:10:58 +0000 (16:10 +0200)]
spice: Update version to 0.15.0
- v2 version of series to add $(MAKETUNING) variable to ninja in spice-protocol
- Update from 0.14.0 to 0.15.0
- Update rootfile
- Version 0.15.0 of spice requires version 0.14.3 or higher of spice-protocol
- Changelog
Major Changes in 0.15:
This is the first release in the new 0.15.x stable series. This release should
be ready for production use.
* Minor updates to CI
* Some compatibility with OpenSSL
* Change the behavior of handle_dev_start ignoring multiple start requests
* Ignore multiple calls to handle_dev_stop
* Pick up newer spice-common to fix a buffer overflow issue
Major Changes in 0.14.91:
**IMPORTANT**
0.14.91 is the first release candidate for the stable 0.15.x series. While some
bugs might still be present, it should be reasonably stable. If you are looking
for stability for daily use, please keep using the latest 0.14.x release.
* Support UNIX abstract sockets
* Fix some potential thread race condition in RedClient
* Many cleanups in the code
* Improve migration test script
* Update in protocol documentation
* Improve Meson build
* Removed CELT support
* Update CI
* Removed QXLWorker definition, it was deprecated 6 years ago
* Fix some compatibility with MacOS
* Fix some compatibility with Windows
* Move the project to C++
* Some fixes for SASL dealing with WebDAV
* Fix minor Coverity reports
* Add Doxygen support, manually built with "make doxy"
* Support more mouse buttons (up to 16 buttons)
* CVE-2020-14355 multiple buffer overflow vulnerabilities in QUIC decoding
code
Major Changes in 0.14.3:
Main changes are WebSocket and support for Windows.
* Add support for WebSocket, this will allow to use spice-html5 without proxy
* Support Windows, now Qemu Windows can be build enabling Spice
* Fix some alignment problem
* Converted some documentation to Asciidoc format to make easier to update,
updated some
* Minor compatibility fix for PPC64EL and ARMHF
* Minor fixes for big endian machines like MIPS
* Avoid some crashes with some buggy guest drivers, simply ignore the invalid
request
* Fix for old OpenSSL versions
* Minor fix for Windows clients and brushes, fixed an issue with Photoshop
under Windows 7
* Add ability to query video-codecs
* Small use-after-free fix
* Fix for debugging recording/replaying using QUIC images
* Fix a regression where spice reported no monitors to the client
* Fix DoS in spicevmc if WebDAV used
* Updated and improved test migration script
* Some minor fixes to smartcard support
* Avoid possible disconnection using proxies using a in-flow keepalive
mechanism
Major Changes in 0.14.2:
Main changes are support for Meson build and graphic device info
messages allowing to better support multi-monitor configurations.
* CVE-2019-3813: fix off-by-one error in group/slot boundary check
* support H265 in stream-channel
* add support for building with meson/ninja
* minor tests fixes improving CI
* set char device state for smartcard, allowing Qemu optimization
* improve red-parse-qxl.c interface making it more consistent
* add some instrumentation for streaming device
* QXL interface: add a function to identify monitors in the guest
(spice_qxl_set_device_info)
* add support for GraphicsDeviceInfo messages
* video-stream: prevent crash on stream reattach
* make channel client callbacks virtual functions
* bumped minimum required glib version to 2.38
* attempt to have a reliable led state for keyboard modifiers
Major Changes in 0.14.1:
The main change in this release is the addition of a new protocol extension
in order to support streaming the remote display as a video stream rather than
going through the QXL protocol. Together with spice-streaming-agent, and/or with
more work on the qemu/spice-server side, this should allow streaming of 3D
accelerated VMs in the future. At this point, this part of spice-server is
still a work in progress (multi-monitor support and various features are
missing).
* add new org.spice-space.stream.0 channel used for passing an encoded video
stream from the guest to the client
* add support for TCP_CORK to reduce the amount of packets that we send
* fix CVE-2018-10873
* fix cursor related migration crash
* fix regression causing sound recording to be muted after
client disconnection/reconnection (introduced in 0.13.90)
* fix regression in corner cases where images could be sent uncompressed
when they used to be compressed with QUIC
* disable TLS 1.0 support
* CELT 0.5.1 support is now disabled by default. If celt051-devel is installed
at build-time, --enable-celt051/--disable-celt051 must be explicitly specified
* drop support for unsupported OpenSSL version. OpenSSL 1.0.0 or newer is now
required
* bumped minimum required glib version to 2.32
* endianness fixes
* (small) leak fixes
* usual round of code cleanups
* not directly related to this release, but the upstream git repository is now
hosted on gitlab.freedesktop.org
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Fri, 20 Aug 2021 20:04:28 +0000 (22:04 +0200)]
libtasn1: New program required as build dependency for p11-kit
- creation of lfs and rootfile for libtasn1
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Fri, 20 Aug 2021 20:04:27 +0000 (22:04 +0200)]
p11-kit: New program required for python3 compatibility of ca-certificates
- creation of lfs and rootfile for implementation of p11-kit
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Fri, 20 Aug 2021 20:04:26 +0000 (22:04 +0200)]
make.sh: Added p11-kit and libtasn1 for python3 based ca-certificates approach
- p11-kit required for certs extraction in building of python3 compatible ca-certificates
- p11-kit requires libtasn1 as a build dependency
- p11-kit and libtasn1 added to make.sh
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Fri, 20 Aug 2021 20:04:25 +0000 (22:04 +0200)]
ca-certificates: Update to work with python3 version of certdata2pem.py
- Implement python3 version of certdata2pem.py script from fedora
- Modify build.sh to work with python3 script that uses p11-kit based on fedora
approach - https://src.fedoraproject.org/rpms/ca-certificates/tree/rawhide
- Extraction of cert files now uses p11-kit which requires libtasn1 as a build
dependency
- Updated rootfile
- Updated ca-certificates installed into a vm and confirmed to download a file from an
https site with the same results as with existing ca-certfictaes system
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sun, 5 Sep 2021 11:30:47 +0000 (13:30 +0200)]
openssh: Update version to 8.7p1
- Update from 8.6p1 to 8.7p1
- Update of rootfile not required
- Changelog is too long to include here. Full details can be found in the ChangeLog file
in the source tarball or at
https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ChangeLog
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sun, 5 Sep 2021 11:30:32 +0000 (13:30 +0200)]
libssh: Update to version 0.9.6
- Update from 0.9.3 to 0.9.6
0.9.4 and 0.9.6 are security releases
- Update rootfile
- Changelog
libssh 0.9.6 security release
This is a security release of libssh to address CVE-2021-3634 (moderate impact), a
possible heap-buffer overflow when rekeying. A workaround exists. More details can be
found in the advisory.
In addition the 0.9.6 version addresses some memory leaks in error path, an AEAD
handshake and some more.
CVE-2021-3634: Fix possible heap-buffer overflow when rekeying with different key exchange mechanism
Fix several memory leaks on error paths
Reset pending_call_state on disconnect
Fix handshake bug with AEAD ciphers and no HMAC overlap
Use OPENSSL_CRYPTO_LIBRARIES in CMake
Ignore request success and failure message if they are not expected
Support more identity files in configuration
Avoid setting compiler flags directly in CMake
Support build directories with special characters
Include stdlib.h to avoid crash in Windows
Fix sftp_new_channel constructs an invalid object
Fix Ninja multiple rules error
Several tests fixes
libssh 0.9.5
The libssh team is happy to announce another bugfix release of libssh as version
0.9.5. It offers bug fixes for several issues found by our users.
This includes a fix for CVE-2020-16135, however we do not see how this would be
exploitable at all. If you find a security bug in libssh please don’t just assign a
CVE, talk to us first.
CVE-2020-16135: Avoid null pointer dereference in sftpserver (T232)
Improve handling of library initialization (T222)
Fix parsing of subsecond times in SFTP (T219)
Make the documentation reproducible
Remove deprecated API usage in OpenSSL
Fix regression of ssh_channel_poll_timeout() returning SSH_AGAIN
Define version in one place (T226)
Prevent invalid free when using different C runtimes than OpenSSL (T229)
Compatibility improvements to testsuite
libssh 0.9.4 security release
This is a security release of libssh to address CVE-2020-1730 (moderate impact), a
possible Denial of Service (DoS) in client and server when handling AES-CTR keys with
OpenSSL. A workaround exists. More details can be found in the advisory.
In addition the this version addresses several memory leaks and adds support for
diffie-hellman-group14-sha256 key exchange.
Fixed CVE-2020-1730 (Possible DoS in client and server when handling AES-CTR keys with OpenSSL)
Added diffie-hellman-group14-sha256
Fixed several possible memory leaks
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Tue, 24 Aug 2021 15:50:48 +0000 (15:50 +0000)]
vpnmain.cgi: Do not interpret $? as error code of move()
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Tested-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Tue, 24 Aug 2021 15:50:47 +0000 (15:50 +0000)]
IPsec: Do not interpret $? as error code of move()
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Tested-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Tue, 24 Aug 2021 15:50:46 +0000 (15:50 +0000)]
IPsec: Fix extra whitespace in exported certificates
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Tested-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 24 Aug 2021 21:29:04 +0000 (23:29 +0200)]
strongswan: Update to version 5.9.3
- Update from 5.9.2 to 5.9.3
- Update of rootfile not required
- Changelog
strongswan-5.9.3
- Added AES_ECB, SHA-3 and SHAKE-256 support to wolfssl plugin.
- Added AES_CCM and SHA-3 signature support to openssl plugin.
- The x509 and openssl plugins now consider the authorityKeyIdentifier, if
available, before verifying signatures, which avoids unnecessary signature
verifications after a CA key rollover if both certificates are loaded.
- The pkcs11 plugin better handles optional attributes like CKA_TRUSTED, which
previously depended on a version check.
- charon-nm now supports using SANs as client identities, not only full DNs.
- charon-tkm now handles IKE encryption.
- A MOBIKE update is sent again if a a change in the NAT mappings is detected
but the endpoints stay the same.
- Converted most of the test case scenarios to the vici interface
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 1 Sep 2021 20:21:00 +0000 (22:21 +0200)]
ffmpeg: Update deps to use sdl2 in place of sdl
- This patch needs to go together with the patch updating sdl to sdl2
https://patchwork.ipfire.org/project/ipfire/patch/20210824212848.1311257-1-adolf.belka@ipfire.org/
- Update deps line in lfs to use sdl2 in place of sdl
- Update rootfile
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 24 Aug 2021 21:28:48 +0000 (23:28 +0200)]
sdl2: Replace sdl with sdl2. Update to version 2.0.16
- Update from 1.2.15 (2013) to 2.0.16 (2021)
- Source file name changed from SDL to SDL2 so also deleted old sdl and created sdl2
files for rootfile and lfs
- Changelog is too large to include here. Details can be found in the WhatsNew.txt file
in the source tarball
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sat, 4 Sep 2021 13:53:11 +0000 (15:53 +0200)]
Tor: update to 0.4.6.7
Full changelog as per https://gitweb.torproject.org/tor.git/plain/ChangeLog?h=tor-0.4.6.7:
Changes in version 0.4.6.7 - 2021-08-16
This version fixes several bugs from earlier versions of Tor,
including one that could lead to a denial-of-service attack. Everyone
running an earlier version, whether as a client, a relay, or an onion
service, should upgrade to Tor 0.3.5.16, 0.4.5.10, or 0.4.6.7.
o Major bugfixes (cryptography, security):
- Resolve an assertion failure caused by a behavior mismatch between
our batch-signature verification code and our single-signature
verification code. This assertion failure could be triggered
remotely, leading to a denial of service attack. We fix this issue
by disabling batch verification. Fixes bug 40078; bugfix on
0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and
CVE-2021-38385. Found by Henry de Valence.
o Minor feature (fallbackdir):
- Regenerate fallback directories list. Close ticket 40447.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2021/08/12.
o Minor bugfix (crypto):
- Disable the unused batch verification feature of ed25519-donna.
Fixes bug 40078; bugfix on 0.2.6.1-alpha. Found by Henry
de Valence.
o Minor bugfixes (onion service):
- Send back the extended SOCKS error 0xF6 (Onion Service Invalid
Address) for a v2 onion address. Fixes bug 40421; bugfix
on 0.4.6.2-alpha.
o Minor bugfixes (relay):
- Reduce the compression level for data streaming from HIGH to LOW
in order to reduce CPU load on the directory relays. Fixes bug
40301; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (timekeeping):
- Calculate the time of day correctly on systems where the time_t
type includes leap seconds. (This is not the case on most
operating systems, but on those where it occurs, our tor_timegm
function did not correctly invert the system's gmtime function,
which could result in assertion failures when calculating voting
schedules.) Fixes bug 40383; bugfix on 0.2.0.3-alpha.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Tue, 7 Sep 2021 15:01:25 +0000 (15:01 +0000)]
udev: Enable ntuple offloading feature in supported NICs
We are using CPU-affinity and packet steering functions in various
places in IPFire, but packets might still be received on a random CPU
core.
This feature enables that packets that belong to the same connection
(i.e. have the save tuple) will be steered to the same queue. This will
increase cache locality and decrease locking which results in higher
throughput.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
For details see:
https://blog.clamav.net/2021/09/clamav-01040-released.html
New requirements and major changes:
"As of ClamAV 0.104, CMake is required to build ClamAV
...
The built-in LLVM for the bytecode runtime has been removed."
But since the current 'llvm 12.0.1' version refused to be build
"...you will need to supply the development libraries for LLVM
version 3.6.2" - which is ~6 years old - I gave up with 'llvm'
and stayed with the bytecode "interpreter".
Cited:
"The bytecode interpreter is the default runtime for bytecode
signatures just as it was in ClamAV 0.103.
@ALL:
In 'clamav 0.104.0' there is no appropriate cmake option for
"CONFIGURE_FLAGS = --disable-fanotify" for ARM buildings anymore.
Perhaps there is a kernel option for this?
=> https://docs.clamav.net/manual/OnAccess.html#requirements
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Thu, 19 Aug 2021 12:07:06 +0000 (12:07 +0000)]
glibc: Fix CVE-2021-33574 and follow-up issue
The mq_notify function has a potential use-after-free issue when using a
notification type of SIGEV_THREAD and a thread attribute with a non-default
affinity mask.
The fix for this introduced a NULL pointer dereference.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 5 Aug 2021 21:01:52 +0000 (23:01 +0200)]
wlanap.cgi: Access db.txt in place of using regdbdump on regulatory.bin
- wlanap.cgi was using regdbdump from crda to create a text based list of the
wireless settings by country database.
- With the removal of crda as part of the removal of python2 this option could not be
used.
- wireless-regdb also has a text based database list in the source tarball and this
patch makes wlanap.cgi read this list into the @countrylist_cmd variable
- This needs to be tested by someone that has an IPFire system with wifi that can access
and evaluate wlanap.cgi to confirm that this change functions as expected.
- This version changes the name of the stored text file from db.txt to regulatorydb.txt
- The command to read the data from regulatorydb.txt into @countrylist_cmd has been
corrected
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 5 Aug 2021 21:01:51 +0000 (23:01 +0200)]
wireless-regdb: Use db.txt file for wlanap.cgi
- db.txt is the text file version of the wireless settings by country database
- Using db.txt means that regdbdump from crda is not required by wlanap.cgi
- This patch copies the db.txt file from the source tarball to /lib/firmware/ where
it can be read by wlanap.cgi
- This version of the patch renames the db.txt file to regulatorydb.txt
- Updated rootfile to include regulatorydb.txt
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 5 Aug 2021 21:01:49 +0000 (23:01 +0200)]
python-setuptools: Removal of this python2 module.
- With the removal of python-m2crypto then this module is not longer required as a
dependency.
- python3-setuptools was already released into Core Update 157
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 5 Aug 2021 21:01:48 +0000 (23:01 +0200)]
python-typing: Removal of this python2 module.
- With the removal of python-m2crypto then python-typing is no longer rerquired as a
dependency.
- The functionality of the python2 typing module is built in to python3.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 5 Aug 2021 21:01:46 +0000 (23:01 +0200)]
crda: removal from kernel 4.15 and onwards.
- From kernel 4.15 and onwards the function of what crda does is built into the kernel.
- Tested the removal of crda with kernel 4.14.232 and kernel 5.10.45
Country code set by "iw reg set NL" was recognised with kernel 5.10.45 and set at
the global value of 00 with kernel 4.14.232 confirming the kernel built in option is
working without the prescence of crda
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 5 Aug 2021 21:01:45 +0000 (23:01 +0200)]
make.sh: Remove crda and remaining python2 modules
- crda only works with python2 version of m2crypto
python-m2crypto requires python-setuptools and python-typing
- With Linux kernel 4.15 and later the country code status check that crda did is built
into the kernel.
- So from kernel 4.15, crda can be removed, which allows removal of m2crypto, setuptools
and typing.
- python-typing is built into python3 so no additional python3 module required.
- python3 version of python-setuptools has already been installed.
- python3 version of python-m2crypto is not required. python-m2crypto is only used for the
build of crda.
- ipaddr can be removed as the function of this python2 module is built into python3 with
ipaddress.py
- removal of crda tested with 5.10.45 kernel and the setting of a country code was
recognised. If this test carried out with crda removed and 4.14.232 kernel then country
code stays defined as the global code "00".
- wlanap.cgi uses regdbdump from crda to create a text based list of the
wireless settings by country database. With the removal of crda a modification is
required to wireless-reg to copy the db.txt file to a specific location that wlan.cgi
can then access. db.txt is the text file version of the wireless settings by country
database.
- This series version copies the db.txt file and renames it regulatorydb.txt and places it in
/lib/firmware/
- This series version also corrects the loading command from regulatorydb.txt into the
@countrylist_cmd variable
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>