Michael Tremer [Tue, 16 Jun 2020 15:40:44 +0000 (15:40 +0000)]
firewall: Always enable connection tracking for GRE
If this module is not being loaded, the kernel will mark any
GRE connection as INVALID in connection tracking, which will
be then silently dropped by a firewall rule.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Sat, 31 Dec 2016 15:59:19 +0000 (16:59 +0100)]
squidguard: Update to 1.5-beta
Changelog:
"Release 1.5
2010-09-09 Fixed inconsistent blocking (bug 59). Replaced defined routine
in sgDB.c
2010-09-08 Added Russian translation from Vladimir Ipatov to squidGuard.cgi.in.
2009-10-19 Fixed two bypass problems with URLs which length is close to the limit
defined by MAX_BUF. The resulting proxy line exceeds this limit and causes
either squid or squidGuard to properly block a site.
2009-10-15 Fixed a problem with very long URLs. SquidGuard will go into
emergency mode when a overlong URLs are encountered. The emergency mode causes an
entire stop of blocking. This is not appropriate in this situation.
2009-09-30 Added patch by beber and gentoo (thank you!) to fix a problem when cross
compiling (bug 56).
2009-09-27 Added patch by gentoo to fix alocal warnings (bug 57).
2009-09-15 Added a feature to send log messages to syslog based on the patch from
Jun Jiang (thank you). (bug 42) In order to use syslog you have to run
configure with the new option "--with-syslog". In the configuration file you need to add a
line "syslog enable". If any other value but "enable" is used syslog is disabled and logging
to squidGuard.log takes place as usual. The following log level are used: DEBUG, NOTICE,
WARN, ERROR and EMERG. The local4 syslog facility is used by default. If you want to change
this, use the configure option "--with-syslog-facility=<facility>".
2009-09-12 Anonymized passwords (for connecting to the ldap or mysql server) written
to logfiles when squidGuard is starting. Added two configure options for choosing
different location for the LDAP include and library files.
2009-08-25 Added patch to check IP addresses against LDAP. Patch by Denis Bonnenfant
(bug 41) - thank you.
2009-08-23 Added patch to allow quoted strings in the configuration file (bug 53).
For more information see README.QuotedStrings. Thanks to Iain Fothergill for providing
the patch. Removed the fix for usernames starting with a number because it breaks the
time declarations.
2009-05-08 Added patch by INL to enable blocking against DNS based blacklists (bug 55).
Fixed re-opened bug 12: a problem with regular expressions. An entry like "www\.google\.de"
did not block www.google.de which it was supposed to do.
Solving this issue solved bug 46 as well.
2009-03-08 Fixed bug 52: Sometimes squidGuard crashes with an overflow
error message for vsprintf. Thanks to Dirk Schoebel for suggesting the proper fix.
Fixed bug 49: Using numeric username made squidGuard goes into emergency mode. This
has been fixed. Usernames can now start with a number, be numeric and can additionally
contain the following characters: @,à,é,è,ñ,á,ì,í,ò,ó,ù,ú."
Signed-off-by: Matthias Fischer <matthias.fischer at ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Wed, 10 Jun 2020 22:08:12 +0000 (00:08 +0200)]
gnutls: Update to 3.6.14
For details see:
https://lists.gnupg.org/pipermail/gnutls-help/2020-June/004648.html
"** libgnutls: Fixed insecure session ticket key construction, since 3.6.4.
The TLS server would not bind the session ticket encryption key with a
value supplied by the application until the initial key rotation, allowing
attacker to bypass authentication in TLS 1.3 and recover previous
conversations in TLS 1.2 (#1011).
[GNUTLS-SA-2020-06-03, CVSS: high]
** libgnutls: Fixed handling of certificate chain with cross-signed
intermediate CA certificates (#1008).
** libgnutls: Fixed reception of empty session ticket under TLS 1.2 (#997).
** libgnutls: gnutls_x509_crt_print() is enhanced to recognizes commonName
(2.5.4.3), decodes certificate policy OIDs (!1245), and prints Authority
Key Identifier (AKI) properly (#989, #991).
** certtool: PKCS #7 attributes are now printed with symbolic names (!1246).
** libgnutls: Added several improvements on Windows Vista and later releases
(!1257, !1254, !1256). Most notably the system random number generator now
uses Windows BCrypt* API if available (!1255).
** libgnutls: Use accelerated AES-XTS implementation if possible (!1244).
Also both accelerated and non-accelerated implementations check key block
according to FIPS-140-2 IG A.9 (!1233).
** libgnutls: Added support for AES-SIV ciphers (#463).
** libgnutls: Added support for 192-bit AES-GCM cipher (!1267).
** libgnutls: No longer use internal symbols exported from Nettle (!1235)
** API and ABI modifications:
GNUTLS_CIPHER_AES_128_SIV: Added
GNUTLS_CIPHER_AES_256_SIV: Added
GNUTLS_CIPHER_AES_192_GCM: Added
gnutls_pkcs7_print_signature_info: Added"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Tue, 9 Jun 2020 18:51:12 +0000 (18:51 +0000)]
kernel: disable CONFIG_UPROBES
Quoted from #12433:
> Uprobes is the user-space counterpart to kprobes: they enable instrumentation
> applications (such as 'perf probe') to establish unintrusive probes in
> user-space binaries and libraries, by executing handler functions when the
> probes are hit by user-space applications.
>
> ( These probes come in the form of single-byte breakpoints, managed by the
> kernel and kept transparent to the probed application. )
IMHO this can be safely disabled, as there is little if any need to debug
userspace programs _that_ deeply on an IPFire machine.
Fixes: #12433 Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Tue, 9 Jun 2020 17:57:51 +0000 (17:57 +0000)]
kernel: enable CONFIG_FORTIFY_SOURCE on armv5tel
Partially fixes: #12369
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Tue, 9 Jun 2020 17:55:58 +0000 (17:55 +0000)]
kernel: enable CONFIG_FORTIFY_SOUCRE on aarch64
Partially fixes: #12369
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Tue, 9 Jun 2020 17:50:14 +0000 (17:50 +0000)]
kernel: enable CONFIG_SLUB_DEBUG on aarch64 and armv5tel
Fixes: #12377 Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Tue, 9 Jun 2020 17:18:49 +0000 (17:18 +0000)]
kernel: enable CONFIG_RANDOMIZE_BASE on armv5tel
Partially fixes: #12363
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sun, 7 Jun 2020 16:49:01 +0000 (16:49 +0000)]
kernel: enable CONFIG_RANDOMIZE_BASE on aarch64
Partially fixes: #12363
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sun, 7 Jun 2020 16:57:59 +0000 (16:57 +0000)]
kernel: enable CONFIG_SECCOMP on aarch64 and armv5tel
Fixes: #12366 Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sun, 7 Jun 2020 16:32:26 +0000 (16:32 +0000)]
kernel: disable CONFIG_MODIFY_LDT_SYSCALL on i586 and x86_64
Fixes: #12382 Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
kernel: backport "random: try to actively add entropy"
this backports https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/drivers/char/random.c?id=50ee7529ec4500c88f8664560770a7a1b65db72b
to gather enough entropy for initialise the crng faster.
Of some machines like the APU it will need forever if
the machine only wait for entropy without doing anything else.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sat, 18 Apr 2020 08:48:24 +0000 (10:48 +0200)]
kernel: disable CONFIG_DEBUG_LIST on i586(-pae)
Fixes: #12378 Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sat, 18 Apr 2020 08:42:19 +0000 (10:42 +0200)]
kernel: enable CONFIG_SCHED_STACK_END_CHECK on x86_64, armv5tel and aarch64
> This option checks for a stack overrun on calls to schedule(). If the stack
> end location is found to be over written always panic as the content of the
> corrupted region can no longer be trusted. This is to ensure no erroneous
> behaviour occurs which could result in data corruption or a sporadic crash at a
> later stage once the region is examined. The runtime overhead introduced is
> minimal.
Fixes: #12376 Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sat, 18 Apr 2020 08:24:08 +0000 (10:24 +0200)]
kernel: disable CONFIG_USELIB on x86_64 and i586(-pae)
> This option enables the uselib syscall a system call used in the dynamic
> linker from libc5 and earlier. glibc does not use this system call. If you
> intend to run programs built on libc5 or earlier you may need to enable this
> syscall. Current systems running glibc can safely disable this.
In my point of view, the last sentence matches our situation.
Fixes: #12379 Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sat, 18 Apr 2020 08:16:23 +0000 (10:16 +0200)]
kernel: enable CONFIG_DEBUG_WX on aarch64
Since this is described as 'Generate a warning if any W+X mappings are
found at boot.', it most likely does not break anything and can be
safely enabled.
Fixes: #12373 Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Tue, 14 Apr 2020 14:32:47 +0000 (16:32 +0200)]
kernel: enable page poisoning on x86_64
This is already active on i586 and prevents information leaks from freed
data.
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Wed, 1 Apr 2020 15:23:00 +0000 (15:23 +0000)]
Kernel: drop bluetooth support
The bluetooth addon was recently removed by commit 592be1d206e45ad42736b352d96e42ebca50123a, which is why we do not need to
carry the corresponding kernel modules around anymore.
The second version of this patch correctly updates kernel configuration
files via "make oldconfig" as requested by Arne.
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Cc: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Matthias Fischer [Tue, 26 May 2020 18:46:29 +0000 (20:46 +0200)]
knot: Update to 2.9.5
For details see:
https://www.knot-dns.cz/2020-05-25-version-295.html
"Bugfixes:
Old ZSK can be withdrawn too early during a ZSK rollover if maximum
zone TTL is computed automatically
Server responds SERVFAIL to ANY queries on empty non-terminal nodes
Improvements:
Also module onlinesign returns minimized responses to ANY queries
Linking against libcap-ng can be disabled via a configure option"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
The message "ls: cannot access '*.bz2': No such file or directory" comes
from the 'ls' command prior to creating the *.md5-files for *.bz2, *.img.xz
and *.iso files.
But on most builds we have especially no more bzip2 compressed images anymore.
This message can usually be ignored and is just irritating.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Wed, 20 May 2020 12:29:48 +0000 (12:29 +0000)]
ids-functions.pl: Quote array of subnets
Reported-by: Daniel Weismüller <daniel.weismueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Matthias Fischer [Tue, 19 May 2020 12:38:11 +0000 (14:38 +0200)]
bind: Update to 9.11.19
For details see:
https://downloads.isc.org/isc/bind9/9.11.19/RELEASE-NOTES-bind-9.11.19.html
"Security Fixes
To prevent exhaustion of server resources by a maliciously
configured domain, the number of recursive queries that can be
triggered by a request before aborting recursion has been further
limited. Root and top-level domain servers are no longer exempt from
the max-recursion-queries limit. Fetches for missing name server
address records are limited to 4 for any domain. This issue was
disclosed in CVE-2020-8616. [GL #1388]
Replaying a TSIG BADTIME response as a request could trigger
an assertion failure. This was disclosed in CVE-2020-8617. [GL
#1703]
Feature Changes
Message IDs in inbound AXFR transfers are now checked for
consistency. Log messages are emitted for streams with inconsistent
message IDs. [GL #1674]
Bug Fixes
When running on a system with support for Linux capabilities, named
drops root privileges very soon after system startup. This was
causing a spurious log message, "unable to set effective uid to 0:
Operation not permitted", which has now been silenced. [GL #1042]
[GL #1090]
When named-checkconf -z was run, it would sometimes incorrectly set
its exit code. It reflected the status of the last view found;
if zone-loading errors were found in earlier configured views but
not in the last one, the exit code indicated success. Thanks
to Graham Clinch. [GL #1807]
When built without LMDB support, named failed to restart after
a zone with a double quote (") in its name was added with rndc
addzone. Thanks to Alberto Fernández. [GL #1695]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Matthias Fischer [Tue, 12 May 2020 19:29:32 +0000 (21:29 +0200)]
clamav: Update to 0.102.3
For details see:
https://blog.clamav.net/2020/05/clamav-01023-security-patch-released.html
"ClamAV 0.102.3 is a bug patch release to address the following issues.
- CVE-2020-3327: Fix a vulnerability in the ARJ archive parsing module
in ClamAV 0.102.2 that could cause a Denial-of-Service (DoS) condition.
Improper bounds checking of an unsigned variable results in an
out-of-bounds read which causes a crash.
- CVE-2020-3341: Fix a vulnerability in the PDF parsing module in ClamAV
0.101 - 0.102.2 that could cause a Denial-of-Service (DoS) condition.
Improper size checking of a buffer used to initialize AES decryption
routines results in an out-of-bounds read which may cause a crash. Bug
found by OSS-Fuzz.
- Fix "Attempt to allocate 0 bytes" error when parsing some PDF
documents.
- Fix a couple of minor memory leaks.
- Updated libclamunrar to UnRAR 5.9.2."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sun, 10 May 2020 15:50:06 +0000 (15:50 +0000)]
hwdata: update PCI database
PCI IDs: 2020-05-07 03:15:02
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Sat, 9 May 2020 06:04:48 +0000 (06:04 +0000)]
tshark: Update to version 3.2.3
This update includes several bugfixes but also updated protocols.
For a full overview, in here -->
https://www.wireshark.org/docs/relnotes/wireshark-3.2.3.html the
changelog can be found.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Fri, 8 May 2020 06:23:19 +0000 (06:23 +0000)]
libseccomp: Update to version 2.4.3
- Add list of authorized release signatures to README.md
- Fix multiplexing issue with s390/s390x shm* syscalls
- Remove the static flag from libseccomp tools compilation
- Add define for __SNR_ppoll
- Update our Travis CI configuration to use Ubuntu 18.04
- Disable live python tests in Travis CI
- Use default python, rather than nightly python, in TravisCI
- Fix potential memory leak identified by clang in the scmp_bpf_sim too
The changelog can be found in here https://github.com/seccomp/libseccomp/blob/master/CHANGELOG .
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>