Stefan Schantl [Sat, 5 Mar 2022 18:13:39 +0000 (19:13 +0100)]
optionsfw.cgi: Add default settings for newly added options.
If no settings for those features can be obtained from the settings
file, set them to the following defaults.
* DROPSPOOFEDMARTIAN -> on (yes)
* DROPHOSTILE -> off (no - because only fresh installed systems should
do this)
* LOGDROPCTINVALID -> on (yes)
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Sat, 5 Mar 2022 15:27:17 +0000 (16:27 +0100)]
ids-functions.pl: Merge same named rulefiles during extract.
In case a rulestarball contains several same-named rulefiles
they have been overwritten each time and so only contained the content
from the last extracted one.
Now the content of those files will be merged by appending the content
to the first extracted one for each time.
Fixes #12792.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Sat, 5 Mar 2022 15:27:17 +0000 (16:27 +0100)]
ids-functions.pl: Merge same named rulefiles during extract.
In case a rulestarball contains several same-named rulefiles
they have been overwritten each time and so only contained the content
from the last extracted one.
Now the content of those files will be merged by appending the content
to the first extracted one for each time.
Fixes #12792.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Sun, 27 Feb 2022 13:49:02 +0000 (14:49 +0100)]
rules.pl: Allow dynamic destory of loaded but unused ipset sets.
Instead of stupidly destroying all ipsets, we now grab the already loaded sets
and compare them with the loaded sets during runtime of the script.
So we are now able to determine which sets are not longer required and
safely can destroy (unload) at a later time.
This saves us from taking care about dropping/flushing rules which are
based on ipset before we can destroy them - because only unused sets are
affected.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Inspired-by: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Wed, 2 Mar 2022 21:01:57 +0000 (21:01 +0000)]
update ca-certificates CA bundle
Update the CA certificates list to what Mozilla NSS ships currently.
The original file can be retrieved from:
https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
Please note that the certdata.txt file only appears to drop MD5
checksums in favour of SHA256, so there is no need in shipping
ca-certificates with the next Core Update.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Peter Müller [Wed, 2 Mar 2022 21:12:54 +0000 (21:12 +0000)]
Tor: Update to 0.4.6.10
Full changelog as per https://gitweb.torproject.org/tor.git/plain/ChangeLog?h=tor-0.4.6.10 :
Changes in version 0.4.6.10 - 2022-02-04
This version contains minor bugfixes but one in particular is that relays
don't advertise onion service v2 support at the protocol version level.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on February 04, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/02/04.
o Minor bugfix (logging):
- Update a log notice dead URL to a working one. Fixes bug 40544;
bugfix on 0.3.5.1-alpha.
o Minor bugfix (relay):
- Remove the HSDir and HSIntro onion service v2 protocol versions so
relay stop advertising that they support them. Fixes bug 40509;
bugfix on 0.3.5.17.
o Minor bugfixes (MetricsPort, Prometheus):
- Add double quotes to the label values of the onion service
metrics. Fixes bug 40552; bugfix on 0.4.5.1-alpha.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Stefan Schantl [Thu, 3 Mar 2022 04:49:43 +0000 (05:49 +0100)]
update-ids-ruleset: Always drop the lock file if it has been created during runtime.
In some situations or if an error happened, the lock file could be
keep on the system. In such a case the IDS page would be locked forever
until user interaction or reboot of the system.
Now the script checks if it has created such a lock and release it when
the script exists.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org>
Michael Tremer [Fri, 4 Mar 2022 10:29:23 +0000 (10:29 +0000)]
backup: Don't restore excluded files
Sometimes, we restore a backup that has been created earlier before
exclude files have been changed. To avoid overwriting those files, we
will consider the exlude list upon restore.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stéphane Pautrel [Tue, 22 Feb 2022 12:39:06 +0000 (12:39 +0000)]
fr: Update French translation
- 24 strings have been added (drop hostile and spoofed martians, fw red,
ids options and provider, pakfire update messages...)
- 3 strings have been inproved
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 22 Feb 2022 12:51:32 +0000 (12:51 +0000)]
suricata: Fix check for level one cache line size
riscv64 does not return any value on our machine (maybe because it is
emulated?). "undefined" is however seen as a valid value, which makes
the build fail.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 22 Feb 2022 12:51:30 +0000 (12:51 +0000)]
kernel: Add a basic configuration for riscv64
This kernel configuration is a copy of our kernel configuration for
x86_64 on which I ran "make olddefconfig" which will set any unknown
values to their defaults.
This exists so that we have some kernel (which I did not try to boot) to
complete the build process.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 22 Feb 2022 12:51:25 +0000 (12:51 +0000)]
gcc: Compile without ZSTD
GCC can use ZSTD to compress debugging/LTO information in binary
objects. However, on riscv64, compiling zstd requires libatomic which is
not available at this point.
In order to make the build work, we explicitely disable ZSTD in GCC and
build ZSTD after libatomic is available.
Although ZSTD offers great compression, we won't have any disadvantages
through this change since we do not ship any debugging information and
at this point in time to not use LTO.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 22 Feb 2022 12:51:24 +0000 (12:51 +0000)]
strip: Make this work when cross-compiling
The host might not have the correct tools to strip a foreign
architecture, therefore we need to use the cross tools.
The crosstools might be built in an architecture that they
cannot strip themselves and since they are not being part of the
packaged toolchain, we will just skip them.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 21 Feb 2022 17:24:56 +0000 (17:24 +0000)]
oci: user-data: Try to decode base64 content
Terraform only supports sending any shell scripts encoded in base64
which is however not required by Oracle. Therefore we have to test if
the script is encoded or not.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Michael Tremer [Mon, 21 Feb 2022 18:43:17 +0000 (18:43 +0000)]
oci-cli: Ship egg metadata
This package tries to identify if it is actually installed and does that
in a rather unorthodox way. So, thoses files are needed to run the "oci"
command. Only god knows why.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 21 Feb 2022 13:11:21 +0000 (14:11 +0100)]
expat: Update to version 2.4.6 - Security/CVE fixes
- Update from 2.4.4 to 2.4.6
- Update of rootfile
- Changelog
Release 2.4.6 Sun February 20 2022
Bug fixes:
#566 Fix a regression introduced by the fix for CVE-2022-25313
in release 2.4.5 that affects applications that (1)
call function XML_SetElementDeclHandler and (2) are
parsing XML that contains nested element declarations
(e.g. "<!ELEMENT junk ((bar|foo|xyz+), zebra*)>").
Release 2.4.5 Fri February 18 2022
Security fixes:
#562 CVE-2022-25235 -- Passing malformed 2- and 3-byte UTF-8
sequences (e.g. from start tag names) to the XML
processing application on top of Expat can cause
arbitrary damage (e.g. code execution) depending
on how invalid UTF-8 is handled inside the XML
processor; validation was not their job but Expat's.
Exploits with code execution are known to exist.
#561 CVE-2022-25236 -- Passing (one or more) namespace separator
characters in "xmlns[:prefix]" attribute values
made Expat send malformed tag names to the XML
processor on top of Expat which can cause
arbitrary damage (e.g. code execution) depending
on such unexpectable cases are handled inside the XML
processor; validation was not their job but Expat's.
Exploits with code execution are known to exist.
#558 CVE-2022-25313 -- Fix stack exhaustion in doctype parsing
that could be triggered by e.g. a 2 megabytes
file with a large number of opening braces.
Expected impact is denial of service or potentially
arbitrary code execution.
#560 CVE-2022-25314 -- Fix integer overflow in function copyString;
only affects the encoding name parameter at parser creation
time which is often hardcoded (rather than user input),
takes a value in the gigabytes to trigger, and a 64-bit
machine. Expected impact is denial of service.
#559 CVE-2022-25315 -- Fix integer overflow in function storeRawNames;
needs input in the gigabytes and a 64-bit machine.
Expected impact is denial of service or potentially
arbitrary code execution.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
pool.ipfire.org cannot resolved. Now try both default dns
servers. If one works dns is working.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Fri, 18 Feb 2022 22:40:55 +0000 (22:40 +0000)]
firewall: Make logging of conntrack INVALIDs configureable
In theory, logging of dropped packets classified by conntrack as being
INVALID should never be disabled, since one wants to have a paper trail
of what his/her firewall is doing.
However, conntrack seems to drop a lot of (at the first glance
legitimate) packets, hence bloating the logs, making spotting the
important firewall hits more difficult.
This patch therefore adds the option to disable logging of packets being
dropped by conntrack due to INVALID state.
Please note:
- This patch does not add this category to the firewall hits graph.
- The variables in this patch ("LOGDROPCTINVALID") should make it clear
that it is about toggling _logging_, not the actual _dropping_. Other
variables are still in need of being renamed to clarify this, which
will be done in a dedicated patch.
- Also, the changes made to update.sh need to take place in
config/rootfiles/core/164/update.sh for "master", since this patch has
been developed against "next". Kindly cherry-pick the necessary
changes.
Partially fixes: #12778
Reported-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>