Michael Tremer [Thu, 25 Mar 2021 14:36:34 +0000 (14:36 +0000)]
openssl: Update to 1.1.1k
From https://www.openssl.org/news/secadv/20210325.txt:
OpenSSL Security Advisory [25 March 2021]
=========================================
CA certificate check bypass with X509_V_FLAG_X509_STRICT (CVE-2021-3450)
========================================================================
Severity: High
The X509_V_FLAG_X509_STRICT flag enables additional security checks of the
certificates present in a certificate chain. It is not set by default.
Starting from OpenSSL version 1.1.1h a check to disallow certificates in
the chain that have explicitly encoded elliptic curve parameters was added
as an additional strict check.
An error in the implementation of this check meant that the result of a
previous check to confirm that certificates in the chain are valid CA
certificates was overwritten. This effectively bypasses the check
that non-CA certificates must not be able to issue other certificates.
If a "purpose" has been configured then there is a subsequent opportunity
for checks that the certificate is a valid CA. All of the named "purpose"
values implemented in libcrypto perform this check. Therefore, where
a purpose is set the certificate chain will still be rejected even when the
strict flag has been used. A purpose is set by default in libssl client and
server certificate verification routines, but it can be overridden or
removed by an application.
In order to be affected, an application must explicitly set the
X509_V_FLAG_X509_STRICT verification flag and either not set a purpose
for the certificate verification or, in the case of TLS client or server
applications, override the default purpose.
OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these
versions should upgrade to OpenSSL 1.1.1k.
OpenSSL 1.0.2 is not impacted by this issue.
This issue was reported to OpenSSL on 18th March 2021 by Benjamin Kaduk
from Akamai and was discovered by Xiang Ding and others at Akamai. The fix was
developed by Tomáš Mráz.
NULL pointer deref in signature_algorithms processing (CVE-2021-3449)
=====================================================================
Severity: High
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation
ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits
the signature_algorithms extension (where it was present in the initial
ClientHello), but includes a signature_algorithms_cert extension then a NULL
pointer dereference will result, leading to a crash and a denial of service
attack.
A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which
is the default configuration). OpenSSL TLS clients are not impacted by this
issue.
All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions
should upgrade to OpenSSL 1.1.1k.
OpenSSL 1.0.2 is not impacted by this issue.
This issue was reported to OpenSSL on 17th March 2021 by Nokia. The fix was
developed by Peter Kästle and Samuel Sapalski from Nokia.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update tshark from 3.4.2 to 3.4.3
- Update rootfile
- Changelog is too long to include here.
See ChangeLog file in source tarball
29 bugfixes included
Signed-off-by: Adolf Belka (ipfire) <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update stunnel from 5.57 to 5.58
- Update rootfile
- Changelog
Version 5.58, 2021.02.20, urgency: HIGH
Security bugfixes
The "redirect" option was fixed to properly handle unauthenticated requests (thx to Martin Stein).
Fixed a double free with OpenSSL older than 1.1.0 (thx to Petr Strukov).
OpenSSL DLLs updated to version 1.1.1j.
New features
New 'protocolHeader' service-level option to insert custom 'connect' protocol negotiation headers. This feature can be used to impersonate other software (e.g. web browsers).
'protocolHost' can also be used to control the client SMTP protocol negotiation HELO/EHLO value.
Initial FIPS 3.0 support.
Bugfixes
X.509v3 extensions required by modern versions of OpenSSL are added to generated self-signed test certificates.
Fixed a tiny memory leak in configuration file reload error handling (thx to Richard Könning).
Merged Debian 05-typos.patch (thx to Peter Pentchev).
Merged with minor changes Debian 06-hup-separate.patch (thx to Peter Pentchev).
Merged Debian 07-imap-capabilities.patch (thx to Ansgar).
Merged Debian 08-addrconfig-workaround.patch (thx to Peter Pentchev).
Fixed tests on the WSL2 platform.
NSIS installer updated to version 3.06 to fix a multiuser installation bug on some platforms, including 64-bit XP.
Fixed engine initialization (thx to Petr Strukov).
FIPS TLS feature is reported when a provider or container is available, and not when FIPS control API is available.
Signed-off-by: Adolf Belka (ipfire) <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update sqlite from 3.34.0 to 3.34.1
- Update rootfile
- Changelog
Fix a potential use-after-free bug when processing a a subquery with
both a correlated WHERE clause and a "HAVING 0" clause and where the
parent query is an aggregate.
Fix documentation typos
Fix minor problems in extensions.
Signed-off-by: Adolf Belka (ipfire) <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update qpdf from 10.1.0 to 10.3.0
- Updated rootfile
- Changelog is too long to fully include here
See ChangeLog file in source tarball
Bug fixes in 10.3.0
* The last several changes are in support of fixing more complex
cases of keeping form fields working properly through page copying
operations. Fixes #509.
Bug fixes in 10.2.0
* From qpdf CLI, --pages and --split-pages will properly preserve
interactive form functionality. Fixes #340.
* From qpdf CLI, --overlay and --underlay will copy annotations
and form fields from overlay/underlay file. Fixes #395.
* Add new option --password-file=file for reading the decryption
password from a file. file may be "-" to read from standard input.
Fixes #499.
* By default, give an error if a user attempts to encrypt a file
with a 256-bit key, a non-empty user password, and an empty owner
password. Such files are insecure since they can be opened with no
password. To allow explicit creation of files like this, pass the
new --allow-insecure option. Thanks to github user RobK88 for a
detailed analysis and for reporting this issue. Fixes #501.
* Bug fix: if a form XObject lacks a resources dictionary,
consider any names in that form XObject to be referenced from the
containing page. This is compliant with older PDF versions. Also
detect if any form XObjects have any unresolved names and, if so,
don't remove unreferenced resources from them or from the page
that contains them. Fixes #494.
* Give warnings instead of segfaulting if a QPDF operation is
attempted after calling closeInputSource(). Fixes #495.
Signed-off-by: Adolf Belka (ipfire) <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update nagios-plugins from 2.2.1 to 2.3.3
- Updated rootfile
- Changelog is too long to include here
See ChangeLog file in source tarball
80 bugs fixed with the last four releases
- Latest version og nagios-plugins is recommended by update of nagios_nrpe
to 4.0.3
Signed-off-by: Adolf Belka (ipfire) <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update nagios_nrpe from 3.2.1 to 4.0.3
- No update for rootfile
- Changelog
[4.0.3](https://github.com/NagiosEnterprises/nrpe/releases/tag/nrpe-4.0.3) - 2020-04-28
**FIXES**
- Fixed nasty_metachars not being read from config file (#235) (Sebastian Wolf)
[4.0.2](https://github.com/NagiosEnterprises/nrpe/releases/tag/nrpe-4.0.2) - 2020-03-11
**FIXES**
- Fixed buffer length calculations/writing past memory boundaries on some systems (#227, #228) (Andreas Baumann, hariwe, Sebastian Wolf)
- Fixed use of uninitialized variable when validating requests (#229) (hariwe, Sebastian Wolf)
[4.0.1](https://github.com/NagiosEnterprises/nrpe/releases/tag/nrpe-4.0.1) - 2020-01-22
**FIXES**
* Fixed syslog flooding with CRC-checking errors when both plugin and agent were updated to version 4 (Sebastian Wolf)
[4.0.0](https://github.com/NagiosEnterprises/nrpe/releases/tag/nrpe-4.0.0) - 2019-01-13
Note: This update includes security fixes which affect both the check_nrpe plugin and
the NRPE daemon. The latest version of NRPE is still able to interoperate with previous
versions, but for best results, both programs should be updated.
**ENHANCEMENTS**
* Added TLSv1.3 and TLSv1.3+ support for systems that have it (Nigel Yong, Rahul Golam)
* Added IPv6 ip address to list of default allow_from hosts (Troy Lea)
* Added -D option to disable logging to syslog (Tom Griep, Sebastian Wolf)
* Added -3 option to force check_nrpe to use NRPE v3 packets
* OpenRC: provide a default path for nrpe.cfg (Michael Orlitzky)
* OpenRC: Use RC_SVCNAME over a hard-coded PID file (j-licht)
**FIXES**
* Checks for '!' now only occur inside the command buffer (Joni Eskelinen)
* NRPE daemon is more resilient to DOS attacks (Leonid Vasiliev)
* allowed_hosts will no longer test getaddrinfo records against the wrong protocol (dombenson)
* nasty_metachars will now handle C escape sequences properly when specified in the config file (Sebastian Wolf)
* Calculated packet sizes now struct padding/alignment when sending and receiving messages (Sebastian Wolf)
* Buffer sizes are now checked before use in packet size calculation (Sebastian Wolf)
* When using `include_dir`, individual files' errors do not prevent the remaining files from being read (Sebastian Wolf)
Signed-off-by: Adolf Belka (ipfire) <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update nano from 5.5 to 5.6
- No update for rootfile
- Changelog
Changes between v5.5 and v5.6:
Benno Schulenberg (52):
build: avoid a warning about duplicate symbol when building from tarball
build: detect a build from git also when building out of tree
build: include a workaround only for versions of ncurses that need it
bump version numbers and add a news item for the 5.6 release
color: do not look for another 'end' match after already finding one
color: give highlighted text its own color, to not look like marked text
color: recompile the file-probing regexes a little faster with REG_NOSUB
color: use bright yellow to highlight a search match
color: use inverse video for highlighting when there are no colors
debug: add timing instruments to cache precalculation and screen refresh
display: for a large paste or insertion, recalculate the multiline cache
docs: correct the description of --quickblank for the changed base value
docs: correct the formatting of a comment in the sample nanorc
docs: correct the word order for Alt+D in the cheat sheet -- it changed
docs: mention the new 'set highlightcolor' option
docs: remove all mentions of --markmatch and 'set markmatch'
docs: say that --minibar is modified by --constantshow and --stateflags
feedback: make Full Justify show a message also when using --minibar
gnulib: update to its current upstream state
minibar: show a message a little longer when --quickblank isn't used
minibar: show cursor position + character code only with --constantshow
minibar: show the state flags only when --stateflags is used
minibar: suppress the toggling feedback for M-C, but show it for M-Y/M-P
options: remove --markmatch and 'set markmatch', as the behavior is gone
painting: always do backtracking for the first row of the screen
painting: trigger a refresh when a second start match appears on a line
painting: trigger fewer unneeded full-screen refreshes
painting: when finding an end match, set its multidata right away
scrolling: keep centering after large paste, also when line numbers widen
search: just highlight the found occurrence, instead of marking it
search: make highlighting the standard, non-changeable behavior
tweaks: avoid the vague possibility of advancing beyond end-of-line
tweaks: be slightly more efficient in marking lines as WOULDBE
tweaks: call wattron()/wattroff() only when actually painting something
tweaks: correct a comment, improve another, and trim some verbosity
tweaks: don't bother comparing virgin multidata with current situation
tweaks: don't bother initializing freshly allocated multidata
tweaks: don't bother wiping the multidata before recomputing it
tweaks: elide a function that is now just one line
tweaks: frob a condition, to be more concise, and reshuffle another
tweaks: frob some comments, and adjust indentation after previous change
tweaks: frob some comments, and reshuffle two fragments of code
tweaks: frob two fragments of code, to be more readable
tweaks: make a skipping condition more precise
tweaks: remove an old fix that was made superfluous by a recent fix
tweaks: remove a strangely placed warning
tweaks: rename six symbols, to be more straightforward
tweaks: reshuffle some code, and reduce the scope of a variable
tweaks: reshuffle three conditions into a better order
tweaks: rewrap and reindent a few lines
tweaks: rewrap two lines, for esthetics
tweaks: stop evaluating a rule when the match is offscreen to the right
Signed-off-by: Adolf Belka (ipfire) <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update ipset from 7.10 to 7.11
- No update to rootfile
- Changelog
- Parse port before trying by service name (Haw Loeung)
- Silence unused-but-set-variable warnings (reported by
Serhey Popovych)
- Handle -Werror=implicit-fallthrough= in debug mode compiling
- ipset: fix print format warning (Neutron Soutmun)
- Updated utilities
- Argument parsing buffer overflow in ipset_parse_argv fixed
(reported by Marshall Whittaker)
Signed-off-by: Adolf Belka (ipfire) <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update iproute2 from 5.10.0 to 5.11.0
- Updated rootfile
- Changelog extracted from commits
lib/fs: Fix single return points for get_cgroup2_* Andrea Claudi
lib/fs: avoid double call to mkdir on make_path() Andrea Claudi
lib/bpf: Fix and simplify bpf_mnt_check_target() Andrea Claudi
lib/namespace: fix ip -all netns return code Andrea Claudi
ip: lwtunnel: seg6: bail out if table ids are invalid Andrea Claudi
tc: m_gate: use SPRINT_BUF when needed Andrea Claudi
man8/bridge.8: be explicit that "flood" is an egress setting Vladimir Oltean
man8/bridge.8: explain self vs master for "bridge fdb add" Vladimir Oltean
man8/bridge.8: fix which one of self/master is default for "bridge fdb" Vladimir Oltean
man8/bridge.8: explain what a local FDB entry is Vladimir Oltean
man8/bridge.8: document that "local" is default for "bridge fdb add" Vladimir Oltean
man8/bridge.8: document the "permanent" flag for "bridge fdb add" Vladimir Oltean
rdma: Fix statistics bind/unbing argument handling Ido Kalir
uapi: pick up rpl.h fix Stephen Hemminger
iproute: force rtm_dst_len to 32/128 Luca Boccassi
ss: Add clarification about host conditions with multiple familes to man Thayne McCombs
Add documentation of ss filter to man page Thayne McCombs
iplink: print warning for missing VF data Edwin Peer
ss: do not emit warn while dumping MPTCP on old kernels Paolo Abeni
man: tc-taprio.8: document the full offload feature Vladimir Oltean
iplink_bareudp: cleanup help message and man page Guillaume Nault
vrf: fix ip vrf exec with libbpf Luca Boccassi
vrf: print BPF log buffer if bpf_program_load fails Luca Boccassi
build: Fix link errors on some systems Roi Dayan
tc: flower: fix json output with mpls lse Guillaume Nault
dcb: Change --Netns/-N to --netns/-n Petr Machata
dcb: Plug a leaking DCB socket buffer Petr Machata
dcb: Set values with RTM_SETDCB type Petr Machata
uapi: update if_link.h from upstream Stephen Hemminger
include: uapi: Carry dcbnl.h Petr Machata
uapi: update kernel headers to 5.11 pre rc1
Signed-off-by: Adolf Belka (ipfire) <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update hplip from 3.20.11 to 3.21.2
- Updated rootfile
- Changelog
Added support for following new Distro's:
Fedora 33
Manjaro 20.2
Debian 10.7
RHEL 8.3
RHEL 7.7
RHEL 7.8
RHEL 7.9
Added support for the following new Printers:
HP LaserJet Enterprise M406dn
HP LaserJet Enterprise M407dn
HP LaserJet Enterprise MFP M430f
HP LaserJet Enterprise MFP M431f
HP LaserJet Managed E40040dn
HP LaserJet Managed MFP E42540f
HP Color LaserJet Enterprise M455dn
HP Color LaserJet Managed E45028dn
HP Color LaserJet Enterprise MFP M480f
HP Color LaserJet Managed MFP E47528f
HP PageWide XL 3920 MFP
HP PageWide XL 4200 Printer
HP PageWide XL 4200 Multifunction Printer
HP PageWide XL 4700 Printer
HP PageWide XL 4700 Multifunction Printer
HP PageWide XL 5200 Printer
HP PageWide XL 5200 Multifunction Printer
HP PageWide XL 8200 Printer
HP Laserjet M207d
HP Laserjet M208d
HP Laserjet M209d
HP Laserjet M210d
HP Laserjet M212d
HP Lasejet M211d
HP Laserjet M209dw
HP Laserjet M209dwe
HP Laserjet M210dw
HP Laserjet M210dwe
HP Laserjet M212dw
HP LaserJet M212dwe
HP Laserjet M208dw
HP Laserjet M207dw
HP Laserjet M211dw
HP LaserJet MFP M234dw
HP LaserJet MFP M234dwe
HP LaserJet MFP M233d
HP LaserJet MFP M232d
HP LaserJet MFP M235d
HP LaserJet MFP M237d
HP LaserJet MFP M236d
HP LaserJet MFP M232dw
HP LaserJet MFP M232dwc
HP LaserJet MFP M233dw
HP LaserJet MFP M236dw
HP LaserJet MFP M235dw
HP LaserJet MFP M235dwe
HP LaserJet MFP M237dwe
HP LaserJet MFP M237dw
HP LaserJet MFP M232sdn
HP LaserJet MFP M233sdn
HP LaserJet MFP M236sdn
HP LaserJet MFP M234sdn
HP LaserJet MFP M234sdne
HP LaserJet MFP M235sdn
HP LaserJet MFP M235sdne
HP LaserJet MFP M237sdne
HP LaserJet MFP M237sdn
HP LaserJet MFP M232sdw
HP LaserJet MFP M233sdw
HP LaserJet MFP M236sdw
HP LaserJet MFP M234sdw
HP LaserJet MFP M234sdwe
HP LaserJet MFP M235sdw
HP LaserJet MFP M235sdwe
HP LaserJet MFP M237sdwe
HP LaserJet MFP M237sdw
Signed-off-by: Adolf Belka (ipfire) <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Use the traffic class description field to identify similar classes.
This ensures that a class used in both the up- and down-link is
printed with matching colors in both graphs.
Signed-off-by: Leo-Andres Hofmann <hofmann@leo-andres.de> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 5 Mar 2021 17:41:28 +0000 (18:41 +0100)]
openssh: Update to 8.5p1
- Update Openssh from 8.4p1 to 8.5p1
- rootfiles not changed
- ssh access by keys tested with 8.5p1 and successfully worked
- Full Release notes can be read at https://www.openssh.com/releasenotes.html
- Future deprecation notice
It is now possible[1] to perform chosen-prefix attacks against the
SHA-1 algorithm for less than USD$50K.
In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1
hash algorithm in conjunction with the RSA public key algorithm.
OpenSSH will disable this signature scheme by default in the near
future.
Note that the deactivation of "ssh-rsa" signatures does not necessarily
require cessation of use for RSA keys. In the SSH protocol, keys may be
capable of signing using multiple algorithms. In particular, "ssh-rsa"
keys are capable of signing using "rsa-sha2-256" (RSA/SHA256),
"rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of
these is being turned off by default.
- Checked if the weak ssh-rsa public key algorithm was being used with
openssh8.4p1 by running
ssh -oHostKeyAlgorithms=-ssh-rsa user@host
host verification was successful with no issue so IPFire will not be
affected by this deprecation when it happens
- Potentially-incompatible changes
* ssh(1), sshd(8): this release changes the first-preference signature
algorithm from ECDSA to ED25519.
This did not affect my use of ssh login but I use ED25519 as the only
key algorithm that I use. It might be good to get it tested by
someone who has ECDSA and ED25519 keys and prefers ECDSA
Remaining changes don't look likely to affect IPFire users
- Bugfixes
* ssh(1): Prefix keyboard interactive prompts with "(user@host)" to
make it easier to determine which connection they are associated
with in cases like scp -3, ProxyJump, etc. bz#3224
* sshd(8): fix sshd_config SetEnv directives located inside Match
blocks. GHPR201
* ssh(1): when requesting a FIDO token touch on stderr, inform the
user once the touch has been recorded.
* ssh(1): prevent integer overflow when ridiculously large
ConnectTimeout values are specified, capping the effective value
(for most platforms) at 24 days. bz#3229
* ssh(1): consider the ECDSA key subtype when ordering host key
algorithms in the client.
* ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to
PubkeyAcceptedAlgorithms. The previous name incorrectly suggested
that it control allowed key algorithms, when this option actually
specifies the signature algorithms that are accepted. The previous
name remains available as an alias. bz#3253
* ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and
HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms.
* sftp-server(8): add missing lsetstat@openssh.com documentation
and advertisement in the server's SSH2_FXP_VERSION hello packet.
* ssh(1), sshd(8): more strictly enforce KEX state-machine by
banning packet types once they are received. Fixes memleak caused
by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078).
* sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit
platforms instead of being limited by LONG_MAX. bz#3206
* Minor man page fixes (capitalization, commas, etc.) bz#3223
* sftp(1): when doing an sftp recursive upload or download of a
read-only directory, ensure that the directory is created with
write and execute permissions in the interim so that the transfer
can actually complete, then set the directory permission as the
final step. bz#3222
* ssh-keygen(1): document the -Z, check the validity of its argument
earlier and provide a better error message if it's not correct.
bz#2879
* ssh(1): ignore comments at the end of config lines in ssh_config,
similar to what we already do for sshd_config. bz#2320
* sshd_config(5): mention that DisableForwarding is valid in a
sshd_config Match block. bz3239
* sftp(1): fix incorrect sorting of "ls -ltr" under some
circumstances. bz3248.
* ssh(1), sshd(8): fix potential integer truncation of (unlikely)
timeout values. bz#3250
* ssh(1): make hostbased authentication send the signature algorithm
in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type.
This make HostbasedAcceptedAlgorithms do what it is supposed to -
filter on signature algorithm and not key type.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>