For details see:
https://downloads.isc.org/isc/bind9/9.11.11/RELEASE-NOTES-bind-9.11.11.html
"Security Fixes
A race condition could trigger an assertion failure when a large
number of incoming packets were being rejected. This flaw is disclosed
in CVE-2019-6471. [GL #942]
...
Bug Fixes
Glue address records were not being returned in responses to root priming
queries; this has been corrected. [GL #1092]
Interaction between DNS64 and RPZ No Data rule (CNAME *.) could cause
unexpected results; this has been fixed. [GL #1106]
named-checkconf now checks DNS64 prefixes to ensure bits 64-71 are zero.
[GL #1159]
named-checkconf could crash during configuration if configured to use "geoip
continent" ACLs with legacy GeoIP. [GL #1163]
named-checkconf now correctly reports missing dnstap-output option when dnstap
is set. [GL #1136]
Handle ETIMEDOUT error on connect() with a non-blocking socket. [GL #1133]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Wed, 18 Sep 2019 05:03:34 +0000 (07:03 +0200)]
ovpn: Add ta.key check to main settings
Since Core 132 the 'TLS Channel Protection' is part of the global settings,
the ta.key generation check should also be in the main section otherwise it
won´t be created if not present.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Wed, 18 Sep 2019 05:03:33 +0000 (07:03 +0200)]
ovpn: Generate ta.key before dh-parameter
Fixes: #11964 and #12157
If slow boards or/and boards with low entropy needs too long to generate the DH-parameter, ovpnmain.cgi can get into a
"Script timed out before returning headers" and no further OpenSSl commands will be executed after dhparam is finished.
Since the ta.key are created after the DH-parameter, it won´t be produced in that case.
To prevent this, the DH-parameter will now be generated at the end.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
For details see:
https://roy.marples.name/blog/dhcpcd-8-0-6-released
"inet6: Fix default route not being installed
DHCP: If root fs is network mounted, enable last lease extend
man: Fix lint errors.
BSD: avoid RTF_WASCLONED routes
DHCP: Give a better message when packet validation fails
DHCP: Ensure we have enough data to checksum IP and UDP
The last change fixes a potential DoS attack introduced in dhcpcd-8.0.3
when the checksuming code was changed to accomodate variable length
IP headers. The commit says since 7.2.0, but I've now decided that's not
the case."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Sun, 8 Sep 2019 17:38:49 +0000 (19:38 +0200)]
libnetfilter_queue: Update to 1.0.4
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Fri, 6 Sep 2019 12:52:51 +0000 (14:52 +0200)]
libhtp: Update to 0.5.30
Fixes #12170
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Wed, 18 Sep 2019 04:54:51 +0000 (06:54 +0200)]
IO-Socket-SSL: Update to version 2.066
Fix for "Undefined subroutine &IO::Socket::SSL::set_client_defaults called at /usr/libexec/git-core/git-send-email" problem.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Alex Koch [Sun, 1 Sep 2019 22:47:29 +0000 (00:47 +0200)]
zoneconf: reduce the width of inputs for vlanid
The inputs for the vlanids are overlapping the borders of their cells (using a recent Firefox on Linux Mint, Android or Windows 7). This patch fixes this by limiting the width to a fixed value.
Signed-off-by: Alex Koch <ipfire@starkstromkonsument.de> Signed-off-by: Alex Koch <ipfire@starkstromkonsument.de> Acked-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
The settings file must be writeable for group "nobody" so
users can change their Tor settings via WebUI. Since other
files in /var/ipfire/tor/ does not need this workaround, only
the settings file permissions are changed.
Sorry for the late fix; this was reported by various people
in the forum, too (I was unaware of so many Tor users in our
community).
Fixes #12117
Reported-by: Erik Kapfer <erik.kapfer@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Alex Koch [Sat, 31 Aug 2019 18:53:00 +0000 (20:53 +0200)]
WUI log-section Mail: add support for postfix addon
Expand the regex for the section dmi ("Mail") for /var/log/mail to include the log contents of postfix, in case the addon is installed.
Signed-off-by: Alex Koch <ipfire@starkstromkonsument.de> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Alex Koch [Sat, 31 Aug 2019 18:52:59 +0000 (20:52 +0200)]
WUI log-section Mail: bugfix for dma
The prefix for dmi in /var/log/mail seems to have changed from "dma[<PID>]: " to "dma: ". This results in a bug where no lines are being shown at all in the WUI.
Signed-off-by: Alex Koch <ipfire@starkstromkonsument.de> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Alex Koch [Sun, 1 Sep 2019 21:34:58 +0000 (23:34 +0200)]
zabbix_agentd: Update to 4.2.6
Release Notes: https://www.zabbix.com/rn/rn4.2.6
Signed-off-by: Alex Koch <ipfire@starkstromkonsument.de> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
"DHCP: Work with IP headers with options
script: Assert that env string are correctly terminated
script: Terminate env strings with no value
script: Don't attempt to use an invalid env string
route: Fix NULL deference error when using static routes
ARP: Respect IFF_NOARP
DHCP: Add support for ARPHRD_NONE interfaces
DHCP: Allow full DHCP support for PtP interfaces, but not by default
DragonFlyBSD: 500704 announces IPv6 address flag changes
control: sends correct buffer to listeners"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Matthias Fischer [Fri, 23 Aug 2019 16:49:04 +0000 (18:49 +0200)]
clamav: Update to 0.101.4
For details see:
https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html
"An out of bounds write was possible within ClamAV's NSIS bzip2
library when attempting decompression in cases where the number
of selectors exceeded the max limit set by the library (CVE-2019-12900).
The issue has been resolved by respecting that limit.
Thanks to Martin Simmons for reporting the issue here.
The zip bomb vulnerability mitigated in 0.101.3 has been assigned
the CVE identifier CVE-2019-12625. Unfortunately, a workaround for
the zip-bomb mitigation was immediately identified. To remediate
the zip-bomb scan time issue, a scan time limit has been introduced
in 0.101.4.
This limit now resolves ClamAV's vulnerability to CVE-2019-12625."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Matthias Fischer [Fri, 23 Aug 2019 16:42:43 +0000 (18:42 +0200)]
bind: Update to 9.11.10
For details see:
https://downloads.isc.org/isc/bind9/9.11.10/RELEASE-NOTES-bind-9.11.10.html
"Security Fixes
A race condition could trigger an assertion failure when a large
number of incoming packets were being rejected.
This flaw is disclosed in CVE-2019-6471. [GL #942]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
I had added this for spamassassin but now the geoip-converter needs it too.
It was not pushed yet so there is no need to remove it from pakfire databases.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.11.9/RELEASE-NOTES-bind-9.11.9.html
"Security Fixes
A race condition could trigger an assertion failure when a large
number of incoming packets were being rejected.
This flaw is disclosed in CVE-2019-6471. [GL #942]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
"NetBSD: Can be build without ARP support but listen to kernel DaD
ND6: Removed NA support from SMALL builds
ND6: Remove and warn about NA issues on OS's other than NetBSD and Linux
script: /tmp files are now cleaned up for systems without open_memstream(3)
configure: open_memstream(3) detected on recent glibc
DHCP: Avoid duplicate read of UDP socket when BPF is also open
IP: Avoid adding address if already exists on OS other than Linux
IP6: Avoid adding address is already exists on Solaris
route: Fixed a NULL de-reference error on statically configured routes
DHCP6: Move to REQUEST when any IA has error no-binding in RENEW/REBIND
DragonFlyBSD: Now compiles and works for
IP: Accept packets with IP header options"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>