Peter Müller [Sun, 7 Jun 2020 16:32:26 +0000 (16:32 +0000)]
kernel: disable CONFIG_MODIFY_LDT_SYSCALL on i586 and x86_64
Fixes: #12382
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
kernel: backport "random: try to actively add entropy"
This backports https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/drivers/char/random.c?id=50ee7529ec4500c88f8664560770a7a1b65db72b
to gather enough entropy to initialise the crng faster.
On some machines like the APU it will take forever if
the machine only waits for entropy without doing anything else.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sat, 18 Apr 2020 08:48:24 +0000 (10:48 +0200)]
kernel: disable CONFIG_DEBUG_LIST on i586(-pae)
Fixes: #12378
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sat, 18 Apr 2020 08:42:19 +0000 (10:42 +0200)]
kernel: enable CONFIG_SCHED_STACK_END_CHECK on x86_64, armv5tel and aarch64
> This option checks for a stack overrun on calls to schedule(). If the stack
> end location is found to be over written always panic as the content of the
> corrupted region can no longer be trusted. This is to ensure no erroneous
> behaviour occurs which could result in data corruption or a sporadic crash at a
> later stage once the region is examined. The runtime overhead introduced is
> minimal.
Fixes: #12376
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sat, 18 Apr 2020 08:24:08 +0000 (10:24 +0200)]
kernel: disable CONFIG_USELIB on x86_64 and i586(-pae)
> This option enables the uselib syscall, a system call used in the dynamic
> linker from libc5 and earlier. glibc does not use this system call. If you
> intend to run programs built on libc5 or earlier you may need to enable this
> syscall. Current systems running glibc can safely disable this.
From my point of view, the last sentence matches our situation.
Fixes: #12379
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sat, 18 Apr 2020 08:16:23 +0000 (10:16 +0200)]
kernel: enable CONFIG_DEBUG_WX on aarch64
Since this is described as 'Generate a warning if any W+X mappings are
found at boot.', it most likely does not break anything and can be
safely enabled.
Fixes: #12373
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Tue, 14 Apr 2020 14:32:47 +0000 (16:32 +0200)]
kernel: enable page poisoning on x86_64
This is already active on i586 and prevents information leaks from freed
data.
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
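One way to check a kernel `.config` against the settings named in the kernel commits above, as an added example that is not part of the IPFire repository. The function names, the expectation table layout and the sample config are constructed for illustration.

```python
import re

# Expected state per architecture, taken from the commit subjects above
# ("i586" also stands for i586-pae). True = must be "=y", False = must be off.
EXPECTED = {
    "x86_64": {"CONFIG_MODIFY_LDT_SYSCALL": False, "CONFIG_USELIB": False,
               "CONFIG_SCHED_STACK_END_CHECK": True},
    "i586": {"CONFIG_MODIFY_LDT_SYSCALL": False, "CONFIG_USELIB": False,
             "CONFIG_DEBUG_LIST": False},
    "aarch64": {"CONFIG_SCHED_STACK_END_CHECK": True, "CONFIG_DEBUG_WX": True},
    "armv5tel": {"CONFIG_SCHED_STACK_END_CHECK": True},
}

_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_config(text):
    """Map option name -> value; 'n' for '# CONFIG_X is not set'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if m := _SET.match(line):
            opts[m.group(1)] = m.group(2)
        elif m := _UNSET.match(line):
            opts[m.group(1)] = "n"
    return opts

def audit(text, arch):
    """Return a sorted list of (option, wanted, found) deviations."""
    opts = parse_config(text)
    findings = []
    for name, enabled in EXPECTED[arch].items():
        found = opts.get(name, "n")  # a symbol absent from .config is disabled
        wanted = "y" if enabled else "n"
        if found != wanted:
            findings.append((name, wanted, found))
    return sorted(findings)

# Constructed sample, not IPFire's real kernel configuration.
SAMPLE = """\
CONFIG_MODIFY_LDT_SYSCALL=y
# CONFIG_USELIB is not set
CONFIG_SCHED_STACK_END_CHECK=y
CONFIG_DEBUG_LIST=y
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "x86_64"):
        print("%s: want %s, found %s" % finding)
```

Page poisoning is left out of the table because the commit message does not name the option it sets.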
Peter Müller [Wed, 1 Apr 2020 15:23:00 +0000 (15:23 +0000)]
Kernel: drop bluetooth support
The bluetooth addon was recently removed by commit 592be1d206e45ad42736b352d96e42ebca50123a, which is why we do not need to
carry the corresponding kernel modules around anymore.
The second version of this patch correctly updates kernel configuration
files via "make oldconfig" as requested by Arne.
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Matthias Fischer [Tue, 26 May 2020 18:46:29 +0000 (20:46 +0200)]
knot: Update to 2.9.5
For details see:
https://www.knot-dns.cz/2020-05-25-version-295.html
"Bugfixes:
- Old ZSK can be withdrawn too early during a ZSK rollover if maximum
zone TTL is computed automatically
- Server responds SERVFAIL to ANY queries on empty non-terminal nodes
Improvements:
- Also module onlinesign returns minimized responses to ANY queries
- Linking against libcap-ng can be disabled via a configure option"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
The message "ls: cannot access '*.bz2': No such file or directory" comes
from the 'ls' command prior to creating the *.md5-files for *.bz2, *.img.xz
and *.iso files.
But on most builds we do not have bzip2 compressed images anymore.
This message can usually be ignored and is just irritating.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Wed, 20 May 2020 12:29:48 +0000 (12:29 +0000)]
ids-functions.pl: Quote array of subnets
Reported-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Matthias Fischer [Tue, 19 May 2020 12:38:11 +0000 (14:38 +0200)]
bind: Update to 9.11.19
For details see:
https://downloads.isc.org/isc/bind9/9.11.19/RELEASE-NOTES-bind-9.11.19.html
"Security Fixes
- To prevent exhaustion of server resources by a maliciously
configured domain, the number of recursive queries that can be
triggered by a request before aborting recursion has been further
limited. Root and top-level domain servers are no longer exempt from
the max-recursion-queries limit. Fetches for missing name server
address records are limited to 4 for any domain. This issue was
disclosed in CVE-2020-8616. [GL #1388]
- Replaying a TSIG BADTIME response as a request could trigger
an assertion failure. This was disclosed in CVE-2020-8617. [GL #1703]
Feature Changes
- Message IDs in inbound AXFR transfers are now checked for
consistency. Log messages are emitted for streams with inconsistent
message IDs. [GL #1674]
Bug Fixes
- When running on a system with support for Linux capabilities, named
drops root privileges very soon after system startup. This was
causing a spurious log message, "unable to set effective uid to 0:
Operation not permitted", which has now been silenced. [GL #1042]
[GL #1090]
- When named-checkconf -z was run, it would sometimes incorrectly set
its exit code. It reflected the status of the last view found;
if zone-loading errors were found in earlier configured views but
not in the last one, the exit code indicated success. Thanks
to Graham Clinch. [GL #1807]
- When built without LMDB support, named failed to restart after
a zone with a double quote (") in its name was added with rndc
addzone. Thanks to Alberto Fernández. [GL #1695]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Matthias Fischer [Tue, 12 May 2020 19:29:32 +0000 (21:29 +0200)]
clamav: Update to 0.102.3
For details see:
https://blog.clamav.net/2020/05/clamav-01023-security-patch-released.html
"ClamAV 0.102.3 is a bug patch release to address the following issues.
- CVE-2020-3327: Fix a vulnerability in the ARJ archive parsing module
in ClamAV 0.102.2 that could cause a Denial-of-Service (DoS) condition.
Improper bounds checking of an unsigned variable results in an
out-of-bounds read which causes a crash.
- CVE-2020-3341: Fix a vulnerability in the PDF parsing module in ClamAV
0.101 - 0.102.2 that could cause a Denial-of-Service (DoS) condition.
Improper size checking of a buffer used to initialize AES decryption
routines results in an out-of-bounds read which may cause a crash. Bug
found by OSS-Fuzz.
- Fix "Attempt to allocate 0 bytes" error when parsing some PDF
documents.
- Fix a couple of minor memory leaks.
- Updated libclamunrar to UnRAR 5.9.2."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sun, 10 May 2020 15:50:06 +0000 (15:50 +0000)]
hwdata: update PCI database
PCI IDs: 2020-05-07 03:15:02
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Sat, 9 May 2020 06:04:48 +0000 (06:04 +0000)]
tshark: Update to version 3.2.3
This update includes several bugfixes but also updated protocols.
For a full overview, the changelog can be found here:
https://www.wireshark.org/docs/relnotes/wireshark-3.2.3.html
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Fri, 8 May 2020 06:23:19 +0000 (06:23 +0000)]
libseccomp: Update to version 2.4.3
- Add list of authorized release signatures to README.md
- Fix multiplexing issue with s390/s390x shm* syscalls
- Remove the static flag from libseccomp tools compilation
- Add define for __SNR_ppoll
- Update our Travis CI configuration to use Ubuntu 18.04
- Disable live python tests in Travis CI
- Use default python, rather than nightly python, in TravisCI
- Fix potential memory leak identified by clang in the scmp_bpf_sim tool
The changelog can be found here: https://github.com/seccomp/libseccomp/blob/master/CHANGELOG .
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Thu, 7 May 2020 10:46:15 +0000 (12:46 +0200)]
OpenVPN: Update to version 2.4.9
Besides several smaller fixes, this version also fixes some OpenSSL problems as well as CVE-2020-11810.
The full changelog can be found here: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24 .
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Wed, 29 Apr 2020 19:33:04 +0000 (19:33 +0000)]
random: Initialise the kernel's PRNG earlier
Since more processes depend on good randomness, we need to
make sure that the kernel's PRNG is initialized as early as
possible.
For systems without a HWRNG, we will need to fall back to our
noisy loop and wait until we have enough randomness.
This patch also removes saving and restoring the seed. This
is no longer useful because the kernel's PRNG only takes any
input after it has successfully been seeded from other sources.
Hence adding this seed does not increase its randomness.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This is the first release after Suricata joined the Oss-Fuzz program, leading to
discovery of a number of (potential) security issues. We expect that in the coming
months we’ll fix more such issues, as the fuzzers increase their coverage and we
continue to improve the seed corpus.
Feature #3481: GRE ERSPAN Type 1 Support
Feature #3613: Teredo port configuration
Feature #3673: datasets: add ‘dataset-remove’ unix command
Bug #3240: Dataset hash-size or prealloc invalid value logging
Bug #3241: Dataset reputation invalid value logging
Bug #3342: Suricata 5.0 crashes while parsing SMB data
Bug #3450: signature with sticky buffer with subsequent pcre check in a different buffer loads but will never match
Bug #3491: Backport 5 BUG_ON(strcasecmp(str, “any”) in DetectAddressParseString
Bug #3507: rule parsing: memory leaks
Bug #3526: 5.0.x Kerberos vulnerable to TCP splitting evasion
Bug #3534: Skip over ERF_TYPE_META records
Bug #3552: file logging: complete files sometimes marked ‘TRUNCATED’
Bug #3571: rust: smb compile warnings
Bug #3573: TCP Fast Open – Bypass of stateless alerts
Bug #3574: Behavior for tcp fastopen
Bug #3576: Segfault when facing malformed SNMP rules
Bug #3577: SIP: Input not parsed when header values contain trailing spaces
Bug #3580: Faulty signature with two threshold keywords does not generate an error and never match
Bug #3582: random failures on sip and http-evader suricata-verify tests
Bug #3585: htp: asan issue
Bug #3592: Segfault on SMTP TLS
Bug #3598: rules: memory leaks in pktvar keyword
Bug #3600: rules: bad address block leads to stack exhaustion
Bug #3602: rules: crash on ‘internal’-only keywords
Bug #3604: rules: missing ‘consumption’ of transforms before pkt_data would lead to crash
Bug #3606: rules: minor memory leak involving pcre_get_substring
Bug #3609: ssl/tls: ASAN issue in SSLv3ParseHandshakeType
Bug #3610: defrag: asan issue
Bug #3612: rules/bsize: memory issue during parsing
Bug #3614: build-info and configure wrongly display libnss status
Bug #3644: Invalid memory read on malformed rule with Lua script
Bug #3646: rules: memory leaks on failed rules
Bug #3649: CIDR Parsing Issue
Bug #3651: FTP response buffering against TCP stream
Bug #3653: Recursion stack-overflow in parsing YAML configuration
Bug #3660: Multiple DetectEngineReload and bad insertion into linked list lead to buffer overflow
Bug #3665: FTP: Incorrect ftp_memuse calculation.
Bug #3667: Signature with an IP range creates one IPOnlyCIDRItem by single IP address
Bug #3669: Rules reload with Napatech can hang Suricata UNIX manager process
Bug #3672: coverity: data directory handling issues
Bug #3674: Protocol detection evasion by packet splitting
Optimization #3406: filestore rules are loaded without warning when filestore is not enabled
Task #3478: libhtp 0.5.33
Task #3514: SMTP should place restraints on variable length items (e.g., filenames)
Documentation #3543: doc: add ipv4.hdr and ipv6.hdr
Bundled libhtp 0.5.33
Bundled Suricata-Update 1.1.2
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Tue, 28 Apr 2020 16:35:56 +0000 (18:35 +0200)]
libhtp: update to 0.5.33
(Scanty) release notes:
0.5.33 (27 April 2020)
----------------------
- compression bomb protection
- memory handling issue found by Oss-Fuzz
- improve handling of anomalies in traffic
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Tue, 28 Apr 2020 14:47:01 +0000 (16:47 +0200)]
Postfix: update to 3.5.1
Please refer to http://www.postfix.org/announcements/postfix-3.5.1.html
for further information.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Mon, 27 Apr 2020 15:41:47 +0000 (17:41 +0200)]
graph.pl: fix indentation of user CPU load
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Mon, 27 Apr 2020 15:25:15 +0000 (17:25 +0200)]
graphs.pl: use brackets instead of hyphens
This simply makes more sense in most languages, as INPUT, OUTPUT and
FORWARD are special cases of firewall hits in general.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Mon, 27 Apr 2020 15:24:52 +0000 (17:24 +0200)]
de.pl: mention technical detail regarding new not SYN packets
Since an appropriate translation of the firewall hits graph is not
possible due to limited space, mentioning "NewNotSYN" at least clarifies
the relationship between "Verworfene neue Pakete ohne SYN-Markierung
protokollieren" and "NewNotSYN".
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Mon, 27 Apr 2020 15:24:27 +0000 (17:24 +0200)]
en.pl: fix spelling of "SYN"
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Mon, 27 Apr 2020 15:24:06 +0000 (17:24 +0200)]
graphs.pl: fix spelling of "SYN"
This merely is a cosmetic change, but since we are dealing with network
packets here, the SYN flag must be capitalised.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>