Adolf Belka [Mon, 23 Nov 2020 12:08:48 +0000 (13:08 +0100)]
apcupsd: addition of backup/includes definition
Added a backup/includes file for apcupsd to backup the
/etc/apcupsd/ directory where all the configuration files
are stored. Currently there is no backup available to
save the state of any changes carried out to the configuration
or action files. Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Core 152: the script "network-hotplug-bridges" now reads the variable ${ZONE}_STP from /var/ipfire/ethernet/settings so that STP can be turned on and off for each bridge
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
ummeegge [Wed, 11 Nov 2020 18:12:25 +0000 (18:12 +0000)]
OpenVPN: Add start of static routes in client N2N
Fixes: #12529
- If a client N2N configuration will be imported into IPFire systems,
a line will be added which calls the --up script to restart the
static route initscript. Since this is IPFire specific, i will only be
added via import on IPFire system.
- Deleted unneeded line in CLIENTCONF section.
- Added description to SERVERCONF section.
Signed-off-by: ummeegge <erik.kapfer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Wed, 11 Nov 2020 14:14:09 +0000 (15:14 +0100)]
location-functions.pl: add functions for fetching AS information
The second version of this patch only unifies the licence banner, but
leaves GPLv2 untouched. In addition, functions have been changed to use
a script-wide location database handle, as introduced in commit b62d7e0cc71cc1ff23d66dd8baf0f5f3c5c7a29b.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Tue, 3 Nov 2020 10:48:09 +0000 (11:48 +0100)]
rules.pl: apply location filter to ppp0 if configured
In order to prevent collateral damage to internal traffic, commit c69c820025c21713cdb77eae3dd4fa61ca71b5fb introduced applying location
block on red0 as a sanity check.
On systems configured to use PPPoE, however, traffic appears on the ppp0
interface instead. This patch checks if a system is configured to use
this connection method, and applies the location filter to this
interface. red0 is used otherwise.
Fixes: #12519 Cc: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Wed, 11 Nov 2020 13:45:06 +0000 (14:45 +0100)]
spectre-meltdown-checker: update to 0.44
Full changelog as per https://github.com/speed47/spectre-meltdown-checker/releases/tag/v0.44 :
feat: add support for SRBDS related vulnerabilities
feat: add zstd kernel decompression (#370)
enh: arm: add experimental support for binary arm images
enh: rsb filling: no longer need the 'strings' tool to check for kernel support in live mode
fix: fwdb: remove Intel extract tempdir on exit
fix: has_vmm: ignore kernel threads when looking for a hypervisor (fixes #278)
fix: fwdb: use the commit date as the intel fwdb version
fix: fwdb: update Intel's repository URL
fix: arm64: cve-2017-5753: kernels 4.19+ use a different nospec macro
fix: on CPU parse info under FreeBSD
chore: github: add check run on pull requests
chore: fwdb: update to v165.20201021+i20200616
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 7 Nov 2020 12:59:08 +0000 (12:59 +0000)]
DNS: Make YouTube configurable for Safe Search
When safe search is enabled, it is being enabled on YouTube, too.
This creates problems in some scenarios like schools where politics
is being tought as well as other subjects that might be censored by
YouTube (i.e. election TV spots).
Therefore it is now possible to exclude YouTube from Safe Search
but keep it enabled for the search engines.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Sat, 7 Nov 2020 18:47:23 +0000 (19:47 +0100)]
locations-functions.pl: Allow get_locations() function to skip special locations.
When adding "no_special_locations" to the function call as argument
the special locations liks "A1, A2, A3 etc" will not be added to the
returned array as available locations.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
smooky@v16.de [Thu, 5 Nov 2020 20:38:06 +0000 (21:38 +0100)]
socat-1.7.3.4 added missing entry to make.sh
Entry to make.sh for socat added.
Was forgotten before and thus Pakfire distributed an empty addon.
Thanks to Matthias Fischer for clarifying why the distributed addon was empty.
Signed-off-by: Marcel Follert (Smooky) <smooky@v16.de> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Tue, 3 Nov 2020 15:14:17 +0000 (16:14 +0100)]
sysctl.conf: include PID in file names of generated core dumps
This is recommended by various Linux hardening guides in order to
prevent accidential overwriting of existing core dumps. While it has
probably little to no relevance to the average IPFire user, enabling it
won't harm and fixes a Lynis warning. :-)
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Tue, 3 Nov 2020 14:33:52 +0000 (15:33 +0100)]
lynis: update to 3.0.1
Full changelog obtained from: https://cisofy.com/changelog/lynis/#301
- Detection of Alpine Linux
- Detection of CloudLinux
- Detection of Kali Linux
- Detection of Linux Mint
- Detection of macOS Big Sur (11.0)
- Detection of Pop!_OS
- Detection of PHP 7.4
- Malware detection tool: Microsoft Defender ATP
- New flag: --slow-warning to allow tests more time before showing a
warning
- Test TIME-3185 to check systemd-timesyncd synchronized time
- rsh host file permissions
- AUTH-9229 - Added option for LOCKED accounts and bugfix for older bash
versions
- BOOT-5122 - Presence check for grub.d added
- CRYP-7902 - Added support for certificates in DER format
- CRYP-7931 - Added data to report
- CRYP-7931 - Redirect errors (e.g. when swap is not encrypted)
- FILE-6430 - Don't grep nonexistant modprobe.d files
- FIRE-4535 - Set initial firewall state
- INSE-8312 - Corrected text on screen
- KRNL-5728 - Handle zipped kernel configuration correctly
- KRNL-5830 - Improved version detection for non-symlinked kernel
- MALW-3280 - Extended detection of BitDefender
- TIME-3104 - Find more time synchronization commands
- TIME-3182 - Corrected detection of time peers
- Fix: hostid generation routine would sometimes show too short IDs
- Fix: language detection
- Generic improvements for macOS
- German translation updated
- End-of-life database updated
- Several minor code enhancements
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Tue, 3 Nov 2020 11:50:18 +0000 (12:50 +0100)]
tor.cgi: look up Tor relay country codes using libloc
Tor provides a function to resolve a relay's IP address into a country
code by taking advantage of a (heavily outdated) GeoIP database shipped
with it.
We should consequently use libloc for doing this, since it can be
confusing if those results differ from active connections in the
connection tracking CGI (where we _use_ libloc) and such tasks are why
we invented libloc in the first place. :-)
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Tue, 3 Nov 2020 11:26:42 +0000 (12:26 +0100)]
tzdata: update to 2020d
The pacificnew file has been dropped by IANA. Adding the "factory" file
makes sense to have a reasonable default in case the time zone is
unknown, which, however, should not happen in case of IPFire 2.x - just
trying to be consistent here.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Tue, 3 Nov 2020 09:52:27 +0000 (10:52 +0100)]
Bash: apply patches 12 through 18 as well
Those fix some unintentional behaviour regarding autocompletion I
stumbled across the other day. While there seems nothing security
relevant in this, it irons out a few bugs.
The full and up-to-date list of all Bash 5.0 patches can be obtained
from https://ftp.gnu.org/gnu/bash/bash-5.0-patches/ .
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
sometime a stale nmbd or smbd process prevent start of samba.
this change should kill all processes.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This is a security release in order to address
CVE-2020-14318 (Missing handle permissions check in SMB1/2/3 ChangeNotify),
CVE-2020-14323 (Unprivileged user can crash winbind) and
CVE-2020-14383 (An authenticated user can crash the DCE/RPC DNS with easily
crafted records).
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This is a security release in order to address
CVE-2020-14318 (Missing handle permissions check in SMB1/2/3 ChangeNotify),
CVE-2020-14323 (Unprivileged user can crash winbind) and
CVE-2020-14383 (An authenticated user can crash the DCE/RPC DNS with easily
crafted records).
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Tue, 27 Oct 2020 13:20:56 +0000 (14:20 +0100)]
OpenSSH: Fix initscript to actually kill the daemon
The SSH daemon was not terminated properly because killproc
tried to terminate all processes with that name. That caused
that the master daemon respawned some processed which were
therefore not killed because killproc determined a list of
PIDs only once before starting sending signals.
This patch only kills the master process which is being
determined by using sshd's pid file.
That results in all established connections not being
interrupted any more.
Furthermore, the loadproc function checks if any processes
with the given name are already running which could be true
if there are any connections still open.
That check is being disabled with the -f switch and sshd
will always be launched.
"/etc/init.d/sshd stop" might now print FAIL if only the
master process, but no connection processes were terminated.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Fri, 23 Oct 2020 19:27:07 +0000 (21:27 +0200)]
drop SpamAssassin add-on
This package has not been maintained well and is thereof outdated. At
the time of writing, we neither
(a) have a maintainer for this nor
(b) believe it is wise to run a full-featured content scanner on a
firewall for security purposes. (We can make do with Postfix, as it
is known for being a very robust MTA and providess less attack
surface than something actually inspecting transferred messages.)
Thereof, this patch drops the SpamAssassin add-on. In case it is desired
in future versions of IPFire, it can be easily reverted, restoring the
functionality and behaviour before.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Fri, 23 Oct 2020 19:26:43 +0000 (21:26 +0200)]
drop Amavis add-on
This package has not been maintained well and is thereof outdated. At
the time of writing, we neither
(a) have a maintainer for this nor
(b) believe it is wise to run a full-featured content scanner on a
firewall for security purposes. (We can make do with Postfix, as it
is known for being a very robust MTA and providess less attack
surface than something actually inspecting transferred messages.)
Thereof, this patch drops the Amavis add-on. In case it is desired in
future versions of IPFire, it can be easily reverted, restoring the
functionality and behaviour before.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>