Matthias Fischer [Thu, 27 Jun 2019 20:07:40 +0000 (22:07 +0200)]
dhcpcd: Update to 7.2.3
For details see:
https://roy.marples.name/blog/dhcpcd-7-2-3-released
"Minor update with the following changes:
OpenBSD: compiles again
BSD: Check RTM lengths incase of kernel issues
DHCP6: Don't stop even when last router goes away
DHCP6: Fix inform from RA
hostname: Fix short hostname check"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
unbound: use nic carrier instead of /var/ipfire/red/active
This speeds up boot with static settings and no link, and with
DHCP on Intel NICs if the MTU is changed by the DHCP lease,
because the NIC loses the carrier and restarts the DHCP action
when the MTU is set.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Matthias Fischer [Fri, 21 Jun 2019 12:31:26 +0000 (14:31 +0200)]
bind: Update to 9.11.8
For Details see:
https://downloads.isc.org/isc/bind9/9.11.8/RELEASE-NOTES-bind-9.11.8.html
"Security Fixes
A race condition could trigger an assertion failure when a large number
of incoming packets were being rejected.
This flaw is disclosed in CVE-2019-6471. [GL #942]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Alexander Marx [Thu, 20 Jun 2019 05:04:30 +0000 (07:04 +0200)]
BUG12015: Redirecting to Captive portal does not work after IPFire restart
When the Captive portal is enabled, the needed firewall rules are applied. But when restarting IPFire,
the rules are not applied because there is no call to do so.
Added call to captivectrl in the initscript 'firewall'.
Fixes: #12015
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Alexander Marx [Tue, 18 Jun 2019 07:55:35 +0000 (09:55 +0200)]
BUG12070: It's not possible to use the underscore in email addresses
Using IPFire's Mailservice does not allow entering a sender's mail address with an underscore.
The function used to verify this comes from general-functions.pl.
Now the function 'validemail' allows the underscore in the address.
Fixes: #12070
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Mon, 17 Jun 2019 14:08:00 +0000 (14:08 +0000)]
vpnmain.cgi: Fix writing ESP settings for PFS ciphers
The changes introduced due to #12091 caused IPsec ESP
to be invalid if PFS ciphers were selected. Code has
to read "!$pfs" instead of just "$pfs", as it should trigger
for ciphers _without_ Perfect Forward Secrecy.
Fixes #12099
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Since TLS servers usually override the clients' preference with their
own, this will neither break existing setups nor introduce huge
differences in the wild. Unfortunately, CBC ciphers cannot be disabled
at all, as they are still used by popular web sites.
TLS 1.3 ciphers will be added implicitly and can be omitted in the
cipher string. Chacha20/Poly1305 is preferred over AES-GCM due to missing
AES-NI support for the majority of installations reporting to Fireinfo
(see https://fireinfo.ipfire.org/processors for details, AES-NI support
is 28.22% at the time of writing).
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Mon, 10 Jun 2019 19:02:00 +0000 (19:02 +0000)]
Tor: fix permissions after updating, too
Fixes #12088
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reported-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Tue, 4 Jun 2019 13:00:24 +0000 (15:00 +0200)]
suricata: Enable EVE logging
The EVE output facility outputs alerts, metadata, file info and protocol-specific records as JSON.
For further information please see --> https://suricata.readthedocs.io/en/suricata-4.1.2/output/eve/index.html
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Acked-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Wed, 5 Jun 2019 18:56:33 +0000 (20:56 +0200)]
ids-functions.pl: Rework function write_modify_sids_file().
Directly implement the logic to determine the used ruleset and whether
IDS or IPS mode should be used into the function, instead of passing those
details as arguments.
This helps to avoid doing this at several places again and again.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Tim FitzGeorge [Wed, 5 Jun 2019 18:56:32 +0000 (20:56 +0200)]
suricata: correct rule actions in IPS mode
In IPS mode rules need to have the action 'drop' for the
protection to work; however, this is not appropriate for all rules.
Modify the generator for oinkmaster-modify-sids.conf to leave
rules with the action 'alert' where this is appropriate. Also add
a script to be run on update to correct existing downloaded rules.
Fixes #12086
Signed-off-by: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Tested-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
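The rule-action rewrite described in the commit above, as an added example that is not IPFire's own script or its oinkmaster-modify-sids.conf generator: rules are switched from 'alert' to 'drop' for IPS mode, except for SIDs on an explicit keep-alert list, and switched back for IDS mode. Only the leading action keyword is touched, so commented-out (disabled) rules, 'pass'/'reject' rules and rules without a parseable sid are left alone. The sample rules and the keep-alert SID set are constructed for illustration; which rules should stay 'alert' is a policy decision the commit leaves to the ruleset.

```python
import re

# Leading rule action. Commented-out ("#alert ...") rules are skipped before
# this is applied, so a disabled rule is never silently re-enabled.
ACTION_RE = re.compile(r'^(alert|drop|pass|reject)\s')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def rewrite_rule(line, mode, keep_alert_sids=frozenset()):
    """Return (new_line, changed) for one Suricata rule line.

    mode == "ips": alert -> drop, unless the rule's sid is in keep_alert_sids
    mode == "ids": drop  -> alert for every rule
    Blank lines, comments, rules with other actions and rules without a
    parseable sid are returned unchanged.
    """
    indent = len(line) - len(line.lstrip())
    body = line[indent:]
    if not body.strip() or body.startswith('#'):
        return line, False
    m = ACTION_RE.match(body)
    if m is None:
        return line, False
    action = m.group(1)
    if mode == 'ips':
        sid = SID_RE.search(line)
        if action != 'alert' or sid is None or int(sid.group(1)) in keep_alert_sids:
            return line, False
        new_action = 'drop'
    elif mode == 'ids':
        if action != 'drop':
            return line, False
        new_action = 'alert'
    else:
        raise ValueError(f'unknown mode {mode!r}')
    # Replace only the action keyword; the rest of the line (including any
    # occurrence of "alert"/"drop" inside msg:"...") is preserved verbatim.
    start, end = indent + m.start(1), indent + m.end(1)
    return line[:start] + new_action + line[end:], True


def convert_rules(lines, mode, keep_alert_sids=frozenset()):
    """Rewrite a whole rules file (as a list of lines); returns (lines, count changed)."""
    out, changed = [], 0
    for line in lines:
        new, did = rewrite_rule(line, mode, keep_alert_sids)
        out.append(new)
        changed += did
    return out, changed


# Constructed sample rules (hypothetical SIDs in the local 9xxxxxx range).
SAMPLE_RULES = [
    '# constructed sample ruleset\n',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE ssh probe"; sid:9000001; rev:1;)\n',
    'alert dns any any -> any any (msg:"EXAMPLE informational dns query"; sid:9000002; rev:1;)\n',
    '#alert ip any any -> any any (msg:"EXAMPLE disabled rule"; sid:9000003; rev:1;)\n',
    'pass tcp $HOME_NET any -> any any (msg:"EXAMPLE whitelist"; sid:9000004; rev:1;)\n',
]
# Assumed policy: the informational DNS rule should alert, never drop.
KEEP_ALERT_SIDS = frozenset({9000002})


if __name__ == '__main__':
    ips_rules, n = convert_rules(SAMPLE_RULES, 'ips', KEEP_ALERT_SIDS)
    print(f'{n} rule(s) switched to drop:')
    print(''.join(ips_rules))
```

Running the block on a real file is a matter of `convert_rules(open(path).readlines(), 'ips', keep)` and writing the result back; doing the IDS conversion over the IPS output restores the original file, which is a useful property to test before wiring such a script into an update hook.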
Just cosmetics:
Removed all trailing spaces - there were a few...
Activated 'monit' start delay:
I activated this option to avoid running into a race condition when started through
'/etc/init.d/monit start'.
As mentioned in 'monit' manual:
"...if a service is slow to start, Monit can assume that the service is not running
and possibly try to start it [again] and raise an alert, while, in fact the service
is already about to start or already in its startup sequence."
This happened here during testing with (e.g.) Clamav.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
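What the 'monit' start delay looks like in a monitrc, as an added example rather than IPFire's own monit configuration: the poll interval and the delay are assumed values, chosen only to illustrate the option the commit enables.

```conf
# Poll interval without a start delay: monit begins checking services as soon
# as it starts, so a service that is still in its startup sequence can be
# reported as down and started a second time.
# set daemon 60

# With a start delay, the first check cycle is postponed until the delay has
# passed (values assumed: 60 s poll interval, 120 s delay).
set daemon 60
  with start delay 120
```

The delay only affects the first check cycle after monit starts; it does not change the poll interval for later cycles.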
Michael Tremer [Wed, 29 May 2019 14:28:45 +0000 (15:28 +0100)]
make.sh: Have a ccache for each architecture
It does not make much sense to mix architectures into a single
ccache:
* There is never going to be a match
* The cache gets bigger and therefore slower
* If both architectures are being compiled one after the other and
the cache hits its maximum size, cached but still needed content
will be dropped
* The caches can only be deleted together
This small change splits this into multiple caches. One per
architecture. Therefore we should be more efficient on builders
that build for multiple architectures.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Tue, 28 May 2019 09:38:59 +0000 (11:38 +0200)]
tshark: Update to 3.0.2
Incl. one vulnerability and several bug fixes. For a full overview --> https://www.wireshark.org/docs/relnotes/wireshark-3.0.2.html
- Disabled GeoIP support since libmaxminddb is not present.
- Added dictionary in ROOTFILE to prevent "radius: Could not open file: '/usr/share/wireshark/radius/dictionary'".
- Added CMAKE build type
- Removed profile examples and HTMLs completely from ROOTFILE.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>