'dmz' => 'AÇIK BÖLGE',
'dmz pinhole configuration' => 'Açık bölge yapılandırma',
'dmz pinhole rule added' => 'Açık bölge kuralı eklendi; Açık bölge
yeniden başlatılıyor',
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Since the last update made changes to the web interface of OpenVPN, it's
time to remove unused translations and update the remaining ones for
downloading the client configuration.
Starting here with the German translation.
Best regards
Peer Dietzmann
'dmz pinhole configuration' => 'Einstellungen des DMZ-Schlupfloches',
'dmz pinhole rule added' => 'Regel für DMZ-Schlupfloch hinzugefügt;
Starte DMZ-Schlupfloch neu',
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sun, 28 Sep 2025 21:06:00 +0000 (21:06 +0000)]
OpenSSH: Amend upstream default cipher changes
This patch implements the following change made to OpenSSH server
upstream in version 10.0:
* sshd(8): this release disables finite field (a.k.a modp)
Diffie-Hellman key exchange in sshd by default. Specifically,
this removes the "diffie-hellman-group*" and
"diffie-hellman-group-exchange-*" methods from the default
KEXAlgorithms list. The client is unchanged and continues to
support these methods by default. Finite field Diffie Hellman
is slow and computationally expensive for the same security
level as Elliptic Curve DH or PQ key agreement while offering
no redeeming advantages. ECDH has been specified for the SSH
protocol for 15 years and some form of ECDH has been the default
key exchange in OpenSSH for the last 14 years.
In addition, for both OpenSSH server and client, the following upstream
change made in version 9.9 is implemented:
* ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256
is now used by default for key agreement. This algorithm is
considered to be safe against attack by quantum computers,
is guaranteed to be no less strong than the popular
curve25519-sha256 algorithm, has been standardised by NIST
and is considerably faster than the previous default.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sun, 28 Sep 2025 21:05:00 +0000 (21:05 +0000)]
OpenSSH: Prefer AES-GCM ciphers over AES-CTR
This reflects the following change made upstream in OpenSSH 9.9:
* ssh(1): prefer AES-GCM to AES-CTR mode when selecting a cipher
for the connection. The default cipher preference list is now
Chacha20/Poly1305, AES-GCM (128/256) followed by AES-CTR
(128/192/256).
However, we keep preferring AES-GCM over Chacha/Poly, as hardware
acceleration often grants the former better performance, while there
is no security advantage of Chacha/Poly over 256-bit AES-GCM.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
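As an added example (not IPFire's or OpenSSH's own code), the following Python audit checks an sshd_config fragment against the two preferences the commits above describe: no finite-field Diffie-Hellman key exchange, the ML-KEM hybrid listed first, and AES-GCM ranked ahead of both AES-CTR and ChaCha20/Poly1305. The sample configs and the function names are constructed; the exact algorithm identifiers are standard OpenSSH names that the commit messages do not spell out.

```python
"""Audit sshd_config KexAlgorithms / Ciphers lines for the preferences above."""
import fnmatch
import re

# Patterns quoted from the OpenSSH 10.0 release note.
FFDH_KEX_PATTERNS = ("diffie-hellman-group*", "diffie-hellman-group-exchange-*")
PQ_HYBRID_KEX = "mlkem768x25519-sha256"
# Standard OpenSSH cipher identifiers (assumed; the commits only say "AES-GCM").
AES_GCM = ("aes128-gcm@openssh.com", "aes256-gcm@openssh.com")
CHACHA = "chacha20-poly1305@openssh.com"


def parse_sshd_config(text):
    """Return {keyword_lower: value} keeping the first occurrence of each
    keyword, mirroring sshd's first-match-wins rule. Comments are dropped."""
    result = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        if len(parts) == 2:
            result.setdefault(parts[0].lower(), parts[1].strip())
    return result


def split_algos(value):
    # A leading '+', '-' or '^' edits the default list; strip it so the
    # individual names can be inspected.
    return [a for a in value.lstrip("+-^").split(",") if a]


def check_kex(kex_list):
    """Flag finite-field DH methods and a non-PQ first choice."""
    findings = []
    for algo in kex_list:
        if any(fnmatch.fnmatch(algo, p) for p in FFDH_KEX_PATTERNS):
            findings.append(f"finite-field DH kex still enabled: {algo}")
    if kex_list and kex_list[0] != PQ_HYBRID_KEX:
        findings.append(f"{PQ_HYBRID_KEX} is not the first KEX method")
    return findings


def check_ciphers(cipher_list):
    """Require every AES-GCM cipher to rank ahead of AES-CTR and Chacha/Poly."""
    findings = []
    pos = {c: i for i, c in enumerate(cipher_list)}
    gcm = [pos[c] for c in AES_GCM if c in pos]
    ctr = [i for c, i in pos.items() if c.endswith("-ctr")]
    if not gcm:
        findings.append("no AES-GCM cipher offered")
    if gcm and ctr and min(ctr) < max(gcm):
        findings.append("an AES-CTR cipher is preferred over AES-GCM")
    if gcm and CHACHA in pos and pos[CHACHA] < max(gcm):
        findings.append("chacha20-poly1305 is preferred over AES-GCM")
    return findings


def audit(text):
    cfg = parse_sshd_config(text)
    findings = []
    if "kexalgorithms" in cfg:
        findings += check_kex(split_algos(cfg["kexalgorithms"]))
    if "ciphers" in cfg:
        findings += check_ciphers(split_algos(cfg["ciphers"]))
    return findings


# Constructed sample fragments, not taken from any real configuration.
LEGACY_CONFIG = """\
KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes256-gcm@openssh.com
"""
HARDENED_CONFIG = """\
KexAlgorithms mlkem768x25519-sha256,curve25519-sha256
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
"""

if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "OK")
```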
Peter Müller [Sun, 28 Sep 2025 19:51:00 +0000 (19:51 +0000)]
initscripts: Always wait for xtables lock when running iptables commands
If not explicitly instructed to do so, iptables by default aborts with
an error message such as
> Can't lock /run/xtables.lock: Resource temporarily unavailable
> Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
if the Xtables lock is still set, i.e., another iptables operation is
currently in progress. This causes iptables commands not to be executed
at all if there are delays during the boot procedure, e.g. due to a slow
PPPoE dial-up procedure or similar.
To ensure deterministic behavior, this patch modifies initscripts to
always execute iptables so that it waits for the Xtables lock to be released, to
make sure iptables rules are installed properly (the "firewall"
initscript is doing so already).
Fixes: #13896 - OpenVPN RW port not opened in firewall after reboot
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Tested-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sun, 28 Sep 2025 22:29:00 +0000 (22:29 +0000)]
Tor: Update to 0.4.8.18
Changes in version 0.4.8.18 - 2025-09-16
This is a minor release with a major onion service directory cache (HSDir)
bug fix. A series of minor bugfixes as well. As always, we strongly recommend
upgrading as soon as possible.
o Major bugfixes (onion service directory cache):
- Preserve the download counter of an onion service descriptor
across descriptor uploads, so that recently updated descriptors
don't get pruned if there is memory pressure soon after update.
Additionally, create a separate torrc option MaxHSDirCacheBytes
that defaults to the former 20% of MaxMemInQueues threshold, but
can be controlled by relay operators under DoS. Also enforce this
threshold during HSDir uploads. Fixes bug 41006; bugfix
on 0.4.8.14.
o Minor feature (padding, logging):
- Reduce the amount of messages being logged related to channel
padding timeout when log level is "notice".
o Minor features (fallbackdir):
- Regenerate fallback directories generated on September 16, 2025.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2025/09/16.
o Minor bugfix (conflux):
- Remove the pending nonce if we realize that the nonce of the
unlinked circuit is not tracked anymore. Should avoid the non
fatal assert triggered with a control port circuit event. Fixes
bug 41037; bugfix on 0.4.8.15.
o Minor bugfixes (circuit handling):
- Prevent circuit_mark_for_close() from being called twice on the
same circuit. Second fix attempt. Fixes bug 41106; bugfix
on 0.4.8.17.
o Minor bugfixes (threads):
- Make thread control POSIX compliant. Fixes bug 41109; bugfix
on 0.4.8.17-dev.
Changes in version 0.4.8.17 - 2025-06-30
This is a minor release providing a series of minor features especially in the realm
of TLS. It also brings a new set of recommended and required sub protocols.
And finally, few minor bugfixes, nothing major. As always, we strongly
recommend you upgrade as soon as possible.
o Minor features (security, TLS):
- When we are running with OpenSSL 3.5.0 or later, support using the
ML-KEM768 for post-quantum key agreement. Closes ticket 41041.
o Minor feature (client, TLS):
- Set the TLS 1.3 cipher list instead of falling back on the
default value.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on June 30, 2025.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2025/06/30.
o Minor features (hsdesc POW):
- Tolerate multiple PoW schemes in onion service descriptors, for
future extensibility. Implements torspec ticket 272.
o Minor features (performance TLS):
- When running with OpenSSL 3.0.0 or later, support using
X25519 for TLS key agreement. (This should slightly improve
performance for TLS session establishment.)
o Minor features (portability):
- Fix warnings when compiling with GCC 15. Closes ticket 41079.
o Minor features (recommended protocols):
- Directory authorities now vote to recommend that clients support
certain protocols beyond those that are required. These include
improved support for connecting to relays on IPv6, NtorV3, and
congestion control. Part of ticket 40836.
o Minor features (required protocols):
- Directory authorities now vote to require clients to support the
authenticated SENDME feature, which was introduced in
0.4.1.1-alpha. Part of ticket 40836.
- Directory authorities now vote to require relays to support
certain protocols, all of which have been implemented since
0.4.7.4-alpha or earlier. These include improved support for
connecting to relays on IPv6, NtorV3, running as a rate-limited
introduction point, authenticated SENDMEs, and congestion control.
Part of ticket 40836.
o Minor bugfix (conflux):
- Avoid a non fatal assert when describing a conflux circuit on the
control port after being prepped to be freed. Fixes bug 41037;
bugfix on 0.4.8.15.
o Minor bugfixes (circuit handling):
- Prevent circuit_mark_for_close() from being called twice on the
same circuit. Fixes bug 40951; bugfix on 0.4.8.16-dev.
o Minor bugfixes (compiler warnings):
- Make sure the two bitfields in the half-closed edge struct are
unsigned, as we're using them for boolean values and assign 1 to
them. Fixes bug 40911; bugfix on 0.4.7.2-alpha.
o Minor bugfixes (threads, memory):
- Improvements in cleanup of resources used by threads. Fixes bug
40991; bugfix on 0.4.8.13-dev.
- Rework start and exit of worker threads.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 25 Sep 2025 17:22:53 +0000 (19:22 +0200)]
expat: Update to version 2.7.3
- Update from version 2.7.2 to 2.7.3
- Update of rootfile
- Changelog
2.7.3
Security fixes:
Fix alignment of internal allocations for some non-amd64
architectures (e.g. sparc32); fixes up on the fix to
CVE-2025-59375 from #1034 (of Expat 2.7.2 and related
backports)
Fix a class of false positives where input should have been
rejected with error XML_ERROR_ASYNC_ENTITY; regression from
CVE-2024-8176 fix pull request #973 (of Expat 2.7.0 and
related backports). Please check the added unit tests for
example documents.
Other changes:
Prove and regression-proof absence of integer overflow
from function expat_realloc
Remove "harmless" cast that truncated a size_t to unsigned
Autotools: Remove "ln -s" discovery
docs: Be consistent with use of floating point around
XML_SetAllocTrackerMaximumAmplification
docs: Make it explicit that XML_GetCurrentColumnNumber starts at 0
docs: Better integrate the effect of the activation thresholds
docs: Fix an in-comment typo in expat.h
docs: Fix a typo in README.md
docs: Improve change log of release 2.7.2
xmlwf: Resolve use of functions XML_GetErrorLineNumber
and XML_GetErrorColumnNumber
Windows: Normalize .bat files to CRLF line endings
Version info bumped from 12:0:11 (libexpat*.so.1.11.0)
to 12:1:11 (libexpat*.so.1.11.1); see https://verbump.de/
for what these numbers do
Infrastructure:
CI: Cleanup UndefinedBehaviorSanitizer fatality
CI|Linux: Stop aborting at first job failure
CI|FreeBSD: Upgrade to FreeBSD 15.0
CI|FreeBSD: Do not install CMake meta-package
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 25 Sep 2025 11:12:52 +0000 (13:12 +0200)]
proxy.cgi: Further fix for bug 13893
- Previous patch for proxy.cgi was related to the mitigation provided by the bug reporter
for the parameter VISIBLE_HOSTNAME. This parameter however was not mentioned in the
description for that bug.
- bug 13893 description mentions TLS_HOSTNAME, UPSTREAM_USER, UPSTREAM_PASSWORD,
ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD but it mentions them as being from dns.cgi
which is incorrect except for TLS_HOSTNAME.
- The other parameters are from proxy.cgi but no mitigation was shown for those in the
bug report.
- This patch adds fixes for the parameters UPSTREAM_USER, UPSTREAM_PASSWORD,
ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD.
Fixes: bug 13893 - proxy.cgi Multiple Parameters Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 24 Sep 2025 16:36:12 +0000 (18:36 +0200)]
ovpnmain.cgi: Remove the auth-nocache directive from clients
This seems to have some weird effects on Windows clients using OpenVPN
2.6.14 where username/password popup appears after one hour. Since we
don't use any real username/password authentication, we will have to
make sure that the client keeps using the fake data that we have added
to the configuration.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 24 Sep 2025 16:30:59 +0000 (18:30 +0200)]
openvpn: Return something if the authentication is in an unknown state
Sometimes, the clients seem to be sending a PUSH_REQUEST which is not
receiving a reply from the server. That is because the authenticator
might not respond at all on the socket.
In that case, we should just aim to restart the authentication and hope
that the client will come back with something that we expected.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Robin Roevens [Wed, 24 Sep 2025 06:11:48 +0000 (08:11 +0200)]
zabbix_agentd: Update to 7.0.18 (LTS)
- Update of rootfile not required
Bugs fixed:
- ZBX-26723 Fixed Zabbix Agent active remote command getting timeout applied due to incorrect parsing of JSON
- ZBX-26697 Fixed memory error in sender when trying to read invalid response
- ZBX-26477 Fixed vfs.dir.get ignoring entries with 0 unixtime and fixed vfs.file.get having null values for time fields in this case
- ZBX-26143 Fixed duplicated address issue after redirection and disabled history upload on Agent connection failure until the connection is re-established
Full changelogs:
- https://www.zabbix.com/rn/rn7.0.17
- https://www.zabbix.com/rn/rn7.0.18
- https://www.zabbix.com/rn/rn7.0.10
- https://www.zabbix.com/rn/rn7.0.11
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 22 Sep 2025 13:08:26 +0000 (14:08 +0100)]
arpwatch: Add status command to the initscript
This is not very reliable as the exit codes are not very clean, but it
is good enough to tell the user on the terminal whether arpwatch is
running and it will fix the web UI output.
Fixes: #13874 - Arpwatch does not display correct status on service.cgi
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 23 Jul 2025 14:59:56 +0000 (16:59 +0200)]
hostapd: Introduce new WiFi modes to accommodate all different modes
Using just 802.11ac does not entirely cover how the hardware could be
configured. Some devices support 20, 40, 80 or even 160 MHz channels
which is now being implemented here.
The channel offsets are computed manually or will be automatically
selected by hostapd if we are using ACS.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 17 Jul 2025 18:07:10 +0000 (18:07 +0000)]
hostapd: Rebase the configuration on the upstream default config
Most options are added, but not enabled. There are however the following
changes:
* Enable Operating Channel Validation
* Enable Fast BSS Transition (802.11r)
* Support for 802.11ax and 802.11be
* Disable the internal randomness pool
* Enable Interworking (802.11u)
* Enable Fast Session Transfer (FST)
* Enable Multiband Operation support
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 20 Sep 2025 14:02:01 +0000 (14:02 +0000)]
arpwatch: Fix the envelope sender
arpwatch invokes sendmail without passing the envelope sender
explicitly. This can cause mails to get rejected if the From: header
does not match the envelope sender.
This patch passes the correct address as the envelope sender.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Increase default to `num-queries-per-thread: 2048`, when unbound is compiled with libevent. It makes saturation of the task queue more resource intensive and less practical. Thanks to Shiming Liu, Network and Information Security Lab, Tsinghua University for the report.
Merge #1276: Auto-configure '-slabs' values.
Change default for so-sndbuf to 1m, to mitigate a cross-layer issue where the UDP socket send buffers are exhausted waiting for ARP/NDP resolution. Thanks to Reflyable for the report.
Adjusted so-sndbuf default to 4m.
Merge #1289 from Roland van Rijswijk-Deij: Add extra statistic to track the number of signature validation operations. Adds 'num.valops' to extended statistics.
Fix #1303: [FR] Disable TLSv1.2.
unbound-control cache_lookup <domains> prints the cached rrsets and messages for those.
unbound-control cache_lookup +t allows tld and root names. And subnet cache contents are printed.
Fix #1319: [FR] zone status for Unbound auth-zones.
Bug Fixes
Fix #1272: assertion failure testcode/unitverify.c:202.
Merge #1275: Use macros for the fr_check_changed* functions.
Fix for parallel build of dnstap protoc-c output.
Fix dnstap to use protoc.
Sync unbound and unbound-checkconf log output for unknown modules.
Fix #1281: forward-zone "name: ." conflicts with auth-zone "name: ." in 1.23.0, but worked in 1.22.0.
Fix #1283: Unsafe usage of atoi() while parsing the configuration file.
Merge #1280: Fix auth nsec3 code. Fixes NSEC3 code to not break on broken auth zones that include unsigned out of zone (above apex) data. Could lead to hang while trying to prove a wildcard answer.
Fix #1284: NULL pointer deref in az_find_nsec_cover() (latent bug) by adding a log_assert() to safeguard future development.
Fix #1282: log-destaddr fail on long ipv6 addresses.
Fix config of slab values when there is no config file.
Fix for cname chain length with qtype ANY and qname minimisation. Thanks to Jim Greenwood from Nominet for the report.
Merge #1285: RST man pages. It introduces restructuredText man pages to sync the online and source code man page documentation. The templated man pages (*.in) are still part of the repo but generated with docutils from their .rst counterpart. Documentation on how to generate those (mainly for core developers) is in README.man.
Add more checks about respip in unbound-checkconf. Also fixes #310: unbound-checkconf not reporting RPZ configuration error.
Fix #1288: [FR] Improve fuzzing of unbound by adapting the netbound program.
Small manpage corrections for the 'disable-dnssec-lame-check' option.
Fix unbound-anchor certificate file read for line ends and end of file.
Fix comment for the dname_remove_label_limit_len function.
iana portlist updated.
Fix bitwise operators in conditional expressions with parentheses.
Fix conditional expressions with parentheses for bitwise and.
Fix header return value description for skip_pkt_rrs and parse_edns_from_query_pkt.
Fix to check control-interface addresses in unbound-checkconf.
Fix #1295: Windows 32-bit binaries download seems to be missing dll dependency.
Fix for consistent use of local zone CNAME alias for configured auth zones. Now it also applies to downstream configured auth zones.
Fix #1296: DNS over QUIC depends on a very outdated version of ngtcp2. Fixed so it works with ngtcp2 1.13.0 and OpenSSL 3.5.0.
Merge #1297: edns-subnet: fix NULL_AFTER_DEREF on subnetmod.
Fix rrset cache create allocation failure case.
Fix #1293: EDE 6 is attached to insecure cached answers when client sends the CD bit.
Fix #1247: forward-first: ssl handshake failed on root nameservers.
For #1247, turn off fetch-policy for delegation when looking into parent side name servers that may not update the addresses and hit NXNS limits.
For #1247, replay test (added tcp_transport to outnet_serviced_query).
Merge #1299: Fix typos.
Generate ltmain.sh and configure again.
Fix #1300: Is 'sock-queue-timeout' a linux only feature.
For #1300: implement sock-queue-timeout for FreeBSD as well.
Fix layout of comm_point_udp_ancil_callback.
Fix to improve dnstap discovery on Fedora.
Fix detection of SSL_CTX_set_tmp_ecdh function.
For #1301: configure can't find SSL_is_quic in OpenSSL 3.5.1.
For #1289: test num.valops in existing stat_values.tdir.
For #1289: add num.valops in the unbound-control man page.
Add unit tests for non-ecs aggregation.
Fix to not set rlimits in the unit tests.
iana portlist updated.
Redis checks for server down and throttles reconnects.
Fix redis cachedb module gettimeofday init failure.
Fix testbound test program to accurately output packets from hex.
Fix #1309: incorrectly reclaimed tcp handler can cause data corruption and segfault.
Fix to use assertions for consistency checks in #1309 reclaimed tcp handlers.
Fix edns subnet, so that the subquery without subnet is stored in global cache if the querier used 0.0.0.0/0 and the name and address do not receive subnet treatment. If the name and address are configured for subnet, it is stored in the subnet cache.
Fix dname_str for printout of long names. Thanks to Jan Komissar for the fix.
Fix that edns-subnet failure to create a subquery errors as servfail, and not formerror.
Fix to whitespace in dname_str.
Fix that unbound-control dump_cache releases the cache locks every so often, so that the server stays responsive.
Fix to remove debug from cache_lookup.
Fix to unlock cache_lookup message for malformed records.
Fix to increase responsiveness of dump_cache.
Fix to decouple file descriptor activity and cache lookups in dump_cache.
Fix cache_lookup subnet printout to wipe zero part of the prefix.
Fix cache_lookup subnet print to not print messages without rrsets and perform in-depth check on node in the addrtree.
Fix to check for extraneous command arguments for unbound-control, when the command takes no arguments but there are arguments present.
Fix #1317: Unbound starts too early. Add Wants=network-online.target under [Unit] in unbound.service.
Fix for #1317: Fix contrib/unbound.service comment path for systemd network configuration.
For #1318: Fix compile warnings for DoH compile on windows.
Fix sha1 enable environment variable in test code on windows.
Fix that the zone acquired timestamp is set after the zonefile is read.
Fix ports workflow to install expat for macos.
Fix unbound-control dump_cache for double unlock of lruhash table.
Fix setup_listen_sslctx warning for nettle compile.
Limit the number of consecutive reads on an HTTP/2 session. Thanks to Gal Bar Nahum for exposing the possibility of infinite reads on the session.
Fix for #1324: Fix to free edns options scratch in ratelimit case.
Fix #1235: Outdated Python2 code in unbound/pythonmod/examples/log.py.
Fix #1324: Memory leak in 'msgparse.c' in 'parse_edns_options_from_query(...)'.
Fix indentation in tcp-mss option parsing.
For #1328: make depend.
Update documentation for using "SET ... EX" in Redis.
Document max buffer sizes for Redis commands.
Update man pages.
Fix #1332: CNAME chains are sometimes not followed when RPZs add a local CNAME rewrite.
Update contrib/aaaa-filter-iterator.patch so it applies on 1.24.0.
Small debug output improvement when attaching an EDE.
Fix to print warning for when so-sndbuf setsockopt is not granted.
Too many quotes for the EDE message debug printout.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>