Stephen Cuka [Fri, 18 Apr 2025 21:28:33 +0000 (15:28 -0600)]
pakfire.cgi: Change titles on confirmation pages.
- Change confirmation page titles from 'Request' to 'Install' and 'Remove'.
Signed-off-by: Stephen Cuka <stephen@firemypi.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This function uses the newly introduced downloader to fetch
the public IPv4 address on red and will replace the currently used one
from the general-functions.pl library.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://github.com/htop-dev/htop/blob/main/ChangeLog
"What's new in version 3.4.1
* Support for PMAPI v3 for PCP
* PCP code cleanups
* Proper checks for strchrnul
* Code cleanup in the NetworkIOMeter
* Improved documentation for the --user option
* Display stuck processes on Darwin
* Handle issues when the monotonic clock runs backwards
* Fix builds using native curses on NetBSD"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 7 Apr 2025 12:53:40 +0000 (14:53 +0200)]
smartmontools: Add update of drive database
- Existing install uses database provided with source tarball. The database is also
updated on a periodic basis which can vary between a few weeks up to 6 months or so.
- The last release was back in Aug 2023 so the database all users will have is quite old.
- This patch adds a script into the monthly fcron directory that will run the
update-smart-drivedb script from the smartmontools installation. This script downloads
the database file via https and also checks the signature of the file to ensure that
it has not been changed in any way. The script is run with the -q (quiet) option.
The script checks if the downloaded database is corrupted and will not install it if
it is corrupted. It checks if the database has changed since the last version
installed on the system. If not changed it does not replace the file.
- Tested this out with my production IPFire system and I ended up with the latest
database from 3 weeks ago.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 7 Apr 2025 18:43:44 +0000 (20:43 +0200)]
netovpnrw.cgi: Fixes bug13838 - additional file name correction for collectd-5.x
- One location in netovpnrw.cgi was missed with a filename change coming from the collectd
update.
- This resulted in missing graph content for the openvpn road warrior graphs.
- Tested out on my production IPFire system. Making the change resulted in the graphs
being visible again.
Fixes: Bug13838
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 7 Apr 2025 18:43:43 +0000 (20:43 +0200)]
graphs.pl: Fixes bug13838 - additional file name corrections for collectd-5.x
- Two locations in graphs.pl were missed with filename changes coming from the collectd
update.
- These result in missing graph content for the openvpn road warrior graphs.
- Tested out on my production IPFire system. Making the changes resulted in the graphs
being visible again.
Fixes: bug13838
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 2 Apr 2025 20:25:40 +0000 (22:25 +0200)]
libarchive: Update to version 3.7.9
- Update from version 3.7.7 to 3.7.9
- Update of rootfile
- 3 CVE fixes in 3.7.8
- Changelog
3.7.9
Important bugfixes:
a regression in libarchive 3.7.8 regarding GNU sparse entries was fixed
(#2558)
3.7.8
Security fixes:
tar reader: Handle truncation in the middle of a GNU long linkname (#2422,
CVE-2024-57970)
unzip: fix null pointer dereference (#2532, CVE-2025-1632)
tar reader: fix unchecked return value in list_item_verbose() (#2532,
CVE-2025-25724)
Important bugfixes:
7zip reader: add SPARC (#2399) and POWERPC (#2459) filter support for
non-LZMA compressors
tar reader: Ignore ustar size when pax size is present (#2405)
tar writer: Fix bug when -s/a/b/ used more than once with b flag (#2435)
cpio: Fix a Y2038 bug on Windows (#2471)
libarchive: Handle ARCHIVE_FILTER_LZOP in archive_read_append_filter (#2519)
libarchive: Adding missing seeker function to archive_read_open_FILE() (#2539)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 8 Apr 2025 21:37:27 +0000 (23:37 +0200)]
xz: Update to version 5.8.1
- Update from version 5.8.0 to 5.8.1
- Update of rootfile
- Changelog
5.8.1
IMPORTANT: This includes a security fix for CVE-2025-31115 which
affects XZ Utils from 5.3.3alpha to 5.8.0. No new 5.4.x or 5.6.x
releases will be made, but the fix is in the v5.4 and v5.6 branches
in the xz Git repository. A standalone patch for all affected
versions is available as well.
* Multithreaded .xz decoder (lzma_stream_decoder_mt()):
- Fix a bug that could at least result in a crash with
invalid input. (CVE-2025-31115)
- Fix a performance bug: Only one thread was used if the whole
input file was provided at once to lzma_code(), the output
buffer was big enough, timeout was disabled, and LZMA_FINISH
was used. There are no bug reports about this, thus it's
possible that no real-world application was affected.
* Avoid <stdalign.h> even with C11/C17 compilers. This fixes the
build with Oracle Developer Studio 12.6 on Solaris 10 when the
compiler is in C11 mode (the header doesn't exist).
* Autotools: Restore compatibility with GNU make versions older
than 4.0 by creating the package using GNU gettext 0.23.1
infrastructure instead of 0.24.
* Update Croatian translation.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 2 Apr 2025 20:25:39 +0000 (22:25 +0200)]
kmod: Update to version 34.2
- Update from version 34.1 to 34.2
- Update of rootfile not required
- Changelog
34.2
NEWS: squash a couple of typos
libkmod: fix buffer-overflow in weakdep_to_char
testsuite: Add modprobe -c test for weakdep
autotools: Fix generated files in tarball
kmod 34.2
libkmod: release memory on builtin error path
libkmod: fix buffer-overflow in weakdep_to_char
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 2 Apr 2025 20:25:38 +0000 (22:25 +0200)]
jansson: Update to version 2.14.1
- Update from version 2.14 to 2.14.1
- Update of rootfile
- Changelog
2.14.1
Fixes:
- Fix thread safety of encoding and decoding when `uselocale` or `newlocale`
is used to switch locales inside the threads (#674, #675, #677. Thanks to
Bruno Haible for the report and help with fixing.)
- Use David M. Gay's `dtoa()` algorithm to avoid misprinting issues of real
numbers that are not exactly representable as a `double` (#680).
If this is not desirable, use `./configure --disable-dtoa` or `cmake
-DUSE_DTOA=OFF .`
Build:
- Make test output nicer in CMake based builds (#683)
- Simplify tests (#685)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 2 Apr 2025 20:25:37 +0000 (22:25 +0200)]
gdbm: Update to version 1.25
- Update from version 1.24 to 1.25
- Update of rootfile not required
- Changelog
1.25
New function: gdbm_open_ext
This function provides a general-purpose interface for opening and
creating GDBM files. It combines the possibilities of gdbm_open
and gdbm_fd_open and provides detailed control over database file
locking.
New gdbmtool command: collisions
The command prints the collision chains for the current bucket, or
for the buckets identified by its arguments:
collisions
Display collisions for the current bucket.
collisions N
Display collisions for bucket N.
collisions N0 N1
Display collisions for the range of buckets [N0, N1].
Pipelines in gdbmtool
The output of a gdbmtool command can be connected to the input of a
shell command using the traditional pipeline syntax.
Fix a bug in block coalescing code
Other bugfixes
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 2 Apr 2025 20:25:36 +0000 (22:25 +0200)]
ffmpeg: Update to version 7.1.1
- Update from version 7.1 to 7.1.1
- Update of rootfile
- Changelog
7.1.1
avformat/hls: Partially revert "reduce default max reload to 3"
avformat/mov: (v4) fix get_eia608_packet
avformat/iff: Check that we have a stream in read_dst_frame()
avcodec/aac/aacdec_lpd: Limit get_unary()
avcodec/aac/aacdec_usac: Simplify decode_usac_scale_factors()
avcodec/aac/aacdec: Clear SFO on error
avformat/mlvdec: fix size checks
avformat/wavdec: Fix overflow of intermediate in block_align check
avformat/mxfdec: Check edit unit for overflow in mxf_set_current_edit_unit()
avformat/hls: Fix twitter
avcodec/vvc/refs: fix negative pps_scaling_win offsets
libavformat/hls: Be more restrictive on mpegts extensions
avformat/hls: .ts is always ok even if its a mov/mp4
avcodec/h263dec: Check against previous dimensions instead of coded
avformat/hls: Print input format in error message
avformat/hls: Be more picky on extensions
avformat/iamf_parse: ensure there's at most one of each parameter types in
audio elements
avformat/iamf_parse: add missing constrains for num_parameters in
audio_element_oub()
avformat/iamf_parse: add missing av_free() call on failure path
lavc/hevcdec: unbreak WPP/progress2 code
fate: Add a dependency on ffprobe for fate-flcl1905
checkasm: aacencdsp: Actually test nonzero values in quant_bands
x86: aacencdsp: Fix negating signed values in aac_quantize_bands
rtmpproto: Avoid rare crashes in the fail: codepath in rtmp_open
configure: Improve the check for the rsync --contimeout option
avutil/downmix_info: add missing semicolon
doc/t2h: Support texinfo 7.1 and 7.2 pretest
avfilter/drawtext: fix memory leak when using "reinit" runtime command
avutil/downmix_info: zero the allocated buffer
avformat/mov: fix overflow in drift timestamp calculation
Changelog: update
avformat/mxfdec: Check avio_read() success in mxf_decrypt_triplet()
avcodec/huffyuvdec: Initialize whole output for decode_gray_bitstream()
avformat/iamf_reader: Initialize padding and check read in ff_iamf_read_packet()
avformat/ipmovie: Check signature_buffer read
avformat/wtvdec: Initialize buf
avcodec/cbs_vp9: Initialize VP9RawSuperframeIndex
avformat/vqf: Propagate errors from add_metadata()
avformat/vqf: Check avio_read() in add_metadata()
avcodec/ffv1enc: Fix RCT for GBR colorspace
avformat/dashdec: Check whitelist
avutil/avstring: dont mess with NULL pointers in av_match_list()
avfilter/vf_v360: Fix NULL pointer use
avcodec/mpegvideo_enc: Check FLV1 resolution limits
avcodec/ffv1enc: Fix handling of 32bit unsigned symbols
avformat/mov: perform sanity checks for heif before index building
avformat/mov: Factorize sanity check out
avcodec/vc1dec: Clear block_index in vc1_decode_reset()
avcodec/aacsbr_template: Clear n_q on error
avformat/iamf_parse: Check output_channel_count
avcodec/osq: Fixes several undefined overflows in do_decode()
swscale/output: Fix undefined overflow in yuv2rgba64_full_X_c_template()
avfilter/af_pan: Fix sscanf() use
avfilter/vf_grayworld: Use the correct pointer for av_log()
avfilter/vf_addroi: Add missing NULL termination to addroi_var_names[]()
avcodec/get_buffer: Use av_buffer_mallocz() for audio same as its done for video
avformat/jpegxl_anim_dec: clear buffer padding
avformat/rmdec: check that buf if completely filled
avcodec/cfhdenc: Clear dwt_tmp
avcodec/hapdec: Clear tex buffer
avformat/mxfdec: Check that key was read sucessfull
avformat/hevc: fix writing hvcC when no arrays are provided in hvcC-formatted
input
avformat/rtpdec: int overflow in start_time_realtime
avcodec/decode: Fix incorrect enum type used in side_data_map()
avformat/mov: fix crash when trying to get a fragment time for a non-existing
fragment
avformat/libssh: fix credential variables typo
avformat/hlsenc: check return value of avcodec_parameters_copy()
avformat/dashdec: format open_demux_for_component()
avformat/dashdec: check return code of avcodec_parameters_copy()
avformat/dashdec: return ret directly in open_demux_for_component()
avformat/smoothstreamingenc: check return value of avcodec_parameters_copy()
avcodec/cbs_av1: fix variable shadowing in cbs_av1_split_fragment()
doc/demuxers/dvdvideo: seeking is supported, remove outdated statement
avformat/dvdvideodec: check return code of ff_dvdclut_yuv_to_rgb()
avformat/dvdvideodec: fix missing last chapter marker due to off-by-one
avformat/dvdvideodec: don't allow seeking beyond dvdnav reported duration
avformat/dvdvideodec: discard duplicate or partial AC3 samples
avformat/dvdvideodec: drop packets with unset PTS or DTS
avformat/dvdvideodec: remove unnecessary need_parsing argument
avformat/dvdvideodec: open subdemuxer after initializing IFO headers
avformat/dvdvideodec: remove auto value for menu_lu option
avformat/dvdvideodec: default menu_vts option to 1 and clarify description
avformat/dvdvideodec: check the length of a NAV packet when reading titles
avformat/dvdvideodec: reset the subdemuxer on discontinuity instead of flushing
avformat/dvdvideodec: simplify dvdvideo_read_packet()
avformat/dvdvideodec: enable chapter calculation for menus
avformat/dvdvideodec: standardize the NAV packet event signal
avformat/dvdvideodec: move memcpy below missed NAV packet warning
avformat/dvdvideodec: remove "auto" value for -pg option, default to 1
avformat/dvdvideodec: measure duration of the current menu VOBU in state
avformat/dvdvideodec: fix menu PGC number off-by-one in state
avformat/dvdvideodec: remove unused headers
lavc/aarch64: Fix ff_pred16x16_plane_neon_10
lavc/aarch64: Fix ff_pred8x8_plane_neon_10
aarch64/vvc: Fix clip in alf
vp9: recon: Use emulated edge to prevent buffer overflows
arm: vp9mc: Load only 12 pixels in the 4 pixel wide horizontal filter
aarch64: vp9mc: Load only 12 pixels in the 4 pixel wide horizontal filter
avformat/rpl: Fix check for negative values
avformat/mlvdec: Check avio_read()
avcodec/aac/aacdec: Free channel layout
avformat/mov: dereference pointer after null check
avcodec/utils: Fix block align overflow for ADPCM_IMA_WAV
avformat/matroskadec: Check pre_ns for overflow
tools/target_dec_fuzzer: Adjust threshold for EACMV
tools/target_dec_fuzzer: Adjust threshold for MVC1
tools/target_dec_fuzzer: Adjust Threshold for indeo5
avutil/timecode: Avoid fps overflow in av_timecode_get_smpte_from_framenum()
avcodec/aac/aacdec_usac: Dont leave type at a invalid value
avcodec/aac/aacdec_usac: Clean ics2->max_sfb when first SCE fails
avcodec/webp: Check ref_x/y
avcodec/ilbcdec: Initialize tempbuff2
swscale/swscale_unscaled: Fix odd height with nv24_to_yuv420p_chroma()
avcodec/hevc/hevcdec: initialize qp_y_tab
avformat/qcp: Check for read failure in header
avcodec/eatgq: Check bytestream2_get_buffer() for failure
avformat/dxa: check bpc
swscale/slice: clear allocated memory in alloc_lines()
avcodec/h2645_parse: Ignore NAL with nuh_layer_id == 63
avcodec/mjpegdec: Disallow progressive bayer images
avformat/icodec: fix integer overflow with nb_pal
doc/developer: Document relationship between git accounts and MAINTAINERS
doc/infra: Document trac backup system
doc/infra: Document gitolite
avformat/vividas: Check avio_read() for failure
avformat/ilbc: Check avio_read() for failure
avformat/nistspheredec: Clear buffer
avformat/mccdec: Initialize and check rate.den
avformat/rpl: check channels
INSTALL: explain the circular dependency issue and solution
avformat/mpegts: Initialize predefined_SLConfigDescriptor_seen
avformat/mxfdec: Fix overflow in midpoint computation
swscale/output: used unsigned for bit accumulation
swscale/rgb2rgb_template: Fix ff_rgb24toyv12_c() with odd height
avcodec/rangecoder: only perform renorm check/loop for callers that need it
avcodec/ffv1: add a named constant for the quant table size
avcodec/ffv1: RCT is only possible with RGB
avcodec/ffv1enc: Fix RCT with RGB64
avcodec/ffv1dec: Fix end computation with ec=2
avcodec/ffv1enc: Move slice termination into threads
avcodec/ffv1enc: Prevent generation of files with broken slices
avformat/matroskadec: Check desc_bytes so bits fit in 64bit
avformat/mov: Avoid overflow in dts
avcodec/ffv1enc: Correct error message about unsupported version
avcodec/ffv1: Store and reuse sx/sy
avcodec/ffv1enc: Slice combination is unsupported
avcodec/ffv1enc: 2Pass mode is not possible with golomb coding
avfilter/buffersrc: check for valid sample rate
avcodec/libdav1d: clear the buffered Dav1dData on decoding failure
avformat/iamf_writer: ensure the stream groups are not empty
avformat/iamf_writer: fix setting num_samples_per_frame for OPUS
avformat/iamf_parse: fix setting duration for the last subblock in a
parameter definition
avformat/iamf_parse: add checks to parameter definition durations
avformat/iamf_parse: reject ambisonics mode > 1
checkasm: Print benchmarks of C-only functions
avcodec/ac3dec: fix downmix logic for eac3
avcodec/codec_desc: remove Intra Only prop for AAC
avcodec/mediacodecdec: set set keyframe flag in output frames
avcodec/libfdk-aacenc: set keyframe in output packets
avcodec/libfdk-aacdec: set keyframe flag and profile in output frames
avcodec/audiotoolboxnec: set set keyframe flag in output packets
avcodec/audiotoolboxdec: set set keyframe flag in output frames
avcodec/aacenc: set keyframe flag in output packets
avcodec/aac/aacdec: set keyframe flag in output frames
avcodec/aac_parser: set key_frame and profile
avformat/mov: don't unconditionally set all audio packets in fragments as key
frames
avformat/matroskadec: set all frames in a keyframe simple box as keyframes
avformat/test/movenc: set audio packets as key frames
avformat/movenc: write stss boxes for xHE-AAC
avformat/spdifdec: parse headers for audio codecs
avformat/movenc: don't disable edit lists when writing CMAF output
avcodec/libfdk-aacenc: export CPB properties
avformat/movenc: don't write a calculated avgBitrate when the provided one is
unset
libavutil/riscv: Make use of elf_aux_info() on FreeBSD / OpenBSD riscv
libavutil/ppc: defines involving bit shifts should be unsigned
libavutil/ppc: Include the hardware feature flags like the other archs
lavu/riscv: fix compilation without Vector support
avfilter/f_loop: fix aloop activate logic
avfilter/f_loop: fix length of aloop leftover buffer
avfilter/vf_zscale: align the frame buffers
lavfi/vf_zscale: fix call to av_pix_fmt_count_planes
lavfi/vf_zscale: fix tmp buffer ptr alignment for zimg_filter_graph_process
avfilter/framepool: align the frame buffers
avcodec/h2645_sei: use the RefStruct API for film_grain_characteristics
avcodec/aom_film_grain: allocate film grain metadata dynamically
avformat/mov: use an array of pointers for heif_item
avformat/mov: split off heif item initialization to its own function
avformat/mov: factorize getting the current item
lavc/h264idct: fix RISC-V group multiplier
lavc/h264dsp: move RISC-V fn pointers to .data.rel.ro
avcodec/jpegxl_parser: fix reading lz77-pair as initial entropy symbol
avcodec/jpegxl_parser: check entropy_decoder_read_symbol return value
avcodec/cbs_h266: Fix regression in DVB clip introduced by 93281630a71c06642adfebebb0d4b105a4e02e91
avcodec/x86/vvc: add prototypes for OF functions
Document stream specifier syntax change from 46cbe4ab5c
fftools/ffplay: fix crash when vk renderer is null
avutil/wchar_filename: re-introduce explicit cast of void* to char*
fate/ffmpeg: add samples dependency to fate-ffmpeg-spec-disposition
fftools/ffmpeg_filter: treat apad filter as a source
lavc/avcodec: fix global/private option precendence
avfilter/framesync: fix forward EOF pts
avcodec/vaapi_encode: fix compilation without CONFIG_VAAPI_1
libavcodec: x86: Remove an explicit include of config.asm
checkasm: lls: Use relative tolerances rather than absolute ones
arm: Consistently use proper interworking function returns
avcodec/libx265: unbreak build for X265_BUILD >= 213
fftools: log unconnected filter output label
fftools: do not access out of bounds filtergraph
avcodec/mediacodecenc: Fix access of uninitialized value
avformat/img2enc: Fix integer truncation when frame_pts is enabled
avformat/internal: Add ff_get_frame_filename
avformat/mov: don't return the latest stream when an item stream is expected
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 1 Apr 2025 20:50:02 +0000 (22:50 +0200)]
backup.pl: Fixes bug13737 - restarts ipsec to use the restored certs etc
- This adds a check if the ipsec server is enabled. If it is then ipsecctrl is run to
restart ipsec and ensure that the restored certs are all being used.
- Tested this out on my vm testbed and confirmed that with this I could restore a backup
and make the client connection as previously set up.
- Without this I had to press the Save button on the ipsec WUI page to get the certs
etc being used.
Fixes: bug13737
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 1 Apr 2025 18:08:00 +0000 (20:08 +0200)]
backup.pl: Fixes bug13737 - restarts ipsec to use the restored certs etc
- This adds a check if the ipsec server is enabled. If it is then ipsecctrl is run to
restart ipsec and ensure that the restored certs are all being used.
- Tested this out on my vm testbed and confirmed that with this I could restore a backup
and make the client connection as previously set up.
- Without this I had to press the Save button on the ipsec WUI page to get the certs
etc being used.
Fixes: bug13737
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 1 Apr 2025 18:07:59 +0000 (20:07 +0200)]
include: Add the contents of the ipsec certs directory to the backup
- Previously only the .pem files were backed up from the /var/ipfire/certs/ directory.
That was okay in the past as the serial and index files never changed after the
root/host cert set was created.
- With the renew process then the serial and index files get updated and these are needed
to match with the cert status that was backed up. Otherwise you could end up with one
set of values in the serial and index files that did not match with the restored
certs.
- This patch adds all the contents of the certs directory to the backup.
- Tested out on my vm testbed and successfully restored a backup and was able to connect
with the same client settings.
Fixes: bug13737
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 1 Apr 2025 18:07:58 +0000 (20:07 +0200)]
vpnmain.cgi: Fixes bug13737 - revoke any deleted client certificate
- As the serial number is incremented now for each new cert that is created, then when a
client cert is deleted from the ipsec list in the wui then that cert must be revoked
otherwise it will still be listed in the .index file as a valid certificate and then
the certificate name and DN could never be used again.
- Running the revoke command when deleting a client cert leaves the details in the .index
file but the same name can then be re-used and will get a new serial number etc.
Fixes: bug13737
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- This first part removes all usages of &cleanssldatabase with the client certificates.
This is not needed here. If used then the serial number would be moved back to 01 when
an existing client certificate is removed or a new one created, even if no errors
occurred.
- The usage of &cleanssldatabase has also been removed from the root/host cert creation
if it was successful, otherwise the index file is moved back to being empty and the
serial file to containing 01.
- The only usage now of the &cleanssldatabase is for when the root/host cert set is
being created or if an uploaded cert has been checked as good to install.
- This now means that each time a new client certificate is created the serial number
is incremented.
- The removal of the x509 root/host cert also unlinks all .pem files in the certs
directory and therefore also all the 01.pem, 02.pem etc files so the
&cleanssldatabase routine no longer needs to unlink the 01.pem file
- The &newcleanssldatabase script is no longer needed, as the &cleanssldatabase commands
used covers the required cleaning, so it has been removed.
- This patch together with the others from this set have been tested out on my vm system
and I was able to create a new root/host cert set and then new client certs and make
an ipsec certificate connection successfully. I could then renew the host cert and
the client connection still worked.
Fixes: bug13737
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
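The CA database state that the two vpnmain.cgi commits above describe (a client certificate deleted from the list but never revoked keeps its V entry and blocks reuse of its DN, a revoked one stays in the index as R and frees the name, and the serial file holds the next serial), as an added shell example that is not IPFire code. The index.txt and serial contents are constructed sample data, and mark_revoked only reproduces the index change, it does not call openssl.

```shell
#!/bin/sh
# Added example (not IPFire code): inspects an OpenSSL CA database of the
# kind vpnmain.cgi maintains in the certs directory. All data is constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
INDEX="$WORK/index.txt"
SERIAL="$WORK/serial"

# index.txt is tab separated: status (V/R/E), expiry, revocation date,
# serial, certificate filename ("unknown"), subject DN.
{
    printf 'V\t260101000000Z\t\t01\tunknown\t/C=XX/O=IPFire/CN=root\n'
    printf 'V\t260101000000Z\t\t02\tunknown\t/C=XX/O=IPFire/CN=host\n'
    printf 'R\t260101000000Z\t250401120000Z\t03\tunknown\t/C=XX/O=IPFire/CN=alice\n'
    printf 'V\t260101000000Z\t\t04\tunknown\t/C=XX/O=IPFire/CN=bob\n'
} > "$INDEX"
# The serial file holds the serial the next signed certificate will get.
printf '05\n' > "$SERIAL"

# dn_in_use INDEX DN: succeeds when a still-valid (V) entry carries DN.
# openssl ca refuses to issue a new certificate for a subject that still
# has a V entry; R entries do not count.
dn_in_use() {
    awk -F '\t' -v dn="$2" \
        '$1 == "V" && $6 == dn { found = 1 } END { exit !found }' "$1"
}

# next_serial SERIALFILE: the serial the next client certificate receives.
next_serial() {
    tr -d '[:space:]' < "$1"
}

# count_status INDEX STATUS: number of entries with the given status letter.
count_status() {
    awk -F '\t' -v st="$2" '$1 == st { n++ } END { print n + 0 }' "$1"
}

# mark_revoked INDEX SERIAL DATE: reproduces the index change that
# `openssl ca -revoke` makes. The entry is kept, V becomes R and the
# revocation date is filled in, so the DN is free for a new certificate.
mark_revoked() {
    awk -F '\t' -v OFS='\t' -v serial="$2" -v when="$3" \
        '$1 == "V" && $4 == serial { $1 = "R"; $3 = when } { print }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Scenario from the commit: bob's cert was removed from the WUI list but
# never revoked, so index.txt still says V and the name cannot be reused.
if dn_in_use "$INDEX" "/C=XX/O=IPFire/CN=bob"; then
    echo "bob: still valid in index.txt, name blocked"
fi
# alice was revoked (R), so her DN can be issued again with a new serial.
if ! dn_in_use "$INDEX" "/C=XX/O=IPFire/CN=alice"; then
    echo "alice: revoked, name reusable, next serial $(next_serial "$SERIAL")"
fi
# Revoke bob the way the fixed vpnmain.cgi does when a client cert is deleted.
mark_revoked "$INDEX" 04 250418000000Z
if ! dn_in_use "$INDEX" "/C=XX/O=IPFire/CN=bob"; then
    echo "bob: revoked, entry kept as R, name reusable"
fi
```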
Adolf Belka [Tue, 1 Apr 2025 12:26:50 +0000 (14:26 +0200)]
core194: Ship changed openssl.cnf file from CU184
- openssl.cnf had copy_extensions = copyall added to the [ IPFire ] section as part of
the ipsec host cert renewal process but the file was not shipped with the
Core Update 184 update. So only users doing fresh installs of CU184 or later will
have the updated openssl.cnf file.
- This patch rectifies that situation.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 31 Mar 2025 14:35:26 +0000 (16:35 +0200)]
firewall: Explicitly don't NAT any aliases
It seems that there is a problem with local connections that have
preselected an outgoing interface. That will work just fine, but
ultimately the packet will be NATed back to the primary RED IP address.
To prevent this, we are adding some extra rules that skip the MASQUERADE
target.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
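The rule layout the commit above describes, as an added shell example that is not IPFire's firewall code: one RETURN rule per RED alias address placed ahead of MASQUERADE, together with a check over an iptables-save style dump that flags an alias that would still be masqueraded to the primary RED address (for instance when the RETURN rules end up after MASQUERADE). Interface name, addresses and the exact rule form are assumptions.

```shell
#!/bin/sh
# Added example (not IPFire's firewall script). Sample values are constructed.
set -eu

RED_DEV="red0"
ALIASES="203.0.113.11 203.0.113.12"

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# nat_rules: emit the nat POSTROUTING rules in append order. iptables stops
# at the first terminating target, so a packet sourced from an alias hits
# RETURN and never reaches MASQUERADE, which would rewrite its source to
# the primary RED address.
nat_rules() {
    for alias in $ALIASES; do
        echo "-A POSTROUTING -o $RED_DEV -s $alias/32 -j RETURN"
    done
    echo "-A POSTROUTING -o $RED_DEV -j MASQUERADE"
}

# alias_reaches_masquerade DUMP DEV ALIAS: exit 0 when, in an iptables-save
# style dump, traffic from ALIAS leaving DEV would be masqueraded, i.e. a
# MASQUERADE rule on DEV comes before any RETURN rule for ALIAS, or no
# RETURN rule for ALIAS exists at all.
alias_reaches_masquerade() {
    awk -v dev="$2" -v alias="$3" '
        /^-A POSTROUTING / && $0 ~ ("-o " dev " ") {
            if ($0 ~ ("-s " alias "/32 ") && / -j RETURN$/) { saved = 1 }
            else if (/ -j MASQUERADE$/ && !saved) { nat = 1; exit }
        }
        END { exit nat ? 0 : 1 }
    ' "$1"
}

# Before the fix: only MASQUERADE on RED (constructed iptables-save excerpt).
printf '%s\n' "-A POSTROUTING -o $RED_DEV -j MASQUERADE" > "$WORK/before.rules"
# After the fix: the rules nat_rules emits.
nat_rules > "$WORK/after.rules"
# Wrong order: RETURN rules appended after MASQUERADE never match.
{
    printf '%s\n' "-A POSTROUTING -o $RED_DEV -j MASQUERADE"
    nat_rules | grep RETURN
} > "$WORK/misordered.rules"

for alias in $ALIASES; do
    if alias_reaches_masquerade "$WORK/before.rules" "$RED_DEV" "$alias"; then
        echo "before:     $alias would be NATed to the primary RED address"
    fi
    if ! alias_reaches_masquerade "$WORK/after.rules" "$RED_DEV" "$alias"; then
        echo "after:      $alias keeps its own source address"
    fi
    if alias_reaches_masquerade "$WORK/misordered.rules" "$RED_DEV" "$alias"; then
        echo "misordered: $alias is still NATed, RETURN comes too late"
    fi
done
```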