Michael Tremer [Thu, 4 Mar 2021 15:08:25 +0000 (15:08 +0000)]
core155: It looks like our tooling can't handle this
Python3 has a common rootfile for x86_64 and aarch64 and separate files
for armv5tel and i586. The core update build scripts cannot deal with
this which makes it necessary to create individual links to the correct
rootfile for each architecture.
Third time lucky.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 2 Mar 2021 18:43:06 +0000 (18:43 +0000)]
firewall: Remove ALGs from UI
This change drops the UIs that could enable ALGs for various protocols.
Those have all been forcibly disabled because of "NAT Slipstream".
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Suggested-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Remove custom functions and use network-functions.pl instead to detect
the available zones correctly. This also removes the requirement that
a device must be assigned for a zone to become visible/configurable.
Fixes: #12568
Signed-off-by: Leo-Andres Hofmann <hofmann@leo-andres.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Changes & new features:
- Add CSS for STP options, add texts to language files
- Read STP settings from ethernet configuration and display inputs
- Validate and save STP settings
Signed-off-by: Leo-Andres Hofmann <hofmann@leo-andres.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Roberto Peña [Sun, 21 Feb 2021 11:11:47 +0000 (12:11 +0100)]
Add Spanish translations for Captive Portal
- Ran ./make lang before adding translations and git status was clear
- Ran ./make lang after adding translations and git status included also
doc/language_issues.pl although I did not change anything for Polish
and it was clear before making any changes
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Fri, 19 Feb 2021 17:44:27 +0000 (18:44 +0100)]
bind: Update to 9.11.28
For details see:
https://downloads.isc.org/isc/bind9/9.11.28/RELEASE-NOTES-bind-9.11.28.html
"Notes for BIND 9.11.28
Security Fixes
When tkey-gssapi-keytab or tkey-gssapi-credential was configured,
a specially crafted GSS-TSIG query could cause a buffer overflow in the
ISC implementation of SPNEGO (a protocol enabling negotiation of the
security mechanism to use for GSSAPI authentication). This flaw could
be exploited to crash named. Theoretically, it also enabled remote code
execution, but achieving the latter is very difficult in real-world
conditions. (CVE-2020-8625)
This vulnerability was responsibly reported to us as ZDI-CAN-12302
by Trend Micro Zero Day Initiative. [GL #2354]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 16 Feb 2021 17:28:17 +0000 (17:28 +0000)]
openssl: Update to 1.1.1j
Null pointer deref in X509_issuer_and_serial_hash() (CVE-2021-23841)
====================================================================
Severity: Moderate
The OpenSSL public API function X509_issuer_and_serial_hash() attempts to
create a unique hash value based on the issuer and serial number data contained
within an X509 certificate. However it fails to correctly handle any errors
that may occur while parsing the issuer field (which might occur if the issuer
field is maliciously constructed). This may subsequently result in a NULL
pointer deref and a crash leading to a potential denial of service attack.
The function X509_issuer_and_serial_hash() is never directly called by OpenSSL
itself so applications are only vulnerable if they use this function directly
and they use it on certificates that may have been obtained from untrusted
sources.
OpenSSL versions 1.1.1i and below are affected by this issue. Users of these
versions should upgrade to OpenSSL 1.1.1j.
OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL
1.0.2 is out of support and no longer receiving public updates. Premium support
customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade
to 1.1.1j.
This issue was reported to OpenSSL on 15th December 2020 by Tavis Ormandy from
Google. The fix was developed by Matt Caswell.
OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a
server that is configured to support both SSLv2 and more recent SSL and TLS
versions then a check is made for a version rollback attack when unpadding an
RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are
supposed to use a special form of padding. A server that supports greater than
SSLv2 is supposed to reject connection attempts from a client where this special
form of padding is present, because this indicates that a version rollback has
occurred (i.e. both client and server support greater than SSLv2, and yet this
is the version that is being requested).
The implementation of this padding check inverted the logic so that the
connection attempt is accepted if the padding is present, and rejected if it
is absent. This means that such a server will accept a connection if a version
rollback attack has occurred. Further the server will erroneously reject a
connection if a normal SSLv2 connection attempt is made.
Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this
issue. In order to be vulnerable a 1.0.2 server must:
1) have configured SSLv2 support at compile time (this is off by default),
2) have configured SSLv2 support at runtime (this is off by default),
3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite
list)
OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to
this issue. The underlying error is in the implementation of the
RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING
padding mode used by various other functions. Although 1.1.1 does not support
SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the
RSA_SSLV23_PADDING padding mode. Applications that directly call that function
or use that padding mode will encounter this issue. However since there is no
support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a
security issue in that version.
OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium
support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should
upgrade to 1.1.1j.
This issue was reported to OpenSSL on 21st January 2021 by D. Katz and Joel
Luellwitz from Trustwave. The fix was developed by Matt Caswell.
Integer overflow in CipherUpdate (CVE-2021-23840)
=================================================
Severity: Low
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow
the output length argument in some cases where the input length is close to the
maximum permissible length for an integer on the platform. In such cases the
return value from the function call will be 1 (indicating success), but the
output length value will be negative. This could cause applications to behave
incorrectly or crash.
OpenSSL versions 1.1.1i and below are affected by this issue. Users of these
versions should upgrade to OpenSSL 1.1.1j.
OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL
1.0.2 is out of support and no longer receiving public updates. Premium support
customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade
to 1.1.1j.
This issue was reported to OpenSSL on 13th December 2020 by Paul Kehrer. The fix
was developed by Matt Caswell.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
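The SSLv2 rollback padding check described in the advisory above, modelled as an added example (this is not OpenSSL's code and not part of this commit): the correct server rule beside the inverted one, run over a constructed PKCS#1 v1.5 type 2 block. It assumes the rollback marker is eight 0x03 bytes immediately before the 0x00 separator, a detail of the SSLv23 padding scheme that the advisory does not spell out.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the server-side SSLv2 rollback check from the advisory
 * above; not OpenSSL's code. Assumption: the rollback marker is eight 0x03
 * bytes right before the 0x00 separator of a PKCS#1 v1.5 type 2 block. */
#define MARKER_LEN 8

/* Parse 00 02 | >= 8 nonzero bytes | 00 | payload. Returns 0 and sets
 * *marker (1 if the rollback signal is present) on success, -1 if malformed. */
static int parse_type2_block(const uint8_t *blk, size_t len, int *marker)
{
    size_t sep, k;
    if (len < 11 || blk[0] != 0x00 || blk[1] != 0x02) return -1;
    for (sep = 2; sep < len && blk[sep] != 0x00; sep++)
        ;
    if (sep == len || sep < 2 + MARKER_LEN) return -1;
    *marker = 1;
    for (k = sep - MARKER_LEN; k < sep; k++)
        if (blk[k] != 0x03) { *marker = 0; break; }
    return 0;
}

/* Correct rule: a server that also speaks SSLv3/TLS rejects a block carrying
 * the marker, because an upgrade-capable client should not be using SSLv2. */
static int accept_sslv2_block(const uint8_t *blk, size_t len, int server_newer)
{
    int marker;
    if (parse_type2_block(blk, len, &marker) != 0) return 0;
    return !(server_newer && marker);
}

/* The inverted rule of 1.0.2s to 1.0.2x: marker present is accepted (rollback
 * goes undetected), marker absent is rejected (plain SSLv2 clients fail). */
static int accept_sslv2_block_inverted(const uint8_t *blk, size_t len, int server_newer)
{
    int marker;
    if (parse_type2_block(blk, len, &marker) != 0) return 0;
    return !(server_newer && !marker);
}

/* Builds a constructed 22-byte block (with_marker: the client advertises newer
 * versions) and returns the accept decision (1/0) of the chosen check. */
int sslv2_scenario(int with_marker, int server_newer, int use_inverted)
{
    uint8_t blk[32];
    size_t n = 0, i;
    blk[n++] = 0x00; blk[n++] = 0x02;
    for (i = 0; i < 8; i++) blk[n++] = 0xA5;            /* nonzero filler */
    for (i = 0; i < MARKER_LEN; i++) blk[n++] = with_marker ? 0x03 : 0x5A;
    blk[n++] = 0x00;
    memcpy(blk + n, "pms", 3); n += 3;                  /* stand-in payload */
    return use_inverted ? accept_sslv2_block_inverted(blk, n, server_newer)
                        : accept_sslv2_block(blk, n, server_newer);
}
```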
Adolf Belka [Tue, 16 Feb 2021 13:30:10 +0000 (14:30 +0100)]
dhcp.cgi: Fix incorrect { placement from patch 3724
- When patch 3724 was created for bug #10743 a curly bracket was placed in the wrong place
This results in the overlap of two if loops meaning that there will be no validity
check carried out on Default Lease Time if Deny Known Clients is not checked.
- This patch moves the { bracket to the right location.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 12 Feb 2021 17:59:15 +0000 (18:59 +0100)]
sysvinit: Update to 2.98
- Update sysvinit from 2.88dsf to 2.98
- From version 2.89 mountpoint build was not enabled as standard
- Patch created to modify Makefile to define mountpoint to be built
- Update of rootfiles
- Changelog is ~400 lines long from 2.88dsf to 2.98
- For details see the Changelog in the doc directory in the tarball
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 11 Feb 2021 12:41:29 +0000 (13:41 +0100)]
wirelessclient.cgi: Fix for bug #12571
- Wirelessclient shows priority 0 to be most preferred and priority 4 as
least preferred. Based on forum posters experience and the wpa_supplicant
man page it is the other way round.
- This patch moves the least preferred title to priority 0 and vice versa
- Will ask bug reporter to test out the patch and confirm it works. The page
is only shown if you have a wifi connection on red.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 10 Feb 2021 11:06:02 +0000 (12:06 +0100)]
python-xattr: Removal of addon
- Update of attr causes current version of python-xattr to fail to build
- Following input from Michael Tremer
- This package was originally required for pakfire 3 which no longer depends on it
- This is a python 2 module. Python 2 is EOL
- lfs and rootfile removed from IPFire
- make.sh updated to remove python-xattr entry
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 10 Feb 2021 11:05:44 +0000 (12:05 +0100)]
attr: Update to 2.4.48
- Update attr from 2.4.47 (2013) to 2.4.48 (2018)
- Update rootfiles
- Changelog in tarball only goes up to 2.4.44 so extracted changes
from commits between 2.4.47 and release of 2.4.48
v2.4.48
attr: Fix segmentation fault (Andreas Gruenbacher)
po: update (Andreas Gruenbacher)
setfacl: Include errno.h (Andreas Gruenbacher)
copy_action: drop unused alloca.h include (Mike Frysinger)
include: add uninstall target to fix distcheck (Mike Frysinger)
attr_copy_{fd,file}: sync changes between the files (Mike Frysinger)
xattr.conf: do not copy security.evm (Stefan Berger)
Cleanup visibility of API functions (Yury Usishchev)
Cleanup config.h usage (Yury Usishchev)
Use stdint types consistently (Felix Janda)
walk_tree_rec: Add parentheses to clarify code (Andreas Gruenbacher)
Reintroduce symbols that used to be syscall wrappers (Dmitry V. Levin)
Do not export symbols that are not supposed to be exported (Dmitry V. Levin)
Add explicit symbol versioning for attr_copy_action (Dmitry V. Levin)
ignore configure.lineno (Mike Frysinger)
walk_tree: mark internal variables as static (Dmitry V. Levin)
Remove the attr.5 man page (moved to man-pages) (Andreas Gruenbacher)
Remove <attr/xattr.h> and the syscall wrappers (Andreas Gruenbacher)
Remove the section 2 man pages (Andreas Gruenbacher)
Remove outdated tests from test/attr.test (Andreas Gruenbacher)
Remove test/ext/fs.test (Andreas Gruenbacher)
Add setfattr --raw option (Andreas Gruenbacher)
Properly set and report empty attribute values (Andreas Gruenbacher)
Man pages: Minor fixes (Andreas Gruenbacher)
build: unbreak attr_copy_fd() and attr_copy_file(). (Nick Alcock)
attr: Don't report a NULL attribute name when -l (list) fails (Andreas Gruenbacher)
attr_list / attr_listf: Fix cursor off-by-one error (Andreas Gruenbacher)
Portability fix: <alloca.h> is Linux specific (Emmanuel Dreyfus)
Portability fixes (Emmanuel Dreyfus)
telldir return value and seekdir second parameters are of type long (Cristian Rodríguez)
License fixes (Andreas Gruenbacher)
test: fix cleanup & running as root (Mike Frysinger)
include examples/ in dist tarball (Mike Frysinger)
build: ship a pkgconfig file for libattr (Jan Engelhardt)
build: make use of an aux-dir to stow away helper scripts (Jan Engelhardt)
avoid glibc-specific DECLS defines (Mike Frysinger)
build: drop attrincludedir, use pkgincludedir (Jan Engelhardt)
disable installation of man(2) pages by default (Mike Frysinger)
po: regenerate files after move (Mike Frysinger)
modernize build system (Mike Frysinger)
test: make running parallel/out-of-tree safe (Mike Frysinger)
move gettext logic into misc.h (Mike Frysinger)
punt debian/rpm packaging logic (Mike Frysinger)
Suppress deprecation warnings when building attr and libattr (Andreas Gruenbacher)
Add a default /etc/xattr.conf file (Andreas Gruenbacher)
Mark the Irix compatibility functions as deprecated (Andreas Gruenbacher)
Make attr_get and attr_getf behave as described in the man page (Andreas Gruenbacher)
Use autoreconf rather than autoconf to regenerate the files. (Fabrice Bauzac)
.gitignore: ignore *~ and config.h.in. (Fabrice Bauzac)
Fix ATTR_OP_REMOVE operation in attr_multi()
Makefile: rename configure.in to configure.ac
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 9 Feb 2021 20:23:25 +0000 (21:23 +0100)]
collectd: Update due to autoconf change
- collectd fails to build with autoconf-2.71
Required running of autoupdate on configure.in
and addition of --with-fp-layout=nothing to configure options
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>