ipfire-2.x.git
11 days ago: update credits.cgi and langs doku (master)
Arne Fitzenreiter [Thu, 2 Jul 2020 11:22:17 +0000 (11:22 +0000)] 
update credits.cgi and langs doku

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
12 days ago: WIO - shutdown function removed, adjustments to IPsec status display
Stephan Feddersen [Sun, 28 Jun 2020 10:48:59 +0000 (12:48 +0200)] 
WIO - shutdown function removed, adjustments to IPsec status display

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
12 days ago: WIO - shutdown function removed, adjustments to IPsec status display
Stephan Feddersen [Sun, 28 Jun 2020 10:47:54 +0000 (12:47 +0200)] 
WIO - shutdown function removed, adjustments to IPsec status display

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
12 days ago: WIO - shutdown function removed, adjustments to IPsec status display
Stephan Feddersen [Sun, 28 Jun 2020 10:47:01 +0000 (12:47 +0200)] 
WIO - shutdown function removed, adjustments to IPsec status display

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
12 days ago: WIO - shutdown function removed, adjustments to IPsec status display
Stephan Feddersen [Sun, 28 Jun 2020 10:45:41 +0000 (12:45 +0200)] 
WIO - shutdown function removed, adjustments to IPsec status display

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
12 days ago: WIO - shutdown function removed, adjustments to IPsec status display
Stephan Feddersen [Sun, 28 Jun 2020 10:44:18 +0000 (12:44 +0200)] 
WIO - shutdown function removed, adjustments to IPsec status display

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
12 days ago: WIO - shutdown function removed, adjustments to IPsec status display
Stephan Feddersen [Sun, 28 Jun 2020 10:41:55 +0000 (12:41 +0200)] 
WIO - shutdown function removed, adjustments to IPsec status display

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
12 days ago: WIO - cleaned up language files
Stephan Feddersen [Sun, 28 Jun 2020 10:34:18 +0000 (12:34 +0200)] 
WIO - cleaned up language files

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
12 days ago: WIO - new version 1.3.2-9
Stephan Feddersen [Sun, 28 Jun 2020 10:29:26 +0000 (12:29 +0200)] 
WIO - new version 1.3.2-9

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
12 days ago: remove nf_log_ipv4 from sysctl.conf
Arne Fitzenreiter [Wed, 1 Jul 2020 12:17:11 +0000 (12:17 +0000)] 
remove nf_log_ipv4 from sysctl.conf

The revert commit has failed and sysctl.conf should still be shipped to fix
machines in the next tree.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
12 days ago: firewall: Configure TRACE target to log to syslog
Michael Tremer [Mon, 29 Jun 2020 14:53:17 +0000 (14:53 +0000)] 
firewall: Configure TRACE target to log to syslog

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
12 days ago: core147: add ntp
Arne Fitzenreiter [Wed, 1 Jul 2020 12:11:51 +0000 (12:11 +0000)] 
core147: add ntp

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
12 days ago: ntp: Update to 4.2.8p15
Matthias Fischer [Sun, 28 Jun 2020 07:01:33 +0000 (09:01 +0200)] 
ntp: Update to 4.2.8p15

For details see:
http://support.ntp.org/bin/view/Main/SecurityNotice#June_2020_ntp_4_2_8p15_NTP_Relea

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
12 days ago: core147: add proxy.cgi
Arne Fitzenreiter [Wed, 1 Jul 2020 12:09:45 +0000 (12:09 +0000)] 
core147: add proxy.cgi

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
12 days ago: Revert "proxy: Remove AUTH_IPCACHE_TTL"
Peter Müller [Sun, 21 Jun 2020 10:57:29 +0000 (10:57 +0000)] 
Revert "proxy: Remove AUTH_IPCACHE_TTL"

This reverts commit dc637f087fe07ab26ae1dee00133da69bab5e6a1.

Rationale: "authenticate_ip_ttl" can be safely used as it does not
introduce an authentication bypass, but saves relationships between
successfully authenticated users and their IP addresses.

"max_user_ip" depends on such an authentication cache, so credential
sharing between several IPs (on purpose or by chance) can be detected
properly. This is useful in case of compromised machines and/or
attackers in internal networks having stolen proxy authentication
credentials.

Quoted from squid.conf.documented or man 5 squid.conf:

>       acl aclname max_user_ip [-s] number
>         # This will be matched when the user attempts to log in from more
>         # than <number> different ip addresses. The authenticate_ip_ttl
>         # parameter controls the timeout on the ip entries. [fast]
>         # If -s is specified the limit is strict, denying browsing
>         # from any further IP addresses until the ttl has expired. Without
>         # -s Squid will just annoy the user by "randomly" denying requests.
>         # (the counter is reset each time the limit is reached and a
>         # request is denied)
>         # NOTE: in acceleration mode or where there is mesh of child proxies,
>         # clients may appear to come from multiple addresses if they are
>         # going through proxy farms, so a limit of 1 may cause user problems.

Fixes: #11994

Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
12 days ago: proxy.cgi: remove old CVS licence clutter
Peter Müller [Sun, 21 Jun 2020 10:57:00 +0000 (10:57 +0000)] 
proxy.cgi: remove old CVS licence clutter

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 weeks ago: core147: add openssh
Arne Fitzenreiter [Sat, 27 Jun 2020 14:34:22 +0000 (14:34 +0000)] 
core147: add openssh

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 weeks ago: OpenSSH: update to 8.3p1
Peter Müller [Mon, 22 Jun 2020 15:39:33 +0000 (15:39 +0000)] 
OpenSSH: update to 8.3p1

Fixes: #12418

Cc: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 weeks ago: core147: add ca-certificates
Arne Fitzenreiter [Sat, 27 Jun 2020 14:28:18 +0000 (14:28 +0000)] 
core147: add ca-certificates

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 weeks ago: update ca-certificates CA bundle
Peter Müller [Sat, 20 Jun 2020 09:37:22 +0000 (09:37 +0000)] 
update ca-certificates CA bundle

Update the CA certificates list to what Mozilla NSS ships currently.

The original file can be retrieved from:
https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 weeks ago: core147: add bind
Arne Fitzenreiter [Sat, 27 Jun 2020 14:24:44 +0000 (14:24 +0000)] 
core147: add bind

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 weeks ago: bind: Update to 9.11.20
Matthias Fischer [Fri, 19 Jun 2020 17:18:21 +0000 (19:18 +0200)] 
bind: Update to 9.11.20

For details see:
https://downloads.isc.org/isc/bind9/9.11.20/RELEASE-NOTES-bind-9.11.20.html

"Security Fixes

    It was possible to trigger an INSIST failure when a zone with
    an interior wildcard label was queried in a certain pattern. This
    was disclosed in CVE-2020-8619. [GL #1111] [GL #1718]

New Features

    dig and other tools can now print the Extended DNS Error (EDE)
    option when it appears in a request or a response. [GL #1835]

Bug Fixes

    When fully updating the NSEC3 chain for a large zone via IXFR,
    a temporary loss of performance could be experienced on the
    secondary server when answering queries for nonexistent data that
    required DNSSEC proof of non-existence (in other words, queries that
    required the server to find and to return NSEC3 data). The
    unnecessary processing step that was causing this delay has now been
    removed. [GL #1834]

    A data race in lib/dns/resolver.c:log_formerr() that could lead
    to an assertion failure was fixed. [GL #1808]

    Previously, provide-ixfr no; failed to return up-to-date responses
    when the serial number was greater than or equal to the current
    serial number. [GL #1714]

    named-checkconf -p could include spurious text in server-addresses
    statements due to an uninitialized DSCP value. This has been fixed.
    [GL #1812]

    The ARM has been updated to indicate that the TSIG session key is
    generated when named starts, regardless of whether it is needed. [GL
    #1842]"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 weeks ago: installer: update filecount
Arne Fitzenreiter [Sat, 27 Jun 2020 10:27:10 +0000 (12:27 +0200)] 
installer: update filecount

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 weeks ago: gmp: update arm rootfiles
Arne Fitzenreiter [Sat, 27 Jun 2020 05:47:43 +0000 (07:47 +0200)] 
gmp: update arm rootfiles

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 weeks ago: linux-firmware: update to 20200519
Arne Fitzenreiter [Sat, 20 Jun 2020 06:55:06 +0000 (08:55 +0200)] 
linux-firmware: update to 20200519

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 weeks ago: remove old core146 openvpn symlink that breaks the build.
Arne Fitzenreiter [Sat, 20 Jun 2020 06:53:31 +0000 (08:53 +0200)] 
remove old core146 openvpn symlink that breaks the build.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 weeks ago: core174: Ship updated files from gcloud branch
Michael Tremer [Fri, 19 Jun 2020 12:44:14 +0000 (12:44 +0000)] 
core174: Ship updated files from gcloud branch

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: bacula: Update to 9.6.5
Adolf Belka [Tue, 16 Jun 2020 18:43:52 +0000 (20:43 +0200)] 
bacula: Update to 9.6.5

- Update bacula from version 9.0.6 to 9.6.5
  Version 9.0.6 is over two and a half years old.
- Update config options in lfs to include bacula recommended smartalloc option.
  "This enables the inclusion of the Smartalloc orphaned buffer detection
  code. This option is highly recommended. Because we never build without this option,
  you may experience problems if it is not enabled. In this case, simply re-enable the
  option. We strongly recommend keeping this option enabled as it helps detect memory
  leaks. This configuration parameter is used while building Bacula"
- Add install, uninstall and update files in src/paks/bacula
- Updated backup/includes to backup the config file and the File Daemon state file.

Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: core147: Ship dhcpcd
Michael Tremer [Thu, 18 Jun 2020 10:39:03 +0000 (10:39 +0000)] 
core147: Ship dhcpcd

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: dhcpcd: Update to 9.1.2
Matthias Fischer [Tue, 16 Jun 2020 17:48:35 +0000 (19:48 +0200)] 
dhcpcd: Update to 9.1.2

For details see:
https://roy.marples.name/blog/dhcpcd-9-1-2-released.html

    "Fix installing dhcpcd-definitions.conf rather than embedding it
    NetBSD: free ARP state once IPv4LL address announced
    Linux: fix compile for older distros
    udev: disable plugin for non Linux OS's
    BSD: Mark RA dervied addresses as AUTOCONF on NetBSD-current
    BSD: Only mark static routes from dhcpcd.conf as static
    DHCP6: Ensure requested addresses are requested
    DHCP6: Fix prefix length calculation when no prefix specified
    privsep: Implement a resource limited sandbox [1]
    privsep: Remove inet and dns pledges from master process
    privsep: call getifaddrs when the BSD lacks SIOCGIFALIAS
    privsep: free getifaddrs the right way if from privsep or not

[1] You will see a control proxy process now. This is for the resource
limited sandbox so that we can isolate requests over the control socket.
For NetBSD, FreeBSD and derivatives such as DragonFlyBSD this is
a massive win as these OS now enjoy a similar level of protection
as Capsicum or Pledge, but without the syscall filtering."

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: sysctl: Load nf_log_ipv4 as default logging module for TRACE target
Michael Tremer [Tue, 16 Jun 2020 15:42:33 +0000 (15:42 +0000)] 
sysctl: Load nf_log_ipv4 as default logging module for TRACE target

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: firewall: Always enable connection tracking for GRE
Michael Tremer [Tue, 16 Jun 2020 15:40:44 +0000 (15:40 +0000)] 
firewall: Always enable connection tracking for GRE

If this module is not being loaded, the kernel will mark any
GRE connection as INVALID in connection tracking, which will
then be silently dropped by a firewall rule.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: squidGuard: Update to 1.6.0
Michael Tremer [Tue, 16 Jun 2020 15:40:20 +0000 (15:40 +0000)] 
squidGuard: Update to 1.6.0

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: squidGuard: Update to 1.6.0
Michael Tremer [Tue, 16 Jun 2020 10:35:26 +0000 (10:35 +0000)] 
squidGuard: Update to 1.6.0

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: core147: Ship squidguard
Michael Tremer [Tue, 16 Jun 2020 09:01:24 +0000 (09:01 +0000)] 
core147: Ship squidguard

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: squidguard: Update to 1.5-beta
Matthias Fischer [Sat, 31 Dec 2016 15:59:19 +0000 (16:59 +0100)] 
squidguard: Update to 1.5-beta

Changelog:

"Release 1.5

2010-09-09 Fixed inconsistent blocking (bug 59).  Replaced defined routine
in sgDB.c

2010-09-08 Added Russian translation from Vladimir Ipatov to squidGuard.cgi.in.

2009-10-19 Fixed two bypass problems with URLs which length is close to the limit
defined by MAX_BUF. The resulting proxy line exceeds this limit and causes
either squid or squidGuard to properly block a site.

2009-10-15 Fixed a problem with very long URLs. SquidGuard will go into
emergency mode when a overlong URLs are encountered. The emergency mode causes an
entire stop of blocking. This is not appropriate in this situation.

2009-09-30 Added patch by beber and gentoo (thank you!) to fix a problem when cross
compiling (bug 56).

2009-09-27 Added patch by gentoo to fix alocal warnings (bug 57).

2009-09-15 Added a feature to send log messages to syslog based on the patch from
Jun Jiang (thank you). (bug 42) In order to use syslog you have to run
configure with the new option "--with-syslog". In the configuration file you need to add a
line "syslog enable". If any other value but "enable" is used syslog is disabled and logging
to squidGuard.log takes place as usual. The following log level are used: DEBUG, NOTICE,
WARN, ERROR and EMERG. The local4 syslog facility is used by default. If you want to change
this, use the configure option "--with-syslog-facility=<facility>".

2009-09-12 Anonymized passwords (for connecting to the ldap or mysql server) written
to logfiles when squidGuard is starting. Added two configure options for choosing
different location for the LDAP include and library files.

2009-08-25 Added patch to check IP addresses against LDAP. Patch by Denis Bonnenfant
(bug 41) - thank you.

2009-08-23 Added patch to allow quoted strings in the configuration file (bug 53).
For more information see README.QuotedStrings. Thanks to Iain Fothergill for providing
the patch. Removed the fix for usernames starting with a number because it breaks the
time declarations.

2009-05-08 Added patch by INL to enable blocking against DNS based blacklists (bug 55).
Fixed re-opened bug 12: a problem with regular expressions. An entry like "www\.google\.de"
did not block www.google.de which it was supposed to do.
Solving this issue solved bug 46 as well.

2009-03-08 Fixed bug 52: Sometimes squidGuard crashes with an overflow
error message for vsprintf. Thanks to Dirk Schoebel for suggesting the proper fix.
Fixed bug 49: Using numeric username made squidGuard goes into emergency mode. This
has been fixed. Usernames can now start with a number, be numeric and can additionally
contain the following characters: @,à,é,è,ñ,á,ì,í,ò,ó,ù,ú."

Signed-off-by: Matthias Fischer <matthias.fischer at ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: strace: This package now links against elfutils
Michael Tremer [Wed, 10 Jun 2020 08:19:51 +0000 (08:19 +0000)] 
strace: This package now links against elfutils

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: core147: Ship iproute2
Michael Tremer [Tue, 16 Jun 2020 08:49:36 +0000 (08:49 +0000)] 
core147: Ship iproute2

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: iproute2: Update to 5.7.0
Matthias Fischer [Sun, 14 Jun 2020 06:50:13 +0000 (08:50 +0200)] 
iproute2: Update to 5.7.0

For details see:
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/log/?h=v5.7.0

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: joe: Update to 4.6
Matthias Fischer [Sat, 13 Jun 2020 22:13:30 +0000 (00:13 +0200)] 
joe: Update to 4.6

For details see:
https://joe-editor.sourceforge.io/NEWS.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: core147: Ship updated crypto libraries
Michael Tremer [Tue, 16 Jun 2020 08:46:51 +0000 (08:46 +0000)] 
core147: Ship updated crypto libraries

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: gmp 6.2.0: Fixed rootfile for i586
Matthias Fischer [Thu, 11 Jun 2020 17:20:08 +0000 (19:20 +0200)] 
gmp 6.2.0: Fixed rootfile for i586

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: libgpg-error: Update to 1.38
Matthias Fischer [Thu, 11 Jun 2020 16:07:29 +0000 (18:07 +0200)] 
libgpg-error: Update to 1.38

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: libassuan: Update to 2.5.3
Matthias Fischer [Thu, 11 Jun 2020 16:06:27 +0000 (18:06 +0200)] 
libassuan: Update to 2.5.3

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: libgcrypt: Update to 1.8.5
Matthias Fischer [Thu, 11 Jun 2020 16:05:05 +0000 (18:05 +0200)] 
libgcrypt: Update to 1.8.5

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: gmp 6.2.0: Fixed lfs for i586
Matthias Fischer [Thu, 11 Jun 2020 10:02:45 +0000 (12:02 +0200)] 
gmp 6.2.0: Fixed lfs for i586

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: gmp: Update to 6.2.0
Matthias Fischer [Wed, 10 Jun 2020 22:08:13 +0000 (00:08 +0200)] 
gmp: Update to 6.2.0

Needed for gnutls 3.6.14

For details see:
https://gmplib.org/gmp6.2

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: gnutls: Update to 3.6.14
Matthias Fischer [Wed, 10 Jun 2020 22:08:12 +0000 (00:08 +0200)] 
gnutls: Update to 3.6.14

For details see:
https://lists.gnupg.org/pipermail/gnutls-help/2020-June/004648.html

"** libgnutls: Fixed insecure session ticket key construction, since 3.6.4.
   The TLS server would not bind the session ticket encryption key with a
   value supplied by the application until the initial key rotation, allowing
   attacker to bypass authentication in TLS 1.3 and recover previous
   conversations in TLS 1.2 (#1011).
   [GNUTLS-SA-2020-06-03, CVSS: high]

** libgnutls: Fixed handling of certificate chain with cross-signed
   intermediate CA certificates (#1008).

** libgnutls: Fixed reception of empty session ticket under TLS 1.2 (#997).

** libgnutls: gnutls_x509_crt_print() is enhanced to recognizes commonName
   (2.5.4.3), decodes certificate policy OIDs (!1245), and prints Authority
   Key Identifier (AKI) properly (#989, #991).

** certtool: PKCS #7 attributes are now printed with symbolic names (!1246).

** libgnutls: Added several improvements on Windows Vista and later releases
   (!1257, !1254, !1256). Most notably the system random number generator now
   uses Windows BCrypt* API if available (!1255).

** libgnutls: Use accelerated AES-XTS implementation if possible (!1244).
   Also both accelerated and non-accelerated implementations check key block
   according to FIPS-140-2 IG A.9 (!1233).

** libgnutls: Added support for AES-SIV ciphers (#463).

** libgnutls: Added support for 192-bit AES-GCM cipher (!1267).

** libgnutls: No longer use internal symbols exported from Nettle (!1235)

** API and ABI modifications:
GNUTLS_CIPHER_AES_128_SIV: Added
GNUTLS_CIPHER_AES_256_SIV: Added
GNUTLS_CIPHER_AES_192_GCM: Added
gnutls_pkcs7_print_signature_info: Added"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: borgbackup: Update to 1.1.13
Matthias Fischer [Wed, 10 Jun 2020 21:51:21 +0000 (23:51 +0200)] 
borgbackup: Update to 1.1.13

For details see:
https://borgbackup.readthedocs.io/en/stable/changes.html#changelog

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: haproxy: Update to 2.1.7
Matthias Fischer [Wed, 10 Jun 2020 21:46:15 +0000 (23:46 +0200)] 
haproxy: Update to 2.1.7

For details see:
http://www.haproxy.org/download/2.1/src/CHANGELOG

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: core147: Ship squid
Michael Tremer [Tue, 16 Jun 2020 08:37:48 +0000 (08:37 +0000)] 
core147: Ship squid

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: squid: Update to 4.12
Matthias Fischer [Wed, 10 Jun 2020 21:38:52 +0000 (23:38 +0200)] 
squid: Update to 4.12

For details see:
http://www.squid-cache.org/Versions/v4/changesets/

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: Start Core Update 147
Michael Tremer [Tue, 16 Jun 2020 08:35:09 +0000 (08:35 +0000)] 
Start Core Update 147

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: networking: Set configured MTU to all network zones
Michael Tremer [Mon, 15 Jun 2020 15:32:41 +0000 (15:32 +0000)] 
networking: Set configured MTU to all network zones

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: gcp: Google Cloud only supports an MTU of 1460
Michael Tremer [Mon, 15 Jun 2020 15:22:00 +0000 (15:22 +0000)] 
gcp: Google Cloud only supports an MTU of 1460

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: aws: Configure MTU to maximum of 9001 on GREEN/ORANGE
Michael Tremer [Mon, 15 Jun 2020 15:20:49 +0000 (15:20 +0000)] 
aws: Configure MTU to maximum of 9001 on GREEN/ORANGE

AWS supports jumbo-frames which IPFire can take advantage of
to increase network throughput internally.

The MTU for RED was left as 1500 to avoid packet fragmentation
in the cloud network and have IPFire do that job.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: web: Hide certain menu items when running in cloud environments
Michael Tremer [Mon, 15 Jun 2020 15:07:35 +0000 (15:07 +0000)] 
web: Hide certain menu items when running in cloud environments

This used to be only hidden on AWS.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: gcloud: Add function to detect whether we are running on GCP
Michael Tremer [Mon, 15 Jun 2020 15:07:15 +0000 (15:07 +0000)] 
gcloud: Add function to detect whether we are running on GCP

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: aws-functions.pl: Drop file and move functions to general-functions.pl
Michael Tremer [Mon, 15 Jun 2020 15:01:42 +0000 (15:01 +0000)] 
aws-functions.pl: Drop file and move functions to general-functions.pl

There is not enough stuff to justify having a separate file.

This patch therefore merges everything into general-functions.pl.

There are no functional changes.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: gcp: Add host route for gateway during initialisation
Michael Tremer [Fri, 12 Jun 2020 16:05:00 +0000 (16:05 +0000)] 
gcp: Add host route for gateway during initialisation

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: gcp: Always automatically enable serial console
Michael Tremer [Fri, 12 Jun 2020 10:43:26 +0000 (10:43 +0000)] 
gcp: Always automatically enable serial console

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: gcp: Add initscript to import configuration
Michael Tremer [Fri, 12 Jun 2020 10:40:56 +0000 (10:40 +0000)] 
gcp: Add initscript to import configuration

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: cloud-init: Launch custom script when detecting Google Cloud
Michael Tremer [Wed, 28 Aug 2019 11:51:22 +0000 (11:51 +0000)] 
cloud-init: Launch custom script when detecting Google Cloud

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks ago: core146: add openvpn (core146, v2.25-core146)
Arne Fitzenreiter [Tue, 16 Jun 2020 11:36:20 +0000 (11:36 +0000)] 
core146: add openvpn

openvpn was missed in core145 so add it again.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 weeks ago: vulnerabilities.cgi: add srbds (CVE-2020-0543)
Arne Fitzenreiter [Sat, 13 Jun 2020 10:23:46 +0000 (12:23 +0200)] 
vulnerabilities.cgi: add srbds (CVE-2020-0543)

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 weeks ago: intel-microcode: update to 20200609
Arne Fitzenreiter [Fri, 12 Jun 2020 15:47:29 +0000 (17:47 +0200)] 
intel-microcode: update to 20200609

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 weeks ago: kernel: update to 4.14.184
Arne Fitzenreiter [Fri, 12 Jun 2020 14:04:48 +0000 (16:04 +0200)] 
kernel: update to 4.14.184

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 weeks ago: kernel: disable CONFIG_UPROBES
Peter Müller [Tue, 9 Jun 2020 18:51:12 +0000 (18:51 +0000)] 
kernel: disable CONFIG_UPROBES

Quoted from #12433:
> Uprobes is the user-space counterpart to kprobes: they enable instrumentation
> applications (such as 'perf probe') to establish unintrusive probes in
> user-space binaries and libraries, by executing handler functions when the
> probes are hit by user-space applications.
>
> ( These probes come in the form of single-byte breakpoints, managed by the
> kernel and kept transparent to the probed application. )

IMHO this can be safely disabled, as there is little if any need to debug
userspace programs _that_ deeply on an IPFire machine.

Fixes: #12433

Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 weeks ago: kernel: enable CONFIG_FORTIFY_SOURCE on armv5tel
Peter Müller [Tue, 9 Jun 2020 17:57:51 +0000 (17:57 +0000)] 
kernel: enable CONFIG_FORTIFY_SOURCE on armv5tel

Partially fixes: #12369

Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 weeks ago: kernel: enable CONFIG_FORTIFY_SOURCE on aarch64
Peter Müller [Tue, 9 Jun 2020 17:55:58 +0000 (17:55 +0000)] 
kernel: enable CONFIG_FORTIFY_SOURCE on aarch64

Partially fixes: #12369

Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 weeks ago: kernel: enable CONFIG_SLUB_DEBUG on aarch64 and armv5tel
Peter Müller [Tue, 9 Jun 2020 17:50:14 +0000 (17:50 +0000)] 
kernel: enable CONFIG_SLUB_DEBUG on aarch64 and armv5tel

Fixes: #12377

Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 weeks ago: kernel: fix disabling CONFIG_MODIFY_LDT_SYSCALL
Arne Fitzenreiter [Wed, 10 Jun 2020 14:21:49 +0000 (16:21 +0200)] 
kernel: fix disabling CONFIG_MODIFY_LDT_SYSCALL

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 weeks ago: Revert "kernel: enable CONFIG_RANDOMIZE_BASE on aarch64"
Arne Fitzenreiter [Wed, 10 Jun 2020 14:20:34 +0000 (16:20 +0200)] 
Revert "kernel: enable CONFIG_RANDOMIZE_BASE on aarch64"

With CONFIG_RANDOMIZE_BASE enabled, the linking of xtables
and maybe other external kernel modules fails on aarch64.

This reverts commit 8379ab44b8b0d7efd24101dbfe32913d4cebcb2e.

4 weeks ago: kernel: enable CONFIG_RANDOMIZE_BASE on armv5tel
Peter Müller [Tue, 9 Jun 2020 17:18:49 +0000 (17:18 +0000)] 
kernel: enable CONFIG_RANDOMIZE_BASE on armv5tel

Partially fixes: #12363

Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 weeks ago: kernel: enable CONFIG_RANDOMIZE_BASE on aarch64
Peter Müller [Sun, 7 Jun 2020 16:49:01 +0000 (16:49 +0000)] 
kernel: enable CONFIG_RANDOMIZE_BASE on aarch64

Partially fixes: #12363

Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 weeks ago: kernel: enable CONFIG_HARDENED_USERCOPY on aarch64 and armv5tel
Peter Müller [Sun, 7 Jun 2020 16:37:04 +0000 (16:37 +0000)] 
kernel: enable CONFIG_HARDENED_USERCOPY on aarch64 and armv5tel

Fixes: #12365

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 weeks ago: kernel: enable CONFIG_SECCOMP on aarch64 and armv5tel
Peter Müller [Sun, 7 Jun 2020 16:57:59 +0000 (16:57 +0000)] 
kernel: enable CONFIG_SECCOMP on aarch64 and armv5tel

Fixes: #12366

Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 weeks ago: kernel: disable CONFIG_ACPI_CUSTOM_METHOD on x86_64 and i586
Peter Müller [Sun, 7 Jun 2020 16:40:35 +0000 (16:40 +0000)] 
kernel: disable CONFIG_ACPI_CUSTOM_METHOD on x86_64 and i586

This is dangerous as it allows replacing the running kernel without
rebooting. Kernel Self Protection Project people recommend keeping it
disabled.

Fixes: #12372

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 weeks ago: kernel: disable CONFIG_MODIFY_LDT_SYSCALL on i586 and x86_64
Peter Müller [Sun, 7 Jun 2020 16:32:26 +0000 (16:32 +0000)] 
kernel: disable CONFIG_MODIFY_LDT_SYSCALL on i586 and x86_64

Fixes: #12382

Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 weeks ago: squid-accounting: remove deps that are moved to core
Arne Fitzenreiter [Fri, 5 Jun 2020 20:43:58 +0000 (20:43 +0000)] 
squid-accounting: remove deps that are moved to core

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 weeks ago: Merge branch 'master' into next
Arne Fitzenreiter [Thu, 4 Jun 2020 15:16:39 +0000 (15:16 +0000)] 
Merge branch 'master' into next

5 weeks ago: core145: Remove double-added configuration lines for OpenVPN (core145)
Michael Tremer [Thu, 4 Jun 2020 14:32:22 +0000 (14:32 +0000)] 
core145: Remove double-added configuration lines for OpenVPN

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 weeks ago  Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
Arne Fitzenreiter [Thu, 4 Jun 2020 06:59:28 +0000 (08:59 +0200)] 
Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next

5 weeks ago  start core146 and add the kernel
Arne Fitzenreiter [Thu, 4 Jun 2020 06:49:28 +0000 (08:49 +0200)] 
start core146 and add the kernel

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 weeks ago  kernel: update to 4.14.183
Arne Fitzenreiter [Thu, 4 Jun 2020 06:37:00 +0000 (08:37 +0200)] 
kernel: update to 4.14.183

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 weeks ago  core145: Update OpenVPN server configuration only when necessary (tag: v2.25-core145)
Michael Tremer [Wed, 3 Jun 2020 14:41:12 +0000 (14:41 +0000)] 
core145: Update OpenVPN server configuration only when necessary

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 weeks ago  core145: Update OpenVPN server configuration only when necessary
Michael Tremer [Wed, 3 Jun 2020 14:41:12 +0000 (14:41 +0000)] 
core145: Update OpenVPN server configuration only when necessary

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 weeks ago  kernel: backport "random: try to actively add entropy"
Arne Fitzenreiter [Fri, 1 May 2020 08:33:02 +0000 (10:33 +0200)] 
kernel: backport "random: try to actively add entropy"

this backports https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/drivers/char/random.c?id=50ee7529ec4500c88f8664560770a7a1b65db72b
to gather enough entropy to initialise the crng faster.
On some machines like the APU it will take forever if
the machine only waits for entropy without doing anything else.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 weeks ago  drop xen-image-builder
Arne Fitzenreiter [Tue, 2 Jun 2020 16:37:22 +0000 (18:37 +0200)] 
drop xen-image-builder

This depends on linux-pae and has failed to boot
for a while.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 weeks ago  kernel: drop extra i586-pae kernel
Arne Fitzenreiter [Tue, 2 Jun 2020 16:34:44 +0000 (18:34 +0200)] 
kernel: drop extra i586-pae kernel

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 weeks ago  kernel: disable CONFIG_DEBUG_LIST on i586(-pae)
Peter Müller [Sat, 18 Apr 2020 08:48:24 +0000 (10:48 +0200)] 
kernel: disable CONFIG_DEBUG_LIST on i586(-pae)

Fixes: #12378

Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 weeks ago  kernel: enable CONFIG_SCHED_STACK_END_CHECK on x86_64, armv5tel and aarch64
Peter Müller [Sat, 18 Apr 2020 08:42:19 +0000 (10:42 +0200)] 
kernel: enable CONFIG_SCHED_STACK_END_CHECK on x86_64, armv5tel and aarch64

> This option checks for a stack overrun on calls to schedule(). If the stack
> end location is found to be over written always panic as the content of the
> corrupted region can no longer be trusted. This is to ensure no erroneous
> behaviour occurs which could result in data corruption or a sporadic crash at a
> later stage once the region is examined. The runtime overhead introduced is
> minimal.

Fixes: #12376

Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 weeks ago  kernel: disable CONFIG_USELIB on x86_64 and i586(-pae)
Peter Müller [Sat, 18 Apr 2020 08:24:08 +0000 (10:24 +0200)] 
kernel: disable CONFIG_USELIB on x86_64 and i586(-pae)

> This option enables the uselib syscall, a system call used in the dynamic
> linker from libc5 and earlier. glibc does not use this system call. If you
> intend to run programs built on libc5 or earlier you may need to enable this
> syscall. Current systems running glibc can safely disable this.

From my point of view, the last sentence matches our situation.

Fixes: #12379

Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 weeks ago  kernel: enable CONFIG_DEBUG_WX on aarch64
Peter Müller [Sat, 18 Apr 2020 08:16:23 +0000 (10:16 +0200)] 
kernel: enable CONFIG_DEBUG_WX on aarch64

Since this is described as 'Generate a warning if any W+X mappings are
found at boot.', it most likely does not break anything and can be
safely enabled.

Fixes: #12373

Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 weeks ago  kernel: enable page poisoning on x86_64
Peter Müller [Tue, 14 Apr 2020 14:32:47 +0000 (16:32 +0200)] 
kernel: enable page poisoning on x86_64

This is already active on i586 and prevents information leaks from freed
data.

Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
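The kernel commits above (CONFIG_HARDENED_USERCOPY, CONFIG_SECCOMP, CONFIG_SCHED_STACK_END_CHECK, CONFIG_DEBUG_WX, page poisoning, and the disabling of CONFIG_ACPI_CUSTOM_METHOD, CONFIG_MODIFY_LDT_SYSCALL and CONFIG_USELIB) each flip one Kconfig symbol; a practitioner verifying an installed kernel wants to check the whole set at once. The script below is an added example, not IPFire's own build tooling. It reads a plain-text kernel config and compares it against the expected values taken from the commit titles; the sample config it writes is constructed here for an offline run, and the expected values assume an x86_64 or aarch64 build (the page enables CONFIG_DEBUG_WX on aarch64 only, so adjust the list for other architectures).

```shell
#!/bin/sh
# Audit a Linux kernel .config against the hardening symbols from the
# commits above. Added example: option list and expected values are taken
# from the commit titles, not from any IPFire script.

# kconfig_value FILE OPTION: print the value of CONFIG_OPTION from FILE.
# Unset symbols ("# CONFIG_FOO is not set", or absent) print "n".
# The last assignment wins, matching how the kernel's own tooling reads it.
kconfig_value() {
    v=$(sed -n "s/^CONFIG_$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${v:-n}"
}

# kconfig_audit FILE: print one OK/FAIL line per symbol and return the
# number of mismatches (0 means every symbol has the expected value).
kconfig_audit() {
    file="$1"
    failures=0
    # The heredoc redirect keeps the loop in the current shell, so the
    # counter survives the loop (a pipe into "while" would not).
    while read -r opt want; do
        have=$(kconfig_value "$file" "$opt")
        if [ "$have" = "$want" ]; then
            printf 'OK   CONFIG_%s=%s\n' "$opt" "$have"
        else
            printf 'FAIL CONFIG_%s: want %s, have %s\n' "$opt" "$want" "$have"
            failures=$((failures + 1))
        fi
    done <<EOF
HARDENED_USERCOPY y
SECCOMP y
SCHED_STACK_END_CHECK y
PAGE_POISONING y
DEBUG_WX y
ACPI_CUSTOM_METHOD n
MODIFY_LDT_SYSCALL n
USELIB n
EOF
    return "$failures"
}

# write_sample_config FILE: a constructed config fragment (not from any real
# build) in which two symbols are still in their pre-commit state, so the
# audit can be exercised without a kernel at hand.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_HARDENED_USERCOPY=y
CONFIG_SECCOMP=y
CONFIG_SCHED_STACK_END_CHECK=y
CONFIG_PAGE_POISONING=y
# CONFIG_DEBUG_WX is not set
CONFIG_ACPI_CUSTOM_METHOD=m
# CONFIG_MODIFY_LDT_SYSCALL is not set
# CONFIG_USELIB is not set
EOF
}

# On a live system:
#   zcat /proc/config.gz > /tmp/config && kconfig_audit /tmp/config
# or: kconfig_audit "/boot/config-$(uname -r)"
```

Two caveats when reading the result on a running box: CONFIG_DEBUG_WX only logs a warning at boot, so a clean audit still has to be followed by a look at `dmesg` for W+X mappings; and on the 4.14 series CONFIG_PAGE_POISONING compiles the support in but poisoning is only active when `page_poison=1` is on the kernel command line, so check `/proc/cmdline` as well as the config.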
5 weeks ago  Kernel: drop Memstick support
Peter Müller [Wed, 1 Apr 2020 15:25:00 +0000 (15:25 +0000)] 
Kernel: drop Memstick support

These are not needed anymore since Sony announced EOL in 2010 and there
is no legitimate use case for such hardware on a firewall system.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 weeks ago  Kernel: drop bluetooth support
Peter Müller [Wed, 1 Apr 2020 15:23:00 +0000 (15:23 +0000)] 
Kernel: drop bluetooth support

The bluetooth addon was recently removed by commit
592be1d206e45ad42736b352d96e42ebca50123a, which is why we do not need to
carry the corresponding kernel modules around anymore.

The second version of this patch correctly updates kernel configuration
files via "make oldconfig" as requested by Arne.

Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
6 weeks ago  core145: found more urlfilter db files to cleanup
Arne Fitzenreiter [Sat, 30 May 2020 18:04:33 +0000 (18:04 +0000)] 
core145: found more urlfilter db files to cleanup

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
6 weeks ago  core145: remove converted urlfilter database
Arne Fitzenreiter [Sat, 30 May 2020 17:33:40 +0000 (17:33 +0000)] 
core145: remove converted urlfilter database

to force a rebuild with the new db.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
6 weeks ago  netatalk: Add krb5 as a dependency
Michael Tremer [Thu, 28 May 2020 19:00:47 +0000 (19:00 +0000)] 
netatalk: Add krb5 as a dependency

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>