ipfire-2.x.git
12 days agoMerge remote-tracking branch 'origin/next' core135 master
Arne Fitzenreiter [Fri, 9 Aug 2019 21:55:36 +0000 (23:55 +0200)] 
Merge remote-tracking branch 'origin/next'

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
12 days agoclose core135
Arne Fitzenreiter [Fri, 9 Aug 2019 21:50:15 +0000 (23:50 +0200)] 
close core135

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
12 days agokernel: update to 4.14.138
Arne Fitzenreiter [Fri, 9 Aug 2019 21:47:55 +0000 (23:47 +0200)] 
kernel: update to 4.14.138

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
13 days agodhcpcd: add noip4ll parameter to config
Arne Fitzenreiter [Fri, 9 Aug 2019 10:31:46 +0000 (12:31 +0200)] 
dhcpcd: add noip4ll parameter to config

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
13 days agoinitskripts: smt: hide error on cpu's that not support smt at all
Arne Fitzenreiter [Fri, 9 Aug 2019 06:14:29 +0000 (08:14 +0200)] 
initskripts: smt: hide error on cpu's that not support smt at all

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
13 days agopartresize: check for apu only if dmi is present
Arne Fitzenreiter [Fri, 9 Aug 2019 06:02:19 +0000 (08:02 +0200)] 
partresize: check for apu only if dmi is present

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 weeks agosysctl: add seperate sysctl-x86_64.conf and move x86_64 only parameters
Arne Fitzenreiter [Thu, 8 Aug 2019 07:30:49 +0000 (09:30 +0200)] 
sysctl: add seperate sysctl-x86_64.conf and move x86_64 only parameters

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 weeks agocore135: add updated leds initskript to updater
Arne Fitzenreiter [Wed, 7 Aug 2019 20:56:49 +0000 (20:56 +0000)] 
core135: add updated leds initskript to updater

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 weeks agocore135: add u-boot changes to updater
Arne Fitzenreiter [Wed, 7 Aug 2019 20:53:58 +0000 (20:53 +0000)] 
core135: add u-boot changes to updater

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 weeks agocore135: add missing kernel rootfiles
Arne Fitzenreiter [Wed, 7 Aug 2019 20:52:50 +0000 (20:52 +0000)] 
core135: add missing kernel rootfiles

2 weeks agocore135: add kernel to updater
Arne Fitzenreiter [Wed, 7 Aug 2019 20:46:07 +0000 (20:46 +0000)] 
core135: add kernel to updater

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 weeks agokernel: update to 4.14.137
Arne Fitzenreiter [Wed, 7 Aug 2019 20:38:25 +0000 (20:38 +0000)] 
kernel: update to 4.14.137

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 weeks agoclamav: update to 0.101.3
Arne Fitzenreiter [Wed, 7 Aug 2019 20:16:46 +0000 (22:16 +0200)] 
clamav: update to 0.101.3

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 weeks agosetup: add ignore to all no nic assigned errors
Arne Fitzenreiter [Tue, 6 Aug 2019 09:17:41 +0000 (09:17 +0000)] 
setup: add ignore to all no nic assigned errors

2 weeks agou-boot-friendlyarm: add u-boot for nanopi-r1 to boot from eMMC
Arne Fitzenreiter [Tue, 6 Aug 2019 04:32:22 +0000 (04:32 +0000)] 
u-boot-friendlyarm: add u-boot for nanopi-r1 to boot from eMMC

this is a heavy patched version and should replaced when stock
u-boot is able to boot from h3 eMMC.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 weeks agou-boot: enable boot from additional mmc device
Arne Fitzenreiter [Sun, 4 Aug 2019 08:54:50 +0000 (08:54 +0000)] 
u-boot: enable boot from additional mmc device

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 weeks agou-boot: switch default sunxi dtb to nanopi-r1
Arne Fitzenreiter [Thu, 1 Aug 2019 07:22:04 +0000 (07:22 +0000)] 
u-boot: switch default sunxi dtb to nanopi-r1

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 weeks agoled initskript: add nanopi-r1
Arne Fitzenreiter [Thu, 1 Aug 2019 07:18:20 +0000 (07:18 +0000)] 
led initskript: add nanopi-r1

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 weeks agopartresize: add copy of broadcom firmware settings for nanopi-r1
Arne Fitzenreiter [Thu, 1 Aug 2019 07:09:34 +0000 (07:09 +0000)] 
partresize: add copy of broadcom firmware settings for nanopi-r1

I added this to partresize like the APU scon enable because this
is the only script that runs on flashimage at first boot only and
remount root writeable.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 weeks agorpi-firmware: create copy of RPI3 brcm 43430 configfile.
Arne Fitzenreiter [Wed, 31 Jul 2019 11:03:33 +0000 (11:03 +0000)] 
rpi-firmware: create copy of RPI3 brcm 43430 configfile.

the AP21xx need a different config so store the rpi version as backup.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 weeks agokernel: remove old modules folder before kernel build
Arne Fitzenreiter [Tue, 30 Jul 2019 18:28:57 +0000 (18:28 +0000)] 
kernel: remove old modules folder before kernel build

the build fails at creating source symlinks for external
modules build if it already exists.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 weeks agokernel: update arm-multi patchset
Arne Fitzenreiter [Tue, 30 Jul 2019 18:24:09 +0000 (18:24 +0000)] 
kernel: update arm-multi patchset

this add FriendlyElec nanopi-r1 devicetree file.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 weeks agopcenginges-firmware: skip build on arm
Arne Fitzenreiter [Wed, 24 Jul 2019 10:37:10 +0000 (12:37 +0200)] 
pcenginges-firmware: skip build on arm

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 weeks agobird: Update to 2.0.4
Michael Tremer [Mon, 22 Jul 2019 20:11:44 +0000 (21:11 +0100)] 
bird: Update to 2.0.4

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agopcengines-firmware: rootfile update
Arne Fitzenreiter [Wed, 17 Jul 2019 15:19:01 +0000 (17:19 +0200)] 
pcengines-firmware: rootfile update

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 weeks agopcengines-firmware: update to 4.9.0.7
Arne Fitzenreiter [Wed, 17 Jul 2019 15:16:25 +0000 (17:16 +0200)] 
pcengines-firmware: update to 4.9.0.7

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 weeks agoiperf3: update to 3.7
Arne Fitzenreiter [Wed, 17 Jul 2019 11:15:33 +0000 (13:15 +0200)] 
iperf3: update to 3.7

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 weeks agoiperf: update to 2.0.13
Arne Fitzenreiter [Wed, 17 Jul 2019 11:15:01 +0000 (13:15 +0200)] 
iperf: update to 2.0.13

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 weeks agoinitskripts: fix i586 rootfile
Arne Fitzenreiter [Wed, 17 Jul 2019 11:12:46 +0000 (13:12 +0200)] 
initskripts: fix i586 rootfile

5 weeks agounbound: rework dns-forwader handling
Arne Fitzenreiter [Tue, 16 Jul 2019 09:14:41 +0000 (11:14 +0200)] 
unbound: rework dns-forwader handling

add check if red interface has an IPv4 address before test the servers at
red up and simply remove forwarders at down process.

This also fix the hung at dhcpd shutdown.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 weeks agounbound-dhcp-leases-bridge: handle PTR generation parameter
Peter Müller [Sun, 14 Jul 2019 14:38:00 +0000 (14:38 +0000)] 
unbound-dhcp-leases-bridge: handle PTR generation parameter

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reported-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agounbound: update root.hints to 2019070301
Arne Fitzenreiter [Sun, 14 Jul 2019 05:45:51 +0000 (07:45 +0200)] 
unbound: update root.hints to 2019070301

IPv4 of server B has changed. Other changes are whitespace only.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
6 weeks agocore135: Ship updated squid
Michael Tremer [Tue, 9 Jul 2019 08:54:55 +0000 (09:54 +0100)] 
core135: Ship updated squid

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks agosquid: Update to 4.8
Matthias Fischer [Wed, 10 Jul 2019 12:20:22 +0000 (14:20 +0200)] 
squid: Update to 4.8

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks agoCore Update 135: ship updated tzdata
Peter Müller [Sat, 6 Jul 2019 09:34:00 +0000 (09:34 +0000)] 
Core Update 135: ship updated tzdata

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks agocore135: Ship updated sysctl.conf
Michael Tremer [Thu, 4 Jul 2019 10:21:42 +0000 (11:21 +0100)] 
core135: Ship updated sysctl.conf

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks agosysctl: improve KASLR effectiveness for mmap
Peter Müller [Thu, 4 Jul 2019 19:15:00 +0000 (19:15 +0000)] 
sysctl: improve KASLR effectiveness for mmap

By feeding more random bits into mmap allocation, the
effectiveness of KASLR will be improved, making attacks
trying to bypass address randomisation more difficult.

Changed sysctl values are:

vm.mmap_rnd_bits = 32 (default: 28)
vm.mmap_rnd_compat_bits = 16 (default: 8)

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks agounbound: check if red/iface exists before read it
Arne Fitzenreiter [Thu, 4 Jul 2019 18:42:47 +0000 (20:42 +0200)] 
unbound: check if red/iface exists before read it

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
7 weeks agotzdata: update to 2019b
Peter Müller [Thu, 4 Jul 2019 17:51:00 +0000 (17:51 +0000)] 
tzdata: update to 2019b

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks agocore135: Ship forgotten ddns package
Michael Tremer [Wed, 3 Jul 2019 13:57:04 +0000 (14:57 +0100)] 
core135: Ship forgotten ddns package

This was updated before, but I forgot to ship it in the updater.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks agocore135: Ship cloud-init changes
Michael Tremer [Mon, 1 Jul 2019 06:55:53 +0000 (07:55 +0100)] 
core135: Ship cloud-init changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks agoRevert "Generate a VHD image"
Michael Tremer [Mon, 1 Jul 2019 06:54:19 +0000 (07:54 +0100)] 
Revert "Generate a VHD image"

This reverts commit ee0e3beb39da302fb9735b8b3846ee675192b350.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks agoazure: Do not drop last byte of MAC addresses
Michael Tremer [Fri, 21 Jun 2019 03:54:54 +0000 (04:54 +0100)] 
azure: Do not drop last byte of MAC addresses

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks agoEnable serial console on all Azure instances
Michael Tremer [Sun, 16 Jun 2019 12:39:07 +0000 (13:39 +0100)] 
Enable serial console on all Azure instances

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks agocloud-init: Move detection functions into initscript function library
Michael Tremer [Sat, 15 Jun 2019 10:22:28 +0000 (11:22 +0100)] 
cloud-init: Move detection functions into initscript function library

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks agoGenerate a VHD image
Michael Tremer [Thu, 13 Jun 2019 11:18:52 +0000 (12:18 +0100)] 
Generate a VHD image

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks agocloud-init: Import experimental configuration script for Azure
Michael Tremer [Fri, 14 Jun 2019 16:28:39 +0000 (16:28 +0000)] 
cloud-init: Import experimental configuration script for Azure

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks agocloud-init: Execute setup script for Azure if needed
Michael Tremer [Fri, 14 Jun 2019 15:42:09 +0000 (15:42 +0000)] 
cloud-init: Execute setup script for Azure if needed

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks agocloud-init: Add function to detect if we are running on Azure
Michael Tremer [Fri, 14 Jun 2019 15:31:35 +0000 (15:31 +0000)] 
cloud-init: Add function to detect if we are running on Azure

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks agoRename AWS initscript to cloud-init
Michael Tremer [Fri, 14 Jun 2019 15:25:40 +0000 (15:25 +0000)] 
Rename AWS initscript to cloud-init

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks agoflash-image: Align image to 1MB boundary
Michael Tremer [Fri, 21 Jun 2019 03:54:47 +0000 (04:54 +0100)] 
flash-image: Align image to 1MB boundary

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks agocore135: Ship updated packages/files
Michael Tremer [Mon, 1 Jul 2019 06:52:57 +0000 (07:52 +0100)] 
core135: Ship updated packages/files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks agoStart Core Update 135
Michael Tremer [Mon, 1 Jul 2019 06:50:48 +0000 (07:50 +0100)] 
Start Core Update 135

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks agokernel: update to 4.14.131
Arne Fitzenreiter [Thu, 27 Jun 2019 16:18:41 +0000 (18:18 +0200)] 
kernel: update to 4.14.131

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
8 weeks agonettle: Update to 3.5.1
Matthias Fischer [Fri, 28 Jun 2019 08:23:41 +0000 (10:23 +0200)] 
nettle: Update to 3.5.1

For details see:
https://git.lysator.liu.se/nettle/nettle/blob/master/ChangeLog

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
8 weeks agodhcpcd: Update to 7.2.3
Matthias Fischer [Thu, 27 Jun 2019 20:07:40 +0000 (22:07 +0200)] 
dhcpcd: Update to 7.2.3

For details see: Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
https://roy.marples.name/blog/dhcpcd-7-2-3-released

"Minor update with the following changes:

   OpenBSD: compiles again
   BSD: Check RTM lengths incase of kernel issues
   DHCP6: Don't stop even when last router goes away
   DHCP6: Fix inform from RA
   hostname: Fix short hostname check"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks agounbound: use nic carrier instead of /var/ipfire/red/active
Arne Fitzenreiter [Sat, 29 Jun 2019 09:36:49 +0000 (11:36 +0200)] 
unbound: use nic carrier instead of /var/ipfire/red/active

This speed boot with static settings and no link and
dhcp on intel nics if the mtu is changed by the dhcp lease
because the nic loose the carrier and restart the dhcp action
at mtu set.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
7 weeks agokernel: update to 4.14.131
Arne Fitzenreiter [Thu, 27 Jun 2019 16:18:41 +0000 (18:18 +0200)] 
kernel: update to 4.14.131

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
8 weeks agolinux: Fix rootfile to ship GeoIP modules
Michael Tremer [Mon, 24 Jun 2019 13:39:30 +0000 (14:39 +0100)] 
linux: Fix rootfile to ship GeoIP modules

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agointel-microcode: update to 20190618
Arne Fitzenreiter [Sat, 22 Jun 2019 18:59:32 +0000 (20:59 +0200)] 
intel-microcode: update to 20190618

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months agoMerge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
Arne Fitzenreiter [Sat, 22 Jun 2019 14:01:16 +0000 (16:01 +0200)] 
Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next

2 months agokernel: 4.14.129
Arne Fitzenreiter [Sat, 22 Jun 2019 14:00:37 +0000 (16:00 +0200)] 
kernel: 4.14.129

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months agofinish core134
Arne Fitzenreiter [Sat, 22 Jun 2019 06:47:55 +0000 (08:47 +0200)] 
finish core134

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months agomc: Update to 4.8.23
Matthias Fischer [Mon, 24 Jun 2019 11:07:32 +0000 (13:07 +0200)] 
mc: Update to 4.8.23

For details see:
http://midnight-commander.org/wiki/NEWS-4.8.23

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoUpdate contributors
Michael Tremer [Fri, 21 Jun 2019 00:39:42 +0000 (01:39 +0100)] 
Update contributors

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agocore134: Ship updated firewall initscript
Michael Tremer [Fri, 21 Jun 2019 00:38:59 +0000 (01:38 +0100)] 
core134: Ship updated firewall initscript

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agocore134: Ship updated bind
Michael Tremer [Fri, 21 Jun 2019 00:38:22 +0000 (01:38 +0100)] 
core134: Ship updated bind

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agobind: Update to 9.11.8
Matthias Fischer [Fri, 21 Jun 2019 12:31:26 +0000 (14:31 +0200)] 
bind: Update to 9.11.8

For Details see:
https://downloads.isc.org/isc/bind9/9.11.8/RELEASE-NOTES-bind-9.11.8.html

"Security Fixes
    A race condition could trigger an assertion failure when a large number
    of incoming packets were being rejected.
    This flaw is disclosed in CVE-2019-6471. [GL #942]"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoBUG12015: Redirecting to Captive portal does not work after IPFire restart
Alexander Marx [Thu, 20 Jun 2019 05:04:30 +0000 (07:04 +0200)] 
BUG12015: Redirecting to Captive portal does not work after IPFire restart

When the Captive portal is enabled, the needed firewall rules are applied. But when restarting IPFire,
the rules are not applied because there is no call to do so.
Added call to captivectrl in the initscrip 'firewall'.

Fixes: #12015

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agocore134: ship core133 late fixes again
Arne Fitzenreiter [Fri, 21 Jun 2019 09:58:58 +0000 (11:58 +0200)] 
core134: ship core133 late fixes again

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months agoMerge remote-tracking branch 'origin/master' into next
Arne Fitzenreiter [Thu, 20 Jun 2019 07:35:59 +0000 (09:35 +0200)] 
Merge remote-tracking branch 'origin/master' into next

2 months agokernel: remove RPi DMA allignment revert
Arne Fitzenreiter [Thu, 20 Jun 2019 07:33:17 +0000 (09:33 +0200)] 
kernel: remove RPi DMA allignment revert

TODO: test if RPi works without now or if we need to
revert more of the allignment patches.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months agoKernel: update to 4.14.128
Arne Fitzenreiter [Wed, 19 Jun 2019 19:01:29 +0000 (21:01 +0200)] 
Kernel: update to 4.14.128

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months agocore134: Ship updated vim
Michael Tremer [Tue, 18 Jun 2019 21:35:23 +0000 (22:35 +0100)] 
core134: Ship updated vim

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoRemove old vim 7.4 data
Matthias Fischer [Wed, 19 Jun 2019 11:24:06 +0000 (13:24 +0200)] 
Remove old vim 7.4 data

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agovim: Update to 8.1
Matthias Fischer [Wed, 19 Jun 2019 11:24:05 +0000 (13:24 +0200)] 
vim: Update to 8.1

Please note:
If this gets merged, the update process must deal with the otherwise remaining
files in '/usr/share/vim74' (~16 MB).

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoUpdate French translation
Stéphane Pautrel [Tue, 18 Jun 2019 19:01:23 +0000 (20:01 +0100)] 
Update French translation

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agocore134: add kernel to updater
Arne Fitzenreiter [Tue, 18 Jun 2019 16:49:46 +0000 (18:49 +0200)] 
core134: add kernel to updater

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months agoMerge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
Arne Fitzenreiter [Tue, 18 Jun 2019 16:42:02 +0000 (18:42 +0200)] 
Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next

2 months agokernel: update to 4.14.127
Arne Fitzenreiter [Tue, 18 Jun 2019 16:41:19 +0000 (18:41 +0200)] 
kernel: update to 4.14.127

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months agolinux-pae: fix grub.conf creation on pv machines
Arne Fitzenreiter [Tue, 18 Jun 2019 12:36:02 +0000 (14:36 +0200)] 
linux-pae: fix grub.conf creation on pv machines

on some systems it seems that grub2 and it config also exist.

2 months agocore134: Ship changed general-functions.pl
Michael Tremer [Tue, 18 Jun 2019 08:13:21 +0000 (09:13 +0100)] 
core134: Ship changed general-functions.pl

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoBUG12070: Its not possible to use the underscore in email addresses
Alexander Marx [Tue, 18 Jun 2019 07:55:35 +0000 (09:55 +0200)] 
BUG12070: Its not possible to use the underscore in email addresses

Using IPFire's Mailservice does not allow to enter a senders mail address with the underscore.
The function used to verify that is used from general-functions.pl.
Now the function 'validemail' allows the underscore in the address.

Fixes: #12070

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agocore134: Ship updated unbound
Michael Tremer [Mon, 17 Jun 2019 16:40:37 +0000 (17:40 +0100)] 
core134: Ship updated unbound

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agounbound: Update to 1.9.2
Matthias Fischer [Mon, 17 Jun 2019 19:11:00 +0000 (21:11 +0200)] 
unbound: Update to 1.9.2

For details see:
https://nlnetlabs.nl/pipermail/unbound-users/2019-June/011632.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agovpnmain.cgi: Fix writing ESP settings for PFS ciphers v2.23-core133
Peter Müller [Mon, 17 Jun 2019 14:08:00 +0000 (14:08 +0000)] 
vpnmain.cgi: Fix writing ESP settings for PFS ciphers

The changes introduced due to #12091 caused IPsec ESP
to be invalid if PFS ciphers were selected. Code has
to read "!$pfs" instead of just "$pfs", as it should trigger
for ciphers _without_ Perfect Forward Secrecy.

Fixes #12099

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoMerge branch 'master' into next
Arne Fitzenreiter [Sat, 15 Jun 2019 16:09:06 +0000 (18:09 +0200)] 
Merge branch 'master' into next

2 months agovpnmain.cgi: remove wrongh "shift-space"
Arne Fitzenreiter [Sat, 15 Jun 2019 15:38:47 +0000 (17:38 +0200)] 
vpnmain.cgi: remove wrongh "shift-space"

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months agohyperscan: increase min RAM per buildprocess to 1GB
Arne Fitzenreiter [Fri, 14 Jun 2019 20:09:47 +0000 (22:09 +0200)] 
hyperscan: increase min RAM per buildprocess to 1GB

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months agocore133: Ship jansson in update
Michael Tremer [Fri, 14 Jun 2019 05:22:52 +0000 (06:22 +0100)] 
core133: Ship jansson in update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agofinish core133
Arne Fitzenreiter [Wed, 12 Jun 2019 17:57:21 +0000 (19:57 +0200)] 
finish core133

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months agocore134: Ship updated OpenSSL
Michael Tremer [Wed, 12 Jun 2019 16:25:13 +0000 (17:25 +0100)] 
core134: Ship updated OpenSSL

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoOpenSSL: lower priority for CBC ciphers in default cipherlist
Peter Müller [Mon, 10 Jun 2019 18:55:00 +0000 (18:55 +0000)] 
OpenSSL: lower priority for CBC ciphers in default cipherlist

In order to avoid CBC ciphers as often as possible (they contain
some known vulnerabilities), this changes the OpenSSL default
ciphersuite to:

TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(128) Mac=SHA256
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
CAMELLIA256-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
CAMELLIA128-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1

Since TLS servers usually override the clients' preference with their
own, this will neither break existing setups nor introduce huge
differences in the wild. Unfortunately, CBC ciphers cannot be disabled
at all, as they are still used by popular web sites.

TLS 1.3 ciphers will be added implicitly and can be omitted in the
ciphersting. Chacha20/Poly1305 is preferred over AES-GCM due to missing
AES-NI support for the majority of installations reporting to Fireinfo
(see https://fireinfo.ipfire.org/processors for details, AES-NI support
is 28.22% at the time of writing).

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoStart Core Update 134
Michael Tremer [Wed, 12 Jun 2019 16:18:23 +0000 (17:18 +0100)] 
Start Core Update 134

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agounbound: Make some zones type-transparent
Michael Tremer [Wed, 12 Jun 2019 16:14:28 +0000 (17:14 +0100)] 
unbound: Make some zones type-transparent

If we remove other records (like MX) from the response, we won't
be able to send mail to those hosts any more.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agounbound: Add yandex.com to safe search feature
Michael Tremer [Wed, 12 Jun 2019 16:11:32 +0000 (17:11 +0100)] 
unbound: Add yandex.com to safe search feature

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agounbound: safe search: Resolve hosts at startup
Michael Tremer [Thu, 13 Jun 2019 10:12:07 +0000 (11:12 +0100)] 
unbound: safe search: Resolve hosts at startup

unbound is not able to expand CNAMEs in local-data. Therefore we
have to do it manually at startup.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoTor: fix permissions after updating, too
Peter Müller [Mon, 10 Jun 2019 19:02:00 +0000 (19:02 +0000)] 
Tor: fix permissions after updating, too

Fixes #12088

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reported-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agocore133: Ship updated wpa_supplicant
Michael Tremer [Tue, 11 Jun 2019 06:00:38 +0000 (07:00 +0100)] 
core133: Ship updated wpa_supplicant

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agowpa_supplicant: Update to 2.8
Matthias Fischer [Tue, 11 Jun 2019 13:32:15 +0000 (15:32 +0200)] 
wpa_supplicant: Update to 2.8

For details see:
https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>