Michael Tremer [Fri, 7 Aug 2020 11:50:00 +0000 (11:50 +0000)]
make.sh: Remove -mindirect-branch=thunk and -mfunction-return=thunk as default
I cannot find any evidence that this is helpful and no other
distribution has this as default. Packages that are vulnerable to these
attacks (i.e. the kernel) add these flags as appropriate automatically.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 12 Aug 2020 09:18:44 +0000 (09:18 +0000)]
bacula: Fix build with GCC 10
GCC 10 aborts compilation when numbers are (potentially) out of range
when cast from one type to another:
fstype.c: In function 'bool fstype(FF_PKT*, char*, int)':
fstype.c:207:12: error: narrowing conversion of '4283649346' from
'unsigned int' to 'int' [-Wnarrowing]
207 | case 0xFF534D42: fstype = "cifs"; break; /*
CIFS_MAGIC_NUMBER */
| ^~~~~~~~~~
fstype.c:216:12: error: narrowing conversion of '4187351113' from
'unsigned int' to 'int' [-Wnarrowing]
216 | case 0xf995e849: fstype = "hpfs"; break; /*
HPFS_SUPER_MAGIC */
| ^~~~~~~~~~
fstype.c:217:12: error: narrowing conversion of '2508478710' from
'unsigned int' to 'int' [-Wnarrowing]
217 | case 0x958458f6: fstype = "hugetlbfs"; break; /*
HUGETLBFS_MAGIC */
| ^~~~~~~~~~
fstype.c:234:12: error: narrowing conversion of '2768370933' from
'unsigned int' to 'int' [-Wnarrowing]
234 | case 0xa501FCF5: fstype = "vxfs"; break;
| ^~~~~~~~~~
fstype.c:237:12: error: narrowing conversion of '2435016766' from
'unsigned int' to 'int' [-Wnarrowing]
237 | case 0x9123683e: fstype = "btrfs"; break;
| ^~~~~~~~~~
Does nobody build this for 32 bit any more?
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 11 Aug 2020 15:56:43 +0000 (15:56 +0000)]
spandsp: Update to 0.0.6
This package - for some reason - does not build on i586 with
the latest version of glibc. The reason is that MMX instructions
are being used which are not allowed on i586.
However, since the assembler has not been changed, this should
have been caught before. Weird.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sat, 2 May 2020 09:52:25 +0000 (11:52 +0200)]
de.pl: fix misleading translation
The 'geoip' key is being used in the firewall.cgi for configuring GeoIP
as a source or destination. "konfigurieren" is misleading in this
context.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sat, 25 Jul 2020 19:08:37 +0000 (19:08 +0000)]
network-functions.pl: add missing unit tests for changed, network membership procedure
Cc: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Cc: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sat, 25 Jul 2020 19:08:07 +0000 (19:08 +0000)]
network-functions.pl: fix network membership test
This is based on an orphaned patch provided by Tim FitzGeorge and
_finally_ fixes incorrect network membership calculations. Those were
a usability pain in the ass deluxe, as they rendered some combinations
of configuring OpenVPN and IPsec services unusable.
Fixes: #11235
Fixes: #12263
Cc: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Cc: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 28 Jul 2020 18:17:43 +0000 (18:17 +0000)]
bacula: Correction to 9.6.5
- Corrected Download URL to remove filename from the end of it. This is defined separately.
- Corrected to include install command for backup file which was missed in previous patch.
- Added backup file to rootfiles list.
Signed-off-by: Adolf Belka<ahb.ipfire@gmail.com>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Tue, 28 Jul 2020 17:18:19 +0000 (17:18 +0000)]
core148: Do not update the location database straight away
This process takes a long time and stalls the update process.
Since the cronjob is being called once an hour, all systems will
very quickly pull a recent database which will then be extracted
in the background not disrupting the Core Update process.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Sat, 11 Jul 2020 10:11:02 +0000 (12:11 +0200)]
convert-to-location: Regenerate firewall chains.
The firewall chain for location based rules has been renamed to
LOCATIONBLOCK and therefore the firewall needs to be restarted and
the chains regenerated.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Rationale: "authenticate_ip_ttl" can be safely used as it does not
introduce an authentication bypass, but saves relationships between
successfully authenticated users and their IP addresses.
"max_user_ip" depends on such an authentication cache, so credential
sharing between several IPs (on purpose or by chance) can be detected
properly. This is useful in case of compromised machines and/or
attackers in internal networks having stolen proxy authentication
credentials.
Quoted from squid.conf.documented or man 5 squid.conf:
> acl aclname max_user_ip [-s] number
> # This will be matched when the user attempts to log in from more
> # than <number> different ip addresses. The authenticate_ip_ttl
> # parameter controls the timeout on the ip entries. [fast]
> # If -s is specified the limit is strict, denying browsing
> # from any further IP addresses until the ttl has expired. Without
> # -s Squid will just annoy the user by "randomly" denying requests.
> # (the counter is reset each time the limit is reached and a
> # request is denied)
> # NOTE: in acceleration mode or where there is mesh of child proxies,
> # clients may appear to come from multiple addresses if they are
> # going through proxy farms, so a limit of 1 may cause user problems.
Fixes: #11994
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
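The credential-sharing signal described in the rationale above can also be checked after the fact from proxy logs. The following is an added example, not code from the IPFire commit or from Squid, and it only approximates the user-to-IP grouping rather than reproducing Squid's implementation. It assumes Squid's native access.log layout, time-ordered lines, and a 900-second window as a stand-in for authenticate_ip_ttl; the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client action/code bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1596800000.100 120 10.0.0.5 TCP_MISS/200 1520 GET http://example.org/ alice HIER_DIRECT/192.0.2.10 text/html
1596800010.200 95 10.0.0.7 TCP_MISS/200 830 GET http://example.org/a bob HIER_DIRECT/192.0.2.10 text/html
1596800030.000 2 10.0.0.9 TCP_DENIED/407 4100 GET http://example.org/ - HIER_NONE/- text/html
1596800060.300 110 10.0.0.9 TCP_MISS/200 1520 GET http://example.org/ alice HIER_DIRECT/192.0.2.10 text/html
1596802010.400 101 10.0.0.8 TCP_MISS/200 830 GET http://example.org/b bob HIER_DIRECT/192.0.2.10 text/html
"""


def parse_line(line):
    """Return (timestamp, client_ip, user), or None for unusable lines."""
    fields = line.split()
    if len(fields) < 10:
        return None
    try:
        ts = float(fields[0])
    except ValueError:
        return None
    client, user = fields[2], fields[7]
    if user == "-":  # request carried no authenticated user name
        return None
    return ts, client, user


def shared_credentials(log_text, max_ips=1, ttl=900):
    """Map each user seen from more than max_ips addresses within ttl
    seconds to the sorted list of addresses involved."""
    last_seen = defaultdict(dict)  # user -> {client_ip: last timestamp}
    flagged = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, user = rec
        ips = last_seen[user]
        ips[client] = ts
        # Drop addresses whose last request is older than the window.
        for ip in [ip for ip, seen in ips.items() if ts - seen > ttl]:
            del ips[ip]
        if len(ips) > max_ips:
            flagged[user].update(ips)
    return {user: sorted(addrs) for user, addrs in flagged.items()}


if __name__ == "__main__":
    print(shared_credentials(SAMPLE_LOG))
```

With the default window only alice is reported; bob's second address appears after the first has aged out, which mirrors how a short TTL lets a user move between machines without tripping the limit.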