ipfire-2.x.git
3 years agoMerge remote-tracking branch 'origin/next'
Arne Fitzenreiter [Sat, 27 Jan 2018 18:14:47 +0000 (19:14 +0100)] 
Merge remote-tracking branch 'origin/next'

3 years agofinish core118
Arne Fitzenreiter [Sat, 27 Jan 2018 18:13:14 +0000 (19:13 +0100)] 
finish core118

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 years agoclamav: Update to 0.99.3
Matthias Fischer [Fri, 26 Jan 2018 16:43:24 +0000 (17:43 +0100)] 
clamav: Update to 0.99.3

Excerpt from 'README':

"ClamAV 0.99.3 is a hotfix release to patch a set of vulnerabilities.

- fixes for the following CVE's: CVE-2017-6418, CVE-2017-6420,
  CVE-2017-12374, CVE-2017-12375, CVE-2017-12376, CVE-2017-12377,
  CVE-2017-12378, CVE-2017-12379, CVE-2017-12380.
- also included are 2 minor fixes to properly detect openssl install
  locations on FreeBSD 11, and prevent false warnings about zlib 1.2.1#
  version numbers."

For details see:
http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agolibvirt: update to version 4.0
Jonatan Schlag [Fri, 19 Jan 2018 18:29:03 +0000 (19:29 +0100)] 
libvirt: update to version 4.0

This version works for me. Some others do not ..

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agopython3-libvirt: drop this package
Jonatan Schlag [Fri, 19 Jan 2018 18:29:02 +0000 (19:29 +0100)] 
python3-libvirt: drop this package

Since it is some work to update this package accordingly to the libvirt
version  and facing the fact that I know nobody who using this I suggest to drop this. If we
need this later we can just revert the commit.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoqemu: update to version 2.11
Jonatan Schlag [Fri, 19 Jan 2018 18:29:01 +0000 (19:29 +0100)] 
qemu: update to version 2.11

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agospice: update to version 0.14
Jonatan Schlag [Fri, 19 Jan 2018 18:29:00 +0000 (19:29 +0100)] 
spice: update to version 0.14

For changelog see:
https://cgit.freedesktop.org/spice/spice/tree/NEWS

This update alos fixes: CVE-2016-9577, CVE-2016-9578, CVE-2017-7506

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agospice-protocol: update to version 0.12.13
Jonatan Schlag [Fri, 19 Jan 2018 18:28:59 +0000 (19:28 +0100)] 
spice-protocol: update to version 0.12.13

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoopus: update to version 1.2.1
Jonatan Schlag [Fri, 19 Jan 2018 18:28:58 +0000 (19:28 +0100)] 
opus: update to version 1.2.1

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agopyparsing: update to version 2.2.0
Jonatan Schlag [Fri, 19 Jan 2018 18:28:57 +0000 (19:28 +0100)] 
pyparsing: update to version 2.2.0

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoRevert "Add Intel microcode updates from Jan 2018"
Michael Tremer [Wed, 24 Jan 2018 16:08:22 +0000 (16:08 +0000)] 
Revert "Add Intel microcode updates from Jan 2018"

This reverts commit d404b1dba2a357e3683dbf62b95cefc41075c4ef.

Intel has pulled these microcode updates because of
random system reboots and systems becoming unstable.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoRevert "core118: Ship microcode updates for Intel processors"
Michael Tremer [Wed, 24 Jan 2018 16:07:58 +0000 (16:07 +0000)] 
Revert "core118: Ship microcode updates for Intel processors"

This reverts commit c015d425d177a18927f56cebd0d1b4d29a827d8b.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agocore118: Ship updated wget
Michael Tremer [Wed, 24 Jan 2018 16:07:11 +0000 (16:07 +0000)] 
core118: Ship updated wget

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agowget: Update to 1.9.4
Matthias Fischer [Wed, 24 Jan 2018 07:32:24 +0000 (08:32 +0100)] 
wget: Update to 1.9.4

Excerpts from changelog (Details => http://git.savannah.gnu.org/cgit/wget.git):

"Switch off compression by default

Gzip compression has a number of bugs which need to be ironed out before we can support it
by default. Some of these stem from a misunderstanding of the HTTP spec, but a lot of them
are also due to many web servers not
being compliant with RFC 7231.

With this commit, I am marking GZip compression support as experimental
in GNU Wget pending further investigation and the addition of tests.

* src/http.c (gethttp): Fix bug that prevented all files from being decompressed

* src/host.c (sufmatch): Fix to domain matching

Replace HTTP urls with HTTPS where valid

Avoid redirecting output to file when tcgetpgrp fails
* src/log.c (check_redirect_output): tcgetpgrp can return -1 (ENOTTY),
be sure to check whether a valid controlling terminal exists before
redirecting. (Fixes: #51181)

Fix heap overflow in HTTP protocol handling (CVE-2017-13090)

Fix stack overflow in HTTP protocol handling (CVE-2017-13089)"

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agonano: Update to 2.9.2
Matthias Fischer [Wed, 24 Jan 2018 07:10:42 +0000 (08:10 +0100)] 
nano: Update to 2.9.2

For details see:
https://www.nano-editor.org/news.php

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agocore118: Ship updated sed
Michael Tremer [Wed, 24 Jan 2018 16:06:32 +0000 (16:06 +0000)] 
core118: Ship updated sed

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agosed: Update to 4.4
Matthias Fischer [Tue, 23 Jan 2018 21:18:48 +0000 (22:18 +0100)] 
sed: Update to 4.4

Hi,

'sed' hasn't been updated in IPFire for a few years - I thought it could
be worthy an update:

Excerpt from 'NEWS':

"* Noteworthy changes in release 4.4 (2017-02-03) [stable]

  sed could segfault when invoked with specific combination of newlines
  in the input and regex pattern. [Bug introduced in sed-4.3]"

"Noteworthy changes" from release 4.2.2 to 4.3 can be found in 'NEWS' file, too much
to list them all...

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agocore118: Ship LZ4
Michael Tremer [Tue, 23 Jan 2018 13:21:36 +0000 (13:21 +0000)] 
core118: Ship LZ4

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoLZ4: New compression library.
Erik Kapfer [Mon, 22 Jan 2018 18:04:59 +0000 (19:04 +0100)] 
LZ4: New compression library.

New lossless data compression algorithm.

Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agocore118: Ship updated squid
Michael Tremer [Tue, 23 Jan 2018 13:09:37 +0000 (13:09 +0000)] 
core118: Ship updated squid

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agosquid 3.5.27: Patch for SA 2018:2
Matthias Fischer [Mon, 22 Jan 2018 16:49:52 +0000 (17:49 +0100)] 
squid 3.5.27: Patch for SA 2018:2

As announced, here is the second patch for 'squid 3.5.27'.

For details about this and the previous patch (2018_1) regarding "ESI Response
processing" and "HTTP message processing", see:

http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-announce-ADVISORY-SQUID-2018-1-Denial-of-Service-issue-in-ESI-Response-processing-tp4684618.html

http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-announce-ADVISORY-SQUID-2018-2-Denial-of-Service-issue-in-HTTP-Message-processing-td4684617.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agosquid 3.5.27: Patch for SA 2018:1
Matthias Fischer [Sat, 20 Jan 2018 17:50:51 +0000 (18:50 +0100)] 
squid 3.5.27: Patch for SA 2018:1

http://www.squid-cache.org/Versions/v3/3.5/changesets/

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agofirewall: Suppress warning about uninitialized array in GeoIP code
Michael Tremer [Mon, 22 Jan 2018 13:20:04 +0000 (13:20 +0000)] 
firewall: Suppress warning about uninitialized array in GeoIP code

Fixes #11597

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agopoppler is now linking against glib2
Michael Tremer [Mon, 22 Jan 2018 13:12:56 +0000 (13:12 +0000)] 
poppler is now linking against glib2

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoship updated CA bundle
Peter Müller [Thu, 18 Jan 2018 14:51:31 +0000 (15:51 +0100)] 
ship updated CA bundle

Add new generated CA bundle files to updater and remove
accidentally inserted blank line at the end of certdata.txt .

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoupdate ca-certificates CA bundle
Peter Müller [Thu, 18 Jan 2018 14:51:26 +0000 (15:51 +0100)] 
update ca-certificates CA bundle

Update the CA certificates list to what Mozilla NSS ships currently.

The original file can be retrieved from: https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agocore118: Ship updated bind package
Michael Tremer [Sat, 20 Jan 2018 15:34:56 +0000 (15:34 +0000)] 
core118: Ship updated bind package

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agobind: Update to 9.11.2-P1
Matthias Fischer [Wed, 17 Jan 2018 23:16:30 +0000 (00:16 +0100)] 
bind: Update to 9.11.2-P1

Fixes CVE-2017-3145 (https://kb.isc.org/article/AA-01542)

For details see:
http://ftp.isc.org/isc/bind9/9.11.2-P1/RELEASE-NOTES-bind-9.11.2-P1.html

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agosyslogdctrl: Fix compiler error and SEGV
Michael Tremer [Sat, 20 Jan 2018 14:51:40 +0000 (14:51 +0000)] 
syslogdctrl: Fix compiler error and SEGV

Fixes #11574

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoRevert "misc-progs: syslogdctrl: Fix data type of protocol variable"
Michael Tremer [Sat, 20 Jan 2018 14:45:10 +0000 (14:45 +0000)] 
Revert "misc-progs: syslogdctrl: Fix data type of protocol variable"

This reverts commit b269686f885757f5b251f04e50c3e87d2aebaf64.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agocore118: Ship updated unbound
Michael Tremer [Sat, 20 Jan 2018 14:38:56 +0000 (14:38 +0000)] 
core118: Ship updated unbound

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agounbound: Update to 1.6.8
Matthias Fischer [Fri, 19 Jan 2018 19:48:31 +0000 (20:48 +0100)] 
unbound: Update to 1.6.8

For details see:
http://www.unbound.net/download.html

Fixes CVE-2017-15105: vulnerability in the processing of wildcard synthesized NSEC records,
=> https://unbound.net/downloads/CVE-2017-15105.txt

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agocore118: Ship dmidecode
Michael Tremer [Sat, 20 Jan 2018 14:35:49 +0000 (14:35 +0000)] 
core118: Ship dmidecode

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agodmidecode: update to version 3.1
Jonatan Schlag [Fri, 19 Jan 2018 17:57:46 +0000 (18:57 +0100)] 
dmidecode: update to version 3.1

The removed patches are included in this version so there is no need
that we apply them.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agocore118: Ship updated glib2
Michael Tremer [Sun, 14 Jan 2018 15:45:10 +0000 (15:45 +0000)] 
core118: Ship updated glib2

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoglib: Fix rootfile
Michael Tremer [Sat, 13 Jan 2018 11:58:26 +0000 (11:58 +0000)] 
glib: Fix rootfile

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoglib2: Update to 2.54.3
Michael Tremer [Thu, 11 Jan 2018 16:44:54 +0000 (16:44 +0000)] 
glib2: Update to 2.54.3

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agocore118: Ship microcode updates for Intel processors
Michael Tremer [Sun, 14 Jan 2018 15:43:57 +0000 (15:43 +0000)] 
core118: Ship microcode updates for Intel processors

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agotor: Update to 0.3.2.9
Matthias Fischer [Wed, 10 Jan 2018 20:22:12 +0000 (21:22 +0100)] 
tor: Update to 0.3.2.9

For details see:
https://gitweb.torproject.org/tor.git/plain/ReleaseNotes?id=tor-0.3.2.9

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoAdd Intel microcode updates from Jan 2018
Jonatan Schlag [Sun, 14 Jan 2018 13:16:31 +0000 (14:16 +0100)] 
Add Intel microcode updates from Jan 2018

Add intel microcode to the distribution and configure dracut in a way
that the microcode is loaded early in the boot process.

Fixes #11590

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Acknowledged-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agocore118: Ship updated urlfilter.dat
Michael Tremer [Wed, 10 Jan 2018 16:55:46 +0000 (16:55 +0000)] 
core118: Ship updated urlfilter.dat

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agourlfilter.dat: Added Older/Newer links at top of page
Matthias Fischer [Tue, 26 Dec 2017 12:36:20 +0000 (13:36 +0100)] 
urlfilter.dat: Added Older/Newer links at top of page

Hi,

Triggered by:
https://forum.ipfire.org/viewtopic.php?f=4&t=19998#p112930

Added 'Older'/'Newer'-links for better page browsing.

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agocore118: Ship modified captive.cgi
Michael Tremer [Wed, 10 Jan 2018 16:44:53 +0000 (16:44 +0000)] 
core118: Ship modified captive.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoForgot to change language strings in captive.cgi
Matthias Fischer [Wed, 10 Jan 2018 16:04:56 +0000 (17:04 +0100)] 
Forgot to change language strings in captive.cgi

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agomdns-repeater: Stupid me has botched the rootfile
Michael Tremer [Wed, 10 Jan 2018 11:31:54 +0000 (11:31 +0000)] 
mdns-repeater: Stupid me has botched the rootfile

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agocore118: Ship updated hdparm
Michael Tremer [Tue, 9 Jan 2018 14:14:10 +0000 (14:14 +0000)] 
core118: Ship updated hdparm

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoUpdate translations
Michael Tremer [Tue, 9 Jan 2018 14:06:30 +0000 (14:06 +0000)] 
Update translations

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoFixed missing 'Captive' localization string for 'logs.dat'
Matthias Fischer [Tue, 9 Jan 2018 13:11:33 +0000 (14:11 +0100)] 
Fixed missing 'Captive' localization string for 'logs.dat'

Added 'Captive' localization string in 'de/en.pl'.

After a fresh install of Core 117, the system log shows a blank line
for 'Captive Portal' entries.

Deleted translation for 'Captive menu' and changed '30-network.menu' accordingly
to avoid duplicate translation strings.

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agohdparm: Update to 9.53
Matthias Fischer [Mon, 8 Jan 2018 16:55:05 +0000 (17:55 +0100)] 
hdparm: Update to 9.53

Changes from 9.52 to 9.53:

- Read Drive Capacity fixes from Iestyn Walters.
- SET MAX ADDRESS fixes from Tom Yan <tom.ty89@gmail.com>.
- added --security-prompt-for-password to --security-help output.
- fwdownload changes from Jihoon Lee.

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agocore118: Ship updated gzip
Michael Tremer [Tue, 9 Jan 2018 14:04:58 +0000 (14:04 +0000)] 
core118: Ship updated gzip

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agogzip: Update to 1.9
Matthias Fischer [Mon, 8 Jan 2018 17:14:30 +0000 (18:14 +0100)] 
gzip: Update to 1.9

Excerpt from 'NEWS':

"* Noteworthy changes in release 1.9 (2018-01-07) [stable]

** Bug fixes

  gzip -d -S SUFFIX file.SUFFIX would fail for any upper-case byte in SUFFIX.
  E.g., before, this command would fail:
    $ :|gzip > kT && gzip -d -S T kT
    gzip: kT: unknown suffix -- ignored
  [bug present since the beginning]

  When decompressing data in 'pack' format, gzip no longer mishandles
  leading zeros in the end-of-block code.  [bug introduced in gzip-1.6]

  When converting from system-dependent time_t format to the 32-bit
  unsigned MTIME format used in gzip files, if a timestamp does not
  fit gzip now substitutes zero instead of the timestamp's low-order
  32 bits, as per Internet RFC 1952.  When converting from MTIME to
  time_t format, if a timestamp does not fit gzip now warns and
  substitutes the nearest in-range value instead of crashing or
  silently substituting an implementation-defined value (typically,
  the timestamp's low-order bits).  This affects timestamps before
  1970 and after 2106, and timestamps after 2038 on platforms with
  32-bit signed time_t.  [bug present since the beginning]

  Commands implemented via shell scripts are now more consistent about
  failure status.  For example, 'gunzip --help >/dev/full' now
  consistently exits with status 1 (error), instead of with status 2
  (warning) on some platforms.  [bug present since the beginning]

  Support for VMS and Amiga has been removed.  It was not working anyway,
  and it reportedly caused file name glitches on MS-Windowsish platforms."

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agomdns-repeater: New package
Michael Tremer [Tue, 9 Jan 2018 14:03:39 +0000 (14:03 +0000)] 
mdns-repeater: New package

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agomake.sh: Show correct architecture when in chroot
Michael Tremer [Mon, 8 Jan 2018 21:47:14 +0000 (21:47 +0000)] 
make.sh: Show correct architecture when in chroot

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agocore118: Ship update accelerator downloader
Michael Tremer [Sun, 7 Jan 2018 19:51:07 +0000 (19:51 +0000)] 
core118: Ship update accelerator downloader

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoFix bug 11567 updxlrator: don't prematurely release lock file
Justin Luth [Sat, 30 Dec 2017 06:25:50 +0000 (09:25 +0300)] 
Fix bug 11567 updxlrator: don't prematurely release lock file

With Microsoft's new style of downloading updates,
where portions of a patch are requested multiple times per second,
it has become extremely common for downloads to reach > 100%.
Due to an early unlinking of the "lock" file, there is a big window of
opportunity (between the unlink and wget actually saving some data)
for multiple download/wget threads to start, adding to the same file.
So not only is bandwidth wasted by duplicate downloads running
simultaneously, but the resulting file is corrupt anyway.

The problem is noticed more often by low bandwidth users
(who need the benefits of updxlrator the most)
because then wget's latency is even longer, creating
a very wide window of opportunity.

Ultimately, this needs something like "flock", where the
file is set and tested in one operation. But for now,
settle with the current test / create lock solution, and
just stop unnecessarily releasing the lock.

Since the file already exists as a lock when wget starts,
wget now must ALWAYS run with --continue, which
works fine on a zero-sized file.

Signed-off-by: Justin Luth <jluth@mail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoupdxlrator: show hostaddr in debuglog
Justin Luth [Sat, 30 Dec 2017 05:48:37 +0000 (08:48 +0300)] 
updxlrator: show hostaddr in debuglog

There is nowhere in the debuglog any indication of
which client is requesting the file that updxlrator
is providing (or caching). Especially for those
huge Windows 10 downloads, it is valuable to
see which client is requesting them, especially
when the same client requests the same download
multiple times a second.

This only impacts users who turn on debugging.

Signed-off-by: Justin Luth <jluth@mail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoFix bug 11558 updxlrator: use mirror mode for SHA1, filenames
Justin Luth [Sat, 30 Dec 2017 19:12:01 +0000 (22:12 +0300)] 
Fix bug 11558 updxlrator: use mirror mode for SHA1, filenames

Most Microsoft updates now contain an SHA1 hash in the filename.
Since these files are uniquely identifiable, use mirror mode
(which creates a hash of just the filename instead of the entire URL)
to cache them. (But first check the URL cache to see if it
has been downloaded as a URL already.)

This is a HUGELY needed fix. Windows 10 updates are 5+ GB
per month, and we lose several days of bandwidth downloading
duplicates from different mirrors. Sometimes a single client
will request the same patch from multiple mirrors. That's bad.
This patch will save a ton of bandwidth, and lots of disk space.

The patch limits the SHA1 test to microsoft only, but it
could be easily expanded to other vendors if there is a need.

Signed-off-by: Justin Luth <jluth@mail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agocore118: Ship updated update accelerator
Michael Tremer [Sun, 7 Jan 2018 19:28:28 +0000 (19:28 +0000)] 
core118: Ship updated update accelerator

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoFix bug 10504: match download's sourceurl mangling in, updxlrator
Justin Luth [Fri, 29 Dec 2017 14:12:27 +0000 (17:12 +0300)] 
Fix bug 10504: match download's sourceurl mangling in, updxlrator

Updatexlrator stores its files in a hash of the URL.

The download utility mangles the URL for [+/~], but
the updxlrator only does it for [/]. Thus, download
stores the result as one hash, and updxlrator looks for it
with a different hash. The result is that the file is
re-downloaded every time by both the client, and updxlrator.

This is fixed by making updxlrator mangle the url in the
same way as the downloader. apt-get install g++ would
be a good test for this.

Signed-off-by: Justin Luth  <jluth@mail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agocore118: Ship updated ids.cgi
Michael Tremer [Sun, 7 Jan 2018 19:22:27 +0000 (19:22 +0000)] 
core118: Ship updated ids.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agosnort 2.9.11.1: 'ids.cgi' - Update for snort rules download url
Matthias Fischer [Sat, 6 Jan 2018 08:18:39 +0000 (09:18 +0100)] 
snort 2.9.11.1: 'ids.cgi' - Update for snort rules download url

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agocore118: Ship updated snort
Michael Tremer [Sun, 7 Jan 2018 19:21:35 +0000 (19:21 +0000)] 
core118: Ship updated snort

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agosnort: Update to 2.9.11.1
Matthias Fischer [Fri, 5 Jan 2018 17:28:00 +0000 (18:28 +0100)] 
snort: Update to 2.9.11.1

For details see:

Release notes:
https://snort.org/downloads/snort/release_notes_2.9.11.1.txt

Changelog:
https://snort.org/downloads/snort/changelog_2.9.11.1.txt

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agocore118: Ship updated fireinfo.cgi
Michael Tremer [Sun, 7 Jan 2018 19:19:12 +0000 (19:19 +0000)] 
core118: Ship updated fireinfo.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agouse HTTPS for links to fireinfo.ipfire.org
Peter Müller [Sun, 7 Jan 2018 10:01:36 +0000 (11:01 +0100)] 
use HTTPS for links to fireinfo.ipfire.org

Since fireinfo.ipfire.org is now supporting HTTPS, the
links in the WebUI should point to the secure version of the site.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoship updated showrequestfromcountry.cgi file
Peter Müller [Sun, 7 Jan 2018 12:55:05 +0000 (13:55 +0100)] 
ship updated showrequestfromcountry.cgi file

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agofix GeoIP lookup in showrequestfromcountry.dat
Peter Müller [Sun, 7 Jan 2018 12:52:11 +0000 (13:52 +0100)] 
fix GeoIP lookup in showrequestfromcountry.dat

This issue was caused by the rewrite of the perl GeoIP
library.

Fixes #11571.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Tested-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoUpdate rootfiles
Michael Tremer [Fri, 5 Jan 2018 18:04:47 +0000 (18:04 +0000)] 
Update rootfiles

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agocore118: Drop PHP files in updater
Michael Tremer [Fri, 5 Jan 2018 13:45:37 +0000 (13:45 +0000)] 
core118: Drop PHP files in updater

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agocore118: Restart apache to drop PHP module
Michael Tremer [Fri, 5 Jan 2018 13:41:32 +0000 (13:41 +0000)] 
core118: Restart apache to drop PHP module

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoDrop PHP
Michael Tremer [Fri, 5 Jan 2018 13:37:25 +0000 (13:37 +0000)] 
Drop PHP

This is no longer needed and in the telephone conference
on Dec 4th, it was decided to drop it.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoDrop owncloud
Michael Tremer [Fri, 5 Jan 2018 13:28:59 +0000 (13:28 +0000)] 
Drop owncloud

We are going to remove PHP and owncloud requires it

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoDrop mediatomb
Michael Tremer [Fri, 5 Jan 2018 13:26:33 +0000 (13:26 +0000)] 
Drop mediatomb

This didn't build and run in ages and has been removed from
the repositories quite a while ago.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoDrop openmailadmin config (forgot this last time)
Michael Tremer [Fri, 5 Jan 2018 13:24:21 +0000 (13:24 +0000)] 
Drop openmailadmin config (forgot this last time)

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoRootfiles update
Michael Tremer [Fri, 5 Jan 2018 13:18:50 +0000 (13:18 +0000)] 
Rootfiles update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agomake.sh: lowering parallel buildprocesses
Arne Fitzenreiter [Mon, 18 Dec 2017 15:48:13 +0000 (16:48 +0100)] 
make.sh: lowering parallel buildprocesses

higher values raise the system load but not speedup the build

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 years agoDrop tunctl
Michael Tremer [Sat, 16 Dec 2017 12:39:31 +0000 (12:39 +0000)] 
Drop tunctl

We don't use this at all

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoDrop phpSANE
Michael Tremer [Sat, 16 Dec 2017 12:38:01 +0000 (12:38 +0000)] 
Drop phpSANE

The upstream project is dead.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoDrop cacti
Michael Tremer [Sat, 16 Dec 2017 12:35:12 +0000 (12:35 +0000)] 
Drop cacti

This package was discontinued upstream and seems to be
a bit more lively again. However, nobody of the team
wants to maintain cacti. Therefore this is being dropped
for now.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoDrop openmailadmin package
Michael Tremer [Sat, 16 Dec 2017 12:33:05 +0000 (12:33 +0000)] 
Drop openmailadmin package

This is EOL upstream for over ten years now and therefore
we cannot continue to support this either.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoDrop nagios
Michael Tremer [Sat, 16 Dec 2017 12:31:47 +0000 (12:31 +0000)] 
Drop nagios

This is no longer maintained and icinga is available.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agonagios nrpe: Depend on nagios-plugins package instead of main nagios package
Michael Tremer [Sat, 16 Dec 2017 12:29:43 +0000 (12:29 +0000)] 
nagios nrpe: Depend on nagios-plugins package instead of main nagios package

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoDecouple nagios-plugins from icinga
Michael Tremer [Sat, 16 Dec 2017 12:29:06 +0000 (12:29 +0000)] 
Decouple nagios-plugins from icinga

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agocore118: Reload apache to make configuration changes take effect
Michael Tremer [Sat, 16 Dec 2017 12:18:45 +0000 (12:18 +0000)] 
core118: Reload apache to make configuration changes take effect

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoprevent loading resources from external sites
Peter Müller [Sun, 3 Dec 2017 19:34:02 +0000 (20:34 +0100)] 
prevent loading resources from external sites

Make Apache transmit a CSP (Content Security Policy) header
for WebUI and Captive Portal contents.

This prevents some XSS and content injection attacks, especially
in case no transport encryption (Captive Portal!) can be used.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agocore118: Add changed apache configuration
Michael Tremer [Sat, 16 Dec 2017 12:16:54 +0000 (12:16 +0000)] 
core118: Add changed apache configuration

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoprevent IE from interpreting HTML MIME type
Peter Müller [Sun, 3 Dec 2017 17:10:47 +0000 (18:10 +0100)] 
prevent IE from interpreting HTML MIME type

Add X-Content-Type-Options header to prevent Internet Explorer
from interpreting the MIME type of a server answer on its own,
which could lead to security risks.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoDrop nagiosql
Michael Tremer [Thu, 14 Dec 2017 17:48:24 +0000 (17:48 +0000)] 
Drop nagiosql

This is no longer maintained any more and therefore being dropped

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agomark 3DES and 1024 bit DH params as weak
Peter Müller [Sun, 10 Dec 2017 10:17:16 +0000 (11:17 +0100)] 
mark 3DES and 1024 bit DH params as weak

These are not considered secure anymore but are unfortunately
still needed in some cases (legacy hardware, ...).

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agofireinfo: Update to 2.1.12
Michael Tremer [Thu, 14 Dec 2017 17:44:20 +0000 (17:44 +0000)] 
fireinfo: Update to 2.1.12

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agocore118: Ship updated language files
Michael Tremer [Thu, 14 Dec 2017 16:47:01 +0000 (16:47 +0000)] 
core118: Ship updated language files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoupdate german translations
Peter Müller [Sun, 10 Dec 2017 10:09:35 +0000 (11:09 +0100)] 
update german translations

Correct some grammar errors and unify spelling of interface names (GREEN vs. GRÜN).

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agocore118: Ship updated openssh
Michael Tremer [Thu, 14 Dec 2017 16:44:44 +0000 (16:44 +0000)] 
core118: Ship updated openssh

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoopenssh: update to 7.6p1
Peter Müller [Tue, 5 Dec 2017 13:48:01 +0000 (14:48 +0100)] 
openssh: update to 7.6p1

Signed-off-by: Marcel Lorenz <marcel.lorenz@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoupdate tor to 0.3.1.9
Peter Müller [Fri, 8 Dec 2017 14:44:02 +0000 (15:44 +0100)] 
update tor to 0.3.1.9

Release Notes: https://gitweb.torproject.org/tor.git/plain/ReleaseNotes?id=tor-0.3.1.9

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoStart Core Update 118
Michael Tremer [Thu, 14 Dec 2017 15:55:27 +0000 (15:55 +0000)] 
Start Core Update 118

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years agoMerge branch 'next' core117 v2.19-core117
Arne Fitzenreiter [Tue, 12 Dec 2017 20:36:55 +0000 (21:36 +0100)] 
Merge branch 'next'

3 years agofinish core117
Arne Fitzenreiter [Tue, 12 Dec 2017 20:36:25 +0000 (21:36 +0100)] 
finish core117

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 years agoMerge remote-tracking branch 'origin/next'
Arne Fitzenreiter [Tue, 12 Dec 2017 20:33:10 +0000 (21:33 +0100)] 
Merge remote-tracking branch 'origin/next'

3 years agopakfire: Properly check if we have our key with our fingerprint
Michael Tremer [Tue, 12 Dec 2017 19:40:01 +0000 (19:40 +0000)] 
pakfire: Properly check if we have our key with our fingerprint

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>