ipfire-2.x.git
6 years agoMerge remote-tracking branch 'amarx/BUG10797' into next
Michael Tremer [Mon, 13 Apr 2015 09:28:57 +0000 (11:28 +0200)] 
Merge remote-tracking branch 'amarx/BUG10797' into next

6 years agoBUG10797: Fix addontable in services.cgi when using squid-accounting addon
Alexander Marx [Mon, 13 Apr 2015 06:36:00 +0000 (08:36 +0200)] 
BUG10797: Fix addontable in services.cgi when using squid-accounting addon

When squid-accounting addon is installed, it shows up under services.cgi
as "squid" service which is wrong.

6 years agoMerge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
Stefan Schantl [Sun, 12 Apr 2015 21:23:40 +0000 (23:23 +0200)] 
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

6 years agoovpnmain.cgi: Fix layout of CA related elements.
Stefan Schantl [Sun, 12 Apr 2015 21:18:11 +0000 (23:18 +0200)] 
ovpnmain.cgi: Fix layout of CA related elements.

Those elements where displayed out of the main box in the past.

6 years agoMerge remote-tracking branch 'origin/master' into next
Arne Fitzenreiter [Sun, 12 Apr 2015 20:53:06 +0000 (22:53 +0200)] 
Merge remote-tracking branch 'origin/master' into next

6 years agocollectd: Ignore errors from OpenVPN configuration file
Michael Tremer [Sun, 12 Apr 2015 20:44:50 +0000 (22:44 +0200)] 
collectd: Ignore errors from OpenVPN configuration file

6 years agoovpnmain.cgi: Remove DDEVICE setting
Michael Tremer [Sun, 12 Apr 2015 20:33:41 +0000 (22:33 +0200)] 
ovpnmain.cgi: Remove DDEVICE setting

This was used to select a TUN or TAP device from which TAP
was never supported anyway.

6 years agocore89: Fix permissions of collectd.vpn after update
Michael Tremer [Sun, 12 Apr 2015 20:33:16 +0000 (22:33 +0200)] 
core89: Fix permissions of collectd.vpn after update

6 years agocore89: Do not add collectd include multiple times
Michael Tremer [Sun, 12 Apr 2015 20:28:42 +0000 (22:28 +0200)] 
core89: Do not add collectd include multiple times

6 years agohostapd: remove MADWIFI from initskript
Arne Fitzenreiter [Sat, 11 Apr 2015 20:23:31 +0000 (22:23 +0200)] 
hostapd: remove MADWIFI from initskript

6 years agowlansp.cgi: remove MADWIFI functions.
Arne Fitzenreiter [Sat, 11 Apr 2015 20:18:26 +0000 (22:18 +0200)] 
wlansp.cgi: remove MADWIFI functions.

6 years agowlanap.cgi: hide "no IR" channels
Arne Fitzenreiter [Sat, 11 Apr 2015 20:09:18 +0000 (22:09 +0200)] 
wlanap.cgi: hide "no IR" channels

6 years agohostapd: update to 2.4
Arne Fitzenreiter [Sat, 11 Apr 2015 20:03:03 +0000 (22:03 +0200)] 
hostapd: update to 2.4

6 years agowpa_supplicant: update to 2.4
Arne Fitzenreiter [Sat, 11 Apr 2015 20:02:33 +0000 (22:02 +0200)] 
wpa_supplicant: update to 2.4

6 years agoMerge branch 'master' into next
Arne Fitzenreiter [Sat, 11 Apr 2015 19:58:09 +0000 (21:58 +0200)] 
Merge branch 'master' into next

Conflicts:
lfs/monit

6 years agovpn-statistic: fix removal of rw rrd-data
Alexander Marx [Sat, 11 Apr 2015 05:12:32 +0000 (07:12 +0200)] 
vpn-statistic: fix removal of rw rrd-data

Due to a missing slash the rrd data of a deleted rrd-connection was not
deleted

6 years agovpn-statistic: move collectd converter to the right place
Alexander Marx [Sat, 11 Apr 2015 03:34:34 +0000 (05:34 +0200)] 
vpn-statistic: move collectd converter to the right place

Build of cdrom will fail if the converter script is not moved to the
right place

6 years agovpn-statistic: fix alignment of graph legend for n2n graphs
Alexander Marx [Fri, 10 Apr 2015 13:47:10 +0000 (15:47 +0200)] 
vpn-statistic: fix alignment of graph legend for n2n graphs

6 years agopound: Decrease the size of the DH key to 1024 bits
Michael Tremer [Fri, 10 Apr 2015 11:48:47 +0000 (13:48 +0200)] 
pound: Decrease the size of the DH key to 1024 bits

Generating a 2048 bit key takes way too long to be feasible
at build time.

6 years agoopenvpn: Stop N2N connections before they are removed
Michael Tremer [Fri, 10 Apr 2015 11:32:48 +0000 (13:32 +0200)] 
openvpn: Stop N2N connections before they are removed

6 years agoopenvpn: Move remving files in /var/run to openvpnctrl
Michael Tremer [Fri, 10 Apr 2015 11:27:32 +0000 (13:27 +0200)] 
openvpn: Move remving files in /var/run to openvpnctrl

6 years agocore89: Update OpenVPN configuration during the update
Alexander Marx [Fri, 10 Apr 2015 11:16:33 +0000 (13:16 +0200)] 
core89: Update OpenVPN configuration during the update

6 years agoovpnmain.cgi: Remove duplicate code to remove a connection
Alexander Marx [Fri, 10 Apr 2015 11:13:02 +0000 (13:13 +0200)] 
ovpnmain.cgi: Remove duplicate code to remove a connection

6 years agoovpnmain.cgi: Fix indentation and code cleanup
Alexander Marx [Fri, 10 Apr 2015 11:12:14 +0000 (13:12 +0200)] 
ovpnmain.cgi: Fix indentation and code cleanup

No functional change

6 years agosetup: Has been moved to /usr/sbin
Michael Tremer [Thu, 9 Apr 2015 15:56:47 +0000 (17:56 +0200)] 
setup: Has been moved to /usr/sbin

The setup program has been moved from /usr/local/sbin/setup
to /usr/sbin/setup to comply better with FHS. The old copy
was left in the file system on updated systems and was
preferred when called from the shell which is not intended.

The old file is now removed and to make sure every system
has got the new file it is shipped once again.

6 years agovpn-statistic: change title of ovpn n2n site
Alexander Marx [Wed, 8 Apr 2015 17:53:17 +0000 (19:53 +0200)] 
vpn-statistic: change title of ovpn n2n site

additionally print errormessages to /dev/null when no rrd data is found

6 years agoopenvpn: Remove stat files when connections are removed
Michael Tremer [Thu, 9 Apr 2015 15:18:44 +0000 (17:18 +0200)] 
openvpn: Remove stat files when connections are removed

6 years agoopenvpn: Remove RRDs when removing all connections at once
Michael Tremer [Thu, 9 Apr 2015 15:11:16 +0000 (17:11 +0200)] 
openvpn: Remove RRDs when removing all connections at once

6 years agoopenvpn: Update collectd configuration when connections are started/stopped
Alexander Marx [Thu, 9 Apr 2015 14:44:07 +0000 (16:44 +0200)] 
openvpn: Update collectd configuration when connections are started/stopped

6 years agoopenvpn: Properly remove all RRDs after a connection is removed
Michael Tremer [Thu, 9 Apr 2015 14:32:39 +0000 (16:32 +0200)] 
openvpn: Properly remove all RRDs after a connection is removed

6 years agoMerge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
Michael Tremer [Thu, 9 Apr 2015 13:36:45 +0000 (15:36 +0200)] 
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

6 years agostrongswan: Rootfile update
Michael Tremer [Thu, 9 Apr 2015 13:36:27 +0000 (15:36 +0200)] 
strongswan: Rootfile update

6 years agobackports: rt2x00 supress more queue warnings
Arne Fitzenreiter [Thu, 9 Apr 2015 13:34:14 +0000 (15:34 +0200)] 
backports: rt2x00 supress more queue warnings

6 years agohostapd: increase EAPOL timeouts
Arne Fitzenreiter [Thu, 9 Apr 2015 13:32:42 +0000 (15:32 +0200)] 
hostapd: increase EAPOL timeouts

Android clients need more time because sleep modes and low wlan interrupt priority.

6 years agostrongswan: rootfile update
Arne Fitzenreiter [Thu, 9 Apr 2015 13:29:25 +0000 (15:29 +0200)] 
strongswan: rootfile update

6 years agovpn-statistic: move collectd.vpn to /var/ipfire/ovpn/
Alexander Marx [Wed, 8 Apr 2015 17:20:13 +0000 (19:20 +0200)] 
vpn-statistic: move collectd.vpn to /var/ipfire/ovpn/

collectd.vpn needs to be within /var/ipfire/ovpn so that the
ovpnmain.cgi is able to write the status files from the n2n connections
to the file.

6 years agovpn-statistic: create collectd wrapper to restart collectd when first vpn was created
Alexander Marx [Tue, 7 Apr 2015 13:35:31 +0000 (15:35 +0200)] 
vpn-statistic: create collectd wrapper to restart collectd when first vpn was created

This wrapper is only used, when the first openvpn RW is created. Then
the collectd has to be restarted to get the vpn Data and create rrd Data

6 years agovpn-statistic: change title of ovpn RW statistic page
Alexander Marx [Wed, 8 Apr 2015 17:50:56 +0000 (19:50 +0200)] 
vpn-statistic: change title of ovpn RW statistic page

additionally print errors to /dev/null if no rrd data is found

6 years agovpn-statistic: added title for graph sites
Alexander Marx [Wed, 8 Apr 2015 17:47:51 +0000 (19:47 +0200)] 
vpn-statistic: added title for graph sites

6 years agoBUG10790: create dummy ovpnserver.log in /var/run
Alexander Marx [Tue, 7 Apr 2015 13:22:46 +0000 (15:22 +0200)] 
BUG10790: create dummy ovpnserver.log in /var/run

6 years agodnsmasq: fix initskript
Arne Fitzenreiter [Tue, 31 Mar 2015 08:09:46 +0000 (10:09 +0200)] 
dnsmasq: fix initskript

-add timestamp filename
-pull user config after define default parameter

6 years agohaproxy: Provide a better example configuration that works
Michael Tremer [Sat, 4 Apr 2015 12:38:38 +0000 (14:38 +0200)] 
haproxy: Provide a better example configuration that works

6 years agodnsmasq: Import latest patches from upstream
Michael Tremer [Sat, 4 Apr 2015 13:23:17 +0000 (15:23 +0200)] 
dnsmasq: Import latest patches from upstream

6 years agocollectd: Fix typo in "derive"
Michael Tremer [Thu, 9 Apr 2015 12:33:54 +0000 (14:33 +0200)] 
collectd: Fix typo in "derive"

6 years agoMerge remote-tracking branch 'earl/tor' into next
Michael Tremer [Wed, 8 Apr 2015 20:47:32 +0000 (22:47 +0200)] 
Merge remote-tracking branch 'earl/tor' into next

6 years agotor: update to 0.2.5.12
Jan Paul Tuecking [Wed, 8 Apr 2015 05:45:16 +0000 (07:45 +0200)] 
tor: update to 0.2.5.12

6 years agocore89: Add openvpnctrl to updater
Michael Tremer [Tue, 7 Apr 2015 18:52:34 +0000 (20:52 +0200)] 
core89: Add openvpnctrl to updater

6 years agoMerge remote-tracking branch 'earl/tor' into next
Michael Tremer [Sun, 5 Apr 2015 10:38:51 +0000 (12:38 +0200)] 
Merge remote-tracking branch 'earl/tor' into next

6 years agodnsmasq: Import latest patches from upstream
Michael Tremer [Sat, 4 Apr 2015 13:23:17 +0000 (15:23 +0200)] 
dnsmasq: Import latest patches from upstream

6 years agohaproxy: Provide a better example configuration that works
Michael Tremer [Sat, 4 Apr 2015 12:38:38 +0000 (14:38 +0200)] 
haproxy: Provide a better example configuration that works

6 years agomont addon: added missing dir /var/lib/monit to distribution
Dirk Wagner [Sun, 22 Mar 2015 21:33:30 +0000 (22:33 +0100)] 
mont addon: added missing dir /var/lib/monit to distribution

Conflicts:
lfs/monit

6 years agoMerge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
Michael Tremer [Sat, 4 Apr 2015 12:17:12 +0000 (14:17 +0200)] 
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

6 years agoMerge remote-tracking branch 'glotzi/monit' into next
Michael Tremer [Sat, 4 Apr 2015 12:14:19 +0000 (14:14 +0200)] 
Merge remote-tracking branch 'glotzi/monit' into next

6 years agoMerge remote-tracking branch 'glotzi/asterisk-update' into next
Michael Tremer [Sat, 4 Apr 2015 12:12:53 +0000 (14:12 +0200)] 
Merge remote-tracking branch 'glotzi/asterisk-update' into next

6 years agonfs-server: Drop kernel version check from initscript.
Stefan Schantl [Sat, 4 Apr 2015 11:59:11 +0000 (13:59 +0200)] 
nfs-server: Drop kernel version check from initscript.

As suggested on the bugtracker, the kernel version check completely has been
removed.

Fixes #10760.

6 years agoUpdate translations
Michael Tremer [Sat, 4 Apr 2015 11:17:34 +0000 (13:17 +0200)] 
Update translations

6 years agoMerge branch 'nfs-server-fix' into next
Stefan Schantl [Fri, 3 Apr 2015 17:19:34 +0000 (19:19 +0200)] 
Merge branch 'nfs-server-fix' into next

6 years agonfs-server: Fix kernel version check in initscript.
Stefan Schantl [Fri, 3 Apr 2015 16:59:12 +0000 (18:59 +0200)] 
nfs-server: Fix kernel version check in initscript.

nfsd requires a mounted nfsd filesystem which has been introduced in
the kernel 2.6 tree. To determine the current running kernel, a check
was included in the initscript which works fine until we switched to a kernel
version 3.x.

This commit fixes this check, so the nfs-server will startup again.

Fixes #10760.

6 years agotor: update to 0.2.5.11
Jan Paul Tuecking [Fri, 3 Apr 2015 01:05:24 +0000 (03:05 +0200)] 
tor: update to 0.2.5.11

6 years agodnsmasq: fix initskript
Arne Fitzenreiter [Tue, 31 Mar 2015 08:09:46 +0000 (10:09 +0200)] 
dnsmasq: fix initskript

-add timestamp filename
-pull user config after define default parameter

6 years agoMerge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
Michael Tremer [Mon, 30 Mar 2015 22:59:59 +0000 (00:59 +0200)] 
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

6 years agostrongswan: Update to 5.3.0
Michael Tremer [Mon, 30 Mar 2015 22:55:21 +0000 (00:55 +0200)] 
strongswan: Update to 5.3.0

Enable support for CCM and CTR

6 years agoMerge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
Michael Tremer [Mon, 30 Mar 2015 22:55:47 +0000 (00:55 +0200)] 
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

6 years agostrongswan: Update to 5.3.0
Michael Tremer [Mon, 30 Mar 2015 22:55:21 +0000 (00:55 +0200)] 
strongswan: Update to 5.3.0

Enable support for CCM and CTR

6 years agorootfile update: apache2 cyrus-sasl logrotate
Arne Fitzenreiter [Mon, 30 Mar 2015 18:30:03 +0000 (20:30 +0200)] 
rootfile update: apache2 cyrus-sasl logrotate

6 years agoinstaller: add option to disable grafic mode for grub.
Arne Fitzenreiter [Mon, 30 Mar 2015 11:11:40 +0000 (13:11 +0200)] 
installer: add option to disable grafic mode for grub.

add novga to kernel commandline for the installer to add
GFXMODE="none" to /etc/default/grub.

6 years agokernel: backports: rt2800usb: suppress more queue warnings
Arne Fitzenreiter [Sun, 29 Mar 2015 20:43:56 +0000 (22:43 +0200)] 
kernel: backports: rt2800usb: suppress more queue warnings

6 years agokernel: fix hyperv net driver for legacy hyperv 2008.
Arne Fitzenreiter [Sun, 29 Mar 2015 17:46:14 +0000 (19:46 +0200)] 
kernel: fix hyperv net driver for legacy hyperv 2008.

6 years agokernel: disable igb vendor modul build
Arne Fitzenreiter [Sun, 29 Mar 2015 17:38:12 +0000 (19:38 +0200)] 
kernel: disable igb vendor modul build

the igb that is included to driver backports seems to be better.

6 years agoMerge remote-tracking branch 'origin/next' into kernel-test
Arne Fitzenreiter [Sun, 29 Mar 2015 17:33:04 +0000 (19:33 +0200)] 
Merge remote-tracking branch 'origin/next' into kernel-test

Conflicts:
lfs/openssl-compat

6 years agokernel: update to 3.14.37
Arne Fitzenreiter [Sun, 29 Mar 2015 17:29:55 +0000 (19:29 +0200)] 
kernel: update to 3.14.37

6 years agotar: fix toolchain build
Arne Fitzenreiter [Sun, 29 Mar 2015 11:35:16 +0000 (13:35 +0200)] 
tar: fix toolchain build

6 years agoAllow flash-images to compile on Ubuntu: delay to allow automount/dismount
Justin Luth [Sat, 28 Mar 2015 09:39:47 +0000 (12:39 +0300)] 
Allow flash-images to compile on Ubuntu: delay to allow automount/dismount

6 years agomont addon: added missing dir /var/lib/monit to distribution
Dirk Wagner [Sun, 22 Mar 2015 21:33:30 +0000 (22:33 +0100)] 
mont addon: added missing dir /var/lib/monit to distribution

6 years agoMerge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into monit
Dirk Wagner [Sun, 22 Mar 2015 17:39:26 +0000 (18:39 +0100)] 
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into monit

6 years agoddns.cgi: Drop code for proto handling.
Stefan Schantl [Fri, 20 Mar 2015 17:53:44 +0000 (18:53 +0100)] 
ddns.cgi: Drop code for proto handling.

6 years agoset version to IPFire-2.17 core89
Arne Fitzenreiter [Fri, 20 Mar 2015 10:20:45 +0000 (11:20 +0100)] 
set version to IPFire-2.17 core89

6 years agoopenssl: Fix soname version of build
Arne Fitzenreiter [Thu, 19 Mar 2015 18:16:33 +0000 (19:16 +0100)] 
openssl: Fix soname version of build

6 years agoMerge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
Arne Fitzenreiter [Thu, 19 Mar 2015 18:19:32 +0000 (19:19 +0100)] 
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

6 years agocyrus-sasl: Update to version 2.1.26
Arne Fitzenreiter [Thu, 19 Mar 2015 18:18:49 +0000 (19:18 +0100)] 
cyrus-sasl: Update to version 2.1.26

6 years agoapache2: Update to version 2.2.29
Arne Fitzenreiter [Thu, 19 Mar 2015 18:18:23 +0000 (19:18 +0100)] 
apache2: Update to version 2.2.29

6 years agoopenssl: Rebase "disable SSLv2, SSLv3" patch
Michael Tremer [Thu, 19 Mar 2015 15:04:35 +0000 (16:04 +0100)] 
openssl: Rebase "disable SSLv2, SSLv3" patch

6 years agoopenssl: Remove "fix parallel build" patch
Michael Tremer [Thu, 19 Mar 2015 15:03:58 +0000 (16:03 +0100)] 
openssl: Remove "fix parallel build" patch

6 years agoopenssl: Update weak-ciphers and build patches
Michael Tremer [Thu, 19 Mar 2015 14:54:43 +0000 (15:54 +0100)] 
openssl: Update weak-ciphers and build patches

6 years agoopenssl: Remove support for cryptodev
Michael Tremer [Thu, 19 Mar 2015 14:47:13 +0000 (15:47 +0100)] 
openssl: Remove support for cryptodev

The patches won't apply any more and there does not seem
support from upstream for the latest versions of OpenSSL

6 years agoopenssl: Update to version 1.0.1m and 0.9.8zf
Michael Tremer [Thu, 19 Mar 2015 14:13:07 +0000 (15:13 +0100)] 
openssl: Update to version 1.0.1m and 0.9.8zf

http://openssl.org/news/secadv_20150319.txt

OpenSSL Security Advisory [19 Mar 2015]
=======================================

OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)
=====================================================

Severity: High

If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
invalid signature algorithms extension a NULL pointer dereference will occur.
This can be exploited in a DoS attack against the server.

This issue affects OpenSSL version: 1.0.2

OpenSSL 1.0.2 users should upgrade to 1.0.2a.

This issue was was reported to OpenSSL on 26th February 2015 by David Ramos
of Stanford University. The fix was developed by Stephen Henson and Matt
Caswell of the OpenSSL development team.

Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
============================================================================

Severity: High

This security issue was previously announced by the OpenSSL project and
classified as "low" severity. This severity rating has now been changed to
"high".

This was classified low because it was originally thought that server RSA
export ciphersuite support was rare: a client was only vulnerable to a MITM
attack against a server which supports an RSA export ciphersuite. Recent
studies have shown that RSA export ciphersuites support is far more common.

This issue affects OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.

This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan
Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen
Henson of the OpenSSL core team. It was previously announced in the OpenSSL
security advisory on 8th January 2015.

Multiblock corrupted pointer (CVE-2015-0290)
============================================

Severity: Moderate

OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This feature
only applies on 64 bit x86 architecture platforms that support AES NI
instructions. A defect in the implementation of "multiblock" can cause OpenSSL's
internal write buffer to become incorrectly set to NULL when using non-blocking
IO. Typically, when the user application is using a socket BIO for writing, this
will only result in a failed connection. However if some other BIO is used then
it is likely that a segmentation fault will be triggered, thus enabling a
potential DoS attack.

This issue affects OpenSSL version: 1.0.2

OpenSSL 1.0.2 users should upgrade to 1.0.2a.

This issue was reported to OpenSSL on 13th February 2015 by Daniel Danner and
Rainer Mueller. The fix was developed by Matt Caswell of the OpenSSL development
team.

Segmentation fault in DTLSv1_listen (CVE-2015-0207)
===================================================

Severity: Moderate

The DTLSv1_listen function is intended to be stateless and processes the initial
ClientHello from many peers. It is common for user code to loop over the call to
DTLSv1_listen until a valid ClientHello is received with an associated cookie. A
defect in the implementation of DTLSv1_listen means that state is preserved in
the SSL object from one invocation to the next that can lead to a segmentation
fault. Errors processing the initial ClientHello can trigger this scenario. An
example of such an error could be that a DTLS1.0 only client is attempting to
connect to a DTLS1.2 only server.

This issue affects OpenSSL version: 1.0.2

OpenSSL 1.0.2 DTLS users should upgrade to 1.0.2a.

This issue was reported to OpenSSL on 27th January 2015 by Per Allansson. The
fix was developed by Matt Caswell of the OpenSSL development team.

Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286)
===================================================

Severity: Moderate

The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
certificate signature algorithm consistency this can be used to crash any
certificate verification operation and exploited in a DoS attack. Any
application which performs certificate verification is vulnerable including
OpenSSL clients and servers which enable client authentication.

This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2a
OpenSSL 1.0.1 users should upgrade to 1.0.1m.
OpenSSL 1.0.0 users should upgrade to 1.0.0r.
OpenSSL 0.9.8 users should upgrade to 0.9.8zf.

This issue was discovered and fixed by Stephen Henson of the OpenSSL
development team.

Segmentation fault for invalid PSS parameters (CVE-2015-0208)
=============================================================

Severity: Moderate

The signature verification routines will crash with a NULL pointer
dereference if presented with an ASN.1 signature using the RSA PSS
algorithm and invalid parameters. Since these routines are used to verify
certificate signature algorithms this can be used to crash any
certificate verification operation and exploited in a DoS attack. Any
application which performs certificate verification is vulnerable including
OpenSSL clients and servers which enable client authentication.

This issue affects OpenSSL version: 1.0.2

OpenSSL 1.0.2 users should upgrade to 1.0.2a

This issue was was reported to OpenSSL on 31st January 2015 by Brian Carpenter
and a fix developed by Stephen Henson of the OpenSSL development team.

ASN.1 structure reuse memory corruption (CVE-2015-0287)
=======================================================

Severity: Moderate

Reusing a structure in ASN.1 parsing may allow an attacker to cause
memory corruption via an invalid write. Such reuse is and has been
strongly discouraged and is believed to be rare.

Applications that parse structures containing CHOICE or ANY DEFINED BY
components may be affected. Certificate parsing (d2i_X509 and related
functions) are however not affected. OpenSSL clients and servers are
not affected.

This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0
and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2a
OpenSSL 1.0.1 users should upgrade to 1.0.1m.
OpenSSL 1.0.0 users should upgrade to 1.0.0r.
OpenSSL 0.9.8 users should upgrade to 0.9.8zf.

This issue was discovered by Emilia Käsper and a fix developed by
Stephen Henson of the OpenSSL development team.

PKCS7 NULL pointer dereferences (CVE-2015-0289)
===============================================

Severity: Moderate

The PKCS#7 parsing code does not handle missing outer ContentInfo correctly.
An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
missing content and trigger a NULL pointer dereference on parsing.

Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
otherwise parse PKCS#7 structures from untrusted sources are
affected. OpenSSL clients and servers are not affected.

This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0
and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2a
OpenSSL 1.0.1 users should upgrade to 1.0.1m.
OpenSSL 1.0.0 users should upgrade to 1.0.0r.
OpenSSL 0.9.8 users should upgrade to 0.9.8zf.

This issue was reported to OpenSSL on February 16th 2015 by Michal
Zalewski (Google) and a fix developed by Emilia Käsper of the OpenSSL
development team.

Base64 decode (CVE-2015-0292)
=============================

Severity: Moderate

A vulnerability existed in previous versions of OpenSSL related to the
processing of base64 encoded data. Any code path that reads base64 data from an
untrusted source could be affected (such as the PEM processing routines).
Maliciously crafted base 64 data could trigger a segmenation fault or memory
corruption. This was addressed in previous versions of OpenSSL but has not been
included in any security advisory until now.

This issue affects OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.1 users should upgrade to 1.0.1h.
OpenSSL 1.0.0 users should upgrade to 1.0.0m.
OpenSSL 0.9.8 users should upgrade to 0.9.8za.

The fix for this issue can be identified by commits d0666f289a (1.0.1),
84fe686173 (1.0.0) and 9febee0272 (0.9.8). This issue was originally reported by
Robert Dugal and subsequently by David Ramos.

DoS via reachable assert in SSLv2 servers (CVE-2015-0293)
=========================================================

Severity: Moderate

A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
servers that both support SSLv2 and enable export cipher suites by sending
a specially crafted SSLv2 CLIENT-MASTER-KEY message.

This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0
and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2a
OpenSSL 1.0.1 users should upgrade to 1.0.1m.
OpenSSL 1.0.0 users should upgrade to 1.0.0r.
OpenSSL 0.9.8 users should upgrade to 0.9.8zf.

This issue was discovered by Sean Burford (Google) and Emilia Käsper
(OpenSSL development team) in March 2015 and the fix was developed by
Emilia Käsper.

Empty CKE with client auth and DHE (CVE-2015-1787)
==================================================

Severity: Moderate

If client auth is used then a server can seg fault in the event of a DHE
ciphersuite being selected and a zero length ClientKeyExchange message being
sent by the client. This could be exploited in a DoS attack.

This issue affects OpenSSL version: 1.0.2

OpenSSL 1.0.2 users should upgrade to 1.0.2a.

This issue was discovered and the fix was developed by Matt Caswell of the
OpenSSL development team.

Handshake with unseeded PRNG (CVE-2015-0285)
============================================

Severity: Low

Under certain conditions an OpenSSL 1.0.2 client can complete a handshake with
an unseeded PRNG. The conditions are:
- The client is on a platform where the PRNG has not been seeded automatically,
and the user has not seeded manually
- A protocol specific client method version has been used (i.e. not
SSL_client_methodv23)
- A ciphersuite is used that does not require additional random data from the
PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA).

If the handshake succeeds then the client random that has been used will have
been generated from a PRNG with insufficient entropy and therefore the output
may be predictable.

For example using the following command with an unseeded openssl will succeed on
an unpatched platform:

openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA

This issue affects OpenSSL version: 1.0.2

OpenSSL 1.0.2 users should upgrade to 1.0.2a.

This issue was discovered and the fix was developed by Matt Caswell of the
OpenSSL development team.

Use After Free following d2i_ECPrivatekey error (CVE-2015-0209)
===============================================================

Severity: Low

A malformed EC private key file consumed via the d2i_ECPrivateKey function could
cause a use after free condition. This, in turn, could cause a double
free in several private key parsing functions (such as d2i_PrivateKey
or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
for applications that receive EC private keys from untrusted
sources. This scenario is considered rare.

This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2a
OpenSSL 1.0.1 users should upgrade to 1.0.1m.
OpenSSL 1.0.0 users should upgrade to 1.0.0r.
OpenSSL 0.9.8 users should upgrade to 0.9.8zf.

This issue was discovered by the BoringSSL project and fixed in their commit
517073cd4b. The OpenSSL fix was developed by Matt Caswell of the OpenSSL
development team.

X509_to_X509_REQ NULL pointer deref (CVE-2015-0288)
===================================================

Severity: Low

The function X509_to_X509_REQ will crash with a NULL pointer dereference if
the certificate key is invalid. This function is rarely used in practice.

This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0
and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2a
OpenSSL 1.0.1 users should upgrade to 1.0.1m.
OpenSSL 1.0.0 users should upgrade to 1.0.0r.
OpenSSL 0.9.8 users should upgrade to 0.9.8zf.

This issue was discovered by Brian Carpenter and a fix developed by Stephen
Henson of the OpenSSL development team.

Note
====

As per our previous announcements and our Release Strategy
(https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
releases will be provided after that date. Users of these releases are advised
to upgrade.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv_20150319.txt

Note: the online version of the advisory may be updated with additional
details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/about/secpolicy.html

6 years agomonit addon: update to 5.12.1
Dirk Wagner [Thu, 19 Mar 2015 12:31:05 +0000 (13:31 +0100)] 
monit addon: update to 5.12.1

6 years agoopenssh: Update to version 6.8p1
Michael Tremer [Wed, 18 Mar 2015 14:51:37 +0000 (15:51 +0100)] 
openssh: Update to version 6.8p1

6 years agoopenssh: Update to version 6.8p1
Michael Tremer [Wed, 18 Mar 2015 14:51:37 +0000 (15:51 +0100)] 
openssh: Update to version 6.8p1

6 years agoRemove some left-over files
Michael Tremer [Wed, 18 Mar 2015 14:18:14 +0000 (15:18 +0100)] 
Remove some left-over files

6 years agoMerge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into monit
Dirk Wagner [Wed, 18 Mar 2015 09:46:29 +0000 (10:46 +0100)] 
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into monit

6 years agofireinfo: Forbid string "Serial"
Michael Tremer [Tue, 17 Mar 2015 21:23:13 +0000 (22:23 +0100)] 
fireinfo: Forbid string "Serial"

6 years agoApplied patches for not using md5. Additionally, the root CA is no 4096 bits, host...
Wolfgang Apolinarski [Sat, 14 Mar 2015 14:33:35 +0000 (15:33 +0100)] 
Applied patches for not using md5. Additionally, the root CA is no 4096 bits, host/clients are 2048 bits (both RSA). Openssl is now choosing the random seed automatically, removed the '-rand' parameter.

6 years agoMerge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
Michael Tremer [Tue, 17 Mar 2015 19:42:17 +0000 (20:42 +0100)] 
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

6 years agoMerge branch 'master' into next
Arne Fitzenreiter [Tue, 17 Mar 2015 13:09:05 +0000 (14:09 +0100)] 
Merge branch 'master' into next

6 years agoprepare core88.
Arne Fitzenreiter [Tue, 17 Mar 2015 13:08:13 +0000 (14:08 +0100)] 
prepare core88.

6 years agoMerge branch 'master' into next
Arne Fitzenreiter [Tue, 17 Mar 2015 13:05:56 +0000 (14:05 +0100)] 
Merge branch 'master' into next

6 years agocore89: stop/start ipsec, rewrite ddns config with new cgi.
Arne Fitzenreiter [Tue, 17 Mar 2015 13:03:31 +0000 (14:03 +0100)] 
core89: stop/start ipsec, rewrite ddns config with new cgi.

6 years agocore89: add changed packages to updater.
Arne Fitzenreiter [Tue, 17 Mar 2015 12:56:51 +0000 (13:56 +0100)] 
core89: add changed packages to updater.

6 years agocore89: remove all sqlite meta-data files.
Arne Fitzenreiter [Tue, 17 Mar 2015 12:54:19 +0000 (13:54 +0100)] 
core89: remove all sqlite meta-data files.