ipfire-2.x.git
20 months agostage2: Rootfile update for update-ids-ruleset script
Stefan Schantl [Wed, 26 Sep 2018 12:38:46 +0000 (14:38 +0200)] 
stage2: Rootfile update for update-ids-ruleset script

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
20 months agoIDS: Introduce update-ids-ruleset
Stefan Schantl [Wed, 26 Sep 2018 12:11:31 +0000 (14:11 +0200)] 
IDS: Introduce update-ids-ruleset

This script periodly will be called by fcron
and is responsible for downloading and altering
the ruleset, if autoupdate of the configured ruleset is
enabled.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
20 months agoids-functions.pl: Add backend code to handle the "cron" function of suricatactrl
Stefan Schantl [Wed, 26 Sep 2018 12:09:53 +0000 (14:09 +0200)] 
ids-functions.pl: Add backend code to handle the "cron" function of suricatactrl

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
20 months agosuricatactrl: Add "cron" command
Stefan Schantl [Wed, 26 Sep 2018 11:54:14 +0000 (13:54 +0200)] 
suricatactrl: Add "cron" command

This command allows to enable the automatic update
of the used IDS ruleset and to specify the update interval.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
20 months agoids.cgi: Only write oinkmaster-modify-sids.conf if neccessary.
Stefan Schantl [Wed, 26 Sep 2018 11:02:28 +0000 (13:02 +0200)] 
ids.cgi: Only write oinkmaster-modify-sids.conf if neccessary.

Only write to the file if the runmode of the IDS has been changed.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
20 months agologs.cgi/log.dat: Fix pattern to display oinkmaster related messages
Stefan Schantl [Tue, 11 Sep 2018 10:28:28 +0000 (12:28 +0200)] 
logs.cgi/log.dat: Fix pattern to display oinkmaster related messages

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
20 months agoids.cgi: Set state of used rulefile to on if it contains rules
Stefan Schantl [Tue, 11 Sep 2018 10:00:31 +0000 (12:00 +0200)] 
ids.cgi: Set state of used rulefile to on if it contains rules

Only set the state of a used rulefile to "on" if it is present in
the %idsrules hash. This happens if it contains at least one rule.

This prevents from showing a rulefile in the ruleset section if, it
does not exist anymore or does not contains any rules at all.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
20 months agoids.cgi: Introduce whitelisting of IP-addresses
Stefan Schantl [Tue, 11 Sep 2018 08:21:00 +0000 (10:21 +0200)] 
ids.cgi: Introduce whitelisting of IP-addresses

If an IP-address has been added to the whitelist, any traffic from
this host will not longer inspected by suricata.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
20 months agologs.cgi/ids.dat: Dont display/export empty events.
Stefan Schantl [Thu, 6 Sep 2018 11:28:20 +0000 (13:28 +0200)] 
logs.cgi/ids.dat: Dont display/export empty events.

Check if the current processed event has at least datetime and a title.
Otherwise skip it.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
20 months agologs.cgi/ids.dat: Ease list of reported events
Stefan Schantl [Thu, 6 Sep 2018 11:22:18 +0000 (13:22 +0200)] 
logs.cgi/ids.dat: Ease list of reported events

Just ease the strict layout by adding a simple line break.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
20 months agologs.cgi/ids.dat: Adjust code to show suricata events
Stefan Schantl [Thu, 6 Sep 2018 10:09:34 +0000 (12:09 +0200)] 
logs.cgi/ids.dat: Adjust code to show suricata events

As default show the events generated by suricata and if
for a certain selected date no suricata log is available
try to fall-back to read the events from the old snort
alert files (if available).

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
21 months agoids.cgi: Hide rules config section if no rules a present
Stefan Schantl [Thu, 30 Aug 2018 16:18:26 +0000 (18:18 +0200)] 
ids.cgi: Hide rules config section if no rules a present

Do not show the rules config section anymore if there is not
ruleset available.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
21 months agoEnable threshold file in suricata.yaml
Stefan Schantl [Thu, 30 Aug 2018 13:12:29 +0000 (15:12 +0200)] 
Enable threshold file in suricata.yaml

Enable and specify the path to the threshold-file in the suricata.yaml,
otherwise the programm is trying to read it from a build-in default
location and prints the following error message:

Error opening file: "/etc/suricata//threshold.config": No such file or directory

Fixes #11837.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
21 months agosuricata: Add files to be backuped
Stefan Schantl [Thu, 30 Aug 2018 12:13:37 +0000 (14:13 +0200)] 
suricata: Add files to be backuped

Now all oinkmaster related config files and suricata
related yaml files in "/var/ipfire/suricata/" will be
included into the backups.

Also the entire ruleset is part of the backup, so after a
backup has been restored, the IDS can be used in the same way
as before.

Fixes #11835.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
21 months agosuricata: Rule files are now located in /var/lib/suricata
Stefan Schantl [Wed, 29 Aug 2018 10:34:08 +0000 (12:34 +0200)] 
suricata: Rule files are now located in /var/lib/suricata

Place the rulefiles from now in "/var/lib/suricata".

Fixes #11834

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
21 months agosuricata: Do not ship an example configuration file
Stefan Schantl [Wed, 29 Aug 2018 10:27:12 +0000 (12:27 +0200)] 
suricata: Do not ship an example configuration file

Stop shipping a full example configuration file for suricata.

Fixes #11836.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
21 months agoids.cgi: Create file for used rulefiles on first execution if not present
Stefan Schantl [Wed, 29 Aug 2018 09:50:59 +0000 (11:50 +0200)] 
ids.cgi: Create file for used rulefiles on first execution if not present

Create this file on first execution of the script if it does not exist yet.
This will allow suricata to imediately be started. Otherwise the ruleset has
to be downloaded and configured before this file has been created and suricata
could be launched.

Fixes #11833.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
21 months agoids.cgi: Fix get_memory_usage()
Stefan Schantl [Wed, 29 Aug 2018 08:55:32 +0000 (10:55 +0200)] 
ids.cgi: Fix get_memory_usage()

Change the get_memory_usage() function to grab and return the
memory usage of the entire process, containing all sub-processes and
threads.

Fixes #11821

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
21 months agoids-functions.pl: Early abort downloadruleset() if no ruleset is configured
Stefan Schantl [Mon, 27 Aug 2018 13:11:28 +0000 (15:11 +0200)] 
ids-functions.pl: Early abort downloadruleset() if no ruleset is configured

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
21 months agoids-functions.pl: Also check and fix the permissions of rulespath
Stefan Schantl [Sat, 25 Aug 2018 13:48:58 +0000 (15:48 +0200)] 
ids-functions.pl: Also check and fix the permissions of rulespath

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
21 months agosuricata: Fix rootfile
Stefan Schantl [Sat, 25 Aug 2018 13:22:53 +0000 (15:22 +0200)] 
suricata: Fix rootfile

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
21 months agolfs/suricata: Move classification and reference config to /etc/suricata/rules
Stefan Schantl [Fri, 24 Aug 2018 13:15:09 +0000 (15:15 +0200)] 
lfs/suricata: Move classification and reference config to /etc/suricata/rules

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
21 months agoids-functions.pl: Add priviate function _check_rulesdir_permissions()
Stefan Schantl [Fri, 24 Aug 2018 12:55:40 +0000 (14:55 +0200)] 
ids-functions.pl: Add priviate function _check_rulesdir_permissions()

This function checks if all files located in /etc/suricata/rules are
writable by the effective user and group (nobody:nobody) and if not
calls suricatactl to fix it.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
21 months agosuricatactrl: Add fix-rules-dir command
Stefan Schantl [Fri, 24 Aug 2018 12:54:34 +0000 (14:54 +0200)] 
suricatactrl: Add fix-rules-dir command

This command is used to set the ownership and permissions
back to nobody:nobdoy which is used by the WUI to write the
ruleset.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
21 months agosuricatactrl: Add reload command
Stefan Schantl [Fri, 24 Aug 2018 12:26:24 +0000 (14:26 +0200)] 
suricatactrl: Add reload command

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
21 months agosuricata.yaml: Start moving to IPFire specific configuration
Stefan Schantl [Fri, 24 Aug 2018 09:11:15 +0000 (11:11 +0200)] 
suricata.yaml: Start moving to IPFire specific configuration

Remove a lot of stuff and options which are deactivated during compiling,
unsupported by the plattform or not used in IPFire.

Add an advice to the full documented suricata-example.yaml file which also
is shipped by IPFire.

More work needs to be done.

See #11808

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
21 months agosuricata.yaml: Adjust classification and reference config location
Stefan Schantl [Fri, 24 Aug 2018 08:54:07 +0000 (10:54 +0200)] 
suricata.yaml: Adjust classification and reference config location

Both files are included in the various rulesets, therefore use them
from the rules folder.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
21 months agosuricata.yaml: Fix include statement for homenet file
Stefan Schantl [Fri, 24 Aug 2018 08:28:42 +0000 (10:28 +0200)] 
suricata.yaml: Fix include statement for homenet file

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
21 months agosuricata: Fix initscript when using a single core machine
Stefan Schantl [Fri, 24 Aug 2018 08:04:33 +0000 (10:04 +0200)] 
suricata: Fix initscript when using a single core machine

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
21 months agoids.cgi: Create oinkmaster related files at first call
Stefan Schantl [Fri, 24 Aug 2018 05:39:04 +0000 (07:39 +0200)] 
ids.cgi: Create oinkmaster related files at first call

With this commit, the CGI file will create the oinkmaster related
files during first run if they does not exist.

Fixes #11822.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
21 months agoids-functions.pl: Add function to create empty files
Stefan Schantl [Fri, 24 Aug 2018 05:37:10 +0000 (07:37 +0200)] 
ids-functions.pl: Add function to create empty files

This generic function can be used to create any kind of emtpy files -
it just requires the full path and filename to work.

If the specified file exists at calltime, the function will abort
to prevent from overwriting existing files and content.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
21 months agoFix merge conflicts during merge of next and the suricata branch
Stefan Schantl [Thu, 23 Aug 2018 08:34:17 +0000 (10:34 +0200)] 
Fix merge conflicts during merge of next and the suricata branch

21 months agoMerge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
Stefan Schantl [Thu, 23 Aug 2018 08:32:21 +0000 (10:32 +0200)] 
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

21 months agocore124: Ship updated firewall.cgi
Michael Tremer [Wed, 22 Aug 2018 13:46:53 +0000 (14:46 +0100)] 
core124: Ship updated firewall.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agoBUG11805: Firewall rule with source orange and target firewall-interface-orange not...
Alexander Marx [Wed, 22 Aug 2018 09:23:16 +0000 (11:23 +0200)] 
BUG11805: Firewall rule with source orange and target firewall-interface-orange not possible

Now its possible to create a rule with orange source and target orange interface of the firewall.

Fixes: #11805

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agocore124: Fix typo in rootfile
Michael Tremer [Wed, 22 Aug 2018 13:17:15 +0000 (14:17 +0100)] 
core124: Fix typo in rootfile

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agocore124: Ship updated AWS setup scripts
Michael Tremer [Wed, 22 Aug 2018 13:06:53 +0000 (14:06 +0100)] 
core124: Ship updated AWS setup scripts

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agoDrop the network-trigger script
Michael Tremer [Wed, 22 Aug 2018 13:05:43 +0000 (14:05 +0100)] 
Drop the network-trigger script

This is done at boot time and doesn't normally need to be done again.

On AWS or in the setup, renaming any network interfaces is being
handled automatically.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agofirstsetup: There is no need to restart udev here
Michael Tremer [Wed, 22 Aug 2018 13:02:43 +0000 (14:02 +0100)] 
firstsetup: There is no need to restart udev here

All network interfaces are renamed accordingly in setup

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agoaws: Let udev rename all network interfaces
Michael Tremer [Wed, 22 Aug 2018 13:00:39 +0000 (14:00 +0100)] 
aws: Let udev rename all network interfaces

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agooinkmaster: Ship IPFire specific config file
Stefan Schantl [Wed, 22 Aug 2018 08:37:44 +0000 (10:37 +0200)] 
oinkmaster: Ship IPFire specific config file

Ship an IPFire specific configuration file for oinkmaster.

This allows oinkmaster to do all the great rule modifications which
have been introduced by the new ids.cgi file.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
21 months agoids.cgi: Rework handling of enabled/disabled sids
Stefan Schantl [Wed, 22 Aug 2018 06:39:57 +0000 (08:39 +0200)] 
ids.cgi: Rework handling of enabled/disabled sids

Now the enabled or disabled sids are stored in a single
hash instead of two arrays, which easily can be modified.

When saving the ruleset, the new read_enabled_disabled_sids() function
will be used to read-in the current (old) saved enabled or disabled sids
and add them to the new hash structure.

After adding or modifiying sids to the hash, the entries will be written
to the corresponding files.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
21 months agoids.cgi: Add function to read the enabled/disabled sid files
Stefan Schantl [Wed, 22 Aug 2018 06:38:16 +0000 (08:38 +0200)] 
ids.cgi: Add function to read the enabled/disabled sid files

This function is used to read-in the files for enabled or disabled sid
files and stores the sid and their state into a temporary hash which will
be returned by the function.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
21 months agonano: Update to 2.9.8
Matthias Fischer [Tue, 21 Aug 2018 16:27:02 +0000 (18:27 +0200)] 
nano: Update to 2.9.8

For details see:
https://www.nano-editor.org/news.php

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agoids.cgi: Fix check if the IDS is running
Stefan Schantl [Tue, 21 Aug 2018 17:18:01 +0000 (19:18 +0200)] 
ids.cgi: Fix check if the IDS is running

The correct function name is ids_is_running()!

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
21 months agocore124: Ship updated backup include/exclude files
Michael Tremer [Tue, 21 Aug 2018 14:06:22 +0000 (15:06 +0100)] 
core124: Ship updated backup include/exclude files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agobackup: Add root's SSH keys and settings
Michael Tremer [Tue, 21 Aug 2018 14:05:40 +0000 (15:05 +0100)] 
backup: Add root's SSH keys and settings

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agobackup: Add custom squid configuration files
Michael Tremer [Tue, 21 Aug 2018 14:05:13 +0000 (15:05 +0100)] 
backup: Add custom squid configuration files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agobackup: Order incldue/exclude alphabetically
Michael Tremer [Tue, 21 Aug 2018 10:32:04 +0000 (11:32 +0100)] 
backup: Order incldue/exclude alphabetically

Nothing has been added or removed

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agogcc: x86_64 add libspp to rootfile
Arne Fitzenreiter [Mon, 20 Aug 2018 14:22:20 +0000 (16:22 +0200)] 
gcc: x86_64 add libspp to rootfile

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
21 months agoids.cgi: Add backend code to handle switch between IDS and IPS mode
Stefan Schantl [Sat, 18 Aug 2018 12:48:30 +0000 (14:48 +0200)] 
ids.cgi: Add backend code to handle switch between IDS and IPS mode

This commit adds the required backend code to allow switching
between IDS and IPS mode of suricata.

Technically the behaviour of suricata is specified by the rules -
each of them can contain the action "alert" or "drop" (There are
more actions supported but these two are currently the important one)

When running in IDS mode, the ruleset does not need to be touched,
because the default action is "alert". When switching to IPS mode,
the CGI writes a single line to "oinkmaster-modify-sids.conf" which
is included by oinkmaster and modify the action for each single rule
from alert to drop.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
21 months agoids.cgi: Allow to switch between IDS/IPS mode
Stefan Schantl [Sat, 18 Aug 2018 08:16:12 +0000 (10:16 +0200)] 
ids.cgi: Allow to switch between IDS/IPS mode

Add the option to select the runmode for suricata, wheater it
should run in intrusion detection mode or intrusion prevention mode.

If the option has not configured yet, it defaults to IPS mode.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
21 months agoids-functions.pl: Display error if oinkmaster cannot be executed
Stefan Schantl [Sat, 18 Aug 2018 08:01:14 +0000 (10:01 +0200)] 
ids-functions.pl: Display error if oinkmaster cannot be executed

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
21 months agoids-functions.pl: Log correct error message if download fails
Stefan Schantl [Fri, 17 Aug 2018 06:49:06 +0000 (08:49 +0200)] 
ids-functions.pl: Log correct error message if download fails

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
21 months agosuricata: Fix detection of enabled IDS on zone in initscript
Stefan Schantl [Fri, 17 Aug 2018 06:45:47 +0000 (08:45 +0200)] 
suricata: Fix detection of enabled IDS on zone in initscript

I accidently commited the wrong file in the previous commit.
This is the fixed and working version.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
21 months agosuricata: Give 644 permissions to the suricata pidfile
Stefan Schantl [Fri, 17 Aug 2018 06:24:19 +0000 (08:24 +0200)] 
suricata: Give 644 permissions to the suricata pidfile

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
21 months agoruleset-sources: Move to suricata optimized ruleset when using emerginthreads.
Stefan Schantl [Fri, 17 Aug 2018 05:36:54 +0000 (07:36 +0200)] 
ruleset-sources: Move to suricata optimized ruleset when using emerginthreads.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
21 months agobind: Update to 9.11.4-P1
Matthias Fischer [Thu, 16 Aug 2018 18:56:03 +0000 (20:56 +0200)] 
bind: Update to 9.11.4-P1

Fixes CVE-2018-5740 and CVE-2018-5738.

For details see:
http://ftp.isc.org/isc/bind9/9.11.4-P1/RELEASE-NOTES-bind-9.11.4-P1.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agocore124: Ship updated pciutils
Michael Tremer [Thu, 16 Aug 2018 17:55:49 +0000 (18:55 +0100)] 
core124: Ship updated pciutils

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agopciutils: update to 3.5.6
Peter Müller [Thu, 16 Aug 2018 15:10:58 +0000 (17:10 +0200)] 
pciutils: update to 3.5.6

The third version of this patch superseds the first and
second one which were broken due to bugs in the MUAs GPG
implementation.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agocore124: Ship updated ids.cgi
Michael Tremer [Thu, 16 Aug 2018 17:54:41 +0000 (18:54 +0100)] 
core124: Ship updated ids.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agodownload ET IDS rules via HTTPS
Peter Müller [Thu, 16 Aug 2018 15:09:41 +0000 (17:09 +0200)] 
download ET IDS rules via HTTPS

The Emerging Threats ruleset server supports HTTPS. It should
be used for downloading the ruleset in IPFire, too.

This also needs to be applied on the upcoming ids.cgi file for Suricata
which I will do in a second patch.

The third version of this patch superseds the first and
second one which were broken due to bugs in the MUAs GPG
implementation.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agoPostfix: update to 3.3.1
Peter Müller [Thu, 16 Aug 2018 15:08:04 +0000 (17:08 +0200)] 
Postfix: update to 3.3.1

This updates Postfix to recent 3.3.x series, which contains
some new features. Release announcement available at
http://www.postfix.org/announcements/postfix-3.3.1.html

The third version of this patch superseds the first and
second one which were broken due to bugs in the MUAs GPG
implementation.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agosuricata: Add code to create iptables rules to the initscript
Stefan Schantl [Thu, 16 Aug 2018 16:51:13 +0000 (18:51 +0200)] 
suricata: Add code to create iptables rules to the initscript

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
21 months agofirewall: Add chains for IPS (suricata)
Stefan Schantl [Thu, 16 Aug 2018 16:50:39 +0000 (18:50 +0200)] 
firewall: Add chains for IPS (suricata)

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
21 months agocore124: Ship updated bind
Michael Tremer [Thu, 16 Aug 2018 12:05:47 +0000 (13:05 +0100)] 
core124: Ship updated bind

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agobind: Update to 9.11.4
Matthias Fischer [Sun, 22 Jul 2018 15:11:53 +0000 (17:11 +0200)] 
bind: Update to 9.11.4

For details see:
http://ftp.isc.org/isc/bind9/9.11.4/RELEASE-NOTES-bind-9.11.4.html

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agocore124: Don't re-generate the initrd
Michael Tremer [Thu, 16 Aug 2018 12:02:56 +0000 (13:02 +0100)] 
core124: Don't re-generate the initrd

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agocore124: Re-install bootloader during update
Michael Tremer [Thu, 16 Aug 2018 12:02:37 +0000 (13:02 +0100)] 
core124: Re-install bootloader during update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agocore124: Ship EFI changes
Michael Tremer [Thu, 16 Aug 2018 12:01:01 +0000 (13:01 +0100)] 
core124: Ship EFI changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agoMerge remote-tracking branch 'origin/efi' into next
Michael Tremer [Thu, 16 Aug 2018 11:49:13 +0000 (12:49 +0100)] 
Merge remote-tracking branch 'origin/efi' into next

21 months agocore124: Ship update localnet init script
Michael Tremer [Thu, 16 Aug 2018 11:47:55 +0000 (12:47 +0100)] 
core124: Ship update localnet init script

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agoStart Core Update 124
Michael Tremer [Thu, 16 Aug 2018 11:47:06 +0000 (12:47 +0100)] 
Start Core Update 124

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agolocalnet: Properly format and quote variables
Michael Tremer [Thu, 16 Aug 2018 11:42:25 +0000 (12:42 +0100)] 
localnet: Properly format and quote variables

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agolocalnet: Correctly set domain name
Michael Tremer [Thu, 16 Aug 2018 11:41:52 +0000 (12:41 +0100)] 
localnet: Correctly set domain name

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agocore123: ship updated unbound initskript
Arne Fitzenreiter [Wed, 15 Aug 2018 11:30:07 +0000 (13:30 +0200)] 
core123: ship updated unbound initskript

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
21 months agoaws: Hide pakfire update output
Michael Tremer [Wed, 15 Aug 2018 10:50:14 +0000 (11:50 +0100)] 
aws: Hide pakfire update output

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agoaws: Write user-data log to file only
Michael Tremer [Wed, 15 Aug 2018 10:49:30 +0000 (11:49 +0100)] 
aws: Write user-data log to file only

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agoaws: Execute reboot when an update requires one
Michael Tremer [Wed, 15 Aug 2018 10:45:27 +0000 (11:45 +0100)] 
aws: Execute reboot when an update requires one

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agoFix typo in unbound initscript
Michael Tremer [Wed, 15 Aug 2018 10:25:38 +0000 (11:25 +0100)] 
Fix typo in unbound initscript

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agoaws: Set PATH to search in /usr/local/(s)bin
Michael Tremer [Wed, 15 Aug 2018 10:11:56 +0000 (11:11 +0100)] 
aws: Set PATH to search in /usr/local/(s)bin

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agoaws: Import pakfire keys before the first launch
Michael Tremer [Wed, 15 Aug 2018 10:10:59 +0000 (11:10 +0100)] 
aws: Import pakfire keys before the first launch

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agoaws: Log output of user-data script to /root/user-data.log
Michael Tremer [Wed, 15 Aug 2018 10:09:55 +0000 (11:09 +0100)] 
aws: Log output of user-data script to /root/user-data.log

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agocore123: ship updated logs.cgi/ids.dat
Arne Fitzenreiter [Wed, 15 Aug 2018 10:19:29 +0000 (12:19 +0200)] 
core123: ship updated logs.cgi/ids.dat

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
21 months agoaws: Install all available updates first
Michael Tremer [Wed, 15 Aug 2018 09:11:08 +0000 (10:11 +0100)] 
aws: Install all available updates first

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agoaws: Setup DNS during init phase
Michael Tremer [Wed, 15 Aug 2018 09:10:13 +0000 (10:10 +0100)] 
aws: Setup DNS during init phase

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agocore123: set pakfire version
Arne Fitzenreiter [Wed, 15 Aug 2018 05:30:53 +0000 (07:30 +0200)] 
core123: set pakfire version

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
21 months agocore123: Ship updated backup.pl
Michael Tremer [Tue, 14 Aug 2018 19:39:17 +0000 (20:39 +0100)] 
core123: Ship updated backup.pl

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agoFixes for 'backup.pl' (Bug #11816)
Matthias Fischer [Tue, 14 Aug 2018 19:34:38 +0000 (21:34 +0200)] 
Fixes for 'backup.pl' (Bug #11816)

Hi,

Fixes #11816
(https://bugzilla.ipfire.org/show_bug.cgi?id=11816 and
https://bugzilla.ipfire.org/attachment.cgi?id=608):

"[root@ipfire ~]# backupctrl exclude
...
tar: The following options were used after any non-optional arguments in
archive create or update mode.  These options are positional and affect
only arguments that follow them.  Please, rearrange them properly.
tar: --exclude-from '/var/ipfire/backup/exclude.user' has no effect
tar: Exiting with failure status due to previous errors"

Please test - I got no errors anymore.

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agocore123: Ship openssl-compat, too
Michael Tremer [Tue, 14 Aug 2018 19:37:54 +0000 (20:37 +0100)] 
core123: Ship openssl-compat, too

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agocore123: Ship updated openssl
Arne Fitzenreiter [Tue, 14 Aug 2018 18:29:03 +0000 (20:29 +0200)] 
core123: Ship updated openssl

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
21 months agoMerge remote-tracking branch 'ms/aws-cli' into next
Michael Tremer [Tue, 14 Aug 2018 18:14:58 +0000 (19:14 +0100)] 
Merge remote-tracking branch 'ms/aws-cli' into next

21 months agoopenssl: Update to 1.1.0i and 1.0.2p
Michael Tremer [Tue, 14 Aug 2018 18:12:53 +0000 (19:12 +0100)] 
openssl: Update to 1.1.0i and 1.0.2p

 Changes between 1.1.0h and 1.1.0i [14 Aug 2018]

  *) Client DoS due to large DH parameter

     During key agreement in a TLS handshake using a DH(E) based ciphersuite a
     malicious server can send a very large prime value to the client. This will
     cause the client to spend an unreasonably long period of time generating a
     key for this prime resulting in a hang until the client has finished. This
     could be exploited in a Denial Of Service attack.

     This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken
     (CVE-2018-0732)
     [Guido Vranken]

  *) Cache timing vulnerability in RSA Key Generation

     The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
     a cache timing side channel attack. An attacker with sufficient access to
     mount cache timing attacks during the RSA key generation process could
     recover the private key.

     This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
     Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
     (CVE-2018-0737)
     [Billy Brumley]

  *) Make EVP_PKEY_asn1_new() a bit stricter about its input.  A NULL pem_str
     parameter is no longer accepted, as it leads to a corrupt table.  NULL
     pem_str is reserved for alias entries only.
     [Richard Levitte]

  *) Revert blinding in ECDSA sign and instead make problematic addition
     length-invariant. Switch even to fixed-length Montgomery multiplication.
     [Andy Polyakov]

  *) Change generating and checking of primes so that the error rate of not
     being prime depends on the intended use based on the size of the input.
     For larger primes this will result in more rounds of Miller-Rabin.
     The maximal error rate for primes with more than 1080 bits is lowered
     to 2^-128.
     [Kurt Roeckx, Annie Yousar]

  *) Increase the number of Miller-Rabin rounds for DSA key generating to 64.
     [Kurt Roeckx]

  *) Add blinding to ECDSA and DSA signatures to protect against side channel
     attacks discovered by Keegan Ryan (NCC Group).
     [Matt Caswell]

  *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
     now allow empty (zero character) pass phrases.
     [Richard Levitte]

  *) Certificate time validation (X509_cmp_time) enforces stricter
     compliance with RFC 5280. Fractional seconds and timezone offsets
     are no longer allowed.
     [Emilia Käsper]

  *) Fixed a text canonicalisation bug in CMS

     Where a CMS detached signature is used with text content the text goes
     through a canonicalisation process first prior to signing or verifying a
     signature. This process strips trailing space at the end of lines, converts
     line terminators to CRLF and removes additional trailing line terminators
     at the end of a file. A bug in the canonicalisation process meant that
     some characters, such as form-feed, were incorrectly treated as whitespace
     and removed. This is contrary to the specification (RFC5485). This fix
     could mean that detached text data signed with an earlier version of
     OpenSSL 1.1.0 may fail to verify using the fixed version, or text data
     signed with a fixed OpenSSL may fail to verify with an earlier version of
     OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data
     and use the "-binary" flag (for the "cms" command line application) or set
     the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()).
     [Matt Caswell]

 Changes between 1.0.2o and 1.0.2p [14 Aug 2018]

  *) Client DoS due to large DH parameter

     During key agreement in a TLS handshake using a DH(E) based ciphersuite a
     malicious server can send a very large prime value to the client. This will
     cause the client to spend an unreasonably long period of time generating a
     key for this prime resulting in a hang until the client has finished. This
     could be exploited in a Denial Of Service attack.

     This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken
     (CVE-2018-0732)
     [Guido Vranken]

  *) Cache timing vulnerability in RSA Key Generation

     The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
     a cache timing side channel attack. An attacker with sufficient access to
     mount cache timing attacks during the RSA key generation process could
     recover the private key.

     This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
     Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
     (CVE-2018-0737)
     [Billy Brumley]

  *) Make EVP_PKEY_asn1_new() a bit stricter about its input.  A NULL pem_str
     parameter is no longer accepted, as it leads to a corrupt table.  NULL
     pem_str is reserved for alias entries only.
     [Richard Levitte]

  *) Revert blinding in ECDSA sign and instead make problematic addition
     length-invariant. Switch even to fixed-length Montgomery multiplication.
     [Andy Polyakov]

  *) Change generating and checking of primes so that the error rate of not
     being prime depends on the intended use based on the size of the input.
     For larger primes this will result in more rounds of Miller-Rabin.
     The maximal error rate for primes with more than 1080 bits is lowered
     to 2^-128.
     [Kurt Roeckx, Annie Yousar]

  *) Increase the number of Miller-Rabin rounds for DSA key generating to 64.
     [Kurt Roeckx]

  *) Add blinding to ECDSA and DSA signatures to protect against side channel
     attacks discovered by Keegan Ryan (NCC Group).
     [Matt Caswell]

  *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
     now allow empty (zero character) pass phrases.
     [Richard Levitte]

  *) Certificate time validation (X509_cmp_time) enforces stricter
     compliance with RFC 5280. Fractional seconds and timezone offsets
     are no longer allowed.
     [Emilia Käsper]

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agopython3-s3transfer: Fix rootfile
Michael Tremer [Tue, 14 Aug 2018 14:13:24 +0000 (15:13 +0100)] 
python3-s3transfer: Fix rootfile

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agopython3-pyasn1: New package as required by aws-cli
Michael Tremer [Tue, 14 Aug 2018 13:52:33 +0000 (14:52 +0100)] 
python3-pyasn1: New package as required by aws-cli

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agopython3-rsa: New package as required by aws-cli
Michael Tremer [Tue, 14 Aug 2018 13:44:30 +0000 (14:44 +0100)] 
python3-rsa: New package as required by aws-cli

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agopython3-s3transfer: New package as required by aws-cli
Michael Tremer [Tue, 14 Aug 2018 13:38:11 +0000 (14:38 +0100)] 
python3-s3transfer: New package as required by aws-cli

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agopython3-yaml: New paclage as required by aws-cli
Michael Tremer [Tue, 14 Aug 2018 13:19:33 +0000 (14:19 +0100)] 
python3-yaml: New paclage as required by aws-cli

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agopython3-docutils: New package as required by aws-cli
Michael Tremer [Tue, 14 Aug 2018 13:11:38 +0000 (14:11 +0100)] 
python3-docutils: New package as required by aws-cli

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
21 months agopython3-colorama: New package as required by aws-cli
Michael Tremer [Tue, 14 Aug 2018 13:04:03 +0000 (14:04 +0100)] 
python3-colorama: New package as required by aws-cli

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>