ipfire-2.x.git
18 months ago dhcpcd: Update to 8.1.0
Matthias Fischer [Sat, 12 Oct 2019 23:05:57 +0000 (01:05 +0200)] 
dhcpcd: Update to 8.1.0

For details see:
https://roy.marples.name/blog/dhcpcd-8-1-0-released

"DragonFlyBSD: Improved rc.d handling
Fix carrier status after a route socket overflow
Allow domain spaced options
DHCP: Allow not sending Force Renew Nonce or Reconf Accept
IPv4LL: Now passes Apple Bonjour test versions 1.4 and 1.5
ARP: Fix a typo and remove pragma (thus working with old gcc)
DHCP6: Fix a cosmetic issue with infinite leases
DHCP6: SLA 0 and Prefix Len 0 will now add a delegated /64 address
Ignore some virtual interfaces such as Tap and Bridge by default
BPF: Move validation logic out of BPF and back into dhcpcd"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago core137: close update
Arne Fitzenreiter [Sat, 12 Oct 2019 15:57:59 +0000 (15:57 +0000)] 
core137: close update

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago core137: restart updated services
Arne Fitzenreiter [Sat, 12 Oct 2019 15:56:40 +0000 (15:56 +0000)] 
core137: restart updated services

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago kernel: update to 4.14.149
Arne Fitzenreiter [Sat, 12 Oct 2019 11:12:03 +0000 (13:12 +0200)] 
kernel: update to 4.14.149

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago rust: update armv5tel rootfile
Arne Fitzenreiter [Wed, 9 Oct 2019 18:23:05 +0000 (20:23 +0200)] 
rust: update armv5tel rootfile

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago rust: add i586 and aarch64 rootfile
Arne Fitzenreiter [Wed, 9 Oct 2019 16:11:32 +0000 (18:11 +0200)] 
rust: add i586 and aarch64 rootfile

todo: armv5tel is still missing...

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago sane: add special aarch64 rootfile
Arne Fitzenreiter [Wed, 9 Oct 2019 16:10:23 +0000 (18:10 +0200)] 
sane: add special aarch64 rootfile

libsane-qcam is not available for aarch64 so we need an extra rootfile

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago sane: rootfile update
Arne Fitzenreiter [Wed, 9 Oct 2019 16:06:54 +0000 (18:06 +0200)] 
sane: rootfile update

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago tshark: rootfile update
Arne Fitzenreiter [Wed, 9 Oct 2019 16:05:50 +0000 (18:05 +0200)] 
tshark: rootfile update

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago speedtest-cli: add rootfile
Arne Fitzenreiter [Wed, 9 Oct 2019 16:04:30 +0000 (18:04 +0200)] 
speedtest-cli: add rootfile

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago sane/stage2: remove sanedloop
Arne Fitzenreiter [Wed, 9 Oct 2019 06:37:23 +0000 (08:37 +0200)] 
sane/stage2: remove sanedloop

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago rust: fix typo
Arne Fitzenreiter [Tue, 8 Oct 2019 19:49:01 +0000 (19:49 +0000)] 
rust: fix typo

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago rust: fix md5 sums for i586 and arm
Arne Fitzenreiter [Tue, 8 Oct 2019 19:44:54 +0000 (19:44 +0000)] 
rust: fix md5 sums for i586 and arm

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago suricata: Enable rust support
Stefan Schantl [Mon, 7 Oct 2019 18:44:05 +0000 (20:44 +0200)] 
suricata: Enable rust support

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago rust: New package.
Stefan Schantl [Mon, 7 Oct 2019 18:44:04 +0000 (20:44 +0200)] 
rust: New package.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago ncat: Update to version 7.80
Erik Kapfer [Sun, 6 Oct 2019 07:23:19 +0000 (09:23 +0200)] 
ncat: Update to version 7.80

Several improvements have been added. This update is part of the nmap-7.80 update.
For the complete changelog take a look in here --> https://seclists.org/nmap-announce/2019/0 .

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago nmap: Update to version 7.80
Erik Kapfer [Sun, 6 Oct 2019 07:16:57 +0000 (09:16 +0200)] 
nmap: Update to version 7.80

Several improvements, NSE scripts and libraries have been added.
The complete changelog can be found in here --> https://seclists.org/nmap-announce/2019/0 .

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago core137: ship libpcap
Arne Fitzenreiter [Tue, 8 Oct 2019 19:05:50 +0000 (19:05 +0000)] 
core137: ship libpcap

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago libpcap: Update to 1.9.1
Matthias Fischer [Sat, 5 Oct 2019 07:37:15 +0000 (09:37 +0200)] 
libpcap: Update to 1.9.1

For details see:
https://www.tcpdump.org/libpcap-changes.txt

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago core137: ship unbound
Arne Fitzenreiter [Tue, 8 Oct 2019 19:03:50 +0000 (19:03 +0000)] 
core137: ship unbound

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago unbound: Update to 1.9.4
Matthias Fischer [Sat, 5 Oct 2019 07:09:29 +0000 (09:09 +0200)] 
unbound: Update to 1.9.4

For details see:
https://nlnetlabs.nl/pipermail/unbound-users/2019-October/011832.html

"This release is a fix for vulnerability CVE-2019-16866 that causes a
failure when a specially crafted query is received."

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago tcpdump: Update to 4.9.3
Matthias Fischer [Sat, 5 Oct 2019 07:05:25 +0000 (09:05 +0200)] 
tcpdump: Update to 4.9.3

For details see:
https://www.tcpdump.org/tcpdump-changes.txt

"Fix buffer overflow/overread vulnerabilities:
      CVE-2017-16808 (AoE)
      CVE-2018-14468 (FrameRelay)
      CVE-2018-14469 (IKEv1)
      CVE-2018-14470 (BABEL)
      CVE-2018-14466 (AFS/RX)
      CVE-2018-14461 (LDP)
      CVE-2018-14462 (ICMP)
      CVE-2018-14465 (RSVP)
      CVE-2018-14881 (BGP)
      CVE-2018-14464 (LMP)
      CVE-2018-14463 (VRRP)
      CVE-2018-14467 (BGP)
      CVE-2018-10103 (SMB - partially fixed, but SMB printing disabled)
      CVE-2018-10105 (SMB - too unreliably reproduced, SMB printing disabled)
      CVE-2018-14880 (OSPF6)
      CVE-2018-16451 (SMB)
      CVE-2018-14882 (RPL)
      CVE-2018-16227 (802.11)
      CVE-2018-16229 (DCCP)
      CVE-2018-16301 (was fixed in libpcap)
      CVE-2018-16230 (BGP)
      CVE-2018-16452 (SMB)
      CVE-2018-16300 (BGP)
      CVE-2018-16228 (HNCP)
      CVE-2019-15166 (LMP)
      CVE-2019-15167 (VRRP)
    Fix for cmdline argument/local issues:
      CVE-2018-14879 (tcpdump -V)"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago clamav: Update to 0.102.0
Matthias Fischer [Sat, 5 Oct 2019 06:59:04 +0000 (08:59 +0200)] 
clamav: Update to 0.102.0

For details see:
https://blog.clamav.net/2019/10/clamav-01020-has-been-released.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago nano: Update to 4.5
Matthias Fischer [Sat, 5 Oct 2019 06:51:15 +0000 (08:51 +0200)] 
nano: Update to 4.5

For details see:
https://www.nano-editor.org/news.php

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago tshark: Update to version 3.0.5
Erik Kapfer [Fri, 4 Oct 2019 17:26:26 +0000 (19:26 +0200)] 
tshark: Update to version 3.0.5

The jump from 3.0.2 to 3.0.5 includes several bugfixes, updated protocols and new and updated capture support.
The complete release notes can be found in here --> https://www.wireshark.org/docs/relnotes/ .

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago core137: ship strongwan and vpnmain.cgi
Arne Fitzenreiter [Tue, 8 Oct 2019 18:56:47 +0000 (18:56 +0000)] 
core137: ship strongwan and vpnmain.cgi

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago IPsec: Add support for Curve448
Michael Tremer [Wed, 2 Oct 2019 10:31:54 +0000 (10:31 +0000)] 
IPsec: Add support for Curve448

This is supported since strongswan 5.7.2 and is a good alternative
to Curve25519 because Curve448 is almost equally secure but performs
faster.

  https://en.wikipedia.org/wiki/Curve448

This is enabled by default although we do not expect many other
implementations to be able to support this.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago strongswan: Update 5.8.1
Michael Tremer [Wed, 2 Oct 2019 10:31:53 +0000 (10:31 +0000)] 
strongswan: Update 5.8.1

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago speedtest-cli: New package
Michael Tremer [Wed, 2 Oct 2019 08:53:50 +0000 (08:53 +0000)] 
speedtest-cli: New package

This is a CLI implementation to test the speed of an internet
connection.

I find this quite useful when there is no access to a client
computer on the network and this will give you a rough idea
about the connection speed.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago WIO:Add fr language
Stephan Feddersen [Tue, 1 Oct 2019 20:07:39 +0000 (22:07 +0200)] 
WIO:Add fr language

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago WIO: Add french translation file
Stephan Feddersen [Tue, 1 Oct 2019 20:01:40 +0000 (22:01 +0200)] 
WIO: Add french translation file

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago core137: ship updated unbound initskript
Arne Fitzenreiter [Tue, 8 Oct 2019 18:50:04 +0000 (18:50 +0000)] 
core137: ship updated unbound initskript

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago firewall: always allow outgoing DNS traffic to root servers
peter.mueller@ipfire.org [Tue, 1 Oct 2019 15:22:00 +0000 (15:22 +0000)] 
firewall: always allow outgoing DNS traffic to root servers

Allowing outgoing DNS traffic (destination port 53, both TCP
and UDP) to the root servers is BCP for some reasons. First,
RFC 5011 assumes resolvers are able to fetch new trust anchors
from the root servers for a certain time period in order to
do key rollovers.

Second, Unbound shows some side effects if it cannot do trust
anchor signaling (see RFC 8145) or fetch the current trust anchor,
resulting in SERVFAILs for arbitrary requests for a few minutes.

There is little security implication of allowing DNS traffic
to the root servers: An attacker might abuse this for exfiltrating
data via DNS queries, but is unable to infiltrate data unless
he gains control over at least one root server instance. If
there is no firewall ruleset in place which prohibits any other
DNS traffic than to chosen DNS servers, this patch will not
have security implications at all.

The second version of this patch does not use unnecessary xargs-
call nor changes anything else not related to this issue.

Fixes #12183

Cc: Michael Tremer <michael.tremer@ipfire.org>
Suggested-by: Horace Michael <horace.michael@gmx.com>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago unbound: Add option to force using TCP for upstream servers
Michael Tremer [Tue, 1 Oct 2019 11:36:16 +0000 (12:36 +0100)] 
unbound: Add option to force using TCP for upstream servers

Some users have problems to reach DNS servers. This change adds an option
which allows to force using TCP for upstream name servers.

This is a good workaround for users behind a broken Fritz!Box in modem
mode which does not allow resolving any records of the root zone.

The name server tests in the script will also only use TCP.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago shairport-sync: Update to 3.3.2
Michael Tremer [Sun, 29 Sep 2019 15:07:58 +0000 (15:07 +0000)] 
shairport-sync: Update to 3.3.2

This version now requires libdaemon and brings various improvements
for sound quality and stability.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago sane: Update to 1.0.28
Michael Tremer [Sun, 29 Sep 2019 14:50:31 +0000 (14:50 +0000)] 
sane: Update to 1.0.28

This patch updates the package and removes the sanedloop script
which was needed to launch saned, but that program can now run
in standalone mode.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago core137: ship suricata
Arne Fitzenreiter [Tue, 8 Oct 2019 18:38:52 +0000 (18:38 +0000)] 
core137: ship suricata

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago suricata: Update to 4.1.5
Matthias Fischer [Fri, 27 Sep 2019 16:08:49 +0000 (18:08 +0200)] 
suricata: Update to 4.1.5

Changelog:
"4.1.5 -- 2019-09-24

Feature #3068: protocol parser: vxlan (4.1.x)
Bug #2841: False positive alerts firing after upgrade suricata 3.0 -> 4.1.0 (4.1.x)
Bug #2966: filestore (v1 and v2): dropping of "unwanted" files (4.1.x)
Bug #3008: rust: updated libc crate causes depration warnings (4.1.x)
Bug #3044: tftp: missing logs because of broken tx handling (4.1.x)
Bug #3067: GeoIP keyword depends on now discontinued legacy GeoIP database (4.1.x)
Bug #3094: Fedora rawhide af-packet compilation err (4.1.x)
Bug #3123: bypass keyword: Suricata 4.1.x Segmentation Faults (4.1.x)
Bug #3129: Fixes warning about size of integers in string formats (4.1.x)
Bug #3159: SC_ERR_PCAP_DISPATCH with message "error code -2" upon rule reload completion (4.1.x)
Bug #3164: Suricata 4.1.4: NSS Shutdown triggers crashes in test mode
Bug #3168: tls: out of bounds read
Bug #3170: defrag: out of bounds read
Bug #3173: ipv4: ts field decoding oob read
Bug #3175: File_data inspection depth while inspecting base64 decoded data (4.1.x)
Bug #3184: decode/der: crafted input can lead to resource starvation
Bug #3186: Multiple Content-Length headers causes HTP_STREAM_ERROR (4.1.x)
Bug #3187: GET/POST HTTP-request with no Content-Length, http_client_body miss (4.1.x)"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago iproute2: Update to 5.3.0
Matthias Fischer [Thu, 26 Sep 2019 17:44:11 +0000 (19:44 +0200)] 
iproute2: Update to 5.3.0

For details see:
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/log/?h=v5.3.0

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago core137: ship knot
Arne Fitzenreiter [Tue, 8 Oct 2019 18:36:24 +0000 (18:36 +0000)] 
core137: ship knot

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago knot: Update to 2.8.4
Matthias Fischer [Thu, 26 Sep 2019 17:40:31 +0000 (19:40 +0200)] 
knot: Update to 2.8.4

For details see:
https://www.knot-dns.cz/2019-09-24-version-284.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago mtr: update to 0.93
peter.mueller@ipfire.org [Wed, 25 Sep 2019 19:05:00 +0000 (19:05 +0000)] 
mtr: update to 0.93

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago Tor: update to 0.4.1.6
peter.mueller@ipfire.org [Wed, 25 Sep 2019 15:15:00 +0000 (15:15 +0000)] 
Tor: update to 0.4.1.6

Please refer to https://blog.torproject.org/new-release-tor-0416 for
release notes. This patch has to be applied after applying 9fb607ef6
(https://patchwork.ipfire.org/patch/2407/), which was not merged at
the time of writing.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago firewall: raise log rate limit for user generated rules, too
peter.mueller@ipfire.org [Wed, 25 Sep 2019 15:06:00 +0000 (15:06 +0000)] 
firewall: raise log rate limit for user generated rules, too

Having raised the overall log rate limit to 10 packets per second
in Core Update 136, this did not affect rules generated by the
user. In order to stay consistent, this patch also raises log rate
limit for these.

In order to avoid side effects on firewalls with slow disks, it
was probably better to touch these categories separately, so testing
users won't be DoSsed instantly. :-)

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago core137: ship Net_SSLeay
Arne Fitzenreiter [Tue, 8 Oct 2019 18:26:22 +0000 (18:26 +0000)] 
core137: ship Net_SSLeay

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago Net-SSLeay: Update to version 1.88
Erik Kapfer [Wed, 25 Sep 2019 10:05:52 +0000 (12:05 +0200)] 
Net-SSLeay: Update to version 1.88

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago nano: Update to 4.4
Matthias Fischer [Tue, 24 Sep 2019 17:24:44 +0000 (19:24 +0200)] 
nano: Update to 4.4

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago core137: ship libssh
Arne Fitzenreiter [Tue, 8 Oct 2019 18:21:17 +0000 (18:21 +0000)] 
core137: ship libssh

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago bird: Update to 2.0.6
Michael Tremer [Mon, 23 Sep 2019 15:01:47 +0000 (15:01 +0000)] 
bird: Update to 2.0.6

Minor update which will enable support for RPKI because libssh is
now present.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago libssh: New package
Michael Tremer [Mon, 23 Sep 2019 15:01:46 +0000 (15:01 +0000)] 
libssh: New package

This is required by Bird to support RPKI.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago core137: ship updated logrotate.conf
Arne Fitzenreiter [Tue, 8 Oct 2019 18:17:44 +0000 (18:17 +0000)] 
core137: ship updated logrotate.conf

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago Added Mail log file to '/etc/logrotate.conf'
Matthias Fischer [Sun, 22 Sep 2019 07:02:48 +0000 (09:02 +0200)] 
Added Mail log file to '/etc/logrotate.conf'

Fixes Bug #12155: logrotate wasn't set up to rotate this file.

For details see:
https://bugzilla.ipfire.org/show_bug.cgi?id=12155

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago core137: ship tzdata
Arne Fitzenreiter [Tue, 8 Oct 2019 18:14:43 +0000 (18:14 +0000)] 
core137: ship tzdata

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago tzcode / tzdata: Update to 2019c
Matthias Fischer [Sun, 22 Sep 2019 06:49:48 +0000 (08:49 +0200)] 
tzcode / tzdata: Update to 2019c

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago core137: ship wpa_supplicant
Arne Fitzenreiter [Tue, 8 Oct 2019 18:10:23 +0000 (18:10 +0000)] 
core137: ship wpa_supplicant

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago hostapd: Update to 2.9
Matthias Fischer [Fri, 20 Sep 2019 18:51:36 +0000 (20:51 +0200)] 
hostapd: Update to 2.9

For details see:
https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago wpa_supplicant: Update to 2.9
Matthias Fischer [Fri, 20 Sep 2019 18:51:35 +0000 (20:51 +0200)] 
wpa_supplicant: Update to 2.9

For details see:
https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago core137: ship bind
Arne Fitzenreiter [Tue, 8 Oct 2019 18:08:04 +0000 (18:08 +0000)] 
core137: ship bind

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago bind: Update to 9.11.11
Matthias Fischer [Fri, 20 Sep 2019 18:43:19 +0000 (20:43 +0200)] 
bind: Update to 9.11.11

For details see:
https://downloads.isc.org/isc/bind9/9.11.11/RELEASE-NOTES-bind-9.11.11.html

"Security Fixes

   A race condition could trigger an assertion failure when a large
   number of incoming packets were being rejected. This flaw is disclosed
   in CVE-2019-6471. [GL #942]

...

Bug Fixes

   Glue address records were not being returned in responses to root priming
   queries; this has been corrected. [GL #1092]

   Interaction between DNS64 and RPZ No Data rule (CNAME *.) could cause
   unexpected results; this has been fixed. [GL #1106]

   named-checkconf now checks DNS64 prefixes to ensure bits 64-71 are zero.
   [GL #1159]

   named-checkconf could crash during configuration if configured to use "geoip
   continent" ACLs with legacy GeoIP. [GL #1163]

   named-checkconf now correctly reports missing dnstap-output option when dnstap
   is set. [GL #1136]

   Handle ETIMEDOUT error on connect() with a non-blocking socket. [GL #1133]"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago core137: ship changed ovpnmain.cgi
Arne Fitzenreiter [Tue, 8 Oct 2019 18:06:13 +0000 (18:06 +0000)] 
core137: ship changed ovpnmain.cgi

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago ovpn: Add ta.key check to main settings
Erik Kapfer [Wed, 18 Sep 2019 05:03:34 +0000 (07:03 +0200)] 
ovpn: Add ta.key check to main settings

Since Core 132 the 'TLS Channel Protection' is part of the global settings,
the ta.key generation check should also be in the main section otherwise it
won't be created if not present.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago ovpn: Generate ta.key before dh-parameter
Erik Kapfer [Wed, 18 Sep 2019 05:03:33 +0000 (07:03 +0200)] 
ovpn: Generate ta.key before dh-parameter

Fixes: #11964 and #12157

If slow boards or/and boards with low entropy need too long to generate the DH-parameter, ovpnmain.cgi can get into a
"Script timed out before returning headers" and no further OpenSSL commands will be executed after dhparam is finished.
Since the ta.key is created after the DH-parameter, it won't be produced in that case.
To prevent this, the DH-parameter will now be generated at the end.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago Tor: update to 0.4.1.5
peter.mueller@ipfire.org [Tue, 17 Sep 2019 17:25:00 +0000 (17:25 +0000)] 
Tor: update to 0.4.1.5

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago core137: add pcre
Arne Fitzenreiter [Tue, 8 Oct 2019 18:02:23 +0000 (18:02 +0000)] 
core137: add pcre

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago pcre: Update to 8.43
Matthias Fischer [Sun, 15 Sep 2019 16:23:21 +0000 (18:23 +0200)] 
pcre: Update to 8.43

For details see:
http://www.pcre.org/original/changelog.txt

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago core137: add dhcpcd
Arne Fitzenreiter [Tue, 8 Oct 2019 17:59:39 +0000 (17:59 +0000)] 
core137: add dhcpcd

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago dhcpcd: Update to 8.0.6
Matthias Fischer [Sat, 14 Sep 2019 16:02:33 +0000 (18:02 +0200)] 
dhcpcd: Update to 8.0.6

For details see:
https://roy.marples.name/blog/dhcpcd-8-0-6-released

"inet6: Fix default route not being installed
DHCP: If root fs is network mounted, enable last lease extend
man: Fix lint errors.
BSD: avoid RTF_WASCLONED routes
DHCP: Give a better message when packet validation fails
DHCP: Ensure we have enough data to checksum IP and UDP

The last change fixes a potential DoS attack introduced in dhcpcd-8.0.3
when the checksumming code was changed to accommodate variable length
IP headers. The commit says since 7.2.0, but I've now decided that's not
the case."

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago core137: add iproute2
Arne Fitzenreiter [Tue, 8 Oct 2019 17:57:32 +0000 (17:57 +0000)] 
core137: add iproute2

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago iproute2: Update to 5.2.0
Matthias Fischer [Wed, 11 Sep 2019 16:07:47 +0000 (18:07 +0200)] 
iproute2: Update to 5.2.0

For details see:
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/log/

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago core137: add iptables and collectd
Arne Fitzenreiter [Tue, 8 Oct 2019 17:53:36 +0000 (17:53 +0000)] 
core137: add iptables and collectd

collectd is linked to libip4tc so we need to ship this also

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago iptables: Update to 1.8.3
Matthias Fischer [Wed, 11 Sep 2019 16:03:27 +0000 (18:03 +0200)] 
iptables: Update to 1.8.3

For details see:
https://www.netfilter.org/projects/iptables/files/changes-iptables-1.8.3.txt

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago core137: add libnetfilter_queue
Arne Fitzenreiter [Tue, 8 Oct 2019 17:49:09 +0000 (17:49 +0000)] 
core137: add libnetfilter_queue

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago libnetfilter_queue: Update to 1.0.4
Stefan Schantl [Sun, 8 Sep 2019 17:38:49 +0000 (19:38 +0200)] 
libnetfilter_queue: Update to 1.0.4

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago core137: add libhtp
Arne Fitzenreiter [Tue, 8 Oct 2019 17:46:29 +0000 (17:46 +0000)] 
core137: add libhtp

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago libhtp: Update to 0.5.30
Stefan Schantl [Fri, 6 Sep 2019 12:52:51 +0000 (14:52 +0200)] 
libhtp: Update to 0.5.30

Fixes #12170

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago kernel: update to 4.14.148
Arne Fitzenreiter [Mon, 7 Oct 2019 21:37:56 +0000 (23:37 +0200)] 
kernel: update to 4.14.148

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago kernel: update to 4.14.147
Arne Fitzenreiter [Sat, 5 Oct 2019 12:42:09 +0000 (14:42 +0200)] 
kernel: update to 4.14.147

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago kernel: update to 4.14.146
Arne Fitzenreiter [Sat, 21 Sep 2019 18:44:52 +0000 (20:44 +0200)] 
kernel: update to 4.14.146

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago kernel: Backport patch to fix a netfilter contrack related issue.
Stefan Schantl [Fri, 20 Sep 2019 18:33:05 +0000 (20:33 +0200)] 
kernel: Backport patch to fix a netfilter contrack related issue.

This fixes the packet drop issue when using suricata on IPFire.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago start core137 and add kernel and IO-Socket-SSL to updater
Arne Fitzenreiter [Sat, 21 Sep 2019 09:52:02 +0000 (09:52 +0000)] 
start core137 and add kernel and IO-Socket-SSL to updater

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago make.sh: fix tmpfs build on 32bit machines (refs: core136, v2.23-core136)
Arne Fitzenreiter [Wed, 18 Sep 2019 16:31:26 +0000 (16:31 +0000)] 
make.sh: fix tmpfs build on 32bit machines

the inode count of tmpfs defaults on available low memory page count
which is too low on 32bit machines

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago glibc: enbable parallel build for locales
Arne Fitzenreiter [Wed, 18 Sep 2019 16:30:49 +0000 (16:30 +0000)] 
glibc: enbable parallel build for locales

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
18 months ago IO-Socket-SSL: Update to version 2.066
Erik Kapfer [Wed, 18 Sep 2019 04:54:51 +0000 (06:54 +0200)] 
IO-Socket-SSL: Update to version 2.066

Fix for "Undefined subroutine &IO::Socket::SSL::set_client_defaults called at /usr/libexec/git-core/git-send-email" problem.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
19 months ago core136: apply local sshd config and restart sshd at update
Arne Fitzenreiter [Sat, 14 Sep 2019 18:13:21 +0000 (18:13 +0000)] 
core136: apply local sshd config and restart sshd at update

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
19 months ago core136: fix typo at GeoIP update
Arne Fitzenreiter [Sat, 14 Sep 2019 16:20:27 +0000 (16:20 +0000)] 
core136: fix typo at GeoIP update

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
19 months ago core136: ship perl-CGI and perl-Switch
Arne Fitzenreiter [Sat, 14 Sep 2019 15:21:41 +0000 (15:21 +0000)] 
core136: ship perl-CGI and perl-Switch

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
19 months ago core136: ship updated perl scripts
Arne Fitzenreiter [Sat, 14 Sep 2019 15:18:29 +0000 (15:18 +0000)] 
core136: ship updated perl scripts

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
19 months ago Merge branch 'next'
Arne Fitzenreiter [Thu, 12 Sep 2019 10:57:09 +0000 (12:57 +0200)] 
Merge branch 'next'

19 months ago finish core136
Arne Fitzenreiter [Thu, 12 Sep 2019 10:54:35 +0000 (12:54 +0200)] 
finish core136

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
19 months ago update contributor list
Arne Fitzenreiter [Thu, 12 Sep 2019 10:53:28 +0000 (12:53 +0200)] 
update contributor list

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
19 months ago core136: ship updated zoneconf.cgi
Arne Fitzenreiter [Thu, 12 Sep 2019 10:20:45 +0000 (10:20 +0000)] 
core136: ship updated zoneconf.cgi

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
19 months ago zoneconf: reduce the width of inputs for vlanid
Alex Koch [Sun, 1 Sep 2019 22:47:29 +0000 (00:47 +0200)] 
zoneconf: reduce the width of inputs for vlanid

The inputs for the vlanids are overlapping the borders of their cells (using a recent Firefox on Linux Mint, Android or Windows 7). This patch fixes this by limiting the width to a fixed value.

Signed-off-by: Alex Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Alex Koch <ipfire@starkstromkonsument.de>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
19 months ago openssl: update to 1.1.1d
Arne Fitzenreiter [Wed, 11 Sep 2019 17:57:35 +0000 (17:57 +0000)] 
openssl: update to 1.1.1d

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
19 months ago core136: update logwatch crontab entry
Arne Fitzenreiter [Wed, 11 Sep 2019 17:38:32 +0000 (17:38 +0000)] 
core136: update logwatch crontab entry

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
19 months ago BUG 12036: logwatch now starts at 00:05am to avoid conflicts with logrotate
Matthias Fischer [Sat, 31 Aug 2019 20:13:19 +0000 (22:13 +0200)] 
BUG 12036: logwatch now starts at 00:05am to avoid conflicts with logrotate

Problem:
Every once in a while 'logwatch' creates an empty log file with 0 Bytes.

Probably 'logwatch' conflicts with the logrotate job which is
launched at the same time.

To avoid this in the future, the start of logwatch was postponed for
four minutes.

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
19 months ago core136: ship logrotate
Arne Fitzenreiter [Wed, 11 Sep 2019 16:57:20 +0000 (16:57 +0000)] 
core136: ship logrotate

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
19 months ago logrotate: Update to 3.5.1
Matthias Fischer [Sun, 1 Sep 2019 07:37:26 +0000 (09:37 +0200)] 
logrotate: Update to 3.5.1

For details see:
https://github.com/logrotate/logrotate/releases

"use correct create mode in examples/btmp (#257)"
=> https://github.com/logrotate/logrotate/pull/257

"fix several bugs found by fuzzing (#254)"
=> https://github.com/logrotate/logrotate/issues/254

"do not abort globbing on a broken symlink (#251)"
=> https://github.com/logrotate/logrotate/issues/251

"rearrange logrotate.8 man page to improve readability (#248)"
=> https://github.com/logrotate/logrotate/pull/248

"encourage admins to use the su directive in logrotate.8 man page (#236)"
=> https://github.com/logrotate/logrotate/pull/236

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
19 months ago Tor: fix permission of /var/ipfire/tor/settings
peter.mueller@ipfire.org [Sat, 7 Sep 2019 17:52:00 +0000 (17:52 +0000)] 
Tor: fix permission of /var/ipfire/tor/settings

The settings file must be writeable for group "nobody" so
users can change their Tor settings via WebUI. Since other
files in /var/ipfire/tor/ do not need this workaround, only
the settings file permissions are changed.

Sorry for the late fix; this was reported by various people
in the forum, too (I was unaware of so many Tor users in our
community).

Fixes #12117

Reported-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
19 months ago core136: ship changed log.dat
Arne Fitzenreiter [Wed, 11 Sep 2019 16:52:23 +0000 (16:52 +0000)] 
core136: ship changed log.dat

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
19 months ago WUI log-section Mail: add support for postfix addon
Alex Koch [Sat, 31 Aug 2019 18:53:00 +0000 (20:53 +0200)] 
WUI log-section Mail: add support for postfix addon

Expand the regex for the section dmi ("Mail") for /var/log/mail to include the log contents of postfix, in case the addon is installed.

Signed-off-by: Alex Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>