knot: Update to 2.8.3

For details see:
https://www.knot-dns.cz/2019-07-16-version-283.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

bind: Update to 9.11.9

For details see:
https://downloads.isc.org/isc/bind9/9.11.9/RELEASE-NOTES-bind-9.11.9.html

"Security Fixes

   A race condition could trigger an assertion failure when a large
   number of incoming packets were being rejected.
   This flaw is disclosed in CVE-2019-6471. [GL #942]"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

apache: Update to 2.4.41

For details see:
http://mirror.dkd.de/apache//httpd/CHANGES_2.4.41

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

dhcpcd: Update to 8.0.2

For details see:
https://roy.marples.name/

"NetBSD: Can be build without ARP support but listen to kernel DaD
ND6: Removed NA support from SMALL builds
ND6: Remove and warn about NA issues on OS's other than NetBSD and Linux
script: /tmp files are now cleaned up for systems without open_memstream(3)
configure: open_memstream(3) detected on recent glibc
DHCP: Avoid duplicate read of UDP socket when BPF is also open
IP: Avoid adding address if already exists on OS other than Linux
IP6: Avoid adding address is already exists on Solaris
route: Fixed a NULL de-reference error on statically configured routes
DHCP6: Move to REQUEST when any IA has error no-binding in RENEW/REBIND
DragonFlyBSD: Now compiles and works for
IP: Accept packets with IP header options"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Postfix: update to 3.4.6

See http://www.postfix.org/announcements/postfix-3.4.6.html
for release notes.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

patch: update to 2.7.6

Note: This does not fix CVE-2019-13636 and CVE-2019-13638
as fixes did not make it into upstream vanilla patch, yet.

See also: https://www.debian.org/security/2019/dsa-4489

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

update ca-certificates CA bundle

Update the CA certificates list to what Mozilla NSS ships currently.

The original file can be retrieved from:
https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core136: Ship updated firewall script

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

firewall: raise log rate limit to 10 packets per second

Previous setting was to log 10 packets per minute for each
event logging is turned on. This made debugging much harder,
as the limit was rather strict and chances of dropping a
packet without logging it were good.

This patch changes the log rate limit to 10 packets per
second per event, to avoid DoS attacks against the log file.
I plan to drop log rate limit entirely in future changes,
if a better solution for this attack vector is available.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

gcc: Build the Go compiler

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

freeradius: Update rootfile

This removes all SSL modules.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

tshark: Fix parallel build

The variable name was incorrect and therefore a parallel
build was never attempted.

This this package already takes a lot of time to build, even
more is being saved now.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

freeradius: Build without SSL

The version check is entirely broken.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

freeradius: Build package without generating certificates

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

freeradius: Disable openssl version check

freeradius seems to care about which version it has been
compiled with and refuses to start. This switch disables
this behaviour.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

keepalived: Enable auto-start

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

keepalived: Backup the whole configuration directory

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

installer: fix grub.conf root uuid entry

grub-mkconfig has written the device name instead of uuid's
because the /dev/disk-by-uuid node of the new filesystem was missing
run "udevadm trigger" to create this nodes before install grub.

fixes: #12116

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

initskripts: move unbound down after network down

this remove a bunch of unbound errors at shutdown because
network down try to reconfigure unbond. (e.g. disable forwarders)

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

start core136

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

close core135

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

kernel: update to 4.14.138

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

dhcpcd: add noip4ll parameter to config

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

initskripts: smt: hide error on cpu's that not support smt at all

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

partresize: check for apu only if dmi is present

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

sysctl: add seperate sysctl-x86_64.conf and move x86_64 only parameters

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core135: add updated leds initskript to updater

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core135: add u-boot changes to updater

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core135: add missing kernel rootfiles

core135: add kernel to updater

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

kernel: update to 4.14.137

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

clamav: update to 0.101.3

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

setup: add ignore to all no nic assigned errors

u-boot-friendlyarm: add u-boot for nanopi-r1 to boot from eMMC

this is a heavy patched version and should replaced when stock
u-boot is able to boot from h3 eMMC.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

u-boot: enable boot from additional mmc device

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

u-boot: switch default sunxi dtb to nanopi-r1

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

led initskript: add nanopi-r1

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

partresize: add copy of broadcom firmware settings for nanopi-r1

I added this to partresize like the APU scon enable because this
is the only script that runs on flashimage at first boot only and
remount root writeable.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

rpi-firmware: create copy of RPI3 brcm 43430 configfile.

the AP21xx need a different config so store the rpi version as backup.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

kernel: remove old modules folder before kernel build

the build fails at creating source symlinks for external
modules build if it already exists.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

kernel: update arm-multi patchset

this add FriendlyElec nanopi-r1 devicetree file.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

pcenginges-firmware: skip build on arm

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

bird: Update to 2.0.4

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

pcengines-firmware: rootfile update

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

pcengines-firmware: update to 4.9.0.7

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

iperf3: update to 3.7

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

iperf: update to 2.0.13

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

initskripts: fix i586 rootfile

unbound: rework dns-forwader handling

add check if red interface has an IPv4 address before test the servers at
red up and simply remove forwarders at down process.

This also fix the hung at dhcpd shutdown.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

unbound-dhcp-leases-bridge: handle PTR generation parameter

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reported-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: update root.hints to 2019070301

IPv4 of server B has changed. Other changes are whitespace only.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core135: Ship updated squid

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

squid: Update to 4.8

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Core Update 135: ship updated tzdata

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core135: Ship updated sysctl.conf

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

sysctl: improve KASLR effectiveness for mmap

By feeding more random bits into mmap allocation, the
effectiveness of KASLR will be improved, making attacks
trying to bypass address randomisation more difficult.

Changed sysctl values are:

vm.mmap_rnd_bits = 32 (default: 28)
vm.mmap_rnd_compat_bits = 16 (default: 8)

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: check if red/iface exists before read it

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

tzdata: update to 2019b

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core135: Ship forgotten ddns package

This was updated before, but I forgot to ship it in the updater.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core135: Ship cloud-init changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Revert "Generate a VHD image"

This reverts commit ee0e3beb39da302fb9735b8b3846ee675192b350.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

azure: Do not drop last byte of MAC addresses

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Enable serial console on all Azure instances

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

cloud-init: Move detection functions into initscript function library

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Generate a VHD image

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

cloud-init: Import experimental configuration script for Azure

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

cloud-init: Execute setup script for Azure if needed

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

cloud-init: Add function to detect if we are running on Azure

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Rename AWS initscript to cloud-init

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

flash-image: Align image to 1MB boundary

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core135: Ship updated packages/files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Start Core Update 135

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

nettle: Update to 3.5.1

For details see:
https://git.lysator.liu.se/nettle/nettle/blob/master/ChangeLog

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

dhcpcd: Update to 7.2.3

For details see: Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
https://roy.marples.name/blog/dhcpcd-7-2-3-released

"Minor update with the following changes:

   OpenBSD: compiles again
   BSD: Check RTM lengths incase of kernel issues
   DHCP6: Don't stop even when last router goes away
   DHCP6: Fix inform from RA
   hostname: Fix short hostname check"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: use nic carrier instead of /var/ipfire/red/active

This speed boot with static settings and no link and
dhcp on intel nics if the mtu is changed by the dhcp lease
because the nic loose the carrier and restart the dhcp action
at mtu set.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

kernel: update to 4.14.131

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

linux: Fix rootfile to ship GeoIP modules

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

mc: Update to 4.8.23

For details see:
http://midnight-commander.org/wiki/NEWS-4.8.23

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

intel-microcode: update to 20190618

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next

kernel: 4.14.129

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

finish core134

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Update contributors

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core134: Ship updated firewall initscript

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core134: Ship updated bind

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

bind: Update to 9.11.8

For Details see:
https://downloads.isc.org/isc/bind9/9.11.8/RELEASE-NOTES-bind-9.11.8.html

"Security Fixes
    A race condition could trigger an assertion failure when a large number
    of incoming packets were being rejected.
    This flaw is disclosed in CVE-2019-6471. [GL #942]"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

BUG12015: Redirecting to Captive portal does not work after IPFire restart

When the Captive portal is enabled, the needed firewall rules are applied. But when restarting IPFire,
the rules are not applied because there is no call to do so.
Added call to captivectrl in the initscrip 'firewall'.

Fixes: #12015
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core134: ship core133 late fixes again

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Merge remote-tracking branch 'origin/master' into next

kernel: remove RPi DMA allignment revert

TODO: test if RPi works without now or if we need to
revert more of the allignment patches.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Kernel: update to 4.14.128

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core134: Ship updated vim

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Remove old vim 7.4 data

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

vim: Update to 8.1

Please note:
If this gets merged, the update process must deal with the otherwise remaining
files in '/usr/share/vim74' (~16 MB).

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Update French translation

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core134: add kernel to updater

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next

kernel: update to 4.14.127

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

linux-pae: fix grub.conf creation on pv machines

on some systems it seems that grub2 and it config also exist.

core134: Ship changed general-functions.pl

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>