rename core99 to core100 for inserting another OpenSSL Security update

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core99: Ship updated xz

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

bison: update to 3.0.4

Update bison to the last version from Linux from Scratch.

Signed-off-by: Marcel Lorenz <marcel.lorenz@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

xz: update to 5.2.2

Update xz to last version from Linux from Scratch.

Signed-off-by: Marcel Lorenz <marcel.lorenz@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

m4: update to 1.4.17

Update m4 to last version from Linux from Scratch.

Signed-off-by: Marcel Lorenz <marcel.lorenz@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: Update source upload URL

There is no longer a SSH service on source.ipfire.org.

The usual login on git.ipfire.org should be used instead.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

flash-images: change root uuid replacer sed

i cannot really test this on my systems.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

flash-image: set RAMDISK_MODE=2

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

init-functions: enable autoramdisk with 400MB

The 512MB raspberry pi reserve some memory for buffers and gpu
so there are a bit less than 490 MB free.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

flash-image: fix root uuid on some build machines.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

kernel: update to 3.14.61

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Merge remote-tracking branch 'origin/master' into next

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Conflicts:
make.sh

glibc: disable patches that break build on arm.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core98: new update with glibc security fixes.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

glibc: new RHEL6 patches / fix CVE-2015-7547 and more

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

rename core98 to 99 for glibc security update

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

squid 3.4.14: Bugfix for #4431 (C code is not compiled with CFLAGS)

For details see: http://bugs.squid-cache.org/show_bug.cgi?id=4431

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

backports: remove all old media modules.

more modules are renamed or merged into other modules.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

dracut: remove marvell sdio modules from initrd.

this allows to switch to uap module on dreamplug.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core98: Ship changed /etc/ppp/ip-up

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

New IP-address of 'ping.ipfire.org'

Telekom gateways (e.g.) don't answer 'pings', therefor '/etc/ppp/ip-up'
uses 'ping.ipfire.org' for the 'gateway Graph' in 'Status / Network (other'.
After moving the infrastructure, several IP addresses were changed.
'178.63.73.246' doesn't work anymore for 'ping.ipfire.org', its now '81.3.27.38'.

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core98: Ship recently updated grep and sed

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

grep: Update to 2.22

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

sed: Update to 4.2.2

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

kernel: disable grsecurity KSTACKOVERFLOW.

this is the reason for crashes usb lan dongles and media devices.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

firewall: Fix MAC filter

Packets destined for the firewall coming in from the blue
device where accepted too early to be processed by the
firewall input chain rules.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

wirelessctrl: Remove some unused code

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

dhcpcd: rework mtu handling on buggy nic's

some nic's loose the carrier after setting new mtu.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core98: Ship updated tzdata

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

tzdata: Update to 2016a

Fixes https://bugzilla.ipfire.org/show_bug.cgi?id=11034

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

kernel: update to 3.14.60

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

set core to 98 and move 97 to oldcore

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core97: remove some core98 files from update filelist.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

finish core97

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

openssl: security update to 1.0.2f

changes:
* DH small subgroups - CVE-2016-0701
* SSLv2 doesn't block disabled ciphers - CVE-2015-3197
* Reject DH handshakes with parameters shorter than 1024 bits

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

finish core97

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

openssl: security update to 1.0.2f

changes:
* DH small subgroups - CVE-2016-0701
* SSLv2 doesn't block disabled ciphers - CVE-2015-3197
* Reject DH handshakes with parameters shorter than 1024 bits

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

hwdate: update databases

pci.ids: 2016.01.28
usb.ids: 2015.12.17

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core97: prepare new core97 with openssl and openssh update.

the update itself has to be done...

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

vdr_eepg: fix source download.

the external server has changed the compression so the md5 has changed.
Always use the IPFire server as primary download source.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

openssh: Update to 7.1p2

Fixes CVE-2016-0777

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hwdate: update databases

pci.ids: 2016.01.28
usb.ids: 2015.12.17

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core97: prepare new core97 with openssl and openssh update.

the update itself has to be done...

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

rename core97 to 98 because we have to insert OpenSSL security update

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

backports: update to 4.2.6

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

rsync: update to 3.1.2

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

kernel: update to 3.14.59

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core96: don't overwrite grub defaults.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

squid: Actually make --with-filedescriptors work

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core97: Ship updated CGI files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Merge remote-tracking branch 'meitelwein/web-gui-ipv6' into next

Merge remote-tracking branch 'origin/master' into next

cmake: Disable parallelism

Building cmake uses a high amount of memory (>2G) and
fails to build on my system. Using less processes reduces
memory usage and lets the build succeed.

Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Update translations

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core97: Ship iptables conntrack changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Merge remote-tracking branch 'ms/iptables-conntrack' into next

Merge branch 'hyper-v-fixes' into next

toolchain: fix build on hosts that not support strong stackprotect

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core97: Ship updated webaccess.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

webaccess.cgi: Fixed language settings.

Fix for #10879. Added also use strict.

Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Improve hardening by using -fstack-protector-strong

This functionality is now available for us since we updated
to GCC 4.9 and just improves the stack smashing protector
in GCC.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

nano: Update to 2.5.1

Excerpt form 'NEWS':
"It includes fixes for a syntax-highlighting bug and a positionlog bug,
it disables a time-eating multiline regex in the C syntax,
and it adds an escape hatch to the WriteOut menu when
--tempfile is used: the discardbuffer command, ^Q.  It
also has translation updates for fifteen languages, and
a small fix in the softwrap code."

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core97: Ship updated openssh

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

openssh: Update to 7.1p2

Fixes CVE-2016-0777

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

toolchain: bump version number

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

gcc: remove gdb python files also in root build.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

toolchain: move *.py remove to correct pass.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

toolchain: enable bootstrap and remove *.py files from lib.

only with bootstrap the gcc pass2 build works on arm.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

kernel: disable RANDSTRUCT

RANDSRUCT is incompatible with ccache build.

fixes #10905
fixes #11012

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core97: Ship updated ntp

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ntp 4.2.8p5: removed obsolete patch file

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ntp: Update to 4.2.8p5

"...addresses 1 medium-severity security issue, 14 bugfixes,
and contains other improvements over 4.2.8p4."

For a complete list, see:
http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

grub: Disable hardening for grub-script-check

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ccache: Include hash of compiler specs in hashing

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

No code changes, fixed formatting by replacing spaces with tabs

Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

timectrl: Stop ntp daemon when disabled

Fixes #11000

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Fixed detection of firewall chain when bridge is used for ipv6

Signed-off-by: Michael Eitelwein <michael@eitelwein.net>

Firewall chain was not extracted correctly when ipv6 uses bridge

Signed-off-by: Michael Eitelwein <michael@eitelwein.net>

toolchain: fix full toolchain crossbuild

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

binutils: update to 2.24

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Fix regex to extract firewall chain for ipv6 in showrequestfrom*.dat

If bridged ipv6 is used, $iface is taken from PHYSIN
In the log line the order of fields is "... IN=XY OUT=XY PHYSIN=XY ..."

Signed-off-by: Michael Eitelwein <michael@eitelwein.net>

Enable correct display of ipv6 entries in Firewall log pages of web UI.

3 main changes:
 - Fill $iface and $out from PHYSIN and PHYSOUT when looking at bridged packets, othwerwise fill from IN and OUT
 - Recognize ipv4 and ipv6 address style for $srcaddr and $dstaddr
 - Match color coding of tables to pie charts (see seperate patch sent earlier)

I am using the bridged ipv6 setup as proposed in the wiki. I do not think this breaks anything when not using ipv6. So it would be nice to include this even if ipv6 is not officially supported yet. It is quite useful when using the ipv6 setup.

Signed-off-by: Michael Eitelwein <michael@eitelwein.net>
---

owncloud: updated to version 7.0.11

Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

dnsdist: Don't build on ARM

There seem to be some serious C++ issues in this so that
it won't build on ARM.

At the moment I do not have any resources to look further
into this, so I just disable building this package for
all ARM architectures.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

QoS: Improve saving enabled/disable state

It was reported that the QoS did not stop when
the user clicked the "stop" button. This patch
fixes that.

Fixes #10664

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>

qosctrl: Cleanup code by replacing hardcoded paths

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core97: Ship updated openvpn package

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

openvpn: Update to version 2.3.7, added --verify-x509-name directive.

The tls-remote directive is deprecated and will be removed with
OpenVPN version 2.4 . Added instead --verify-x509-name HOST name
into ovpnmain.cgi.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

bind: Update to 9.10.3-P2

Changelog:

[security]
Update allowed OpenSSL versions as named is potentially
vulnerable to CVE-2015-3193.

[maint]
H.ROOT-SERVERS.NET is 198.97.190.53 and 2001:500:1::53. [RT #40556]

[security]
Insufficient testing when parsing a message allowed
records with an incorrect class to be be accepted,
triggering a REQUIRE failure when those records
were subsequently cached. (CVE-2015-8000) [RT #40987]

[security]
Address fetch context reference count handling error
on socket error. (CVE-2015-8461) [RT#40945]

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core97: Ship dnsmasq

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

dnsmasq 2.75: latest patches from upstream

Same procedure as... :-)

Best to all for xmas and 2016!

Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core97: Ship pgrep with the updater

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ncurses: rootfile update.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

dnsdist: rootfile update.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

diffutils: rootfile update.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

gcc: include libstdc++ to rootfile

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>