Matthias Fischer [Thu, 24 Dec 2020 00:09:04 +0000 (01:09 +0100)]
Update (and cosmetic fixes) for 'pakfire.cgi': Added GUI entry for existing, but unused translation string
While preparing the Core153 update, I found by chance that a language string had been added from
Core152 to Core153 which I couldn't find in any CGI-file.
The translation suggested that this string ('Available Updates') could belong to 'pakfire.cgi'.
And I thought that on the pakfire GUI something was actually missing: the heading above the
box listing the 'Available Updates'. Don't know why I didn't saw this before.
So tried to add these missing heading. I hope I made it right...
Some cosmetic fixes:
I also added some space around the text for 'Available Addons' and 'Installed Addons'
because the text lines weren't separated. There is no seen wordwrapping. This required deleting
some unwanted '<br />' in the affected translation strings.
I tried this about 4 years ago, but somehow this patch got lost.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Thu, 24 Dec 2020 10:56:13 +0000 (11:56 +0100)]
country.cgi: Cosmetic fix for 'Back'-button'
While testing Peter's patch for Bug #12560 I noticed that the standard 'back'-button
at the end of the page - like in 'ipinfo.cgi' - was implemented as a text string.
I just took the code segment with the 'back'-*image* from 'ipinfo.cgi' to make this
link looking similar to the other pages.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Wed, 23 Dec 2020 14:03:32 +0000 (15:03 +0100)]
libloc: update to 0.9.5 and backport fix for #12554
This patch updates libloc to 0.9.5, deletes the upstream patchset from
version 0.9.4, and includes a latest upstream patch to backport a fix
for #12554.
Cc: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Tue, 22 Dec 2020 16:01:25 +0000 (17:01 +0100)]
remote.cgi: cosmetic changes
- Swap colour generation to improve readability in case of no active SSH logins
- Unify table layout
- Improve German "SSH host key" translation to avoid Deppenleerzeichen
This patch does not introduce functional changes.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Mon, 21 Dec 2020 21:25:34 +0000 (22:25 +0100)]
texinfo: update to 6.7
Full changelog as retrieved from https://git.savannah.gnu.org/cgit/texinfo.git/plain/NEWS:
6.7 (23 September 2019)
* Language:
. support of index subentries and sub-subentries with @subentry
. new commands @seeentry and @seealso in index entries
. no need to wrap Top node in @ifnottex - omitted automatically when
processed with TeX
. UTF-8 is the default input encoding
* texi2any
. for HTML output, mark index nodes in menus and tables of contents
with the 'rel' attribute of the 'a' tag.
. TOP_NODE_UP is now only used in HTML if TOP_NODE_UP_URL is set.
Also TOP_NODE_UP should now be formatted in the output format.
In HTML TOP_NODE_UP should be suitable for inclusion in HTML
element attributes, so for instance should not contain elements.
. support of noderename.cnf files has been removed
. INPUT_PERL_ENCODING, INPUT_ENCODING_NAME, NODE_FILE_EXTENSION,
NODE_FILENAMES, SHORTEXTN and TOP_NODE_FILE removed as customization
variables.
. TOP_NODE_FILE_TARGET now contains the extension.
. error messages translated when the XS parser module is in use
* texi2dvi
. unconditionally run in --batch mode, i.e. without stopping if there
is a TeX error
. keep on going after a TeX error if the index files changed
. with --tidy (or --build-dir), avoid reading index files from previous
runs where --tidy was not used
* info
. for a tree search (with M-/), '}' and '{' work as well as 'M-}' and
'M-{' to go through the results
Peter Müller [Mon, 21 Dec 2020 19:02:10 +0000 (20:02 +0100)]
ccache: update to 3.7.12
Please refer to https://ccache.dev/news.html#2020-10-01 for a list of
all release notes since version 3.4.1, it is unfortunately way too long
to be added here. :-]
Since ccache is not part of the distribution itself, no rootfile updates
were necessary.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 16 Dec 2020 12:33:22 +0000 (13:33 +0100)]
Fix for bug 10743
This adds in the option to have "deny known clients" in dhcpd.conf
This is applied to the range command so applies to the dynamic addresses
given.
If you have just a range statement say in blue then if you are not using
vlans you could have the situation where a known host in green might end
up getting a lease from the blue range. Here a deny known-clients makes
sense. Your range in this case would be limited to only unknown clients if
deny known-clients was selected.
dhcp WUI has been modified to add in this command. Error message has been
added to check that a range has been specified if the deny unknown clients
checkbox has been selected.
Language files updated with additional items (English, German & Dutch).
For more information on the history of this please see the bugzilla entry Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 21 Dec 2020 11:23:57 +0000 (12:23 +0100)]
dehydrated: Update to 0.7.0
- Update dehydrated from 0.6.5 to 0.7.0
- No changes to the rootfiles
- This update patch also addresses bug #12425
The changes from the interim patch mentioned in bug #12425 are included into this update
- Changes for all releases can be found at https://github.com/dehydrated-io/dehydrated/releases
- Changes for this version update
Added
Support for external account bindings
Special support for ZeroSSL
Support presets for some CAs instead of requiring URLs
Allow requesting preferred chain (--preferred-chain)
Added method to show CAs current terms of service (--display-terms)
Allow setting path to domains.txt using cli arguments (--domains-txt)
Added new cli command --cleanupdelete which deletes old files instead of archiving them
Fixed
No more silent failures on broken hook-scripts
Better error-handling with KEEP_GOING enabled
Check actual order status instead of assuming it's valid
Don't include keyAuthorization in challenge validation (RFC compliance)
Changed
Using EC secp384r1 as default certificate type
Use JSON.sh to parse JSON
Use account URL instead of account ID (RFC compliance)
Dehydrated now has a new home: https://github.com/dehydrated-io/dehydrated
Added OCSP_FETCH and OCSP_DAYS to per-certificate configurable options
Cleanup now also removes dangling symlinks
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 18 Dec 2020 21:07:16 +0000 (22:07 +0100)]
hplip: Update to 3.20.11
- Update from 3.18.6 to 3.20.11 (16 updates)
- See Release notes for bug fixes and support for additional printers
https://sourceforge.net/p/hplip/news/
- Update of rootfile :-)
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 17 Dec 2020 20:01:59 +0000 (21:01 +0100)]
bird: Update to 2.0.7
Update bird from 2.0.6 to 2.0.7
Changes from changelog
- BGP: Fix reconfiguration with import table
*Change of some options requires route refresh, but when import table is
active, channel reload is done from it instead of doing full route
refresh. So in this case we request it internally.
- Doc: Minor documentation fixes
- Nest: Handle non-MPLS on MPLS case in recursive route update
*When non-MPLS recursive route resolves to MPLS underlying route,
then it should get MPLS labels from the the underlying route.
- Nest: Handle PtP links in recursive route update
*Underlying (IGP) route may lead to PtP link, in this case it does not
need gateway. Which is different than direct route without gateway.
*When recursive (BGP) route uses PtP route, it should not use recursive
next hop as immediate next hop, while for direct routes it should.
- Nest: Fix recursive route update
*Missing cleanup can lead to dangling pointer to old next hops.
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 17 Dec 2020 16:13:28 +0000 (17:13 +0100)]
htop: Update to 3.0.3
Update htop from 3.0.2 to 3.0.3
See the Change Log for details of changes
https://github[.]com/htop-dev/htop/blob/master/ChangeLog Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 16 Dec 2020 18:28:05 +0000 (19:28 +0100)]
sqlite: Update to 3.34.0
-Update sqlite from 3.26.0 to 3.34.0
See https://sqlite[.]org/chronology[.]html for history between
these releases.
-Have reviewed all release notes between these two releases and there
are no deprecations.
-No change to rootfile. Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
ummeegge [Sun, 6 Dec 2020 10:08:59 +0000 (10:08 +0000)]
Pam: Update to version 1.5.1
Several fixes and improvements since the current available 1.3.1 version are included.
CVE-2020-27780 has also been fixed.
For a full release overview --> https://github.com/linux-pam/linux-pam/releases .
Signed-off-by: ummeegge <erik.kapfer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 7 Dec 2020 14:01:36 +0000 (15:01 +0100)]
Fix for bug 12539
The installer recognises cups and cups-filters both as cups and puts
two instances of cups in the add-on services table.
Based on input from Michael Tremer this patch replaces the command
returning the second element between hyphens with one that takes
what comes after "meta-" using Perl code rather than a shell command.
The second find command was changed as per Michael's suggestion.
Tested in my ipfire test bed system and only results in one cups
entry. Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
ummeegge [Sun, 6 Dec 2020 15:03:45 +0000 (15:03 +0000)]
tshark: Update to version 3.4.0
- Since tshark uses since 3.4.0 an always enabled asynchronous DNS
resolution, c-ares is a needed dependency.
- Since the current actual version 3.2.6 a lot of bug fixes, fixed
vulnerabilities, updated features, new protocols but also updated
protocols has been integrated.
A full overview of all changes can be found in here -->
Update to version 3.2.7:
https://www.wireshark.org/docs/relnotes/wireshark-3.2.7.html
Update to version 3.2.8:
https://www.wireshark.org/docs/relnotes/wireshark-3.2.8.html
Update to version 3.4.0
https://www.wireshark.org/docs/relnotes/wireshark-3.4.0.html
Signed-off-by: ummeegge <erik.kapfer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
ummeegge [Sun, 6 Dec 2020 15:03:44 +0000 (15:03 +0000)]
c-ares: New package. Needed as tshark Dependency
- Since tshark uses with version 3.4.0 an always enabled asynchronous DNS
resolution c-ares is a needed dependency.
- Since curl can also use c-ares --> https://c-ares.haxx.se/ it has been
placed in make.sh before curl even no compiletime options has been set
to enable this. c-ares has also been placed in packages and not in common
which would be needed if it should be used for curl too.
Signed-off-by: ummeegge <erik.kapfer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 5 Dec 2020 14:51:11 +0000 (15:51 +0100)]
bacula: Update to use IPFire initscript
Bacula install used the bacula initscript for starting and stopping bacula.
This works fine but results in no pid or memory input in the addons table
under services.
Using the IPFire initscript also successfully starts and stops bacula with
no problems but also provides the pid and memory information in the services
addons table.
- rootfiles adjusted to remove the reference to bacula-ctl-fd
- lfs/bacula adjusted to remove the init.d/bacula link generation
remove the "rm -f /root/.rnd" command. This file is not present
and I have not seen this command in any other lfs file that I
have looked at.
- new bacula initscript created
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The X.509 GeneralName type is a generic type for representing different types
of names. One of those name types is known as EDIPartyName. OpenSSL provides a
function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME
to see if they are equal or not. This function behaves incorrectly when both
GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash
may occur leading to a possible denial of service attack.
OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes:
1) Comparing CRL distribution point names between an available CRL and a CRL
distribution point embedded in an X509 certificate
2) When verifying that a timestamp response token signer matches the timestamp
authority name (exposed via the API functions TS_RESP_verify_response and
TS_RESP_verify_token)
If an attacker can control both items being compared then that attacker could
trigger a crash. For example if the attacker can trick a client or server into
checking a malicious certificate against a malicious CRL then this may occur.
Note that some applications automatically download CRLs based on a URL embedded
in a certificate. This checking happens prior to the signatures on the
certificate and CRL being verified. OpenSSL's s_server, s_client and verify
tools have support for the "-crl_download" option which implements automatic
CRL downloading and this attack has been demonstrated to work against those
tools.
Note that an unrelated bug means that affected versions of OpenSSL cannot parse
or construct correct encodings of EDIPARTYNAME. However it is possible to
construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence
trigger this attack.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Wed, 2 Dec 2020 14:04:08 +0000 (15:04 +0100)]
location-functions.pl: Remove accidently keept 2nd DB init call.
The get_full_country_name() function had an accidenlty and not longer
required call of the DB init function.
This is a waste of memory and a known problem, especially on systems
with less than 1GB of RAM, where the application which uses libloc in
such a redundant way crashes.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Wed, 25 Nov 2020 22:26:03 +0000 (22:26 +0000)]
OpenVPN: Update to version 2.5.0
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org> Tested-by: Adolf Belka <ahb.ipfire@gmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This improves the usability of the zone configuration by marking assigned
NICs in the zone color. The highlighting is initially applied to the static
HTML output, and JavaScript is used to follow changes made by the user.
Signed-off-by: Leo-Andres Hofmann <hofmann@leo-andres.de> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
zoneconf.cgi: Make output HTML 5 standard compliant
This fixes two minor violations of the HTML standard:
- <a> elements may not contain nested <button> elements:
Replace the button with a simple hyperlink, because it was only used as a link anyway.
- "id" attributes may not contain whitespace:
Remove unneeded attribute, use hyphens instead of spaces.
Signed-off-by: Leo-Andres Hofmann <hofmann@leo-andres.de> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 20 Oct 2020 13:28:25 +0000 (13:28 +0000)]
openvpn: Actually apply configured parameters
OpenVPN is an absolute mess. The behaviour of configuration
parameters has been changed over the time; default values have been
changed over time; and it looks like nobody is actually testing
anything any more.
I have been spending hours today on figuring out why OpenVPN
is so damn slow. On a Lightning Wire Labs IPFire Mini Appliance
it achieves about 100 MBit/s in the default configuration when
"openssl speed -evp aes-256-gcm" achieves over 3.5 GBit/s.
Changing any of the cryptography parameters does not change
anything. Throughput remains around 100 MBit/s.
I finally set "cipher none" and "auth none" which disables
encryption and authentication altogether but does not increase
throughput. From here on it was absolutely clear that it was
not a crypto issue.
OpenVPN tries to be smart here and does its own fragmentation.
This is the worst idea I have heard of all day, because that job
is normally done best by the OS.
Various settings which allow the user to "tune" this are grossly
ineffective - let alone it isn't even clear what I am supposed
to configure anywhere. Setting "fragment 1500" weirdly still
does not convince openvpn to generate a packet that is longer
than 1400 bytes. Who'd a thunk?
There is a number of other parameters to set the MTU or which
are related to it (tun-mtu, link-mtu, fragment, mssfix).
On top of all of this we have two "bugs" in ovpnmain.cgi which
are being fixed in this patch:
1) mssfix can be configured by the user. However, we always
enable it in openvpn. The default is on, we only add "mssfix"
which simply turns it on.
It is now being disabled when the user has chosen so in the
web UI. I do not know if this is backwards-compatible.
2) We cap the MTU (tun-mtu) at 1500 bytes when fragment is being
used. So it becomes pointless that the user can this and the
user is not being made aware of this when they hit the save
button.
This was added when we added path MTU discovery. Since that
did not work and was removed, we can remove this now, too.
I archived a solid 500-600 MBit/s of goodput with these settings:
* Disable mssfix
* Set "fragment" to 0
* Set MTU to 9000
I am sure the MTU could be further increased to have bigger packets,
but I did not test how badly this will affect latency of the tunnel.
OpenVPN seems to only be able to handle a certain amount of packets
a second - no matter what. With larger packets, the throughput of
the tunnel increases, but latency might as well.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Cc: Erik Kapfer <erik.kapfer@ipfire.org> Cc: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
projects / ipfire-2.x.git / log
