6 years agovpn-stats: Use more descriptive menu entry names
Michael Tremer [Tue, 14 Apr 2015 18:05:32 +0000 (20:05 +0200)] 
vpn-stats: Use more descriptive menu entry names

6 years agovpn-statistic: add URI::escape for openvpn names with special chars
Alexander Marx [Mon, 13 Apr 2015 14:26:48 +0000 (16:26 +0200)] 
vpn-statistic: add URI::escape for openvpn names with special chars

6 years agovpn-statistic: add collectd parameters to imported n2n packages
Alexander Marx [Tue, 14 Apr 2015 09:53:28 +0000 (11:53 +0200)] 
vpn-statistic: add collectd parameters to imported n2n packages

6 years agovpn-statistic: update old n2n configs in update.sh
Alexander Marx [Mon, 13 Apr 2015 13:03:17 +0000 (15:03 +0200)] 
vpn-statistic: update old n2n configs in update.sh

6 years agocollectd: Ignore any errors if openvpn status files are missing
Michael Tremer [Mon, 13 Apr 2015 13:45:52 +0000 (15:45 +0200)] 
collectd: Ignore any errors if openvpn status files are missing

6 years agocore89: Move converter to the end because collectd should be restarted at last
Michael Tremer [Mon, 13 Apr 2015 09:39:08 +0000 (11:39 +0200)] 
core89: Move converter to the end because collectd should be restarted at last

6 years agovpn-stats: Show daily graph as *all* other graphs do, too
Michael Tremer [Mon, 13 Apr 2015 08:57:09 +0000 (10:57 +0200)] 
vpn-stats: Show daily graph as *all* other graphs do, too

6 years agocore89: Fix permissions of /var/ipfire/dns
Michael Tremer [Mon, 13 Apr 2015 08:49:14 +0000 (10:49 +0200)] 
core89: Fix permissions of /var/ipfire/dns

6 years agocore89: Create temporary files in update to avoid reboot
Michael Tremer [Mon, 13 Apr 2015 08:24:44 +0000 (10:24 +0200)] 
core89: Create temporary files in update to avoid reboot

6 years agocollectd: Ignore errors from OpenVPN configuration file
Michael Tremer [Sun, 12 Apr 2015 20:44:50 +0000 (22:44 +0200)] 
collectd: Ignore errors from OpenVPN configuration file

6 years agoovpnmain.cgi: Remove DDEVICE setting
Michael Tremer [Sun, 12 Apr 2015 20:33:41 +0000 (22:33 +0200)] 
ovpnmain.cgi: Remove DDEVICE setting

This was used to select a TUN or TAP device from which TAP
was never supported anyway.

6 years agocore89: Fix permissions of collectd.vpn after update
Michael Tremer [Sun, 12 Apr 2015 20:33:16 +0000 (22:33 +0200)] 
core89: Fix permissions of collectd.vpn after update

6 years agocore89: Do not add collectd include multiple times
Michael Tremer [Sun, 12 Apr 2015 20:28:42 +0000 (22:28 +0200)] 
core89: Do not add collectd include multiple times

6 years agovpn-statistic: fix removal of rw rrd-data
Alexander Marx [Sat, 11 Apr 2015 05:12:32 +0000 (07:12 +0200)] 
vpn-statistic: fix removal of rw rrd-data

Due to a missing slash the rrd data of a deleted rrd-connection was not

6 years agovpn-statistic: move collectd converter to the right place
Alexander Marx [Sat, 11 Apr 2015 03:34:34 +0000 (05:34 +0200)] 
vpn-statistic: move collectd converter to the right place

Build of cdrom will fail if the converter script is not moved to the
right place

6 years agovpn-statistic: fix alignment of graph legend for n2n graphs
Alexander Marx [Fri, 10 Apr 2015 13:47:10 +0000 (15:47 +0200)] 
vpn-statistic: fix alignment of graph legend for n2n graphs

6 years agoopenvpn: Stop N2N connections before they are removed
Michael Tremer [Fri, 10 Apr 2015 11:32:48 +0000 (13:32 +0200)] 
openvpn: Stop N2N connections before they are removed

6 years agoopenvpn: Move remving files in /var/run to openvpnctrl
Michael Tremer [Fri, 10 Apr 2015 11:27:32 +0000 (13:27 +0200)] 
openvpn: Move remving files in /var/run to openvpnctrl

6 years agocore89: Update OpenVPN configuration during the update
Alexander Marx [Fri, 10 Apr 2015 11:16:33 +0000 (13:16 +0200)] 
core89: Update OpenVPN configuration during the update

6 years agoovpnmain.cgi: Remove duplicate code to remove a connection
Alexander Marx [Fri, 10 Apr 2015 11:13:02 +0000 (13:13 +0200)] 
ovpnmain.cgi: Remove duplicate code to remove a connection

6 years agoovpnmain.cgi: Fix indentation and code cleanup
Alexander Marx [Fri, 10 Apr 2015 11:12:14 +0000 (13:12 +0200)] 
ovpnmain.cgi: Fix indentation and code cleanup

No functional change

6 years agosetup: Has been moved to /usr/sbin
Michael Tremer [Thu, 9 Apr 2015 15:56:47 +0000 (17:56 +0200)] 
setup: Has been moved to /usr/sbin

The setup program has been moved from /usr/local/sbin/setup
to /usr/sbin/setup to comply better with FHS. The old copy
was left in the file system on updated systems and was
preferred when called from the shell which is not intended.

The old file is now removed and to make sure every system
has got the new file it is shipped once again.

6 years agovpn-statistic: change title of ovpn n2n site
Alexander Marx [Wed, 8 Apr 2015 17:53:17 +0000 (19:53 +0200)] 
vpn-statistic: change title of ovpn n2n site

additionally print errormessages to /dev/null when no rrd data is found

6 years agoopenvpn: Remove stat files when connections are removed
Michael Tremer [Thu, 9 Apr 2015 15:18:44 +0000 (17:18 +0200)] 
openvpn: Remove stat files when connections are removed

6 years agoopenvpn: Remove RRDs when removing all connections at once
Michael Tremer [Thu, 9 Apr 2015 15:11:16 +0000 (17:11 +0200)] 
openvpn: Remove RRDs when removing all connections at once

6 years agoopenvpn: Update collectd configuration when connections are started/stopped
Alexander Marx [Thu, 9 Apr 2015 14:44:07 +0000 (16:44 +0200)] 
openvpn: Update collectd configuration when connections are started/stopped

6 years agoopenvpn: Properly remove all RRDs after a connection is removed
Michael Tremer [Thu, 9 Apr 2015 14:32:39 +0000 (16:32 +0200)] 
openvpn: Properly remove all RRDs after a connection is removed

6 years agovpn-statistic: move collectd.vpn to /var/ipfire/ovpn/
Alexander Marx [Wed, 8 Apr 2015 17:20:13 +0000 (19:20 +0200)] 
vpn-statistic: move collectd.vpn to /var/ipfire/ovpn/

collectd.vpn needs to be within /var/ipfire/ovpn so that the
ovpnmain.cgi is able to write the status files from the n2n connections
to the file.

6 years agovpn-statistic: create collectd wrapper to restart collectd when first vpn was created
Alexander Marx [Tue, 7 Apr 2015 13:35:31 +0000 (15:35 +0200)] 
vpn-statistic: create collectd wrapper to restart collectd when first vpn was created

This wrapper is only used, when the first openvpn RW is created. Then
the collectd has to be restarted to get the vpn Data and create rrd Data

6 years agovpn-statistic: change title of ovpn RW statistic page
Alexander Marx [Wed, 8 Apr 2015 17:50:56 +0000 (19:50 +0200)] 
vpn-statistic: change title of ovpn RW statistic page

additionally print errors to /dev/null if no rrd data is found

6 years agovpn-statistic: added title for graph sites
Alexander Marx [Wed, 8 Apr 2015 17:47:51 +0000 (19:47 +0200)] 
vpn-statistic: added title for graph sites

6 years agoBUG10790: create dummy ovpnserver.log in /var/run
Alexander Marx [Tue, 7 Apr 2015 13:22:46 +0000 (15:22 +0200)] 
BUG10790: create dummy ovpnserver.log in /var/run

6 years agodnsmasq: fix initskript
Arne Fitzenreiter [Tue, 31 Mar 2015 08:09:46 +0000 (10:09 +0200)] 
dnsmasq: fix initskript

-add timestamp filename
-pull user config after define default parameter

6 years agohaproxy: Provide a better example configuration that works
Michael Tremer [Sat, 4 Apr 2015 12:38:38 +0000 (14:38 +0200)] 
haproxy: Provide a better example configuration that works

6 years agodnsmasq: Import latest patches from upstream
Michael Tremer [Sat, 4 Apr 2015 13:23:17 +0000 (15:23 +0200)] 
dnsmasq: Import latest patches from upstream

6 years agocollectd: Fix typo in "derive"
Michael Tremer [Thu, 9 Apr 2015 12:33:54 +0000 (14:33 +0200)] 
collectd: Fix typo in "derive"

6 years agocore89: Add openvpnctrl to updater
Michael Tremer [Tue, 7 Apr 2015 18:52:34 +0000 (20:52 +0200)] 
core89: Add openvpnctrl to updater

6 years agomont addon: added missing dir /var/lib/monit to distribution
Dirk Wagner [Sun, 22 Mar 2015 21:33:30 +0000 (22:33 +0100)] 
mont addon: added missing dir /var/lib/monit to distribution


6 years agotar: fix toolchain build
Arne Fitzenreiter [Sun, 29 Mar 2015 11:35:16 +0000 (13:35 +0200)] 
tar: fix toolchain build

6 years agoset version to IPFire-2.17 core89
Arne Fitzenreiter [Fri, 20 Mar 2015 10:20:45 +0000 (11:20 +0100)] 
set version to IPFire-2.17 core89

6 years agoopenssl: Fix soname version of build
Arne Fitzenreiter [Thu, 19 Mar 2015 18:16:33 +0000 (19:16 +0100)] 
openssl: Fix soname version of build

6 years agoopenssl: Rebase "disable SSLv2, SSLv3" patch
Michael Tremer [Thu, 19 Mar 2015 15:04:35 +0000 (16:04 +0100)] 
openssl: Rebase "disable SSLv2, SSLv3" patch

6 years agoopenssl: Remove "fix parallel build" patch
Michael Tremer [Thu, 19 Mar 2015 15:03:58 +0000 (16:03 +0100)] 
openssl: Remove "fix parallel build" patch

6 years agoopenssl: Update weak-ciphers and build patches
Michael Tremer [Thu, 19 Mar 2015 14:54:43 +0000 (15:54 +0100)] 
openssl: Update weak-ciphers and build patches

6 years agoopenssl: Remove support for cryptodev
Michael Tremer [Thu, 19 Mar 2015 14:47:13 +0000 (15:47 +0100)] 
openssl: Remove support for cryptodev

The patches won't apply any more and there does not seem
support from upstream for the latest versions of OpenSSL

6 years agoopenssl: Update to version 1.0.1m and 0.9.8zf
Michael Tremer [Thu, 19 Mar 2015 14:13:07 +0000 (15:13 +0100)] 
openssl: Update to version 1.0.1m and 0.9.8zf


OpenSSL Security Advisory [19 Mar 2015]

OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)

Severity: High

If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
invalid signature algorithms extension a NULL pointer dereference will occur.
This can be exploited in a DoS attack against the server.

This issue affects OpenSSL version: 1.0.2

OpenSSL 1.0.2 users should upgrade to 1.0.2a.

This issue was was reported to OpenSSL on 26th February 2015 by David Ramos
of Stanford University. The fix was developed by Stephen Henson and Matt
Caswell of the OpenSSL development team.

Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)

Severity: High

This security issue was previously announced by the OpenSSL project and
classified as "low" severity. This severity rating has now been changed to

This was classified low because it was originally thought that server RSA
export ciphersuite support was rare: a client was only vulnerable to a MITM
attack against a server which supports an RSA export ciphersuite. Recent
studies have shown that RSA export ciphersuites support is far more common.

This issue affects OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.

This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan
Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen
Henson of the OpenSSL core team. It was previously announced in the OpenSSL
security advisory on 8th January 2015.

Multiblock corrupted pointer (CVE-2015-0290)

Severity: Moderate

OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This feature
only applies on 64 bit x86 architecture platforms that support AES NI
instructions. A defect in the implementation of "multiblock" can cause OpenSSL's
internal write buffer to become incorrectly set to NULL when using non-blocking
IO. Typically, when the user application is using a socket BIO for writing, this
will only result in a failed connection. However if some other BIO is used then
it is likely that a segmentation fault will be triggered, thus enabling a
potential DoS attack.

This issue affects OpenSSL version: 1.0.2

OpenSSL 1.0.2 users should upgrade to 1.0.2a.

This issue was reported to OpenSSL on 13th February 2015 by Daniel Danner and
Rainer Mueller. The fix was developed by Matt Caswell of the OpenSSL development

Segmentation fault in DTLSv1_listen (CVE-2015-0207)

Severity: Moderate

The DTLSv1_listen function is intended to be stateless and processes the initial
ClientHello from many peers. It is common for user code to loop over the call to
DTLSv1_listen until a valid ClientHello is received with an associated cookie. A
defect in the implementation of DTLSv1_listen means that state is preserved in
the SSL object from one invocation to the next that can lead to a segmentation
fault. Errors processing the initial ClientHello can trigger this scenario. An
example of such an error could be that a DTLS1.0 only client is attempting to
connect to a DTLS1.2 only server.

This issue affects OpenSSL version: 1.0.2

OpenSSL 1.0.2 DTLS users should upgrade to 1.0.2a.

This issue was reported to OpenSSL on 27th January 2015 by Per Allansson. The
fix was developed by Matt Caswell of the OpenSSL development team.

Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286)

Severity: Moderate

The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
certificate signature algorithm consistency this can be used to crash any
certificate verification operation and exploited in a DoS attack. Any
application which performs certificate verification is vulnerable including
OpenSSL clients and servers which enable client authentication.

This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2a
OpenSSL 1.0.1 users should upgrade to 1.0.1m.
OpenSSL 1.0.0 users should upgrade to 1.0.0r.
OpenSSL 0.9.8 users should upgrade to 0.9.8zf.

This issue was discovered and fixed by Stephen Henson of the OpenSSL
development team.

Segmentation fault for invalid PSS parameters (CVE-2015-0208)

Severity: Moderate

The signature verification routines will crash with a NULL pointer
dereference if presented with an ASN.1 signature using the RSA PSS
algorithm and invalid parameters. Since these routines are used to verify
certificate signature algorithms this can be used to crash any
certificate verification operation and exploited in a DoS attack. Any
application which performs certificate verification is vulnerable including
OpenSSL clients and servers which enable client authentication.

This issue affects OpenSSL version: 1.0.2

OpenSSL 1.0.2 users should upgrade to 1.0.2a

This issue was was reported to OpenSSL on 31st January 2015 by Brian Carpenter
and a fix developed by Stephen Henson of the OpenSSL development team.

ASN.1 structure reuse memory corruption (CVE-2015-0287)

Severity: Moderate

Reusing a structure in ASN.1 parsing may allow an attacker to cause
memory corruption via an invalid write. Such reuse is and has been
strongly discouraged and is believed to be rare.

Applications that parse structures containing CHOICE or ANY DEFINED BY
components may be affected. Certificate parsing (d2i_X509 and related
functions) are however not affected. OpenSSL clients and servers are
not affected.

This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0
and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2a
OpenSSL 1.0.1 users should upgrade to 1.0.1m.
OpenSSL 1.0.0 users should upgrade to 1.0.0r.
OpenSSL 0.9.8 users should upgrade to 0.9.8zf.

This issue was discovered by Emilia Käsper and a fix developed by
Stephen Henson of the OpenSSL development team.

PKCS7 NULL pointer dereferences (CVE-2015-0289)

Severity: Moderate

The PKCS#7 parsing code does not handle missing outer ContentInfo correctly.
An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
missing content and trigger a NULL pointer dereference on parsing.

Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
otherwise parse PKCS#7 structures from untrusted sources are
affected. OpenSSL clients and servers are not affected.

This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0
and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2a
OpenSSL 1.0.1 users should upgrade to 1.0.1m.
OpenSSL 1.0.0 users should upgrade to 1.0.0r.
OpenSSL 0.9.8 users should upgrade to 0.9.8zf.

This issue was reported to OpenSSL on February 16th 2015 by Michal
Zalewski (Google) and a fix developed by Emilia Käsper of the OpenSSL
development team.

Base64 decode (CVE-2015-0292)

Severity: Moderate

A vulnerability existed in previous versions of OpenSSL related to the
processing of base64 encoded data. Any code path that reads base64 data from an
untrusted source could be affected (such as the PEM processing routines).
Maliciously crafted base 64 data could trigger a segmenation fault or memory
corruption. This was addressed in previous versions of OpenSSL but has not been
included in any security advisory until now.

This issue affects OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.1 users should upgrade to 1.0.1h.
OpenSSL 1.0.0 users should upgrade to 1.0.0m.
OpenSSL 0.9.8 users should upgrade to 0.9.8za.

The fix for this issue can be identified by commits d0666f289a (1.0.1),
84fe686173 (1.0.0) and 9febee0272 (0.9.8). This issue was originally reported by
Robert Dugal and subsequently by David Ramos.

DoS via reachable assert in SSLv2 servers (CVE-2015-0293)

Severity: Moderate

A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
servers that both support SSLv2 and enable export cipher suites by sending
a specially crafted SSLv2 CLIENT-MASTER-KEY message.

This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0
and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2a
OpenSSL 1.0.1 users should upgrade to 1.0.1m.
OpenSSL 1.0.0 users should upgrade to 1.0.0r.
OpenSSL 0.9.8 users should upgrade to 0.9.8zf.

This issue was discovered by Sean Burford (Google) and Emilia Käsper
(OpenSSL development team) in March 2015 and the fix was developed by
Emilia Käsper.

Empty CKE with client auth and DHE (CVE-2015-1787)

Severity: Moderate

If client auth is used then a server can seg fault in the event of a DHE
ciphersuite being selected and a zero length ClientKeyExchange message being
sent by the client. This could be exploited in a DoS attack.

This issue affects OpenSSL version: 1.0.2

OpenSSL 1.0.2 users should upgrade to 1.0.2a.

This issue was discovered and the fix was developed by Matt Caswell of the
OpenSSL development team.

Handshake with unseeded PRNG (CVE-2015-0285)

Severity: Low

Under certain conditions an OpenSSL 1.0.2 client can complete a handshake with
an unseeded PRNG. The conditions are:
- The client is on a platform where the PRNG has not been seeded automatically,
and the user has not seeded manually
- A protocol specific client method version has been used (i.e. not
- A ciphersuite is used that does not require additional random data from the
PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA).

If the handshake succeeds then the client random that has been used will have
been generated from a PRNG with insufficient entropy and therefore the output
may be predictable.

For example using the following command with an unseeded openssl will succeed on
an unpatched platform:

openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA

This issue affects OpenSSL version: 1.0.2

OpenSSL 1.0.2 users should upgrade to 1.0.2a.

This issue was discovered and the fix was developed by Matt Caswell of the
OpenSSL development team.

Use After Free following d2i_ECPrivatekey error (CVE-2015-0209)

Severity: Low

A malformed EC private key file consumed via the d2i_ECPrivateKey function could
cause a use after free condition. This, in turn, could cause a double
free in several private key parsing functions (such as d2i_PrivateKey
or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
for applications that receive EC private keys from untrusted
sources. This scenario is considered rare.

This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2a
OpenSSL 1.0.1 users should upgrade to 1.0.1m.
OpenSSL 1.0.0 users should upgrade to 1.0.0r.
OpenSSL 0.9.8 users should upgrade to 0.9.8zf.

This issue was discovered by the BoringSSL project and fixed in their commit
517073cd4b. The OpenSSL fix was developed by Matt Caswell of the OpenSSL
development team.

X509_to_X509_REQ NULL pointer deref (CVE-2015-0288)

Severity: Low

The function X509_to_X509_REQ will crash with a NULL pointer dereference if
the certificate key is invalid. This function is rarely used in practice.

This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0
and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2a
OpenSSL 1.0.1 users should upgrade to 1.0.1m.
OpenSSL 1.0.0 users should upgrade to 1.0.0r.
OpenSSL 0.9.8 users should upgrade to 0.9.8zf.

This issue was discovered by Brian Carpenter and a fix developed by Stephen
Henson of the OpenSSL development team.


As per our previous announcements and our Release Strategy
(https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
releases will be provided after that date. Users of these releases are advised
to upgrade.


URL for this Security Advisory:

Note: the online version of the advisory may be updated with additional
details over time.

For details of OpenSSL severity classifications please see:

6 years agoopenssh: Update to version 6.8p1
Michael Tremer [Wed, 18 Mar 2015 14:51:37 +0000 (15:51 +0100)] 
openssh: Update to version 6.8p1

6 years agofireinfo: Forbid string "Serial"
Michael Tremer [Tue, 17 Mar 2015 21:23:13 +0000 (22:23 +0100)] 
fireinfo: Forbid string "Serial"

6 years agoprepare core88.
Arne Fitzenreiter [Tue, 17 Mar 2015 13:08:13 +0000 (14:08 +0100)] 
prepare core88.

6 years agocore89: stop/start ipsec, rewrite ddns config with new cgi.
Arne Fitzenreiter [Tue, 17 Mar 2015 13:03:31 +0000 (14:03 +0100)] 
core89: stop/start ipsec, rewrite ddns config with new cgi.

6 years agocore89: add changed packages to updater.
Arne Fitzenreiter [Tue, 17 Mar 2015 12:56:51 +0000 (13:56 +0100)] 
core89: add changed packages to updater.

6 years agocore89: remove all sqlite meta-data files.
Arne Fitzenreiter [Tue, 17 Mar 2015 12:54:19 +0000 (13:54 +0100)] 
core89: remove all sqlite meta-data files.

6 years agomove core88 to 89.
Arne Fitzenreiter [Tue, 17 Mar 2015 12:50:38 +0000 (13:50 +0100)] 
move core88 to 89.

6 years agocore88: Add collectd to updater
Michael Tremer [Thu, 12 Mar 2015 12:25:29 +0000 (13:25 +0100)] 
core88: Add collectd to updater

6 years agoopenssl-compat: Disable SSLv3 and SSLv2 as well
Michael Tremer [Thu, 12 Mar 2015 12:14:26 +0000 (13:14 +0100)] 
openssl-compat: Disable SSLv3 and SSLv2 as well

6 years agoAdd more missing files of Core Update 88
Michael Tremer [Thu, 12 Mar 2015 12:07:44 +0000 (13:07 +0100)] 
Add more missing files of Core Update 88

6 years agodnsmasq: Import more patches from upstream
Michael Tremer [Tue, 10 Mar 2015 15:21:58 +0000 (16:21 +0100)] 
dnsmasq: Import more patches from upstream

6 years agodnsmasq: Enable DNSSEC timestamp feature
Michael Tremer [Tue, 10 Mar 2015 15:22:09 +0000 (16:22 +0100)] 
dnsmasq: Enable DNSSEC timestamp feature

This disables DNSSEC until the system clock has been set correctly.
There is a circular dependency on working DNS and being able to
resolve DNS records in order to reach a time server. Systems without
a RTC or empty RTC battery will start up with time way in the past
in which all DNSSEC signatures are invalid.

6 years agocore88: Add ddns.cgi to updater
Michael Tremer [Thu, 12 Mar 2015 11:58:04 +0000 (12:58 +0100)] 
core88: Add ddns.cgi to updater

6 years agoddns.cgi: Add token handling for zzzz.io.
Stefan Schantl [Sun, 7 Sep 2014 13:44:19 +0000 (15:44 +0200)] 
ddns.cgi: Add token handling for zzzz.io.

6 years agoopenssl: Disable SSLv3 and SSLv2 by default
Michael Tremer [Thu, 12 Mar 2015 11:55:40 +0000 (12:55 +0100)] 
openssl: Disable SSLv3 and SSLv2 by default

This patch will disable SSLv3 and SSLv2 by default but leaves
the protocol compiled in into the library so that applications
can use it when they still need it (e.g. sslscan).

6 years agoRevert "openssl: Disable SSLv2 and SSLv3."
Michael Tremer [Thu, 12 Mar 2015 11:55:05 +0000 (12:55 +0100)] 
Revert "openssl: Disable SSLv2 and SSLv3."

This reverts commit 98a5192ef2f3cde9b9c6867f69f3a400f3c62ec5.

6 years agolang.pl: Always fall back to English
Michael Tremer [Mon, 9 Mar 2015 23:04:55 +0000 (00:04 +0100)] 
lang.pl: Always fall back to English

Fixes #10769

6 years agoset version to 2.17-core88.
Arne Fitzenreiter [Sat, 7 Mar 2015 09:18:50 +0000 (10:18 +0100)] 
set version to 2.17-core88.

6 years agoinitskripts: rootfile update.
Arne Fitzenreiter [Sat, 7 Mar 2015 09:17:17 +0000 (10:17 +0100)] 
initskripts: rootfile update.

6 years agobackup: make include file parsing more robust.
Arne Fitzenreiter [Fri, 6 Mar 2015 16:22:18 +0000 (17:22 +0100)] 
backup: make include file parsing more robust.

6 years agoinstaller+setup: Update translations
Michael Tremer [Thu, 5 Mar 2015 21:12:38 +0000 (22:12 +0100)] 
installer+setup: Update translations

6 years agoddns: Update to 007.
Stefan Schantl [Thu, 5 Mar 2015 18:37:47 +0000 (19:37 +0100)] 
ddns: Update to 007.

6 years agohaproxy: New package
Michael Tremer [Thu, 5 Mar 2015 13:48:16 +0000 (14:48 +0100)] 
haproxy: New package

6 years agoAccidentially disabled nmap build
Michael Tremer [Thu, 5 Mar 2015 12:44:50 +0000 (13:44 +0100)] 
Accidentially disabled nmap build

6 years agoMove Core Update 86 and 87 files to oldcore directory
Michael Tremer [Thu, 5 Mar 2015 11:55:32 +0000 (12:55 +0100)] 
Move Core Update 86 and 87 files to oldcore directory

6 years agoclamav: Fix compiling
Michael Tremer [Thu, 5 Mar 2015 11:54:22 +0000 (12:54 +0100)] 
clamav: Fix compiling

glibc headers were not correctly included

6 years agontfs-3g: Ship all user-space tools with the package
Michael Tremer [Wed, 4 Mar 2015 22:59:43 +0000 (23:59 +0100)] 
ntfs-3g: Ship all user-space tools with the package

6 years agoMerge remote-tracking branch 'mfischer/ntfs-3g' into next
Michael Tremer [Wed, 4 Mar 2015 22:58:58 +0000 (23:58 +0100)] 
Merge remote-tracking branch 'mfischer/ntfs-3g' into next

6 years agoMerge remote-tracking branch 'origin/master' into next
Michael Tremer [Wed, 4 Mar 2015 22:58:47 +0000 (23:58 +0100)] 
Merge remote-tracking branch 'origin/master' into next


6 years agostrongswan: Update solution for strongswan bug #816
Michael Tremer [Wed, 4 Mar 2015 22:54:10 +0000 (23:54 +0100)] 
strongswan: Update solution for strongswan bug #816

6 years agodnsmasq: Import latest git version of dnsmasq
Michael Tremer [Wed, 4 Mar 2015 22:27:27 +0000 (23:27 +0100)] 
dnsmasq: Import latest git version of dnsmasq

6 years agoowncloud: updated to version 7.0.3
Daniel Weismüller [Wed, 4 Mar 2015 13:37:39 +0000 (14:37 +0100)] 
owncloud: updated to version 7.0.3

6 years agoMerge remote-tracking branch 'amarx/BUG10756' into next
Michael Tremer [Tue, 3 Mar 2015 20:13:46 +0000 (21:13 +0100)] 
Merge remote-tracking branch 'amarx/BUG10756' into next

6 years agoteamspeak: Remove package
Michael Tremer [Tue, 3 Mar 2015 20:11:34 +0000 (21:11 +0100)] 
teamspeak: Remove package

This is an old version any way and just used to download the
pre-compiled data from the servers of the vendor.

6 years agoasterisk: sqlite is not an add-on package any more
Michael Tremer [Tue, 3 Mar 2015 20:07:23 +0000 (21:07 +0100)] 
asterisk: sqlite is not an add-on package any more

6 years agologrotate: Fix an empty /etc/logrotate.d directory
Michael Tremer [Tue, 3 Mar 2015 16:57:38 +0000 (17:57 +0100)] 
logrotate: Fix an empty /etc/logrotate.d directory

Fixes #10625

6 years agoRevert "pound: Allow to use legacy renegotiation."
Michael Tremer [Tue, 3 Mar 2015 11:44:00 +0000 (12:44 +0100)] 
Revert "pound: Allow to use legacy renegotiation."

This reverts commit 09e3b0fa356c087b27ca7197024bf0210455a73c.

6 years agovpnmain.cgi: Added inclusion of ipsec.user-post.conf to the end of ipsec.conf in...
Christoph Anderegg [Mon, 2 Mar 2015 21:10:13 +0000 (22:10 +0100)] 
vpnmain.cgi: Added inclusion of ipsec.user-post.conf to the end of ipsec.conf in order to allow connection parameters to be overwritten in ipsec.user.conf.

6 years agopound: Allow to use legacy renegotiation.
Michael Tremer [Fri, 16 May 2014 15:13:19 +0000 (17:13 +0200)] 
pound: Allow to use legacy renegotiation.

6 years agontfs-3g: Update to 2014.2.15
Matthias Fischer [Mon, 2 Mar 2015 20:12:20 +0000 (21:12 +0100)] 
ntfs-3g: Update to 2014.2.15
fuse: Update to 2.9.3

6 years agoBUG10756: fixes possibillity to enable logging when editing a rule. Also remark can...
Alexander Marx [Mon, 2 Mar 2015 14:33:44 +0000 (15:33 +0100)] 
BUG10756: fixes possibillity to enable logging when editing a rule. Also remark can be deleted

6 years agoBUG10756: consolidate rulecheck
Alexander Marx [Mon, 2 Mar 2015 14:20:32 +0000 (15:20 +0100)] 
BUG10756: consolidate rulecheck

6 years agoinstaller: Cut off disk description if it gets too long
Michael Tremer [Thu, 26 Feb 2015 12:54:07 +0000 (13:54 +0100)] 
installer: Cut off disk description if it gets too long

6 years agocore88: Include fwhosts.cgi fixes in the update
Michael Tremer [Thu, 26 Feb 2015 10:11:38 +0000 (11:11 +0100)] 
core88: Include fwhosts.cgi fixes in the update

6 years agoMerge remote-tracking branch 'amarx/BUG10753' into next
Michael Tremer [Thu, 26 Feb 2015 10:11:04 +0000 (11:11 +0100)] 
Merge remote-tracking branch 'amarx/BUG10753' into next

6 years agoBUG10753: Fix servicegroups to have only max. 15 services per protocol
Alexander Marx [Wed, 25 Feb 2015 07:09:05 +0000 (08:09 +0100)] 
BUG10753: Fix servicegroups to have only max. 15 services per protocol

6 years agoclamav: update to 0.98.6.
Arne Fitzenreiter [Mon, 23 Feb 2015 15:53:07 +0000 (16:53 +0100)] 
clamav: update to 0.98.6.

6 years agosamba: security update to 3.6.25.
Arne Fitzenreiter [Mon, 23 Feb 2015 15:51:15 +0000 (16:51 +0100)] 
samba: security update to 3.6.25.

Fix CVE-2015-0240 (unexpected code execution in smbd).

6 years agoclamav: Update to 0.98.5
Matthias Fischer [Sat, 6 Dec 2014 21:15:53 +0000 (22:15 +0100)] 
clamav: Update to 0.98.5

6 years agoMerge branch 'master' into next
Arne Fitzenreiter [Sun, 22 Feb 2015 22:44:39 +0000 (23:44 +0100)] 
Merge branch 'master' into next

6 years agocore87: remove grub2 config/image on xen.
Arne Fitzenreiter [Sun, 22 Feb 2015 21:57:04 +0000 (22:57 +0100)] 
core87: remove grub2 config/image on xen.

6 years agocore87: don't recreate S19checkfstab and S70console startlinks.
Arne Fitzenreiter [Sat, 21 Feb 2015 18:28:06 +0000 (19:28 +0100)] 
core87: don't recreate S19checkfstab and S70console startlinks.

6 years agoMerge branch 'core87' of git.ipfire.org:/pub/git/ipfire-2.x into core87
Arne Fitzenreiter [Sat, 21 Feb 2015 15:59:50 +0000 (16:59 +0100)] 
Merge branch 'core87' of git.ipfire.org:/pub/git/ipfire-2.x into core87

6 years agocore87: add glibc to arm update.
Arne Fitzenreiter [Sat, 21 Feb 2015 15:54:15 +0000 (16:54 +0100)] 
core87: add glibc to arm update.