Adolf Belka [Tue, 16 Jun 2020 18:43:52 +0000 (20:43 +0200)]
bacula: Update to 9.6.5
- Update bacula from version 9.0.6 to 9.6.5
Version 9.0.6 is over two and a half years old.
- Update config options in lfs to include bacula recommended smartalloc option.
"This enables the inclusion of the Smartalloc orphaned buffer detection
code. This option is highly recommended. Because we never build without this option,
you may experience problems if it is not enabled. In this case, simply re-enable the
option. We strongly recommend keeping this option enabled as it helps detect memory
leaks. This configuration parameter is used while building Bacula"
- Add install, uninstall and update files in src/paks/bacula
- Updated backup/includes to backup the config file and the File Daemon state file.
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Tue, 16 Jun 2020 17:48:35 +0000 (19:48 +0200)]
dhcpcd: Update to 9.1.2
For details see:
https://roy.marples.name/blog/dhcpcd-9-1-2-released.html
"Fix installing dhcpcd-definitions.conf rather than embedding it
NetBSD: free ARP state once IPv4LL address announced
Linux: fix compile for older distros
udev: disable plugin for non Linux OS's
BSD: Mark RA dervied addresses as AUTOCONF on NetBSD-current
BSD: Only mark static routes from dhcpcd.conf as static
DHCP6: Ensure requested addresses are requested
DHCP6: Fix prefix length calculation when no prefix specified
privsep: Implement a resource limited sandbox [1]
privsep: Remove inet and dns pledges from master process
privsep: call getifaddrs when the BSD lacks SIOCGIFALIAS
privsep: free getifaddrs the right way if from privsep or not
[1] You will see a control proxy process now. This is for the resource
limited sandbox so that we can isolate requests over the control socket.
For NetBSD, FreeBSD and derivatives such as DragonFlyBSD this is
a massive win as these OS now enjoy a similar level of protection
as Capsicum or Pledge, but without the syscall filtering."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 16 Jun 2020 15:40:44 +0000 (15:40 +0000)]
firewall: Always enable connection tracking for GRE
If this module is not being loaded, the kernel will mark any
GRE connection as INVALID in connection tracking, which will
be then silently dropped by a firewall rule.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Sat, 31 Dec 2016 15:59:19 +0000 (16:59 +0100)]
squidguard: Update to 1.5-beta
Changelog:
"Release 1.5
2010-09-09 Fixed inconsistent blocking (bug 59). Replaced defined routine
in sgDB.c
2010-09-08 Added Russian translation from Vladimir Ipatov to squidGuard.cgi.in.
2009-10-19 Fixed two bypass problems with URLs which length is close to the limit
defined by MAX_BUF. The resulting proxy line exceeds this limit and causes
either squid or squidGuard to properly block a site.
2009-10-15 Fixed a problem with very long URLs. SquidGuard will go into
emergency mode when a overlong URLs are encountered. The emergency mode causes an
entire stop of blocking. This is not appropriate in this situation.
2009-09-30 Added patch by beber and gentoo (thank you!) to fix a problem when cross
compiling (bug 56).
2009-09-27 Added patch by gentoo to fix alocal warnings (bug 57).
2009-09-15 Added a feature to send log messages to syslog based on the patch from
Jun Jiang (thank you). (bug 42) In order to use syslog you have to run
configure with the new option "--with-syslog". In the configuration file you need to add a
line "syslog enable". If any other value but "enable" is used syslog is disabled and logging
to squidGuard.log takes place as usual. The following log level are used: DEBUG, NOTICE,
WARN, ERROR and EMERG. The local4 syslog facility is used by default. If you want to change
this, use the configure option "--with-syslog-facility=<facility>".
2009-09-12 Anonymized passwords (for connecting to the ldap or mysql server) written
to logfiles when squidGuard is starting. Added two configure options for choosing
different location for the LDAP include and library files.
2009-08-25 Added patch to check IP addresses against LDAP. Patch by Denis Bonnenfant
(bug 41) - thank you.
2009-08-23 Added patch to allow quoted strings in the configuration file (bug 53).
For more information see README.QuotedStrings. Thanks to Iain Fothergill for providing
the patch. Removed the fix for usernames starting with a number because it breaks the
time declarations.
2009-05-08 Added patch by INL to enable blocking against DNS based blacklists (bug 55).
Fixed re-opened bug 12: a problem with regular expressions. An entry like "www\.google\.de"
did not block www.google.de which it was supposed to do.
Solving this issue solved bug 46 as well.
2009-03-08 Fixed bug 52: Sometimes squidGuard crashes with an overflow
error message for vsprintf. Thanks to Dirk Schoebel for suggesting the proper fix.
Fixed bug 49: Using numeric username made squidGuard goes into emergency mode. This
has been fixed. Usernames can now start with a number, be numeric and can additionally
contain the following characters: @,à,é,è,ñ,á,ì,í,ò,ó,ù,ú."
Signed-off-by: Matthias Fischer <matthias.fischer at ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Wed, 10 Jun 2020 22:08:12 +0000 (00:08 +0200)]
gnutls: Update to 3.6.14
For details see:
https://lists.gnupg.org/pipermail/gnutls-help/2020-June/004648.html
"** libgnutls: Fixed insecure session ticket key construction, since 3.6.4.
The TLS server would not bind the session ticket encryption key with a
value supplied by the application until the initial key rotation, allowing
attacker to bypass authentication in TLS 1.3 and recover previous
conversations in TLS 1.2 (#1011).
[GNUTLS-SA-2020-06-03, CVSS: high]
** libgnutls: Fixed handling of certificate chain with cross-signed
intermediate CA certificates (#1008).
** libgnutls: Fixed reception of empty session ticket under TLS 1.2 (#997).
** libgnutls: gnutls_x509_crt_print() is enhanced to recognizes commonName
(2.5.4.3), decodes certificate policy OIDs (!1245), and prints Authority
Key Identifier (AKI) properly (#989, #991).
** certtool: PKCS #7 attributes are now printed with symbolic names (!1246).
** libgnutls: Added several improvements on Windows Vista and later releases
(!1257, !1254, !1256). Most notably the system random number generator now
uses Windows BCrypt* API if available (!1255).
** libgnutls: Use accelerated AES-XTS implementation if possible (!1244).
Also both accelerated and non-accelerated implementations check key block
according to FIPS-140-2 IG A.9 (!1233).
** libgnutls: Added support for AES-SIV ciphers (#463).
** libgnutls: Added support for 192-bit AES-GCM cipher (!1267).
** libgnutls: No longer use internal symbols exported from Nettle (!1235)
** API and ABI modifications:
GNUTLS_CIPHER_AES_128_SIV: Added
GNUTLS_CIPHER_AES_256_SIV: Added
GNUTLS_CIPHER_AES_192_GCM: Added
gnutls_pkcs7_print_signature_info: Added"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Tue, 9 Jun 2020 18:51:12 +0000 (18:51 +0000)]
kernel: disable CONFIG_UPROBES
Quoted from #12433:
> Uprobes is the user-space counterpart to kprobes: they enable instrumentation
> applications (such as 'perf probe') to establish unintrusive probes in
> user-space binaries and libraries, by executing handler functions when the
> probes are hit by user-space applications.
>
> ( These probes come in the form of single-byte breakpoints, managed by the
> kernel and kept transparent to the probed application. )
IMHO this can be safely disabled, as there is little if any need to debug
userspace programs _that_ deeply on an IPFire machine.
Fixes: #12433 Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Tue, 9 Jun 2020 17:57:51 +0000 (17:57 +0000)]
kernel: enable CONFIG_FORTIFY_SOURCE on armv5tel
Partially fixes: #12369
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Tue, 9 Jun 2020 17:55:58 +0000 (17:55 +0000)]
kernel: enable CONFIG_FORTIFY_SOUCRE on aarch64
Partially fixes: #12369
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Tue, 9 Jun 2020 17:50:14 +0000 (17:50 +0000)]
kernel: enable CONFIG_SLUB_DEBUG on aarch64 and armv5tel
Fixes: #12377 Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Tue, 9 Jun 2020 17:18:49 +0000 (17:18 +0000)]
kernel: enable CONFIG_RANDOMIZE_BASE on armv5tel
Partially fixes: #12363
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sun, 7 Jun 2020 16:49:01 +0000 (16:49 +0000)]
kernel: enable CONFIG_RANDOMIZE_BASE on aarch64
Partially fixes: #12363
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sun, 7 Jun 2020 16:57:59 +0000 (16:57 +0000)]
kernel: enable CONFIG_SECCOMP on aarch64 and armv5tel
Fixes: #12366 Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sun, 7 Jun 2020 16:32:26 +0000 (16:32 +0000)]
kernel: disable CONFIG_MODIFY_LDT_SYSCALL on i586 and x86_64
Fixes: #12382 Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>