core133: Ship updated rrdtool

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

rrdtool: Update to 1.7.2

For details see:
https://oss.oetiker.ch/rrdtool/pub/CHANGES

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

BUG 11487:solve problem with unexspected shutdown

Solve problem with unexspected shutdown problem when checking a single client.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Rootfile update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: Set default ccache size to 4G

Since we have now one cache for each architecture, we do not
need to make it too large.

The largest build (i586 because of the two kernels) uses around
2.5GB after one build. So 4G will give us some space.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core133: Ship updated ovpnmain.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Fixed line break for LZO option

It is better readable if everything is in one line.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

monit: Update to 5.25.3

For details see:
https://mmonit.com/monit/changes/

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: Have a ccache for each architecture

It does not make much sense to mix architectures into a single
ccache:

* There is never going to be a match
* The cache gets bigger and therefore slower
* If both architectures are being compiled one after the other and
  the cache hits its maximum size, cached but still needed content
  will be dropped
* Only both can be deleted together

This small change splits this into multiple caches. One per
architecture. Therefore we should be more efficient on builders
that build for multiple architectures.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

miau: Drop package

This is not maintained since 2010

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

openssl: Update to 1.1.1c

Fixes CVE-2019-1543

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

strongswan: Update to 5.8.0

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

tshark: Update to 3.0.2

Incl. one vulnerability and several bug fixes. For full overview --> https://www.wireshark.org/docs/relnotes/wireshark-3.0.2.html .

- Disabled geoip support since libmaxminddb is not presant.
- Added dictionary in ROOTFILE to prevent "radius: Could not open file: '/usr/share/wireshark/radius/dictionary' " .
- Added CMAKE build type
- Removed profile examples and htmls completly from ROOTFILE.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ccache: Automatically set size to 8GB

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core133: Ship toolchain changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Rootfile update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hyperscan: Limit amount of memory being used during build

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ddns: Update to 011

Add support for two new providers and has some general bug fixes
included.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core133: Ship updated IPS ruleset sources

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ruleset-sources: Update snort dl urls.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

tor: Ship updated CGI

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

tor.cgi: Disable debugging output

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core133: Drop metadata for jansson package

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core133: Ship hyperscan

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hyperscan: Move rootfiles to arch directories

This package is only compiled on x86_64 and i586 and cannot
be packaged in any of the other architectures.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hyperscan: New package

This package adds hyperscan support to suricata

Fixes #12053.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ragel: New package

This is a build dependency of hyperscan

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

colm: New package

This is a build dependency of ragel, which is a build dependency of
hyperscan.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

asterisk: Remove dependency to jansson.

The package has become part of the main system.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

jansson: Move to core system and update to 2.12

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Rootfile update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core133: readd late core132 changes to core133

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Merge branch 'master' into next

core132: security conf should not executable

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

tor: Depend on libseccomp

Suggested-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ids-functions.pl: Do not delete the whitelist file on rulesdir cleanup.

Fixes #12087.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core132: set correct permissions of security settings file.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

vulnerabilities.cgi: again change colours

red - vulnerable
blue - mitigated
green - not affected

because we not really trust the mitigations so they shound not green.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

vulnerabilities.cgi fix string handling

remove lf at the end for correct matching
and not strip "Mitigated:" if it was not full working and still
vulnerable.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

vulnerabilities.cgi: Regard mitigations that only mitigate something still as vulnerable

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

vulnerabilities.cgi: Simplify regexes

We can do the split in one.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Merge branch 'toolchain' into next

Merge remote-tracking branch 'ms/faster-build' into next

core133: Ship updated squid

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

squid: Update to 4.7

For details see:

http://www.squid-cache.org/Versions/v4/changesets/

Fixes among other things the old 'filedescriptors' problem, so this patch was deleted.

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core133: Ship updated bind

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

bind: Update to 9.11.7

For details see:
http://ftp.isc.org/isc/bind9/9.11.7/RELEASE-NOTES-bind-9.11.7.html

"Security Fixes

  The TCP client quota set using the tcp-clients option could be exceeded in some cases.
  This could lead to exhaustion of file descriptors.
  This flaw is disclosed in CVE-2018-5743. [GL #615]"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Start Core Update 133

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

.gitignore: Ignore some backup files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

tor: Depend on libseccomp

Suggested-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Safe Search: Enable Restrict-Moderate for YouTube

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Update German translations

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

vulnerabilities.cgi: Regard mitigations that only mitigate something still as vulnerable

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

vulnerabilities.cgi: Simplify regexes

We can do the split in one.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Merge branch 'master' into next

vulnerablities: change to logic colours

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Merge branch 'next'

finish: core132

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

vulnerablities.cgi: add colours for vuln,smt and unknown output.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

kernel: update to 4.14.121

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

vnstat: fix errormessage at first boot

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

configroot: create main/security settings file

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

web-user-interface: update rootfile

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core132: Ship vulnerabilities.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

SMT: Show status on vulnerabilities.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

vulnerabilities.cgi: Disable debugging output

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Add the new vulnerabilities CGI file to the System menu

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

SMT: Apply settings according to configuration

SMT can be forced on.

By default, all systems that are vulnerable to RIDL/Fallout
will have SMT disabled by default.

Systems that are not vulnerable to that will keep SMT enabled.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Add new CGI file to show CPU vulnerability status

This is supposed to help users to have an idea about
the status of the used hardware.

Additionally, it allows users to enable/disable SMT.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

suricata: Ship updated rule download script

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

update-ids-ruleset: Release ids_page_lock when the downloader fails.

Fixes #12085.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ids.cgi: Fix upstream proxy validation

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

spectre-meltdown-checker: Update to 0.41

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Update French translation

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

zoneconf: Reindent with tabs

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Update translations

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Added reboot notice

Added a reboot notice and made table rows more distinguishable by
alternating their background color. This improves usability.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

zoneconf: Switch rows/columns

This change is necessary because the table can grow larger than the main
container if a user has many NICs on their machine.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Update contributors

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core132: Ship updated ovpnmain.cgi file

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpn_reorganize_encryption: Integrate LZO from global to advanced section

Fixes: #11819
- Since the Voracle vulnerability, LZO is better placed under advanced section cause under specific circumstances it is exploitable.
- Warning/hint has been added in the option defaults description.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Update translations

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpn_reorganize_encryption: Added tls-auth into global section

- Since HMAC selection is already in global section, it makes sense to keep the encryption togehter.
- Given tls-auth better understandable name.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpn_reorganize_encryption: Integrate HMAC selection to global section

Fixes: #12009 and #11824
- Since HMACs will be used in any configuration it is better placed in the global menu.
- Adapted global section to advanced and marked sections with a headline for better overview.
- Deleted old headline in advanced section cause it is not needed anymore.
- Added check if settings do not includes 'DAUTH', if possible SHA512 will be used and written to settings file.
    Old configurations with SHA1 will be untouched.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

tshark: Drop special package scripts

We are not doing anything different from the default here,
so we do not need an extra copy of them.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

tshark: New addon

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

BUG 11696: VPN Subnets missing from wpad.dat

This patch fixes the behavior in 11696 and adds IPSEC and OpenVPN n2n subnets to wpad.dat so they don't pass through the proxy.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

tor: Bump release version

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Tor: specify correct user for default configuration

While being built with user/group set to "tor", the default
configuration still contains the old username.

This patch adjusts it to the correct value. The issue was
caused by insufficient testing, which I apologise for.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: comment to update backupiso if version change

It was to offten forgotten to update the backupiso script
that need to download the matching iso from the servers
so i added a comment.

no functional change

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core132: add log.dat to updater

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

suricata: Fixed logs.dat regex for suricata

Fixes: #12084
Since the Suricata regex did not match the messages output, Suricata was not displayed in the "System Logs" section in the WUI.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

suricata: Limit to a maximum of "16" netfilter queues.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Update contributors

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Update translations

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

BUG11505: Captive Portal: no way to remove an uploaded logo

added a delete button

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core132: Ship updated apache configuration

A reload would be sufficient.

I could not find why apache needs to be restarted.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

httpd: prefer AES-GCM ciphers over AES-CBC

CBC ciphers are vulnerable to a bunch of attacks (being
rather academic so far) such as MAC-then-encrypt or
padding oracle.

These seem to be more serious (see
https://blog.qualys.com/technology/2019/04/22/zombie-poodle-and-goldendoodle-vulnerabilities
for further readings) which is why they should be used
for interoperability purposes only.

I plan to remove AES-CBC ciphers for the WebUI at the
end of the year, provided overall security landscape
has not changed until that.

This patch changes the WebUI cipherlist to:
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256

(AES-CBC + ECDSA will be preferred over RSA for performance
reasons. As this cipher order cannot be trivially rebuilt with
OpenSSL cipher stings, it has to be hard-coded.)

All working clients will stay compatible.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Fix version information in backupiso script

Fixes: #12083
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

kernel: update to 4.14.120

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>