New IP-address of 'ping.ipfire.org'

Telekom gateways (e.g.) don't answer 'pings', therefor '/etc/ppp/ip-up'
uses 'ping.ipfire.org' for the 'gateway Graph' in 'Status / Network (other'.
After moving the infrastructure, several IP addresses were changed.
'178.63.73.246' doesn't work anymore for 'ping.ipfire.org', its now '81.3.27.38'.

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core98: Ship recently updated grep and sed

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

grep: Update to 2.22

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

sed: Update to 4.2.2

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

kernel: disable grsecurity KSTACKOVERFLOW.

this is the reason for crashes usb lan dongles and media devices.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

firewall: Fix MAC filter

Packets destined for the firewall coming in from the blue
device where accepted too early to be processed by the
firewall input chain rules.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

wirelessctrl: Remove some unused code

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

dhcpcd: rework mtu handling on buggy nic's

some nic's loose the carrier after setting new mtu.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core98: Ship updated tzdata

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

tzdata: Update to 2016a

Fixes https://bugzilla.ipfire.org/show_bug.cgi?id=11034

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

kernel: update to 3.14.60

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

set core to 98 and move 97 to oldcore

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

finish core97

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

openssl: security update to 1.0.2f

changes:
* DH small subgroups - CVE-2016-0701
* SSLv2 doesn't block disabled ciphers - CVE-2015-3197
* Reject DH handshakes with parameters shorter than 1024 bits

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

hwdate: update databases

pci.ids: 2016.01.28
usb.ids: 2015.12.17

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core97: prepare new core97 with openssl and openssh update.

the update itself has to be done...

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

rename core97 to 98 because we have to insert OpenSSL security update

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

backports: update to 4.2.6

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

rsync: update to 3.1.2

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

kernel: update to 3.14.59

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

squid: Actually make --with-filedescriptors work

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core97: Ship updated CGI files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Merge remote-tracking branch 'meitelwein/web-gui-ipv6' into next

Merge remote-tracking branch 'origin/master' into next

cmake: Disable parallelism

Building cmake uses a high amount of memory (>2G) and
fails to build on my system. Using less processes reduces
memory usage and lets the build succeed.

Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Update translations

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core97: Ship iptables conntrack changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Merge remote-tracking branch 'ms/iptables-conntrack' into next

Merge branch 'hyper-v-fixes' into next

toolchain: fix build on hosts that not support strong stackprotect

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core97: Ship updated webaccess.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

webaccess.cgi: Fixed language settings.

Fix for #10879. Added also use strict.

Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Improve hardening by using -fstack-protector-strong

This functionality is now available for us since we updated
to GCC 4.9 and just improves the stack smashing protector
in GCC.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

nano: Update to 2.5.1

Excerpt form 'NEWS':
"It includes fixes for a syntax-highlighting bug and a positionlog bug,
it disables a time-eating multiline regex in the C syntax,
and it adds an escape hatch to the WriteOut menu when
--tempfile is used: the discardbuffer command, ^Q.  It
also has translation updates for fifteen languages, and
a small fix in the softwrap code."

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core97: Ship updated openssh

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

openssh: Update to 7.1p2

Fixes CVE-2016-0777

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

toolchain: bump version number

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

gcc: remove gdb python files also in root build.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

toolchain: move *.py remove to correct pass.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

toolchain: enable bootstrap and remove *.py files from lib.

only with bootstrap the gcc pass2 build works on arm.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

kernel: disable RANDSTRUCT

RANDSRUCT is incompatible with ccache build.

fixes #10905
fixes #11012

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core97: Ship updated ntp

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ntp 4.2.8p5: removed obsolete patch file

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ntp: Update to 4.2.8p5

"...addresses 1 medium-severity security issue, 14 bugfixes,
and contains other improvements over 4.2.8p4."

For a complete list, see:
http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

grub: Disable hardening for grub-script-check

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ccache: Include hash of compiler specs in hashing

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

No code changes, fixed formatting by replacing spaces with tabs

Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

timectrl: Stop ntp daemon when disabled

Fixes #11000

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Fixed detection of firewall chain when bridge is used for ipv6

Signed-off-by: Michael Eitelwein <michael@eitelwein.net>

Firewall chain was not extracted correctly when ipv6 uses bridge

Signed-off-by: Michael Eitelwein <michael@eitelwein.net>

toolchain: fix full toolchain crossbuild

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

binutils: update to 2.24

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Fix regex to extract firewall chain for ipv6 in showrequestfrom*.dat

If bridged ipv6 is used, $iface is taken from PHYSIN
In the log line the order of fields is "... IN=XY OUT=XY PHYSIN=XY ..."

Signed-off-by: Michael Eitelwein <michael@eitelwein.net>

Enable correct display of ipv6 entries in Firewall log pages of web UI.

3 main changes:
 - Fill $iface and $out from PHYSIN and PHYSOUT when looking at bridged packets, othwerwise fill from IN and OUT
 - Recognize ipv4 and ipv6 address style for $srcaddr and $dstaddr
 - Match color coding of tables to pie charts (see seperate patch sent earlier)

I am using the bridged ipv6 setup as proposed in the wiki. I do not think this breaks anything when not using ipv6. So it would be nice to include this even if ipv6 is not officially supported yet. It is quite useful when using the ipv6 setup.

Signed-off-by: Michael Eitelwein <michael@eitelwein.net>
---

owncloud: updated to version 7.0.11

Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

dnsdist: Don't build on ARM

There seem to be some serious C++ issues in this so that
it won't build on ARM.

At the moment I do not have any resources to look further
into this, so I just disable building this package for
all ARM architectures.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

QoS: Improve saving enabled/disable state

It was reported that the QoS did not stop when
the user clicked the "stop" button. This patch
fixes that.

Fixes #10664

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>

qosctrl: Cleanup code by replacing hardcoded paths

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core97: Ship updated openvpn package

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

openvpn: Update to version 2.3.7, added --verify-x509-name directive.

The tls-remote directive is deprecated and will be removed with
OpenVPN version 2.4 . Added instead --verify-x509-name HOST name
into ovpnmain.cgi.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

bind: Update to 9.10.3-P2

Changelog:

[security]
Update allowed OpenSSL versions as named is potentially
vulnerable to CVE-2015-3193.

[maint]
H.ROOT-SERVERS.NET is 198.97.190.53 and 2001:500:1::53. [RT #40556]

[security]
Insufficient testing when parsing a message allowed
records with an incorrect class to be be accepted,
triggering a REQUIRE failure when those records
were subsequently cached. (CVE-2015-8000) [RT #40987]

[security]
Address fetch context reference count handling error
on socket error. (CVE-2015-8461) [RT#40945]

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core97: Ship dnsmasq

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

dnsmasq 2.75: latest patches from upstream

Same procedure as... :-)

Best to all for xmas and 2016!

Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core97: Ship pgrep with the updater

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ncurses: rootfile update.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

dnsdist: rootfile update.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

diffutils: rootfile update.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

gcc: include libstdc++ to rootfile

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

vdr_eepg: fix source download.

the external server has changed the compression so the md5 has changed.
Always use the IPFire server as primary download source.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core96: remove rrd ramdisk entry from fstab

kernel: apply arm-multi grsecurity fixes only at arm-multi build

dnsdist: New package

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

lua: New package

Simple scripting language. Supposed to be fast. Needed for dnsdist.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Disable packaging mediatomb

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

linux: Fix build of kernel and headers package

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core96: Regenerate language cache

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

linux: Backport Hyper-V network driver

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

kernel: Add grsecurity compile fix

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

mediatomb: Disable build because it FTBFS

The upstream project seems to be dead

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

gcc: Update armv5tel rootfile

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

gcc: Update x86_64 rootfile

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

gcc: Update to version 4.9.3

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

glibc: Fix headers to build with new GCC

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

libmpc: New package

A dependency for GCC

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core97: Ship updated bind package

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Create Core Update 97

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Move Core Update 96 to oldcore

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

bind: Update to 9.10.3

bind: Update to 9.10.3

Security fixes:
An incorrect boundary check in the OPENPGPKEY rdatatype could trigger an assertion failure. This flaw is disclosed in CVE-2015-5986. [RT #40286]

A buffer accounting error could trigger an assertion failure when parsing certain malformed DNSSEC keys.
This flaw was discovered by Hanno Böck of the Fuzzing Project, and is disclosed in CVE-2015-5722. [RT #40212]

A specially crafted query could trigger an assertion failure in message.c.
This flaw was discovered by Jonathan Foote, and is disclosed in CVE-2015-5477. [RT #40046]

On servers configured to perform DNSSEC validation, an assertion failure could be triggered on answers from a specially configured server.
This flaw was discovered by Breno Silveira Soares, and is disclosed in CVE-2015-4620. [RT #39795]

Bug fixes:
Asynchronous zone loads were not handled correctly when the zone load was already in progress; this could trigger a crash in zt.c. [RT #37573]

A race during shutdown or reconfiguration could cause an assertion failure in mem.c. [RT #38979]

Some answer formatting options didn't work correctly with dig +short. [RT #39291]

Malformed records of some types, including NSAP and UNSPEC, could trigger assertion failures when loading text zone files. [RT #40274] [RT #40285]

Fixed a possible crash in ratelimiter.c caused by NOTIFY messages being removed from the wrong rate limiter queue. [RT #40350]

The default rrset-order of random was inconsistently applied. [RT #40456]

BADVERS responses from broken authoritative name servers were not handled correctly. [RT #40427]

Several bugs have been fixed in the RPZ implementation.

For a complete list, see:
https://kb.isc.org/article/AA-01306/0/BIND-9.10.3-Release-Notes.html

Regards,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core96: Correctly call qosctrl

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core96: Fix deleting the old ramdisk directory

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core96: set pakfire version to 96.

curl: Fix certificate validation

curl did not find the certificate bundle so that server
certificates could not be verified.

Fixes #10995

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

strongswan: Update to 5.3.5

Also ships a fix for #853 upstream.

Fixes #10998

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core96: Ship updated grub

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

grub 2.00: Bugfix for CVE-2015-8370

See: http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html

"A vulnerability in Grub2 has been found. Versions from 1.98 (December, 2009)
to 2.02 (December, 2015) are affected. The vulnerability can be exploited
under certain circumstances, allowing local attackers to bypass any kind of
authentication (plain or hashed passwords). And so, the attacker may take
control of the computer."

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

dnsmasq 2.75: latest upstream patches ;-)

The neverending story continues...

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>