guardian.cgi: Create config and ignore file if they does not exist.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

guardian.cgi: Prevent from blocking the used DNS servers.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

guardian.cgi: Use private subfunction for gateway and DNS server detection.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

guardian.cgi: Add function to generate the guardian.ignore file.

This function is responsible for collecting all required data,
like the green, blue, orange (if the interfaces are available),
red, gateway and used DNS server IP-addresses.

It will add als these addresses and the configured and enabled
user-defined ignored addresses/networks to the ignore file of
guardian to prevent from blocking any of them.

Note:

The IPFire and RED inteface related addresses also will be added
to the ignore file, even if there is no user-defined entry in the
list.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

guardian.cgi: Use ignored config file.

The CGI now uses an own ignored configuration file for
storing host addresses and/or subnets which should be
ignored by guardian.

This allows to add remarks for them and to enable or disable
each entry individally at any time.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

guardian.cgi: Use "getipstat" binary.

Rework the GetBlockedHosts() to use the "getipstat" binary
instead of the not longer available "guardianctrl" binary.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

guardian.cgi: Send commands through socket connection.

The guardianctrl binary does not longer exists, use
the Guardian::Socket module to send various commands
by using the provided socket client.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

guardian.cgi: Adjust code for generating the config file.

The config file format and values have been changed, so the
code to do the generation has to be adjusted.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

guardian.cgi: Drop option for configure the path to the snort alertfile.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

guardian.cgi: Rename hash keys for enabled modules.

Rename the hash key names of enabled parser modules,
(services which should be monitored by guardian) to
keep the same name sheme than in the guardian config
file.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

guardian.cgi: Adjust CGI to use Locale::Codes::Country.

The module has been renamed some time ago.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

guardian.cgi: Disable debugging.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

guardian.cgi: Suppress warnings for ${Header::colourgreen} variable.

Reference #10748.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

guardian.cgi: Fix unititalized value "GUARDIAN_ENABLE_OWNCLOUD".

When the owncloud addon is not installed, this value was not
initialized correctly.

Reference #10748.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

guardian.cgi: Use variable $pid instead of array element.

This will prevent from a lot of perl suggestions in the
apache error log.

Reference #10748.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

guardian.cgi: Fix path to meta-owncloud.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

guardian.cgi: Add configure options for owncloud.

The related options only will be displayed when the owncloud addon
has been installed.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

guardian.cgi: Allways read-in settings.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

guardian.cgi: Some more input validation.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

guardian.cgi: Correct indentation when writing out the config file.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

guardian.cgi: Add dropdown for PriorityLevel selection.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

guardian.cgi: Fix and improve input validation.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

guardian.cgi: Reload guardian if config or the ignorelist changes.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

guardian.cgi: Add option to configure the BlockCount.

Some small code fixes.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

guardian.cgi: Accidently hardcoded some descriptions.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

guardian.cgi: Add dropdown to select the used loglevel.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

guardian.cgi: Remove code for options which have been dropped from guardian.

Guardian does not longer require the information for the red interface from
the configfile.

Guardian does not longer support a targetfile.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

guardian.cgi: Add options to enable/disable some built-in functions from guardian.

This commit allows to enable or disable the monitoring of the snort alertfile
and to switch off the blocking of SSH and HTTPD Brute-force attempts.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

guardian.cgi: Remove code for Blockinterfaces.

We don't need this code anymore because we dropped interface support
from guardian.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

guardian.cgi: Connect subboxes with input elements to the main boxes.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

guardian.cgi: Sort blocked IP addresses.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

guardian.cgi: Add hyperlink to ipinfo page for blocked hosts.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

guardian.cgi: Autodetect the used interface for red.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

guardian.cgi: New page to configure and interact with guardian.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

nginx: Update to 1.8.1

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

kernel: update arm buildfix patch

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core104: add kernel to updater

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

kernel: update to 3.14.74

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

backports: add upstream driver fixes.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Firewall: Add Services SSMTP and submission

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

nano 2.6.1: fix in rootfile

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core104: Include recent changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Change case of the unit "bit" from "Bit" to "bit" in web UI

The correct case for "kilobit" is "kilobit", not "kiloBit".
And the same applies for Mbit, Gbit etc.
Reference is https://en.wikipedia.org/wiki/Kilobit

This commit changes the texts used in the web UI, so
that it correctly displays as "bit", "kbit", "Mbit" etc.

This fixes bugzilla item 10918.

Signed-off-by: Alf Høgemark <alf@i100.no>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

nano: Update to 2.6.1

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Fix potential HTTPoxy vulnerability

https://httpoxy.org/

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

freeradius: New package

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Update qemu to version 2.6

This patch update qemu to version 2.6
For changelogs see:
http://wiki.qemu.org/ChangeLog/2.5
http://wiki.qemu.org/ChangeLog/2.6

Qemu try to built with bluez, but before version 2.6 bluez was not used
by qemu on IPFire, so I think it is better to disable bluez because
nobody needs it before version 2.6 and our bluez  is not the latest
version so I think this will cause more problems than benefits.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Update spice to version 0.12.8

This is an security update.
Recent were 2 serious security vulnerabilities published.
This patch update spice to a version which is not vulnerable.

Changelog:

Changes in 0.12.8:

==================
* Fixes for CVE-2016-0749 and CVE-2016-2150

Changes in 0.12.7:
==================
* spice-server will now send TCP keepalive probes on the TCP connections
  it
  uses. This can prevent unwanted idle disconnections if proxies are
  used
  between the client and the host.
* Fix important memory usage when the webdav channel is used
* Do not disconnect when the client requests an unsupported compression
  type
* Fix a few race conditions
* Fix display glitch when using XSpice
* Improve help string for 'replay -s'
* Fix crashes in corner cases (buggy spice-html5 + win10, vnc + SPICE
  port
  configured, USB webcam redirection over a slow link)
* Fix various compilation warning when building on 32 bit machines
* Some fixes for big-endian machines, more work is likely to be needed
* Do not build static libraries by default, this can be reenabled with
  --enable-static
* Fix small leak in MJPEG code

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

libtiff: Bump release

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

libtiff: update to 4.0.6

The pak version from spandsp sane and foomatic are increased by one
to ship packages build against new libtiff.

A compat is not needed

http://www.remotesensing.org/libtiff/v4.0.6.html

Signed-off-by: Marcel Lorenz <marcel.lorenz@ipfire.org>
Reviewed-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core104: Ship recently updated which

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

which: update to 2.21

Signed-off-by: Marcel Lorenz <marcel.lorenz@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Update spice-protocol to 0.12.11

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

kernel: Fix broken syntax in configuration file

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Build bzip2 before pcre

pcre is now depending on bzip2

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Fix in libvirt install.sh/uninstall.sh

The libvirt daemon was not started after installation because the
initscritp is named 'libvirtd' not like the package 'libvirt'.
The same problem appear in the uninstall.sh. The service was not
stopped.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core104: Ship recently updated packages

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

acpid: update to 2.0.26

Signed-off-by: Marcel Lorenz <marcel.lorenz@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

pcre: update to 8.39

http://www.pcre.org/original/changelog.txt

Signed-off-by: Marcel Lorenz <marcel.lorenz@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

popt: update to 1.16

Signed-off-by: Marcel Lorenz <marcel.lorenz@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

curl: update to 7.49.1

https://curl.haxx.se/changes.html#7_49_1

Signed-off-by: Marcel Lorenz <marcel.lorenz@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

iputils: update to s20160308

Signed-off-by: Marcel Lorenz <marcel.lorenz@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

acl: update to 2.2.52

Signed-off-by: Marcel Lorenz <marcel.lorenz@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

libcap: update to 2.25

Signed-off-by: Marcel Lorenz <marcel.lorenz@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

collectd: Ignore *phys, macvtap* and vnet* interfaces

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

dnsmasq 2.76: latest patches from upstream (004-009)

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

dnsmasq 2.76: latest patches from upstream (001-003)

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

p7zip: add CVE-2016-2334 and CVE-2016-2335 patches

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next

kernel: disable amd ccp support

ccp based trng of the apu2 produce none random data.
Aes accleration is also not used because IPFire prefere
AES-NI if this is supported.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Fix compound nouns for mail service feature

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

kernel: arm7-multi: enable ohci_hcd

needed for usb1.1 support on BananaPi

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

kernel: update to 3.14.74

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

backports: r8152 add lenovo and nvidia usb id

this id's are blacklisted in new cdc_ether module
because the r8152 module should used but the
3.14 module not know this id's.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core104: Ship updated libarchive

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

libarchive: update to 3.2.1

Fixes CVE-2016-4301
Libarchive mtree parse_device Code Execution Vulnerability

Signed-off-by: Marcel Lorenz <marcel.lorenz@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core 104: Add updated snort.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

core 104: Add changed ids.cgi.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

snort: Rootfile update.

Rootfile update for snort 2.9.8.2 which has been overlocked in
commit 5a5e5f04a7cb2a6c39be2a53205d42b99ab80885.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

Add updated ddns to core 104.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

ddns: Update to version 010.

This update fixes some smaller issues on various dynamic DNS
providers and adds support for DuckDNS as new provider.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

Change the default qemu user and group of libvirt

Changes the libvirt user to nobody and the group to kvm this is a bit
safer as to use root for both.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Qemu: add a group kvm to access /dev/kvm eaiser

As a normal user, it is not possible to use qemu with KVM. This is bad
because it is better when it is possible to start the machine with a
less privileged user. To achieve this a group KVM is created and the
access to /dev/kvm is allowed for this group. So every user in this
group can use qemu with KVM.
This change is also useful for libvirt because the VMs can be started
with user nobody and group kvm.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Rootfile update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core104: Ship updated shadow-utils and remove old files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

shadow: update to 4.2.1

The "groups" from the coreutils package is used (/usr/bin/groups)

Signed-off-by: Marcel Lorenz <marcel.lorenz@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core104: Ship updated pakfire functions.sh

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Fix in pakfire functions.sh

The if statement in line 89 and 99 are useless with the -e
conditional expression because it returns true if the path ist a
regular file or a directory.
So "/etc/init.d/ " returns true and "/etc/init.d/avahi" return also true,
but the statement should return only true if we have a regular file.
So -f if the right conditional expression, and we only try to execute
the init script if the path "/etc/init.d/${1}" points to a regular file.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Change the default libvirt remote user to libvirt-remote

It is possible to communicate per ssh via a socket with libvirt. It is
not a good idea to do this as root, so the remote user is now
libvirt-remote. Only this user or users in the group libvirt-remote can
communicate with the socket.
The user libvirt-remote is created without a password. The users have to
set a password for this user after installation.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core104: Add ntp update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ntp: Update to 4.2.8p8

It addresses 1 high- and 4 low--severity security issues, 4 bugfixes,
and contains other improvements over 4.2.8p7.

For a complete list, see:
http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ntp: Update to 4.2.8p7

It addresses 11 low- and medium-severity security issues, 16 bugfixes,
and contains other improvements over 4.2.8p6.

For a complete list, see:
http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ntp: Update to 4.2.8p6

"...addresses 9 low- and medium-severity security issues, 10 bugfixes,
and contains other improvements over 4.2.8p5."

For a complete list, see:
http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core104: Add wget update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wget: Update to 1.18

Excerpt from annoncement:

"This version fixes a security vulnerability (CVE-2016-4971) present in
all old versions of wget.  The vulnerability was discovered by Dawid
Golunski which were reported to us by Beyond Security's SecuriTeam.

On a server redirect from HTTP to a FTP resource, wget would trust the
HTTP server and uses the name in the redirected URL as the destination
filename.
This behaviour was changed and now it works similarly as a redirect from
HTTP to another HTTP resource so the original name is used as
the destination file.  To keep the previous behaviour the user must
provide --trust-server-names."

Best,
Mat-backfromholidays-thias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wget: Update to 1.17.1

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Start Core Update 104

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core103: Restart squid and rebuild cache

The swap.state file may be broken and so we delete this here and
let squid rebuild the cache at the next start.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

finish core 103

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>