Matthias Fischer [Sat, 14 Jan 2017 12:10:43 +0000 (13:10 +0100)]
bind: Update to 9.11.0-P2
For details see:
https://ftp.isc.org/isc/bind9/9.11.0-P2/RELEASE-NOTES-bind-9.11.0-P2.html
"BIND 9.11.0-P2 addresses the security issues described in CVE-2016-9131, CVE-2016-9147,
CVE-2016-9444 and CVE-2016-9778.
...
Security Fixes
A coding error in the nxdomain-redirect feature could lead to an assertion failure if the
redirection namespace was served from a local authoritative data source such as a local zone
or a DLZ instead of via recursive lookup. This flaw is disclosed in CVE-2016-9778. [RT
Named could mishandle authority sections that were missing RRSIGs triggering an assertion
failure. This flaw is disclosed in CVE-2016-9444. [RT # 43632]
Named mishandled some responses where covering RRSIG records are returned without the
requested data resulting in a assertion failure. This flaw is disclosed in CVE-2016-9147.
[RT #43548]
Named incorrectly tried to cache TKEY records which could trigger a assertion failure when
there was a class mismatch. This flaw is disclosed in CVE-2016-9131. [RT #43522]
It was possible to trigger assertions when processing a response. This flaw is disclosed in
CVE-2016-8864. [RT #43465]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Alexander Marx [Tue, 10 Jan 2017 14:13:58 +0000 (15:13 +0100)]
BUG11278: enable creation from subnets of internal networks
In firewallgroups it was not possible to create new networks that are subnets of
IPFire internal networks. Now this is possible for all internal networks.
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Jonatan Schlag [Mon, 2 Jan 2017 15:17:08 +0000 (16:17 +0100)]
Improvement of backup iso script
The backup iso script did not check the arch of the host. On x86_64 host
the wrong iso was downloaded.
Furthermore, there were some if clauses which could cause trouble which
I also tried to improve.
(For example: -e is valid if we have a directory or a file, but we want
to check for a file only )
Fixes: 11258 Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://www.nano-editor.org/news.php
"GNU nano 2.7.3 "Ontbijtkoek" wipes away a handful of bugs:
your editor is now able to handle filenames that contain
newlines, avoids a brief flash of color when switching
between buffers that are governed by different syntaxes,
makes the Shift+Ctrl+Arrow keys select text again on a
Linux console, is more resistant against malformations
in the positionlog file, and does not crash when ^C is
typed on systems where it produces the code KEY_CANCEL.
Oh, and it no longer mistakenly warns about editing an
unlocked file just after saving a new one. That's it.
Tastes great with thick butter."
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Jonatan Schlag [Thu, 29 Dec 2016 19:37:32 +0000 (20:37 +0100)]
network: Support bridge mode for zones
This bridge mode is supposed to be used for virtual environments
to create a network zone as a bridge and have virtual machines inside
it. Other physical interfaces can also be added to the bridge.
This is very similar to the MACVTAP bridge feature but still works
when the link of any (or all) physical interfaces is down.
Fixes: #11252 Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 29 Dec 2016 16:04:29 +0000 (16:04 +0000)]
libpng: Update to version 1.2.57
These all fix a potential "NULL dereference" bug that has existed in libpng
since version 0.71 of June 26, 1995. To be vulnerable, an application
has to load a text chunk into the png structure, then delete all text, then
add another text chunk to the same png structure, which seems to be
an unlikely sequence, but it has happened.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Fri, 16 Dec 2016 17:06:51 +0000 (18:06 +0100)]
bind: Update to 9.11.0-P1
http://ftp.isc.org/isc/bind9/9.11.0-P1/RELEASE-NOTES-bind-9.11.0-P1.html:
"BIND 9.11.0-P1 addresses the security issue described in CVE-2016-8864"
https://access.redhat.com/security/cve/cve-2016-8864:
"A denial of service flaw was found in the way BIND handled responses
containing a DNAME answer. A remote attacker could use this flaw to
make named exit unexpectedly with an assertion failure via a specially
crafted DNS response."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 14 Dec 2016 12:45:07 +0000 (12:45 +0000)]
unbound: Test for working EDNS buffer size and adjust accordingly
Some networks have equipment that fails to forward DNS queries
with EDNS and the DO bit set. They might even lose the replies.
This patch will adjust unbound so that it will not try to receive
too large replies and falls back to TCP earlier. This creates
some higher load on the DNS servers but at least gives us
working DNS.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 1 Dec 2016 17:13:07 +0000 (17:13 +0000)]
unbound: Fix DNS forwarder test
The previous version aborted when the validation test
suceeded, but this is not always sufficient in case a
provider filters any DNSKEY, DS or RRSIG records.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This causes trouble when you try to resolve a record like
a.b.blah.com where b.blah.com responds with NXDOMAIN. unbound
won't try to resolve a.b.blah.com because it is assumed that
everything longer than b.blah.com does not exist which is
probably not good usability.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Alexander Marx [Mon, 31 Oct 2016 11:19:15 +0000 (12:19 +0100)]
BUG11242: Fix for adding 2 VPN Hosts/network with same name
If one has an IPSec network named "aaa" and an OpenVPn Host with the same name
it was not possible to group them together because of the same name.
Now the Network type is also checked wich allows Entries with same name, but different networks.
Fixes: #11242 Signed-off-by: Alexander Marx <alexander.marx@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 2 Nov 2016 15:42:40 +0000 (15:42 +0000)]
unbound: Fix for DNS forwarding of .local zones
These are traditionally used for Windows domains and should not
be used for that. However if they are used like this, DNSSEC
validation cannot be used.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 2 Nov 2016 15:42:40 +0000 (15:42 +0000)]
unbound: Fix for DNS forwarding of .local zones
These are traditionally used for Windows domains and should not
be used for that. However if they are used like this, DNSSEC
validation cannot be used.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
It appears that htpasswd is not salting any passwords that are
stored with the SHA (-s) algorithm. MD5 passwords however are
salted.
That leads us to the conclusion that the "MD5 algorithm" in htpasswd
is more secure than the "SHA algorithm" although the hash function
itself should be stronger.
With a rainbow table, cracking "SHA" is easily done.
A rainbow table for "MD5" + salt would be way too large to be
efficiently stored.
Hence this commit is reverted to old behaviour to avoid the clear
failure of design in SHA.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Michael Tremer [Sat, 15 Oct 2016 17:08:22 +0000 (19:08 +0200)]
unbound-dhcp-bridge: Rewrite update algorithm
Before the bridge tries reading any existing leases from unbound
but this makes it difficult to destinguish between what is a DHCP lease,
static host entry or anything else.
This patch will change the bridge back to just remember what has been
added to the cache already which makes it easier to keep track.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 15 Oct 2016 17:08:22 +0000 (19:08 +0200)]
unbound-dhcp-bridge: Rewrite update algorithm
Before the bridge tries reading any existing leases from unbound
but this makes it difficult to destinguish between what is a DHCP lease,
static host entry or anything else.
This patch will change the bridge back to just remember what has been
added to the cache already which makes it easier to keep track.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Marcel Lorenz [Fri, 7 Oct 2016 16:26:38 +0000 (18:26 +0200)]
netpbm: update to 10.47.61
To keep the files in the right place, the files are installed into the build directory
and only the files which are useful are copied to the usual places in /usr.
projects / ipfire-2.x.git / log
