pound: Drop package which isn't very actively maintained any more

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: Drop generating a global rootfile

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: Fix printing a log line

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: Continue producing nice output after screen has been resized

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core117: Ship updated vpnmain.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

vpnmain.cgi: Disable compression by default

The compression is causing some interoperatibility issues
and does not really compress data very much - even when the
data is quite compressible.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

apache: Wait until apache has stopped when we want to stop it

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

apache: Ensure that not everyone can read the keys

This would become a security risk if anyone gets
shell access as any user to copy out the HTTPS keys.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

boost: disable parallel build

this need more than 1GB ram on arm

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

samba: import security updates from redhead

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

make.sh: Don't try to dump a non-existing logfile

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: Show architecture we are building the toolchain for

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: Fix typo

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: Refactor build status code

This replaces the old lines that make the build
output pretty and replaces it by a version that showns
progress as it is going on as well as providing useful
output when the console is non-interactive.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Compress toolchain using XZ

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: Refactor renice and root check

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: Cleanup prepareenv

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: TARGET_ARCH has been replaced by BUILD_ARCH

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: Merge make-functions into make.sh

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Move toolchain from /tools to /tools_${arch}

This will allow us to run multiple builds on the same
system at the same time (or at least have them on disk).

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: Drop option to generate a source ISO

This is a very weird way to distribute sources in 2017.
Let's save the environment and stop using CDs.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core117: Reload apache for change of configuration

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

disable SSL compression and session tickets in Apache

Ensure that Apache never uses SSL compression, which is vulnerable,
and turn off session tickets since the might cause impact to PFS.

Based against next, supersedes first version.

Reported-by: Wolfgang Apolinarski <wolfgang.apolinarski@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Retire the IPFire CA

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core117: Ship updated CA bundle

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

update ca-certificate CA bundle

Update the CA certificate list to what Mozilla NSS ships currently.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core117: Ship changes in pakfire

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

validate GPG keys by fingerprint

Validate GPG keys by fingerprint and not by 8-bit key-ID.

This makes exploiting bug #11539 harder, but not impossible
and does not affect existing installations.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core117: Ship latest GeoIP changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

GeoIP: Add lookup function for convenience

Instead of opening the database again for each lookup,
we will read it into memory on first use and every lookup
after that will be coming from cache.

Reviewed-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

geoip-functions.pl: Fix typos and formatting

Reviewed-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: Default to armv5tel on armv7* build hosts

We won't offer a native port to ARMv7 in the near future
and to default to an architecture that is working on these
machines, we select armv5tel as default

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Revert "make.sh: Use -pipe in CFLAGS when host has >1GB of memory"

This reverts commit 7e1639a4810e5e70db94fdb0a0a98593d50d4290.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive portal: Require authorization before redirecting to proxy

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core117: Ship updated routing.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

BUG11466: fix routing.cgi the function call in routing.cgi was fixed to call the new "exact" function.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Network-functions: add check if variables are defined

in function network_equal and network2bin a check for undefined variables were missing.
added them.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core117: Ship updated network-functions.pl

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

BUG11466: Fix network_equal function

The network_equal function only tested the subnet addresses of two given networks which lead to
errormessages saying "This is the green network"
The fix tests netwok and subnet IP's to fix this

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core117: Ship changed files of the webUI

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

link to HTTPS version of www.ipfire.org in WebUI

Change links to www.ipfire.org in WebUI themes since the website
now uses HTTPS.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Tor: Use relay mode as default setting

Set the default operating mode to "relay" in the Tor WebUI
configuration page.

Running a Tor exit relay may cause legal trouble in some
countries and should not be the default setting to prevent
users from accidentally running an exit router.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Start Core Update 117

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Silence error when upstream name servers cannot be read

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: Calculate MAKETUNING depending on available memory

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: Remove setting the EDITOR variable which we don't use

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: Add function to determine how many CPU cores the build host has

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: Use -pipe in CFLAGS when host has >1GB of memory

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: Determine how much memory the build host has

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: One month is only 30 days instead of 210

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core116: stop apache before extracting updated files

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core116: replace apache restart by stop and start

restart seems not work after replace apache...

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core116: ship updated wget

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

finish core116

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core116: set need_reboot flag

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core116: ship openssh

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core116: fix openssl symlink

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

wget: Update file extension

Upstream does not distribute XZ compressed tarballs any more

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

openssl: Update to 1.0.2m

* bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
* Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wget: Update to 1.19.2

Fixes CVE-2017-13089

A stack-based buffer overflow when processing chunked, encoded HTTP
responses was found in wget. By tricking an unsuspecting user into
connecting to a malicious HTTP server, an attacker could exploit
this flaw to potentially execute arbitrary code.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core116: Ship updated apache

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Update to Apache 2.4.29

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core116: Ship updated proxy.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

proxy.cgi: Even more cosmetics

Another clickable link for 'proxy.cgi', this time for 'Cache Manager Interface' - this one opens in a new window.

And: This time - hopefully - with correct '_blank'-attribute (deleted the backslashes) - based on current 'next'.

Plus: Deleted some "blind" tabs - found by chance.

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core116: Ship snort

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

snort: Update to 2.9.11

For details see:

Release notes:
https://snort.org/downloads/snort/release_notes_2.9.11.txt

Changelog:
https://snort.org/downloads/snort/changelog_2.9.11.txt

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Start Core Update 116

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

xz: Update to 5.2.3

For details see:
https://git.tukaani.org/?p=xz.git;a=blob;f=NEWS;hb=HEAD

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

drop httpscert and merge to apache initskript

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core115: Add missing parameter to actually generate new certificates

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

finish core115

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core115: add extrahd.cgi to updater

this file was missing in early core114 testbuilds so ship it again.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Merge branch 'master' into core115

redirect to TLS WebUI if authorisation required

Do not allow credentials being submitted in plaintext to Apache.
Instead, redirect the user with a 301 to the TLS version of IPFire's
web interface.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Revert "Use best XZ compression for smaller images and packages"

This reverts commit 5fd54721c2275def506ac54cc2e4e810f57fa491.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Revert "cdrom: Use -8 as compression parameter"

This reverts commit 77ad762c430761bbf2d4be03bf2836d99685359d.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

cdrom: Use -8 as compression parameter

This is a better compromise on memory usage and file size

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Use best XZ compression for smaller images and packages

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

cdrom: Change format to XZ and compress in parallel

This allows us to use all processor cores to compress
the image faster.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

packages: Compress in parallel

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Fix localisations

Voucher was used instead of coupon in English, and Coupon
was used instead of Gutschein in German.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Simplify coupon time selection

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Reindent code for better readability

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Localise GREEN/BLUE

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Rootfile update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core115: Ship logrotate

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

logrotate: Update to 3.13.0

For details see:
https://github.com/logrotate/logrotate/releases

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

PDF-API2: Add optional dependencies to read TrueType fonts

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Make perl-PDF-API2 part of the base system

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

PDF-API2: Update to 2.033

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wpa_supplicant: Update to 2.6

For details see:
https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

KRACK attack: Patch wpa_supplicant & hostapd

A vulnerability was found in how a number of implementations can be
triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by
replaying a specific frame that is used to manage the keys. Such
reinstallation of the encryption key can result in two different types
of vulnerabilities: disabling replay protection and significantly
reducing the security of encryption to the point of allowing frames to
be decrypted or some parts of the keys to be determined by an attacker
depending on which cipher is used.

This fixes: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
  CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086,
  CVE-2017-13087, CVE-2017-13088

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

KRACK attack: Patch wpa_supplicant & hostapd

A vulnerability was found in how a number of implementations can be
triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by
replaying a specific frame that is used to manage the keys. Such
reinstallation of the encryption key can result in two different types
of vulnerabilities: disabling replay protection and significantly
reducing the security of encryption to the point of allowing frames to
be decrypted or some parts of the keys to be determined by an attacker
depending on which cipher is used.

This fixes: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
  CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086,
  CVE-2017-13087, CVE-2017-13088

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Allow PDF export of coupons

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

captive: Add headline to T&C box

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Download sources via HTTPS

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

installer: Fix detection if we have the correct ISO image mounted

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

installer: Allow download of ISO images over HTTPS

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipfire-netboot: Update to v2.0

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Update to 1.6.7

For details see:
http://www.unbound.net/download.html

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>