Bump toolchain version

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Cleanup toolchain scripts

No functional changes, just some tidy up

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ccache: Update to 3.4.1

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

PAM: Drop shipped configuration

This is outdated, broken and has hardcoded passwords.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Drop perl-DBD-mysql

This package is not used by anything and depends on MySQL
which has been dropped, too.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Drop MySQL

This is outdated and still on 5.0.x and nobody volunteered to
update this package.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

asterisk: Do not depend on MySQL any more

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

postfix: Don't depend on amavis

This can be used together but there is no need to
always install amavis when someone wants to use postfix

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

postfix: Don't depend on MySQL any more

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

postfix: Don't ship our own configuration

This is outdated and half of it is not maintained any more.

Users should configure postfix themselves based on the
default configuration.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Drop pammysql

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Drop tcpwrapper

This library has been unused for quite a while

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Drop mISDN userspace tools

This is unsupported for quite a while and nobody should be using this.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Drop capi4k-utils

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core119: Remove dropped lcr package during update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core119: Import changed packages

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Start Core Update 119

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Rootfile update for bison

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

OpenVPN: Mark unsecure ciphers and DH-parameter as 'weak' in WUI menu

64 bit block ciphers like Blowfish, TDEA and CAST5 are vulnerable to the so called 'Birthday attacks' .
    Infos for 'Sweet32' Birthday attacks can be found in here
        https://sweet32.info/ .
    An Overview of 64 bit clock ciphers can also be found in here
        http://en.citizendium.org/wiki/Block_cipher/Catalogs/Cipher_list#64-bit_blocks

1024 bit Diffie-Hellman parameter has also been marked as weak causing the 'Logjam Attack' .
   Infos for 'Logjam Attack' can be found in here
        https://weakdh.org/ .

Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

index.cgi: Properly show IPsec subnets

Fixes: #11604
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: Bump toolchain version

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

qemu: Make it build with newer glibcs

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

nfs: Fix building with newer glibcs

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

glibc: Enable obsolete NSL

This will re-activate the deprecated NIS code on which lots of
software relies on so that we can have some extra time to migrate.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Config: Set PREFIX either to TOOLS_DIR or /usr

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: CFLAGS: There is no evidence that supports enabling retpoline in user space is a good idea

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

libtirpc: Fix build against newer glibcs

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

binutils: Update to 2.30

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

dma: Don't only use TLSv1

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

postfix: Temporarily disable NIS

This makes postfix FTBFS because glibc has removed their
RPC headers.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

glibc: Update to 2.27

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

flex: Patch against SEGV with newer glibc

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Revert "make.sh: Add -fstack-clash-protection on platforms that support it"

This reverts commit 18b82970b81a5bbd31b8922440a97e43d6f01566.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: Enable cheap out-of-bounds checks in C++ standard library

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: Add -fstack-clash-protection on platforms that support it

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: CFLAGS remove --param=ssp-buffer-size=4

This flag is useless with -fstack-protector-strong

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

pam: Update to 1.30.0

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: make requires pkg-config to run autoconf

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

iproute2: Update to 4.14.1

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hostname: Update to 3.20

Drops dependency to obsolete RPCSVC code in glibc.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make: Patch against SEGV when using globbing functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

toolchain: Add bison

This is required by glibc 2.27

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

gcc: fix gmp download

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

toolchain: update to gcc-7.3.0 and enable retpolines on x86_64 and i586

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

mdadm: fix build with gcc-7

sarg: update to 2.3.11 (needed for gcc-7)

powertop: update to v2.9 (needed for gcc-7)

bwm-ng: update to 0.6.1-f54b3fa (needed for gcc-7)

diffultis: update to 3.1.6 (needed for gcc-7)

u-boot: link missing header for gcc-7

vdr: disabled because it will not build with gcc-7

unbound: Fix reverse lookup zones

These should be stubs and overlay the internal zones that
unbound comes with.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Fixes: #11625

Fix capitalisation of "Root Certificate"

Reported-by: Tom Rymes <trymes@rymes.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Fixes: #10595

Update: nut to 2.7.4

Signed-off-by: Paul T. Simmons <mbatranch@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

bacula: Update to 9.0.6

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Drop lcr

Does not build with newer versions of Asterisk

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

asterisk: Update to 13.18.5

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Add new package: jansson

A JSON library required by asterisk >= 13

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

openvmtools: Update to 10.2.0

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

haproxy: Update to version 1.8.0

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

stunnel: Update to 5.44

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

nginx: Update to 1.13.7

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

swig: Update to 3.0.12

Required to build recent versions of m2crypto.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

postfix: Update to 3.2.4

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Drop libevent2-compat which doesn't build against OpenSSL 1.1

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core118: Ship changed vpnmain.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

syslogdctrl: Fix sed syntax issues

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core118: Ship changed ovpnmain.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

remove dropped pakages to make sure that apache not miss php files.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core118: Ship forgotten menu file

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

finish core118

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

clamav: Update to 0.99.3

Excerpt from 'README':

"ClamAV 0.99.3 is a hotfix release to patch a set of vulnerabilities.

- fixes for the following CVE's: CVE-2017-6418, CVE-2017-6420,
  CVE-2017-12374, CVE-2017-12375, CVE-2017-12376, CVE-2017-12377,
  CVE-2017-12378, CVE-2017-12379, CVE-2017-12380.
- also included are 2 minor fixes to properly detect openssl install
  locations on FreeBSD 11, and prevent false warnings about zlib 1.2.1#
  version numbers."

For details see:
http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

libvirt: update to version 4.0

This version works for me. Some others do not ..

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

python3-libvirt: drop this package

Since it is some work to update this package accordingly to the libvirt
version  and facing the fact that I know nobody who using this I suggest to drop this. If we
need this later we can just revert the commit.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

qemu: update to version 2.11

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

spice: update to version 0.14

For changelog see:
https://cgit.freedesktop.org/spice/spice/tree/NEWS

This update alos fixes: CVE-2016-9577, CVE-2016-9578, CVE-2017-7506

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

spice-protocol: update to version 0.12.13

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

opus: update to version 1.2.1

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

pyparsing: update to version 2.2.0

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Revert "Add Intel microcode updates from Jan 2018"

This reverts commit d404b1dba2a357e3683dbf62b95cefc41075c4ef.

Intel has pulled these microcode updates because of
random system reboots and systems becoming unstable.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Revert "core118: Ship microcode updates for Intel processors"

This reverts commit c015d425d177a18927f56cebd0d1b4d29a827d8b.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core118: Ship updated wget

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wget: Update to 1.9.4

Excerpts from changelog (Details => http://git.savannah.gnu.org/cgit/wget.git):

"Switch off compression by default

Gzip compression has a number of bugs which need to be ironed out before we can support it
by default. Some of these stem from a misunderstanding of the HTTP spec, but a lot of them
are also due to many web servers not
being compliant with RFC 7231.

With this commit, I am marking GZip compression support as experimental
in GNU Wget pending further investigation and the addition of tests.

* src/http.c (gethttp): Fix bug that prevented all files from being decompressed

* src/host.c (sufmatch): Fix to domain matching

Replace HTTP urls with HTTPS where valid

Avoid redirecting output to file when tcgetpgrp fails
* src/log.c (check_redirect_output): tcgetpgrp can return -1 (ENOTTY),
be sure to check whether a valid controlling terminal exists before
redirecting. (Fixes: #51181)

Fix heap overflow in HTTP protocol handling (CVE-2017-13090)

Fix stack overflow in HTTP protocol handling (CVE-2017-13089)"

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

nano: Update to 2.9.2

For details see:
https://www.nano-editor.org/news.php

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core118: Ship updated sed

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

sed: Update to 4.4

Hi,

'sed' hasn't been updated in IPFire for a few years - I thought it could
be worthy an update:

Excerpt from 'NEWS':

"* Noteworthy changes in release 4.4 (2017-02-03) [stable]

  sed could segfault when invoked with specific combination of newlines
  in the input and regex pattern. [Bug introduced in sed-4.3]"

"Noteworthy changes" from release 4.2.2 to 4.3 can be found in 'NEWS' file, too much
to list them all...

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core118: Ship LZ4

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

LZ4: New compression library.

New lossless data compression algorithm.

Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core118: Ship updated squid

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

squid 3.5.27: Patch for SA 2018:2

As announced, here is the second patch for 'squid 3.5.27'.

For details about this and the previous patch (2018_1) regarding "ESI Response
processing" and "HTTP message processing", see:

http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-announce-ADVISORY-SQUID-2018-1-Denial-of-Service-issue-in-ESI-Response-processing-tp4684618.html

http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-announce-ADVISORY-SQUID-2018-2-Denial-of-Service-issue-in-HTTP-Message-processing-td4684617.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

squid 3.5.27: Patch for SA 2018:1

http://www.squid-cache.org/Versions/v3/3.5/changesets/

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

firewall: Suppress warning about uninitialized array in GeoIP code

Fixes #11597

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

poppler is now linking against glib2

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ship updated CA bundle

Add new generated CA bundle files to updater and remove
accidentally inserted blank line at the end of certdata.txt .

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

update ca-certificates CA bundle

Update the CA certificates list to what Mozilla NSS ships currently.

The original file can be retrieved from: https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core118: Ship updated bind package

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

bind: Update to 9.11.2-P1

Fixes CVE-2017-3145 (https://kb.isc.org/article/AA-01542)

For details see:
http://ftp.isc.org/isc/bind9/9.11.2-P1/RELEASE-NOTES-bind-9.11.2-P1.html

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

syslogdctrl: Fix compiler error and SEGV

Fixes #11574

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Revert "misc-progs: syslogdctrl: Fix data type of protocol variable"

This reverts commit b269686f885757f5b251f04e50c3e87d2aebaf64.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core118: Ship updated unbound

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>