Revert "linux: Fix rootfile to ship GeoIP modules"

This reverts commit 460b6b40018b2900229b51396ab7ef92cf75768c.

linux: Fix rootfile to ship GeoIP modules

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

vpnmain.cgi: Fix writing ESP settings for PFS ciphers

The changes introduced due to #12091 caused IPsec ESP
to be invalid if PFS ciphers were selected. Code has
to read "!$pfs" instead of just "$pfs", as it should trigger
for ciphers _without_ Perfect Forward Secrecy.

Fixes #12099

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

vpnmain.cgi: remove wrongh "shift-space"

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core133: Ship jansson in update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

finish core133

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Tor: fix permissions after updating, too

Fixes #12088

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reported-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core133: Ship updated wpa_supplicant

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wpa_supplicant: Update to 2.8

For details see:
https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

smt: Only disable SMT when the kernel thinks it is vulnerable

On virtual machines, it does not make sense to disable SMT for the
virtual cores. This has to be done by the hypervisor.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ship language files in Core Update 133

These were missing in Core Update 132, and some strings
(especially on the "CPU vulnerabilities" page) missed translations.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Rootfile update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

convert-ids-modifysids-file: Fix check if the ids is running.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hostapd: Update to 2.8

For details see:
https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Rootfile update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Rootfile update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core133: Ship updated knot package

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

knot: Update to 2.8.2

For details see:
https://www.knot-dns.cz/2019-06-05-version-282.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Update contributors

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

suricata: Enable EVE logging

The EVE output facility outputs alerts, metadata, file info and protocol specific records through JSON.
for further informations please see --> https://suricata.readthedocs.io/en/suricata-4.1.2/output/eve/index.html .

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Acked-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

convert-ids-modifysids-file: Adjust code to use changed write_modify_sids_file function

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core133: Ship snort configuration converter

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

convert-snort: Adjust code to use changed modify_sids_file function.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ids-functions.pl: Rework function write_modify_sids_file().

Directly implement the logic to determine the used ruleset and if
IDS or IPS mode should be used into the function instead of pass those
details as arguments.

This helps to prevent from doing this stuff at several places again and again.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core133: Ship IPS changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

suricata: correct rule actions in IPS mode

In IPS mode rule actions need to be have the action 'drop' for the
protection to work, however this is not appropriate for all rules.
Modify the generator for oinkmaster-modify-sids.conf to leave
rules with the action 'alert' here this is appropriate.  Also add
a script to be run on update to correct existing downloaded rules.

Fixes #12086

Signed-off-by: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Tested-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core133: Ship IDS ruleset updater

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

update-ids-ruleset: Run as unprivileged user.

Check if the script has been launched as privileged user (root) and drop all
permissions by switching to the "nobody" user and group.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core133: Ship updated vpnmain.cgi file and regenerate configuration

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

vpnmain.cgi: Fix wrong cipher suite generation when PFS is disabled

Fixes: #12091
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

monit: Some fixes for 'monitrc'

Just cosmetics:
Removed all trailing spaces - there were a few...

Activated 'monit' start delay:
I activated this option to avoid running into a race condition while started through
'/etc/init.d/monit start'.

As mentioned in 'monit' manual:
"...if a service is slow to start, Monit can assume that the service is not running
and possibly try to start it [again] and raise an alert, while, in fact the service
is already about to start or already in its startup sequence."

This happened here during testing with (e.g.) Clamav.

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core133: Ship updated dhcp.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

dhcp.cgi: Save fixed leases immediately after addition of a new lease

This changes the behaviour of the script to immediately save the added
lease to file but still remain in edit mode to make changes.

If the user does not make any changes, the lease is immediately saved
and there is no second click required to write it to file.

This a more natural flow that is expected by almost all users of this
feature.

Fixes: #12050
Signed-off-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

SMT: Disable when system is vulnerable to L1TF (Foreshadow)

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Rootfile update for ARM kernels

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Rootfile update for gcc on i586

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core133: Ship updated PAM

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

linux-pam: Update to 1.3.1

For details see:
https://github.com/linux-pam/linux-pam/releases

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core133: Ship updated rrdtool

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

rrdtool: Update to 1.7.2

For details see:
https://oss.oetiker.ch/rrdtool/pub/CHANGES

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

BUG 11487:solve problem with unexspected shutdown

Solve problem with unexspected shutdown problem when checking a single client.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Rootfile update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: Set default ccache size to 4G

Since we have now one cache for each architecture, we do not
need to make it too large.

The largest build (i586 because of the two kernels) uses around
2.5GB after one build. So 4G will give us some space.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core133: Ship updated ovpnmain.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Fixed line break for LZO option

It is better readable if everything is in one line.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

monit: Update to 5.25.3

For details see:
https://mmonit.com/monit/changes/

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: Have a ccache for each architecture

It does not make much sense to mix architectures into a single
ccache:

* There is never going to be a match
* The cache gets bigger and therefore slower
* If both architectures are being compiled one after the other and
  the cache hits its maximum size, cached but still needed content
  will be dropped
* Only both can be deleted together

This small change splits this into multiple caches. One per
architecture. Therefore we should be more efficient on builders
that build for multiple architectures.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

miau: Drop package

This is not maintained since 2010

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

openssl: Update to 1.1.1c

Fixes CVE-2019-1543

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

strongswan: Update to 5.8.0

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

tshark: Update to 3.0.2

Incl. one vulnerability and several bug fixes. For full overview --> https://www.wireshark.org/docs/relnotes/wireshark-3.0.2.html .

- Disabled geoip support since libmaxminddb is not presant.
- Added dictionary in ROOTFILE to prevent "radius: Could not open file: '/usr/share/wireshark/radius/dictionary' " .
- Added CMAKE build type
- Removed profile examples and htmls completly from ROOTFILE.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ccache: Automatically set size to 8GB

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core133: Ship toolchain changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Rootfile update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hyperscan: Limit amount of memory being used during build

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ddns: Update to 011

Add support for two new providers and has some general bug fixes
included.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core133: Ship updated IPS ruleset sources

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ruleset-sources: Update snort dl urls.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

tor: Ship updated CGI

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

tor.cgi: Disable debugging output

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core133: Drop metadata for jansson package

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core133: Ship hyperscan

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hyperscan: Move rootfiles to arch directories

This package is only compiled on x86_64 and i586 and cannot
be packaged in any of the other architectures.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hyperscan: New package

This package adds hyperscan support to suricata

Fixes #12053.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ragel: New package

This is a build dependency of hyperscan

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

colm: New package

This is a build dependency of ragel, which is a build dependency of
hyperscan.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

asterisk: Remove dependency to jansson.

The package has become part of the main system.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

jansson: Move to core system and update to 2.12

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Rootfile update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core133: readd late core132 changes to core133

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Merge branch 'master' into next

core132: security conf should not executable

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

tor: Depend on libseccomp

Suggested-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ids-functions.pl: Do not delete the whitelist file on rulesdir cleanup.

Fixes #12087.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core132: set correct permissions of security settings file.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

vulnerabilities.cgi: again change colours

red - vulnerable
blue - mitigated
green - not affected

because we not really trust the mitigations so they shound not green.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

vulnerabilities.cgi fix string handling

remove lf at the end for correct matching
and not strip "Mitigated:" if it was not full working and still
vulnerable.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

vulnerabilities.cgi: Regard mitigations that only mitigate something still as vulnerable

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

vulnerabilities.cgi: Simplify regexes

We can do the split in one.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Merge branch 'toolchain' into next

Merge remote-tracking branch 'ms/faster-build' into next

core133: Ship updated squid

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

squid: Update to 4.7

For details see:

http://www.squid-cache.org/Versions/v4/changesets/

Fixes among other things the old 'filedescriptors' problem, so this patch was deleted.

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core133: Ship updated bind

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

bind: Update to 9.11.7

For details see:
http://ftp.isc.org/isc/bind9/9.11.7/RELEASE-NOTES-bind-9.11.7.html

"Security Fixes

  The TCP client quota set using the tcp-clients option could be exceeded in some cases.
  This could lead to exhaustion of file descriptors.
  This flaw is disclosed in CVE-2018-5743. [GL #615]"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Start Core Update 133

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

.gitignore: Ignore some backup files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

tor: Depend on libseccomp

Suggested-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Safe Search: Enable Restrict-Moderate for YouTube

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Update German translations

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

vulnerabilities.cgi: Regard mitigations that only mitigate something still as vulnerable

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

vulnerabilities.cgi: Simplify regexes

We can do the split in one.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Merge branch 'master' into next

vulnerablities: change to logic colours

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Merge branch 'next'

finish: core132

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

vulnerablities.cgi: add colours for vuln,smt and unknown output.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

kernel: update to 4.14.121

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

vnstat: fix errormessage at first boot

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

configroot: create main/security settings file

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>