ipfire-2.x.git
2 days agotor: Depend on libseccomp next
Michael Tremer [Thu, 23 May 2019 00:50:29 +0000 (01:50 +0100)]
tor: Depend on libseccomp

Suggested-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 days agounbound: Safe Search: Enable Restrict-Moderate for YouTube
Michael Tremer [Wed, 22 May 2019 14:29:32 +0000 (15:29 +0100)]
unbound: Safe Search: Enable Restrict-Moderate for YouTube

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 days agoUpdate German translations
Michael Tremer [Wed, 22 May 2019 10:23:07 +0000 (11:23 +0100)]
Update German translations

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 days agovulnerabilities.cgi: Regard mitigations that only mitigate something still as vulnerable
Michael Tremer [Wed, 22 May 2019 10:08:43 +0000 (11:08 +0100)]
vulnerabilities.cgi: Regard mitigations that only mitigate something still as vulnerable

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 days agovulnerabilities.cgi: Simplify regexes
Michael Tremer [Wed, 22 May 2019 10:05:20 +0000 (11:05 +0100)]
vulnerabilities.cgi: Simplify regexes

We can do the split in one.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 days agoMerge branch 'master' into next
Arne Fitzenreiter [Wed, 22 May 2019 10:34:41 +0000 (12:34 +0200)]
Merge branch 'master' into next

3 days agovulnerablities: change to logic colours
Arne Fitzenreiter [Wed, 22 May 2019 10:34:03 +0000 (12:34 +0200)]
vulnerablities: change to logic colours

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agoMerge branch 'next'
Arne Fitzenreiter [Wed, 22 May 2019 08:38:02 +0000 (10:38 +0200)]
Merge branch 'next'

3 days agofinish: core132
Arne Fitzenreiter [Wed, 22 May 2019 08:33:20 +0000 (10:33 +0200)]
finish: core132

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agovulnerablities.cgi: add colours for vuln,smt and unknown output.
Arne Fitzenreiter [Wed, 22 May 2019 08:22:53 +0000 (10:22 +0200)]
vulnerablities.cgi: add colours for vuln,smt and unknown output.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agokernel: update to 4.14.121
Arne Fitzenreiter [Tue, 21 May 2019 18:42:51 +0000 (20:42 +0200)]
kernel: update to 4.14.121

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 days agovnstat: fix errormessage at first boot
Arne Fitzenreiter [Tue, 21 May 2019 18:36:16 +0000 (20:36 +0200)]
vnstat: fix errormessage at first boot

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 days agoconfigroot: create main/security settings file
Arne Fitzenreiter [Tue, 21 May 2019 13:03:21 +0000 (15:03 +0200)]
configroot: create main/security settings file

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 days agoweb-user-interface: update rootfile
Arne Fitzenreiter [Tue, 21 May 2019 13:02:54 +0000 (15:02 +0200)]
web-user-interface: update rootfile

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 days agocore132: Ship vulnerabilities.cgi
Michael Tremer [Mon, 20 May 2019 20:55:55 +0000 (21:55 +0100)]
core132: Ship vulnerabilities.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
4 days agoSMT: Show status on vulnerabilities.cgi
Michael Tremer [Mon, 20 May 2019 20:54:05 +0000 (21:54 +0100)]
SMT: Show status on vulnerabilities.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
4 days agovulnerabilities.cgi: Disable debugging output
Michael Tremer [Mon, 20 May 2019 20:39:03 +0000 (21:39 +0100)]
vulnerabilities.cgi: Disable debugging output

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
4 days agoAdd the new vulnerabilities CGI file to the System menu
Michael Tremer [Mon, 20 May 2019 20:38:20 +0000 (21:38 +0100)]
Add the new vulnerabilities CGI file to the System menu

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
4 days agoSMT: Apply settings according to configuration
Michael Tremer [Mon, 20 May 2019 20:30:26 +0000 (21:30 +0100)]
SMT: Apply settings according to configuration

SMT can be forced on.

By default, all systems that are vulnerable to RIDL/Fallout
will have SMT disabled by default.

Systems that are not vulnerable to that will keep SMT enabled.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
4 days agoAdd new CGI file to show CPU vulnerability status
Michael Tremer [Mon, 20 May 2019 20:17:17 +0000 (21:17 +0100)]
Add new CGI file to show CPU vulnerability status

This is supposed to help users to have an idea about
the status of the used hardware.

Additionally, it allows users to enable/disable SMT.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
4 days agosuricata: Ship updated rule download script
Michael Tremer [Mon, 20 May 2019 18:10:15 +0000 (19:10 +0100)]
suricata: Ship updated rule download script

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
4 days agoupdate-ids-ruleset: Release ids_page_lock when the downloader fails.
Stefan Schantl [Mon, 20 May 2019 18:06:22 +0000 (20:06 +0200)]
update-ids-ruleset: Release ids_page_lock when the downloader fails.

Fixes #12085.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
4 days agoids.cgi: Fix upstream proxy validation
Peter Müller [Sat, 18 May 2019 15:14:00 +0000 (15:14 +0000)]
ids.cgi: Fix upstream proxy validation

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
4 days agospectre-meltdown-checker: Update to 0.41
Michael Tremer [Mon, 20 May 2019 17:04:49 +0000 (18:04 +0100)]
spectre-meltdown-checker: Update to 0.41

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 days agoUpdate French translation
Stéphane Pautrel [Mon, 20 May 2019 09:59:12 +0000 (10:59 +0100)]
Update French translation

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 days agozoneconf: Reindent with tabs
Michael Tremer [Mon, 20 May 2019 09:56:13 +0000 (10:56 +0100)]
zoneconf: Reindent with tabs

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 days agoUpdate translations
Michael Tremer [Mon, 20 May 2019 09:55:02 +0000 (10:55 +0100)]
Update translations

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 days agoAdded reboot notice
Florian Bührle [Sun, 19 May 2019 21:33:45 +0000 (23:33 +0200)]
Added reboot notice

Added a reboot notice and made table rows more distinguishable by
alternating their background color. This improves usability.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 days agozoneconf: Switch rows/columns
Florian Bührle [Sun, 19 May 2019 21:04:24 +0000 (23:04 +0200)]
zoneconf: Switch rows/columns

This change is necessary because the table can grow larger than the main
container if a user has many NICs on their machine.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 days agoUpdate contributors
Michael Tremer [Mon, 20 May 2019 09:52:42 +0000 (10:52 +0100)]
Update contributors

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 days agocore132: Ship updated ovpnmain.cgi file
Michael Tremer [Mon, 20 May 2019 09:52:16 +0000 (10:52 +0100)]
core132: Ship updated ovpnmain.cgi file

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 days agoovpn_reorganize_encryption: Integrate LZO from global to advanced section
Erik Kapfer [Sat, 27 Apr 2019 14:05:51 +0000 (16:05 +0200)]
ovpn_reorganize_encryption: Integrate LZO from global to advanced section

Fixes: #11819

- Since the Voracle vulnerability, LZO is better placed under advanced section cause under specific circumstances it is exploitable.
- Warning/hint has been added in the option defaults description.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 days agoUpdate translations
Michael Tremer [Mon, 20 May 2019 09:51:09 +0000 (10:51 +0100)]
Update translations

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 days agoovpn_reorganize_encryption: Added tls-auth into global section
Erik Kapfer [Sat, 27 Apr 2019 14:05:50 +0000 (16:05 +0200)]
ovpn_reorganize_encryption: Added tls-auth into global section

- Since HMAC selection is already in global section, it makes sense to keep the encryption togehter.
- Given tls-auth better understandable name.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 days agoovpn_reorganize_encryption: Integrate HMAC selection to global section
Erik Kapfer [Sat, 27 Apr 2019 14:05:49 +0000 (16:05 +0200)]
ovpn_reorganize_encryption: Integrate HMAC selection to global section

Fixes: #12009 and #11824

- Since HMACs will be used in any configuration it is better placed in the global menu.
- Adapted global section to advanced and marked sections with a headline for better overview.
- Deleted old headline in advanced section cause it is not needed anymore.
- Added check if settings do not includes 'DAUTH', if possible SHA512 will be used and written to settings file.
    Old configurations with SHA1 will be untouched.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 days agotshark: Drop special package scripts
Michael Tremer [Mon, 20 May 2019 09:48:25 +0000 (10:48 +0100)]
tshark: Drop special package scripts

We are not doing anything different from the default here,
so we do not need an extra copy of them.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 days agotshark: New addon
Erik Kapfer [Sun, 19 May 2019 04:37:03 +0000 (06:37 +0200)]
tshark: New addon

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 days agoBUG 11696: VPN Subnets missing from wpad.dat
Oliver Fuhrer [Sun, 19 May 2019 13:30:52 +0000 (15:30 +0200)]
BUG 11696: VPN Subnets missing from wpad.dat

This patch fixes the behavior in 11696 and adds IPSEC and OpenVPN n2n subnets to wpad.dat so they don't pass through the proxy.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 days agotor: Bump release version
Michael Tremer [Mon, 20 May 2019 09:09:26 +0000 (10:09 +0100)]
tor: Bump release version

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 days agoTor: specify correct user for default configuration
Peter Müller [Sat, 18 May 2019 14:40:00 +0000 (14:40 +0000)]
Tor: specify correct user for default configuration

While being built with user/group set to "tor", the default
configuration still contains the old username.

This patch adjusts it to the correct value. The issue was
caused by insufficient testing, which I apologise for.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 days agomake.sh: comment to update backupiso if version change
Arne Fitzenreiter [Mon, 20 May 2019 05:24:04 +0000 (07:24 +0200)]
make.sh: comment to update backupiso if version change

It was to offten forgotten to update the backupiso script
that need to download the matching iso from the servers
so i added a comment.

no functional change

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 days agocore132: add log.dat to updater
Arne Fitzenreiter [Mon, 20 May 2019 05:14:12 +0000 (07:14 +0200)]
core132: add log.dat to updater

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 days agosuricata: Fixed logs.dat regex for suricata
Erik Kapfer [Sun, 19 May 2019 13:54:32 +0000 (15:54 +0200)]
suricata: Fixed logs.dat regex for suricata

Fixes: #12084

Since the Suricata regex did not match the messages output, Suricata was not displayed in the "System Logs" section in the WUI.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 days agosuricata: Limit to a maximum of "16" netfilter queues.
Stefan Schantl [Sun, 19 May 2019 16:52:23 +0000 (18:52 +0200)]
suricata: Limit to a maximum of "16" netfilter queues.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
7 days agoUpdate contributors
Michael Tremer [Sat, 18 May 2019 08:25:54 +0000 (09:25 +0100)]
Update contributors

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 days agoUpdate translations
Michael Tremer [Fri, 17 May 2019 22:36:53 +0000 (23:36 +0100)]
Update translations

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 days agoBUG11505: Captive Portal: no way to remove an uploaded logo
Alexander Marx [Thu, 24 May 2018 10:38:39 +0000 (12:38 +0200)]
BUG11505: Captive Portal: no way to remove an uploaded logo

added a delete button

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 days agocore132: Ship updated apache configuration
Michael Tremer [Fri, 17 May 2019 19:30:13 +0000 (20:30 +0100)]
core132: Ship updated apache configuration

A reload would be sufficient.

I could not find why apache needs to be restarted.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 days agohttpd: prefer AES-GCM ciphers over AES-CBC
Peter Müller [Wed, 15 May 2019 17:01:00 +0000 (17:01 +0000)]
httpd: prefer AES-GCM ciphers over AES-CBC

CBC ciphers are vulnerable to a bunch of attacks (being
rather academic so far) such as MAC-then-encrypt or
padding oracle.

These seem to be more serious (see
https://blog.qualys.com/technology/2019/04/22/zombie-poodle-and-goldendoodle-vulnerabilities
for further readings) which is why they should be used
for interoperability purposes only.

I plan to remove AES-CBC ciphers for the WebUI at the
end of the year, provided overall security landscape
has not changed until that.

This patch changes the WebUI cipherlist to:
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256

(AES-CBC + ECDSA will be preferred over RSA for performance
reasons. As this cipher order cannot be trivially rebuilt with
OpenSSL cipher stings, it has to be hard-coded.)

All working clients will stay compatible.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 days agoFix version information in backupiso script
Michael Tremer [Fri, 17 May 2019 18:52:27 +0000 (19:52 +0100)]
Fix version information in backupiso script

Fixes: #12083
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
8 days agokernel: update to 4.14.120
Arne Fitzenreiter [Fri, 17 May 2019 05:10:52 +0000 (07:10 +0200)]
kernel: update to 4.14.120

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
9 days agokernel: update to 4.14.119
Arne Fitzenreiter [Thu, 16 May 2019 12:26:04 +0000 (14:26 +0200)]
kernel: update to 4.14.119

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
10 days agointel-microcode: update to 20190514
Arne Fitzenreiter [Wed, 15 May 2019 11:17:26 +0000 (13:17 +0200)]
intel-microcode: update to 20190514

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 weeks agocore132: Ship changes to unbound
Michael Tremer [Sat, 11 May 2019 03:24:29 +0000 (04:24 +0100)]
core132: Ship changes to unbound

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agounbound: Add Safe Search
Michael Tremer [Sat, 11 May 2019 03:19:37 +0000 (04:19 +0100)]
unbound: Add Safe Search

This is a feature that will filter adult content from search
engine's results.

The old method of rewriting the HTTP request no longer works.

This method changes the DNS response for supported search engines
which violates our belief in DNSSEC and won't allow these search
engines to ever enable DNSSEC.

However, there is no better solution available to this and this
an optional feature, too.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
2 weeks agocore132: Ship updated urlfilter.cgi
Michael Tremer [Sat, 11 May 2019 03:18:08 +0000 (04:18 +0100)]
core132: Ship updated urlfilter.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agoURL Filter: Drop Safe Search feature
Michael Tremer [Tue, 30 Apr 2019 16:06:08 +0000 (17:06 +0100)]
URL Filter: Drop Safe Search feature

This is not working for quite some time now because all search
engines have moved over to HTTPS. Therefore we no longer can
manipulate the URL query string.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agoigmpproxy: Update to 0.2.1
Michael Tremer [Sat, 11 May 2019 01:20:15 +0000 (02:20 +0100)]
igmpproxy: Update to 0.2.1

This updates the package to its latest upstream version and should
be able to support IGMPv3.

Fixes: #12074
Suggested-by: Marc Roland <marc.roland@outlook.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agoPakfire: Add Core-Version to "status"
Alexander Koch [Thu, 9 May 2019 21:55:58 +0000 (23:55 +0200)]
Pakfire: Add Core-Version to "status"

Add the IPFire-Core-Version to the status message.

Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agoTor: update to 0.4.0.5
Peter Müller [Thu, 9 May 2019 20:06:00 +0000 (20:06 +0000)]
Tor: update to 0.4.0.5

See https://blog.torproject.org/new-release-tor-0405 for release
announcements.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agocore132: Ship updated hwdata
Michael Tremer [Fri, 10 May 2019 03:20:17 +0000 (04:20 +0100)]
core132: Ship updated hwdata

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agohwdata: update PCI/USB databases
Peter Müller [Thu, 9 May 2019 13:40:00 +0000 (13:40 +0000)]
hwdata: update PCI/USB databases

PCI IDs: 2019-05-03 03:15:03
USB IDs: 2019-05-08 20:34:05

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agocore132: Ship updated ca-certificates
Michael Tremer [Fri, 10 May 2019 03:19:05 +0000 (04:19 +0100)]
core132: Ship updated ca-certificates

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agoupdate ca-certificates CA bundle
Peter Müller [Thu, 9 May 2019 13:24:00 +0000 (13:24 +0000)]
update ca-certificates CA bundle

Update the CA certificates list to what Mozilla NSS ships currently.

The original file can be retrieved from:
https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agoUpdate translations
Michael Tremer [Fri, 10 May 2019 03:16:39 +0000 (04:16 +0100)]
Update translations

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agoConfig: Disable XZ parallelism by default
Michael Tremer [Fri, 10 May 2019 02:36:58 +0000 (03:36 +0100)]
Config: Disable XZ parallelism by default

Exporting XZ_OPT caused that every time xz was called, it automatically
enabled parallelism. The make systemm also launches multiple processes
at the same time to use more processor cores at the same time.

The combination of this causes memory exhaustion even on large systems
and has no performance gain. Therefore this is disabled by default
and only enabled where we need it which is already the case.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agozoneconf: Fix bug that resultet from last fix
Florian Bührle [Sat, 11 May 2019 12:38:39 +0000 (14:38 +0200)]
zoneconf: Fix bug that resultet from last fix

Fix bug that prevents users from assigning NIC to RED if RED is in PPP
mode

2 weeks agozoneconf: Fix bug in NIC assignment; Change visibility of unused zones
Florian Bührle [Sat, 11 May 2019 11:28:12 +0000 (13:28 +0200)]
zoneconf: Fix bug in NIC assignment; Change visibility of unused zones

Fix a bug that allows users to add multiple NICs to non-bridged zones.
This fix includes a new error message.

Unused zones are now invisible instead of grey.

2 weeks agorouting: Fix potential authenticated XSS in input processing
Michael Tremer [Thu, 9 May 2019 13:51:40 +0000 (14:51 +0100)]
routing: Fix potential authenticated XSS in input processing

An authenticated Stored XSS (Cross-site Scripting) exists in the
(https://192.168.0.241:444/cgi-bin/routing.cgi) Routing Table Entries
via the "Remark" text box  or "remark" parameter. This is due to a
lack of user input validation in "Remark" text box  or "remark"
parameter. It allows an authenticated WebGUI user with privileges
for the affected page to execute Stored Cross-site Scripting in
the Routing Table Entries (/cgi-bin/routing.cgi), which helps
attacker to redirect the victim to a attacker's phishing page.

The Stored XSS get prompted on the victims page whenever victim
tries to access the Routing Table Entries configuraiton page.

An attacker get access to the victim's session by performing
the CSRF and gather the cookie and session id's or possibly can
change the victims configuration using this Stored XSS.

This attack can possibly spoof the victim's informations.

Fixes: #12072
Reported-by: Dharmesh Baskaran <dharmesh201093@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agozoneconf: Remove red warning
Michael Tremer [Thu, 9 May 2019 15:16:35 +0000 (17:16 +0200)]
zoneconf: Remove red warning

This is a bit shouty and there are various places where we do not
warn about this problem, so this patch makes it more consistent.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agozoneconf: Fix spelling
Michael Tremer [Thu, 9 May 2019 15:13:52 +0000 (17:13 +0200)]
zoneconf: Fix spelling

This patch mainly changes "Macvtap" to the branded spelling and removes
short forms as well as hyphenation in German compound nouns.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agozoneconf: Move "None" option to the top
Michael Tremer [Thu, 9 May 2019 15:11:24 +0000 (17:11 +0200)]
zoneconf: Move "None" option to the top

This is a more natural order of the options to me

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agoweb-user-interface: Ship new zoneconf.cgi file
Michael Tremer [Thu, 9 May 2019 14:43:04 +0000 (15:43 +0100)]
web-user-interface: Ship new zoneconf.cgi file

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agocore132: Ship updated captive.cgi
Michael Tremer [Thu, 9 May 2019 12:17:16 +0000 (13:17 +0100)]
core132: Ship updated captive.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agocaptive: Fix potential authenticated XSS in title processing
Michael Tremer [Tue, 7 May 2019 20:36:21 +0000 (21:36 +0100)]
captive: Fix potential authenticated XSS in title processing

An authenticated Stored XSS (Cross-site Scripting) exists in the
(https://localhost:444/cgi-bin/captive.cgi) Captive Portal via the
"Title of Login Page" text box or "TITLE" parameter. This is due to
a lack of user input validation in "Title of Login Page" text box
or "TITLE" parameter. It allows an authenticated WebGUI user with
privileges for the affected page to execute Stored Cross-site
Scripting in the Captive Portal page (/cgi-bin/captive.cgi), which
helps attacker to redirect the victim to a attacker's page.

The Stored XSS get prompted on the victims page whenever victim
tries to access the Captive Portal page.

An attacker get access to the victim's session by performing the
CSRF and gather the cookie and session id's or possibly can
change the victims configuration using this Stored XSS.

This attack can possibly spoof the victim's informations.

Fixes: #12071
Reported-by: Dharmesh Baskaran <dharmesh201093@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agoguardian: Remove snort related options.
Stefan Schantl [Tue, 7 May 2019 17:17:16 +0000 (19:17 +0200)]
guardian: Remove snort related options.

IPFire has moved to suricata as IDS/IPS system, therefore all snort related
options has become obsolete.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 weeks agocore132: Ship VLAN GUI
Michael Tremer [Wed, 8 May 2019 11:14:46 +0000 (12:14 +0100)]
core132: Ship VLAN GUI

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agowebif: Add a GUI for configuring VLAN interfaces
Florian Bührle [Wed, 8 May 2019 10:56:18 +0000 (11:56 +0100)]
webif: Add a GUI for configuring VLAN interfaces

This patch adds a new CGI file which allows users to edit the
VLAN configuration as well as configuring zones as bridges.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agoudev: Accept MAC addresses for PARENT_DEV
Florian Bührle [Wed, 8 May 2019 10:43:11 +0000 (11:43 +0100)]
udev: Accept MAC addresses for PARENT_DEV

This allows us to create VLAN interfaces even when the
name of the parent interface might vary.

This patch also appends the VLAN tag to interfaces
when the zone is in bridge mode.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agoguardian: Remove snort related options.
Stefan Schantl [Tue, 7 May 2019 17:17:16 +0000 (19:17 +0200)]
guardian: Remove snort related options.

IPFire has moved to suricata as IDS/IPS system, therefore all snort related
options has become obsolete.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 weeks agosquid: Link against libatomic on ARM
Michael Tremer [Tue, 7 May 2019 21:54:11 +0000 (22:54 +0100)]
squid: Link against libatomic on ARM

This package failed to build on ARM because atomic functions
are being emulated on ARM32 and the required library was not
linked.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agoxfsprogs: Disable LTO on armv5tel
Michael Tremer [Tue, 7 May 2019 20:19:53 +0000 (21:19 +0100)]
xfsprogs: Disable LTO on armv5tel

LTO fails on ARM, but since we do not require it, we can
disable it here.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agocore132: Ship updated pakfire files
Michael Tremer [Tue, 7 May 2019 22:53:43 +0000 (23:53 +0100)]
core132: Ship updated pakfire files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agozabbix_agentd: Add UserParameter for Pakfire Status
Alexander Koch [Sat, 27 Apr 2019 19:26:46 +0000 (21:26 +0200)]
zabbix_agentd: Add UserParameter for Pakfire Status

Ship the UserParameter for monitoring the status of pakfire for keeping track of available updates etc.

Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agoPakfire: Add new command line argument "status"
Alexander Koch [Sat, 27 Apr 2019 19:26:45 +0000 (21:26 +0200)]
Pakfire: Add new command line argument "status"

This enables Pakfire to return a Status-Summary for the Current Core-Update-Level, time since last updates, the availability of a core-/packet-update and if a reboot is required to complete an update. This can be used by monitoring agents (e.g. zabbix_agentd) to monitor the update status of the IPFire device.

Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agozabbix_agentd: update to 4.2.1
Alexander Koch [Sat, 27 Apr 2019 19:26:44 +0000 (21:26 +0200)]
zabbix_agentd: update to 4.2.1

Release notes: https://www.zabbix.com/rn/rn4.2.1

Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agocore132: Ship updated libedit
Michael Tremer [Tue, 7 May 2019 22:50:26 +0000 (23:50 +0100)]
core132: Ship updated libedit

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agolibedit: Update to 20190324-3.1
Matthias Fischer [Wed, 1 May 2019 17:32:15 +0000 (19:32 +0200)]
libedit: Update to 20190324-3.1

For details see:
https://thrysoee.dk/editline/

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agocore132: Ship updated knot
Michael Tremer [Tue, 7 May 2019 22:49:47 +0000 (23:49 +0100)]
core132: Ship updated knot

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agoknot: Update to 2.8.1
Matthias Fischer [Wed, 1 May 2019 17:28:16 +0000 (19:28 +0200)]
knot: Update to 2.8.1

For details see:
https://www.knot-dns.cz/2019-04-09-version-281.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agocore132: Ship updated bind
Michael Tremer [Tue, 7 May 2019 22:48:41 +0000 (23:48 +0100)]
core132: Ship updated bind

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agobind: Update to 9.11.6-P1
Matthias Fischer [Sat, 27 Apr 2019 00:19:34 +0000 (02:19 +0200)]
bind: Update to 9.11.6-P1

For details see:
http://ftp.isc.org/isc/bind9/9.11.6-P1/RELEASE-NOTES-bind-9.11.6-P1.html

"Security Fixes

 The TCP client quota set using the tcp-clients option could be exceeded in some cases.
 This could lead to exhaustion of file descriptors. This flaw is disclosed in CVE-2018-5743.
 [GL #615]"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agocore132: Ship updated dhcpcd
Michael Tremer [Tue, 7 May 2019 22:46:36 +0000 (23:46 +0100)]
core132: Ship updated dhcpcd

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agodhcpcd: Update to 7.2.2
Matthias Fischer [Sat, 4 May 2019 19:59:15 +0000 (21:59 +0200)]
dhcpcd: Update to 7.2.2

For details see:
https://roy.marples.name/

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 weeks agofirewall: Allow SNAT rules with RED interface
Michael Tremer [Tue, 7 May 2019 22:44:44 +0000 (23:44 +0100)]
firewall: Allow SNAT rules with RED interface

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks agosuricata: Update to 4.1.4 core131 v2.23-core131
Stefan Schantl [Wed, 1 May 2019 18:19:01 +0000 (20:19 +0200)]
suricata: Update to 4.1.4

This is a minor update to the latest available version from
the suricata 4.1 series.

Fixes #12068.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 weeks agosuricata: Update to 4.1.4
Stefan Schantl [Wed, 1 May 2019 18:19:01 +0000 (20:19 +0200)]
suricata: Update to 4.1.4

This is a minor update to the latest available version from
the suricata 4.1 series.

Fixes #12068.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 weeks agosuricata: Remove PID file on stop
Stefan Schantl [Wed, 1 May 2019 15:03:06 +0000 (17:03 +0200)]
suricata: Remove PID file on stop

Force the initscript to remove the PID file when calling "stop" section.

If suricata crashes during startup, the PID file still remains and the service
cannot be started anymore until the file has been deleted.

Now when calling "stop" or "restart" the PID file will be deleted and the service
can be used again.

Fixes #12067.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 weeks agoupdate-ids-ruleset: Set correct ownership for the rulestarball.
Stefan Schantl [Wed, 1 May 2019 14:49:25 +0000 (16:49 +0200)]
update-ids-ruleset: Set correct ownership for the rulestarball.

The script usualy will be executed by cron which will start it with
root permissions, so the downloaded tarball is owned by this user.

This has to be changed to the user which runs the WUI (nobody:nobody) to
allow, changing the ruleset to an other one and to display the ruleset area.

Fixes #12066

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 weeks agoMerge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
Arne Fitzenreiter [Wed, 1 May 2019 16:04:36 +0000 (18:04 +0200)]
Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next