ipfire-2.x.git
3 weeks agofinish: core132
Arne Fitzenreiter [Wed, 22 May 2019 08:33:20 +0000 (10:33 +0200)]
finish: core132

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 weeks agovulnerablities.cgi: add colours for vuln,smt and unknown output.
Arne Fitzenreiter [Wed, 22 May 2019 08:22:53 +0000 (10:22 +0200)]
vulnerablities.cgi: add colours for vuln,smt and unknown output.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 weeks agokernel: update to 4.14.121
Arne Fitzenreiter [Tue, 21 May 2019 18:42:51 +0000 (20:42 +0200)]
kernel: update to 4.14.121

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 weeks agovnstat: fix errormessage at first boot
Arne Fitzenreiter [Tue, 21 May 2019 18:36:16 +0000 (20:36 +0200)]
vnstat: fix errormessage at first boot

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 weeks agoconfigroot: create main/security settings file
Arne Fitzenreiter [Tue, 21 May 2019 13:03:21 +0000 (15:03 +0200)]
configroot: create main/security settings file

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 weeks agoweb-user-interface: update rootfile
Arne Fitzenreiter [Tue, 21 May 2019 13:02:54 +0000 (15:02 +0200)]
web-user-interface: update rootfile

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 weeks agocore132: Ship vulnerabilities.cgi
Michael Tremer [Mon, 20 May 2019 20:55:55 +0000 (21:55 +0100)]
core132: Ship vulnerabilities.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks agoSMT: Show status on vulnerabilities.cgi
Michael Tremer [Mon, 20 May 2019 20:54:05 +0000 (21:54 +0100)]
SMT: Show status on vulnerabilities.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks agovulnerabilities.cgi: Disable debugging output
Michael Tremer [Mon, 20 May 2019 20:39:03 +0000 (21:39 +0100)]
vulnerabilities.cgi: Disable debugging output

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks agoAdd the new vulnerabilities CGI file to the System menu
Michael Tremer [Mon, 20 May 2019 20:38:20 +0000 (21:38 +0100)]
Add the new vulnerabilities CGI file to the System menu

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks agoSMT: Apply settings according to configuration
Michael Tremer [Mon, 20 May 2019 20:30:26 +0000 (21:30 +0100)]
SMT: Apply settings according to configuration

SMT can be forced on.

By default, all systems that are vulnerable to RIDL/Fallout
will have SMT disabled by default.

Systems that are not vulnerable to that will keep SMT enabled.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks agoAdd new CGI file to show CPU vulnerability status
Michael Tremer [Mon, 20 May 2019 20:17:17 +0000 (21:17 +0100)]
Add new CGI file to show CPU vulnerability status

This is supposed to help users to have an idea about
the status of the used hardware.

Additionally, it allows users to enable/disable SMT.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks agosuricata: Ship updated rule download script
Michael Tremer [Mon, 20 May 2019 18:10:15 +0000 (19:10 +0100)]
suricata: Ship updated rule download script

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks agoupdate-ids-ruleset: Release ids_page_lock when the downloader fails.
Stefan Schantl [Mon, 20 May 2019 18:06:22 +0000 (20:06 +0200)]
update-ids-ruleset: Release ids_page_lock when the downloader fails.

Fixes #12085.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks agoids.cgi: Fix upstream proxy validation
Peter Müller [Sat, 18 May 2019 15:14:00 +0000 (15:14 +0000)]
ids.cgi: Fix upstream proxy validation

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks agospectre-meltdown-checker: Update to 0.41
Michael Tremer [Mon, 20 May 2019 17:04:49 +0000 (18:04 +0100)]
spectre-meltdown-checker: Update to 0.41

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks agoUpdate French translation
Stéphane Pautrel [Mon, 20 May 2019 09:59:12 +0000 (10:59 +0100)]
Update French translation

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks agozoneconf: Reindent with tabs
Michael Tremer [Mon, 20 May 2019 09:56:13 +0000 (10:56 +0100)]
zoneconf: Reindent with tabs

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks agoUpdate translations
Michael Tremer [Mon, 20 May 2019 09:55:02 +0000 (10:55 +0100)]
Update translations

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks agoAdded reboot notice
Florian Bührle [Sun, 19 May 2019 21:33:45 +0000 (23:33 +0200)]
Added reboot notice

Added a reboot notice and made table rows more distinguishable by
alternating their background color. This improves usability.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks agozoneconf: Switch rows/columns
Florian Bührle [Sun, 19 May 2019 21:04:24 +0000 (23:04 +0200)]
zoneconf: Switch rows/columns

This change is necessary because the table can grow larger than the main
container if a user has many NICs on their machine.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks agoUpdate contributors
Michael Tremer [Mon, 20 May 2019 09:52:42 +0000 (10:52 +0100)]
Update contributors

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks agocore132: Ship updated ovpnmain.cgi file
Michael Tremer [Mon, 20 May 2019 09:52:16 +0000 (10:52 +0100)]
core132: Ship updated ovpnmain.cgi file

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks agoovpn_reorganize_encryption: Integrate LZO from global to advanced section
Erik Kapfer [Sat, 27 Apr 2019 14:05:51 +0000 (16:05 +0200)]
ovpn_reorganize_encryption: Integrate LZO from global to advanced section

Fixes: #11819

- Since the Voracle vulnerability, LZO is better placed under advanced section cause under specific circumstances it is exploitable.
- Warning/hint has been added in the option defaults description.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks agoUpdate translations
Michael Tremer [Mon, 20 May 2019 09:51:09 +0000 (10:51 +0100)]
Update translations

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks agoovpn_reorganize_encryption: Added tls-auth into global section
Erik Kapfer [Sat, 27 Apr 2019 14:05:50 +0000 (16:05 +0200)]
ovpn_reorganize_encryption: Added tls-auth into global section

- Since HMAC selection is already in global section, it makes sense to keep the encryption togehter.
- Given tls-auth better understandable name.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks agoovpn_reorganize_encryption: Integrate HMAC selection to global section
Erik Kapfer [Sat, 27 Apr 2019 14:05:49 +0000 (16:05 +0200)]
ovpn_reorganize_encryption: Integrate HMAC selection to global section

Fixes: #12009 and #11824

- Since HMACs will be used in any configuration it is better placed in the global menu.
- Adapted global section to advanced and marked sections with a headline for better overview.
- Deleted old headline in advanced section cause it is not needed anymore.
- Added check if settings do not includes 'DAUTH', if possible SHA512 will be used and written to settings file.
    Old configurations with SHA1 will be untouched.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks agotshark: Drop special package scripts
Michael Tremer [Mon, 20 May 2019 09:48:25 +0000 (10:48 +0100)]
tshark: Drop special package scripts

We are not doing anything different from the default here,
so we do not need an extra copy of them.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks agotshark: New addon
Erik Kapfer [Sun, 19 May 2019 04:37:03 +0000 (06:37 +0200)]
tshark: New addon

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks agoBUG 11696: VPN Subnets missing from wpad.dat
Oliver Fuhrer [Sun, 19 May 2019 13:30:52 +0000 (15:30 +0200)]
BUG 11696: VPN Subnets missing from wpad.dat

This patch fixes the behavior in 11696 and adds IPSEC and OpenVPN n2n subnets to wpad.dat so they don't pass through the proxy.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks agotor: Bump release version
Michael Tremer [Mon, 20 May 2019 09:09:26 +0000 (10:09 +0100)]
tor: Bump release version

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks agoTor: specify correct user for default configuration
Peter Müller [Sat, 18 May 2019 14:40:00 +0000 (14:40 +0000)]
Tor: specify correct user for default configuration

While being built with user/group set to "tor", the default
configuration still contains the old username.

This patch adjusts it to the correct value. The issue was
caused by insufficient testing, which I apologise for.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 weeks agomake.sh: comment to update backupiso if version change
Arne Fitzenreiter [Mon, 20 May 2019 05:24:04 +0000 (07:24 +0200)]
make.sh: comment to update backupiso if version change

It was to offten forgotten to update the backupiso script
that need to download the matching iso from the servers
so i added a comment.

no functional change

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 weeks agocore132: add log.dat to updater
Arne Fitzenreiter [Mon, 20 May 2019 05:14:12 +0000 (07:14 +0200)]
core132: add log.dat to updater

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 weeks agosuricata: Fixed logs.dat regex for suricata
Erik Kapfer [Sun, 19 May 2019 13:54:32 +0000 (15:54 +0200)]
suricata: Fixed logs.dat regex for suricata

Fixes: #12084

Since the Suricata regex did not match the messages output, Suricata was not displayed in the "System Logs" section in the WUI.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 weeks agosuricata: Limit to a maximum of "16" netfilter queues.
Stefan Schantl [Sun, 19 May 2019 16:52:23 +0000 (18:52 +0200)]
suricata: Limit to a maximum of "16" netfilter queues.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 weeks agoUpdate contributors
Michael Tremer [Sat, 18 May 2019 08:25:54 +0000 (09:25 +0100)]
Update contributors

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
4 weeks agoUpdate translations
Michael Tremer [Fri, 17 May 2019 22:36:53 +0000 (23:36 +0100)]
Update translations

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
4 weeks agoBUG11505: Captive Portal: no way to remove an uploaded logo
Alexander Marx [Thu, 24 May 2018 10:38:39 +0000 (12:38 +0200)]
BUG11505: Captive Portal: no way to remove an uploaded logo

added a delete button

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
4 weeks agocore132: Ship updated apache configuration
Michael Tremer [Fri, 17 May 2019 19:30:13 +0000 (20:30 +0100)]
core132: Ship updated apache configuration

A reload would be sufficient.

I could not find why apache needs to be restarted.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
4 weeks agohttpd: prefer AES-GCM ciphers over AES-CBC
Peter Müller [Wed, 15 May 2019 17:01:00 +0000 (17:01 +0000)]
httpd: prefer AES-GCM ciphers over AES-CBC

CBC ciphers are vulnerable to a bunch of attacks (being
rather academic so far) such as MAC-then-encrypt or
padding oracle.

These seem to be more serious (see
https://blog.qualys.com/technology/2019/04/22/zombie-poodle-and-goldendoodle-vulnerabilities
for further readings) which is why they should be used
for interoperability purposes only.

I plan to remove AES-CBC ciphers for the WebUI at the
end of the year, provided overall security landscape
has not changed until that.

This patch changes the WebUI cipherlist to:
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256

(AES-CBC + ECDSA will be preferred over RSA for performance
reasons. As this cipher order cannot be trivially rebuilt with
OpenSSL cipher stings, it has to be hard-coded.)

All working clients will stay compatible.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
4 weeks agoFix version information in backupiso script
Michael Tremer [Fri, 17 May 2019 18:52:27 +0000 (19:52 +0100)]
Fix version information in backupiso script

Fixes: #12083
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
4 weeks agokernel: update to 4.14.120
Arne Fitzenreiter [Fri, 17 May 2019 05:10:52 +0000 (07:10 +0200)]
kernel: update to 4.14.120

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 weeks agokernel: update to 4.14.119
Arne Fitzenreiter [Thu, 16 May 2019 12:26:04 +0000 (14:26 +0200)]
kernel: update to 4.14.119

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 weeks agointel-microcode: update to 20190514
Arne Fitzenreiter [Wed, 15 May 2019 11:17:26 +0000 (13:17 +0200)]
intel-microcode: update to 20190514

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 weeks agoUpdate kernel rootfiles for armv5tel
Michael Tremer [Tue, 14 May 2019 09:02:03 +0000 (10:02 +0100)]
Update kernel rootfiles for armv5tel

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
4 weeks agoUpdate kernel rootfiles for aarch64
Michael Tremer [Mon, 13 May 2019 15:31:14 +0000 (16:31 +0100)]
Update kernel rootfiles for aarch64

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
4 weeks agoxtables-addons: Explicitely add path for alternative kernels
Michael Tremer [Sun, 12 May 2019 09:21:32 +0000 (10:21 +0100)]
xtables-addons: Explicitely add path for alternative kernels

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
4 weeks agolinux: Fix touching incorrect version.h
Michael Tremer [Sun, 12 May 2019 09:20:57 +0000 (10:20 +0100)]
linux: Fix touching incorrect version.h

This file has moved and the touch command created an empty version
of the file which caused that builds depending on that did not
complete.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
4 weeks agolinux: objtool does not exist on all platforms
Michael Tremer [Sun, 12 May 2019 08:28:10 +0000 (09:28 +0100)]
linux: objtool does not exist on all platforms

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agocore132: Ship changes to unbound
Michael Tremer [Sat, 11 May 2019 03:24:29 +0000 (04:24 +0100)]
core132: Ship changes to unbound

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agounbound: Add Safe Search
Michael Tremer [Sat, 11 May 2019 03:19:37 +0000 (04:19 +0100)]
unbound: Add Safe Search

This is a feature that will filter adult content from search
engine's results.

The old method of rewriting the HTTP request no longer works.

This method changes the DNS response for supported search engines
which violates our belief in DNSSEC and won't allow these search
engines to ever enable DNSSEC.

However, there is no better solution available to this and this
an optional feature, too.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
5 weeks agocore132: Ship updated urlfilter.cgi
Michael Tremer [Sat, 11 May 2019 03:18:08 +0000 (04:18 +0100)]
core132: Ship updated urlfilter.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agoURL Filter: Drop Safe Search feature
Michael Tremer [Tue, 30 Apr 2019 16:06:08 +0000 (17:06 +0100)]
URL Filter: Drop Safe Search feature

This is not working for quite some time now because all search
engines have moved over to HTTPS. Therefore we no longer can
manipulate the URL query string.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agoigmpproxy: Update to 0.2.1
Michael Tremer [Sat, 11 May 2019 01:20:15 +0000 (02:20 +0100)]
igmpproxy: Update to 0.2.1

This updates the package to its latest upstream version and should
be able to support IGMPv3.

Fixes: #12074
Suggested-by: Marc Roland <marc.roland@outlook.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agoxtables-addons: Automatically detect location of kernel source
Michael Tremer [Fri, 10 May 2019 09:25:46 +0000 (10:25 +0100)]
xtables-addons: Automatically detect location of kernel source

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agolinux: Install kernel build system to /lib/modules
Michael Tremer [Fri, 10 May 2019 09:12:50 +0000 (10:12 +0100)]
linux: Install kernel build system to /lib/modules

This is necessary so that we can clean up /usr/src after
each build and do not waste any space on the massive kernel
source.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agomake.sh: Append -ipfire to fake kernel string
Michael Tremer [Fri, 10 May 2019 09:10:25 +0000 (10:10 +0100)]
make.sh: Append -ipfire to fake kernel string

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agomake.sh: Automatically enable build ramdisk on systems with 4GB RAM or more
Michael Tremer [Fri, 10 May 2019 02:38:49 +0000 (03:38 +0100)]
make.sh: Automatically enable build ramdisk on systems with 4GB RAM or more

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agoiptables: Fix build without kernel source
Michael Tremer [Thu, 9 May 2019 17:16:20 +0000 (18:16 +0100)]
iptables: Fix build without kernel source

The layer7 filter header files were not installed into /usr/include
and therefore we needed to keep the whole kernel source tree.

This is just a waste of space and this patch fixes this.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agomake.sh: Mount /usr/src in memory for faster build
Michael Tremer [Wed, 8 May 2019 18:16:26 +0000 (19:16 +0100)]
make.sh: Mount /usr/src in memory for faster build

This patch enables that /usr/src is a ramdisk which should
give us fewer I/O operations when extracting tarballs or
writing small intermediate files by the compiler.

In some virtualised environments this should bring a good
performance boost.

There is no persistent data stored in this directory and
some persistent directories are mounted over it.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agoPakfire: Add Core-Version to "status"
Alexander Koch [Thu, 9 May 2019 21:55:58 +0000 (23:55 +0200)]
Pakfire: Add Core-Version to "status"

Add the IPFire-Core-Version to the status message.

Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agoTor: update to 0.4.0.5
Peter Müller [Thu, 9 May 2019 20:06:00 +0000 (20:06 +0000)]
Tor: update to 0.4.0.5

See https://blog.torproject.org/new-release-tor-0405 for release
announcements.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agocore132: Ship updated hwdata
Michael Tremer [Fri, 10 May 2019 03:20:17 +0000 (04:20 +0100)]
core132: Ship updated hwdata

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agohwdata: update PCI/USB databases
Peter Müller [Thu, 9 May 2019 13:40:00 +0000 (13:40 +0000)]
hwdata: update PCI/USB databases

PCI IDs: 2019-05-03 03:15:03
USB IDs: 2019-05-08 20:34:05

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agocore132: Ship updated ca-certificates
Michael Tremer [Fri, 10 May 2019 03:19:05 +0000 (04:19 +0100)]
core132: Ship updated ca-certificates

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agoupdate ca-certificates CA bundle
Peter Müller [Thu, 9 May 2019 13:24:00 +0000 (13:24 +0000)]
update ca-certificates CA bundle

Update the CA certificates list to what Mozilla NSS ships currently.

The original file can be retrieved from:
https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agoUpdate translations
Michael Tremer [Fri, 10 May 2019 03:16:39 +0000 (04:16 +0100)]
Update translations

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agoConfig: Disable XZ parallelism by default
Michael Tremer [Fri, 10 May 2019 02:36:58 +0000 (03:36 +0100)]
Config: Disable XZ parallelism by default

Exporting XZ_OPT caused that every time xz was called, it automatically
enabled parallelism. The make systemm also launches multiple processes
at the same time to use more processor cores at the same time.

The combination of this causes memory exhaustion even on large systems
and has no performance gain. Therefore this is disabled by default
and only enabled where we need it which is already the case.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agozoneconf: Fix bug that resultet from last fix
Florian Bührle [Sat, 11 May 2019 12:38:39 +0000 (14:38 +0200)]
zoneconf: Fix bug that resultet from last fix

Fix bug that prevents users from assigning NIC to RED if RED is in PPP
mode

5 weeks agozoneconf: Fix bug in NIC assignment; Change visibility of unused zones
Florian Bührle [Sat, 11 May 2019 11:28:12 +0000 (13:28 +0200)]
zoneconf: Fix bug in NIC assignment; Change visibility of unused zones

Fix a bug that allows users to add multiple NICs to non-bridged zones.
This fix includes a new error message.

Unused zones are now invisible instead of grey.

5 weeks agorouting: Fix potential authenticated XSS in input processing
Michael Tremer [Thu, 9 May 2019 13:51:40 +0000 (14:51 +0100)]
routing: Fix potential authenticated XSS in input processing

An authenticated Stored XSS (Cross-site Scripting) exists in the
(https://192.168.0.241:444/cgi-bin/routing.cgi) Routing Table Entries
via the "Remark" text box  or "remark" parameter. This is due to a
lack of user input validation in "Remark" text box  or "remark"
parameter. It allows an authenticated WebGUI user with privileges
for the affected page to execute Stored Cross-site Scripting in
the Routing Table Entries (/cgi-bin/routing.cgi), which helps
attacker to redirect the victim to a attacker's phishing page.

The Stored XSS get prompted on the victims page whenever victim
tries to access the Routing Table Entries configuraiton page.

An attacker get access to the victim's session by performing
the CSRF and gather the cookie and session id's or possibly can
change the victims configuration using this Stored XSS.

This attack can possibly spoof the victim's informations.

Fixes: #12072
Reported-by: Dharmesh Baskaran <dharmesh201093@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agozoneconf: Remove red warning
Michael Tremer [Thu, 9 May 2019 15:16:35 +0000 (17:16 +0200)]
zoneconf: Remove red warning

This is a bit shouty and there are various places where we do not
warn about this problem, so this patch makes it more consistent.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agozoneconf: Fix spelling
Michael Tremer [Thu, 9 May 2019 15:13:52 +0000 (17:13 +0200)]
zoneconf: Fix spelling

This patch mainly changes "Macvtap" to the branded spelling and removes
short forms as well as hyphenation in German compound nouns.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agozoneconf: Move "None" option to the top
Michael Tremer [Thu, 9 May 2019 15:11:24 +0000 (17:11 +0200)]
zoneconf: Move "None" option to the top

This is a more natural order of the options to me

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agoweb-user-interface: Ship new zoneconf.cgi file
Michael Tremer [Thu, 9 May 2019 14:43:04 +0000 (15:43 +0100)]
web-user-interface: Ship new zoneconf.cgi file

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agocore132: Ship updated captive.cgi
Michael Tremer [Thu, 9 May 2019 12:17:16 +0000 (13:17 +0100)]
core132: Ship updated captive.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agocaptive: Fix potential authenticated XSS in title processing
Michael Tremer [Tue, 7 May 2019 20:36:21 +0000 (21:36 +0100)]
captive: Fix potential authenticated XSS in title processing

An authenticated Stored XSS (Cross-site Scripting) exists in the
(https://localhost:444/cgi-bin/captive.cgi) Captive Portal via the
"Title of Login Page" text box or "TITLE" parameter. This is due to
a lack of user input validation in "Title of Login Page" text box
or "TITLE" parameter. It allows an authenticated WebGUI user with
privileges for the affected page to execute Stored Cross-site
Scripting in the Captive Portal page (/cgi-bin/captive.cgi), which
helps attacker to redirect the victim to a attacker's page.

The Stored XSS get prompted on the victims page whenever victim
tries to access the Captive Portal page.

An attacker get access to the victim's session by performing the
CSRF and gather the cookie and session id's or possibly can
change the victims configuration using this Stored XSS.

This attack can possibly spoof the victim's informations.

Fixes: #12071
Reported-by: Dharmesh Baskaran <dharmesh201093@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agoguardian: Remove snort related options.
Stefan Schantl [Tue, 7 May 2019 17:17:16 +0000 (19:17 +0200)]
guardian: Remove snort related options.

IPFire has moved to suricata as IDS/IPS system, therefore all snort related
options has become obsolete.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 weeks agocore132: Ship VLAN GUI
Michael Tremer [Wed, 8 May 2019 11:14:46 +0000 (12:14 +0100)]
core132: Ship VLAN GUI

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agowebif: Add a GUI for configuring VLAN interfaces
Florian Bührle [Wed, 8 May 2019 10:56:18 +0000 (11:56 +0100)]
webif: Add a GUI for configuring VLAN interfaces

This patch adds a new CGI file which allows users to edit the
VLAN configuration as well as configuring zones as bridges.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agoudev: Accept MAC addresses for PARENT_DEV
Florian Bührle [Wed, 8 May 2019 10:43:11 +0000 (11:43 +0100)]
udev: Accept MAC addresses for PARENT_DEV

This allows us to create VLAN interfaces even when the
name of the parent interface might vary.

This patch also appends the VLAN tag to interfaces
when the zone is in bridge mode.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agoguardian: Remove snort related options.
Stefan Schantl [Tue, 7 May 2019 17:17:16 +0000 (19:17 +0200)]
guardian: Remove snort related options.

IPFire has moved to suricata as IDS/IPS system, therefore all snort related
options has become obsolete.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 weeks agosquid: Link against libatomic on ARM
Michael Tremer [Tue, 7 May 2019 21:54:11 +0000 (22:54 +0100)]
squid: Link against libatomic on ARM

This package failed to build on ARM because atomic functions
are being emulated on ARM32 and the required library was not
linked.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agoxfsprogs: Disable LTO on armv5tel
Michael Tremer [Tue, 7 May 2019 20:19:53 +0000 (21:19 +0100)]
xfsprogs: Disable LTO on armv5tel

LTO fails on ARM, but since we do not require it, we can
disable it here.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agocore132: Ship updated pakfire files
Michael Tremer [Tue, 7 May 2019 22:53:43 +0000 (23:53 +0100)]
core132: Ship updated pakfire files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agozabbix_agentd: Add UserParameter for Pakfire Status
Alexander Koch [Sat, 27 Apr 2019 19:26:46 +0000 (21:26 +0200)]
zabbix_agentd: Add UserParameter for Pakfire Status

Ship the UserParameter for monitoring the status of pakfire for keeping track of available updates etc.

Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agoPakfire: Add new command line argument "status"
Alexander Koch [Sat, 27 Apr 2019 19:26:45 +0000 (21:26 +0200)]
Pakfire: Add new command line argument "status"

This enables Pakfire to return a Status-Summary for the Current Core-Update-Level, time since last updates, the availability of a core-/packet-update and if a reboot is required to complete an update. This can be used by monitoring agents (e.g. zabbix_agentd) to monitor the update status of the IPFire device.

Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agozabbix_agentd: update to 4.2.1
Alexander Koch [Sat, 27 Apr 2019 19:26:44 +0000 (21:26 +0200)]
zabbix_agentd: update to 4.2.1

Release notes: https://www.zabbix.com/rn/rn4.2.1

Signed-off-by: Alexander Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agocore132: Ship updated libedit
Michael Tremer [Tue, 7 May 2019 22:50:26 +0000 (23:50 +0100)]
core132: Ship updated libedit

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agolibedit: Update to 20190324-3.1
Matthias Fischer [Wed, 1 May 2019 17:32:15 +0000 (19:32 +0200)]
libedit: Update to 20190324-3.1

For details see:
https://thrysoee.dk/editline/

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agocore132: Ship updated knot
Michael Tremer [Tue, 7 May 2019 22:49:47 +0000 (23:49 +0100)]
core132: Ship updated knot

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agoknot: Update to 2.8.1
Matthias Fischer [Wed, 1 May 2019 17:28:16 +0000 (19:28 +0200)]
knot: Update to 2.8.1

For details see:
https://www.knot-dns.cz/2019-04-09-version-281.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agocore132: Ship updated bind
Michael Tremer [Tue, 7 May 2019 22:48:41 +0000 (23:48 +0100)]
core132: Ship updated bind

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agobind: Update to 9.11.6-P1
Matthias Fischer [Sat, 27 Apr 2019 00:19:34 +0000 (02:19 +0200)]
bind: Update to 9.11.6-P1

For details see:
http://ftp.isc.org/isc/bind9/9.11.6-P1/RELEASE-NOTES-bind-9.11.6-P1.html

"Security Fixes

 The TCP client quota set using the tcp-clients option could be exceeded in some cases.
 This could lead to exhaustion of file descriptors. This flaw is disclosed in CVE-2018-5743.
 [GL #615]"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agocore132: Ship updated dhcpcd
Michael Tremer [Tue, 7 May 2019 22:46:36 +0000 (23:46 +0100)]
core132: Ship updated dhcpcd

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agodhcpcd: Update to 7.2.2
Matthias Fischer [Sat, 4 May 2019 19:59:15 +0000 (21:59 +0200)]
dhcpcd: Update to 7.2.2

For details see:
https://roy.marples.name/

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks agofirewall: Allow SNAT rules with RED interface
Michael Tremer [Tue, 7 May 2019 22:44:44 +0000 (23:44 +0100)]
firewall: Allow SNAT rules with RED interface

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks agosuricata: Update to 4.1.4 core131 v2.23-core131
Stefan Schantl [Wed, 1 May 2019 18:19:01 +0000 (20:19 +0200)]
suricata: Update to 4.1.4

This is a minor update to the latest available version from
the suricata 4.1 series.

Fixes #12068.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
6 weeks agosuricata: Update to 4.1.4
Stefan Schantl [Wed, 1 May 2019 18:19:01 +0000 (20:19 +0200)]
suricata: Update to 4.1.4

This is a minor update to the latest available version from
the suricata 4.1 series.

Fixes #12068.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>