ipfire-2.x.git
2 months agoOpenSSL: lower priority for CBC ciphers in default cipherlist
Peter Müller [Mon, 10 Jun 2019 18:55:00 +0000 (18:55 +0000)] 
OpenSSL: lower priority for CBC ciphers in default cipherlist

In order to avoid CBC ciphers as often as possible (they contain
some known vulnerabilities), this changes the OpenSSL default
ciphersuite to:

TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(128) Mac=SHA256
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
CAMELLIA256-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
CAMELLIA128-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1

Since TLS servers usually override the clients' preference with their
own, this will neither break existing setups nor introduce huge
differences in the wild. Unfortunately, CBC ciphers cannot be disabled
at all, as they are still used by popular web sites.

TLS 1.3 ciphers will be added implicitly and can be omitted in the
ciphersting. Chacha20/Poly1305 is preferred over AES-GCM due to missing
AES-NI support for the majority of installations reporting to Fireinfo
(see https://fireinfo.ipfire.org/processors for details, AES-NI support
is 28.22% at the time of writing).

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoStart Core Update 134
Michael Tremer [Wed, 12 Jun 2019 16:18:23 +0000 (17:18 +0100)] 
Start Core Update 134

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agounbound: Make some zones type-transparent
Michael Tremer [Wed, 12 Jun 2019 16:14:28 +0000 (17:14 +0100)] 
unbound: Make some zones type-transparent

If we remove other records (like MX) from the response, we won't
be able to send mail to those hosts any more.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agounbound: Add yandex.com to safe search feature
Michael Tremer [Wed, 12 Jun 2019 16:11:32 +0000 (17:11 +0100)] 
unbound: Add yandex.com to safe search feature

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agounbound: safe search: Resolve hosts at startup
Michael Tremer [Thu, 13 Jun 2019 10:12:07 +0000 (11:12 +0100)] 
unbound: safe search: Resolve hosts at startup

unbound is not able to expand CNAMEs in local-data. Therefore we
have to do it manually at startup.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoTor: fix permissions after updating, too
Peter Müller [Mon, 10 Jun 2019 19:02:00 +0000 (19:02 +0000)] 
Tor: fix permissions after updating, too

Fixes #12088

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reported-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agocore133: Ship updated wpa_supplicant
Michael Tremer [Tue, 11 Jun 2019 06:00:38 +0000 (07:00 +0100)] 
core133: Ship updated wpa_supplicant

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agowpa_supplicant: Update to 2.8
Matthias Fischer [Tue, 11 Jun 2019 13:32:15 +0000 (15:32 +0200)] 
wpa_supplicant: Update to 2.8

For details see:
https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agosmt: Only disable SMT when the kernel thinks it is vulnerable
Michael Tremer [Tue, 11 Jun 2019 17:07:23 +0000 (17:07 +0000)] 
smt: Only disable SMT when the kernel thinks it is vulnerable

On virtual machines, it does not make sense to disable SMT for the
virtual cores. This has to be done by the hypervisor.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoship language files in Core Update 133
Peter Müller [Mon, 10 Jun 2019 18:22:00 +0000 (18:22 +0000)] 
ship language files in Core Update 133

These were missing in Core Update 132, and some strings
(especially on the "CPU vulnerabilities" page) missed translations.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoRootfile update
Michael Tremer [Mon, 10 Jun 2019 08:58:15 +0000 (09:58 +0100)] 
Rootfile update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoconvert-ids-modifysids-file: Fix check if the ids is running.
Stefan Schantl [Sun, 9 Jun 2019 15:55:34 +0000 (17:55 +0200)] 
convert-ids-modifysids-file: Fix check if the ids is running.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agohostapd: Update to 2.8
Matthias Fischer [Sun, 9 Jun 2019 10:10:07 +0000 (12:10 +0200)] 
hostapd: Update to 2.8

For details see:
https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoRootfile update
Michael Tremer [Sat, 8 Jun 2019 10:34:37 +0000 (11:34 +0100)] 
Rootfile update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoRootfile update
Michael Tremer [Fri, 7 Jun 2019 10:14:11 +0000 (11:14 +0100)] 
Rootfile update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agocore133: Ship updated knot package
Michael Tremer [Fri, 7 Jun 2019 10:13:01 +0000 (11:13 +0100)] 
core133: Ship updated knot package

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoknot: Update to 2.8.2
Matthias Fischer [Thu, 6 Jun 2019 18:30:56 +0000 (20:30 +0200)] 
knot: Update to 2.8.2

For details see:
https://www.knot-dns.cz/2019-06-05-version-282.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoUpdate contributors
Michael Tremer [Wed, 5 Jun 2019 11:46:37 +0000 (12:46 +0100)] 
Update contributors

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agosuricata: Enable EVE logging
Erik Kapfer [Tue, 4 Jun 2019 13:00:24 +0000 (15:00 +0200)] 
suricata: Enable EVE logging

The EVE output facility outputs alerts, metadata, file info and protocol specific records through JSON.
for further informations please see --> https://suricata.readthedocs.io/en/suricata-4.1.2/output/eve/index.html .

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Acked-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoconvert-ids-modifysids-file: Adjust code to use changed write_modify_sids_file function
Stefan Schantl [Wed, 5 Jun 2019 18:56:35 +0000 (20:56 +0200)] 
convert-ids-modifysids-file: Adjust code to use changed write_modify_sids_file function

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agocore133: Ship snort configuration converter
Michael Tremer [Wed, 5 Jun 2019 11:42:53 +0000 (12:42 +0100)] 
core133: Ship snort configuration converter

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoconvert-snort: Adjust code to use changed modify_sids_file function.
Stefan Schantl [Wed, 5 Jun 2019 18:56:34 +0000 (20:56 +0200)] 
convert-snort: Adjust code to use changed modify_sids_file function.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoids-functions.pl: Rework function write_modify_sids_file().
Stefan Schantl [Wed, 5 Jun 2019 18:56:33 +0000 (20:56 +0200)] 
ids-functions.pl: Rework function write_modify_sids_file().

Directly implement the logic to determine the used ruleset and if
IDS or IPS mode should be used into the function instead of pass those
details as arguments.

This helps to prevent from doing this stuff at several places again and again.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agocore133: Ship IPS changes
Michael Tremer [Wed, 5 Jun 2019 11:41:37 +0000 (12:41 +0100)] 
core133: Ship IPS changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agosuricata: correct rule actions in IPS mode
Tim FitzGeorge [Wed, 5 Jun 2019 18:56:32 +0000 (20:56 +0200)] 
suricata: correct rule actions in IPS mode

In IPS mode rule actions need to be have the action 'drop' for the
protection to work, however this is not appropriate for all rules.
Modify the generator for oinkmaster-modify-sids.conf to leave
rules with the action 'alert' here this is appropriate.  Also add
a script to be run on update to correct existing downloaded rules.

Fixes #12086

Signed-off-by: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Tested-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agocore133: Ship IDS ruleset updater
Michael Tremer [Wed, 5 Jun 2019 11:34:44 +0000 (12:34 +0100)] 
core133: Ship IDS ruleset updater

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoupdate-ids-ruleset: Run as unprivileged user.
Stefan Schantl [Wed, 5 Jun 2019 16:27:10 +0000 (18:27 +0200)] 
update-ids-ruleset: Run as unprivileged user.

Check if the script has been launched as privileged user (root) and drop all
permissions by switching to the "nobody" user and group.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agocore133: Ship updated vpnmain.cgi file and regenerate configuration
Michael Tremer [Wed, 5 Jun 2019 04:08:31 +0000 (05:08 +0100)] 
core133: Ship updated vpnmain.cgi file and regenerate configuration

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agovpnmain.cgi: Fix wrong cipher suite generation when PFS is disabled
Michael Tremer [Wed, 5 Jun 2019 09:22:53 +0000 (10:22 +0100)] 
vpnmain.cgi: Fix wrong cipher suite generation when PFS is disabled

Fixes: #12091
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agomonit: Some fixes for 'monitrc'
Matthias Fischer [Wed, 5 Jun 2019 09:54:29 +0000 (11:54 +0200)] 
monit: Some fixes for 'monitrc'

Just cosmetics:
Removed all trailing spaces - there were a few...

Activated 'monit' start delay:
I activated this option to avoid running into a race condition while started through
'/etc/init.d/monit start'.

As mentioned in 'monit' manual:
"...if a service is slow to start, Monit can assume that the service is not running
and possibly try to start it [again] and raise an alert, while, in fact the service
is already about to start or already in its startup sequence."

This happened here during testing with (e.g.) Clamav.

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agocore133: Ship updated dhcp.cgi
Michael Tremer [Tue, 4 Jun 2019 23:33:36 +0000 (00:33 +0100)] 
core133: Ship updated dhcp.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agodhcp.cgi: Save fixed leases immediately after addition of a new lease
Bernhard Bitsch [Tue, 4 Jun 2019 10:24:00 +0000 (12:24 +0200)] 
dhcp.cgi: Save fixed leases immediately after addition of a new lease

This changes the behaviour of the script to immediately save the added
lease to file but still remain in edit mode to make changes.

If the user does not make any changes, the lease is immediately saved
and there is no second click required to write it to file.

This a more natural flow that is expected by almost all users of this
feature.

Fixes: #12050
Signed-off-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoSMT: Disable when system is vulnerable to L1TF (Foreshadow)
Michael Tremer [Tue, 4 Jun 2019 22:55:17 +0000 (23:55 +0100)] 
SMT: Disable when system is vulnerable to L1TF (Foreshadow)

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoRootfile update for ARM kernels
Michael Tremer [Tue, 4 Jun 2019 22:44:49 +0000 (23:44 +0100)] 
Rootfile update for ARM kernels

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoRootfile update for gcc on i586
Michael Tremer [Tue, 4 Jun 2019 22:41:59 +0000 (23:41 +0100)] 
Rootfile update for gcc on i586

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agocore133: Ship updated PAM
Michael Tremer [Tue, 4 Jun 2019 22:32:35 +0000 (23:32 +0100)] 
core133: Ship updated PAM

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agolinux-pam: Update to 1.3.1
Matthias Fischer [Wed, 5 Jun 2019 07:16:58 +0000 (09:16 +0200)] 
linux-pam: Update to 1.3.1

For details see:
https://github.com/linux-pam/linux-pam/releases

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agocore133: Ship updated rrdtool
Michael Tremer [Tue, 4 Jun 2019 22:31:51 +0000 (23:31 +0100)] 
core133: Ship updated rrdtool

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agorrdtool: Update to 1.7.2
Matthias Fischer [Wed, 5 Jun 2019 07:13:11 +0000 (09:13 +0200)] 
rrdtool: Update to 1.7.2

For details see:
https://oss.oetiker.ch/rrdtool/pub/CHANGES

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoBUG 11487:solve problem with unexspected shutdown
sfeddersen [Tue, 4 Jun 2019 19:49:22 +0000 (21:49 +0200)] 
BUG 11487:solve problem with unexspected shutdown

Solve problem with unexspected shutdown problem when checking a single client.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoRootfile update
Michael Tremer [Mon, 3 Jun 2019 08:20:05 +0000 (09:20 +0100)] 
Rootfile update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agomake.sh: Set default ccache size to 4G
Michael Tremer [Sun, 2 Jun 2019 21:52:57 +0000 (22:52 +0100)] 
make.sh: Set default ccache size to 4G

Since we have now one cache for each architecture, we do not
need to make it too large.

The largest build (i586 because of the two kernels) uses around
2.5GB after one build. So 4G will give us some space.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agocore133: Ship updated ovpnmain.cgi
Michael Tremer [Sun, 2 Jun 2019 21:49:42 +0000 (22:49 +0100)] 
core133: Ship updated ovpnmain.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoovpnmain.cgi: Fixed line break for LZO option
Erik Kapfer [Sat, 1 Jun 2019 06:46:14 +0000 (08:46 +0200)] 
ovpnmain.cgi: Fixed line break for LZO option

It is better readable if everything is in one line.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agomonit: Update to 5.25.3
Matthias Fischer [Fri, 31 May 2019 19:54:45 +0000 (21:54 +0200)] 
monit: Update to 5.25.3

For details see:
https://mmonit.com/monit/changes/

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agomake.sh: Have a ccache for each architecture
Michael Tremer [Wed, 29 May 2019 14:28:45 +0000 (15:28 +0100)] 
make.sh: Have a ccache for each architecture

It does not make much sense to mix architectures into a single
ccache:

* There is never going to be a match
* The cache gets bigger and therefore slower
* If both architectures are being compiled one after the other and
  the cache hits its maximum size, cached but still needed content
  will be dropped
* Only both can be deleted together

This small change splits this into multiple caches. One per
architecture. Therefore we should be more efficient on builders
that build for multiple architectures.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agomiau: Drop package
Michael Tremer [Wed, 29 May 2019 14:24:29 +0000 (15:24 +0100)] 
miau: Drop package

This is not maintained since 2010

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoopenssl: Update to 1.1.1c
Michael Tremer [Wed, 29 May 2019 10:22:22 +0000 (11:22 +0100)] 
openssl: Update to 1.1.1c

Fixes CVE-2019-1543

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agostrongswan: Update to 5.8.0
Michael Tremer [Tue, 28 May 2019 12:05:50 +0000 (13:05 +0100)] 
strongswan: Update to 5.8.0

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agotshark: Update to 3.0.2
Erik Kapfer [Tue, 28 May 2019 09:38:59 +0000 (11:38 +0200)] 
tshark: Update to 3.0.2

Incl. one vulnerability and several bug fixes. For full overview --> https://www.wireshark.org/docs/relnotes/wireshark-3.0.2.html .

- Disabled geoip support since libmaxminddb is not presant.
- Added dictionary in ROOTFILE to prevent "radius: Could not open file: '/usr/share/wireshark/radius/dictionary' " .
- Added CMAKE build type
- Removed profile examples and htmls completly from ROOTFILE.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoccache: Automatically set size to 8GB
Michael Tremer [Tue, 28 May 2019 11:01:30 +0000 (12:01 +0100)] 
ccache: Automatically set size to 8GB

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agocore133: Ship toolchain changes
Michael Tremer [Tue, 28 May 2019 10:44:32 +0000 (11:44 +0100)] 
core133: Ship toolchain changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoRootfile update
Michael Tremer [Tue, 28 May 2019 10:41:46 +0000 (11:41 +0100)] 
Rootfile update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agohyperscan: Limit amount of memory being used during build
Michael Tremer [Tue, 28 May 2019 10:36:06 +0000 (11:36 +0100)] 
hyperscan: Limit amount of memory being used during build

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoddns: Update to 011
Michael Tremer [Mon, 27 May 2019 15:25:01 +0000 (16:25 +0100)] 
ddns: Update to 011

Add support for two new providers and has some general bug fixes
included.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agocore133: Ship updated IPS ruleset sources
Michael Tremer [Mon, 27 May 2019 14:48:44 +0000 (15:48 +0100)] 
core133: Ship updated IPS ruleset sources

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoruleset-sources: Update snort dl urls.
Stefan Schantl [Sun, 26 May 2019 18:11:55 +0000 (20:11 +0200)] 
ruleset-sources: Update snort dl urls.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agotor: Ship updated CGI
Michael Tremer [Mon, 27 May 2019 14:47:02 +0000 (15:47 +0100)] 
tor: Ship updated CGI

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agotor.cgi: Disable debugging output
Erik Kapfer [Sun, 26 May 2019 15:02:56 +0000 (17:02 +0200)] 
tor.cgi: Disable debugging output

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agocore133: Drop metadata for jansson package
Michael Tremer [Mon, 27 May 2019 14:42:50 +0000 (15:42 +0100)] 
core133: Drop metadata for jansson package

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agocore133: Ship hyperscan
Michael Tremer [Mon, 27 May 2019 14:40:31 +0000 (15:40 +0100)] 
core133: Ship hyperscan

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agohyperscan: Move rootfiles to arch directories
Michael Tremer [Mon, 27 May 2019 14:38:42 +0000 (15:38 +0100)] 
hyperscan: Move rootfiles to arch directories

This package is only compiled on x86_64 and i586 and cannot
be packaged in any of the other architectures.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agohyperscan: New package
Stefan Schantl [Sun, 26 May 2019 17:56:47 +0000 (19:56 +0200)] 
hyperscan: New package

This package adds hyperscan support to suricata

Fixes #12053.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoragel: New package
Stefan Schantl [Sun, 26 May 2019 17:56:46 +0000 (19:56 +0200)] 
ragel: New package

This is a build dependency of hyperscan

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agocolm: New package
Stefan Schantl [Sun, 26 May 2019 17:56:45 +0000 (19:56 +0200)] 
colm: New package

This is a build dependency of ragel, which is a build dependency of
hyperscan.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoasterisk: Remove dependency to jansson.
Stefan Schantl [Sun, 26 May 2019 17:51:40 +0000 (19:51 +0200)] 
asterisk: Remove dependency to jansson.

The package has become part of the main system.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agojansson: Move to core system and update to 2.12
Stefan Schantl [Sun, 26 May 2019 17:51:39 +0000 (19:51 +0200)] 
jansson: Move to core system and update to 2.12

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoRootfile update
Michael Tremer [Mon, 27 May 2019 13:37:23 +0000 (14:37 +0100)] 
Rootfile update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agocore133: readd late core132 changes to core133
Arne Fitzenreiter [Sun, 26 May 2019 15:27:16 +0000 (17:27 +0200)] 
core133: readd late core132 changes to core133

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months agoMerge branch 'master' into next
Arne Fitzenreiter [Sun, 26 May 2019 15:23:54 +0000 (17:23 +0200)] 
Merge branch 'master' into next

2 months agocore132: security conf should not executable core132
Arne Fitzenreiter [Sun, 26 May 2019 14:17:04 +0000 (16:17 +0200)] 
core132: security conf should not executable

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months agotor: Depend on libseccomp
Michael Tremer [Thu, 23 May 2019 00:50:29 +0000 (01:50 +0100)] 
tor: Depend on libseccomp

Suggested-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoids-functions.pl: Do not delete the whitelist file on rulesdir cleanup.
Stefan Schantl [Fri, 24 May 2019 15:45:33 +0000 (17:45 +0200)] 
ids-functions.pl: Do not delete the whitelist file on rulesdir cleanup.

Fixes #12087.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months agocore132: set correct permissions of security settings file.
Arne Fitzenreiter [Sun, 26 May 2019 14:05:41 +0000 (16:05 +0200)] 
core132: set correct permissions of security settings file.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months agovulnerabilities.cgi: again change colours
Arne Fitzenreiter [Sat, 25 May 2019 05:39:38 +0000 (07:39 +0200)] 
vulnerabilities.cgi: again change colours

red - vulnerable
blue - mitigated
green - not affected

because we not really trust the mitigations so they shound not green.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months agovulnerabilities.cgi fix string handling
Arne Fitzenreiter [Sat, 25 May 2019 04:54:35 +0000 (06:54 +0200)] 
vulnerabilities.cgi fix string handling

remove lf at the end for correct matching
and not strip "Mitigated:" if it was not full working and still
vulnerable.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months agovulnerabilities.cgi: Regard mitigations that only mitigate something still as vulnerable
Michael Tremer [Wed, 22 May 2019 10:08:43 +0000 (11:08 +0100)] 
vulnerabilities.cgi: Regard mitigations that only mitigate something still as vulnerable

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agovulnerabilities.cgi: Simplify regexes
Michael Tremer [Wed, 22 May 2019 10:05:20 +0000 (11:05 +0100)] 
vulnerabilities.cgi: Simplify regexes

We can do the split in one.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoMerge branch 'toolchain' into next
Michael Tremer [Fri, 24 May 2019 05:55:03 +0000 (06:55 +0100)] 
Merge branch 'toolchain' into next

2 months agoMerge remote-tracking branch 'ms/faster-build' into next
Michael Tremer [Fri, 24 May 2019 05:54:16 +0000 (06:54 +0100)] 
Merge remote-tracking branch 'ms/faster-build' into next

2 months agocore133: Ship updated squid
Michael Tremer [Fri, 24 May 2019 05:39:37 +0000 (06:39 +0100)] 
core133: Ship updated squid

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agosquid: Update to 4.7
Matthias Fischer [Fri, 24 May 2019 18:46:59 +0000 (20:46 +0200)] 
squid: Update to 4.7

For details see:

http://www.squid-cache.org/Versions/v4/changesets/

Fixes among other things the old 'filedescriptors' problem, so this patch was deleted.

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agocore133: Ship updated bind
Michael Tremer [Fri, 24 May 2019 05:37:21 +0000 (06:37 +0100)] 
core133: Ship updated bind

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agobind: Update to 9.11.7
Matthias Fischer [Fri, 24 May 2019 18:53:15 +0000 (20:53 +0200)] 
bind: Update to 9.11.7

For details see:
http://ftp.isc.org/isc/bind9/9.11.7/RELEASE-NOTES-bind-9.11.7.html

"Security Fixes

  The TCP client quota set using the tcp-clients option could be exceeded in some cases.
  This could lead to exhaustion of file descriptors.
  This flaw is disclosed in CVE-2018-5743. [GL #615]"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoStart Core Update 133
Michael Tremer [Fri, 24 May 2019 05:35:46 +0000 (06:35 +0100)] 
Start Core Update 133

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago.gitignore: Ignore some backup files
Michael Tremer [Fri, 24 May 2019 05:30:46 +0000 (06:30 +0100)] 
.gitignore: Ignore some backup files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agotor: Depend on libseccomp
Michael Tremer [Thu, 23 May 2019 00:50:29 +0000 (01:50 +0100)] 
tor: Depend on libseccomp

Suggested-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agounbound: Safe Search: Enable Restrict-Moderate for YouTube
Michael Tremer [Wed, 22 May 2019 14:29:32 +0000 (15:29 +0100)] 
unbound: Safe Search: Enable Restrict-Moderate for YouTube

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoUpdate German translations
Michael Tremer [Wed, 22 May 2019 10:23:07 +0000 (11:23 +0100)] 
Update German translations

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agovulnerabilities.cgi: Regard mitigations that only mitigate something still as vulnerable
Michael Tremer [Wed, 22 May 2019 10:08:43 +0000 (11:08 +0100)] 
vulnerabilities.cgi: Regard mitigations that only mitigate something still as vulnerable

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agovulnerabilities.cgi: Simplify regexes
Michael Tremer [Wed, 22 May 2019 10:05:20 +0000 (11:05 +0100)] 
vulnerabilities.cgi: Simplify regexes

We can do the split in one.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months agoMerge branch 'master' into next
Arne Fitzenreiter [Wed, 22 May 2019 10:34:41 +0000 (12:34 +0200)] 
Merge branch 'master' into next

2 months agovulnerablities: change to logic colours
Arne Fitzenreiter [Wed, 22 May 2019 10:34:03 +0000 (12:34 +0200)] 
vulnerablities: change to logic colours

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months agoMerge branch 'next'
Arne Fitzenreiter [Wed, 22 May 2019 08:38:02 +0000 (10:38 +0200)] 
Merge branch 'next'

2 months agofinish: core132
Arne Fitzenreiter [Wed, 22 May 2019 08:33:20 +0000 (10:33 +0200)] 
finish: core132

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months agovulnerablities.cgi: add colours for vuln,smt and unknown output.
Arne Fitzenreiter [Wed, 22 May 2019 08:22:53 +0000 (10:22 +0200)] 
vulnerablities.cgi: add colours for vuln,smt and unknown output.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months agokernel: update to 4.14.121
Arne Fitzenreiter [Tue, 21 May 2019 18:42:51 +0000 (20:42 +0200)] 
kernel: update to 4.14.121

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months agovnstat: fix errormessage at first boot
Arne Fitzenreiter [Tue, 21 May 2019 18:36:16 +0000 (20:36 +0200)] 
vnstat: fix errormessage at first boot

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months agoconfigroot: create main/security settings file
Arne Fitzenreiter [Tue, 21 May 2019 13:03:21 +0000 (15:03 +0200)] 
configroot: create main/security settings file

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months agoweb-user-interface: update rootfile
Arne Fitzenreiter [Tue, 21 May 2019 13:02:54 +0000 (15:02 +0200)] 
web-user-interface: update rootfile

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>