Matthias Fischer [Tue, 26 May 2020 18:46:29 +0000 (20:46 +0200)]
knot: Update to 2.9.5
For details see:
https://www.knot-dns.cz/2020-05-25-version-295.html
"Bugfixes:
Old ZSK can be withdrawn too early during a ZSK rollover if maximum
zone TTL is computed automatically
Server responds SERVFAIL to ANY queries on empty non-terminal nodes
Improvements:
Also module onlinesign returns minimized responses to ANY queries
Linking against libcap-ng can be disabled via a configure option"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
The message "ls: cannot access '*.bz2': No such file or directory" comes
from the 'ls' command prior to creating the *.md5-files for *.bz2, *.img.xz
and *.iso files.
But on most builds we have especially no more bzip2 compressed images anymore.
This message can usually be ignored and is just irritating.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Wed, 20 May 2020 12:29:48 +0000 (12:29 +0000)]
ids-functions.pl: Quote array of subnets
Reported-by: Daniel Weismüller <daniel.weismueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Matthias Fischer [Tue, 19 May 2020 12:38:11 +0000 (14:38 +0200)]
bind: Update to 9.11.19
For details see:
https://downloads.isc.org/isc/bind9/9.11.19/RELEASE-NOTES-bind-9.11.19.html
"Security Fixes
To prevent exhaustion of server resources by a maliciously
configured domain, the number of recursive queries that can be
triggered by a request before aborting recursion has been further
limited. Root and top-level domain servers are no longer exempt from
the max-recursion-queries limit. Fetches for missing name server
address records are limited to 4 for any domain. This issue was
disclosed in CVE-2020-8616. [GL #1388]
Replaying a TSIG BADTIME response as a request could trigger
an assertion failure. This was disclosed in CVE-2020-8617. [GL
#1703]
Feature Changes
Message IDs in inbound AXFR transfers are now checked for
consistency. Log messages are emitted for streams with inconsistent
message IDs. [GL #1674]
Bug Fixes
When running on a system with support for Linux capabilities, named
drops root privileges very soon after system startup. This was
causing a spurious log message, "unable to set effective uid to 0:
Operation not permitted", which has now been silenced. [GL #1042]
[GL #1090]
When named-checkconf -z was run, it would sometimes incorrectly set
its exit code. It reflected the status of the last view found;
if zone-loading errors were found in earlier configured views but
not in the last one, the exit code indicated success. Thanks
to Graham Clinch. [GL #1807]
When built without LMDB support, named failed to restart after
a zone with a double quote (") in its name was added with rndc
addzone. Thanks to Alberto Fernández. [GL #1695]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Matthias Fischer [Tue, 12 May 2020 19:29:32 +0000 (21:29 +0200)]
clamav: Update to 0.102.3
For details see:
https://blog.clamav.net/2020/05/clamav-01023-security-patch-released.html
"ClamAV 0.102.3 is a bug patch release to address the following issues.
- CVE-2020-3327: Fix a vulnerability in the ARJ archive parsing module
in ClamAV 0.102.2 that could cause a Denial-of-Service (DoS) condition.
Improper bounds checking of an unsigned variable results in an
out-of-bounds read which causes a crash.
- CVE-2020-3341: Fix a vulnerability in the PDF parsing module in ClamAV
0.101 - 0.102.2 that could cause a Denial-of-Service (DoS) condition.
Improper size checking of a buffer used to initialize AES decryption
routines results in an out-of-bounds read which may cause a crash. Bug
found by OSS-Fuzz.
- Fix "Attempt to allocate 0 bytes" error when parsing some PDF
documents.
- Fix a couple of minor memory leaks.
- Updated libclamunrar to UnRAR 5.9.2."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sun, 10 May 2020 15:50:06 +0000 (15:50 +0000)]
hwdata: update PCI database
PCI IDs: 2020-05-07 03:15:02
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Sat, 9 May 2020 06:04:48 +0000 (06:04 +0000)]
tshark: Update to version 3.2.3
This update includes several bugfixes but also updated protocols.
For a full overview, in here -->
https://www.wireshark.org/docs/relnotes/wireshark-3.2.3.html the
changelog can be found.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Fri, 8 May 2020 06:23:19 +0000 (06:23 +0000)]
libseccomp: Update to version 2.4.3
- Add list of authorized release signatures to README.md
- Fix multiplexing issue with s390/s390x shm* syscalls
- Remove the static flag from libseccomp tools compilation
- Add define for __SNR_ppoll
- Update our Travis CI configuration to use Ubuntu 18.04
- Disable live python tests in Travis CI
- Use default python, rather than nightly python, in TravisCI
- Fix potential memory leak identified by clang in the scmp_bpf_sim too
The changelog can be found in here https://github.com/seccomp/libseccomp/blob/master/CHANGELOG .
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Thu, 7 May 2020 10:46:15 +0000 (12:46 +0200)]
OpenVPN: Update to version 2.4.9
Beneath several smaller fixes, this version fixes also some OpenSSL problems but also CVE-2020-11810.
The full changelog can be found in here https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24 .
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Wed, 29 Apr 2020 19:33:04 +0000 (19:33 +0000)]
random: Initialise the kernel's PRNG earlier
Since more processes depend on good randomness, we need to
make sure that the kernel's PRNG is initialized as early as
possible.
For systems without a HWRNG, we will need to fall back to our
noisy loop and wait until we have enough randomness.
This patch also removes saving and restoring the seed. This
is no longer useful because the kernel's PRNG only takes any
input after it has successfully been seeded from other sources.
Hence adding this seed does not increase its randomness.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This is the first release after Suricata joined the Oss-Fuzz program, leading to
discovery of a number of (potential) security issues. We expect that in the coming
months we’ll fix more such issues, as the fuzzers increase their coverage and we
continue to improve the seed corpus.
Feature #3481: GRE ERSPAN Type 1 Support
Feature #3613: Teredo port configuration
Feature #3673: datasets: add ‘dataset-remove’ unix command
Bug #3240: Dataset hash-size or prealloc invalid value logging
Bug #3241: Dataset reputation invalid value logging
Bug #3342: Suricata 5.0 crashes while parsing SMB data
Bug #3450: signature with sticky buffer with subsequent pcre check in a different buffer loads but will never match
Bug #3491: Backport 5 BUG_ON(strcasecmp(str, “any”) in DetectAddressParseString
Bug #3507: rule parsing: memory leaks
Bug #3526: 5.0.x Kerberos vulnerable to TCP splitting evasion
Bug #3534: Skip over ERF_TYPE_META records
Bug #3552: file logging: complete files sometimes marked ‘TRUNCATED’
Bug #3571: rust: smb compile warnings
Bug #3573: TCP Fast Open – Bypass of stateless alerts
Bug #3574: Behavior for tcp fastopen
Bug #3576: Segfault when facing malformed SNMP rules
Bug #3577: SIP: Input not parsed when header values contain trailing spaces
Bug #3580: Faulty signature with two threshold keywords does not generate an error and never match
Bug #3582: random failures on sip and http-evader suricata-verify tests
Bug #3585: htp: asan issue
Bug #3592: Segfault on SMTP TLS
Bug #3598: rules: memory leaks in pktvar keyword
Bug #3600: rules: bad address block leads to stack exhaustion
Bug #3602: rules: crash on ‘internal’-only keywords
Bug #3604: rules: missing ‘consumption’ of transforms before pkt_data would lead to crash
Bug #3606: rules: minor memory leak involving pcre_get_substring
Bug #3609: ssl/tls: ASAN issue in SSLv3ParseHandshakeType
Bug #3610: defrag: asan issue
Bug #3612: rules/bsize: memory issue during parsing
Bug #3614: build-info and configure wrongly display libnss status
Bug #3644: Invalid memory read on malformed rule with Lua script
Bug #3646: rules: memory leaks on failed rules
Bug #3649: CIDR Parsing Issue
Bug #3651: FTP response buffering against TCP stream
Bug #3653: Recursion stack-overflow in parsing YAML configuration
Bug #3660: Multiple DetectEngineReload and bad insertion into linked list lead to buffer overflow
Bug #3665: FTP: Incorrect ftp_memuse calculation.
Bug #3667: Signature with an IP range creates one IPOnlyCIDRItem by signe IP address
Bug #3669: Rules reload with Napatech can hang Suricata UNIX manager process
Bug #3672: coverity: data directory handling issues
Bug #3674: Protocol detection evasion by packet splitting
Optimization #3406: filestore rules are loaded without warning when filestore is not enabled
Task #3478: libhtp 0.5.33
Task #3514: SMTP should place restraints on variable length items (e.g., filenames)
Documentation #3543: doc: add ipv4.hdr and ipv6.hdr
Bundled libhtp 0.5.33
Bundled Suricata-Update 1.1.2
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Tue, 28 Apr 2020 16:35:56 +0000 (18:35 +0200)]
libhtp: update to 0.5.33
(Scanty) release notes:
0.5.33 (27 April 2020)
----------------------
- compression bomb protection
- memory handling issue found by Oss-Fuzz
- improve handling of anomalies in traffic
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Tue, 28 Apr 2020 14:47:01 +0000 (16:47 +0200)]
Postfix: update to 3.5.1
Please refer to http://www.postfix.org/announcements/postfix-3.5.1.html
for further information.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Mon, 27 Apr 2020 15:41:47 +0000 (17:41 +0200)]
graph.pl: fix intendation of user CPU load
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Mon, 27 Apr 2020 15:25:15 +0000 (17:25 +0200)]
graphs.pl: use brackets instead of hypens
This simply makes more sense in most languages, as INPUT, OUTPUT and
FORWARD are special cases of firewall hits in general.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Mon, 27 Apr 2020 15:24:52 +0000 (17:24 +0200)]
de.pl: mention technical detail regarding new not SYN packets
Since an appropriate translation of the firewall hits graph is not
possible due to limited space, mentioning "NewNotSYN" at least clarifies
the relationship between "Verworfene neue Pakete ohne SYN-Markierung
protokollieren" and "NewNotSYN".
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Mon, 27 Apr 2020 15:24:27 +0000 (17:24 +0200)]
en.pl: fix spelling of "SYN"
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Mon, 27 Apr 2020 15:24:06 +0000 (17:24 +0200)]
graphs.pl: fix spelling of "SYN"
This merely is a cosmetic change, but since we are dealing with network
packets here, the SYN flag must be capitalised.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Wed, 22 Apr 2020 16:01:13 +0000 (16:01 +0000)]
hyperscan: Update to version 5.2.1
Several bugfixes, improvements and extra detection has been added.
For the full changelog, take a look into here -->
https://github.com/intel/hyperscan/blob/master/CHANGELOG.md .
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sat, 18 Apr 2020 10:06:02 +0000 (12:06 +0200)]
libusb: update to 1.0.23
Fixes: #11480 Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Mon, 4 May 2020 18:10:56 +0000 (20:10 +0200)]
70-log.menu: Fix ovpnclients section.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
projects / ipfire-2.x.git / log
