people/jschlag/ipfire-2.x.git
3 years ago openssl: add forgotten sslv2 compile option [master]
Arne Fitzenreiter [Thu, 3 Mar 2016 07:38:27 +0000 (08:38 +0100)]
openssl: add forgotten sslv2 compile option

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 years ago openssl: compile with sslv2 support but disable
Arne Fitzenreiter [Wed, 2 Mar 2016 20:31:07 +0000 (21:31 +0100)]
openssl: compile with sslv2 support but disable

the new default breaks the ABI so we need to compile in but
disable it with a patch.

3 years ago Revert "python-m2crypto: remove SSLv2_method"
Arne Fitzenreiter [Wed, 2 Mar 2016 20:13:31 +0000 (21:13 +0100)]
Revert "python-m2crypto: remove SSLv2_method"

This reverts commit d86a24928625c47d46d17daad18f159d28678ee4.

3 years ago OpenSSH: remove slogin binary in rootfile and update
Arne Fitzenreiter [Tue, 1 Mar 2016 21:50:53 +0000 (22:50 +0100)]
OpenSSH: remove slogin binary in rootfile and update

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 years ago python-m2crypto: remove SSLv2_method
Arne Fitzenreiter [Tue, 1 Mar 2016 21:25:55 +0000 (22:25 +0100)]
python-m2crypto: remove SSLv2_method

this is removed by OpenSSL 1.0.2g

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 years ago core99: set version to 99
Arne Fitzenreiter [Tue, 1 Mar 2016 15:02:50 +0000 (16:02 +0100)]
core99: set version to 99

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 years ago openssl: security update to 1.0.2g
Arne Fitzenreiter [Tue, 1 Mar 2016 15:00:19 +0000 (16:00 +0100)]
openssl: security update to 1.0.2g

this fixes diverse security problems.
check http://openssl.org/news/secadv/20160301.txt for details.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 years ago openssh: update to 7.2p1
Arne Fitzenreiter [Tue, 1 Mar 2016 14:59:34 +0000 (15:59 +0100)]
openssh: update to 7.2p1

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 years ago backup: fix vnstat path
Arne Fitzenreiter [Mon, 29 Feb 2016 20:53:41 +0000 (21:53 +0100)]
backup: fix vnstat path

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 years ago core99: create core99 for OpenSSL security update
Arne Fitzenreiter [Mon, 29 Feb 2016 20:47:05 +0000 (21:47 +0100)]
core99: create core99 for OpenSSL security update

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 years ago stunnel: Bump release version
Michael Tremer [Tue, 23 Feb 2016 17:40:31 +0000 (09:40 -0800)]
stunnel: Bump release version

The version on the server seems to be still linked against
the older 0.9.8 series of openssl and needs to be updated
on all systems.

I manually pushed this update for the 2.17 branch on i586.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago core98: fix typo
Arne Fitzenreiter [Thu, 18 Feb 2016 03:31:28 +0000 (04:31 +0100)]
core98: fix typo

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 years ago Merge branch 'core98' of git.ipfire.org:/pub/git/ipfire-2.x into core98
Arne Fitzenreiter [Wed, 17 Feb 2016 21:01:56 +0000 (22:01 +0100)]
Merge branch 'core98' of git.ipfire.org:/pub/git/ipfire-2.x into core98

3 years ago core98: remove wrong grub.cfg only if it was empty.
Arne Fitzenreiter [Wed, 17 Feb 2016 20:57:00 +0000 (21:57 +0100)]
core98: remove wrong grub.cfg only if it was empty.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 years ago glibc: disable patches that break build on arm.
Arne Fitzenreiter [Wed, 17 Feb 2016 17:49:38 +0000 (18:49 +0100)]
glibc: disable patches that break build on arm.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 years ago core98: new update with glibc security fixes.
Arne Fitzenreiter [Wed, 17 Feb 2016 12:52:51 +0000 (13:52 +0100)]
core98: new update with glibc security fixes.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 years ago glibc: new RHEL6 patches / fix CVE-2015-7547 and more
Arne Fitzenreiter [Wed, 17 Feb 2016 11:46:11 +0000 (12:46 +0100)]
glibc: new RHEL6 patches / fix CVE-2015-7547 and more

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 years ago core97: remove some core98 files from update filelist.
Arne Fitzenreiter [Thu, 28 Jan 2016 18:29:02 +0000 (19:29 +0100)]
core97: remove some core98 files from update filelist.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 years ago finish core97
Arne Fitzenreiter [Thu, 28 Jan 2016 15:20:16 +0000 (16:20 +0100)]
finish core97

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 years ago openssl: security update to 1.0.2f
Arne Fitzenreiter [Thu, 28 Jan 2016 14:58:46 +0000 (15:58 +0100)]
openssl: security update to 1.0.2f

changes:
* DH small subgroups - CVE-2016-0701
* SSLv2 doesn't block disabled ciphers - CVE-2015-3197
* Reject DH handshakes with parameters shorter than 1024 bits

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 years ago hwdate: update databases
Arne Fitzenreiter [Thu, 28 Jan 2016 12:24:50 +0000 (13:24 +0100)]
hwdate: update databases

pci.ids: 2016.01.28
usb.ids: 2015.12.17

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 years ago core97: prepare new core97 with openssl and openssh update.
Arne Fitzenreiter [Thu, 28 Jan 2016 12:08:59 +0000 (13:08 +0100)]
core97: prepare new core97 with openssl and openssh update.

the update itself has to be done...

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 years ago vdr_eepg: fix source download.
Arne Fitzenreiter [Fri, 25 Dec 2015 11:45:05 +0000 (12:45 +0100)]
vdr_eepg: fix source download.

the external server has changed the compression so the md5 has changed.
Always use the IPFire server as primary download source.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 years ago openssh: Update to 7.1p2
Matthias Fischer [Fri, 15 Jan 2016 16:43:50 +0000 (17:43 +0100)]
openssh: Update to 7.1p2

Fixes CVE-2016-0777

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago core96: don't overwrite grub defaults.
Arne Fitzenreiter [Sat, 23 Jan 2016 14:19:58 +0000 (15:19 +0100)]
core96: don't overwrite grub defaults.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 years ago core96: remove rrd ramdisk entry from fstab
Arne Fitzenreiter [Wed, 23 Dec 2015 10:32:53 +0000 (11:32 +0100)]
core96: remove rrd ramdisk entry from fstab

3 years ago core96: Regenerate language cache
Michael Tremer [Tue, 22 Dec 2015 15:10:31 +0000 (15:10 +0000)]
core96: Regenerate language cache

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago core96: Correctly call qosctrl
Michael Tremer [Tue, 22 Dec 2015 10:27:26 +0000 (10:27 +0000)]
core96: Correctly call qosctrl

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago core96: Fix deleting the old ramdisk directory
Michael Tremer [Tue, 22 Dec 2015 10:26:27 +0000 (10:26 +0000)]
core96: Fix deleting the old ramdisk directory

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago core96: set pakfire version to 96.
Arne Fitzenreiter [Sun, 20 Dec 2015 19:19:43 +0000 (20:19 +0100)]
core96: set pakfire version to 96.

3 years ago curl: Fix certificate validation
Michael Tremer [Sat, 19 Dec 2015 14:12:29 +0000 (14:12 +0000)]
curl: Fix certificate validation

curl did not find the certificate bundle so that server
certificates could not be verified.

Fixes #10995

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago strongswan: Update to 5.3.5
Michael Tremer [Sat, 19 Dec 2015 14:09:10 +0000 (14:09 +0000)]
strongswan: Update to 5.3.5

Also ships a fix for #853 upstream.

Fixes #10998

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago core96: Ship updated grub
Michael Tremer [Fri, 18 Dec 2015 23:42:15 +0000 (23:42 +0000)]
core96: Ship updated grub

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago grub 2.00: Bugfix for CVE-2015-8370
Matthias Fischer [Fri, 18 Dec 2015 20:28:52 +0000 (21:28 +0100)]
grub 2.00: Bugfix for CVE-2015-8370

See: http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html

"A vulnerability in Grub2 has been found. Versions from 1.98 (December, 2009)
to 2.02 (December, 2015) are affected. The vulnerability can be exploited
under certain circumstances, allowing local attackers to bypass any kind of
authentication (plain or hashed passwords). And so, the attacker may take
control of the computer."

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago dnsmasq 2.75: latest upstream patches ;-)
Matthias Fischer [Fri, 18 Dec 2015 14:11:25 +0000 (15:11 +0100)]
dnsmasq 2.75: latest upstream patches ;-)

The neverending story continues...

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago dnsmasq 2.75: latest upstream patches
Matthias Fischer [Wed, 16 Dec 2015 20:42:41 +0000 (21:42 +0100)]
dnsmasq 2.75: latest upstream patches

Since 'Makefile' was affected, I had to rewrite
'dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch', too.

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago Squid-Accounting: Bugfix & clean up data
Alexander Marx [Thu, 17 Dec 2015 10:31:30 +0000 (11:31 +0100)]
Squid-Accounting: Bugfix & clean up data

There was a bug in the addon so that no data was displayed because of a
typo. Additionally the computer accounts are now filtered out of
traffic data collection.
Only Proxy/AD/LDAP accounts and IP addresses are collected.

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago Rootfile update
Michael Tremer [Tue, 15 Dec 2015 18:32:55 +0000 (18:32 +0000)]
Rootfile update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago Midnight Commander 4.8.15: Update for rootfile
Matthias Fischer [Sun, 13 Dec 2015 17:04:40 +0000 (18:04 +0100)]
Midnight Commander 4.8.15: Update for rootfile

There was a syntax file which I overlooked...

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago core96: Ship rules.pl
Michael Tremer [Tue, 15 Dec 2015 13:54:04 +0000 (13:54 +0000)]
core96: Ship rules.pl

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago BUG10994: SNAT rules are missing the outgoing interface
Alexander Marx [Mon, 7 Dec 2015 14:57:32 +0000 (15:57 +0100)]
BUG10994: SNAT rules are missing the outgoing interface

When creating SNAT rules, the outgoing interface is not set. As a side
effect, traffic that should be sent unnatted to a VPN tunnel can be
natted, which is a bug.
With this patch the SNAT rules are getting an outgoing interface
according to the configuration. When selecting the RED Target network,
all SNAT rules will be configured with "-o red0". Otherwise, if "all" is
selected, there is no interface in the rule, which matches all networks.

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago ramdisk: Backup ramdisks once a night
Michael Tremer [Tue, 15 Dec 2015 13:47:52 +0000 (13:47 +0000)]
ramdisk: Backup ramdisks once a night

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago ntp: Prefer local clock
Michael Tremer [Tue, 15 Dec 2015 12:49:27 +0000 (12:49 +0000)]
ntp: Prefer local clock

For some reason, ntp won't use a local clock even if it is
there and up and running. Therefore we need to "prefer" our
only source of time.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Tested-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
3 years ago ntp 4.2.8p4: Update for rootfile
Matthias Fischer [Mon, 14 Dec 2015 23:07:10 +0000 (00:07 +0100)]
ntp 4.2.8p4: Update for rootfile

'/usr/share/ntp/lib/NTP/Util.pm' is needed for 'ntptrace'
to run correctly

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago ntp: Fix syncing with local clock
Michael Tremer [Tue, 15 Dec 2015 12:37:16 +0000 (12:37 +0000)]
ntp: Fix syncing with local clock

This is a bug that was introduced with the latest release
from upstream

Fixes #10997
Upstream: http://bugs.ntp.org/show_bug.cgi?id=2965

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago nano: Update to 2.5.0
Matthias Fischer [Sun, 13 Dec 2015 17:54:25 +0000 (18:54 +0100)]
nano: Update to 2.5.0

Changelog: http://www.nano-editor.org/dist/v2.5/ChangeLog

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago arping 2.15: Update for rootfile
Matthias Fischer [Sun, 13 Dec 2015 17:58:10 +0000 (18:58 +0100)]
arping 2.15: Update for rootfile

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago Speed up rootfile generation
Michael Tremer [Sat, 12 Dec 2015 17:06:10 +0000 (17:06 +0000)]
Speed up rootfile generation

The old usage of find walked through the entire filesystem tree
and excluded some paths from being printed. The more efficient
solution is to skip walking through excluded directories entirely.

This is a slight speedup of the build process by a few minutes.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago arping: Update to 2.15
Matthias Fischer [Sat, 12 Dec 2015 13:10:16 +0000 (14:10 +0100)]
arping: Update to 2.15

arping: Update to 2.15

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago Update rootfiles
Michael Tremer [Sat, 12 Dec 2015 11:52:18 +0000 (11:52 +0000)]
Update rootfiles

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago ramdisk: Remove temporary directory recursively
Michael Tremer [Sat, 12 Dec 2015 11:46:02 +0000 (12:46 +0100)]
ramdisk: Remove temporary directory recursively

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago ramdisk: Fix copying files
root [Sat, 12 Dec 2015 11:35:24 +0000 (12:35 +0100)]
ramdisk: Fix copying files

The shell expansion wasn't used because of the quotation marks.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago connections.cgi: Fix page crash with IPsec connections with one subnet only
Michael Tremer [Sat, 12 Dec 2015 09:50:19 +0000 (09:50 +0000)]
connections.cgi: Fix page crash with IPsec connections with one subnet only

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago core96: Ship missing libnet
Michael Tremer [Fri, 11 Dec 2015 18:48:19 +0000 (18:48 +0000)]
core96: Ship missing libnet

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago libnet 1.1.6: Fix for rootfile
Matthias Fischer [Sat, 5 Dec 2015 19:11:59 +0000 (20:11 +0100)]
libnet 1.1.6: Fix for rootfile

libnet 1.1.6: Fix for rootfile

See: https://forum.ipfire.org/viewtopic.php?f=27&t=15377, "error with
arping and libnet.so.1"
Should fix: Bug #10996 / https://bugzilla.ipfire.org/show_bug.cgi?id=10996

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago clamav: Update to 0.99
Matthias Fischer [Sat, 5 Dec 2015 03:12:51 +0000 (04:12 +0100)]
clamav: Update to 0.99

clamav: Update to 0.99

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago core96: Ship updated rrdtool
Michael Tremer [Fri, 11 Dec 2015 18:43:39 +0000 (18:43 +0000)]
core96: Ship updated rrdtool

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago rrdtool: Update to 1.5.5
Matthias Fischer [Sat, 5 Dec 2015 03:08:49 +0000 (04:08 +0100)]
rrdtool: Update to 1.5.5

rrdtool: Update to 1.5.5

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago Midnight Commander: Update to 4.8.15
Matthias Fischer [Thu, 3 Dec 2015 18:09:45 +0000 (19:09 +0100)]
Midnight Commander: Update to 4.8.15

Removed unrecognized option: --with-samba

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago core96: Ship routing.cgi
Michael Tremer [Thu, 10 Dec 2015 16:38:36 +0000 (16:38 +0000)]
core96: Ship routing.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago BUG10993: fix errormessage when editing static routes
Alexander Marx [Mon, 7 Dec 2015 13:36:31 +0000 (14:36 +0100)]
BUG10993: fix errormessage when editing static routes

When editing existing static routes and clicking on the apply button, there
was an error message saying that this route is already in use.
Now the error message is only displayed if a new route has the same IP
as an existing one.

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago dma: Import patch for better authentication
Michael Tremer [Thu, 10 Dec 2015 16:35:09 +0000 (16:35 +0000)]
dma: Import patch for better authentication

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago Update translations
Michael Tremer [Fri, 4 Dec 2015 22:22:55 +0000 (22:22 +0000)]
Update translations

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago Update rootfiles
Michael Tremer [Fri, 4 Dec 2015 22:22:41 +0000 (22:22 +0000)]
Update rootfiles

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago libpri: Honour CFLAGS
Michael Tremer [Fri, 4 Dec 2015 22:13:44 +0000 (22:13 +0000)]
libpri: Honour CFLAGS

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago openvmtools: Update to version 10.0.5
Michael Tremer [Fri, 4 Dec 2015 22:11:28 +0000 (22:11 +0000)]
openvmtools: Update to version 10.0.5

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago Drop tripwire
Michael Tremer [Fri, 4 Dec 2015 21:41:56 +0000 (21:41 +0000)]
Drop tripwire

This add-on is likely to be unused

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago xtables-addons: Make sure kernel module directory exists
Michael Tremer [Fri, 4 Dec 2015 21:38:05 +0000 (21:38 +0000)]
xtables-addons: Make sure kernel module directory exists

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago Drop cryptodev
Michael Tremer [Fri, 4 Dec 2015 21:32:58 +0000 (21:32 +0000)]
Drop cryptodev

This module isn't used by openssl any more and therefore
quite unnecessary.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago mISDNuser: Don't build with -Werror
Michael Tremer [Fri, 4 Dec 2015 21:18:11 +0000 (21:18 +0000)]
mISDNuser: Don't build with -Werror

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago liboping: Don't build with -Werror
Michael Tremer [Fri, 4 Dec 2015 21:17:27 +0000 (21:17 +0000)]
liboping: Don't build with -Werror

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago core96: Ship updated mdadm
Michael Tremer [Fri, 4 Dec 2015 22:17:51 +0000 (22:17 +0000)]
core96: Ship updated mdadm

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago mdadm: Update to 3.3.4
Michael Tremer [Fri, 4 Dec 2015 21:15:18 +0000 (21:15 +0000)]
mdadm: Update to 3.3.4

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago ebtables: Honour CFLAGS
Michael Tremer [Fri, 4 Dec 2015 21:14:47 +0000 (21:14 +0000)]
ebtables: Honour CFLAGS

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago openssl: Update to 1.0.2e
Michael Tremer [Thu, 3 Dec 2015 16:59:48 +0000 (16:59 +0000)]
openssl: Update to 1.0.2e

OpenSSL Security Advisory [3 Dec 2015]
=======================================

NOTE: WE ANTICIPATE THAT 1.0.0t AND 0.9.8zh WILL BE THE LAST RELEASES FOR THE
0.9.8 AND 1.0.0 VERSIONS AND THAT NO MORE SECURITY FIXES WILL BE PROVIDED (AS
PER PREVIOUS ANNOUNCEMENTS). USERS ARE ADVISED TO UPGRADE TO LATER VERSIONS.

BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
==================================================================

Severity: Moderate

There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No
EC algorithms are affected. Analysis suggests that attacks against RSA and DSA
as a result of this defect would be very difficult to perform and are not
believed likely. Attacks against DH are considered just feasible (although very
difficult) because most of the work necessary to deduce information
about a private key may be performed offline. The amount of resources
required for such an attack would be very significant and likely only
accessible to a limited number of attackers. An attacker would
additionally need online access to an unpatched system using the target
private key in a scenario with persistent DH parameters and a private
key that is shared between multiple clients. For example this can occur by
default in OpenSSL DHE based SSL/TLS ciphersuites.

This issue affects OpenSSL version 1.0.2.

OpenSSL 1.0.2 users should upgrade to 1.0.2e

This issue was reported to OpenSSL on August 13 2015 by Hanno
Böck. The fix was developed by Andy Polyakov of the OpenSSL
development team.

Certificate verify crash with missing PSS parameter (CVE-2015-3194)
===================================================================

Severity: Moderate

The signature verification routines will crash with a NULL pointer dereference
if presented with an ASN.1 signature using the RSA PSS algorithm and absent
mask generation function parameter. Since these routines are used to verify
certificate signature algorithms this can be used to crash any certificate
verification operation and exploited in a DoS attack. Any application which
performs certificate verification is vulnerable including OpenSSL clients and
servers which enable client authentication.

This issue affects OpenSSL versions 1.0.2 and 1.0.1.

OpenSSL 1.0.2 users should upgrade to 1.0.2e
OpenSSL 1.0.1 users should upgrade to 1.0.1q

This issue was reported to OpenSSL on August 27 2015 by Loïc Jonas Etienne
(Qnective AG). The fix was developed by Dr. Stephen Henson of the OpenSSL
development team.

X509_ATTRIBUTE memory leak (CVE-2015-3195)
==========================================

Severity: Moderate

When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
memory. This structure is used by the PKCS#7 and CMS routines so any
application which reads PKCS#7 or CMS data from untrusted sources is affected.
SSL/TLS is not affected.

This issue affects OpenSSL versions 1.0.2 and 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.2 users should upgrade to 1.0.2e
OpenSSL 1.0.1 users should upgrade to 1.0.1q
OpenSSL 1.0.0 users should upgrade to 1.0.0t
OpenSSL 0.9.8 users should upgrade to 0.9.8zh

This issue was reported to OpenSSL on November 9 2015 by Adam Langley
(Google/BoringSSL) using libFuzzer. The fix was developed by Dr. Stephen
Henson of the OpenSSL development team.

Race condition handling PSK identify hint (CVE-2015-3196)
=========================================================

Severity: Low

If PSK identity hints are received by a multi-threaded client then
the values are wrongly updated in the parent SSL_CTX structure. This can
result in a race condition potentially leading to a double free of the
identify hint data.

This issue was fixed in OpenSSL 1.0.2d and 1.0.1p but has not been previously
listed in an OpenSSL security advisory. This issue also affects OpenSSL 1.0.0
and has not been previously fixed in an OpenSSL 1.0.0 release.

OpenSSL 1.0.2 users should upgrade to 1.0.2d
OpenSSL 1.0.1 users should upgrade to 1.0.1p
OpenSSL 1.0.0 users should upgrade to 1.0.0t

The fix for this issue can be identified in the OpenSSL git repository by commit
ids 3c66a669dfc7 (1.0.2), d6be3124f228 (1.0.1) and 1392c238657e (1.0.0).

The fix was developed by Dr. Stephen Henson of the OpenSSL development team.

Note
====

As per our previous announcements and our Release Strategy
(https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions
1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these
versions will be provided after that date. In the absence of significant
security issues being identified prior to that date, the 1.0.0t and 0.9.8zh
releases will be the last for those versions. Users of these versions are
advised to upgrade.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20151203.txt

Note: the online version of the advisory may be updated with additional
details over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/about/secpolicy.html

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago ramdisk: Migrate everything during the update
Michael Tremer [Thu, 3 Dec 2015 16:34:59 +0000 (16:34 +0000)]
ramdisk: Migrate everything during the update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago ramdisk: Avoid copying data if no ramdisk is used
Michael Tremer [Thu, 3 Dec 2015 16:03:29 +0000 (16:03 +0000)]
ramdisk: Avoid copying data if no ramdisk is used

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago ramdisk: Move crontab back to disk
Michael Tremer [Thu, 3 Dec 2015 14:57:30 +0000 (14:57 +0000)]
ramdisk: Move crontab back to disk

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago ramdisk: Make usage of ramdisk configurable
Michael Tremer [Thu, 3 Dec 2015 14:41:49 +0000 (14:41 +0000)]
ramdisk: Make usage of ramdisk configurable

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago initscripts: functions: Fix indentation
Michael Tremer [Thu, 3 Dec 2015 14:27:33 +0000 (14:27 +0000)]
initscripts: functions: Fix indentation

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago Remove ramdisks for RRD databases
Alexander Marx [Thu, 3 Dec 2015 13:14:23 +0000 (13:14 +0000)]
Remove ramdisks for RRD databases

Ramdisks are very limited in space and as new graphs
are generated for OpenVPN N2N connections, etc. more
space is necessary.

This patch will enable ramdisks for all systems with more
than 490M of memory and allows the user to force using
a ramdisk on systems with less memory.

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Acked-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago Merge branch 'master' into next
Arne Fitzenreiter [Wed, 2 Dec 2015 20:39:20 +0000 (21:39 +0100)]
Merge branch 'master' into next

3 years ago core95: don't update snort.conf.
Arne Fitzenreiter [Wed, 2 Dec 2015 13:48:01 +0000 (14:48 +0100)]
core95: don't update snort.conf.

because this will erase selected rules.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 years ago dhcpcd: revert dhclient config before core91.
Arne Fitzenreiter [Wed, 2 Dec 2015 13:39:19 +0000 (14:39 +0100)]
dhcpcd: revert dhclient config before core91.

the new config has some ipv6 defaults that conflict with
t-com entertain.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 years ago kernel: bump pak version for pae kernel.
Arne Fitzenreiter [Wed, 2 Dec 2015 13:36:07 +0000 (14:36 +0100)]
kernel: bump pak version for pae kernel.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 years ago cpufreq: change initscript for intel pstate driver.
Arne Fitzenreiter [Wed, 2 Dec 2015 13:17:34 +0000 (14:17 +0100)]
cpufreq: change initscript for intel pstate driver.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 years ago kernel: enable intel_pstate driver.
Arne Fitzenreiter [Wed, 2 Dec 2015 13:13:04 +0000 (14:13 +0100)]
kernel: enable intel_pstate driver.

this is needed to use turbo boost of newer intel processors.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
3 years ago core96: Don't restart services that have not been updated
Michael Tremer [Tue, 1 Dec 2015 22:37:07 +0000 (22:37 +0000)]
core96: Don't restart services that have not been updated

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago core96: Ship updated dnsmasq
Michael Tremer [Tue, 1 Dec 2015 22:36:21 +0000 (22:36 +0000)]
core96: Ship updated dnsmasq

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago dnsmasq 2.75: latest upstream patches
Matthias Fischer [Fri, 27 Nov 2015 21:11:41 +0000 (22:11 +0100)]
dnsmasq 2.75: latest upstream patches

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago routing.cgi: Fix syntax error that caused an Internal Server Error
Michael Tremer [Wed, 25 Nov 2015 12:47:29 +0000 (12:47 +0000)]
routing.cgi: Fix syntax error that caused an Internal Server Error

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago Update Turkish translation
Ersan Yildirim [Mon, 23 Nov 2015 13:42:45 +0000 (13:42 +0000)]
Update Turkish translation

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago Update translations
Michael Tremer [Mon, 23 Nov 2015 13:42:08 +0000 (13:42 +0000)]
Update translations

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago installer+setup: Update translations
Michael Tremer [Sat, 21 Nov 2015 14:27:04 +0000 (14:27 +0000)]
installer+setup: Update translations

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago core96: Ship changed files
Michael Tremer [Thu, 19 Nov 2015 12:54:41 +0000 (12:54 +0000)]
core96: Ship changed files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago BUG10984: Fix portforwardconverter for upgrades before core 77
Alexander Marx [Mon, 16 Nov 2015 11:01:07 +0000 (12:01 +0100)]
BUG10984: Fix portforwardconverter for upgrades before core 77

When upgrading from a post core-77 installation, the portforwarding
rules seem to get broken. With this patch the sourceports and the
subnetmasks from the rules are converted correctly.

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago BUG10963: implement a better email verification
Alexander Marx [Thu, 19 Nov 2015 10:09:49 +0000 (11:09 +0100)]
BUG10963: implement a better email verification

We now check all allowed chars in the address before the '@' sign.
The domain part after the '@' sign is just checked for valid chars, so that user@ipfire is valid, too.

Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago strongswan: Update to 5.3.4
Michael Tremer [Thu, 19 Nov 2015 12:52:31 +0000 (12:52 +0000)]
strongswan: Update to 5.3.4

Fixes a security vulnerability in the EAP-MSCHAPv2 plugin
that is filed under CVE-2015-8023.

https://www.strongswan.org/blog/2015/11/16/strongswan-vulnerability-%28cve-2015-8023%29.html

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago core96: Ship updated core initscript
Michael Tremer [Wed, 18 Nov 2015 17:31:32 +0000 (17:31 +0000)]
core96: Ship updated core initscript

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 years ago snort: Also monitor assigned alias addresses on red.
Stefan Schantl [Fri, 16 Oct 2015 16:49:15 +0000 (18:49 +0200)]
snort: Also monitor assigned alias addresses on red.

These changes will allow snort to also inspect the traffic for
one or more configured alias addresses, which has not been done in the past.

The current situation is that snort, if enabled on red, only inspects
the traffic which is desired to the statically configured red address.

If some alias addresses have been assigned to the red interface, the
traffic to these addresses will not be checked by snort and
completely bypasses the IDS.

There is no user interaction required, nor visible effects or any
backward compatibility required, only a restart of snort after the
update process to protect all red addresses.

To do this we will now check if the RED interface has been set to STATIC (which
is required to use the aliases function) and any aliases have been configured. In
case of this, the modified code will add all enabled alias addresses to the HOMENET
variable in which snort is storing all the monitored addresses.

Fixes #10619.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>