From: Arne Fitzenreiter Date: Fri, 4 Mar 2016 06:09:02 +0000 (+0100) Subject: Merge remote-tracking branch 'origin/master' into next X-Git-Tag: v2.19-core100~21 X-Git-Url: http://git.ipfire.org/?p=people%2Fpmueller%2Fipfire-2.x.git;a=commitdiff_plain;h=4a6cfe51a16575c7100862e2cc6f959bc48c6628;hp=64835e022c52d24432d201bd4d57f1aa962c1f90 Merge remote-tracking branch 'origin/master' into next Signed-off-by: Arne Fitzenreiter
---
diff --git a/config/backup/include b/config/backup/include
index 6ecb930fa7..eb76ebf362 100644
--- a/config/backup/include
+++ b/config/backup/include
@@ -33,7 +33,7 @@
 /var/log/ip-acct/*
 /var/log/rrd/*
 /var/log/rrd/collectd
-/var/log/rrd/vnstat
+/var/log/vnstat
 /etc/sysconfig/firewall.local
 /etc/sysconfig/rc.local
 /root/.gitconfig
diff --git a/config/rootfiles/common/openssh b/config/rootfiles/common/openssh
index 1b6ded3bab..c33003fe6b 100644
--- a/config/rootfiles/common/openssh
+++ b/config/rootfiles/common/openssh
@@ -14,7 +14,6 @@ etc/ssh/ssh_config
 etc/ssh/sshd_config
 usr/bin/scp
 usr/bin/sftp
-usr/bin/slogin
 usr/bin/ssh
 usr/bin/ssh-add
 usr/bin/ssh-agent
diff --git a/config/rootfiles/core/99/exclude b/config/rootfiles/core/99/exclude
new file mode 100644
index 0000000000..d87f175b5f
--- /dev/null
+++ b/config/rootfiles/core/99/exclude
@@ -0,0 +1,25 @@
+boot/config.txt
+etc/alternatives
+etc/collectd.custom
+etc/ipsec.conf
+etc/ipsec.secrets
+etc/ipsec.user.conf
+etc/ipsec.user.secrets
+etc/localtime
+etc/shadow
+etc/snort/snort.conf
+etc/ssh/ssh_config
+etc/ssh/sshd_config
+etc/ssl/openssl.cnf
+etc/sudoers
+etc/sysconfig/firewall.local
+etc/sysconfig/rc.local
+etc/udev/rules.d/30-persistent-network.rules
+srv/web/ipfire/html/proxy.pac
+var/ipfire/dma
+var/ipfire/time
+var/ipfire/ovpn
+var/lib/alternatives
+var/log/cache
+var/state/dhcp/dhcpd.leases
+var/updatecache
diff --git a/config/rootfiles/core/99/filelists/files b/config/rootfiles/core/99/filelists/files
new file mode 100644
index 0000000000..76b5b4e329
--- /dev/null
+++ b/config/rootfiles/core/99/filelists/files
@@ -0,0 +1,3 @@
+etc/system-release
+etc/issue
+var/ipfire/backup/include
diff --git a/config/rootfiles/core/99/filelists/i586/openssl-sse2 b/config/rootfiles/core/99/filelists/i586/openssl-sse2
new file mode 120000
index 0000000000..f424713d6c
--- /dev/null
+++ b/config/rootfiles/core/99/filelists/i586/openssl-sse2
@@ -0,0 +1 @@
+../../../../common/i586/openssl-sse2
\ No newline at end of file
diff --git a/config/rootfiles/core/99/filelists/openssh b/config/rootfiles/core/99/filelists/openssh
new file mode 120000
index 0000000000..d8c77fd8e7
--- /dev/null
+++ b/config/rootfiles/core/99/filelists/openssh
@@ -0,0 +1 @@
+../../../common/openssh
\ No newline at end of file
diff --git a/config/rootfiles/core/99/filelists/openssl b/config/rootfiles/core/99/filelists/openssl
new file mode 120000
index 0000000000..e011a9266c
--- /dev/null
+++ b/config/rootfiles/core/99/filelists/openssl
@@ -0,0 +1 @@
+../../../common/openssl
\ No newline at end of file
diff --git a/config/rootfiles/core/99/meta b/config/rootfiles/core/99/meta
new file mode 100644
index 0000000000..d547fa86fa
--- /dev/null
+++ b/config/rootfiles/core/99/meta
@@ -0,0 +1 @@
+DEPS=""
diff --git a/config/rootfiles/core/99/update.sh b/config/rootfiles/core/99/update.sh
new file mode 100644
index 0000000000..b57d0a738f
--- /dev/null
+++ b/config/rootfiles/core/99/update.sh
@@ -0,0 +1,62 @@
+#!/bin/bash
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2016 IPFire-Team . #
+# #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+/usr/local/bin/backupctrl exclude >/dev/null 2>&1
+
+# Remove old core updates from pakfire cache to save space...
+core=99
+for (( i=1; i<=$core; i++ ))
+do
+ rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
+done
+
+# Stop services
+
+# remove slogin which is not included in new OpenSSH
+rm /usr/bin/slogin
+
+# Extract files
+extract_files
+
+# Update Language cache
+# /usr/local/bin/update-lang-cache
+
+# Start services
+/etc/init.d/sshd restart
+/etc/init.d/apache restart
+
+# This update need a reboot...
+touch /var/run/need_reboot
+
+# Finish
+/etc/init.d/fireinfo start
+sendprofile
+# Update grub config to display new core version
+if [ -e /boot/grub/grub.cfg ]; then
+ grub-mkconfig -o /boot/grub/grub.cfg
+fi
+sync
+
+# Don't report the exitcode last command
+exit 0
diff --git a/config/rootfiles/oldcore/98/update.sh b/config/rootfiles/oldcore/98/update.sh
index ec9c1aaa69..7e0cc2dc26 100644
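Review bot: The result of `extract_files` is never checked and the script ends with an unconditional `exit 0`, so a failed or partial extraction of the new openssl and openssh filelists would still be recorded as a completed Core 99 update while the old binaries stay in place. Consider recording the failure before the services are restarted, for example `extract_files || logger -t core-update "core 99: extract_files failed"` (this assumes `extract_files` from functions.sh returns a non-zero status on error, which the hunk does not show). Separately, `rm /usr/bin/slogin` would be better as `rm -f /usr/bin/slogin`, so that a system where the file is already gone does not print an error during the update.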
--- a/config/rootfiles/oldcore/98/update.sh
+++ b/config/rootfiles/oldcore/98/update.sh
@@ -39,7 +39,10 @@ extract_files
 # Bugfixes for core96 updater bugs...
 if [ -e /boot/grub/grub.conf ]; then
 # legacy grub config on xen or citrix conflicts with grub2 config
- rm /boot/grub/grub.cfg
+ # and core96 contains an empty file
+ if [ ! -s /boot/grub/grub.cfg ]; then
+ rm /boot/grub/grub.cfg
+ fi
 fi
 if [ -e /boot/grub/grub.cfg ]; then
diff --git a/lfs/openssh b/lfs/openssh
index 546bc7ed82..ab25d6233a 100644
--- a/lfs/openssh
+++ b/lfs/openssh
@@ -1,7 +1,7 @@
 ###############################################################################
 # #
 # IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2015 IPFire Team #
+# Copyright (C) 2007-2016 IPFire Team #
 # #
 # This program is free software: you can redistribute it and/or modify #
 # it under the terms of the GNU General Public License as published by #
@@ -24,7 +24,7 @@
 include Config
-VER = 7.1p2
+VER = 7.2p1
 THISAPP = openssh-$(VER)
 DL_FILE = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 4d8547670e2a220d5ef805ad9e47acf2
+$(DL_FILE)_MD5 = b984775f0cfff1f7ff18b8797fce8a28
 install : $(TARGET)
diff --git a/lfs/openssl b/lfs/openssl
index c5b71f7976..eb7352f8cb 100644
--- a/lfs/openssl
+++ b/lfs/openssl
@@ -24,7 +24,7 @@
 include Config
-VER = 1.0.2f
+VER = 1.0.2g
 THISAPP = openssl-$(VER)
 DL_FILE = $(THISAPP).tar.gz
@@ -53,6 +53,7 @@ CONFIGURE_OPTIONS = \
 zlib-dynamic \
 enable-camellia \
 enable-md2 \
+ enable-ssl2 \
 enable-seed \
 enable-tlsext \
 enable-rfc3779 \
@@ -86,7 +87,7 @@ objects = $(DL_FILE)
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = b3bf73f507172be9292ea2a8c28b659d
+$(DL_FILE)_MD5 = f3c710c045cdee5fd114feb69feba7aa
 install : $(TARGET)
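Review bot: `[ ! -s /boot/grub/grub.cfg ]` is also true when grub.cfg does not exist at all, so on a legacy-grub system without that file the added block in oldcore/98/update.sh runs `rm` on a missing path and prints an error. Use `rm -f /boot/grub/grub.cfg`, or make the test `[ -e /boot/grub/grub.cfg ] && [ ! -s /boot/grub/grub.cfg ]`. The added comment would read more clearly as `# core96 shipped an empty grub.cfg; remove it only when it is empty`. The script continues past the end of the hunk.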
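Review bot: Adding `enable-ssl2` to CONFIGURE_OPTIONS in lfs/openssl compiles the SSLv2 protocol code back into libssl in the same commit that moves to 1.0.2g, a release whose upstream default, as far as I know, is to build without SSLv2. After this change the only thing keeping SSLv2 off is the runtime default set by openssl-1.0.2g-disable-sslv2v3.patch, which a caller can clear with SSL_CTX_clear_options() and which the replaced patch described as affecting SSLv23_method() only. If the option is there only to keep the library's exported symbols stable for already-built packages, say so above the variable, e.g. `# enable-ssl2 is kept for ABI compatibility only; SSLv2/SSLv3 stay off by default via openssl-1.0.2g-disable-sslv2v3.patch`, and plan to drop it once dependents are rebuilt. The CONFIGURE_OPTIONS list starts and ends outside the hunk.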
@@ -119,7 +120,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.0-beta5-enginesdir.patch
 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2a-rpmbuild.patch
 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1m-weak-ciphers.patch
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-disable-sslv2-sslv3.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2g-disable-sslv2v3.patch
 # i586 specific patches
 ifeq "$(MACHINE)" "i586"
diff --git a/lfs/stunnel b/lfs/stunnel
index f6f27e0759..4585151a86 100644
--- a/lfs/stunnel
+++ b/lfs/stunnel
@@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE)
 DIR_APP = $(DIR_SRC)/$(THISAPP)
 TARGET = $(DIR_INFO)/$(THISAPP)
 PROG = stunnel
-PAK_VER = 1
+PAK_VER = 2
 DEPS = ""
diff --git a/make.sh b/make.sh
index bed9230da9..8392e30333 100755
--- a/make.sh
+++ b/make.sh
@@ -26,7 +26,7 @@ NAME="IPFire" # Software name
 SNAME="ipfire" # Short name
 VERSION="2.17" # Version number
 CORE="100" # Core Level (Filename)
-PAKFIRE_CORE="98" # Core Level (PAKFIRE)
+PAKFIRE_CORE="99" # Core Level (PAKFIRE)
 GIT_BRANCH=`git rev-parse --abbrev-ref HEAD` # Git Branch
 SLOGAN="www.ipfire.org" # Software slogan
 CONFIG_ROOT=/var/ipfire # Configuration rootdir
diff --git a/src/patches/openssl-1.0.2g-disable-sslv2v3.patch b/src/patches/openssl-1.0.2g-disable-sslv2v3.patch
new file mode 100644
index 0000000000..06f51322b4
--- /dev/null
+++ b/src/patches/openssl-1.0.2g-disable-sslv2v3.patch
@@ -0,0 +1,18 @@
+diff -up openssl-1.0.2g/ssl/ssl_lib.c.v2v3 openssl-1.0.2g/ssl/ssl_lib.c
+--- openssl-1.0.2g/ssl/ssl_lib.c.v2v3 2016-03-01 16:38:26.879142021 +0100
++++ openssl-1.0.2g/ssl/ssl_lib.c 2016-03-01 16:41:32.977353769 +0100
+@@ -2055,11 +2055,11 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+ ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
+
+ /*
+- * Disable SSLv2 by default, callers that want to enable SSLv2 will have to
+- * explicitly clear this option via either of SSL_CTX_clear_options() or
++ * Disable SSLv2 and SSLv3 by default, callers that want to enable these will have to
++ * explicitly clear these options via either of SSL_CTX_clear_options() or
+ * SSL_clear_options().
+ */
+- ret->options |= SSL_OP_NO_SSLv2;
++ ret->options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+
+ return (ret);
+ err:
diff --git a/src/patches/openssl-disable-sslv2-sslv3.patch b/src/patches/openssl-disable-sslv2-sslv3.patch
deleted file mode 100644
index e42dfac69b..0000000000
--- a/src/patches/openssl-disable-sslv2-sslv3.patch
+++ /dev/null
@@ -1,12 +0,0 @@
---- openssl-1.0.1m/ssl/ssl_lib.c.old 2015-03-19 15:56:40.966287977 +0100
-+++ openssl-1.0.1m/ssl/ssl_lib.c 2015-03-19 15:57:07.976160846 +0100
-@@ -1892,6 +1892,9 @@
- */
- ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
-
-+ /* Disable SSLv2 and SSLv3 by default (affects the SSLv23_method() only) */
-+ ret->options |= SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
-+
- return (ret);
- err:
- SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
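Review bot: The rewritten comment in the SSL_CTX_new() hunk of the new patch drops the caveat that the replaced patch carried, `(affects the SSLv23_method() only)`. If that limit still holds for 1.0.2g, the comment should keep it, for example by adding the line ` * This default applies to SSLv23_method() only; version-specific methods are not restricted by it.` before the closing `*/`. A maintainer reading only the new text could otherwise conclude that SSLv2 and SSLv3 are unreachable by default, which matters now that lfs/openssl builds with `enable-ssl2`. The body of SSL_CTX_new() starts and ends outside the hunk.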