people/pmueller/ipfire-2.x.git
3 weeks ago libvirt: add libtirpc to dependencies master
Arne Fitzenreiter [Mon, 31 Aug 2020 16:39:01 +0000 (18:39 +0200)] 
libvirt: add libtirpc to dependencies

libvirt is linked against libtirpc so this needs to be installed.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 weeks ago Merge remote-tracking branch 'origin/next'
Arne Fitzenreiter [Sun, 30 Aug 2020 07:52:55 +0000 (07:52 +0000)] 
Merge remote-tracking branch 'origin/next'

4 weeks ago core149: add vim to update
Arne Fitzenreiter [Sat, 29 Aug 2020 18:12:19 +0000 (18:12 +0000)] 
core149: add vim to update

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 weeks ago vim: update to 8.2 and fix crash with gcc-10
Arne Fitzenreiter [Sat, 29 Aug 2020 15:13:58 +0000 (17:13 +0200)] 
vim: update to 8.2 and fix crash with gcc-10

The configure.ac has a bug that detects gcc-10 as gcc-1 and so does not use
some quirks. Also, there is a bug with FORTIFY-SOURCE=2 that crashes
if the matchparen plugin is used (enabled by default).

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 weeks ago core149: add files to exclude from older updates
Arne Fitzenreiter [Wed, 26 Aug 2020 13:58:02 +0000 (13:58 +0000)] 
core149: add files to exclude from older updates

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 weeks ago Merge branch 'next'
Arne Fitzenreiter [Wed, 26 Aug 2020 13:50:50 +0000 (13:50 +0000)] 
Merge branch 'next'

4 weeks ago Core 148: Exclude location related settings files.
Stefan Schantl [Tue, 25 Aug 2020 18:46:56 +0000 (20:46 +0200)] 
Core 148: Exclude location related settings files.

This prevents existing files from being overwritten with empty ones
and the stored settings from finally being lost.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 weeks ago Core 148: Exclude location related settings files.
Stefan Schantl [Tue, 25 Aug 2020 18:46:56 +0000 (20:46 +0200)] 
Core 148: Exclude location related settings files.

This prevents existing files from being overwritten with empty ones
and the stored settings from finally being lost.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 weeks ago core149: Restart squid
Michael Tremer [Mon, 24 Aug 2020 09:48:36 +0000 (09:48 +0000)] 
core149: Restart squid

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago squid: Update to 4.13
Matthias Fischer [Sun, 23 Aug 2020 12:42:58 +0000 (14:42 +0200)] 
squid: Update to 4.13

For details see:
http://www.squid-cache.org/Versions/v4/changesets/

and

http://lists.squid-cache.org/pipermail/squid-users/2020-August/022566.html

Fixes (excerpt):

"* SQUID-2020:8 HTTP(S) Request Splitting
   (CVE-2020-15811)

This problem is serious because it allows any client, including
browser scripts, to bypass local security and poison the browser
cache and any downstream caches with content from an arbitrary
source.

* SQUID-2020:9 Denial of Service processing Cache Digest Response
   (CVE pending allocation)

This problem allows a trusted peer to deliver to perform Denial
of Service by consuming all available CPU cycles on the machine
running Squid when handling a crafted Cache Digest response
message.

* SQUID-2020:10 HTTP(S) Request Smuggling
   (CVE-2020-15810)

This problem is serious because it allows any client, including
browser scripts, to bypass local security and poison the proxy
cache and any downstream caches with content from an arbitrary
source.

* Bug 5051: Some collapsed revalidation responses never expire

* SSL-Bump: Support parsing GREASEd (and future) TLS handshakes

* Honor on_unsupported_protocol for intercepted https_port"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago smt: Fix check to detect if a system is running virtually
Michael Tremer [Fri, 21 Aug 2020 09:51:10 +0000 (11:51 +0200)] 
smt: Fix check to detect if a system is running virtually

/sys/hypervisor exists when a host has loaded the kvm modules.

Fixes: #12472
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago general-functions.pl: Do not check IPsec subnets for VTI/GRE connections
Michael Tremer [Thu, 20 Aug 2020 17:56:03 +0000 (17:56 +0000)] 
general-functions.pl: Do not check IPsec subnets for VTI/GRE connections

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago libvirt: Depend on ebtables
Michael Tremer [Wed, 19 Aug 2020 14:08:10 +0000 (16:08 +0200)] 
libvirt: Depend on ebtables

libvirtd requires this to create some custom firewall rules

Reported-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago libvirt: Ship all CPU maps
Michael Tremer [Wed, 19 Aug 2020 14:08:09 +0000 (16:08 +0200)] 
libvirt: Ship all CPU maps

Reported-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago core149: Ship zstd which is now part of the base system
Michael Tremer [Wed, 19 Aug 2020 12:12:08 +0000 (12:12 +0000)] 
core149: Ship zstd which is now part of the base system

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago zstd: Do not ship libstd.so
Michael Tremer [Wed, 19 Aug 2020 12:11:43 +0000 (12:11 +0000)] 
zstd: Do not ship libstd.so

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago rsync: Update to 3.2.3
Matthias Fischer [Tue, 18 Aug 2020 15:42:49 +0000 (17:42 +0200)] 
rsync: Update to 3.2.3

For details see:
https://download.samba.org/pub/rsync/NEWS#3.2.3

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago core149: Fix typo in apache initscript
Michael Tremer [Wed, 19 Aug 2020 11:56:56 +0000 (11:56 +0000)] 
core149: Fix typo in apache initscript

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago zstd 1.4.5: Deleted obsolete files from '/src/paks/'
Matthias Fischer [Tue, 18 Aug 2020 15:37:22 +0000 (17:37 +0200)] 
zstd 1.4.5: Deleted obsolete files from '/src/paks/'

No longer needed => deleted because of:
https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=c67ff7d72c2232b6994e1ff97277d4040711f97d

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago tshark: Update to version 3.2.6
Erik Kapfer [Tue, 18 Aug 2020 14:34:37 +0000 (14:34 +0000)] 
tshark: Update to version 3.2.6

The version jump from 3.2.3 to 3.2.6 includes several changes.
3.2.4 includes only bugfixes.
3.2.5 includes bugfixes and updated protocols.
3.2.6 includes also bugfixes and updated protocols.

For a full overview, the release notes can be found in here -->
https://www.wireshark.org/docs/relnotes/ .

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago Postfix: update to 3.5.6
Peter Müller [Mon, 17 Aug 2020 19:30:21 +0000 (19:30 +0000)] 
Postfix: update to 3.5.6

Please refer to http://www.postfix.org/announcements/postfix-3.5.6.html
for release announcements.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago zstd: Make this part of the core distributions
Michael Tremer [Tue, 18 Aug 2020 10:13:01 +0000 (10:13 +0000)] 
zstd: Make this part of the core distributions

Many packages link against it and we should make use of it
when we have it.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago qemu: Update rootfile
Michael Tremer [Tue, 18 Aug 2020 10:11:33 +0000 (10:11 +0000)] 
qemu: Update rootfile

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago rsync: Update rootfile
Michael Tremer [Tue, 18 Aug 2020 10:10:13 +0000 (10:10 +0000)] 
rsync: Update rootfile

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago core149: Ship popt
Michael Tremer [Mon, 17 Aug 2020 17:55:55 +0000 (17:55 +0000)] 
core149: Ship popt

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago popt: Update to 1.18
Matthias Fischer [Sun, 28 Jun 2020 07:36:33 +0000 (09:36 +0200)] 
popt: Update to 1.18

Recommended for 'rsync 3.2.1'.

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago rsync: Update to 3.2.1
Matthias Fischer [Sun, 28 Jun 2020 07:36:32 +0000 (09:36 +0200)] 
rsync: Update to 3.2.1

For details see:
https://download.samba.org/pub/rsync/NEWS#3.2.1

Although 3.2.2 is in "release testing", I decided to push this release now to get things running.

I activated zstd-support and added 'DEPS = zstd'.

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago zstd 1.4.5: New package
Matthias Fischer [Sun, 28 Jun 2020 07:36:31 +0000 (09:36 +0200)] 
zstd 1.4.5: New package

This package adds a "lossless compression algorithm" - supported by 'rsync 3.2.1'.

For details see:
https://github.com/facebook/zstd/releases/tag/v1.4.5

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago qemu: Update to 5.0.0
Matthias Fischer [Sat, 4 Jul 2020 23:04:51 +0000 (01:04 +0200)] 
qemu: Update to 5.0.0

For details see:
https://wiki.qemu.org/ChangeLog/5.0

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago usbredir: Update to 0.8.0
Matthias Fischer [Sat, 4 Jul 2020 23:04:50 +0000 (01:04 +0200)] 
usbredir: Update to 0.8.0

For details see:
https://gitlab.freedesktop.org/spice/usbredir/-/blob/master/ChangeLog

"-Source code and bug tracker hosted in Freedesktop's instance of Gitlab
 -https://gitlab.freedesktop.org/spice/usbredir
-usbredirfilter
 -Fix busy wait due endless recursion when interface_count is zero
-usbredirhost:
 -Fix leak on error
-usbredirserver:
 -Use 'busnum-devnum' instead of 'usbbus-usbaddr'
 -Add support for bind specific address -4 for ipv4, -6 for ipv6
 -Reject empty vendorid from command line
 -Enable TCP keepalive"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago libvirt: Update to 6.5.0
Matthias Fischer [Sat, 4 Jul 2020 23:04:49 +0000 (01:04 +0200)] 
libvirt: Update to 6.5.0

For details see:
https://libvirt.org/news.html

This update "just came my way" - I hope it's somehow useful.

I also checked updates for dependencies - 'libusbredir 0.8.0' and 'qemu 5.0.0' follow.

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago Postfix: update to 3.5.4
Peter Müller [Tue, 14 Jul 2020 19:05:10 +0000 (19:05 +0000)] 
Postfix: update to 3.5.4

Please refer to http://www.postfix.org/announcements/postfix-3.5.4.html
for release announcements.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago Tor: update to 0.4.3.6
Peter Müller [Tue, 14 Jul 2020 20:26:26 +0000 (20:26 +0000)] 
Tor: update to 0.4.3.6

Please refer to https://blog.torproject.org/new-release-tor-03511-0428-0436-security-fixes
for release announcements.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago clamav: Update to 0.102.4
Matthias Fischer [Fri, 17 Jul 2020 16:11:51 +0000 (18:11 +0200)] 
clamav: Update to 0.102.4

Fixes CVE-2020-3350, CVE-2020-3327, CVE-2020-3481

For details see:
https://blog.clamav.net/2020/07/clamav-01024-security-patch-released.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago core149: Ship bind
Michael Tremer [Mon, 17 Aug 2020 17:52:18 +0000 (17:52 +0000)] 
core149: Ship bind

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago bind: Update to 9.11.21
Matthias Fischer [Fri, 17 Jul 2020 16:16:51 +0000 (18:16 +0200)] 
bind: Update to 9.11.21

For details see:
https://downloads.isc.org/isc/bind9/9.11.21/RELEASE-NOTES-bind-9.11.21.html

"Bug Fixes

    named could crash when cleaning dead nodes in lib/dns/rbtdb.c that
    were being reused. [GL #1968]

    Properly handle missing kyua command so that make check does not
    fail unexpectedly when CMocka is installed, but Kyua is not. [GL
    #1950]

    The validator could fail to accept a properly signed RRset if an
    unsupported algorithm appeared earlier in the DNSKEY RRset than
    a supported algorithm. It could also stop if it detected a malformed
    public key. [GL #1689]"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago core149: Ship intel microcode
Michael Tremer [Mon, 17 Aug 2020 17:51:52 +0000 (17:51 +0000)] 
core149: Ship intel microcode

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago intel-microcode: update to 20200616
Peter Müller [Wed, 15 Jul 2020 17:01:00 +0000 (17:01 +0000)] 
intel-microcode: update to 20200616

Ice Lake Intel CPUs have been found to be vulnerable to MDS, thus
requiring new microcodes for them. <sarcasm>Yay!</sarcasm> Please refer to
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20200616
for further information.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago core149: Ship updated unbound
Michael Tremer [Mon, 17 Aug 2020 17:48:21 +0000 (17:48 +0000)] 
core149: Ship updated unbound

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago unbound: Update to 1.11.0
Matthias Fischer [Mon, 27 Jul 2020 18:07:00 +0000 (20:07 +0200)] 
unbound: Update to 1.11.0

For details see:
https://lists.nlnetlabs.nl/pipermail/unbound-users/2020-July/006921.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago 7zip: Move files to /usr
Michael Tremer [Mon, 17 Aug 2020 17:23:37 +0000 (17:23 +0000)] 
7zip: Move files to /usr

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago u-boot: Fix build with GCC 10
Michael Tremer [Mon, 17 Aug 2020 15:09:51 +0000 (15:09 +0000)] 
u-boot: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago grub: Run autoreconf after applying patches
Michael Tremer [Mon, 17 Aug 2020 15:09:24 +0000 (15:09 +0000)] 
grub: Run autoreconf after applying patches

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago core149: Ship everything that was recently updated
Michael Tremer [Mon, 17 Aug 2020 10:19:47 +0000 (10:19 +0000)] 
core149: Ship everything that was recently updated

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago socat: New package
Marcel Follert [Thu, 30 Jul 2020 22:22:11 +0000 (00:22 +0200)] 
socat: New package

Signed-off-by: Marcel Follert (Smooky) <smooky@v16.de>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago iproute2: Update to 5.8.0
Matthias Fischer [Sat, 15 Aug 2020 18:29:27 +0000 (20:29 +0200)] 
iproute2: Update to 5.8.0

For details see:
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/log/?h=v5.8.0

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago apache: Update to 2.4.46
Matthias Fischer [Sat, 15 Aug 2020 18:11:39 +0000 (20:11 +0200)] 
apache: Update to 2.4.46

For details see:
https://mirrors.ae-online.de/apache//httpd/CHANGES_2.4.46

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago logrotate: Update to 3.17.0
Matthias Fischer [Sat, 15 Aug 2020 15:43:13 +0000 (17:43 +0200)] 
logrotate: Update to 3.17.0

For details see:
https://github.com/logrotate/logrotate/releases/tag/3.17.0

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago OpenVPN: Add tls-version-min for TLSv1.2
Erik Kapfer [Sat, 15 Aug 2020 15:08:45 +0000 (17:08 +0200)] 
OpenVPN: Add tls-version-min for TLSv1.2

ovpnmain.cgi now delivers 'tls-version-min 1.2' for Roadwarrior and N2N.
Since the server needs it only on the server side, this patch does not include it for Roadwarrior clients.
N2N does not use push options, therefore this directive will be included on both sides.

To integrate the new directive into an actual working OpenVPN server environment, the following commands
should be executed via update.sh.

Code block start:

if test -f "/var/ipfire/ovpn/server.conf"; then
    # Add tls-version-min to the OpenVPN server if not already there
    if ! grep -q '^tls-version-min' /var/ipfire/ovpn/server.conf > /dev/null 2>&1; then
        # Stop the server before appending the line
        /usr/local/bin/openvpnctrl -k
        # Append the new directive
        echo "tls-version-min 1.2" >> /var/ipfire/ovpn/server.conf
        # Make sure server.conf has the correct permissions to prevent such a case:
        # --> https://community.ipfire.org/t/unable-to-start-the-openvpn-server/2465/54?u=ummeegge
        chown nobody:nobody /var/ipfire/ovpn/server.conf
        # Start the server again
        /usr/local/bin/openvpnctrl -s
    fi
fi

Code block end

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago curl: Update to version 7.71.1
Erik Kapfer [Tue, 11 Aug 2020 08:15:58 +0000 (08:15 +0000)] 
curl: Update to version 7.71.1

Several bugfixes and vulnerabilities have been fixed since the currently available version 7.64.0.

For a full overview, the changelog is located in here --> https://curl.haxx.se/changes.html,
a security problem overview in here --> https://curl.haxx.se/docs/security.html .

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago hyperscan: Update to 5.3.0
Stefan Schantl [Sat, 8 Aug 2020 19:20:42 +0000 (21:20 +0200)] 
hyperscan: Update to 5.3.0

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Michael Tremer <Michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago OpenVPN: max-clients value has been enhanced
Erik Kapfer [Mon, 10 Aug 2020 17:12:19 +0000 (19:12 +0200)] 
OpenVPN: max-clients value has been enhanced

The --max-client value has been enhanced from 255 clients to 1024 clients.
The error message now gives an explanation if the maximum has been reached.

Patch has been triggered by https://community.ipfire.org/t/openvpn-max-vpn-clients-quantity-and-connections/2925 .

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago haproxy: Update to 2.2.2
Michael Tremer [Wed, 5 Aug 2020 12:35:20 +0000 (12:35 +0000)] 
haproxy: Update to 2.2.2

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago index.cgi: Show a note to people who are running IPFire on i?86
Michael Tremer [Wed, 5 Aug 2020 12:23:07 +0000 (12:23 +0000)] 
index.cgi: Show a note to people who are running IPFire on i?86

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago index.cgi: Drop Reiser4 warning
Michael Tremer [Wed, 5 Aug 2020 12:23:06 +0000 (12:23 +0000)] 
index.cgi: Drop Reiser4 warning

We have dropped Reiser4 in 2013. There won't be any systems out there
any more running it. We can safely drop this warning.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago WIO. new version
Stephan Feddersen [Tue, 4 Aug 2020 19:31:15 +0000 (21:31 +0200)] 
WIO. new version

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago WIO: new french translation
Stephan Feddersen [Tue, 4 Aug 2020 19:31:14 +0000 (21:31 +0200)] 
WIO: new french translation

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago WIO: code cleanup
Stephan Feddersen [Tue, 4 Aug 2020 19:31:13 +0000 (21:31 +0200)] 
WIO: code cleanup

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago OpenSSL: remove ciphers without Forward Secrecy from default ciphersuite
Peter Müller [Sat, 1 Aug 2020 12:13:47 +0000 (12:13 +0000)] 
OpenSSL: remove ciphers without Forward Secrecy from default ciphersuite

Ciphers not supplying (Perfect) Forward Secrecy are considered dangerous
since they allow content decryption in retrospect, if an attacker is
able to gain access to the servers' private key used for the
corresponding TLS session.

Since IPFire machines establish very few TLS connections by themselves, and
destinations (IPFire.org infrastructure, mirrors, IPS rule sources, etc.)
provide support for Forward Secrecy ciphers - some are even enforcing
them -, it is safe to drop support for anything else.

This patch reduces the OpenSSL default cipher list to:
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(128) Mac=SHA256
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
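
The cipher listing in the commit above is in `openssl ciphers -v` column format, so the same format can be audited for suites without forward secrecy. The following is an added example, not part of the commit or of IPFire's code; the function names and the sample lines (two of which are plain-RSA suites constructed for illustration) are assumptions.

```shell
#!/bin/sh
# Added example: list cipher suites whose key exchange gives no forward secrecy,
# reading lines in the `openssl ciphers -v` format shown in the commit message.

# non_fs_ciphers: read a cipher listing on stdin, print "<name> Kx=<value>" for
# every suite that is NOT on the forward-secret allowlist.
# The allowlist holds only the Kx values that appear in the commit message
# (ECDH, DH, and "any" for TLSv1.3). Anything else is reported, so an unknown
# key exchange is flagged for review rather than silently accepted.
non_fs_ciphers() {
    awk '
        NF < 3 { next }                      # skip blank or malformed lines
        {
            proto = $2
            kx = ""
            for (i = 3; i <= NF; i++)        # column spacing varies, so search
                if ($i ~ /^Kx=/) kx = substr($i, 4)

            # TLSv1.3 suites are listed with Kx=any; certificate-based
            # TLS 1.3 handshakes always use ephemeral (EC)DHE.
            if (proto == "TLSv1.3" && kx == "any") next

            # The listing shows ephemeral ECDHE/DHE suites as Kx=ECDH / Kx=DH.
            # Exact match on purpose: values such as RSA or ECDH/RSA fall through.
            if (kx == "ECDH" || kx == "DH") next

            print $1, "Kx=" (kx == "" ? "?" : kx)
        }'
}

# all_forward_secret: exit status 0 if stdin contains only forward-secret
# suites, 1 otherwise. Usable as a gate in an update or CI script.
all_forward_secret() {
    [ -z "$(non_fs_ciphers)" ]
}

# Constructed sample: three lines in the style of the commit message plus two
# plain-RSA key exchange suites that the patch is meant to remove.
sample_listing() {
    cat <<'EOF'
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
EOF
}

# Demo on the constructed sample. On a live system the input would instead be:
#   openssl ciphers -v | non_fs_ciphers
sample_listing | non_fs_ciphers
```

An empty result from `openssl ciphers -v | non_fs_ciphers` on a patched system indicates that the default list contains only the key exchanges named in the commit message.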
6 weeks ago glibc: aarch64: Ignore uninitialised variables in the stage2 build, too
Michael Tremer [Mon, 17 Aug 2020 10:05:40 +0000 (10:05 +0000)] 
glibc: aarch64: Ignore uninitialised variables in the stage2 build, too

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago make.sh: Increase maximum size of ramdisk to 8GB
Michael Tremer [Sun, 16 Aug 2020 10:28:09 +0000 (10:28 +0000)] 
make.sh: Increase maximum size of ramdisk to 8GB

The previous 4GB were not enough for a full GCC bootstrap
in the toolchain stage.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago perl: Fix build in toolchain stage
Michael Tremer [Fri, 14 Aug 2020 23:29:05 +0000 (23:29 +0000)] 
perl: Fix build in toolchain stage

perl searches for headers and libraries in the wrong paths
and detects GCC 10 as GCC 1.x.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago make: Run autoreconf after applying patches
Michael Tremer [Fri, 14 Aug 2020 23:28:35 +0000 (23:28 +0000)] 
make: Run autoreconf after applying patches

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago glibc: Pass -Wno-error=maybe-uninitialized
Michael Tremer [Fri, 14 Aug 2020 23:17:14 +0000 (23:17 +0000)] 
glibc: Pass -Wno-error=maybe-uninitialized

This is required to build glibc in the toolchain stage on
aarch64 due to messy headers on the host system.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago glibc: Drop any custom CFLAGS
Michael Tremer [Fri, 14 Aug 2020 23:16:34 +0000 (23:16 +0000)] 
glibc: Drop any custom CFLAGS

glibc is nothing special and can and should be built with
the same flags as the rest of the system.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago make.sh: Bump toolchain version
Michael Tremer [Fri, 14 Aug 2020 16:28:09 +0000 (16:28 +0000)] 
make.sh: Bump toolchain version

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago make.sh: Add -fcf-protection for x86_64/i586
Michael Tremer [Fri, 14 Aug 2020 16:25:26 +0000 (16:25 +0000)] 
make.sh: Add -fcf-protection for x86_64/i586

Instrument binaries to guard against ROP/JOP attacks.

This flag is only available on x86_64 and i586.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago make.sh: Enable -fstack-clash-protection for x86_64/aarch64
Michael Tremer [Fri, 14 Aug 2020 16:22:55 +0000 (16:22 +0000)] 
make.sh: Enable -fstack-clash-protection for x86_64/aarch64

This patch turns on instrumentation to avoid skipping the guard page
in large stack frames.

Without this flag, vulnerabilities can result where the stack
overlaps with the heap, or thread stacks spill into other regions
of memory.

This flag is only available on x86_64 and aarch64.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago gcc: Bundle against OS versions of gmp/mpfr
Michael Tremer [Fri, 14 Aug 2020 15:13:02 +0000 (15:13 +0000)] 
gcc: Bundle against OS versions of gmp/mpfr

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago mpfr: Update to 4.1.0
Michael Tremer [Fri, 14 Aug 2020 15:12:45 +0000 (15:12 +0000)] 
mpfr: Update to 4.1.0

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago cmake: Do not limit compile processes to only two
Michael Tremer [Thu, 6 Aug 2020 18:13:58 +0000 (18:13 +0000)] 
cmake: Do not limit compile processes to only two

We can launch more when we have the memory for it

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago nfs: Update to 2.5.1 and remove bundled libnfsidmap
Michael Tremer [Tue, 11 Aug 2020 09:51:39 +0000 (09:51 +0000)] 
nfs: Update to 2.5.1 and remove bundled libnfsidmap

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago libnfsidmap: Split into a separate package
Michael Tremer [Tue, 11 Aug 2020 09:49:59 +0000 (09:49 +0000)] 
libnfsidmap: Split into a separate package

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago xinetd: Fix build against glibc 2.32 (without RPC)
Michael Tremer [Mon, 10 Aug 2020 14:06:13 +0000 (14:06 +0000)] 
xinetd: Fix build against glibc 2.32 (without RPC)

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago conntrack-tools: Fix build against libtirpc
Michael Tremer [Thu, 6 Aug 2020 18:18:12 +0000 (18:18 +0000)] 
conntrack-tools: Fix build against libtirpc

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago squid: Remove basic_nis_auth
Michael Tremer [Tue, 11 Aug 2020 10:17:20 +0000 (10:17 +0000)] 
squid: Remove basic_nis_auth

This depends on SunRPC in glibc which was removed in 2.32.

We do not use this file.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago python(2/3): Remove nis module
Michael Tremer [Tue, 11 Aug 2020 10:21:30 +0000 (10:21 +0000)] 
python(2/3): Remove nis module

This requires SunRPC and we do not use it.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago Build libtirpc earlier because RPC does not come with glibc any more
Michael Tremer [Thu, 6 Aug 2020 18:15:18 +0000 (18:15 +0000)] 
Build libtirpc earlier because RPC does not come with glibc any more

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago rpcsvc-proto: New package
Michael Tremer [Fri, 7 Aug 2020 11:47:32 +0000 (11:47 +0000)] 
rpcsvc-proto: New package

This is required since it is no longer included in glibc

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago Update glibc to 2.32
Michael Tremer [Thu, 6 Aug 2020 13:38:17 +0000 (13:38 +0000)] 
Update glibc to 2.32

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago make.sh: Remove -mindirect-branch=thunk and -mfunction-return=thunk as default
Michael Tremer [Fri, 7 Aug 2020 11:50:00 +0000 (11:50 +0000)] 
make.sh: Remove -mindirect-branch=thunk and -mfunction-return=thunk as default

I cannot find any evidence that this is helpful and no other
distribution has this as default. Packages that are vulnerable to these
attacks (i.e. the kernel) add these flags as appropriate automatically.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago Update GCC to 10.2.0
Michael Tremer [Thu, 6 Aug 2020 13:38:02 +0000 (13:38 +0000)] 
Update GCC to 10.2.0

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago bacula: Fix build with GCC 10
Michael Tremer [Wed, 12 Aug 2020 09:18:44 +0000 (09:18 +0000)] 
bacula: Fix build with GCC 10

GCC 10 aborts compilation when numbers are (potentially) out of range
when cast from one type to another:

fstype.c: In function 'bool fstype(FF_PKT*, char*, int)':
fstype.c:207:12: error: narrowing conversion of '4283649346' from
'unsigned int' to 'int' [-Wnarrowing]
  207 |       case 0xFF534D42:     fstype = "cifs"; break;          /*
CIFS_MAGIC_NUMBER */
      |            ^~~~~~~~~~
fstype.c:216:12: error: narrowing conversion of '4187351113' from
'unsigned int' to 'int' [-Wnarrowing]
  216 |       case 0xf995e849:     fstype = "hpfs"; break;          /*
HPFS_SUPER_MAGIC */
      |            ^~~~~~~~~~
fstype.c:217:12: error: narrowing conversion of '2508478710' from
'unsigned int' to 'int' [-Wnarrowing]
  217 |       case 0x958458f6:     fstype = "hugetlbfs"; break;     /*
HUGETLBFS_MAGIC */
      |            ^~~~~~~~~~
fstype.c:234:12: error: narrowing conversion of '2768370933' from
'unsigned int' to 'int' [-Wnarrowing]
  234 |       case 0xa501FCF5:     fstype = "vxfs"; break;
      |            ^~~~~~~~~~
fstype.c:237:12: error: narrowing conversion of '2435016766' from
'unsigned int' to 'int' [-Wnarrowing]
  237 |       case 0x9123683e:     fstype = "btrfs"; break;
      |            ^~~~~~~~~~

Does nobody build this for 32 bit any more?

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago kbd: Update to 2.2.0
Michael Tremer [Tue, 11 Aug 2020 09:44:56 +0000 (09:44 +0000)] 
kbd: Update to 2.2.0

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago u-boot: Fix build with GCC 10
Michael Tremer [Wed, 12 Aug 2020 09:44:04 +0000 (09:44 +0000)] 
u-boot: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago syslinux: Fix build with GCC 10
Michael Tremer [Tue, 11 Aug 2020 09:47:06 +0000 (09:47 +0000)] 
syslinux: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago ipfire-netboot: Fix build with GCC 10
Michael Tremer [Tue, 11 Aug 2020 09:46:40 +0000 (09:46 +0000)] 
ipfire-netboot: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago lcdproc: Fix build with GCC 10
Michael Tremer [Tue, 11 Aug 2020 09:46:03 +0000 (09:46 +0000)] 
lcdproc: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago iftop: Fix build with GCC 10
Michael Tremer [Tue, 11 Aug 2020 09:45:44 +0000 (09:45 +0000)] 
iftop: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago frr: Fix build with GCC 10
Michael Tremer [Tue, 11 Aug 2020 09:45:31 +0000 (09:45 +0000)] 
frr: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago bird: Fix build with GCC 10
Michael Tremer [Tue, 11 Aug 2020 09:45:19 +0000 (09:45 +0000)] 
bird: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago sarg: Fix build with GCC 10
Michael Tremer [Mon, 10 Aug 2020 14:05:56 +0000 (14:05 +0000)] 
sarg: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago minidlna: Fix build with GCC 10
Michael Tremer [Mon, 10 Aug 2020 14:05:42 +0000 (14:05 +0000)] 
minidlna: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago w_scan: Fix build with GCC 10
Michael Tremer [Mon, 10 Aug 2020 09:30:13 +0000 (09:30 +0000)] 
w_scan: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago tftpd: Fix build with GCC 10
Michael Tremer [Mon, 10 Aug 2020 09:29:57 +0000 (09:29 +0000)] 
tftpd: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago motion: Fix build with GCC 10
Michael Tremer [Mon, 10 Aug 2020 09:29:43 +0000 (09:29 +0000)] 
motion: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago openvmtools: Update to 11.1.0
Michael Tremer [Mon, 10 Aug 2020 09:28:27 +0000 (09:28 +0000)] 
openvmtools: Update to 11.1.0

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago icinga: Fix build with GCC 10
Michael Tremer [Mon, 10 Aug 2020 09:27:18 +0000 (09:27 +0000)] 
icinga: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago collectd: Fix build with GCC 10
Michael Tremer [Mon, 10 Aug 2020 09:27:08 +0000 (09:27 +0000)] 
collectd: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago 7zip: Fix build against GCC 10
Michael Tremer [Mon, 10 Aug 2020 09:26:45 +0000 (09:26 +0000)] 
7zip: Fix build against GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>