people/pmueller/ipfire-2.x.git
4 weeks ago Update contributors master
Michael Tremer [Wed, 16 Dec 2020 10:33:23 +0000 (10:33 +0000)] 
Update contributors

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
4 weeks ago kernel: update to 4.14.212
Arne Fitzenreiter [Wed, 16 Dec 2020 06:33:57 +0000 (07:33 +0100)] 
kernel: update to 4.14.212

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
4 weeks ago libhtp: Update to 0.5.36
Matthias Fischer [Sat, 12 Dec 2020 09:18:30 +0000 (10:18 +0100)] 
libhtp: Update to 0.5.36

For details see:
https://github.com/OISF/libhtp/releases

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
4 weeks ago suricata: Downgrade to 5.0.5
Matthias Fischer [Sat, 12 Dec 2020 09:14:35 +0000 (10:14 +0100)] 
suricata: Downgrade to 5.0.5

Triggered by https://lists.ipfire.org/pipermail/development/2020-December/008868.html

Workaround for https://bugzilla.ipfire.org/show_bug.cgi?id=12548

Downgrading to 'suricata 5.0.5' bypasses Bug #12548 for now,
but it's only a temporary workaround...

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
5 weeks ago core153: add ddns.cgi to update
Arne Fitzenreiter [Tue, 8 Dec 2020 17:40:57 +0000 (17:40 +0000)] 
core153: add ddns.cgi to update

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 weeks ago ddns.cgi: Drop static provider list for token based auth.
Stefan Schantl [Wed, 2 Dec 2020 11:30:11 +0000 (12:30 +0100)] 
ddns.cgi: Drop static provider list for token based auth.

This is really hard to maintain when adding new or altering existing
providers.

Reference #12415.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 weeks ago core153: add openssl to updater
Arne Fitzenreiter [Tue, 8 Dec 2020 17:33:47 +0000 (18:33 +0100)] 
core153: add openssl to updater

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 weeks ago openssl: update to 1.1.1i
Arne Fitzenreiter [Tue, 8 Dec 2020 17:27:00 +0000 (18:27 +0100)] 
openssl: update to 1.1.1i

fix: EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)

Severity: High

The X.509 GeneralName type is a generic type for representing different types
of names. One of those name types is known as EDIPartyName. OpenSSL provides a
function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME
to see if they are equal or not. This function behaves incorrectly when both
GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash
may occur leading to a possible denial of service attack.

OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes:
1) Comparing CRL distribution point names between an available CRL and a CRL
   distribution point embedded in an X509 certificate
2) When verifying that a timestamp response token signer matches the timestamp
   authority name (exposed via the API functions TS_RESP_verify_response and
   TS_RESP_verify_token)

If an attacker can control both items being compared then that attacker could
trigger a crash. For example if the attacker can trick a client or server into
checking a malicious certificate against a malicious CRL then this may occur.
Note that some applications automatically download CRLs based on a URL embedded
in a certificate. This checking happens prior to the signatures on the
certificate and CRL being verified. OpenSSL's s_server, s_client and verify
tools have support for the "-crl_download" option which implements automatic
CRL downloading and this attack has been demonstrated to work against those
tools.

Note that an unrelated bug means that affected versions of OpenSSL cannot parse
or construct correct encodings of EDIPARTYNAME. However it is possible to
construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence
trigger this attack.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
5 weeks ago kernel: update to 4.14.211
Arne Fitzenreiter [Tue, 8 Dec 2020 17:26:37 +0000 (18:26 +0100)] 
kernel: update to 4.14.211

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
6 weeks ago vdr: version 2.4.4 still uses plugin API 2.4.3
Arne Fitzenreiter [Sat, 5 Dec 2020 10:09:03 +0000 (10:09 +0000)]
vdr: version 2.4.4 still uses plugin API 2.4.3

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
6 weeks ago Merge branch 'next' into master
Arne Fitzenreiter [Thu, 3 Dec 2020 12:55:36 +0000 (12:55 +0000)] 
Merge branch 'next' into master

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
6 weeks ago rootfile-check: exclude gdb
Arne Fitzenreiter [Thu, 3 Dec 2020 06:50:41 +0000 (07:50 +0100)] 
rootfile-check: exclude gdb

gdb always contains aarch64 in a syscall list.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
6 weeks ago Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
Arne Fitzenreiter [Wed, 2 Dec 2020 22:43:15 +0000 (23:43 +0100)] 
Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next

6 weeks ago intel-microcode: update to 20201118
Arne Fitzenreiter [Wed, 2 Dec 2020 22:42:29 +0000 (23:42 +0100)] 
intel-microcode: update to 20201118

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
6 weeks ago kernel: update to 4.14.210
Arne Fitzenreiter [Wed, 2 Dec 2020 22:42:04 +0000 (23:42 +0100)] 
kernel: update to 4.14.210

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
6 weeks ago aws-cli: Update to 1.18.188
Michael Tremer [Wed, 2 Dec 2020 17:55:51 +0000 (17:55 +0000)] 
aws-cli: Update to 1.18.188

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago python3-botocore: Update to 1.19.28
Michael Tremer [Wed, 2 Dec 2020 17:55:22 +0000 (17:55 +0000)] 
python3-botocore: Update to 1.19.28

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago python3-urllib3: New package
Michael Tremer [Wed, 2 Dec 2020 17:54:32 +0000 (17:54 +0000)] 
python3-urllib3: New package

Required by botocore

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago core153: Ship DDNS
Michael Tremer [Wed, 2 Dec 2020 14:57:17 +0000 (14:57 +0000)] 
core153: Ship DDNS

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago ddns: Import upstream patch for provider DuckDNS.
Stefan Schantl [Wed, 2 Dec 2020 11:33:22 +0000 (12:33 +0100)] 
ddns: Import upstream patch for provider DuckDNS.

Fixes #12415.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago ddns: Import upstream patch for provider DDNSS.
Stefan Schantl [Wed, 2 Dec 2020 09:13:52 +0000 (10:13 +0100)] 
ddns: Import upstream patch for provider DDNSS.

Fixes #12328.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago tor.cgi: fix location function call again
Peter Müller [Tue, 1 Dec 2020 21:45:43 +0000 (21:45 +0000)] 
tor.cgi: fix location function call again

This line was accidentally messed up while merging two patchsets
together, causing tor.cgi to crash with an HTTP error 500 in testing.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago location-functions.pl: Remove accidentally kept 2nd DB init call.
Stefan Schantl [Wed, 2 Dec 2020 14:04:08 +0000 (15:04 +0100)]
location-functions.pl: Remove accidentally kept 2nd DB init call.

The get_full_country_name() function had an accidental and no longer
required call of the DB init function.

This is a waste of memory and a known problem, especially on systems
with less than 1GB of RAM, where the application which uses libloc in
such a redundant way crashes.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago libloc: Import latest fixes from upstream
Michael Tremer [Tue, 1 Dec 2020 17:05:43 +0000 (17:05 +0000)] 
libloc: Import latest fixes from upstream

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago Revert "OpenVPN: Add start of static routes in client N2N"
Michael Tremer [Tue, 1 Dec 2020 16:32:03 +0000 (16:32 +0000)] 
Revert "OpenVPN: Add start of static routes in client N2N"

This reverts commit 1c612d9e326a477bb1cbad719702c51c35f11d62.

https://lists.ipfire.org/pipermail/development/2020-November/008773.html

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago Core 153: Update ownership of "/var/ipfire/red".
Stefan Schantl [Sun, 29 Nov 2020 10:52:18 +0000 (11:52 +0100)] 
Core 153: Update ownership of "/var/ipfire/red".

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago configroot: Change ownership of "/var/ipfire/red" to nobody.
Stefan Schantl [Sun, 29 Nov 2020 10:52:17 +0000 (11:52 +0100)] 
configroot: Change ownership of "/var/ipfire/red" to nobody.

Otherwise the WUI is not allowed to put and release the nobeep file in
this folder and the desired functionality does not work.

Fixes #12385.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago core153: Ship openvpn
Michael Tremer [Tue, 1 Dec 2020 16:12:43 +0000 (16:12 +0000)] 
core153: Ship openvpn

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
6 weeks ago OpenVPN: Update to version 2.5.0
Erik Kapfer [Wed, 25 Nov 2020 22:26:03 +0000 (22:26 +0000)] 
OpenVPN: Update to version 2.5.0

Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Tested-by: Adolf Belka <ahb.ipfire@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks ago logwatch: Disable iptables output in summary.dat, fixes #12533
Matthias Fischer [Thu, 26 Nov 2020 18:27:33 +0000 (19:27 +0100)] 
logwatch: Disable iptables output in summary.dat, fixes #12533

This patch disables the output of 'iptables' in 'summary.dat' by
modifying '/usr/share/conf/logwatch.conf'.

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks ago core153: Ship knot
Michael Tremer [Fri, 27 Nov 2020 15:50:49 +0000 (15:50 +0000)] 
core153: Ship knot

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks ago knot: Update to 3.0.2
Matthias Fischer [Thu, 26 Nov 2020 17:36:53 +0000 (18:36 +0100)] 
knot: Update to 3.0.2

for details see:
https://www.knot-dns.cz/2020-11-11-version-302.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks ago ghostscript: Update to 9.53.3
Matthias Fischer [Thu, 26 Nov 2020 17:34:23 +0000 (18:34 +0100)] 
ghostscript: Update to 9.53.3

For details see:
https://www.ghostscript.com/doc/current/History9.htm#Version9.53.3

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks ago core153: Ship updated zone configuration page
Michael Tremer [Fri, 27 Nov 2020 15:49:03 +0000 (15:49 +0000)] 
core153: Ship updated zone configuration page

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks ago zoneconf.cgi: Add NIC selection highlighting
Leo-Andres Hofmann [Tue, 17 Nov 2020 06:29:04 +0000 (07:29 +0100)] 
zoneconf.cgi: Add NIC selection highlighting

This improves the usability of the zone configuration by marking assigned
NICs in the zone color. The highlighting is initially applied to the static
HTML output, and JavaScript is used to follow changes made by the user.

Signed-off-by: Leo-Andres Hofmann <hofmann@leo-andres.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks ago zoneconf.cgi: Improve CSS
Leo-Andres Hofmann [Tue, 17 Nov 2020 06:29:03 +0000 (07:29 +0100)] 
zoneconf.cgi: Improve CSS

- Add an element id so that the styling only affects the zone table
- Alternating row colors are now generated by CSS, remove unneeded Perl code

Signed-off-by: Leo-Andres Hofmann <hofmann@leo-andres.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks ago zoneconf.cgi: Make output HTML 5 standard compliant
Leo-Andres Hofmann [Tue, 17 Nov 2020 06:29:02 +0000 (07:29 +0100)] 
zoneconf.cgi: Make output HTML 5 standard compliant

This fixes two minor violations of the HTML standard:
- <a> elements may not contain nested <button> elements:
Replace the button with a simple hyperlink, because it was only used as a link anyway.

- "id" attributes may not contain whitespace:
Remove unneeded attribute, use hyphens instead of spaces.

Signed-off-by: Leo-Andres Hofmann <hofmann@leo-andres.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks ago zoneconf.cgi: Clean up HTML output
Leo-Andres Hofmann [Tue, 17 Nov 2020 06:29:01 +0000 (07:29 +0100)] 
zoneconf.cgi: Clean up HTML output

This adds missing brackets, cleans up the indentation and removes unnecessary CSS.

Signed-off-by: Leo-Andres Hofmann <hofmann@leo-andres.de>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks ago libloc: Import changes from upstream
Michael Tremer [Fri, 27 Nov 2020 15:46:39 +0000 (15:46 +0000)] 
libloc: Import changes from upstream

This fixes the segmentation fault on 32 bit systems.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks ago gdb: Build package to be available in the build environment
Michael Tremer [Fri, 27 Nov 2020 15:19:53 +0000 (15:19 +0000)] 
gdb: Build package to be available in the build environment

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks ago transmission: update to 3.00
Arne Fitzenreiter [Tue, 24 Nov 2020 19:51:25 +0000 (20:51 +0100)] 
transmission: update to 3.00

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks ago libloc: Import latest changes from upstream
Michael Tremer [Thu, 26 Nov 2020 16:15:07 +0000 (16:15 +0000)] 
libloc: Import latest changes from upstream

This is now a unified patch instead of being split into
individual commits from upstream.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks ago openvpn: Actually apply configured parameters
Michael Tremer [Tue, 20 Oct 2020 13:28:25 +0000 (13:28 +0000)] 
openvpn: Actually apply configured parameters

OpenVPN is an absolute mess. The behaviour of configuration
parameters has been changed over the time; default values have been
changed over time; and it looks like nobody is actually testing
anything any more.

I have been spending hours today on figuring out why OpenVPN
is so damn slow. On a Lightning Wire Labs IPFire Mini Appliance
it achieves about 100 MBit/s in the default configuration when
"openssl speed -evp aes-256-gcm" achieves over 3.5 GBit/s.

Changing any of the cryptography parameters does not change
anything. Throughput remains around 100 MBit/s.

I finally set "cipher none" and "auth none" which disables
encryption and authentication altogether but does not increase
throughput. From here on it was absolutely clear that it was
not a crypto issue.

OpenVPN tries to be smart here and does its own fragmentation.
This is the worst idea I have heard of all day, because that job
is normally done best by the OS.

Various settings which allow the user to "tune" this are grossly
ineffective - let alone it isn't even clear what I am supposed
to configure anywhere. Setting "fragment 1500" weirdly still
does not convince openvpn to generate a packet that is longer
than 1400 bytes. Who'd a thunk?

There is a number of other parameters to set the MTU or which
are related to it (tun-mtu, link-mtu, fragment, mssfix).

On top of all of this we have two "bugs" in ovpnmain.cgi which
are being fixed in this patch:

1) mssfix can be configured by the user. However, we always
   enable it in openvpn. The default is on, we only add "mssfix"
   which simply turns it on.
   It is now being disabled when the user has chosen so in the
   web UI. I do not know if this is backwards-compatible.

2) We cap the MTU (tun-mtu) at 1500 bytes when fragment is being
   used. So it becomes pointless that the user can this and the
   user is not being made aware of this when they hit the save
   button.
   This was added when we added path MTU discovery. Since that
   did not work and was removed, we can remove this now, too.

I achieved a solid 500-600 MBit/s of goodput with these settings:

* Disable mssfix
* Set "fragment" to 0
* Set MTU to 9000

I am sure the MTU could be further increased to have bigger packets,
but I did not test how badly this will affect latency of the tunnel.

OpenVPN seems to only be able to handle a certain amount of packets
a second - no matter what. With larger packets, the throughput of
the tunnel increases, but latency might as well.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Cc: Erik Kapfer <erik.kapfer@ipfire.org>
Cc: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks ago libloc: Import changes from upstream
Michael Tremer [Wed, 25 Nov 2020 20:02:30 +0000 (20:02 +0000)] 
libloc: Import changes from upstream

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks ago Run "./make.sh lang"
Michael Tremer [Wed, 25 Nov 2020 17:21:56 +0000 (17:21 +0000)] 
Run "./make.sh lang"

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks ago update translation files for changed Tor CGI strings
Peter Müller [Wed, 4 Nov 2020 21:29:14 +0000 (22:29 +0100)] 
update translation files for changed Tor CGI strings

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks ago Tor: allow enforcing distinct Guard relays or countries
Peter Müller [Wed, 4 Nov 2020 21:28:50 +0000 (22:28 +0100)] 
Tor: allow enforcing distinct Guard relays or countries

In order to make deanonymisation harder, especially high-risk Tor users
might want to use certain Guard relays only (for example operated by
people they trust), enforce Tor to use Guard relays in certain countries
only (for example countries with very strict data protection laws or
poor diplomatic relations), or avoid Guard relays in certain countries
entirely.

Since Tor sticks to sampled Guards for a long time (usually within the
range of months), restricting those is believed to cause less harm to a
user's anonymity than restricting Exit relays, since their diversity of
a generic Tor user is significantly higher.

This patch extends the Tor CGI for restricting Guard nodes to certain
countries or relays matching certain fingerprints.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks ago Tor: allow multiple countries to be selected for Exit relays
Peter Müller [Wed, 4 Nov 2020 21:28:22 +0000 (22:28 +0100)] 
Tor: allow multiple countries to be selected for Exit relays

This extends the functionality of the Tor CGI in order to be able to
select multiple countries for possible Exit relays, which is - in terms
of anonymity - less worse than limiting all Tor circuits to a single
country.

For example, a user might want to avoid Exit relays in more than one
country, and permit Tor to use Exit relays elsewhere, and vice versa.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks ago Tor: update to 0.4.4.6
Peter Müller [Wed, 25 Nov 2020 17:15:17 +0000 (17:15 +0000)] 
Tor: update to 0.4.4.6

Full changelog can be obtained from https://gitweb.torproject.org/tor.git/plain/ChangeLog?h=tor-0.4.4.6 .

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
7 weeks ago kernel: update to 4.14.209
Arne Fitzenreiter [Tue, 24 Nov 2020 19:52:22 +0000 (20:52 +0100)] 
kernel: update to 4.14.209

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
8 weeks ago core153: ship strongswan
Arne Fitzenreiter [Tue, 24 Nov 2020 10:08:13 +0000 (11:08 +0100)] 
core153: ship strongswan

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
8 weeks ago strongswan: update to 5.9.1
Arne Fitzenreiter [Tue, 24 Nov 2020 09:52:45 +0000 (10:52 +0100)] 
strongswan: update to 5.9.1

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
8 weeks ago vdr-dvbapi: fix rootfile
Arne Fitzenreiter [Tue, 24 Nov 2020 07:18:09 +0000 (08:18 +0100)] 
vdr-dvbapi: fix rootfile

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
8 weeks ago vdr: update to 2.4.4
Arne Fitzenreiter [Mon, 23 Nov 2020 17:27:46 +0000 (18:27 +0100)] 
vdr: update to 2.4.4

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
8 weeks ago freeradius: Depend on samba again
Michael Tremer [Mon, 23 Nov 2020 15:11:43 +0000 (15:11 +0000)] 
freeradius: Depend on samba again

The package requires more libraries than libtalloc from
the samba package and therefore we need this dependency
again.

Fixes: #12538
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
8 weeks ago apcupsd: addition of backup/includes definition
Adolf Belka [Mon, 23 Nov 2020 12:08:48 +0000 (13:08 +0100)] 
apcupsd: addition of backup/includes definition

Added a backup/includes file for apcupsd to backup the
/etc/apcupsd/ directory where all the configuration files
are stored. Currently there is no backup available to
save the state of any changes carried out to the configuration
or action files.

Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
8 weeks ago pcengines-firmware: update to 4.12.0.6
Arne Fitzenreiter [Mon, 23 Nov 2020 14:24:37 +0000 (15:24 +0100)] 
pcengines-firmware: update to 4.12.0.6

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
8 weeks ago kernel: update to 4.14.208
Arne Fitzenreiter [Mon, 23 Nov 2020 13:24:15 +0000 (14:24 +0100)] 
kernel: update to 4.14.208

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
8 weeks ago core153: Remove reloading microcode
Michael Tremer [Fri, 20 Nov 2020 20:04:13 +0000 (20:04 +0000)] 
core153: Remove reloading microcode

This requires that we can load the "microcode" module, but
since the kernel was replaced in this release, we can't load
it any more.

Fixes: #12537
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
8 weeks ago network-hotplug-bridges: Apply STP_PRIORITY
Daniel Weismüller [Fri, 20 Nov 2020 17:35:52 +0000 (18:35 +0100)] 
network-hotplug-bridges: Apply STP_PRIORITY

Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
8 weeks ago core153: Ship network-hotplug-bridges
Michael Tremer [Fri, 20 Nov 2020 13:47:01 +0000 (13:47 +0000)] 
core153: Ship network-hotplug-bridges

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
8 weeks ago Core 152: the script "network-hotplug-bridges" now reads the variable ${ZONE}_STP...
Daniel Weismüller [Thu, 19 Nov 2020 13:18:49 +0000 (14:18 +0100)] 
Core 152: the script "network-hotplug-bridges" now reads the variable ${ZONE}_STP from /var/ipfire/ethernet/settings so that STP can be turned on and off for each bridge

Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
8 weeks ago Core 153: Ship libhtp
Stefan Schantl [Thu, 19 Nov 2020 19:01:19 +0000 (20:01 +0100)] 
Core 153: Ship libhtp

libhtp has been updated and suricata 6 requires the new version, so
this lib has to be shipped with the core update.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago amazon-ssm-agent: Package /usr/bin/ssm-agent-worker
Michael Tremer [Thu, 19 Nov 2020 18:35:36 +0000 (18:35 +0000)] 
amazon-ssm-agent: Package /usr/bin/ssm-agent-worker

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago kernel: update to 4.14.207
Arne Fitzenreiter [Thu, 19 Nov 2020 18:08:33 +0000 (19:08 +0100)] 
kernel: update to 4.14.207

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months ago libloc: Import more changes from upstream
Michael Tremer [Thu, 19 Nov 2020 13:08:22 +0000 (13:08 +0000)] 
libloc: Import more changes from upstream

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago libloc: Import recent patches from upstream
Michael Tremer [Wed, 18 Nov 2020 13:30:15 +0000 (13:30 +0000)] 
libloc: Import recent patches from upstream

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago network: Mount/umount network file systems at the correct time
Michael Tremer [Tue, 17 Nov 2020 16:35:13 +0000 (16:35 +0000)] 
network: Mount/umount network file systems at the correct time

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago ipinfo.cgi: Align flag icon
Michael Tremer [Tue, 17 Nov 2020 16:04:10 +0000 (16:04 +0000)] 
ipinfo.cgi: Align flag icon

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago en.pl: fix accidentally removed line by ./make.sh langs
Peter Müller [Mon, 16 Nov 2020 17:42:12 +0000 (18:42 +0100)]
en.pl: fix accidentally removed line by ./make.sh langs

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago samba: remove pid at killproc in initscript
Arne Fitzenreiter [Sun, 1 Nov 2020 17:06:08 +0000 (18:06 +0100)] 
samba: remove pid at killproc in initscript

Sometimes a stale nmbd or smbd process prevents the start of samba.
This change should kill all processes.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months ago Merge remote-tracking branch 'origin/master' into next
Arne Fitzenreiter [Fri, 13 Nov 2020 18:20:59 +0000 (18:20 +0000)] 
Merge remote-tracking branch 'origin/master' into next

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months ago Update contributors
Michael Tremer [Fri, 13 Nov 2020 11:13:08 +0000 (11:13 +0000)] 
Update contributors

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago OpenVPN: Add start of static routes in client N2N
ummeegge [Wed, 11 Nov 2020 18:12:25 +0000 (18:12 +0000)] 
OpenVPN: Add start of static routes in client N2N

Fixes: #12529

- If a client N2N configuration will be imported into IPFire systems,
a line will be added which calls the --up script to restart the
static route initscript. Since this is IPFire specific, it will only be
added via import on IPFire system.
- Deleted unneeded line in CLIENTCONF section.
- Added description to SERVERCONF section.

Signed-off-by: ummeegge <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago amazon-ssm-agent: Update to 3.0.356.0
Michael Tremer [Fri, 13 Nov 2020 11:10:49 +0000 (11:10 +0000)] 
amazon-ssm-agent: Update to 3.0.356.0

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago go: Update to 1.15.4
Michael Tremer [Fri, 13 Nov 2020 11:10:33 +0000 (11:10 +0000)] 
go: Update to 1.15.4

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago intel-microcode: update to 20201112
Arne Fitzenreiter [Fri, 13 Nov 2020 08:03:00 +0000 (09:03 +0100)] 
intel-microcode: update to 20201112

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months ago kernel: update to 4.14.206
Arne Fitzenreiter [Thu, 12 Nov 2020 08:02:02 +0000 (09:02 +0100)] 
kernel: update to 4.14.206

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months ago Run "./make.sh lang"
Michael Tremer [Wed, 11 Nov 2020 18:30:45 +0000 (18:30 +0000)] 
Run "./make.sh lang"

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago langs: add changed strings to German and English translations
Peter Müller [Wed, 11 Nov 2020 14:17:59 +0000 (15:17 +0100)] 
langs: add changed strings to German and English translations

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago ipinfo.cgi: display AS information as well
Peter Müller [Wed, 11 Nov 2020 14:15:18 +0000 (15:15 +0100)] 
ipinfo.cgi: display AS information as well

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago location-functions.pl: add functions for fetching AS information
Peter Müller [Wed, 11 Nov 2020 14:14:09 +0000 (15:14 +0100)] 
location-functions.pl: add functions for fetching AS information

The second version of this patch only unifies the licence banner, but
leaves GPLv2 untouched. In addition, functions have been changed to use
a script-wide location database handle, as introduced in commit
b62d7e0cc71cc1ff23d66dd8baf0f5f3c5c7a29b.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago core153: Ship rules.pl
Michael Tremer [Wed, 11 Nov 2020 15:53:39 +0000 (15:53 +0000)] 
core153: Ship rules.pl

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago rules.pl: apply location filter to ppp0 if configured
Peter Müller [Tue, 3 Nov 2020 10:48:09 +0000 (11:48 +0100)] 
rules.pl: apply location filter to ppp0 if configured

In order to prevent collateral damage to internal traffic, commit
c69c820025c21713cdb77eae3dd4fa61ca71b5fb introduced applying location
block on red0 as a sanity check.

On systems configured to use PPPoE, however, traffic appears on the ppp0
interface instead. This patch checks if a system is configured to use
this connection method, and applies the location filter to this
interface. red0 is used otherwise.

Fixes: #12519

Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago spectre-meltdown-checker: update to 0.44
Peter Müller [Wed, 11 Nov 2020 13:45:06 +0000 (14:45 +0100)] 
spectre-meltdown-checker: update to 0.44

Full changelog as per https://github.com/speed47/spectre-meltdown-checker/releases/tag/v0.44 :

    feat: add support for SRBDS related vulnerabilities
    feat: add zstd kernel decompression (#370)
    enh: arm: add experimental support for binary arm images
    enh: rsb filling: no longer need the 'strings' tool to check for kernel support in live mode
    fix: fwdb: remove Intel extract tempdir on exit
    fix: has_vmm: ignore kernel threads when looking for a hypervisor (fixes #278)
    fix: fwdb: use the commit date as the intel fwdb version
    fix: fwdb: update Intel's repository URL
    fix: arm64: cve-2017-5753: kernels 4.19+ use a different nospec macro
    fix: on CPU parse info under FreeBSD
    chore: github: add check run on pull requests
    chore: fwdb: update to v165.20201021+i20200616

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago core153: Ship unbound initscript
Michael Tremer [Wed, 11 Nov 2020 12:08:57 +0000 (12:08 +0000)] 
core153: Ship unbound initscript

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago DNS: Make YouTube configurable for Safe Search
Michael Tremer [Sat, 7 Nov 2020 12:59:08 +0000 (12:59 +0000)] 
DNS: Make YouTube configurable for Safe Search

When safe search is enabled, it is being enabled on YouTube, too.

This creates problems in some scenarios like schools where politics
is being taught as well as other subjects that might be censored by
YouTube (i.e. election TV spots).

Therefore it is now possible to exclude YouTube from Safe Search
but keep it enabled for the search engines.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago core153: Update language cache
Michael Tremer [Wed, 11 Nov 2020 11:53:34 +0000 (11:53 +0000)] 
core153: Update language cache

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago core153: Ship Intel microcode and ask for reboot
Michael Tremer [Wed, 11 Nov 2020 11:52:13 +0000 (11:52 +0000)]
core153: Ship Intel microcode and ask for reboot

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago intel-microcode: update to 20201110
Arne Fitzenreiter [Wed, 11 Nov 2020 10:21:05 +0000 (11:21 +0100)] 
intel-microcode: update to 20201110

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago kernel: aarch64: enable ahci
Arne Fitzenreiter [Wed, 11 Nov 2020 08:11:55 +0000 (09:11 +0100)] 
kernel: aarch64: enable ahci

this is needed to boot on ESXi on arm.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago git: Bump package version
Michael Tremer [Tue, 10 Nov 2020 11:17:46 +0000 (11:17 +0000)] 
git: Bump package version

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago git: Add missing Error.pm and LoadCPAN submodules
ummeegge [Tue, 10 Nov 2020 09:28:56 +0000 (09:28 +0000)] 
git: Add missing Error.pm and LoadCPAN submodules

Fixes #12511

Signed-off-by: ummeegge <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago samba: Add support for custom configuration changes
Michael Tremer [Mon, 9 Nov 2020 18:43:15 +0000 (18:43 +0000)] 
samba: Add support for custom configuration changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago core153: Ship location changes
Michael Tremer [Mon, 9 Nov 2020 14:11:16 +0000 (14:11 +0000)] 
core153: Ship location changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago Adjust CGI files to work with latest location-function.pl changes.
Stefan Schantl [Sat, 7 Nov 2020 18:47:24 +0000 (19:47 +0100)] 
Adjust CGI files to work with latest location-function.pl changes.

Fixes #12515.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago locations-functions.pl: Allow get_locations() function to skip special locations.
Stefan Schantl [Sat, 7 Nov 2020 18:47:23 +0000 (19:47 +0100)] 
locations-functions.pl: Allow get_locations() function to skip special locations.

When adding "no_special_locations" to the function call as argument
the special locations like "A1, A2, A3 etc" will not be added to the
returned array as available locations.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago location-functions.pl: Add get_continent_code() function.
Stefan Schantl [Sat, 7 Nov 2020 18:47:22 +0000 (19:47 +0100)] 
location-functions.pl: Add get_continent_code() function.

This tiny function is used to get the continent code for a given
country code.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago location-functions.pl: Add END block to release the database handle.
Stefan Schantl [Sat, 7 Nov 2020 18:47:21 +0000 (19:47 +0100)] 
location-functions.pl: Add END block to release the database handle.

Reference #12515.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago location-functions.pl: Use a single script-wide db_handle.
Stefan Schantl [Sat, 7 Nov 2020 18:47:20 +0000 (19:47 +0100)] 
location-functions.pl: Use a single script-wide db_handle.

Create and use a single script-wide database handle for libloc to
prevent from creating multiple ones.

This helps saving memory, especially on small systems.

Reference #12515.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>