people/pmueller/ipfire-2.x.git
7 weeks ago  kernel: update to 4.14.131  master
Arne Fitzenreiter [Thu, 27 Jun 2019 16:18:41 +0000 (18:18 +0200)] 
kernel: update to 4.14.131

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months ago  intel-microcode: update to 20190618
Arne Fitzenreiter [Sat, 22 Jun 2019 18:59:32 +0000 (20:59 +0200)] 
intel-microcode: update to 20190618

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months ago  Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
Arne Fitzenreiter [Sat, 22 Jun 2019 14:01:16 +0000 (16:01 +0200)] 
Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next

2 months ago  kernel: 4.14.129
Arne Fitzenreiter [Sat, 22 Jun 2019 14:00:37 +0000 (16:00 +0200)] 
kernel: 4.14.129

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months ago  finish core134
Arne Fitzenreiter [Sat, 22 Jun 2019 06:47:55 +0000 (08:47 +0200)] 
finish core134

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months ago  Update contributors
Michael Tremer [Fri, 21 Jun 2019 00:39:42 +0000 (01:39 +0100)] 
Update contributors

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  core134: Ship updated firewall initscript
Michael Tremer [Fri, 21 Jun 2019 00:38:59 +0000 (01:38 +0100)] 
core134: Ship updated firewall initscript

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  core134: Ship updated bind
Michael Tremer [Fri, 21 Jun 2019 00:38:22 +0000 (01:38 +0100)] 
core134: Ship updated bind

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  bind: Update to 9.11.8
Matthias Fischer [Fri, 21 Jun 2019 12:31:26 +0000 (14:31 +0200)] 
bind: Update to 9.11.8

For Details see:
https://downloads.isc.org/isc/bind9/9.11.8/RELEASE-NOTES-bind-9.11.8.html

"Security Fixes
    A race condition could trigger an assertion failure when a large number
    of incoming packets were being rejected.
    This flaw is disclosed in CVE-2019-6471. [GL #942]"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  BUG12015: Redirecting to Captive portal does not work after IPFire restart
Alexander Marx [Thu, 20 Jun 2019 05:04:30 +0000 (07:04 +0200)] 
BUG12015: Redirecting to Captive portal does not work after IPFire restart

When the Captive portal is enabled, the needed firewall rules are applied. But when restarting IPFire,
the rules are not applied because there is no call to do so.
Added call to captivectrl in the initscript 'firewall'.

Fixes: #12015

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  core134: ship core133 late fixes again
Arne Fitzenreiter [Fri, 21 Jun 2019 09:58:58 +0000 (11:58 +0200)] 
core134: ship core133 late fixes again

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months ago  Merge remote-tracking branch 'origin/master' into next
Arne Fitzenreiter [Thu, 20 Jun 2019 07:35:59 +0000 (09:35 +0200)] 
Merge remote-tracking branch 'origin/master' into next

2 months ago  kernel: remove RPi DMA alignment revert
Arne Fitzenreiter [Thu, 20 Jun 2019 07:33:17 +0000 (09:33 +0200)] 
kernel: remove RPi DMA alignment revert

TODO: test if RPi works without now or if we need to
revert more of the alignment patches.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months ago  Kernel: update to 4.14.128
Arne Fitzenreiter [Wed, 19 Jun 2019 19:01:29 +0000 (21:01 +0200)] 
Kernel: update to 4.14.128

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months ago  core134: Ship updated vim
Michael Tremer [Tue, 18 Jun 2019 21:35:23 +0000 (22:35 +0100)] 
core134: Ship updated vim

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  Remove old vim 7.4 data
Matthias Fischer [Wed, 19 Jun 2019 11:24:06 +0000 (13:24 +0200)] 
Remove old vim 7.4 data

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  vim: Update to 8.1
Matthias Fischer [Wed, 19 Jun 2019 11:24:05 +0000 (13:24 +0200)] 
vim: Update to 8.1

Please note:
If this gets merged, the update process must deal with the otherwise remaining
files in '/usr/share/vim74' (~16 MB).

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  Update French translation
Stéphane Pautrel [Tue, 18 Jun 2019 19:01:23 +0000 (20:01 +0100)] 
Update French translation

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  core134: add kernel to updater
Arne Fitzenreiter [Tue, 18 Jun 2019 16:49:46 +0000 (18:49 +0200)] 
core134: add kernel to updater

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months ago  Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
Arne Fitzenreiter [Tue, 18 Jun 2019 16:42:02 +0000 (18:42 +0200)] 
Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next

2 months ago  kernel: update to 4.14.127
Arne Fitzenreiter [Tue, 18 Jun 2019 16:41:19 +0000 (18:41 +0200)] 
kernel: update to 4.14.127

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months ago  linux-pae: fix grub.conf creation on pv machines
Arne Fitzenreiter [Tue, 18 Jun 2019 12:36:02 +0000 (14:36 +0200)] 
linux-pae: fix grub.conf creation on pv machines

On some systems it seems that grub2 and its config also exist.

2 months ago  core134: Ship changed general-functions.pl
Michael Tremer [Tue, 18 Jun 2019 08:13:21 +0000 (09:13 +0100)] 
core134: Ship changed general-functions.pl

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  BUG12070: It's not possible to use the underscore in email addresses
Alexander Marx [Tue, 18 Jun 2019 07:55:35 +0000 (09:55 +0200)] 
BUG12070: It's not possible to use the underscore in email addresses

Using IPFire's Mailservice does not allow entering a sender's mail address with an underscore.
The function used to verify that is used from general-functions.pl.
Now the function 'validemail' allows the underscore in the address.

Fixes: #12070

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  core134: Ship updated unbound
Michael Tremer [Mon, 17 Jun 2019 16:40:37 +0000 (17:40 +0100)] 
core134: Ship updated unbound

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  unbound: Update to 1.9.2
Matthias Fischer [Mon, 17 Jun 2019 19:11:00 +0000 (21:11 +0200)] 
unbound: Update to 1.9.2

For details see:
https://nlnetlabs.nl/pipermail/unbound-users/2019-June/011632.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  vpnmain.cgi: Fix writing ESP settings for PFS ciphers
Peter Müller [Mon, 17 Jun 2019 14:08:00 +0000 (14:08 +0000)] 
vpnmain.cgi: Fix writing ESP settings for PFS ciphers

The changes introduced due to #12091 caused IPsec ESP
to be invalid if PFS ciphers were selected. Code has
to read "!$pfs" instead of just "$pfs", as it should trigger
for ciphers _without_ Perfect Forward Secrecy.

Fixes #12099

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  Merge branch 'master' into next
Arne Fitzenreiter [Sat, 15 Jun 2019 16:09:06 +0000 (18:09 +0200)] 
Merge branch 'master' into next

2 months ago  vpnmain.cgi: remove wrong "shift-space"
Arne Fitzenreiter [Sat, 15 Jun 2019 15:38:47 +0000 (17:38 +0200)] 
vpnmain.cgi: remove wrong "shift-space"

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months ago  hyperscan: increase min RAM per build process to 1GB
Arne Fitzenreiter [Fri, 14 Jun 2019 20:09:47 +0000 (22:09 +0200)] 
hyperscan: increase min RAM per build process to 1GB

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months ago  core133: Ship jansson in update
Michael Tremer [Fri, 14 Jun 2019 05:22:52 +0000 (06:22 +0100)] 
core133: Ship jansson in update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  finish core133
Arne Fitzenreiter [Wed, 12 Jun 2019 17:57:21 +0000 (19:57 +0200)] 
finish core133

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2 months ago  core134: Ship updated OpenSSL
Michael Tremer [Wed, 12 Jun 2019 16:25:13 +0000 (17:25 +0100)] 
core134: Ship updated OpenSSL

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  OpenSSL: lower priority for CBC ciphers in default cipherlist
Peter Müller [Mon, 10 Jun 2019 18:55:00 +0000 (18:55 +0000)] 
OpenSSL: lower priority for CBC ciphers in default cipherlist

In order to avoid CBC ciphers as often as possible (they contain
some known vulnerabilities), this changes the OpenSSL default
ciphersuite to:

TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(128) Mac=SHA256
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
CAMELLIA256-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
CAMELLIA128-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1

Since TLS servers usually override the clients' preference with their
own, this will neither break existing setups nor introduce huge
differences in the wild. Unfortunately, CBC ciphers cannot be disabled
at all, as they are still used by popular web sites.

TLS 1.3 ciphers will be added implicitly and can be omitted in the
cipherstring. Chacha20/Poly1305 is preferred over AES-GCM due to missing
AES-NI support for the majority of installations reporting to Fireinfo
(see https://fireinfo.ipfire.org/processors for details, AES-NI support
is 28.22% at the time of writing).

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  Start Core Update 134
Michael Tremer [Wed, 12 Jun 2019 16:18:23 +0000 (17:18 +0100)] 
Start Core Update 134

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  unbound: Make some zones type-transparent
Michael Tremer [Wed, 12 Jun 2019 16:14:28 +0000 (17:14 +0100)] 
unbound: Make some zones type-transparent

If we remove other records (like MX) from the response, we won't
be able to send mail to those hosts any more.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  unbound: Add yandex.com to safe search feature
Michael Tremer [Wed, 12 Jun 2019 16:11:32 +0000 (17:11 +0100)] 
unbound: Add yandex.com to safe search feature

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  unbound: safe search: Resolve hosts at startup
Michael Tremer [Thu, 13 Jun 2019 10:12:07 +0000 (11:12 +0100)] 
unbound: safe search: Resolve hosts at startup

unbound is not able to expand CNAMEs in local-data. Therefore we
have to do it manually at startup.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  Tor: fix permissions after updating, too
Peter Müller [Mon, 10 Jun 2019 19:02:00 +0000 (19:02 +0000)] 
Tor: fix permissions after updating, too

Fixes #12088

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reported-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  core133: Ship updated wpa_supplicant
Michael Tremer [Tue, 11 Jun 2019 06:00:38 +0000 (07:00 +0100)] 
core133: Ship updated wpa_supplicant

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  wpa_supplicant: Update to 2.8
Matthias Fischer [Tue, 11 Jun 2019 13:32:15 +0000 (15:32 +0200)] 
wpa_supplicant: Update to 2.8

For details see:
https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  smt: Only disable SMT when the kernel thinks it is vulnerable
Michael Tremer [Tue, 11 Jun 2019 17:07:23 +0000 (17:07 +0000)] 
smt: Only disable SMT when the kernel thinks it is vulnerable

On virtual machines, it does not make sense to disable SMT for the
virtual cores. This has to be done by the hypervisor.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  ship language files in Core Update 133
Peter Müller [Mon, 10 Jun 2019 18:22:00 +0000 (18:22 +0000)] 
ship language files in Core Update 133

These were missing in Core Update 132, and some strings
(especially on the "CPU vulnerabilities" page) missed translations.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  Rootfile update
Michael Tremer [Mon, 10 Jun 2019 08:58:15 +0000 (09:58 +0100)] 
Rootfile update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  convert-ids-modifysids-file: Fix check if the ids is running.
Stefan Schantl [Sun, 9 Jun 2019 15:55:34 +0000 (17:55 +0200)] 
convert-ids-modifysids-file: Fix check if the ids is running.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  hostapd: Update to 2.8
Matthias Fischer [Sun, 9 Jun 2019 10:10:07 +0000 (12:10 +0200)] 
hostapd: Update to 2.8

For details see:
https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  Rootfile update
Michael Tremer [Sat, 8 Jun 2019 10:34:37 +0000 (11:34 +0100)] 
Rootfile update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  Rootfile update
Michael Tremer [Fri, 7 Jun 2019 10:14:11 +0000 (11:14 +0100)] 
Rootfile update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  core133: Ship updated knot package
Michael Tremer [Fri, 7 Jun 2019 10:13:01 +0000 (11:13 +0100)] 
core133: Ship updated knot package

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  knot: Update to 2.8.2
Matthias Fischer [Thu, 6 Jun 2019 18:30:56 +0000 (20:30 +0200)] 
knot: Update to 2.8.2

For details see:
https://www.knot-dns.cz/2019-06-05-version-282.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  Update contributors
Michael Tremer [Wed, 5 Jun 2019 11:46:37 +0000 (12:46 +0100)] 
Update contributors

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  suricata: Enable EVE logging
Erik Kapfer [Tue, 4 Jun 2019 13:00:24 +0000 (15:00 +0200)] 
suricata: Enable EVE logging

The EVE output facility outputs alerts, metadata, file info and protocol-specific records through JSON.
For further information please see --> https://suricata.readthedocs.io/en/suricata-4.1.2/output/eve/index.html .

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Acked-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  convert-ids-modifysids-file: Adjust code to use changed write_modify_sids_file function
Stefan Schantl [Wed, 5 Jun 2019 18:56:35 +0000 (20:56 +0200)] 
convert-ids-modifysids-file: Adjust code to use changed write_modify_sids_file function

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  core133: Ship snort configuration converter
Michael Tremer [Wed, 5 Jun 2019 11:42:53 +0000 (12:42 +0100)] 
core133: Ship snort configuration converter

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  convert-snort: Adjust code to use changed modify_sids_file function.
Stefan Schantl [Wed, 5 Jun 2019 18:56:34 +0000 (20:56 +0200)] 
convert-snort: Adjust code to use changed modify_sids_file function.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  ids-functions.pl: Rework function write_modify_sids_file().
Stefan Schantl [Wed, 5 Jun 2019 18:56:33 +0000 (20:56 +0200)] 
ids-functions.pl: Rework function write_modify_sids_file().

Directly implement the logic to determine the used ruleset and if
IDS or IPS mode should be used into the function instead of passing those
details as arguments.

This helps to prevent from doing this stuff at several places again and again.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  core133: Ship IPS changes
Michael Tremer [Wed, 5 Jun 2019 11:41:37 +0000 (12:41 +0100)] 
core133: Ship IPS changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  suricata: correct rule actions in IPS mode
Tim FitzGeorge [Wed, 5 Jun 2019 18:56:32 +0000 (20:56 +0200)] 
suricata: correct rule actions in IPS mode

In IPS mode rule actions need to have the action 'drop' for the
protection to work, however this is not appropriate for all rules.
Modify the generator for oinkmaster-modify-sids.conf to leave
rules with the action 'alert' where this is appropriate.  Also add
a script to be run on update to correct existing downloaded rules.

Fixes #12086

Signed-off-by: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Tested-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  core133: Ship IDS ruleset updater
Michael Tremer [Wed, 5 Jun 2019 11:34:44 +0000 (12:34 +0100)] 
core133: Ship IDS ruleset updater

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  update-ids-ruleset: Run as unprivileged user.
Stefan Schantl [Wed, 5 Jun 2019 16:27:10 +0000 (18:27 +0200)] 
update-ids-ruleset: Run as unprivileged user.

Check if the script has been launched as privileged user (root) and drop all
permissions by switching to the "nobody" user and group.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  core133: Ship updated vpnmain.cgi file and regenerate configuration
Michael Tremer [Wed, 5 Jun 2019 04:08:31 +0000 (05:08 +0100)] 
core133: Ship updated vpnmain.cgi file and regenerate configuration

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  vpnmain.cgi: Fix wrong cipher suite generation when PFS is disabled
Michael Tremer [Wed, 5 Jun 2019 09:22:53 +0000 (10:22 +0100)] 
vpnmain.cgi: Fix wrong cipher suite generation when PFS is disabled

Fixes: #12091
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  monit: Some fixes for 'monitrc'
Matthias Fischer [Wed, 5 Jun 2019 09:54:29 +0000 (11:54 +0200)] 
monit: Some fixes for 'monitrc'

Just cosmetics:
Removed all trailing spaces - there were a few...

Activated 'monit' start delay:
I activated this option to avoid running into a race condition while started through
'/etc/init.d/monit start'.

As mentioned in 'monit' manual:
"...if a service is slow to start, Monit can assume that the service is not running
and possibly try to start it [again] and raise an alert, while, in fact the service
is already about to start or already in its startup sequence."

This happened here during testing with (e.g.) Clamav.

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  core133: Ship updated dhcp.cgi
Michael Tremer [Tue, 4 Jun 2019 23:33:36 +0000 (00:33 +0100)] 
core133: Ship updated dhcp.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  dhcp.cgi: Save fixed leases immediately after addition of a new lease
Bernhard Bitsch [Tue, 4 Jun 2019 10:24:00 +0000 (12:24 +0200)] 
dhcp.cgi: Save fixed leases immediately after addition of a new lease

This changes the behaviour of the script to immediately save the added
lease to file but still remain in edit mode to make changes.

If the user does not make any changes, the lease is immediately saved
and there is no second click required to write it to file.

This is a more natural flow that is expected by almost all users of this
feature.

Fixes: #12050
Signed-off-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  SMT: Disable when system is vulnerable to L1TF (Foreshadow)
Michael Tremer [Tue, 4 Jun 2019 22:55:17 +0000 (23:55 +0100)] 
SMT: Disable when system is vulnerable to L1TF (Foreshadow)

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  Rootfile update for ARM kernels
Michael Tremer [Tue, 4 Jun 2019 22:44:49 +0000 (23:44 +0100)] 
Rootfile update for ARM kernels

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  Rootfile update for gcc on i586
Michael Tremer [Tue, 4 Jun 2019 22:41:59 +0000 (23:41 +0100)] 
Rootfile update for gcc on i586

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  core133: Ship updated PAM
Michael Tremer [Tue, 4 Jun 2019 22:32:35 +0000 (23:32 +0100)] 
core133: Ship updated PAM

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  linux-pam: Update to 1.3.1
Matthias Fischer [Wed, 5 Jun 2019 07:16:58 +0000 (09:16 +0200)] 
linux-pam: Update to 1.3.1

For details see:
https://github.com/linux-pam/linux-pam/releases

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  core133: Ship updated rrdtool
Michael Tremer [Tue, 4 Jun 2019 22:31:51 +0000 (23:31 +0100)] 
core133: Ship updated rrdtool

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  rrdtool: Update to 1.7.2
Matthias Fischer [Wed, 5 Jun 2019 07:13:11 +0000 (09:13 +0200)] 
rrdtool: Update to 1.7.2

For details see:
https://oss.oetiker.ch/rrdtool/pub/CHANGES

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  BUG 11487: solve problem with unexpected shutdown
sfeddersen [Tue, 4 Jun 2019 19:49:22 +0000 (21:49 +0200)] 
BUG 11487: solve problem with unexpected shutdown

Solve problem with unexpected shutdown when checking a single client.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  Rootfile update
Michael Tremer [Mon, 3 Jun 2019 08:20:05 +0000 (09:20 +0100)] 
Rootfile update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  make.sh: Set default ccache size to 4G
Michael Tremer [Sun, 2 Jun 2019 21:52:57 +0000 (22:52 +0100)] 
make.sh: Set default ccache size to 4G

Since we have now one cache for each architecture, we do not
need to make it too large.

The largest build (i586 because of the two kernels) uses around
2.5GB after one build. So 4G will give us some space.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  core133: Ship updated ovpnmain.cgi
Michael Tremer [Sun, 2 Jun 2019 21:49:42 +0000 (22:49 +0100)] 
core133: Ship updated ovpnmain.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  ovpnmain.cgi: Fixed line break for LZO option
Erik Kapfer [Sat, 1 Jun 2019 06:46:14 +0000 (08:46 +0200)] 
ovpnmain.cgi: Fixed line break for LZO option

It is more readable if everything is on one line.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  monit: Update to 5.25.3
Matthias Fischer [Fri, 31 May 2019 19:54:45 +0000 (21:54 +0200)] 
monit: Update to 5.25.3

For details see:
https://mmonit.com/monit/changes/

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  make.sh: Have a ccache for each architecture
Michael Tremer [Wed, 29 May 2019 14:28:45 +0000 (15:28 +0100)] 
make.sh: Have a ccache for each architecture

It does not make much sense to mix architectures into a single
ccache:

* There is never going to be a match
* The cache gets bigger and therefore slower
* If both architectures are being compiled one after the other and
  the cache hits its maximum size, cached but still needed content
  will be dropped
* Only both can be deleted together

This small change splits this into multiple caches. One per
architecture. Therefore we should be more efficient on builders
that build for multiple architectures.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  miau: Drop package
Michael Tremer [Wed, 29 May 2019 14:24:29 +0000 (15:24 +0100)] 
miau: Drop package

This is not maintained since 2010

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  openssl: Update to 1.1.1c
Michael Tremer [Wed, 29 May 2019 10:22:22 +0000 (11:22 +0100)] 
openssl: Update to 1.1.1c

Fixes CVE-2019-1543

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  strongswan: Update to 5.8.0
Michael Tremer [Tue, 28 May 2019 12:05:50 +0000 (13:05 +0100)] 
strongswan: Update to 5.8.0

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  tshark: Update to 3.0.2
Erik Kapfer [Tue, 28 May 2019 09:38:59 +0000 (11:38 +0200)] 
tshark: Update to 3.0.2

Incl. one vulnerability and several bug fixes. For full overview --> https://www.wireshark.org/docs/relnotes/wireshark-3.0.2.html .

- Disabled geoip support since libmaxminddb is not present.
- Added dictionary in ROOTFILE to prevent "radius: Could not open file: '/usr/share/wireshark/radius/dictionary' " .
- Added CMAKE build type
- Removed profile examples and htmls completely from ROOTFILE.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  ccache: Automatically set size to 8GB
Michael Tremer [Tue, 28 May 2019 11:01:30 +0000 (12:01 +0100)] 
ccache: Automatically set size to 8GB

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  core133: Ship toolchain changes
Michael Tremer [Tue, 28 May 2019 10:44:32 +0000 (11:44 +0100)] 
core133: Ship toolchain changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  Rootfile update
Michael Tremer [Tue, 28 May 2019 10:41:46 +0000 (11:41 +0100)] 
Rootfile update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  hyperscan: Limit amount of memory being used during build
Michael Tremer [Tue, 28 May 2019 10:36:06 +0000 (11:36 +0100)] 
hyperscan: Limit amount of memory being used during build

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  ddns: Update to 011
Michael Tremer [Mon, 27 May 2019 15:25:01 +0000 (16:25 +0100)] 
ddns: Update to 011

Adds support for two new providers and includes some general bug
fixes.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  core133: Ship updated IPS ruleset sources
Michael Tremer [Mon, 27 May 2019 14:48:44 +0000 (15:48 +0100)] 
core133: Ship updated IPS ruleset sources

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  ruleset-sources: Update snort dl urls.
Stefan Schantl [Sun, 26 May 2019 18:11:55 +0000 (20:11 +0200)] 
ruleset-sources: Update snort dl urls.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  tor: Ship updated CGI
Michael Tremer [Mon, 27 May 2019 14:47:02 +0000 (15:47 +0100)] 
tor: Ship updated CGI

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  tor.cgi: Disable debugging output
Erik Kapfer [Sun, 26 May 2019 15:02:56 +0000 (17:02 +0200)] 
tor.cgi: Disable debugging output

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  core133: Drop metadata for jansson package
Michael Tremer [Mon, 27 May 2019 14:42:50 +0000 (15:42 +0100)] 
core133: Drop metadata for jansson package

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  core133: Ship hyperscan
Michael Tremer [Mon, 27 May 2019 14:40:31 +0000 (15:40 +0100)] 
core133: Ship hyperscan

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  hyperscan: Move rootfiles to arch directories
Michael Tremer [Mon, 27 May 2019 14:38:42 +0000 (15:38 +0100)] 
hyperscan: Move rootfiles to arch directories

This package is only compiled on x86_64 and i586 and cannot
be packaged in any of the other architectures.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  hyperscan: New package
Stefan Schantl [Sun, 26 May 2019 17:56:47 +0000 (19:56 +0200)] 
hyperscan: New package

This package adds hyperscan support to suricata

Fixes #12053.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  ragel: New package
Stefan Schantl [Sun, 26 May 2019 17:56:46 +0000 (19:56 +0200)] 
ragel: New package

This is a build dependency of hyperscan

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  colm: New package
Stefan Schantl [Sun, 26 May 2019 17:56:45 +0000 (19:56 +0200)] 
colm: New package

This is a build dependency of ragel, which is a build dependency of
hyperscan.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  asterisk: Remove dependency on jansson.
Stefan Schantl [Sun, 26 May 2019 17:51:40 +0000 (19:51 +0200)] 
asterisk: Remove dependency on jansson.

The package has become part of the main system.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago  jansson: Move to core system and update to 2.12
Stefan Schantl [Sun, 26 May 2019 17:51:39 +0000 (19:51 +0200)] 
jansson: Move to core system and update to 2.12

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>