Arne Fitzenreiter [Mon, 9 Dec 2019 18:03:14 +0000 (18:03 +0000)]
Merge branch 'next'
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Mon, 9 Dec 2019 17:48:07 +0000 (18:48 +0100)]
core139: finish
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sun, 8 Dec 2019 21:55:26 +0000 (22:55 +0100)]
leds: use new APUx ACPI Bios leds if exist.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Fri, 6 Dec 2019 06:08:33 +0000 (07:08 +0100)]
ovpn: Fix LZO checkbox restore
Triggered by --> https://community.ipfire.org/t/openvpn-is-lzo-compression-now-effectively-disabled/503 .
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Fri, 6 Dec 2019 02:18:09 +0000 (03:18 +0100)]
pcengines-firmware: fix rootfile
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Wed, 4 Dec 2019 16:32:00 +0000 (16:32 +0000)]
Core Update 139: ship updated OpenSSH
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Wed, 4 Dec 2019 16:30:00 +0000 (16:30 +0000)]
OpenSSH: update to 8.1p1
Please refer to https://www.openssh.com/txt/release-8.1 for release notes.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Thu, 5 Dec 2019 17:53:16 +0000 (18:53 +0100)]
pcengines-firmware: update to 4.10.0.3
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Thu, 5 Dec 2019 11:48:13 +0000 (12:48 +0100)]
intel-microcode: update to
20191115
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Thu, 5 Dec 2019 11:44:45 +0000 (12:44 +0100)]
linux-firmware: update to
20191022
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Mon, 2 Dec 2019 17:11:30 +0000 (17:11 +0000)]
core139: add cpio to updater
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Matthias Fischer [Sat, 30 Nov 2019 16:03:47 +0000 (17:03 +0100)]
cpio: Update to 2.13
For details see:
https://www.gnu.org/software/cpio/
Fix CVE-2015-1197
Fix CVE-2016-2037
Fix CVE-2019-14866
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Matthias Fischer [Sat, 30 Nov 2019 15:57:46 +0000 (16:57 +0100)]
nano: Update to 4.6
For details see:
https://www.nano-editor.org/news.php
... and a long list of other changes in https://www.nano-editor.org/dist/latest/ChangeLog ...
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Thu, 28 Nov 2019 21:43:00 +0000 (21:43 +0000)]
spectre-meltdown-checker: update to 0.42
See https://github.com/speed47/spectre-meltdown-checker/releases/tag/v0.42
for release announcements.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Thu, 28 Nov 2019 21:14:00 +0000 (21:14 +0000)]
Postfix: update to 3.4.8
See http://www.postfix.org/announcements/postfix-3.4.8.html for release
announcements.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Thu, 28 Nov 2019 17:19:00 +0000 (17:19 +0000)]
update ca-certificates CA bundle
Update the CA certificates list to what Mozilla NSS ships currently.
The original file can be retrieved from:
https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Mon, 2 Dec 2019 17:05:15 +0000 (17:05 +0000)]
core139: add hwdata to updater
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Thu, 28 Nov 2019 17:08:00 +0000 (17:08 +0000)]
hwdata: update PCI/USB databases
PCI IDs: 2019-11-26 03:15:03
USB IDs: 2019-11-05 20:34:06
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sun, 1 Dec 2019 17:33:19 +0000 (18:33 +0100)]
dhcpcd.exe: remove red.down run on "NOCARRIER"
after "NOCARRIER" the dhcp client always run "EXPIRE" event.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sun, 1 Dec 2019 15:36:43 +0000 (16:36 +0100)]
Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
Arne Fitzenreiter [Sun, 1 Dec 2019 14:29:59 +0000 (15:29 +0100)]
up/down beep: move from ppp ip-up/down to general red.up/down
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sun, 1 Dec 2019 13:03:46 +0000 (14:03 +0100)]
70-dhcpdd.exe: don't run red.down scripts at "PREINIT"
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sat, 30 Nov 2019 23:45:02 +0000 (00:45 +0100)]
core139: add dhcp and network changes to updater
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sat, 30 Nov 2019 21:26:00 +0000 (22:26 +0100)]
networking red: add delay to wait for carrier
some nic's need some time after link up to get a carrier
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sat, 30 Nov 2019 21:21:42 +0000 (22:21 +0100)]
dhcpcd: 10-mtu break if carrier was lost
some nic's like Intel e1000e needs a reinit to change the
mtu. In this case the dhcp hook reinit the nic and terminate now
to let the dhcpcd reinit the card in backgrounnd without running the
rest of the hooks.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 25 Nov 2019 11:09:58 +0000 (11:09 +0000)]
clamav: Allow downloads to take up to 10 minutes
freshclam did not have a receive timeout set and a default of
60s was used. That causes that the large main database cannot
be downloaded over a line with a 16 MBit/s downlink.
This patch increases that timeout and should allow a successful
download on slower connections, too.
Suggested-by: Tim Fitzgeorge <ipfb@tfitzgeorge.me.uk>
Fixes: #12246
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Matthias Fischer [Fri, 22 Nov 2019 18:26:59 +0000 (19:26 +0100)]
bind: Update to 9.11.13
For details see:
https://downloads.isc.org/isc/bind9/9.11.13/RELEASE-NOTES-bind-9.11.13.html
"Security Fixes
Set a limit on the number of concurrently served pipelined TCP queries.
This flaw is disclosed in CVE-2019-6477. [GL #1264]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Matthias Fischer [Thu, 21 Nov 2019 16:57:48 +0000 (17:57 +0100)]
clamav: Update to 0.102.1
For details see:
https://blog.clamav.net/2019/11/clamav-01021-and-01015-patches-have.html
"Fix for the following vulnerability affecting 0.102.0 and 0.101.4 and prior:
CVE-2019-15961:
A Denial-of-Service (DoS) vulnerability may occur when scanning
a specially crafted email file as a result of excessively long scan
times. The issue is resolved by implementing several maximums in parsing
MIME messages and by optimizing use of memory allocation.
Build system fixes to build clamav-milter, to correctly link with
libxml2 when detected, and to correctly detect fanotify for on-access
scanning feature support.
Signature load time is significantly reduced by changing to a more
efficient algorithm for loading signature patterns and allocating the AC
trie. Patch courtesy of Alberto Wu.
Introduced a new configure option to statically link libjson-c with
libclamav. Static linking with libjson is highly recommended to prevent
crashes in applications that use libclamav alongside another JSON
parsing library.
Null-dereference fix in email parser when using the --gen-json metadata
option.
Fixes for Authenticode parsing and certificate signature (.crb database)
bugs."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sat, 30 Nov 2019 09:56:29 +0000 (09:56 +0000)]
core139: add unbound to updater
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Matthias Fischer [Wed, 20 Nov 2019 16:24:01 +0000 (17:24 +0100)]
unbound: Update to 1.9.5
For details see:
https://nlnetlabs.nl/pipermail/unbound-users/2019-November/011897.html
"This release is a fix for vulnerability CVE-2019-18934, that can cause
shell execution in ipsecmod.
Bug Fixes:
- Fix for the reported vulnerability.
The CVE number for this vulnerability is CVE-2019-18934"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sat, 30 Nov 2019 09:54:14 +0000 (09:54 +0000)]
core139: add captive.cgi to updater
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Alexander Marx [Wed, 20 Nov 2019 10:45:18 +0000 (11:45 +0100)]
BUG12245: captive portal - clients are not automatically removed
With this patch the clients are updated and those who are expired get deleted from the hash.
In addition the table of active clients is now sorted.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Tue, 19 Nov 2019 15:28:22 +0000 (15:28 +0000)]
bird: Fix path of configuration file in backup
The backup did not pack the configuration file
due to an incorrect path.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sat, 30 Nov 2019 09:49:58 +0000 (09:49 +0000)]
core139: add pcregrep to updater
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Tue, 19 Nov 2019 07:09:42 +0000 (08:09 +0100)]
pcre: Add pcregrep to core system
Triggered by --> https://community.ipfire.org/t/pcregrep-on-ipfire/259 .
This patch adds pcregrep only from the actual package not from pcre-compat.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sat, 30 Nov 2019 09:48:00 +0000 (09:48 +0000)]
core139: add updated calamaris mkreport
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Matthias Fischer [Thu, 14 Nov 2019 18:03:46 +0000 (19:03 +0100)]
calamaris: Bug fix for proxy reports staying empty after Core 136 upgrade
After upgrading to Core 136, 'calamaris' "Proxy reports" stayed empty.
GUI always show "No reports available".
Tested manually on console stops and throws an error:
...
root@ipfire: ~ # /usr/bin/perl /var/ipfire/proxy/calamaris/bin/mkreport
1 0 2019 8 10 2019 -d 10 -P 30 -t 10 -D 2 -u -r -1 -R 100 -s
Can't use 'defined(%hash)' (Maybe you should just omit the defined()?)
at /var/ipfire/proxy/calamaris/bin/calamaris line 2609.
...
Line 2609 was changed and reports are built again.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Thu, 28 Nov 2019 17:41:18 +0000 (18:41 +0100)]
python: update to 2.7.17
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Fri, 15 Nov 2019 15:29:42 +0000 (16:29 +0100)]
kernel: fix x86_64 rootfile
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Fri, 15 Nov 2019 15:28:02 +0000 (16:28 +0100)]
set core to 139 and pakfire to 138
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Fri, 15 Nov 2019 06:10:37 +0000 (06:10 +0000)]
core138: insert emergency core update for new intel vulnarabilities.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Wed, 13 Nov 2019 19:18:00 +0000 (19:18 +0000)]
intel-microcode: update to
20191112
For release notes, refer to:
- https://blogs.intel.com/technology/2019/11/ipas-november-2019-intel-platform-update-ipu/
- https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-
20191112
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Thu, 14 Nov 2019 21:12:12 +0000 (22:12 +0100)]
kernel: update to 4.14.154
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Thu, 14 Nov 2019 21:10:04 +0000 (22:10 +0100)]
vulnearabilities.cgi: add tsx async abort and itlb_multihit
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Thu, 14 Nov 2019 21:13:23 +0000 (22:13 +0100)]
Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next
Arne Fitzenreiter [Thu, 14 Nov 2019 21:12:12 +0000 (22:12 +0100)]
kernel: update to 4.14.154
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Thu, 14 Nov 2019 21:10:04 +0000 (22:10 +0100)]
vulnearabilities.cgi: add tsx async abort and itlb_multihit
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Thu, 14 Nov 2019 17:28:38 +0000 (17:28 +0000)]
rename core138 -> core139 to insert a emergency core update
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Thu, 14 Nov 2019 01:55:46 +0000 (01:55 +0000)]
intel-microcode: fix rootfile
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Thu, 14 Nov 2019 17:28:38 +0000 (17:28 +0000)]
rename core138 -> core139 to insert a emergency core update
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Thu, 14 Nov 2019 02:42:54 +0000 (02:42 +0000)]
core138: fix rootfile
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Thu, 14 Nov 2019 01:55:46 +0000 (01:55 +0000)]
intel-microcode: fix rootfile
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Thu, 14 Nov 2019 01:55:09 +0000 (01:55 +0000)]
bash: fix rootfile
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Wed, 13 Nov 2019 20:08:41 +0000 (20:08 +0000)]
core138: fix intel-microcode rootfile link
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Wed, 13 Nov 2019 19:18:00 +0000 (19:18 +0000)]
intel-microcode: update to
20191112
For release notes, refer to:
- https://blogs.intel.com/technology/2019/11/ipas-november-2019-intel-platform-update-ipu/
- https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-
20191112
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Wed, 13 Nov 2019 19:56:11 +0000 (19:56 +0000)]
qemu: remove sdl from dependency list
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Wed, 13 Nov 2019 19:55:17 +0000 (19:55 +0000)]
qemu: switch to xz compressed source
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Wed, 13 Nov 2019 19:45:14 +0000 (19:45 +0000)]
core138: add bash, readline and readline-compat
Peter Müller [Tue, 12 Nov 2019 17:15:00 +0000 (17:15 +0000)]
bash: update to 5.0 (patchlevel 11)
The third version of this patch also includes patches 1-11
for version 5.0, drops orphaned 4.3 patches, and fixes rootfile
mistakes reported by Arne.
Please refer to https://tiswww.case.edu/php/chet/bash/bashtop.html
for release notes.
Cc: Michael Tremer <michael.tremer@ipfire.org>
Cc: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Tue, 12 Nov 2019 17:14:00 +0000 (17:14 +0000)]
readline: update to 8.0 (patchlevel 1)
The third version of this patch fixes missing rootfile changes, drops
orphaned readline 5.2 patches (as they became obsolete due to
readline-compat changes), includes readline 8.0 upstream patch, and
keeps the for-loop in LFS file (as commented by Michael).
Cc: Michael Tremer <michael.tremer@ipfire.org>
Cc: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
peter.mueller@ipfire.org [Tue, 12 Nov 2019 15:59:00 +0000 (15:59 +0000)]
readline-compat: update to 6.3
This is necessary as many add-ons still need readline-compat as they
cannot link against readline 8.0, yet.
Reported-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stephan Feddersen [Tue, 12 Nov 2019 20:34:00 +0000 (21:34 +0100)]
wio-1.3.2-7: fixed bug with arp client import
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Tue, 12 Nov 2019 08:09:01 +0000 (09:09 +0100)]
ddns: Import rename NoIP.com handle back to no-ip.com patch
This patch is required for compatiblity reasons for any existing
configurations.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Jonatan Schlag [Sun, 10 Nov 2019 13:03:02 +0000 (13:03 +0000)]
Update qemu to version 4.1.0
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Jonatan Schlag [Sun, 10 Nov 2019 13:03:01 +0000 (13:03 +0000)]
qemu: disable sdl and documentation
A newer version of qemu does not build anymore with our version of sdl. I
tried around a little bit and as I have not got a clue why we are using
sdl (spice and remote access still works) I think we should disable it.
I disabled the generation of the documentation as well but this switch
does not seem to have any effect.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Jonatan Schlag [Sun, 10 Nov 2019 13:03:00 +0000 (13:03 +0000)]
Libvirt: enable lvm
This was requested in the forum:
https://forum.ipfire.org/viewtopic.php?f=17&t=21872&p=120243&hilit=lvm#p120243
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Jonatan Schlag [Sun, 10 Nov 2019 13:02:59 +0000 (13:02 +0000)]
Libvirt: update to version 5.6.0
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Jonatan Schlag [Sun, 10 Nov 2019 13:02:58 +0000 (13:02 +0000)]
libvirt: use a custom config file
The patch which adjusts the options for IPFire in the libvirtd.conf does
not apply in a newer version of libvirt. Creating this patch is harder
than to use a separate config file.
This separate config file also enables us to adjust options much faster.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Jonatan Schlag [Sun, 10 Nov 2019 13:02:57 +0000 (13:02 +0000)]
Libvirt: disable Wireshark
When I try to build libvirt a second-time without ./make.sh clean
between the two builds, libvirt tries to link against Wireshark and
fails.
This configure option solves the problem.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Wed, 13 Nov 2019 19:37:47 +0000 (19:37 +0000)]
core138: add squid
Matthias Fischer [Fri, 8 Nov 2019 16:47:06 +0000 (17:47 +0100)]
squid: Update to 4.9
For details see:
http://www.squid-cache.org/Versions/v4/changesets/
Fixes CVE-2019-12526, CVE-2019-12523, CVE-2019-18676, CVE-2019-18677, CVE-2019-18678 and
CVE-2019-18679
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Tue, 5 Nov 2019 18:23:41 +0000 (19:23 +0100)]
ddns: Import upstream patch for NoIP.com
Reference: #11561.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Wed, 13 Nov 2019 19:33:53 +0000 (19:33 +0000)]
core138: add ddns
Arne Fitzenreiter [Wed, 13 Nov 2019 19:33:31 +0000 (19:33 +0000)]
core138: add logwatch
Stefan Schantl [Tue, 5 Nov 2019 09:37:44 +0000 (10:37 +0100)]
ddns: Update to 012
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Wed, 13 Nov 2019 19:20:17 +0000 (19:20 +0000)]
core138: add suricata changes
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Tue, 5 Nov 2019 09:32:02 +0000 (10:32 +0100)]
suricata: Use DNS_SERVERS declaration from external file.
These settings now will be read from
/var/ipfire/suricata/suricata-dns-servers.yaml, which will be
generated by the generate_dns_servers_file() function, located in
ids-functions.pl and called by various scripts.
Fixes #12166.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Tue, 5 Nov 2019 09:32:01 +0000 (10:32 +0100)]
red.up: Generate Suricata DNS servers file on reconnect.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Tue, 5 Nov 2019 09:32:00 +0000 (10:32 +0100)]
convert-snort: Generate DNS servers file.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Tue, 5 Nov 2019 09:31:59 +0000 (10:31 +0100)]
ids.cgi: Generate and store the DNS server configuration.
This will be done by the recently added generate_dns_servers_file()
function from ids-functions.pl.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Tue, 5 Nov 2019 09:31:58 +0000 (10:31 +0100)]
ids-functions.pl: Introduce generate_dns_servers_file()
This function is used to generate a yaml file which take care of the
current used DNS configuration and should be included in the main
suricata config file.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Matthias Fischer [Tue, 5 Nov 2019 08:07:46 +0000 (09:07 +0100)]
logwatch: Update to 7.5.2
For details see:
https://build.opensuse.org/package/view_file/server:monitoring/logwatch/ChangeLog?expand=1
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
peter.mueller@ipfire.org [Mon, 4 Nov 2019 18:53:00 +0000 (18:53 +0000)]
Apache: deny framing of WebUI from different origins
There is no legitimate reason to do this. Setting header X-Frame-Options
to "sameorigin" is necessary for displaying some collectd graphs on the
WebUI.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Wed, 13 Nov 2019 19:10:03 +0000 (19:10 +0000)]
core138: add ipfire-interface.conf
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
peter.mueller@ipfire.org [Mon, 4 Nov 2019 18:52:00 +0000 (18:52 +0000)]
Apache: prevent Referrer leaks via WebUI
By default, even modern browsers sent the URL of ther originating
site to another one when accessing hyperlinks. This is an information
leak and may expose internal details (such as FQDN or IP address)
of an IPFire installation to a third party.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Wed, 13 Nov 2019 19:08:02 +0000 (19:08 +0000)]
core138: add ipfire-interface-ssl.conf
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
peter.mueller@ipfire.org [Mon, 4 Nov 2019 18:35:00 +0000 (18:35 +0000)]
Apache: drop CBC ciphers for WebUI
CBC ciphers contain some known vulnerabilities and should not be used
anymore. While dropping them for OpenSSL clients or public web servers
still causes interoperability problems with legacy setups, they can
be safely removed from IPFire's administrative UI.
This patch changes the used cipersuite to:
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
Since TLS 1.3 ciphers will be added automatically by OpenSSL, mentioning
them in "SSLCipherSuite" is unnecessary. ECDSA is preferred over RSA for
performance reasons.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Wed, 13 Nov 2019 19:04:48 +0000 (19:04 +0000)]
core138: add openssl
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
peter.mueller@ipfire.org [Mon, 4 Nov 2019 18:24:00 +0000 (18:24 +0000)]
OpenSSL: drop preferring of Chacha20/Poly1305 over AES-GCM
As hardware acceleration for AES is emerging (Fireinfo indicates
30.98% of reporting installations support this, compared to
28.22% in summer), there is no more reason to manually prefer
Chacha20/Poly1305 over it.
Further, overall performance is expected to increase as server
CPUs usually come with AES-NI today, where Chacha/Poly would
be an unnecessary bottleneck. Small systems without AES-NI,
however, compute Chacha/Poly measurable, but not significantly faster,
so there only was a small advantage of this.
This patch changes the OpenSSL default ciphersuite to:
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(128) Mac=SHA256
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA256
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
CAMELLIA256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA256
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
CAMELLIA128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Wed, 13 Nov 2019 18:55:53 +0000 (18:55 +0000)]
core138: add ovpnmain.cgi
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Mon, 4 Nov 2019 14:52:26 +0000 (15:52 +0100)]
OpenVPN: Fix max-clients option
Fix: Triggered by https://forum.ipfire.org/viewtopic.php?f=16&t=23551
Since the 'DHCP_WINS' cgiparam has been set for the max-client directive, changes in the WUI has not been adapted to server.conf.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Wed, 13 Nov 2019 18:54:28 +0000 (18:54 +0000)]
core138: add unbound initscript
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 4 Nov 2019 12:02:46 +0000 (12:02 +0000)]
unbound: Fix whitespace error in initscript
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Wed, 13 Nov 2019 18:52:15 +0000 (18:52 +0000)]
core138: add openvpn
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Fri, 1 Nov 2019 13:33:06 +0000 (14:33 +0100)]
OpenVPN: Update to version 2.4.8
This is primarily a maintenance release with bugfixes and improvements. All changes can be overviewed in here -->
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24 .
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Wed, 13 Nov 2019 18:50:07 +0000 (18:50 +0000)]
core138: add init.d/functions
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Thu, 31 Oct 2019 18:09:05 +0000 (18:09 +0000)]
initscripts: Tell users to report bugs on Bugzilla
I have been receiving a couple of emails recently directed
at info@ipfire.org with bug reports when a system did not
boot up or shut down properly.
This is obviously not the right way to report bugs, but
we are telling our users to do so.
This patch changes this to report bugs to Bugzilla like
it should be.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Thu, 31 Oct 2019 07:58:30 +0000 (08:58 +0100)]
libarchiv: Update to version 3.4.0
Version 3.4.0 is a feature and security release. The changelog can be found in here --> https://github.com/libarchive/libarchive/releases .
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Wed, 13 Nov 2019 18:44:36 +0000 (18:44 +0000)]
core138: add lz4
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Thu, 31 Oct 2019 07:49:55 +0000 (08:49 +0100)]
lz4: Update to version 1.9.2
Several fixes and improvements has been integrated. The changes list through the different versions since
the current version 1.8.1.2 can be found in here --> https://github.com/lz4/lz4/releases
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>