make.sh: fix tmpfs build on 32bit machines

the inode count of tmpfs defaults on availbable low memory page count
which is too low on 32bit machines

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

glibc: enbable parallel build for locales

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

IO-Socket-SSL: Update to version 2.066

Fix for "Undefined subroutine &IO::Socket::SSL::set_client_defaults called at /usr/libexec/git-core/git-send-email" problem.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core136: apply local sshd config and restart sshd at update

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core136: fix typo at GeoIP update

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core136: ship perl-CGI and perl-Switch

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core136: ship updated perl scripts

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Merge branch 'next'

finish core136

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

update contributor list

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core136: ship updated zoneconf.cgi

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

zoneconf: reduce the width of inputs for vlanid

The inputs for the vlanids are overlapping the borders of their cells (using a recent Firefox on Linux Mint, Android or Windows 7). This patch fixes this by limiting the width to a fixed value.

Signed-off-by: Alex Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Alex Koch <ipfire@starkstromkonsument.de>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

openssl: update to 1.1.1d

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core136: update logwatch crontab entry

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

BUG 12036: logwatch now starts at 00:05am to avoid conflicts with logrotate

Problem:
Every once in a while 'logwatch' creates an empty log file with 0 Bytes.

Probably 'logwatch' conflicts with the logrotate job which is
launched at the same time.

To avoid this in the future, the start of logwatch was postponed for
four minutes.

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core136: ship logrotate

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

logrotate: Update to 3.5.1

For details see:
https://github.com/logrotate/logrotate/releases

"use correct create mode in examples/btmp (#257)"
=> https://github.com/logrotate/logrotate/pull/257

"fix several bugs found by fuzzing (#254)"
=> https://github.com/logrotate/logrotate/issues/254

"do not abort globbing on a broken symlink (#251)"
=> https://github.com/logrotate/logrotate/issues/251

"rearrange logrotate.8 man page to improve readability (#248)"
=> https://github.com/logrotate/logrotate/pull/248

"encourage admins to use the su directive in logrotate.8 man page (#236)"
=> https://github.com/logrotate/logrotate/pull/236

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Tor: fix permission of /var/ipfire/tor/settings

The settings file must be writeable for group "nobody" so
users can change their Tor settings via WebUI. Since other
files in /var/ipfire/tor/ does not need this workaround, only
the settings file permissions are changed.

Sorry for the late fix; this was reported by various people
in the forum, too (I was unaware of so many Tor users in our
community).

Fixes #12117

Reported-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core136: ship changed log.dat

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

WUI log-section Mail: add support for postfix addon

Expand the regex for the section dmi ("Mail") for /var/log/mail to include the log contents of postfix, in case the addon is installed.

Signed-off-by: Alex Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

WUI log-section Mail: bugfix for dma

The prefix for dmi in /var/log/mail seems to have changed from "dma[<PID>]: " to "dma: ". This results in a bug where no lines are being shown at all in the WUI.

Signed-off-by: Alex Koch <ipfire@starkstromkonsument.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core136: ship openssh

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

openssh: update to 8.0p1

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

BUG12156: fixed wrong permissions in install script

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

BUG12156: GUI cosmetic to show woi logs cleaner

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

BUG12156: increased paket number

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

BUG12156: added wio rrd files to backup

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

BUG12156: changed wio.cgi to fix broken Web GUI

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

haproxy: Update to 2.0.5

This release brings a couple of new features and this
patch enables using the PCRE Jit.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core136: ship usb_modswitch and data

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

usb-modeswitch-data: fix rootfile

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next

usb_modeswitch_data: update to 20170806

Signed-off-by: Ramax Lo <ramaxlo@gmail.com>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

usb_modeswitch: update to 1.5.2

Signed-off-by: Ramax Lo <ramaxlo@gmail.com>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core136: ship unbound

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

unbound: Update to 1.9.3

For details see:
https://nlnetlabs.nl/pipermail/unbound-users/2019-August/011765.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

zabbix_agentd: Update to 4.2.6

Release Notes: https://www.zabbix.com/rn/rn4.2.6

Signed-off-by: Alex Koch <ipfire@starkstromkonsument.de>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Revert "freeradius: Build without SSL"

This reverts commit 071d7754f7b955b28f7e3b5f3eb44fbaa93eb4e9.

Fixes: #12139

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

freeradius: Update to 3.0.19

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

haproxy: Update to 1.8.21

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

pcengines-apu-firmware: rootfile update

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

pcengines-apu.firmware: Update to 4.10.0.0

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

perl-Net-LibIDN: add module for Amavisd

fixes: #12138

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

dhcpcd: Update to 8.0.3

https://roy.marples.name/blog/dhcpcd-8-0-3-released

"DHCP: Work with IP headers with options
script: Assert that env string are correctly terminated
script: Terminate env strings with no value
script: Don't attempt to use an invalid env string
route: Fix NULL deference error when using static routes
ARP: Respect IFF_NOARP
DHCP: Add support for ARPHRD_NONE interfaces
DHCP: Allow full DHCP support for PtP interfaces, but not by default
DragonFlyBSD: 500704 announces IPv6 address flag changes
control: sends correct buffer to listeners"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

clamav: Update to 0.101.4

For details see:
https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html

"An out of bounds write was possible within ClamAV's NSIS bzip2
library when attempting decompression in cases where the number
of selectors exceeded the max limit set by the library (CVE-2019-12900).
The issue has been resolved by respecting that limit.

Thanks to Martin Simmons for reporting the issue here.

The zip bomb vulnerability mitigated in 0.101.3 has been assigned
the CVE identifier CVE-2019-12625. Unfortunately, a workaround for
the zip-bomb mitigation was immediately identified. To remediate
the zip-bomb scan time issue, a scan time limit has been introduced
in 0.101.4.
This limit now resolves ClamAV's vulnerability to CVE-2019-12625."

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

bind: Update to 9.11.10

For details see:
https://downloads.isc.org/isc/bind9/9.11.10/RELEASE-NOTES-bind-9.11.10.html

"Security Fixes

A race condition could trigger an assertion failure when a large
number of incoming packets were being rejected.
This flaw is disclosed in CVE-2019-6471. [GL #942]"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

freeradius: Add a logrotate configuration file

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

dnsdist: Increase number of open files to 64k

dnsdist might need to open large number of connections
and therefore the default limit of 1024 needs to be
raised.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

aarch64: rootfile updates

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core136: touch "need reboot" flag

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core136: run xt_geoip_update

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core136: restart apache2

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core136: remove old perl files

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core136: ship geoip-generator

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core136: ship hwdata

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core136: ship knot

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core136: ship bind

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core136: ship apache2

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core136: ship dhcpcd

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core136: ship patch

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core136: ship ca-certificates

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core136: ship gcc with go compiler

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core136: add perl and common modules to update

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

xt_geoip_update: fix date and add maxmind copyright to GeoIP.dat

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

perl-NetAddr-IP: move to core

I had added this for spamassassin but now the geoip-converter needs it too.
It was not pushed yet so there is no need to remove it from pakfire databases.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

geoip-generator: added to build legacy GeoIP.dat file

program and scripts based on debian geoip packages.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Merge remote-tracking branch 'arne_f/perl-5.30' into next

hwdata: update PCI/USB databases

PCI IDs: 2019-07-25 03:15:02
USB IDs: 2019-07-27 20:34:05

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

knot: Update to 2.8.3

For details see:
https://www.knot-dns.cz/2019-07-16-version-283.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

bind: Update to 9.11.9

For details see:
https://downloads.isc.org/isc/bind9/9.11.9/RELEASE-NOTES-bind-9.11.9.html

"Security Fixes

   A race condition could trigger an assertion failure when a large
   number of incoming packets were being rejected.
   This flaw is disclosed in CVE-2019-6471. [GL #942]"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

apache: Update to 2.4.41

For details see:
http://mirror.dkd.de/apache//httpd/CHANGES_2.4.41

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

dhcpcd: Update to 8.0.2

For details see:
https://roy.marples.name/

"NetBSD: Can be build without ARP support but listen to kernel DaD
ND6: Removed NA support from SMALL builds
ND6: Remove and warn about NA issues on OS's other than NetBSD and Linux
script: /tmp files are now cleaned up for systems without open_memstream(3)
configure: open_memstream(3) detected on recent glibc
DHCP: Avoid duplicate read of UDP socket when BPF is also open
IP: Avoid adding address if already exists on OS other than Linux
IP6: Avoid adding address is already exists on Solaris
route: Fixed a NULL de-reference error on statically configured routes
DHCP6: Move to REQUEST when any IA has error no-binding in RENEW/REBIND
DragonFlyBSD: Now compiles and works for
IP: Accept packets with IP header options"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Postfix: update to 3.4.6

See http://www.postfix.org/announcements/postfix-3.4.6.html
for release notes.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

patch: update to 2.7.6

Note: This does not fix CVE-2019-13636 and CVE-2019-13638
as fixes did not make it into upstream vanilla patch, yet.

See also: https://www.debian.org/security/2019/dsa-4489

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

update ca-certificates CA bundle

Update the CA certificates list to what Mozilla NSS ships currently.

The original file can be retrieved from:
https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core136: Ship updated firewall script

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

firewall: raise log rate limit to 10 packets per second

Previous setting was to log 10 packets per minute for each
event logging is turned on. This made debugging much harder,
as the limit was rather strict and chances of dropping a
packet without logging it were good.

This patch changes the log rate limit to 10 packets per
second per event, to avoid DoS attacks against the log file.
I plan to drop log rate limit entirely in future changes,
if a better solution for this attack vector is available.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

gcc: Build the Go compiler

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

freeradius: Update rootfile

This removes all SSL modules.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

tshark: Fix parallel build

The variable name was incorrect and therefore a parallel
build was never attempted.

This this package already takes a lot of time to build, even
more is being saved now.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

dhcp.cgi: fix typo

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

rootfiles: replace x86_64 with MACHINE

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Unix-syslog: fix rootfile

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

rootfiles: perl 5.30 needs the autosplit.ix files

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

perl: remove unused patches

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

perl: fix installation at toolchain build

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

perl: changes on make.sh

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

rootfile update and bump of all addons with perl modules

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

rootfile update for all common perl modules.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

spamassassin: update to 3.4.2

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

gnump3d: update for new perl path

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

mpfire: update to new perl path

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

MIME-Tools: update to 5.509

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

perl-Authen-SASL: fix build and bump for new perl

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

perl-NetAddr-IP: add addon module

perl-NetAddr-IP is needed for Spamassassin

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

perl-Switch: add module

perl-Switch was removed from perl core distribution

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

perl-CGI: add perl-CGI module.

perl-CGI was remoced from perl core distribution

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

perl: update to 5.30

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

perl-scripts: suppress smartmatch experimental warning

smartmatch was introduced with perl 5.10 and was marked
as experimental in 5.14

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

texinfo: update to 6.6

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>