Erik Kapfer [Thu, 3 Jan 2019 02:57:16 +0000 (03:57 +0100)]
database_attribute: Deliver/create index.txt.attr
Fixes #11904
Since OpenSSL-1.1.0x the database attribute file for IPSec and OpenVPN wasn´t created while initial PKI generation.
OpenVPN delivered an error message but IPSec did crashed within the first attempt.
This problem persists also after X509 deletion and new generation.
index.txt.attr will now be delivered by the system but also deleted and recreated while setting up a new x509.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Thu, 27 Dec 2018 17:16:35 +0000 (18:16 +0100)]
wget: Update to 1.20.1
This is a bugfix release:
"due to some privacy issues in default settings of Wget, we introduce
this bugfix release.
The --xattr option (saving original URL and Referer into extended file
attributes) was introduced and enabled by default since Wget 1.19.
It possibly saved - possibly unrecognized by the user - credentials,
access tokes etc that were included in the requested URL.
We changed three details as a countermeasure, see below in the NEWS section.
With Best Regards, Tim
...
NEWS
* Changes in Wget 1.20.1
** --xattr is no longer default since it introduces privacy issues.
** --xattr saves the Referer as scheme/host/port,
user/pw/path/query/fragment
are no longer saved to prevent privacy issues.
** --xattr saves the Original URL without user/password to prevent
privacy issues."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 19 Dec 2018 15:42:23 +0000 (15:42 +0000)]
pcre: Enable JIT
This is now possible because we no longer run grsecurity-enabled
kernels. The performance of PCRE increases dramatically and applications
like the IDS benefit hugely:
Matthias Fischer [Thu, 13 Dec 2018 17:40:24 +0000 (18:40 +0100)]
squid: Update to 4.4 (stable)
For details see:
http://www.squid-cache.org/Versions/v4/changesets/
In July 2018, 'squid 4' was "released for production use", see:
https://wiki.squid-cache.org/Squid-4
"The features have been set and large code changes are reserved for later versions."
I've tested almost all 4.x-versions and patch series before with good results.
Right now, 4.4 is running here with no seen problems together with
'squidclamav', 'squidguard' and 'privoxy'.
I too would declare this version stable.
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 16 Dec 2018 16:50:13 +0000 (16:50 +0000)]
make.sh: Build in ramdisk
This is an experimental change that I want to trial to speed up
the nightly builds. The build environment will be mounted in a
ramdisk and the build will be performed in there.
This will hopefully reduce IO on the (slow) replicated disks.
If there is no significant performance gain from this, this
commit will be reverted.
To enable this, USE_RAMDISK must be set to 1 in .config.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Thu, 13 Dec 2018 11:52:50 +0000 (12:52 +0100)]
grub: xfs: Accept filesystem with sparse inodes
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Tested-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 12 Dec 2018 11:34:12 +0000 (11:34 +0000)]
AWS: Prefer red* or eth* when importing configuration
This change is necessary to make sure that the script prefers
are link with internet access. That would usually be red (after
the second boot) or eth* (on the first boot).
That allows (and ensures) that we can install packages in
the user-data script.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 11 Dec 2018 20:43:24 +0000 (20:43 +0000)]
installer: Intialize part_boot_efi_idx
This variable was not initialized on systems where EFI was not
in use. Therefore the generated parted command line was not
valid and caused the installation to abort.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 21 Nov 2018 11:21:42 +0000 (11:21 +0000)]
openssl: Update to 1.1.0j
*) Timing vulnerability in DSA signature generation
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
timing side channel attack. An attacker could use variations in the signing
algorithm to recover the private key.
This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
(CVE-2018-0734)
[Paul Dale]
*) Timing vulnerability in ECDSA signature generation
The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
timing side channel attack. An attacker could use variations in the signing
algorithm to recover the private key.
This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
(CVE-2018-0735)
[Paul Dale]
*) Add coordinate blinding for EC_POINT and implement projective
coordinate blinding for generic prime curves as a countermeasure to
chosen point SCA attacks.
[Sohaib ul Hassan, Nicola Tuveri, Billy Bob Brumley]
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 20 Nov 2018 16:28:52 +0000 (16:28 +0000)]
openssl-compat: Update to 1.0.2q
*) Microarchitecture timing vulnerability in ECC scalar multiplication
OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been
shown to be vulnerable to a microarchitecture timing side channel attack.
An attacker with sufficient access to mount local timing attacks during
ECDSA signature generation could recover the private key.
This issue was reported to OpenSSL on 26th October 2018 by Alejandro
Cabrera Aldaya, Billy Brumley, Sohaib ul Hassan, Cesar Pereida Garcia and
Nicola Tuveri.
(CVE-2018-5407)
[Billy Brumley]
*) Timing vulnerability in DSA signature generation
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
timing side channel attack. An attacker could use variations in the signing
algorithm to recover the private key.
This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
(CVE-2018-0734)
[Paul Dale]
*) Resolve a compatibility issue in EC_GROUP handling with the FIPS Object
Module, accidentally introduced while backporting security fixes from the
development branch and hindering the use of ECC in FIPS mode.
[Nicola Tuveri]
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 11 Nov 2018 17:26:35 +0000 (17:26 +0000)]
shairport-sync: New package
Shairport Sync is an AirPlay audio player - it plays audio streamed
from iTunes, iOS, Apple TV and macOS devices and AirPlay sources
such as Quicktime Player and ForkedDaapd, among others.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 11 Nov 2018 16:21:01 +0000 (16:21 +0000)]
soxr: New package (0.1.3)
The SoX Resampler library `libsoxr' performs one-dimensional sample-rate
conversion -- it may be used, for example, to resample PCM-encoded audio.
For higher-dimensional resampling, such as for visual-image processing, you
should look elsewhere.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>