Erik Kapfer [Sat, 15 Aug 2020 15:08:45 +0000 (17:08 +0200)]
OpenVPN: Add tls-version-min for TLSv1.2
ovpnmain.cgi now delivers 'tls-version-min 1.2' for Roadwarrior and N2N.
Since the server needs it only on the server side, this patch does not include it for Roadwarrior clients.
N2N does not use push options, therefore this directive will be included on both sides.
To integrate the new directive into an actual working OpenVPN server environment, the following commands
should be executed via update.sh.
Code block start:

    if test -f "/var/ipfire/ovpn/server.conf"; then
        # Add tls-version-min to the OpenVPN server config if it is not already there
        if ! grep -q '^tls-version-min' /var/ipfire/ovpn/server.conf > /dev/null 2>&1; then
            # Stop the server before appending the line
            /usr/local/bin/openvpnctrl -k
            # Append the new directive (the output redirection belongs after the string)
            echo "tls-version-min 1.2" >> /var/ipfire/ovpn/server.conf
            # Make sure server.conf has the correct permissions to prevent a case such as
            # --> https://community.ipfire.org/t/unable-to-start-the-openvpn-server/2465/54?u=ummeegge
            chown nobody:nobody /var/ipfire/ovpn/server.conf
            # Start the server again
            /usr/local/bin/openvpnctrl -s
        fi
    fi

Code block end
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Tue, 11 Aug 2020 08:15:58 +0000 (08:15 +0000)]
curl: Update to version 7.71.1
Several bugs and vulnerabilities have been fixed since the currently available version 7.64.0.
For a full overview, the changelog is located here: https://curl.haxx.se/changes.html,
and a security problem overview here: https://curl.haxx.se/docs/security.html.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Sat, 8 Aug 2020 19:20:42 +0000 (21:20 +0200)]
hyperscan: Update to 5.3.0
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Michael Tremer <Michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Mon, 10 Aug 2020 17:12:19 +0000 (19:12 +0200)]
OpenVPN: max-clients value has been enhanced
The --max-client value has been enhanced from 255 clients to 1024 clients.
The error message now gives an explanation if the maximum has been reached.
This patch has been triggered by https://community.ipfire.org/t/openvpn-max-vpn-clients-quantity-and-connections/2925.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sat, 1 Aug 2020 12:13:47 +0000 (12:13 +0000)]
OpenSSL: remove ciphers without Forward Secrecy from default ciphersuite
Ciphers not supplying (Perfect) Forward Secrecy are considered dangerous
since they allow content decryption in retrospect, if an attacker is
able to gain access to the server's private key used for the
corresponding TLS session.
Since IPFire machines establish very few TLS connections by themselves, and
destinations (IPFire.org infrastructure, mirrors, IPS rule sources, etc.)
provide support for Forward Secrecy ciphers - some are even enforcing
them -, it is safe to drop support for anything else.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 7 Aug 2020 11:50:00 +0000 (11:50 +0000)]
make.sh: Remove -mindirect-branch=thunk and -mfunction-return=thunk as default
I cannot find any evidence that this is helpful and no other
distribution has this as default. Packages that are vulnerable to these
attacks (i.e. the kernel) add these flags as appropriate automatically.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 12 Aug 2020 09:18:44 +0000 (09:18 +0000)]
bacula: Fix build with GCC 10
GCC 10 aborts compilation when numbers are (potentially) out of range
when cast from one type to another:
    fstype.c: In function 'bool fstype(FF_PKT*, char*, int)':
    fstype.c:207:12: error: narrowing conversion of '4283649346' from 'unsigned int' to 'int' [-Wnarrowing]
      207 |       case 0xFF534D42: fstype = "cifs"; break; /* CIFS_MAGIC_NUMBER */
          |            ^~~~~~~~~~
    fstype.c:216:12: error: narrowing conversion of '4187351113' from 'unsigned int' to 'int' [-Wnarrowing]
      216 |       case 0xf995e849: fstype = "hpfs"; break; /* HPFS_SUPER_MAGIC */
          |            ^~~~~~~~~~
    fstype.c:217:12: error: narrowing conversion of '2508478710' from 'unsigned int' to 'int' [-Wnarrowing]
      217 |       case 0x958458f6: fstype = "hugetlbfs"; break; /* HUGETLBFS_MAGIC */
          |            ^~~~~~~~~~
    fstype.c:234:12: error: narrowing conversion of '2768370933' from 'unsigned int' to 'int' [-Wnarrowing]
      234 |       case 0xa501FCF5: fstype = "vxfs"; break;
          |            ^~~~~~~~~~
    fstype.c:237:12: error: narrowing conversion of '2435016766' from 'unsigned int' to 'int' [-Wnarrowing]
      237 |       case 0x9123683e: fstype = "btrfs"; break;
          |            ^~~~~~~~~~
Does nobody build this for 32 bit any more?
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
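As an added illustration (not bacula's or IPFire's code) of the narrowing error quoted above and one way to avoid it: the five magic values in the error output are larger than INT_MAX, so a switch whose controlling expression is a signed int forces a narrowing conversion of each case label, which GCC 10 rejects on 32-bit targets; switching on an unsigned 32-bit value does not. The function names fstype_from_magic and fstype_from_statfs are made up for this example.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>

// Constructed example (not bacula's fstype.c): the same filesystem magic
// numbers that appear in the GCC 10 error messages above. All of them exceed
// INT_MAX, so they only fit in a 32-bit type if that type is unsigned.
static const uint32_t CIFS_MAGIC_NUMBER  = 0xFF534D42;
static const uint32_t HPFS_SUPER_MAGIC   = 0xf995e849;
static const uint32_t HUGETLBFS_MAGIC    = 0x958458f6;
static const uint32_t VXFS_SUPER_MAGIC   = 0xa501FCF5;
static const uint32_t BTRFS_SUPER_MAGIC  = 0x9123683e;

// Switching on an unsigned 32-bit value means every case label is converted
// without narrowing, so this compiles cleanly under GCC 10 on i586 as well as
// on 64-bit targets. Had the parameter been `int`, each label would trigger
// "narrowing conversion of '...' from 'unsigned int' to 'int' [-Wnarrowing]".
const char *fstype_from_magic(uint32_t magic)
{
    switch (magic) {
    case CIFS_MAGIC_NUMBER:  return "cifs";
    case HPFS_SUPER_MAGIC:   return "hpfs";
    case HUGETLBFS_MAGIC:    return "hugetlbfs";
    case VXFS_SUPER_MAGIC:   return "vxfs";
    case BTRFS_SUPER_MAGIC:  return "btrfs";
    default:                 return "unknown";
    }
}

// statfs() exposes f_type through a signed word (32-bit on i586, 64-bit on
// x86_64), so on a 32-bit build a magic such as 0xFF534D42 arrives as a
// negative number. Reinterpreting as unsigned and masking to 32 bits yields
// the same lookup key on both ABIs without any compile-time narrowing.
const char *fstype_from_statfs(long f_type)
{
    unsigned long bits = static_cast<unsigned long>(f_type) & 0xffffffffUL;
    return fstype_from_magic(static_cast<uint32_t>(bits));
}

int main()
{
    // -11317950 is what 0xFF534D42 looks like in a 32-bit signed f_type.
    std::printf("%s\n", fstype_from_statfs(-11317950L));
    std::printf("%s\n", fstype_from_magic(BTRFS_SUPER_MAGIC));
    return 0;
}
```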
Michael Tremer [Tue, 11 Aug 2020 15:56:43 +0000 (15:56 +0000)]
spandsp: Update to 0.0.6
This package - for some reason - does not build on i586 with
the latest version of glibc. The reason is that MMX instructions
are being used which are not allowed on i586.
However, since the assembler has not been changed, this should
have been caught before. Weird.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sat, 2 May 2020 09:52:25 +0000 (11:52 +0200)]
de.pl: fix misleading translation
The 'geoip' key is being used in the firewall.cgi for configuring GeoIP
as a source or destination. "konfigurieren" is misleading in this
context.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sat, 25 Jul 2020 19:08:37 +0000 (19:08 +0000)]
network-functions.pl: add missing unit tests for changed, network membership procedure
Cc: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Cc: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sat, 25 Jul 2020 19:08:07 +0000 (19:08 +0000)]
network-functions.pl: fix network membership test
This is based on an orphaned patch provided by Tim FitzGeorge and
_finally_ fixes incorrect network membership calculations. Those were
a usability pain in the ass deluxe, as they rendered some combinations
of configuring OpenVPN and IPsec services unusable.
Fixes: #11235
Fixes: #12263
Cc: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Cc: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 28 Jul 2020 18:17:43 +0000 (18:17 +0000)]
bacula: Correction to 9.6.5
- Corrected Download URL to remove filename from the end of it. This is defined separately.
- Corrected to include install command for backup file which was missed in previous patch.
- Added backup file to rootfiles list.
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>