people/pmueller/ipfire-2.x.git
2 months ago stripper: Handle capabilities master
Michael Tremer [Fri, 9 Jul 2021 16:17:43 +0000 (16:17 +0000)] 
stripper: Handle capabilities

During the build process, we set capabilities to elevate privileges of
certain programs (e.g. ping). These have been removed during the build
process because of strip.

This patch collects any capabilities from all files that are being
stripped and restores them after calling strip.

Fixes: #12652
Reported-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago core158: Run sshctrl
Michael Tremer [Fri, 9 Jul 2021 15:24:33 +0000 (15:24 +0000)] 
core158: Run sshctrl

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago Pakfire: call "sync" in function.sh after having extracted archives
Peter Müller [Wed, 7 Jul 2021 17:27:14 +0000 (19:27 +0200)] 
Pakfire: call "sync" in function.sh after having extracted archives

After upgrading to Core Update 157, a small number of users reported their
systems to be unworkable after a reboot. Most of them (the systems, not
the users) were apparently missing the new Linux kernel in their Grub
configuration, causing a non-functional bootloader written to disk.

While we seem to be able to rule out issues related to poor storage
(SSDs, flash cards, etc.) or very high I/O load, it occurred to me we
are not calling "sync" after having extracted a Core Update's .tar.gz
file.

This patch therefore proposes to do so. It is a somewhat homeopathic
approach, though, but might ensure all parts of the system to have
properly processed the contents of an extracted archive. While we cannot
even reasonably guess it will solve the problem(s) mentioned initially,
doing so cannot hurt either.

See also:
https://community.ipfire.org/t/after-update-ipfire-to-157-no-boot/5641/45

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago core158: Ship pakfire functions.sh
Michael Tremer [Fri, 9 Jul 2021 13:25:41 +0000 (13:25 +0000)] 
core158: Ship pakfire functions.sh

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago pakfire: Do not delay directory restore
Michael Tremer [Fri, 9 Jul 2021 13:25:00 +0000 (13:25 +0000)] 
pakfire: Do not delay directory restore

https://www.gnu.org/software/tar/manual/tar.html#Directory-Modification-Times-and-Permissions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago pakfire: Put tar options into an array
Michael Tremer [Fri, 9 Jul 2021 13:23:56 +0000 (13:23 +0000)] 
pakfire: Put tar options into an array

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago pakfire.cgi: Sleep after running a pakfire command
Michael Tremer [Fri, 9 Jul 2021 13:19:08 +0000 (13:19 +0000)] 
pakfire.cgi: Sleep after running a pakfire command

This is required to have better chances in the race of showing the log
output afterwards.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago pakfire.cgi: Remove confusing dots in install message
Michael Tremer [Fri, 9 Jul 2021 13:05:13 +0000 (13:05 +0000)] 
pakfire.cgi: Remove confusing dots in install message

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago pakfire.cgi: Pass packages to install/uninstall as array
Michael Tremer [Fri, 9 Jul 2021 13:04:14 +0000 (13:04 +0000)] 
pakfire.cgi: Pass packages to install/uninstall as array

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago fireinfo.cgi: Fix kernel version
Michael Tremer [Fri, 9 Jul 2021 12:56:17 +0000 (12:56 +0000)] 
fireinfo.cgi: Fix kernel version

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago ddns.cgi: Fix sanity check logic.
Stefan Schantl [Tue, 6 Jul 2021 16:08:29 +0000 (18:08 +0200)] 
ddns.cgi: Fix sanity check logic.

The input validation did not work in the proper way. It always
reported "No password" when using a provider which supports token and
the token has been given.

This of course is wrong and led to unusable providers.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago core158: Ship ppp
Michael Tremer [Fri, 2 Jul 2021 14:39:33 +0000 (14:39 +0000)] 
core158: Ship ppp

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago Revert "ppp: update to 2.4.9"
Michael Tremer [Fri, 2 Jul 2021 14:38:28 +0000 (14:38 +0000)] 
Revert "ppp: update to 2.4.9"

This reverts commit 0cd9215b565e7c3ef34699b695aaab7eba1dc510.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago aws-cli: Depend on python3-six
Michael Tremer [Thu, 1 Jul 2021 17:16:36 +0000 (17:16 +0000)] 
aws-cli: Depend on python3-six

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago Revert "python-six: Removal of python2 & 3 addon versions of six"
Michael Tremer [Thu, 1 Jul 2021 17:16:09 +0000 (17:16 +0000)] 
Revert "python-six: Removal of python2 & 3 addon versions of six"

This reverts commit 3a61ae73fa179adb24f9feeb8ee486c1900609bf.

This module is required by awscli.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago core158: Fully terminate apache before restarting it
Michael Tremer [Thu, 1 Jul 2021 10:10:17 +0000 (10:10 +0000)] 
core158: Fully terminate apache before restarting it

Asking apache to restart itself fails when the binary is changed and
some symbols cannot be resolved. We therefore terminate all processes
and start them again.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago core158: Fix name of vnstat initscript
Michael Tremer [Thu, 1 Jul 2021 10:09:40 +0000 (10:09 +0000)] 
core158: Fix name of vnstat initscript

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago core158: Actually drop motion instead of monit
Michael Tremer [Mon, 28 Jun 2021 19:29:27 +0000 (19:29 +0000)] 
core158: Actually drop motion instead of monit

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago core158: Uninstall all dropped add-ons
Michael Tremer [Mon, 28 Jun 2021 17:32:52 +0000 (17:32 +0000)] 
core158: Uninstall all dropped add-ons

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2 months ago Update French translation
Stéphane Pautrel [Mon, 28 Jun 2021 16:12:21 +0000 (16:12 +0000)] 
Update French translation

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago Revert "OpenSSH: restrict file permissions for sshd_config to 0600"
Michael Tremer [Thu, 24 Jun 2021 17:45:17 +0000 (17:45 +0000)] 
Revert "OpenSSH: restrict file permissions for sshd_config to 0600"

This reverts commit a9fb87809eccdc7ea7736659ceec929a028761d4.

This prevents the SSH configuration being parsed by the web user
interface.

Reported-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago Revert "ncat: Update to 7.91"
Michael Tremer [Thu, 24 Jun 2021 09:17:57 +0000 (09:17 +0000)] 
Revert "ncat: Update to 7.91"

This reverts commit ee3b6ba0c7d3cc88667922f96db2ac0bd5630625.

ncat segfaults straight away (#12647)

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago ovpnmain.cgi: Fix typos.
Stefan Schantl [Tue, 22 Jun 2021 12:56:52 +0000 (14:56 +0200)] 
ovpnmain.cgi: Fix typos.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago ovpnmain.cgi: Call correct system_output() function.
Stefan Schantl [Tue, 22 Jun 2021 12:52:36 +0000 (14:52 +0200)] 
ovpnmain.cgi: Call correct system_output() function.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago Merge branch 'core157'
Michael Tremer [Mon, 21 Jun 2021 19:41:25 +0000 (19:41 +0000)] 
Merge branch 'core157'

3 months ago core157: Ship lua
Michael Tremer [Mon, 21 Jun 2021 19:39:30 +0000 (19:39 +0000)] 
core157: Ship lua

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago ovpnmain.cgi: Fix detection of used DH key length.
Stefan Schantl [Mon, 21 Jun 2021 15:45:05 +0000 (17:45 +0200)]
ovpnmain.cgi: Fix detection of used DH key length.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago vpnmain.cgi: Fix typo.
Stefan Schantl [Mon, 21 Jun 2021 12:44:58 +0000 (14:44 +0200)] 
vpnmain.cgi: Fix typo.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago pppsetup.cgi: Fix typos.
Stefan Schantl [Mon, 21 Jun 2021 12:44:57 +0000 (14:44 +0200)] 
pppsetup.cgi: Fix typos.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago Merge remote-tracking branch 'origin/next'
Michael Tremer [Mon, 21 Jun 2021 10:04:11 +0000 (10:04 +0000)] 
Merge remote-tracking branch 'origin/next'

3 months ago nano: Update to 5.8
Matthias Fischer [Sun, 20 Jun 2021 12:18:13 +0000 (14:18 +0200)] 
nano: Update to 5.8

For details see:
https://www.nano-editor.org/news.php

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago knot: Update to 3.0.7
Matthias Fischer [Sun, 20 Jun 2021 12:15:20 +0000 (14:15 +0200)] 
knot: Update to 3.0.7

For details see:
https://www.knot-dns.cz/2021-06-16-version-307.html

Features:

        knotd: new configuration policy option for CDS digest algorithm setting #738
        keymgr: new command for primary SOA serial manipulation in on-secondary signing mode

Improvements:

        knotd: improved algorithm rollover to shorten the last step of old RRSIG publication

Bugfixes:

        knotd: zone is flushed upon server start, despite DNSSEC signing is up-to-date
        knotd: wildcard nonexistence is proved on empty-non-terminal query
        knotd: redundant wildcard proof for non-authoritative data in a reply
        knotd: missing wildcard proofs in a wildcard-cname loop reply
        knotd: incorrectly synthesized CNAME owner from a wildcard record #715
        knotd: zone-in-journal changeset ignores journal-max-usage limit #736
        knotd: incorrect processing of zone-in-journal changeset with SOA serial 0
        knotd: broken initialization of processing workers if SO_REUSEPORT(_LB) not available
        kjournalprint: reported journal usage is incorrect #736
        keymgr: cannot parse algorithm name ed448 #739
        keymgr: default key size not set properly
        kdig: failed to process huge DoH responses
        libknot/probe: some corner-case bugs

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago Tor: update to 0.4.6.5
Peter Müller [Sun, 20 Jun 2021 10:49:17 +0000 (12:49 +0200)] 
Tor: update to 0.4.6.5

Please refer to the .tar.gz's ReleaseNote file for the full changelog
since version 0.4.5.8; it is too large to include it here.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago speed.cgi: Add requirement for general-functions.pl.
Stefan Schantl [Sat, 19 Jun 2021 14:03:14 +0000 (16:03 +0200)] 
speed.cgi: Add requirement for general-functions.pl.

The CGI now requires the general-functions library, because the
get_red_interface() function is used.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago memory.cgi: Fix missing quotes.
Stefan Schantl [Sat, 19 Jun 2021 13:52:34 +0000 (15:52 +0200)]
memory.cgi: Fix missing quotes.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago Drop obsolete files from bluetooth package
Michael Tremer [Fri, 18 Jun 2021 16:17:27 +0000 (16:17 +0000)] 
Drop obsolete files from bluetooth package

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago general-functions.pl: Explicitly call new system function
Michael Tremer [Fri, 18 Jun 2021 15:12:53 +0000 (15:12 +0000)]
general-functions.pl: Explicitly call new system function

Perl seems to just "guess" that someone no longer wants to use the
builtin "system" command when there is a function with the same name.

I have no idea what kind of liquid they are drinking, but because of the
side effects of that stuff, we explicitly call our system() function.

Not that that would be necessary, but why not waste a couple more CPU
cycles?

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago Bump release of all packages with CGI files
Michael Tremer [Fri, 18 Jun 2021 15:08:57 +0000 (15:08 +0000)] 
Bump release of all packages with CGI files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago proxy.cgi: Suppress Squid version by default
Peter Müller [Fri, 18 Jun 2021 07:07:21 +0000 (09:07 +0200)] 
proxy.cgi: Suppress Squid version by default

While hiding version information does not come with any _actual_
security improvements, it is generally a good thing to do so by default:
Attackers will still be able to reasonably guess or enumerate the
software version running, but need to conduct additional effort to do
so, hence more likely raising alerts and drawing attention to their
operation.

In addition, we suppress version details somewhere else in IPFire 2.x by
default, too (e. g. Unbound and Apache), so we can justify this patch by
aiming to stay consistent, I guess. :-)

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago core158: Ship web-user-interface
Michael Tremer [Thu, 17 Jun 2021 20:12:32 +0000 (20:12 +0000)] 
core158: Ship web-user-interface

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago Merge branch 'perl-system' into next
Michael Tremer [Thu, 17 Jun 2021 20:11:47 +0000 (20:11 +0000)] 
Merge branch 'perl-system' into next

3 months ago hardwaregraphs.cgi: Perform all sensor lookups in pure perl.
Stefan Schantl [Thu, 17 Jun 2021 19:52:00 +0000 (21:52 +0200)] 
hardwaregraphs.cgi: Perform all sensor lookups in pure perl.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
3 months ago services.cgi: Redesign isautorun() because shell globbing cannot be used anymore.
Stefan Schantl [Thu, 17 Jun 2021 16:54:17 +0000 (18:54 +0200)]
services.cgi: Redesign isautorun() because shell globbing cannot be used anymore.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
3 months ago remote.cgi: Fix splitting output from ssh-keygen.
Stefan Schantl [Tue, 15 Jun 2021 17:19:24 +0000 (19:19 +0200)] 
remote.cgi: Fix splitting output from ssh-keygen.

The split function requires a string as input.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
3 months ago dhcp.cgi: Fix typo and displaying advanced options syntax.
Stefan Schantl [Mon, 14 Jun 2021 19:38:42 +0000 (21:38 +0200)] 
dhcp.cgi: Fix typo and displaying advanced options syntax.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
3 months ago fireinfo.cgi: Fix read-in profile data.
Stefan Schantl [Tue, 8 Jun 2021 16:03:30 +0000 (18:03 +0200)] 
fireinfo.cgi: Fix read-in profile data.

To read-in the whole file content the data type needs to be an array.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
3 months ago time.cgi: Get and manipulate date and time in pure perl
Stefan Schantl [Thu, 20 May 2021 19:13:50 +0000 (21:13 +0200)]
time.cgi: Get and manipulate date and time in pure perl

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
3 months ago netexternal.cgi: Grab DNS servers in pure perl
Stefan Schantl [Thu, 20 May 2021 18:31:33 +0000 (20:31 +0200)] 
netexternal.cgi: Grab DNS servers in pure perl

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
3 months ago ids-functions.pl: Use new system methods
Stefan Schantl [Thu, 20 May 2021 17:53:00 +0000 (19:53 +0200)] 
ids-functions.pl: Use new system methods

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
3 months ago network-functions.pl: Use new system methods
Stefan Schantl [Thu, 20 May 2021 17:50:01 +0000 (19:50 +0200)] 
network-functions.pl: Use new system methods

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
3 months ago mdstat.cgi: Print mdstat status in pure perl
Stefan Schantl [Thu, 20 May 2021 17:46:59 +0000 (19:46 +0200)] 
mdstat.cgi: Print mdstat status in pure perl

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
3 months ago fireinfo.cgi: Use new system methods
Stefan Schantl [Thu, 20 May 2021 17:43:10 +0000 (19:43 +0200)] 
fireinfo.cgi: Use new system methods

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
3 months ago vpnmain.cgi: Use new system methods
Stefan Schantl [Thu, 20 May 2021 16:36:44 +0000 (18:36 +0200)] 
vpnmain.cgi: Use new system methods

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
3 months ago pppsetup.cgi: Use new system methods
Stefan Schantl [Thu, 20 May 2021 15:58:24 +0000 (17:58 +0200)] 
pppsetup.cgi: Use new system methods

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
3 months ago wireless.cgi: Use new system methods
Stefan Schantl [Thu, 20 May 2021 15:45:30 +0000 (17:45 +0200)] 
wireless.cgi: Use new system methods

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
3 months ago core158: Ship xfsprogs
Michael Tremer [Thu, 17 Jun 2021 20:06:52 +0000 (20:06 +0000)] 
core158: Ship xfsprogs

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago xfsprogs: Update to 5.12.0
Adolf Belka [Thu, 17 Jun 2021 09:47:16 +0000 (11:47 +0200)] 
xfsprogs: Update to 5.12.0

- Update from 5.11.0 to 5.12.0
- Update of rootfile not required
- Changelog
    xfsprogs-5.12.0 (21 May 2021)
- No further changes
    xfsprogs-5.12.0-rc1 (07 May 2021)
- mkfs: don't default to too-large physical sector size (Jeff Moyer)
- repair: phase 6 speedups (Dave Chinner, Gao Xiang)
- man: Add dax mount option to man xfs(5) (Carlos Maiolino)
- xfs_admin: pick up log arguments correctly (Darrick Wong)
- xfs_growfs: support shrinking unused space (Gao Xiang)
- libfrog: report inobtcount in geometry (Darrick Wong)
- xfs_logprint: Fix buffer overflow printing quotaoff (Carlos Maiolino)
- xfsprogs: include <signal.h> for platform_crash (Leah Neukirchen)
- xfsprogs: remove BMV_IF_NO_DMAPI_READ flag (Anthony Iliopoulos)
- workqueue: bound maximum queue depth (Dave Chinner)
    xfsprogs-5.12.0-rc0 (12 Apr 2021)
- libxfs changes merged from kernel 5.12

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago cups-filters: Update to 1.28.9
Adolf Belka [Thu, 17 Jun 2021 09:47:00 +0000 (11:47 +0200)] 
cups-filters: Update to 1.28.9

- Update from 1.28.8 to 1.28.9
- Update of rootfile not required
- Changelog
     CHANGES IN V1.28.9
- libcupsfilters: Silenced compiler warnings
- libcupsfilters: Removed duplicate code in the
  apply_filters() function.
- driverless: If there are no driverless IPP printers
  available let "driverless" terminate with exit code 0 and
  not 1, to follow CUPS' standard of backends in discovery
  mode terminating with 0 if there are no appropriate printers
  found (Issue #375).
- gstoraster, foomatic-rip: Fixed Ghostscript command line for
  counting pages as it took too long on PDFs from evince when
  printing DjVu files (Issue #354, Pull request #371, Ubuntu
  bug #1920730).
- cups-browsed: Renamed ldap_connect() due to conflict in
  new openldap (Issue #367, Pull request #370).
- pdftoraster: Free color data after processing of each page
  (Pull request #363).
- cups-browsed: Always save "...-default" option entries
  from printers.conf, regardless of presence or absence
  of PPD file (Pull request #359).
- cups-browsed: Start after network-online.target (Pull
  request #360).
- texttopdf: Set default margins when no PPD file is used
  (Pull request #356).

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago proxy.cgi: drop options for faking Referer and User-Agent HTTP headers
Peter Müller [Tue, 15 Jun 2021 20:29:34 +0000 (22:29 +0200)] 
proxy.cgi: drop options for faking Referer and User-Agent HTTP headers

While maintaining privacy when accessing web sites probably has never
been more important than it is today, faking Referer and User-Agent
headers is both obsolete and counterproductive:

(a) Most web sites require HTTPS, thwarting manipulation attempts to
    HTTP headers in transit. Given today's internet landscape, faking
    these headers is unlikely to work for the vast majority of web
    sites.

(b) It is trivial to detect faked HTTP User-Agent headers by obtaining
    corresponding browser information via JavaScript. Any difference
    most likely indicates (trivial) header manipulation attempts, hence
    rendering this feature useless if browsers do not behave in the same
    manner, which we cannot control on IPFire.

(c) Especially static Referer headers make users stick out like a sore
    thumb, as nobody else in the world is likely to have the same
    Referer set _all the time_.

    Modern browsers attempt to strip sensitive information from Referer
    headers, or ditch them completely, particularly to 3rd party sites.

Given the state of the web ecosystem as we know it today, enforcing
privacy in a centralised manner does not even come close to being
sufficient. Without gaining control over users' browsers, their
settings, and their infrastructure (such as setting up terminal
environments for accessing the web, preventing hardware
fingerprinting), a centralised attempt will at best fail, if not making
things worse, as highlighted in (c).

Therefore, removing these features from the Squid GUI is the least bad
option we have. We should not give our users a false sense of privacy.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago core158: Ship smartmontools
Michael Tremer [Thu, 17 Jun 2021 20:04:31 +0000 (20:04 +0000)] 
core158: Ship smartmontools

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago smartmontools: update to 7.2
Peter Müller [Tue, 15 Jun 2021 17:42:11 +0000 (19:42 +0200)] 
smartmontools: update to 7.2

Release announcement of this version as per
https://www.smartmontools.org/browser/tags/RELEASE_7_2/smartmontools/NEWS:

Date 2020-12-30
Summary: smartmontools release 7.2
-----------------------------------------------------------
- smartctl: New option '--json=y[c]' selects YAML output.
- smartctl '-i': Prints ATA TRIM and Zoned Device capabilities.
- smartctl '-j': Fixed 'scsi_grown_defect_list' value.
- smartctl '-a': Prints SCSI 'Accumulated power on time'.
- smartctl '-n POWERMODE': SCSI support.
- smartctl '-s standby,now' and '-s standby,off': SCSI support.
- smartctl '-c': NVMe 1.4 additions.
- smartd: Support for staggered self-tests.
- smartd: No longer writes attribute log if no attributes were read
  due to standby mode or other error.
- smartd: Now resolves symlinks before device names are checked for
  duplicates.
- smartd: Fixed SMARTD_DEVICETYPE environment variable if DEVICESCAN is
  used without '-d TYPE'.
- ATA: Device type '-d jmb39x-q,N' for JMB39x protocol variant used by
  some QNAP NAS devices.
- ATA: Device type '-d jms56x,N' for JMS562 USB to SATA RAID bridges.
- SCSI: Improved heuristics for log subpages of new and very old disks.
- NVMe: Log transfer size limited to avoid device or kernel crashes.
- NVMe/USB: Device type '-d sntrealtek' for Realtek RTL9210 USB to
  NVMe bridges.
- update-smart-drivedb: New option '--branch X.Y'.
- HDD, SSD and USB additions to drive database.
- Dropped support for pre-C99 snprintf().
- configure: Dropped option '--without-working-snprintf'.
- configure: Fixed '-fstack-protector*' detection.
- Linux: Various fixes of smartd.service file.
- Darwin: NVMe log support.
- FreeBSD: Device scan does no longer include T_ENCLOSURE devices.
- NetBSD: Fixed timeout handling.
- NetBSD big endian: Fixed ATA register handling.
- OpenBSD: Fixed timeout handling.
- Windows: Dropped backward compatibility fixes for very old compilers.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago core158: Ship hwdata
Michael Tremer [Thu, 17 Jun 2021 20:03:58 +0000 (20:03 +0000)] 
core158: Ship hwdata

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago hwdata: update PCI/USB databases
Peter Müller [Tue, 15 Jun 2021 17:39:01 +0000 (19:39 +0200)] 
hwdata: update PCI/USB databases

PCI IDs: 2021-05-16 03:15:02
USB IDs: 2021-06-06 20:34:10

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago Postfix: update to 3.6.1
Peter Müller [Tue, 15 Jun 2021 17:37:03 +0000 (19:37 +0200)] 
Postfix: update to 3.6.1

This version's release announcement can be retrieved here:
http://www.postfix.org/announcements/postfix-3.6.1.html

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago glib: Update to 2.68.3
Adolf Belka [Tue, 15 Jun 2021 17:15:44 +0000 (19:15 +0200)] 
glib: Update to 2.68.3

- Update from 2.68.2 to 2.68.3
- Update rootfile
- Changelog
   Overview of changes in GLib 2.68.3
    * Bugs fixed:
      - #2311 testfilemonitor test leaks ip_watched_file_t struct
      - #2417 GFile: `g_file_replace_contents()` reports `G_IO_ERROR_WRONG_ETAG` when saving from a symlink
      - !2133 Backport !2128 “inotify: Fix a memory leak” to glib-2-68
      - !2137 Backport !2136 “tlscertificate: Avoid possible invalid read” to glib-2-68
      - !2141 Backport !2138 “glocalfileoutputstream: Fix ETag check when replacing through a symlink” to glib-2-68

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago core158: Ship fuse
Michael Tremer [Thu, 17 Jun 2021 20:02:35 +0000 (20:02 +0000)] 
core158: Ship fuse

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago fuse: Update to 3.10.4
Adolf Belka [Tue, 15 Jun 2021 17:15:26 +0000 (19:15 +0200)] 
fuse: Update to 3.10.4

- Update from 3.10.3 to 3.10.4
- Update of rootfile
- Changelog
   * Building of unit tests is now optional.
   * Fixed a test failure when running tests under XFS.
   * Fixed memory leaks in examples.
   * Minor documentation fixes.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago cmake: Update to 3.20.4
Adolf Belka [Tue, 15 Jun 2021 17:15:11 +0000 (19:15 +0200)] 
cmake: Update to 3.20.4

- Update from 3.20.3 to 3.20.4
- Update of rootfile not required.
- Changelog
   Changes in 3.20.4 since 3.20.3:
    Ben Boeckel (1):
      ci: use consistent sccache builds
    Brad King (8):
      VS: Add special case for '-T version=14.29.16.10' under VS 16.10
      VS: Add flag table entries for '/external:W*' flags in VS 16.10
      gitlab-ci: Update Windows builds to MSVC 19.29-16.10 toolset
      Makefiles: Fix CMAKE_EXPORT_COMPILE_COMMANDS crash with custom compile rule
      presets: Fix buildPreset "jobs" field test case
      IRSL: Add Intel oneAPI redist location on Windows
      fileapi: Fix codemodel-v2 link command fragment relative paths
    John Drouhard (1):
      FindBoost: Add check for json component header in Boost 1.75+
    Marc Chevrier (1):
      Help: cmake_path: fix erroneous example for IS_PREFIX
    Raul Tambre (2):
      MSVC: C++20 final flag, C++23 support
      Clang/MSVC: C++20 final flag, C++23 support
    Sam Freed (2):
      presets: Fix buildPreset "jobs"
      presets: Fix buildPreset "targets" not allowing a single string

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago ipsec: Prefer curve448 over curve25519
Michael Tremer [Mon, 14 Jun 2021 13:28:28 +0000 (14:28 +0100)] 
ipsec: Prefer curve448 over curve25519

Curve448 provides better cryptographic security. For more details see:

  https://bugzilla.ipfire.org/show_bug.cgi?id=12634

Fixes: #12634
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago Merge remote-tracking branch 'pmueller/temp-cleanup-orphaned-items' into next
Michael Tremer [Mon, 14 Jun 2021 09:07:17 +0000 (09:07 +0000)] 
Merge remote-tracking branch 'pmueller/temp-cleanup-orphaned-items' into next

3 months ago Removed several lfs options leading to: configure: WARNING: unrecognized options
Matthias Fischer [Sat, 12 Jun 2021 20:45:57 +0000 (22:45 +0200)] 
Removed several lfs options leading to: configure: WARNING: unrecognized options

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago core158: Ship sudo
Michael Tremer [Mon, 14 Jun 2021 09:05:34 +0000 (09:05 +0000)] 
core158: Ship sudo

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago sudo: Update to 1.9.7p1
Adolf Belka [Sat, 12 Jun 2021 13:23:25 +0000 (15:23 +0200)] 
sudo: Update to 1.9.7p1

- Update from 1.9.7 to 1.9.7p1
- Update of rootfile not required.
- Changelog
   Major changes between sudo 1.9.7p1 and 1.9.7
    * Fixed an SELinux sudoedit bug when the edited temporary file
      could not be opened.  The sesh helper would still be run even
      when there are no temporary files available to install.
    * Fixed a compilation problem on FreeBSD.
    * The sudo_noexec.so file is now built as a module on all systems
      other than macOS.  This makes it possible to use other libtool
      implementations such as slibtool.  On macOS shared libraries and
      modules are not interchangeable and the version of libtool shipped
      with sudo must be used.
    * Fixed a few bugs in the getgrouplist() emulation on Solaris when
      reading from the local group file.
    * Fixed a bug in sudo_logsrvd that prevented periodic relay server
      connection retries from occurring in "store_first" mode.
    * Disabled the nss_search()-based getgrouplist() emulation on HP-UX
      due to a crash when the group source is set to "compat" in
      /etc/nsswitch.conf.  This is probably due to a mismatch between
      include/compat/nss_dbdefs.h and what HP-UX uses internally.  On
      HP-UX we now just cycle through groups the slow way using
      getgrent().  Bug #978.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago tmux: Update to 3.2a
Matthias Fischer [Fri, 11 Jun 2021 22:11:41 +0000 (00:11 +0200)] 
tmux: Update to 3.2a

For details see:
https://raw[dot]githubusercontent[dot]com/tmux/tmux/3.2a/CHANGES

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago core158: Ship libpcap
Michael Tremer [Sat, 12 Jun 2021 09:34:36 +0000 (09:34 +0000)] 
core158: Ship libpcap

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago libpcap: Update to 1.10.1
Matthias Fischer [Fri, 11 Jun 2021 20:16:18 +0000 (22:16 +0200)] 
libpcap: Update to 1.10.1

For details see:
http://www.tcpdump.org/libpcap-changes.txt

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago tcpdump: Update to 4.99.1
Matthias Fischer [Fri, 11 Jun 2021 20:10:20 +0000 (22:10 +0200)] 
tcpdump: Update to 4.99.1

For details see:
http://www.tcpdump.org/tcpdump-changes.txt

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago ipsec-policy: Do not create DROP rules for on-demand mode
Michael Tremer [Fri, 11 Jun 2021 16:15:37 +0000 (16:15 +0000)] 
ipsec-policy: Do not create DROP rules for on-demand mode

This is not necessary and gets in the way if users have SNAT rules or
other things that make the check be in the wrong place.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago Postfix: update to 3.6.0
Peter Müller [Fri, 11 Jun 2021 11:33:15 +0000 (13:33 +0200)] 
Postfix: update to 3.6.0

Please refer to http://www.postfix.org/announcements/postfix-3.6.0.html
for this version's release announcements.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago update ca-certificates CA bundle
Peter Müller [Fri, 11 Jun 2021 08:37:57 +0000 (10:37 +0200)] 
update ca-certificates CA bundle

Update the CA certificates list to what Mozilla NSS ships currently.

The original file can be retrieved from:
https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago core157: Fix shipping boost
Michael Tremer [Thu, 10 Jun 2021 18:01:00 +0000 (18:01 +0000)] 
core157: Fix shipping boost

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago wlanap.cgi: Use new perl system functions
Michael Tremer [Thu, 10 Jun 2021 14:28:53 +0000 (15:28 +0100)] 
wlanap.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago wirelessclient.cgi: Use new perl system functions
Michael Tremer [Thu, 10 Jun 2021 14:26:19 +0000 (15:26 +0100)] 
wirelessclient.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago wireless.cgi: Use new perl system functions
Michael Tremer [Thu, 10 Jun 2021 14:25:44 +0000 (15:25 +0100)] 
wireless.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago webaccess.cgi: Use new perl system functions
Michael Tremer [Thu, 10 Jun 2021 14:25:02 +0000 (15:25 +0100)] 
webaccess.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago wakeonlan.cgi: Use new perl system functions
Michael Tremer [Thu, 10 Jun 2021 14:24:29 +0000 (15:24 +0100)] 
wakeonlan.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago vpnmain.cgi: Use new perl system functions
Michael Tremer [Thu, 10 Jun 2021 14:23:52 +0000 (15:23 +0100)] 
vpnmain.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago urlfilter.cgi: Use new perl system functions
Michael Tremer [Thu, 10 Jun 2021 14:23:06 +0000 (15:23 +0100)] 
urlfilter.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago updatexlrator.cgi: Use new perl system functions
Michael Tremer [Thu, 10 Jun 2021 14:08:23 +0000 (15:08 +0100)] 
updatexlrator.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago traffic.cgi: Use new perl system functions
Michael Tremer [Thu, 10 Jun 2021 14:05:05 +0000 (15:05 +0100)] 
traffic.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago tor.cgi: Use new perl system functions
Michael Tremer [Thu, 10 Jun 2021 14:01:36 +0000 (15:01 +0100)] 
tor.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago time.cgi: Use new perl system functions
Michael Tremer [Thu, 10 Jun 2021 14:00:54 +0000 (15:00 +0100)] 
time.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago shutdown.cgi: Use new perl system functions
Michael Tremer [Thu, 10 Jun 2021 13:56:40 +0000 (14:56 +0100)] 
shutdown.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago services.cgi: Use new perl system functions
Michael Tremer [Thu, 10 Jun 2021 13:55:52 +0000 (14:55 +0100)] 
services.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago samba.cgi: Use new perl system functions
Michael Tremer [Thu, 10 Jun 2021 13:54:52 +0000 (14:54 +0100)] 
samba.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago routing.cgi: Use new perl system functions
Michael Tremer [Thu, 10 Jun 2021 13:46:29 +0000 (14:46 +0100)] 
routing.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago remote.cgi: Use new perl system functions
Michael Tremer [Thu, 10 Jun 2021 13:46:04 +0000 (14:46 +0100)] 
remote.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago qos.cgi: Use new perl system functions
Michael Tremer [Thu, 10 Jun 2021 13:45:27 +0000 (14:45 +0100)] 
qos.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago proxy.cgi: Use new perl system functions
Michael Tremer [Thu, 10 Jun 2021 13:41:24 +0000 (14:41 +0100)] 
proxy.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
3 months ago pppsetup.cgi: Use new perl system functions
Michael Tremer [Thu, 10 Jun 2021 13:35:56 +0000 (14:35 +0100)] 
pppsetup.cgi: Use new perl system functions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>