people/pmueller/ipfire-2.x.git
15 months ago  vnstat: Update to 1.18
Matthias Fischer [Tue, 20 Mar 2018 19:46:52 +0000 (20:46 +0100)]
vnstat: Update to 1.18

For details see: https://humdi.net/vnstat/CHANGES

Changed "SaveInterval 5" to "SaveInterval 1" in '/etc/vnstat.conf', triggered by
https://forum.ipfire.org/viewtopic.php?f=22&t=20448 to avoid data loss with 1Gbit
connections and high traffic.

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
15 months ago  Forgot to "git add" the new pakfire init script
Michael Tremer [Tue, 20 Mar 2018 11:08:58 +0000 (11:08 +0000)]
Forgot to "git add" the new pakfire init script

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
15 months ago  Revert "installer: Import the Pakfire key at install time"
Michael Tremer [Mon, 19 Mar 2018 19:45:24 +0000 (19:45 +0000)]
Revert "installer: Import the Pakfire key at install time"

This reverts commit 7d995c9f56055f39e559bd6e355a9a1689585c6d.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
15 months ago  pakfire: Import key when system boots up
Michael Tremer [Mon, 19 Mar 2018 19:44:50 +0000 (19:44 +0000)]
pakfire: Import key when system boots up

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
15 months ago  ffmpeg: Ship libraries correctly
Michael Tremer [Mon, 19 Mar 2018 18:07:49 +0000 (18:07 +0000)]
ffmpeg: Ship libraries correctly

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
15 months ago  hdparm: Update to 9.55
Matthias Fischer [Sun, 18 Mar 2018 16:32:43 +0000 (17:32 +0100)]
hdparm: Update to 9.55

Changelogs against 9.53:

"hdparm-9.55:
- added #include <sys/sysmacros.h> for major()/minor() macros

hdparm-9.54:
- Partial revert of Jmicron changes, from Jan Friesse."

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
15 months ago  dmidecode 3.1: Added patch (Fix firmware version of TPM device)
Matthias Fischer [Sun, 18 Mar 2018 16:40:47 +0000 (17:40 +0100)]
dmidecode 3.1: Added patch (Fix firmware version of TPM device)

For details see:
http://git.savannah.gnu.org/cgit/dmidecode.git/commit/?id=174387405e98cd94c627832ae23abcb9be7e5623

"Both the operator (detected by clang, reported by Xorg) and the mask
for the minor firmware version field of TPM devices were wrong."

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
15 months ago  Fix python-m2crypto rootfile
Michael Tremer [Mon, 19 Mar 2018 11:52:26 +0000 (11:52 +0000)]
Fix python-m2crypto rootfile

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
15 months ago  core120: Ship updated logrotate and restart unbound
Michael Tremer [Sun, 18 Mar 2018 13:51:38 +0000 (13:51 +0000)]
core120: Ship updated logrotate and restart unbound

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
15 months ago  unbound: Update to 1.7.0
Matthias Fischer [Sun, 18 Mar 2018 09:05:33 +0000 (10:05 +0100)]
unbound: Update to 1.7.0

For details see:
http://www.unbound.net/download.html

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
15 months ago  logrotate: Update to 3.14.0
Matthias Fischer [Sun, 18 Mar 2018 09:21:17 +0000 (10:21 +0100)]
logrotate: Update to 3.14.0

For details see:
https://github.com/logrotate/logrotate/releases

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
15 months ago  htop: Update to 2.1.0
Matthias Fischer [Sun, 18 Mar 2018 09:14:07 +0000 (10:14 +0100)]
htop: Update to 2.1.0

For details see:
https://hisham.hm/htop/index.php?page=downloads

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
15 months ago  bind: Update to 9.11.3
Matthias Fischer [Sun, 18 Mar 2018 09:00:34 +0000 (10:00 +0100)]
bind: Update to 9.11.3

For details see:
http://ftp.isc.org/isc/bind9/9.11.3/RELEASE-NOTES-bind-9.11.3.html

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
15 months ago  nano: Update to 2.9.4
Matthias Fischer [Sun, 18 Mar 2018 08:53:40 +0000 (09:53 +0100)]
nano: Update to 2.9.4

For details see:
https://www.nano-editor.org/news.php

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
15 months ago  rsync: Update to 3.1.3
Matthias Fischer [Sun, 18 Mar 2018 08:48:04 +0000 (09:48 +0100)]
rsync: Update to 3.1.3

For details see:
https://download.samba.org/pub/rsync/src/rsync-3.1.3-NEWS

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
15 months ago  PAM: Delete old lib and symlinks
Erik Kapfer [Sun, 18 Mar 2018 12:55:31 +0000 (13:55 +0100)]
PAM: Delete old lib and symlinks

Core 119 update delivers an updated PAM whereby the libdir has been changed from /lib to /usr/lib
but the old libraries and symlinks are still present. Since the system searches /lib before
/usr/lib, the old libs and symlinks are used, which ends up in a `LIBPAM_EXTENSION_1.1' not found.

Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
15 months ago  OpenVPN: Update to version 2.4.5
Erik Kapfer [Mon, 12 Mar 2018 12:47:34 +0000 (13:47 +0100)]
OpenVPN: Update to version 2.4.5

This is primarily a maintenance release, with further improved OpenSSL 1.1 integration, several minor bug fixes and other minor improvements.
Further information can be found here: https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst#version-245 and
here: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24

Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
15 months ago  pakfire: Drop old key import mechanism
Michael Tremer [Fri, 16 Mar 2018 14:36:05 +0000 (14:36 +0000)]
pakfire: Drop old key import mechanism

This was error-prone and potentially allowed another key to be
injected.

Fixes: #11539
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
15 months ago  installer: Import the Pakfire key at install time
Michael Tremer [Fri, 16 Mar 2018 14:33:42 +0000 (14:33 +0000)]
installer: Import the Pakfire key at install time

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
15 months ago  core120: Import new pakfire PGP key
Michael Tremer [Fri, 16 Mar 2018 14:28:17 +0000 (14:28 +0000)]
core120: Import new pakfire PGP key

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
15 months ago  Import new Pakfire Signing Key
Michael Tremer [Fri, 16 Mar 2018 14:23:56 +0000 (14:23 +0000)]
Import new Pakfire Signing Key

We will swap the key that we use to sign Pakfire packages
since the current one is considered outdated cryptography.

Fixes: #11539

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  WIO: increment PAK_VER
Stephan Feddersen [Tue, 6 Mar 2018 19:53:20 +0000 (20:53 +0100)]
WIO: increment PAK_VER

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  WIO: Fix a problem with the Network-Table-Button
Stephan Feddersen via Development [Tue, 27 Feb 2018 16:20:07 +0000 (17:20 +0100)]
WIO: Fix a problem with the Network-Table-Button

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  WIO: Fix some typos
Stephan Feddersen via Development [Tue, 27 Feb 2018 16:18:39 +0000 (17:18 +0100)]
WIO: Fix some typos

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  WIO: Update to Version 1.3.2 several changes in many files
Stephan Feddersen via Development [Tue, 20 Feb 2018 20:41:13 +0000 (21:41 +0100)]
WIO: Update to Version 1.3.2 several changes in many files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  ntp: Update to 4.2.8p11
Matthias Fischer [Wed, 7 Mar 2018 18:19:04 +0000 (19:19 +0100)]
ntp: Update to 4.2.8p11

For details see:
http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities

"This release addresses five security issues in ntpd:

LOW/MEDIUM: Sec 3012 / CVE-2016-1549 / VU#961909: Sybil vulnerability: ephemeral
association attack
While fixed in ntp-4.2.8p7, there are significant additional protections for
this issue in 4.2.8p11.
Reported by Matt Van Gundy of Cisco.
INFO/MEDIUM: Sec 3412 / CVE-2018-7182 / VU#961909: ctl_getitem(): buffer read overrun
leads to undefined behavior and information leak
Reported by Yihan Lian of Qihoo 360.
LOW: Sec 3415 / CVE-2018-7170 / VU#961909: Multiple authenticated ephemeral associations
Reported on the questions@ list.
LOW: Sec 3453 / CVE-2018-7184 / VU#961909: Interleaved symmetric mode cannot recover
from bad state
Reported by Miroslav Lichvar of Red Hat.
LOW/MEDIUM: Sec 3454 / CVE-2018-7185 / VU#961909: Unauthenticated packet can reset
authenticated interleaved association
Reported by Miroslav Lichvar of Red Hat.

one security issue in ntpq:

MEDIUM: Sec 3414 / CVE-2018-7183 / VU#961909: ntpq:decodearr() can write beyond its
buffer limit
Reported by Michael Macnair of Thales-esecurity.com.

and provides over 33 bugfixes and 32 other improvements."

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  clamav 0.99.4: removed gcc patch
Matthias Fischer [Wed, 7 Mar 2018 18:26:53 +0000 (19:26 +0100)]
clamav 0.99.4: removed gcc patch

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  core120: Ship updated qos.cgi
Michael Tremer [Tue, 6 Mar 2018 15:13:56 +0000 (15:13 +0000)]
core120: Ship updated qos.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  As described in bug 11257 there is a mistake in the qos templates. The sum of the...
Daniel Weismüller [Tue, 6 Mar 2018 14:56:48 +0000 (15:56 +0100)]
As described in bug 11257 there is a mistake in the qos templates. The sum of the guaranteed bandwidth of the classes 101 - 120 is bigger than the available bandwidth. I adjusted the guaranteed bandwidth of the classes 101 - 104 so that each of them has a

Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  core120: Ship updated proxy.cgi
Michael Tremer [Tue, 6 Mar 2018 15:12:42 +0000 (15:12 +0000)]
core120: Ship updated proxy.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  squid: Add RAM-only Proxy functionality
Daniel Weismüller via Development [Fri, 16 Feb 2018 12:04:50 +0000 (13:04 +0100)]
squid: Add RAM-only Proxy functionality

As suggested by Oliver "giller" Fieker <oli@new-lan.de>
in bug 10592, I added the functionality to use squid as a RAM-only cache.

Further, it defines the maximum_object_size_in_memory
as 2% of the "Memory cache size" defined in the webif.
The maximum_object_size_in_memory should have a useful
size in relation to the defined memory cache, and I don't want to
create another variable which must be filled in by the user.

Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Suggested-by: Oliver "giller" Fieker <oli@new-lan.de>
Suggested-by: Kim Wölfel <xaver4all@gmx.de>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Cc: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  core120: Ship updated unbound init script
Michael Tremer [Mon, 5 Mar 2018 15:21:56 +0000 (15:21 +0000)]
core120: Ship updated unbound init script

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  test if nameservers with DNSSEC support return "ad"-flagged data
Peter Müller [Sun, 4 Mar 2018 17:26:52 +0000 (18:26 +0100)]
test if nameservers with DNSSEC support return "ad"-flagged data

DNSSEC-validating nameservers return an "ad" (Authenticated Data)
flag in the DNS response header. This can be used as a negative
indicator for DNSSEC validation: in case a nameserver does not
return the flag, but fails to look up a domain with an invalid
signature, it does not support DNSSEC validation.

This makes it easier to detect nameservers which do not fully
comply with the RFCs or try to tamper with DNS queries.

See bug #11595 (https://bugzilla.ipfire.org/show_bug.cgi?id=11595) for further details.

The second version of this patch avoids unnecessary usage of
grep. Thanks to Michael Tremer for the hint.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
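The header check the commit describes, written out as an added example (it is not IPFire's own test script, which drives dig from the shell): the code decodes the 16-bit flags word of a raw DNS response, extracts the AD bit, and applies the commit's rule to a pair of responses from the same resolver. All responses are constructed here, header only, and the third verdict (AD set although a broken-signature name was answered) is this example's own assumption, not something the commit states.

```python
import struct

# DNS header (RFC 1035 section 4.1.1): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT, 16 bits each.
FLAG_QR = 0x8000     # message is a response
FLAG_RD = 0x0100     # recursion desired
FLAG_RA = 0x0080     # recursion available
FLAG_AD = 0x0020     # Authenticated Data (RFC 4035): set by a validating resolver
RCODE_MASK = 0x000F
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header; only the fields the check needs are returned."""
    if len(msg) < 12:
        raise ValueError("DNS message is shorter than the 12-byte header")
    msg_id, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:12])
    return {
        "id": msg_id,
        "is_response": bool(flags & FLAG_QR),
        "ad": bool(flags & FLAG_AD),
        "rcode": flags & RCODE_MASK,
        "ancount": ancount,
    }


def classify_resolver(good_resp: bytes, broken_resp: bytes) -> str:
    """Apply the commit's rule to two responses from the same resolver.

    good_resp   -- answer for a name whose DNSSEC signature is valid
    broken_resp -- answer for a name whose DNSSEC signature is invalid
    A validating resolver sets AD on the first and refuses (SERVFAIL) the second.
    A missing AD flag is the negative indicator, whatever the second answer says.
    """
    good = parse_header(good_resp)
    broken = parse_header(broken_resp)
    if not (good["is_response"] and broken["is_response"]):
        raise ValueError("expected DNS responses, got queries")
    if not good["ad"]:
        return "not validating (no AD flag)"
    if broken["rcode"] == RCODE_SERVFAIL and broken["ancount"] == 0:
        return "validating"
    # Assumption of this example: AD set but bogus data served means the flag cannot be trusted.
    return "not validating (broken signature answered)"


def make_response(msg_id: int, ad: bool, rcode: int, ancount: int) -> bytes:
    """Build a constructed header-only response (question/answer sections omitted)."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | (rcode & RCODE_MASK)
    return struct.pack("!6H", msg_id, flags, 1, ancount, 0, 0)


# Constructed sample responses (not captured traffic)
GOOD_WITH_AD = make_response(0x1234, ad=True, rcode=RCODE_NOERROR, ancount=1)
GOOD_NO_AD = make_response(0x1235, ad=False, rcode=RCODE_NOERROR, ancount=1)
BROKEN_SERVFAIL = make_response(0x1236, ad=False, rcode=RCODE_SERVFAIL, ancount=0)
BROKEN_ANSWERED = make_response(0x1237, ad=False, rcode=RCODE_NOERROR, ancount=1)

if __name__ == "__main__":
    cases = {
        "validating resolver": (GOOD_WITH_AD, BROKEN_SERVFAIL),
        "forwarder that never sets AD": (GOOD_NO_AD, BROKEN_SERVFAIL),
        "AD set but bogus data served": (GOOD_WITH_AD, BROKEN_ANSWERED),
    }
    for label, pair in cases.items():
        print(f"{label}: {classify_resolver(*pair)}")
```

With a real resolver the two byte strings would be the raw UDP payloads of the responses for a correctly signed and a deliberately broken test name; the AD bit must be read from the header, since a forwarder can pass through an answer it never validated.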
16 months ago  Tor: update to 0.3.2.10
Peter Müller [Sun, 4 Mar 2018 17:03:04 +0000 (18:03 +0100)]
Tor: update to 0.3.2.10

Update Tor to 0.3.2.10, which fixes some security and DoS
issues especially important for relays.

The release notes are available at:
https://blog.torproject.org/new-stable-tor-releases-security-fixes-and-dos-prevention-03210-03110-02915

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Fixes: #11662

16 months ago  ClamAV: update to 0.99.4
Peter Müller [Sun, 4 Mar 2018 16:57:15 +0000 (17:57 +0100)]
ClamAV: update to 0.99.4

Update ClamAV to 0.99.4 which fixes four security issues
and compatibility issues with GCC 6 and C++ 11.

The release note can be found here: http://blog.clamav.net/2018/03/clamav-0994-has-been-released.html

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  vpnmain.cgi: Fix reading common names from certificates
Michael Tremer [Thu, 1 Mar 2018 19:58:11 +0000 (19:58 +0000)]
vpnmain.cgi: Fix reading common names from certificates

OpenSSL has changed the output of the subject lines of
certificates.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  apache: Require TLSv1.2 for access to the web user interface
Michael Tremer [Wed, 28 Feb 2018 11:55:35 +0000 (11:55 +0000)]
apache: Require TLSv1.2 for access to the web user interface

This will work fine for FF 27 or newer, Chrome 30 or newer,
IE 11 on Windows 7 or newer, Opera 17 or newer, Safari 9 or
newer, Android 5.0 or newer and Java 8 or newer.

Since IPFire is not supposed to host any other applications and
all have been removed in the last few Core Updates, only the web
user interface is served over HTTPS here. We clearly prefer
security over compatibility.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  change Apache TLS cipher list to "Mozilla Modern"
Peter Müller [Tue, 7 Nov 2017 19:51:32 +0000 (20:51 +0100)]
change Apache TLS cipher list to "Mozilla Modern"

Change the TLS cipher list of Apache to "Mozilla Modern".

ECDSA is preferred over RSA to save CPU time on both server
and client. Clients without support for TLS 1.2 and AES will
experience connection failures.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  openssl: Apply ciphers patch before running Configure
Michael Tremer [Wed, 28 Feb 2018 11:49:47 +0000 (11:49 +0000)]
openssl: Apply ciphers patch before running Configure

This works just fine here.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  set OpenSSL 1.1.0 DEFAULT cipher list to secure value
Peter Müller via Development [Tue, 27 Feb 2018 17:35:22 +0000 (18:35 +0100)]
set OpenSSL 1.1.0 DEFAULT cipher list to secure value

Only use secure cipher list for the OpenSSL DEFAULT list:
* ECDSA is preferred over RSA since it is faster and more scalable
* TLS 1.2 suites are preferred over anything older
* weak ciphers such as RC4 and 3DES have been eliminated
* AES-GCM is preferred over AES-CBC (known as the "mac-then-encrypt" problem)
* ciphers without PFS are moved to the end of the cipher list

This patch leaves AES-CCM, AES-CCM8 and CHACHA20-POLY1305 suites
where they are since they are considered secure and there is no
need to change anything.

The DEFAULT cipher list is now (output of "openssl ciphers -v"):

ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM8(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM8 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM8(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(128) Mac=SHA256
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(256) Mac=SHA384
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(128) Mac=SHA256
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES256-CCM8     TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM8(256) Mac=AEAD
DHE-RSA-AES256-CCM      TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-CCM8     TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM8(128) Mac=AEAD
DHE-RSA-AES128-CCM      TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-CCM8             TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM8(256) Mac=AEAD
AES256-CCM              TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM(256) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-CCM8             TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM8(128) Mac=AEAD
AES128-CCM              TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
CAMELLIA256-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
CAMELLIA128-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1

This has been discussed on 2017-12-04 (https://wiki.ipfire.org/devel/telco/2017-12-04)
and for a similar patch written for OpenSSL 1.0.x.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
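As an added example (it is not the patch itself, which edits OpenSSL's built-in DEFAULT list), here is a small checker for the properties the commit message lists. It parses `openssl ciphers -v` output and reports violations: weak ciphers still present, a PFS suite ordered after a non-PFS one, a TLS 1.2 suite after an older one within the same key-exchange/authentication group, an AEAD suite after a CBC suite within a group, or an ECDSA suite after an RSA suite within a tier. The first sample is an excerpt of the list shown above; the second is a constructed legacy list that breaks several rules. The grouping used by the ordering checks is this example's reading of the list, not a rule stated by the patch.

```python
import re

# One line of "openssl ciphers -v": NAME VERSION Kx=... Au=... Enc=... Mac=...
CIPHER_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<version>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)
VERSION_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.2": 2, "TLSv1.3": 3}
WEAK_ENC_PREFIXES = ("RC4", "3DES", "DES", "None")   # Enc= values that must not appear


def parse_ciphers(text: str) -> list:
    """Parse 'openssl ciphers -v' output into dicts; raises on a line it cannot read."""
    suites = []
    for raw in text.strip().splitlines():
        m = CIPHER_LINE.match(raw.strip())
        if not m:
            raise ValueError(f"unparseable cipher line: {raw!r}")
        s = m.groupdict()
        s["pfs"] = s["kx"] in ("ECDH", "DH")      # ephemeral key exchange
        s["aead"] = s["mac"] == "AEAD"            # GCM, CCM or ChaCha20-Poly1305
        suites.append(s)
    return suites


def check_policy(suites: list) -> list:
    """Return the list of violations of the properties in the commit message (empty = compliant)."""
    problems = []
    # 1. weak ciphers (RC4, 3DES, ...) and MD5 MACs must be gone
    for s in suites:
        if s["enc"].startswith(WEAK_ENC_PREFIXES) or s["mac"] == "MD5":
            problems.append(f"weak suite present: {s['name']}")
    # 2. every PFS suite precedes every non-PFS suite
    first_non_pfs = next((i for i, s in enumerate(suites) if not s["pfs"]), len(suites))
    for s in suites[first_non_pfs:]:
        if s["pfs"]:
            problems.append(f"PFS suite ordered after a non-PFS suite: {s['name']}")
    # 3.-5. ordering inside groups of the list (grouping is this example's assumption)
    lowest_version = {}    # (kx, au) -> lowest protocol version rank seen so far
    non_aead_seen = set()  # (kx, au, version) groups that already listed a CBC suite
    rsa_seen = set()       # (kx, version) groups that already listed an RSA-authenticated suite
    for s in suites:
        rank = VERSION_RANK.get(s["version"], -1)
        group = (s["kx"], s["au"])
        if rank > lowest_version.get(group, rank):
            problems.append(f"newer-protocol suite ordered after an older one: {s['name']}")
        lowest_version[group] = min(rank, lowest_version.get(group, rank))
        tier = (s["kx"], s["au"], s["version"])
        if s["aead"] and tier in non_aead_seen:
            problems.append(f"AEAD suite ordered after a CBC suite: {s['name']}")
        if not s["aead"]:
            non_aead_seen.add(tier)
        auth_tier = (s["kx"], s["version"])
        if s["au"] == "ECDSA" and auth_tier in rsa_seen:
            problems.append(f"ECDSA suite ordered after an RSA suite: {s['name']}")
        if s["au"] == "RSA":
            rsa_seen.add(auth_tier)
    return problems


# Excerpt of the DEFAULT list printed above, in the same order
SECURE_EXCERPT = """
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
"""

# Constructed legacy list: non-PFS first, TLSv1 before TLSv1.2, RC4 and 3DES still enabled
LEGACY_SAMPLE = """
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
"""

if __name__ == "__main__":
    for label, text in (("secure excerpt", SECURE_EXCERPT), ("legacy sample", LEGACY_SAMPLE)):
        print(f"{label}: {check_policy(parse_ciphers(text)) or 'compliant'}")
```

On a live system the input would simply be the captured output of `openssl ciphers -v`, which lets the same checks run against whatever list a build actually ships.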
16 months ago  core120: Call openvpnctrl with full path
Michael Tremer [Wed, 28 Feb 2018 10:48:29 +0000 (10:48 +0000)]
core120: Call openvpnctrl with full path

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  Bump release of all packages linked against OpenSSL
Michael Tremer [Mon, 26 Feb 2018 16:28:16 +0000 (16:28 +0000)]
Bump release of all packages linked against OpenSSL

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  core120: Ship everything that is linked against OpenSSL
Michael Tremer [Mon, 26 Feb 2018 16:22:32 +0000 (16:22 +0000)]
core120: Ship everything that is linked against OpenSSL

This will make sure that everything is using the new version
of the library.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  Disable Path MTU discovery
Michael Tremer [Mon, 26 Feb 2018 15:37:49 +0000 (15:37 +0000)]
Disable Path MTU discovery

This seems to be a failed concept and causes issues with transferring
large packets through an IPsec tunnel connection.

This configures the kernel to still respond to PMTU ICMP discovery
messages, but will not try this on its own.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  core120: Fix typo in initscript name
Michael Tremer [Mon, 26 Feb 2018 15:34:10 +0000 (15:34 +0000)]
core120: Fix typo in initscript name

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  Rootfile update
Michael Tremer [Mon, 26 Feb 2018 13:06:34 +0000 (13:06 +0000)]
Rootfile update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  dhcp: Allow adding extra DHCP interfaces
Michael Tremer [Mon, 26 Feb 2018 11:12:20 +0000 (11:12 +0000)]
dhcp: Allow adding extra DHCP interfaces

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  OpenVPN: Ship missing OpenSSL configuration file for update
Erik Kapfer via Development [Mon, 26 Feb 2018 07:00:15 +0000 (08:00 +0100)]
OpenVPN: Ship missing OpenSSL configuration file for update

Core 115 delivered a patch which prevents the '--ns-cert-type server is deprecated' message
and also introduced '--remote-cert-tls server' -->
https://patchwork.ipfire.org/patch/1441/, whereby the changed ovpn.cnf has not been delivered.

Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  OpenVPN: New AES-GCM cipher for N2N and RW
Erik Kapfer via Development [Sun, 25 Feb 2018 13:49:49 +0000 (14:49 +0100)]
OpenVPN: New AES-GCM cipher for N2N and RW

AES-GCM 128, 196 and 256 bit have been added to the Net-to-Net and Roadwarrior sections.

HMAC selection for N2N will be disabled if AES-GCM is used since GCM provides its own message authentication (GMAC).
    The 'auth *' line in N2N.conf will be deleted appropriately if AES-GCM is used since '--tls-auth' is not available for N2N.
The HMAC selection menu for Roadwarriors is still available since '--tls-auth' is available for RWs,
    which uses the configured HMAC even if AES-GCM has been applied.

Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  openssl-compat: Do not try to apply missing padlock patch
Michael Tremer [Thu, 22 Feb 2018 18:52:03 +0000 (18:52 +0000)]
openssl-compat: Do not try to apply missing padlock patch

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  openssl-compat: Add missing library path
Michael Tremer [Thu, 22 Feb 2018 18:50:38 +0000 (18:50 +0000)]
openssl-compat: Add missing library path

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  core120: Remove deprecated sshd configuration option
Michael Tremer [Wed, 21 Feb 2018 13:06:22 +0000 (13:06 +0000)]
core120: Remove deprecated sshd configuration option

This just created a warning and is now dropped.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  Revert "wget: Link against GnuTLS instead of OpenSSL"
Michael Tremer [Wed, 21 Feb 2018 12:55:36 +0000 (12:55 +0000)]
Revert "wget: Link against GnuTLS instead of OpenSSL"

This reverts commit a46b159a8dc0d191ee57cf48b66be8a39fd7d9ec.

wget 1.19.4 supports linking against OpenSSL 1.1.0.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  core120: Remove forgotten PHP file
Michael Tremer [Wed, 21 Feb 2018 12:41:05 +0000 (12:41 +0000)]
core120: Remove forgotten PHP file

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  core120: Ship updated OpenSSL 1.1.0
Michael Tremer [Wed, 21 Feb 2018 12:39:55 +0000 (12:39 +0000)]
core120: Ship updated OpenSSL 1.1.0

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  Merge branch 'openssl-11' into next
Michael Tremer [Wed, 21 Feb 2018 12:21:10 +0000 (12:21 +0000)]
Merge branch 'openssl-11' into next

16 months ago  Start Core Update 120
Michael Tremer [Wed, 21 Feb 2018 12:20:57 +0000 (12:20 +0000)]
Start Core Update 120

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  core119: Reload apache after configuration changes
Michael Tremer [Wed, 21 Feb 2018 12:05:14 +0000 (12:05 +0000)]
core119: Reload apache after configuration changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  disable Apache server signature
Peter Müller [Tue, 5 Dec 2017 13:43:17 +0000 (14:43 +0100)]
disable Apache server signature

Sending the server signature is unnecessary and might leak
some internal information (although ServerTokens is already
set to "Prod").

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  backup: Don't backup apache configuration, keys only
Michael Tremer [Wed, 21 Feb 2018 11:24:48 +0000 (11:24 +0000)]
backup: Don't backup apache configuration, keys only

In the past the apache configuration was part of the backup
and may have been restored after Core Update 118 was installed
with PHP being dropped amongst other things.

This patch will make sure that only keys are being backed up.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  Rootfile update
Michael Tremer [Tue, 20 Feb 2018 20:10:30 +0000 (20:10 +0000)]
Rootfile update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  strongswan: Update to 5.6.2
Michael Tremer [Mon, 19 Feb 2018 23:44:57 +0000 (23:44 +0000)]
strongswan: Update to 5.6.2

Fixed a DoS vulnerability in the parser for PKCS#1 RSASSA-PSS
signatures that was caused by insufficient input validation.
One of the configurable parameters in algorithm identifier
structures for RSASSA-PSS signatures is the mask generation
function (MGF). Only MGF1 is currently specified for this purpose.
However, this in turn takes itself a parameter that specifies
the underlying hash function. strongSwan's parser did not
correctly handle the case of this parameter being absent,
causing an undefined data read.

This vulnerability has been registered as CVE-2018-6459.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  IPsec: Try to restart always-on tunnels immediately
Michael Tremer [Mon, 19 Feb 2018 23:42:17 +0000 (23:42 +0000)]
IPsec: Try to restart always-on tunnels immediately

When a tunnel that is in always-on configuration closes
unexpectedly, we can instruct strongSwan to restart it
immediately which is precisely what we do now.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  Rootfile update for armv5tel
Michael Tremer [Sat, 17 Feb 2018 18:55:38 +0000 (18:55 +0000)]
Rootfile update for armv5tel

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  haproxy: Link against libatomic on ARM
Michael Tremer [Sat, 17 Feb 2018 13:36:37 +0000 (13:36 +0000)]
haproxy: Link against libatomic on ARM

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  i2c-tools: New package
Michael Tremer [Fri, 16 Feb 2018 20:01:55 +0000 (20:01 +0000)]
i2c-tools: New package

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  flac: Update to 1.3.2
Michael Tremer [Fri, 16 Feb 2018 19:14:33 +0000 (19:14 +0000)]
flac: Update to 1.3.2

The previous version fails to build on i586.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  Rootfile update
Michael Tremer [Thu, 15 Feb 2018 19:34:50 +0000 (19:34 +0000)]
Rootfile update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  OpenVPN: Added needed directive for v2.4 update
Erik Kapfer [Thu, 15 Feb 2018 04:43:49 +0000 (05:43 +0100)]
OpenVPN: Added needed directive for v2.4 update

script-security: The support for the 'system' flag has been removed due to security implications
    with shell expansions when executing scripts via the system() call.
    For more information: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage .

ncp-disable: Negotiable crypto parameters have been disabled for now.

Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  core119: Ship changed proxy.cgi
Michael Tremer [Wed, 14 Feb 2018 22:23:20 +0000 (22:23 +0000)]
core119: Ship changed proxy.cgi

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
16 months ago  proxy.cgi: remove excessive newlines in generated proxy.pac
Bernhard Held [Mon, 12 Feb 2018 22:25:47 +0000 (23:25 +0100)]
proxy.cgi: remove excessive newlines in generated proxy.pac

Remove excessive newlines in generated proxy.pac

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
17 months ago  Rootfile update
Michael Tremer [Tue, 13 Feb 2018 21:07:04 +0000 (21:07 +0000)]
Rootfile update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
17 months ago  Bump toolchain version
Michael Tremer [Tue, 13 Feb 2018 16:35:08 +0000 (16:35 +0000)]
Bump toolchain version

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
17 months ago  Rootfile update for glibc on i586
Michael Tremer [Tue, 13 Feb 2018 16:34:55 +0000 (16:34 +0000)]
Rootfile update for glibc on i586

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
17 months ago  nagios-plugins: Update rootfiles
Michael Tremer [Tue, 13 Feb 2018 16:30:05 +0000 (16:30 +0000)]
nagios-plugins: Update rootfiles

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
17 months ago  postfix: Update rootfile
Michael Tremer [Tue, 13 Feb 2018 16:20:55 +0000 (16:20 +0000)]
postfix: Update rootfile

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
17 months ago  zlib: Fix name of logfile in toolchain build
Michael Tremer [Tue, 13 Feb 2018 10:24:04 +0000 (10:24 +0000)]
zlib: Fix name of logfile in toolchain build

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
17 months ago  sslh: Build without tcpwrappers
Michael Tremer [Tue, 13 Feb 2018 10:23:54 +0000 (10:23 +0000)]
sslh: Build without tcpwrappers

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
17 months ago  toolchain: Add zlib
Michael Tremer [Mon, 12 Feb 2018 14:24:12 +0000 (14:24 +0000)]
toolchain: Add zlib

ccache needs this and usually comes with its own bundled
version but fails to build in version 3.4.1.

Since this is a small library only and we really want
ccache to use compression, we will build this independently
and let ccache use it from the system.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
17 months ago  Bump toolchain version
Michael Tremer [Mon, 12 Feb 2018 13:07:38 +0000 (13:07 +0000)]
Bump toolchain version

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
17 months ago Cleanup toolchain scripts
Michael Tremer [Mon, 12 Feb 2018 12:44:37 +0000 (12:44 +0000)]
Cleanup toolchain scripts

No functional changes, just some tidying up.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
17 months ago ccache: Update to 3.4.1
Michael Tremer [Mon, 12 Feb 2018 12:12:08 +0000 (12:12 +0000)]
ccache: Update to 3.4.1

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
17 months ago PAM: Drop shipped configuration
Michael Tremer [Mon, 12 Feb 2018 12:09:22 +0000 (12:09 +0000)]
PAM: Drop shipped configuration

This is outdated, broken and has hardcoded passwords.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
17 months ago Drop perl-DBD-mysql
Michael Tremer [Mon, 12 Feb 2018 12:07:29 +0000 (12:07 +0000)]
Drop perl-DBD-mysql

This package is not used by anything and depends on MySQL
which has been dropped, too.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
17 months ago Drop MySQL
Michael Tremer [Mon, 12 Feb 2018 12:05:46 +0000 (12:05 +0000)]
Drop MySQL

This is outdated and still on 5.0.x and nobody volunteered to
update this package.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
17 months ago asterisk: Do not depend on MySQL any more
Michael Tremer [Mon, 12 Feb 2018 11:55:28 +0000 (11:55 +0000)]
asterisk: Do not depend on MySQL any more

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
17 months ago postfix: Don't depend on amavis
Michael Tremer [Mon, 12 Feb 2018 11:52:07 +0000 (11:52 +0000)]
postfix: Don't depend on amavis

These can be used together, but there is no need to
always install amavis when someone wants to use postfix.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
17 months ago postfix: Don't depend on MySQL any more
Michael Tremer [Mon, 12 Feb 2018 11:51:46 +0000 (11:51 +0000)]
postfix: Don't depend on MySQL any more

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
17 months ago postfix: Don't ship our own configuration
Michael Tremer [Mon, 12 Feb 2018 11:50:51 +0000 (11:50 +0000)]
postfix: Don't ship our own configuration

This is outdated and half of it is not maintained any more.

Users should configure postfix themselves based on the
default configuration.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
17 months ago Drop pammysql
Michael Tremer [Mon, 12 Feb 2018 11:44:28 +0000 (11:44 +0000)]
Drop pammysql

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
17 months ago Drop tcpwrapper
Michael Tremer [Mon, 12 Feb 2018 11:42:47 +0000 (11:42 +0000)]
Drop tcpwrapper

This library has been unused for quite a while.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
17 months ago Drop mISDN userspace tools
Michael Tremer [Mon, 12 Feb 2018 11:40:07 +0000 (11:40 +0000)]
Drop mISDN userspace tools

This has been unsupported for quite a while and nobody should be using it.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
17 months ago Drop capi4k-utils
Michael Tremer [Mon, 12 Feb 2018 11:33:51 +0000 (11:33 +0000)]
Drop capi4k-utils

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
17 months ago core119: Remove dropped lcr package during update
Michael Tremer [Mon, 12 Feb 2018 11:31:14 +0000 (11:31 +0000)]
core119: Remove dropped lcr package during update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
17 months ago core119: Import changed packages
Michael Tremer [Mon, 12 Feb 2018 11:29:53 +0000 (11:29 +0000)]
core119: Import changed packages

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
17 months ago Start Core Update 119
Michael Tremer [Mon, 12 Feb 2018 11:22:58 +0000 (11:22 +0000)]
Start Core Update 119

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
17 months ago Rootfile update for bison
Michael Tremer [Mon, 12 Feb 2018 11:18:01 +0000 (11:18 +0000)]
Rootfile update for bison

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
17 months ago OpenVPN: Mark insecure ciphers and DH-parameter as 'weak' in WUI menu
Erik Kapfer [Thu, 8 Feb 2018 08:54:58 +0000 (09:54 +0100)]
OpenVPN: Mark insecure ciphers and DH-parameter as 'weak' in WUI menu

64 bit block ciphers like Blowfish, TDEA and CAST5 are vulnerable to the so-called 'Birthday attacks'.
    Info on the 'Sweet32' Birthday attacks can be found here:
        https://sweet32.info/
    An overview of 64 bit block ciphers can also be found here:
        http://en.citizendium.org/wiki/Block_cipher/Catalogs/Cipher_list#64-bit_blocks

1024 bit Diffie-Hellman parameters have also been marked as weak because of the 'Logjam Attack'.
    Info on the 'Logjam Attack' can be found here:
        https://weakdh.org/

Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
17 months ago index.cgi: Properly show IPsec subnets
Michael Tremer [Sun, 11 Feb 2018 23:23:54 +0000 (23:23 +0000)]
index.cgi: Properly show IPsec subnets

Fixes: #11604

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
17 months ago CRL updater: Update script for OpenVPN's CRL
Erik Kapfer [Wed, 7 Feb 2018 17:31:49 +0000 (18:31 +0100)]
CRL updater: Update script for OpenVPN's CRL

Update script for OpenVPN's CRL, because OpenVPN has refactored the CRL handling since v2.4.0.
    The script checks the next update field of the CRL and executes an update before it expires.
    The script is placed under fcron.daily for daily checks.

Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>