Peter Müller [Sat, 21 Apr 2018 16:44:45 +0000 (18:44 +0200)]
update ClamAV to 0.100.0
Update ClamAV to 0.100.0, which brings some new features and bugfixes
(release notes are available here: https://blog.clamav.net/2018/04/clamav-01000-has-been-released.html).
Since the internal LLVM code is now deprecated and disabled by default,
patching clamav/libclamav/c++/llvm/lib/ExecutionEngine/JIT/Intercept.cpp
does not seem to be necessary anymore.
Further, the --disable-zlib-vcheck option has been removed since it
produces warnings during compilation.
Signed-off-by: Peter Müller <peter.mueller@link38.eu> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 9 Apr 2018 10:32:07 +0000 (11:32 +0100)]
OpenVPN: Drop Path MTU discovery settings
These have to be dropped since the entire system does not
support Path MTU discovery any more. This should not have
any disadvantage on any tunnels since PMTU didn't really
work in the first place.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Wed, 28 Mar 2018 03:41:50 +0000 (05:41 +0200)]
use protocol defined in server-list.db for mirror communication
For each mirror server, a protocol can be specified in the
server-list.db database. However, it was not used for the
actual URL query to a mirror before.
This might be useful for deploy HTTPS pinning for Pakfire.
If a mirror is known to support HTTPS, all queries to it
will be made with this protocol.
This saves some overhead if HTTPS is enforced on a mirror
via 301 redirects. To enable this, the server-list.db
needs to be adjusted.
The second version of this patch only handles protocols
HTTP and HTTPS, since we do not expect anything else here
at the moment.
Partially fixes #11661.
Signed-off-by: Peter Müller <peter.mueller@link38.eu> Cc: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 27 Mar 2018 15:05:07 +0000 (16:05 +0100)]
openssl: Update to 1.0.2o
CVE-2018-0739 (OpenSSL advisory) [Moderate severity] 27 March 2018:
Constructed ASN.1 types with a recursive definition (such as can be
found in PKCS7) could eventually exceed the stack given malicious
input with excessive recursion. This could result in a Denial Of
Service attack. There are no such structures used within SSL/TLS
that come from untrusted sources so this is considered safe.
Reported by OSS-fuzz.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 27 Mar 2018 14:59:04 +0000 (15:59 +0100)]
openssl: Update to 1.1.0h
CVE-2018-0739 (OpenSSL advisory) [Moderate severity] 27 March 2018:
Constructed ASN.1 types with a recursive definition (such as can be
found in PKCS7) could eventually exceed the stack given malicious
input with excessive recursion. This could result in a Denial Of
Service attack. There are no such structures used within SSL/TLS
that come from untrusted sources so this is considered safe.
Reported by OSS-fuzz.
This patch also entirely removes support for SSLv3. The patch to
disable it didn't apply and since nobody has been using this before,
we will not compile it into OpenSSL any more.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Tue, 20 Mar 2018 19:46:52 +0000 (20:46 +0100)]
vnstat: Update to 1.18
For details see: https://humdi.net/vnstat/CHANGES
Changed "SaveInterval 5" to "SaveInterval 1" in '/etc/vnstat.conf', triggered by
https://forum.ipfire.org/viewtopic.php?f=22&t=20448 to avoid data loss with 1Gbit
connections and high traffic.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Sun, 18 Mar 2018 12:55:31 +0000 (13:55 +0100)]
PAM: Delete old lib and symlinks
Core 119 update delivers an updated PAM whereby the libdir has been changed from /lib to /usr/lib
but the old libraries and symlinks are still presant. Since the system searches /lib before
/usr/lib , the old libs and symlinks are used which ends up in an `LIBPAM_EXTENSION_1.1' not found.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Mon, 12 Mar 2018 12:47:34 +0000 (13:47 +0100)]
OpenVPN: Update to version 2.4.5
This is primarily a maintenance release, with further improved OpenSSL 1.1 integration, several minor bug fixes and other minor improvements.
Further information can be found in here https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst#version-245 and
here https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24 .
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
"This release addresses five security issues in ntpd:
LOW/MEDIUM: Sec 3012 / CVE-2016-1549 / VU#961909: Sybil vulnerability: ephemeral
association attack
While fixed in ntp-4.2.8p7, there are significant additional protections for
this issue in 4.2.8p11.
Reported by Matt Van Gundy of Cisco.
INFO/MEDIUM: Sec 3412 / CVE-2018-7182 / VU#961909: ctl_getitem(): buffer read overrun
leads to undefined behavior and information leak
Reported by Yihan Lian of Qihoo 360.
LOW: Sec 3415 / CVE-2018-7170 / VU#961909: Multiple authenticated ephemeral associations
Reported on the questions@ list.
LOW: Sec 3453 / CVE-2018-7184 / VU#961909: Interleaved symmetric mode cannot recover
from bad state
Reported by Miroslav Lichvar of Red Hat.
LOW/MEDIUM: Sec 3454 / CVE-2018-7185 / VU#961909: Unauthenticated packet can reset
authenticated interleaved association
Reported by Miroslav Lichvar of Red Hat.
one security issue in ntpq:
MEDIUM: Sec 3414 / CVE-2018-7183 / VU#961909: ntpq:decodearr() can write beyond its
buffer limit
Reported by Michael Macnair of Thales-esecurity.com.
and provides over 33 bugfixes and 32 other improvements."
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
As described in bug 11257 there is a mistake in the qos templates. The sum of the guaranteed bandwidth of the classes 101 - 120 is bigger than the available bandwidth. I adjusted the guaranteed bandwidth of the classes 101 - 104 so that each of them has a
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
As suggested by Oliver "giller" Fieker <oli@new-lan.de>
in bug 10592 I added the functionality to use the squid as ram-only cache.
Further it defines the maximum_object_size_in_memory
as 2% of the in the webif defined "Memory cache size".
The maximum_object_size_in_memory should have a useful
size of the defined memory cache and I don't want to
create another variable which muste be fulled in by the user.
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org> Suggested-by: Oliver "giller" Fieker <oli@new-lan.de> Suggested-by: Kim Wölfel <xaver4all@gmx.de> Acked-by: Michael Tremer <michael.tremer@ipfire.org> Cc: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sun, 4 Mar 2018 17:26:52 +0000 (18:26 +0100)]
test if nameservers with DNSSEC support return "ad"-flagged data
DNSSEC-validating nameservers return an "ad" (Authenticated Data)
flag in the DNS response header. This can be used as a negative
indicator for DNSSEC validation: In case a nameserver does not
return the flag, but failes to look up a domain with an invalid
signature, it does not support DNSSEC validation.
This makes it easier to detect nameservers which do not fully
comply to the RFCs or try to tamper DNS queries.
See bug #11595 (https://bugzilla.ipfire.org/show_bug.cgi?id=11595) for further details.
The second version of this patch avoids unnecessary usage of
grep. Thanks to Michael Tremer for the hint.
Signed-off-by: Peter Müller <peter.mueller@link38.eu> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 28 Feb 2018 11:55:35 +0000 (11:55 +0000)]
apache: Require TLSv1.2 for access to the web user interface
This will work fine for FF 27 or newer, Chrome 30 or newer,
IE 11 on Windows 7 or newer, Opera 17 or newer, Safari 9 or
newer, Android 5.0 or newer and Java 8 or newer
Since IPFire is not supposed to host any other applications and
all have been removed in the last few Core Updates, only the web
user interface is served over HTTPS here. We clearly prefer
security over compatibility.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Tue, 7 Nov 2017 19:51:32 +0000 (20:51 +0100)]
change Apache TLS cipher list to "Mozilla Modern"
Change the TLS cipher list of Apache to "Mozilla Modern".
ECDSA is preferred over RSA to save CPU time on both server
and client. Clients without support for TLS 1.2 and AES will
experience connection failures.
Signed-off-by: Peter Müller <peter.mueller@link38.eu> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
set OpenSSL 1.1.0 DEFAULT cipher list to secure value
Only use secure cipher list for the OpenSSL DEFAULT list:
* ECDSA is preferred over RSA since it is faster and more scalable
* TLS 1.2 suites are preferred over anything older
* weak ciphers such as RC4 and 3DES have been eliminated
* AES-GCM is preferred over AES-CBC (known as "mac-then-encrypt" problem)
* ciphers without PFS are moved to the end of the cipher list
This patch leaves AES-CCM, AES-CCM8 and CHACHA20-POLY1305 suites
where they are since they are considered secure and there is no
need to change anything.
The DEFAULT cipher list is now (output of "openssl ciphers -v"):
OpenVPN: Ship missing OpenSSL configuration file for update
Core 115 delivered a patch which prevents the '--ns-cert-type server is deprecated' message
and introduced also '--remote-cert-tls server' -->
https://patchwork.ipfire.org/patch/1441/ whereby the changed ovpn.cnf has not been delivered.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
AES-GCM 128, 196 and 256 bit has been added to Net-to-Net and Roadwarrior section.
HMAC selection for N2N will be disabled if AES-GCM is used since GCM provides an own message authentication (GMAC).
'auth *' line in N2N.conf will be deleted appropriately if AES-GCM is used since '--tls-auth' is not available for N2N.
HMAC selection menu for Roadwarriors is still available since '--tls-auth' is available for RWs
which uses the configuered HMAC even AES-GCM has been applied.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>