index.cgi: Show a note to people who are running IPFire on i?86

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

index.cgi: Drop Reiser4 warning

We have dropped Reiser4 in 2013. There won't be any systems out there
any more running it. We can safely drop this warning.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

WIO. new version

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

WIO: new french translation

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

WIO: code cleanup

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

OpenSSL: remove ciphers without Forward Secrecy from default ciphersuite

Ciphers not supplying (Perfect) Forward Secrecy are considered dangerous
since they allow content decryption in retrospect, if an attacker is
able to gain access to the servers' private key used for the
corresponding TLS session.

Since IPFire machines establish very few TLS connections by themselves, and
destinations (IPFire.org infrastructure, mirrors, IPS rule sources, etc.)
provide support for Forward Secrecy ciphers - some are even enforcing
them -, it is safe to drop support for anything else.

This patch reduces the OpenSSL default cipher list to:
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(128) Mac=SHA256
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

glibc: aarch64: Ignore uninitialised variables in the stage2 build, too

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: Increase maximum size of ramdisk to 8GB

The previous 4GB were not enough for a full GCC bootstrap
in the toolchain stage.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

perl: Fix build in toolchain stage

perl searches for headers and libraries in the wrong paths
and detects GCC 10 as GCC 1.x.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make: Run autoreconf after applying patches

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

glibc: Pass -Wno-error=maybe-uninitialized

This is required to build glibc in the toolchain stage on
aarch64 due to messy headers on the host system.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

glibc: Drop any custom CFLAGS

glibc is nothing special and can and should be built with
the same flags than the rest of the system.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: Bump toolchain version

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: Add -fcf-protection for x86_64/i586

Instrument binaries to guard against ROP/JOP attacks.

This flag in only available on x86_64 and i586.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: Enable -fstack-clash-protection for x86_64/aarch64

This patch turns on instrumentation to avoid skipping the guard page
in large stack frames.

Without this flag, vulnerabilities can result in where the stack
overlaps with the heap, or thread stacks spill into other regions
of memory.

This flag in only available on x86_64 and aarch64.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

gcc: Bundle against OS versions of gmp/mpfr

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

mpfr: Update to 4.1.0

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

cmake: Do not limit compile processes to only two

We can launch more when we have the memory for it

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

nfs: Update to 2.5.1 and remove bundled libnfsidmap

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

libnfsidmap: Split into a separate package

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

xinetd: Fix build against glibc 2.32 (without RPC)

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

conntrack-tools: Fix build against libtirpc

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

squid: Remove basic_nis_auth

This depends on SunRPC in glibc which was removed in 2.32.

We do not use this file.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

python(2/3): Remove nis module

This requires SunRPC and we do not use it.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Build libtirpc earlier because RPC does not come with glibc any more

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

rpcsvc-proto: New package

This is required since it is no longer included in glibc

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Update glibc to 2.32

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: Remove -mindirect-branch=thunk and -mfunction-return=thunk as default

I cannot find any evidence that this is helpful and no other
distribution has this as default. Packages that are vulnerable to these
attacks (i.e. the kernel) add these flags as appropriate automatically.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Update GCC to 10.2.0

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

bacula: Fix build with GCC 10

GCC 10 aborts compilation when nunbers are (potentially) out of range
when casted from one type to another:

fstype.c: In function 'bool fstype(FF_PKT*, char*, int)':
fstype.c:207:12: error: narrowing conversion of '4283649346' from
'unsigned int' to 'int' [-Wnarrowing]
  207 |       case 0xFF534D42:     fstype = "cifs"; break;          /*
CIFS_MAGIC_NUMBER */
      |            ^~~~~~~~~~
fstype.c:216:12: error: narrowing conversion of '4187351113' from
'unsigned int' to 'int' [-Wnarrowing]
  216 |       case 0xf995e849:     fstype = "hpfs"; break;          /*
HPFS_SUPER_MAGIC */
      |            ^~~~~~~~~~
fstype.c:217:12: error: narrowing conversion of '2508478710' from
'unsigned int' to 'int' [-Wnarrowing]
  217 |       case 0x958458f6:     fstype = "hugetlbfs"; break;     /*
HUGETLBFS_MAGIC */
      |            ^~~~~~~~~~
fstype.c:234:12: error: narrowing conversion of '2768370933' from
'unsigned int' to 'int' [-Wnarrowing]
  234 |       case 0xa501FCF5:     fstype = "vxfs"; break;
      |            ^~~~~~~~~~
fstype.c:237:12: error: narrowing conversion of '2435016766' from
'unsigned int' to 'int' [-Wnarrowing]
  237 |       case 0x9123683e:     fstype = "btrfs"; break;
      |            ^~~~~~~~~~

Does nobody build this for 32 bit any more?

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

kbd: Update to 2.2.0

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

u-boot: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

syslinux: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipfire-netboot: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

lcdproc: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

iftop: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

frr: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

bird: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

sarg: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

minidlna: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

w_scan: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

tftpd: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

motion: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

openvmtools: Update to 11.1.0

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

icinga: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

collectd: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

7zip: Fix build against GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

netatalk: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

squidguard: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

htop: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

foomatic: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

cups-filters: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

sysfsutils: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

libtirpc: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

logrotate: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

cdrkit: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

gnupg: Fix building with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

linux-atm: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

efivar: Fix build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

dhcp: Fix compiling with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

cpio: Package won't build with GCC 10 without -fcommon

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

watchdog: Update to 5.16

Fixed build with GCC 10/glibc 2.32

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

spandsp: Update to 0.0.6

This package - for some reason - does not build on i586 with
the latest version of glibc. The reason is that MMX instructions
are being used which are not allowed on i586.

However, since the assembler has not been changed, this should
have been caught before. Weird.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

dnsdist: Update to 1.5.0

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

lsof: Update to 4.91

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

xfsprogs: Update to 5.7.0

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

fping: Update to 5.0

Fixes build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

minicom: Update to 2.7.1

Fixes build with GCC 10

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

bison: Update to 3.7.1

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core149: add grub and install it at update

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

grub: update to 2.04

fixes: #12463

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>

de.pl: fix misleading translation

The 'geoip' key is being used in the firewall.cgi for configuring GeoIP
as a source or destination. "konfigurieren" is misleading in this
context.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

start core149 and add oci changes.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

smt: Do not disable SMT in virtual machines

Processors in virtual machines are *virtual*. Therefore this
only degrades the performance of the guest, but does not increase
it's security.

This patch always leaves SMT enabled in all virtual environments.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

oci: Add automatic configuration script

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

oci: Add detection for Oracle Cloud

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

make.sh: Add cross-building for aarch64

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

make.sh: add aarch qemu user binfmt magic

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

libloc: fix i586 perl module

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

libloc: Only update database once a week

Ensure to download and update the database only once a week, even the
script will be called by cron each hour.

Fixes #12462.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

stage2: fix rootfile 2nd try

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

stage2: fix aarch64 rootfile

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

stage2: update x86_64 rootfile

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core148: add network-functions.pl

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

network-functions.pl: add missing unit tests for changed, network membership procedure

Cc: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Cc: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

network-functions.pl: fix network membership test

This is based on an orphaned patch provided by Tim FitzGeorge and
_finally_ fixes incorrect network membership calculations. Those were
are usability pain in the ass deluxe, as they rendered some combinations
of configuring OpenVPN and IPsec services unusable.

Fixes: #11235
Fixes: #12263
Cc: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Cc: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

bacula: Correction to 9.6.5

- Corrected Download URL to remove filename from the end of it. This is defined separately.
- Corrected to include install command for backup file which was missed in previous patch.
- Added backup file to rootfiles list.
Signed-off-by: Adolf Belka<ahb.ipfire@gmail.com>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core148: add networking/any initskript

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

network: Fix typo for MTU value

Reported here:

  https://community.ipfire.org/t/strange-etc-init-d-networking-any-for-blue/2831

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

location: Restart IPsec after firewall was restarted

strongswan creates rules in iptables which are being dropped when
the firewall is being restarted.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core148: Do not update the location database straight away

This process takes a long time and stalls the update process.

Since the cronjob is being called once an hour, all systems will
very quickly pull a recent database which will then be extracted
in the background not disrupting the Core Update process.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Fix typo in german translation

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

mc: Update to 4.8.25

For details see:
http://midnight-commander.org/wiki/NEWS-4.8.25

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

libloc: Apply -fstack-protector only on i586

All other architectures build fine and we do not need to
weaken the Perl module unnecessarily.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

fr: Update French translation

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core148: Update crontab with recent changes

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

libloc: use regular stack-protector on i586

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

stage2: update aarch64 rootfile

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

libloc: Add upstream patch to fix a buffer issue.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

libloc: Apply patch to compile the perl module without stack protector.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>