finish core108

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

squid 3.5.22: latest patches (14119-14122)

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

nano: Update to 2.7.1

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core108: Ship updated squid

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

squid 3.5.22: latest patches (14114-14118)

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

squid 3.5.22: latest patches (14103-14113)

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

squid 3.5.22: latest patches (14100-14102)

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

squid 3.5.22: latest patch (14099)

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core108: Ship updated NTP

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ntp: Update to 4.2.8p9

"It addresses 1 high-, 2 medium-, 2 medium-/low-, and 5 low-severity
security issues, 28 bugfixes, and contains other improvements over 4.2.8p8."

For a complete list, see:
http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

tor: Update to 0.2.8.10

Brings various major bugfixes and privacy enhancements

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Fix DNS forwarder test

The previous version aborted when the validation test
suceeded, but this is not always sufficient in case a
provider filters any DNSKEY, DS or RRSIG records.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Do not try removing forwarders when unbound is not running

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Always enable asynchronous logging

This patch always enables asynchronous logging which slows
down the system a lot on slow storage and some virtual environments.

It also removes the configuration options in the web
user interface, since this is not configurable any more.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core108: Ship updated ddns

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ddns: Import patches for schokokeks.org support.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Start Core Update 108

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

strongswan: Update to 5.5.1

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Deactivate qname-minimization & harden-below-nxdomain

This causes trouble when you try to resolve a record like
a.b.blah.com where b.blah.com responds with NXDOMAIN. unbound
won't try to resolve a.b.blah.com because it is assumed that
everything longer than b.blah.com does not exist which is
probably not good usability.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

BUG11242: Fix for adding 2 VPN Hosts/network with same name

If one has an IPSec network named "aaa" and an OpenVPn Host with the same name
it was not possible to group them together because of the same name.
Now the Network type is also checked wich allows Entries with same name, but different networks.

Fixes: #11242
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Merge remote-tracking branch 'origin/master' into next

Merge remote-tracking branch 'origin/core107'

ntp: init with hardcoded ip if dns not work

DNSSec need the correct time to validate the zones so we need
a workaround to init the time without dns.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

unbound: Send out replies from where they came in

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core107: Restart unbound to activate configuration changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Allow list of INSECURE_ZONES being set in sysconfig

A list of DNS zones can be given for which DNSSEC validation
will be disabled.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Allow recursion from everywhere

Users use the IPFire DNS service from VPNs and other
routed networks.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

guardian: add path to update-lang-cache

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

guardian: add languange cache regeneration at (un)install

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

unbound: Fix for DNS forwarding of .local zones

These are traditionally used for Windows domains and should not
be used for that. However if they are used like this, DNSSEC
validation cannot be used.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Fix for DNS forwarding of .local zones

These are traditionally used for Windows domains and should not
be used for that. However if they are used like this, DNSSEC
validation cannot be used.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

set pakfire version to 107

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

start core107 updater

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

log.dat: cosmetical upgrade

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hdparm: Update to 9.50

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

kernel: fix CVE-2016-5159 (Dirty COW)

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

kernel: add support aes-ni support for aes-192 and 256

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Merge branch 'master' into next

core106: set version to 106

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Revert "setup: Store passwords in SHA format"

This reverts commit eef9b2529c3cab522dac4f4bcfa1a0075376514e.

It appears that htpasswd is not salting any passwords that are
stored with the SHA (-s) algorithm. MD5 passwords however are
salted.

That leads us to the conclusion that the "MD5 algorithm" in htpasswd
is more secure than the "SHA algorithm" although the hash function
itself should be stronger.

With a rainbow table, cracking "SHA" is easily done.

A rainbow table for "MD5" + salt would be way too large to be
efficiently stored.

Hence this commit is reverted to old behaviour to avoid the clear
failure of design in SHA.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>

unbound: Omit reverse PTRs if address equals GREEN

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound-dhcp-bridge: Make leases unique by IP address

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound-dhcp-bridge: Only update cache when lease was added/removed

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound-dhcp-bridge: Rewrite update algorithm

Before the bridge tries reading any existing leases from unbound
but this makes it difficult to destinguish between what is a DHCP lease,
static host entry or anything else.

This patch will change the bridge back to just remember what has been
added to the cache already which makes it easier to keep track.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound-dhcp-bridge: Skip processing leases with empty hostname

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound-dhcp-bridge: Reading in static hosts

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound/dhcp: stop lease bridge if dhcp was needed to killed

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Omit reverse PTRs if address equals GREEN

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound-dhcp-bridge: Make leases unique by IP address

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound-dhcp-bridge: Only update cache when lease was added/removed

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound-dhcp-bridge: Rewrite update algorithm

Before the bridge tries reading any existing leases from unbound
but this makes it difficult to destinguish between what is a DHCP lease,
static host entry or anything else.

This patch will change the bridge back to just remember what has been
added to the cache already which makes it easier to keep track.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound-dhcp-bridge: Skip processing leases with empty hostname

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound-dhcp-bridge: Reading in static hosts

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

netpbm: Bump release version to 2

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

netpbm: update to 10.47.61

To keep the files in the right place, the files are installed into the build directory
and only the files which are useful are copied to the usual places in /usr.

Signed-off-by: Marcel Lorenz <marcel.lorenz@ipfire.org>
Reviewed-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

libjpeg: update to 1.5.1

The old libjpeg is renamed to libjpeg-compat
The compat makes the old libs maintainable

Signed-off-by: Marcel Lorenz <marcel.lorenz@ipfire.org>
Reviewed-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

texinfo: update to 6.3

Signed-off-by: Marcel Lorenz <marcel.lorenz@ipfire.org>
Reviewed-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound/dhcp: stop lease bridge if dhcp was needed to killed

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

squid: Update to 3.5.22

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Move "listen on all" to main configuration file

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Midnight Commander: Update to 4.8.18

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: start prior network

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next

backup: add unbound config

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

unbound: bind to all interfaces

this allow to add interfaces without restart unbound.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

setup: restart unbound after network config change

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

drop of the obsolete and deprecated vdr addon vdr_vnsiserver3

Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Public static leases in DNS, too

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Skip invalid hostnames

If there are any invalid hostnames in the DHCP leases
table, we just skip them and do not create and RRs for
them.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

guardian 2.0: fixes for rootfile

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core106: Ship changed pakfire.cgi

This was actually changed over a year ago, but was
never shipped in an update.

Commit 212fd689a30a7b2f627149ead8d45823dc8a68af

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core106: Ship updated iptables.cgi file

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

iptables.cgi: cosmetics - wider columns

Hi,

Since the first three columns of 'iptables.cgi' gave a nearly unreadable output
with large numbers, so I made 'pkts', 'bytes' and 'target'-columns a bit wider.

BEFORE - it was something like this:

Chain INPUT (policy DROP 0 packets, 0 bytes)
  pkts bytestarget        proc opt in     out source    destination
  32M38G    BADTCP        tcp  --  *      *   0.0.0.0/0 0.0.0.0/0
  32M38G    CUSTOMINPUT   all  --  *      *   0.0.0.0/0 0.0.0.0/0
  32M38G    P2PBLOCK      all  --  *      *   0.0.0.0/0 0.0.0.0/0
  32M38G    GUARDIAN      all  --  *      *   0.0.0.0/0 0.0.0.0/0
  00        OVPNBLOCK     all  --  tun+   *   0.0.0.0/0 0.0.0.0/0
  32M38G    IPTVINPUT     all  --  *      *   0.0.0.0/0 0.0.0.0/0
  32M38G    ICMPINPUT     all  --  *      *   0.0.0.0/0 0.0.0.0/0
  32M38G    LOOPBACK      all  --  *      *   0.0.0.0/0 0.0.0.0/0
  21M21G    CONNTRACK     all  --  *      *   0.0.0.0/0 0.0.0.0/0
  393873484KDHCPGREENINPUTall  --  green0 *   0.0.0.0/0 0.0.0.0/0
  645153642KGEOIPBLOCK    all  --  *      *   0.0.0.0/0 0.0.0.0/0
  386592304KIPSECINPUT    all  --  *      *   0.0.0.0/0 0.0.0.0/0
  386592304KGUIINPUT      all  --  *      *   0.0.0.0/0 0.0.0.0/0
  368332209KWIRELESSINPUT all  --  *      *   0.0.0.0/0 0.0.0.0/0 ctstate NEW
  368332209KOVPNINPUT     all  --  *      *   0.0.0.0/0 0.0.0.0/0
  368332209KTOR_INPUT     all  --  *      *   0.0.0.0/0 0.0.0.0/0
  368332209KINPUTFW       all  --  *      *   0.0.0.0/0 0.0.0.0/0
  309641833KREDINPUT      all  --  *      *   0.0.0.0/0 0.0.0.0/0
  309641833KPOLICYIN      all  --  *      *   0.0.0.0/0 0.0.0.0/0

AFTER - somehow better readable - I think: ;-)

Chain INPUT (policy DROP 0 packets, 0 bytes)
  pkts  bytes target         proc opt in     out source    destination
  32M   38G   BADTCP         tcp  --  *      *   0.0.0.0/0 0.0.0.0/0
  32M   38G   CUSTOMINPUT    all  --  *      *   0.0.0.0/0 0.0.0.0/0
  32M   38G   P2PBLOCK       all  --  *      *   0.0.0.0/0 0.0.0.0/0
  32M   38G   GUARDIAN       all  --  *      *   0.0.0.0/0 0.0.0.0/0
  0     0     OVPNBLOCK      all  --  tun+   *   0.0.0.0/0 0.0.0.0/0
  32M   38G   IPTVINPUT      all  --  *      *   0.0.0.0/0 0.0.0.0/0
  32M   38G   ICMPINPUT      all  --  *      *   0.0.0.0/0 0.0.0.0/0
  32M   38G   LOOPBACK       all  --  *      *   0.0.0.0/0 0.0.0.0/0
  21M   21G   CONNTRACK      all  --  *      *   0.0.0.0/0 0.0.0.0/0
  39387 3484K DHCPGREENINPUT all  --  green0 *   0.0.0.0/0 0.0.0.0/0
  64515 3642K GEOIPBLOCK     all  --  *      *   0.0.0.0/0 0.0.0.0/0
  38659 2304K IPSECINPUT     all  --  *      *   0.0.0.0/0 0.0.0.0/0
  38659 2304K GUIINPUT       all  --  *      *   0.0.0.0/0 0.0.0.0/0
  36833 2209K WIRELESSINPUT  all  --  *      *   0.0.0.0/0 0.0.0.0/0 ctstate NEW
  36833 2209K OVPNINPUT      all  --  *      *   0.0.0.0/0 0.0.0.0/0
  36833 2209K TOR_INPUT      all  --  *      *   0.0.0.0/0 0.0.0.0/0
  36833 2209K INPUTFW        all  --  *      *   0.0.0.0/0 0.0.0.0/0
  30964 1833K REDINPUT       all  --  *      *   0.0.0.0/0 0.0.0.0/0
  30964 1833K POLICYIN       all  --  *      *   0.0.0.0/0 0.0.0.0/0

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

setclock: accept also empty logfile timestamp

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

setclock: prevent time bacjump by empty rtc batteries

This is a work around to prevent not working dns
resolution if the time jumps before the DNSSec signing key.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

unbound: skip green interface if ip was set to 1.1.1.1

this is a reserved marker for unused green ip.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

unbound: Correctly format PTR records

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core106: Restart DHCP server to import leases into DNS

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

setup: Store passwords in SHA format

htpasswd doesn't protect passwords very well. MD5 was used
before and now any newly created passwords will use the
SHA format.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next

Revert "core106: Add DNS root key to exclude list"

This reverts commit f58002a83f279246cdd58bfb5e9dfbf9d5aa99c7.

unbound: fix update forwarders if unbound was not running

psgrep has no "-q" switch so i use pidof.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next

unbound: fix reverse lockup of webif defined hosts

and make the own host resolveable.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Update translations

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

guardian 2.0: suggested cosmetic changes

I did the following:

- Rearranged the fields on 'guardian.cgi' a bit - in a (hopefully) logical manner,
  so that they don't need so much room.
- Added some translation-strings and explanations to (revised) 'guardian.cgi'.
- Added missing language string(s), deleted obsolete.
- Deleted all guardian entries from standard language files in
  '/var/ipfire/langs'-directory.
- Added (upgraded) addon-specific language files to '/var/ipfire/addon-lang'-directory.

I hope, I didn't forget something...

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

core106: Ship updated libidn

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

libidn: Update to 1.33

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next

index.cgi: display unbound dns servers

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

Remove IPAC stuff

This is unused for a very very very long time and serves
no purpose any more.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Add search domain to /etc/resolv.conf at boot time

unbound does not append the local domain to the request
any more (like dnsmasq did). Therefore, the client needs
to do that if desired.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

unbound: Test upstream name servers before using

unbound has some trouble with validating DNSSEC-enabled
domains when the upstream name server is stripping signatures
from the authoritative responses.

This script now checks that, removes any broken upstream
name servers from the list and prints a warning.

If all name servers fail the test, unbound falls back
into recursor mode.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core106: Add DNS root key to exclude list

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

unbound: Update to 1.5.10

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

core106: Ship updated /etc/login.defs

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Print nicer error message when already running

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Start unbound when invoked by DHCP scripts

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

shadow-utils: Create standard set of configuration files

Previously we copied the default configuration from the upstream
package and modified that. Unfortunately a patch and a sed command
changed the file which resulted in unwanted changes.

This patch removes the patch and sed command and adds a new set
of configuration files that just need to be copied to the system.

Fixes #11195

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

attr: rootfile update

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>