From 2c531c2132ae6681d5b0dc6ec114fb5e8cbb0040 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Fri, 1 May 2015 16:57:13 +0200
Subject: [PATCH 1/4] vpnmain.cgi: Fix ECP regex again for Brainpool curves
The regular expression did not take into account that there could be characters like "bp" in case of the Brainpool curves (ecp512bp).
---
 html/cgi-bin/vpnmain.cgi | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 1d7535640..2a020eadd 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -3017,7 +3017,7 @@ sub make_algos($$$$$) {
 if ($mode eq "ike") {
 push(@algo, $int);
- if ($grp =~ m/^e(\d+)/) {
+ if ($grp =~ m/^e(.*)$/) {
 push(@algo, "ecp$1");
 } else {
 push(@algo, "modp$grp");
@@ -3030,7 +3030,7 @@ sub make_algos($$$$$) {
 push(@algo, $int);
 }
- if ($grp =~ m/^e(\d+)/) {
+ if ($grp =~ m/^e(.*)$/) {
 push(@algo, "ecp$1");
 } else {
 push(@algo, "modp$grp");
From 49c3105cc3fa4b988bc9d4596f4021c02fa15086 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Sat, 2 May 2015 11:20:37 +0200
Subject: [PATCH 2/4] squid: Update to 3.4.13
---
 config/rootfiles/core/90/filelists/squid | 1 +
 lfs/squid | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)
 create mode 120000 config/rootfiles/core/90/filelists/squid
diff --git a/config/rootfiles/core/90/filelists/squid b/config/rootfiles/core/90/filelists/squid
new file mode 120000
index 000000000..2dc8372a0
--- /dev/null
+++ b/config/rootfiles/core/90/filelists/squid
@@ -0,0 +1 @@
+../../../common/squid
\ No newline at end of file
diff --git a/lfs/squid b/lfs/squid
index 67e4a7db1..48aaa965a 100644
--- a/lfs/squid
+++ b/lfs/squid
@@ -24,7 +24,7 @@ include Config
-VER = 3.4.9
+VER = 3.4.13
 THISAPP = squid-$(VER)
 DL_FILE = $(THISAPP).tar.xz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 497e5be7b3430d12667628296760beca
+$(DL_FILE)_MD5 = a5f6c978b2d7a99b161c8275e1acb470
 install : $(TARGET)
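Review bot: `m/^e(.*)$/` drops the only character check the old `\d+` pattern had, so whatever follows the leading `e` in `$grp` is interpolated verbatim into the `ecp$1` algorithm string, and `$` also tolerates a trailing newline; the second hunk of the same file makes the identical change. If `$grp` arrives from the form without first being checked against a fixed list of group names (not visible here), that string reaches the generated IPsec configuration unfiltered. The Brainpool case the commit message describes only needs an optional `bp` suffix, so `if ($grp =~ m/^e(\d+(?:bp)?)\z/) {` in both hunks covers ecp512bp while still rejecting anything else. make_algos begins and ends outside both hunks.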
From 88b1e637ac581b836bcdfa4a44deeef2d8ff9711 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Sat, 2 May 2015 12:56:09 +0200
Subject: [PATCH 3/4] squid: Disable SSL support
The SSL support parts of squid are a great security risk. The majority of all security issues has been in this area. As we are not using any of that in production we can as well disable SSL support.
This won't affect squid's possibility to forward SSL connections with the CONNECT method.
---
 lfs/squid | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lfs/squid b/lfs/squid
index 48aaa965a..d4fc4c5a1 100644
--- a/lfs/squid
+++ b/lfs/squid
@@ -78,12 +78,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 --libexecdir=/usr/lib/squid \
 --localstatedir=/var \
 --disable-ipv6 \
+ --disable-ssl \
 --enable-poll \
 --disable-icmp \
 --disable-wccp \
 --enable-ident-lookups \
 --enable-storeio="aufs,diskd,ufs" \
- --enable-ssl \
 --enable-underscores \
 --enable-http-violations \
 --enable-removal-policies="heap,lru" \
From 0ee35ce0cac70ac4da8817f2ed3c84d84ddcfc44 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Sat, 2 May 2015 14:29:46 +0200
Subject: [PATCH 4/4] core90: Also regenerate IPsec configuration during the update
---
 config/rootfiles/core/90/update.sh | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/config/rootfiles/core/90/update.sh b/config/rootfiles/core/90/update.sh
index 2a69278f9..68798cb84 100644
--- a/config/rootfiles/core/90/update.sh
+++ b/config/rootfiles/core/90/update.sh
@@ -195,6 +195,9 @@ fcrontab -z &>/dev/null
 # Generate ddns configuration file
 sudo -u nobody /srv/web/ipfire/cgi-bin/ddns.cgi
+# Regenerate IPsec configuration
+sudo -u nobody /srv/web/ipfire/cgi-bin/vpnmain.cgi
+
 # Update Language cache
 perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"
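Review bot: The reason for `--disable-ssl` lives only in the commit message, while the lfs file itself is what the next squid upgrade will be edited from, where an upstream example can easily bring `--enable-ssl` back. A short comment above the configure invocation, such as `# SSL/TLS support is deliberately built out: it is unused here, has been the source of most squid advisories, and CONNECT tunnelling does not need it.`, would keep the decision next to the flag. It must sit above the command rather than between the flags, because a `#` line inside the backslash-continued argument list would break the recipe; the configure invocation itself starts outside this hunk.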
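Review bot: Whether running vpnmain.cgi as nobody with no request actually rewrites the IPsec configuration depends on the CGI's behaviour when invoked outside the web server, which this hunk cannot show; a comment naming that dependency, e.g. `# Regenerate IPsec configuration (vpnmain.cgi rewrites it when invoked without a request)`, would spare the next reader the detour. The new line also follows the ddns.cgi call above it in ignoring the exit status and letting whatever the CGI prints (presumably an HTTP header and page body) land in the update output, unlike the `fcrontab -z &>/dev/null` line a few lines up. If that output is not wanted in the log, `sudo -u nobody /srv/web/ipfire/cgi-bin/vpnmain.cgi >/dev/null` is enough, though keeping it consistent with the ddns.cgi line is a defensible choice too.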