webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-09 18:45:54 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'next' into fifteen

Browse Source
This commit is contained in:
Arne Fitzenreiter
2013-12-10 00:15:01 +01:00
parent e39ac92dd2 9fa1849586
commit 5d4d41b18c
17 changed files with 122 additions and 341 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
config/rootfiles/common/apache2
View File

@@ -1388,6 +1388,7 @@ srv/web/ipfire/cgi-bin/connscheduler.cgi
srv/web/ipfire/cgi-bin/country.cgi
srv/web/ipfire/cgi-bin/credits.cgi
srv/web/ipfire/cgi-bin/dns.cgi
srv/web/ipfire/cgi-bin/dnsforward.cgi
srv/web/ipfire/cgi-bin/ddns.cgi
srv/web/ipfire/cgi-bin/dhcp.cgi
#srv/web/ipfire/cgi-bin/dmzholes.cgi

17
config/rootfiles/core/74/exclude Normal file
View File

@@ -0,0 +1,17 @@
srv/web/ipfire/html/proxy.pac
boot/config.txt
etc/udev/rules.d/30-persistent-network.rules
etc/collectd.custom
etc/shadow
etc/ipsec.conf
etc/ipsec.secrets
etc/ipsec.user.conf
etc/ipsec.user.secrets
var/log/cache
var/updatecache
etc/localtime
var/ipfire/ovpn
etc/ssh/ssh_config
etc/ssh/sshd_config
etc/ssl/openssl.cnf
var/state/dhcp/dhcpd.leases

6
config/rootfiles/core/74/filelists/files Normal file
View File

@@ -0,0 +1,6 @@
etc/system-release
etc/issue
srv/web/ipfire/cgi-bin/dnsforward.cgi
srv/web/ipfire/cgi-bin/proxy.cgi
var/ipfire/header.pl
var/ipfire/langs

1
config/rootfiles/core/74/filelists/i586/strongswan-padlock Symbolic link
View File

@@ -0,0 +1 @@
../../../../common/i586/strongswan-padlock

1
config/rootfiles/core/74/filelists/openvpn Symbolic link
View File

@@ -0,0 +1 @@
../../../common/openvpn

1
config/rootfiles/core/74/filelists/squid Symbolic link
View File

@@ -0,0 +1 @@
../../../common/squid

1
config/rootfiles/core/74/filelists/strongswan Symbolic link
View File

@@ -0,0 +1 @@
../../../common/strongswan

1
config/rootfiles/core/74/meta Normal file
View File

@@ -0,0 +1 @@
DEPS=""

84
config/rootfiles/core/74/update.sh Normal file
View File

@@ -0,0 +1,84 @@
#!/bin/bash
############################################################################
# #
# This file is part of the IPFire Firewall. #
# #
# IPFire is free software; you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation; either version 3 of the License, or #
# (at your option) any later version. #
# #
# IPFire is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with IPFire; if not, write to the Free Software #
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
# #
# Copyright (C) 2013 IPFire-Team <info@ipfire.org>. #
# #
############################################################################
#
. /opt/pakfire/lib/functions.sh
/usr/local/bin/backupctrl exclude >/dev/null 2>&1
#
# Remove old core updates from pakfire cache to save space...
core=74
for (( i=1; i<=$core; i++ ))
do
rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
done
#
#Stop services
/etc/init.d/ipsec stop
/etc/init.d/squid stop
#
#Extract files
extract_files
if [ -e "/var/ipfire/proxy/enable" ] || [ -e "/var/ipfire/proxy/enable_blue" ]; then
(
eval $(/usr/local/bin/readhash /var/ipfire/proxy/advanced/settings)
if [ "${TRANSPARENT_PORT}" = "81" ]; then
TRANSPARENT_PORT="$(( ${TRANSPARENT_PORT} + 1 ))"
sed -e "s/^TRANSPARENT_PORT=.*/TRANSPARENT_PORT=${TRANSPARENT_PORT}/" \
-i /var/ipfire/proxy/advanced/settings
fi
)
fi
# Regenerate squid configuration files.
/srv/web/ipfire/cgi-bin/proxy.cgi
chown nobody:nobody /var/ipfire/proxy/squid.conf
#
#Start services
/etc/init.d/squid start
if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then
/etc/init.d/ipsec start
fi
#
#Update Language cache
perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"
sync
# This update need a reboot...
#touch /var/run/need_reboot
#
#Finish
/etc/init.d/fireinfo start
sendprofile
#Don't report the exitcode last command
exit 0

6
lfs/samba
View File

@@ -24,7 +24,7 @@
include Config
VER = 3.6.21
VER = 3.6.22
THISAPP = samba-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = samba
PAK_VER = 55
PAK_VER = 56
DEPS = "cups"
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = faa67c625508dc495c082357913ccea6
$(DL_FILE)_MD5 = 59add4bb178ebc188d857bc13a508c0b
install : $(TARGET)

10
lfs/squid
View File

@@ -24,7 +24,7 @@
include Config
VER = 3.3.10
VER = 3.3.11
THISAPP = squid-$(VER)
DL_FILE = $(THISAPP).tar.xz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = 28058812d722cac303517a643e28bcb0
$(DL_FILE)_MD5 = dd016ff5f14b2548083b3882207914f6
install : $(TARGET)
@@ -53,7 +53,6 @@ md5 : $(subst %,%_MD5,$(objects))
###############################################################################
# Downloading, checking, md5sum
###############################################################################
$(patsubst %,$(DIR_CHK)/%,$(objects)) :
@$(CHECK)
@@ -70,11 +69,6 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && patch -Np0 < $(DIR_SRC)/src/patches/squid-3.3.10-optional-ssl-options.patch
cd $(DIR_APP) && patch -Np0 < $(DIR_SRC)/src/patches/squid-3.3.10-set-rlimit-fds.patch
cd $(DIR_APP) && ./bootstrap.sh
cd $(DIR_APP) && ./configure \
--prefix=/usr \
--sysconfdir=/etc/squid \

6
lfs/tor
View File

@@ -24,7 +24,7 @@
include Config
VER = 0.2.4.17-rc
VER = 0.2.4.18-rc
THISAPP = tor-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = tor
PAK_VER = 4
PAK_VER = 5
DEPS = "libevent2"
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = 2cdfb8dcc3306a43cf465a858bf97b2d
$(DL_FILE)_MD5 = 6cc5bc776e9d61a9fb1b000609ed2692
install : $(TARGET)

2
make.sh
View File

@@ -25,7 +25,7 @@
NAME="IPFire" # Software name
SNAME="ipfire" # Short name
VERSION="2.13" # Version number
CORE="73" # Core Level (Filename)
CORE="74" # Core Level (Filename)
PAKFIRE_CORE="73" # Core Level (PAKFIRE)
GIT_BRANCH=`git status | head -n1 | cut -d" " -f4` # Git Branch
SLOGAN="www.ipfire.org" # Software slogan

54
src/patches/squid-3.1-10486.patch
View File

@@ -1,54 +0,0 @@
------------------------------------------------------------
revno: 10486
revision-id: squid3@treenet.co.nz-20130222111325-zizr296kq3te4g7h
parent: squid3@treenet.co.nz-20130109021503-hqg7ufldrudpzr9l
fixes bug(s): http://bugs.squid-cache.org/show_bug.cgi?id=3790
author: Reinhard Sojka <reinhard.sojka@parlament.gv.at>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: SQUID_3_1
timestamp: Fri 2013-02-22 04:13:25 -0700
message:
Bug 3790: cachemgr.cgi crash with authentication
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20130222111325-zizr296kq3te4g7h
# target_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
# /SQUID_3_1
# testament_sha1: 121adf68a9c3b2eca766cfb768256b6b57d9816b
# timestamp: 2013-02-22 11:17:18 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
# /SQUID_3_1
# base_revision_id: squid3@treenet.co.nz-20130109021503-\
# hqg7ufldrudpzr9l
#
# Begin patch
=== modified file 'tools/cachemgr.cc'
--- tools/cachemgr.cc 2013-01-08 23:11:51 +0000
+++ tools/cachemgr.cc 2013-02-22 11:13:25 +0000
@@ -1162,7 +1162,6 @@
{
static char buf[1024];
size_t stringLength = 0;
- const char *str64;
if (!req->passwd)
return "";
@@ -1171,15 +1170,12 @@
req->user_name ? req->user_name : "",
req->passwd);
- str64 = base64_encode(buf);
-
- stringLength += snprintf(buf, sizeof(buf), "Authorization: Basic %s\r\n", str64);
+ stringLength += snprintf(buf, sizeof(buf), "Authorization: Basic %s\r\n", base64_encode(buf));
assert(stringLength < sizeof(buf));
- snprintf(&buf[stringLength], sizeof(buf) - stringLength, "Proxy-Authorization: Basic %s\r\n", str64);
+ snprintf(&buf[stringLength], sizeof(buf) - stringLength, "Proxy-Authorization: Basic %s\r\n", base64_encode(buf));
- xxfree(str64);
return buf;
}

73
src/patches/squid-3.1-10487.patch
View File

@@ -1,73 +0,0 @@
------------------------------------------------------------
revno: 10487
revision-id: squid3@treenet.co.nz-20130710124748-2n6111r04xsi71vx
parent: squid3@treenet.co.nz-20130222111325-zizr296kq3te4g7h
author: Nathan Hoad <nathan@getoffmalawn.com>
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: SQUID_3_1
timestamp: Wed 2013-07-10 06:47:48 -0600
message:
Protect against buffer overrun in DNS query generation
see SQUID-2013:2.
This bug has been present as long as the internal DNS component however
most code reaching this point is passing through URL validation first.
With Squid-3.2 Host header verification using DNS directly we may have
problems.
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20130710124748-2n6111r04xsi71vx
# target_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
# /SQUID_3_1
# testament_sha1: b5be85c8876ce15ec8fa173845e61755b6942fe0
# timestamp: 2013-07-10 12:48:57 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/branches\
# /SQUID_3_1
# base_revision_id: squid3@treenet.co.nz-20130222111325-\
# zizr296kq3te4g7h
#
# Begin patch
=== modified file 'src/dns_internal.cc'
--- src/dns_internal.cc 2011-10-11 02:12:56 +0000
+++ src/dns_internal.cc 2013-07-10 12:47:48 +0000
@@ -1532,22 +1532,26 @@
void
idnsALookup(const char *name, IDNSCB * callback, void *data)
{
- unsigned int i;
+ size_t nameLength = strlen(name);
+
+ // Prevent buffer overflow on q->name
+ if (nameLength > NS_MAXDNAME) {
+ debugs(23, DBG_IMPORTANT, "SECURITY ALERT: DNS name too long to perform lookup: '" << name << "'. see access.log for details.");
+ callback(data, NULL, 0, "Internal error");
+ return;
+ }
+
+ if (idnsCachedLookup(name, callback, data))
+ return;
+
+ idns_query *q = cbdataAlloc(idns_query);
+ q->id = idnsQueryID();
int nd = 0;
- idns_query *q;
-
- if (idnsCachedLookup(name, callback, data))
- return;
-
- q = cbdataAlloc(idns_query);
-
- q->id = idnsQueryID();
-
- for (i = 0; i < strlen(name); i++)
+ for (unsigned int i = 0; i < nameLength; ++i)
if (name[i] == '.')
nd++;
- if (Config.onoff.res_defnames && npc > 0 && name[strlen(name)-1] != '.') {
+ if (Config.onoff.res_defnames && npc > 0 && name[nameLength-1] != '.') {
q->do_searchpath = 1;
} else {
q->do_searchpath = 0;

148
src/patches/squid-3.3.10-optional-ssl-options.patch
View File

@@ -1,148 +0,0 @@
From: http://bazaar.launchpad.net/~squid/squid/3-trunk/revision/13115
Committer: Christos Tsantilas
Date: 2013-11-07 10:46:14 UTC
Revision ID: chtsanti@users.sourceforge.net-20131107104614-s3a9kzlkgm7x9rhf
http://bugs.squid-cache.org/show_bug.cgi?id=3936
Bug 3936: error-details.txt parse error
Squid fails parsing error-details.txt template when one or more listed OpenSSL
errors are not supported on running platform.
This patch add a hardcoded list of OpenSSL errors wich can be optional.
This is a Measurement Factory project
=== modified file 'src/ssl/ErrorDetail.cc'
--- src/ssl/ErrorDetail.cc 2013-07-31 00:13:04 +0000
+++ src/ssl/ErrorDetail.cc 2013-11-07 10:46:14 +0000
@@ -221,6 +221,31 @@
{SSL_ERROR_NONE, NULL}
};
+static const char *OptionalSslErrors[] = {
+ "X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER",
+ "X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION",
+ "X509_V_ERR_KEYUSAGE_NO_CRL_SIGN",
+ "X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION",
+ "X509_V_ERR_INVALID_NON_CA",
+ "X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED",
+ "X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE",
+ "X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED",
+ "X509_V_ERR_INVALID_EXTENSION",
+ "X509_V_ERR_INVALID_POLICY_EXTENSION",
+ "X509_V_ERR_NO_EXPLICIT_POLICY",
+ "X509_V_ERR_DIFFERENT_CRL_SCOPE",
+ "X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE",
+ "X509_V_ERR_UNNESTED_RESOURCE",
+ "X509_V_ERR_PERMITTED_VIOLATION",
+ "X509_V_ERR_EXCLUDED_VIOLATION",
+ "X509_V_ERR_SUBTREE_MINMAX",
+ "X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE",
+ "X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX",
+ "X509_V_ERR_UNSUPPORTED_NAME_SYNTAX",
+ "X509_V_ERR_CRL_PATH_VALIDATION_ERROR",
+ NULL
+};
+
struct SslErrorAlias {
const char *name;
const Ssl::ssl_error_t *errors;
@@ -331,6 +356,16 @@
return NULL;
}
+bool
+Ssl::ErrorIsOptional(const char *name)
+{
+ for (int i = 0; OptionalSslErrors[i] != NULL; ++i) {
+ if (strcmp(name, OptionalSslErrors[i]) == 0)
+ return true;
+ }
+ return false;
+}
+
const char *
Ssl::GetErrorDescr(Ssl::ssl_error_t value)
{
=== modified file 'src/ssl/ErrorDetail.h'
--- src/ssl/ErrorDetail.h 2013-05-30 10:10:29 +0000
+++ src/ssl/ErrorDetail.h 2013-11-07 10:46:14 +0000
@@ -40,6 +40,14 @@
/**
\ingroup ServerProtocolSSLAPI
+ * Return true if the SSL error is optional and may not supported
+ * by current squid version
+ */
+
+bool ErrorIsOptional(const char *name);
+
+/**
+ \ingroup ServerProtocolSSLAPI
* Used to pass SSL error details to the error pages returned to the
* end user.
*/
=== modified file 'src/ssl/ErrorDetailManager.cc'
--- src/ssl/ErrorDetailManager.cc 2013-10-25 00:13:46 +0000
+++ src/ssl/ErrorDetailManager.cc 2013-11-07 10:46:14 +0000
@@ -218,32 +218,35 @@
}
Ssl::ssl_error_t ssl_error = Ssl::GetErrorCode(errorName.termedBuf());
- if (ssl_error == SSL_ERROR_NONE) {
+ if (ssl_error != SSL_ERROR_NONE) {
+
+ if (theDetails->getErrorDetail(ssl_error)) {
+ debugs(83, DBG_IMPORTANT, HERE <<
+ "WARNING! duplicate entry: " << errorName);
+ return false;
+ }
+
+ ErrorDetailEntry &entry = theDetails->theList[ssl_error];
+ entry.error_no = ssl_error;
+ entry.name = errorName;
+ String tmp = parser.getByName("detail");
+ httpHeaderParseQuotedString(tmp.termedBuf(), tmp.size(), &entry.detail);
+ tmp = parser.getByName("descr");
+ httpHeaderParseQuotedString(tmp.termedBuf(), tmp.size(), &entry.descr);
+ bool parseOK = entry.descr.defined() && entry.detail.defined();
+
+ if (!parseOK) {
+ debugs(83, DBG_IMPORTANT, HERE <<
+ "WARNING! missing important field for detail error: " << errorName);
+ return false;
+ }
+
+ } else if (!Ssl::ErrorIsOptional(errorName.termedBuf())) {
debugs(83, DBG_IMPORTANT, HERE <<
"WARNING! invalid error detail name: " << errorName);
return false;
}
- if (theDetails->getErrorDetail(ssl_error)) {
- debugs(83, DBG_IMPORTANT, HERE <<
- "WARNING! duplicate entry: " << errorName);
- return false;
- }
-
- ErrorDetailEntry &entry = theDetails->theList[ssl_error];
- entry.error_no = ssl_error;
- entry.name = errorName;
- String tmp = parser.getByName("detail");
- httpHeaderParseQuotedString(tmp.termedBuf(), tmp.size(), &entry.detail);
- tmp = parser.getByName("descr");
- httpHeaderParseQuotedString(tmp.termedBuf(), tmp.size(), &entry.descr);
- bool parseOK = entry.descr.defined() && entry.detail.defined();
-
- if (!parseOK) {
- debugs(83, DBG_IMPORTANT, HERE <<
- "WARNING! missing imporant field for detail error: " << errorName);
- return false;
- }
}// else {only spaces and black lines; just ignore}
buf.consume(size);

51
src/patches/squid-3.3.10-set-rlimit-fds.patch
View File

@@ -1,51 +0,0 @@
http://bazaar.launchpad.net/~squid/squid/3-trunk/revision/13144
Committer: Amos Jeffries
Date: 2013-11-23 01:28:52 UTC
Revision ID: squid3@treenet.co.nz-20131123012852-zpe8hamjrs5vy42w
http://bugs.squid-cache.org/show_bug.cgi?id=3970
Bug 3970: max_filedescriptors disabled due to missing setrlimit
=== modified file 'configure.ac'
--- configure.ac 2013-11-16 13:19:28 +0000
+++ configure.ac 2013-11-23 01:28:52 +0000
@@ -2534,7 +2534,6 @@
;;
esac
-
dnl --with-maxfd present for compatibility with Squid-2.
dnl undocumented in ./configure --help to encourage using the Squid-3 directive
AC_ARG_WITH(maxfd,,
@@ -2542,6 +2541,7 @@
case ${withval} in
[[0-9]]*)
squid_filedescriptors_num=$withval
+ AC_MSG_NOTICE([forcing default of $squid_filedescriptors_num filedescriptors (user-forced)])
;;
*)
AC_MSG_ERROR(--with-maxfd expects a numeric argument)
@@ -2556,6 +2556,7 @@
case ${withval} in
[[0-9]]*)
squid_filedescriptors_num=$withval
+ AC_MSG_NOTICE([forcing default of $squid_filedescriptors_num filedescriptors (user-forced)])
;;
*)
AC_MSG_ERROR(--with-filedescriptors expects a numeric argument)
@@ -2564,10 +2565,9 @@
])
SQUID_CHECK_DEFAULT_FD_SETSIZE
-if test "x$squid_filedescriptors_num" = "x"; then
- SQUID_CHECK_MAXFD
-else
- AC_MSG_NOTICE([forcing use of $squid_filedescriptors_num filedescriptors (user-forced)])
+SQUID_CHECK_MAXFD
+if test "x$squid_filedescriptors_num" != "x"; then
+ AC_MSG_NOTICE([Default number of fieldescriptors: $squid_filedescriptors_num])
fi
if test "$squid_filedescriptors_num" -lt 512 ; then
AC_MSG_WARN([$squid_filedescriptors_num may not be enough filedescriptors if your])