From ec35bb25d47e3009d480816251dbd8d96308fba0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Peter=20M=C3=BCller?=
Date: Tue, 15 Aug 2023 16:18:00 +0000
Subject: [PATCH 1/6] vulnerabilities.cgi: Add English and German translations for new flaws
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Peter Müller
Signed-off-by: Michael Tremer
---
html/cgi-bin/vulnerabilities.cgi | 6 +++---
langs/de/cgi-bin/de.pl | 4 +++-
langs/en/cgi-bin/en.pl | 4 +++-
langs/fr/cgi-bin/fr.pl | 2 +-
4 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/html/cgi-bin/vulnerabilities.cgi b/html/cgi-bin/vulnerabilities.cgi
index 77223c4fa..1fb57220e 100644
--- a/html/cgi-bin/vulnerabilities.cgi
+++ b/html/cgi-bin/vulnerabilities.cgi
@@ -2,7 +2,7 @@
 ###############################################################################
 # #
 # IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2022 IPFire Team #
+# Copyright (C) 2007-2023 IPFire Team #
 # #
 # This program is free software: you can redistribute it and/or modify #
 # it under the terms of the GNU General Public License as published by #
@@ -30,14 +30,14 @@ require "${General::swroot}/lang.pl";
 require "${General::swroot}/header.pl";
 my %VULNERABILITIES = (
- "gather_data_sampling" => "gather data sampling",
+ "gather_data_sampling" => "$Lang::tr{'downfall gather data sampling'} (CVE-2022-40982)",
 "itlb_multihit" => "$Lang::tr{'itlb multihit'} (CVE-2018-12207)",
 "l1tf" => "$Lang::tr{'foreshadow'} (CVE-2018-3620)",
 "mds" => "$Lang::tr{'fallout zombieload ridl'} (CVE-2018-12126, CVE-2018-12130, CVE-2018-12127, CVE-2019-11091)",
 "meltdown" => "$Lang::tr{'meltdown'} (CVE-2017-5754)",
 "mmio_stale_data" => "$Lang::tr{'mmio stale data'} (CVE-2022-21123, CVE-2022-21125, CVE-2022-21127, CVE-2022-21166)",
 "retbleed" => "$Lang::tr{'retbleed'} (CVE-2022-29900, CVE-2022-29901)",
- "spec_rstack_overflow" => "spec rstack overflow",
+ "spec_rstack_overflow" => "$Lang::tr{'spec rstack overflow'} (CVE-2023-20569)",
 "spec_store_bypass" => "$Lang::tr{'spectre variant 4'} (CVE-2018-3639)",
 "spectre_v1" => "$Lang::tr{'spectre variant 1'} (CVE-2017-5753)",
 "spectre_v2" => "$Lang::tr{'spectre variant 2'} (CVE-2017-5715)",
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 33730f0c3..0ae6a2b10 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -887,6 +887,7 @@
 'donation-text' => 'IPFire wird von Freiwilligen in ihrer Freizeit betreut und weiterentwickelt. Um dieses Projekt am Leben zu erhalten, entstehen uns natürlich auch Kosten. Wenn Sie uns unterstützen wollen, würden wir uns über eine kleine Spende sehr freuen.',
 'dos charset' => 'DOS-Zeichensatz',
 'down and up speed' => 'Geben Sie bitte hier ihre Download- bzw. Upload-Geschwindigkeit ein
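Review bot: The two new labels depend on `$Lang::tr` keys that this series adds only to de.pl and en.pl, while fr.pl receives just the `taa zombieload2` rewording; if lang.pl does not fill missing keys from the English table, a French session renders the `gather_data_sampling` and `spec_rstack_overflow` entries as nothing but their CVE lists and logs an uninitialized-value warning. Because `%VULNERABILITIES` is interpolated once at load time, a per-request fallback is not possible later, so a defensive default in the hash itself is the simplest guard: `"gather_data_sampling" => ($Lang::tr{'downfall gather data sampling'} // 'Downfall/Gather Data Sampling') . " (CVE-2022-40982)",` and the same shape for `spec_rstack_overflow`. Please confirm lang.pl's fallback behaviour before deciding whether this is needed. The hash declaration continues past the end of the hunk.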
und klicken Sie danach auf Speichern.',
+'downfall gather data sampling' => 'Downfall/Gather Data Sampling',
 'downlink' => 'Downlink',
 'downlink speed' => 'Downlink-Geschwindigkeit (kBit/Sek.)',
 'downlink std class' => 'Downloadstandardklasse',
@@ -2304,6 +2305,7 @@
 'source port overlaps' => 'Quellportbereich überlappt mit einem bereits definierten Portbereich.',
 'speaker off' => 'Lautsprecher aus:',
 'speaker on' => 'Lautsprecher ein:',
+'spec rstack overflow' => 'Speculative Return Stack Overflow',
 'spectre variant 1' => 'Spectre-Variante 1',
 'spectre variant 2' => 'Spectre-Variante 2',
 'spectre variant 4' => 'Spectre-Variante 4',
@@ -2384,7 +2386,7 @@
 'system logs' => 'Systemprotokolldateien',
 'system status information' => 'System-Statusinformationen',
 'ta key' => 'TLS-Authentifizierungsschlüssel',
-'taa zombieload2' => 'TSX Async Abort / ZombieLoad v2',
+'taa zombieload2' => 'TSX Async Abort/ZombieLoad v2',
 'tcp more reliable' => 'TCP (zuverlässiger)',
 'telephone not set' => 'Telefonnummer nicht angegeben.',
 'template' => 'Vorlage',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 729516538..560a9e748 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -931,6 +931,7 @@
 'done' => 'Do it',
 'dos charset' => 'DOS Charset',
 'down and up speed' => 'Enter your Down- and Uplink-Speed
and then press Save.',
+'downfall gather data sampling' => 'Downfall/Gather Data Sampling',
 'downlink' => 'Downlink',
 'downlink speed' => 'Downlink speed (kbit/sec)',
 'downlink std class' => 'downlink standard class',
@@ -2368,6 +2369,7 @@
 'source port overlaps' => 'Source port range overlaps an existing port range.',
 'speaker off' => 'Speaker off:',
 'speaker on' => 'Speaker on:',
+'spec rstack overflow' => 'Speculative Return Stack Overflow',
 'spectre variant 1' => 'Spectre Variant 1',
 'spectre variant 2' => 'Spectre Variant 2',
 'spectre variant 4' => 'Spectre Variant 4',
@@ -2449,7 +2451,7 @@
 'system logs' => 'System Logs',
 'system status information' => 'System Status Information',
 'ta key' => 'TLS-Authentification-Key',
-'taa zombieload2' => 'TSX Async Abort / ZombieLoad v2',
+'taa zombieload2' => 'TSX Async Abort/ZombieLoad v2',
 'tcp more reliable' => 'TCP (more reliable)',
 'telephone not set' => 'Telephone not set.',
 'template' => 'Preset',
diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl
index 5ae085c72..0e746736e 100644
--- a/langs/fr/cgi-bin/fr.pl
+++ b/langs/fr/cgi-bin/fr.pl
@@ -2460,7 +2460,7 @@
 'system logs' => 'Rapports système',
 'system status information' => 'Informations sur le statut du système',
 'ta key' => 'Clé d\'authentification TLS',
-'taa zombieload2' => 'TSX Async Abort / ZombieLoad v2',
+'taa zombieload2' => 'TSX Async Abort/ZombieLoad v2',
 'tcp more reliable' => 'TCP (plus fiable)',
 'telephone not set' => 'Numéro de téléphone non défini.',
 'template' => 'Préétabli',
From a566ba13923a8abad29dcb953a913b005c5c19dc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Peter=20M=C3=BCller?=
Date: Tue, 15 Aug 2023 16:18:00 +0000
Subject: [PATCH 2/6] vulnerabilities.cgi: Avoid superfluous line breaks by widening SMT configuration table
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Peter Müller
Signed-off-by: Michael Tremer
---
html/cgi-bin/vulnerabilities.cgi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/html/cgi-bin/vulnerabilities.cgi b/html/cgi-bin/vulnerabilities.cgi
index 1fb57220e..1946cf171 100644
--- a/html/cgi-bin/vulnerabilities.cgi
+++ b/html/cgi-bin/vulnerabilities.cgi
@@ -183,7 +183,7 @@ print "
\n"; my $smt_status = &smt_status(); print < +
From b5d85855e5c24d41d65bd9a4218e789974fc2722 Mon Sep 17 00:00:00 2001
From: Adolf Belka
Date: Fri, 18 Aug 2023 20:46:45 +0200
Subject: [PATCH 3/6] ppp: Bug#13164 - Update configure options to have correct directory for pid
- The original poster of the bug#13164 has already tested out ppp-2.5.0 in CU179 (master) and identified that the startup could not find the directory /usr/var/run/. This is due to the change in use of the prefix command in 2.5.0 vs 2.4.9 so --localstatedir set to /var. runstatedir is then set to localstatedir/run ie /var/run which is then correct for IPFire.
- This fix needs to be implemented into CU179 so that the bug poster can test out the update
- Updated rootfile to remove additional empty line
Fixes: Bug#13164
Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer
---
config/rootfiles/common/ppp | 1 -
lfs/ppp | 1 +
2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/rootfiles/common/ppp b/config/rootfiles/common/ppp
index 6098fa7c3..379c64af4 100644
--- a/config/rootfiles/common/ppp
+++ b/config/rootfiles/common/ppp
@@ -71,4 +71,3 @@ usr/sbin/pppstats
 #usr/share/man/man8/pppoe-discovery.8
 #usr/share/man/man8/pppstats.8
 var/log/connect-errors
-
diff --git a/lfs/ppp b/lfs/ppp
index fc4528ece..a6bd633b4 100644
--- a/lfs/ppp
+++ b/lfs/ppp
@@ -82,6 +82,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 --prefix=/usr \
 --sysconfdir=/etc \
 --with-logfile-dir=/var/log \
+ --localstatedir=/var \
 cc="gcc" \
 cflags="$(CFLAGS)"
 cd $(DIR_APP) && make $(MAKETUNING)
From 3dcbb53a21b69ff34fc60d7d75c1ebdbd58bc425 Mon Sep 17 00:00:00 2001
From: Adolf Belka
Date: Thu, 24 Aug 2023 10:37:26 +0200
Subject: [PATCH 4/6] ppp: Patch to stop CU179 Testing error msg - pppd uses obsolete (PF_INET, SOCK_PACKET)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- This issue was found by Peter Müller in the CU179 Testing evaluation.
- The issue was found to have already been raised and closed on the ppp github issues page.
- Patch for fix downloaded and applied to this submission.
- When ppp-2.5.1 is released then this patch can be removed.
- update of rootfile not required.
Signed-off-by: Adolf Belka
Signed-off-by: Michael Tremer
---
lfs/ppp | 1 +
...to-see-if-we-have-struct-sockaddr_ll.patch | 37 +++++++++++++++++++
2 files changed, 38 insertions(+)
create mode 100644 src/patches/ppp/ppp-2.5.0-7-add-configure-check-to-see-if-we-have-struct-sockaddr_ll.patch
diff --git a/lfs/ppp b/lfs/ppp
index a6bd633b4..54aa1caf5 100644
--- a/lfs/ppp
+++ b/lfs/ppp
@@ -78,6 +78,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-4-increase-max-padi-attempts.patch
 cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-5-headers_4.9.patch
 cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-6-patch-configure-to-handle-cflags-properly.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-7-add-configure-check-to-see-if-we-have-struct-sockaddr_ll.patch
 cd $(DIR_APP) && ./configure \
 --prefix=/usr \
 --sysconfdir=/etc \
diff --git a/src/patches/ppp/ppp-2.5.0-7-add-configure-check-to-see-if-we-have-struct-sockaddr_ll.patch b/src/patches/ppp/ppp-2.5.0-7-add-configure-check-to-see-if-we-have-struct-sockaddr_ll.patch
new file mode 100644
index 000000000..a7823d424
--- /dev/null
+++ b/src/patches/ppp/ppp-2.5.0-7-add-configure-check-to-see-if-we-have-struct-sockaddr_ll.patch
@@ -0,0 +1,37 @@
+From 9d6d326b2530cffb1414e4c401675117c42d43ce Mon Sep 17 00:00:00 2001
+From: Eivind Naess
+Date: Sun, 23 Apr 2023 11:30:43 -0700
+Subject: [PATCH] Add configure check to see if we have struct sockaddr_ll
+
+Fixes issue #411.
+
+Signed-off-by: Eivind Naess
+---
+ configure.ac | 3 ++-
+ pppd/plugins/pppoe/config.h.in | 2 ++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 1180f64ec..38b24af92 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -75,7 +75,8 @@ AM_COND_IF([LINUX], [
+ linux/if_ether.h \
+ linux/if_packet.h \
+ netinet/if_ether.h \
+- netpacket/packet.h])])
++ netpacket/packet.h])
++ AC_CHECK_TYPES([struct sockaddr_ll], [], [], [#include ])])
+
+ AC_CHECK_SIZEOF(unsigned int)
+ AC_CHECK_SIZEOF(unsigned long)
+diff --git a/pppd/plugins/pppoe/config.h.in b/pppd/plugins/pppoe/config.h.in
+index d447f5e89..d7d61c01c 100644
+--- a/pppd/plugins/pppoe/config.h.in
++++ b/pppd/plugins/pppoe/config.h.in
+@@ -69,3 +69,5 @@
+ /* The size of `unsigned short', as computed by sizeof. */
+ #undef SIZEOF_UNSIGNED_SHORT
+
++/* Define to 1 if the system has the type `struct sockaddr_ll'. */
++#undef HAVE_STRUCT_SOCKADDR_LL
From fb7869feb2c9b8665c2f9e77c2d6e2f0ff9ad832 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Peter=20M=C3=BCller?=
Date: Wed, 23 Aug 2023 14:43:00 +0000
Subject: [PATCH 5/6] Core Update 179: Only start services if they are enabled
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Doing so avoids situations where a service is started without being configured to do so, thus reducing the potential for confusion and exposure of services not intended to be exposed by the user.
Signed-off-by: Peter Müller
Signed-off-by: Michael Tremer
---
config/rootfiles/core/179/update.sh | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/config/rootfiles/core/179/update.sh b/config/rootfiles/core/179/update.sh
index 636792d82..df89d702e 100644
--- a/config/rootfiles/core/179/update.sh
+++ b/config/rootfiles/core/179/update.sh
@@ -86,9 +86,13 @@ migrate_extrahd
 # Start services
 /etc/init.d/udev restart
-/etc/init.d/squid restart
-/usr/local/bin/openvpnctrl -s
-/usr/local/bin/openvpnctrl -sn2n
+if [ -f /var/ipfire/proxy/enable ]; then
+ /etc/init.d/squid restart
+fi
+if grep -q "ENABLED=on" /var/ipfire/ovpn/settings; then
+ /usr/local/bin/openvpnctrl -s
+ /usr/local/bin/openvpnctrl -sn2n
+fi
 # This update needs a reboot...
 touch /var/run/need_reboot
From 121652cf5320851cc4f6cfce1fb9c179319ee6b1 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Thu, 24 Aug 2023 10:11:28 +0000
Subject: [PATCH 6/6] core179: Start OpenVPN N2N connections even if the RW server is disabled
Signed-off-by: Michael Tremer
---
config/rootfiles/core/179/update.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/rootfiles/core/179/update.sh b/config/rootfiles/core/179/update.sh
index df89d702e..09db135d5 100644
--- a/config/rootfiles/core/179/update.sh
+++ b/config/rootfiles/core/179/update.sh
@@ -91,8 +91,8 @@ if [ -f /var/ipfire/proxy/enable ]; then
 fi
 if grep -q "ENABLED=on" /var/ipfire/ovpn/settings; then
 /usr/local/bin/openvpnctrl -s
- /usr/local/bin/openvpnctrl -sn2n
 fi
+/usr/local/bin/openvpnctrl -sn2n
 # This update needs a reboot...
 touch /var/run/need_reboot
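Review bot: The test `if grep -q "ENABLED=on" /var/ipfire/ovpn/settings; then` is unanchored, so any other settings line that merely contains that substring would also start the OpenVPN server, which undercuts the commit's stated goal of starting only what the user has enabled; and if the settings file is absent, grep writes an error into the updater's output. Anchoring the key and silencing the missing-file case keeps the check exact: `if grep -qs "^ENABLED=on$" /var/ipfire/ovpn/settings; then`. The same line reappears unchanged as context in the second update.sh hunk of the series, so it would need the same treatment there. The `-f /var/ipfire/proxy/enable` check is fine as written.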