From a96bcf413ac96d9df1ff883e3daeb7cdb4911b57 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 22 May 2019 11:05:20 +0100 Subject: [PATCH 1/8] vulnerabilities.cgi: Simplify regexes We can do the split in one. Signed-off-by: Michael Tremer --- html/cgi-bin/vulnerabilities.cgi | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/html/cgi-bin/vulnerabilities.cgi b/html/cgi-bin/vulnerabilities.cgi index 76eb79f82..b7e11c710 100644 --- a/html/cgi-bin/vulnerabilities.cgi +++ b/html/cgi-bin/vulnerabilities.cgi @@ -233,15 +233,11 @@ sub check_status($) { my $status = ; close(FILE); - if ($status =~ /^(Vulnerable): (.*)$/) { - return ($1, $2); - } - if ($status =~ /^(Mitigation): (.*vulnerable.*)$/) { return ("Mitigation-SMT", $2); } - if ($status =~ /^(Mitigation): (.*)$/) { + if ($status =~ /^(Vulnerable|Mitigation): (.*)$/) { return ($1, $2); } From 413f84e9883e7c9b6d74aad74c01aa0325d3180a Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Wed, 22 May 2019 11:08:43 +0100 Subject: [PATCH 2/8] vulnerabilities.cgi: Regard mitigations that only mitigate something still as vulnerable Signed-off-by: Michael Tremer --- html/cgi-bin/vulnerabilities.cgi | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/html/cgi-bin/vulnerabilities.cgi b/html/cgi-bin/vulnerabilities.cgi index b7e11c710..74d222017 100644 --- a/html/cgi-bin/vulnerabilities.cgi +++ b/html/cgi-bin/vulnerabilities.cgi @@ -125,12 +125,6 @@ for my $vuln (sort keys %VULNERABILITIES) { $colour = "white"; $bgcolour = ${Header::colourred}; - # Mitigated but smt is enabled - } elsif ($status eq "Mitigation-SMT") { - $status_message = $Lang::tr{'mitigated'}; - $colour = "white"; - $bgcolour = ${Header::colourred}; - # Mitigated } elsif ($status eq "Mitigation") { $status_message = $Lang::tr{'mitigated'}; 
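Review bot: The merged pattern `^(Vulnerable|Mitigation): (.*)$` is only correct because the `Mitigation: (.*vulnerable.*)` test still runs first; if the two checks are ever reordered, a partially mitigated status would silently collapse into a plain "Mitigation" result. A one-line comment above the combined check would protect that ordering, e.g. `# Must stay after the partial-mitigation check above: this also matches "Mitigation: ..."`. Both patterns also depend on `$` tolerating the trailing newline left by the readline (the angle-bracket operator appears stripped in this rendering), which is worth stating next to the read. check_status's body continues outside the hunk.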
@@ -233,8 +227,9 @@ sub check_status($) { my $status = ; close(FILE); + # Fix status when something has been mitigated, but not fully, yet if ($status =~ /^(Mitigation): (.*vulnerable.*)$/) { - return ("Mitigation-SMT", $2); + return ("Vulnerable", $2); } if ($status =~ /^(Vulnerable|Mitigation): (.*)$/) { From e896a9bd3de5b254340c03f7dcbced73c6721c50 Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Sat, 25 May 2019 06:54:35 +0200 Subject: [PATCH 3/8] vulnerabilities.cgi fix string handling remove lf at the end for correct matching and not strip "Mitigated:" if it was not full working and still vulnerable. Signed-off-by: Arne Fitzenreiter --- html/cgi-bin/vulnerabilities.cgi | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/vulnerabilities.cgi b/html/cgi-bin/vulnerabilities.cgi index 74d222017..a15accfa0 100644 --- a/html/cgi-bin/vulnerabilities.cgi +++ b/html/cgi-bin/vulnerabilities.cgi @@ -150,7 +150,7 @@ for my $vuln (sort keys %VULNERABILITIES) { END if ($message) { - print "$status_message: $message"; + print "$status_message - $message"; } else { print "$status_message"; } @@ -227,9 +227,11 @@ sub check_status($) { my $status = ; close(FILE); + chomp($status); + # Fix status when something has been mitigated, but not fully, yet if ($status =~ /^(Mitigation): (.*vulnerable.*)$/) { - return ("Vulnerable", $2); + return ("Vulnerable", $status); } if ($status =~ /^(Vulnerable|Mitigation): (.*)$/) { From 29abc2d07cf297b5ccf32798d6c3cd7dbecef6b2 Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Sat, 25 May 2019 07:39:38 +0200 Subject: [PATCH 4/8] vulnerabilities.cgi: again change colours red - vulnerable blue - mitigated green - not affected because we not really trust the mitigations so they shound not green. Signed-off-by: Arne Fitzenreiter --- html/cgi-bin/vulnerabilities.cgi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
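Review bot: `chomp($status)` and the two regexes now operate on whatever the readline returned, which is undef when the sysfs file exists but is empty, so the CGI logs "uninitialized value" warnings before falling through; guard it right after the read with `$status = "" unless defined $status;`. Returning the full `$status` for the partially mitigated case is the right call, but the test is case-sensitive on `vulnerable` and appears to rely on the kernel's exact lowercase wording (e.g. "; SMT vulnerable") — a short comment saying so would help the next reader who sees a new kernel string slip into the "Mitigation" branch. check_status starts and ends outside the hunk.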
diff --git a/html/cgi-bin/vulnerabilities.cgi b/html/cgi-bin/vulnerabilities.cgi index a15accfa0..a8746c30c 100644 --- a/html/cgi-bin/vulnerabilities.cgi +++ b/html/cgi-bin/vulnerabilities.cgi @@ -117,7 +117,7 @@ for my $vuln (sort keys %VULNERABILITIES) { if ($status eq "Not affected") { $status_message = $Lang::tr{'not affected'}; $colour = "white"; - $bgcolour = ${Header::colourblack}; + $bgcolour = ${Header::colourgreen}; # Vulnerable } elsif ($status eq "Vulnerable") { @@ -129,7 +129,7 @@ for my $vuln (sort keys %VULNERABILITIES) { } elsif ($status eq "Mitigation") { $status_message = $Lang::tr{'mitigated'}; $colour = "white"; - $bgcolour = ${Header::colourgreen}; + $bgcolour = ${Header::colourblue}; # Unknown report from kernel } else { From d0db7550edb51ced239c640dada40db8fa1eacc1 Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Sun, 26 May 2019 16:05:41 +0200 Subject: [PATCH 5/8] core132: set correct permissions of security settings file. Signed-off-by: Arne Fitzenreiter --- config/rootfiles/core/132/update.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/rootfiles/core/132/update.sh b/config/rootfiles/core/132/update.sh index 982a9d964..979f31925 100644 --- a/config/rootfiles/core/132/update.sh +++ b/config/rootfiles/core/132/update.sh @@ -90,6 +90,8 @@ ldconfig # create main/security file touch /var/ipfire/main/security +chmod 755 /var/ipfire/main/security +chown nobody:nobody /var/ipfire/main/security # Update Language cache /usr/local/bin/update-lang-cache From fefb5173cf02c6b94f2f199bb342df550752ade0 Mon Sep 17 00:00:00 2001 From: Stefan Schantl Date: Fri, 24 May 2019 17:45:33 +0200 Subject: [PATCH 6/8] ids-functions.pl: Do not delete the whitelist file on rulesdir cleanup. Fixes #12087. Signed-off-by: Stefan Schantl Signed-off-by: Arne Fitzenreiter --- config/cfgroot/ids-functions.pl | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 5530da11e..88734a3ca 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -572,6 +572,9 @@ sub _cleanup_rulesdir() { # Skip element if it has config as file extension. next if ($file =~ m/\.config$/); + # Skip rules file for whitelisted hosts. + next if ("$rulespath/$file" eq $whitelist_file); + # Delete the current processed file, if not, exit this function # and return an error message. unlink("$rulespath/$file") or return "Could not delete $rulespath/$file. $!\n"; From 8fad3a5941a1a0553bc3cbd0ad577d9067f3dd6b Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 23 May 2019 01:50:29 +0100 Subject: [PATCH 7/8] tor: Depend on libseccomp Suggested-by: Erik Kapfer Signed-off-by: Michael Tremer --- lfs/tor | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lfs/tor b/lfs/tor index 9b3416450..ab28a848d 100644 --- a/lfs/tor +++ b/lfs/tor @@ -32,9 +32,9 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = tor -PAK_VER = 37 +PAK_VER = 38 -DEPS = "" +DEPS = "libseccomp" ############################################################################### # Top-level Rules From 637885839b5a2d6baeffb7fb37967c5b1bf7f84f Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Sun, 26 May 2019 16:17:04 +0200 Subject: [PATCH 8/8] core132: security conf should not executable Signed-off-by: Arne Fitzenreiter --- config/rootfiles/core/132/update.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/rootfiles/core/132/update.sh b/config/rootfiles/core/132/update.sh index 979f31925..fa4553625 100644 --- a/config/rootfiles/core/132/update.sh +++ b/config/rootfiles/core/132/update.sh 
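Review bot: The new guard compares the full string `"$rulespath/$file"` with `$whitelist_file`, so it only protects the whitelist when `$whitelist_file` was built from the same `$rulespath` with identical separators; a trailing slash or a differently spelled path in either definition (both are outside the hunk) would defeat it and the whitelist would be unlinked as before. Comparing the basename is more robust: `next if ($file eq basename($whitelist_file));` with `use File::Basename;` if the file does not already import it. _cleanup_rulesdir starts and ends outside the hunk.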
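Review bot: Adding libseccomp to DEPS only makes Tor's syscall sandbox available; nothing in this hunk turns it on, and Tor's sandbox is presumably still off unless the generated torrc sets `Sandbox 1`, so the hardening benefit depends on configuration that is not part of this change — worth confirming or mentioning in the commit message. A note beside the dependency, e.g. `# libseccomp: required for Tor's Sandbox option`, would record why the package now pulls it in.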
@@ -90,7 +90,7 @@ ldconfig # create main/security file touch /var/ipfire/main/security -chmod 755 /var/ipfire/main/security +chmod 644 /var/ipfire/main/security chown nobody:nobody /var/ipfire/main/security # Update Language cache
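Review bot: 0644 under nobody:nobody is the right shape for a file the web UI (presumably running as nobody) must write and everything else only reads, but it makes the file world-readable, which is fine only if it holds nothing more sensitive than toggle settings — confirm that against what the CGI stores there. The three unchecked commands also leave a short window in which the file exists with the umask-derived mode from `touch`; if you want creation atomic and idempotent, `[ -e /var/ipfire/main/security ] || install -o nobody -g nobody -m 644 /dev/null /var/ipfire/main/security` creates it with its final mode in one step while leaving an existing file's contents untouched.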