From a485606c27781a5439d38fcde662a786cb5671d9 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Mon, 18 Mar 2019 15:24:56 +0000 Subject: [PATCH 01/11] ipsec-interfaces: Apply static routes (again) after creating IPsec interfaces Signed-off-by: Michael Tremer Signed-off-by: Arne Fitzenreiter --- config/rootfiles/core/130/filelists/files | 3 +++ src/scripts/ipsec-interfaces | 3 +++ 2 files changed, 6 insertions(+) create mode 100644 config/rootfiles/core/130/filelists/files diff --git a/config/rootfiles/core/130/filelists/files b/config/rootfiles/core/130/filelists/files new file mode 100644 index 000000000..98b8fec39 --- /dev/null +++ b/config/rootfiles/core/130/filelists/files @@ -0,0 +1,3 @@ +etc/system-release +etc/issue +usr/local/bin/ipsec-interfaces diff --git a/src/scripts/ipsec-interfaces b/src/scripts/ipsec-interfaces index 0e43fccbc..cb55fdf79 100644 --- a/src/scripts/ipsec-interfaces +++ b/src/scripts/ipsec-interfaces @@ -167,6 +167,9 @@ main() { log "Deleting interface ${intf}" ip link del "${intf}" &>/dev/null done + + # (Re-)Apply all static routes + /etc/init.d/static-routes start } main || exit $? From bfd5cfa9c6949eca6319a774b871007c9da8fd0e Mon Sep 17 00:00:00 2001 From: Matthias Fischer Date: Wed, 27 Mar 2019 20:54:10 +0100 Subject: [PATCH 02/11] clamav: Update to 0.101.2 For details see: https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html "ClamAV 0.101.2 is a patch release to address a handful of security related bugs." Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer --- config/rootfiles/packages/clamav | 6 +++--- lfs/clamav | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/config/rootfiles/packages/clamav b/config/rootfiles/packages/clamav index e95d4dc6e..9d6d68647 100644 --- a/config/rootfiles/packages/clamav +++ b/config/rootfiles/packages/clamav 
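Review bot: In src/scripts/ipsec-interfaces the added `/etc/init.d/static-routes start` is now the last command in main(), so its exit status becomes main's return value and, through `main || exit $?`, the exit status of the whole script. A failing static-routes run would therefore make ipsec-interfaces report failure even though the interfaces were set up, and nothing is logged about it. I would log and absorb the failure with the helper already used a few lines above: `/etc/init.d/static-routes start || log "Could not re-apply static routes"`. main() starts outside this hunk, so its earlier return paths are not visible here.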
@@ -13,7 +13,7 @@ usr/bin/sigtool #usr/lib/libclamav.la usr/lib/libclamav.so usr/lib/libclamav.so.9 -usr/lib/libclamav.so.9.0.1 +usr/lib/libclamav.so.9.0.2 #usr/lib/libclammspack.la usr/lib/libclammspack.so usr/lib/libclammspack.so.0 @@ -21,11 +21,11 @@ usr/lib/libclammspack.so.0.1.0 #usr/lib/libclamunrar.la usr/lib/libclamunrar.so usr/lib/libclamunrar.so.9 -usr/lib/libclamunrar.so.9.0.1 +usr/lib/libclamunrar.so.9.0.2 #usr/lib/libclamunrar_iface.la usr/lib/libclamunrar_iface.so usr/lib/libclamunrar_iface.so.9 -usr/lib/libclamunrar_iface.so.9.0.1 +usr/lib/libclamunrar_iface.so.9.0.2 #usr/lib/pkgconfig/libclamav.pc usr/sbin/clamd #usr/share/man/man1/clambc.1 diff --git a/lfs/clamav b/lfs/clamav index a6e44ebf2..640691408 100644 --- a/lfs/clamav +++ b/lfs/clamav @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team # +# Copyright (C) 2007-2019 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 0.101.1 +VER = 0.101.2 THISAPP = clamav-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = clamav -PAK_VER = 43 +PAK_VER = 44 DEPS = "" @@ -50,7 +50,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 9c137d6172f6e132e08e61fe25b636f8 +$(DL_FILE)_MD5 = faeb0e286e76c2a26e2e10845e4b68db install : $(TARGET) From 8d76eb20852a695b15e6fd32076128a25fad01d1 Mon Sep 17 00:00:00 2001 From: Matthias Fischer Date: Thu, 4 Apr 2019 09:43:50 +0200 Subject: [PATCH 03/11] wget: Update to 1.20.2 For details see: https://fossies.org/linux/wget/ChangeLog Excerpt from "NEWS": * Changes in Wget 1.20.2 ** NTLM authentication will retry under certain cases ** Fixed a buffer overflow vulnerability" 
Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer --- lfs/wget | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lfs/wget b/lfs/wget index b8c83d10d..ac2fa826c 100644 --- a/lfs/wget +++ b/lfs/wget @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team # +# Copyright (C) 2007-2019 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 1.20.1 +VER = 1.20.2 THISAPP = wget-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = f6ebe9c7b375fc9832fb1b2028271fb7 +$(DL_FILE)_MD5 = 2692f6678e93601441306b5c1fc6a77a install : $(TARGET) From 49ce16f9bea9f1812be5cb41ef7b390556fc2364 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 4 Apr 2019 02:07:16 +0100 Subject: [PATCH 04/11] core130: Ship updated wget Signed-off-by: Michael Tremer --- config/rootfiles/core/130/filelists/wget | 1 + 1 file changed, 1 insertion(+) create mode 120000 config/rootfiles/core/130/filelists/wget diff --git a/config/rootfiles/core/130/filelists/wget b/config/rootfiles/core/130/filelists/wget new file mode 120000 index 000000000..fcb57dfec --- /dev/null +++ b/config/rootfiles/core/130/filelists/wget @@ -0,0 +1 @@ +../../../common/wget \ No newline at end of file From d66433fca6323940ac217d7a0834a0b178d509eb Mon Sep 17 00:00:00 2001 
From: Michael Tremer Date: Mon, 8 Apr 2019 16:41:24 +0100 Subject: [PATCH 05/11] strongswan: Manually install all routes for non-routed VPNs This is a regression from disabling charon.install_routes. VPNs are routing fine as long as traffic is passing through the firewall. Traps are not propertly used as long as these routes are not present and therefore we won't trigger any tunnels when traffic originates from the firewall. Fixes: #12045 Signed-off-by: Michael Tremer --- lfs/strongswan | 1 + src/patches/strongswan-ipfire-revert.patch | 113 +++++++++++++++++++++ src/scripts/ipsec-interfaces | 97 ++++++++++++++++++ 3 files changed, 211 insertions(+) create mode 100644 src/patches/strongswan-ipfire-revert.patch diff --git a/lfs/strongswan b/lfs/strongswan index 4174f78fe..714537e36 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -73,6 +73,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-disable-ipv6.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire-interfaces.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/strongswan-ipfire-revert.patch cd $(DIR_APP) && ./configure \ --prefix="/usr" \ diff --git a/src/patches/strongswan-ipfire-revert.patch b/src/patches/strongswan-ipfire-revert.patch new file mode 100644 index 000000000..91c76212e --- /dev/null +++ b/src/patches/strongswan-ipfire-revert.patch 
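Review bot: The new recipe line in lfs/strongswan applies `strongswan-ipfire-revert.patch`, but neither the file name nor the patch says what is being reverted. Judging by its hunks it removes the config-parsing helpers (`VARS`, `ip_encode`, `ip_in_subnet`, `_netmask`) and the IPSECNAT SNAT add/delete from `_updown`, which were presumably introduced by `strongswan-ipfire.patch` applied two lines earlier. Stacking a revert on top of the patch that adds the code leaves two patches to keep in sync on every strongSwan update; dropping those hunks from `strongswan-ipfire.patch` would be cleaner. Failing that, give the patch file a header line such as `Remove SNAT handling from _updown; routes are installed by ipsec-interfaces`. The $(TARGET) recipe continues outside the hunk.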
@@ -0,0 +1,113 @@ +--- strongswan-5.7.2/src/_updown/_updown.in.bak 2019-04-08 16:27:08.549214441 +0100 ++++ strongswan-5.7.2/src/_updown/_updown.in 2019-04-08 16:30:30.195868788 +0100 +@@ -130,36 +130,6 @@ + # address family. + # + +-VARS=( +- id status name lefthost type ctype psk local local_id leftsubnets +- remote_id remote rightsubnets x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 +- x13 x14 x15 x16 x17 x18 x19 proto x20 x21 x22 +- route x23 mode interface_mode interface_address interface_mtu rest +-) +- +-function ip_encode() { +- local IFS=. +- +- local int=0 +- for field in $1; do +- int=$(( $(( $int << 8 )) | $field )) +- done +- +- echo $int +-} +- +-function ip_in_subnet() { +- local netmask +- netmask=$(_netmask $2) +- [ $(( $(ip_encode $1) & $netmask)) = $(( $(ip_encode ${2%/*}) & $netmask )) ] +-} +- +-function _netmask() { +- local vlsm +- vlsm=${1#*/} +- [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 << $(( 32 - $vlsm )) )) +-} +- + # define a minimum PATH environment in case it is not set + PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" + export PATH +@@ -326,13 +296,6 @@ + fi + ;; + up-client:iptables) +- # Read IPsec configuration +- while IFS="," read -r "${VARS[@]}"; do +- if [ "${PLUTO_CONNECTION}" = "${name}" ]; then +- break +- fi +- done < /var/ipfire/vpn/config +- + # connection to client subnet, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. +@@ -396,30 +359,6 @@ + logger -t $TAG -p $FAC_PRIO \ + "tunnel+ $PLUTO_PEER -- $PLUTO_ME" + fi +- +- if [ -z "${interface_mode}" ]; then +- # Add source nat so also the gateway can access the other nets +- eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) +- for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do +- ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}" +- if [ $? 
-eq 0 ]; then +- src=${_src} +- break +- fi +- done +- +- if [ -n "${src}" ]; then +- iptables --wait -t nat -A IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src +- logger -t $TAG -p $FAC_PRIO \ +- "snat+ $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src" +- else +- logger -t $TAG -p $FAC_PRIO \ +- "Cannot create NAT rule because no IP of the IPFire does match the subnet. $PLUTO_MY_CLIENT" +- fi +- fi +- +- # Flush routing cache +- ip route flush cache + ;; + down-client:iptables) + # connection to client subnet, with (left/right)firewall=yes, going down +@@ -487,28 +426,6 @@ + logger -t $TAG -p $FAC_PRIO \ + "tunnel- $PLUTO_PEER -- $PLUTO_ME" + fi +- +- # remove source nat +- eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) +- for _src in ${GREEN_ADDRESS} ${BLUE_ADDRESS} ${ORANGE_ADDRESS}; do +- ip_in_subnet "${_src}" "${PLUTO_MY_CLIENT}" +- if [ $? -eq 0 ]; then +- src=${_src} +- break +- fi +- done +- +- if [ -n "${src}" ]; then +- iptables --wait -t nat -D IPSECNAT -o $PLUTO_INTERFACE -s $PLUTO_ME -d $PLUTO_PEER_CLIENT -j SNAT --to $src +- logger -t $TAG -p $FAC_PRIO \ +- "snat- $PLUTO_INTERFACE-$PLUTO_ME : $PLUTO_PEER_CLIENT - $src" +- else +- logger -t $TAG -p $FAC_PRIO \ +- "Cannot remove NAT rule because no IP of the IPFire does match the subnet." +- fi +- +- # Flush routing cache +- ip route flush cache + ;; + # + # IPv6 diff --git a/src/scripts/ipsec-interfaces b/src/scripts/ipsec-interfaces index cb55fdf79..2546f8927 100644 --- a/src/scripts/ipsec-interfaces +++ b/src/scripts/ipsec-interfaces 
@@ -23,9 +23,19 @@ shopt -s nullglob VPN_CONFIG="/var/ipfire/vpn/config" +ROUTE_TABLE="220" +ROUTE_TABLE_PRIO="128" + eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) eval $(/usr/local/bin/readhash /var/ipfire/vpn/settings) +# Get RED interface name +if [ -r "/var/ipfire/red/iface" ]; then + RED_INTF="$( Date: Mon, 8 Apr 2019 11:56:58 +0100 Subject: [PATCH 06/11] core130: Ship perl-Net-SSLeay This was still using the old version of OpenSSL. Instead of linking the module (which we should have found earlier) the module uses dlopen :( Fixes: #12044 Signed-off-by: Michael Tremer --- config/rootfiles/core/130/filelists/Net_SSLeay | 1 + 1 file changed, 1 insertion(+) create mode 120000 config/rootfiles/core/130/filelists/Net_SSLeay diff --git a/config/rootfiles/core/130/filelists/Net_SSLeay b/config/rootfiles/core/130/filelists/Net_SSLeay new file mode 120000 index 000000000..13fe0560c --- /dev/null +++ b/config/rootfiles/core/130/filelists/Net_SSLeay @@ -0,0 +1 @@ +../../../common/Net_SSLeay \ No newline at end of file From e7dafc3e3eb7be7e685fe0e7b3999fd6f264c80b Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Tue, 9 Apr 2019 07:30:26 +0200 Subject: [PATCH 07/11] core130: ship strongswan Signed-off-by: Arne Fitzenreiter --- config/rootfiles/core/130/filelists/strongswan | 1 + 1 file changed, 1 insertion(+) create mode 120000 config/rootfiles/core/130/filelists/strongswan diff --git a/config/rootfiles/core/130/filelists/strongswan b/config/rootfiles/core/130/filelists/strongswan new file mode 120000 index 000000000..90c727e26 --- /dev/null +++ b/config/rootfiles/core/130/filelists/strongswan @@ -0,0 +1 @@ +../../../common/strongswan \ No newline at end of file From 6fc3f2e685d42d9c6261ca281740ce067ab6e00d Mon Sep 17 00:00:00 2001 
From: Arne Fitzenreiter Date: Tue, 9 Apr 2019 07:31:23 +0200 Subject: [PATCH 08/11] core130: insert a core update for urgent fixes. the bigger changes for suricata and kernel need longer time for test so we insert a core with smaller but important fixes. Signed-off-by: Arne Fitzenreiter --- config/rootfiles/core/130/exclude | 28 +++++++++++ config/rootfiles/core/130/update.sh | 77 +++++++++++++++++++++++++++++ make.sh | 4 +- 3 files changed, 107 insertions(+), 2 deletions(-) create mode 100644 config/rootfiles/core/130/exclude create mode 100644 config/rootfiles/core/130/update.sh diff --git a/config/rootfiles/core/130/exclude b/config/rootfiles/core/130/exclude new file mode 100644 index 000000000..b22159878 --- /dev/null +++ b/config/rootfiles/core/130/exclude @@ -0,0 +1,28 @@ +boot/config.txt +boot/grub/grub.cfg +boot/grub/grubenv +etc/alternatives +etc/collectd.custom +etc/default/grub +etc/ipsec.conf +etc/ipsec.secrets +etc/ipsec.user.conf +etc/ipsec.user.secrets +etc/localtime +etc/shadow +etc/snort/snort.conf +etc/ssl/openssl.cnf +etc/sudoers +etc/sysconfig/firewall.local +etc/sysconfig/rc.local +etc/udev/rules.d/30-persistent-network.rules +srv/web/ipfire/html/proxy.pac +var/ipfire/dma +var/ipfire/time +var/ipfire/ovpn +var/lib/alternatives +var/log/cache +var/log/dhcpcd.log +var/log/messages +var/state/dhcp/dhcpd.leases +var/updatecache diff --git a/config/rootfiles/core/130/update.sh b/config/rootfiles/core/130/update.sh new file mode 100644 index 000000000..f072e8052 --- /dev/null +++ b/config/rootfiles/core/130/update.sh 
@@ -0,0 +1,77 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 3 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2019 IPFire-Team . # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +/usr/local/bin/backupctrl exclude >/dev/null 2>&1 + +core=130 + +# Remove old core updates from pakfire cache to save space... +for (( i=1; i<=$core; i++ )); do + rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire +done + +# Stop services +/etc/init.d/squid stop +/usr/local/bin/openvpnctrl -k +/usr/local/bin/openvpnctrl -kn2n +/usr/local/bin/ipsecctrl D +/etc/init.d/unbound stop + +# Remove files +rm -vf \ + /usr/lib/firewall/ipsec-block + +# Extract files +extract_files + +# update linker config +ldconfig + +# Update Language cache +/usr/local/bin/update-lang-cache + +# Start services +/etc/init.d/firewall restart +/etc/init.d/unbound start +/usr/local/bin/ipsecctrl S +/usr/local/bin/openvpnctrl -s +/usr/local/bin/openvpnctrl -sn2n +/etc/init.d/squid start + +# This update needs a reboot... 
+#touch /var/run/need_reboot + +# Finish +/etc/init.d/fireinfo start +sendprofile + +# Update grub config to display new core version +if [ -e /boot/grub/grub.cfg ]; then + grub-mkconfig -o /boot/grub/grub.cfg +fi + +sync + +# Don't report the exitcode last command +exit 0 diff --git a/make.sh b/make.sh index 3453c6719..08cf31901 100755 --- a/make.sh +++ b/make.sh @@ -25,8 +25,8 @@ NAME="IPFire" # Software name SNAME="ipfire" # Short name VERSION="2.21" # Version number -CORE="129" # Core Level (Filename) -PAKFIRE_CORE="129" # Core Level (PAKFIRE) +CORE="130" # Core Level (Filename) +PAKFIRE_CORE="130" # Core Level (PAKFIRE) GIT_BRANCH=`git rev-parse --abbrev-ref HEAD` # Git Branch SLOGAN="www.ipfire.org" # Software slogan CONFIG_ROOT=/var/ipfire # Configuration rootdir From 0971726e1372d743f92b7f0e6969ebbaa8718756 Mon Sep 17 00:00:00 2001 From: Matthias Fischer Date: Thu, 4 Apr 2019 09:15:00 +0200 Subject: [PATCH 09/11] apache: Update to 2.4.39 For details see: http://mirror.checkdomain.de/apache//httpd/CHANGES_2.4.39 Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer --- config/rootfiles/common/apache2 | 1 + lfs/apache2 | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/config/rootfiles/common/apache2 b/config/rootfiles/common/apache2 index ee09c6cbe..4866fb6bd 100644 --- a/config/rootfiles/common/apache2 +++ b/config/rootfiles/common/apache2 @@ -1646,6 +1646,7 @@ usr/lib/apache/mod_slotmem_plain.so usr/lib/apache/mod_slotmem_shm.so usr/lib/apache/mod_socache_dbm.so usr/lib/apache/mod_socache_memcache.so +usr/lib/apache/mod_socache_redis.so usr/lib/apache/mod_socache_shmcb.so usr/lib/apache/mod_speling.so usr/lib/apache/mod_ssl.so diff --git a/lfs/apache2 b/lfs/apache2 index be5ffd9ec..87f639efe 100644 --- a/lfs/apache2 +++ b/lfs/apache2 
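Review bot: In config/rootfiles/core/130/update.sh the result of `extract_files` is never checked and the script ends with an unconditional `exit 0`, so a failed or partial extraction still restarts the firewall, IPsec, OpenVPN and squid on a half-updated tree and is reported to the caller as success. Because the services are already stopped at that point, aborting is not the right reaction either. I would record the status with `extract_files || rc=$?` and finish with `exit ${rc:-0}`, so the services come back up and the failure is still surfaced. Whether `extract_files` returns non-zero on error is not visible here; it is sourced from /opt/pakfire/lib/functions.sh.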
@@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team # +# Copyright (C) 2007-2019 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -25,7 +25,7 @@ include Config -VER = 2.4.38 +VER = 2.4.39 THISAPP = httpd-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -45,7 +45,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 4a2b87ca55e42017d21f18724c560084 +$(DL_FILE)_MD5 = 930e217ba2d71e708a3f1521ecae7ec0 install : $(TARGET) From af9aa1556e6329e7af3d8939c51316fe1599295a Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 4 Apr 2019 02:04:28 +0100 Subject: [PATCH 10/11] core130: Ship updated apache Signed-off-by: Michael Tremer Signed-off-by: Arne Fitzenreiter --- config/rootfiles/core/130/filelists/apache2 | 1 + config/rootfiles/core/130/update.sh | 14 +------------- 2 files changed, 2 insertions(+), 13 deletions(-) create mode 120000 config/rootfiles/core/130/filelists/apache2 diff --git a/config/rootfiles/core/130/filelists/apache2 b/config/rootfiles/core/130/filelists/apache2 new file mode 120000 index 000000000..eef95efa7 --- /dev/null +++ b/config/rootfiles/core/130/filelists/apache2 @@ -0,0 +1 @@ +../../../common/apache2 \ No newline at end of file diff --git a/config/rootfiles/core/130/update.sh b/config/rootfiles/core/130/update.sh index f072e8052..86e42a1d4 100644 --- a/config/rootfiles/core/130/update.sh +++ b/config/rootfiles/core/130/update.sh @@ -32,15 +32,7 @@ for (( i=1; i<=$core; i++ )); do done # Stop services -/etc/init.d/squid stop -/usr/local/bin/openvpnctrl -k -/usr/local/bin/openvpnctrl -kn2n /usr/local/bin/ipsecctrl D -/etc/init.d/unbound stop - -# Remove files -rm -vf \ - /usr/lib/firewall/ipsec-block # Extract files extract_files 
@@ -52,12 +44,8 @@ ldconfig /usr/local/bin/update-lang-cache # Start services -/etc/init.d/firewall restart -/etc/init.d/unbound start +/etc/init.d/apache restart /usr/local/bin/ipsecctrl S -/usr/local/bin/openvpnctrl -s -/usr/local/bin/openvpnctrl -sn2n -/etc/init.d/squid start # This update needs a reboot... #touch /var/run/need_reboot From d01d68913f643c5d4b9b58a7ecab6d1c4dde5c0c Mon Sep 17 00:00:00 2001 From: Matthias Fischer Date: Fri, 5 Apr 2019 21:55:12 +0200 Subject: [PATCH 11/11] wget: Update to 1.20.3 For details see: https://fossies.org/linux/wget/ChangeLog Excerpt from "NEWS": "2019-04-05 Tim Ruehsen Fix a buffer overflow vulnerability * src/iri.c(do_conversion): Reallocate the output buffer to a larger size if it is already full" Signed-off-by: Matthias Fischer Signed-off-by: Michael Tremer --- lfs/wget | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lfs/wget b/lfs/wget index ac2fa826c..00ca75033 100644 --- a/lfs/wget +++ b/lfs/wget @@ -24,7 +24,7 @@ include Config -VER = 1.20.2 +VER = 1.20.3 THISAPP = wget-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 2692f6678e93601441306b5c1fc6a77a +$(DL_FILE)_MD5 = db4e6dc7977cbddcd543b240079a4899 install : $(TARGET)
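Review bot: The second update.sh hunk (`@@ -52,12 +44,8 @@`) drops `/etc/init.d/firewall restart` together with the unbound, OpenVPN and squid restarts, none of which the commit title "Ship updated apache" mentions; the first hunk on the same file removes the matching stop calls. The same core update ships a strongSwan whose `_updown` no longer adds or deletes the IPSECNAT SNAT rules, and the reboot flag stays commented out. Cleanup of rules installed by the old script therefore appears to rely on `ipsecctrl D` having run the old down hook for every tunnel before `extract_files`. If that is intended, say so in the commit message; otherwise keep `/etc/init.d/firewall restart` in the start block, assuming a firewall restart rebuilds that chain.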