From 75c2cf6f51d4f7d8e513b6df6a25b30e8a834f9f Mon Sep 17 00:00:00 2001
From: Arne Fitzenreiter
Date: Mon, 9 Apr 2012 12:19:06 +0200
Subject: [PATCH 01/16] started core59.
---
 config/rootfiles/core/59/exclude | 12 +++
 config/rootfiles/core/59/filelists/Net-Telnet | 1 +
 config/rootfiles/core/59/filelists/files | 6 ++
 config/rootfiles/core/59/meta | 1 +
 config/rootfiles/core/59/update.sh | 82 +++++++++++++++++++
 make.sh | 2 +-
 6 files changed, 103 insertions(+), 1 deletion(-)
 create mode 100644 config/rootfiles/core/59/exclude
 create mode 120000 config/rootfiles/core/59/filelists/Net-Telnet
 create mode 100644 config/rootfiles/core/59/filelists/files
 create mode 100644 config/rootfiles/core/59/meta
 create mode 100644 config/rootfiles/core/59/update.sh
diff --git a/config/rootfiles/core/59/exclude b/config/rootfiles/core/59/exclude
new file mode 100644
index 000000000..7360266bd
--- /dev/null
+++ b/config/rootfiles/core/59/exclude
@@ -0,0 +1,12 @@
+srv/web/ipfire/html/proxy.pac
+etc/udev/rules.d/30-persistent-network.rules
+etc/ipsec.conf
+etc/ipsec.secrets
+etc/ipsec.user.conf
+etc/ipsec.user.secrets
+var/updatecache
+etc/localtime
+var/ipfire/ovpn
+etc/ssh/ssh_config
+etc/ssh/sshd_config
+etc/ssl/openssl.cnf
diff --git a/config/rootfiles/core/59/filelists/Net-Telnet b/config/rootfiles/core/59/filelists/Net-Telnet
new file mode 120000
index 000000000..66ca926ff
--- /dev/null
+++ b/config/rootfiles/core/59/filelists/Net-Telnet
@@ -0,0 +1 @@
+../../../common/Net-Telnet
\ No newline at end of file
diff --git a/config/rootfiles/core/59/filelists/files b/config/rootfiles/core/59/filelists/files
new file mode 100644
index 000000000..16464c758
--- /dev/null
+++ b/config/rootfiles/core/59/filelists/files
@@ -0,0 +1,6 @@
+etc/system-release
+etc/issue
+srv/web/ipfire/cgi-bin/index.cgi
+srv/web/ipfire/cgi-bin/ovpnmain.cgi
+var/ipfire/general-functions.pl
+var/ipfire/langs
diff --git a/config/rootfiles/core/59/meta b/config/rootfiles/core/59/meta
new file mode 100644
index 000000000..d547fa86f
--- /dev/null
+++ b/config/rootfiles/core/59/meta
@@ -0,0 +1 @@
+DEPS=""
diff --git a/config/rootfiles/core/59/update.sh b/config/rootfiles/core/59/update.sh
new file mode 100644
index 000000000..5a3cc2a21
--- /dev/null
+++ b/config/rootfiles/core/59/update.sh
@@ -0,0 +1,82 @@
+#!/bin/bash
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2012 IPFire-Team . #
+# #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+/usr/local/bin/backupctrl exclude >/dev/null 2>&1
+
+#
+# Remove old core updates from pakfire cache to save space...
+core=59
+for (( i=1; i<=$core; i++ ))
+do
+ rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
+done
+
+#
+#Stop services
+
+#
+#Extract files
+
+#
+#Start services
+if [ `grep "ENABLED=on" /var/ipfire/vpn/settings` ]; then
+ /etc/init.d/ipsec start
+fi
+
+#
+#Update Language cache
+perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"
+
+#Rebuild module dep's
+#arch=`uname -m`
+#if [ ${arch::3} == "arm" ]; then
+# depmod -a 2.6.32.45-ipfire-versatile >/dev/null 2>&1
+# depmod -a 2.6.32.45-ipfire-kirkwood >/dev/null 2>&1
+#else
+# depmod -a 2.6.32.45-ipfire >/dev/null 2>&1
+# depmod -a 2.6.32.45-ipfire-pae >/dev/null 2>&1
+# depmod -a 2.6.32.45-ipfire-xen >/dev/null 2>&1
+#fi
+
+
+#Rebuild initrd's because some compat-wireless modules are inside
+#/sbin/dracut --force --verbose /boot/ipfirerd-2.6.32.45.img 2.6.32.45-ipfire
+#if [ -e /boot/ipfirerd-2.6.32.45-pae.img ]; then
+#/sbin/dracut --force --verbose /boot/ipfirerd-2.6.32.45-pae.img 2.6.32.45-ipfire-pae
+#fi
+#if [ -e /boot/ipfirerd-2.6.32.45-xen.img ]; then
+#/sbin/dracut --force --verbose /boot/ipfirerd-2.6.32.45-xen.img 2.6.32.45-ipfire-xen
+#fi
+
+sync
+
+# This update need a reboot...
+#touch /var/run/need_reboot
+
+#
+#Finish
+/etc/init.d/fireinfo start
+sendprofile
+#Don't report the exitcode last command
+exit 0
diff --git a/make.sh b/make.sh
index 3535bebe9..1d48b3198 100755
--- a/make.sh
+++ b/make.sh
@@ -25,7 +25,7 @@
 NAME="IPFire" # Software name
 SNAME="ipfire" # Short name
 VERSION="2.11" # Version number
-CORE="58" # Core Level (Filename)
+CORE="59" # Core Level (Filename)
 PAKFIRE_CORE="58" # Core Level (PAKFIRE)
 GIT_BRANCH=`git status | head -n1 | cut -d" " -f4` # Git Branch
 SLOGAN="www.ipfire.org" # Software slogan
From a6f4183e83385cbd21d31db07171fb7109b81d54 Mon Sep 17 00:00:00 2001
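Review bot: The `#Extract files` section of the new core/59/update.sh is empty, with no `extract_files` call between the stop and start sections, so as written the script never unpacks the files named in the core/59 filelists, including the openssl, openssh, strongswan and php updates that later patches in this series link into them. PATCH 14/16 adds service stop/start around that section but still leaves it empty, while core/60/update.sh in PATCH 16/16 does call `extract_files`; unless pakfire extracts the archive elsewhere (not visible here), add `extract_files` under `#Extract files`. Separately, the Start-services test wraps an unquoted, backquoted grep in `[ ]`, which makes `[` fail with a syntax error when grep returns more than one word and then silently skips the ipsec start; `if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then` checks the same thing without that failure mode. The same test line is repeated in core/60/update.sh.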
From: Arne Fitzenreiter Date: Wed, 2 May 2012 19:42:02 +0200 Subject: [PATCH 02/16] openssl: security update to 0.9.8w. (CVE-2012-2131). SN1 BIO incomplete fix (CVE-2012-2131) ======================================= It was discovered that the fix for CVE-2012-2110 released on 19 Apr 2012 was not sufficient to correct the issue for OpenSSL 0.9.8. Please see http://www.openssl.org/news/secadv_20120419.txt for details of that vulnerability. This issue only affects OpenSSL 0.9.8v. OpenSSL 1.0.1a and 1.0.0i already contain a patch sufficient to correct CVE-2012-2110. Thanks to Red Hat for discovering and fixing this issue. Affected users should upgrade to 0.9.8w. References ========== URL for this Security Advisory: http://www.openssl.org/news/secadv_20120424.txt --- config/rootfiles/common/openssl | 2 +- lfs/openssl | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/config/rootfiles/common/openssl b/config/rootfiles/common/openssl index bc1ac49f0..02e4c1cdd 100644 --- a/config/rootfiles/common/openssl +++ b/config/rootfiles/common/openssl @@ -1116,7 +1116,6 @@ usr/lib/libssl.so.0.9.8 #usr/share/man/man3/dsa.3 #usr/share/man/man3/ecdsa.3 #usr/share/man/man3/engine.3 -#usr/share/man/man3/err.3 #usr/share/man/man3/evp.3 #usr/share/man/man3/hmac.3 #usr/share/man/man3/i2d_ASN1_OBJECT.3 @@ -1164,6 +1163,7 @@ usr/lib/libssl.so.0.9.8 #usr/share/man/man3/md5.3 #usr/share/man/man3/mdc2.3 #usr/share/man/man3/pem.3 +#usr/share/man/man3/rand.3 #usr/share/man/man3/rc4.3 #usr/share/man/man3/ripemd.3 #usr/share/man/man3/rsa.3 diff --git a/lfs/openssl b/lfs/openssl index 9d559e154..c58c0487f 100644 --- a/lfs/openssl +++ b/lfs/openssl @@ -24,7 +24,7 @@ include Config -VER = 0.9.8u +VER = 0.9.8w THISAPP = openssl-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = cb41e94f762ed63e41d1cca2b8430ede +$(DL_FILE)_MD5 = 4ceb7d570e42c094b360cc7b8e848a0b install : $(TARGET) 
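Review bot: The only integrity pin visible for the new tarball is `$(DL_FILE)_MD5`, and MD5 is no longer collision-resistant, which is a weak anchor for a security-critical download such as OpenSSL fetched from `$(DL_FROM)`. The value should be recorded only after the tarball has been checked against the upstream signature or a SHA-256 published by upstream, and a comment next to it such as `# verified against upstream signature before pinning` would document that step. The same applies to the `_MD5` hunks for python, strongswan, traceroute, openssl 0.9.8x, openssh, php and GeoIP in PATCH 05 through 15. How the `_MD5` value is enforced at download time is in the part of the lfs file outside these hunks.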
From 54798036675c0eebb8dedb55d2e509d8385cc363 Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Sat, 5 May 2012 23:19:36 +0200 Subject: [PATCH 03/16] core59: add openssl to core update. --- config/rootfiles/core/59/filelists/openssh | 1 + config/rootfiles/core/59/filelists/openssl | 1 + 2 files changed, 2 insertions(+) create mode 120000 config/rootfiles/core/59/filelists/openssh create mode 120000 config/rootfiles/core/59/filelists/openssl diff --git a/config/rootfiles/core/59/filelists/openssh b/config/rootfiles/core/59/filelists/openssh new file mode 120000 index 000000000..d8c77fd8e --- /dev/null +++ b/config/rootfiles/core/59/filelists/openssh @@ -0,0 +1 @@ +../../../common/openssh \ No newline at end of file diff --git a/config/rootfiles/core/59/filelists/openssl b/config/rootfiles/core/59/filelists/openssl new file mode 120000 index 000000000..e011a9266 --- /dev/null +++ b/config/rootfiles/core/59/filelists/openssl @@ -0,0 +1 @@ +../../../common/openssl \ No newline at end of file From 8f6a5178e816689fc6bd38aebfc0cfc41aa5d37d Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Sat, 5 May 2012 23:21:18 +0200 Subject: [PATCH 04/16] fix core58 merge problem. Conflicts: config/rootfiles/core/58/filelists/files --- config/rootfiles/core/58/filelists/files | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/config/rootfiles/core/58/filelists/files b/config/rootfiles/core/58/filelists/files index afb3d9969..047127e7e 100644 --- a/config/rootfiles/core/58/filelists/files +++ b/config/rootfiles/core/58/filelists/files @@ -1,3 +1,7 @@ etc/system-release etc/issue etc/vimrc +srv/web/ipfire/cgi-bin/index.cgi +srv/web/ipfire/cgi-bin/ovpnmain.cgi +var/ipfire/general-functions.pl +var/ipfire/langs From 36585d00bd91bb7207627ca4e46c5d3c6f20cd26 Mon Sep 17 00:00:00 2001 
From: Arne Fitzenreiter Date: Sat, 5 May 2012 23:23:53 +0200 Subject: [PATCH 05/16] python: update to 2.7.3. --- config/rootfiles/common/python | 25 +++++++++++++------ config/rootfiles/core/59/filelists/python | 1 + lfs/python | 4 +-- ...gdbm-1.patch => Python-2.7.3-gdbm-1.patch} | 0 4 files changed, 21 insertions(+), 9 deletions(-) create mode 120000 config/rootfiles/core/59/filelists/python rename src/patches/{Python-2.7.2-gdbm-1.patch => Python-2.7.3-gdbm-1.patch} (100%) diff --git a/config/rootfiles/common/python b/config/rootfiles/common/python index c6421cb94..3472e2517 100644 --- a/config/rootfiles/common/python +++ b/config/rootfiles/common/python @@ -3,6 +3,8 @@ #usr/bin/pydoc usr/bin/python #usr/bin/python-config +usr/bin/python2 +#usr/bin/python2-config usr/bin/python2.7 #usr/bin/python2.7-config #usr/bin/smtpd.py @@ -103,6 +105,7 @@ usr/lib/libpython2.7.so usr/lib/libpython2.7.so.1.0 #usr/lib/pkgconfig/python-2.7.pc #usr/lib/pkgconfig/python.pc +#usr/lib/pkgconfig/python2.pc #usr/lib/python2.7 #usr/lib/python2.7/BaseHTTPServer.py usr/lib/python2.7/BaseHTTPServer.pyc @@ -920,6 +923,7 @@ usr/lib/python2.7/dis.pyc #usr/lib/python2.7/distutils/tests/test_versionpredicate.py #usr/lib/python2.7/distutils/tests/test_versionpredicate.pyc #usr/lib/python2.7/distutils/tests/test_versionpredicate.pyo +#usr/lib/python2.7/distutils/tests/xxmodule.c #usr/lib/python2.7/distutils/text_file.py #usr/lib/python2.7/distutils/text_file.pyc #usr/lib/python2.7/distutils/text_file.pyo @@ -1815,7 +1819,7 @@ usr/lib/python2.7/json/tool.pyc usr/lib/python2.7/keyword.pyc #usr/lib/python2.7/keyword.pyo #usr/lib/python2.7/lib-dynload -usr/lib/python2.7/lib-dynload/Python-2.7.2-py2.7.egg-info +usr/lib/python2.7/lib-dynload/Python-2.7.3-py2.7.egg-info usr/lib/python2.7/lib-dynload/_bisect.so usr/lib/python2.7/lib-dynload/_bsddb.so usr/lib/python2.7/lib-dynload/_codecs_cn.so 
@@ -1973,9 +1977,9 @@ usr/lib/python2.7/lib-dynload/zlib.so #usr/lib/python2.7/lib-tk/turtle.pyo #usr/lib/python2.7/lib2to3 #usr/lib/python2.7/lib2to3/Grammar.txt -#usr/lib/python2.7/lib2to3/Grammar2.7.2.final.0.pickle +#usr/lib/python2.7/lib2to3/Grammar2.7.3.final.0.pickle #usr/lib/python2.7/lib2to3/PatternGrammar.txt -#usr/lib/python2.7/lib2to3/PatternGrammar2.7.2.final.0.pickle +#usr/lib/python2.7/lib2to3/PatternGrammar2.7.3.final.0.pickle #usr/lib/python2.7/lib2to3/__init__.py #usr/lib/python2.7/lib2to3/__init__.pyc #usr/lib/python2.7/lib2to3/__init__.pyo @@ -2666,6 +2670,10 @@ usr/lib/python2.7/tempfile.pyc #usr/lib/python2.7/test/cjkencodings/gbk.txt #usr/lib/python2.7/test/cjkencodings/hz-utf8.txt #usr/lib/python2.7/test/cjkencodings/hz.txt +#usr/lib/python2.7/test/cjkencodings/iso2022_jp-utf8.txt +#usr/lib/python2.7/test/cjkencodings/iso2022_jp.txt +#usr/lib/python2.7/test/cjkencodings/iso2022_kr-utf8.txt +#usr/lib/python2.7/test/cjkencodings/iso2022_kr.txt #usr/lib/python2.7/test/cjkencodings/johab-utf8.txt #usr/lib/python2.7/test/cjkencodings/johab.txt #usr/lib/python2.7/test/cjkencodings/shift_jis-utf8.txt @@ -2861,6 +2869,7 @@ usr/lib/python2.7/tempfile.pyc #usr/lib/python2.7/test/mapping_tests.pyc #usr/lib/python2.7/test/mapping_tests.pyo #usr/lib/python2.7/test/math_testcases.txt +#usr/lib/python2.7/test/nokia.pem #usr/lib/python2.7/test/nullcert.pem #usr/lib/python2.7/test/outstanding_bugs.py #usr/lib/python2.7/test/outstanding_bugs.pyc @@ -2889,9 +2898,6 @@ usr/lib/python2.7/tempfile.pyc #usr/lib/python2.7/test/re_tests.py #usr/lib/python2.7/test/re_tests.pyc #usr/lib/python2.7/test/re_tests.pyo -#usr/lib/python2.7/test/regex_tests.py -#usr/lib/python2.7/test/regex_tests.pyc -#usr/lib/python2.7/test/regex_tests.pyo #usr/lib/python2.7/test/regrtest.py #usr/lib/python2.7/test/regrtest.pyc #usr/lib/python2.7/test/regrtest.pyo 
@@ -2924,7 +2930,6 @@ usr/lib/python2.7/tempfile.pyc #usr/lib/python2.7/test/subprocessdata/sigchild_ignore.py #usr/lib/python2.7/test/subprocessdata/sigchild_ignore.pyc #usr/lib/python2.7/test/subprocessdata/sigchild_ignore.pyo -#usr/lib/python2.7/test/svn_python_org_https_cert.pem #usr/lib/python2.7/test/test_MimeWriter.py #usr/lib/python2.7/test/test_MimeWriter.pyc #usr/lib/python2.7/test/test_MimeWriter.pyo @@ -3093,6 +3098,9 @@ usr/lib/python2.7/tempfile.pyc #usr/lib/python2.7/test/test_codecencodings_hk.py #usr/lib/python2.7/test/test_codecencodings_hk.pyc #usr/lib/python2.7/test/test_codecencodings_hk.pyo +#usr/lib/python2.7/test/test_codecencodings_iso2022.py +#usr/lib/python2.7/test/test_codecencodings_iso2022.pyc +#usr/lib/python2.7/test/test_codecencodings_iso2022.pyo #usr/lib/python2.7/test/test_codecencodings_jp.py #usr/lib/python2.7/test/test_codecencodings_jp.pyc #usr/lib/python2.7/test/test_codecencodings_jp.pyo @@ -3722,6 +3730,9 @@ usr/lib/python2.7/tempfile.pyc #usr/lib/python2.7/test/test_py3kwarn.py #usr/lib/python2.7/test/test_py3kwarn.pyc #usr/lib/python2.7/test/test_py3kwarn.pyo +#usr/lib/python2.7/test/test_py_compile.py +#usr/lib/python2.7/test/test_py_compile.pyc +#usr/lib/python2.7/test/test_py_compile.pyo #usr/lib/python2.7/test/test_pyclbr.py #usr/lib/python2.7/test/test_pyclbr.pyc #usr/lib/python2.7/test/test_pyclbr.pyo diff --git a/config/rootfiles/core/59/filelists/python b/config/rootfiles/core/59/filelists/python new file mode 120000 index 000000000..ffe6e2c49 --- /dev/null +++ b/config/rootfiles/core/59/filelists/python @@ -0,0 +1 @@ +../../../common/python \ No newline at end of file diff --git a/lfs/python b/lfs/python index 0deaadd11..6095e5ed0 100644 --- a/lfs/python +++ b/lfs/python @@ -24,7 +24,7 @@ include Config -VER = 2.7.2 +VER = 2.7.3 THISAPP = Python-$(VER) DL_FILE = $(THISAPP).tar.xz 
@@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 75c87a80c6ddb0b785a57ea3583e04fa +$(DL_FILE)_MD5 = 62c4c1699170078c469f79ddfed21bc0 install : $(TARGET) diff --git a/src/patches/Python-2.7.2-gdbm-1.patch b/src/patches/Python-2.7.3-gdbm-1.patch similarity index 100% rename from src/patches/Python-2.7.2-gdbm-1.patch rename to src/patches/Python-2.7.3-gdbm-1.patch From d66d6f88273637d34b649184543862f588a7d9e3 Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Sat, 5 May 2012 23:25:07 +0200 Subject: [PATCH 06/16] strongswan: update to 4.6.3. --- config/rootfiles/common/strongswan | 3 +++ config/rootfiles/core/59/filelists/strongswan | 1 + lfs/strongswan | 4 ++-- 3 files changed, 6 insertions(+), 2 deletions(-) create mode 120000 config/rootfiles/core/59/filelists/strongswan diff --git a/config/rootfiles/common/strongswan b/config/rootfiles/common/strongswan index 9b02c0b6f..4c7d558b1 100644 --- a/config/rootfiles/common/strongswan +++ b/config/rootfiles/common/strongswan @@ -33,6 +33,9 @@ usr/lib/ipsec/plugins/libstrongswan-aes.so #usr/lib/ipsec/plugins/libstrongswan-attr.a #usr/lib/ipsec/plugins/libstrongswan-attr.la usr/lib/ipsec/plugins/libstrongswan-attr.so +#usr/lib/ipsec/plugins/libstrongswan-cmac.a +#usr/lib/ipsec/plugins/libstrongswan-cmac.la +usr/lib/ipsec/plugins/libstrongswan-cmac.so #usr/lib/ipsec/plugins/libstrongswan-constraints.a #usr/lib/ipsec/plugins/libstrongswan-constraints.la usr/lib/ipsec/plugins/libstrongswan-constraints.so diff --git a/config/rootfiles/core/59/filelists/strongswan b/config/rootfiles/core/59/filelists/strongswan new file mode 120000 index 000000000..90c727e26 --- /dev/null +++ b/config/rootfiles/core/59/filelists/strongswan @@ -0,0 +1 @@ +../../../common/strongswan \ No newline at end of file diff --git a/lfs/strongswan b/lfs/strongswan index 964f2ed46..44497d480 100644 --- a/lfs/strongswan +++ b/lfs/strongswan 
@@ -24,7 +24,7 @@ include Config -VER = 4.6.2 +VER = 4.6.3 THISAPP = strongswan-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = ed64e6746011930a70f3a271dc0e3c9e +$(DL_FILE)_MD5 = 34146e514ced1738b4f2d9e7169bbb52 install : $(TARGET) From 68eeed828507c6edc395772d6d9c81f1cc12dd53 Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Sun, 6 May 2012 12:51:14 +0200 Subject: [PATCH 07/16] traceroute: update to 2.0.18 and fix name resolution. fixes #10097 --- lfs/traceroute | 8 +++--- src/patches/traceroute-2.0.18-ipfire.patch | 31 ++++++++++++++++++++++ 2 files changed, 35 insertions(+), 4 deletions(-) create mode 100644 src/patches/traceroute-2.0.18-ipfire.patch diff --git a/lfs/traceroute b/lfs/traceroute index fec18a4ce..74cffc7ea 100644 --- a/lfs/traceroute +++ b/lfs/traceroute @@ -24,7 +24,7 @@ include Config -VER = 2.0.12 +VER = 2.0.18 THISAPP = traceroute-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = traceroute -PAK_VER = 2 +PAK_VER = 3 DEPS = "" @@ -44,7 +44,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 2262a9d30ae85f12b759a38ef827f8f7 +$(DL_FILE)_MD5 = b7254149b7f081cce07f4b9e065ba5ef install : $(TARGET) @@ -77,7 +77,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && sed -i 's|hints.ai_flags = AI_IDN;|/* hints.ai_flags = AI_IDN; */|g' traceroute/traceroute.c + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/$(THISAPP)-ipfire.patch cd $(DIR_APP) && make cd $(DIR_APP) && make install prefix=/usr bindir=/usr/sbin chmod u-s /usr/sbin/traceroute diff --git a/src/patches/traceroute-2.0.18-ipfire.patch b/src/patches/traceroute-2.0.18-ipfire.patch new file mode 100644 index 000000000..14f09d8a8 --- /dev/null 
+++ b/src/patches/traceroute-2.0.18-ipfire.patch @@ -0,0 +1,31 @@ +diff -Naur traceroute-2.0.18.org/traceroute/traceroute.c traceroute-2.0.18/traceroute/traceroute.c +--- traceroute-2.0.18.org/traceroute/traceroute.c 2011-08-18 17:19:48.000000000 +0200 ++++ traceroute-2.0.18/traceroute/traceroute.c 2012-05-06 12:42:55.000000000 +0200 +@@ -31,6 +31,9 @@ + #include "version.h" + #include "traceroute.h" + ++#ifndef IPV6_TCLASS ++#define IPV6_TCLASS 67 ++#endif + + #ifndef ICMP6_DST_UNREACH_BEYONDSCOPE + #ifdef ICMP6_DST_UNREACH_NOTNEIGHBOR +@@ -186,7 +189,7 @@ + + memset (&hints, 0, sizeof (hints)); + hints.ai_family = af; +- hints.ai_flags = AI_IDN; ++ /* hints.ai_flags = AI_IDN; */ + + ret = getaddrinfo (name, NULL, &hints, &res); + if (ret) { +@@ -688,7 +691,7 @@ + + buf[0] = '\0'; + getnameinfo (&res->sa, sizeof (*res), buf, sizeof (buf), +- 0, 0, NI_IDN); ++ 0, 0, 0); + printf (" %s (%s)", buf[0] ? buf : str, str); + } + From 8074eed711092b90ae279fa968545a27d2655fd6 Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Sat, 12 May 2012 15:30:38 +0200 Subject: [PATCH 08/16] openssl: security update to 0.9.8x (CVE-2012-2333). Invalid TLS/DTLS record attack (CVE-2012-2333) =============================================== A flaw in the OpenSSL handling of CBC mode ciphersuites in TLS 1.1, 1.2 and DTLS can be exploited in a denial of service attack on both clients and servers. DTLS applications are affected in all versions of OpenSSL. TLS is only affected in OpenSSL 1.0.1 and later. Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic fuzzing as a service testing platform. The fix was developed by Stephen Henson of the OpenSSL core team. Affected users should upgrade to OpenSSL 1.0.1c, 1.0.0j or 0.9.8x References ========== URL for this Security Advisory: http://www.openssl.org/news/secadv_20120510.txt --- lfs/openssl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lfs/openssl b/lfs/openssl index c58c0487f..9aef173b0 100644 
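Review bot: The embedded traceroute patch has no description header, so nothing in the file says why `AI_IDN` and `NI_IDN` are dropped or why `IPV6_TCLASS` gets a hard-coded fallback. A short header before the `diff -Naur` line, for example `IPFire: build without IDN support in libc and with headers lacking IPV6_TCLASS (bug #10097)`, would let the next version bump decide whether each change is still needed. The fallback itself deserves a comment like `/* 67 is the Linux value from <linux/in6.h> */`, since a wrong constant would set an unrelated socket option without any build error.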
--- a/lfs/openssl +++ b/lfs/openssl @@ -24,7 +24,7 @@ include Config -VER = 0.9.8w +VER = 0.9.8x THISAPP = openssl-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 4ceb7d570e42c094b360cc7b8e848a0b +$(DL_FILE)_MD5 = ee17e9bc805c8cc7d0afac3b0ef78eda install : $(TARGET) From dc7239d678ca426485814c95060ac72d987b814d Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Sat, 12 May 2012 15:32:47 +0200 Subject: [PATCH 09/16] openssh: update to 6.0p1. --- lfs/openssh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lfs/openssh b/lfs/openssh index f7d129d78..26ac55560 100644 --- a/lfs/openssh +++ b/lfs/openssh @@ -24,7 +24,7 @@ include Config -VER = 5.9p1 +VER = 6.0p1 THISAPP = openssh-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = afe17eee7e98d3b8550cc349834a85d0 +$(DL_FILE)_MD5 = 3c9347aa67862881c5da3f3b1c08da7b install : $(TARGET) From 58574e318b594d471a6c9376ade91d7f7c6f4644 Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Sat, 12 May 2012 15:33:42 +0200 Subject: [PATCH 10/16] php: security update to 5.3.13 (CVE-2012-2311). --- config/rootfiles/core/59/filelists/php | 1 + lfs/php | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) create mode 120000 config/rootfiles/core/59/filelists/php diff --git a/config/rootfiles/core/59/filelists/php b/config/rootfiles/core/59/filelists/php new file mode 120000 index 000000000..1ae48d7a7 --- /dev/null +++ b/config/rootfiles/core/59/filelists/php @@ -0,0 +1 @@ +../../../common/php \ No newline at end of file diff --git a/lfs/php b/lfs/php index 2a883de84..075d4fbae 100644 --- a/lfs/php +++ b/lfs/php 
@@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2011 IPFire Team # +# Copyright (C) 2007-2012 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 5.3.10 +VER = 5.3.13 THISAPP = php-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -42,7 +42,7 @@ $(DL_FILE) = $(DL_FROM)/$(DL_FILE) idn-0.1.tgz = $(DL_FROM)/idn-0.1.tgz Log-1.9.11.tgz = $(DL_FROM)/Log-1.9.11.tgz -$(DL_FILE)_MD5 = 816259e5ca7d0a7e943e56a3bb32b17f +$(DL_FILE)_MD5 = 370be99c5cdc2e756c82c44d774933c8 idn-0.1.tgz_MD5 = ef8635ec22348325a76abd2abddca4a1 Log-1.9.11.tgz_MD5 = fb7c648b212f12fdb5ce1ab687793513 From db083dd81ece9a52f1badc189d34f89b228a28c0 Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Sat, 12 May 2012 17:13:45 +0200 Subject: [PATCH 11/16] dhcpcd: ignore MTU Smaller than 577. Normally 576 is the smallest valid mtu but some cable provider set this also if they support much higher mtu's. Fedora does not accept this to prevent speed problems with such isp connections so we do the same. If you really need mtu=576 you can still force at at the setup. --- config/rootfiles/core/59/filelists/files | 1 + lfs/dhcpcd | 5 ++++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/config/rootfiles/core/59/filelists/files b/config/rootfiles/core/59/filelists/files index 16464c758..fef386b98 100644 --- a/config/rootfiles/core/59/filelists/files +++ b/config/rootfiles/core/59/filelists/files @@ -4,3 +4,4 @@ srv/web/ipfire/cgi-bin/index.cgi srv/web/ipfire/cgi-bin/ovpnmain.cgi var/ipfire/general-functions.pl var/ipfire/langs +var/ipfire/dhcpc/dhcpcd-hooks/10-mtu diff --git a/lfs/dhcpcd b/lfs/dhcpcd index e843b9a75..f7a8c361c 100644 --- a/lfs/dhcpcd +++ b/lfs/dhcpcd 
@@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007 Michael Tremer & Christian Schmidt # +# Copyright (C) 2012 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -76,6 +76,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --mandir=/usr/share/man --disable-nls cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install + ln -sf /etc/rc.d/init.d/networking/dhcpcd.exe \ $(CONFIG_ROOT)/dhcpc/dhcpcd-hooks/70-dhcpcd.exe rm -f $(CONFIG_ROOT)/dhcpc/dhcpcd-hooks/20-resolv.conf @@ -84,5 +85,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) rm -f $(CONFIG_ROOT)/dhcpc/dhcpcd-hooks/50-yp.conf rm -f $(CONFIG_ROOT)/dhcpc/dhcpcd-hooks/50-ypbind + sed -i -e "s|-ge 576|-gt 576|g" $(CONFIG_ROOT)/dhcpc/dhcpcd-hooks/10-mtu + @rm -rf $(DIR_APP) @$(POSTBUILD) From c7c8b4aaecc68b12fa3ad89d2eabe82581b969ad Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Sat, 12 May 2012 19:15:38 +0200 Subject: [PATCH 12/16] GeoIP: update database to 01052012. --- config/rootfiles/core/59/filelists/GeoIP | 1 + lfs/GeoIP | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) create mode 100644 config/rootfiles/core/59/filelists/GeoIP diff --git a/config/rootfiles/core/59/filelists/GeoIP b/config/rootfiles/core/59/filelists/GeoIP new file mode 100644 index 000000000..0258236c0 --- /dev/null +++ b/config/rootfiles/core/59/filelists/GeoIP @@ -0,0 +1 @@ +usr/local/share/GeoIP/GeoIP.dat diff --git a/lfs/GeoIP b/lfs/GeoIP index 271bab679..f1b200b81 100644 --- a/lfs/GeoIP +++ b/lfs/GeoIP @@ -25,7 +25,7 @@ include Config VER = 1.17 -DATVER = 03032012 +DATVER = 01052012 THISAPP = Geo-IP-PurePerl-$(VER) DL_FILE = $(THISAPP).tar.gz 
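Review bot: The added `sed -i -e "s|-ge 576|-gt 576|g"` on the 10-mtu hook succeeds even when the pattern no longer matches, so a later dhcpcd release that words the comparison differently would ship the hook unmodified and the build would give no hint. Following the sed with `grep -q -- "-gt 576" $(CONFIG_ROOT)/dhcpc/dhcpcd-hooks/10-mtu` makes the recipe fail in that case; PATCH 07/16 replaced a similar silent sed in lfs/traceroute with a patch file for the same reason. The `$(TARGET)` recipe starts and ends outside this hunk.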
@@ -43,7 +43,7 @@ $(DL_FILE) = $(DL_FROM)/$(DL_FILE) GeoIP.dat-$(DATVER).gz = $(DL_FROM)/GeoIP.dat-$(DATVER).gz $(DL_FILE)_MD5 = 42a6b9d4dd2563a20c8998556216e1de -GeoIP.dat-$(DATVER).gz_MD5 = 98ba2a5c177cdfa8da6f9fab524e948d +GeoIP.dat-$(DATVER).gz_MD5 = bb073125a92b1ee3dba202b1cec922c4 install : $(TARGET) From a18da317d3b9802572f2f174d1b76a1eba7ff53b Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Sat, 12 May 2012 19:22:26 +0200 Subject: [PATCH 13/16] finished core59. --- make.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/make.sh b/make.sh index 1d48b3198..3b447c893 100755 --- a/make.sh +++ b/make.sh @@ -26,7 +26,7 @@ NAME="IPFire" # Software name SNAME="ipfire" # Short name VERSION="2.11" # Version number CORE="59" # Core Level (Filename) -PAKFIRE_CORE="58" # Core Level (PAKFIRE) +PAKFIRE_CORE="59" # Core Level (PAKFIRE) GIT_BRANCH=`git status | head -n1 | cut -d" " -f4` # Git Branch SLOGAN="www.ipfire.org" # Software slogan CONFIG_ROOT=/var/ipfire # Configuration rootdir From 4bd2536f4b2da867a96c53b79320874793231002 Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Sat, 12 May 2012 19:40:41 +0200 Subject: [PATCH 14/16] core59: start/stop ipsec and ssh at update. --- config/rootfiles/core/59/update.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/rootfiles/core/59/update.sh b/config/rootfiles/core/59/update.sh index 5a3cc2a21..6764f1c20 100644 --- a/config/rootfiles/core/59/update.sh +++ b/config/rootfiles/core/59/update.sh @@ -34,12 +34,15 @@ done # #Stop services +/etc/init.d/ipsec stop +/etc/init.d/sshd stop # #Extract files # #Start services +/etc/init.d/sshd start if [ `grep "ENABLED=on" /var/ipfire/vpn/settings` ]; then /etc/init.d/ipsec start fi From 6105282debd636dd5634f6e487afbeb02b51a69b Mon Sep 17 00:00:00 2001 
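Review bot: The added `/etc/init.d/sshd start` runs unconditionally, whereas ipsec is only restarted when the VPN settings say it is enabled, so on a firewall where the administrator has switched SSH access off this update would leave a remote-login daemon running that was not running before. Unless the init script itself honours the SSH setting (not visible here), guard the start the same way as ipsec, e.g. `if grep -q "<SSH_ENABLED_KEY>=on" <ssh-settings-file>; then /etc/init.d/sshd start; fi`, with the placeholders replaced by the project's real key and path. Recording whether sshd was running before the stop and only restarting it in that case would achieve the same.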
From: Arne Fitzenreiter Date: Fri, 1 Jun 2012 12:47:07 +0200 Subject: [PATCH 15/16] strongswan: security update to 4.6.4 (fix CVE-2012-2388). RSA signature verification vulnerability see http://http://www.strongswan.org/blog/2012/05/31/strongswan-4.6.4-released-%28cve-2012-2388%29.html for details. --- lfs/strongswan | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lfs/strongswan b/lfs/strongswan index 44497d480..d0d533d11 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -24,7 +24,7 @@ include Config -VER = 4.6.3 +VER = 4.6.4 THISAPP = strongswan-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 34146e514ced1738b4f2d9e7169bbb52 +$(DL_FILE)_MD5 = 4c0999c42faa0860ae0afc4f8efd9d04 install : $(TARGET) From 1346863ac7cbf67b38d6209a6b0ab3bab565386c Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Fri, 1 Jun 2012 12:54:24 +0200 Subject: [PATCH 16/16] core60: add strongswan security update. --- config/rootfiles/core/60/exclude | 12 +++ config/rootfiles/core/60/filelists/files | 2 + config/rootfiles/core/60/filelists/strongswan | 1 + config/rootfiles/core/60/meta | 1 + config/rootfiles/core/60/update.sh | 83 +++++++++++++++++++ make.sh | 4 +- 6 files changed, 101 insertions(+), 2 deletions(-) create mode 100644 config/rootfiles/core/60/exclude create mode 100644 config/rootfiles/core/60/filelists/files create mode 120000 config/rootfiles/core/60/filelists/strongswan create mode 100644 config/rootfiles/core/60/meta create mode 100644 config/rootfiles/core/60/update.sh diff --git a/config/rootfiles/core/60/exclude b/config/rootfiles/core/60/exclude new file mode 100644 index 000000000..7360266bd --- /dev/null +++ b/config/rootfiles/core/60/exclude 
@@ -0,0 +1,12 @@
+srv/web/ipfire/html/proxy.pac
+etc/udev/rules.d/30-persistent-network.rules
+etc/ipsec.conf
+etc/ipsec.secrets
+etc/ipsec.user.conf
+etc/ipsec.user.secrets
+var/updatecache
+etc/localtime
+var/ipfire/ovpn
+etc/ssh/ssh_config
+etc/ssh/sshd_config
+etc/ssl/openssl.cnf
diff --git a/config/rootfiles/core/60/filelists/files b/config/rootfiles/core/60/filelists/files
new file mode 100644
index 000000000..409e5fe8a
--- /dev/null
+++ b/config/rootfiles/core/60/filelists/files
@@ -0,0 +1,2 @@
+etc/system-release
+etc/issue
diff --git a/config/rootfiles/core/60/filelists/strongswan b/config/rootfiles/core/60/filelists/strongswan
new file mode 120000
index 000000000..90c727e26
--- /dev/null
+++ b/config/rootfiles/core/60/filelists/strongswan
@@ -0,0 +1 @@
+../../../common/strongswan
\ No newline at end of file
diff --git a/config/rootfiles/core/60/meta b/config/rootfiles/core/60/meta
new file mode 100644
index 000000000..d547fa86f
--- /dev/null
+++ b/config/rootfiles/core/60/meta
@@ -0,0 +1 @@
+DEPS=""
diff --git a/config/rootfiles/core/60/update.sh b/config/rootfiles/core/60/update.sh
new file mode 100644
index 000000000..5aaa23ee7
--- /dev/null
+++ b/config/rootfiles/core/60/update.sh
@@ -0,0 +1,83 @@
+#!/bin/bash
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2012 IPFire-Team . #
+# #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+/usr/local/bin/backupctrl exclude >/dev/null 2>&1
+
+#
+# Remove old core updates from pakfire cache to save space...
+core=60
+for (( i=1; i<=$core; i++ ))
+do
+ rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
+done
+
+#
+#Stop services
+/etc/init.d/ipsec stop
+
+#
+#Extract files
+extract_files
+#
+#Start services
+if [ `grep "ENABLED=on" /var/ipfire/vpn/settings` ]; then
+ /etc/init.d/ipsec start
+fi
+
+#
+#Update Language cache
+#perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"
+
+#Rebuild module dep's
+#arch=`uname -m`
+#if [ ${arch::3} == "arm" ]; then
+# depmod -a 2.6.32.45-ipfire-versatile >/dev/null 2>&1
+# depmod -a 2.6.32.45-ipfire-kirkwood >/dev/null 2>&1
+#else
+# depmod -a 2.6.32.45-ipfire >/dev/null 2>&1
+# depmod -a 2.6.32.45-ipfire-pae >/dev/null 2>&1
+# depmod -a 2.6.32.45-ipfire-xen >/dev/null 2>&1
+#fi
+
+
+#Rebuild initrd's because some compat-wireless modules are inside
+#/sbin/dracut --force --verbose /boot/ipfirerd-2.6.32.45.img 2.6.32.45-ipfire
+#if [ -e /boot/ipfirerd-2.6.32.45-pae.img ]; then
+#/sbin/dracut --force --verbose /boot/ipfirerd-2.6.32.45-pae.img 2.6.32.45-ipfire-pae
+#fi
+#if [ -e /boot/ipfirerd-2.6.32.45-xen.img ]; then
+#/sbin/dracut --force --verbose /boot/ipfirerd-2.6.32.45-xen.img 2.6.32.45-ipfire-xen
+#fi
+
+sync
+
+# This update need a reboot...
+#touch /var/run/need_reboot
+
+#
+#Finish
+/etc/init.d/fireinfo start
+sendprofile
+#Don't report the exitcode last command
+exit 0
diff --git a/make.sh b/make.sh
index 3b447c893..6b1c93d31 100755
--- a/make.sh
+++ b/make.sh
@@ -25,8 +25,8 @@
 NAME="IPFire" # Software name
 SNAME="ipfire" # Short name
 VERSION="2.11" # Version number
-CORE="59" # Core Level (Filename)
-PAKFIRE_CORE="59" # Core Level (PAKFIRE)
+CORE="60" # Core Level (Filename)
+PAKFIRE_CORE="60" # Core Level (PAKFIRE)
 GIT_BRANCH=`git status | head -n1 | cut -d" " -f4` # Git Branch
 SLOGAN="www.ipfire.org" # Software slogan
 CONFIG_ROOT=/var/ipfire # Configuration rootdir
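Review bot: In core/60/update.sh the result of `extract_files` is ignored and the script ends in an unconditional `exit 0`, so a failed extraction after `/etc/init.d/ipsec stop` would still be reported as a successful update while the old strongSwan binaries, the ones this core update replaces for CVE-2012-2388, are started again. Capturing the status with `extract_files; rc=$?` and finishing with `exit $rc` keeps the ipsec restart and still hides the exit code of `sendprofile`, as the existing comment intends. What `extract_files` returns on failure is defined in /opt/pakfire/lib/functions.sh, which is not part of this patch, so confirm it reports errors before relying on it.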