From 68aa7aa602afac230dc8f9d81f2b7f43993d24d5 Mon Sep 17 00:00:00 2001 From: Sascha Kilian Date: Fri, 15 Apr 2016 09:07:52 +0000 Subject: [PATCH 1/3] openssh: Update to 7.2p2 Signed-off-by: Sascha Kilian Signed-off-by: Michael Tremer --- lfs/openssh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lfs/openssh b/lfs/openssh index ab25d6233..c4dff4d09 100644 --- a/lfs/openssh +++ b/lfs/openssh @@ -24,7 +24,7 @@ include Config -VER = 7.2p1 +VER = 7.2p2 THISAPP = openssh-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = b984775f0cfff1f7ff18b8797fce8a28 +$(DL_FILE)_MD5 = 13009a9156510d8f27e752659075cced install : $(TARGET) From d25d7bfccf37fd008af43021ec5a18f135894699 Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Tue, 3 May 2016 21:28:28 +0200 Subject: [PATCH 2/3] openssl: security update to 1.0.2g see https://www.openssl.org/news/secadv/20160503.txt for details Signed-off-by: Arne Fitzenreiter --- lfs/openssl | 8 ++++---- src/patches/openssl-1.0.1m-weak-ciphers.patch | 11 ----------- src/patches/openssl-1.0.2h-weak-ciphers.patch | 12 ++++++++++++ 3 files changed, 16 insertions(+), 15 deletions(-) delete mode 100644 src/patches/openssl-1.0.1m-weak-ciphers.patch create mode 100644 src/patches/openssl-1.0.2h-weak-ciphers.patch diff --git a/lfs/openssl b/lfs/openssl index eb7352f8c..0a0b2cffd 100644 --- a/lfs/openssl +++ b/lfs/openssl @@ -24,7 +24,7 @@ include Config -VER = 1.0.2g +VER = 1.0.2h THISAPP = openssl-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -53,7 +53,7 @@ CONFIGURE_OPTIONS = \ zlib-dynamic \ enable-camellia \ enable-md2 \ - enable-ssl2 \ + disable-ssl2 \ enable-seed \ enable-tlsext \ enable-rfc3779 \ @@ -87,7 +87,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = f3c710c045cdee5fd114feb69feba7aa +$(DL_FILE)_MD5 = 9392e65072ce4b614c1392eefc1f23d0 install : $(TARGET) 
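Review bot: The updated `$(DL_FILE)_MD5` value in the second hunk of lfs/openssh is the only integrity pin visible for the new tarball, and MD5 has practical collision attacks, so it is a weak basis for authenticating a security-critical source archive. The same applies to the `$(DL_FILE)_MD5` change in lfs/openssl later in this series. Before merging, the tarball should be checked against the upstream release signature or a SHA-256 digest, and a comment next to the checksum such as `# verified against upstream signature` would record that. Whether the download check pulled in by `include Config` can handle a stronger digest is not visible from these hunks.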
@@ -119,7 +119,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.0-beta5-enginesdir.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2a-rpmbuild.patch - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.1m-weak-ciphers.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2h-weak-ciphers.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.0.2g-disable-sslv2v3.patch # i586 specific patches diff --git a/src/patches/openssl-1.0.1m-weak-ciphers.patch b/src/patches/openssl-1.0.1m-weak-ciphers.patch deleted file mode 100644 index f57b97811..000000000 --- a/src/patches/openssl-1.0.1m-weak-ciphers.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- openssl-1.0.1m/ssl/ssl.h.old 2015-03-19 15:25:20.646533583 +0100 -+++ openssl-1.0.1m/ssl/ssl.h 2015-03-19 15:25:31.229875691 +0100 -@@ -334,7 +334,7 @@ - * The following cipher list is used by default. It also is substituted when - * an application-defined cipher list string starts with 'DEFAULT'. - */ --# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2" -+# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2:!RC2:!DES" - /* - * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always - * starts with a reasonable order, and all we have to do for DEFAULT is diff --git a/src/patches/openssl-1.0.2h-weak-ciphers.patch b/src/patches/openssl-1.0.2h-weak-ciphers.patch new file mode 100644 index 000000000..d1ec6a2af --- /dev/null +++ b/src/patches/openssl-1.0.2h-weak-ciphers.patch 
@@ -0,0 +1,12 @@ +diff -Naur openssl-1.0.2h.org/ssl/ssl.h openssl-1.0.2h/ssl/ssl.h +--- openssl-1.0.2h.org/ssl/ssl.h 2016-05-03 15:44:42.000000000 +0200 ++++ openssl-1.0.2h/ssl/ssl.h 2016-05-03 18:49:10.393302264 +0200 +@@ -338,7 +338,7 @@ + * The following cipher list is used by default. It also is substituted when + * an application-defined cipher list string starts with 'DEFAULT'. + */ +-# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2" ++# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2:!RC2:!DES" + /* + * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always + * starts with a reasonable order, and all we have to do for DEFAULT is From 3af3a6c5ee445d52bc31315ddaf734fbfa61f76e Mon Sep 17 00:00:00 2001 From: Arne Fitzenreiter Date: Tue, 3 May 2016 21:30:14 +0200 Subject: [PATCH 3/3] core102: ship openssl and openssl updates 
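Review bot: The patched `SSL_DEFAULT_CIPHER_LIST` still leaves RC4 suites in the default selection, because the appended `:!RC2:!DES` removes only RC2 and single-DES, which the existing `!EXPORT`, `!LOW` and `!SSLv2` exclusions appear to cover for the most part already. RFC 7465 prohibits RC4 in TLS, so if this patch is meant to strip weak ciphers the define could read `"ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2:!RC2:!DES:!RC4"`. If RC4 is kept on purpose for legacy peers, a comment in the patch saying so would make that visible. The rest of ssl.h lies outside the hunk.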
Signed-off-by: Arne Fitzenreiter --- config/rootfiles/core/{101 => 102}/exclude | 0 config/rootfiles/core/102/filelists/files | 2 + .../core/102/filelists/i586/openssl-sse2 | 1 + config/rootfiles/core/102/filelists/openssh | 1 + config/rootfiles/core/102/filelists/openssl | 1 + config/rootfiles/core/{101 => 102}/meta | 0 config/rootfiles/core/102/update.sh | 74 +++++++++++++++++++ config/rootfiles/oldcore/101/exclude | 28 +++++++ .../101/filelists/armv5tel/ath9k-module | 0 .../101/filelists/armv5tel/gmp | 0 .../101/filelists/armv5tel/linux-rpi | 0 .../{core => oldcore}/101/filelists/bind | 0 .../{core => oldcore}/101/filelists/dma | 0 .../{core => oldcore}/101/filelists/e2fsprogs | 0 .../{core => oldcore}/101/filelists/files | 0 .../{core => oldcore}/101/filelists/grep | 0 .../101/filelists/i586/ath9k-module | 0 .../101/filelists/i586/dmidecode | 0 .../{core => oldcore}/101/filelists/i586/gmp | 0 .../{core => oldcore}/101/filelists/libxml2 | 0 .../{core => oldcore}/101/filelists/mpfr | 0 .../{core => oldcore}/101/filelists/nettle | 0 .../{core => oldcore}/101/filelists/patch | 0 .../{core => oldcore}/101/filelists/paxctl | 0 .../{core => oldcore}/101/filelists/pciutils | 0 .../{core => oldcore}/101/filelists/pcre | 0 .../101/filelists/perl-Apache-Htpasswd | 0 .../{core => oldcore}/101/filelists/squid | 0 .../101/filelists/x86_64/ath9k-module | 0 .../101/filelists/x86_64/dmidecode | 0 .../101/filelists/x86_64/gmp | 0 config/rootfiles/oldcore/101/meta | 1 + .../rootfiles/{core => oldcore}/101/update.sh | 0 make.sh | 4 +- 34 files changed, 110 insertions(+), 2 deletions(-) rename config/rootfiles/core/{101 => 102}/exclude (100%) create mode 100644 config/rootfiles/core/102/filelists/files create mode 120000 config/rootfiles/core/102/filelists/i586/openssl-sse2 create mode 120000 config/rootfiles/core/102/filelists/openssh create mode 120000 config/rootfiles/core/102/filelists/openssl rename config/rootfiles/core/{101 => 102}/meta (100%) create mode 100644 
config/rootfiles/core/102/update.sh create mode 100644 config/rootfiles/oldcore/101/exclude rename config/rootfiles/{core => oldcore}/101/filelists/armv5tel/ath9k-module (100%) rename config/rootfiles/{core => oldcore}/101/filelists/armv5tel/gmp (100%) rename config/rootfiles/{core => oldcore}/101/filelists/armv5tel/linux-rpi (100%) rename config/rootfiles/{core => oldcore}/101/filelists/bind (100%) rename config/rootfiles/{core => oldcore}/101/filelists/dma (100%) rename config/rootfiles/{core => oldcore}/101/filelists/e2fsprogs (100%) rename config/rootfiles/{core => oldcore}/101/filelists/files (100%) rename config/rootfiles/{core => oldcore}/101/filelists/grep (100%) rename config/rootfiles/{core => oldcore}/101/filelists/i586/ath9k-module (100%) rename config/rootfiles/{core => oldcore}/101/filelists/i586/dmidecode (100%) rename config/rootfiles/{core => oldcore}/101/filelists/i586/gmp (100%) rename config/rootfiles/{core => oldcore}/101/filelists/libxml2 (100%) rename config/rootfiles/{core => oldcore}/101/filelists/mpfr (100%) rename config/rootfiles/{core => oldcore}/101/filelists/nettle (100%) rename config/rootfiles/{core => oldcore}/101/filelists/patch (100%) rename config/rootfiles/{core => oldcore}/101/filelists/paxctl (100%) rename config/rootfiles/{core => oldcore}/101/filelists/pciutils (100%) rename config/rootfiles/{core => oldcore}/101/filelists/pcre (100%) rename config/rootfiles/{core => oldcore}/101/filelists/perl-Apache-Htpasswd (100%) rename config/rootfiles/{core => oldcore}/101/filelists/squid (100%) rename config/rootfiles/{core => oldcore}/101/filelists/x86_64/ath9k-module (100%) rename config/rootfiles/{core => oldcore}/101/filelists/x86_64/dmidecode (100%) rename config/rootfiles/{core => oldcore}/101/filelists/x86_64/gmp (100%) create mode 100644 config/rootfiles/oldcore/101/meta rename config/rootfiles/{core => oldcore}/101/update.sh (100%) 
diff --git a/config/rootfiles/core/101/exclude b/config/rootfiles/core/102/exclude
similarity index 100%
rename from config/rootfiles/core/101/exclude
rename to config/rootfiles/core/102/exclude
diff --git a/config/rootfiles/core/102/filelists/files b/config/rootfiles/core/102/filelists/files
new file mode 100644
index 000000000..409e5fe8a
--- /dev/null
+++ b/config/rootfiles/core/102/filelists/files
@@ -0,0 +1,2 @@
+etc/system-release
+etc/issue
diff --git a/config/rootfiles/core/102/filelists/i586/openssl-sse2 b/config/rootfiles/core/102/filelists/i586/openssl-sse2
new file mode 120000
index 000000000..f424713d6
--- /dev/null
+++ b/config/rootfiles/core/102/filelists/i586/openssl-sse2
@@ -0,0 +1 @@
+../../../../common/i586/openssl-sse2
\ No newline at end of file
diff --git a/config/rootfiles/core/102/filelists/openssh b/config/rootfiles/core/102/filelists/openssh
new file mode 120000
index 000000000..d8c77fd8e
--- /dev/null
+++ b/config/rootfiles/core/102/filelists/openssh
@@ -0,0 +1 @@
+../../../common/openssh
\ No newline at end of file
diff --git a/config/rootfiles/core/102/filelists/openssl b/config/rootfiles/core/102/filelists/openssl
new file mode 120000
index 000000000..e011a9266
--- /dev/null
+++ b/config/rootfiles/core/102/filelists/openssl
@@ -0,0 +1 @@
+../../../common/openssl
\ No newline at end of file
diff --git a/config/rootfiles/core/101/meta b/config/rootfiles/core/102/meta
similarity index 100%
rename from config/rootfiles/core/101/meta
rename to config/rootfiles/core/102/meta
diff --git a/config/rootfiles/core/102/update.sh b/config/rootfiles/core/102/update.sh
new file mode 100644
index 000000000..2f51d109e
--- /dev/null
+++ b/config/rootfiles/core/102/update.sh
@@ -0,0 +1,74 @@
+#!/bin/bash
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2016 IPFire-Team . #
+# #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+/usr/local/bin/backupctrl exclude >/dev/null 2>&1
+
+core=102
+
+function exit_with_error() {
+ # Set last succesfull installed core.
+ echo $(($core-1)) > /opt/pakfire/db/core/mine
+ /usr/bin/logger -p syslog.emerg -t ipfire \
+ "core-update-${core}: $1"
+ exit $2
+}
+
+# Remove old core updates from pakfire cache to save space...
+for (( i=1; i<=$core; i++ ))
+do
+ rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
+done
+
+
+# Stop services
+
+# Extract files
+extract_files
+
+# update linker config
+ldconfig
+
+# Update Language cache
+#/usr/local/bin/update-lang-cache
+
+#
+# Start services
+#
+
+sync
+# This update need a reboot...
+touch /var/run/need_reboot
+
+# Finish
+/etc/init.d/fireinfo start
+sendprofile
+
+# Update grub config to display new core version
+if [ -e /boot/grub/grub.cfg ]; then
+ grub-mkconfig -o /boot/grub/grub.cfg
+fi
+sync
+
+# Don't report the exitcode last command
+exit 0
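Review bot: The result of `extract_files` is never checked and the script ends with an unconditional `exit 0`, so a failed unpack of the OpenSSL and OpenSSH files would still be reported as a successful core 102 update. `exit_with_error` is defined in this file but has no caller; using it, for example `extract_files || exit_with_error "ERROR cannot extract files" 1`, would log the failure and write the previous core level to /opt/pakfire/db/core/mine. This assumes `extract_files` (sourced from /opt/pakfire/lib/functions.sh, not shown) returns non-zero on failure. The empty "Stop services" and "Start services" sections also mean running daemons keep the old libraries loaded until the reboot flagged by `touch /var/run/need_reboot`, which deserves a one-line comment if intended.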
diff --git a/config/rootfiles/oldcore/101/exclude b/config/rootfiles/oldcore/101/exclude
new file mode 100644
index 000000000..7ddeae0ba
--- /dev/null
+++ b/config/rootfiles/oldcore/101/exclude
@@ -0,0 +1,28 @@
+boot/config.txt
+boot/grub/grub.cfg
+boot/grub/grubenv
+etc/alternatives
+etc/collectd.custom
+etc/default/grub
+etc/ipsec.conf
+etc/ipsec.secrets
+etc/ipsec.user.conf
+etc/ipsec.user.secrets
+etc/localtime
+etc/shadow
+etc/snort/snort.conf
+etc/ssh/ssh_config
+etc/ssh/sshd_config
+etc/ssl/openssl.cnf
+etc/sudoers
+etc/sysconfig/firewall.local
+etc/sysconfig/rc.local
+etc/udev/rules.d/30-persistent-network.rules
+srv/web/ipfire/html/proxy.pac
+var/ipfire/dma
+var/ipfire/time
+var/ipfire/ovpn
+var/lib/alternatives
+var/log/cache
+var/state/dhcp/dhcpd.leases
+var/updatecache
diff --git a/config/rootfiles/core/101/filelists/armv5tel/ath9k-module b/config/rootfiles/oldcore/101/filelists/armv5tel/ath9k-module
similarity index 100%
rename from config/rootfiles/core/101/filelists/armv5tel/ath9k-module
rename to config/rootfiles/oldcore/101/filelists/armv5tel/ath9k-module
diff --git a/config/rootfiles/core/101/filelists/armv5tel/gmp b/config/rootfiles/oldcore/101/filelists/armv5tel/gmp
similarity index 100%
rename from config/rootfiles/core/101/filelists/armv5tel/gmp
rename to config/rootfiles/oldcore/101/filelists/armv5tel/gmp
diff --git a/config/rootfiles/core/101/filelists/armv5tel/linux-rpi b/config/rootfiles/oldcore/101/filelists/armv5tel/linux-rpi
similarity index 100%
rename from config/rootfiles/core/101/filelists/armv5tel/linux-rpi
rename to config/rootfiles/oldcore/101/filelists/armv5tel/linux-rpi
diff --git a/config/rootfiles/core/101/filelists/bind b/config/rootfiles/oldcore/101/filelists/bind
similarity index 100%
rename from config/rootfiles/core/101/filelists/bind
rename to config/rootfiles/oldcore/101/filelists/bind
diff --git a/config/rootfiles/core/101/filelists/dma b/config/rootfiles/oldcore/101/filelists/dma
similarity index 100%
rename from config/rootfiles/core/101/filelists/dma
rename to config/rootfiles/oldcore/101/filelists/dma
diff --git a/config/rootfiles/core/101/filelists/e2fsprogs b/config/rootfiles/oldcore/101/filelists/e2fsprogs
similarity index 100%
rename from config/rootfiles/core/101/filelists/e2fsprogs
rename to config/rootfiles/oldcore/101/filelists/e2fsprogs
diff --git a/config/rootfiles/core/101/filelists/files b/config/rootfiles/oldcore/101/filelists/files
similarity index 100%
rename from config/rootfiles/core/101/filelists/files
rename to config/rootfiles/oldcore/101/filelists/files
diff --git a/config/rootfiles/core/101/filelists/grep b/config/rootfiles/oldcore/101/filelists/grep
similarity index 100%
rename from config/rootfiles/core/101/filelists/grep
rename to config/rootfiles/oldcore/101/filelists/grep
diff --git a/config/rootfiles/core/101/filelists/i586/ath9k-module b/config/rootfiles/oldcore/101/filelists/i586/ath9k-module
similarity index 100%
rename from config/rootfiles/core/101/filelists/i586/ath9k-module
rename to config/rootfiles/oldcore/101/filelists/i586/ath9k-module
diff --git a/config/rootfiles/core/101/filelists/i586/dmidecode b/config/rootfiles/oldcore/101/filelists/i586/dmidecode
similarity index 100%
rename from config/rootfiles/core/101/filelists/i586/dmidecode
rename to config/rootfiles/oldcore/101/filelists/i586/dmidecode
diff --git a/config/rootfiles/core/101/filelists/i586/gmp b/config/rootfiles/oldcore/101/filelists/i586/gmp
similarity index 100%
rename from config/rootfiles/core/101/filelists/i586/gmp
rename to config/rootfiles/oldcore/101/filelists/i586/gmp
diff --git a/config/rootfiles/core/101/filelists/libxml2 b/config/rootfiles/oldcore/101/filelists/libxml2
similarity index 100%
rename from config/rootfiles/core/101/filelists/libxml2
rename to config/rootfiles/oldcore/101/filelists/libxml2
diff --git a/config/rootfiles/core/101/filelists/mpfr b/config/rootfiles/oldcore/101/filelists/mpfr
similarity index 100%
rename from config/rootfiles/core/101/filelists/mpfr
rename to config/rootfiles/oldcore/101/filelists/mpfr
diff --git a/config/rootfiles/core/101/filelists/nettle b/config/rootfiles/oldcore/101/filelists/nettle
similarity index 100%
rename from config/rootfiles/core/101/filelists/nettle
rename to config/rootfiles/oldcore/101/filelists/nettle
diff --git a/config/rootfiles/core/101/filelists/patch b/config/rootfiles/oldcore/101/filelists/patch
similarity index 100%
rename from config/rootfiles/core/101/filelists/patch
rename to config/rootfiles/oldcore/101/filelists/patch
diff --git a/config/rootfiles/core/101/filelists/paxctl b/config/rootfiles/oldcore/101/filelists/paxctl
similarity index 100%
rename from config/rootfiles/core/101/filelists/paxctl
rename to config/rootfiles/oldcore/101/filelists/paxctl
diff --git a/config/rootfiles/core/101/filelists/pciutils b/config/rootfiles/oldcore/101/filelists/pciutils
similarity index 100%
rename from config/rootfiles/core/101/filelists/pciutils
rename to config/rootfiles/oldcore/101/filelists/pciutils
diff --git a/config/rootfiles/core/101/filelists/pcre b/config/rootfiles/oldcore/101/filelists/pcre
similarity index 100%
rename from config/rootfiles/core/101/filelists/pcre
rename to config/rootfiles/oldcore/101/filelists/pcre
diff --git a/config/rootfiles/core/101/filelists/perl-Apache-Htpasswd b/config/rootfiles/oldcore/101/filelists/perl-Apache-Htpasswd
similarity index 100%
rename from config/rootfiles/core/101/filelists/perl-Apache-Htpasswd
rename to config/rootfiles/oldcore/101/filelists/perl-Apache-Htpasswd
diff --git a/config/rootfiles/core/101/filelists/squid b/config/rootfiles/oldcore/101/filelists/squid
similarity index 100%
rename from config/rootfiles/core/101/filelists/squid
rename to config/rootfiles/oldcore/101/filelists/squid
diff --git a/config/rootfiles/core/101/filelists/x86_64/ath9k-module b/config/rootfiles/oldcore/101/filelists/x86_64/ath9k-module similarity index 100% rename from config/rootfiles/core/101/filelists/x86_64/ath9k-module rename to config/rootfiles/oldcore/101/filelists/x86_64/ath9k-module diff --git a/config/rootfiles/core/101/filelists/x86_64/dmidecode b/config/rootfiles/oldcore/101/filelists/x86_64/dmidecode similarity index 100% rename from config/rootfiles/core/101/filelists/x86_64/dmidecode rename to config/rootfiles/oldcore/101/filelists/x86_64/dmidecode diff --git a/config/rootfiles/core/101/filelists/x86_64/gmp b/config/rootfiles/oldcore/101/filelists/x86_64/gmp similarity index 100% rename from config/rootfiles/core/101/filelists/x86_64/gmp rename to config/rootfiles/oldcore/101/filelists/x86_64/gmp diff --git a/config/rootfiles/oldcore/101/meta b/config/rootfiles/oldcore/101/meta new file mode 100644 index 000000000..d547fa86f --- /dev/null +++ b/config/rootfiles/oldcore/101/meta @@ -0,0 +1 @@ +DEPS="" diff --git a/config/rootfiles/core/101/update.sh b/config/rootfiles/oldcore/101/update.sh similarity index 100% rename from config/rootfiles/core/101/update.sh rename to config/rootfiles/oldcore/101/update.sh diff --git a/make.sh b/make.sh index 960b45d6e..d2d3e14a4 100755 --- a/make.sh +++ b/make.sh @@ -25,8 +25,8 @@ NAME="IPFire" # Software name SNAME="ipfire" # Short name VERSION="2.19" # Version number -CORE="101" # Core Level (Filename) -PAKFIRE_CORE="101" # Core Level (PAKFIRE) +CORE="102" # Core Level (Filename) +PAKFIRE_CORE="102" # Core Level (PAKFIRE) GIT_BRANCH=`git rev-parse --abbrev-ref HEAD` # Git Branch SLOGAN="www.ipfire.org" # Software slogan CONFIG_ROOT=/var/ipfire # Configuration rootdir