diff --git a/config/backup/includes/check_mk_agent b/config/backup/includes/check_mk_agent new file mode 100644 index 000000000..ca710461b --- /dev/null +++ b/config/backup/includes/check_mk_agent @@ -0,0 +1 @@ +/etc/check_mk/ diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl index 6994f333d..dbac0d7a1 100644 --- a/config/cfgroot/general-functions.pl +++ b/config/cfgroot/general-functions.pl @@ -413,9 +413,9 @@ sub getnetworkip #Gets: IP, CIDR (10.10.10.0-255, 24) #Gives: 10.10.10.0 my ($ccdip,$ccdsubnet) = @_; - my $ip_address_binary = &Socket::inet_pton( AF_INET,$ccdip ); - my $netmask_binary = &Socket::inet_pton(AF_INET,&iporsubtodec($ccdsubnet)); - my $network_address = &Socket::inet_ntop( AF_INET,$ip_address_binary & $netmask_binary ); + my $ip_address_binary = inet_aton( $ccdip ); + my $netmask_binary = ~pack("N", (2**(32-$ccdsubnet))-1); + my $network_address = inet_ntoa( $ip_address_binary & $netmask_binary ); return $network_address; } @@ -773,21 +773,12 @@ sub validportrange # used to check a port range # Return: TRUE/FALSE sub IpInSubnet { - my $addr = shift; - my $network = shift; - my $netmask = shift; - - my $addr_num = &Socket::inet_pton(AF_INET,$addr); - my $network_num = &Socket::inet_pton(AF_INET,$network); - my $netmask_num = &Socket::inet_pton(AF_INET,$netmask); - - # Find start address - my $network_start = $network_num & $netmask_num; - - # Find end address - my $network_end = $network_start ^ ~$netmask_num; - - return (($addr_num ge $network_start) && ($addr_num le $network_end)); + my $ip = unpack('N', &Socket::inet_aton(shift)); + my $start = unpack('N', &Socket::inet_aton(shift)); + my $mask = unpack('N', &Socket::inet_aton(shift)); + $start &= $mask; # base of subnet... + my $end = $start + ~$mask; + return (($ip >= $start) && ($ip <= $end)); } # diff --git a/config/rootfiles/common/ddns b/config/rootfiles/common/ddns index 2f0bdf741..f93965cea 100644 --- a/config/rootfiles/common/ddns 
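Review bot: In `getnetworkip` the new mask expression `~pack("N", (2**(32-$ccdsubnet))-1)` is only correct when `$ccdsubnet` is a prefix length. The removed line passed the value through `&iporsubtodec` first, presumably so that either notation was accepted; a dotted netmask from a caller would now be coerced to a number and produce a wrong network address without any error. `inet_aton` also returns undef for input it cannot parse and will try to resolve a non-numeric string as a host name, which `inet_pton` did not do. A guard before the arithmetic keeps bad input out, e.g. `return unless $ccdsubnet =~ /\A(?:[0-9]|[12][0-9]|3[0-2])\z/;` plus a `defined` check on the `inet_aton` result. The sub opens outside the hunk, so whether callers already normalise the subnet cannot be seen here.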
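Review bot: `my $end = $start + ~$mask;` in `IpInSubnet` depends on the width of Perl's integers. `~` complements the full native integer, so on a perl built with 64-bit integers `~$mask` carries 32 extra high bits, `$end` ends up far above any IPv4 address, and the upper-bound test always passes. Masking the complement keeps the result to 32 bits on every build: `my $end = $start | (~$mask & 0xFFFFFFFF);`. `&Socket::inet_aton(shift)` returns undef for an unparsable argument, which after `unpack` compares as 0, so a `defined` check on each of the three conversions (returning false otherwise) would stop malformed input from matching a range. The other hunk in this file calls `inet_aton` unqualified while this one uses `&Socket::inet_aton`; one spelling throughout would be clearer.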
+++ b/config/rootfiles/common/ddns
@@ -60,4 +60,7 @@ usr/lib/python2.7/site-packages/ddns/system.pyo
 #usr/share/locale/uz@Latn/LC_MESSAGES
 #usr/share/locale/uz@Latn/LC_MESSAGES/ddns.mo
 #usr/share/locale/vi/LC_MESSAGES/ddns.mo
+#usr/share/locale/zh
+#usr/share/locale/zh/LC_MESSAGES
+#usr/share/locale/zh/LC_MESSAGES/ddns.mo
 #var/ipfire/ddns/ddns.conf.sample
diff --git a/config/rootfiles/core/80/filelists/files b/config/rootfiles/core/80/filelists/files
index 5f4c42cee..cdddaac16 100644
--- a/config/rootfiles/core/80/filelists/files
+++ b/config/rootfiles/core/80/filelists/files
@@ -6,7 +6,9 @@ etc/rc.d/init.d/dhcrelay
 etc/rc.d/init.d/dnsmasq
 etc/rc.d/init.d/firewall
 etc/rc.d/init.d/networking/red.up/30-ddns
+etc/rc.d/init.d/rngd
 srv/web/ipfire/cgi-bin/ddns.cgi
+srv/web/ipfire/cgi-bin/ids.cgi
 srv/web/ipfire/cgi-bin/logs.cgi/firewalllogcountry.dat
 srv/web/ipfire/cgi-bin/logs.cgi/log.dat
 srv/web/ipfire/cgi-bin/netexternal.cgi
diff --git a/config/rootfiles/core/81/exclude b/config/rootfiles/core/81/exclude
new file mode 100644
index 000000000..18e9b4d24
--- /dev/null
+++ b/config/rootfiles/core/81/exclude
@@ -0,0 +1,20 @@
+boot/config.txt
+etc/collectd.custom
+etc/ipsec.conf
+etc/ipsec.secrets
+etc/ipsec.user.conf
+etc/ipsec.user.secrets
+etc/localtime
+etc/shadow
+etc/ssh/ssh_config
+etc/ssh/sshd_config
+etc/ssl/openssl.cnf
+etc/sudoers
+etc/sysconfig/firewall.local
+etc/sysconfig/rc.local
+etc/udev/rules.d/30-persistent-network.rules
+srv/web/ipfire/html/proxy.pac
+var/ipfire/ovpn
+var/log/cache
+var/state/dhcp/dhcpd.leases
+var/updatecache
diff --git a/config/rootfiles/core/81/filelists/ddns b/config/rootfiles/core/81/filelists/ddns
new file mode 120000
index 000000000..739516420
--- /dev/null
+++ b/config/rootfiles/core/81/filelists/ddns
@@ -0,0 +1 @@
+../../../common/ddns
\ No newline at end of file
diff --git a/config/rootfiles/core/81/filelists/files b/config/rootfiles/core/81/filelists/files
new file mode 100644
index 000000000..4b0ae1e75
--- /dev/null
+++ b/config/rootfiles/core/81/filelists/files
@@ -0,0 +1,5 @@
+etc/system-release
+etc/issue
+etc/rc.d/init.d/firewall
+srv/web/ipfire/cgi-bin/ddns.cgi
+srv/web/ipfire/cgi-bin/ovpnmain.cgi
diff --git a/config/rootfiles/core/81/filelists/lzo b/config/rootfiles/core/81/filelists/lzo
new file mode 120000
index 000000000..8e11e78d3
--- /dev/null
+++ b/config/rootfiles/core/81/filelists/lzo
@@ -0,0 +1 @@
+../../../common/lzo
\ No newline at end of file
diff --git a/config/rootfiles/core/81/filelists/openssh b/config/rootfiles/core/81/filelists/openssh
new file mode 120000
index 000000000..d8c77fd8e
--- /dev/null
+++ b/config/rootfiles/core/81/filelists/openssh
@@ -0,0 +1 @@
+../../../common/openssh
\ No newline at end of file
diff --git a/config/rootfiles/core/81/filelists/openssl b/config/rootfiles/core/81/filelists/openssl
new file mode 120000
index 000000000..e011a9266
--- /dev/null
+++ b/config/rootfiles/core/81/filelists/openssl
@@ -0,0 +1 @@
+../../../common/openssl
\ No newline at end of file
diff --git a/config/rootfiles/core/81/meta b/config/rootfiles/core/81/meta
new file mode 100644
index 000000000..d547fa86f
--- /dev/null
+++ b/config/rootfiles/core/81/meta
@@ -0,0 +1 @@
+DEPS=""
diff --git a/config/rootfiles/core/81/update.sh b/config/rootfiles/core/81/update.sh
new file mode 100644
index 000000000..16a559e89
--- /dev/null
+++ b/config/rootfiles/core/81/update.sh
@@ -0,0 +1,57 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 3 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2014 IPFire-Team . # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +/usr/local/bin/backupctrl exclude >/dev/null 2>&1 + +# Remove old core updates from pakfire cache to save space... +core=81 +for (( i=1; i<=$core; i++ )) +do + rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire +done + +# Stop services + +# Remove old strongswan files + +# Extract files +extract_files + +# Start services +/etc/init.d/apache restart + +# Update Language cache +#perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang" + +sync + +# This update need a reboot... +touch /var/run/need_reboot +^^ +# Finish +/etc/init.d/fireinfo start +sendprofile + +# Don't report the exitcode last command +exit 0 diff --git a/html/cgi-bin/ddns.cgi b/html/cgi-bin/ddns.cgi index 7be9a50f0..dc5dacc24 100644 --- a/html/cgi-bin/ddns.cgi +++ b/html/cgi-bin/ddns.cgi 
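Review bot: The line `^^` between `touch /var/run/need_reboot` and `# Finish` is not a command; in a non-interactive bash script it is run as a program name and fails with "command not found", and the closing `exit 0` hides that. It looks like a stray editing artefact and should be deleted. Because the script always exits 0, a failure of `extract_files` is also reported to the caller as success; if that is deliberate, the comment above `exit 0` could say so, e.g. `# Always report success; a failing step above must not abort the core update`. The empty `# Stop services` and `# Remove old strongswan files` sections carry no commands and could be dropped so the script only documents what it does.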
@@ -187,7 +187,7 @@ if (($settings{'ACTION'} eq $Lang::tr{'add'}) || ($settings{'ACTION'} eq $Lang:: # Check if a password has been typed in. # freedns.afraid.org does not require this field. - if (($settings{'PASSWORD'} eq '') && ($settings{'SERVICE'} ne 'freedns.afraid.org')) { + if (($settings{'PASSWORD'} eq '') && ($settings{'SERVICE'} ne 'freedns.afraid.org') && ($settings{'SERVICE'} ne 'regfish.com')) { $errormessage = $Lang::tr{'password not set'}; } @@ -197,6 +197,12 @@ if (($settings{'ACTION'} eq $Lang::tr{'add'}) || ($settings{'ACTION'} eq $Lang:: # Splitt hostname field into 2 parts for storrage. my($hostname, $domain) = split(/\./, $settings{'HOSTNAME'}, 2); + # Handle enabled checkbox. When the checkbox is selected a "on" will be returned, + # if the checkbox is not checked nothing is returned in this case we set the value to "off". + if ($settings{'ENABLED'} ne 'on') { + $settings{'ENABLED'} = 'off'; + } + # Handle adding new accounts. if ($settings{'ACTION'} eq $Lang::tr{'add'}) { @@ -215,8 +221,6 @@ if (($settings{'ACTION'} eq $Lang::tr{'add'}) || ($settings{'ACTION'} eq $Lang:: # Write out notice to logfile. &General::log($Lang::tr{'ddns hostname added'}); - # Update ddns config file. - # Handle account edditing. } elsif ($settings{'ACTION'} eq $Lang::tr{'update'}) { @@ -354,7 +358,9 @@ $checked{'BEHINDROUTER'}{'RED_IP'} = ''; $checked{'BEHINDROUTER'}{'FETCH_IP'} = ''; $checked{'BEHINDROUTER'}{$settings{'BEHINDROUTER'}} = "checked='checked'"; -$checked{'ENABLED'}{'on'} = ($settings{'ENABLED'} eq '' ) ? '' : "checked='checked'"; +$checked{'ENABLED'}{'on'} = ''; +$checked{'ENABLED'}{'off'} = ''; +$checked{'ENABLED'}{$settings{'ENABLED'}} = "checked='checked'"; # Show box for errormessages.. if ($errormessage) { @@ -451,7 +457,7 @@ print < $Lang::tr{'enabled'} - + $Lang::tr{'username'} 
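Review bot: The comment above the password check still says that only freedns.afraid.org may leave the field empty, while the condition now also exempts regfish.com. I would update it to `# freedns.afraid.org and regfish.com accept a token in the username field, so the password may be empty.`, which matches what the `GenerateDDNSConfigFile` hunk does with an empty password. The same two provider names are now spelled out both here and in that function, so a shared list would keep the form check and the config writer from drifting apart. The enclosing `if` block starts and ends outside the hunk.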
@@ -507,17 +513,32 @@ END chomp(@current); my @temp = split(/\,/,$line); + # Handle hostname details. Only connect the values with a dott if both are available. + my $hostname=""; + + if (($temp[1]) && ($temp[2])) { + $hostname="$temp[1].$temp[2]"; + } else { + $hostname="$temp[1]"; + } + # Generate value for enable/disable checkbox. - my $sync = ""; + my $sync = ''; my $gif = ''; my $gdesc = ''; if ($temp[7] eq "on") { $gif = 'on.gif'; $gdesc = $Lang::tr{'click to disable'}; - $sync = (&General::DyndnsServiceSync ($ip,$temp[1], $temp[2]) ? "": "") ; + + # Check if the given hostname is a FQDN before doing a nslookup. + if (&General::validfqdn($hostname)) { + $sync = (&General::DyndnsServiceSync ($ip,$temp[1], $temp[2]) ? "": "") ; + } + $toggle_enabled = 'off'; } else { + $sync = ""; $gif = 'off.gif'; $gdesc = $Lang::tr{'click to enable'}; $toggle_enabled = 'on'; @@ -650,8 +671,8 @@ sub GenerateDDNSConfigFile { if ($provider ~~ ["dns.lightningwirelabs.com", "entrydns.net", "regfish.com"] && $username eq "token") { $use_token = 1; - # Handle token auth for freedns.afraid.org. - } elsif ($provider eq "freedns.afraid.org" && $password eq "") { + # Handle token auth for freedns.afraid.org and regfish.com. + } elsif ($provider ~~ ["freedns.afraid.org", "regfish.com"] && $password eq "") { $use_token = 1; $password = $username; diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 5a28daaed..ff72b7894 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
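Review bot: The new `elsif` in `GenerateDDNSConfigFile` adds a second use of the smartmatch operator, `$provider ~~ ["freedns.afraid.org", "regfish.com"]`; smartmatch is experimental and deprecated in newer perls, so new code is better written without it. A plain comparison does the same here: `} elsif (($provider eq "freedns.afraid.org" || $provider eq "regfish.com") && $password eq "") {`. The branch then copies `$username` into `$password` as the token, so it is worth confirming that the generated config file is not world-readable; the code that writes it is outside the hunk. The function begins and continues outside the hunk.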
@@ -263,11 +263,11 @@ if (-e "/etc/snort/snort.conf") { ####################### End added for snort rules control ################################# if ($snortsettings{'RULES'} eq 'subscripted') { - $url=" http://www.snort.org/sub-rules/snortrules-snapshot-2961.tar.gz/$snortsettings{'OINKCODE'}"; + $url=" https://www.snort.org/rules/snortrules-snapshot-2961.tar.gz?oinkcode=$snortsettings{'OINKCODE'}"; } elsif ($snortsettings{'RULES'} eq 'registered') { - $url=" http://www.snort.org/reg-rules/snortrules-snapshot-2960.tar.gz/$snortsettings{'OINKCODE'}"; + $url=" https://www.snort.org/rules/snortrules-snapshot-2961.tar.gz?oinkcode=$snortsettings{'OINKCODE'}"; } elsif ($snortsettings{'RULES'} eq 'community') { - $url=" http://s3.amazonaws.com/snort-org/www/rules/community/community-rules.tar.gz"; + $url=" https://www.snort.org/rules/community"; } else { $url="http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz"; } diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 927616a55..14308e549 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -3968,10 +3968,8 @@ if ($cgiparams{'TYPE'} eq 'net') { $errormessage = $Lang::tr{'name too long'}; goto VPNCONF_ERROR; } - if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) { + if ($cgiparams{'CERT_NAME'} eq '' || $cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) { $errormessage = $Lang::tr{'invalid input for name'}; - unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; - rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; goto VPNCONF_ERROR; } if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) { diff --git a/lfs/check_mk_agent b/lfs/check_mk_agent index 541d7d6a0..532647111 100644 --- a/lfs/check_mk_agent +++ b/lfs/check_mk_agent 
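Review bot: `$snortsettings{'OINKCODE'}` is interpolated into the query string as-is in the `subscripted` and `registered` branches, so any character with a meaning in a URL passes through unchanged. The same holds for a command line if `$url` is later handed to a downloader through a shell, which the leading space in the string suggests but the hunk does not show. Checking the value before the URL is built closes that off, e.g. `$snortsettings{'OINKCODE'} =~ /\A[A-Za-z0-9]+\z/` (pattern constructed for illustration; adjust to the real oinkcode format). A code carried in the query string will also show up in proxy and server logs, and the emergingthreats URL in the `else` branch is still fetched over plain http. After this change the `subscripted` and `registered` branches build the same URL and could be merged.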
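Review bot: The added `$cgiparams{'CERT_NAME'} eq '' ||` is redundant, because the character class is followed by `+` and an empty string already fails the match. What the pattern still lets through is a trailing newline, since `$` matches before a final "\n". Anchoring with `\A` and `\z` rejects that: `if ($cgiparams{'CERT_NAME'} !~ /\A[a-zA-Z0-9 ,\.\-_]+\z/) {`. The surrounding `if ($cgiparams{'TYPE'} eq 'net')` block starts and ends outside the hunk.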
@@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/check_mk-${VER} TARGET = $(DIR_INFO)/$(THISAPP) PROG = check_mk_agent -PAK_VER = 3 +PAK_VER = 4 DEPS = "" diff --git a/lfs/ddns b/lfs/ddns index 975c8c3ab..b94b3a124 100644 --- a/lfs/ddns +++ b/lfs/ddns @@ -24,7 +24,7 @@ include Config -VER = 003 +VER = 004 THISAPP = ddns-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 9ff8ab5fa716859b51f63b0a241f1337 +$(DL_FILE)_MD5 = ff77cb72d0cb06c73bde70419b15bae8 install : $(TARGET) @@ -71,8 +71,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/ddns-003-Add-a-program-prefix-to-syslog-messages.patch - cd $(DIR_APP) && [ -x "configure" ] || sh ./autogen.sh cd $(DIR_APP) && ./configure --prefix=/usr --sysconfdir=/var/ipfire cd $(DIR_APP) && make $(MAKETUNING) diff --git a/lfs/lzo b/lfs/lzo index 1745f4cca..19ad0909c 100644 --- a/lfs/lzo +++ b/lfs/lzo @@ -24,7 +24,7 @@ include Config -VER = 2.08 +VER = 2.06 THISAPP = lzo-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = fcec64c26a0f4f4901468f360029678f +$(DL_FILE)_MD5 = 95380bd4081f85ef08c5209f4107e9f8 install : $(TARGET) @@ -70,6 +70,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/lzo-2.06-CVE-2014-4607.patch cd $(DIR_APP) && ./configure --prefix=/usr --enable-shared cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install diff --git a/lfs/openssl b/lfs/openssl index 12cea68b2..0f0b823a9 100644 --- a/lfs/openssl +++ b/lfs/openssl @@ -24,7 +24,7 @@ include Config -VER = 1.0.1h +VER = 1.0.1i THISAPP = openssl-$(VER) DL_FILE = $(THISAPP).tar.gz 
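Review bot: In lfs/lzo `VER` goes back from 2.08 to 2.06 and the build now relies on `lzo-2.06-CVE-2014-4607.patch` for the security fix, but nothing in the file says why the older release is used. A comment above the `$(TARGET)` rule would keep a later version bump from silently dropping or double-applying the fix, e.g. `# 2.06 is kept on purpose (reason: <state it here>); CVE-2014-4607 is backported by the patch applied below`. The tarball is still verified with MD5 only, which detects corruption but is weak against a deliberately substituted file; that is the existing convention of these lfs files rather than something this hunk introduces.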
@@ -51,7 +51,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 8d6d684a9430d5cc98a62a5d8fbda8cf +$(DL_FILE)_MD5 = c8dc151a671b9b92ff3e4c118b174972 install : $(TARGET) diff --git a/lfs/tor b/lfs/tor index 6f9e50289..0cc2957ed 100644 --- a/lfs/tor +++ b/lfs/tor @@ -24,7 +24,7 @@ include Config -VER = 0.2.4.22 +VER = 0.2.4.23 THISAPP = tor-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = tor -PAK_VER = 7 +PAK_VER = 8 DEPS = "libevent2" @@ -44,7 +44,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 5a7eee0d9df87233255d78b25c6f8270 +$(DL_FILE)_MD5 = 9e39928e310612c3bffee727f554c63f install : $(TARGET) diff --git a/make.sh b/make.sh index b424bed2d..69be5500e 100755 --- a/make.sh +++ b/make.sh @@ -25,8 +25,8 @@ NAME="IPFire" # Software name SNAME="ipfire" # Short name VERSION="2.15" # Version number -CORE="80" # Core Level (Filename) -PAKFIRE_CORE="80" # Core Level (PAKFIRE) +CORE="81" # Core Level (Filename) +PAKFIRE_CORE="81" # Core Level (PAKFIRE) GIT_BRANCH=`git rev-parse --abbrev-ref HEAD` # Git Branch SLOGAN="www.ipfire.org" # Software slogan CONFIG_ROOT=/var/ipfire # Configuration rootdir diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall index 97186c399..23d0c23ff 100644 --- a/src/initscripts/init.d/firewall +++ b/src/initscripts/init.d/firewall 
@@ -64,16 +64,20 @@ iptables_init() { iptables -A BADTCP -i lo -j RETURN # Disallow packets frequently used by port-scanners - # nmap xmas - iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN - # Null - iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN - # FIN + # NMAP FIN/URG/PSH (XMAS scan) + iptables -A BADTCP -p tcp --tcp-flags ALL FIN,URG,PSH -j PSCAN + # SYN/RST/ACK/FIN/URG + iptables -A BADTCP -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j PSCAN + # ALL/ALL + iptables -A BADTCP -p tcp --tcp-flags ALL ALL -j PSCAN + # FIN Stealth iptables -A BADTCP -p tcp --tcp-flags ALL FIN -j PSCAN # SYN/RST (also catches xmas variants that set SYN+RST+...) iptables -A BADTCP -p tcp --tcp-flags SYN,RST SYN,RST -j PSCAN # SYN/FIN (QueSO or nmap OS probe) iptables -A BADTCP -p tcp --tcp-flags SYN,FIN SYN,FIN -j PSCAN + # Null + iptables -A BADTCP -p tcp --tcp-flags ALL NONE -j PSCAN # NEW TCP without SYN iptables -A BADTCP -p tcp ! --syn -m conntrack --ctstate NEW -j NEWNOTSYN @@ -83,6 +87,7 @@ iptables_init() { # Connection tracking chain iptables -N CONNTRACK iptables -A CONNTRACK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT + iptables -A CONNTRACK -m conntrack --ctstate INVALID -j DROP # Fix for braindead ISP's iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu diff --git a/src/initscripts/init.d/rngd b/src/initscripts/init.d/rngd index 22437fdc4..df4aa7da2 100644 --- a/src/initscripts/init.d/rngd +++ b/src/initscripts/init.d/rngd @@ -28,12 +28,18 @@ case "${1}" in fi boot_mesg "Starting Random Number Generator Daemon..." - loadproc /usr/sbin/rngd --no-tpm=1 + + if pidofproc /usr/sbin/rngd &>/dev/null; then + # Is already running. + echo_ok + else + loadproc /usr/sbin/rngd --no-tpm=1 + fi ;; stop) boot_mesg "Stopping Random Number Generator Daemon..." - killproc /usr/sbin/rngd + killproc -p /var/run/rngd.pid /usr/sbin/rngd ;; restart) 
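Review bot: The new `--ctstate INVALID -j DROP` rule in CONNTRACK discards packets without leaving any trace, whereas the BADTCP rules in the previous hunk jump to the dedicated PSCAN and NEWNOTSYN chains. Depending on the order in which the chains are traversed (not visible here), INVALID packets may be dropped before those rules see them, which makes scans and asymmetric-routing problems harder to diagnose. A rate-limited log rule ahead of the drop keeps the evidence: `iptables -A CONNTRACK -m conntrack --ctstate INVALID -m limit --limit 10/minute -j LOG --log-prefix "DROP_CTINVALID "`. `iptables_init` starts and continues outside the hunk.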
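Review bot: In the rngd script the start branch looks for a running daemon by program name with `pidofproc /usr/sbin/rngd`, while the stop branch now relies on the pid file via `killproc -p /var/run/rngd.pid`. If an instance was started by something other than this script and did not write that pid file (presumably the case the "already running" check was added for), `stop` will not find it. Using the same lookup on both sides avoids the mismatch, e.g. `if pidofproc -p /var/run/rngd.pid /usr/sbin/rngd &>/dev/null; then`, or dropping `-p` from `killproc` if any instance should be stopped. The `case` statement begins and ends outside the hunk.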
diff --git a/src/paks/check_mk_agent/uninstall.sh b/src/paks/check_mk_agent/uninstall.sh index 3a0860afe..51449f55b 100644 --- a/src/paks/check_mk_agent/uninstall.sh +++ b/src/paks/check_mk_agent/uninstall.sh @@ -22,6 +22,7 @@ ############################################################################ # . /opt/pakfire/lib/functions.sh +extract_backup_includes make_backup ${NAME} remove_files diff --git a/src/patches/ddns-003-Add-a-program-prefix-to-syslog-messages.patch b/src/patches/ddns-003-Add-a-program-prefix-to-syslog-messages.patch deleted file mode 100644 index 978db85fc..000000000 --- a/src/patches/ddns-003-Add-a-program-prefix-to-syslog-messages.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 21fd4b8d26d01d622185ab8de971a9ee934220a3 Mon Sep 17 00:00:00 2001 -From: Michael Tremer -Date: Thu, 24 Jul 2014 13:23:36 +0200 -Subject: [PATCH] Add a program prefix to syslog messages. - ---- - src/ddns/__init__.py | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/ddns/__init__.py b/src/ddns/__init__.py -index 22764e6..6fe3a33 100644 ---- a/src/ddns/__init__.py -+++ b/src/ddns/__init__.py -@@ -42,6 +42,8 @@ def setup_logging(): - handler = logging.handlers.SysLogHandler(address="/dev/log", - facility=logging.handlers.SysLogHandler.LOG_DAEMON - ) -+ formatter = logging.Formatter("ddns[%(process)d]: %(message)s") -+ handler.setFormatter(formatter) - handler.setLevel(logging.INFO) - rootlogger.addHandler(handler) - --- -1.9.3 - diff --git a/src/patches/lzo-2.06-CVE-2014-4607.patch b/src/patches/lzo-2.06-CVE-2014-4607.patch new file mode 100755 index 000000000..d22c406e0 --- /dev/null +++ b/src/patches/lzo-2.06-CVE-2014-4607.patch 
@@ -0,0 +1,245 @@ +diff --git a/minilzo/minilzo.c b/minilzo/minilzo.c +index 34ce0f0..ecfdf66 100644 +--- a/minilzo/minilzo.c ++++ b/minilzo/minilzo.c +@@ -3547,6 +3547,8 @@ DO_COMPRESS ( const lzo_bytep in , lzo_uint in_len, + #undef TEST_LBO + #undef NEED_IP + #undef NEED_OP ++#undef TEST_IV ++#undef TEST_OV + #undef HAVE_TEST_IP + #undef HAVE_TEST_OP + #undef HAVE_NEED_IP +@@ -3561,6 +3563,7 @@ DO_COMPRESS ( const lzo_bytep in , lzo_uint in_len, + # if (LZO_TEST_OVERRUN_INPUT >= 2) + # define NEED_IP(x) \ + if ((lzo_uint)(ip_end - ip) < (lzo_uint)(x)) goto input_overrun ++# define TEST_IV(x) if ((x) > (lzo_uint)0 - (511)) goto input_overrun + # endif + #endif + +@@ -3572,6 +3575,7 @@ DO_COMPRESS ( const lzo_bytep in , lzo_uint in_len, + # undef TEST_OP + # define NEED_OP(x) \ + if ((lzo_uint)(op_end - op) < (lzo_uint)(x)) goto output_overrun ++# define TEST_OV(x) if ((x) > (lzo_uint)0 - (511)) goto output_overrun + # endif + #endif + +@@ -3602,11 +3606,13 @@ DO_COMPRESS ( const lzo_bytep in , lzo_uint in_len, + # define HAVE_NEED_IP 1 + #else + # define NEED_IP(x) ((void) 0) ++# define TEST_IV(x) ((void) 0) + #endif + #if defined(NEED_OP) + # define HAVE_NEED_OP 1 + #else + # define NEED_OP(x) ((void) 0) ++# define TEST_OV(x) ((void) 0) + #endif + + #if defined(HAVE_TEST_IP) || defined(HAVE_NEED_IP) +@@ -3687,6 +3693,7 @@ DO_DECOMPRESS ( const lzo_bytep in , lzo_uint in_len, + { + t += 255; + ip++; ++ TEST_IV(t); + NEED_IP(1); + } + t += 15 + *ip++; +@@ -3835,6 +3842,7 @@ match: + { + t += 255; + ip++; ++ TEST_OV(t); + NEED_IP(1); + } + t += 31 + *ip++; +@@ -3879,6 +3887,7 @@ match: + { + t += 255; + ip++; ++ TEST_OV(t); + NEED_IP(1); + } + t += 7 + *ip++; +@@ -4073,6 +4082,8 @@ lookbehind_overrun: + #undef TEST_LBO + #undef NEED_IP + #undef NEED_OP ++#undef TEST_IV ++#undef TEST_OV + #undef HAVE_TEST_IP + #undef HAVE_TEST_OP + #undef HAVE_NEED_IP +@@ -4087,6 +4098,7 @@ lookbehind_overrun: + # if (LZO_TEST_OVERRUN_INPUT >= 2) + # define NEED_IP(x) \ + if 
((lzo_uint)(ip_end - ip) < (lzo_uint)(x)) goto input_overrun ++# define TEST_IV(x) if ((x) > (lzo_uint)0 - (511)) goto input_overrun + # endif + #endif + +@@ -4098,6 +4110,7 @@ lookbehind_overrun: + # undef TEST_OP + # define NEED_OP(x) \ + if ((lzo_uint)(op_end - op) < (lzo_uint)(x)) goto output_overrun ++# define TEST_OV(x) if ((x) > (lzo_uint)0 - (511)) goto output_overrun + # endif + #endif + +@@ -4128,11 +4141,13 @@ lookbehind_overrun: + # define HAVE_NEED_IP 1 + #else + # define NEED_IP(x) ((void) 0) ++# define TEST_IV(x) ((void) 0) + #endif + #if defined(NEED_OP) + # define HAVE_NEED_OP 1 + #else + # define NEED_OP(x) ((void) 0) ++# define TEST_OV(x) ((void) 0) + #endif + + #if defined(HAVE_TEST_IP) || defined(HAVE_NEED_IP) +@@ -4213,6 +4228,7 @@ DO_DECOMPRESS ( const lzo_bytep in , lzo_uint in_len, + { + t += 255; + ip++; ++ TEST_IV(t); + NEED_IP(1); + } + t += 15 + *ip++; +@@ -4361,6 +4377,7 @@ match: + { + t += 255; + ip++; ++ TEST_OV(t); + NEED_IP(1); + } + t += 31 + *ip++; +@@ -4405,6 +4422,7 @@ match: + { + t += 255; + ip++; ++ TEST_OV(t); + NEED_IP(1); + } + t += 7 + *ip++; +diff --git a/src/lzo1_d.ch b/src/lzo1_d.ch +index 40a5bfd..c442d9c 100644 +--- a/src/lzo1_d.ch ++++ b/src/lzo1_d.ch +@@ -76,6 +76,8 @@ + #undef TEST_LBO + #undef NEED_IP + #undef NEED_OP ++#undef TEST_IV ++#undef TEST_OV + #undef HAVE_TEST_IP + #undef HAVE_TEST_OP + #undef HAVE_NEED_IP +@@ -91,6 +93,7 @@ + # if (LZO_TEST_OVERRUN_INPUT >= 2) + # define NEED_IP(x) \ + if ((lzo_uint)(ip_end - ip) < (lzo_uint)(x)) goto input_overrun ++# define TEST_IV(x) if ((x) > (lzo_uint)0 - (511)) goto input_overrun + # endif + #endif + +@@ -102,6 +105,7 @@ + # undef TEST_OP /* don't need both of the tests here */ + # define NEED_OP(x) \ + if ((lzo_uint)(op_end - op) < (lzo_uint)(x)) goto output_overrun ++# define TEST_OV(x) if ((x) > (lzo_uint)0 - (511)) goto output_overrun + # endif + #endif + +@@ -135,11 +139,13 @@ + # define HAVE_NEED_IP 1 + #else + # define NEED_IP(x) ((void) 0) ++# define 
TEST_IV(x) ((void) 0) + #endif + #if defined(NEED_OP) + # define HAVE_NEED_OP 1 + #else + # define NEED_OP(x) ((void) 0) ++# define TEST_OV(x) ((void) 0) + #endif + + +diff --git a/src/lzo1b_d.ch b/src/lzo1b_d.ch +index fe5f361..36b4b6b 100644 +--- a/src/lzo1b_d.ch ++++ b/src/lzo1b_d.ch +@@ -187,6 +187,7 @@ match: + { + t += 255; + ip++; ++ TEST_OV(t); + NEED_IP(1); + } + t += (M4_MIN_LEN - M3_MIN_LEN) + *ip++; +diff --git a/src/lzo1f_d.ch b/src/lzo1f_d.ch +index 9e942f5..0c2199e 100644 +--- a/src/lzo1f_d.ch ++++ b/src/lzo1f_d.ch +@@ -84,6 +84,7 @@ DO_DECOMPRESS ( const lzo_bytep in , lzo_uint in_len, + { + t += 255; + ip++; ++ TEST_IV(t); + NEED_IP(1); + } + t += 31 + *ip++; +@@ -138,6 +139,7 @@ match: + { + t += 255; + ip++; ++ TEST_OV(t); + NEED_IP(1); + } + t += 31 + *ip++; +diff --git a/src/lzo1x_d.ch b/src/lzo1x_d.ch +index 49cf326..c804cc7 100644 +--- a/src/lzo1x_d.ch ++++ b/src/lzo1x_d.ch +@@ -120,6 +120,7 @@ DO_DECOMPRESS ( const lzo_bytep in , lzo_uint in_len, + { + t += 255; + ip++; ++ TEST_IV(t); + NEED_IP(1); + } + t += 15 + *ip++; +@@ -273,6 +274,7 @@ match: + { + t += 255; + ip++; ++ TEST_OV(t); + NEED_IP(1); + } + t += 31 + *ip++; +@@ -317,6 +319,7 @@ match: + { + t += 255; + ip++; ++ TEST_OV(t); + NEED_IP(1); + } + t += 7 + *ip++; +diff --git a/src/lzo2a_d.ch b/src/lzo2a_d.ch +index 48e51ca..954f07e 100644 +--- a/src/lzo2a_d.ch ++++ b/src/lzo2a_d.ch +@@ -131,6 +131,7 @@ DO_DECOMPRESS ( const lzo_bytep in , lzo_uint in_len, + { + t += 255; + ip++; ++ TEST_OV(t); + NEED_IP(1); + } + t += *ip++;
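Review bot: The added `TEST_IV`/`TEST_OV` checks are real only inside the `LZO_TEST_OVERRUN_*` branches; in the `#else` branches they are defined as `((void) 0)`, so decompressors built without overrun testing get no overflow check from this patch. That is worth stating where the patch is applied, e.g. `# CVE-2014-4607 fix only covers the overrun-checked decompressors; untrusted input must go through those`. It would also be good to confirm that the packages linking against lzo use those entry points, which cannot be seen here. The patch file is added with mode 100755, where 100644 is enough for a file that is only read by `patch`.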