webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-15 21:43:00 +02:00
Code Issues Packages Projects Releases Wiki Activity
13,969 Commits 2 Branches 1 Tag
0786c686ea47543bc4ea3d8005ee9489dc98cb13
Commit Graph

7013 Commits

Author SHA1 Message Date
Matthias Fischer
0786c686ea unbound: Update to 1.9.5 
For details see:
https://nlnetlabs.nl/pipermail/unbound-users/2019-November/011897.html

"This release is a fix for vulnerability CVE-2019-18934, that can cause
shell execution in ipsecmod.

Bug Fixes:
- Fix for the reported vulnerability.

The CVE number for this vulnerability is CVE-2019-18934"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-30 09:55:22 +00:00
Arne Fitzenreiter
b0e2dffde9 core139: add captive.cgi to updater 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-30 09:54:14 +00:00
Michael Tremer
1a23cf7324 bird: Fix path of configuration file in backup 
The backup did not pack the configuration file
due to an incorrect path.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-30 09:51:23 +00:00
Arne Fitzenreiter
007b99e540 core139: add pcregrep to updater 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-30 09:49:58 +00:00
Erik Kapfer
eb0adc17d6 pcre: Add pcregrep to core system 
Triggered by --> https://community.ipfire.org/t/pcregrep-on-ipfire/259 .

This patch adds pcregrep only from the actual package not from pcre-compat.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-30 09:49:15 +00:00
Arne Fitzenreiter
7942ff9875 core139: add updated calamaris mkreport 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-30 09:48:00 +00:00
Arne Fitzenreiter
e557cecbdd python: update to 2.7.17 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-28 18:41:18 +01:00
Arne Fitzenreiter
4baee8fa4c kernel: fix x86_64 rootfile 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-15 16:29:42 +01:00
Arne Fitzenreiter
aee6dd0ba4 Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next 2019-11-14 22:13:23 +01:00
Arne Fitzenreiter
44b227b102 kernel: update to 4.14.154 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-14 22:12:12 +01:00
Arne Fitzenreiter
9e5434d4bf rename core138 -> core139 to insert a emergency core update 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-14 17:28:38 +00:00
Arne Fitzenreiter
60490558f6 core138: fix rootfile 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-14 02:42:54 +00:00
Arne Fitzenreiter
6eac34e431 intel-microcode: fix rootfile 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-14 01:55:46 +00:00
Arne Fitzenreiter
1d91ea28f9 bash: fix rootfile 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-14 01:55:38 +00:00
Arne Fitzenreiter
02ad01eb9f core138: fix intel-microcode rootfile link 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 20:08:41 +00:00
Peter Müller
1ec32691e9 intel-microcode: update to 20191112 
For release notes, refer to:
- https://blogs.intel.com/technology/2019/11/ipas-november-2019-intel-platform-update-ipu/
- https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20191112

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:58:08 +00:00
Arne Fitzenreiter
beae0121b7 core138: add bash, readline and readline-compat 2019-11-13 19:45:14 +00:00
Peter Müller
415fb8b5bd bash: update to 5.0 (patchlevel 11) 
The third version of this patch also includes patches 1-11
for version 5.0, drops orphaned 4.3 patches, and fixes rootfile
mistakes reported by Arne.

Please refer to https://tiswww.case.edu/php/chet/bash/bashtop.html
for release notes.

Cc: Michael Tremer <michael.tremer@ipfire.org>
Cc: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:42:59 +00:00
Peter Müller
c82aa03e2c readline: update to 8.0 (patchlevel 1) 
The third version of this patch fixes missing rootfile changes, drops
orphaned readline 5.2 patches (as they became obsolete due to
readline-compat changes), includes readline 8.0 upstream patch, and
keeps the for-loop in LFS file (as commented by Michael).

Cc: Michael Tremer <michael.tremer@ipfire.org>
Cc: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:42:43 +00:00
peter.mueller@ipfire.org
f7b1fe542f readline-compat: update to 6.3 
This is necessary as many add-ons still need readline-compat as they
cannot link against readline 8.0, yet.

Reported-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:42:31 +00:00
Jonatan Schlag
9cc131cc5a Update qemu to version 4.1.0 
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:40:39 +00:00
Jonatan Schlag
5cc921b474 Libvirt: enable lvm 
This was requested in the forum:

https://forum.ipfire.org/viewtopic.php?f=17&t=21872&p=120243&hilit=lvm#p120243

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:39:33 +00:00
Jonatan Schlag
62e116567a Libvirt: update to version 5.6.0 
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:39:20 +00:00
Jonatan Schlag
3e5d4e6f83 libvirt: use a custom config file 
The patch which adjusts the options for IPFire in the libvirtd.conf does
not apply in a newer version of libvirt. Creating this patch is harder
than to use a separate config file.

This separate config file also enables us to adjust options much faster.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:38:59 +00:00
Arne Fitzenreiter
df67c7a80e core138: add squid 2019-11-13 19:37:47 +00:00
Arne Fitzenreiter
590e4a38bf core138: add ddns 2019-11-13 19:33:53 +00:00
Arne Fitzenreiter
ca6dc5ad5e core138: add logwatch 2019-11-13 19:33:31 +00:00
Arne Fitzenreiter
42541ddb7e core138: add suricata changes 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:20:17 +00:00
Stefan Schantl
961a27b5e2 suricata: Use DNS_SERVERS declaration from external file. 
These settings now will be read from
/var/ipfire/suricata/suricata-dns-servers.yaml, which will be
generated by the generate_dns_servers_file() function, located in
ids-functions.pl and called by various scripts.

Fixes #12166.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:14:27 +00:00
Stefan Schantl
bb2696da35 convert-snort: Generate DNS servers file. 
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:14:03 +00:00
Stefan Schantl
30ee98e949 ids-functions.pl: Introduce generate_dns_servers_file() 
This function is used to generate a yaml file which take care of the
current used DNS configuration and should be included in the main
suricata config file.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:13:09 +00:00
Matthias Fischer
e93959a7aa logwatch: Update to 7.5.2 
For details see:
https://build.opensuse.org/package/view_file/server:monitoring/logwatch/ChangeLog?expand=1

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:11:09 +00:00
peter.mueller@ipfire.org
be8afd151f Apache: deny framing of WebUI from different origins 
There is no legitimate reason to do this. Setting header X-Frame-Options
to "sameorigin" is necessary for displaying some collectd graphs on the
WebUI.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:10:33 +00:00
Arne Fitzenreiter
90582bb01e core138: add ipfire-interface.conf 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:10:03 +00:00
peter.mueller@ipfire.org
583687a88d Apache: prevent Referrer leaks via WebUI 
By default, even modern browsers sent the URL of ther originating
site to another one when accessing hyperlinks. This is an information
leak and may expose internal details (such as FQDN or IP address)
of an IPFire installation to a third party.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:09:07 +00:00
Arne Fitzenreiter
1141bc69c9 core138: add ipfire-interface-ssl.conf 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:08:02 +00:00
peter.mueller@ipfire.org
4636ed66c6 Apache: drop CBC ciphers for WebUI 
CBC ciphers contain some known vulnerabilities and should not be used
anymore. While dropping them for OpenSSL clients or public web servers
still causes interoperability problems with legacy setups, they can
be safely removed from IPFire's administrative UI.

This patch changes the used cipersuite to:

TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD

Since TLS 1.3 ciphers will be added automatically by OpenSSL, mentioning
them in "SSLCipherSuite" is unnecessary. ECDSA is preferred over RSA for
performance reasons.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:05:54 +00:00
Arne Fitzenreiter
856cdf15df core138: add openssl 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 19:04:48 +00:00
Arne Fitzenreiter
1826c42b9e core138: add ovpnmain.cgi 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:55:53 +00:00
Arne Fitzenreiter
c86bf0bf24 core138: add unbound initscript 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:54:28 +00:00
Arne Fitzenreiter
d93b76a00e core138: add openvpn 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:52:15 +00:00
Arne Fitzenreiter
64e0b8a5af core138: add init.d/functions 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:50:07 +00:00
Erik Kapfer
cb41e4a9a9 libarchiv: Update to version 3.4.0 
Version 3.4.0 is a feature and security release. The changelog can be found in here --> https://github.com/libarchive/libarchive/releases .

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:45:32 +00:00
Arne Fitzenreiter
eeb1a2a219 core138: add lz4 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:44:36 +00:00
Erik Kapfer
bc456dd750 lz4: Update to version 1.9.2 
Several fixes and improvements has been integrated. The changes list through the different versions since
the current version 1.8.1.2 can be found in here --> https://github.com/lz4/lz4/releases

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:43:04 +00:00
Arne Fitzenreiter
39bf8c6341 core138: add mail.cgi 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:42:17 +00:00
peter.mueller@ipfire.org
8f9c4081b4 Core Update 138: ship ca-certificates 
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:40:04 +00:00
peter.mueller@ipfire.org
d5ccd924e0 update ca-certificates CA bundle 
Update the CA certificates list to what Mozilla NSS ships currently.

The original file can be retrieved from:
https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-11-13 18:39:50 +00:00
Arne Fitzenreiter
94c09bd9c4 core138: add firewall-lib.pl to update 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-29 13:25:55 +00:00
Stefan Schantl
dba780a784 firewall-lib.pl: Populate GeoIP rules only if location is available. 
In case a GeoIP related firewall rule should be created, the script
now will check if the given location is still available.

Fixes #12054.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-10-29 13:23:43 +00:00