This is a work around to prevent not working dns
resolution if the time jumps before the DNSSec signing key.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
htpasswd doesn't protect passwords very well. MD5 was used
before and now any newly created passwords will use the
SHA format.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
I did the following:
- Rearranged the fields on 'guardian.cgi' a bit - in a (hopefully) logical manner,
so that they don't need so much room.
- Added some translation-strings and explanations to (revised) 'guardian.cgi'.
- Added missing language string(s), deleted obsolete.
- Deleted all guardian entries from standard language files in
'/var/ipfire/langs'-directory.
- Added (upgraded) addon-specific language files to '/var/ipfire/addon-lang'-directory.
I hope, I didn't forget something...
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
unbound does not append the local domain to the request
any more (like dnsmasq did). Therefore, the client needs
to do that if desired.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
unbound has some trouble with validating DNSSEC-enabled
domains when the upstream name server is stripping signatures
from the authoritative responses.
This script now checks that, removes any broken upstream
name servers from the list and prints a warning.
If all name servers fail the test, unbound falls back
into recursor mode.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Previously we copied the default configuration from the upstream
package and modified that. Unfortunately a patch and a sed command
changed the file which resulted in unwanted changes.
This patch removes the patch and sed command and adds a new set
of configuration files that just need to be copied to the system.
Fixes#11195
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This update removes dnsmasq and replaces it with unbound.
Also many packages are updated and shipped.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This commit updates krb5 to version 1.14.4
The patch is removed, because he is upstream since 1.12.2.
The samba version is incremented, to link samba against the new krb5
version. Otherwise samba for example is linked against
/usr/lib/libkdb5.so.7 but the current version is /usr/lib/libkdb5.so.8
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Missing CRL sanity check (CVE-2016-7052)
========================================
Severity: Moderate
This issue only affects OpenSSL 1.0.2i, released on 22nd September 2016.
A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0
but was omitted from OpenSSL 1.0.2i. As a result any attempt to use
CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.
OpenSSL 1.0.2i users should upgrade to 1.0.2j
The issue was reported to OpenSSL on 22nd September 2016 by Bruce Stephens and
Thomas Jakobi. The fix was developed by Matt Caswell of the OpenSSL development
team.
https://www.openssl.org/news/secadv/20160926.txt
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
