webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-11 11:35:54 +02:00
Code Issues Packages Projects Releases Wiki Activity
13,525 Commits 2 Branches 1 Tag
15ca18a3d9efbe8879e8b22f1f72eaeb596ca2f9
Commit Graph

13525 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Arne Fitzenreiter
15ca18a3d9 Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next 2019-06-18 18:42:02 +02:00
Arne Fitzenreiter
82c279a518 kernel: update to 4.14.127 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-06-18 18:41:19 +02:00
Arne Fitzenreiter
1a129822af linux-pae: fix grub.conf creation on pv machines 
on some systems it seems that grub2 and it config also exist.
 2019-06-18 14:36:02 +02:00
Michael Tremer
7516e8b7f1 core134: Ship changed general-functions.pl 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-18 09:13:21 +01:00
Alexander Marx
cc724c142a BUG12070: Its not possible to use the underscore in email addresses 
Using IPFire's Mailservice does not allow to enter a senders mail address with the underscore.
The function used to verify that is used from general-functions.pl.
Now the function 'validemail' allows the underscore in the address.

Fixes: #12070

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-18 09:12:49 +01:00
Michael Tremer
82899ad1ce core134: Ship updated unbound 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-18 09:11:18 +01:00
Matthias Fischer
2f278de868 unbound: Update to 1.9.2 
For details see:
https://nlnetlabs.nl/pipermail/unbound-users/2019-June/011632.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-17 17:39:37 +01:00
Arne Fitzenreiter
1307df2257 Merge branch 'master' into next 2019-06-15 18:10:35 +02:00
Arne Fitzenreiter
faec909e1a vpnmain.cgi: remove wrongh "shift-space" 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-06-15 17:38:47 +02:00
Arne Fitzenreiter
f5662122b5 hyperscan: increase min RAM per buildprocess to 1GB 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-06-14 22:09:47 +02:00
Michael Tremer
bc051eac54 core133: Ship jansson in update 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-14 06:22:52 +01:00
Arne Fitzenreiter
f081e454a6 finish core133 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-06-12 19:57:21 +02:00
Michael Tremer
527078e439 core134: Ship updated OpenSSL 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-12 17:25:13 +01:00
Peter Müller
69772b7dda OpenSSL: lower priority for CBC ciphers in default cipherlist 
In order to avoid CBC ciphers as often as possible (they contain
some known vulnerabilities), this changes the OpenSSL default
ciphersuite to:

TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(128) Mac=SHA256
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
CAMELLIA256-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
CAMELLIA128-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1

Since TLS servers usually override the clients' preference with their
own, this will neither break existing setups nor introduce huge
differences in the wild. Unfortunately, CBC ciphers cannot be disabled
at all, as they are still used by popular web sites.

TLS 1.3 ciphers will be added implicitly and can be omitted in the
ciphersting. Chacha20/Poly1305 is preferred over AES-GCM due to missing
AES-NI support for the majority of installations reporting to Fireinfo
(see https://fireinfo.ipfire.org/processors for details, AES-NI support
is 28.22% at the time of writing).

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-12 17:24:00 +01:00
Michael Tremer
ce46df9b83 Start Core Update 134 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-12 17:18:23 +01:00
Michael Tremer
e263c29c92 unbound: Make some zones type-transparent 
If we remove other records (like MX) from the response, we won't
be able to send mail to those hosts any more.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-12 17:14:28 +01:00
Michael Tremer
91056adea5 unbound: Add yandex.com to safe search feature 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-12 17:11:32 +01:00
Michael Tremer
043e7aa50f unbound: safe search: Resolve hosts at startup 
unbound is not able to expand CNAMEs in local-data. Therefore we
have to do it manually at startup.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-13 11:12:07 +01:00
Peter Müller
fa7de475fe Tor: fix permissions after updating, too 
Fixes #12088

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reported-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-12 05:45:42 +01:00
Michael Tremer
5d65813aa3 core133: Ship updated wpa_supplicant 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-11 07:00:38 +01:00
Matthias Fischer
33fb0c91ec wpa_supplicant: Update to 2.8 
For details see:
https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-11 07:00:05 +01:00
Michael Tremer
894eaf5184 smt: Only disable SMT when the kernel thinks it is vulnerable 
On virtual machines, it does not make sense to disable SMT for the
virtual cores. This has to be done by the hypervisor.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-11 17:07:23 +00:00
Peter Müller
8e101c0bda ship language files in Core Update 133 
These were missing in Core Update 132, and some strings
(especially on the "CPU vulnerabilities" page) missed translations.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-10 19:44:59 +01:00
Michael Tremer
35f12f2998 Rootfile update 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-10 09:58:15 +01:00
Stefan Schantl
33afb0681f convert-ids-modifysids-file: Fix check if the ids is running. 
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-10 09:46:00 +01:00
Matthias Fischer
3f7cec61c9 hostapd: Update to 2.8 
For details see:
https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-10 09:45:54 +01:00
Michael Tremer
28093c8376 Rootfile update 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-08 11:34:37 +01:00
Michael Tremer
09b9910696 Rootfile update 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-07 11:14:11 +01:00
Michael Tremer
c0fc25861f core133: Ship updated knot package 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-07 11:13:01 +01:00
Matthias Fischer
d52b5a4c22 knot: Update to 2.8.2 
For details see:
https://www.knot-dns.cz/2019-06-05-version-282.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-07 11:12:35 +01:00
Michael Tremer
171512b7a7 Update contributors 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-05 12:46:37 +01:00
Erik Kapfer
21a8382383 suricata: Enable EVE logging 
The EVE output facility outputs alerts, metadata, file info and protocol specific records through JSON.
for further informations please see --> https://suricata.readthedocs.io/en/suricata-4.1.2/output/eve/index.html .

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Acked-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-05 12:44:49 +01:00
Stefan Schantl
3c91ee8092 convert-ids-modifysids-file: Adjust code to use changed write_modify_sids_file function 
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-05 12:43:09 +01:00
Michael Tremer
e1f8f870ea core133: Ship snort configuration converter 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-05 12:42:53 +01:00
Stefan Schantl
f1add9a8dd convert-snort: Adjust code to use changed modify_sids_file function. 
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-05 12:42:00 +01:00
Stefan Schantl
81bae51f61 ids-functions.pl: Rework function write_modify_sids_file(). 
Directly implement the logic to determine the used ruleset and if
IDS or IPS mode should be used into the function instead of pass those
details as arguments.

This helps to prevent from doing this stuff at several places again and again.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-05 12:41:49 +01:00
Michael Tremer
a40bcbb02c core133: Ship IPS changes 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-05 12:41:37 +01:00
Tim FitzGeorge
a5ba473c15 suricata: correct rule actions in IPS mode 
In IPS mode rule actions need to be have the action 'drop' for the
protection to work, however this is not appropriate for all rules.
Modify the generator for oinkmaster-modify-sids.conf to leave
rules with the action 'alert' here this is appropriate.  Also add
a script to be run on update to correct existing downloaded rules.

Fixes #12086

Signed-off-by: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Tested-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-05 12:39:57 +01:00
Michael Tremer
9734a58faf core133: Ship IDS ruleset updater 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-05 12:34:44 +01:00
Stefan Schantl
72ab71969f update-ids-ruleset: Run as unprivileged user. 
Check if the script has been launched as privileged user (root) and drop all
permissions by switching to the "nobody" user and group.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-05 12:33:58 +01:00
Michael Tremer
dc9ac30c8d core133: Ship updated vpnmain.cgi file and regenerate configuration 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-05 05:08:31 +01:00
Michael Tremer
745915d82c vpnmain.cgi: Fix wrong cipher suite generation when PFS is disabled 
Fixes: #12091
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-05 05:07:27 +01:00
Matthias Fischer
01320a141d monit: Some fixes for 'monitrc' 
Just cosmetics:
Removed all trailing spaces - there were a few...

Activated 'monit' start delay:
I activated this option to avoid running into a race condition while started through
'/etc/init.d/monit start'.

As mentioned in 'monit' manual:
"...if a service is slow to start, Monit can assume that the service is not running
and possibly try to start it [again] and raise an alert, while, in fact the service
is already about to start or already in its startup sequence."

This happened here during testing with (e.g.) Clamav.

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-05 05:04:17 +01:00
Michael Tremer
c899be2fd0 core133: Ship updated dhcp.cgi 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-05 00:33:36 +01:00
Bernhard Bitsch
e4f9ea3c16 dhcp.cgi: Save fixed leases immediately after addition of a new lease 
This changes the behaviour of the script to immediately save the added
lease to file but still remain in edit mode to make changes.

If the user does not make any changes, the lease is immediately saved
and there is no second click required to write it to file.

This a more natural flow that is expected by almost all users of this
feature.

Fixes: #12050
Signed-off-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-05 00:30:19 +01:00
Michael Tremer
0bb25a4f61 SMT: Disable when system is vulnerable to L1TF (Foreshadow) 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-04 23:55:17 +01:00
Michael Tremer
cfbb61a74d Rootfile update for ARM kernels 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-04 23:44:49 +01:00
Michael Tremer
236831c0f9 Rootfile update for gcc on i586 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-04 23:41:59 +01:00
Michael Tremer
d62925de4f core133: Ship updated PAM 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-04 23:32:35 +01:00
Matthias Fischer
0105cedb0d linux-pam: Update to 1.3.1 
For details see:
https://github.com/linux-pam/linux-pam/releases

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-04 23:32:06 +01:00