The tls-remote directive is deprecated and will be removed with
OpenVPN version 2.4 . Added instead --verify-x509-name HOST name
into ovpnmain.cgi.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Changelog:
[security]
Update allowed OpenSSL versions as named is potentially
vulnerable to CVE-2015-3193.
[maint]
H.ROOT-SERVERS.NET is 198.97.190.53 and 2001:500:1::53. [RT #40556]
[security]
Insufficient testing when parsing a message allowed
records with an incorrect class to be be accepted,
triggering a REQUIRE failure when those records
were subsequently cached. (CVE-2015-8000) [RT #40987]
[security]
Address fetch context reference count handling error
on socket error. (CVE-2015-8461) [RT#40945]
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
the external server has changed the compression so the md5 has changed.
Always use the IPFire server as primary download source.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
bind: Update to 9.10.3
Security fixes:
An incorrect boundary check in the OPENPGPKEY rdatatype could trigger an assertion failure. This flaw is disclosed in CVE-2015-5986. [RT #40286]
A buffer accounting error could trigger an assertion failure when parsing certain malformed DNSSEC keys.
This flaw was discovered by Hanno Böck of the Fuzzing Project, and is disclosed in CVE-2015-5722. [RT #40212]
A specially crafted query could trigger an assertion failure in message.c.
This flaw was discovered by Jonathan Foote, and is disclosed in CVE-2015-5477. [RT #40046]
On servers configured to perform DNSSEC validation, an assertion failure could be triggered on answers from a specially configured server.
This flaw was discovered by Breno Silveira Soares, and is disclosed in CVE-2015-4620. [RT #39795]
Bug fixes:
Asynchronous zone loads were not handled correctly when the zone load was already in progress; this could trigger a crash in zt.c. [RT #37573]
A race during shutdown or reconfiguration could cause an assertion failure in mem.c. [RT #38979]
Some answer formatting options didn't work correctly with dig +short. [RT #39291]
Malformed records of some types, including NSAP and UNSPEC, could trigger assertion failures when loading text zone files. [RT #40274] [RT #40285]
Fixed a possible crash in ratelimiter.c caused by NOTIFY messages being removed from the wrong rate limiter queue. [RT #40350]
The default rrset-order of random was inconsistently applied. [RT #40456]
BADVERS responses from broken authoritative name servers were not handled correctly. [RT #40427]
Several bugs have been fixed in the RPZ implementation.
For a complete list, see:
https://kb.isc.org/article/AA-01306/0/BIND-9.10.3-Release-Notes.html
Regards,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
curl did not find the certificate bundle so that server
certificates could not be verified.
Fixes#10995
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
See: http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html
"A vulnerability in Grub2 has been found. Versions from 1.98 (December, 2009)
to 2.02 (December, 2015) are affected. The vulnerability can be exploited
under certain circumstances, allowing local attackers to bypass any kind of
authentication (plain or hashed passwords). And so, the attacker may take
control of the computer."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Since 'Makefile' was affected, I had to rewrite
'dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch', too.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
There was a Bug in the addon so that no data was displayed because of a
typo. Additionally the computeraccounts are now filtered out of
trafficdata collection.
Only Proxy/AD/LDAP Accounts and IP adresses are collected.
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
When creating SNAT rules, the outgoing interface is not set. As a side
effect, traffic that should be send unnatted to a vpn tunnel can be
natted which is a BUG.
With this patch the SNAT rules are getting a outgoing interface
according to the configuration. When selecting the RED Target network,
all SNAT rules will be configured with "-o red0". Otherwise if "all" is
selected, there is no interface in the rule, which matches all networks.
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For some reason, ntp won't use a local clock even if it is
there and up and running. Therefore we need to "prefer" our
only source of time.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Tested-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
The old usage of find walked through the entire filesystem tree
and excluded some paths from being printed. The more efficient
solution is to skip walking through excluded directories entirely.
This is a slight speedup of the build process by a few minutes.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
