Includes a fix for a denial-of-service vulnerability among
many more various fixes.
Fixes #11281
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://ftp.isc.org/isc/bind9/9.11.0-P2/RELEASE-NOTES-bind-9.11.0-P2.html
"BIND 9.11.0-P2 addresses the security issues described in CVE-2016-9131, CVE-2016-9147,
CVE-2016-9444 and CVE-2016-9778.
...
Security Fixes
A coding error in the nxdomain-redirect feature could lead to an assertion failure if the
redirection namespace was served from a local authoritative data source such as a local zone
or a DLZ instead of via recursive lookup. This flaw is disclosed in CVE-2016-9778. [RT
Named could mishandle authority sections that were missing RRSIGs triggering an assertion
failure. This flaw is disclosed in CVE-2016-9444. [RT # 43632]
Named mishandled some responses where covering RRSIG records are returned without the
requested data resulting in an assertion failure. This flaw is disclosed in CVE-2016-9147.
[RT #43548]
Named incorrectly tried to cache TKEY records which could trigger an assertion failure when
there was a class mismatch. This flaw is disclosed in CVE-2016-9131. [RT #43522]
It was possible to trigger assertions when processing a response. This flaw is disclosed in
CVE-2016-8864. [RT #43465]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
In firewallgroups it was not possible to create new networks that are subnets of
IPFire internal networks. Now this is possible for all internal networks.
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This is shown in the log section even when the add-on is not
installed and was rendered as an empty field.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The backup iso script did not check the arch of the host. On an x86_64 host
the wrong iso was downloaded.
Furthermore, there were some if clauses which could cause trouble which
I also tried to improve.
(For example: -e is valid if we have a directory or a file, but we want
to check for a file only)
Fixes: 11258
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
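The two checks this commit message describes (choosing the ISO by host architecture, and testing for a regular file rather than any existing path), as an added example that is not part of the commit or of IPFire's script. The function names, the `example-backup-*.iso` file names and the architecture labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: names and paths below are hypothetical, not IPFire's.

# Map a `uname -m` value to the architecture label used in the ISO name.
iso_arch() {
    case "$1" in
        x86_64) echo "x86_64" ;;
        i?86)   echo "i586" ;;
        *)      return 1 ;;   # unknown arch: refuse to guess
    esac
}

# Print the ISO file name for a machine type, or fail on unknown arch.
iso_name() {
    arch=$(iso_arch "$1") || return 1
    echo "example-backup-${arch}.iso"
}

# Succeeds only when the path is a regular, non-empty file.
# `-e` would also succeed for a directory that happens to have this name.
iso_is_cached() {
    [ -f "$1" ] && [ -s "$1" ]
}

# Decide what to do for a machine type and a cache directory:
# prints "reuse <path>" or "download <path>", fails on unknown arch.
plan_iso() {
    name=$(iso_name "$1") || { echo "unsupported arch: $1" >&2; return 1; }
    path="$2/$name"
    if iso_is_cached "$path"; then
        echo "reuse $path"
    else
        echo "download $path"
    fi
}

# Stand-alone run for the current host.
plan_iso "$(uname -m)" "${TMPDIR:-/tmp}" || true
```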
Sorry, they did it again...:
For details see:
https://www.nano-editor.org/news.php
"GNU nano 2.7.3 "Ontbijtkoek" wipes away a handful of bugs:
your editor is now able to handle filenames that contain
newlines, avoids a brief flash of color when switching
between buffers that are governed by different syntaxes,
makes the Shift+Ctrl+Arrow keys select text again on a
Linux console, is more resistant against malformations
in the positionlog file, and does not crash when ^C is
typed on systems where it produces the code KEY_CANCEL.
Oh, and it no longer mistakenly warns about editing an
unlocked file just after saving a new one. That's it.
Tastes great with thick butter."
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Instead of orange0phys we should use orangephys0. This patch implements
the necessary changes.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
It is now also possible to use the MAC address to define a slave of a
bridge.
Simply add the MAC address to the ZONE_SLAVES=''.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This script is creating common bridges now, too, and therefore
needs a more generic name.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This bridge mode is supposed to be used for virtual environments
to create a network zone as a bridge and have virtual machines inside
it. Other physical interfaces can also be added to the bridge.
This is very similar to the MACVTAP bridge feature but still works
when the link of any (or all) physical interfaces is down.
Fixes: #11252
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
These all fix a potential "NULL dereference" bug that has existed in libpng
since version 0.71 of June 26, 1995. To be vulnerable, an application
has to load a text chunk into the png structure, then delete all text, then
add another text chunk to the same png structure, which seems to be
an unlikely sequence, but it has happened.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Some networks have equipment that fails to forward DNS queries
with EDNS and the DO bit set. They might even lose the replies.
This patch will adjust unbound so that it will not try to receive
too large replies and falls back to TCP earlier. This creates
some higher load on the DNS servers but at least gives us
working DNS.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>