Since these files are static, there is no legitimate reason why they
should be owned (hence writable) by "nobody". Also, according to
configroot's LFS file, this is the intended behaviour for the *.user
files, which is then overwritten by the backup LFS file. Therefore, set
the file mode of these statically - configroot does not feature other
files in /var/ipfire/backup/ anyway.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 2.4.8 to 2.4.9
- Update of rootfile
- Changelog
Release 2.4.9 Tue September 20 2022
Security fixes:
#629#640 CVE-2022-40674 -- Heap use-after-free vulnerability in
function doContent. Expected impact is denial of service
or potentially arbitrary code execution.
Bug fixes:
#634 MinGW: Fix mis-compilation for -D__USE_MINGW_ANSI_STDIO=0
#614 docs: Fix documentation on effect of switch XML_DTD on
symbol visibility in doc/reference.html
Other changes:
#638 MinGW: Make fix-xmltest-log.sh drop more Wine bug output
#596#625 Autotools: Sync CMake templates with CMake 3.22
#608 CMake: Migrate from use of CMAKE_*_POSTFIX to
dedicated variables EXPAT_*_POSTFIX to stop affecting
other projects
#597#599 Windows|CMake: Add missing -DXML_STATIC to test runners
and fuzzers
#512#621 Windows|CMake: Render .def file from a template to fix
linking with -DEXPAT_DTD=OFF and/or -DEXPAT_ATTR_INFO=ON
#611#621 MinGW|CMake: Apply MSVC .def file when linking
#622#624 MinGW|CMake: Sync library name with GNU Autotools,
i.e. produce libexpat-1.dll rather than libexpat.dll
by default. Filename libexpat.dll.a is unaffected.
#632 MinGW|CMake: Set missing variable CMAKE_RC_COMPILER in
toolchain file "cmake/mingw-toolchain.cmake" to avoid
error "windres: Command not found" on e.g. Ubuntu 20.04
#597#627 CMake: Unify inconsistent use of set() and option() in
context of public build time options to take need for
set(.. FORCE) in projects using Expat by means of
add_subdirectory(..) off Expat's users' shoulders
#626#641 Stop exporting API symbols when building a static library
#644 Resolve use of deprecated "fgrep" by "grep -F"
#620 CMake: Make documentation on variables a bit more consistent
#636 CMake: Drop leading whitespace from a #cmakedefine line in
file expat_config.h.cmake
#594 xmlwf: Fix harmless variable mix-up in function nsattcmp
#592#593#610 Address Cppcheck warnings
#643 Address Clang 15 compiler warnings
#642#644 Version info bumped from 9:8:8 to 9:9:8;
see https://verbump.de/ for what these numbers do
Infrastructure:
#597#598 CI: Windows: Start covering MSVC 2022
#619 CI: macOS: Migrate off deprecated macOS 10.15
#632 CI: Linux: Make migration off deprecated Ubuntu 18.04 work
#643 CI: Upgrade Clang from 14 to 15
#637 apply-clang-format.sh: Add support for BSD find
#633 coverage.sh: Exclude MinGW headers
#635 coverage.sh: Fix name collision for -funsigned-char
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.16.33/doc/arm/html/notes.html#notes-for-bind-9-16-33
"Security Fixes
Previously, there was no limit to the number of database lookups
performed while processing large delegations, which could be abused to
severely impact the performance of named running as a recursive
resolver. This has been fixed. (CVE-2022-2795)
ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat
Bremler-Barr & Shani Stajnrod from Reichman University for bringing
this vulnerability to our attention. [GL #3394]
named running as a resolver with the stale-answer-client-timeout option
set to 0 could crash with an assertion failure, when there was a stale
CNAME in the cache for the incoming query. This has been fixed.
(CVE-2022-3080) [GL #3517]
A memory leak was fixed that could be externally triggered in the
DNSSEC verification code for the ECDSA algorithm. (CVE-2022-38177) [GL
#3487]
Memory leaks were fixed that could be externally triggered in the
DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178) [GL
#3487]
Feature Changes
Response Rate Limiting (RRL) code now treats all QNAMEs that are
subject to wildcard processing within a given zone as the same name, to
prevent circumventing the limits enforced by RRL. [GL #3459]
Zones using dnssec-policy now require dynamic DNS or inline-signing to
be configured explicitly. [GL #3381]
A backward-compatible approach was implemented for encoding
internationalized domain names (IDN) in dig and converting the domain
to IDNA2008 form; if that fails, BIND tries an IDNA2003 conversion. [GL
#3485]
Bug Fixes
A serve-stale bug was fixed, where BIND would try to return stale data
from cache for lookups that received duplicate queries or queries that
would be dropped. This bug resulted in premature SERVFAIL responses,
and has now been resolved. [GL #2982]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Network (other) help link was set to go to Network (internal) wiki page
Link modified
- Running the check_manualpages.pl script requires it to be executable so the build
changed the permissions mode from 644 to 755
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
- Created (mostly) for old openvpn graphs
- RRD removed when no graph modification for +365 days
- chosen since graph max out is 365 days
- fcron job runs once per week
- chosen since this is just a cleanup and it doesnt need to run everyday
Note: logging can be added if needed.
Signed-off-by: Jon Murphy <jon.murphy@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
- cpufrequtils is a set of "tools" to manage and set cpu freq settings.
- There is an initscript but this is only loading the cpu dependent kernel modules that
are required by cpufrequtils.
- Therefore cpufrequtils is not a service but a set of tools that are used when required.
- SERVICES line made blank so that this addon does not show up in the services addon table.
- Modified install initscript line to not use SERVICES variable
Fixes: Bug#12933
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
For details see:
https://lists.nlnetlabs.nl/pipermail/unbound-users/2022-September/007885.html
"This release fixes CVE-2022-3204 Non-Responsive Delegation
Attack. It was reported by Yehuda Afek from Tel-Aviv
University and Anat Bremler-Barr and Shani Stajnrod from
Reichman University.
This fixes for better performance when under load, by cutting
promiscuous queries for nameserver discovery and limiting the
number of times a delegation point can look in the cache for
missing records.
Bug Fixes
- Patch for CVE-2022-3204 Non-Responsive Delegation Attack."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
According to the kernel's documentation,
> debugfs is a virtual file system that kernel developers use to put
> debugging files into. Enable this option to be able to read and
> write to these files.
There is no legitimate reason why one has to do so on an IPFire machine.
Further, the vast debugging options (i.e. related to various drivers)
have never been enabled, limiting the use of this virtual file system
even further.
This patch therefore proposes to disable it entirely, since its
potential security impact outweights its benefits. Due to operational
constraints, changes to ARM kernel configurations will be made if this
patch is approved for x86_64.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Since we replace Perl, users most likely get to see some nasty "Internal
Server Error" messages during the upgrade. To suppres them, and to limit
the chance of side effects, stop Apache before applying the update, and
start it again afterwards.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Changes in version 0.4.7.10 - 2022-08-12
This version updates the geoip cache that we generate from IPFire location
database to use the August 9th, 2022 one. Everyone MUST update to this
latest release else circuit path selection and relay metrics are badly
affected.
o Major bugfixes (geoip data):
- IPFire informed us on August 12th that databases generated after
(including) August 10th did not have proper ARIN network allocations. We
are updating the database to use the one generated on August 9th, 2022.
Fixes bug 40658; bugfix on 0.4.7.9.
Changes in version 0.4.7.9 - 2022-08-11
This version contains several major fixes aimed at reducing memory pressure on
relays and possible side-channel. It also contains a major bugfix related to
congestion control also aimed at reducing memory pressure on relays.
Finally, there is last one major bugfix related to Vanguard L2 layer node
selection.
We strongly recommend to upgrade to this version especially for Exit relays
in order to help the network defend against this ongoing DDoS.
o Major bugfixes (congestion control):
- Implement RFC3742 Limited Slow Start. Congestion control was
overshooting the congestion window during slow start, particularly
for onion service activity. With this fix, we now update the
congestion window more often during slow start, as well as dampen
the exponential growth when the congestion window grows above a
capping parameter. This should reduce the memory increases guard
relays were seeing, as well as allow us to set lower queue limits
to defend against ongoing DoS attacks. Fixes bug 40642; bugfix
on 0.4.7.5-alpha.
o Major bugfixes (relay):
- Remove OR connections btrack subsystem entries when the connections
close normally. Before this, we would only remove the entry on error and
thus leaking memory for each normal OR connections. Fixes bug 40604;
bugfix on 0.4.0.1-alpha.
- Stop sending TRUNCATED cell and instead close the circuit from which we
received a DESTROY cell. This makes every relay in the circuit path to
stop queuing cells. Fixes bug 40623; bugfix on 0.1.0.2-rc.
o Major bugfixes (vanguards):
- We had omitted some checks for whether our vanguards (second layer
guards from proposal 333) overlapped. Now make sure to pick each
of them to be independent. Also, change the design to allow them
to come from the same family. Fixes bug 40639; bugfix
on 0.4.7.1-alpha.
o Minor features (dirauth):
- Add a torrc option to control the Guard flag bandwidth threshold
percentile. Closes ticket 40652.
- Add an AuthDirVoteGuard torrc option that can allow authorities to
assign the Guard flag to the given fingerprints/country code/IPs.
This is a needed feature mostly for defense purposes in case a DoS
hits the network and relay start losing the Guard flags too fast.
- Make UPTIME_TO_GUARANTEE_STABLE, MTBF_TO_GUARANTEE_STABLE,
TIME_KNOWN_TO_GUARANTEE_FAMILIAR WFU_TO_GUARANTEE_GUARD tunable
from torrc.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on August 11, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/08/11.
o Minor bugfixes (congestion control):
- Add a check for an integer underflow condition that might happen
in cases where the system clock is stopped, the ORconn is blocked,
and the endpoint sends more than a congestion window worth of non-
data control cells at once. This would cause a large congestion
window to be calculated instead of a small one. No security
impact. Fixes bug 40644; bugfix on 0.4.7.5-alpha.
o Minor bugfixes (defense in depth):
- Change a test in the netflow padding code to make it more
_obviously_ safe against remotely triggered crashes. (It was safe
against these before, but not obviously so.) Fixes bug 40645;
bugfix on 0.3.1.1-alpha.
o Minor bugfixes (relay):
- Do not propagate either forward or backward a DESTROY remote reason when
closing a circuit in order to avoid a possible side channel. Fixes bug
40649; bugfix on 0.1.2.4-alpha.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Since we disabled Bluetooth support in the kernel a long time ago due to
security reasons, these do not serve any purpose anymore. Therefore, do
not ship them and delete them on existing installations.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
For some reason, stripper crashes processing this directory:
strip: error: the input file '/lib/firmware/qcom/sc8280xp/LENOVO/21BX/qccdsp8280.mbn' has no sections
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
- The lcd2usb portion of the hd44780 driver in in the latest release version of
lcdproc (0.5.9) are only coded for libusb-0.1, which was removed from IPFire in recent
times.
- Commits have been merged into the lcdproc repository that enable lcd2usb to work with
the libusb-1.0 series but no release has been made since 2017.
- This patch downloaded a zip archive from the status of the lcdproc repository at commit
0e2ce9b. This zip archive was then converted into a tar.gx archive. The lfs and
rootfile have been updated in line with this.
- The lcdproc-0e2ce9b-4.ipfire file created by this build has been tested by the bug
reporter, Rolf Schreiber, and confirmed to fix the issue raised with the bug.
- This patch brings lcdproc upto date with the 149 commits that have been made between
2017 and Dec 2021, the date of the last commit.
- The version number has been defined as the last commit number.
- The -enable-libusb option has to be left in place as it turned out that
-enable-libusb-1-0 only works if -enable-libusb is also set. It looks like this was
identified in the lcdproc issues list but has not yet been fixed.
Fixes: Bug#12920
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
