Added a reboot notice and made table rows more distinguishable by
alternating their background color. This improves usability.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This change is necessary because the table can grow larger than the main
container if a user has many NICs on their machine.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Fixes: #11819
- Since the Voracle vulnerability, LZO is better placed under the advanced section because under specific circumstances it is exploitable.
- Warning/hint has been added in the option defaults description.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Since HMAC selection is already in the global section, it makes sense to keep the encryption together.
- Given tls-auth a more understandable name.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Fixes: #12009 and #11824
- Since HMACs will be used in any configuration it is better placed in the global menu.
- Adapted global section to advanced and marked sections with a headline for better overview.
- Deleted old headline in advanced section because it is not needed anymore.
- Added check if settings do not include 'DAUTH'; if possible SHA512 will be used and written to settings file.
Old configurations with SHA1 will be untouched.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
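The DAUTH default described in the commit above, as an added example that is not IPFire's own code: a KEY=VALUE settings file is parsed, DAUTH is set to SHA512 only when the key is absent, and an existing SHA1 entry is left untouched. The file format, the sample configurations and the function names are assumptions for illustration.

```python
from typing import Dict, Tuple

# Constructed sample settings in a simple KEY=VALUE format (assumption:
# this mirrors the flat settings files the WUI reads, but it is not the
# project's parser).
OLD_CONFIG = "DCIPHER=AES-256-CBC\nDAUTH=SHA1\nDCOMPLZO=off\n"
NEW_CONFIG = "DCIPHER=AES-256-CBC\nDCOMPLZO=off\n"


def parse_settings(text: str) -> Dict[str, str]:
    """Read KEY=VALUE lines into a dict, ignoring blanks and comments."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def serialize_settings(settings: Dict[str, str]) -> str:
    """Write the dict back as KEY=VALUE lines."""
    return "".join(f"{key}={value}\n" for key, value in settings.items())


def ensure_dauth(settings: Dict[str, str], default: str = "SHA512") -> Tuple[Dict[str, str], bool]:
    """Apply the rule from the commit: only fill in DAUTH when it is missing.

    Returns the (possibly updated) settings and whether a write is needed.
    Existing values such as SHA1 are deliberately not changed.
    """
    if "DAUTH" in settings:
        return settings, False
    updated = dict(settings)
    updated["DAUTH"] = default
    return updated, True


def migrate(text: str) -> Tuple[str, bool]:
    """Parse, apply the DAUTH default, and serialize again."""
    settings, changed = ensure_dauth(parse_settings(text))
    return serialize_settings(settings), changed


if __name__ == "__main__":
    for name, cfg in (("old", OLD_CONFIG), ("new", NEW_CONFIG)):
        out, changed = migrate(cfg)
        print(f"{name}: changed={changed}\n{out}")
```

The hash name is stored as a plain string; whether SHA512 is "possible" on a given build is something the real code has to check against the OpenVPN binary, which this example does not attempt.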
We are not doing anything different from the default here,
so we do not need an extra copy of them.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This patch fixes the behavior in 11696 and adds IPSEC and OpenVPN n2n subnets to wpad.dat so they don't pass through the proxy.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
While being built with user/group set to "tor", the default
configuration still contains the old username.
This patch adjusts it to the correct value. The issue was
caused by insufficient testing, which I apologise for.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
It was too often forgotten to update the backupiso script
that needs to download the matching iso from the servers,
so I added a comment.
no functional change
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Fixes: #12084
Since the Suricata regex did not match the messages output, Suricata was not displayed in the "System Logs" section in the WUI.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
CBC ciphers are vulnerable to a bunch of attacks (being
rather academic so far) such as MAC-then-encrypt or
padding oracle.
These seem to be more serious (see
https://blog.qualys.com/technology/2019/04/22/zombie-poodle-and-goldendoodle-vulnerabilities
for further readings) which is why they should be used
for interoperability purposes only.
I plan to remove AES-CBC ciphers for the WebUI at the
end of the year, provided overall security landscape
has not changed until that.
This patch changes the WebUI cipherlist to:
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
(AES-CBC + ECDSA will be preferred over RSA for performance
reasons. As this cipher order cannot be trivially rebuilt with
OpenSSL cipher strings, it has to be hard-coded.)
All working clients will stay compatible.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
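A way to check a cipher list like the one above against the properties the commit relies on, as an added example that is not part of the commit or of IPFire: it parses lines in the "openssl ciphers -v" column format, counts AEAD versus CBC suites, and flags any suite without ephemeral key exchange, any pre-TLS 1.2 suite, and any AEAD suite that is ordered behind a CBC suite. The list is copied from the commit message as constructed input; the function names are assumptions.

```python
from typing import Dict, List

# Constructed copy of the cipher list from the commit message, in the
# "openssl ciphers -v" column layout it is written in.
WEBUI_CIPHERLIST = """\
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
"""


def parse_cipherlist(text: str) -> List[Dict[str, str]]:
    """Turn each 'NAME VERSION Kx=.. Au=.. Enc=.. Mac=..' line into a dict."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        suite = {"name": parts[0], "version": parts[1]}
        for field in parts[2:]:
            key, _, value = field.partition("=")
            suite[key] = value
        suites.append(suite)
    return suites


def is_aead(suite: Dict[str, str]) -> bool:
    return suite.get("Mac") == "AEAD"


def is_cbc(suite: Dict[str, str]) -> bool:
    # OpenSSL prints plain "AES(256)" for AES-CBC and "AESGCM(256)" for GCM.
    return suite.get("Enc", "").startswith("AES(")


def audit_cipherlist(text: str) -> Dict[str, object]:
    """Summarise the list and report ordering or key-exchange problems."""
    suites = parse_cipherlist(text)
    findings: List[str] = []
    seen_non_aead = False
    for s in suites:
        # Static RSA key exchange has no forward secrecy.
        if s.get("Kx") not in ("any", "ECDH"):
            findings.append(f"{s['name']}: no forward secrecy (Kx={s.get('Kx')})")
        if s["version"] not in ("TLSv1.2", "TLSv1.3"):
            findings.append(f"{s['name']}: legacy protocol {s['version']}")
        # AEAD suites should all come before the CBC fallbacks.
        if not is_aead(s):
            seen_non_aead = True
        elif seen_non_aead:
            findings.append(f"{s['name']}: AEAD suite ordered after a CBC suite")
    return {
        "total": len(suites),
        "aead": sum(1 for s in suites if is_aead(s)),
        "cbc": sum(1 for s in suites if is_cbc(s) and not is_aead(s)),
        "findings": findings,
    }


if __name__ == "__main__":
    print(audit_cipherlist(WEBUI_CIPHERLIST))
```

Running it against the list in the commit reports nine AEAD suites, four CBC suites kept for interoperability, and no findings, which is the state the commit describes; feeding it the output of `openssl ciphers -v` for a server's actual configuration is the practical use.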
This is a feature that will filter adult content from search
engine's results.
The old method of rewriting the HTTP request no longer works.
This method changes the DNS response for supported search engines
which violates our belief in DNSSEC and won't allow these search
engines to ever enable DNSSEC.
However, there is no better solution available to this and this is
an optional feature, too.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
This is not working for quite some time now because all search
engines have moved over to HTTPS. Therefore we no longer can
manipulate the URL query string.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This updates the package to its latest upstream version and should
be able to support IGMPv3.
Fixes: #12074
Suggested-by: Marc Roland <marc.roland@outlook.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Exporting XZ_OPT caused that every time xz was called, it automatically
enabled parallelism. The make system also launches multiple processes
at the same time to use more processor cores at the same time.
The combination of this causes memory exhaustion even on large systems
and has no performance gain. Therefore this is disabled by default
and only enabled where we need it which is already the case.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Fix a bug that allows users to add multiple NICs to non-bridged zones.
This fix includes a new error message.
Unused zones are now invisible instead of grey.
An authenticated Stored XSS (Cross-site Scripting) exists in the
(https://192.168.0.241:444/cgi-bin/routing.cgi) Routing Table Entries
via the "Remark" text box or "remark" parameter. This is due to a
lack of user input validation in "Remark" text box or "remark"
parameter. It allows an authenticated WebGUI user with privileges
for the affected page to execute Stored Cross-site Scripting in
the Routing Table Entries (/cgi-bin/routing.cgi), which helps
attacker to redirect the victim to an attacker's phishing page.
The Stored XSS gets prompted on the victim's page whenever the victim
tries to access the Routing Table Entries configuration page.
An attacker gets access to the victim's session by performing
the CSRF and gathering the cookie and session IDs, or possibly can
change the victim's configuration using this Stored XSS.
This attack can possibly spoof the victim's information.
Fixes: #12072
Reported-by: Dharmesh Baskaran <dharmesh201093@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
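The defect class described in the commit above, shown as an added example that is not IPFire's CGI code: a remark stored from a form is rendered into an HTML table cell once without escaping (the pattern that produces stored XSS) and once with escaping, alongside a secondary length and character check on input. The limits, the allowed character set and the function names are assumptions for illustration; the sample remark is constructed.

```python
import html
import re

# Hypothetical input limits for a free-text remark field.
REMARK_MAX_LEN = 255
REMARK_ALLOWED = re.compile(r"^[A-Za-z0-9 ._:/()+-]*$")


def validate_remark(remark: str) -> bool:
    """Secondary control: reject remarks that are too long or contain
    characters a routing remark never needs (including < > " ')."""
    return len(remark) <= REMARK_MAX_LEN and REMARK_ALLOWED.match(remark) is not None


def render_row_unsafe(remark: str) -> str:
    """The pattern the commit fixes: stored text pasted straight into HTML,
    so any markup in the remark becomes part of the page."""
    return f"<td>{remark}</td>"


def render_row_safe(remark: str) -> str:
    """Primary control: escape on output so the remark is shown as text.
    quote=True also escapes quotes, which matters inside attributes."""
    return f"<td>{html.escape(remark, quote=True)}</td>"


def store_remark(remark: str) -> str:
    """Accept a remark for storage only if it passes validation; the
    escaped rendering is still applied later regardless."""
    if not validate_remark(remark):
        raise ValueError("remark contains disallowed characters or is too long")
    return remark


if __name__ == "__main__":
    # Constructed sample containing harmless markup to show the difference.
    sample = "<b>gateway</b> to branch office"
    print("unsafe:", render_row_unsafe(sample))
    print("safe:  ", render_row_safe(sample))
    print("valid: ", validate_remark(sample))
```

Escaping at output is the control that closes the bug, because it protects remarks that were stored before the validation existed; the input check reduces the amount of odd data that reaches the settings file at all.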
This is a bit shouty and there are various places where we do not
warn about this problem, so this patch makes it more consistent.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This patch mainly changes "Macvtap" to the branded spelling and removes
short forms as well as hyphenation in German compound nouns.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>