When renaming a GeoIP Group, the corresponding names in
firewallrules (if any) are not changed accordingly. Now
when changing a GeoIP Group the firewallrules are renamed
correctly.
Slightly improved first version of this patch (contained
a blank line with trailing whitespace). No functionality
changed, patch has been confirmed as working correctly.
Fixes: #11312
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
When the firewall policy is blocked, no outgoing IPsec connections
can be established. That is slightly counter-intuitive since we
open ports in the incoming direction automatically.
Fixes: #11704
Reported-by: Oliver Fuhrer <oliver.fuhrer@bluewin.ch>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Update ClamAV to 0.100.0, which brings some new features and bugfixes
(release notes are available here: https://blog.clamav.net/2018/04/clamav-01000-has-been-released.html).
Since the internal LLVM code is now deprecated and disabled by default,
patching clamav/libclamav/c++/llvm/lib/ExecutionEngine/JIT/Intercept.cpp
does not seem to be necessary anymore.
Further, the --disable-zlib-vcheck option has been removed since it
produces warnings during compilation.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Updated Apache from 2.4.29 to 2.4.33
- Updated Apr from 1.6.1 to 1.6.3
- Updated Apr-Util from 1.6.0 to 1.6.1
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
These have to be dropped since the entire system does not
support Path MTU discovery any more. This should not have
any disadvantage on any tunnels since PMTU didn't really
work in the first place.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For each mirror server, a protocol can be specified in the
server-list.db database. However, it was not used for the
actual URL query to a mirror before.
This might be useful for deploy HTTPS pinning for Pakfire.
If a mirror is known to support HTTPS, all queries to it
will be made with this protocol.
This saves some overhead if HTTPS is enforced on a mirror
via 301 redirects. To enable this, the server-list.db
needs to be adjusted.
The second version of this patch only handles protocols
HTTP and HTTPS, since we do not expect anything else here
at the moment.
Partially fixes#11661.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
CVE-2018-0739 (OpenSSL advisory) [Moderate severity] 27 March 2018:
Constructed ASN.1 types with a recursive definition (such as can be
found in PKCS7) could eventually exceed the stack given malicious
input with excessive recursion. This could result in a Denial Of
Service attack. There are no such structures used within SSL/TLS
that come from untrusted sources so this is considered safe.
Reported by OSS-fuzz.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
CVE-2018-0739 (OpenSSL advisory) [Moderate severity] 27 March 2018:
Constructed ASN.1 types with a recursive definition (such as can be
found in PKCS7) could eventually exceed the stack given malicious
input with excessive recursion. This could result in a Denial Of
Service attack. There are no such structures used within SSL/TLS
that come from untrusted sources so this is considered safe.
Reported by OSS-fuzz.
This patch also entirely removes support for SSLv3. The patch to
disable it didn't apply and since nobody has been using this before,
we will not compile it into OpenSSL any more.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Update curl to 7.59.0 which fixes a number of bugs and
some minor security issues.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Update GnuPG to 1.4.22, which fixes some security vulnerabilities,
such as the memory side channel attack CVE-2017-7526.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
