rulefiles.
Suricata seems to struggle when using multiple and/or nested includes in
the same config section. This results in a only partially loaded
confguration where not all rulefiles are loaded and used.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This converter is responsible to convert the old oinkmaster modification
files into the new files and format.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This function is going to replace the part which currently the
oinkmaster.pl script does.
It will read in the extracted ruleset, remove duplicates and alter the
rules to alert or drop in case they match. Also rules will be enabled or
disabled if the used requested this.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This function is used to gather the modes of the configured providers
and return them as hash.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
The download script should not directly do the logging stuff.
It simply should download the files for the requested provider and
return an error code on fail.
The logging should be done at another place.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Remove the option and required code to download the rulesets
for all configured and enabled providers by just calling the downloader
function.
This cause a lot of troubles and if required, directly should be handled
by the processing script.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
When using the "If-Modified-Since" header, the server can be requested
if a modified version of the file can be served.
In case that is true, the file will be sent and stored by the downloader
function. If the file has not been touched since the last time, the
server will respond with the code "304" (Not modified).
This tells us, that the current stored file is the latest one (still up-to-date)
and we safely can skip the download attempt for this provider.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This will help us to determine if all required perl modules and their
dependencies are avail and load-able.
It also prevents us from doubble loading modules and makes development
and maintainance more easy.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Even if the servers do not support HEAD requests, the remote filesize
(content_length) can be obtained from the connection headers.
This generic method works for all servers and therefore we do not need
the code for handle sourcefire servers in a different way anymore.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
The former used hash value only contains the country code when
a rule for a single country should be created.
In case a location group is used the hash value refers to the group name,
which does not work here.
The required country code is part of the processed string and can be omitted
from here. This works well for single codes and location groups, because those
are processed in a loop.
Fixes#12809.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
This patch enabled that we can compress any firmware files on disk. This
will save some space since /lib/firmware is becoming larger with every
release.
From formerly 828MiB, this is now using ~349MiB which is a saving of
about 480MiB on disk. This is helping us a lot fighting to contain the
distribution to 2GB on /.
Some other firmware that is installed in other packages is not
compressed with this patch which is a bit sad, but potentially not worth
the effort.
In order to ship this change with a Core Update, it might be intuitive
to remove /lib/firmware first and then extract the new update with all
new files. However, I do not know if this all will compress as well as
before since now the files are already individually compressed. It might
be a challenge to ship this.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.16.27/doc/arm/html/notes.html#notes-for-bind-9-16-27
"Security Fixes
The rules for acceptance of records into the cache have been
tightened to prevent the possibility of poisoning if forwarders send
records outside the configured bailiwick. (CVE-2021-25220)
ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from
Network and Information Security Lab, Tsinghua University, and
Changgen Zou from Qi An Xin Group Corp. for bringing this
vulnerability to our attention. [GL #2950]
TCP connections with keep-response-order enabled could leave the TCP
sockets in the CLOSE_WAIT state when the client did not properly
shut down the connection. (CVE-2022-0396) [GL #3112]
Feature Changes
DEBUG(1)-level messages were added when starting and ending the BIND
9 task-exclusive mode that stops normal DNS operation (e.g. for
reconfiguration, interface scans, and other events that require
exclusive access to a shared resource). [GL #3137]
Bug Fixes
The max-transfer-time-out and max-transfer-idle-out options were not
implemented when the BIND 9 networking stack was refactored in 9.16.
The missing functionality has been re-implemented and outgoing zone
transfers now time out properly when not progressing. [GL #1897]
TCP connections could hang indefinitely if the other party did not
read sent data, causing the TCP write buffers to fill. This has been
fixed by adding a “write” timer. Connections that are hung while
writing now time out after the tcp-idle-timeout period has elapsed.
[GL #3132]
The statistics counter representing the current number of clients
awaiting recursive resolution results (RecursClients) could
be miscalculated in certain resolution scenarios, potentially
causing the value of the counter to drop below zero. This has been
fixed. [GL #3147]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://github.com/oetiker/rrdtool-1.x/releases/tag/v1.8.0
"Bugfixes
python bindings: properly convert double values of rrd info
failed to expand 'Py_UNUSED', Invalid usage when expanding 'Py_UNUSED'
document --showtime in xport help output
fix --use-nan-for-all-missing-data
update rrdruby.pod
add missing rrdruby.pod and rrdpython.pod to dist
Set first_weekday to 0 (Sunday), when HAVE__NL_TIME_WEEK_1STDAY is not defined
fix median calculation for all NaN inputs
fix potential leak in xport during failure
fix many warnings raised by Cppcheck
fix many compiler warnings from latest gcc
ensure proper initialization in rrd_daemon
cleanup testsuite
better testing
avoid invalid read in rrd_client
add symbols from rrdc to librrd
Fix duplicate write_changes_to_disk() calls when HAVE_LIBRADOS is true and HAVE_MMAP is false
documentation updates
for SMIN example in docs
fix for pyton3 compatibility
freemem only for valid status <Christian Kr"oger>
fix double meaning of time 0 as uninitialized value
fix for zfs not supporting fallocate. this makes resize work on zfs
add rrdrados.pod to dist
fetch - do not call rrd_freemem on uninitialized pointers
use separate pango fontmap per thread
switch to python 3
do not leak filename when opening a broken file
fix leaks in rrdcached
avoid segfault when flushing cache
escape json in legend entries
fix leak in xport
make rrdcgi param parsing more robust
fix race in journal_write"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
On an IPFire installation that has been around since Core Update 110
(released April 28, 2017), these files have been identified as being
orphaned, comparing to a fresh installation of Core Update 164.
To avoid such a list of files agglomerating, persons responsible for a
Core Update should check whether an updated package contains deleted
files in its rootfile. If so, they should be deleted on existing systems
via update.sh as well.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
This was introduced in b1c25d7a84, and
subsequently broke the nightly builds, and I failed to spot this in the
first place. :-/
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
It is not necessary to have this key present on IPFire systems anymore,
since it has not been in use for years, and we can expect systems to be
sufficiently up-to-date, so they no longer need to rely on old updates
or add-ons signed with this key.
Also, given the current key was generated in 2018, we should consider a
Pakfire key rollover soon.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
- In sysvinit-2.97 (Dec2020) a patch was added which allows init to load configuration data
from files stored in /etc/inittab.d/
This modification would have come in with Core Update 155.
- When sysvinit was updated from 2.88dsf to 2.98 the /etc/inittab.d/ directory in the
rootfile was commented out.
Sysvinit looks to see if there are any files in inittab.d but as that directory does not
exist then the message "No inittab.d directory found" is written during the boot and is
also shown in the log summary.
- This patch uncomments the directory so that it will be present. No files will be placed
in it but its prescence will stop the error message being shown during boot.
Fixes: Bug #12797
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This script appeared in the rootfiles for Core Updates 65 and 66, being
released in late 2012 and early 2013. It is not used elsewhere, and
there is no sense in keeping it around on IPFire installations.
Should this patch be accepted, a corresponding 'rm' statement is
necessary in the update.sh script of the Core Update it will go into.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
These rulefiles are used by various providers as a kind of reference and
to store rules which have been taken out for correctness, performance
reasons or because of other reasons.
Fixes#12794.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
OpenSSL Security Advisory [15 March 2022]
============================================
Infinite loop in BN_mod_sqrt() reachable when parsing certificates
(CVE-2022-0778)
==================================================================================
Severity: High
The BN_mod_sqrt() function, which computes a modular square root,
contains
a bug that can cause it to loop forever for non-prime moduli.
Internally this function is used when parsing certificates that contain
elliptic curve public keys in compressed form or explicit elliptic curve
parameters with a base point encoded in compressed form.
It is possible to trigger the infinite loop by crafting a certificate
that
has invalid explicit curve parameters.
Since certificate parsing happens prior to verification of the
certificate
signature, any process that parses an externally supplied certificate
may thus
be subject to a denial of service attack. The infinite loop can also be
reached when parsing crafted private keys as they can contain explicit
elliptic curve parameters.
Thus vulnerable situations include:
- TLS clients consuming server certificates
- TLS servers consuming client certificates
- Hosting providers taking certificates or private keys from customers
- Certificate authorities parsing certification requests from
subscribers
- Anything else which parses ASN.1 elliptic curve parameters
Also any other applications that use the BN_mod_sqrt() where the
attacker
can control the parameter values are vulnerable to this DoS issue.
In the OpenSSL 1.0.2 version the public key is not parsed during initial
parsing of the certificate which makes it slightly harder to trigger
the infinite loop. However any operation which requires the public key
from the certificate will trigger the infinite loop. In particular the
attacker can use a self-signed certificate to trigger the loop during
verification of the certificate signature.
This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was
addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022.
OpenSSL 1.0.2 users should upgrade to 1.0.2zd (premium support customers
only)
OpenSSL 1.1.1 users should upgrade to 1.1.1n
OpenSSL 3.0 users should upgrade to 3.0.2
This issue was reported to OpenSSL on the 24th February 2022 by Tavis
Ormandy
from Google. The fix was developed by David Benjamin from Google and
Tomáš Mráz
from OpenSSL.
Note
====
OpenSSL 1.0.2 is out of support and no longer receiving public updates.
Extended
support is available for premium support customers:
https://www.openssl.org/support/contracts.html
OpenSSL 1.1.0 is out of support and no longer receiving updates of any
kind.
It is affected by the issue.
Users of these versions should upgrade to OpenSSL 3.0 or 1.1.1.
References
==========
URL for this Security Advisory:
https://www.openssl.org/news/secadv/20220315.txt
Note: the online version of the advisory may be updated with additional
details
over time.
For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Only extract rulefiles which are located in a rules directory and/or in the archive
root.
This prevents us from extracting experimental or binary rules etc. which
often are located in corresponding sub-directories.
Reference: #12794.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
