* bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
* Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Fixes CVE-2017-13089
A stack-based buffer overflow when processing chunked, encoded HTTP
responses was found in wget. By tricking an unsuspecting user into
connecting to a malicious HTTP server, an attacker could exploit
this flaw to potentially execute arbitrary code.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Another clickable link for 'proxy.cgi', this time for 'Cache Manager Interface' - this one opens in a new window.
And: This time - hopefully - with correct '_blank'-attribute (deleted the backslashes) - based on current 'next'.
Plus: Deleted some "blind" tabs - found by chance.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Do not allow credentials being submitted in plaintext to Apache.
Instead, redirect the user with a 301 to the TLS version of IPFire's
web interface.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Voucher was used instead of coupon in English, and Coupon
was used instead of Gutschein in German.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
A vulnerability was found in how a number of implementations can be
triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by
replaying a specific frame that is used to manage the keys. Such
reinstallation of the encryption key can result in two different types
of vulnerabilities: disabling replay protection and significantly
reducing the security of encryption to the point of allowing frames to
be decrypted or some parts of the keys to be determined by an attacker
depending on which cipher is used.
This fixes: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086,
CVE-2017-13087, CVE-2017-13088
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
A vulnerability was found in how a number of implementations can be
triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by
replaying a specific frame that is used to manage the keys. Such
reinstallation of the encryption key can result in two different types
of vulnerabilities: disabling replay protection and significantly
reducing the security of encryption to the point of allowing frames to
be decrypted or some parts of the keys to be determined by an attacker
depending on which cipher is used.
This fixes: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086,
CVE-2017-13087, CVE-2017-13088
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This is required since Apache crashes if any of the key/certificate files
does not exist.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Note: Apache crashes if any of these files does not exist. Thereof it
is necessary to generate missing keys on existing installations.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Generate ECDSA key (and sign it) in case it does not exist. That way,
httpscert can be ran on existing installations without breaking already
generated (RSA) keys.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Priorize ECDSA before RSA and remove unused cipher suites.
Remove redundant OpenSSL directives to make SSL configuration more readable.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
