bpfire

mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-09 18:45:54 +02:00

Author	SHA1	Message	Date
Arne Fitzenreiter	4d43b3dcb1	intel-microcode: update to 20200609 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-06-12 17:47:29 +02:00
Arne Fitzenreiter	f3a59d63e2	kernel: update to 4.14.184 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-06-12 16:04:48 +02:00
Peter Müller	92e828b3b0	kernel: disable CONFIG_UPROBES Quoted from #12433: > Uprobes is the user-space counterpart to kprobes: they enable instrumentation > applications (such as 'perf probe') to establish unintrusive probes in > user-space binaries and libraries, by executing handler functions when the > probes are hit by user-space applications. > > ( These probes come in the form of single-byte breakpoints, managed by the > kernel and kept transparent to the probed application. ) IMHO this can be safely disabled, as there is little if any need to debug userspace programs _that_ deeply on an IPFire machine. Fixes: #12433 Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-06-10 15:18:36 +00:00
Peter Müller	a5e577d083	kernel: enable CONFIG_FORTIFY_SOURCE on armv5tel Partially fixes: #12369 Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-06-10 15:17:40 +00:00
Peter Müller	3eb393ff2e	kernel: enable CONFIG_FORTIFY_SOUCRE on aarch64 Partially fixes: #12369 Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-06-10 15:17:24 +00:00
Peter Müller	4ee87ee248	kernel: enable CONFIG_SLUB_DEBUG on aarch64 and armv5tel Fixes: #12377 Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-06-10 15:16:57 +00:00
Arne Fitzenreiter	325a2680c8	kernel: fix diabling CONFIG_MODFIFY_LDT_SYSCALL Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-06-10 16:21:49 +02:00
Arne Fitzenreiter	2b51e4aeab	Revert "kernel: enable CONFIG_RANDOMIZE_BASE on aarch64" with enabled CONFIG_RAMDOIZE_BASE the linking of xtables and maybee other external kernel modules fail on aarch64 This reverts commit `8379ab44b8`.	2020-06-10 16:20:34 +02:00
Peter Müller	e694bbd17f	kernel: enable CONFIG_RANDOMIZE_BASE on armv5tel Partially fixes: #12363 Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-06-09 22:20:26 +00:00
Peter Müller	8379ab44b8	kernel: enable CONFIG_RANDOMIZE_BASE on aarch64 Partially fixes: #12363 Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-06-09 22:19:50 +00:00
Peter Müller	e4d1f96869	kernel: enable CONFIG_HARDENED_USERCOPY on aarch64 and armv5tel Fixes: #12365 Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-06-09 15:37:33 +00:00
Peter Müller	7617da3bba	kernel: enable CONFIG_SECCOMP on aarch64 and armv5tel Fixes: #12366 Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-06-08 21:22:44 +00:00
Peter Müller	d7174d7c3a	kernel: disable CONFIG_ACPI_CUSTOM_METHOD on x86_64 and i586 This is dangerous as it allows replacing the running kernel without rebooting. Kernel Self Protection Project people recommend to keep it disabled. Fixes: #12372 Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-06-08 21:22:32 +00:00
Peter Müller	b1f24c4353	kernel: disable CONFIG_MODIFY_LDT_SYSCALL on i586 and x86_64 Fixes: #12382 Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-06-08 21:22:05 +00:00
Arne Fitzenreiter	8a86d257cf	squid-accounting: remove deps that are moved to core Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-06-05 20:43:58 +00:00
Arne Fitzenreiter	625104ec57	Merge branch 'master' into next	2020-06-04 15:16:39 +00:00
Michael Tremer	405c7326d2	core145: Remove double-added configuration lines for OpenVPN Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-06-04 15:13:33 +00:00
Arne Fitzenreiter	90c1e763b6	Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next	2020-06-04 08:59:28 +02:00
Arne Fitzenreiter	7674247947	start core146 and add the kernel Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-06-04 08:49:28 +02:00
Arne Fitzenreiter	a43b370411	kernel: update to 4.14.183 Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-06-04 08:37:00 +02:00
Michael Tremer	4963d555f6	core145: Update OpenVPN server configuration only when necessary Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-06-03 14:46:31 +00:00
Michael Tremer	495613fb35	core145: Update OpenVPN server configuration only when necessary Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-06-03 14:45:04 +00:00
Arne Fitzenreiter	b923dd3de0	kernel: backport "random: try to actively add entropy" this backports https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/drivers/char/random.c?id=50ee7529ec4500c88f8664560770a7a1b65db72b to gather enough entropy for initialise the crng faster. Of some machines like the APU it will need forever if the machine only wait for entropy without doing anything else. Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-06-03 08:03:01 +00:00
Arne Fitzenreiter	5b0c35e092	drop xen-inage-builder this depends on linux-pae and has failed to boot since a while. Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-06-02 18:37:22 +02:00
Arne Fitzenreiter	83d5892a86	kernel: drop extra i586-pae kernel Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-06-02 18:34:44 +02:00
Peter Müller	e6514b3af8	kernel: disable CONFIG_DEBUG_LIST on i586(-pae) Fixes: #12378 Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-06-02 11:15:51 +00:00
Peter Müller	4264e41a61	kernel: enable CONFIG_SCHED_STACK_END_CHECK on x86_64, armv5tel and aarch64 > This option checks for a stack overrun on calls to schedule(). If the stack > end location is found to be over written always panic as the content of the > corrupted region can no longer be trusted. This is to ensure no erroneous > behaviour occurs which could result in data corruption or a sporadic crash at a > later stage once the region is examined. The runtime overhead introduced is > minimal. Fixes: #12376 Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-06-02 11:15:34 +00:00
Peter Müller	c2749c1bed	kernel: disable CONFIG_USELIB on x86_64 and i586(-pae) > This option enables the uselib syscall a system call used in the dynamic > linker from libc5 and earlier. glibc does not use this system call. If you > intend to run programs built on libc5 or earlier you may need to enable this > syscall. Current systems running glibc can safely disable this. In my point of view, the last sentence matches our situation. Fixes: #12379 Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-06-02 11:15:13 +00:00
Peter Müller	b5e1ccaee2	kernel: enable CONFIG_DEBUG_WX on aarch64 Since this is described as 'Generate a warning if any W+X mappings are found at boot.', it most likely does not break anything and can be safely enabled. Fixes: #12373 Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-06-02 11:14:50 +00:00
Peter Müller	efd508e9f6	kernel: enable page poisoning on x86_64 This is already active on i586 and prevents information leaks from freed data. Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-06-02 11:14:15 +00:00
Peter Müller	442a7f5ea2	Kernel: drop Memstick support These are not needed anymore since Sony announced EOL in 2010 and there is no legitimate use case for such hardware on a firewall system. Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-06-02 11:13:14 +00:00
Peter Müller	90ecad4f66	Kernel: drop bluetooth support The bluetooth addon was recently removed by commit `592be1d206`, which is why we do not need to carry the corresponding kernel modules around anymore. The second version of this patch correctly updates kernel configuration files via "make oldconfig" as requested by Arne. Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Cc: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-06-02 11:12:58 +00:00
Arne Fitzenreiter	bea09ff261	core145: found more urlfilter db files to cleanup Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-05-30 18:04:33 +00:00
Arne Fitzenreiter	30830d62a0	core145: remove converted urlfilter database to force rebuilt with new db. Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-05-30 17:33:40 +00:00
Michael Tremer	371661367c	netatalk: Add krb5 as a dependency Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-05-29 10:27:15 +00:00
Matthias Fischer	fead20a917	knot: Update to 2.9.5 For details see: https://www.knot-dns.cz/2020-05-25-version-295.html "Bugfixes: Old ZSK can be withdrawn too early during a ZSK rollover if maximum zone TTL is computed automatically Server responds SERVFAIL to ANY queries on empty non-terminal nodes Improvements: Also module onlinesign returns minimized responses to ANY queries Linking against libcap-ng can be disabled via a configure option" Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-05-27 11:07:55 +00:00
Matthias Fischer	ca33424de5	minidlna: Update to 1.2.1 For details see: https://sourceforge.net/projects/minidlna/files/minidlna/1.2.1/ Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-05-26 11:13:06 +00:00
Matthias Fischer	6e670b9c9d	ffmpeg: Update to 4.2.3 For details see: http://ffmpeg.org/download.html#release_4.2 Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-05-26 11:12:51 +00:00
Michael Tremer	6d78ec1a1c	core145: Enable OpenVPN metrics collection Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-05-26 11:12:39 +00:00
Michael Tremer	75bb55e716	openvpn: Create database schema if not exists Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-05-26 11:12:23 +00:00
Matthias Fischer	5336aaa6fa	make.sh: Suppress 'ls :cannot access .bz2'-message The message "ls: cannot access '.bz2': No such file or directory" comes from the 'ls' command prior to creating the .md5-files for .bz2, .img.xz and .iso files. But on most builds we have especially no more bzip2 compressed images anymore. This message can usually be ignored and is just irritating. Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-05-26 11:12:04 +00:00
Matthias Fischer	442717a127	nano: Update to 4.9.3 For details see: https://www.nano-editor.org/news.php "One more bug introduced in version 4.9 is fixed: a crash when the terminal screen is resized while at a lock-file prompt." Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-05-26 11:11:51 +00:00
Michael Tremer	91b23ce05b	squidGuard: Fix generating databases with libdb >= 5 Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-05-22 12:47:32 +00:00
Michael Tremer	7479c99349	ids-functions.pl: Quote array of subnets Reported-by: Daniel Weismüller <daniel.weismueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-05-20 12:39:17 +00:00
Arne Fitzenreiter	76a1dedb4f	move perl-DBI and perl-DBD-SQLite to core system Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-05-20 09:47:25 +00:00
Arne Fitzenreiter	b2896abb64	update credits.cgi Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-05-20 09:15:36 +00:00
Arne Fitzenreiter	1d3698fc00	core145: add bind Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-05-19 19:45:29 +00:00
Matthias Fischer	c7e79ba602	bind: Update to 9.11.19 For details see: https://downloads.isc.org/isc/bind9/9.11.19/RELEASE-NOTES-bind-9.11.19.html "Security Fixes To prevent exhaustion of server resources by a maliciously configured domain, the number of recursive queries that can be triggered by a request before aborting recursion has been further limited. Root and top-level domain servers are no longer exempt from the max-recursion-queries limit. Fetches for missing name server address records are limited to 4 for any domain. This issue was disclosed in CVE-2020-8616. [GL #1388] Replaying a TSIG BADTIME response as a request could trigger an assertion failure. This was disclosed in CVE-2020-8617. [GL #1703] Feature Changes Message IDs in inbound AXFR transfers are now checked for consistency. Log messages are emitted for streams with inconsistent message IDs. [GL #1674] Bug Fixes When running on a system with support for Linux capabilities, named drops root privileges very soon after system startup. This was causing a spurious log message, "unable to set effective uid to 0: Operation not permitted", which has now been silenced. [GL #1042] [GL #1090] When named-checkconf -z was run, it would sometimes incorrectly set its exit code. It reflected the status of the last view found; if zone-loading errors were found in earlier configured views but not in the last one, the exit code indicated success. Thanks to Graham Clinch. [GL #1807] When built without LMDB support, named failed to restart after a zone with a double quote (") in its name was added with rndc addzone. Thanks to Alberto Fernández. [GL #1695]" Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-05-19 19:45:02 +00:00
Arne Fitzenreiter	35d361d72e	core145: stop/start suricata and squid Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-05-19 19:43:39 +00:00
Arne Fitzenreiter	1eba21f2a8	core145: restart squid Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-05-19 19:41:22 +00:00

1 2 3 4 5 ...

14710 Commits