This process takes a long time and stalls the update process.
Since the cronjob is being called once an hour, all systems will
very quickly pull a recent database which will then be extracted
in the background not disrupting the Core Update process.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
All other architectures build fine and we do not need to
weaken the Perl module unnecessarily.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
The firewall chain for location based rules has been renamed to
LOCATIONBLOCK and therefore the fiewall needs to be restarted and
the chains regenerated.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
* Also bump the shipped database to 2020-07-10 for a more recent version
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This reverts commit dc637f087f.
Rationale: "authenticate_ip_ttl" can be safely used as it does not
introduces an authentication bypass, but saves relationships between
successfully authenticated users and their IP addresses.
"max_user_ip" depends on such an authentication cache, so credential
sharing between several IPs (on purpose or by chance) can be detected
properly. This is useful in case of crompromised machines and/or
attackers in internal networks having stolen proxy authentication
credentials.
Quoted from squid.conf.documented or man 5 squid.conf:
> acl aclname max_user_ip [-s] number
> # This will be matched when the user attempts to log in from more
> # than <number> different ip addresses. The authenticate_ip_ttl
> # parameter controls the timeout on the ip entries. [fast]
> # If -s is specified the limit is strict, denying browsing
> # from any further IP addresses until the ttl has expired. Without
> # -s Squid will just annoy the user by "randomly" denying requests.
> # (the counter is reset each time the limit is reached and a
> # request is denied)
> # NOTE: in acceleration mode or where there is mesh of child proxies,
> # clients may appear to come from multiple addresses if they are
> # going through proxy farms, so a limit of 1 may cause user problems.
Fixes: #11994
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.11.20/RELEASE-NOTES-bind-9.11.20.html
"Security Fixes
It was possible to trigger an INSIST failure when a zone with
an interior wildcard label was queried in a certain pattern. This
was disclosed in CVE-2020-8619. [GL #1111] [GL #1718]
New Features
dig and other tools can now print the Extended DNS Error (EDE)
option when it appears in a request or a response. [GL #1835]
Bug Fixes
When fully updating the NSEC3 chain for a large zone via IXFR,
a temporary loss of performance could be experienced on the
secondary server when answering queries for nonexistent data that
required DNSSEC proof of non-existence (in other words, queries that
required the server to find and to return NSEC3 data). The
unnecessary processing step that was causing this delay has now been
removed. [GL #1834]
A data race in lib/dns/resolver.c:log_formerr() that could lead
to an assertion failure was fixed. [GL #1808]
Previously, provide-ixfr no; failed to return up-to-date responses
when the serial number was greater than or equal to the current
serial number. [GL #1714]
named-checkconf -p could include spurious text in server-addresses
statements due to an uninitialized DSCP value. This has been fixed.
[GL #1812]
The ARM has been updated to indicate that the TSIG session key is
generated when named starts, regardless of whether it is needed. [GL
#1842]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update bacula from version 9.0.6 to 9.6.5
Version 9.0.6 is over two and a half years old.
- Update config options in lfs to include bacula recommended smartalloc option.
"This enables the inclusion of the Smartalloc orphaned buffer detection
code. This option is highly recommended. Because we never build without this option,
you may experience problems if it is not enabled. In this case, simply re-enable the
option. We strongly recommend keeping this option enabled as it helps detect memory
leaks. This configuration parameter is used while building Bacula"
- Add install, uninstall and update files in src/paks/bacula
- Updated backup/includes to backup the config file and the File Daemon state file.
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://roy.marples.name/blog/dhcpcd-9-1-2-released.html
"Fix installing dhcpcd-definitions.conf rather than embedding it
NetBSD: free ARP state once IPv4LL address announced
Linux: fix compile for older distros
udev: disable plugin for non Linux OS's
BSD: Mark RA dervied addresses as AUTOCONF on NetBSD-current
BSD: Only mark static routes from dhcpcd.conf as static
DHCP6: Ensure requested addresses are requested
DHCP6: Fix prefix length calculation when no prefix specified
privsep: Implement a resource limited sandbox [1]
privsep: Remove inet and dns pledges from master process
privsep: call getifaddrs when the BSD lacks SIOCGIFALIAS
privsep: free getifaddrs the right way if from privsep or not
[1] You will see a control proxy process now. This is for the resource
limited sandbox so that we can isolate requests over the control socket.
For NetBSD, FreeBSD and derivatives such as DragonFlyBSD this is
a massive win as these OS now enjoy a similar level of protection
as Capsicum or Pledge, but without the syscall filtering."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
If this module is not being loaded, the kernel will mark any
GRE connection as INVALID in connection tracking, which will
be then silently dropped by a firewall rule.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
