webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-14 13:02:58 +02:00
Code Issues Packages Projects Releases Wiki Activity
14,977 Commits 2 Branches 1 Tag
53e1abbb57768153b72656ec985b0979bcfbe6dd
Commit Graph

14977 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Matthias Fischer
53e1abbb57 unbound: Update to 1.11.0 
For details see:
https://lists.nlnetlabs.nl/pipermail/unbound-users/2020-July/006921.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-17 17:47:36 +00:00
Michael Tremer
c2607bc492 7zip: Move files to /usr 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-17 17:23:37 +00:00
Michael Tremer
6168163681 u-boot: Fix build with GCC 10 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-17 15:09:51 +00:00
Michael Tremer
9b34655840 grub: Run autoreconf after applying patches 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-17 15:09:24 +00:00
Michael Tremer
8d25e59811 core149: Ship everything that was recently updated 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-17 10:21:40 +00:00
Marcel Follert
6992457365 socat: New package 
Signed-off-by: Marcel Follert (Smooky) <smooky@v16.de>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-17 10:10:11 +00:00
Matthias Fischer
db376b5895 iproute2: Update to 5.8.0 
For details see:
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/log/?h=v5.8.0

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-17 10:09:25 +00:00
Matthias Fischer
2fa9dfa8d9 apache: Update to 2.4.46 
For details see:
https://mirrors.ae-online.de/apache//httpd/CHANGES_2.4.46

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-17 10:09:20 +00:00
Matthias Fischer
62e68ad323 logrotate: Update to 3.17.0 
For details see:
https://github.com/logrotate/logrotate/releases/tag/3.17.0

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-17 10:09:17 +00:00
Erik Kapfer
942446b553 OpenVPN: Add tls-version-min for TLSv1.2 
ovpnmain.cgi delivers now 'tls-version-min 1.2' for Roadwarrior and N2N.
Since the server needs it only on server side, this patch do not includes it for Roadwarrior clients.
N2N do not uses push options therefor this directive will be included on both sides.

To integrate the new directive into actual working OpenVPN server environment, the following commands
should be executed via update.sh.

Code block start:

if test -f "/var/ipfire/ovpn/server.conf"; then
	# Add tls-version-minimum to OpenVPN server if not already there
	if ! grep -q '^tls-version-min' /var/ipfire/ovpn/server.conf > /dev/null 2>&1; then
		# Stop server before append the line
		/usr/local/bin/openvpnctrl -k
		# Append new directive
		echo >> "tls-version-min 1.2" /var/ipfire/ovpn/server.conf
		# Make sure server.conf have the correct permissions to prevent such
		# --> https://community.ipfire.org/t/unable-to-start-the-openvpn-server/2465/54?u=ummeegge
		# case
		chown nobody:nobody /var/ipfire/ovpn/server.conf
		# Start server again
		/usr/local/bin/openvpnctrl -s
	fi
fi

Code block end

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-17 10:09:15 +00:00
Erik Kapfer
0d1054abc9 curl: Update to version 7.71.1 
Several bugfixes and vulnerabilities has been fixed since the current available version 7.64.0 .

For a full overview, the changelog is located in here --> https://curl.haxx.se/changes.html,
a security problem overview in here --> https://curl.haxx.se/docs/security.html .

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-17 10:09:10 +00:00
Stefan Schantl
80dd69380d hyperscan: Update to 5.3.0 
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Michael Tremer <Michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-17 10:09:08 +00:00
Erik Kapfer
ba50f66da3 OpenVPN: max-clients value has been enhanced 
The --max-client value has been enhanced from 255 clients to 1024 clients.
Error message gives now explanation if the maximum has been reached.

Patch has been triggered by https://community.ipfire.org/t/openvpn-max-vpn-clients-quantity-and-connections/2925 .

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-17 10:09:03 +00:00
Michael Tremer
b970ae902a haproxy: Update to 2.2.2 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-17 10:08:25 +00:00
Michael Tremer
fa8edb9bd7 index.cgi: Show a note to people who are running IPFire on i?86 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-17 10:08:23 +00:00
Michael Tremer
c0fe5ea579 index.cgi: Drop Reiser4 warning 
We have dropped Reiser4 in 2013. There won't be any systems out there
any more running it. We can safely drop this warning.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-17 10:08:22 +00:00
Stephan Feddersen
6408a43c0d WIO. new version 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-17 10:08:17 +00:00
Stephan Feddersen
6a73c7b94c WIO: new french translation 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-17 10:08:16 +00:00
Stephan Feddersen
48aae162c6 WIO: code cleanup 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-17 10:08:14 +00:00
Peter Müller
159cab272a OpenSSL: remove ciphers without Forward Secrecy from default ciphersuite 
Ciphers not supplying (Perfect) Forward Secrecy are considered dangerous
since they allow content decryption in retrospect, if an attacker is
able to gain access to the servers' private key used for the
corresponding TLS session.

Since IPFire machines establish very few TLS connections by themselves, and
destinations (IPFire.org infrastructure, mirrors, IPS rule sources, etc.)
provide support for Forward Secrecy ciphers - some are even enforcing
them -, it is safe to drop support for anything else.

This patch reduces the OpenSSL default cipher list to:
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(128) Mac=SHA256
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-17 10:07:56 +00:00
Michael Tremer
44bfc40640 glibc: aarch64: Ignore uninitialised variables in the stage2 build, too 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-17 10:05:40 +00:00
Michael Tremer
815ca15dc4 make.sh: Increase maximum size of ramdisk to 8GB 
The previous 4GB were not enough for a full GCC bootstrap
in the toolchain stage.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-16 10:29:43 +00:00
Michael Tremer
6d6f306179 perl: Fix build in toolchain stage 
perl searches for headers and libraries in the wrong paths
and detects GCC 10 as GCC 1.x.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-16 10:29:43 +00:00
Michael Tremer
c9e4607e88 make: Run autoreconf after applying patches 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-16 10:29:43 +00:00
Michael Tremer
de57b780be glibc: Pass -Wno-error=maybe-uninitialized 
This is required to build glibc in the toolchain stage on
aarch64 due to messy headers on the host system.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-16 10:29:43 +00:00
Michael Tremer
a7f6809c7f glibc: Drop any custom CFLAGS 
glibc is nothing special and can and should be built with
the same flags than the rest of the system.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-16 10:29:43 +00:00
Michael Tremer
d9d28c2c35 make.sh: Bump toolchain version 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-16 10:29:43 +00:00
Michael Tremer
5eec0f21a6 make.sh: Add -fcf-protection for x86_64/i586 
Instrument binaries to guard against ROP/JOP attacks.

This flag in only available on x86_64 and i586.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-16 10:29:43 +00:00
Michael Tremer
87f3b1e568 make.sh: Enable -fstack-clash-protection for x86_64/aarch64 
This patch turns on instrumentation to avoid skipping the guard page
in large stack frames.

Without this flag, vulnerabilities can result in where the stack
overlaps with the heap, or thread stacks spill into other regions
of memory.

This flag in only available on x86_64 and aarch64.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-16 10:29:43 +00:00
Michael Tremer
854df4df81 gcc: Bundle against OS versions of gmp/mpfr 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-16 10:29:43 +00:00
Michael Tremer
465e54a37b mpfr: Update to 4.1.0 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-16 10:29:43 +00:00
Michael Tremer
50f77459a7 cmake: Do not limit compile processes to only two 
We can launch more when we have the memory for it

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-16 10:29:43 +00:00
Michael Tremer
14d0106c9b nfs: Update to 2.5.1 and remove bundled libnfsidmap 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-16 10:29:43 +00:00
Michael Tremer
8af744bcf7 libnfsidmap: Split into a separate package 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-16 10:29:43 +00:00
Michael Tremer
757de9a175 xinetd: Fix build against glibc 2.32 (without RPC) 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-16 10:29:42 +00:00
Michael Tremer
f33eca42c3 conntrack-tools: Fix build against libtirpc 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-16 10:29:42 +00:00
Michael Tremer
1ce519cabc squid: Remove basic_nis_auth 
This depends on SunRPC in glibc which was removed in 2.32.

We do not use this file.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-16 10:29:42 +00:00
Michael Tremer
704199d23d python(2/3): Remove nis module 
This requires SunRPC and we do not use it.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-16 10:29:42 +00:00
Michael Tremer
29370584a0 Build libtirpc earlier because RPC does not come with glibc any more 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-16 10:29:42 +00:00
Michael Tremer
8cc0ef4b40 rpcsvc-proto: New package 
This is required since it is no longer included in glibc

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-16 10:29:42 +00:00
Michael Tremer
6843949dac Update glibc to 2.32 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-16 10:29:42 +00:00
Michael Tremer
b24d630bc1 make.sh: Remove -mindirect-branch=thunk and -mfunction-return=thunk as default 
I cannot find any evidence that this is helpful and no other
distribution has this as default. Packages that are vulnerable to these
attacks (i.e. the kernel) add these flags as appropriate automatically.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-16 10:29:42 +00:00
Michael Tremer
0c30619a95 Update GCC to 10.2.0 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-16 10:29:42 +00:00
Michael Tremer
e39437b25e bacula: Fix build with GCC 10 
GCC 10 aborts compilation when nunbers are (potentially) out of range
when casted from one type to another:

fstype.c: In function 'bool fstype(FF_PKT*, char*, int)':
fstype.c:207:12: error: narrowing conversion of '4283649346' from
'unsigned int' to 'int' [-Wnarrowing]
  207 |       case 0xFF534D42:     fstype = "cifs"; break;          /*
CIFS_MAGIC_NUMBER */
      |            ^~~~~~~~~~
fstype.c:216:12: error: narrowing conversion of '4187351113' from
'unsigned int' to 'int' [-Wnarrowing]
  216 |       case 0xf995e849:     fstype = "hpfs"; break;          /*
HPFS_SUPER_MAGIC */
      |            ^~~~~~~~~~
fstype.c:217:12: error: narrowing conversion of '2508478710' from
'unsigned int' to 'int' [-Wnarrowing]
  217 |       case 0x958458f6:     fstype = "hugetlbfs"; break;     /*
HUGETLBFS_MAGIC */
      |            ^~~~~~~~~~
fstype.c:234:12: error: narrowing conversion of '2768370933' from
'unsigned int' to 'int' [-Wnarrowing]
  234 |       case 0xa501FCF5:     fstype = "vxfs"; break;
      |            ^~~~~~~~~~
fstype.c:237:12: error: narrowing conversion of '2435016766' from
'unsigned int' to 'int' [-Wnarrowing]
  237 |       case 0x9123683e:     fstype = "btrfs"; break;
      |            ^~~~~~~~~~

Does nobody build this for 32 bit any more?

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-16 10:29:42 +00:00
Michael Tremer
30ddc2e27a kbd: Update to 2.2.0 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-16 10:29:42 +00:00
Michael Tremer
a644f18bec u-boot: Fix build with GCC 10 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-16 10:29:42 +00:00
Michael Tremer
8ba15ff89a syslinux: Fix build with GCC 10 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-16 10:29:42 +00:00
Michael Tremer
ac2d807d1c ipfire-netboot: Fix build with GCC 10 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-16 10:29:42 +00:00
Michael Tremer
806ded02f9 lcdproc: Fix build with GCC 10 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-16 10:29:42 +00:00
Michael Tremer
b061abae1e iftop: Fix build with GCC 10 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2020-08-16 10:29:42 +00:00