For details see:
https://lists.gnupg.org/pipermail/gnutls-help/2020-June/004648.html
"** libgnutls: Fixed insecure session ticket key construction, since 3.6.4.
The TLS server would not bind the session ticket encryption key with a
value supplied by the application until the initial key rotation, allowing
attacker to bypass authentication in TLS 1.3 and recover previous
conversations in TLS 1.2 (#1011).
[GNUTLS-SA-2020-06-03, CVSS: high]
** libgnutls: Fixed handling of certificate chain with cross-signed
intermediate CA certificates (#1008).
** libgnutls: Fixed reception of empty session ticket under TLS 1.2 (#997).
** libgnutls: gnutls_x509_crt_print() is enhanced to recognizes commonName
(2.5.4.3), decodes certificate policy OIDs (!1245), and prints Authority
Key Identifier (AKI) properly (#989, #991).
** certtool: PKCS #7 attributes are now printed with symbolic names (!1246).
** libgnutls: Added several improvements on Windows Vista and later releases
(!1257, !1254, !1256). Most notably the system random number generator now
uses Windows BCrypt* API if available (!1255).
** libgnutls: Use accelerated AES-XTS implementation if possible (!1244).
Also both accelerated and non-accelerated implementations check key block
according to FIPS-140-2 IG A.9 (!1233).
** libgnutls: Added support for AES-SIV ciphers (#463).
** libgnutls: Added support for 192-bit AES-GCM cipher (!1267).
** libgnutls: No longer use internal symbols exported from Nettle (!1235)
** API and ABI modifications:
GNUTLS_CIPHER_AES_128_SIV: Added
GNUTLS_CIPHER_AES_256_SIV: Added
GNUTLS_CIPHER_AES_192_GCM: Added
gnutls_pkcs7_print_signature_info: Added"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
There is not enough stuff that it is justified to have an own file.
This patch therefore merges everything into general-functions.pl.
There are no functional changes.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Quoted from #12433:
> Uprobes is the user-space counterpart to kprobes: they enable instrumentation
> applications (such as 'perf probe') to establish unintrusive probes in
> user-space binaries and libraries, by executing handler functions when the
> probes are hit by user-space applications.
>
> ( These probes come in the form of single-byte breakpoints, managed by the
> kernel and kept transparent to the probed application. )
IMHO this can be safely disabled, as there is little if any need to debug
userspace programs _that_ deeply on an IPFire machine.
Fixes: #12433
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This is dangerous as it allows replacing the running kernel without
rebooting. Kernel Self Protection Project people recommend to keep it
disabled.
Fixes: #12372
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
> This option checks for a stack overrun on calls to schedule(). If the stack
> end location is found to be over written always panic as the content of the
> corrupted region can no longer be trusted. This is to ensure no erroneous
> behaviour occurs which could result in data corruption or a sporadic crash at a
> later stage once the region is examined. The runtime overhead introduced is
> minimal.
Fixes: #12376
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
> This option enables the uselib syscall a system call used in the dynamic
> linker from libc5 and earlier. glibc does not use this system call. If you
> intend to run programs built on libc5 or earlier you may need to enable this
> syscall. Current systems running glibc can safely disable this.
In my point of view, the last sentence matches our situation.
Fixes: #12379
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
These are not needed anymore since Sony announced EOL in 2010 and there
is no legitimate use case for such hardware on a firewall system.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
The bluetooth addon was recently removed by commit
592be1d206, which is why we do not need to
carry the corresponding kernel modules around anymore.
The second version of this patch correctly updates kernel configuration
files via "make oldconfig" as requested by Arne.
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.11.19/RELEASE-NOTES-bind-9.11.19.html
"Security Fixes
To prevent exhaustion of server resources by a maliciously
configured domain, the number of recursive queries that can be
triggered by a request before aborting recursion has been further
limited. Root and top-level domain servers are no longer exempt from
the max-recursion-queries limit. Fetches for missing name server
address records are limited to 4 for any domain. This issue was
disclosed in CVE-2020-8616. [GL #1388]
Replaying a TSIG BADTIME response as a request could trigger
an assertion failure. This was disclosed in CVE-2020-8617. [GL
#1703]
Feature Changes
Message IDs in inbound AXFR transfers are now checked for
consistency. Log messages are emitted for streams with inconsistent
message IDs. [GL #1674]
Bug Fixes
When running on a system with support for Linux capabilities, named
drops root privileges very soon after system startup. This was
causing a spurious log message, "unable to set effective uid to 0:
Operation not permitted", which has now been silenced. [GL #1042]
[GL #1090]
When named-checkconf -z was run, it would sometimes incorrectly set
its exit code. It reflected the status of the last view found;
if zone-loading errors were found in earlier configured views but
not in the last one, the exit code indicated success. Thanks
to Graham Clinch. [GL #1807]
When built without LMDB support, named failed to restart after
a zone with a double quote (") in its name was added with rndc
addzone. Thanks to Alberto Fernández. [GL #1695]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
