- Network (other) help link was set to go to Network (internal) wiki page
Link modified
- Running the check_manualpages.pl script requires it to be executable so the build
changed the permissions mode from 644 to 755
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
- Created (mostly) for old openvpn graphs
- RRD removed when no graph modification for +365 days
- chosen since graph max out is 365 days
- fcron job runs once per week
- chosen since this is just a cleanup and it doesnt need to run everyday
Note: logging can be added if needed.
Signed-off-by: Jon Murphy <jon.murphy@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
- cpufrequtils is a set of "tools" to manage and set cpu freq settings.
- There is an initscript but this is only loading the cpu dependent kernel modules that
are required by cpufrequtils.
- Therefore cpufrequtils is not a service but a set of tools that are used when required.
- SERVICES line made blank so that this addon does not show up in the services addon table.
- Modified install initscript line to not use SERVICES variable
Fixes: Bug#12933
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
For details see:
https://lists.nlnetlabs.nl/pipermail/unbound-users/2022-September/007885.html
"This release fixes CVE-2022-3204 Non-Responsive Delegation
Attack. It was reported by Yehuda Afek from Tel-Aviv
University and Anat Bremler-Barr and Shani Stajnrod from
Reichman University.
This fixes for better performance when under load, by cutting
promiscuous queries for nameserver discovery and limiting the
number of times a delegation point can look in the cache for
missing records.
Bug Fixes
- Patch for CVE-2022-3204 Non-Responsive Delegation Attack."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
According to the kernel's documentation,
> debugfs is a virtual file system that kernel developers use to put
> debugging files into. Enable this option to be able to read and
> write to these files.
There is no legitimate reason why one has to do so on an IPFire machine.
Further, the vast debugging options (i.e. related to various drivers)
have never been enabled, limiting the use of this virtual file system
even further.
This patch therefore proposes to disable it entirely, since its
potential security impact outweights its benefits. Due to operational
constraints, changes to ARM kernel configurations will be made if this
patch is approved for x86_64.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Since we replace Perl, users most likely get to see some nasty "Internal
Server Error" messages during the upgrade. To suppres them, and to limit
the chance of side effects, stop Apache before applying the update, and
start it again afterwards.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Changes in version 0.4.7.10 - 2022-08-12
This version updates the geoip cache that we generate from IPFire location
database to use the August 9th, 2022 one. Everyone MUST update to this
latest release else circuit path selection and relay metrics are badly
affected.
o Major bugfixes (geoip data):
- IPFire informed us on August 12th that databases generated after
(including) August 10th did not have proper ARIN network allocations. We
are updating the database to use the one generated on August 9th, 2022.
Fixes bug 40658; bugfix on 0.4.7.9.
Changes in version 0.4.7.9 - 2022-08-11
This version contains several major fixes aimed at reducing memory pressure on
relays and possible side-channel. It also contains a major bugfix related to
congestion control also aimed at reducing memory pressure on relays.
Finally, there is last one major bugfix related to Vanguard L2 layer node
selection.
We strongly recommend to upgrade to this version especially for Exit relays
in order to help the network defend against this ongoing DDoS.
o Major bugfixes (congestion control):
- Implement RFC3742 Limited Slow Start. Congestion control was
overshooting the congestion window during slow start, particularly
for onion service activity. With this fix, we now update the
congestion window more often during slow start, as well as dampen
the exponential growth when the congestion window grows above a
capping parameter. This should reduce the memory increases guard
relays were seeing, as well as allow us to set lower queue limits
to defend against ongoing DoS attacks. Fixes bug 40642; bugfix
on 0.4.7.5-alpha.
o Major bugfixes (relay):
- Remove OR connections btrack subsystem entries when the connections
close normally. Before this, we would only remove the entry on error and
thus leaking memory for each normal OR connections. Fixes bug 40604;
bugfix on 0.4.0.1-alpha.
- Stop sending TRUNCATED cell and instead close the circuit from which we
received a DESTROY cell. This makes every relay in the circuit path to
stop queuing cells. Fixes bug 40623; bugfix on 0.1.0.2-rc.
o Major bugfixes (vanguards):
- We had omitted some checks for whether our vanguards (second layer
guards from proposal 333) overlapped. Now make sure to pick each
of them to be independent. Also, change the design to allow them
to come from the same family. Fixes bug 40639; bugfix
on 0.4.7.1-alpha.
o Minor features (dirauth):
- Add a torrc option to control the Guard flag bandwidth threshold
percentile. Closes ticket 40652.
- Add an AuthDirVoteGuard torrc option that can allow authorities to
assign the Guard flag to the given fingerprints/country code/IPs.
This is a needed feature mostly for defense purposes in case a DoS
hits the network and relay start losing the Guard flags too fast.
- Make UPTIME_TO_GUARANTEE_STABLE, MTBF_TO_GUARANTEE_STABLE,
TIME_KNOWN_TO_GUARANTEE_FAMILIAR WFU_TO_GUARANTEE_GUARD tunable
from torrc.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on August 11, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/08/11.
o Minor bugfixes (congestion control):
- Add a check for an integer underflow condition that might happen
in cases where the system clock is stopped, the ORconn is blocked,
and the endpoint sends more than a congestion window worth of non-
data control cells at once. This would cause a large congestion
window to be calculated instead of a small one. No security
impact. Fixes bug 40644; bugfix on 0.4.7.5-alpha.
o Minor bugfixes (defense in depth):
- Change a test in the netflow padding code to make it more
_obviously_ safe against remotely triggered crashes. (It was safe
against these before, but not obviously so.) Fixes bug 40645;
bugfix on 0.3.1.1-alpha.
o Minor bugfixes (relay):
- Do not propagate either forward or backward a DESTROY remote reason when
closing a circuit in order to avoid a possible side channel. Fixes bug
40649; bugfix on 0.1.2.4-alpha.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Since we disabled Bluetooth support in the kernel a long time ago due to
security reasons, these do not serve any purpose anymore. Therefore, do
not ship them and delete them on existing installations.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
For some reason, stripper crashes processing this directory:
strip: error: the input file '/lib/firmware/qcom/sc8280xp/LENOVO/21BX/qccdsp8280.mbn' has no sections
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
- The lcd2usb portion of the hd44780 driver in in the latest release version of
lcdproc (0.5.9) are only coded for libusb-0.1, which was removed from IPFire in recent
times.
- Commits have been merged into the lcdproc repository that enable lcd2usb to work with
the libusb-1.0 series but no release has been made since 2017.
- This patch downloaded a zip archive from the status of the lcdproc repository at commit
0e2ce9b. This zip archive was then converted into a tar.gx archive. The lfs and
rootfile have been updated in line with this.
- The lcdproc-0e2ce9b-4.ipfire file created by this build has been tested by the bug
reporter, Rolf Schreiber, and confirmed to fix the issue raised with the bug.
- This patch brings lcdproc upto date with the 149 commits that have been made between
2017 and Dec 2021, the date of the last commit.
- The version number has been defined as the last commit number.
- The -enable-libusb option has to be left in place as it turned out that
-enable-libusb-1-0 only works if -enable-libusb is also set. It looks like this was
identified in the lcdproc issues list but has not yet been fixed.
Fixes: Bug#12920
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Since we have extended services.cgi that it reads the Services field
from the Pakfire metadata, we will need to make sure that that metadata
is going to be on those systems.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
