The helper script will be automatically called when the red interface gets up
and will re-generate the HOME_NET file, to take care if the IP-address of this
interface has changed.
Fixes#11989
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Disabled MD2 and Aria cipher.
TLSv1.3 is now available with:
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3
TLS_AES_256_GCM_SHA384 TLSv1.3
TLS_AES_128_GCM_SHA256 TLSv1.3
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The legacy GeoIP perl module cannot handle the new GeoLite2 databases
provided from maxmind and therefore needs to be dropped.
Reference #11960
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This is a runtime dependency of the xt_geoip_build perl script
shipped by xtables-addons in version 3.2.
Reference #11960.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Fixes#11904
Since OpenSSL-1.1.0x the database attribute file for IPSec and OpenVPN wasn´t created while initial PKI generation.
OpenVPN delivered an error message but IPSec did crashed within the first attempt.
This problem persists also after X509 deletion and new generation.
index.txt.attr will now be delivered by the system but also deleted and recreated while setting up a new x509.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
http://www.squid-cache.org/Versions/v4/changesets/
In July 2018, 'squid 4' was "released for production use", see:
https://wiki.squid-cache.org/Squid-4
"The features have been set and large code changes are reserved for later versions."
I've tested almost all 4.x-versions and patch series before with good results.
Right now, 4.4 is running here with no seen problems together with
'squidclamav', 'squidguard' and 'privoxy'.
I too would declare this version stable.
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This is useful when the user-data script is installing
packages. For that it will need valid keys for course.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Hi,
To save space linking the 'bind 9.11.5'-binaries was changed from statically to dynamically.
Changes to V2:
Removed unnecessary '*.so'-links.
Complete file sizes shrinked from ~4800K to ~1700K. Needs testing and confirmation!
I'm running this version right now under Core 124 - no seen problems so far.
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
*) Timing vulnerability in DSA signature generation
The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
timing side channel attack. An attacker could use variations in the signing
algorithm to recover the private key.
This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
(CVE-2018-0734)
[Paul Dale]
*) Timing vulnerability in ECDSA signature generation
The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
timing side channel attack. An attacker could use variations in the signing
algorithm to recover the private key.
This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
(CVE-2018-0735)
[Paul Dale]
*) Add coordinate blinding for EC_POINT and implement projective
coordinate blinding for generic prime curves as a countermeasure to
chosen point SCA attacks.
[Sohaib ul Hassan, Nicola Tuveri, Billy Bob Brumley]
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Some drivers was disabled by oldconfig because i had
arm multiarch patchsed. This commit reenable it.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
