See: http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html
"A vulnerability in Grub2 has been found. Versions from 1.98 (December, 2009)
to 2.02 (December, 2015) are affected. The vulnerability can be exploited
under certain circumstances, allowing local attackers to bypass any kind of
authentication (plain or hashed passwords). And so, the attacker may take
control of the computer."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Since 'Makefile' was affected, I had to rewrite
'dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch', too.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
There was a Bug in the addon so that no data was displayed because of a
typo. Additionally the computeraccounts are now filtered out of
trafficdata collection.
Only Proxy/AD/LDAP Accounts and IP adresses are collected.
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Ramdisks are very limited in space and as new graphs
are generated for OpenVPN N2N connections, etc. more
space is necessary.
This patch will enable ramdisks for all systems with more
than 490M of memory and allows the user to force using
a ramdisk on systems with less memory.
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org>
Acked-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
These changes will allow snort to also inspect the traffic for
one or more configured alias addresses, which has not been done in the past.
The current situation is, that snort if enabled on red, only inspects
the traffic which is desired to the statically configured red address.
If some alias addresses have been assigned to the red interface the
traffic to these addresses will not be checked by snort and
completely bypasses the IDS.
There is no user interaction required, nor visible-effects or any
backward-compatiblity required, only a restart of snort after the
update process to protect all red addresses.
To do this we will now check if, the RED interface has been set to STATIC (which
is required to use the aliases function) and any aliases have been configured. In
case of this, the modified code will add all enabled alias addresses to the HOMENET
variable in which snort is storing all the monitored addresses.
Fixes#10619.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
in the installed addon list pakfire has showed
the latest version of the addon not the installed.
Fixes: #10875
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
using MASQERADE_GREEN="off" will not work because "NETWORK_GREEN" is
not correctly defined in green only mode.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Fix unnecessary space character in "E-Mail Absender".
Replaces the space character with a dash as is correct and already used in the other words in that part.
Signed-off-by: Lars Schuhmacher <larsen007@web.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
If an IPsec VPN connections is not established, there are
rare cases when packets are supposed to be sent through
that said tunnel and incorrectly handled.
Those packets are sent to the default gateway an entry
for this connection is created in the connection tracking
table (usually only happens to UDP). All following packets
are sent the same route even after the tunnel has been
brought up. That leads to SIP phones not being able to
register among other things.
This patch adds firewall rules that these packets are
rejected. That will sent a notification to the client
that the tunnel is not up and avoid the connection to
be added to the connection tracking table.
Apart from a small performance penalty there should
be no other side-effects.
Fixes: #10908
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Cc: tomvend@rymes.com
Cc: daniel.weismueller@ipfire.org
Cc: morlix@morlix.de
Reviewed-by: Timo Eissler <timo.eissler@ipfire.org>
