webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-23 09:22:59 +02:00
Code Issues Packages Projects Releases Wiki Activity
13,618 Commits 2 Branches 1 Tag
8f520a2d1d2fa197da59eb8c3bc2f61eb01190c1
Commit Graph

1052 Commits

Author SHA1 Message Date
Arne Fitzenreiter
6836e528e5 u-boot-friendlyarm: add u-boot for nanopi-r1 to boot from eMMC 
this is a heavy patched version and should replaced when stock
u-boot is able to boot from h3 eMMC.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-08-06 04:32:22 +00:00
Arne Fitzenreiter
de8810fbaa iperf3: update to 3.7 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-07-17 13:15:33 +02:00
Peter Müller
69772b7dda OpenSSL: lower priority for CBC ciphers in default cipherlist 
In order to avoid CBC ciphers as often as possible (they contain
some known vulnerabilities), this changes the OpenSSL default
ciphersuite to:

TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(128) Mac=SHA256
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
CAMELLIA256-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
CAMELLIA128-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1

Since TLS servers usually override the clients' preference with their
own, this will neither break existing setups nor introduce huge
differences in the wild. Unfortunately, CBC ciphers cannot be disabled
at all, as they are still used by popular web sites.

TLS 1.3 ciphers will be added implicitly and can be omitted in the
ciphersting. Chacha20/Poly1305 is preferred over AES-GCM due to missing
AES-NI support for the majority of installations reporting to Fireinfo
(see https://fireinfo.ipfire.org/processors for details, AES-NI support
is 28.22% at the time of writing).

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-12 17:24:00 +01:00
Matthias Fischer
3f7cec61c9 hostapd: Update to 2.8 
For details see:
https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-10 09:45:54 +01:00
Michael Tremer
29fc1c8c3a ddns: Update to 011 
Add support for two new providers and has some general bug fixes
included.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-27 16:25:01 +01:00
Michael Tremer
333125abf8 Merge branch 'toolchain' into next 2019-05-24 06:55:03 +01:00
Michael Tremer
9f0295a512 Merge remote-tracking branch 'ms/faster-build' into next 2019-05-24 06:54:16 +01:00
Matthias Fischer
d2b5f03631 squid: Update to 4.7 
For details see:

http://www.squid-cache.org/Versions/v4/changesets/

Fixes among other things the old 'filedescriptors' problem, so this patch was deleted.

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-24 06:37:50 +01:00
Michael Tremer
9d959ac151 igmpproxy: Update to 0.2.1 
This updates the package to its latest upstream version and should
be able to support IGMPv3.

Fixes: #12074
Suggested-by: Marc Roland <marc.roland@outlook.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-11 02:20:15 +01:00
Michael Tremer
3966b1e58f iptables: Fix build without kernel source 
The layer7 filter header files were not installed into /usr/include
and therefore we needed to keep the whole kernel source tree.

This is just a waste of space and this patch fixes this.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-10 04:55:49 +01:00
Michael Tremer
525f5d2959 gcc: Update to 8.3.0 
This patch carries the rootfile for x86_64 only.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-04-28 09:44:37 +01:00
Michael Tremer
4987d0ed19 grub: Fix relocation type issue 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-04-28 09:43:37 +01:00
Michael Tremer
bab38dad60 ipfire-netboot: Fix compiling and linking with new GCC & binutils 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-04-28 09:43:24 +01:00
Michael Tremer
7f156022b5 sarg: Fix build with newer GCCs 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-04-28 09:43:08 +01:00
Michael Tremer
2cecfd0fdb grub: Fix build error with GCC 8 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-04-26 16:19:51 +01:00
Michael Tremer
918ee4a4cf strongswan: Manually install all routes for non-routed VPNs 
This is a regression from disabling charon.install_routes.

VPNs are routing fine as long as traffic is passing through
the firewall. Traps are not propertly used as long as these
routes are not present and therefore we won't trigger any
tunnels when traffic originates from the firewall.

Fixes: #12045
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-04-08 16:44:57 +01:00
Arne Fitzenreiter
3005eb2234 kernel: update user regd patch from openwrt 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-03-30 16:56:56 +01:00
Matthias Fischer
6bc94afa0d lua: Update to 5.3.5 
For details see:

http://www.lua.org/bugs.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-03-21 20:41:44 +00:00
Arne Fitzenreiter
c448474fc7 Revert "kernel: cleanup unused rpi patch" 
This reverts commit a2d49659f3.

The patch is still needed to prevent strange crashes

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-03-13 09:39:07 +01:00
Matthias Fischer
d6d5999af1 hostapd: Update to 2.7 
For details see:
https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog

This patch sticks to 'wpa_supplicant: Update to 2.7'.

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-03-04 09:26:58 +00:00
Erik Kapfer
5a3c9ef298 netsnmpd: OpenSSL patch is incl. in new version 
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-03-04 09:26:58 +00:00
Matthias Fischer
aa88b2ef59 squid: Update to 4.6 
For details see:
http://www.squid-cache.org/Versions/v4/changesets/

The 'configure'-option "--disable-ipv6" was removed, it is no longer necessary.

See:
https://lists.ipfire.org/pipermail/development/2016-April/002046.html

"The --disable-ipv6 build option is now deprecated.
...
Squid-3.5.7 and later will perform IPv6 availability tests on startup in
all builds.

- Where IPv6 is unavailable Squid will continue exactly as it would
have had the build option not been used.

These Squid can have the build option removed now."

The warning message concerning a "BCP 177 violation" while
starting 'squid' can be ignored.

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-03-02 14:07:38 +00:00
Michael Tremer
50d1bbf0f5 Merge branch 'ipsec' into next 2019-02-25 00:48:08 +00:00
Arne Fitzenreiter
c09758302b kernel: update to 4.14.103 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-02-23 15:56:21 +01:00
Arne Fitzenreiter
173844d352 kernel: import cve-2019-8912 patch 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-02-22 21:20:57 +01:00
Arne Fitzenreiter
6957b699b3 kernel: apu leds: add more id's 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-02-22 18:02:45 +01:00
Arne Fitzenreiter
a2d49659f3 kernel: cleanup unused rpi patch 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-02-21 19:13:27 +01:00
Arne Fitzenreiter
17872019ba kernel: update apu led patch for apu3 and 4 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-02-19 01:04:19 +01:00
Michael Tremer
8be516b3bc strongswan: Do not create any NAT rules when using VTI/GRE 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-02-04 18:38:24 +00:00
Peter Müller
fee8b1c504 OpenSSH: update to 7.9p1 
Update OpenSSH to 7.9p1 (release note is available at
https://www.openssh.com/txt/release-7.9). Patching support
for OpenSSL 1.1.0 is no longer required, thus the orphaned
patchfile has been deleted.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-01-23 05:13:47 +00:00
Arne Fitzenreiter
be838808e1 Merge remote-tracking branch 'origin/master' into next 2019-01-23 21:19:01 +01:00
Michael Tremer
480e301442 xtables-addons: Fix generating GeoIP database 
Perl seems to have a very funny feature where you cannot rely on
how it formats IP addresses into a binary string.

This seems to be 16 bytes long for IPv4 addresses when we (and the kernel)
only expect 4.

This patch changes this so that the last 12 bytes are just being dropped.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-01-23 04:12:41 +00:00
Peter Müller
47051c2a0a drop orphaned OpenSSL patches 
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-01-17 14:42:37 +00:00
Erik Kapfer
32ba431458 openssl: Update to version 1.1.1a 
Disabled MD2 and Aria cipher.

TLSv1.3 is now available with:

TLS_CHACHA20_POLY1305_SHA256 TLSv1.3
TLS_AES_256_GCM_SHA384  TLSv1.3
TLS_AES_128_GCM_SHA256  TLSv1.3

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-01-17 14:33:20 +00:00
Matthias Fischer
042a5fe60a tar: Update to 1.31, including fix for bug #11958 
For details see:

http://savannah.gnu.org/forum/forum.php?forum_id=9344

"- Fix heap-buffer-overrun with --one-top-level.
- Support for zstd compression.
- The -K option interacts properly with member names given in the command line.
- Fix CVE-2018-20482"

This patch was reverted because 'tar 1.31' crashed when installing PakFire packages
with the option '--no-overwrite-dir'.
See: https://bugzilla.ipfire.org/show_bug.cgi?id=11958

Included is now a patch from https://savannah.gnu.org/bugs/?55413, which seems to fix this issue.
The test cases given in https://savannah.gnu.org/bugs/?55413#comment1 ran without problems.

As always, please check and confirm.

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-01-07 01:31:43 +00:00
Arne Fitzenreiter
5e6f343b7d python: update to 2.7.15 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-01-06 15:51:53 +01:00
Arne Fitzenreiter
b15309e9d1 transmission: update to 2.94 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-01-05 13:47:31 +01:00
Matthias Fischer
c86d893830 squid: Update to 4.5 
For details see:
http://www.squid-cache.org/Versions/v4/changesets/

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-12-31 00:37:51 +00:00
Matthias Fischer
a2bcb4135b squid: Update to 4.4 (stable) 
For details see:
http://www.squid-cache.org/Versions/v4/changesets/

In July 2018, 'squid 4' was "released for production use", see:
https://wiki.squid-cache.org/Squid-4

"The features have been set and large code changes are reserved for later versions."

I've tested almost all 4.x-versions and patch series before with good results.
Right now, 4.4 is running here with no seen problems together with
'squidclamav', 'squidguard' and 'privoxy'.

I too would declare this version stable.

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-12-18 22:30:51 +00:00
Stefan Schantl
848ac69009 grub: xfs: Accept filesystem with sparse inodes 
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Tested-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-12-13 13:07:53 +00:00
Michael Tremer
7e17de5f86 fireinfo: Add authentication for upstream proxies 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-12-11 19:38:21 +00:00
Arne Fitzenreiter
ed4bbe44d1 kernel: fix dwc2 (usb) dma crashes on RPi1-3 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2018-12-10 20:45:54 +01:00
Arne Fitzenreiter
1e2e78e6ff Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next 2018-11-02 15:16:22 +00:00
Arne Fitzenreiter
5edc6b10e0 directfb: fix comile on 32bit arm 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2018-11-02 15:14:11 +00:00
Matthias Fischer
e2bd68dfad squid 3.5.28: latest patches (01-02) 
For details see:
http://www.squid-cache.org/Versions/v3/3.5/changesets/

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-11-01 10:29:05 +00:00
Michael Tremer
02776a0dc2 Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next 2018-10-29 10:51:44 +00:00
Arne Fitzenreiter
d823d5f072 hostapd: add switch to disable neigborhood scan 
this may violate regulatory rules because 40Mhz channels should disabled
if there are other networks but nearly every commercial router ignore this.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2018-10-27 16:47:12 +02:00
Michael Tremer
edacf85320 libvirt: Update to 4.6.0 
Fixes builds against glibc >= 2.28

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-10-24 09:25:57 +01:00
Michael Tremer
2678d600f9 parted: Fix build with glibc >= 2.28 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-10-24 09:15:28 +01:00
Michael Tremer
5814cf9931 syslinux: Fix build with glibc >= 2.28 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-10-24 09:14:43 +01:00