The email recipient was not correctly validated which allowed for a
stored cross-site scripting vulnerability.
Fixes: #12925 - JVN#15411362 Inquiry on vulnerability found in IPFire
Reported-by: Noriko Totsuka <vuls@jpcert.or.jp>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

The scope option does not seem to work at all now, which is surprising
since I tested it quite well.
The secondary flag cannot be set from userspace (apparently), but it
works, so I would prefer to go with this option for now.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

The third version of this patch conducts the necessary changes in
configroot. Previously, they took place in ipblocklist itself, which
would have caused user settings to be overwritten, should ipblocklist be
shipped in future Core Updates.
Fixes: #12917
Cc: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Stefan Schantl <stefan.schantl@ipfire.org>

- libfmt required in run time by mpd
- mpd changelog specifically said fmt was a build only dependency
- Bug#12909 flagged up that fmt was also a run time dependency for mpd
Fixes: Bug#12909
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>

This is a cosmetic change to have the name of the ISO file similar to the
flash image and also have all parts of it in a reasonable order.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>

https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf (released in
2015) recommends "to use primes of 2048 bits or larger", to which BSI's
technical guideline BSI-TR-02102 (https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.pdf?__blob=publicationFile&v=5)
concurs. The latter also recommends not to use DH groups comprising
less than 2000 bits after 2022, and shift to 3000 bit DH groups earlier
as a precaution.
According to RFC 3526, section 8, MODP-1536 provides an estimated
security between 90 and 120 bits, a value that can be reasonably
considered broken today, as it has been so for other types of
cryptographic algorithms already, and per section 2.4 in the
aforementioned paper, breaking 1024-bit DH is considered feasible for
the NSA in 2015, which does not inspire confidence for MODP-1536 in
2022.
Therefore, this patch suggests marking MODP-1536 as broken, since it
de facto is, and tagging MODP-2048 as weak. The latter is also removed from
the default selection, so newly created VPN connections won't use it
anymore, to follow BSI's recommendations of using DH groups >= 3000 bits
in 2022 and later.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>

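As an added example (not part of this commit or of IPFire's own code), the following Python script audits a list of IKE/ESP proposals written in strongSwan's dash-separated notation (the input format is an assumption) and classifies every MODP group against the thresholds given in the commit message: MODP-2048 is reported as weak, and anything smaller as broken, which extends the patch's MODP-1536 verdict to the even smaller RFC 2409 groups; groups of 3000 bits or more pass, following the cited BSI recommendation. The sample proposal list is constructed for the example.

```python
from typing import Dict, List, Tuple

# Modulus sizes in bits of the MODP groups defined in RFC 2409 and RFC 3526.
MODP_BITS: Dict[str, int] = {
    "modp768": 768, "modp1024": 1024, "modp1536": 1536, "modp2048": 2048,
    "modp3072": 3072, "modp4096": 4096, "modp6144": 6144, "modp8192": 8192,
}

# Thresholds taken from the commit message: MODP-2048 is tagged "weak";
# MODP-1536 (and, by the same reasoning, anything smaller) is "broken";
# BSI TR-02102 asks for DH groups of at least 3000 bits from 2022 on.
WEAK_BITS = 2048
RECOMMENDED_MIN_BITS = 3000

# Severity order used to summarise a whole proposal list.
SEVERITY = {"ok": 0, "unknown": 1, "weak": 2, "broken": 3}


def classify_group(name: str) -> str:
    """Classify one DH group name. Non-MODP groups (e.g. ECP) are reported
    as 'unknown' rather than guessed at."""
    bits = MODP_BITS.get(name.lower())
    if bits is None:
        return "unknown"
    if bits < WEAK_BITS:
        return "broken"
    if bits < RECOMMENDED_MIN_BITS:
        return "weak"
    return "ok"


def audit_proposals(proposals: str) -> List[Tuple[str, str, str]]:
    """Return (proposal, group, verdict) for every MODP group found in a
    comma-separated, dash-delimited proposal list (assumed strongSwan
    syntax, e.g. 'aes256-sha2_256-modp2048')."""
    findings: List[Tuple[str, str, str]] = []
    for proposal in proposals.split(","):
        proposal = proposal.strip()
        if not proposal:
            continue
        for token in proposal.split("-"):
            if token.lower().startswith("modp"):
                findings.append((proposal, token, classify_group(token)))
    return findings


def worst_verdict(proposals: str) -> str:
    """Most severe verdict across the list; 'ok' when no MODP group is present."""
    verdicts = [v for _, _, v in audit_proposals(proposals)]
    if not verdicts:
        return "ok"
    return max(verdicts, key=lambda v: SEVERITY[v])


# Constructed sample: one proposal per class described in the commit message.
SAMPLE_PROPOSALS = (
    "aes256gcm128-sha2_256-modp1536,"
    "aes256-sha2_256-modp2048,"
    "aes256-sha2_512-modp4096"
)

if __name__ == "__main__":
    for proposal, group, verdict in audit_proposals(SAMPLE_PROPOSALS):
        print(f"{verdict:7s} {group:9s} in {proposal}")
    print("overall:", worst_verdict(SAMPLE_PROPOSALS))
```

Run against the sample list, the script flags the MODP-1536 proposal as broken and the MODP-2048 one as weak, so the overall verdict is "broken"; the same check can be pointed at a configuration export before the patch's changed defaults are rolled out.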
Sodium is a new, easy-to-use software library for encryption,
decryption, signatures, password hashing and more.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

This is now being dropped since the image won't fit onto a 2GB device
any more and since there is only one type of image, we don't need to
state the filesystem type.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

On some installations, we are running out of space on the /boot
partition due to growing sizes of the ramdisk and the kernel.
To accommodate for that and have room to grow in the future, we increase
the size of the partition to 256 MiB.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>