CVE-2020-1967 (OpenSSL advisory) [High severity] 21 April 2020:
Server or client applications that call the SSL_check_chain()
function during or after a TLS 1.3 handshake may crash due
to a NULL pointer dereference as a result of incorrect handling
of the "signature_algorithms_cert" TLS extension.
The crash occurs if an invalid or unrecognised signature algorithm
is received from the peer. This could be exploited by a malicious
peer in a Denial of Service attack.
https://www.openssl.org/news/secadv/20200421.txt
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This file is being read by some packages to find out on what
distribution they are running on.
This file needs to be included in every Core Update.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
There is loads of stuff for PowerPC and other architectures
in the directory which we cannot strip. Therefore we ignore
the whole directory.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Since Go has a horrible build system which requires a Go
compiler to build the Go compiler and takes a very long
time to compile, we are following Rust and are using the
"official" pre-compiled release tarball.
We no longer ship the Go runtime, which mitigates the
risk of shipping any malware.
Because we currently only have one package using this
and which is only being compiled for x86_64, we are
only making Go available on this architecture.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
dhcpcd 9.x adds privelege seperation by creating a chroot
and running parts of the client not as root.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
glibc calls clock_nanosleep_time64 syscall even if it not defined in
the headers for this arch and the seccomp filter kills the process
with because an unknown syscall.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
On systems with RED on PPP and no BLUE or ORANGE zones,
there would always be an error when handling non-existant input.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Records which are from the same domain than the IPFire hostname
might not be returned by unbound. This change explicitely instructs
unbound to check local data before checking the global DNS.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
With this commit suricata reads the HTTP port declarations from a newly
introduced external file
(/var/ipfire/suricata/suricata-http-ports.yaml).
This file dynamically will be generated. HTTP ports always are the
default port "80" and "81" for update Accelerator and HTTP access to the
WUI. In case the Web-proxy is used, the configured proxy port and/or Transparent
Proxy port also will be declared as a HTTP port and written to that file.
In case one of the proxy ports will be changed, the HTTP port file will
be re-generated and suricate restarted if launched. Also if an old
backup with snort will be restored the convert script handles the
generation of the HTTP ports file.
Finally the suricata-generate-http-ports-file as a tiny script which
simply generates the http ports file and needs to be launched during the
installation of a core update. (The script will no be required
anymore, so it could be deleted afterwards.)
Fixes#12308.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This file contains the configured ruleset and oinkcode settings and
therefore needs to be backuped and restored.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
