CVE-2020-1967 (OpenSSL advisory) [High severity] 21 April 2020:
Server or client applications that call the SSL_check_chain()
function during or after a TLS 1.3 handshake may crash due
to a NULL pointer dereference as a result of incorrect handling
of the "signature_algorithms_cert" TLS extension.
The crash occurs if an invalid or unrecognised signature algorithm
is received from the peer. This could be exploited by a malicious
peer in a Denial of Service attack.
https://www.openssl.org/news/secadv/20200421.txt
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This file is being read by some packages to find out on what
distribution they are running on.
This file needs to be included in every Core Update.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
There is loads of stuff for PowerPC and other architectures
in the directory which we cannot strip. Therefore we ignore
the whole directory.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Since Go has a horrible build system which requires a Go
compiler to build the Go compiler and takes a very long
time to compile, we are following Rust and are using the
"official" pre-compiled release tarball.
We no longer ship the Go runtime, which mitigates the
risk of shipping any malware.
Because we currently only have one package using this
and which is only being compiled for x86_64, we are
only making Go available on this architecture.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
glibc calls clock_nanosleep_time64 syscall even if it not defined in
the headers for this arch and the seccomp filter kills the process
with because an unknown syscall.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.11.17/RELEASE-NOTES-bind-9.11.17.html
"Notes for BIND 9.11.17
Feature Changes
The configure option --with-libxml2 now uses pkg-config to detect
libxml2 library availability. You will either have to install pkg-config
or specify the exact path where libxml2 has been installed on your
system. [GL #1635]
Bug Fixes
Fixed re-signing issues with inline zones which resulted in records
being re-signed late or not at all."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Summary: smartmontools release 7.1
-----------------------------------------------------------
- smartctl: Fixed bogus exception on unknown form factor value (regression).
- smartctl '--json=cg': Suppresses extra spaces also in 'g' format.
- smartctl '-i': ATA ACS-4 and ACS-5 enhancements.
- smartd: No longer truncates very long device names in warning emails.
- smartd: No longer skips scheduled tests if system clock has been adjusted
to the past.
- smartd '-A': Attribute logs now use local time instead of UTC.
- ATA: Device type '-d jmb39x,N' for drives behind JMicron JMB39x RAID port
multipliers.
- SCSI: Workaround for incomplete Log subpages response from some SAS SSDs.
- HDD, SSD and USB additions to drive database.
- Autodetection of '-d sntjmicron' type for JMicron USB to NVMe bridges.
- configure: Defines '_FORTIFY_SOURCE=2' if supported and not defined.
- Linux/FreeBSD: Fixed segfault on CCISS transfer sizes > 512 bytes.
- Linux: Fixed smartd.service 'Type' if libsystemd-dev is not available.
- Linux: Fixed '/dev/megaraid_sas_ioctl_node' fd leak.
- Linux: Fixed GPL licensing problem of 'linux_nvme_ioctl.h'.
- FreeBSD update-smart-drivedb: Now uses 'fetch' as default download tool.
- FreeBSD big endian: Fixed NVMe access.
- FreeBSD: Compile fix for FreeBSD 12.
- NetBSD: Fixed device scan crash on empty name list.
- NetBSD: Fixed memory leak in device scan.
- Windows: Fixed log page access via Windows 10 NVMe driver for NVMe 1.2.1+.
- Windows: Allow drive letters as device names for Windows 10 NVMe driver.
- Windows: Workround to allow CSMI access to devices behind AMD RAID drivers.
- Windows: Fixed MinGW options to add relocation info if ASLR is enabled.
- Windows wtssendmsg: No longer writes '\n' line endings to event log.
- Windows wtssendmsg: New options '-t' and '-w'.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Those are now created in their own temporary directory, so that
no other files can be included by accident.
We also package with fewer temporary files.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Not sure why this has ever been there. This simply makes it
nicer to read and edit because we can have line-breaks now.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
When using a swap file, it is not being activated correctly
when the filesystem it is residing on is not mounted, yet.
The root file system is mounted read-only here before
S40mountfs is being executed.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
