This reverts commit a81cbf6127.
It was no longer possible to generate the root/host certificates.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
During the build process, we set capabilities to elevate privileges of
certain programs (e.g. ping). These have been removed during the build
process because of strip.
This patch collects any capabilities from all files that are being
stripped and restores them after calling strip.
Fixes: #12652
Reported-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
After upgrading to Core Update 157, a small number of users reported their
systems to be unworkable after a reboot. Most of them (the systems, not
the users) were apparently missing the new Linux kernel in their Grub
configuration, causing a non-functional bootloader written to disk.
While we seem to be able to rule out issues related to poor storage
(SSDs, flash cards, etc.) or very high I/O load, it occurred to me we
are not calling "sync" after having extracted a Core Update's .tar.gz
file.
This patch therefore proposes to do so. It is a somewhat homeopathic
approach, though, but might ensure all parts of the system to have
properly processed the contents of an extracted archive. While we cannot
even reasonably guess it will solve the problem(s) mentioned initially,
doing so cannot hurt either.
See also:
https://community.ipfire.org/t/after-update-ipfire-to-157-no-boot/5641/45
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The input validation did not work in the proper way. It always
reported "No password" when using a provider which supports token and
the token has been given.
This of course is wrong and led to unusable providers.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Asking apache to restart itself fails when the binary is changed and
some symbols cannot be resolved. We therefore terminate all processes
and start them again.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This reverts commit a9fb87809e.
This prevents the SSH configuration being parsed by the web user
interface.
Reported-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://www.knot-dns.cz/2021-06-16-version-307.html
Features:
knotd: new configuration policy option for CDS digest algorithm setting #738
keymgr: new command for primary SOA serial manipulation in on-secondary signing mode
Improvements:
knotd: improved algorithm rollover to shorten the last step of old RRSIG publication
Bugfixes:
knotd: zone is flushed upon server start, despite DNSSEC signing is up-to-date
knotd: wildcard nonexistence is proved on empty-non-terminal query
knotd: redundant wildcard proof for non-authoritative data in a reply
knotd: missing wildcard proofs in a wildcard-cname loop reply
knotd: incorrectly synthesized CNAME owner from a wildcard record #715
knotd: zone-in-journal changeset ignores journal-max-usage limit #736
knotd: incorrect processing of zone-in-journal changeset with SOA serial 0
knotd: broken initialization of processing workers if SO_REUSEPORT(_LB) not available
kjournalprint: reported journal usage is incorrect #736
keymgr: cannot parse algorithm name ed448 #739
keymgr: default key size not set properly
kdig: failed to process huge DoH responses
libknot/probe: some corner-case bugs
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Please refer to the .tar.gz's ReleaseNote file for the full changelog
since version 0.4.5.8; it is too large to include it here.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The CGI now requires the general-functions library, because the
get_red_interface() function is used.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Perl seems to just "guess" that someone no longer wants to use the
builtin "system" command when there is a function with the same name.
I have no idea what kind of liquid they are drinking, but because of the
side effects of that stuff, we explicitly call our system() function.
Not that that would be necessary, but why not waste a couple more CPU
cycles?
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
While hiding version information does not come with any _actual_
security improvements, it is generally a good thing to do so by default:
Attackers will still be able to reasonably guess or enumerate the
software version running, but need to conduct additional effort to do
so, hence more likely raising alerts and drawing attention to their
operation.
In addition, we suppress version details somewhere else in IPFire 2.x by
default, too (e.g. Unbound and Apache), so we can justify this patch by
aiming to stay consistent, I guess. :-)
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>