Arne Fitzenreiter
c67519ac7c
sane: rootfile update
...
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-09 18:06:54 +02:00
Arne Fitzenreiter
3791a79239
tshark: rootfile update
...
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-09 18:05:50 +02:00
Arne Fitzenreiter
e29eb3a6c1
speedtest-cli: add rootfile
...
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-09 18:04:30 +02:00
Arne Fitzenreiter
7739cbf456
sane/stage2: remove sanedloop
...
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-09 08:37:23 +02:00
Arne Fitzenreiter
f2e7d2bf50
rust: fix typo
...
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 19:49:01 +00:00
Arne Fitzenreiter
2228871e3e
rust: fix md5 sums for i586 and arm
...
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 19:44:54 +00:00
Stefan Schantl
5b87687cb1
suricata: Enable rust support
...
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org >
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 19:08:37 +00:00
Stefan Schantl
59fe973584
rust: New package.
...
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org >
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 19:08:23 +00:00
Erik Kapfer
5848f7288b
ncat: Update to version 7.80
...
Several improvements have been added. This update is part of the nmap-7.80 update.
For the complete changelog, take a look here --> https://seclists.org/nmap-announce/2019/0 .
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org >
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 19:07:01 +00:00
Erik Kapfer
692d6e012b
nmap: Update to version 7.80
...
Several improvements, NSE scripts and libraries have been added.
The complete changelog can be found here --> https://seclists.org/nmap-announce/2019/0 .
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org >
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 19:06:34 +00:00
Arne Fitzenreiter
2513c3bba9
core137: ship libpcap
...
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 19:05:50 +00:00
Matthias Fischer
64243e995b
libpcap: Update to 1.9.1
...
For details see:
https://www.tcpdump.org/libpcap-changes.txt
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org >
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 19:04:36 +00:00
Arne Fitzenreiter
a647499b10
core137: ship unbound
...
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 19:03:50 +00:00
Matthias Fischer
146c8a58ab
unbound: Update to 1.9.4
...
For details see:
https://nlnetlabs.nl/pipermail/unbound-users/2019-October/011832.html
"This release is a fix for vulnerability CVE-2019-16866 that causes a
failure when a specially crafted query is received."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org >
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 19:01:41 +00:00
Matthias Fischer
6c20eff135
tcpdump: Update to 4.9.3
...
For details see:
https://www.tcpdump.org/tcpdump-changes.txt
"Fix buffer overflow/overread vulnerabilities:
CVE-2017-16808 (AoE)
CVE-2018-14468 (FrameRelay)
CVE-2018-14469 (IKEv1)
CVE-2018-14470 (BABEL)
CVE-2018-14466 (AFS/RX)
CVE-2018-14461 (LDP)
CVE-2018-14462 (ICMP)
CVE-2018-14465 (RSVP)
CVE-2018-14881 (BGP)
CVE-2018-14464 (LMP)
CVE-2018-14463 (VRRP)
CVE-2018-14467 (BGP)
CVE-2018-10103 (SMB - partially fixed, but SMB printing disabled)
CVE-2018-10105 (SMB - too unreliably reproduced, SMB printing disabled)
CVE-2018-14880 (OSPF6)
CVE-2018-16451 (SMB)
CVE-2018-14882 (RPL)
CVE-2018-16227 (802.11)
CVE-2018-16229 (DCCP)
CVE-2018-16301 (was fixed in libpcap)
CVE-2018-16230 (BGP)
CVE-2018-16452 (SMB)
CVE-2018-16300 (BGP)
CVE-2018-16228 (HNCP)
CVE-2019-15166 (LMP)
CVE-2019-15167 (VRRP)
Fix for cmdline argument/local issues:
CVE-2018-14879 (tcpdump -V)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org >
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 19:01:28 +00:00
Matthias Fischer
a92ede2487
clamav: Update to 0.102.0
...
For details see:
https://blog.clamav.net/2019/10/clamav-01020-has-been-released.html
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org >
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 19:01:02 +00:00
Matthias Fischer
d46c0db060
nano: Update to 4.5
...
For details see:
https://www.nano-editor.org/news.php
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org >
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 19:00:26 +00:00
Erik Kapfer
1da6583980
tshark: Update to version 3.0.5
...
The jump from 3.0.2 to 3.0.5 includes several bugfixes, updated protocols and new and updated capture support.
The complete release notes can be found here --> https://www.wireshark.org/docs/relnotes/ .
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org >
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 18:57:43 +00:00
Arne Fitzenreiter
5fe5334daa
core137: ship strongswan and vpnmain.cgi
...
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 18:56:47 +00:00
Michael Tremer
d47b2cc28b
IPsec: Add support for Curve448
...
This is supported since strongswan 5.7.2 and is a good alternative
to Curve25519 because Curve448 is almost equally secure but performs
faster.
https://en.wikipedia.org/wiki/Curve448
This is enabled by default although we do not expect many other
implementations to be able to support this.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org >
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 18:53:23 +00:00
Michael Tremer
4dde3dd50f
strongswan: Update 5.8.1
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org >
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 18:53:13 +00:00
Michael Tremer
9875e9f2ae
speedtest-cli: New package
...
This is a CLI implementation to test the speed of an internet
connection.
I find this quite useful when there is no access to a client
computer on the network and this will give you a rough idea
about the connection speed.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org >
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 18:52:47 +00:00
Stephan Feddersen
ff599b6767
WIO: Add fr language
...
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 18:52:17 +00:00
Stephan Feddersen
b64b3c110e
WIO: Add french translation file
...
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 18:52:05 +00:00
Arne Fitzenreiter
f1e1e9072d
core137: ship updated unbound initscript
...
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 18:50:04 +00:00
peter.mueller@ipfire.org
70cd5c42f0
firewall: always allow outgoing DNS traffic to root servers
...
Allowing outgoing DNS traffic (destination port 53, both TCP
and UDP) to the root servers is BCP for some reasons. First,
RFC 5011 assumes resolvers are able to fetch new trust anchors
from the root servers for a certain time period in order to
do key rollovers.
Second, Unbound shows some side effects if it cannot do trust
anchor signaling (see RFC 8145) or fetch the current trust anchor,
resulting in SERVFAILs for arbitrary requests for a few minutes.
There is little security implication of allowing DNS traffic
to the root servers: An attacker might abuse this for exfiltrating
data via DNS queries, but is unable to infiltrate data unless
he gains control over at least one root server instance. If
there is no firewall ruleset in place which prohibits any other
DNS traffic than to chosen DNS servers, this patch will not
have security implications at all.
The second version of this patch does not use an unnecessary xargs
call, nor does it change anything else not related to this issue.
Fixes #12183
Cc: Michael Tremer <michael.tremer@ipfire.org >
Suggested-by: Horace Michael <horace.michael@gmx.com >
Signed-off-by: Peter Müller <peter.mueller@ipfire.org >
Acked-by: Michael Tremer <michael.tremer@ipfire.org >
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 18:48:40 +00:00
Michael Tremer
974d86532f
unbound: Add option to force using TCP for upstream servers
...
Some users have problems reaching DNS servers. This change adds an option
which allows forcing the use of TCP for upstream name servers.
This is a good workaround for users behind a broken Fritz!Box in modem
mode which does not allow resolving any records of the root zone.
The name server tests in the script will also only use TCP.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org >
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 18:42:18 +00:00
Michael Tremer
f003a07936
shairport-sync: Update to 3.3.2
...
This version now requires libdaemon and brings various improvements
for sound quality and stability.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org >
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 18:40:26 +00:00
Michael Tremer
1ad45a5a09
sane: Update to 1.0.28
...
This patch updates the package and removes the sanedloop script
which was needed to launch saned, but that program can now run
in standalone mode.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org >
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 18:39:47 +00:00
Arne Fitzenreiter
c132fed64d
core137: ship suricata
...
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 18:38:52 +00:00
Matthias Fischer
dbf1ae2a10
suricata: Update to 4.1.5
...
Changelog:
"4.1.5 -- 2019-09-24
Feature #3068 : protocol parser: vxlan (4.1.x)
Bug #2841 : False positive alerts firing after upgrade suricata 3.0 -> 4.1.0 (4.1.x)
Bug #2966 : filestore (v1 and v2): dropping of "unwanted" files (4.1.x)
Bug #3008 : rust: updated libc crate causes deprecation warnings (4.1.x)
Bug #3044 : tftp: missing logs because of broken tx handling (4.1.x)
Bug #3067 : GeoIP keyword depends on now discontinued legacy GeoIP database (4.1.x)
Bug #3094 : Fedora rawhide af-packet compilation err (4.1.x)
Bug #3123 : bypass keyword: Suricata 4.1.x Segmentation Faults (4.1.x)
Bug #3129 : Fixes warning about size of integers in string formats (4.1.x)
Bug #3159 : SC_ERR_PCAP_DISPATCH with message "error code -2" upon rule reload completion (4.1.x)
Bug #3164 : Suricata 4.1.4: NSS Shutdown triggers crashes in test mode
Bug #3168 : tls: out of bounds read
Bug #3170 : defrag: out of bounds read
Bug #3173 : ipv4: ts field decoding oob read
Bug #3175 : File_data inspection depth while inspecting base64 decoded data (4.1.x)
Bug #3184 : decode/der: crafted input can lead to resource starvation
Bug #3186 : Multiple Content-Length headers causes HTP_STREAM_ERROR (4.1.x)
Bug #3187 : GET/POST HTTP-request with no Content-Length, http_client_body miss (4.1.x)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org >
Reviewed-by: Stefan Schantl <stefan.schantl@ipfire.org >
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 18:37:29 +00:00
Matthias Fischer
80d5bb76dd
iproute2: Update to 5.3.0
...
For details see:
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/log/?h=v5.3.0
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org >
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 18:37:03 +00:00
Arne Fitzenreiter
563ac9b13e
core137: ship knot
...
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 18:36:24 +00:00
Matthias Fischer
5725768496
knot: Update to 2.8.4
...
For details see:
https://www.knot-dns.cz/2019-09-24-version-284.html
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org >
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 18:35:16 +00:00
peter.mueller@ipfire.org
b9921169b1
mtr: update to 0.93
...
Signed-off-by: Peter Müller <peter.mueller@ipfire.org >
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org >
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 18:33:55 +00:00
peter.mueller@ipfire.org
65c295e923
Tor: update to 0.4.1.6
...
Please refer to https://blog.torproject.org/new-release-tor-0416 for
release notes. This patch has to be applied after applying 9fb607ef6
(https://patchwork.ipfire.org/patch/2407/ ), which was not merged at
the time of writing.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org >
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org >
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 18:31:31 +00:00
peter.mueller@ipfire.org
a85a7a60fc
firewall: raise log rate limit for user generated rules, too
...
Having raised the overall log rate limit to 10 packets per second
in Core Update 136, this did not affect rules generated by the
user. In order to stay consistent, this patch also raises log rate
limit for these.
In order to avoid side effects on firewalls with slow disks, it
was probably better to touch these categories separately, so testing
users won't be DoSsed instantly. :-)
Signed-off-by: Peter Müller <peter.mueller@ipfire.org >
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org >
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 18:30:31 +00:00
Arne Fitzenreiter
e60dde5f53
core137: ship Net_SSLeay
...
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 18:26:22 +00:00
Erik Kapfer
24f9c830eb
Net-SSLeay: Update to version 1.88
...
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org >
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org >
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 18:24:32 +00:00
Matthias Fischer
3ec5d6c062
nano: Update to 4.4
...
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org >
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org >
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 18:22:27 +00:00
Arne Fitzenreiter
0e081a25f7
core137: ship libssh
...
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 18:21:17 +00:00
Michael Tremer
95180fe563
bird: Update to 2.0.6
...
Minor update which will enable support for RPKI because libssh is
now present.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org >
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 18:19:35 +00:00
Michael Tremer
1df47cc9ee
libssh: New package
...
This is required by Bird to support RPKI.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org >
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 18:19:33 +00:00
Arne Fitzenreiter
dcf1a61f5b
core137: ship updated logrotate.conf
...
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 18:17:44 +00:00
Matthias Fischer
686ada3158
Added Mail log file to '/etc/logrotate.conf'
...
Fixes Bug #12155 : logrotate wasn't set up to rotate this file.
For details see:
https://bugzilla.ipfire.org/show_bug.cgi?id=12155
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org >
Acked-by: Michael Tremer <michael.tremer@ipfire.org >
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 18:17:06 +00:00
Arne Fitzenreiter
dbcb1c99d2
core137: ship tzdata
...
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 18:14:43 +00:00
Matthias Fischer
71adb8b98f
tzcode / tzdata: Update to 2019c
...
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org >
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org >
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 18:13:22 +00:00
Arne Fitzenreiter
c9ef22a019
core137: ship wpa_supplicant
...
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 18:10:23 +00:00
Matthias Fischer
2fc8d41915
hostapd: Update to 2.9
...
For details see:
https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org >
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org >
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 18:09:10 +00:00
Matthias Fischer
19addaa5aa
wpa_supplicant: Update to 2.9
...
For details see:
https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org >
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org >
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2019-10-08 18:09:08 +00:00