webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-15 13:32:59 +02:00
Code Issues Packages Projects Releases Wiki Activity
14,097 Commits 2 Branches 1 Tag
c8dcd46537bebe4f59cd7c22d09c45e98bfecb1f
Commit Graph

3630 Commits

Author SHA1 Message Date
Michael Tremer
35b892b0dd pakfire: Drop old key import mechanism 
This was error-prone and allowed to potentially inject another
key.

Fixes: #11539
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-03-16 14:37:21 +00:00
Michael Tremer
7d995c9f56 installer: Import the Pakfire key at install time 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-03-16 14:33:42 +00:00
Michael Tremer
5e5c2e5413 Import new Pakfire Signing Key 
We will swap the key that we use to sign Pakfire packages
since the current one is considered outdated cryptography.

Fixes: #11539

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-03-16 14:26:07 +00:00
Stephan Feddersen via Development
c1fc92a9b8 WIO: Fix a problem with the Network-Table-Button 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-03-09 15:39:52 +00:00
Stephan Feddersen via Development
cc222a8e62 WIO: Fix some typos 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-03-09 15:39:50 +00:00
Stephan Feddersen via Development
a25c95b3a0 WIO: Update to Version 1.3.2 several changes in many files 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-03-09 15:39:48 +00:00
Matthias Fischer
cc4816a1af clamav 0.99.4: removed gcc patch 
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-03-07 18:43:44 +00:00
Peter Müller
438da7e0a0 test if nameservers with DNSSEC support return "ad"-flagged data 
DNSSEC-validating nameservers return an "ad" (Authenticated Data)
flag in the DNS response header. This can be used as a negative
indicator for DNSSEC validation: In case a nameserver does not
return the flag, but failes to look up a domain with an invalid
signature, it does not support DNSSEC validation.

This makes it easier to detect nameservers which do not fully
comply to the RFCs or try to tamper DNS queries.

See bug #11595 (https://bugzilla.ipfire.org/show_bug.cgi?id=11595) for further details.

The second version of this patch avoids unnecessary usage of
grep. Thanks to Michael Tremer for the hint.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-03-05 15:19:55 +00:00
Peter Müller via Development
5929493445 set OpenSSL 1.1.0 DEFAULT cipher list to secure value 
Only use secure cipher list for the OpenSSL DEFAULT list:
* ECDSA is preferred over RSA since it is faster and more scalable
* TLS 1.2 suites are preferred over anything older
* weak ciphers such as RC4 and 3DES have been eliminated
* AES-GCM is preferred over AES-CBC (known as "mac-then-encrypt" problem)
* ciphers without PFS are moved to the end of the cipher list

This patch leaves AES-CCM, AES-CCM8 and CHACHA20-POLY1305 suites
where they are since they are considered secure and there is no
need to change anything.

The DEFAULT cipher list is now (output of "openssl ciphers -v"):

ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM8(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM8 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM8(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(128) Mac=SHA256
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(256) Mac=SHA384
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(128) Mac=SHA256
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES256-CCM8     TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM8(256) Mac=AEAD
DHE-RSA-AES256-CCM      TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-CCM8     TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM8(128) Mac=AEAD
DHE-RSA-AES128-CCM      TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-CCM8             TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM8(256) Mac=AEAD
AES256-CCM              TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM(256) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-CCM8             TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM8(128) Mac=AEAD
AES128-CCM              TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
CAMELLIA256-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
CAMELLIA128-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1

This has been discussed at 2017-12-04 (https://wiki.ipfire.org/devel/telco/2017-12-04)
and for a similar patch written for OpenSSL 1.0.x.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-02-28 11:45:03 +00:00
Arne Fitzenreiter
1a7cfc2f10 Merge remote-tracking branch 'origin/core119' into kernel-4.14 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2018-02-27 12:38:18 +01:00
Michael Tremer
0eccedd1c8 dhcp: Allow adding extra DHCP interfaces 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-02-26 11:12:20 +00:00
Michael Tremer
9434bffaf2 Merge branch 'openssl-11' into next 2018-02-21 12:21:10 +00:00
Michael Tremer
0f354672a2 flac: Update to 1.3.2 
The previous version fails to build on i586

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-02-16 19:14:33 +00:00
Michael Tremer
2d5940daca Drop MySQL 
This is outdated and still on 5.0.x and nobody volunteered to
update this package.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-02-12 12:05:46 +00:00
Michael Tremer
a350ea6dea Drop mISDN userspace tools 
This is unsupported for quite a while and nobody should be using this.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-02-12 11:41:50 +00:00
Michael Tremer
11e78f38b9 Package openssl-compat (1.0.2.n) 
This is provided for compatibility with binaries that have
been compiled against this version of OpenSSL.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-02-11 22:19:45 +00:00
Michael Tremer
7e63e4f806 transmission: Patch to build against OpenSSL 1.1 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-02-11 22:19:45 +00:00
Michael Tremer
0d0fe16e22 net-snmp: Patch to build against OpenSSL 1.1 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-02-11 22:19:45 +00:00
Michael Tremer
3b10b31303 elinks: Patch to build against OpenSSL 1.1 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-02-11 22:19:45 +00:00
Michael Tremer
07b8dcd0b2 openssh: Update to 7.6p1 and patch against OpenSSL 1.1 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-02-11 22:19:45 +00:00
Michael Tremer
5a9bbaa93d openssl: Update to version 1.1 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-02-11 22:19:45 +00:00
Michael Tremer
e9e3dd9fee qemu: Make it build with newer glibcs 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-02-11 20:56:12 +00:00
Michael Tremer
c19196e1c5 nfs: Fix building with newer glibcs 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-02-11 20:56:12 +00:00
Michael Tremer
ce7f9c3a0e libtirpc: Fix build against newer glibcs 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-02-11 20:56:12 +00:00
Michael Tremer
f794504ec6 dma: Don't only use TLSv1 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-02-11 20:56:12 +00:00
Michael Tremer
65a75e0ddf glibc: Update to 2.27 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-02-11 20:56:12 +00:00
Michael Tremer
f1a5a25a40 flex: Patch against SEGV with newer glibc 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-02-11 20:56:12 +00:00
Michael Tremer
6ffe2da8c9 iproute2: Update to 4.14.1 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-02-11 20:56:12 +00:00
Michael Tremer
f6b0901df9 hostname: Update to 3.20 
Drops dependency to obsolete RPCSVC code in glibc.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-02-11 20:56:12 +00:00
Michael Tremer
dca7011c1f make: Patch against SEGV when using globbing functions 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-02-11 20:56:12 +00:00
Michael Tremer
85439ac74c toolchain: Add bison 
This is required by glibc 2.27

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-02-11 20:56:12 +00:00
Arne Fitzenreiter
11b5e5cb8e toolchain: update to gcc-7.3.0 and enable retpolines on x86_64 and i586 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2018-02-11 20:56:12 +00:00
Arne Fitzenreiter
27ee5072c5 mdadm: fix build with gcc-7 2018-02-11 20:56:12 +00:00
Arne Fitzenreiter
eaec148fd8 sarg: update to 2.3.11 (needed for gcc-7) 2018-02-11 20:56:12 +00:00
Michael Tremer
c7e41255bb unbound: Fix reverse lookup zones 
These should be stubs and overlay the internal zones that
unbound comes with.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Fixes: #11625
 2018-02-11 17:44:21 +00:00
Arne Fitzenreiter
be13dd4818 Merge remote-tracking branch 'origin/master' into kernel-4.14 2018-02-10 09:54:55 +01:00
Michael Tremer
3925a0db6c syslogdctrl: Fix sed syntax issues 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-01-30 20:54:46 +00:00
Arne Fitzenreiter
97e4adb8fd Merge remote-tracking branch 'origin/next' into kernel-4.14 2018-01-28 11:24:12 +01:00
Matthias Fischer
9a57c6cdd3 clamav: Update to 0.99.3 
Excerpt from 'README':

"ClamAV 0.99.3 is a hotfix release to patch a set of vulnerabilities.

- fixes for the following CVE's: CVE-2017-6418, CVE-2017-6420,
  CVE-2017-12374, CVE-2017-12375, CVE-2017-12376, CVE-2017-12377,
  CVE-2017-12378, CVE-2017-12379, CVE-2017-12380.
- also included are 2 minor fixes to properly detect openssl install
  locations on FreeBSD 11, and prevent false warnings about zlib 1.2.1#
  version numbers."

For details see:
http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-01-27 16:26:45 +00:00
Arne Fitzenreiter
09cdb999da Merge remote-tracking branch 'arne_f/gcc-7-retpol' into kernel-4.14 2018-01-27 10:26:11 +01:00
Arne Fitzenreiter
7520b95a8b toolchain: update to gcc-7.3.0 and enable retpolines on x86_64 and i586 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2018-01-26 20:48:08 +01:00
Arne Fitzenreiter
33e3a1bd84 mdadm: fix build with gcc-7 2018-01-26 12:23:00 +01:00
Arne Fitzenreiter
38391953e0 sarg: update to 2.3.11 (needed for gcc-7) 2018-01-26 12:20:57 +01:00
Michael Tremer
3ed1c621cf Revert "Add Intel microcode updates from Jan 2018" 
This reverts commit d404b1dba2.

Intel has pulled these microcode updates because of
random system reboots and systems becoming unstable.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-01-24 16:08:22 +00:00
Erik Kapfer
adf3f4f4fe LZ4: New compression library. 
New lossless data compression algorithm.

Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-01-23 13:20:58 +00:00
Matthias Fischer
eb03c511fd squid 3.5.27: Patch for SA 2018:2 
As announced, here is the second patch for 'squid 3.5.27'.

For details about this and the previous patch (2018_1) regarding "ESI Response
processing" and "HTTP message processing", see:

http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-announce-ADVISORY-SQUID-2018-1-Denial-of-Service-issue-in-ESI-Response-processing-tp4684618.html

http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-announce-ADVISORY-SQUID-2018-2-Denial-of-Service-issue-in-HTTP-Message-processing-td4684617.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-01-23 13:08:19 +00:00
Matthias Fischer
101765c0fd squid 3.5.27: Patch for SA 2018:1 
http://www.squid-cache.org/Versions/v3/3.5/changesets/

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-01-23 13:07:43 +00:00
Michael Tremer
1e7b718cd4 syslogdctrl: Fix compiler error and SEGV 
Fixes #11574

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-01-20 14:51:40 +00:00
Michael Tremer
07e63f6d2a Revert "misc-progs: syslogdctrl: Fix data type of protocol variable" 
This reverts commit b269686f88.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-01-20 14:45:10 +00:00
Jonatan Schlag
2da45fe0e1 dmidecode: update to version 3.1 
The removed patches are included in this version so there is no need
that we apply them.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2018-01-20 14:33:52 +00:00