fix: EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971)
Severity: High
The X.509 GeneralName type is a generic type for representing different types
of names. One of those name types is known as EDIPartyName. OpenSSL provides a
function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME
to see if they are equal or not. This function behaves incorrectly when both
GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash
may occur leading to a possible denial of service attack.
OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes:
1) Comparing CRL distribution point names between an available CRL and a CRL
distribution point embedded in an X509 certificate
2) When verifying that a timestamp response token signer matches the timestamp
authority name (exposed via the API functions TS_RESP_verify_response and
TS_RESP_verify_token)
If an attacker can control both items being compared then that attacker could
trigger a crash. For example if the attacker can trick a client or server into
checking a malicious certificate against a malicious CRL then this may occur.
Note that some applications automatically download CRLs based on a URL embedded
in a certificate. This checking happens prior to the signatures on the
certificate and CRL being verified. OpenSSL's s_server, s_client and verify
tools have support for the "-crl_download" option which implements automatic
CRL downloading and this attack has been demonstrated to work against those
tools.
Note that an unrelated bug means that affected versions of OpenSSL cannot parse
or construct correct encodings of EDIPARTYNAME. However it is possible to
construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence
trigger this attack.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Otherwise the WUI is not allowed to put and release the nobeep file in
this folder and the desired functionality does not work.
Fixes#12385.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This patch disables the output of 'iptables' in 'summary.dat' by
modifying '/usr/share/conf/logwatch.conf'.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The package requires more libraries than libtalloc from
the samba package and therefore we need this dependency
again.
Fixes: #12538
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Added a backup/includes file for apcupsd to backup the
/etc/apcupsd/ directory where all the configuration files
are stored. Currently there is no backup available to
save the state of any changes carried out to the configuration
or action files.
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Full changelog as per https://github.com/speed47/spectre-meltdown-checker/releases/tag/v0.44 :
feat: add support for SRBDS related vulnerabilities
feat: add zstd kernel decompression (#370)
enh: arm: add experimental support for binary arm images
enh: rsb filling: no longer need the 'strings' tool to check for kernel support in live mode
fix: fwdb: remove Intel extract tempdir on exit
fix: has_vmm: ignore kernel threads when looking for a hypervisor (fixes#278)
fix: fwdb: use the commit date as the intel fwdb version
fix: fwdb: update Intel's repository URL
fix: arm64: cve-2017-5753: kernels 4.19+ use a different nospec macro
fix: on CPU parse info under FreeBSD
chore: github: add check run on pull requests
chore: fwdb: update to v165.20201021+i20200616
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Full changelog obtained from: https://cisofy.com/changelog/lynis/#301
- Detection of Alpine Linux
- Detection of CloudLinux
- Detection of Kali Linux
- Detection of Linux Mint
- Detection of macOS Big Sur (11.0)
- Detection of Pop!_OS
- Detection of PHP 7.4
- Malware detection tool: Microsoft Defender ATP
- New flag: --slow-warning to allow tests more time before showing a
warning
- Test TIME-3185 to check systemd-timesyncd synchronized time
- rsh host file permissions
- AUTH-9229 - Added option for LOCKED accounts and bugfix for older bash
versions
- BOOT-5122 - Presence check for grub.d added
- CRYP-7902 - Added support for certificates in DER format
- CRYP-7931 - Added data to report
- CRYP-7931 - Redirect errors (e.g. when swap is not encrypted)
- FILE-6430 - Don't grep nonexistant modprobe.d files
- FIRE-4535 - Set initial firewall state
- INSE-8312 - Corrected text on screen
- KRNL-5728 - Handle zipped kernel configuration correctly
- KRNL-5830 - Improved version detection for non-symlinked kernel
- MALW-3280 - Extended detection of BitDefender
- TIME-3104 - Find more time synchronization commands
- TIME-3182 - Corrected detection of time peers
- Fix: hostid generation routine would sometimes show too short IDs
- Fix: language detection
- Generic improvements for macOS
- German translation updated
- End-of-life database updated
- Several minor code enhancements
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The pacificnew file has been dropped by IANA. Adding the "factory" file
makes sense to have a reasonable default in case the time zone is
unknown, which, however, should not happen in case of IPFire 2.x - just
trying to be consistent here.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Those fix some unintentional behaviour regarding autocompletion I
stumbled across the other day. While there seems nothing security
relevant in this, it irons out a few bugs.
The full and up-to-date list of all Bash 5.0 patches can be obtained
from https://ftp.gnu.org/gnu/bash/bash-5.0-patches/ .
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
