webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-22 17:02:58 +02:00
Code Issues Packages Projects Releases Wiki Activity
13,527 Commits 2 Branches 1 Tag
d3e88203308ea22105d12d6ebfb08f81e0efbdc8
Commit Graph

5880 Commits

Author SHA1 Message Date
Arne Fitzenreiter
15ca18a3d9 Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next 2019-06-18 18:42:02 +02:00
Arne Fitzenreiter
82c279a518 kernel: update to 4.14.127 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-06-18 18:41:19 +02:00
Matthias Fischer
2f278de868 unbound: Update to 1.9.2 
For details see:
https://nlnetlabs.nl/pipermail/unbound-users/2019-June/011632.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-17 17:39:37 +01:00
Arne Fitzenreiter
f5662122b5 hyperscan: increase min RAM per buildprocess to 1GB 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-06-14 22:09:47 +02:00
Peter Müller
69772b7dda OpenSSL: lower priority for CBC ciphers in default cipherlist 
In order to avoid CBC ciphers as often as possible (they contain
some known vulnerabilities), this changes the OpenSSL default
ciphersuite to:

TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(128) Mac=SHA256
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
CAMELLIA256-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
CAMELLIA128-SHA256      TLSv1.2 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1

Since TLS servers usually override the clients' preference with their
own, this will neither break existing setups nor introduce huge
differences in the wild. Unfortunately, CBC ciphers cannot be disabled
at all, as they are still used by popular web sites.

TLS 1.3 ciphers will be added implicitly and can be omitted in the
ciphersting. Chacha20/Poly1305 is preferred over AES-GCM due to missing
AES-NI support for the majority of installations reporting to Fireinfo
(see https://fireinfo.ipfire.org/processors for details, AES-NI support
is 28.22% at the time of writing).

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-12 17:24:00 +01:00
Peter Müller
fa7de475fe Tor: fix permissions after updating, too 
Fixes #12088

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reported-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-12 05:45:42 +01:00
Matthias Fischer
33fb0c91ec wpa_supplicant: Update to 2.8 
For details see:
https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-11 07:00:05 +01:00
Matthias Fischer
3f7cec61c9 hostapd: Update to 2.8 
For details see:
https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-10 09:45:54 +01:00
Matthias Fischer
d52b5a4c22 knot: Update to 2.8.2 
For details see:
https://www.knot-dns.cz/2019-06-05-version-282.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-07 11:12:35 +01:00
Erik Kapfer
21a8382383 suricata: Enable EVE logging 
The EVE output facility outputs alerts, metadata, file info and protocol specific records through JSON.
for further informations please see --> https://suricata.readthedocs.io/en/suricata-4.1.2/output/eve/index.html .

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Acked-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-05 12:44:49 +01:00
Tim FitzGeorge
a5ba473c15 suricata: correct rule actions in IPS mode 
In IPS mode rule actions need to be have the action 'drop' for the
protection to work, however this is not appropriate for all rules.
Modify the generator for oinkmaster-modify-sids.conf to leave
rules with the action 'alert' here this is appropriate.  Also add
a script to be run on update to correct existing downloaded rules.

Fixes #12086

Signed-off-by: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
Tested-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-05 12:39:57 +01:00
Matthias Fischer
0105cedb0d linux-pam: Update to 1.3.1 
For details see:
https://github.com/linux-pam/linux-pam/releases

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-04 23:32:06 +01:00
Matthias Fischer
83d4264eba rrdtool: Update to 1.7.2 
For details see:
https://oss.oetiker.ch/rrdtool/pub/CHANGES

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-04 23:31:11 +01:00
sfeddersen
2a1c173589 BUG 11487:solve problem with unexspected shutdown 
Solve problem with unexspected shutdown problem when checking a single client.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-04 23:31:07 +01:00
Matthias Fischer
7c1bbc9339 monit: Update to 5.25.3 
For details see:
https://mmonit.com/monit/changes/

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-06-02 22:48:59 +01:00
Michael Tremer
b0ec4158f3 miau: Drop package 
This is not maintained since 2010

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-29 15:24:29 +01:00
Michael Tremer
f62f432a27 openssl: Update to 1.1.1c 
Fixes CVE-2019-1543

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-29 13:51:48 +01:00
Michael Tremer
7b6d2972e3 strongswan: Update to 5.8.0 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-28 13:05:50 +01:00
Erik Kapfer
3c8aa8d75b tshark: Update to 3.0.2 
Incl. one vulnerability and several bug fixes. For full overview --> https://www.wireshark.org/docs/relnotes/wireshark-3.0.2.html .

- Disabled geoip support since libmaxminddb is not presant.
- Added dictionary in ROOTFILE to prevent "radius: Could not open file: '/usr/share/wireshark/radius/dictionary' " .
- Added CMAKE build type
- Removed profile examples and htmls completly from ROOTFILE.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-28 12:29:36 +01:00
Michael Tremer
4e54a8e2d6 ccache: Automatically set size to 8GB 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-28 12:01:57 +01:00
Michael Tremer
c9b7fc40c0 hyperscan: Limit amount of memory being used during build 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-28 11:36:06 +01:00
Michael Tremer
29fc1c8c3a ddns: Update to 011 
Add support for two new providers and has some general bug fixes
included.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-27 16:25:01 +01:00
Michael Tremer
21f2107697 tor: Ship updated CGI 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-27 15:47:02 +01:00
Stefan Schantl
52ebc66bba hyperscan: New package 
This package adds hyperscan support to suricata

Fixes #12053.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-27 14:40:14 +01:00
Stefan Schantl
2348cfffcf ragel: New package 
This is a build dependency of hyperscan

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-27 14:40:03 +01:00
Stefan Schantl
1a5f064916 colm: New package 
This is a build dependency of ragel, which is a build dependency of
hyperscan.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-27 14:39:32 +01:00
Stefan Schantl
0f75603f23 asterisk: Remove dependency to jansson. 
The package has become part of the main system.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-27 14:39:19 +01:00
Stefan Schantl
616395f37c jansson: Move to core system and update to 2.12 
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-27 14:39:00 +01:00
Michael Tremer
333125abf8 Merge branch 'toolchain' into next 2019-05-24 06:55:03 +01:00
Michael Tremer
9f0295a512 Merge remote-tracking branch 'ms/faster-build' into next 2019-05-24 06:54:16 +01:00
Matthias Fischer
d2b5f03631 squid: Update to 4.7 
For details see:

http://www.squid-cache.org/Versions/v4/changesets/

Fixes among other things the old 'filedescriptors' problem, so this patch was deleted.

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-24 06:37:50 +01:00
Matthias Fischer
f225f3ee29 bind: Update to 9.11.7 
For details see:
http://ftp.isc.org/isc/bind9/9.11.7/RELEASE-NOTES-bind-9.11.7.html

"Security Fixes

  The TCP client quota set using the tcp-clients option could be exceeded in some cases.
  This could lead to exhaustion of file descriptors.
  This flaw is disclosed in CVE-2018-5743. [GL #615]"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-24 06:36:55 +01:00
Michael Tremer
f8c23b43b7 tor: Depend on libseccomp 
Suggested-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-23 01:50:29 +01:00
Arne Fitzenreiter
716f00b116 kernel: update to 4.14.121 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-05-21 20:42:51 +02:00
Arne Fitzenreiter
b0d31edbd6 vnstat: fix errormessage at first boot 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-05-21 20:36:16 +02:00
Arne Fitzenreiter
6d37280f3e configroot: create main/security settings file 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-05-21 15:03:21 +02:00
Michael Tremer
6a83dbb451 SMT: Apply settings according to configuration 
SMT can be forced on.

By default, all systems that are vulnerable to RIDL/Fallout
will have SMT disabled by default.

Systems that are not vulnerable to that will keep SMT enabled.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-20 21:30:26 +01:00
Michael Tremer
b06288b74d spectre-meltdown-checker: Update to 0.41 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-20 18:04:49 +01:00
Erik Kapfer
ffcef39d40 tshark: New addon 
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-20 10:44:04 +01:00
Michael Tremer
f8f4cd6660 tor: Bump release version 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-20 10:09:26 +01:00
Arne Fitzenreiter
16cb73d901 kernel: update to 4.14.120 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-05-17 07:10:52 +02:00
Arne Fitzenreiter
d099196501 kernel: update to 4.14.119 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-05-16 14:26:04 +02:00
Arne Fitzenreiter
29b907c677 intel-microcode: update to 20190514 
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
 2019-05-15 13:17:26 +02:00
Michael Tremer
ad794614cd xtables-addons: Explicitely add path for alternative kernels 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-12 10:21:32 +01:00
Michael Tremer
3f60a1e10e linux: Fix touching incorrect version.h 
This file has moved and the touch command created an empty version
of the file which caused that builds depending on that did not
complete.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-12 10:20:57 +01:00
Michael Tremer
c1e8c954bd linux: objtool does not exist on all platforms 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-12 09:28:10 +01:00
Michael Tremer
9d959ac151 igmpproxy: Update to 0.2.1 
This updates the package to its latest upstream version and should
be able to support IGMPv3.

Fixes: #12074
Suggested-by: Marc Roland <marc.roland@outlook.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-11 02:20:15 +01:00
Michael Tremer
0aa8284905 xtables-addons: Automatically detect location of kernel source 
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-10 10:25:46 +01:00
Michael Tremer
0ad5f6a1fc linux: Install kernel build system to /lib/modules 
This is necessary so that we can clean up /usr/src after
each build and do not waste any space on the massive kernel
source.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-10 10:12:50 +01:00
Michael Tremer
3966b1e58f iptables: Fix build without kernel source 
The layer7 filter header files were not installed into /usr/include
and therefore we needed to keep the whole kernel source tree.

This is just a waste of space and this patch fixes this.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
 2019-05-10 04:55:49 +01:00