For details see:
https://downloads.isc.org/isc/bind9/9.11.20/RELEASE-NOTES-bind-9.11.20.html
"Security Fixes
It was possible to trigger an INSIST failure when a zone with
an interior wildcard label was queried in a certain pattern. This
was disclosed in CVE-2020-8619. [GL #1111] [GL #1718]
New Features
dig and other tools can now print the Extended DNS Error (EDE)
option when it appears in a request or a response. [GL #1835]
Bug Fixes
When fully updating the NSEC3 chain for a large zone via IXFR,
a temporary loss of performance could be experienced on the
secondary server when answering queries for nonexistent data that
required DNSSEC proof of non-existence (in other words, queries that
required the server to find and to return NSEC3 data). The
unnecessary processing step that was causing this delay has now been
removed. [GL #1834]
A data race in lib/dns/resolver.c:log_formerr() that could lead
to an assertion failure was fixed. [GL #1808]
Previously, provide-ixfr no; failed to return up-to-date responses
when the serial number was greater than or equal to the current
serial number. [GL #1714]
named-checkconf -p could include spurious text in server-addresses
statements due to an uninitialized DSCP value. This has been fixed.
[GL #1812]
The ARM has been updated to indicate that the TSIG session key is
generated when named starts, regardless of whether it is needed. [GL
#1842]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
For details see:
https://lists.gnupg.org/pipermail/gnutls-help/2020-June/004648.html
"** libgnutls: Fixed insecure session ticket key construction, since 3.6.4.
The TLS server would not bind the session ticket encryption key with a
value supplied by the application until the initial key rotation, allowing
attacker to bypass authentication in TLS 1.3 and recover previous
conversations in TLS 1.2 (#1011).
[GNUTLS-SA-2020-06-03, CVSS: high]
** libgnutls: Fixed handling of certificate chain with cross-signed
intermediate CA certificates (#1008).
** libgnutls: Fixed reception of empty session ticket under TLS 1.2 (#997).
** libgnutls: gnutls_x509_crt_print() is enhanced to recognizes commonName
(2.5.4.3), decodes certificate policy OIDs (!1245), and prints Authority
Key Identifier (AKI) properly (#989, #991).
** certtool: PKCS #7 attributes are now printed with symbolic names (!1246).
** libgnutls: Added several improvements on Windows Vista and later releases
(!1257, !1254, !1256). Most notably the system random number generator now
uses Windows BCrypt* API if available (!1255).
** libgnutls: Use accelerated AES-XTS implementation if possible (!1244).
Also both accelerated and non-accelerated implementations check key block
according to FIPS-140-2 IG A.9 (!1233).
** libgnutls: Added support for AES-SIV ciphers (#463).
** libgnutls: Added support for 192-bit AES-GCM cipher (!1267).
** libgnutls: No longer use internal symbols exported from Nettle (!1235)
** API and ABI modifications:
GNUTLS_CIPHER_AES_128_SIV: Added
GNUTLS_CIPHER_AES_256_SIV: Added
GNUTLS_CIPHER_AES_192_GCM: Added
gnutls_pkcs7_print_signature_info: Added"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
There is not enough stuff that it is justified to have an own file.
This patch therefore merges everything into general-functions.pl.
There are no functional changes.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.11.19/RELEASE-NOTES-bind-9.11.19.html
"Security Fixes
To prevent exhaustion of server resources by a maliciously
configured domain, the number of recursive queries that can be
triggered by a request before aborting recursion has been further
limited. Root and top-level domain servers are no longer exempt from
the max-recursion-queries limit. Fetches for missing name server
address records are limited to 4 for any domain. This issue was
disclosed in CVE-2020-8616. [GL #1388]
Replaying a TSIG BADTIME response as a request could trigger
an assertion failure. This was disclosed in CVE-2020-8617. [GL
#1703]
Feature Changes
Message IDs in inbound AXFR transfers are now checked for
consistency. Log messages are emitted for streams with inconsistent
message IDs. [GL #1674]
Bug Fixes
When running on a system with support for Linux capabilities, named
drops root privileges very soon after system startup. This was
causing a spurious log message, "unable to set effective uid to 0:
Operation not permitted", which has now been silenced. [GL #1042]
[GL #1090]
When named-checkconf -z was run, it would sometimes incorrectly set
its exit code. It reflected the status of the last view found;
if zone-loading errors were found in earlier configured views but
not in the last one, the exit code indicated success. Thanks
to Graham Clinch. [GL #1807]
When built without LMDB support, named failed to restart after
a zone with a double quote (") in its name was added with rndc
addzone. Thanks to Alberto Fernández. [GL #1695]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Since more processes depend on good randomness, we need to
make sure that the kernel's PRNG is initialized as early as
possible.
For systems without a HWRNG, we will need to fall back to our
noisy loop and wait until we have enough randomness.
This patch also removes saving and restoring the seed. This
is no longer useful because the kernel's PRNG only takes any
input after it has successfully been seeded from other sources.
Hence adding this seed does not increase its randomness.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
We should initialise the kernel's PRNG as early as we can.
Starting rngd very early will seed the random number generator
when RDRAND or other hardware random number generators are available.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
We have loads of packages linked against the older
version which is difficult to update.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This patch removes slapd which is unused in IPFire.
Everything linked against the old version needs to
be shipped with this update.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This script is called when an OpenVPN Roadwarrior client
connects or disconnect and logs the start and duration
of the session.
This can be used to monitor session duration and data transfer.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This reverts commit 3bcd393e18.
this has a corrupt rootfile:
Error! '/x86_64' in rootfiles files found!
./config/rootfiles/common/libwww-perl:#usr/lib/perl5/site_perl/5.30.0/x86_64-linux-thread-multi/auto/libwww
./config/rootfiles/common/libwww-perl:#usr/lib/perl5/site_perl/5.30.0/x86_64-linux-thread-multi/auto/libwww/perl
./config/rootfiles/common/libwww-perl:usr/lib/perl5/site_perl/5.30.0/x86_64-linux-thread-multi/auto/libwww/perl/.packlist
Replace by MACHINE !
and if i fix this it break pakfire.
