Alexander Marx
83ba0896f6
Captive-portal: Add directory for logo upload
...
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org >
2017-09-22 18:54:45 +01:00
Michael Tremer
fb1d26d1bc
captivectrl: Add protection against DNS tunnels
...
Limit the amount of DNS traffic for each client that
has not registered yet.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org >
2017-09-22 18:54:45 +01:00
Michael Tremer
76ece32362
captivectrl: Skip all lines that start with #
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org >
2017-09-22 18:54:45 +01:00
Alexander Marx
07d56062a9
Captive-Portal: fix cleanup script
...
The cleanup-script did not write back the hash after the expired voucher
was deleted
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org >
2017-09-22 18:54:45 +01:00
Alexander Marx
5dc32e5877
Captive-Portal: add error message when wrong code is entered
...
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org >
2017-09-22 18:54:45 +01:00
Alexander Marx
f3802750ac
Captive-Portal: fix wrong expiretime of unused vouchers
...
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org >
2017-09-22 18:54:45 +01:00
Alexander Marx
facfdcd040
Captive-Portal: fix voucher form
...
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org >
2017-09-22 18:54:45 +01:00
Alexander Marx
6d31cfdd58
Captive-Portal: add logging to syslog
...
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org >
2017-09-22 18:54:44 +01:00
Alexander Marx
e14adf759a
Captive-Portal: Always show licencebox in config
...
Also fix index.cgi to show individual title
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org >
2017-09-22 18:54:03 +01:00
Alexander Marx
c7e78cc62e
Captive-Portal: several design changes
...
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org >
2017-09-22 18:54:03 +01:00
Alexander Marx
e01c5ab71a
Captive-Portal: redesign Webinterface
...
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org >
2017-09-22 18:54:03 +01:00
Alexander Marx
47406df0fe
Captive-Portal: fix some rootfiles
...
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org >
2017-09-22 18:54:03 +01:00
Alexander Marx
a6c985284d
Captive-Portal: add backup-part
...
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org >
2017-09-22 18:54:03 +01:00
Alexander Marx
8ef627839f
Captive-Portal: add captive logdir to apache2 rootfile
...
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org >
2017-09-22 18:54:03 +01:00
Alexander Marx
c04d2de74e
Captive-Portal: add files to configroot rootfile
...
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org >
2017-09-22 18:54:03 +01:00
Alexander Marx
585703d8a3
Captive-Portal: Add files for webinterface to rootfile
...
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org >
2017-09-22 18:54:03 +01:00
Alexander Marx
19cd2b6a7c
Captive-Portal: add vhost config to apache2 rootfile
...
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org >
2017-09-22 18:54:03 +01:00
Alexander Marx
1fc9a43056
Captive-Portal: create dir for captive logfiles
...
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org >
2017-09-22 18:54:03 +01:00
Alexander Marx
5ca163cd82
Captive-Portal: add captive dirs and files to configroot
...
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org >
2017-09-22 18:54:03 +01:00
Alexander Marx
bbaa3613b4
Captive-Portal: add captive chains to firewall initscript
...
When loading the initscript of the firewall the necessary chains for
the captive portal need to be created.
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org >
2017-09-22 18:54:03 +01:00
Alexander Marx
4d9002279f
Captive-Portal: add crontab and cleanup scripts
...
The cleanup script is called every hour and deletes expired clients from
the clients file.
Every night the captivectrl wrapper runs once to flush the chains and
reload rules for active clients.
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org >
2017-09-22 18:54:03 +01:00
Alexander Marx
8b92078917
Captive-Portal: add web-part
...
Introduce new Captive-Portal.
Here we add the menu, apache configuration (vhost), IPFire configuration
website and Captive-Portal Access site. Also the languagefiles are
updated.
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org >
2017-09-22 18:54:03 +01:00
Michael Tremer
cec16b8242
captivectrl: Make sure that the settings are always initialised
...
This just removes a compiler warning.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org >
2017-09-22 18:54:03 +01:00
Michael Tremer
5906c96206
wirelessctrl: Disable MAC filter on blue if captive portal is enabled
...
Fixes #11038
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org >
2017-09-22 18:54:03 +01:00
Michael Tremer
0d6a599aba
captivectrl: Add missing space character
...
The iptables argument list was botched. Oops. Sorry.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org >
2017-09-22 18:54:03 +01:00
Michael Tremer
0c24f0a9df
captivectrl: Support unlimited leases
...
When the expiry time equals zero, the lease will have
no time constraints. The IP address will also be removed
as it might probably change.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org >
2017-09-22 18:54:03 +01:00
Michael Tremer
5fbeaf1333
captivectrl: Allow empty IP addresses
...
Probably required for very long leases
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org >
2017-09-22 18:54:03 +01:00
Michael Tremer
7ef66b6199
captivectrl: Change format of clients configuration
...
We store the start of the lease now and the time in
seconds after the lease expires
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org >
2017-09-22 18:54:03 +01:00
Michael Tremer
ee40139d9a
Captive Portal: add c-wrapper captivectrl
...
This wrapper reads the captive settings and clients and sets the
firewall access rules. It is called every time the config changes or
every time that a client changes. Also this wrapper is later called once
hourly to flush the chains and rebuild rules for actual clients.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org >
Signed-off-by: Alexander Marx <alexander.marx@ipfire.org >
2017-09-22 18:54:03 +01:00
Michael Tremer
c4791488a2
hostapd: Bump package version for updated wlanap.cgi
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org >
2017-09-20 22:23:53 +01:00
Matthias Fischer
5bb906f7a9
Typo in en.pl
...
Fixes typo in
http://git.ipfire.org/?p=people/mfischer/ipfire-2.x.git;a=commit;h=15f19ed85ea3e6944c5fea623eca8ef215eae39e
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org >
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org >
2017-09-20 22:23:21 +01:00
Matthias Fischer
d3790c6a0b
wlanap.cgi: Some cosmetics...
...
- Added missing box heading ('Access Point Configuration') in 'wlanap.cgi'.
- For this to work, added missing string 'wlanap configuration' in translations.
- Changed existing translation strings in 'de.pl' and 'en.pl': 'wlanap' means 'wlan access point', so why is it called
'wlan*ap* access point'?
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org >
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org >
2017-09-20 22:23:19 +01:00
Matthias Fischer
b76d0433be
apache2: Import patch for CVE-2017-9798 ("optionsbleed")
...
Imported from:
https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch
For details see:
https://nvd.nist.gov/vuln/detail/CVE-2017-9798
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org >
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org >
2017-09-20 22:01:50 +01:00
Matthias Fischer
fdff464161
unbound: Update to 1.6.6
...
For details see:
http://www.unbound.net/download.html
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org >
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org >
2017-09-20 22:00:59 +01:00
Matthias Fischer
77090f6d13
tcpdump: Update to 4.9.2
...
Changelog:
"Sunday September 3, 2017 denis@ovsienko.info
Summary for 4.9.2 tcpdump release
Do not use getprotobynumber() for protocol name resolution. Do not do
any protocol name resolution if -n is specified.
Improve errors detection in the test scripts.
Fix a segfault with OpenSSL 1.1 and improve OpenSSL usage.
Clean up IS-IS printing.
Fix buffer overflow vulnerabilities:
CVE-2017-11543 (SLIP)
CVE-2017-13011 (bittok2str_internal)
Fix infinite loop vulnerabilities:
CVE-2017-12989 (RESP)
CVE-2017-12990 (ISAKMP)
CVE-2017-12995 (DNS)
CVE-2017-12997 (LLDP)
Fix buffer over-read vulnerabilities:
CVE-2017-11541 (safeputs)
CVE-2017-11542 (PIMv1)
CVE-2017-12893 (SMB/CIFS)
CVE-2017-12894 (lookup_bytestring)
CVE-2017-12895 (ICMP)
CVE-2017-12896 (ISAKMP)
CVE-2017-12897 (ISO CLNS)
CVE-2017-12898 (NFS)
CVE-2017-12899 (DECnet)
CVE-2017-12900 (tok2strbuf)
CVE-2017-12901 (EIGRP)
CVE-2017-12902 (Zephyr)
CVE-2017-12985 (IPv6)
CVE-2017-12986 (IPv6 routing headers)
CVE-2017-12987 (IEEE 802.11)
CVE-2017-12988 (telnet)
CVE-2017-12991 (BGP)
CVE-2017-12992 (RIPng)
CVE-2017-12993 (Juniper)
CVE-2017-11542 (PIMv1)
CVE-2017-11541 (safeputs)
CVE-2017-12994 (BGP)
CVE-2017-12996 (PIMv2)
CVE-2017-12998 (ISO IS-IS)
CVE-2017-12999 (ISO IS-IS)
CVE-2017-13000 (IEEE 802.15.4)
CVE-2017-13001 (NFS)
CVE-2017-13002 (AODV)
CVE-2017-13003 (LMP)
CVE-2017-13004 (Juniper)
CVE-2017-13005 (NFS)
CVE-2017-13006 (L2TP)
CVE-2017-13007 (Apple PKTAP)
CVE-2017-13008 (IEEE 802.11)
CVE-2017-13009 (IPv6 mobility)
CVE-2017-13010 (BEEP)
CVE-2017-13012 (ICMP)
CVE-2017-13013 (ARP)
CVE-2017-13014 (White Board)
CVE-2017-13015 (EAP)
CVE-2017-11543 (SLIP)
CVE-2017-13016 (ISO ES-IS)
CVE-2017-13017 (DHCPv6)
CVE-2017-13018 (PGM)
CVE-2017-13019 (PGM)
CVE-2017-13020 (VTP)
CVE-2017-13021 (ICMPv6)
CVE-2017-13022 (IP)
CVE-2017-13023 (IPv6 mobility)
CVE-2017-13024 (IPv6 mobility)
CVE-2017-13025 (IPv6 mobility)
CVE-2017-13026 (ISO IS-IS)
CVE-2017-13027 (LLDP)
CVE-2017-13028 (BOOTP)
CVE-2017-13029 (PPP)
CVE-2017-13030 (PIM)
CVE-2017-13031 (IPv6 fragmentation header)
CVE-2017-13032 (RADIUS)
CVE-2017-13033 (VTP)
CVE-2017-13034 (PGM)
CVE-2017-13035 (ISO IS-IS)
CVE-2017-13036 (OSPFv3)
CVE-2017-13037 (IP)
CVE-2017-13038 (PPP)
CVE-2017-13039 (ISAKMP)
CVE-2017-13040 (MPTCP)
CVE-2017-13041 (ICMPv6)
CVE-2017-13042 (HNCP)
CVE-2017-13043 (BGP)
CVE-2017-13044 (HNCP)
CVE-2017-13045 (VQP)
CVE-2017-13046 (BGP)
CVE-2017-13047 (ISO ES-IS)
CVE-2017-13048 (RSVP)
CVE-2017-13049 (Rx)
CVE-2017-13050 (RPKI-Router)
CVE-2017-13051 (RSVP)
CVE-2017-13052 (CFM)
CVE-2017-13053 (BGP)
CVE-2017-13054 (LLDP)
CVE-2017-13055 (ISO IS-IS)
CVE-2017-13687 (Cisco HDLC)
CVE-2017-13688 (OLSR)
CVE-2017-13689 (IKEv1)
CVE-2017-13690 (IKEv2)
CVE-2017-13725 (IPv6 routing headers)
Sunday July 23, 2017 denis@ovsienko.info
Summary for 4.9.1 tcpdump release
CVE-2017-11108/Fix bounds checking for STP.
Make assorted documentation updates and fix a few typos in tcpdump output.
Fixup -C for file size >2GB (GH #488).
Show AddressSanitizer presence in version output.
Fix a bug in test scripts (exposed in GH #613).
On FreeBSD adjust Capsicum capabilities for netmap.
On Linux fix a use-after-free when the requested interface does not exist."
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org >
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org >
2017-09-11 21:13:44 +01:00
Michael Tremer
b9863c8845
apache2: Import patch for PR61382
...
We usually do not download patches, but rather ship them with
our source.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org >
2017-09-07 12:27:43 +01:00
Wolfgang Apolinarski
ab2eb13784
Fixup for apache and aprutil, do not include whole directory
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org >
2017-09-07 12:21:50 +01:00
Michael Tremer
a041054941
core114: Update apache configuration of all add-ons that have one
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org >
2017-09-04 13:09:43 +01:00
Michael Tremer
5f7487f676
core114: Ship updated apache2
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org >
2017-09-04 13:02:43 +01:00
Michael Tremer
051884986d
apache2: Download source from IPFire servers
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org >
2017-09-04 12:56:42 +01:00
Wolfgang Apolinarski
d41fe99f74
Update to apache 2.4.27
...
- Updated to apache 2.4
- Updated the htpasswd generation to use the more secure bcrypt algorithm
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org >
2017-09-04 12:40:20 +01:00
Wolfgang Apolinarski
c8e9a7a85e
apr and aprutil: Added as requirement for apache 2.4
...
- APR 1.6.2 is a requirement for building apache httpd 2.4
- APR-Util 1.6.0 is a requirement for building apache httpd 2.4
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org >
2017-09-04 12:37:56 +01:00
Peter Müller
0effbb3569
fix WebUI system information leak
...
Disable unauthenticated access to cgi-bin/credits.cgi. The page
leaks the currently installed version of IPFire and the hardware
architecture.
Both pieces of information might make a successful attack much easier.
This issue can be reproduced by accessing https://[IPFire-IP]:444/cgi-bin/credits.cgi
and accepting an SSL certificate warning (if any).
Signed-off-by: Peter Müller <peter.mueller@link38.eu >
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org >
2017-09-04 12:25:23 +01:00
Peter Müller
3dcf1822e6
update german translations
...
- Unify translations of various terms.
- Unify translations of week days.
- Correct some typos and grammar errors.
- Modify some phrases which were not fully translated.
Signed-off-by: Peter Müller <peter.mueller@link38.eu >
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org >
2017-09-04 12:25:01 +01:00
Arne Fitzenreiter
d57f8d886f
strongswan: rootfile update
...
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2017-08-30 19:03:25 +02:00
Arne Fitzenreiter
a51ce2defa
core114: add unbound initscript to updater.
...
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2017-08-30 19:03:15 +02:00
Arne Fitzenreiter
391e3390ef
unbound: flush negative and bogus at update forwarders
...
This resolves problems where negative answers from
a forwarder were still used after setting new servers.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2017-08-30 19:00:40 +02:00
Arne Fitzenreiter
68fac98a5b
unbound: run time fix also after update forwarder
...
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org >
2017-08-30 10:32:44 +02:00
Stephan Feddersen
fe6f676b35
WIO: fix the bugs reported in the forum
...
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org >
2017-08-29 14:37:30 +01:00
Michael Tremer
0c55ec5a49
strongswan: Update to 5.6.0
...
Fixes CVE-2017-11185:
Fixed a DoS vulnerability in the gmp plugin that was caused by insufficient input validation
when verifying RSA signatures, which requires decryption with the operation m^e mod n,
where m is the signature, and e and n are the exponent and modulus of the public key.
The value m is an integer between 0 and n-1, however, the gmp plugin did not verify this.
So if m equals n the calculation results in 0, in which case mpz_export() returns NULL.
This result wasn't handled properly causing a null-pointer dereference.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org >
2017-08-23 20:03:21 +01:00