Fixes custom IPFire Zabbix Agent userparameter ipfire.net.gateway.ping
returning 1 (success) when fping failed for other reasons (rc 2,3 or 4)
than host unreachable (rc 0).
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This has been our default setting on x86_64 for quite some time now,
which is why this patch aligns the aarch64 kernel configuration to that
value.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This subsystem has been a frequent source of security vulnerabilities
affecting the Linux kernel; as a result, Google announced on June 14,
2023, that they would disable it in their environment as widely as
possible.
IPFire does not depend on the availability of io_uring. Therefore,
disable this subsystem as well in order to preemptively cut attack
surface.
See also: https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
v4.19.1. => https://www.samba.org/samba/history/samba-4.19.1.html
"
==============================
Release Notes for Samba 4.19.1
October 10, 2023
==============================
This is a security release in order to address the following defects:
o CVE-2023-3961: Unsanitized pipe names allow SMB clients to connect as root to
existing unix domain sockets on the file system.
https://www.samba.org/samba/security/CVE-2023-3961.html
o CVE-2023-4091: SMB client can truncate files to 0 bytes by opening files with
OVERWRITE disposition when using the acl_xattr Samba VFS
module with the smb.conf setting
"acl_xattr:ignore system acls = yes"
https://www.samba.org/samba/security/CVE-2023-4091.html
o CVE-2023-4154: An RODC and a user with the GET_CHANGES right can view all
attributes, including secrets and passwords. Additionally,
the access check fails open on error conditions.
https://www.samba.org/samba/security/CVE-2023-4154.html
o CVE-2023-42669: Calls to the rpcecho server on the AD DC can request that the
server block for a user-defined amount of time, denying
service.
https://www.samba.org/samba/security/CVE-2023-42669.html
o CVE-2023-42670: Samba can be made to start multiple incompatible RPC
listeners, disrupting service on the AD DC.
https://www.samba.org/samba/security/CVE-2023-42670.html"
v4.19.2 => https://www.samba.org/samba/history/samba-4.19.2.html
"Changes since 4.19.1
--------------------
o Jeremy Allison <jra@samba.org>
* BUG 15423: Use-after-free in aio_del_req_from_fsp during smbd shutdown
after failed IPC FSCTL_PIPE_TRANSCEIVE.
* BUG 15426: clidfs.c do_connect() missing a "return" after a cli_shutdown()
call.
o Ralph Boehme <slow@samba.org>
* BUG 15463: macOS mdfind returns only 50 results.
o Volker Lendecke <vl@samba.org>
* BUG 15481: GETREALFILENAME_CACHE can modify incoming new filename with
previous cache entry value.
o Stefan Metzmacher <metze@samba.org>
* BUG 15464: libnss_winbind causes memory corruption since samba-4.18,
impacts sendmail, zabbix, potentially more.
o Martin Schwenke <mschwenke@ddn.com>
* BUG 15479: ctdbd: setproctitle not initialized messages flooding logs.
o Joseph Sutton <josephsutton@catalyst.net.nz>
* BUG 15491: CVE-2023-5568 Heap buffer overflow with freshness tokens in the
Heimdal KDC in Samba 4.19
* BUG 15477: The heimdal KDC doesn't detect s4u2self correctly when fast is
in use."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- A script was added to the update.sh script to add pass/no pass to the ovpnconfig entries
but I forgot that this was also needed in the backup.pl file to add those statuses into
any ovpnconfig file restored from a backup before the pass/no pass entries were added.
- This patch corrects that oversight.
- Confirmed by testing on my vm. Before the script added to backup.pl a restore of older
ovpnconfig ended up not showing any icons or status elements. With the script in
backup.pl confirmed that the restored ovpnconfig showed up in the WUI page correctly
with the right icons and with the status elements correctly displayed.
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3.00 to 3.08
- Update of rootfile
- All the other patches and sed modifications are now built mintyo the source tarball,
except for the mountpoint patch which is stilol needed
- Changelog
3.08
This release focuses on three changes which are basically imports of patches from Gentoo. Special thanks to floppym for supplying these.
Applied a patch from floppm which adds kexec option to the halt command. This can be used as "halt -k".
floppym provided patch which causes the halt command to call "shutdown -h -H" instead of "shutdown -h" when halt is invoked without parameters. This forces the shutdown command to set the INIT_HALT variable and assume, unless other conditions apply, that the "halt" call really wants to halt the machine and INIT_HALT should be set. In other words we assume halt wants to halt unless told otherwise.
Addresses downstream Gentoo bug ID 911257.
Updated halt documentation and help output to display parameters in alphabetical order.
3.07
The 3.07 release of SysV init mostly introduces fixes and improvements for the
killall5 and pidof programs. (These are actually the same program, but are
invoked with two different names, which result in different behaviour. The main
highlights in this release are:
Fixed killall5 so that processes in the omit list are not sent any
signals, including SIGSTOP.
Fixed usage message for killall5 to be more accurate.
pidof was not returning PIDs of programs which were launched using a
symbolic link. This has been fixed so programs run from a symbolic link
show up in process lists.
3.06
Mark Hindley fixed typo in es.po
Mark Hindley cleaned up translation code in src/Makefile.
Drop sulogin from Debian build. Removed libcrypt-dev dependency.
Fixed pt translation pages which were failing due to mis-matched open/close
tags.
Makefile now respects ROOT prefix when setting up pidof-to-killall5 symbolic
link.
Removed redundant translation files from man directory.
Makefile now respects DESTDIR. User can specify either ROOT= or DESTDIR= to
set install prefix.
3.05
This release (3.05) focuses on two things:
Updating the translation framework.
Fixing compiling issues on various systems.
The second point, compiling, encompasses a few minor changes to get SysV init to
build properly on GNU Hurd, systems without certain GNU assumptions, and systems
running the latest glibc library (2.36 at time of writing).
3.04
This release contains one minor fix which allows the bootlogd code to properly
compile on Debian's GNU Hurd branch.
3.03
This release includes two minor changes. One is fixing a typo in the init manual
page (init.8). this fix was offered by Mark hindley.
Mark, and a few other people, also pointed out that a fix in 3.02 for bootlogd
introduced reliance on a defined PATH_MAX constant. This is used elsewhere in
the code, but is not explicitly defined in bootlogd, which caused bootlogd to
not build properly on GNU Hurd and musl C systems. This has been fixed.
3.02
Added q and Q flags to synopsis in shutdown manual page.
Applied fixes for markup and spacing in manual pages.
Patch provided by Mario Blattermann.
Added translation framework (po4a) from Mario Blttermann.
Added Makefile for man/ directory. Will handle translations
and substitutions.
Applied new translations for multiple languages from Mario Blattermann.
Added ability to use "@" symbol in command named in the inittab file. This
treats commands as literal and does not launch a shell to interpret them.
Updated inittab manual page to include overview of symbols which trigger
a shell interpretor and how to disable them using the @ symbol.
Introduced change which adds error checking in bootlogd when performing
chdir(). - Provided by Alexander Vickberg
Add check for console using TIOCGDEV on Linux systems in bootlogd to
make finding console more robust. - Provided by Alexander Vickberg
3.01
Default to showing processes in the uninterruptable state (D).
The -z flag no longer affects whether processes in D state are shown.
The -z flag does still toggle whether zombie (Z) processes are shown.
Removed unnecessary check which is always true from init tab parsing.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This was updated in 180, but we want to make sure that even testing
users get the latest updates.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Looking through some of the changelog and some mail list communications it looks like
qemu decided they did noty want to maintain their own bundled version of libslirp when
the majority of OS's had their own version now in place. Ubuntu 18.04 did not have
libslirp but qemu stopped supporting that version from qemu-7.1
- So it looks like all OS's have a standard libslirp available now and qemu have taken
the decision to no longer have their own version but to use the system version. That
was always possible to do if use of the system version was explicitly defined but
the default was to use the bundled version.
- No evidence that libslirp is deprecated.
- The last version of libslirp was released a year ago but it looks like every month or
so there are a couple of commits merged. The last was a month ago.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 8.0.3 to 8.1.1
- In CU179 the update of qemu caused at least one user to have a problem starting his
qemu system as the qemu bundled slirp library used for the net user backend was removed
in version 7.2. Unfortunately no user tested qemu in the CU179 Testing phase, or if they
did they are not using the net user backend.
- This patch adds the --enable-slirp option to configure and installs libslirp in a
separate patch.
- I can't test if this now works as I don't use qemu anywhere.
- Changelog is too large to include here.
8.1
https://wiki.qemu.org/ChangeLog/8.1
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- The code checks first if ovpnconfig exists and is not empty.
- Then it makes all net2net connections no-pass since they do not use encryption
- Then it cycles through all .p12 files and checks with openssl if a password exists or not.
If a password is present then pass is added to index 41 and if not then no-pass is added
to index 41
- I had to add a blank line to the top of the ovpnconfig file otherwise the awk code
treated the first line as a blank line and missed it out of the update. This was the
problem that was discovered during the previous Testing Release evaluation.
Tested out this time with several existing entries both encrypted and insecure and with
additional entries of both added in afterwards and all connection entries were
maintained - road warrior and net2net.
- This code should be left in update.sh for future Core Updates in case people don't update
with Core Update 175 but leave it till later. This code works fine on code that already
has pass or no-pass entered into index 41 in ovpnconfig
Fixes: Bug#11048
Suggested-by: Erik Kapfer <ummeegge@ipfire.org>
Suggested-by: Adolf Belka <adolf.belka@ipfire.org>
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- This uses a padlock icon from https://commons.wikimedia.org/wiki/File:Encrypted.png
- The license for this image is the following:-
This library is free software; you can redistribute it and/or modify it under the terms
of the GNU Lesser General Public License as published by the Free Software Foundation;
either version 2.1 of the License, or (at your option) any later version. This library
is distributed in the hope that it will be useful, but without any warranty; without
even the implied warranty of merchantability or fitness for a particular purpose. See
version 2.1 and version 3 of the GNU Lesser General Public License for more details.
- Based on the above license I believe it can be used by IPFire covered by the GNU General
Public License that is used for it.
- The icon image was made by taking the existing openvpn.png file and superimposing the
padlock icon on top of it as a 12x12 pixel format and naming it openvpn_encrypted.png
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.16.44/doc/arm/html/notes.html#notes-for-bind-9-16-44
Changes since 9.16.40:
9.16.44:
"Previously, sending a specially crafted message
over the control channel could cause the packet-parsing
code to run out of available stack memory, causing named
to terminate unexpectedly. This has been fixed. (CVE-2023-3341)"
9.16.43:
"Processing already-queued queries received over TCP could cause
an assertion failure, when the server was reconfigured at the
same time or the cache was being flushed. This has been fixed."
9.16.42:
"The overmem cleaning process has been improved, to prevent the
cache from significantly exceeding the configured max-cache-size
limit. (CVE-2023-2828)
A query that prioritizes stale data over lookup triggers a fetch
to refresh the stale data in cache. If the fetch is aborted for
exceeding the recursion quota, it was possible for named to enter
an infinite callback loop and crash due to stack overflow. This
has been fixed. (CVE-2023-2911)
Previously, it was possible for a delegation from cache to be
returned to the client after the stale-answer-client-timeout
duration. This has been fixed."
9.16.41:
"When removing delegations from an opt-out range, empty-non-terminal
NSEC3 records generated by those delegations were not cleaned up.
This has been fixed."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
