Development March 2021

development@lists.ipfire.org

14 participants
107 discussions

[PATCH] suricata: Update to 5.0.6
by Matthias Fischer 03 Mar '21

03 Mar '21

For details see: https://forum.suricata.io/t/suricata-6-0-2-and-5-0-6-released/1170 and https://redmine.openinfosecfoundation.org/versions/164 Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- config/rootfiles/common/suricata | 8 +++++--- lfs/suricata | 6 +++--- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata index f891fa449..5a1b22204 100644 --- a/config/rootfiles/common/suricata +++ b/config/rootfiles/common/suricata @@ -1,9 +1,8 @@ -etc/suricata +#etc/suricata etc/suricata/suricata.yaml #root/.cargo #root/.cargo/.package-cache usr/bin/suricata -#usr/include/suricata-plugin.h #usr/share/doc/suricata #usr/share/doc/suricata/AUTHORS #usr/share/doc/suricata/Basic_Setup.txt @@ -17,7 +16,10 @@ usr/bin/suricata #usr/share/doc/suricata/TODO #usr/share/doc/suricata/Third_Party_Installation_Guides.txt #usr/share/man/man1/suricata.1 -var/lib/suricata +#usr/share/man/man1/suricatactl-filestore.1 +#usr/share/man/man1/suricatactl.1 +#usr/share/man/man1/suricatasc.1 +#var/lib/suricata var/lib/suricata/classification.config var/lib/suricata/reference.config var/lib/suricata/threshold.config diff --git a/lfs/suricata b/lfs/suricata index c5dc46af4..522cdc440 100644 --- a/lfs/suricata +++ b/lfs/suricata @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2020 IPFire Team <info(a)ipfire.org> # +# Copyright (C) 2007-2021 IPFire Team <info(a)ipfire.org> # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 5.0.5 +VER = 5.0.6 THISAPP = suricata-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -44,7 +44,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = fe039cc4571eb56828874ddc0b71dc51 +$(DL_FILE)_MD5 = 82d80b4b3179315bf6f5695c6437ee1f install : $(TARGET) -- 2.18.0

2 3

[PATCH] mc: Update to 4.8.26
by Matthias Fischer 03 Mar '21

03 Mar '21

For details see: http://midnight-commander.org/wiki/NEWS-4.8.26 Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- config/rootfiles/packages/mc | 3 +++ lfs/mc | 10 +++++----- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/config/rootfiles/packages/mc b/config/rootfiles/packages/mc index 8e7a57db7..4c71298a1 100644 --- a/config/rootfiles/packages/mc +++ b/config/rootfiles/packages/mc @@ -58,7 +58,9 @@ usr/libexec/mc/extfs.d/ucab usr/libexec/mc/extfs.d/uha usr/libexec/mc/extfs.d/ulha usr/libexec/mc/extfs.d/ulib +usr/libexec/mc/extfs.d/unar usr/libexec/mc/extfs.d/urar +usr/libexec/mc/extfs.d/uwim usr/libexec/mc/extfs.d/uzip usr/libexec/mc/extfs.d/uzoo #usr/libexec/mc/fish @@ -210,6 +212,7 @@ usr/share/mc/syntax/smalltalk.syntax usr/share/mc/syntax/spec.syntax usr/share/mc/syntax/sql.syntax usr/share/mc/syntax/strace.syntax +usr/share/mc/syntax/swift.syntax usr/share/mc/syntax/swig.syntax usr/share/mc/syntax/syntax.syntax usr/share/mc/syntax/tcl.syntax diff --git a/lfs/mc b/lfs/mc index 5c48dd332..b5498ab24 100644 --- a/lfs/mc +++ b/lfs/mc @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2020 IPFire Team <info(a)ipfire.org> # +# Copyright (C) 2007-2021 IPFire Team <info(a)ipfire.org> # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 4.8.25 +VER = 4.8.26 THISAPP = mc-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = mc -PAK_VER = 20 +PAK_VER = 21 DEPS = @@ -44,7 +44,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 19f14d368001aac454c28a2ddd2e851b +$(DL_FILE)_MD5 = 3c1f77b71dba1f4eeeedc4276627fed7 install : $(TARGET) @@ -54,7 +54,7 @@ download :$(patsubst %,$(DIR_DL)/%,$(objects)) md5 : $(subst %,%_MD5,$(objects)) -dist: +dist: @$(PAK) ############################################################################### -- 2.18.0

1 0

Fwd: [openssh-unix-announce] Announce: OpenSSH 8.5 released
by Michael Tremer 03 Mar '21

03 Mar '21

Who wants to grab this one? Looks like a simple package upgrade with no other changes required. Best, -Michael > Begin forwarded message: > > From: Damien Miller <djm(a)cvs.openbsd.org> > Subject: [openssh-unix-announce] Announce: OpenSSH 8.5 released > Date: 3 March 2021 at 01:19:55 GMT > To: openssh-unix-announce(a)mindrot.org > > OpenSSH 8.5 has just been released. It will be available from the > mirrors listed at https://www.openssh.com/ shortly. > > OpenSSH is a 100% complete SSH protocol 2.0 implementation and > includes sftp client and server support. > > Once again, we would like to thank the OpenSSH community for their > continued support of the project, especially those who contributed > code or patches, reported bugs, tested snapshots or donated to the > project. More information on donations may be found at: > https://www.openssh.com/donations.html > > Future deprecation notice > ========================= > > It is now possible[1] to perform chosen-prefix attacks against the > SHA-1 algorithm for less than USD$50K. > > In the SSH protocol, the "ssh-rsa" signature scheme uses the SHA-1 > hash algorithm in conjunction with the RSA public key algorithm. > OpenSSH will disable this signature scheme by default in the near > future. > > Note that the deactivation of "ssh-rsa" signatures does not necessarily > require cessation of use for RSA keys. In the SSH protocol, keys may be > capable of signing using multiple algorithms. In particular, "ssh-rsa" > keys are capable of signing using "rsa-sha2-256" (RSA/SHA256), > "rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last of > these is being turned off by default. > > This algorithm is unfortunately still used widely despite the > existence of better alternatives, being the only remaining public key > signature algorithm specified by the original SSH RFCs that is still > enabled by default. > > The better alternatives include: > > * The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These > algorithms have the advantage of using the same key type as > "ssh-rsa" but use the safe SHA-2 hash algorithms. These have been > supported since OpenSSH 7.2 and are already used by default if the > client and server support them. > > * The RFC8709 ssh-ed25519 signature algorithm. It has been supported > in OpenSSH since release 6.5. > > * The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These > have been supported by OpenSSH since release 5.7. > > To check whether a server is using the weak ssh-rsa public key > algorithm, for host authentication, try to connect to it after > removing the ssh-rsa algorithm from ssh(1)'s allowed list: > > ssh -oHostKeyAlgorithms=-ssh-rsa user@host > > If the host key verification fails and no other supported host key > types are available, the server software on that host should be > upgraded. > > This release enables the UpdateHostKeys option by default to assist > the client by automatically migrating to better algorithms. > > [1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and > Application to the PGP Web of Trust" Leurent, G and Peyrin, T > (2020) https://eprint.iacr.org/2020/014.pdf > > Security > ======== > > * ssh-agent(1): fixed a double-free memory corruption that was > introduced in OpenSSH 8.2 . We treat all such memory faults as > potentially exploitable. This bug could be reached by an attacker > with access to the agent socket. > > On modern operating systems where the OS can provide information > about the user identity connected to a socket, OpenSSH ssh-agent > and sshd limit agent socket access only to the originating user > and root. Additional mitigation may be afforded by the system's > malloc(3)/free(3) implementation, if it detects double-free > conditions. > > The most likely scenario for exploitation is a user forwarding an > agent either to an account shared with a malicious user or to a > host with an attacker holding root access. > > * Portable sshd(8): Prevent excessively long username going to PAM. > This is a mitigation for a buffer overflow in Solaris' PAM username > handling (CVE-2020-14871), and is only enabled for Sun-derived PAM > implementations. This is not a problem in sshd itself, it only > prevents sshd from being used as a vector to attack Solaris' PAM. > It does not prevent the bug in PAM from being exploited via some > other PAM application. GHPR#212 > > > Potentially-incompatible changes > ================================ > > This release includes a number of changes that may affect existing > configurations: > > * ssh(1), sshd(8): this release changes the first-preference signature > algorithm from ECDSA to ED25519. > > * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration > for interactive use prior to TCP connect. The connection phase of > the SSH session is time-sensitive and often explicitly interactive. > The ultimate interactive/bulk TOS/DSCP will be set after > authentication completes. > > * ssh(1), sshd(8): remove the pre-standardization cipher > rijndael-cbc(a)lysator.liu.se. It is an alias for aes256-cbc before > it was standardized in RFC4253 (2006), has been deprecated and > disabled by default since OpenSSH 7.2 (2016) and was only briefly > documented in ssh.1 in 2001. > > * ssh(1), sshd(8): update/replace the experimental post-quantum > hybrid key exchange method based on Streamlined NTRU Prime coupled > with X25519. > > The previous sntrup4591761x25519-sha512(a)tinyssh.org method is > replaced with sntrup761x25519-sha512(a)openssh.com. Per its > designers, the sntrup4591761 algorithm was superseded almost two > years ago by sntrup761. > > (note this both the updated method and the one that it replaced are > disabled by default) > > * ssh(1): disable CheckHostIP by default. It provides insignificant > benefits while making key rotation significantly more difficult, > especially for hosts behind IP-based load-balancers. > > Changes since OpenSSH 8.4 > ========================= > > New features > ------------ > > * ssh(1): this release enables UpdateHostkeys by default subject to > some conservative preconditions: > - The key was matched in the UserKnownHostsFile (and not in the > GlobalKnownHostsFile). > - The same key does not exist under another name. > - A certificate host key is not in use. > - known_hosts contains no matching wildcard hostname pattern. > - VerifyHostKeyDNS is not enabled. > - The default UserKnownHostsFile is in use. > > We expect some of these conditions will be modified or relaxed in > future. > > * ssh(1), sshd(8): add a new LogVerbose configuration directive for > that allows forcing maximum debug logging by file/function/line > pattern-lists. > > * ssh(1): when prompting the user to accept a new hostkey, display > any other host names/addresses already associated with the key. > > * ssh(1): allow UserKnownHostsFile=none to indicate that no > known_hosts file should be used to identify host keys. > > * ssh(1): add a ssh_config KnownHostsCommand option that allows the > client to obtain known_hosts data from a command in addition to > the usual files. > > * ssh(1): add a ssh_config PermitRemoteOpen option that allows the > client to restrict the destination when RemoteForward is used > with SOCKS. > > * ssh(1): for FIDO keys, if a signature operation fails with a > "incorrect PIN" reason and no PIN was initially requested from the > user, then request a PIN and retry the operation. This supports > some biometric devices that fall back to requiring PIN when reading > of the biometric failed, and devices that require PINs for all > hosted credentials. > > * sshd(8): implement client address-based rate-limiting via new > sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize > directives that provide more fine-grained control on a per-origin > address basis than the global MaxStartups limit. > > Bugfixes > -------- > > * ssh(1): Prefix keyboard interactive prompts with "(user@host)" to > make it easier to determine which connection they are associated > with in cases like scp -3, ProxyJump, etc. bz#3224 > > * sshd(8): fix sshd_config SetEnv directives located inside Match > blocks. GHPR#201 > > * ssh(1): when requesting a FIDO token touch on stderr, inform the > user once the touch has been recorded. > > * ssh(1): prevent integer overflow when ridiculously large > ConnectTimeout values are specified, capping the effective value > (for most platforms) at 24 days. bz#3229 > > * ssh(1): consider the ECDSA key subtype when ordering host key > algorithms in the client. > > * ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to > PubkeyAcceptedAlgorithms. The previous name incorrectly suggested > that it control allowed key algorithms, when this option actually > specifies the signature algorithms that are accepted. The previous > name remains available as an alias. bz#3253 > > * ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh) and > HostbasedAcceptedKeyTypes (sshd) to HostbasedAcceptedAlgorithms. > > * sftp-server(8): add missing lsetstat(a)openssh.com documentation > and advertisement in the server's SSH2_FXP_VERSION hello packet. > > * ssh(1), sshd(8): more strictly enforce KEX state-machine by > banning packet types once they are received. Fixes memleak caused > by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz #30078). > > * sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on 32bit > platforms instead of being limited by LONG_MAX. bz#3206 > > * Minor man page fixes (capitalization, commas, etc.) bz#3223 > > * sftp(1): when doing an sftp recursive upload or download of a > read-only directory, ensure that the directory is created with > write and execute permissions in the interim so that the transfer > can actually complete, then set the directory permission as the > final step. bz#3222 > > * ssh-keygen(1): document the -Z, check the validity of its argument > earlier and provide a better error message if it's not correct. > bz#2879 > > * ssh(1): ignore comments at the end of config lines in ssh_config, > similar to what we already do for sshd_config. bz#2320 > > * sshd_config(5): mention that DisableForwarding is valid in a > sshd_config Match block. bz3239 > > * sftp(1): fix incorrect sorting of "ls -ltr" under some > circumstances. bz3248. > > * ssh(1), sshd(8): fix potential integer truncation of (unlikely) > timeout values. bz#3250 > > * ssh(1): make hostbased authentication send the signature algorithm > in its SSH2_MSG_USERAUTH_REQUEST packets instead of the key type. > This make HostbasedAcceptedAlgorithms do what it is supposed to - > filter on signature algorithm and not key type. > > Portability > ----------- > > * sshd(8): add a number of platform-specific syscalls to the Linux > seccomp-bpf sandbox. bz#3232 bz#3260 > > * sshd(8): remove debug message from sigchld handler that could cause > deadlock on some platforms. bz#3259 > > * Sync contrib/ssh-copy-id with upstream. > > * unittests: add a hostname function for systems that don't have it. > Some systems don't have a hostname command (it's not required by > POSIX). The do have uname -n (which is), but not all of those have > it report the FQDN. > > Checksums: > ========== > > - SHA1 (openssh-8.5.tar.gz) = 04cae43c389fb411227c01219e4eb46e3113f34e > - SHA256 (openssh-8.5.tar.gz) = 5qB2CgzNG4io4DmChTjHgCWqRWvEOvCKJskLdJCz+SU= > > - SHA1 (openssh-8.5p1.tar.gz) = 72eadcbe313b07b1dd3b693e41d3cd56d354e24e > - SHA256 (openssh-8.5p1.tar.gz) = 9S8/QdQpqpkY44zyAK8iXM3Y5m8FLaVyhwyJc3ZG7CU= > > Please note that the SHA256 signatures are base64 encoded and not > hexadecimal (which is the default for most checksum tools). The PGP > key used to sign the releases is available from the mirror sites: > https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc > > Please note that the OpenPGP key used to sign releases has been > rotated for this release. The new key has been signed by the previous > key to provide continuity. > > Reporting Bugs: > =============== > > - Please read https://www.openssh.com/report.html > Security bugs should be reported directly to openssh(a)openssh.com > _______________________________________________ > openssh-unix-announce mailing list > openssh-unix-announce(a)mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-announce

2 2

[PATCH] libhtp: Update to 0.5.37
by Matthias Fischer 03 Mar '21

03 Mar '21

For details see: https://github.com/OISF/libhtp/releases Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- lfs/libhtp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lfs/libhtp b/lfs/libhtp index 90a55112c..e21db73a9 100644 --- a/lfs/libhtp +++ b/lfs/libhtp @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2020 IPFire Team <info(a)ipfire.org> # +# Copyright (C) 2007-2021 IPFire Team <info(a)ipfire.org> # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 0.5.36 +VER = 0.5.37 THISAPP = libhtp-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 15f567527e437b38b9b1d6b86adb6a54 +$(DL_FILE)_MD5 = ccc2f25ab3c1db53a22034280f1600dd install : $(TARGET) -- 2.18.0

1 0

suricata 6.0.2 - cpu load (idle) rising compared to 5.0.X
by Matthias Fischer 02 Mar '21

02 Mar '21

Hi, for the records: Today I tested 'suricata 6.0.2' and '5.0.6' on Core 153/x86_64. 'suricata' was activated only on RED with a few rules from "EmergingThreats.net". Hardware: https://fireinfo.ipfire.org/profile/5f68a6360ffbecb6877dcac75f5b8c8030f43ce8 *Nothing* has changed here, CPU load still rises from ~0.7% in idle mode to ~7-9% as soon as 'suricata' is started. No further mails or reactions in the suricata forum on Michaels last comment (https://redmine.openinfosecfoundation.org/issues/4096#note-29). Should I send an update to '5.0.6' or '6.0.2'? ;-) Best, Matthias

2 1

[PATCH] firewall: Disable all connection tracking helpers by default
by Michael Tremer 02 Mar '21

02 Mar '21

This will mitigate exploiting networks secured by IPFire using NAT Slipstreaming: https://lists.ipfire.org/pipermail/development/2021-February/009303.html Suggested-by: Peter Müller <peter.mueller(a)ipfire.org> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org> Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> --- lfs/configroot | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/lfs/configroot b/lfs/configroot index bc8c0283f..a3e474d70 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -139,12 +139,7 @@ $(TARGET) : cp $(DIR_SRC)/config/suricata/convert-ids-modifysids-file /usr/sbin/convert-ids-modifysids-file # Add conntrack helper default settings - for proto in FTP H323 IRC SIP TFTP; do \ - echo "CONNTRACK_$${proto}=on" >> $(CONFIG_ROOT)/optionsfw/settings; \ - done - - # Do not enable these by default because these are broken - for proto in AMANDA PPTP; do \ + for proto in AMANDA FTP H323 IRC PPTP SIP TFTP; do \ echo "CONNTRACK_$${proto}=off" >> $(CONFIG_ROOT)/optionsfw/settings; \ done -- 2.20.1

1 0

Core Update 154 (testing) report
by Peter Müller 01 Mar '21

01 Mar '21

Hello *, Core Update 154 (testing, see: https://blog.ipfire.org/post/ipfire-2-25-core-update-154-available-for-test…) is running here for a couple of weeks by now without any known issues so far - sorry for my tardy report. As expected, Unbound is now reusing TCP and TLS connections, making huge improvements of resolution times for machines using something else than UDP for querying DNS resolvers. Except for a initial delay, DoT does not introduce any significant performance impact anymore. Upcoming Unbound version will support padding of DNS over TLS traffic, making guessing queried FQDNs even harder to passive adversaries. In a rather gloomy world in terms of privacy, I guess that is good news. :-) Tested IPFire functionalities in detail: - IPsec (N2N connections only) - Squid (authentication enabled, using an upstream proxy) - OpenVPN (RW connections only) - IPS/Suricata (with Emerging Threats community ruleset enabled) - Guardian - Quality of Service - DNS (using DNS over TLS and strict QNAME minimisation) - Dynamic DNS - Tor (relay mode) I look forward to the release of Core Update 154. Thanks, and best regards, Peter Müller

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Development March 2021