Development June 2022

development@lists.ipfire.org

15 participants
67 discussions

[PATCH] Kernel: Enable YAMA support
by Peter Müller 01 Jul '22

01 Jul '22

See https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html for the upstream rationale. Enabling YAMA gives us the benefit of additional hardening options available, without any obvious downsides. Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> --- config/kernel/kernel.config.aarch64-ipfire | 2 +- config/kernel/kernel.config.armv6l-ipfire | 2 +- config/kernel/kernel.config.riscv64-ipfire | 2 +- config/kernel/kernel.config.x86_64-ipfire | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 6dfeae595..7e63b77ca 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -7555,7 +7555,7 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y diff --git a/config/kernel/kernel.config.armv6l-ipfire b/config/kernel/kernel.config.armv6l-ipfire index 1bb745a87..1b6440b11 100644 --- a/config/kernel/kernel.config.armv6l-ipfire +++ b/config/kernel/kernel.config.armv6l-ipfire @@ -7561,7 +7561,7 @@ CONFIG_HARDENED_USERCOPY_PAGESPAN=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index 2d1fdbd28..2d6bb3a2c 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -6193,7 +6193,7 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index b84698235..0efe14c41 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -6971,7 +6971,7 @@ CONFIG_FORTIFY_SOURCE=y # CONFIG_SECURITY_TOMOYO is not set # CONFIG_SECURITY_APPARMOR is not set # CONFIG_SECURITY_LOADPIN is not set -# CONFIG_SECURITY_YAMA is not set +CONFIG_SECURITY_YAMA=y # CONFIG_SECURITY_SAFESETID is not set CONFIG_SECURITY_LOCKDOWN_LSM=y CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y -- 2.35.3

2 6

[PATCH] random: Drop busy-loop script
by Michael Tremer 29 Jun '22

29 Jun '22

This is no longer required because the kernel will now try to generate some randomness in an easier way when needed. This has been added in: b923dd3de0acbf415cee193191250347b733fab8 Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> --- config/rootfiles/common/aarch64/initscripts | 2 - config/rootfiles/common/armv6l/initscripts | 2 - config/rootfiles/common/x86_64/initscripts | 2 - lfs/initscripts | 1 - src/initscripts/system/random | 51 --------------------- 5 files changed, 58 deletions(-) delete mode 100644 src/initscripts/system/random diff --git a/config/rootfiles/common/aarch64/initscripts b/config/rootfiles/common/aarch64/initscripts index 4e607012a..d0c01c006 100644 --- a/config/rootfiles/common/aarch64/initscripts +++ b/config/rootfiles/common/aarch64/initscripts @@ -71,7 +71,6 @@ etc/rc.d/init.d/networking/wpa_supplicant.exe etc/rc.d/init.d/ntp etc/rc.d/init.d/pakfire etc/rc.d/init.d/partresize -etc/rc.d/init.d/random etc/rc.d/init.d/rc etc/rc.d/init.d/reboot etc/rc.d/init.d/rngd @@ -187,7 +186,6 @@ etc/rc.d/rcsysinit.d/S45udev_retry etc/rc.d/rcsysinit.d/S50cleanfs etc/rc.d/rcsysinit.d/S60setclock etc/rc.d/rcsysinit.d/S65rngd -etc/rc.d/rcsysinit.d/S66random etc/rc.d/rcsysinit.d/S70console etc/rc.d/rcsysinit.d/S71pakfire etc/rc.d/rcsysinit.d/S73swconfig diff --git a/config/rootfiles/common/armv6l/initscripts b/config/rootfiles/common/armv6l/initscripts index 4e607012a..d0c01c006 100644 --- a/config/rootfiles/common/armv6l/initscripts +++ b/config/rootfiles/common/armv6l/initscripts @@ -71,7 +71,6 @@ etc/rc.d/init.d/networking/wpa_supplicant.exe etc/rc.d/init.d/ntp etc/rc.d/init.d/pakfire etc/rc.d/init.d/partresize -etc/rc.d/init.d/random etc/rc.d/init.d/rc etc/rc.d/init.d/reboot etc/rc.d/init.d/rngd @@ -187,7 +186,6 @@ etc/rc.d/rcsysinit.d/S45udev_retry etc/rc.d/rcsysinit.d/S50cleanfs etc/rc.d/rcsysinit.d/S60setclock etc/rc.d/rcsysinit.d/S65rngd -etc/rc.d/rcsysinit.d/S66random etc/rc.d/rcsysinit.d/S70console etc/rc.d/rcsysinit.d/S71pakfire etc/rc.d/rcsysinit.d/S73swconfig diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts index dba397e73..628b59969 100644 --- a/config/rootfiles/common/x86_64/initscripts +++ b/config/rootfiles/common/x86_64/initscripts @@ -71,7 +71,6 @@ etc/rc.d/init.d/networking/wpa_supplicant.exe etc/rc.d/init.d/ntp etc/rc.d/init.d/pakfire etc/rc.d/init.d/partresize -etc/rc.d/init.d/random etc/rc.d/init.d/rc etc/rc.d/init.d/reboot etc/rc.d/init.d/rngd @@ -186,7 +185,6 @@ etc/rc.d/rcsysinit.d/S45udev_retry etc/rc.d/rcsysinit.d/S50cleanfs etc/rc.d/rcsysinit.d/S60setclock etc/rc.d/rcsysinit.d/S65rngd -etc/rc.d/rcsysinit.d/S66random etc/rc.d/rcsysinit.d/S70console etc/rc.d/rcsysinit.d/S71pakfire etc/rc.d/rcsysinit.d/S74cloud-init diff --git a/lfs/initscripts b/lfs/initscripts index 97220cd4d..c6a5f3835 100644 --- a/lfs/initscripts +++ b/lfs/initscripts @@ -171,7 +171,6 @@ $(TARGET) : ln -sf ../init.d/setclock /etc/rc.d/rc0.d/K47setclock ln -sf ../init.d/setclock /etc/rc.d/rc6.d/K47setclock ln -sf ../init.d/rngd /etc/rc.d/rcsysinit.d/S65rngd - ln -sf ../init.d/random /etc/rc.d/rcsysinit.d/S66random ln -sf ../init.d/console /etc/rc.d/rcsysinit.d/S70console ln -sf ../init.d/pakfire /etc/rc.d/rcsysinit.d/S71pakfire ln -sf ../init.d/cloud-init /etc/rc.d/rcsysinit.d/S74cloud-init diff --git a/src/initscripts/system/random b/src/initscripts/system/random deleted file mode 100644 index 60b508738..000000000 --- a/src/initscripts/system/random +++ /dev/null @@ -1,51 +0,0 @@ -#!/bin/sh -############################################################################### -# # -# IPFire.org - A linux based firewall # -# Copyright (C) 2007-2022 IPFire Team <info(a)ipfire.org> # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see <http://www.gnu.org/licenses/>. # -# # -############################################################################### - -. /etc/sysconfig/rc -. $rc_functions - -if [ -e /proc/sys/kernel/random/poolsize ]; then - poolsize=$(</proc/sys/kernel/random/poolsize); - poolsize=$(expr $poolsize / 8 ); -else - poolsize=512; -fi - -case "$1" in - start) - - #CRNG init need 128bit so wait until there is more) - avail=$(</proc/sys/kernel/random/entropy_avail) - while [ $avail -lt 130 ]; do - avail=$(</proc/sys/kernel/random/entropy_avail) - boot_mesg -n "\rWait for entropy: $avail/130 " - # Generate some disc access to gather entropy - echo avail > /var/tmp/random-tmpfile - sync - rm -f /var/tmp/random-tmpfile - done; - ;; - - *) - echo "Usage: $0 {start}" - exit 1 - ;; -esac -- 2.30.2

2 1

Re: IPFire 2.27 - Core Update 169 is available for testing
by Adolf Belka 28 Jun '22

28 Jun '22

Hi All, Tried out upgrading to CU169 on my Virtualbox vm system and had problems. The actual upgrade itself went fine with no error messages from pakfire but I had a problem when rebooting. It comes up with a kernel panic message and then says it will reboot in 10 secs and then repeats the same message. I repeated creating a clone CU168 system and upgrading and exactly the same happened so it is a consistent effect, at least on my vm system. The vm system is a raid array based system with red, green, blue and orange networks with virtual arch linux systems connected to each of the networks. The first part of the error message scrolls up to fast so I was only able to get the following screenshot when the message about rebooting in 10 secs comes up. On 28/06/2022 10:00, IPFire Project wrote: > IPFire Logo > > there is a new post from Peter Müller on the IPFire Blog: > > *IPFire 2.27 - Core Update 169 is available for testing* > > The next Core Update - one of the biggest in size we have ever put together - is available for testing. It introduces the support of two-factor authentication (2FA) for OpenVPN clients, updates several core parts of the system, provides mitigations for another two types of CPU side-channel attacks, as well as package updates, bug fixes and other security improvements. > > Click Here To Read More <https://blog.ipfire.org/post/ipfire-2-27-core-update-169-is-available-for-t…> > > The IPFire Project > Don't like these emails? Unsubscribe <https://people.ipfire.org/unsubscribe>. >

1 0

[PATCH 01/23] python3-cryptography: Update to version 36.0.2
by Adolf Belka 28 Jun '22

28 Jun '22

- Update from version 3.4.7 to 36.0.2 After version 3.4.8 the numbering scheme changed to 35.0.0 in Sept 2021 See Chanelog section 35.0.0 below - New release requires a lot of rust packages - see Changelog sections 35.0.0 & 36.0.0 below. The required rust packages are installed in separate patches in this series - Update of rootfile - Changelog 36.0.2 - 2022-03-15¶ Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1n. 36.0.1 - 2021-12-14¶ Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1m. 36.0.0 - 2021-11-21¶ FINAL DEPRECATION Support for verifier and signer on our asymmetric key classes was deprecated in version 2.0. These functions had an extended deprecation due to usage, however the next version of cryptography will drop support. Users should migrate to sign and verify. The entire X.509 layer is now written in Rust. This allows alternate asymmetric key implementations that can support cloud key management services or hardware security modules provided they implement the necessary interface (for example: EllipticCurvePrivateKey). Deprecated the backend argument for all functions. Added support for AESOCB3. Added support for iterating over arbitrary request attributes. Deprecated the get_attribute_for_oid method on CertificateSigningRequest in favor of get_attribute_for_oid() on the new Attributes object. Fixed handling of PEM files to allow loading when certificate and key are in the same file. Fixed parsing of CertificatePolicies extensions containing legacy BMPString values in their explicitText. Allow parsing of negative serial numbers in certificates. Negative serial numbers are prohibited by RFC 5280 so a deprecation warning will be raised whenever they are encountered. A future version of cryptography will drop support for parsing them. Added support for parsing PKCS12 files with friendly names for all certificates with load_pkcs12(), which will return an object of type PKCS12KeyAndCertificates. rfc4514_string() and related methods now have an optional attr_name_overrides parameter to supply custom OID to name mappings, which can be used to match vendor-specific extensions. BACKWARDS INCOMPATIBLE: Reverted the nonstandard formatting of email address fields as E in rfc4514_string() methods from version 35.0. The previous behavior can be restored with: name.rfc4514_string({NameOID.EMAIL_ADDRESS: "E"}) Allow X25519PublicKey and X448PublicKey to be used as public keys when parsing certificates or creating them with CertificateBuilder. These key types must be signed with a different signing algorithm as X25519 and X448 do not support signing. Extension values can now be serialized to a DER byte string by calling public_bytes(). Added experimental support for compiling against BoringSSL. As BoringSSL does not commit to a stable API, cryptography tests against the latest commit only. Please note that several features are not available when building against BoringSSL. Parsing CertificateSigningRequest from DER and PEM now, for a limited time period, allows the Extension critical field to be incorrectly encoded. See the issue for complete details. This will be reverted in a future cryptography release. When OCSPNonce are parsed and generated their value is now correctly wrapped in an ASN.1 OCTET STRING. This conforms to RFC 6960 but conflicts with the original behavior specified in RFC 2560. For a temporary period for backwards compatibility, we will also parse values that are encoded as specified in RFC 2560 but this behavior will be removed in a future release. 35.0.0 - 2021-09-29¶ Changed the version scheme. This will result in us incrementing the major version more frequently, but does not change our existing backwards compatibility policy. BACKWARDS INCOMPATIBLE: The X.509 PEM parsers now require that the PEM string passed have PEM delimiters of the correct type. For example, parsing a private key PEM concatenated with a certificate PEM will no longer be accepted by the PEM certificate parser. BACKWARDS INCOMPATIBLE: The X.509 certificate parser no longer allows negative serial numbers. RFC 5280 has always prohibited these. BACKWARDS INCOMPATIBLE: Additional forms of invalid ASN.1 found during X.509 parsing will raise an error on initial parse rather than when the malformed field is accessed. Rust is now required for building cryptography, the CRYPTOGRAPHY_DONT_BUILD_RUST environment variable is no longer respected. Parsers for X.509 no longer use OpenSSL and have been rewritten in Rust. This should be backwards compatible (modulo the items listed above) and improve both security and performance. Added support for OpenSSL 3.0.0 as a compilation target. Added support for SM3 and SM4, when using OpenSSL 1.1.1. These algorithms are provided for compatibility in regions where they may be required, and are not generally recommended. We now ship manylinux_2_24 and musllinux_1_1 wheels, in addition to our manylinux2010 and manylinux2014 wheels. Users on distributions like Alpine Linux should ensure they upgrade to the latest pip to correctly receive wheels. Added rfc4514_attribute_name attribute to x509.NameAttribute. Added KBKDFCMAC. 3.4.8 - 2021-08-24¶ Updated Windows, macOS, and manylinux wheels to be compiled with OpenSSL 1.1.1l. Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org> --- .../rootfiles/packages/python3-cryptography | 25 ++++++++++--------- lfs/python3-cryptography | 6 ++--- 2 files changed, 16 insertions(+), 15 deletions(-) diff --git a/config/rootfiles/packages/python3-cryptography b/config/rootfiles/packages/python3-cryptography index 9f63606fb..a9ee32faf 100644 --- a/config/rootfiles/packages/python3-cryptography +++ b/config/rootfiles/packages/python3-cryptography @@ -1,20 +1,18 @@ usr/lib/python3.10/site-packages/cryptography -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info/PKG-INFO -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info/SOURCES.txt -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info/dependency_links.txt -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info/not-zip-safe -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info/requires.txt -#usr/lib/python3.10/site-packages/cryptography-3.4.7-py3.10.egg-info/top_level.txt +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info/PKG-INFO +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info/SOURCES.txt +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info/dependency_links.txt +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info/not-zip-safe +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info/requires.txt +#usr/lib/python3.10/site-packages/cryptography-36.0.2-py3.10.egg-info/top_level.txt usr/lib/python3.10/site-packages/cryptography/__about__.py usr/lib/python3.10/site-packages/cryptography/__init__.py usr/lib/python3.10/site-packages/cryptography/exceptions.py usr/lib/python3.10/site-packages/cryptography/fernet.py usr/lib/python3.10/site-packages/cryptography/hazmat usr/lib/python3.10/site-packages/cryptography/hazmat/__init__.py -usr/lib/python3.10/site-packages/cryptography/hazmat/_der.py usr/lib/python3.10/site-packages/cryptography/hazmat/_oid.py -usr/lib/python3.10/site-packages/cryptography/hazmat/_types.py usr/lib/python3.10/site-packages/cryptography/hazmat/backends usr/lib/python3.10/site-packages/cryptography/hazmat/backends/__init__.py usr/lib/python3.10/site-packages/cryptography/hazmat/backends/interfaces.py @@ -33,7 +31,6 @@ usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/ed448.py usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/encode_asn1.py usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/hashes.py usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/hmac.py -usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/ocsp.py usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/poly1305.py usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/rsa.py usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/utils.py @@ -43,8 +40,12 @@ usr/lib/python3.10/site-packages/cryptography/hazmat/backends/openssl/x509.py usr/lib/python3.10/site-packages/cryptography/hazmat/bindings usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/__init__.py usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so -usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_padding.abi3.so +usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_rust usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_rust.abi3.so +usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_rust/__init__.pyi +usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_rust/asn1.pyi +usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_rust/ocsp.pyi +usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/_rust/x509.pyi usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/__init__.py usr/lib/python3.10/site-packages/cryptography/hazmat/bindings/openssl/_conditional.py @@ -63,6 +64,7 @@ usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmetric/ed255 usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmetric/ed448.py usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmetric/padding.py usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmetric/rsa.py +usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmetric/types.py usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmetric/utils.py usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmetric/x25519.py usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/asymmetric/x448.py @@ -97,7 +99,6 @@ usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/twofactor usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/twofactor/__init__.py usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/twofactor/hotp.py usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/twofactor/totp.py -usr/lib/python3.10/site-packages/cryptography/hazmat/primitives/twofactor/utils.py usr/lib/python3.10/site-packages/cryptography/py.typed usr/lib/python3.10/site-packages/cryptography/utils.py usr/lib/python3.10/site-packages/cryptography/x509 diff --git a/lfs/python3-cryptography b/lfs/python3-cryptography index f3090bc6a..77e5f06b0 100644 --- a/lfs/python3-cryptography +++ b/lfs/python3-cryptography @@ -24,7 +24,7 @@ include Config -VER = 3.4.7 +VER = 36.0.2 THISAPP = cryptography-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = python3-cryptography -PAK_VER = 1 +PAK_VER = 2 DEPS = python3-cffi @@ -46,7 +46,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 49bc1e098ed1ba0181059b645f6668cda6332d196eaca55270ebce6e07e5bb6ab6724c5050fde20e89b7025773960d74ec782bb875badbbd5dc9a04db0a536f1 +$(DL_FILE)_BLAKE2 = b34b994e44b1ccd099a56fba4a167d563a29652f86ab0f0000ef78b4093a15cbfb82a9cebecdcaf6bca782a5fdd20f6c7d2206d68a219626a9fe8ae13e9aec5e install : $(TARGET) -- 2.36.1

3 31

Next Dev Video Conf Call
by Adolf Belka 26 Jun '22

26 Jun '22

Hi All, I won't be able to make the next Video Conf Call on 4th July as I have a friend visiting for that week starting on the Monday of the conf call. Regards, Adolf.

4 3

[PATCH 0/1] pakfire: Better errorhandling on downloads
by Robin Roevens 25 Jun '22

25 Jun '22

Hi all While tinkering with pakfire to add effective use of the new metadata, remove more duplicate code and seperating some view and control for cleaner usage in services.cgi et al; I had a few times where my VM lost connection to internet. And there I found that pakfire started to fail in ugly ways. Ugly errors, even tar errors failing to untar the file it failed to download etc. This lack of errorhandling was also the cause of meta-files sometimes turning up empty. Also in some corner cases the list files could become corrupted or some package dependencies could be skipped during install. So I added proper errorhandling around file downloads: functions fetchfile, getmetafile and getmirrors now always return 0 (fail) or 1 (success). Fetchfile actually already had return values but those where never checked. So now, where required, these errorcodes are checked and proper error messages are displayed, or at least files are not overwritten with possibly corrupt files, making functions or even pakfire stop before it tries to do things that depend on files that are not there due to earlier uncatched failures. Regards Robin -- Dit bericht is gescanned op virussen en andere gevaarlijke inhoud door MailScanner en lijkt schoon te zijn.

4 10

[PATCH 1/2] ovpnmain.cgi: Fix for bug #12865 - Static IP address pools - Add network - Name with space
by Adolf Belka 24 Jun '22

24 Jun '22

- The fix for bug #12428 removed spaces from the validhostname subroutine as hostnames are not supposed to have spaces - This resulted in spaces no longer being allowed for the Static IP Address Pools names - New subroutine created called validccdname in general-functions.pl Fixes: Bug #12865 Tested-by: Adolf Belka <adolf.belka(a)ipfire.org> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org> --- html/cgi-bin/ovpnmain.cgi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 736d17541..90d3710e4 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -473,7 +473,7 @@ sub addccdnet return } - if(!&General::validhostname($ccdname)) + if(!&General::validccdname($ccdname)) { $errormessage=$Lang::tr{'ccd err invalidname'}; return; -- 2.36.1

1 1

[PATCH 1/3] borgbackup: Fix bug #12884 - borgbackup 1.2.0 crashes on running any borg command
by Adolf Belka 24 Jun '22

24 Jun '22

- When borgbackup was upgraded from version 1.1.17 to 1.2.0 the build was sucessfully completed but there was no testing feedback till after full release. It turned out that it did not successfully run. - python3-packaging which had been installed for the build of borgbackup needed to also be available for the execution. - When borgbackup was upgraded to 1.2.0 it was noticed that the old python3-msgpack was no longer needed as borgbackup used its own bundled msgpack since around version 1.1.10 What was not seen was that in version 1.1.19 or 1.1.18 the bundled version of msgpack had been removed and that the newer version of python3-msgpack now needed to be installed but the version number has to meet the borgbackup requirements which currently require it to be =<1.0.3 - This patch adds the python3-packaging and python3-msgpack modules as dependencies for borgbackup - The egg-info files are uncommented in the rootfile so that the borgbackup metadata can be found by python. - The updated borgbackup build together with the python3-packaging and python3-msgpack modules were installed into a vm system using the .ipfire packages. Successfully initialised a borgbackup repo and ran two backups to the repo and checked the stats for the backup. Everything ran fine. Fixes: Bug #12884 Tested-by: Adolf Belka <adolf.belka(a)ipfire.org> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org> --- config/rootfiles/packages/borgbackup | 14 +++++++------- lfs/borgbackup | 4 ++-- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/config/rootfiles/packages/borgbackup b/config/rootfiles/packages/borgbackup index a27b7c11c..b744b0b99 100644 --- a/config/rootfiles/packages/borgbackup +++ b/config/rootfiles/packages/borgbackup @@ -92,10 +92,10 @@ usr/lib/python3.10/site-packages/borg/upgrader.py usr/lib/python3.10/site-packages/borg/version.py usr/lib/python3.10/site-packages/borg/xattr.py #usr/lib/python3.10/site-packages/borgbackup-1.2.0-py3.10.egg-info -#usr/lib/python3.10/site-packages/borgbackup-1.2.0-py3.10.egg-info/PKG-INFO -#usr/lib/python3.10/site-packages/borgbackup-1.2.0-py3.10.egg-info/SOURCES.txt -#usr/lib/python3.10/site-packages/borgbackup-1.2.0-py3.10.egg-info/dependency_links.txt -#usr/lib/python3.10/site-packages/borgbackup-1.2.0-py3.10.egg-info/entry_points.txt -#usr/lib/python3.10/site-packages/borgbackup-1.2.0-py3.10.egg-info/not-zip-safe -#usr/lib/python3.10/site-packages/borgbackup-1.2.0-py3.10.egg-info/requires.txt -#usr/lib/python3.10/site-packages/borgbackup-1.2.0-py3.10.egg-info/top_level.txt +usr/lib/python3.10/site-packages/borgbackup-1.2.0-py3.10.egg-info/PKG-INFO +usr/lib/python3.10/site-packages/borgbackup-1.2.0-py3.10.egg-info/SOURCES.txt +usr/lib/python3.10/site-packages/borgbackup-1.2.0-py3.10.egg-info/dependency_links.txt +usr/lib/python3.10/site-packages/borgbackup-1.2.0-py3.10.egg-info/entry_points.txt +usr/lib/python3.10/site-packages/borgbackup-1.2.0-py3.10.egg-info/not-zip-safe +usr/lib/python3.10/site-packages/borgbackup-1.2.0-py3.10.egg-info/requires.txt +usr/lib/python3.10/site-packages/borgbackup-1.2.0-py3.10.egg-info/top_level.txt diff --git a/lfs/borgbackup b/lfs/borgbackup index bfdc9e3ff..c2faaac21 100644 --- a/lfs/borgbackup +++ b/lfs/borgbackup @@ -33,9 +33,9 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = borgbackup -PAK_VER = 11 +PAK_VER = 12 -DEPS = python3-pkgconfig +DEPS = python3-pkgconfig python3-msgpack python3-packaging SERVICES = -- 2.36.1

1 2

[PATCH] ruleset-sources: Update download URL for Talos rulesets.
by Stefan Schantl 23 Jun '22

23 Jun '22

Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org> --- config/suricata/ruleset-sources | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/suricata/ruleset-sources b/config/suricata/ruleset-sources index 1d2c6e98b..592cbedf0 100644 --- a/config/suricata/ruleset-sources +++ b/config/suricata/ruleset-sources @@ -23,7 +23,7 @@ our %Providers = ( website => "https://www.snort.org", tr_string => "registered user rules", requires_subscription => "True", - dl_url => "https://www.snort.org/rules/snortrules-snapshot-29190.tar.gz?oinkcode=<subscription_code>", + dl_url => "https://www.snort.org/rules/snortrules-snapshot-29200.tar.gz?oinkcode=<subscription_code>", dl_type => "archive", }, @@ -33,7 +33,7 @@ our %Providers = ( website => "https://www.snort.org", tr_string => "subscripted user rules", requires_subscription => "True", - dl_url => "https://www.snort.org/rules/snortrules-snapshot-29190.tar.gz?oinkcode=<subscription_code>", + dl_url => "https://www.snort.org/rules/snortrules-snapshot-29200.tar.gz?oinkcode=<subscription_code>", dl_type => "archive", }, -- 2.30.2

3 4

borgbackup 1.2.0 is not working
by Adolf Belka 23 Jun '22

23 Jun '22

Hallo all, In the forum it has been flagged up that borgbackup is not working in CU168. I cloned a CU168 vm in my testbed system and installed borgbackup and ran borg -h and replicated the posters error. The following message occurred:- borg -h Traceback (most recent call last): File "/usr/bin/borg", line 33, in <module> sys.exit(load_entry_point('borgbackup==1.2.0', 'console_scripts', 'borg')()) File "/usr/bin/borg", line 22, in importlib_load_entry_point for entry_point in distribution(dist_name).entry_points File "/usr/lib/python3.10/importlib/metadata/__init__.py", line 919, in distribution return Distribution.from_name(distribution_name) File "/usr/lib/python3.10/importlib/metadata/__init__.py", line 518, in from_name raise PackageNotFoundError(name) importlib.metadata.PackageNotFoundError: No package metadata was found for borgbackup I have done searches about the error message and have not been able to find anything that helps. The build for borgbackup-1.2.0 ran without any problems and there are no error messages in the logs for the build that I have been able to find. Does anyone have a clue what is going on here. At first I thought that the package importlib-metadata was missing for the execution but then I thought the message was more related to not being able to find metadata about borgbackup but I haven't been able to find any clues about that either in my searches. Looking for any inspiration or good guesses otherwise I will raise it as an issue on the borgbackup git repository. Regards, Adolf.

2 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Development June 2022