Development June 2024

development@lists.ipfire.org

11 participants
41 discussions

[PATCH] sysctl: Disable bpf() calls from unprivileged users without toggle option
by Peter Müller 16 Jun '24

16 Jun '24

According to the Linux kernel documentation, enabling BPF_UNPRIV_DEFAULT_OFF (which was done in 69dde418f11dc0085cbe061b90f6c002d6d6cce2) will cause the sysctl kernel.unprivileged_bpf_disabled to default to 2. This prohibits calls to bpf() from unprivileged users by default, but allows for such calls to be allowed again during runtime, by setting kernel.unprivileged_bpf_disabled to 0. There is no legitimate reason why this should be possible on IPFire, which is why this patch sets kernel.unprivileged_bpf_disabled to 1 during startup, causing the same effect as 2, but without any option to revert this setting during runtime. This fixes a Lynis warning. Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> --- config/etc/sysctl.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index 31a220e38..51a804043 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -111,3 +111,6 @@ kernel.perf_event_paranoid = 3 # Only processes with CAP_SYS_PTRACE may use ptrace kernel.yama.ptrace_scope = 2 + +# Disable unprivileged calls to bpf() without option to enable during runtime +kernel.unprivileged_bpf_disabled = 1 -- 2.35.3

1 0

[PATCH] Tor: Update to 0.4.8.12
by Peter Müller 16 Jun '24

16 Jun '24

From https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.8/ReleaseNotes: Changes in version 0.4.8.12 - 2024-06-06 This is a minor release with couple bugfixes affecting conflux and logging. We also have the return of faravahar directory authority with new keys and address. o Minor feature (dirauth): - Add back faravahar with a new address and new keys. Closes 40689. o Minor features (fallbackdir): - Regenerate fallback directories generated on June 06, 2024. o Minor features (geoip data): - Update the geoip files to match the IPFire Location Database, as retrieved on 2024/06/06. o Minor bugfix (circuit): - Remove a log_warn being triggered by a protocol violation that already emits a protocol warning log. Fixes bug 40932; bugfix on 0.4.8.1-alpha. o Minor bugfixes (conflux): - Avoid a potential hard assert (crash) when sending a cell on a Conflux set. Fixes bug 40921; bugfix on 0.4.8.1-alpha. - Make sure we don't process a closed circuit when packaging data. This lead to a non fatal BUG() spamming logs. Fixes bug 40908; bugfix on 0.4.8.1-alpha. Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> --- lfs/tor | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lfs/tor b/lfs/tor index 488415902..7659c5212 100644 --- a/lfs/tor +++ b/lfs/tor @@ -26,7 +26,7 @@ include Config SUMMARY = Anonymizing overlay network for TCP (The onion router) -VER = 0.4.8.11 +VER = 0.4.8.12 THISAPP = tor-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = tor -PAK_VER = 85 +PAK_VER = 86 DEPS = libseccomp @@ -48,7 +48,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = b7f5bb855a6f8fe7dfd0e0efe7b48798e9d4642e401641c83554ed0f98fe238a5f303e9466e9e24a7ade63488a745b3c957ed6cc53a2f5e21f5f9c3f78f7fa78 +$(DL_FILE)_BLAKE2 = adaf1f90c698ee373d7ef93c77e883b76a2d75932a50b2bf7a4f5a2d387f3f8cc00d83860ed61e1e2c1d224680d07828137cf4805adb9975d9cc7218c493d19d install : $(TARGET) -- 2.35.3

1 0

[PATCH] vpnmain.cgi: Allow passing strings with double @@ as IDs
by Michael Tremer 13 Jun '24

13 Jun '24

This is required to configure a user FQDN which some VPN peers might send. This patch also allows setting a key ID using @#. Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> --- html/cgi-bin/vpnmain.cgi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 9173a85d8..25e0f0a53 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -1856,8 +1856,8 @@ END # Allow nothing or a string (DN,FDQN,) beginning with @ # with no comma but slashes between RID eg @O=FR/C=Paris/OU=myhome/CN=franck - if ( ($cgiparams{'LOCAL_ID'} !~ /^(|[\w.-]*@[\w. =*\/-]+|\d+\.\d+\.\d+\.\d+)$/) || - ($cgiparams{'REMOTE_ID'} !~ /^(|[\w.-]*@[\w. =*\/-]+|\d+\.\d+\.\d+\.\d+)$/) || + if ( ($cgiparams{'LOCAL_ID'} !~ /^(|[\w.-]*@[@#]?[\w. =*\/-]+|\d+\.\d+\.\d+\.\d+)$/) || + ($cgiparams{'REMOTE_ID'} !~ /^(|[\w.-]*@[@#]?[\w. =*\/-]+|\d+\.\d+\.\d+\.\d+)$/) || (($cgiparams{'REMOTE_ID'} eq $cgiparams{'LOCAL_ID'}) && ($cgiparams{'LOCAL_ID'} ne '')) ) { $errormessage = $Lang::tr{'invalid local-remote id'} . '<br />' . -- 2.39.2

1 0

[PATCH] squid: Update to 6.10
by Matthias Fischer 12 Jun '24

12 Jun '24

For details see: https://github.com/squid-cache/squid/commits/v6 Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- lfs/squid | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lfs/squid b/lfs/squid index 6f487c3a6..d7fefe8c8 100644 --- a/lfs/squid +++ b/lfs/squid @@ -24,7 +24,7 @@ include Config -VER = 6.9 +VER = 6.10 THISAPP = squid-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -46,7 +46,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = cac10d3a16fe31a9becfcd0fc278413d53c52285cdca9ece897ca4e3a0e50806e186960091f9050243180996382c6b5209360d9fff249d26b20d1e529285a038 +$(DL_FILE)_BLAKE2 = 608b49c25549e73bc58ee4ec82a4d582f6f28b6dd324261806931eb2e37f0b5d63f6c2f6373a3db43823e805f5d6df56b2a4b5a8324cd6e623c4302d2c4b9421 install : $(TARGET) -- 2.34.1

1 0

[PATCH] ppp: Fix definition of directory for pid files
by Adolf Belka 11 Jun '24

11 Jun '24

- When ppp was updated from version 2.5.0 to e1266c7 I missed that a new configure option was introduced. This is --with-runtime-dir=DIR. - If this option is used then the run time directory for the pid files is defined by that DIR entry. If the option is not used then the pid directory is fixed as /var/run/pppd/ - Even if the --runstatedir=DIR option is used then it is ignored if the --with-runtime-dir=DIR option is used or not used even though both effectively deal with the same aspect. - Some users in the forum had noticed that they had log messages saying that pid files could not be created because the files or directories did not exist. The pid files were being tried to be stored in /var/run/pppd/ but the pppd directory did not exist. - This patch submission adds the --with-runtime-dir=/var/run option to the ppp configure command. This basically makes ppp act the same as it used to do previously with version 2.5.0 and earlier. - Changing IPFire to use /var/run/pppd/ is not a good idea as then there are several locations in IPFire that specify the pid directory location to /var/run/ as hard coded path. All of these locations would need to be identified and changed. - Leaving IPFire to use /var/run means that only the ppp configure command needs to be modified. - I hope that @adamgibbo and @markadewwet will be able to test out this change in CU187 Testing when it is accepted. Those two users have got the pid error messages. - Even if the ppp pid file can not be stored ppp will still successfully start. However the likelihood is that stoppinf ppp will not work as would be expected. This patch ensures that ppp will be able to store its pid files asa required whyen starting up. Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org> --- lfs/ppp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lfs/ppp b/lfs/ppp index a16859002..9290a7c41 100644 --- a/lfs/ppp +++ b/lfs/ppp @@ -72,7 +72,7 @@ $(subst %,%_BLAKE2,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && ./autogen.sh + cd $(DIR_APP) && autoreconf -vfi cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-1-we-don-t-want-to-accidentally-leak-fds.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/ppp/ppp-e1266c7-2-everywhere-O_CLOEXEC-harder.patch cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/ppp/ppp-2.5.0-3-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch @@ -84,6 +84,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --sysconfdir=/etc \ --with-logfile-dir=/var/log \ --localstatedir=/var \ + --with-runtime-dir=/var/run \ cc="gcc" \ cflags="$(CFLAGS)" cd $(DIR_APP) && make $(MAKETUNING) -- 2.45.2

1 0

[PATCH 1/3] ovpnmain.cgi: Define OpenSSL configuration globally
by Michael Tremer 11 Jun '24

11 Jun '24

This makes commands shorter and therefore easier to read. Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> --- html/cgi-bin/ovpnmain.cgi | 30 +++++++++++++----------------- 1 file changed, 13 insertions(+), 17 deletions(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index c92d0237d..9b8ff5aa5 100755 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -53,6 +53,9 @@ my %mainsettings = (); &General::readhash("${General::swroot}/main/settings", \%mainsettings); &General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color); +# Use a custom OpenSSL configuration file for all operations +$ENV["OPENSSL_CONF"] = "${General::swroot}/ovpn/ca/cacert.pem"; + ### ### Initialize variables ### @@ -1835,8 +1838,7 @@ END unless (exec ('/usr/bin/openssl', 'req', '-x509', '-nodes', '-days', '999999', '-newkey', 'rsa:4096', '-sha512', '-keyout', "${General::swroot}/ovpn/ca/cakey.pem", - '-out', "${General::swroot}/ovpn/ca/cacert.pem", - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { + '-out', "${General::swroot}/ovpn/ca/cacert.pem")) { $errormessage = "$Lang::tr{'cant start openssl'}: $!"; goto ROOTCERT_ERROR; } @@ -1867,8 +1869,7 @@ END '-newkey', 'rsa:4096', '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem", '-out', "${General::swroot}/ovpn/certs/serverreq.pem", - '-extensions', 'server', - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) { + '-extensions', 'server')) { $errormessage = "$Lang::tr{'cant start openssl'}: $!"; unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); unlink ("${General::swroot}/ovpn/certs/serverreq.pem"); @@ -1884,8 +1885,7 @@ END '-batch', '-notext', '-in', "${General::swroot}/ovpn/certs/serverreq.pem", '-out', "${General::swroot}/ovpn/certs/servercert.pem", - '-extensions', 'server', - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf"); + '-extensions', 'server'); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; unlink ("${General::swroot}/ovpn/ca/cakey.pem"); @@ -1903,8 +1903,7 @@ END # Create an empty CRL # System call is safe, because all arguments are passed as array. system('/usr/bin/openssl', 'ca', '-gencrl', - '-out', "${General::swroot}/ovpn/crls/cacrl.pem", - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" ); + '-out', "${General::swroot}/ovpn/crls/cacrl.pem"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); @@ -2426,8 +2425,8 @@ else if ($confighash{$cgiparams{'KEY'}}) { # Revoke certificate if certificate was deleted and rewrite the CRL - &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); + &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem"); ### # m.a.d net2net @@ -2480,7 +2479,7 @@ else &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]"); delete $confighash{$cgiparams{'KEY'}}; - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem"); &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); } else { @@ -4052,8 +4051,7 @@ if ($cgiparams{'TYPE'} eq 'net') { system('/usr/bin/openssl', 'ca', '-days', "$cgiparams{'DAYS_VALID'}", '-batch', '-notext', '-in', $filename, - '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); + '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; unlink ($filename); @@ -4265,8 +4263,7 @@ if ($cgiparams{'TYPE'} eq 'net') { unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-newkey', 'rsa:4096', '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", - '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { + '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem")) { $errormessage = "$Lang::tr{'cant start openssl'}: $!"; unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem"); @@ -4279,8 +4276,7 @@ if ($cgiparams{'TYPE'} eq 'net') { system('/usr/bin/openssl', 'ca', '-days', "$cgiparams{'DAYS_VALID'}", '-batch', '-notext', '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", - '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); + '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); -- 2.39.2

2 18

[PATCH] ca-certificates: Update root CA certificates bundle
by Peter Müller 10 Jun '24

10 Jun '24

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> --- config/ca-certificates/certdata.txt | 124 ++++++++++++++++++++++++++++ lfs/ca-certificates | 2 +- 2 files changed, 125 insertions(+), 1 deletion(-) diff --git a/config/ca-certificates/certdata.txt b/config/ca-certificates/certdata.txt index ed5e6cb17..ea914d409 100644 --- a/config/ca-certificates/certdata.txt +++ b/config/ca-certificates/certdata.txt @@ -25359,3 +25359,127 @@ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + +# +# Certificate "FIRMAPROFESIONAL CA ROOT-A WEB" +# +# Issuer: CN=FIRMAPROFESIONAL CA ROOT-A WEB,OID.2.5.4.97=VATES-A62634068,O=Firmaprofesional SA,C=ES +# Serial Number:31:97:21:ed:af:89:42:7f:35:41:87:a1:67:56:4c:6d +# Subject: CN=FIRMAPROFESIONAL CA ROOT-A WEB,OID.2.5.4.97=VATES-A62634068,O=Firmaprofesional SA,C=ES +# Not Valid Before: Wed Apr 06 09:01:36 2022 +# Not Valid After : Sun Mar 31 09:01:36 2047 +# Fingerprint (SHA-256): BE:F2:56:DA:F2:6E:9C:69:BD:EC:16:02:35:97:98:F3:CA:F7:18:21:A0:3E:01:82:57:C5:3C:65:61:7F:3D:4A +# Fingerprint (SHA1): A8:31:11:74:A6:14:15:0D:CA:77:DD:0E:E4:0C:5D:58:FC:A0:72:A5 +CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "FIRMAPROFESIONAL CA ROOT-A WEB" +CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +CKA_SUBJECT MULTILINE_OCTAL +\060\156\061\013\060\011\006\003\125\004\006\023\002\105\123\061 +\034\060\032\006\003\125\004\012\014\023\106\151\162\155\141\160 +\162\157\146\145\163\151\157\156\141\154\040\123\101\061\030\060 +\026\006\003\125\004\141\014\017\126\101\124\105\123\055\101\066 +\062\066\063\064\060\066\070\061\047\060\045\006\003\125\004\003 +\014\036\106\111\122\115\101\120\122\117\106\105\123\111\117\116 +\101\114\040\103\101\040\122\117\117\124\055\101\040\127\105\102 +END +CKA_ID UTF8 "0" +CKA_ISSUER MULTILINE_OCTAL +\060\156\061\013\060\011\006\003\125\004\006\023\002\105\123\061 +\034\060\032\006\003\125\004\012\014\023\106\151\162\155\141\160 +\162\157\146\145\163\151\157\156\141\154\040\123\101\061\030\060 +\026\006\003\125\004\141\014\017\126\101\124\105\123\055\101\066 +\062\066\063\064\060\066\070\061\047\060\045\006\003\125\004\003 +\014\036\106\111\122\115\101\120\122\117\106\105\123\111\117\116 +\101\114\040\103\101\040\122\117\117\124\055\101\040\127\105\102 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\061\227\041\355\257\211\102\177\065\101\207\241\147\126 +\114\155 +END +CKA_VALUE MULTILINE_OCTAL +\060\202\002\172\060\202\002\000\240\003\002\001\002\002\020\061 +\227\041\355\257\211\102\177\065\101\207\241\147\126\114\155\060 +\012\006\010\052\206\110\316\075\004\003\003\060\156\061\013\060 +\011\006\003\125\004\006\023\002\105\123\061\034\060\032\006\003 +\125\004\012\014\023\106\151\162\155\141\160\162\157\146\145\163 +\151\157\156\141\154\040\123\101\061\030\060\026\006\003\125\004 +\141\014\017\126\101\124\105\123\055\101\066\062\066\063\064\060 +\066\070\061\047\060\045\006\003\125\004\003\014\036\106\111\122 +\115\101\120\122\117\106\105\123\111\117\116\101\114\040\103\101 +\040\122\117\117\124\055\101\040\127\105\102\060\036\027\015\062 +\062\060\064\060\066\060\071\060\061\063\066\132\027\015\064\067 +\060\063\063\061\060\071\060\061\063\066\132\060\156\061\013\060 +\011\006\003\125\004\006\023\002\105\123\061\034\060\032\006\003 +\125\004\012\014\023\106\151\162\155\141\160\162\157\146\145\163 +\151\157\156\141\154\040\123\101\061\030\060\026\006\003\125\004 +\141\014\017\126\101\124\105\123\055\101\066\062\066\063\064\060 +\066\070\061\047\060\045\006\003\125\004\003\014\036\106\111\122 +\115\101\120\122\117\106\105\123\111\117\116\101\114\040\103\101 +\040\122\117\117\124\055\101\040\127\105\102\060\166\060\020\006 +\007\052\206\110\316\075\002\001\006\005\053\201\004\000\042\003 +\142\000\004\107\123\352\054\021\244\167\307\052\352\363\326\137 +\173\323\004\221\134\372\210\306\042\271\203\020\142\167\204\063 +\055\351\003\210\324\340\063\367\355\167\054\112\140\352\344\157 +\255\155\264\370\114\212\244\344\037\312\352\117\070\112\056\202 +\163\053\307\146\233\012\214\100\234\174\212\366\362\071\140\262 +\336\313\354\270\344\157\352\233\135\267\123\220\030\062\125\305 +\040\267\224\243\143\060\141\060\017\006\003\125\035\023\001\001 +\377\004\005\060\003\001\001\377\060\037\006\003\125\035\043\004 +\030\060\026\200\024\223\341\103\143\134\074\235\326\047\363\122 +\354\027\262\251\257\054\367\166\370\060\035\006\003\125\035\016 +\004\026\004\024\223\341\103\143\134\074\235\326\047\363\122\354 +\027\262\251\257\054\367\166\370\060\016\006\003\125\035\017\001 +\001\377\004\004\003\002\001\006\060\012\006\010\052\206\110\316 +\075\004\003\003\003\150\000\060\145\002\060\035\174\244\173\303 +\211\165\063\341\073\251\105\277\106\351\351\241\335\311\042\026 +\267\107\021\013\330\232\272\361\310\013\160\120\123\002\221\160 +\205\131\251\036\244\346\352\043\061\240\000\002\061\000\375\342 +\370\263\257\026\271\036\163\304\226\343\301\060\031\330\176\346 +\303\227\336\034\117\270\211\057\063\353\110\017\031\367\207\106 +\135\046\220\245\205\305\271\172\224\076\207\250\275\000 +END +CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE +CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE +CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE + +# Trust for "FIRMAPROFESIONAL CA ROOT-A WEB" +# Issuer: CN=FIRMAPROFESIONAL CA ROOT-A WEB,OID.2.5.4.97=VATES-A62634068,O=Firmaprofesional SA,C=ES +# Serial Number:31:97:21:ed:af:89:42:7f:35:41:87:a1:67:56:4c:6d +# Subject: CN=FIRMAPROFESIONAL CA ROOT-A WEB,OID.2.5.4.97=VATES-A62634068,O=Firmaprofesional SA,C=ES +# Not Valid Before: Wed Apr 06 09:01:36 2022 +# Not Valid After : Sun Mar 31 09:01:36 2047 +# Fingerprint (SHA-256): BE:F2:56:DA:F2:6E:9C:69:BD:EC:16:02:35:97:98:F3:CA:F7:18:21:A0:3E:01:82:57:C5:3C:65:61:7F:3D:4A +# Fingerprint (SHA1): A8:31:11:74:A6:14:15:0D:CA:77:DD:0E:E4:0C:5D:58:FC:A0:72:A5 +CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +CKA_TOKEN CK_BBOOL CK_TRUE +CKA_PRIVATE CK_BBOOL CK_FALSE +CKA_MODIFIABLE CK_BBOOL CK_FALSE +CKA_LABEL UTF8 "FIRMAPROFESIONAL CA ROOT-A WEB" +CKA_CERT_SHA1_HASH MULTILINE_OCTAL +\250\061\021\164\246\024\025\015\312\167\335\016\344\014\135\130 +\374\240\162\245 +END +CKA_CERT_MD5_HASH MULTILINE_OCTAL +\202\262\255\105\000\202\260\146\143\370\137\303\147\116\316\243 +END +CKA_ISSUER MULTILINE_OCTAL +\060\156\061\013\060\011\006\003\125\004\006\023\002\105\123\061 +\034\060\032\006\003\125\004\012\014\023\106\151\162\155\141\160 +\162\157\146\145\163\151\157\156\141\154\040\123\101\061\030\060 +\026\006\003\125\004\141\014\017\126\101\124\105\123\055\101\066 +\062\066\063\064\060\066\070\061\047\060\045\006\003\125\004\003 +\014\036\106\111\122\115\101\120\122\117\106\105\123\111\117\116 +\101\114\040\103\101\040\122\117\117\124\055\101\040\127\105\102 +END +CKA_SERIAL_NUMBER MULTILINE_OCTAL +\002\020\061\227\041\355\257\211\102\177\065\101\207\241\147\126 +\114\155 +END +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + diff --git a/lfs/ca-certificates b/lfs/ca-certificates index 5fe5ca550..6c603340a 100644 --- a/lfs/ca-certificates +++ b/lfs/ca-certificates @@ -24,7 +24,7 @@ include Config -VER = 20240217 +VER = 20240610 # From https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/b… -- 2.35.3

2 1

[PATCH] zabbix_agentd: Update to 6.0.30 (LTS)
by Robin Roevens 09 Jun '24

09 Jun '24

- Update from version 6.0.27 to 6.0.30 - Update of rootfile not required Bugs fixed: - ZBX-23853: Fixed duplicate agent check timestamps when time shifts back due to system clock synchronization Full changelogs since 6.0.27: - https://www.zabbix.com/rn/rn6.0.28 - https://www.zabbix.com/rn/rn6.0.29 - https://www.zabbix.com/rn/rn6.0.30 --- lfs/zabbix_agentd | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lfs/zabbix_agentd b/lfs/zabbix_agentd index 5f274c309..06956ad41 100644 --- a/lfs/zabbix_agentd +++ b/lfs/zabbix_agentd @@ -26,7 +26,7 @@ include Config SUMMARY = Zabbix Agent -VER = 6.0.27 +VER = 6.0.30 THISAPP = zabbix-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = zabbix_agentd -PAK_VER = 12 +PAK_VER = 13 DEPS = fping @@ -48,7 +48,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 793bb887bd8f0d3c2f3d15a4ed9bb5b1fcfb13fcf80ea077672744a1bd8524e213eaf53291e0f9eecb9eb055fee6f1e29e91f890b54698906beac21ca54db4e9 +$(DL_FILE)_BLAKE2 = 5446a15c5fa3400d78eef47cced6cbd0bc884b6b1f14e267321f562b5891e21de41179bb615a733b49ee0ae334aadede32d931db400b9148ec9bc6636ac71e5a install : $(TARGET) -- 2.45.1

2 1

[PATCH] openssl: Update to 3.2.2
by Michael Tremer 07 Jun '24

07 Jun '24

https://www.openssl.org/news/openssl-3.2-notes.html Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org> --- config/rootfiles/common/openssl | 5 +++++ lfs/openssl | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/config/rootfiles/common/openssl b/config/rootfiles/common/openssl index a3664a521..d5f4f3814 100644 --- a/config/rootfiles/common/openssl +++ b/config/rootfiles/common/openssl @@ -797,6 +797,7 @@ usr/lib/ossl-modules/legacy.so #usr/share/doc/openssl/html/man3/SSL_set_incoming_stream_policy.html #usr/share/doc/openssl/html/man3/SSL_set_retry_verify.html #usr/share/doc/openssl/html/man3/SSL_set_session.html +#usr/share/doc/openssl/html/man3/SSL_set_session_secret_cb.html #usr/share/doc/openssl/html/man3/SSL_set_shutdown.html #usr/share/doc/openssl/html/man3/SSL_set_verify_result.html #usr/share/doc/openssl/html/man3/SSL_shutdown.html @@ -966,6 +967,7 @@ usr/lib/ossl-modules/legacy.so #usr/share/doc/openssl/html/man7/OSSL_PROVIDER-default.html #usr/share/doc/openssl/html/man7/OSSL_PROVIDER-legacy.html #usr/share/doc/openssl/html/man7/OSSL_PROVIDER-null.html +#usr/share/doc/openssl/html/man7/OSSL_STORE-winstore.html #usr/share/doc/openssl/html/man7/RAND.html #usr/share/doc/openssl/html/man7/RSA-PSS.html #usr/share/doc/openssl/html/man7/X25519.html @@ -5515,6 +5517,7 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/SSL_set_security_level.3ossl #usr/share/man/man3/SSL_set_session.3ossl #usr/share/man/man3/SSL_set_session_id_context.3ossl +#usr/share/man/man3/SSL_set_session_secret_cb.3ossl #usr/share/man/man3/SSL_set_shutdown.3ossl #usr/share/man/man3/SSL_set_split_send_fragment.3ossl #usr/share/man/man3/SSL_set_srp_server_param.3ossl @@ -6703,6 +6706,7 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/sk_TYPE_value.3ossl #usr/share/man/man3/sk_TYPE_zero.3ossl #usr/share/man/man3/ssl_ct_validation_cb.3ossl +#usr/share/man/man3/tls_session_secret_cb_fn.3ossl #usr/share/man/man5/config.5ossl #usr/share/man/man5/fips_config.5ossl #usr/share/man/man5/x509v3_config.5ossl @@ -6828,6 +6832,7 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man7/OSSL_PROVIDER-default.7ossl #usr/share/man/man7/OSSL_PROVIDER-legacy.7ossl #usr/share/man/man7/OSSL_PROVIDER-null.7ossl +#usr/share/man/man7/OSSL_STORE-winstore.7ossl #usr/share/man/man7/RAND.7ossl #usr/share/man/man7/RSA-PSS.7ossl #usr/share/man/man7/RSA.7ossl diff --git a/lfs/openssl b/lfs/openssl index 695035742..d6f565df2 100644 --- a/lfs/openssl +++ b/lfs/openssl @@ -24,7 +24,7 @@ include Config -VER = 3.2.1 +VER = 3.2.2 THISAPP = openssl-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -72,7 +72,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 960222e0305166160e5ab000e29650b92063bf726551ee9ad46060166d99738d1e3a5b86fd28b14c8f4fb3a72f5aa70850defb87c02990acff3dbcbdac40b347 +$(DL_FILE)_BLAKE2 = f42d44f31dc9ccf26ffe1fdd4a0119506a211808f92e860a34118109eae2ee7bcb5b0f43cbdf9eb811cd185cb53e092e62d652f7c0c0ce55b13289f7489073c9 install : $(TARGET) -- 2.39.2

1 0

[PATCH] ethtool: Update to version 6.9
by Adolf Belka 07 Jun '24

07 Jun '24

- Update from version 6.7 to 6.9 - Update of rootfile not required - Changelog 6.9 * Feature: support for rx-flow-hash gtp (-N) * Feature: support for RSS input transformation (-X) * Fix: typo in coalescing output (-c) * Fix: document all debugging flags in man page Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org> --- lfs/ethtool | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lfs/ethtool b/lfs/ethtool index c6b54aa4e..9cdede460 100644 --- a/lfs/ethtool +++ b/lfs/ethtool @@ -24,7 +24,7 @@ include Config -VER = 6.7 +VER = 6.9 THISAPP = ethtool-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 94a6fd8d29ff479eb894fe56bf991f522fff9af5a94c176d06be2819fe2520125cb48dbded229df1a9f5a0308aeaec503c55caf5d248eef87640c7f90f1132ec +$(DL_FILE)_BLAKE2 = e04fa530084ad14abfea8c3802f272eb61eae9ee07aa2a12d16eeb77708b5ab021f1cdee10c24f83f77d65f2740ba5aceda99c21c47ef6cbcd65834af8334b00 install : $(TARGET) -- 2.45.2

1 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Development June 2024