Development July 2024

development@lists.ipfire.org

9 participants
39 discussions

[PATCH 1/3] vpnmain.cgi: Fix for bug13029 - add base64 encoding to IPSec cgi page
by Adolf Belka 05 Jul '24

05 Jul '24

- This adds the base64 encoded PSK into the config file and when the ipsec.secrets file is created the PSK is base64 decoded to write it to the file. The ipsec.secrets file surrounds the PSK with single quotation marks so that character is not allowed to be used in the PSK but anything else can be. - Tested out on my vm system and shown to be working. New PSK with various characters characters including commas was base64 encoded before putting into the config file and therefore was accepted by the code. If a single quotation mark was used in the PSK then the error message about invalid characters was shown. Fixes: Bug13029 Tested-by: Adolf Belka <adolf.belka(a)ipfire.org> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org> --- html/cgi-bin/vpnmain.cgi | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) mode change 100644 => 100755 html/cgi-bin/vpnmain.cgi diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi old mode 100644 new mode 100755 index 25e0f0a53..bde5e11bc --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -481,7 +481,8 @@ sub writeipsecfiles { if ($lconfighash{$key}[4] eq 'psk') { $psk_line = ($lconfighash{$key}[7] ? $lconfighash{$key}[7] : $localside) . " " ; $psk_line .= $lconfighash{$key}[9] ? $lconfighash{$key}[9] : $lconfighash{$key}[10]; #remoteid or remote address? - $psk_line .= " : PSK '$lconfighash{$key}[5]'\n"; + my $decoded_psk = MIME::Base64::decode_base64($lconfighash{$key}[5]); + $psk_line .= " : PSK '$decoded_psk'\n"; # if the line contains %any, it is less specific than two IP or ID, so move it at end of file. if ($psk_line =~ /%any/) { $last_secrets .= $psk_line; @@ -2260,7 +2261,7 @@ END $confighash{$key}[3] = $cgiparams{'TYPE'}; if ($cgiparams{'AUTH'} eq 'psk') { $confighash{$key}[4] = 'psk'; - $confighash{$key}[5] = $cgiparams{'PSK'}; + $confighash{$key}[5] = MIME::Base64::encode_base64($cgiparams{'PSK'}, ""); } else { $confighash{$key}[4] = 'cert'; } -- 2.45.2

1 2

[PATCH] apache: Update to 2.4.61
by Matthias Fischer 05 Jul '24

05 Jul '24

For details see: https://dlcdn.apache.org/httpd/CHANGES_2.4.61 "Changes with Apache 2.4.61 *) SECURITY: CVE-2024-39884: Apache HTTP Server: source code disclosure with handlers configured via AddType (cve.mitre.org) A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue." Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- lfs/apache2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lfs/apache2 b/lfs/apache2 index 2736eec8d..2dfd8b39d 100644 --- a/lfs/apache2 +++ b/lfs/apache2 @@ -25,7 +25,7 @@ include Config -VER = 2.4.60 +VER = 2.4.61 THISAPP = httpd-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -45,7 +45,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = d1b4d2e05edfe8b88f541e6fa8b5db73f37cc349a4037b493e57ae2f2e0bb84f92aad3ad3bc0bdbc454d2677091bbca283ebe752a9335fae6931ec65cc687326 +$(DL_FILE)_BLAKE2 = 9299ef5843888829143732b3a60d1713aff688ed2f6c2b7f154be16bc075ec747a5b116716f188491ebc9947ff2dfe09dfc71f5245d98a4be3ba27ada28ec8a5 install : $(TARGET) -- 2.34.1

1 0

[PATCH 1/2] ipblocklist-sources: Update to include the 3CORESec ip blocklists
by Adolf Belka 03 Jul '24

03 Jul '24

- The patch for this was created by Stefan Schantl - Blocklist addition was discussed and agreed at IPFire dev conf call in June 2024. - Tested on vm system. - The combined list was removed because it is just the three others which can be selected in the WUI to give the equivalent result. Created-by: Stefan Schantl <stefan.schantl(a)ipfire.org> Tested-by: Adolf Belka <adolf.belka(a)ipfire.org> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org> --- config/ipblocklist/sources | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/config/ipblocklist/sources b/config/ipblocklist/sources index 0835c0f9c..69f964dd9 100644 --- a/config/ipblocklist/sources +++ b/config/ipblocklist/sources @@ -124,5 +124,23 @@ our %sources = ( 'EMERGING_FWRULE' => { 'name' => 'Emerging Threats Blocklis 'info' => 'https://www.blocklist.de', 'parser' => 'ip-or-net-list', 'rate' => '30m', - 'category' => 'attacker' } + 'category' => 'attacker' }, + '3CORESEC_SSH' => { 'name' => '3CORESec SSH Activity Blocklist', + 'url' => 'https://blacklist.3coresec.net/lists/ssh.txt', + 'info' => 'https://blacklist.3coresec.net', + 'parser' => 'ip-or-net-list', + 'rate' => '1d', + 'category' => 'attacker' }, + '3CORESEC_SCAN' => { 'name' => '3CORESec Scan and IDS Blocklist', + 'url' => 'https://blacklist.3coresec.net/lists/misc.txt', + 'info' => 'https://blacklist.3coresec.net', + 'parser' => 'ip-or-net-list', + 'rate' => '1d', + 'category' => 'reputation' }, + '3CORESEC_WEB' => { 'name' => '3CORESec Web Server Activity Blocklist', + 'url' => 'https://blacklist.3coresec.net/lists/http.txt', + 'info' => 'https://blacklist.3coresec.net', + 'parser' => 'ip-or-net-list', + 'rate' => '1d', + 'category' => 'attacker' } ); -- 2.45.2

2 4

[PATCH] Core Update 187: Rewrite the SSH configuration on update
by Peter Müller 03 Jul '24

03 Jul '24

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org> --- config/rootfiles/core/187/update.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/rootfiles/core/187/update.sh b/config/rootfiles/core/187/update.sh index 5687474b9..e0a977290 100644 --- a/config/rootfiles/core/187/update.sh +++ b/config/rootfiles/core/187/update.sh @@ -49,6 +49,9 @@ ldconfig # Filesytem cleanup /usr/local/bin/filesystem-cleanup +# Apply local configuration to sshd_config +/usr/local/bin/sshctrl + # Start services /etc/init.d/apache restart /etc/init.d/unbound restart -- 2.35.3

1 0

Access to IPFire git server
by jon 03 Jul '24

03 Jul '24

Michael, To continue this post about the IPFire git server: https://bugzilla.ipfire.org/show_bug.cgi?id=13254#c147 I want to use the git server but I do not think I have access. I see errors like this: ``` Connection closed by 81.3.27.45 port 22 fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists. ``` And with FileZilla I access `people.ipfire.org` and I can read and write files. But I cannot access `git.ipfire.org`. I get this error: Do I need access to `git.ipfire.org` to access the ipfire git server? Best regards, Jon

2 1

Review of package updates from Adolf for any with CVE's
by Adolf Belka 02 Jul '24

02 Jul '24

Hi All, I went through the list of package updates that I have provided that are not yet merged. There are two that have CVE's. openssh, which we know from yesterday and tshark. Current version of tshark is 4.0.8 and there are 13 updates between that version and the update of 4.2.5. In 7 of those 13 updates there are a total of 21 CVE's, so I think tshark definitely needs to go into CU187. Regards, Adolf. -- Sent from my laptop

2 1

[PATCH] apache: Update to 2.4.60
by Matthias Fischer 02 Jul '24

02 Jul '24

Fixed: CVE-2024-39573, CVE-2024-38477, CVE-2024-38476, CVE-2024-38475, CVE-2024-38474, CVE-2024-38473, CVE-2024-38472, CVE-2024-36387. For details see: https://dlcdn.apache.org/httpd/CHANGES_2.4.60 Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org> --- lfs/apache2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lfs/apache2 b/lfs/apache2 index 0851471fe..2736eec8d 100644 --- a/lfs/apache2 +++ b/lfs/apache2 @@ -25,7 +25,7 @@ include Config -VER = 2.4.59 +VER = 2.4.60 THISAPP = httpd-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -45,7 +45,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 836e3538a120d71c016149397a4efd61ae6acd8a8fb9d2ce117c7d86209c4b40c0be3c464007891f28c58182e9d40a8793abe9e94e642354492954af91d9878c +$(DL_FILE)_BLAKE2 = d1b4d2e05edfe8b88f541e6fa8b5db73f37cc349a4037b493e57ae2f2e0bb84f92aad3ad3bc0bdbc454d2677091bbca283ebe752a9335fae6931ec65cc687326 install : $(TARGET) -- 2.34.1

2 1

[PATCH] openssh: Update to version 9.8p1
by Adolf Belka 01 Jul '24

01 Jul '24

- Update from version 9.7p1 to 9.8p1 - Update of rootfile - Changelog 9.8p1 -There is a fix for CVE-2024-6387 -The number of changes is too large to show all here. As well as the CVE fix and another security related fix there are a log of bug fixes as well. The details can seen at https://www.openssh.com/txt/release-9.8 Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org> --- config/rootfiles/common/openssh | 3 +-- lfs/openssh | 4 ++-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/config/rootfiles/common/openssh b/config/rootfiles/common/openssh index c3666d914..93d51714d 100644 --- a/config/rootfiles/common/openssh +++ b/config/rootfiles/common/openssh @@ -1,8 +1,6 @@ #etc/ssh etc/ssh/moduli etc/ssh/ssh_config -#etc/ssh/ssh_host_dsa_key -#etc/ssh/ssh_host_dsa_key.pub #etc/ssh/ssh_host_ecdsa_key #etc/ssh/ssh_host_ecdsa_key.pub #etc/ssh/ssh_host_ed25519_key @@ -22,6 +20,7 @@ usr/lib/openssh/sftp-server #usr/lib/openssh/ssh-keysign usr/lib/openssh/ssh-pkcs11-helper usr/lib/openssh/ssh-sk-helper +#usr/lib/openssh/sshd-session usr/sbin/sshd #usr/share/man/man1/scp.1 #usr/share/man/man1/sftp.1 diff --git a/lfs/openssh b/lfs/openssh index 315b1a70b..036d0bb8e 100644 --- a/lfs/openssh +++ b/lfs/openssh @@ -24,7 +24,7 @@ include Config -VER = 9.7p1 +VER = 9.8p1 THISAPP = openssh-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 520859fcbdf678808fc8515b64585ab9a90a8055fa869df6fbba3083cb7f73ddb81ed9ea981e131520736a8aed838f85ae68ca63406a410df61039913c5cb48b +$(DL_FILE)_BLAKE2 = 3bf983c4ef5358054ed0104cd51d3e0069fbc2b80d8522d0df644d5508ec1d26a67bf061b1b5698d1cdf0d2cbba16b4cdca12a4ce30da24429094576a075e192 install : $(TARGET) -- 2.45.2

1 0

Update of openssh due to CVE CVE-2024-6387
by Adolf Belka 01 Jul '24

01 Jul '24

Hi All, Openssh has a CVE https://community.ipfire.org/t/cve-2024-6387-openssh-regession/11806 I am building a package update for Openssh to 9.8p1 and will submit to go into CU187. I am not sure that it is super critical for IPFire as so far the exploit has only been demonstrated in 32 bit systems with the attacker having to try and make connections for 6 to 8 hours. On 64 bit systems they expect it will take longer but so far the exploit has not yet been demonstrated. Regards, Adolf.

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Development July 2024