-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
Hello Michael,
Michael Tremer:
On Sun, 2015-05-31 at 22:11 +0200, Stefan Schantl wrote:
Hello Timmothy,
thanks for your hard work and sending us the patches. I've noticed you already have read through the "Submiting Patches" guide on the wiki (http://wiki.ipfire.org/devel/submit-patches).
In order for an easy apply of your modifications please re-send them to the list with the patchfile attached to the mail.
No, no attachments.
http://wiki.ipfire.org/devel/submit-patches#no_mime_no_links_no_compre
ssion_no_attachments_just_plain_text As
Stefan already estimated, I've read those wiki pages. But I've uploaded the patch to nopaste.ipfire.org due to cryappy line breaks done by my mail program (I guess it has something to do with PGP, but I don't know it for sure.).
So, if you like, I can attach the patch to an email, but I really can't guarantee that it arrives correctly.
Also no pseudonyms.
What is that supposed to mean?
I get that this entire process might be a bit difficult for a start but there has been put a lot of thought into it why we are doing it this way.
Both aspects are right: It is complicated to clone the git branch, make patchfiles, working with git (first time!) and so on. But those things seem to be useful for you developers.
Best regards, Timmothy Wilson
Best, -Michael
Thanks in advance,
-Stefan
Changes: [1] Forbid the use of weak DH cipher suites in Apache. [2] Tell Apache to use a custom bunch of prime numbers. [3] Updated "httpscert" in order to generate those prime numbers.
Those changes are supposed to fix a vulnerability called "logjam" in Apache. "Logjam" is a recently discovered vulnerability in the Diffie-Hellman-Key-Exchange. Affected are TLS/SSL connectiones, VPNs and other services which are relying on DH as well.
References: [Bug #10856]: https://bugzilla.ipfire.org/show_bug.cgi?id=10856 [Further Information]: https://weakdh.org/ [Further Information (german)]: http://www.heise.de/security/meldung/Logjam-Attacke-Verschluesselung
- -von
- -zehntausenden-Servern-gefaehrdet-2657502.html
Please find the patch here: http://nopaste.ipfire.org/view/r8QWUyQF
However, the patch can't applied to IPFire systems without creating unique prime numbers, since the configuration file of Apache expects the presence of a file called "/etc/httpd/dhparams.pem", if this one does not exist, Apache will likely crash. Please make sure to generate prime numbers by Pakfire during a upgrade:
/usr/bin/openssl dhparam -out /etc/httpd/dhparams.pem 2048;
I'm estimating that other software components of IPFire are still vulnerable to Lojgam (IPSec?). As soon as I have more information about this, I will roll out new patches.
Best regards, Timmothy Wilson _______________________________________________ Development mailing list Development@lists.ipfire.org http://lists.ipfire.org/mailman/listinfo/development
_______________________________________________ Development mailing list Development@lists.ipfire.org http://lists.ipfire.org/mailman/listinfo/development
_______________________________________________ Development mailing list Development@lists.ipfire.org http://lists.ipfire.org/mailman/listinfo/development