This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, core165 has been created at c55f5c8eaaa5b91a63765b1ac5fec4da8ce028fb (commit)
- Log -----------------------------------------------------------------
commit c55f5c8eaaa5b91a63765b1ac5fec4da8ce028fb
Author: Stefan Schantl <stefan.schantl@ipfire.org>
Date:   Wed Mar 23 18:08:52 2022 +0100
rules.pl: Fix creating rules for location based groups.
The formerly used hash value only contains the country code when a rule for a single country should be created.
In case a location group is used the hash value refers to the group name, which does not work here.
The required country code is part of the processed string and can be omitted from here. This works well for single codes and location groups, because those are processed in a loop.
Fixes #12809.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 26926c4d12793331cdf51d54a44ea3dfe4780dbf
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Wed Mar 23 11:18:34 2022 +0000
firewall: Fix placement of HOSTILE chains
They were mistakenly placed after the IPS chains in commit 7b529f5417254c68b6bd33732f30578182893d34, but should be placed after the connection tracking and before the IPS.
Fixes: #12815
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 38f5bc99125e41140d893baf327a9ac454ea0fa4
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Sun Mar 20 10:41:28 2022 +0000
libseccomp: Bump package version
Fixes: #12807
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 6b10e08aec961c14732271b17a03db1ba43c3f9e
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Wed Mar 16 16:01:50 2022 +0000
core165: Ship u-boot
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 4c5aba14f273c8ce1879518a52fd8dee0b13ae28
Author: Arne Fitzenreiter <arne_f@ipfire.org>
Date:   Sun Feb 27 09:07:39 2022 +0000
u-boot: add OrangePi Zero Plus (Allwinner H5)
This u-boot should also work with the NanoPi R1S H5.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 24e7c426de292e00fb482e1db2b8eb77e82a45ee
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Fri Mar 11 16:05:28 2022 +0000
samba: Update rootfile on aarch64
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 5e9cb98252313e91e3ca22816e61c3924672c98d
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Fri Mar 11 16:04:09 2022 +0000
stage2: Update rootfiles
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 5f3dc2ca06d31bc73006d93abc969b42876fb0e0
Author: Stefan Schantl <stefan.schantl@ipfire.org>
Date:   Tue Mar 15 19:24:02 2022 +0100
C165: Fix ownership of suricata classification.config file.
The file has to be writable for the WUI and the update script, which are both executed as nobody.
Fixes #12803.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit e41bb76cc34e17e165cecfbfcd8f974faed23bb7
Author: Stefan Schantl <stefan.schantl@ipfire.org>
Date:   Tue Mar 15 18:25:57 2022 +0100
ids-functions.pl: Skip deleted.rules files
These rulefiles are used by various providers as a kind of reference and to store rules which have been taken out for correctness or performance reasons, or for other reasons.
Fixes #12794.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 0dc98b19ee29348a869b74965e8eb7c15d6415ba
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Tue Mar 15 17:51:13 2022 +0000
openssl: Update to 1.1.1n
OpenSSL Security Advisory [15 March 2022]
========================================

Infinite loop in BN_mod_sqrt() reachable when parsing certificates (CVE-2022-0778)
==================================================================================
Severity: High
The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli.
Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form.
It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters.
Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters.
Thus vulnerable situations include:
- TLS clients consuming server certificates
- TLS servers consuming client certificates
- Hosting providers taking certificates or private keys from customers
- Certificate authorities parsing certification requests from subscribers
- Anything else which parses ASN.1 elliptic curve parameters
Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue.
In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature.
This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022.
OpenSSL 1.0.2 users should upgrade to 1.0.2zd (premium support customers only)
OpenSSL 1.1.1 users should upgrade to 1.1.1n
OpenSSL 3.0 users should upgrade to 3.0.2
This issue was reported to OpenSSL on the 24th February 2022 by Tavis Ormandy from Google. The fix was developed by David Benjamin from Google and Tomáš Mráz from OpenSSL.
Note
====
OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended support is available for premium support customers: https://www.openssl.org/support/contracts.html
OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind. It is affected by the issue.
Users of these versions should upgrade to OpenSSL 3.0 or 1.1.1.
References
==========
URL for this Security Advisory: https://www.openssl.org/news/secadv/20220315.txt
Note: the online version of the advisory may be updated with additional details over time.
For details of OpenSSL severity classifications please see: https://www.openssl.org/policies/secpolicy.html
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit ebe404ef020fc5091f5b9cee6e2617fc2e45d279
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Tue Mar 15 11:16:22 2022 +0000
core165: Ship IPS rule updater again and unlock IPS page
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 16cd2d674ef253f1882bf6793281a3eaa9c0aca4
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Mar 14 15:56:40 2022 +0000
core165: Rebuild IPS rules
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 41fda6cd14ef9c0a72910d296fc7399298125fa3
Author: Stefan Schantl <stefan.schantl@ipfire.org>
Date:   Sun Mar 13 20:27:25 2022 +0100
ids-functions.pl: No longer extract all rulefiles in the archive.
Only extract rulefiles which are located in a rules directory and/or in the archive root.
This prevents us from extracting experimental or binary rules etc. which often are located in corresponding sub-directories.
Reference: #12794.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
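The extraction policy described in this commit and in the earlier "Skip deleted.rules files" commit, as an added example. This is not IPFire's ids-functions.pl (which is Perl); it is illustrative Python written for this page. It assumes the ruleset arrives as a tar archive, that wanted files are flattened into one destination directory, and that any directory whose last component is named `rules` counts as a rules directory; the sample archive is constructed inline and is not a real provider download.

```python
import io
import os
import posixpath
import tarfile
import tempfile

# Reference files some providers ship to document rules they pulled; never loaded.
SKIPPED_BASENAMES = {"deleted.rules"}


def wanted_rulepath(name: str) -> bool:
    """Return True if an archive member path is a rule file we want.

    Accepted: paths ending in .rules that sit in the archive root or directly
    inside a directory called "rules" (any depth), excluding deleted.rules.
    Sub-directories such as rules/experimental, so_rules/, binaries, and
    absolute or parent-escaping paths are rejected.
    """
    name = posixpath.normpath(name)
    # Absolute paths and parent-directory escapes never qualify, so a hostile
    # archive cannot point outside the destination even before flattening.
    if posixpath.isabs(name) or name == ".." or name.startswith("../"):
        return False
    basename = posixpath.basename(name)
    if not basename.endswith(".rules") or basename in SKIPPED_BASENAMES:
        return False
    directory = posixpath.dirname(name)
    return directory == "" or posixpath.basename(directory) == "rules"


def wanted_rulefile(member: tarfile.TarInfo) -> bool:
    """Only regular files (not symlinks, devices or directories) are extracted."""
    return member.isfile() and wanted_rulepath(member.name)


def extract_rulefiles(archive: bytes, destdir: str) -> list[str]:
    """Extract the wanted rule files from a tar archive into destdir.

    Files are flattened into destdir by basename (assumption for this
    example); if two wanted members share a basename, the later one wins.
    Returns the sorted list of extracted basenames.
    """
    extracted = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for member in tar:
            if not wanted_rulefile(member):
                continue
            src = tar.extractfile(member)
            if src is None:
                continue
            target = os.path.join(destdir, posixpath.basename(member.name))
            with src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(posixpath.basename(member.name))
    return sorted(extracted)


def build_sample_archive() -> bytes:
    """Constructed sample of a provider ruleset tarball (not a real download)."""
    rule = b'alert ip any any -> any any (msg:"example"; sid:1000001; rev:1;)\n'
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:

        def add(name: str, data: bytes = rule) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add("emerging-malware.rules")                 # archive root: wanted
        add("rules/emerging-exploit.rules")           # rules directory: wanted
        add("rules/deleted.rules")                    # reference file: skipped
        add("rules/experimental/wip.rules")           # sub-directory: skipped
        add("so_rules/precompiled/x.so", b"\x7fELF")  # binary: skipped
        add("README.txt", b"see rules/\n")            # not a rule file: skipped
        add("../outside.rules")                       # traversal attempt: skipped
    return buf.getvalue()


def demo() -> list[str]:
    """Run the extraction against the sample archive in a scratch directory."""
    with tempfile.TemporaryDirectory() as destdir:
        return extract_rulefiles(build_sample_archive(), destdir)


if __name__ == "__main__":
    print(demo())  # ['emerging-exploit.rules', 'emerging-malware.rules']
```

The path check runs before any file is opened, so a member like `../outside.rules` is refused by policy rather than relying on the flattening step to neutralise it; keeping both is deliberate, since either one alone is a single point of failure.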
commit 12cd38896795836c3f4e2c8a661b2c36d444d89a
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Fri Mar 11 14:43:11 2022 +0000
firewall: Make blocking all traffic impossible on HOSTILE
The current setup can fail and block all traffic on RED if the RETURN rules could not be created.
This can happen when the kernel fails to load the ipset module, as is the case after upgrading to a new kernel. Restarting the firewall will then cause the system to be cut off from the internet.
This design now changes that if those rules cannot be created, the DROP_HOSTILE feature is just inactive, but it would not disrupt any traffic.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit fe6b15f843cfbfe7ba84faa35c87fce2c2470235
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Thu Mar 10 10:35:44 2022 +0000
core165: Actually ship the core files
This filelist is there to ship files that contain the version number of a release and *must* be shipped every time. For that, they will need to be a part of the filelist.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 817f4c1410c2c2f75ca340ff317e75910ac54f27
Merge: ead01caeb eb41bf304
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Thu Mar 10 10:27:51 2022 +0000
Merge branch 'next'
-----------------------------------------------------------------------
hooks/post-receive -- IPFire 2.x development tree