This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  505b886d0d8cbe5448a9998ff88c6636b8e50245 (commit)
       via  d5fe33228311d47490536bee370297a7c735f9d6 (commit)
       via  65ae069c213a7fcd36d7857b15d863804984948d (commit)
       via  fd0a0384f07b399e9cb4cf46b4c5722b809ffe6a (commit)
      from  3da2a66193ce8e3f92d3c29be95a4076a4fa0274 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 505b886d0d8cbe5448a9998ff88c6636b8e50245
Author: Michael Tremer michael.tremer@ipfire.org
Date: Sun Sep 9 17:48:14 2018 +0100
core124: Apply changed sysctl.conf
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit d5fe33228311d47490536bee370297a7c735f9d6
Author: Peter Müller peter.mueller@link38.eu
Date: Thu Aug 16 17:29:58 2018 +0200
do not expose kernel address spaces even to privileged users
Change this setting from 1 to 2 so kernel addresses are not displayed even if a user has CAPS_SYSLOG privileges.
See also:
- https://lwn.net/Articles/420403/
- https://tails.boum.org/contribute/design/kernel_hardening/
Signed-off-by: Peter Müller peter.mueller@link38.eu
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 65ae069c213a7fcd36d7857b15d863804984948d
Author: Michael Tremer michael.tremer@ipfire.org
Date: Sun Sep 9 17:43:53 2018 +0100
core124: Ship updated rng-tools
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit fd0a0384f07b399e9cb4cf46b4c5722b809ffe6a
Author: Michael Tremer michael.tremer@ipfire.org
Date: Sun Sep 9 17:42:17 2018 +0100
rng-tools: Update to 6.4
Also add a patch that keeps RDRAND enabled on i586
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
Fixes: #11853
-----------------------------------------------------------------------
Summary of changes:
 config/etc/sysctl.conf | 2 +-
 config/rootfiles/core/124/filelists/files | 1 +
 .../{oldcore/121 => core/124}/filelists/rng-tools | 0
 config/rootfiles/core/124/update.sh | 4 +++
 lfs/rng-tools | 5 ++--
 .../rng-tools-6-Enable-RDRAND-for-i586-too.patch | 35 ++++++++++++++++++++++
 6 files changed, 44 insertions(+), 3 deletions(-)
 copy config/rootfiles/{oldcore/121 => core/124}/filelists/rng-tools (100%)
 create mode 100644 src/patches/rng-tools-6-Enable-RDRAND-for-i586-too.patch
Difference in files: diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index 011c4287e..345f8f52a 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -44,7 +44,7 @@ net.bridge.bridge-nf-call-iptables = 0 net.bridge.bridge-nf-call-arptables = 0
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). -kernel.kptr_restrict = 1 +kernel.kptr_restrict = 2
# Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict = 1 diff --git a/config/rootfiles/core/124/filelists/files b/config/rootfiles/core/124/filelists/files index 320d2808d..823355f2b 100644 --- a/config/rootfiles/core/124/filelists/files +++ b/config/rootfiles/core/124/filelists/files @@ -4,6 +4,7 @@ etc/rc.d/helper/aws-setup etc/rc.d/init.d/aws etc/rc.d/init.d/localnet etc/rc.d/init.d/partresize +etc/sysctl.conf opt/pakfire/lib/functions.pl opt/pakfire/pakfire srv/web/ipfire/cgi-bin/firewall.cgi diff --git a/config/rootfiles/core/124/filelists/rng-tools b/config/rootfiles/core/124/filelists/rng-tools new file mode 120000 index 000000000..a7853e41b --- /dev/null +++ b/config/rootfiles/core/124/filelists/rng-tools @@ -0,0 +1 @@ +../../../common/rng-tools \ No newline at end of file diff --git a/config/rootfiles/core/124/update.sh b/config/rootfiles/core/124/update.sh index 471667a12..80eca4ceb 100644 --- a/config/rootfiles/core/124/update.sh +++ b/config/rootfiles/core/124/update.sh @@ -48,8 +48,12 @@ ldconfig /usr/local/bin/update-lang-cache
# Start services +/etc/init.d/rngd restart /etc/init.d/ntp restart
+# Reload sysctl.conf +sysctl -p + # Remove deprecated GRUB configuration option if [ -e "/etc/default/grub" ]; then sed -e "/^GRUB_FONT/d" -i /etc/default/grub diff --git a/lfs/rng-tools b/lfs/rng-tools index c7a358e56..dc87a3406 100644 --- a/lfs/rng-tools +++ b/lfs/rng-tools @@ -24,7 +24,7 @@
include Config
-VER = 6.3.1 +VER = 6.4
THISAPP = rng-tools-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = fe2d38e39ff02d0c7b3585407d51dc64 +$(DL_FILE)_MD5 = 52a8243858503f94eecd4ae0983a9818
install : $(TARGET)
@@ -70,6 +70,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/rng-tools-6-Enable-RDRAND-for-i586-too.patch cd $(DIR_APP) && ./autogen.sh cd $(DIR_APP) && ./configure --prefix=/usr cd $(DIR_APP) && make $(MAKETUNING) $(EXTRA_MAKE) diff --git a/src/patches/rng-tools-6-Enable-RDRAND-for-i586-too.patch b/src/patches/rng-tools-6-Enable-RDRAND-for-i586-too.patch new file mode 100644 index 000000000..7d45bd0b8 --- /dev/null +++ b/src/patches/rng-tools-6-Enable-RDRAND-for-i586-too.patch 
@@ -0,0 +1,35 @@ +From 1f023b49959aa58246e6bb7091ba7710116f6915 Mon Sep 17 00:00:00 2001 +From: Michael Tremer michael.tremer@ipfire.org +Date: Sun, 9 Sep 2018 17:29:15 +0100 +Subject: [PATCH] Enable RDRAND for i586, too + +IPFire is being compiled for i586 omitting some instructions +for i686. However, RDRAND is available on some systems and +can of course be used. + +Signed-off-by: Michael Tremer michael.tremer@ipfire.org + +Pull request sent: https://github.com/nhorman/rng-tools/pull/31 + +--- + configure.ac | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/configure.ac b/configure.ac +index faba7cc9857e..716175328ff6 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -53,8 +53,8 @@ AC_CHECK_TOOLS([AR], [ar gar], :) + + AX_PTHREAD + +-AM_CONDITIONAL([RDRAND], [test $target_cpu = x86_64 -o $target_cpu = i686]) +-AS_IF([test $target_cpu = x86_64 -o $target_cpu = i686], [AC_DEFINE([HAVE_RDRAND],1,[Enable RDRAND])],[]) ++AM_CONDITIONAL([RDRAND], [test $target_cpu = x86_64 -o $target_cpu = i686 -o $target_cpu = i586]) ++AS_IF([test $target_cpu = x86_64 -o $target_cpu = i686 -o $target_cpu = i586], [AC_DEFINE([HAVE_RDRAND],1,[Enable RDRAND])],[]) + + AM_CONDITIONAL([DARN], [test $target_cpu = powerpc64le]) + AS_IF([test $target_cpu = powerpc64le], [AC_DEFINE([HAVE_DARN],1,[Enable DARN])],[]) +-- +2.17.1 +
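Review bot: In config/etc/sysctl.conf, the comment above kernel.kptr_restrict still reads "Try to keep kernel address exposures out of various /proc files" and does not say why the value is now 2 rather than 1. Suggest extending it to state that 2 hides kernel pointers printed with %pK from every user regardless of privileges, whereas 1 still shows them to holders of CAP_SYSLOG, so that a later editor does not lower it again and anyone reading /proc/kallsyms as root knows why the addresses appear as zeros.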
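Review bot: In config/rootfiles/core/124/update.sh, the added `sysctl -p` re-applies every key in /etc/sysctl.conf and its result is not checked. The same file sets net.bridge.bridge-nf-call-iptables and net.bridge.bridge-nf-call-arptables, which only exist while the bridge netfilter code is loaded, so the reload can print errors on systems without it, and nothing confirms that the new value took effect. Consider following it with a check such as `sysctl -n kernel.kptr_restrict` and logging when the result is not 2, or setting only the changed key with `sysctl -w kernel.kptr_restrict=2`.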
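Review bot: In lfs/rng-tools, the 6.4 tarball is pinned only by `$(DL_FILE)_MD5`, and MD5 no longer resists collisions, so it catches a corrupted download but is weak protection against a substituted one. If the build system can carry a stronger digest, record one with this version bump. Separately, the new `patch -Np1` line has no comment; add one pointing to the upstream pull request named in the patch header so the local patch is dropped once upstream carries the change.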
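Review bot: In the configure.ac hunk of rng-tools-6-Enable-RDRAND-for-i586-too.patch, HAVE_RDRAND becomes a compile-time define for every i586 target, while the patch description says RDRAND is available only on some of those systems. Please state in the description that rngd probes the CPU at run time before using the instruction and that the RDRAND source builds with the i586 compiler flags, since neither is visible in this hunk. As a style point, the CPU list is now repeated in both the AM_CONDITIONAL and AS_IF lines with an unquoted `$target_cpu`; evaluating it once into a shell variable and testing that variable in both places would keep the two lists from drifting apart.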
hooks/post-receive -- IPFire 2.x development tree