This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  b5fe050fce03a7ee2547a1162452c8211d2eea8d (commit)
       via  07002f2bca7efd49d8baea0dadf193a29f27604b (commit)
       via  abd12bd073dd0be74d97e2f204027f2a4346549a (commit)
       via  3d5c499e0ca73c9a787815b8894d6cfcb0416a1b (commit)
       via  f3dfb261c8c78f7806bcf215646f9d3618d151f5 (commit)
       via  7090074557516deaaff9b1a84f4f8beec6c4dadd (commit)
      from  0e8f275e80d8ad517019f7c0f8349a5a16ea9f1b (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit b5fe050fce03a7ee2547a1162452c8211d2eea8d
Author: Matthias Fischer matthias.fischer@ipfire.org
Date: Mon Apr 24 20:56:29 2017 +0200
unbound: Update to 1.6.2
For details see: http://www.unbound.net/download.html
Best, Matthias
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org

commit 07002f2bca7efd49d8baea0dadf193a29f27604b
Author: Matthias Fischer matthias.fischer@ipfire.org
Date: Tue Apr 25 21:08:32 2017 +0200
bind: Update to 9.11.1
For details see: https://ftp.isc.org/isc/bind9/9.11.1/RELEASE-NOTES-bind-9.11.1.html
"Security Fixes
rndc "" could trigger an assertion failure in named. This flaw is disclosed in (CVE-2017-3138). [RT #44924]
Some chaining (i.e., type CNAME or DNAME) responses to upstream queries could trigger assertion failures. This flaw is disclosed in CVE-2017-3137. [RT #44734]
dns64 with break-dnssec yes; can result in an assertion failure. This flaw is disclosed in CVE-2017-3136. [RT #44653]
If a server is configured with a response policy zone (RPZ) that rewrites an answer with local data, and is also configured for DNS64 address mapping, a NULL pointer can be read triggering a server crash. This flaw is disclosed in CVE-2017-3135. [RT #44434]
A coding error in the nxdomain-redirect feature could lead to an assertion failure if the redirection namespace was served from a local authoritative data source such as a local zone or a DLZ instead of via recursive lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837]
named could mishandle authority sections with missing RRSIGs, triggering an assertion failure. This flaw is disclosed in CVE-2016-9444. [RT #43632]
named mishandled some responses where covering RRSIG records were returned without the requested data, resulting in an assertion failure. This flaw is disclosed in CVE-2016-9147. [RT #43548]
named incorrectly tried to cache TKEY records which could trigger an assertion failure when there was a class mismatch. This flaw is disclosed in CVE-2016-9131. [RT #43522]
It was possible to trigger assertions when processing responses containing answers of type DNAME. This flaw is disclosed in CVE-2016-8864. [RT #43465]
Added the ability to specify the maximum number of records permitted in a zone (max-records #;). This provides a mechanism to block overly large zone transfers, which is a potential risk with slave zones from other parties, as described in CVE-2016-6170. [RT #42143]
Bug Fixes
A synthesized CNAME record appearing in a response before the associated DNAME could be cached, when it should not have been. This was a regression introduced while addressing CVE-2016-8864. [RT #44318]
named could deadlock if multiple changes to NSEC/NSEC3 parameters for the same zone were being processed at the same time. [RT #42770]
named could trigger an assertion when sending NOTIFY messages. [RT #44019]
Referencing a nonexistent zone in a response-policy statement could cause an assertion failure during configuration. [RT #43787]
rndc addzone could cause a crash when attempting to add a zone with a type other than master or slave. Such zones are now rejected. [RT #43665]
named could hang when encountering log file names with large apparent gaps in version number (for example, when files exist called "logfile.0", "logfile.1", and "logfile.1482954169"). This is now handled correctly. [RT #38688]
If a zone was updated while named was processing a query for nonexistent data, it could return out-of-sync NSEC3 records causing potential DNSSEC validation failure. [RT #43247]"
Best, Matthias
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org

commit abd12bd073dd0be74d97e2f204027f2a4346549a
Author: Matthias Fischer matthias.fischer@ipfire.org
Date: Tue Apr 25 21:13:17 2017 +0200
nano: Update to 2.8.1
For details see: https://www.nano-editor.org/news.php
Best, Matthias
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org

commit 3d5c499e0ca73c9a787815b8894d6cfcb0416a1b
Author: Matthias Fischer matthias.fischer@ipfire.org
Date: Fri Apr 28 08:17:33 2017 +0200
logrotate: Update to 3.12.1
For details see: https://github.com/logrotate/logrotate/blob/master/ChangeLog.md
Best, Matthias
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org

commit f3dfb261c8c78f7806bcf215646f9d3618d151f5
Author: Michael Tremer michael.tremer@ipfire.org
Date: Fri Apr 28 13:03:46 2017 +0100
OpenVPN: Mark SHA1 as weak
Signed-off-by: Michael Tremer michael.tremer@ipfire.org

commit 7090074557516deaaff9b1a84f4f8beec6c4dadd
Author: Michael Tremer michael.tremer@ipfire.org
Date: Fri Apr 28 13:01:41 2017 +0100
OpenVPN: Use SHA512 by default
This will break compatibility with old clients like Windows XP, but these are too old now to be supported.
SHA1 is considered to be weak and should not be used any more
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/rootfiles/common/logrotate |  4 ++--
 config/rootfiles/common/unbound   |  2 +-
 config/rootfiles/packages/nano    |  3 ++-
 html/cgi-bin/ovpnmain.cgi         | 10 +++++-----
 lfs/bind                          |  4 ++--
 lfs/logrotate                     | 12 ++++++++----
 lfs/nano                          | 10 +++++-----
 lfs/unbound                       |  4 ++--
 8 files changed, 27 insertions(+), 22 deletions(-)
Difference in files: diff --git a/config/rootfiles/common/logrotate b/config/rootfiles/common/logrotate index 8ef728c..0583525 100644 --- a/config/rootfiles/common/logrotate +++ b/config/rootfiles/common/logrotate @@ -1,6 +1,6 @@ #etc/logrotate.d etc/logrotate.d/.empty -#usr/man/man5/logrotate.conf.5 -#usr/man/man8/logrotate.8 usr/sbin/logrotate +#usr/share/man/man5/logrotate.conf.5 +#usr/share/man/man8/logrotate.8 var/lib/logrotate.status diff --git a/config/rootfiles/common/unbound b/config/rootfiles/common/unbound index 824567e..c626fd6 100644 --- a/config/rootfiles/common/unbound +++ b/config/rootfiles/common/unbound @@ -11,7 +11,7 @@ etc/unbound/unbound.conf #usr/lib/libunbound.la #usr/lib/libunbound.so usr/lib/libunbound.so.2 -usr/lib/libunbound.so.2.4.4 +usr/lib/libunbound.so.2.5.1 usr/sbin/unbound usr/sbin/unbound-anchor usr/sbin/unbound-checkconf diff --git a/config/rootfiles/packages/nano b/config/rootfiles/packages/nano index f8171b4..0e9341d 100644 --- a/config/rootfiles/packages/nano +++ b/config/rootfiles/packages/nano @@ -1,11 +1,12 @@ #etc/nano -etc/nano/nanorc.sample +etc/nano/sample.nanorc usr/bin/nano usr/bin/pico usr/bin/rnano #usr/share/doc/nano #usr/share/doc/nano/faq.html #usr/share/doc/nano/nano.1.html +#usr/share/doc/nano/nano.html #usr/share/doc/nano/nanorc.5.html #usr/share/doc/nano/rnano.1.html #usr/share/info/nano.info diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 037894d..d46a14e 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -2631,7 +2631,7 @@ ADV_ERROR: $cgiparams{'PMTU_DISCOVERY'} = 'off'; } if ($cgiparams{'DAUTH'} eq '') { - $cgiparams{'DAUTH'} = 'SHA1'; + $cgiparams{'DAUTH'} = 'SHA512'; } if ($cgiparams{'TLSAUTH'} eq '') { $cgiparams{'TLSAUTH'} = 'off'; 
@@ -2821,7 +2821,7 @@ print <<END; <option value='SHA512' $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option> <option value='SHA384' $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option> <option value='SHA256' $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option> - <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'})</option> + <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> </select> </td> <td>$Lang::tr{'openvpn default'}: <span class="base">SHA1 (160 $Lang::tr{'bit'})</span></td> @@ -4454,7 +4454,7 @@ if ($cgiparams{'TYPE'} eq 'net') { $cgiparams{'MSSFIX'} = 'on'; $cgiparams{'FRAGMENT'} = '1300'; $cgiparams{'PMTU_DISCOVERY'} = 'off'; - $cgiparams{'DAUTH'} = 'SHA1'; + $cgiparams{'DAUTH'} = 'SHA512'; ### # m.a.d n2n end ### @@ -4705,7 +4705,7 @@ if ($cgiparams{'TYPE'} eq 'net') { <option value='SHA512' $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option> <option value='SHA384' $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option> <option value='SHA256' $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option> - <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'} Default)</option> + <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> </select> </td> </tr> @@ -5037,7 +5037,7 @@ END $cgiparams{'MSSFIX'} = 'off'; } if ($cgiparams{'DAUTH'} eq '') { - $cgiparams{'DAUTH'} = 'SHA1'; + $cgiparams{'DAUTH'} = 'SHA512'; } if ($cgiparams{'DOVPN_SUBNET'} eq '') { $cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0'; diff --git a/lfs/bind b/lfs/bind index ea6fb83..1269e41 100644 --- a/lfs/bind +++ b/lfs/bind @@ -25,7 +25,7 @@
include Config
-VER = 9.11.0-P5 +VER = 9.11.1
THISAPP = bind-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -43,7 +43,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 3e1e525fc640308316cdf98cd29cfa11 +$(DL_FILE)_MD5 = c384ab071d902bac13487c1268e5a32f
install : $(TARGET)
diff --git a/lfs/logrotate b/lfs/logrotate index 0d50103..476f146 100644 --- a/lfs/logrotate +++ b/lfs/logrotate @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2016 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2017 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,10 +24,10 @@
include Config
-VER = 3.9.1 +VER = 3.12.1
THISAPP = logrotate-$(VER) -DL_FILE = logrotate_$(VER).orig.tar.gz +DL_FILE = logrotate-$(VER).tar.gz DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 4492b145b6d542e4a2f41e77fa199ab0 +$(DL_FILE)_MD5 = 066b49891bad2849d5044c1952613ea6
install : $(TARGET)
@@ -70,6 +70,10 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + + cd $(DIR_APP) && ./autogen.sh + cd $(DIR_APP) && ./configure --prefix=/usr + cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install mkdir -pv /etc/logrotate.d diff --git a/lfs/nano b/lfs/nano index 2ecb1a5..34e8444 100644 --- a/lfs/nano +++ b/lfs/nano @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2016 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2017 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 2.7.3 +VER = 2.8.1
THISAPP = nano-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = nano -PAK_VER = 14 +PAK_VER = 15
DEPS = ""
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 007ba6321212d3ec38f46236465b6ea8 +$(DL_FILE)_MD5 = 0dec96d839657e7f1a8396d7dbb19c07
install : $(TARGET)
@@ -87,7 +87,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install - cd $(DIR_APP) && install -v -m644 -D doc/nanorc.sample /etc/nano/nanorc.sample + cd $(DIR_APP) && install -v -m644 -D doc/sample.nanorc /etc/nano/sample.nanorc ln -sf /usr/bin/nano /usr/bin/pico @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/lfs/unbound b/lfs/unbound index d78bd95..c40f0ad 100644 --- a/lfs/unbound +++ b/lfs/unbound @@ -24,7 +24,7 @@
include Config
-VER = 1.6.1 +VER = 1.6.2
THISAPP = unbound-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = aa808f33d94a36c9312d1b8ad8805e14 +$(DL_FILE)_MD5 = 5a5d0cdf7164957ff2e7498db1758f01
install : $(TARGET)
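Review bot: In html/cgi-bin/ovpnmain.cgi at -2631 (and the identical hunk at -5037), the fallback `if ($cgiparams{'DAUTH'} eq '') { $cgiparams{'DAUTH'} = 'SHA512'; }` fires whenever the stored value is empty, not only for newly created setups. If an existing server configuration has no DAUTH saved, it would move from SHA1 to SHA512 the next time this path runs, while client configurations that were already handed out still carry the old digest, and the HMAC digest has to match on both ends. The commit message mentions old clients such as Windows XP, but not existing deployments; either apply the new default only when a configuration is first created, or state in the commit message and release notes that clients need their configuration re-exported.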
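Review bot: In html/cgi-bin/ovpnmain.cgi at -2821, the SHA1 option is now labelled weak, but the unchanged context line directly below it still presents SHA1 as the default: `<td>$Lang::tr{'openvpn default'}: <span class="base">SHA1 (160 $Lang::tr{'bit'})</span></td>`. Next to a form whose own fallback is now SHA512 this reads as a recommendation for the weak digest; reword the hint so it is clearly about the upstream default, or drop it. The summary of changes lists no language file, so please also confirm that `$Lang::tr{'vpn weak'}` is already defined, otherwise the option text ends in a comma followed by an empty string.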
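Review bot: In html/cgi-bin/ovpnmain.cgi at -4705, the word "Default" is removed from the SHA1 option of the net-to-net form, but the SHA512 option above it, which the hunk at -4454 now sets as the net-to-net default, gets no marker. The form no longer tells the administrator which digest a new connection will use; move the marker to the SHA512 line, preferably through a `$Lang::tr{...}` entry instead of the hard-coded English word that was there before.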
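Review bot: In lfs/bind at -43, the new source tarball is pinned only by an MD5 digest, `$(DL_FILE)_MD5 = c384ab071d902bac13487c1268e5a32f`, and the same is true of the logrotate, nano and unbound hunks. MD5 does not resist collisions, so this line detects a corrupted download but is weak evidence that the mirrored file is the one upstream released, which matters most for a network-facing daemon update that closes several CVEs. Please verify the upstream signature before the tarball is placed on the mirror behind `$(DL_FROM)`, and consider adding a stronger digest next to the `_MD5` variable; it sits oddly beside a commit in the same push that marks SHA1 as weak.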
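Review bot: In lfs/logrotate at -70, the build recipe gains `./autogen.sh` and `./configure --prefix=/usr`, and the hunk at -24 switches `DL_FILE` from `logrotate_$(VER).orig.tar.gz` to `logrotate-$(VER).tar.gz`, yet the commit message only says "Update to 3.12.1". Please document the move to an autotools build and the new tarball source in the commit message, since it also explains why the man pages move to usr/share/man in config/rootfiles/common/logrotate. If the tarball already ships a generated configure script, drop the `./autogen.sh` step so the result does not depend on the autotools versions present on the build host. The empty added line before the first `cd $(DIR_APP)` can go as well.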
hooks/post-receive -- IPFire 2.x development tree