This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
  via 527078e439fc7376c3a7da3ae8551c853e99e2b7 (commit)
  via 69772b7dda05726077fa5c70e86f41169a91534f (commit)
  via ce46df9b83d15033156845e19e9a386e52a0a1cd (commit)
  via e263c29c929e69e345833f436d4958d88264020c (commit)
  via 91056adea5d6e203f41e7743443eb61ed2b885cf (commit)
  from 043e7aa50ff36e65eb0d6a341b09301ce25795f0 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 527078e439fc7376c3a7da3ae8551c853e99e2b7
Author: Michael Tremer michael.tremer@ipfire.org
Date: Wed Jun 12 17:25:13 2019 +0100
core134: Ship updated OpenSSL
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 69772b7dda05726077fa5c70e86f41169a91534f
Author: Peter Müller peter.mueller@ipfire.org
Date: Mon Jun 10 18:55:00 2019 +0000
OpenSSL: lower priority for CBC ciphers in default cipherlist
In order to avoid CBC ciphers as often as possible (they contain some known vulnerabilities), this changes the OpenSSL default ciphersuite to:
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(128) Mac=SHA256
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA256
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
CAMELLIA256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA256
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
CAMELLIA128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
Since TLS servers usually override the clients' preference with their own, this will neither break existing setups nor introduce huge differences in the wild. Unfortunately, CBC ciphers cannot be disabled at all, as they are still used by popular web sites.
TLS 1.3 ciphers will be added implicitly and can be omitted in the cipherstring. Chacha20/Poly1305 is preferred over AES-GCM due to missing AES-NI support for the majority of installations reporting to Fireinfo (see https://fireinfo.ipfire.org/processors for details, AES-NI support is 28.22% at the time of writing).
Signed-off-by: Peter Müller peter.mueller@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
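An added example (not part of the commit or of IPFire's code): a Python check that parses `openssl ciphers -v` output and reports where non-AEAD (CBC) suites sit relative to AEAD ones, which is the ordering the commit message above describes. The sample lines are a subset of the list quoted in that message, and the function names are assumptions of this example.

```python
"""Audit `openssl ciphers -v` output for AEAD-before-CBC ordering."""

# Subset of the cipher list quoted in the commit message, kept in the same
# relative order (selected for this example; not the complete list).
SAMPLE = """\
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
"""


def parse_ciphers(text):
    """Turn `openssl ciphers -v` lines into dicts, preserving preference order."""
    suites = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip blank or truncated lines
        attrs = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        suites.append({
            "name": fields[0],
            "proto": fields[1],
            "kx": attrs.get("Kx"),
            "au": attrs.get("Au"),
            "enc": attrs.get("Enc"),
            "mac": attrs.get("Mac"),
        })
    return suites


def aead_after_non_aead(suites, per_kx=True):
    """Names of AEAD suites ranked below a non-AEAD suite.

    per_kx=True compares only suites sharing a key exchange (the ordering
    this list follows); per_kx=False applies the stricter global rule.
    """
    seen_non_aead = set()
    late = []
    for s in suites:
        group = s["kx"] if per_kx else "*"
        if s["mac"] == "AEAD":
            if group in seen_non_aead:
                late.append(s["name"])
        else:
            seen_non_aead.add(group)
    return late


def summary(suites):
    """Facts a reviewer wants at a glance when auditing a default cipher list."""
    return {
        "total": len(suites),
        # 0-based rank of the first CBC/HMAC suite a peer could select
        "first_non_aead": next(
            (i for i, s in enumerate(suites) if s["mac"] != "AEAD"), None),
        # static RSA key exchange offers no forward secrecy
        "no_forward_secrecy": [s["name"] for s in suites if s["kx"] == "RSA"],
        "sha1_mac": [s["name"] for s in suites if s["mac"] == "SHA1"],
    }


if __name__ == "__main__":
    parsed = parse_ciphers(SAMPLE)
    print(summary(parsed))
    print("late within Kx:", aead_after_non_aead(parsed))
    print("late globally: ", aead_after_non_aead(parsed, per_kx=False))
```

On the real system the input would come from `openssl ciphers -v` instead of `SAMPLE`. The global check lists the DHE and static-RSA AEAD suites, showing that the list ranks key exchange above the AEAD/CBC distinction.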
commit ce46df9b83d15033156845e19e9a386e52a0a1cd
Author: Michael Tremer michael.tremer@ipfire.org
Date: Wed Jun 12 17:18:23 2019 +0100
Start Core Update 134
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e263c29c929e69e345833f436d4958d88264020c
Author: Michael Tremer michael.tremer@ipfire.org
Date: Wed Jun 12 17:14:28 2019 +0100
unbound: Make some zones type-transparent
If we remove other records (like MX) from the response, we won't be able to send mail to those hosts any more.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 91056adea5d6e203f41e7743443eb61ed2b885cf
Author: Michael Tremer michael.tremer@ipfire.org
Date: Wed Jun 12 17:11:32 2019 +0100
unbound: Add yandex.com to safe search feature
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
config/rootfiles/core/{133 => 134}/exclude | 0
config/rootfiles/{oldcore/113 => core/134}/filelists/files | 2 +-
.../{oldcore/100 => core/134}/filelists/i586/openssl-sse2 | 0
config/rootfiles/core/{133 => 134}/filelists/openssl | 0
config/rootfiles/{oldcore/130 => core/134}/update.sh | 9 ++-------
config/rootfiles/{core => oldcore}/133/exclude | 0
.../{core => oldcore}/133/filelists/aarch64/binutils | 0
config/rootfiles/{core => oldcore}/133/filelists/aarch64/gcc | 0
.../rootfiles/{core => oldcore}/133/filelists/aarch64/glibc | 0
.../{core => oldcore}/133/filelists/armv5tel/binutils | 0
.../rootfiles/{core => oldcore}/133/filelists/armv5tel/gcc | 0
.../rootfiles/{core => oldcore}/133/filelists/armv5tel/glibc | 0
config/rootfiles/{core => oldcore}/133/filelists/bind | 0
config/rootfiles/{core => oldcore}/133/filelists/files | 0
.../rootfiles/{core => oldcore}/133/filelists/i586/binutils | 0
config/rootfiles/{core => oldcore}/133/filelists/i586/gcc | 0
config/rootfiles/{core => oldcore}/133/filelists/i586/glibc | 0
.../rootfiles/{core => oldcore}/133/filelists/i586/hyperscan | 0
.../{core => oldcore}/133/filelists/ids-ruleset-sources | 0
config/rootfiles/{core => oldcore}/133/filelists/knot | 0
config/rootfiles/{core => oldcore}/133/filelists/openssl | 0
config/rootfiles/{core => oldcore}/133/filelists/pam | 0
config/rootfiles/{core => oldcore}/133/filelists/rrdtool | 0
config/rootfiles/{core => oldcore}/133/filelists/squid | 0
config/rootfiles/{core => oldcore}/133/filelists/strongswan | 0
config/rootfiles/{core => oldcore}/133/filelists/suricata | 0
.../rootfiles/{core => oldcore}/133/filelists/wpa_supplicant | 0
.../{core => oldcore}/133/filelists/x86_64/binutils | 0
config/rootfiles/{core => oldcore}/133/filelists/x86_64/gcc | 0
.../rootfiles/{core => oldcore}/133/filelists/x86_64/glibc | 0
.../{core => oldcore}/133/filelists/x86_64/hyperscan | 0
config/rootfiles/{core => oldcore}/133/update.sh | 0
lfs/openssl | 2 +-
make.sh | 2 +-
src/initscripts/system/unbound | 12 ++++++++----
...herlist.patch => openssl-1.1.1c-default-cipherlist.patch} | 8 ++++----
36 files changed, 17 insertions(+), 18 deletions(-)
copy config/rootfiles/core/{133 => 134}/exclude (100%)
copy config/rootfiles/{oldcore/113 => core/134}/filelists/files (66%)
copy config/rootfiles/{oldcore/100 => core/134}/filelists/i586/openssl-sse2 (100%)
copy config/rootfiles/core/{133 => 134}/filelists/openssl (100%)
copy config/rootfiles/{oldcore/130 => core/134}/update.sh (93%)
rename config/rootfiles/{core => oldcore}/133/exclude (100%)
rename config/rootfiles/{core => oldcore}/133/filelists/aarch64/binutils (100%)
rename config/rootfiles/{core => oldcore}/133/filelists/aarch64/gcc (100%)
rename config/rootfiles/{core => oldcore}/133/filelists/aarch64/glibc (100%)
rename config/rootfiles/{core => oldcore}/133/filelists/armv5tel/binutils (100%)
rename config/rootfiles/{core => oldcore}/133/filelists/armv5tel/gcc (100%)
rename config/rootfiles/{core => oldcore}/133/filelists/armv5tel/glibc (100%)
rename config/rootfiles/{core => oldcore}/133/filelists/bind (100%)
rename config/rootfiles/{core => oldcore}/133/filelists/files (100%)
rename config/rootfiles/{core => oldcore}/133/filelists/i586/binutils (100%)
rename config/rootfiles/{core => oldcore}/133/filelists/i586/gcc (100%)
rename config/rootfiles/{core => oldcore}/133/filelists/i586/glibc (100%)
rename config/rootfiles/{core => oldcore}/133/filelists/i586/hyperscan (100%)
rename config/rootfiles/{core => oldcore}/133/filelists/ids-ruleset-sources (100%)
rename config/rootfiles/{core => oldcore}/133/filelists/knot (100%)
rename config/rootfiles/{core => oldcore}/133/filelists/openssl (100%)
rename config/rootfiles/{core => oldcore}/133/filelists/pam (100%)
rename config/rootfiles/{core => oldcore}/133/filelists/rrdtool (100%)
rename config/rootfiles/{core => oldcore}/133/filelists/squid (100%)
rename config/rootfiles/{core => oldcore}/133/filelists/strongswan (100%)
rename config/rootfiles/{core => oldcore}/133/filelists/suricata (100%)
rename config/rootfiles/{core => oldcore}/133/filelists/wpa_supplicant (100%)
rename config/rootfiles/{core => oldcore}/133/filelists/x86_64/binutils (100%)
rename config/rootfiles/{core => oldcore}/133/filelists/x86_64/gcc (100%)
rename config/rootfiles/{core => oldcore}/133/filelists/x86_64/glibc (100%)
rename config/rootfiles/{core => oldcore}/133/filelists/x86_64/hyperscan (100%)
rename config/rootfiles/{core => oldcore}/133/update.sh (100%)
rename src/patches/{openssl-1.1.1a-default-cipherlist.patch => openssl-1.1.1c-default-cipherlist.patch} (66%)
Difference in files: diff --git a/config/rootfiles/core/133/exclude b/config/rootfiles/core/134/exclude similarity index 100% rename from config/rootfiles/core/133/exclude rename to config/rootfiles/core/134/exclude diff --git a/config/rootfiles/core/134/filelists/files b/config/rootfiles/core/134/filelists/files new file mode 100644 index 000000000..25ade1735 --- /dev/null +++ b/config/rootfiles/core/134/filelists/files @@ -0,0 +1,5 @@ +etc/system-release +etc/issue +etc/rc.d/init.d/unbound +srv/web/ipfire/cgi-bin/credits.cgi +var/ipfire/langs diff --git a/config/rootfiles/core/134/filelists/i586/openssl-sse2 b/config/rootfiles/core/134/filelists/i586/openssl-sse2 new file mode 120000 index 000000000..f424713d6 --- /dev/null +++ b/config/rootfiles/core/134/filelists/i586/openssl-sse2 @@ -0,0 +1 @@ +../../../../common/i586/openssl-sse2 \ No newline at end of file diff --git a/config/rootfiles/core/133/filelists/openssl b/config/rootfiles/core/134/filelists/openssl similarity index 100% rename from config/rootfiles/core/133/filelists/openssl rename to config/rootfiles/core/134/filelists/openssl diff --git a/config/rootfiles/core/134/update.sh b/config/rootfiles/core/134/update.sh new file mode 100644 index 000000000..30fe9c529 --- /dev/null +++ b/config/rootfiles/core/134/update.sh 
@@ -0,0 +1,60 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 3 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2019 IPFire-Team info@ipfire.org. # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +/usr/local/bin/backupctrl exclude >/dev/null 2>&1 + +core=134 + +# Remove old core updates from pakfire cache to save space... +for (( i=1; i<=$core; i++ )); do + rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire +done + +# Stop services + +# Extract files +extract_files + +# update linker config +ldconfig + +# Update Language cache +/usr/local/bin/update-lang-cache + +# Start services +/etc/init.d/unbound restart + +# Finish +/etc/init.d/fireinfo start +sendprofile + +# Update grub config to display new core version +if [ -e /boot/grub/grub.cfg ]; then + grub-mkconfig -o /boot/grub/grub.cfg +fi + +sync + +# Don't report the exitcode last command +exit 0 diff --git a/config/rootfiles/oldcore/133/exclude b/config/rootfiles/oldcore/133/exclude new file mode 100644 index 000000000..b22159878 --- /dev/null +++ b/config/rootfiles/oldcore/133/exclude 
@@ -0,0 +1,28 @@ +boot/config.txt +boot/grub/grub.cfg +boot/grub/grubenv +etc/alternatives +etc/collectd.custom +etc/default/grub +etc/ipsec.conf +etc/ipsec.secrets +etc/ipsec.user.conf +etc/ipsec.user.secrets +etc/localtime +etc/shadow +etc/snort/snort.conf +etc/ssl/openssl.cnf +etc/sudoers +etc/sysconfig/firewall.local +etc/sysconfig/rc.local +etc/udev/rules.d/30-persistent-network.rules +srv/web/ipfire/html/proxy.pac +var/ipfire/dma +var/ipfire/time +var/ipfire/ovpn +var/lib/alternatives +var/log/cache +var/log/dhcpcd.log +var/log/messages +var/state/dhcp/dhcpd.leases +var/updatecache diff --git a/config/rootfiles/core/133/filelists/aarch64/binutils b/config/rootfiles/oldcore/133/filelists/aarch64/binutils similarity index 100% rename from config/rootfiles/core/133/filelists/aarch64/binutils rename to config/rootfiles/oldcore/133/filelists/aarch64/binutils diff --git a/config/rootfiles/core/133/filelists/aarch64/gcc b/config/rootfiles/oldcore/133/filelists/aarch64/gcc similarity index 100% rename from config/rootfiles/core/133/filelists/aarch64/gcc rename to config/rootfiles/oldcore/133/filelists/aarch64/gcc diff --git a/config/rootfiles/core/133/filelists/aarch64/glibc b/config/rootfiles/oldcore/133/filelists/aarch64/glibc similarity index 100% rename from config/rootfiles/core/133/filelists/aarch64/glibc rename to config/rootfiles/oldcore/133/filelists/aarch64/glibc diff --git a/config/rootfiles/core/133/filelists/armv5tel/binutils b/config/rootfiles/oldcore/133/filelists/armv5tel/binutils similarity index 100% rename from config/rootfiles/core/133/filelists/armv5tel/binutils rename to config/rootfiles/oldcore/133/filelists/armv5tel/binutils diff --git a/config/rootfiles/core/133/filelists/armv5tel/gcc b/config/rootfiles/oldcore/133/filelists/armv5tel/gcc similarity index 100% rename from config/rootfiles/core/133/filelists/armv5tel/gcc rename to config/rootfiles/oldcore/133/filelists/armv5tel/gcc 
diff --git a/config/rootfiles/core/133/filelists/armv5tel/glibc b/config/rootfiles/oldcore/133/filelists/armv5tel/glibc similarity index 100% rename from config/rootfiles/core/133/filelists/armv5tel/glibc rename to config/rootfiles/oldcore/133/filelists/armv5tel/glibc diff --git a/config/rootfiles/core/133/filelists/bind b/config/rootfiles/oldcore/133/filelists/bind similarity index 100% rename from config/rootfiles/core/133/filelists/bind rename to config/rootfiles/oldcore/133/filelists/bind diff --git a/config/rootfiles/core/133/filelists/files b/config/rootfiles/oldcore/133/filelists/files similarity index 100% rename from config/rootfiles/core/133/filelists/files rename to config/rootfiles/oldcore/133/filelists/files diff --git a/config/rootfiles/core/133/filelists/i586/binutils b/config/rootfiles/oldcore/133/filelists/i586/binutils similarity index 100% rename from config/rootfiles/core/133/filelists/i586/binutils rename to config/rootfiles/oldcore/133/filelists/i586/binutils diff --git a/config/rootfiles/core/133/filelists/i586/gcc b/config/rootfiles/oldcore/133/filelists/i586/gcc similarity index 100% rename from config/rootfiles/core/133/filelists/i586/gcc rename to config/rootfiles/oldcore/133/filelists/i586/gcc diff --git a/config/rootfiles/core/133/filelists/i586/glibc b/config/rootfiles/oldcore/133/filelists/i586/glibc similarity index 100% rename from config/rootfiles/core/133/filelists/i586/glibc rename to config/rootfiles/oldcore/133/filelists/i586/glibc diff --git a/config/rootfiles/core/133/filelists/i586/hyperscan b/config/rootfiles/oldcore/133/filelists/i586/hyperscan similarity index 100% rename from config/rootfiles/core/133/filelists/i586/hyperscan rename to config/rootfiles/oldcore/133/filelists/i586/hyperscan 
diff --git a/config/rootfiles/core/133/filelists/ids-ruleset-sources b/config/rootfiles/oldcore/133/filelists/ids-ruleset-sources similarity index 100% rename from config/rootfiles/core/133/filelists/ids-ruleset-sources rename to config/rootfiles/oldcore/133/filelists/ids-ruleset-sources diff --git a/config/rootfiles/core/133/filelists/knot b/config/rootfiles/oldcore/133/filelists/knot similarity index 100% rename from config/rootfiles/core/133/filelists/knot rename to config/rootfiles/oldcore/133/filelists/knot diff --git a/config/rootfiles/oldcore/133/filelists/openssl b/config/rootfiles/oldcore/133/filelists/openssl new file mode 120000 index 000000000..e011a9266 --- /dev/null +++ b/config/rootfiles/oldcore/133/filelists/openssl @@ -0,0 +1 @@ +../../../common/openssl \ No newline at end of file diff --git a/config/rootfiles/core/133/filelists/pam b/config/rootfiles/oldcore/133/filelists/pam similarity index 100% rename from config/rootfiles/core/133/filelists/pam rename to config/rootfiles/oldcore/133/filelists/pam diff --git a/config/rootfiles/core/133/filelists/rrdtool b/config/rootfiles/oldcore/133/filelists/rrdtool similarity index 100% rename from config/rootfiles/core/133/filelists/rrdtool rename to config/rootfiles/oldcore/133/filelists/rrdtool diff --git a/config/rootfiles/core/133/filelists/squid b/config/rootfiles/oldcore/133/filelists/squid similarity index 100% rename from config/rootfiles/core/133/filelists/squid rename to config/rootfiles/oldcore/133/filelists/squid diff --git a/config/rootfiles/core/133/filelists/strongswan b/config/rootfiles/oldcore/133/filelists/strongswan similarity index 100% rename from config/rootfiles/core/133/filelists/strongswan rename to config/rootfiles/oldcore/133/filelists/strongswan 
diff --git a/config/rootfiles/core/133/filelists/suricata b/config/rootfiles/oldcore/133/filelists/suricata similarity index 100% rename from config/rootfiles/core/133/filelists/suricata rename to config/rootfiles/oldcore/133/filelists/suricata diff --git a/config/rootfiles/core/133/filelists/wpa_supplicant b/config/rootfiles/oldcore/133/filelists/wpa_supplicant similarity index 100% rename from config/rootfiles/core/133/filelists/wpa_supplicant rename to config/rootfiles/oldcore/133/filelists/wpa_supplicant diff --git a/config/rootfiles/core/133/filelists/x86_64/binutils b/config/rootfiles/oldcore/133/filelists/x86_64/binutils similarity index 100% rename from config/rootfiles/core/133/filelists/x86_64/binutils rename to config/rootfiles/oldcore/133/filelists/x86_64/binutils diff --git a/config/rootfiles/core/133/filelists/x86_64/gcc b/config/rootfiles/oldcore/133/filelists/x86_64/gcc similarity index 100% rename from config/rootfiles/core/133/filelists/x86_64/gcc rename to config/rootfiles/oldcore/133/filelists/x86_64/gcc diff --git a/config/rootfiles/core/133/filelists/x86_64/glibc b/config/rootfiles/oldcore/133/filelists/x86_64/glibc similarity index 100% rename from config/rootfiles/core/133/filelists/x86_64/glibc rename to config/rootfiles/oldcore/133/filelists/x86_64/glibc diff --git a/config/rootfiles/core/133/filelists/x86_64/hyperscan b/config/rootfiles/oldcore/133/filelists/x86_64/hyperscan similarity index 100% rename from config/rootfiles/core/133/filelists/x86_64/hyperscan rename to config/rootfiles/oldcore/133/filelists/x86_64/hyperscan diff --git a/config/rootfiles/core/133/update.sh b/config/rootfiles/oldcore/133/update.sh similarity index 100% rename from config/rootfiles/core/133/update.sh rename to config/rootfiles/oldcore/133/update.sh diff --git a/lfs/openssl b/lfs/openssl index 9f9e7a684..47bd4aff0 100644 --- a/lfs/openssl +++ b/lfs/openssl 
@@ -117,7 +117,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.1.1a-default-cipherlist.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.1.1c-default-cipherlist.patch
# Apply our CFLAGS cd $(DIR_APP) && sed -i Configure \ diff --git a/make.sh b/make.sh index cdf5bbed7..5b1e0ed99 100755 --- a/make.sh +++ b/make.sh @@ -26,7 +26,7 @@ NAME="IPFire" # Software name SNAME="ipfire" # Short name # If you update the version don't forget to update backupiso and add it to core update VERSION="2.23" # Version number -CORE="133" # Core Level (Filename) +CORE="134" # Core Level (Filename) PAKFIRE_CORE="133" # Core Level (PAKFIRE) GIT_BRANCH=`git rev-parse --abbrev-ref HEAD` # Git Branch SLOGAN="www.ipfire.org" # Software slogan diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound index e797079c4..34b3e06fd 100644 --- a/src/initscripts/system/unbound +++ b/src/initscripts/system/unbound @@ -711,13 +711,13 @@ write_safe_search_conf() { echo "server:"
# Bing - echo " local-zone: www.bing.com transparent" + echo " local-zone: bing.com transparent" for address in $(resolve "strict.bing.com"); do echo " local-data: "www.bing.com ${LOCAL_TTL} IN A ${address}"" done
# DuckDuckGo - echo " local-zone: duckduckgo.com transparent" + echo " local-zone: duckduckgo.com typetransparent" for address in $(resolve "safe.duckduckgo.com"); do echo " local-data: "duckduckgo.com ${LOCAL_TTL} IN A ${address}"" done @@ -733,8 +733,12 @@ write_safe_search_conf() { done
# Yandex - echo " local-zone: yandex.ru transparent" - echo " local-data: "yandex.ru A 213.180.193.56"" + for domain in yandex.com yandex.ru; do + echo " local-zone: ${domain} typetransparent" + for address in $(resolve "familysearch.${domain}"); do + echo " local-data: "${domain} ${LOCAL_TTL} IN A ${address}"" + done + done
# YouTube echo " local-zone: youtube.com transparent" diff --git a/src/patches/openssl-1.1.1a-default-cipherlist.patch b/src/patches/openssl-1.1.1c-default-cipherlist.patch similarity index 66% rename from src/patches/openssl-1.1.1a-default-cipherlist.patch rename to src/patches/openssl-1.1.1c-default-cipherlist.patch index dfe156bf5..72f6ce3b1 100644 --- a/src/patches/openssl-1.1.1a-default-cipherlist.patch +++ b/src/patches/openssl-1.1.1c-default-cipherlist.patch @@ -1,11 +1,12 @@ ---- openssl-1.1.1.orig/include/openssl/ssl.h 2018-09-11 14:48:23.000000000 +0200 -+++ openssl-1.1.1/include/openssl/ssl.h 2018-11-05 16:55:03.935513159 +0100 +diff -Naur openssl-1.1.1c.orig/include/openssl/ssl.h openssl-1.1.1c/include/openssl/ssl.h +--- openssl-1.1.1c.orig/include/openssl/ssl.h 2019-06-10 20:41:21.209140012 +0200 ++++ openssl-1.1.1c/include/openssl/ssl.h 2019-06-10 20:42:26.733973129 +0200 @@ -170,11 +170,11 @@ * an application-defined cipher list string starts with 'DEFAULT'. * This applies to ciphersuites for TLSv1.2 and below. */ -# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL" -+# define SSL_DEFAULT_CIPHER_LIST "TLSv1.3:CHACHA20:HIGH:+DH:+aRSA:+SHA:+kRSA:!aNULL:!eNULL:!SRP:!PSK:!DSS:!AESCCM" ++# define SSL_DEFAULT_CIPHER_LIST "CHACHA20:HIGH:+aRSA:+SHA384:+SHA256:+DH:+SHA:+kRSA:!eNULL:!aNULL:!PSK:!SRP:!AESCCM:!DSS" /* This is the default set of TLSv1.3 ciphersuites */ # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) -# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ @@ -15,4 +16,3 @@ "TLS_AES_128_GCM_SHA256" # else # define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ -
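Review bot: in config/rootfiles/core/134/update.sh the "# Stop services" section is empty and only unbound is restarted after extract_files, although this core update also carries filelists/openssl. Daemons that already have the previous libssl mapped keep using it until they are restarted, so either restart the TLS-using services here or make the update signal that a reboot is needed. The unconditional `exit 0` at the end also hides a failed extract_files or grub-mkconfig from the caller.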
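Review bot: in make.sh, CORE moves to "134" while PAKFIRE_CORE on the following line stays at "133". If the split is intentional while the core update is in development, a short comment next to PAKFIRE_CORE saying when it gets bumped would keep the two values from drifting unnoticed.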
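Review bot: in the first src/initscripts/system/unbound hunk (@@ -711,13 +711,13), DuckDuckGo switches to `typetransparent` while only A records are written as local-data, so AAAA queries for duckduckgo.com are now resolved upstream and dual-stack clients can reach the unfiltered address. Consider emitting AAAA local-data as well. In the same hunk the Bing zone is renamed to bing.com but stays `transparent` and its local-data is still written for www.bing.com; a comment explaining why Bing is treated differently from the zones made type-transparent would help.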
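Review bot: in the second src/initscripts/system/unbound hunk (@@ -733,8 +733,12), the Yandex block now depends on `resolve "familysearch.${domain}"` returning something when the configuration is written. If it returns nothing, the local-zone line is emitted without any local-data and the domain resolves normally, so safe search fails open with no message. Emit the zone only when at least one address came back, or log the failure.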
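Review bot: in src/patches/openssl-1.1.1c-default-cipherlist.patch the new SSL_DEFAULT_CIPHER_LIST demotes static RSA key exchange with `+kRSA` instead of excluding it, so suites without forward secrecy remain negotiable. The commit message explains why CBC has to stay but gives no reason for keeping kRSA. Either document the reason beside the define or use `!kRSA`.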
hooks/post-receive -- IPFire 2.x development tree