This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, core120 has been created at 36600cef36577ca36d4349bc7658a68234311ea2 (commit)
- Log -----------------------------------------------------------------
commit 36600cef36577ca36d4349bc7658a68234311ea2 Merge: 6a8b2ef97 7eb86ee39 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Mar 30 09:35:28 2018 +0200
Merge branch 'core119' into next
commit 6a8b2ef9772b58406f9e9b073e68dcf71eabb327 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Mar 30 09:25:06 2018 +0200
core120: set pakfire version to 120
Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
commit f7e9c14842dee00529df1e4a30f46255a1ed37e4 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Mar 29 13:49:44 2018 +0100
Rootfile update
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 4b072d640efde44017aeceb66d816ea59639be46 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Mar 28 16:55:18 2018 +0100
pakfire: Use upstream proxy for HTTPS, too
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 66a0f3646ad2b1da568282464b9a63479c8b45d9 Author: Peter Müller peter.mueller@link38.eu Date: Wed Mar 28 05:41:50 2018 +0200
use protocol defined in server-list.db for mirror communication
For each mirror server, a protocol can be specified in the server-list.db database. However, it was not used for the actual URL query to a mirror before.
This might be useful for deploying HTTPS pinning for Pakfire. If a mirror is known to support HTTPS, all queries to it will be made with this protocol.
This saves some overhead if HTTPS is enforced on a mirror via 301 redirects. To enable this, the server-list.db needs to be adjusted.
The second version of this patch only handles protocols HTTP and HTTPS, since we do not expect anything else here at the moment.
Partially fixes #11661.
Signed-off-by: Peter Müller peter.mueller@link38.eu Cc: Michael Tremer michael.tremer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 9f0999325dec7ffbcf8b18b846fbf6a8a6c5780f Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Mar 28 16:39:35 2018 +0100
unbound: Fix crash on startup
Zone names should not be terminated with a dot.
Fixes: #11689
Reported-by: Pontus Larsson pontuslarsson51@yahoo.se Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit d97f43b309b7c041498189b231b7507627a194c6 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Mar 28 11:22:06 2018 +0100
Rootfile update for curl
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit d9e656bb82542b2ef379563c02d642c3394f1c1c Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Mar 27 20:56:31 2018 +0100
asterisk: Ship documentation
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit d3cd99830a8554e8f9b4df314210cef82ef69376 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Mar 27 20:53:31 2018 +0100
fetchmail: Permit building without SSLv3
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 76f422025ffe1baed977b5c8e1f072e5981e46ff Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Mar 27 16:05:07 2018 +0100
openssl: Update to 1.0.2o
CVE-2018-0739 (OpenSSL advisory) [Moderate severity] 27 March 2018:
Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Reported by OSS-fuzz.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 166ceacd6b375bc97eed722012a0f1fffd5a15e1 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Mar 27 15:59:04 2018 +0100
openssl: Update to 1.1.0h
CVE-2018-0739 (OpenSSL advisory) [Moderate severity] 27 March 2018:
Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Reported by OSS-fuzz.
This patch also entirely removes support for SSLv3. The patch to disable it didn't apply and since nobody has been using this before, we will not compile it into OpenSSL any more.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c98304604bfed3b29bb384ab0999596644573f2c Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 26 19:04:41 2018 +0100
core120: Ship updated QoS script and gnupg
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit be7878d5c92600e7d316a86b18a77819734b62a0 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Mon Mar 26 19:50:30 2018 +0200
Fix typo in 'makeqosscripts.pl'
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit dd48a7aac8088ef706d2299bc5b473e9389ba2a2 Author: Peter Müller peter.mueller@link38.eu Date: Sat Mar 24 16:45:02 2018 +0100
curl: update to 7.59.0
Update curl to 7.59.0 which fixes a number of bugs and some minor security issues.
Signed-off-by: Peter Müller peter.mueller@link38.eu Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 689fed340aab91240b51bf4da1daf0a606290ac1 Author: Peter Müller peter.mueller@link38.eu Date: Sat Mar 24 16:32:53 2018 +0100
gnupg: update to 1.4.22
Update GnuPG to 1.4.22, which fixes some security vulnerabilities, such as the memory side channel attack CVE-2017-7526.
Signed-off-by: Peter Müller peter.mueller@link38.eu Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit dfdfafc7af57b5088279680098408df823516703 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Mar 20 20:36:15 2018 +0000
core120: Ship updated vnstat
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit a05af852c5f2266151479c9424a9b36243fb1c79 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Tue Mar 20 20:46:52 2018 +0100
vnstat: Update to 1.18
For details see: https://humdi.net/vnstat/CHANGES
Changed "SaveInterval 5" to "SaveInterval 1" in '/etc/vnstat.conf', triggered by https://forum.ipfire.org/viewtopic.php?f=22&t=20448 to avoid data loss with 1Gbit connections and high traffic.
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e7ea357cecf5e069dd4fb4e5cd6099d8e5b7d9a4 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Mar 20 11:08:58 2018 +0000
Forgot to "git add" the new pakfire init script
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 42deeb3b450c74138dfb76d9d45d4588a5271887 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 19 19:45:24 2018 +0000
Revert "installer: Import the Pakfire key at install time"
This reverts commit 7d995c9f56055f39e559bd6e355a9a1689585c6d.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit eb68e27dd27b538d84c8382389f83f1a57ba59e7 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 19 19:44:50 2018 +0000
pakfire: Import key when system boots up
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 5876642d175609919d2f43892deec822d650bdf0 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 19 18:07:49 2018 +0000
ffmpeg: Ship libraries correctly
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 27ef66c26c480542f0ea60d85302da5ada0f0648 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Sun Mar 18 17:32:43 2018 +0100
hdparm: Update to 9.55
Changelogs against 9.53:
"hdparm-9.55:
- added #include <sys/sysmacros.h> for major()/minor() macros
hdparm-9.54:
- Partial revert of Jmicron changes, from Jan Friesse."
Best, Matthias
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 71e5a29c8123014a8b740c3a99a83742a19019fa Author: Matthias Fischer matthias.fischer@ipfire.org Date: Sun Mar 18 17:40:47 2018 +0100
dmidecode 3.1: Added patch (Fix firmware version of TPM device)
For details see: http://git.savannah.gnu.org/cgit/dmidecode.git/commit/?id=174387405e98cd94c6...
"Both the operator (detected by clang, reported by Xorg) and the mask for the minor firmware version field of TPM devices were wrong."
Best, Matthias
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 35cdaa194ac5d2abfc0a93f60ed99aab07be9ce3 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 19 11:52:26 2018 +0000
Fix python-m2crypto rootfile
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b2318b5e351923632c43e3d5d9e6a2351a1b63cd Author: Michael Tremer michael.tremer@ipfire.org Date: Sun Mar 18 13:51:38 2018 +0000
core120: Ship updated logrotate and restart unbound
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 9e9fdb39e63e521a4771e3e24746edad3c7430b2 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Sun Mar 18 10:05:33 2018 +0100
unbound: Update to 1.7.0
For details see: http://www.unbound.net/download.html
Best, Matthias
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 399c2f9ccc2fa8cac89d27353571f3317b45bde4 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Sun Mar 18 10:21:17 2018 +0100
logrotate: Update to 3.14.0
For details see: https://github.com/logrotate/logrotate/releases
Best, Matthias
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 4e316ae0a0a63b6f6a4029fa3ba18c757713a49e Author: Matthias Fischer matthias.fischer@ipfire.org Date: Sun Mar 18 10:14:07 2018 +0100
htop: Update to 2.1.0
For details see: https://hisham.hm/htop/index.php?page=downloads
Best, Matthias
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 9051f3c9d71b483198373b5522f47399b68b9572 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Sun Mar 18 10:00:34 2018 +0100
bind: Update to 9.11.3
For details see: http://ftp.isc.org/isc/bind9/9.11.3/RELEASE-NOTES-bind-9.11.3.html
Best, Matthias
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 1c1c1ac238d2fd83b2fc17f9206dc9000e9079bc Author: Matthias Fischer matthias.fischer@ipfire.org Date: Sun Mar 18 09:53:40 2018 +0100
nano: Update to 2.9.4
For details see: https://www.nano-editor.org/news.php
Best, Matthias
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 8aeec0ba89b0179138cec1b5ac079c04ad7db410 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Sun Mar 18 09:48:04 2018 +0100
rsync: Update to 3.1.3
For details see: https://download.samba.org/pub/rsync/src/rsync-3.1.3-NEWS
Best, Matthias
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e779b6bc7aa470289bde0bf99aa7051dffc4384b Author: Erik Kapfer erik.kapfer@ipfire.org Date: Sun Mar 18 13:55:31 2018 +0100
PAM: Delete old lib and symlinks
Core 119 update delivers an updated PAM whereby the libdir has been changed from /lib to /usr/lib, but the old libraries and symlinks are still present. Since the system searches /lib before /usr/lib, the old libs and symlinks are used, which ends up in a `LIBPAM_EXTENSION_1.1' not found.
Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit cdc1a0e901c285e84f8cbb6a01248ce6a141b361 Author: Erik Kapfer erik.kapfer@ipfire.org Date: Mon Mar 12 13:47:34 2018 +0100
OpenVPN: Update to version 2.4.5
This is primarily a maintenance release, with further improved OpenSSL 1.1 integration, several minor bug fixes and other minor improvements. Further information can be found here https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst#version-245 and here https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24.
Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 35b892b0dd69c482fb3024f8e1dfbd13679b07d8 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Mar 16 14:36:05 2018 +0000
pakfire: Drop old key import mechanism
This was error-prone and potentially allowed another key to be injected.
Fixes: #11539 Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 7d995c9f56055f39e559bd6e355a9a1689585c6d Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Mar 16 14:33:42 2018 +0000
installer: Import the Pakfire key at install time
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit ceed3534e154944651be9659e7f299d077edc439 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Mar 16 14:28:17 2018 +0000
core120: Import new pakfire PGP key
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 5e5c2e541395bc5a2ab4d3304f6358861c594d3d Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Mar 16 14:23:56 2018 +0000
Import new Pakfire Signing Key
We will swap the key that we use to sign Pakfire packages since the current one is considered outdated cryptography.
Fixes: #11539
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit f0e9ed78a2ae1b828493c523e5137735c780d833 Author: Stephan Feddersen sfeddersen@ipfire.org Date: Tue Mar 6 20:53:20 2018 +0100
WIO: increment PAK_VER
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c1fc92a9b8e2a049875c02a736087beacb8c6348 Author: Stephan Feddersen via Development development@lists.ipfire.org Date: Tue Feb 27 17:20:07 2018 +0100
WIO: Fix a problem with the Network-Table-Button
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit cc222a8e62ebaebf140f6287f8e55edd887b36aa Author: Stephan Feddersen via Development development@lists.ipfire.org Date: Tue Feb 27 17:18:39 2018 +0100
WIO: Fix some typos
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit a25c95b3a0bf5a3db03fbed0e53f2f2d82d3e148 Author: Stephan Feddersen via Development development@lists.ipfire.org Date: Tue Feb 20 21:41:13 2018 +0100
WIO: Update to version 1.3.2, several changes in many files
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit d536c178ec90fd95b7e793923a856b8dab8bcb52 Author: Matthias Fischer matthias.fischer@ipfire.org Date: Wed Mar 7 19:19:04 2018 +0100
ntp: Update to 4.2.8p11
For details see: http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
"This release addresses five security issues in ntpd:
LOW/MEDIUM: Sec 3012 / CVE-2016-1549 / VU#961909: Sybil vulnerability: ephemeral association attack. While fixed in ntp-4.2.8p7, there are significant additional protections for this issue in 4.2.8p11. Reported by Matt Van Gundy of Cisco.
INFO/MEDIUM: Sec 3412 / CVE-2018-7182 / VU#961909: ctl_getitem(): buffer read overrun leads to undefined behavior and information leak. Reported by Yihan Lian of Qihoo 360.
LOW: Sec 3415 / CVE-2018-7170 / VU#961909: Multiple authenticated ephemeral associations. Reported on the questions@ list.
LOW: Sec 3453 / CVE-2018-7184 / VU#961909: Interleaved symmetric mode cannot recover from bad state. Reported by Miroslav Lichvar of Red Hat.
LOW/MEDIUM: Sec 3454 / CVE-2018-7185 / VU#961909: Unauthenticated packet can reset authenticated interleaved association. Reported by Miroslav Lichvar of Red Hat.
one security issue in ntpq:
MEDIUM: Sec 3414 / CVE-2018-7183 / VU#961909: ntpq:decodearr() can write beyond its buffer limit Reported by Michael Macnair of Thales-esecurity.com.
and provides over 33 bugfixes and 32 other improvements."
Best, Matthias
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit cc4816a1af40ee470fad90e0a7ec1655dc36367b Author: Matthias Fischer matthias.fischer@ipfire.org Date: Wed Mar 7 19:26:53 2018 +0100
clamav 0.99.4: removed gcc patch
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit dcd60d274ef7245552ffd0c57c15995a220d13a2 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Mar 6 15:13:56 2018 +0000
core120: Ship updated qos.cgi
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 20ffa7d1a896e5d8101f4e82ef11f8fa5b2ad15c Author: Daniel Weismüller daniel.weismueller@ipfire.org Date: Tue Mar 6 15:56:48 2018 +0100
As described in bug 11257 there is a mistake in the qos templates. The sum of the guaranteed bandwidth of the classes 101 - 120 is bigger than the available bandwidth. I adjusted the guaranteed bandwidth of the classes 101 - 104 so that each of them has a
Signed-off-by: Daniel Weismüller daniel.weismueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 318434affb14cadbfdbe877ae5b1f00aacacea24 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Mar 6 15:12:42 2018 +0000
core120: Ship updated proxy.cgi
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 53d6755451808f8d6eeca8275714d97985d9495b Author: Daniel Weismüller via Development development@lists.ipfire.org Date: Fri Feb 16 13:04:50 2018 +0100
squid: Add RAM-only Proxy functionality
As suggested by Oliver "giller" Fieker oli@new-lan.de in bug 10592 I added the functionality to use squid as a RAM-only cache.
Further it defines the maximum_object_size_in_memory as 2% of the "Memory cache size" defined in the web interface. The maximum_object_size_in_memory should have a useful size relative to the defined memory cache, and I don't want to create another variable which must be filled in by the user.
Signed-off-by: Daniel Weismüller daniel.weismueller@ipfire.org Suggested-by: Oliver "giller" Fieker oli@new-lan.de Suggested-by: Kim Wölfel xaver4all@gmx.de Acked-by: Michael Tremer michael.tremer@ipfire.org Cc: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Daniel Weismüller daniel.weismueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 01bec956555de7966990047406cbf417d314c40d Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Mar 5 15:21:56 2018 +0000
core120: Ship updated unbound init script
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 438da7e0a012cb979e77efcb923ab86b9078fb57 Author: Peter Müller peter.mueller@link38.eu Date: Sun Mar 4 18:26:52 2018 +0100
test if nameservers with DNSSEC support return "ad"-flagged data
DNSSEC-validating nameservers return an "ad" (Authenticated Data) flag in the DNS response header. This can be used as a negative indicator for DNSSEC validation: in case a nameserver does not return the flag, but fails to look up a domain with an invalid signature, it does not support DNSSEC validation.
This makes it easier to detect nameservers which do not fully comply with the RFCs or try to tamper with DNS queries.
See bug #11595 (https://bugzilla.ipfire.org/show_bug.cgi?id=11595) for further details.
The second version of this patch avoids unnecessary usage of grep. Thanks to Michael Tremer for the hint.
Signed-off-by: Peter Müller peter.mueller@link38.eu Signed-off-by: Michael Tremer michael.tremer@ipfire.org
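The test described in the commit above, as an added example that is not IPFire's own init-script code: it decodes the DNS response header, reads the AD bit, and classifies a resolver from its two answers (one for a name with a valid DNSSEC chain, one for a name whose signature is deliberately broken). The resolver address and the two test names are assumptions you supply to ask(); the sample replies in the block are constructed.

```python
import socket
import struct

# DNS header flag bits (RFC 1035; AD and CD from RFC 4035 section 3.2.3).
FLAG_QR = 1 << 15   # message is a response
FLAG_RD = 1 << 8    # recursion desired
FLAG_RA = 1 << 7    # recursion available
FLAG_AD = 1 << 5    # Authenticated Data: set only by a validating resolver
FLAG_CD = 1 << 4    # Checking Disabled: must stay clear for this test
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into id, flags of interest and counts."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "is_response": bool(flags & FLAG_QR),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "rcode": flags & 0x0F,
        "qdcount": qdcount,
        "ancount": ancount,
    }


def classify_resolver(good_reply: bytes, bogus_reply: bytes) -> str:
    """Apply the commit's test to two replies from the same resolver.

    good_reply  - answer for a name with a valid DNSSEC chain
    bogus_reply - answer for a name whose signature is deliberately broken
    A validating resolver sets AD on the good answer and SERVFAILs the bogus one.
    SERVFAIL alone proves nothing: without AD the failure was not caused by validation.
    """
    good = parse_header(good_reply)
    bogus = parse_header(bogus_reply)
    if not (good["is_response"] and bogus["is_response"]):
        raise ValueError("expected DNS responses")
    bogus_rejected = bogus["rcode"] == RCODE_SERVFAIL
    good_authenticated = good["rcode"] == RCODE_NOERROR and good["ad"]
    if good_authenticated and bogus_rejected:
        return "validating"
    if good_authenticated and not bogus_rejected:
        # Claims validation yet hands out data that cannot validate: broken or tampering.
        return "inconsistent"
    return "not-validating"


def build_reply(ident: int, ad: bool, rcode: int, ancount: int) -> bytes:
    """Construct a minimal response header (sample data only, no question or answer body)."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | (rcode & 0x0F)
    return struct.pack("!6H", ident, flags, 1, ancount, 0, 0)


def build_query(ident: int, name: str, qtype: int = 1) -> bytes:
    """Encode a recursive query for <name>/IN with RD set and CD clear (qtype 1 = A)."""
    header = struct.pack("!6H", ident, FLAG_RD, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def ask(server: str, name: str, timeout: float = 3.0) -> dict:
    """Send one UDP query to <server>:53 and return its parsed header (live network use)."""
    ident = 0x1F2E
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(ident, name), (server, 53))
        data, _ = sock.recvfrom(4096)
    header = parse_header(data)
    if header["id"] != ident:
        raise ValueError("response id does not match the query")
    return header


if __name__ == "__main__":
    # Constructed samples: a resolver that validates and one that merely SERVFAILs.
    validating = classify_resolver(build_reply(1, True, RCODE_NOERROR, 1),
                                   build_reply(2, False, RCODE_SERVFAIL, 0))
    forwarding = classify_resolver(build_reply(3, False, RCODE_NOERROR, 1),
                                   build_reply(4, False, RCODE_SERVFAIL, 0))
    print(validating, forwarding)   # validating not-validating
```

For a live check, call ask() twice against the same resolver (once with a correctly signed name, once with a name whose signature is known to be broken) and pass the raw replies' headers through the same decision; the CD bit is left clear so the resolver is allowed to validate.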
commit 9d5e5eb01240cad610088fe2ea6b5b68e4f5e5ee Author: Peter Müller peter.mueller@link38.eu Date: Sun Mar 4 18:03:04 2018 +0100
Tor: update to 0.3.2.10
Update Tor to 0.3.2.10, which fixes some security and DoS issues especially important for relays.
The release notes are available at: https://blog.torproject.org/new-stable-tor-releases-security-fixes-and-dos-p...
Signed-off-by: Peter Müller peter.mueller@link38.eu Signed-off-by: Michael Tremer michael.tremer@ipfire.org Fixes: #11662
commit a12d48868202f0bef98b4c392eb7ca33cd6fe957 Author: Peter Müller peter.mueller@link38.eu Date: Sun Mar 4 17:57:15 2018 +0100
ClamAV: update to 0.99.4
Update ClamAV to 0.99.4 which fixes four security issues and compatibility issues with GCC 6 and C++ 11.
The release note can be found here: http://blog.clamav.net/2018/03/clamav-0994-has-been-released.html
Signed-off-by: Peter Müller peter.mueller@link38.eu Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 568a227bd318c743225d90c8d93559d04ac72a8f Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Mar 1 19:58:11 2018 +0000
vpnmain.cgi: Fix reading common names from certificates
OpenSSL has changed the output of the subject lines of certificates.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 63b515dc260f2da9bd413fea254d2e5b634c793a Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Feb 28 11:55:35 2018 +0000
apache: Require TLSv1.2 for access to the web user interface
This will work fine for FF 27 or newer, Chrome 30 or newer, IE 11 on Windows 7 or newer, Opera 17 or newer, Safari 9 or newer, Android 5.0 or newer and Java 8 or newer.
Since IPFire is not supposed to host any other applications and all have been removed in the last few Core Updates, only the web user interface is served over HTTPS here. We clearly prefer security over compatibility.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 464426d36348cdb468f5c03f50132cf6583e23bd Author: Peter Müller peter.mueller@link38.eu Date: Tue Nov 7 20:51:32 2017 +0100
change Apache TLS cipher list to "Mozilla Modern"
Change the TLS cipher list of Apache to "Mozilla Modern".
ECDSA is preferred over RSA to save CPU time on both server and client. Clients without support for TLS 1.2 and AES will experience connection failures.
Signed-off-by: Peter Müller peter.mueller@link38.eu Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 263d1e6484ad61711f07cad35057c324db28b480 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Feb 28 11:49:47 2018 +0000
openssl: Apply ciphers patch before running Configure
This works just fine here.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 592949344560592807b5155d1c0ed085ac02c8ab Author: Peter Müller via Development development@lists.ipfire.org Date: Tue Feb 27 18:35:22 2018 +0100
set OpenSSL 1.1.0 DEFAULT cipher list to secure value
Only use secure cipher list for the OpenSSL DEFAULT list:
* ECDSA is preferred over RSA since it is faster and more scalable
* TLS 1.2 suites are preferred over anything older
* weak ciphers such as RC4 and 3DES have been eliminated
* AES-GCM is preferred over AES-CBC (known as "mac-then-encrypt" problem)
* ciphers without PFS are moved to the end of the cipher list
This patch leaves AES-CCM, AES-CCM8 and CHACHA20-POLY1305 suites where they are since they are considered secure and there is no need to change anything.
The DEFAULT cipher list is now (output of "openssl ciphers -v"):
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM8(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM8 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM8(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(128) Mac=SHA256
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(256) Mac=SHA384
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(128) Mac=SHA256
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES256-CCM8 TLSv1.2 Kx=DH Au=RSA Enc=AESCCM8(256) Mac=AEAD
DHE-RSA-AES256-CCM TLSv1.2 Kx=DH Au=RSA Enc=AESCCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-CCM8 TLSv1.2 Kx=DH Au=RSA Enc=AESCCM8(128) Mac=AEAD
DHE-RSA-AES128-CCM TLSv1.2 Kx=DH Au=RSA Enc=AESCCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA256
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-CCM8 TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM8(256) Mac=AEAD
AES256-CCM TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM(256) Mac=AEAD
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-CCM8 TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM8(128) Mac=AEAD
AES128-CCM TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM(128) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
CAMELLIA256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA256
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
CAMELLIA128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
This has been discussed at 2017-12-04 (https://wiki.ipfire.org/devel/telco/2017-12-04) and for a similar patch written for OpenSSL 1.0.x.
Signed-off-by: Peter Müller peter.mueller@link38.eu Signed-off-by: Michael Tremer michael.tremer@ipfire.org
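A way to verify that a built OpenSSL actually honours the ordering rules in the commit above, as an added example that is not part of the patch or of IPFire: it parses "openssl ciphers -v" output and reports weak suites and any suite that ranks above its predecessor. The tier order (PFS first, then TLS 1.2 before older versions, ECDH before DH, ECDSA before RSA, AEAD before CBC) is read off the list quoted in the commit; the two sample listings are constructed, the first being an excerpt of that list.

```python
import re
from dataclasses import dataclass

# One line of "openssl ciphers -v" output: NAME VERSION Kx=.. Au=.. Enc=.. Mac=..
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<version>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)
# Encryption and MAC algorithms the commit says must not appear at all.
WEAK_ENC = {"RC4", "3DES", "DES", "RC2", "IDEA", "SEED", "None"}
WEAK_MAC = {"MD5"}
# Key-exchange preference as it appears in the quoted list: ECDH, then DH, then static RSA.
KX_RANK = {"ECDH": 0, "DH": 1, "RSA": 2}


@dataclass
class Suite:
    name: str
    version: str
    kx: str
    au: str
    enc: str
    mac: str

    @property
    def pfs(self) -> bool:
        # Ephemeral (EC)DH gives forward secrecy; static RSA key transport does not.
        return self.kx in ("ECDH", "DH")

    @property
    def aead(self) -> bool:
        return self.mac == "AEAD"

    @property
    def rank(self) -> tuple:
        # Smaller tuple = preferred. Tier order read off the commit's list: PFS first,
        # TLS 1.2 before older versions, ECDH before DH, ECDSA before RSA, AEAD before CBC.
        return (not self.pfs, self.version != "TLSv1.2", KX_RANK.get(self.kx, 9),
                self.au != "ECDSA", not self.aead)


def parse_ciphers_v(text: str) -> list:
    """Parse 'openssl ciphers -v' output into Suite objects, in the order printed."""
    suites = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable cipher line: {line!r}")
        suites.append(Suite(**m.groupdict()))
    return suites


def check_cipher_order(text: str) -> list:
    """Return policy violations; an empty list means the listing satisfies the commit's rules."""
    suites = parse_ciphers_v(text)
    problems = []
    for s in suites:
        if s.enc.split("(")[0] in WEAK_ENC or s.mac in WEAK_MAC:
            problems.append(f"weak suite present: {s.name}")
    for prev, cur in zip(suites, suites[1:]):
        if cur.rank < prev.rank:
            problems.append(f"{cur.name} should be preferred over preceding {prev.name}")
    return problems


# Constructed excerpt of the DEFAULT list quoted in the commit, in its original order.
SAMPLE_OK = """\
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
"""

# Constructed counter-example: a non-PFS suite listed first and an RC4 suite present.
SAMPLE_BAD = """\
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-RC4-SHA SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
"""

if __name__ == "__main__":
    print(check_cipher_order(SAMPLE_OK))   # []
    for problem in check_cipher_order(SAMPLE_BAD):
        print(problem)
```

On a real system feed it the output of "openssl ciphers -v" for the DEFAULT list (or any list string your daemon configures) to confirm the policy survived the build.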
commit e707599d2cd8af8a1464ce31ee89a5401d5df0e2 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Feb 28 10:48:29 2018 +0000
core120: Call openvpnctrl with full path
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit ca4c354e085083dacf66071b23e507ea2ebb1b81 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Feb 26 16:28:16 2018 +0000
Bump release of all packages linked against OpenSSL
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit d192815e839c42566c669999900a0dd62824eb8e Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Feb 26 16:22:32 2018 +0000
core120: Ship everything that is linked against OpenSSL
This will make sure that everything is using the new version of the library.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 1c0cfaa5949e4303e8e4e2f041af86a812f3fe6c Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Feb 26 15:37:49 2018 +0000
Disable Path MTU discovery
This seems to be a failed concept and causes issues with transferring large packets through an IPsec tunnel connection.
This configures the kernel to still respond to PMTU ICMP discovery messages, but will not try this on its own.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit f0e308ab2ff92858452d7c3ac3ad114b4ea862f4 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Feb 26 15:34:10 2018 +0000
core120: Fix typo in initscript name
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 61fcd32f152f36edec042dd8e35ae2ab3f2acc2f Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Feb 26 13:06:34 2018 +0000
Rootfile update
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 0eccedd1c8340e186a8329f66a235aea6c92b1af Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Feb 26 11:12:20 2018 +0000
dhcp: Allow adding extra DHCP interfaces
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 39d11d265e4f1a41994d0adf85498f54c63ba7ab Author: Erik Kapfer via Development development@lists.ipfire.org Date: Mon Feb 26 08:00:15 2018 +0100
OpenVPN: Ship missing OpenSSL configuration file for update
Core 115 delivered a patch which prevents the '--ns-cert-type server is deprecated' message and also introduced '--remote-cert-tls server' --> https://patchwork.ipfire.org/patch/1441/, whereby the changed ovpn.cnf has not been delivered.
Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 52f61e496df86f1a70fa9d468d64e756bdb66f4d Author: Erik Kapfer via Development development@lists.ipfire.org Date: Sun Feb 25 14:49:49 2018 +0100
OpenVPN: New AES-GCM cipher for N2N and RW
AES-GCM 128, 196 and 256 bit have been added to the Net-to-Net and Roadwarrior sections.
HMAC selection for N2N will be disabled if AES-GCM is used since GCM provides its own message authentication (GMAC). The 'auth *' line in N2N.conf will be deleted accordingly if AES-GCM is used since '--tls-auth' is not available for N2N. The HMAC selection menu for Roadwarriors is still available since '--tls-auth' is available for RWs, which uses the configured HMAC even if AES-GCM has been applied.
Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 87484f5c784e013229bc6d32430cdc8eb7b8a709 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Feb 22 18:52:03 2018 +0000
openssl-compat: Do not try to apply missing padlock patch
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b9c56c9e9cf261e5d35d060f2f0afce39c633d47 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Feb 22 18:50:38 2018 +0000
openssl-compat: Add missing library path
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 8b080ef12b63e94d82b44c09cc00af40d9e9fe8d Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Feb 21 13:06:22 2018 +0000
core120: Remove deprecated sshd configuration option
This just created a warning and is now dropped.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c2646dff80ecd43986d4aafcb42d43303f362790 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Feb 21 12:55:36 2018 +0000
Revert "wget: Link against GnuTLS instead of OpenSSL"
This reverts commit a46b159a8dc0d191ee57cf48b66be8a39fd7d9ec.
wget 1.19.4 supports linking against OpenSSL 1.1.0.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c8e4391eccf6cff06b7ee17d1a50912fe77faf32 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Feb 21 12:41:05 2018 +0000
core120: Remove forgotten PHP file
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 53929f5ae8a2edc8dff4484b4d293fcba5dd50af Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Feb 21 12:39:55 2018 +0000
core120: Ship updated OpenSSL 1.1.0
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 9434bffaf23228be1774a63ad19d4751339e663c Merge: cb8a6bf5a a4fd23254 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Feb 21 12:21:10 2018 +0000
Merge branch 'openssl-11' into next
commit cb8a6bf5a4a2794638da37b992799e275022c78d Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Feb 21 12:20:57 2018 +0000
Start Core Update 120
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit a4fd232541bf5002eb7e256727d2b10c89b6d1bf Author: Erik Kapfer erik.kapfer@ipfire.org Date: Thu Feb 15 05:43:49 2018 +0100
OpenVPN: Added needed directive for v2.4 update
script-security: The support for the 'system' flag has been removed due to security implications with shell expansions when executing scripts via the system() call. For more information: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
ncp-disable: Negotiable crypto parameters have been disabled at first.
Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit bd42f9f968112d2f15847c274d0e4c8b7bd9ddf1 Author: Erik Kapfer erik.kapfer@ipfire.org Date: Wed Feb 7 18:31:49 2018 +0100
CRL updater: Update script for OpenVPN's CRL
Update script for OpenVPN's CRL, because OpenVPN has refactored the CRL handling since v2.4.0. The script checks the next update field of the CRL and executes an update before it expires. The script is placed under fcron.daily for daily checks.
Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
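The check the commit above describes (read the CRL's next update field, renew before it expires) in Python, as an added example that is not IPFire's own fcron.daily script. It assumes the CRL is inspected with `openssl crl -noout -nextupdate`, whose output has the form `nextUpdate=Mar 30 09:35:28 2018 GMT`; the seven-day renewal margin, the `decide_from_output` helper and the CRL path in the usage call are assumptions for illustration.

```python
"""Decide whether an OpenVPN CRL is close enough to expiry to be regenerated.

Added example, not the IPFire update script itself. It assumes the CRL is
inspected with `openssl crl -noout -nextupdate`; the renewal margin is an
assumption as well.
"""
import subprocess
from datetime import datetime, timedelta, timezone

# openssl prints ASN.1 times like "Mar  5 09:35:28 2018 GMT" (day may be space-padded);
# strptime treats the spaces in the format as "one or more", so both forms parse.
_OPENSSL_TIME_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_next_update(openssl_output: str) -> datetime:
    """Parse the nextUpdate line of `openssl crl -nextupdate` output into an aware UTC datetime."""
    for line in openssl_output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "nextUpdate":
            return datetime.strptime(value.strip(), _OPENSSL_TIME_FMT).replace(tzinfo=timezone.utc)
    raise ValueError("no nextUpdate field in openssl output")


def crl_needs_update(next_update: datetime, now: datetime,
                     margin: timedelta = timedelta(days=7)) -> bool:
    """True if the CRL expires within `margin` of `now`, or already has.

    A CRL whose nextUpdate has passed fails verification, so the CRL has to be
    regenerated before that point rather than after; the margin (assumed here)
    gives a daily cron job several chances to do so.
    """
    return next_update - now <= margin


def decide_from_output(openssl_output: str, now_iso: str, margin_days: int = 7) -> bool:
    """Convenience wrapper: parse openssl output and decide, with `now` given as ISO 8601 UTC."""
    now = datetime.fromisoformat(now_iso)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    return crl_needs_update(parse_next_update(openssl_output), now, timedelta(days=margin_days))


def read_next_update(crl_path: str) -> datetime:
    """Run openssl against a CRL file and parse its nextUpdate (needs the openssl binary)."""
    out = subprocess.run(
        ["openssl", "crl", "-noout", "-nextupdate", "-in", crl_path],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_next_update(out)


if __name__ == "__main__":
    # Constructed sample output standing in for a real openssl run.
    sample = "lastUpdate=Mar  1 09:35:28 2018 GMT\nnextUpdate=Mar 30 09:35:28 2018 GMT\n"
    if decide_from_output(sample, "2018-03-25T00:00:00+00:00"):
        print("CRL expires soon: regenerate it")  # this branch for the sample above
    else:
        print("CRL still valid")
    # Against a live file (hypothetical path), the decision would be:
    # crl_needs_update(read_next_update("/var/ipfire/ovpn/crls/cacrl.pem"),
    #                  datetime.now(timezone.utc))
```

Only `read_next_update` shells out to openssl; the parsing and the decision are pure functions, so the cron job's logic can be tested against constructed output without a CA or a real CRL.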
commit 59d77d2eae265304887408b1d36074269f6075a4 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Feb 7 12:43:28 2018 +0000
openssl: Properly pass CFLAGS and LDFLAGS to build
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 11e78f38b9fe0e5087dd59ef76782cd39bd8f197 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Feb 2 11:12:19 2018 +0000
Package openssl-compat (1.0.2.n)
This is provided for compatibility with binaries that have been compiled against this version of OpenSSL.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 56f8478e4daaf4028f7332561da4b3418eed6b3a Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Feb 2 10:59:37 2018 +0000
openssl: Rootfile update
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 3b83dffc1961a3911e8197621c8e59ab44b5c614 Author: Erik Kapfer erik.kapfer@ipfire.org Date: Wed Jan 31 10:34:59 2018 +0100
OpenVPN: Update to version 2.4.4
Changed LFS and ROOTFILE for OpenVPN 2.4.4 update.
Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 8b87254a02c275a1e19dcd25cf27d83eb5babd38 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Jan 13 12:00:08 2018 +0000
python-m2crypto: Install in correct directory
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 1b7cb0484c0b9ca8bd20d480b8fa8ad6c31dfb12 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Jan 13 11:59:37 2018 +0000
openssl: Enable engines
Some tools that depend on openssl won't compile without it
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit a46b159a8dc0d191ee57cf48b66be8a39fd7d9ec Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Jan 11 11:49:31 2018 +0000
wget: Link against GnuTLS instead of OpenSSL
This version does not seem to be compatible with OpenSSL 1.1 and might be changed back to OpenSSL whenever it will compile.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit fd07dae7a4c6e78761b2005a9785155610adba0d Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Nov 28 16:51:51 2017 +0000
python-m2crypto: Update to 0.27.0
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 5c82a9f0409e67dd10aeacf82fdcf3042fea31c7 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Nov 28 16:48:20 2017 +0000
python-typing: Required for m2crypto
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 7e63e4f8069e396296360584db498753490097d6 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Nov 28 16:39:38 2017 +0000
transmission: Patch to build against OpenSSL 1.1
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 0d0fe16e22499868b38e35e190729f50c6acf1c9 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Nov 28 15:06:54 2017 +0000
net-snmp: Patch to build against OpenSSL 1.1
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 3b10b313032fe32e8e611a7c47e6e90259972ce3 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Nov 28 13:58:29 2017 +0000
elinks: Patch to build against OpenSSL 1.1
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 2ab923bb8ee35327065f4c724b5a10deee22b364 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Nov 28 13:37:38 2017 +0000
ncat: Update to 7.60
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 5809552f2fb1371870b4e111d4ef018730d683b9 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Nov 28 13:06:26 2017 +0000
krb5: Update to 1.15.2 to build against OpenSSL 1.1
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 07b8dcd0b2287fd316592dd0fe18d103b71b712e Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Nov 28 13:02:17 2017 +0000
openssh: Update to 7.6p1 and patch against OpenSSL 1.1
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit a82d85131b8220c3800c54dec49bd1ce605f0e7a Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Nov 27 13:19:20 2017 +0000
Net-SSLeay: Update to 1.82
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit f8ee1cfcfcc5a2fd520a40c66a5747480debb51a Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Nov 27 12:47:13 2017 +0000
cyrus-sasl: Disable OTP to build against OpenSSL 1.1
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 5a9bbaa93d7693c21dc6e2b23d07716c12aac220 Author: Michael Tremer michael.tremer@ipfire.org Date: Sat Nov 25 13:03:13 2017 +0000
openssl: Update to version 1.1
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
hooks/post-receive -- IPFire 2.x development tree