This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  fc5fc95f9a618eb67f19895aa1df57dfb76c97e6 (commit)
       via  8d07810dcefece495e8f3d321cb85e22ae5c6bd1 (commit)
       via  a8f9804a76e4a7cda74e45381a88034ea4c16701 (commit)
       via  48db07db14138cf40453d3ee785f7ec7e25154ff (commit)
       via  dfcf70ba39dfb35ce961e96dc2c4964a29fff2da (commit)
       via  014bbf241f00cc2dec1c435dfab983b99c84110a (commit)
      from  d700ab532b6c5916edd500a339f2d36e9c832915 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit fc5fc95f9a618eb67f19895aa1df57dfb76c97e6
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Sun Jan 29 19:33:29 2017 +0000
core109: Ship updated sysklogd
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 8d07810dcefece495e8f3d321cb85e22ae5c6bd1
Author: Matthias Fischer <matthias.fischer@ipfire.org>
Date:   Sun Jan 29 14:37:43 2017 +0100
sysklogd: Update to 1.5.1
...and now to something completely different... ;-)
Changelog:
- Bugfix against invalid PRI values (CVE-2014-3634)
CVE-2014-3634: "...sysklogd 1.5 and earlier allows remote attackers to cause a denial of service (crash), possibly execute arbitrary code, or have other unspecified impact via a crafted priority (PRI) value that triggers an out-of-bounds array access."
Nothing good for a firewall...and besides, 'sysklogd' hasn't been updated since 2010.
Best, Matthias
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit a8f9804a76e4a7cda74e45381a88034ea4c16701
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Sun Jan 29 19:28:39 2017 +0000
core109: Ship updated libpcap
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 48db07db14138cf40453d3ee785f7ec7e25154ff
Author: Matthias Fischer <matthias.fischer@ipfire.org>
Date:   Sat Jan 28 23:31:50 2017 +0100
squid: Update to 3.5.24
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit dfcf70ba39dfb35ce961e96dc2c4964a29fff2da
Author: Matthias Fischer <matthias.fischer@ipfire.org>
Date:   Sat Jan 28 19:05:01 2017 +0100
tcpdump: Update to 4.8.1
Change log:
Tuesday October 25, 2016 mcr@sandelman.ca
Summary for 4.8.1 tcpdump release
  Fix "-x" for Apple PKTAP and PPI packets
  Use PRIx64 to print a 64-bit number in hex.
  Printer for HNCP (RFCs 7787 and 7788).
  dagid is always an IPv6 address, not an opaque 128-bit string, and other fixes to RPL printer.
  RSVP: Add bounds and length checks
  OSPF: Do more bounds checking
  Handle OpenSSL 1.1.x.
  Initial support for the REdis Serialization Protocol known as RESP.
  Add printing function for Generic Protocol Extension for VXLAN draft-ietf-nvo3-vxlan-gpe-01
  Network Service Header: draft-ietf-sfc-nsh-01
  Don't recompile the filter if the new file has the same DLT.
  Pass an adjusted struct pcap_pkthdr to the sub-printer.
  Add three test cases for already fixed CVEs
    CVE-2014-8767: OLSR
    CVE-2014-8768: Geonet
    CVE-2014-8769: AODV
  Don't do the DDP-over-UDP heuristic first: GitHub issue #499.
  Use the new debugging routines in libpcap.
  Harmonize TCP source or destination ports tests with UDP ones
  Introduce data types to use for integral values in packet structures.
  RSVP: Fix an infinite loop
  Support of Type 3 and Type 4 LISP packets.
  Don't require IPv6 library support in order to support IPv6 addresses.
  Many many changes to support libnetdissect usage.
  Add a test that makes unaligned accesses: GitHub issue #478.
  add a DNSSEC test case: GH #445 and GH #467.
  BGP: add decoding of ADD-PATH capability
  fixes to LLC header printing, and RFC948-style IP packets

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 014bbf241f00cc2dec1c435dfab983b99c84110a
Author: Matthias Fischer <matthias.fischer@ipfire.org>
Date:   Sat Jan 28 18:56:08 2017 +0100
libpcap: Update to 1.8.1
Change log:
Tuesday, Oct. 25, 2016 mcr@sandelman.ca
Summary for 1.8.1 libpcap release
  Add a target in Makefile.in for Exuberant Ctags use: 'extags'.
  Rename configure.in to configure.ac: autoconf 2.59
  Clean up the name-to-DLT mapping table.
  Add some newer DLT_ values: IPMI_HPM_2,ZWAVE_R1_R2,ZWAVE_R3,WATTSTOPPER_DLM,ISO_14443,RDS
  Clarify what the return values are for both success and failure.
  Many changes to build on windows
  Check for the "break the loop" condition in the inner loop for TPACKET_V3.
  Fix handling of packet count in the TPACKET_V3 inner loop: GitHub issue #493.
  Filter out duplicate looped back CAN frames.
  Fix the handling of loopback filters for IPv6 packets.
  Add a link-layer header type for RDS (IEC 62106) groups.
  Use different intermediate folders for x86 and x64 builds on Windows.
  On Linux, handle all CAN captures with pcap-linux.c, in cooked mode.
  Removes the need for the "host-endian" link-layer header type.
  Compile with '-Wused-but-marked-unused' in devel mode if supported
  Have separate DLTs for big-endian and host-endian SocketCAN headers.
  Reflect version.h being renamed to pcap_version.h.
  Require that version.h be generated: all build procedures we support generate version.h (autoconf, CMake, MSVC)!
  Properly check for sock_recv() errors.
  Re-impose some of Winsock's limitations on sock_recv().
  Replace sprintf() with pcap_snprintf().
  Fix signature of pcap_stats_ex_remote().
  Initial cmake support for remote packet capture.
  Have rpcap_remoteact_getsock() return a SOCKET and supply an "is active" flag.
  Clean up {DAG, Septel, Myricom SNF}-only builds.
  Do UTF-16-to-ASCII conversion into the right place.
  pcap_create_interface() needs the interface name on Linux.
  Clean up hardware time stamp support: the "any" device does not support any time stamp types.
  Add support for capturing on FreeBSD usbusN interfaces.
  Add a LINKTYPE/DLT_ value for FreeBSD USB.
  Go back to using PCAP_API on Windows.
  CMake support
  Add TurboCap support from WinPcap.
  Recognize 802.1ad nested VLAN tag in vlan filter.

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
 config/rootfiles/common/libpcap                    |  5 ++-
 config/rootfiles/common/sysklogd                   |  2 ++
 config/rootfiles/core/109/exclude                  |  2 ++
 .../{oldcore/93 => core/109}/filelists/libpcap     |  0
 config/rootfiles/core/109/filelists/sysklogd       |  1 +
 config/rootfiles/core/109/update.sh                |  3 ++
 lfs/libpcap                                        |  6 ++--
 lfs/squid                                          |  9 +++--
 lfs/sysklogd                                       |  9 ++---
 lfs/tcpdump                                        |  8 ++---
 ...=> squid-3.5.24-fix-max-file-descriptors.patch} |  0
 src/patches/squid/squid-3.5-14129.patch            | 41 ----------------------
 12 files changed, 26 insertions(+), 60 deletions(-)
 copy config/rootfiles/{oldcore/93 => core/109}/filelists/libpcap (100%)
 create mode 120000 config/rootfiles/core/109/filelists/sysklogd
 rename src/patches/{squid-3.5.23-fix-max-file-descriptors.patch => squid-3.5.24-fix-max-file-descriptors.patch} (100%)
 delete mode 100644 src/patches/squid/squid-3.5-14129.patch
Difference in files: diff --git a/config/rootfiles/common/libpcap b/config/rootfiles/common/libpcap index 2045ca7..6be2bd9 100644 --- a/config/rootfiles/common/libpcap +++ b/config/rootfiles/common/libpcap @@ -5,6 +5,9 @@ #usr/include/pcap.h #usr/include/pcap/bluetooth.h #usr/include/pcap/bpf.h +#usr/include/pcap/can_socketcan.h +#usr/include/pcap/dlt.h +#usr/include/pcap/export-defs.h #usr/include/pcap/ipnet.h #usr/include/pcap/namedb.h #usr/include/pcap/nflog.h @@ -15,7 +18,7 @@ #usr/lib/libpcap.a usr/lib/libpcap.so usr/lib/libpcap.so.1 -usr/lib/libpcap.so.1.7.4 +usr/lib/libpcap.so.1.8.1 #usr/share/man/man1/pcap-config.1 #usr/share/man/man3/pcap.3pcap #usr/share/man/man3/pcap_activate.3pcap diff --git a/config/rootfiles/common/sysklogd b/config/rootfiles/common/sysklogd index 9792097..f5d55c2 100644 --- a/config/rootfiles/common/sysklogd +++ b/config/rootfiles/common/sysklogd @@ -1,6 +1,8 @@ usr/sbin/klogd usr/sbin/syslogd +#usr/share/man/man5/syslog.conf.5 #usr/share/man/man8/klogd.8 #usr/share/man/man8/sysklogd.8 +#usr/share/man/man8/syslogd.8 var/log/dhcpcd.log var/log/messages diff --git a/config/rootfiles/core/109/exclude b/config/rootfiles/core/109/exclude index 7ddeae0..d6fd053 100644 --- a/config/rootfiles/core/109/exclude +++ b/config/rootfiles/core/109/exclude @@ -24,5 +24,7 @@ var/ipfire/time var/ipfire/ovpn var/lib/alternatives var/log/cache +var/log/dhcpcd.log +var/log/messages var/state/dhcp/dhcpd.leases var/updatecache diff --git a/config/rootfiles/core/109/filelists/libpcap b/config/rootfiles/core/109/filelists/libpcap new file mode 120000 index 0000000..c7f9f52 --- /dev/null +++ b/config/rootfiles/core/109/filelists/libpcap @@ -0,0 +1 @@ +../../../common/libpcap \ No newline at end of file diff --git a/config/rootfiles/core/109/filelists/sysklogd b/config/rootfiles/core/109/filelists/sysklogd new file mode 120000 index 0000000..e166ef2 --- /dev/null +++ b/config/rootfiles/core/109/filelists/sysklogd 
@@ -0,0 +1 @@ +../../../common/sysklogd \ No newline at end of file diff --git a/config/rootfiles/core/109/update.sh b/config/rootfiles/core/109/update.sh index 1143890..874ef79 100644 --- a/config/rootfiles/core/109/update.sh +++ b/config/rootfiles/core/109/update.sh @@ -45,6 +45,9 @@ ldconfig # Update Language cache #/usr/local/bin/update-lang-cache
+# Restart sysklogd +/etc/init.d/sysklogd restart + # Start services /etc/init.d/unbound start /etc/init.d/squid start diff --git a/lfs/libpcap b/lfs/libpcap index 10fbcd4..0fb62dc 100644 --- a/lfs/libpcap +++ b/lfs/libpcap @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2015 Michael Tremer & Christian Schmidt # +# Copyright (C) 2007-2017 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 1.7.4 +VER = 1.8.1
THISAPP = libpcap-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -42,7 +42,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = b2e13142bbaba857ab1c6894aedaf547 +$(DL_FILE)_MD5 = 3d48f9cd171ff12b0efd9134b52f1447
install : $(TARGET)
diff --git a/lfs/squid b/lfs/squid index 0015208..4a8d9d8 100644 --- a/lfs/squid +++ b/lfs/squid @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2016 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2017 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 3.5.23 +VER = 3.5.24
THISAPP = squid-$(VER) DL_FILE = $(THISAPP).tar.xz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 9b68f689e3d9578932b9c6a4041037c2 +$(DL_FILE)_MD5 = 3fae511e16b6379b61c011914673973d
install : $(TARGET)
@@ -70,8 +70,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5-14129.patch - cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.5.23-fix-max-file-descriptors.patch + cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid-3.5.24-fix-max-file-descriptors.patch
cd $(DIR_APP) && autoreconf -vfi cd $(DIR_APP)/libltdl && autoreconf -vfi diff --git a/lfs/sysklogd b/lfs/sysklogd index ca6110a..75bde5f 100644 --- a/lfs/sysklogd +++ b/lfs/sysklogd @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007 Michael Tremer & Christian Schmidt # +# Copyright (C) 2007-2017 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 1.5 +VER = 1.5.1
THISAPP = sysklogd-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = e053094e8103165f98ddafe828f6ae4b +$(DL_FILE)_MD5 = c70599ab0d037fde724f7210c2c8d7f8
install : $(TARGET)
@@ -70,9 +70,6 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - #cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/$(THISAPP)-fixes-1.patch - #cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/$(THISAPP)-8bit-1.patch - #cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/$(THISAPP)_xen_empty_buffer_check.patch cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install touch /var/log/{dhcpcd.log,messages} diff --git a/lfs/tcpdump b/lfs/tcpdump index 646250d..cfeaffa 100644 --- a/lfs/tcpdump +++ b/lfs/tcpdump @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2015 Michael Tremer & Christian Schmidt # +# Copyright (C) 2007-2017 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 4.7.4 +VER = 4.8.1
THISAPP = tcpdump-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = tcpdump -PAK_VER = 6 +PAK_VER = 7
DEPS = ""
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 58af728de36f499341918fc4b8e827c3 +$(DL_FILE)_MD5 = 32f57943649f276e09236ba66622bb0c
install : $(TARGET)
diff --git a/src/patches/squid-3.5.23-fix-max-file-descriptors.patch b/src/patches/squid-3.5.23-fix-max-file-descriptors.patch deleted file mode 100644 index b740b61..0000000 --- a/src/patches/squid-3.5.23-fix-max-file-descriptors.patch +++ /dev/null @@ -1,21 +0,0 @@ ---- configure.ac.~ Wed Apr 20 14:26:07 2016 -+++ configure.ac Fri Apr 22 17:20:46 2016 -@@ -3135,6 +3135,9 @@ - ;; - esac - -+SQUID_CHECK_DEFAULT_FD_SETSIZE -+SQUID_CHECK_MAXFD -+ - dnl --with-maxfd present for compatibility with Squid-2. - dnl undocumented in ./configure --help to encourage using the Squid-3 directive - AC_ARG_WITH(maxfd,, -@@ -3165,8 +3168,6 @@ - esac - ]) - --SQUID_CHECK_DEFAULT_FD_SETSIZE --SQUID_CHECK_MAXFD - if test "x$squid_filedescriptors_num" != "x"; then - AC_MSG_NOTICE([Default number of fieldescriptors: $squid_filedescriptors_num]) - fi diff --git a/src/patches/squid-3.5.24-fix-max-file-descriptors.patch b/src/patches/squid-3.5.24-fix-max-file-descriptors.patch new file mode 100644 index 0000000..b740b61 --- /dev/null +++ b/src/patches/squid-3.5.24-fix-max-file-descriptors.patch @@ -0,0 +1,21 @@ +--- configure.ac.~ Wed Apr 20 14:26:07 2016 ++++ configure.ac Fri Apr 22 17:20:46 2016 +@@ -3135,6 +3135,9 @@ + ;; + esac + ++SQUID_CHECK_DEFAULT_FD_SETSIZE ++SQUID_CHECK_MAXFD ++ + dnl --with-maxfd present for compatibility with Squid-2. + dnl undocumented in ./configure --help to encourage using the Squid-3 directive + AC_ARG_WITH(maxfd,, +@@ -3165,8 +3168,6 @@ + esac + ]) + +-SQUID_CHECK_DEFAULT_FD_SETSIZE +-SQUID_CHECK_MAXFD + if test "x$squid_filedescriptors_num" != "x"; then + AC_MSG_NOTICE([Default number of fieldescriptors: $squid_filedescriptors_num]) + fi diff --git a/src/patches/squid/squid-3.5-14129.patch b/src/patches/squid/squid-3.5-14129.patch deleted file mode 100644 index b930aca..0000000 --- a/src/patches/squid/squid-3.5-14129.patch +++ /dev/null 
@@ -1,41 +0,0 @@ ------------------------------------------------------------- -revno: 14129 -revision-id: squid3@treenet.co.nz-20161226022200-u1dnvhu0rdby78u2 -parent: squid3@treenet.co.nz-20161216043137-lsk9s4fq21sqsdfo -fixes bug: http://bugs.squid-cache.org/show_bug.cgi?id=3940 -committer: Amos Jeffries squid3@treenet.co.nz -branch nick: 3.5 -timestamp: Mon 2016-12-26 15:22:00 +1300 -message: - Bug 3940 pt2: Make 'cache deny' do what is documented - - Instead of overriding whatever cacheability was previously set to - (including changing non-cacheables to be cacheable) actually - prevent both cache read and write. ------------------------------------------------------------- -# Bazaar merge directive format 2 (Bazaar 0.90) -# revision_id: squid3@treenet.co.nz-20161226022200-u1dnvhu0rdby78u2 -# target_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 -# testament_sha1: 579020c4bb34961317f8fd0498393aba4a797b14 -# timestamp: 2016-12-26 02:23:14 +0000 -# source_branch: http://bzr.squid-cache.org/bzr/squid3/3.5 -# base_revision_id: squid3@treenet.co.nz-20161216043137-\ -# lsk9s4fq21sqsdfo -# -# Begin patch -=== modified file 'src/client_side_request.cc' ---- src/client_side_request.cc 2016-09-23 15:28:42 +0000 -+++ src/client_side_request.cc 2016-12-26 02:22:00 +0000 -@@ -1407,7 +1407,10 @@ - ClientRequestContext::checkNoCacheDone(const allow_t &answer) - { - acl_checklist = NULL; -- http->request->flags.cachable = (answer == ACCESS_ALLOWED); -+ if (answer == ACCESS_DENIED) { -+ http->request->flags.noCache = true; // dont read reply from cache -+ http->request->flags.cachable = false; // dont store reply into cache -+ } - http->doCallouts(); - } - -
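Review bot: The two entries added to config/rootfiles/core/109/exclude (var/log/dhcpcd.log and var/log/messages) carry no explanation. Both paths are listed in config/rootfiles/common/sysklogd, which the new core/109/filelists/sysklogd link pulls into the update, so presumably they are excluded to keep the update from replacing the live logs. Please say so in the commit message of "core109: Ship updated sysklogd" so the entries are not dropped later as leftovers.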
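Review bot: In the config/rootfiles/core/109/update.sh hunk, the added "/etc/init.d/sysklogd restart" runs unconditionally and its exit status is discarded. If syslogd does not come back up with the new 1.5.1 binary, the firewall keeps running without logging and the update gives no sign of it. Check the return code of the restart and surface a failure in the update output.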
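Review bot: The lfs/squid build rule at @@ -70,8 +70,7 @@ drops the "patch -Np0 -i .../squid-3.5-14129.patch" step and the patch file is deleted, but the commit message only reads "squid: Update to 3.5.24". State in the commit message that the Bug 3940 pt2 change ("Make 'cache deny' do what is documented") is already contained in the 3.5.24 tarball, so the removal cannot be mistaken for a regression of that fix.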
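Review bot: In lfs/sysklogd the only pin on the new tarball is the "$(DL_FILE)_MD5" line, and this is the update that carries the CVE-2014-3634 fix. MD5 is not collision resistant, so the value catches a corrupted download but not a deliberately substituted archive. Record in the commit message how the 1.5.1 tarball was verified against upstream (signature or a SHA-256 digest), or add a stronger digest beside the MD5 line if the build system supports one. The same applies to the checksum hunks in lfs/libpcap, lfs/squid and lfs/tcpdump.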
hooks/post-receive -- IPFire 2.x development tree
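
The sysklogd 1.5.1 commit above cites CVE-2014-3634, an out-of-bounds array access reached through a crafted PRI value. The following C code is an added example, not sysklogd's code and not the upstream fix: it shows the range check a syslog receiver needs before a PRI is used as a table index. A PRI encodes facility * 8 + severity with 24 facilities, so valid values are 0..191; the table `facility_hits` and the function names are hypothetical.

```c
/* Added example: bounds-checked syslog PRI parsing (not sysklogd's code). */
#include <ctype.h>
#include <stddef.h>

#define NFACILITIES 24                      /* facilities 0..23 */
#define PRI_MAX     (NFACILITIES * 8 - 1)   /* 191 */
#define PRI_DEFAULT 13                      /* user.notice, used for a missing or invalid PRI */

/* Hypothetical facility-indexed table standing in for a daemon's per-facility state. */
static unsigned long facility_hits[NFACILITIES];

/*
 * Parse a leading "<PRI>" from msg. Returns the validated PRI (0..191) and
 * stores the offset of the first byte after '>' in *consumed. A missing,
 * malformed or out-of-range PRI yields PRI_DEFAULT with *consumed = 0.
 */
int parse_pri(const char *msg, size_t len, size_t *consumed)
{
    size_t i = 1;
    int pri = 0;

    *consumed = 0;
    if (len < 3 || msg[0] != '<')
        return PRI_DEFAULT;
    /* At most three digits are read, so pri can never overflow an int. */
    while (i < len && i <= 3 && isdigit((unsigned char)msg[i])) {
        pri = pri * 10 + (msg[i] - '0');
        i++;
    }
    /* Reject "<>", a missing '>', more than three digits, and values above 191. */
    if (i == 1 || i >= len || msg[i] != '>' || pri > PRI_MAX)
        return PRI_DEFAULT;
    *consumed = i + 1;
    return pri;
}

/* Count a message against its facility; returns the facility index used. */
int account_message(const char *msg, size_t len)
{
    size_t off;
    int pri = parse_pri(msg, len, &off);
    int fac = pri >> 3;     /* always < NFACILITIES because pri <= PRI_MAX */

    facility_hits[fac]++;
    return fac;
}
```

Without the `pri > PRI_MAX` test, a value such as 192 would give facility index 24, one past the end of a 24-entry table.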