This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, master has been updated
       via  fd2dccaabb2e28cf875d7d81c7faf90f7941f56b (commit)
       via  a59cf47b9e3dc8fe1f7a086b0e97ce6102d1f017 (commit)
       via  19ad0ddb2f92acb4d40aa615b2ab23a7c27a0efb (commit)
      from  a15dbe44971a47d8749497d75cbfd829ba09e9a3 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit fd2dccaabb2e28cf875d7d81c7faf90f7941f56b
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Fri Dec 13 17:28:00 2019 +0000
Core Update 139: fix syntax of generated Suricata DNS server file
The YAML syntax of /var/ipfire/suricata/suricata-dns-servers.yaml was invalid and caused Suricata to crash after upgrading to Core Update 139.
Due to strange NFQUEUE behaviour, this caused IPsec traffic to be emitted to the internet directly. While this patch represents a quick solution for Core Update 139, another one is needed for changing the iptables chain order to avoid similar information leaks in future.
Thanks to Michael for his debugging effort.
Fixes #12260
Partially fixes #12257

Cc: Michael Tremer <michael.tremer@ipfire.org>
Cc: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
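The commit message above describes the failure: an invalid YAML flow sequence in the generated DNS server file crashed Suricata. The following is an added example, not IPFire's code, showing how that sequence can be built so that none of the inputs the generator has to cope with (one line holding several servers, one server per line, a repeated address, the "local recursor" marker, an empty file) yields a malformed sequence. The function name dns_servers_sequence, the HOME_NET value and the sample file contents are constructed for this illustration, and the example stops at the bracketed sequence text rather than writing the full Suricata file.

```perl
#!/usr/bin/perl
# Added example (not IPFire's code): build the Suricata DNS server flow
# sequence from the text of a red/dns-style file. The function name and
# the HOME_NET value are assumptions made for this illustration.
use strict;
use warnings;

# Turn the raw file text into a YAML flow sequence such as "[1.1.1.1,9.9.9.9]".
# Any whitespace (spaces or newlines) separates servers; the two tokens
# "local recursor" mean that every address outside HOME_NET is a candidate.
sub dns_servers_sequence {
    my ($text, $home_net) = @_;

    # split(' ', ...) trims leading/trailing whitespace and newlines alike,
    # so a one-line file and a one-address-per-line file give the same list.
    my @servers = split(' ', $text);

    # Refuse to produce an empty group: keeping the previous good file is
    # safer than handing Suricata a configuration it may reject.
    die "no DNS servers configured\n" unless @servers;

    if (@servers >= 2 && $servers[0] eq 'local' && $servers[1] eq 'recursor') {
        return "[!$home_net]";
    }

    # Drop duplicates while keeping order, so a repeated address can neither
    # be glued to its neighbour nor appear twice in the sequence.
    my %seen;
    @servers = grep { !$seen{$_}++ } @servers;

    # join() puts a comma between every pair of entries and none after the
    # last one, which is exactly the "[a,b,c]" form a flow sequence needs.
    return '[' . join(',', @servers) . ']';
}

# Constructed inputs, including the single-line form that a newline-based
# loop turns into one space-separated entry.
my %cases = (
    "1.1.1.1 9.9.9.9\n"  => '[1.1.1.1,9.9.9.9]',
    "1.1.1.1\n9.9.9.9\n" => '[1.1.1.1,9.9.9.9]',
    "1.1.1.1 1.1.1.1\n"  => '[1.1.1.1]',
    "local recursor\n"   => '[!192.168.0.0/16]',
);

for my $input (sort keys %cases) {
    my $got = dns_servers_sequence($input, '192.168.0.0/16');
    die "mismatch for '$input': got $got\n" unless $got eq $cases{$input};
}

# An empty file must be rejected rather than turned into "[]".
my $empty = eval { dns_servers_sequence("", '192.168.0.0/16') };
die "empty file was not rejected\n" if defined $empty;

print "all constructed inputs produced well-formed flow sequences\n";
```

Whether Suricata accepts an empty address group is not something the page shows, which is why the example fails closed on an empty file instead of guessing; the caller can then keep the previously generated file and leave the existing Suricata instance running.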
commit a59cf47b9e3dc8fe1f7a086b0e97ce6102d1f017
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Fri Dec 13 16:31:00 2019 +0000
Core Update 139 needs a reboot
Fixes #12258
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
commit 19ad0ddb2f92acb4d40aa615b2ab23a7c27a0efb
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Fri Dec 13 16:30:00 2019 +0000
Core Update 139: apply SSH configuration and restart SSH daemon
Fixes #12259
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
 config/cfgroot/ids-functions.pl     | 51 +++++++++++++++++++------------------
 config/rootfiles/core/139/update.sh |  6 ++++-
 2 files changed, 31 insertions(+), 26 deletions(-)
Difference in files: diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 54d86f70f..89ad90c2e 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -17,7 +17,7 @@ # along with IPFire; if not, write to the Free Software # # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # # -# Copyright (C) 2018 IPFire Team info@ipfire.org. # +# Copyright (C) 2018-2019 IPFire Team info@ipfire.org # # # ############################################################################
@@ -706,7 +706,7 @@ sub generate_dns_servers_file() { open (FILE, "${General::swroot}/red/dns") or die "Could not read DNS configuration from ${General::swroot}/red/dns. $!\n";
# Read-in whole file content and store it in a temporary array. - my @file_content = <FILE>; + my @file_content = split(' ', <FILE>);
# Close file handle. close(FILE); @@ -714,31 +714,32 @@ sub generate_dns_servers_file() { # Format dns servers declaration. my $line = ""[";
- # Loop through the array which contains the file content. - foreach my $server (@file_content) { - # Remove newlines. - chomp($server); - - # Check if the current DNS configuration is using the local recursor mode. - if ($server eq "local recursor") { - # The responsible DNS servers on red are directly used, and because we are not able - # to specify each single DNS server address here, we currently have to thread each - # address which is not part of the HOME_NET as possible DNS server. - $line = "$line" . "!$HOME_NET"; - } else { + # Check if the current DNS configuration is using the local recursor mode. + if ($file_content[0] eq "local" && $file_content[1] eq "recursor") { + # The responsible DNS servers on red are directly used, and because we are not able + # to specify each single DNS server address here, we currently have to thread each + # address which is not part of the HOME_NET as possible DNS server. + $line = "$line" . "!$HOME_NET"; + + } else { + # Loop through the array which contains the file content. + foreach my $server (@file_content) { + # Remove newlines. + chomp($server); + # Add the DNS server to the line. $line = "$line" . "$server"; + + # Check if the current DNS server was the last in the array. + if ($server ne $file_content[-1]) { + # Add "," for the next DNS server. + $line = "$line" . ","; + } } + }
- # Check if the current DNS server was the last in the array. - if ($server eq $file_content[-1]) { - # Close the line. - $line = "$line" . "]""; - } else { - # Add "," for the next DNS server. - $line = "$line" . ","; - } - } + # Close the line... + $line = "$line" . "]"";
# Open file to store the used DNS server addresses. open(FILE, ">$dns_servers_file") or die "Could not open $dns_servers_file. $!\n"; @@ -866,7 +867,7 @@ sub get_suricata_version($) { # Remove newlines. chomp($version_string);
- # Grab the version from the version string. + # Grab the version from the version string. $version_string =~ /([0-9]+([.][0-9]+)+)/;
# Splitt the version into single chunks. @@ -882,7 +883,7 @@ sub get_suricata_version($) { } else { # Return the full version string. return "$major_ver.$minor_ver.$patchlevel"; - } + } }
# diff --git a/config/rootfiles/core/139/update.sh b/config/rootfiles/core/139/update.sh index d0b979d6b..df45990bb 100644 --- a/config/rootfiles/core/139/update.sh +++ b/config/rootfiles/core/139/update.sh @@ -58,10 +58,14 @@ ldconfig # Update Language cache /usr/local/bin/update-lang-cache
+# Apply local configuration to sshd_config +/usr/local/bin/sshctrl + # Start services +/etc/init.d/sshd restart
# This update needs a reboot... -#touch /var/run/need_reboot +touch /var/run/need_reboot
# Finish /etc/init.d/fireinfo start
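Review bot: `split(' ', <FILE>)` in the @@ -706 hunk of ids-functions.pl evaluates `<FILE>` in scalar context, so only the first line of ${General::swroot}/red/dns is read and any server on a later line is silently dropped. If the file is meant to be a single whitespace-separated line, say so in the comment; otherwise read the whole file, e.g. `my @file_content = split(' ', join('', <FILE>));`. An empty file also leaves @file_content empty, so the later `$file_content[0] eq "local"` test warns about an uninitialized value under `use warnings`; guard it with `@file_content >= 2 &&`.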
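Review bot: the `if ($server ne $file_content[-1])` test in the @@ -714 hunk compares values, not positions, so a server that appears twice (its first copy is equal to the last element) gets no trailing comma and the two addresses are glued together in the generated sequence, which is the same class of YAML breakage this commit sets out to fix. The loop, the test and the now dead `chomp($server)` (split(' ') has already stripped the newline) can all be replaced by `$line = "$line" . join(",", @file_content);`, which cannot produce a malformed sequence. Also, "thread each address" in the carried-over comment should read "treat each address".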
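Review bot: the @@ -866 and @@ -882 hunks in get_suricata_version() appear to change only whitespace (the `# Grab the version` comment and the closing `}` of the else branch are textually identical before and after) and have nothing to do with the DNS server file; whitespace cleanup belongs in its own commit so that backports and `git blame` of the actual fix stay clean.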
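Review bot: the sshd restart in the @@ -58 hunk of update.sh runs unconditionally after `/usr/local/bin/sshctrl`, so if sshctrl fails or writes an sshd_config the daemon rejects, the restart takes sshd down on a box that is typically being updated over SSH, and nothing in the script notices. Test the generated file first and only restart on success, e.g. `sshd -t && /etc/init.d/sshd restart` (OpenSSH's `-t` checks the configuration without starting the daemon), and log when the test fails. Since the same hunk sets /var/run/need_reboot, the commit message or a comment should also say why an immediate restart is needed in addition to the reboot.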
hooks/post-receive -- IPFire 2.x development tree