This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  6e8e9cba2a2865dd207dfbf8224e3a6c92941d9d (commit)
       via  2689789ec088dfb2a24d4b9ae85b001a4b8576fb (commit)
       via  2f0fb4492901771f6a830876155f3caf0b9d560b (commit)
       via  12697266f4004bf3dc99296bb56d76213cccf0c0 (commit)
       via  b655b21a45b550714e8bb75efeae5bdd36791956 (commit)
       via  520d214419650f90cb9491b6aea5cfe3763688b8 (commit)
       via  bd053b99b3feb2e7036822dbbac24b5ce80ce2df (commit)
      from  d62babe08e3284c3f18ad574b2a255195348c309 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 6e8e9cba2a2865dd207dfbf8224e3a6c92941d9d
Author: Peter Müller peter.mueller@ipfire.org
Date: Fri Sep 30 17:20:37 2022 +0000
linux: Update to 5.15.71
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 2689789ec088dfb2a24d4b9ae85b001a4b8576fb
Author: Peter Müller peter.mueller@ipfire.org
Date: Fri Sep 30 17:20:17 2022 +0000
configroot: Increase verbosiness of chown operations
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 2f0fb4492901771f6a830876155f3caf0b9d560b
Author: Peter Müller peter.mueller@ipfire.org
Date: Fri Sep 30 15:48:03 2022 +0000
Core Update 171: Ship and restart Suricata
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 12697266f4004bf3dc99296bb56d76213cccf0c0
Author: Matthias Fischer matthias.fischer@ipfire.org
Date: Thu Sep 29 22:21:57 2022 +0200
libhtp: Update to 0.5.41
Needed for 'suricata 6.0.8'
For details see: https://github.com/OISF/libhtp/releases/tag/0.5.41
"trim white space of invalid folding for first header
clear buffered data for body data
minor optimization for decompression code"
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit b655b21a45b550714e8bb75efeae5bdd36791956
Author: Matthias Fischer matthias.fischer@ipfire.org
Date: Thu Sep 29 22:21:56 2022 +0200
suricata: Update to 6.0.8
Changelog:
"6.0.8 -- 2022-09-27
Task #5552: libhtp 0.5.41
6.0.7 -- 2022-09-27
Security #5430: mqtt: DOS by quadratic with too many transactions in one parse (6.0.x backport)
Bug #5559: BUG_ON triggered from TmThreadsInjectFlowById (6.0.x backport)
Bug #5549: Failed assert DeStateSearchState (6.0.x)
Bug #5548: tcp: assertion failed in DoInsertSegment (BUG_ON) (6.0.x)
Bug #5547: rules: less strict parsing of unexpected flowbit options
Bug #5546: rules: don't error on bad hex in content
Bug #5540: detect: transform strip whitespace creates a 0-sized variable-length array: backport6
Bug #5505: http2: slow http2_frames_get_header_value_vec because of allocation [backport6]
Bug #5471: Reject action is no longer working (6.0.x backport)
Bug #5467: rules: more graceful handling of anomalies for stable versions
Bug #5459: Counters are not initialized in all places. (6.0.x backport)
Bug #5448: nfs: add maximum number of operations per compound (6.0.x backport)
Bug #5436: Infinite loop if the sniffing interface temporarily goes down (6.0.x backports)
Bug #5335: flow: vlan.use-for-tracking is not used for ICMPv4 (6.0.x backport)
Bug #4421: flow manager: using too much CPU during idle (6.0.x backport)
Feature #5535: ips: add "reject" action to exception policies (6.0.x backport)
Feature #5500: ips: midstream: add "exception policy" for midstream (6.0.x backport)
Task #5551: doc: add exception policy documentation (6.0.x)
Task #5533: detect/parse: add tests for parsing signatures with reject and drop action (6.0.x backport)
Task #5525: exceptions: error out when invalid configuration value is passed (6.0.x backport)
Task #5381: add `alert-queue-expand-fails` command-line option (6.0.x backport)
Task #5328: python: distutils deprecation warning (6.0.x backport)"
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 520d214419650f90cb9491b6aea5cfe3763688b8
Author: Peter Müller peter.mueller@ipfire.org
Date: Tue Sep 27 10:54:45 2022 +0000
Core Update 171: Fix backup {ex,in}clude file permissions
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit bd053b99b3feb2e7036822dbbac24b5ce80ce2df
Author: Peter Müller peter.mueller@ipfire.org
Date: Mon Sep 26 18:50:08 2022 +0000
backup: Set owner of {ex,in}clude{,.user} files to "root"
Since these files are static, there is no legitimate reason why they should be owned (hence writable) by "nobody". Also, according to configroot's LFS file, this is the intended behaviour for the *.user files, which is then overwritten by the backup LFS file. Therefore, set the file mode of these statically - configroot does not feature other files in /var/ipfire/backup/ anyway.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/rootfiles/common/suricata | 4 ++++
 config/rootfiles/{oldcore/131 => core/171}/filelists/libhtp | 0
 config/rootfiles/{oldcore/131 => core/171}/filelists/suricata | 0
 config/rootfiles/core/171/update.sh | 7 +++++++
 lfs/backup | 6 +++---
 lfs/configroot | 8 ++++----
 lfs/libhtp | 4 ++--
 lfs/linux | 4 ++--
 lfs/suricata | 4 ++--
 .../suricata-5.0.8-fix-level1-cache-line-size-detection.patch | 2 +-
 10 files changed, 25 insertions(+), 14 deletions(-)
 copy config/rootfiles/{oldcore/131 => core/171}/filelists/libhtp (100%)
 copy config/rootfiles/{oldcore/131 => core/171}/filelists/suricata (100%)
Difference in files: diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata index 043aba072..df297ebd6 100644 --- a/config/rootfiles/common/suricata +++ b/config/rootfiles/common/suricata @@ -1,6 +1,7 @@ etc/suricata etc/suricata/suricata.yaml usr/bin/suricata +#usr/include/suricata-plugin.h usr/sbin/convert-ids-backend-files #usr/share/doc/suricata #usr/share/doc/suricata/AUTHORS @@ -29,13 +30,16 @@ usr/share/suricata #usr/share/suricata/rules/dns-events.rules #usr/share/suricata/rules/files.rules #usr/share/suricata/rules/http-events.rules +#usr/share/suricata/rules/http2-events.rules #usr/share/suricata/rules/ipsec-events.rules #usr/share/suricata/rules/kerberos-events.rules #usr/share/suricata/rules/modbus-events.rules +#usr/share/suricata/rules/mqtt-events.rules #usr/share/suricata/rules/nfs-events.rules #usr/share/suricata/rules/ntp-events.rules #usr/share/suricata/rules/smb-events.rules #usr/share/suricata/rules/smtp-events.rules +#usr/share/suricata/rules/ssh-events.rules #usr/share/suricata/rules/stream-events.rules #usr/share/suricata/rules/tls-events.rules #usr/share/suricata/threshold.config diff --git a/config/rootfiles/core/171/filelists/libhtp b/config/rootfiles/core/171/filelists/libhtp new file mode 120000 index 000000000..676e2c5e8 --- /dev/null +++ b/config/rootfiles/core/171/filelists/libhtp @@ -0,0 +1 @@ +../../../common/libhtp \ No newline at end of file diff --git a/config/rootfiles/core/171/filelists/suricata b/config/rootfiles/core/171/filelists/suricata new file mode 120000 index 000000000..f671f6993 --- /dev/null +++ b/config/rootfiles/core/171/filelists/suricata @@ -0,0 +1 @@ +../../../common/suricata \ No newline at end of file diff --git a/config/rootfiles/core/171/update.sh b/config/rootfiles/core/171/update.sh index f626ed3b6..a8172a929 100644 --- a/config/rootfiles/core/171/update.sh +++ b/config/rootfiles/core/171/update.sh 
@@ -50,6 +50,7 @@ done /usr/local/bin/openvpnctrl -k /usr/local/bin/openvpnctrl -kn2n /etc/rc.d/init.d/ipsec stop +/etc/init.d/rc.d/suricata stop /etc/rc.d/init.d/collectd stop
KVER="xxxKVERxxx" @@ -221,8 +222,14 @@ ldconfig # Rebuild fcrontab from scratch /usr/bin/fcrontab -z
+# Fix backup file permissions +chown -v root:root /var/ipfire/backup/{in,ex}clude* + # Start services /etc/rc.d/init.d/collectd start +if grep -q "ENABLED=on" /var/ipfire/suricata/settings; then + /etc/rc.d/init.d/suricata start +fi /etc/rc.d/init.d/unbound start /etc/rc.d/init.d/apache start if grep -q "ENABLED=on" /var/ipfire/ovpn/settings; then diff --git a/lfs/backup b/lfs/backup index 6f686bf22..cf1e58c7e 100644 --- a/lfs/backup +++ b/lfs/backup @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2021 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2022 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -61,10 +61,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) -mkdir -p /var/ipfire/backup/bin install -v -m 755 -o root $(DIR_SRC)/config/backup/backup.pl /var/ipfire/backup/bin - install -v -m 644 $(DIR_SRC)/config/backup/include /var/ipfire/backup/ - install -v -m 644 $(DIR_SRC)/config/backup/exclude /var/ipfire/backup/ chown nobody:nobody -R /var/ipfire/backup/ chown root:root -R /var/ipfire/backup/bin/ + install -v -m 644 $(DIR_SRC)/config/backup/include /var/ipfire/backup/ + install -v -m 644 $(DIR_SRC)/config/backup/exclude /var/ipfire/backup/ -mkdir -p /var/ipfire/backup/addons -mkdir -p /var/ipfire/backup/addons/includes -mkdir -p /var/ipfire/backup/addons/backup diff --git a/lfs/configroot b/lfs/configroot index 31b9a9463..f278ccf77 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -167,10 +167,10 @@ $(TARGET) : cp $(DIR_SRC)/langs/*/cgi-bin/*.pl $(CONFIG_ROOT)/langs/
# Configroot permissions - chown -R nobody:nobody $(CONFIG_ROOT) - chown root:root $(CONFIG_ROOT) - for i in backup/ *.pl addon-lang/ langs/ ; do \ - chown -R root:root $(CONFIG_ROOT)/$$i; \ + chown -Rv nobody:nobody $(CONFIG_ROOT) + chown root:root $(CONFIG_ROOT) + for i in backup/exclude.user backup/include.user *.pl addon-lang/ langs/ ; do \ + chown -Rv root:root $(CONFIG_ROOT)/$$i; \ done chown -Rv root:root $(CONFIG_ROOT)/*/bin chown root:nobody $(CONFIG_ROOT)/dhcpc diff --git a/lfs/libhtp b/lfs/libhtp index ffc82f8cd..e3be4a73a 100644 --- a/lfs/libhtp +++ b/lfs/libhtp @@ -24,7 +24,7 @@
include Config
-VER = 0.5.40 +VER = 0.5.41
THISAPP = libhtp-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 37239d8d0afb6841c54bab1669a17ec7336b10998f8835ef91cf9556dd7449991ce6fb04a408d16b431ba6327b32f6f509a79a4c79ffc6e88e555fcf2e9f2cce +$(DL_FILE)_BLAKE2 = e6e790f76b8d08b89ffc483a218dd1b3a6f910ff1fe8e44d48bfaae2189d9df567c0199e9f20fde05dc4059f75a1e3c34f4f76f2c8818dc7ca4111538095e16d
install : $(TARGET)
diff --git a/lfs/linux b/lfs/linux index a1b32cc25..d35057b22 100644 --- a/lfs/linux +++ b/lfs/linux @@ -24,7 +24,7 @@
include Config
-VER = 5.15.68 +VER = 5.15.71 ARM_PATCHES = 5.15-ipfire5
THISAPP = linux-$(VER) @@ -78,7 +78,7 @@ objects =$(DL_FILE) \ $(DL_FILE) = $(URL_IPFIRE)/$(DL_FILE) arm-multi-patches-$(ARM_PATCHES).patch.xz = $(URL_IPFIRE)/arm-multi-patches-$(ARM_PATCHES).patch.xz
-$(DL_FILE)_BLAKE2 = b97474cbe59654ac29a5f514c08a85db9ec330f58e08de53386d4fcedeab3845d6ea5b55e478a49fa94466eda296f80c7835704e2a13d1d56f6e38ed51953ca1 +$(DL_FILE)_BLAKE2 = 77da2393a31b6c6fed7cdfef61a112ae49fcdfce96968daf8c7a690a6e65025c7238c1fe084d0bfda403dc56db877b6db99def12803e840cacf318da40327d7b arm-multi-patches-$(ARM_PATCHES).patch.xz_BLAKE2 = 58a70e757a9121a0aac83604a37aa787ec7ac0ee4970c5a3ac3bcb2dbaca32b00089cae6c0da5cf2fe0a2e156427b5165c6a86e0371a3e896f4c7cdd699c34a0
install : $(TARGET) diff --git a/lfs/suricata b/lfs/suricata index 1fbc2c185..857fb4e7b 100644 --- a/lfs/suricata +++ b/lfs/suricata @@ -24,7 +24,7 @@
include Config
-VER = 5.0.10 +VER = 6.0.8
THISAPP = suricata-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = b5c83b9882e89894c3dedb7f536d584a20bbeab24236752e528171db6589a6308422c8b0be4f433fc63b8cfc227aa0b67935a4aece943b10f4577398ea9ed467 +$(DL_FILE)_BLAKE2 = 1e445885f3a672081cbb8f17de9fb0fa21a2c618b80ea8d3d9362c0475149d833986cac047ad90b1c1a5b5b19025ff501a695e0f197c00457859b3858f51ecba
install : $(TARGET)
diff --git a/src/patches/suricata/suricata-5.0.8-fix-level1-cache-line-size-detection.patch b/src/patches/suricata/suricata-5.0.8-fix-level1-cache-line-size-detection.patch index 68a21f1e9..5aaabb167 100644 --- a/src/patches/suricata/suricata-5.0.8-fix-level1-cache-line-size-detection.patch +++ b/src/patches/suricata/suricata-5.0.8-fix-level1-cache-line-size-detection.patch @@ -2,7 +2,7 @@ diff --git a/configure.ac b/configure.ac index d56d3a550..81abf8f00 100644 --- a/configure.ac +++ b/configure.ac -@@ -2318,7 +2318,7 @@ fi +@@ -2390,7 +2390,7 @@ fi AC_PATH_PROG(HAVE_GETCONF_CMD, getconf, "no") if test "$HAVE_GETCONF_CMD" != "no"; then CLS=$(getconf LEVEL1_DCACHE_LINESIZE)
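Review bot: In the `@@ -50,6 +50,7 @@` hunk of config/rootfiles/core/171/update.sh, the added stop line reads `/etc/init.d/rc.d/suricata stop`, while the neighbouring ipsec and collectd lines and the later `suricata start` line all use `/etc/rc.d/init.d/`. With the two path components swapped the init script will most likely not be found, so Suricata keeps running while its binary and libhtp are replaced underneath it. Suggest `/etc/rc.d/init.d/suricata stop`.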
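Review bot: In the `@@ -221,8 +222,14 @@` hunk of update.sh, `chown -v root:root /var/ipfire/backup/{in,ex}clude*` changes owner and group but not the mode, so on an already-installed system the files are only protected from "nobody" if their existing mode has no group or other write bit. lfs/backup installs them with `-m 644`; a matching `chmod 644` on the same paths here would make the update enforce that rather than assume it. The brace expansion also requires bash, and the interpreter line of update.sh is not part of this hunk, so that is worth confirming.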
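Review bot: In the `@@ -61,10 +61,10 @@` hunk of lfs/backup, root ownership of include and exclude now rests solely on the two `install -v -m 644` lines running after `chown nobody:nobody -R /var/ipfire/backup/`, and unlike the backup.pl line above them they carry no `-o root`. Adding `-o root -g root` states the intent and survives a later reordering of the recipe. Separately, the directory /var/ipfire/backup/ itself is still handed to nobody by the recursive chown, so if it is owner-writable, nobody can rename or replace the root-owned files inside it; if the goal in the commit message is that nobody cannot alter these lists, the directory needs the same treatment.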
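Review bot: In the `for i in backup/exclude.user backup/include.user *.pl addon-lang/ langs/` loop of lfs/configroot, a failing `chown -Rv` on any entry but the last does not fail the recipe, because the loop's exit status is that of its final iteration (unless the recipe shell runs with -e, which is not visible here). Now that two individual files are listed instead of the backup/ directory, a missing exclude.user or include.user would pass unnoticed apart from one message in the now much longer verbose output. Suggest `chown -Rv root:root $(CONFIG_ROOT)/$$i || exit 1; \` inside the loop.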
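Review bot: The cache-line-size patch was refreshed for the new configure.ac (its hunk header moves from 2318 to 2390), but the file is still named suricata-5.0.8-fix-level1-cache-line-size-detection.patch while lfs/suricata now sets `VER = 6.0.8`. Consider renaming it, or dropping the version from the file name, so the name does not suggest it targets an older release.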
hooks/post-receive -- IPFire 2.x development tree