This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  74f47b18b1715d239639d135117a3c9f7b4b3755 (commit)
       via  dc5a89c948ec9c30352e44d19495e596758beabf (commit)
       via  a839e63f74ddf0618846164dc6d0c4cdef014289 (commit)
       via  70f6a96b46787cf2307574ef6f979154522833c1 (commit)
      from  327ded3408697884ec9fa484fca744e386facd1e (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 74f47b18b1715d239639d135117a3c9f7b4b3755
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Wed Sep 30 17:16:12 2020 +0000
core151: Ship & load /etc/sysctl.conf
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit dc5a89c948ec9c30352e44d19495e596758beabf
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Wed Sep 30 14:46:07 2020 +0000
sysctl.conf: drop RST packets for sockets in TIME-WAIT state
RFC 1337 describes various TCP (side channel) attacks against prematurely closed connections stalling in TIME-WAIT state, such as DoS or injecting arbitrary TCP segments, and recommends to silently discard RST packets for sockets in this state.
While applications still tied to such sockets should tolerate invalid input (thanks to Jon Postel), there is little legitimate reason to send such RST packets altogether.
At the time of writing, no collateral damage related to active RFC 1337 implementations is known. Measurements in productive environments did not reveal any side effects either, which is why I consider enabling the RFC 1337 implementation to be a safe change.
See also: https://tools.ietf.org/html/rfc1337
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit a839e63f74ddf0618846164dc6d0c4cdef014289
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Wed Sep 30 17:10:39 2020 +0000
stunnel: Package /var/lib/stunnel
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 70f6a96b46787cf2307574ef6f979154522833c1
Author: Erik Kapfer <ummeegge@ipfire.org>
Date:   Wed Sep 30 15:06:07 2020 +0200
stunnel: Update to version 5.56
The version jump from 5.44 to 5.56 includes several 'LOW' and 'HIGH' urgent bugfixes which are also security relevant. A full overview of fixes and new features can be found here: https://www.stunnel.org/NEWS.html
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
 config/etc/sysctl.conf                    | 11 ++++++++---
 config/rootfiles/core/151/filelists/files |  1 +
 config/rootfiles/core/151/update.sh       |  3 +++
 config/rootfiles/packages/stunnel         | 27 +++++++++++++--------------
 lfs/stunnel                               |  8 ++++----
 5 files changed, 29 insertions(+), 21 deletions(-)
Difference in files: diff --git a/config/etc/sysctl.conf b/config/etc/sysctl.conf index 7e7ebee44..d48c7734e 100644 --- a/config/etc/sysctl.conf +++ b/config/etc/sysctl.conf @@ -32,7 +32,7 @@ net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1
# Enable netfilter accounting -net.netfilter.nf_conntrack_acct=1 +net.netfilter.nf_conntrack_acct = 1
# Disable netfilter on bridges. net.bridge.bridge-nf-call-ip6tables = 0 @@ -86,10 +86,15 @@ net.ipv4.tcp_wmem = 4096 16384 16777216 net.ipv4.udp_mem = 3145728 4194304 16777216
# Prefer low latency over higher throughput -net.ipv4.tcp_low_latency=1 +net.ipv4.tcp_low_latency = 1
# Reserve more socket space for the TCP window -net.ipv4.tcp_adv_win_scale=2 +net.ipv4.tcp_adv_win_scale = 2
# Enable TCP fast-open net.ipv4.tcp_fastopen = 3 + +# Drop RST packets for sockets in TIME-WAIT state, as described in RFC 1337. +# This protects against various TCP attacks, such as DoS against or injection +# of arbitrary segments into prematurely closed connections. +net.ipv4.tcp_rfc1337 = 1 diff --git a/config/rootfiles/core/151/filelists/files b/config/rootfiles/core/151/filelists/files index bee0dabd5..8223d97de 100644 --- a/config/rootfiles/core/151/filelists/files +++ b/config/rootfiles/core/151/filelists/files @@ -3,6 +3,7 @@ etc/issue etc/rc.d/helper/exoscale-setup etc/rc.d/init.d/cloud-init etc/rc.d/init.d/functions +etc/sysctl.conf srv/web/ipfire/cgi-bin/country.cgi srv/web/ipfire/cgi-bin/credits.cgi srv/web/ipfire/cgi-bin/ipinfo.cgi diff --git a/config/rootfiles/core/151/update.sh b/config/rootfiles/core/151/update.sh index 69e34ae81..16135b2ef 100644 --- a/config/rootfiles/core/151/update.sh +++ b/config/rootfiles/core/151/update.sh @@ -57,6 +57,9 @@ if grep -q "ENABLED=on" /var/ipfire/vpn/settings; then fi /etc/init.d/collectd restart
+# Reload sysctl.conf +sysctl -p + # This update needs a reboot... #touch /var/run/need_reboot
diff --git a/config/rootfiles/packages/stunnel b/config/rootfiles/packages/stunnel index 6ec82dacd..0882ef4de 100644 --- a/config/rootfiles/packages/stunnel +++ b/config/rootfiles/packages/stunnel @@ -8,19 +8,18 @@ usr/bin/stunnel #usr/lib/stunnel/libstunnel.la usr/lib/stunnel/libstunnel.so #usr/share/doc/stunnel -#usr/share/doc/stunnel/AUTHORS -#usr/share/doc/stunnel/BUGS -#usr/share/doc/stunnel/COPYING -#usr/share/doc/stunnel/COPYRIGHT.GPL -#usr/share/doc/stunnel/CREDITS -#usr/share/doc/stunnel/ChangeLog -#usr/share/doc/stunnel/INSTALL -#usr/share/doc/stunnel/INSTALL.FIPS -#usr/share/doc/stunnel/INSTALL.W32 -#usr/share/doc/stunnel/INSTALL.WCE -#usr/share/doc/stunnel/PORTS -#usr/share/doc/stunnel/README -#usr/share/doc/stunnel/TODO +#usr/share/doc/stunnel/AUTHORS.md +#usr/share/doc/stunnel/BUGS.md +#usr/share/doc/stunnel/COPYING.md +#usr/share/doc/stunnel/COPYRIGHT.md +#usr/share/doc/stunnel/CREDITS.md +#usr/share/doc/stunnel/INSTALL.FIPS.md +#usr/share/doc/stunnel/INSTALL.W32.md +#usr/share/doc/stunnel/INSTALL.WCE.md +#usr/share/doc/stunnel/NEWS.md +#usr/share/doc/stunnel/PORTS.md +#usr/share/doc/stunnel/README.md +#usr/share/doc/stunnel/TODO.md #usr/share/doc/stunnel/examples #usr/share/doc/stunnel/examples/ca.html #usr/share/doc/stunnel/examples/ca.pl @@ -38,4 +37,4 @@ usr/lib/stunnel/libstunnel.so #usr/share/man/man8/stunnel.pl.8 var/ipfire/backup/addons/includes/stunnel var/lib/stunnel -var/lib/stunnel/run +#var/lib/stunnel/run diff --git a/lfs/stunnel b/lfs/stunnel index c7e8608c3..1ddb2a963 100644 --- a/lfs/stunnel +++ b/lfs/stunnel @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2018 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2020 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 5.44 +VER = 5.56
THISAPP = stunnel-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = stunnel -PAK_VER = 4 +PAK_VER = 5
DEPS =
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 47697dee496c80c8e352b2b705c4a571 +$(DL_FILE)_MD5 = 01b0ca9e071f582ff803a85d5ed72166
install : $(TARGET)
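Review bot: the `key=value` to `key = value` whitespace normalisation of nf_conntrack_acct, tcp_low_latency and tcp_adv_win_scale in the two config/etc/sysctl.conf hunks is unrelated to the behavioural change and makes the diff harder to audit; splitting it into its own commit would leave the security-relevant change as the single added line `net.ipv4.tcp_rfc1337 = 1` with its comment, which is what a reviewer of core151 wants to see in isolation.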
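Review bot: `sysctl -p` in the config/rootfiles/core/151/update.sh hunk exits non-zero if any key in /etc/sysctl.conf cannot be applied, for example the net.bridge.* keys visible in the first sysctl.conf hunk when br_netfilter is not loaded at that point, so make sure the update script does not treat that exit status as a failed update; it also relies on the new etc/sysctl.conf (added to filelists/files in this push) having been unpacked before this line runs, which is worth stating in a comment. If only the new setting needs to take effect immediately, `sysctl -w net.ipv4.tcp_rfc1337=1` is the narrower and more predictable call.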
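Review bot: commenting out `var/lib/stunnel/run` at the end of the config/rootfiles/packages/stunnel hunk means the package no longer creates that directory while `var/lib/stunnel` itself is still shipped; confirm that the initscript or stunnel creates `run` with the intended ownership and mode at start, otherwise a fresh install of the 5.56 package is missing its runtime directory. The commit message "stunnel: Package /var/lib/stunnel" would be clearer if it said why `run` is excluded (runtime state rather than package content).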
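Review bot: the lfs/stunnel hunk verifies the new 5.56 tarball by MD5 only (`$(DL_FILE)_MD5 = 01b0ca9e071f582ff803a85d5ed72166`), and the value is taken on trust from whoever prepared the update; since the commit message justifies the bump with security fixes, the reviewer should check this digest against the checksum or signature published with the upstream release before merging, and the build tree would benefit from moving its download verification to a SHA-2 digest, as MD5 is collision-prone.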
hooks/post-receive -- IPFire 2.x development tree