This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via 0b075172af1ae899337e7f072fc8490ae57e5501 (commit) via 0cf6bacad2cafcacdee5810c2a4080cb19aa85ae (commit) via b00797e260bc84be15cea26a144f560244be4c6e (commit) via 915c88931a2c5c4cd34ece5dc754cb8da984d2e3 (commit) from 06988eaf4961be6c74a9aefb8203eb7b53157bd6 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 0b075172af1ae899337e7f072fc8490ae57e5501 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Nov 19 12:54:41 2015 +0000
core96: Ship changed files
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 0cf6bacad2cafcacdee5810c2a4080cb19aa85ae Author: Alexander Marx alexander.marx@ipfire.org Date: Mon Nov 16 12:01:07 2015 +0100
BUG10984: Fix portforwardconverter for upgrades before core 77
When upgrading from a post core-77 installation, the portforwarding rules seem to get broken. With this patch the sourceports and the subnetmasks from the rules are converted correctly.
Signed-off-by: Alexander Marx alexander.marx@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b00797e260bc84be15cea26a144f560244be4c6e Author: Alexander Marx alexander.marx@ipfire.org Date: Thu Nov 19 11:09:49 2015 +0100
BUG10963: implement a better email verification
We now check all allowed chars in the address before the @ sign. The domainpart after the '@' sign is just checked for valid chars, so that user@ipfire is valid, too
Signed-off-by: Alexander Marx alexander.marx@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 915c88931a2c5c4cd34ece5dc754cb8da984d2e3 Author: Michael Tremer michael.tremer@ipfire.org Date: Thu Nov 19 12:52:31 2015 +0000
strongswan: Update to 5.3.4
Fixes a security vulnerability in the EAP-MSCHAPv2 plugin that is filed under CVE-2015-8023.
https://www.strongswan.org/blog/2015/11/16/strongswan-vulnerability-%28cve-2...
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes: config/cfgroot/general-functions.pl | 29 +++++++++++++++------- config/firewall/convert-portfw | 29 +++++++++++++--------- config/rootfiles/core/96/filelists/files | 2 ++ .../96}/filelists/i586/strongswan-padlock | 0 .../{oldcore/95 => core/96}/filelists/strongswan | 0 lfs/strongswan | 4 +-- 6 files changed, 41 insertions(+), 23 deletions(-) copy config/rootfiles/{oldcore/95 => core/96}/filelists/i586/strongswan-padlock (100%) copy config/rootfiles/{oldcore/95 => core/96}/filelists/strongswan (100%)
Difference in files: diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl index 2b5cd19..f3a2e47 100644 --- a/config/cfgroot/general-functions.pl +++ b/config/cfgroot/general-functions.pl @@ -655,7 +655,7 @@ sub validfqdn my @parts = split (/./, $fqdn); # Split hostname at the '.' if (scalar(@parts) < 2) { # At least two parts should return 0;} # exist in a FQDN - # (i.e. hostname.domain) + # (i.e.hostname.domain) foreach $part (@parts) { # Each part should be at least one character in length # but no more than 63 characters @@ -747,14 +747,25 @@ sub ipcidr2msk { }
sub validemail {
- my $mail = shift;
- return 0 if ( $mail !~ /^[0-9a-zA-Z.-_]+@[0-9a-zA-Z.-]+$/ );
- return 0 if ( $mail =~ /^[^0-9a-zA-Z]|[^0-9a-zA-Z]$/);
- return 0 if ( $mail !~ /([0-9a-zA-Z]{1})@./ );
- return 0 if ( $mail !~ /.@([0-9a-zA-Z]{1})/ );
- return 0 if ( $mail =~ /..-.|.-..|....|.--./g );
- return 0 if ( $mail =~ /.._.|.-_.|._..|._-.|.__./g );
- return 0 if ( $mail !~ /.([a-zA-Z]{2,4})$/ );
+ my $address = shift;
+ my @parts = split( /@/, $address );
+ my $count=@parts;
+
+ #check if we have one part before and after '@'
+ return 0 if ( $count != 2 );
+
+ #check if one of the parts starts or ends with a dot
+ return 0 if ( substr($parts[0],0,1) eq '.' );
+ return 0 if ( substr($parts[0],-1,1) eq '.' );
+ return 0 if ( substr($parts[1],0,1) eq '.' );
+ return 0 if ( substr($parts[1],-1,1) eq '.' );
+
+ #check first addresspart (before '@' sign)
+ return 0 if ( $parts[0] !~ m/^[a-zA-Z0-9.!-+#]+$/ );
+
+ #check second addresspart (after '@' sign)
+ return 0 if ( $parts[1] !~ m/^[a-zA-Z0-9.-]+$/ );
+
return 1;
}
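Review bot: The new validemail still lets some malformed addresses through: `split( /@/, $address )` discards trailing empty fields, so `user@host@` yields two parts and passes the `$count != 2` check, and the `$` anchor in both part checks also matches before a trailing newline. Passing a limit, `my @parts = split( /@/, $address, -1 );`, and anchoring with `\z` instead of `$` would reject both, which matters wherever the validated address is later written to a config file or handed to a mail command. As printed here the local-part class `[a-zA-Z0-9.!-+#]` treats `!-+` as a range (it admits quotes, `$`, `&` and parentheses but not a literal `-`) and no longer accepts `_`; this listing appears to have lost backslashes, so confirm against the file and place the hyphen last in the class.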
diff --git a/config/firewall/convert-portfw b/config/firewall/convert-portfw index 8660e7c..8383b5a 100755 --- a/config/firewall/convert-portfw +++ b/config/firewall/convert-portfw @@ -60,24 +60,24 @@ close(ALIAS); &write_rules; sub get_config { + my $baseipfireport; + my $basesource; print LOG "STEP 1: Get config from old portforward\n#########################################\n"; foreach my $line (@current){ - if($jump eq '1'){ - $jump=''; - $count++; - next; - } my $u=$count+1; ($key,$flag,$prot,$ipfireport,$target,$targetport,$active,$alias,$source,$remark) = split(",",$line); ($key1,$flag1,$prot1,$ipfireport1,$target1,$targetport1,$active1,$alias1,$source1,$remark1) = split(",",$current[$u]); - if ($flag1 eq '1'){ - $source=$source1; - $jump='1'; + if ($key == $key1 && $flag == '0'){ + $baseipfireport = $ipfireport; + } + if ($key == $key1 && $flag1 == '1'){ + $count++; + next; } my $now=localtime; chomp($remark); - print LOG "$now processing-> KEY: $key FLAG: $flag PROT: $prot FIREPORT: $ipfireport TARGET: $target TGTPORT: $targetport ACTIVE: $active ALIAS: $alias SOURCE: $source REM: $remark Doublerule: $jump\n"; - push (@values,$prot.",".$ipfireport.",".$target.",".$targetport.",".$active.",".$alias.",".$source.",".$remark); + print LOG "$now processing-> KEY: $key FLAG: $flag PROT: $prot FIREPORT: $baseipfireport TARGET: $target TGTPORT: $targetport ACTIVE: $active ALIAS: $alias SOURCE: $source REM: $remark Doublerule: $jump\n"; + push (@values,$prot.",".$baseipfireport.",".$target.",".$targetport.",".$active.",".$alias.",".$source.",".$remark); $count++; } } @@ -101,10 +101,15 @@ sub build_rules }else{ $src = 'src_addr'; my ($a,$b) = split("/",$source); - $src1 = $a."/32"; + if ($b != ''){ + $b = &General::iporsubtocidr($b); + }else{ + $b = "32"; + } + $src1 = $a."/".$b; } #get ipfire ip - if($alias eq '0.0.0.0'){ + if($alias eq '0.0.0.0' || $alias eq '0'){ $alias='Default IP'; }else{ foreach my $ali (@alias){ 
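Review bot: In get_config every pushed rule now takes its port from `$baseipfireport`, which is only assigned when the current line has flag 0 and the next line carries the same key, so an entry that does not follow such a pair is written with the previous rule's port or with none. Setting it on every base line, e.g. `$baseipfireport = $ipfireport if $flag eq '0';`, would keep a converted forwarding rule from silently inheriting another rule's port. On the last element `$current[$u]` is undefined, so `$key == $key1` compares against undef; the numeric `==` on `$flag`/`$flag1` with quoted operands would read more clearly as `eq`. `$basesource` is declared but never used in this hunk, and the log line still prints `$jump`, which the new code no longer sets.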
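Review bot: The new mask handling in build_rules tests `$b != ''`, a numeric comparison, so an absent mask (undef) and any mask that numifies to 0 are both treated as empty and fall through to `/32`, with warnings if they are enabled; `if (defined $b && $b ne '')` states the intent. The result of `&General::iporsubtocidr($b)` is used unchecked, so if that helper returns nothing for an unrecognised mask (its definition is not in this diff) `$src1` ends up as an address followed by a bare `/`. Checking the return value before building `$src1` would keep a malformed source out of the converted firewall rule. build_rules starts and ends outside this hunk.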
diff --git a/config/rootfiles/core/96/filelists/files b/config/rootfiles/core/96/filelists/files
index 9e120af..9e64edc 100644
--- a/config/rootfiles/core/96/filelists/files
+++ b/config/rootfiles/core/96/filelists/files
@@ -2,3 +2,5 @@ etc/system-release
etc/issue
etc/rc.d/init.d/snort
opt/pakfire/lib/functions.pl
+usr/sbin/convert-portfw
+var/ipfire/general-functions.pl
diff --git a/config/rootfiles/core/96/filelists/i586/strongswan-padlock b/config/rootfiles/core/96/filelists/i586/strongswan-padlock
new file mode 120000
index 0000000..2412824
--- /dev/null
+++ b/config/rootfiles/core/96/filelists/i586/strongswan-padlock
@@ -0,0 +1 @@
+../../../../common/i586/strongswan-padlock
\ No newline at end of file
diff --git a/config/rootfiles/core/96/filelists/strongswan b/config/rootfiles/core/96/filelists/strongswan
new file mode 120000
index 0000000..90c727e
--- /dev/null
+++ b/config/rootfiles/core/96/filelists/strongswan
@@ -0,0 +1 @@
+../../../common/strongswan
\ No newline at end of file
diff --git a/lfs/strongswan b/lfs/strongswan
index 2a181a3..566f1af 100644
--- a/lfs/strongswan
+++ b/lfs/strongswan
@@ -24,7 +24,7 @@
include Config
-VER = 5.3.3
+VER = 5.3.4
THISAPP = strongswan-$(VER)
DL_FILE = $(THISAPP).tar.bz2
@@ -48,7 +48,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 5a25f3d1c31a77ef44d14a2e7b3eaad0
+$(DL_FILE)_MD5 = 655a632a515c74a99f2e9cc337ab2f33
install : $(TARGET)
hooks/post-receive -- IPFire 2.x development tree