This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  0b0a3634cdb241335f629e3173b607c3f4c3f304 (commit)
       via  55f4de214f5e0743af231eb79fae046f431bfefd (commit)
       via  8bf1c9f65de3004d2e5f967c5d8b295d6efe4977 (commit)
       via  d383248063ada7a923fef245fa7ff7a5bdaf2444 (commit)
       via  006b79aaa9c2da9a71267d93f0f15a6e34fe81a2 (commit)
       via  af8e5145fa969f0c99c9650c16e05bc71d7297b1 (commit)
       via  2ff56df4e045f5ebca0bc3142ce60410bc51cb30 (commit)
       via  dce34b2dcba3ed3db2051f2b0a3e415c6205913c (commit)
      from  3c90dd92a5c23afe5216e91d57b19d1563adb2aa (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 0b0a3634cdb241335f629e3173b607c3f4c3f304
Author: Arne Fitzenreiter arne_f@ipfire.org
Date:   Wed Apr 1 14:59:42 2020 +0000

    core143: stop/start updated services

    Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org

commit 55f4de214f5e0743af231eb79fae046f431bfefd
Author: Arne Fitzenreiter arne_f@ipfire.org
Date:   Wed Apr 1 14:50:47 2020 +0000

    core143: add suricata.yaml

    Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org

commit 8bf1c9f65de3004d2e5f967c5d8b295d6efe4977
Author: Peter Müller peter.mueller@ipfire.org
Date:   Wed Apr 1 12:17:00 2020 +0000

    OpenSSL: update to 1.1.1f

    Fixes #12345 (yes, that's the real bug ID :-) )

    Cc: Arne Fitzenreiter arne.fitzenreiter@ipfire.org
    Cc: Michael Tremer michael.tremer@ipfire.org
    Signed-off-by: Peter Müller peter.mueller@ipfire.org
    Reviewed-by: Michael Tremer michael.tremer@ipfire.org
    Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org

commit d383248063ada7a923fef245fa7ff7a5bdaf2444
Author: Stefan Schantl stefan.schantl@ipfire.org
Date:   Wed Apr 1 11:02:06 2020 +0200

    Suricata: Add port 81 (UpdateAccelerator) to group of HTTP ports.

    Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
    Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org

commit 006b79aaa9c2da9a71267d93f0f15a6e34fe81a2
Author: Arne Fitzenreiter arne_f@ipfire.org
Date:   Wed Apr 1 14:42:55 2020 +0000

    core143: add ids.cgi

    Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org

commit af8e5145fa969f0c99c9650c16e05bc71d7297b1
Author: Stefan Schantl stefan.schantl@ipfire.org
Date:   Wed Apr 1 10:32:40 2020 +0200

    ids.cgi: Restart suricata if necessary when altering the ruleset.

    Suricata does support re-reading its configuration files and therefore we need to restart it, if one or more ruleset files should be loaded or not loaded anymore.

    If simply some rules inside the same files are activated or deactivated we are still fine to call the reload method to send suricata the signal to reload its ruleset.

    Fixes #12340.

    Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
    Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org

commit 2ff56df4e045f5ebca0bc3142ce60410bc51cb30
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Tue Mar 31 09:49:04 2020 +0000

    strongswan: Build sha3 plugin

    Signed-off-by: Michael Tremer michael.tremer@ipfire.org
    Reviewed-by: Peter Müller peter.mueller@ipfire.org
    Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org

commit dce34b2dcba3ed3db2051f2b0a3e415c6205913c
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Tue Mar 31 09:49:03 2020 +0000

    strongswan: Update to 5.8.4

    Signed-off-by: Michael Tremer michael.tremer@ipfire.org
    Reviewed-by: Peter Müller peter.mueller@ipfire.org
    Signed-off-by: Arne Fitzenreiter arne_f@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/rootfiles/common/strongswan        |  3 +++
 config/rootfiles/core/143/filelists/files |  2 ++
 config/rootfiles/core/143/update.sh       |  9 ++++++++-
 config/suricata/suricata.yaml             |  2 +-
 html/cgi-bin/ids.cgi                      | 19 +++++++++++++++++--
 lfs/openssl                               |  6 +++---
 lfs/strongswan                            |  5 +++--
 7 files changed, 37 insertions(+), 9 deletions(-)
Difference in files: diff --git a/config/rootfiles/common/strongswan b/config/rootfiles/common/strongswan index d337ef506..ff363f08c 100644 --- a/config/rootfiles/common/strongswan +++ b/config/rootfiles/common/strongswan @@ -57,6 +57,7 @@ etc/strongswan.d/charon/resolve.conf etc/strongswan.d/charon/revocation.conf etc/strongswan.d/charon/sha1.conf etc/strongswan.d/charon/sha2.conf +etc/strongswan.d/charon/sha3.conf etc/strongswan.d/charon/socket-default.conf etc/strongswan.d/charon/sshkey.conf etc/strongswan.d/charon/stroke.conf @@ -153,6 +154,7 @@ usr/lib/ipsec/plugins/libstrongswan-resolve.so usr/lib/ipsec/plugins/libstrongswan-revocation.so usr/lib/ipsec/plugins/libstrongswan-sha1.so usr/lib/ipsec/plugins/libstrongswan-sha2.so +usr/lib/ipsec/plugins/libstrongswan-sha3.so usr/lib/ipsec/plugins/libstrongswan-socket-default.so usr/lib/ipsec/plugins/libstrongswan-sshkey.so usr/lib/ipsec/plugins/libstrongswan-stroke.so @@ -240,6 +242,7 @@ usr/sbin/swanctl #usr/share/strongswan/templates/config/plugins/revocation.conf #usr/share/strongswan/templates/config/plugins/sha1.conf #usr/share/strongswan/templates/config/plugins/sha2.conf +#usr/share/strongswan/templates/config/plugins/sha3.conf #usr/share/strongswan/templates/config/plugins/socket-default.conf #usr/share/strongswan/templates/config/plugins/sshkey.conf #usr/share/strongswan/templates/config/plugins/stroke.conf diff --git a/config/rootfiles/core/143/filelists/files b/config/rootfiles/core/143/filelists/files index 216c98fa9..28c759fe3 100644 --- a/config/rootfiles/core/143/filelists/files +++ b/config/rootfiles/core/143/filelists/files @@ -4,8 +4,10 @@ srv/web/ipfire/cgi-bin/credits.cgi var/ipfire/langs etc/rc.d/init.d/firewall etc/rc.d/init.d/localnet +etc/suricata/suricata.yaml srv/web/ipfire/cgi-bin/dhcp.cgi srv/web/ipfire/cgi-bin/fireinfo.cgi +srv/web/ipfire/cgi-bin/ids.cgi srv/web/ipfire/cgi-bin/mail.cgi srv/web/ipfire/cgi-bin/netother.cgi srv/web/ipfire/cgi-bin/ovpnmain.cgi 
diff --git a/config/rootfiles/core/143/update.sh b/config/rootfiles/core/143/update.sh index 51c4557bd..cb07bbb59 100644 --- a/config/rootfiles/core/143/update.sh +++ b/config/rootfiles/core/143/update.sh @@ -24,7 +24,7 @@ . /opt/pakfire/lib/functions.sh /usr/local/bin/backupctrl exclude >/dev/null 2>&1
-core=142 +core=143
exit_with_error() { # Set last succesfull installed core. @@ -48,6 +48,7 @@ done rm -rf /usr/lib/go/9.2.0
# Stop services +/etc/init.d/suricata stop
# move swap after mount mv -f /etc/rc.d/rcsysinit.d/S20swap \ @@ -74,6 +75,12 @@ telinit u # Apply local configuration to sshd_config /usr/local/bin/sshctrl
+# Start services +/usr/local/bin/ipsecctrl S +/etc/init.d/unbound restart +/etc/init.d/sshd restart +/etc/init.d/suricata start + # remove dropped packages for package in bluetooth; do if [ -e /opt/pakfire/db/installed/meta-$package ]; then diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index ed71898f4..cb7ececb4 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -30,7 +30,7 @@ vars: ENIP_SERVER: "$HOME_NET"
port-groups: - HTTP_PORTS: "80" + HTTP_PORTS: "[80,81]" SHELLCODE_PORTS: "!80" ORACLE_PORTS: 1521 SSH_PORTS: "[22,222]" diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 2a8a7cb26..c3e5eefdb 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -412,6 +412,9 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { # Hash to store the user-enabled and disabled sids. my %enabled_disabled_sids;
+ # Store if a restart of suricata is required. + my $suricata_restart_required; + # Loop through the hash of idsrules. foreach my $rulefile(keys %idsrules) { # Check if the rulefile is enabled. @@ -419,6 +422,12 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { # Add rulefile to the array of enabled rulefiles. push(@enabled_rulefiles, $rulefile);
+ # Check if the state of the rulefile has been changed. + unless ($cgiparams{$rulefile} eq $idsrules{$rulefile}{'Rulefile'}{'State'}) { + # A restart of suricata is required to apply the changes of the used rulefiles. + $suricata_restart_required = 1; + } + # Drop item from cgiparams hash. delete $cgiparams{$rulefile}; } @@ -513,8 +522,14 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) {
# Check if the IDS is running. if(&IDS::ids_is_running()) { - # Call suricatactrl to perform a reload. - &IDS::call_suricatactrl("reload"); + # Check if a restart of suricata is required. + if ($suricata_restart_required) { + # Call suricatactrl to perform the restart. + &IDS::call_suricatactrl("restart"); + } else { + # Call suricatactrl to perform a reload. + &IDS::call_suricatactrl("reload"); + } }
# Reload page. diff --git a/lfs/openssl b/lfs/openssl index c46e0d53f..06b999a15 100644 --- a/lfs/openssl +++ b/lfs/openssl @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2019 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2020 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 1.1.1e +VER = 1.1.1f
THISAPP = openssl-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -87,7 +87,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = baeff2a64d2f3d7e0a69b677c9977b57 +$(DL_FILE)_MD5 = 3f486f2f4435ef14b81814dbbc7b48bb
install : $(TARGET)
diff --git a/lfs/strongswan b/lfs/strongswan index ed88c0458..3be90db9a 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -24,7 +24,7 @@
include Config
-VER = 5.8.2 +VER = 5.8.4
THISAPP = strongswan-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = d94eac2caed51b0cc776e5887b10bace +$(DL_FILE)_MD5 = 0634e7f40591bd3f6770e583c3f27d29
install : $(TARGET)
@@ -95,6 +95,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --enable-eap-mschapv2 \ --enable-eap-identity \ --enable-chapoly \ + --enable-sha3 \ --disable-padlock \ --disable-rc2 \ $(CONFIGURE_OPTIONS)
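Review bot: in html/cgi-bin/ids.cgi (hunk at -419,6), the new state comparison sits inside the branch that handles enabled rulefiles, directly after `push(@enabled_rulefiles, $rulefile);`, so as far as the visible context shows it only fires when a rulefile is being switched on. The commit message also asks for a restart when a file should not be loaded anymore, but a rulefile that was enabled and is now unchecked never reaches this `unless`, and the save falls through to `reload`, leaving the old file's rules loaded in the running IDS. Suggest moving the comparison in front of the enabled check, or adding the mirror test for rulefiles whose stored `State` is on but which are absent from `%cgiparams`. Initialising the flag explicitly (`my $suricata_restart_required = 0;`) would also make the later `if` easier to read.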
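Review bot: in config/rootfiles/core/143/update.sh, the `/etc/init.d/suricata start` added under "# Start services" is unconditional, and nothing in the visible lines records whether the IDS was running or enabled before `/etc/init.d/suricata stop`. Unless the init script itself refuses to start a disabled IDS, a system that had it switched off comes out of the update with it running. Suggest capturing the state before the stop and starting only if it was up. Separately, suricata stays down from the stop until near the end of the script, while unbound and sshd get an in-place `restart`; a comment explaining why suricata needs the full stop/start window would help.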
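Review bot: in config/suricata/suricata.yaml, `HTTP_PORTS` becomes "[80,81]" but the next line still reads `SHELLCODE_PORTS: "!80"`, so the two groups no longer agree on what counts as an HTTP port. Rules keyed on `SHELLCODE_PORTS` will now inspect the Update Accelerator traffic on port 81 that the HTTP rules also cover, which is a likely source of false positives on large binary downloads. Suggest deciding whether 81 should be excluded there as well, and noting the decision in the commit message either way.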
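Review bot: in lfs/openssl and lfs/strongswan, the only integrity pin updated for the new tarballs is `$(DL_FILE)_MD5`. MD5 is not collision resistant, so for two security-critical packages (TLS library and IPsec daemon) it is a weak anchor against a tampered download. Suggest carrying a SHA-256 or BLAKE2 digest alongside it and checking the tarball against the upstream signature when the version is bumped. The commit messages for both bumps would also benefit from a line naming the upstream release notes or the fixes being picked up, since "Fixes #12345" and "Update to 5.8.4" give a reviewer nothing to verify the version jump against.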
hooks/post-receive -- IPFire 2.x development tree