From: git@ipfire.org
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. b5fe050fce03a7ee2547a1162452c8211d2eea8d
Date: Fri, 28 Apr 2017 13:10:00 +0100
Message-ID: <20170428121001.1826310853C3@git01.ipfire.org>
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via b5fe050fce03a7ee2547a1162452c8211d2eea8d (commit)
via 07002f2bca7efd49d8baea0dadf193a29f27604b (commit)
via abd12bd073dd0be74d97e2f204027f2a4346549a (commit)
via 3d5c499e0ca73c9a787815b8894d6cfcb0416a1b (commit)
via f3dfb261c8c78f7806bcf215646f9d3618d151f5 (commit)
via 7090074557516deaaff9b1a84f4f8beec6c4dadd (commit)
from 0e8f275e80d8ad517019f7c0f8349a5a16ea9f1b (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit b5fe050fce03a7ee2547a1162452c8211d2eea8d
Author: Matthias Fischer <matthias.fischer(a)ipfire.org>
Date: Mon Apr 24 20:56:29 2017 +0200
unbound: Update to 1.6.2
For details see:
http://www.unbound.net/download.html
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 07002f2bca7efd49d8baea0dadf193a29f27604b
Author: Matthias Fischer <matthias.fischer(a)ipfire.org>
Date: Tue Apr 25 21:08:32 2017 +0200
bind: Update to 9.11.1
For details see:
https://ftp.isc.org/isc/bind9/9.11.1/RELEASE-NOTES-bind-9.11.1.html
"Security Fixes
rndc "" could trigger an assertion failure in named. This flaw is disclosed
in (CVE-2017-3138). [RT #44924]
Some chaining (i.e., type CNAME or DNAME) responses to upstream queries could
trigger assertion failures. This flaw is disclosed in CVE-2017-3137. [RT #44734]
dns64 with break-dnssec yes; can result in an assertion failure. This flaw is
disclosed in CVE-2017-3136. [RT #44653]
If a server is configured with a response policy zone (RPZ) that rewrites an
answer with local data, and is also configured for DNS64 address mapping, a NULL
pointer can be read triggering a server crash. This flaw is disclosed in
CVE-2017-3135. [RT #44434]
A coding error in the nxdomain-redirect feature could lead to an assertion failure
if the redirection namespace was served from a local authoritative data source such
as a local zone or a DLZ instead of via recursive lookup. This flaw is disclosed in
CVE-2016-9778. [RT #43837]
named could mishandle authority sections with missing RRSIGs, triggering an
assertion failure. This flaw is disclosed in CVE-2016-9444. [RT #43632]
named mishandled some responses where covering RRSIG records were returned without
the requested data, resulting in an assertion failure. This flaw is disclosed in
CVE-2016-9147. [RT #43548]
named incorrectly tried to cache TKEY records which could trigger an assertion failure
when there was a class mismatch. This flaw is disclosed in CVE-2016-9131. [RT #43522]
It was possible to trigger assertions when processing responses containing answers of
type DNAME. This flaw is disclosed in CVE-2016-8864. [RT #43465]
Added the ability to specify the maximum number of records permitted in a zone
(max-records #;). This provides a mechanism to block overly large zone transfers, which
is a potential risk with slave zones from other parties, as described in CVE-2016-6170.
[RT #42143]
Bug Fixes
A synthesized CNAME record appearing in a response before the associated DNAME could be
cached, when it should not have been. This was a regression introduced while addressing
CVE-2016-8864. [RT #44318]
named could deadlock if multiple changes to NSEC/NSEC3 parameters for the same zone were
being processed at the same time. [RT #42770]
named could trigger an assertion when sending NOTIFY messages. [RT #44019]
Referencing a nonexistent zone in a response-policy statement could cause an assertion
failure during configuration. [RT #43787]
rndc addzone could cause a crash when attempting to add a zone with a type other than
master or slave. Such zones are now rejected. [RT #43665]
named could hang when encountering log file names with large apparent gaps in version
number (for example, when files exist called "logfile.0", "logfile.1", and
"logfile.1482954169"). This is now handled correctly. [RT #38688]
If a zone was updated while named was processing a query for nonexistent data, it could
return out-of-sync NSEC3 records causing potential DNSSEC validation failure. [RT #43247]"
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit abd12bd073dd0be74d97e2f204027f2a4346549a
Author: Matthias Fischer <matthias.fischer(a)ipfire.org>
Date: Tue Apr 25 21:13:17 2017 +0200
nano: Update to 2.8.1
For details see:
https://www.nano-editor.org/news.php
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 3d5c499e0ca73c9a787815b8894d6cfcb0416a1b
Author: Matthias Fischer <matthias.fischer(a)ipfire.org>
Date: Fri Apr 28 08:17:33 2017 +0200
logrotate: Update to 3.12.1
For details see:
https://github.com/logrotate/logrotate/blob/master/ChangeLog.md
Best,
Matthias
Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit f3dfb261c8c78f7806bcf215646f9d3618d151f5
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Apr 28 13:03:46 2017 +0100
OpenVPN: Mark SHA1 as weak
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 7090074557516deaaff9b1a84f4f8beec6c4dadd
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Apr 28 13:01:41 2017 +0100
OpenVPN: Use SHA512 by default
This will break compatibility with old clients like
Windows XP, but these are too old now to be supported.
SHA1 is considered to be weak and should not be used any more.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/rootfiles/common/logrotate | 4 ++--
config/rootfiles/common/unbound | 2 +-
config/rootfiles/packages/nano | 3 ++-
html/cgi-bin/ovpnmain.cgi | 10 +++++-----
lfs/bind | 4 ++--
lfs/logrotate | 12 ++++++++----
lfs/nano | 10 +++++-----
lfs/unbound | 4 ++--
8 files changed, 27 insertions(+), 22 deletions(-)
Difference in files:
diff --git a/config/rootfiles/common/logrotate b/config/rootfiles/common/logrotate
index 8ef728c..0583525 100644
--- a/config/rootfiles/common/logrotate
+++ b/config/rootfiles/common/logrotate
@@ -1,6 +1,6 @@
#etc/logrotate.d
etc/logrotate.d/.empty
-#usr/man/man5/logrotate.conf.5
-#usr/man/man8/logrotate.8
usr/sbin/logrotate
+#usr/share/man/man5/logrotate.conf.5
+#usr/share/man/man8/logrotate.8
var/lib/logrotate.status
diff --git a/config/rootfiles/common/unbound b/config/rootfiles/common/unbound
index 824567e..c626fd6 100644
--- a/config/rootfiles/common/unbound
+++ b/config/rootfiles/common/unbound
@@ -11,7 +11,7 @@ etc/unbound/unbound.conf
#usr/lib/libunbound.la
#usr/lib/libunbound.so
usr/lib/libunbound.so.2
-usr/lib/libunbound.so.2.4.4
+usr/lib/libunbound.so.2.5.1
usr/sbin/unbound
usr/sbin/unbound-anchor
usr/sbin/unbound-checkconf
diff --git a/config/rootfiles/packages/nano b/config/rootfiles/packages/nano
index f8171b4..0e9341d 100644
--- a/config/rootfiles/packages/nano
+++ b/config/rootfiles/packages/nano
@@ -1,11 +1,12 @@
#etc/nano
-etc/nano/nanorc.sample
+etc/nano/sample.nanorc
usr/bin/nano
usr/bin/pico
usr/bin/rnano
#usr/share/doc/nano
#usr/share/doc/nano/faq.html
#usr/share/doc/nano/nano.1.html
+#usr/share/doc/nano/nano.html
#usr/share/doc/nano/nanorc.5.html
#usr/share/doc/nano/rnano.1.html
#usr/share/info/nano.info
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 037894d..d46a14e 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -2631,7 +2631,7 @@ ADV_ERROR:
$cgiparams{'PMTU_DISCOVERY'} = 'off';
}
if ($cgiparams{'DAUTH'} eq '') {
- $cgiparams{'DAUTH'} = 'SHA1';
+ $cgiparams{'DAUTH'} = 'SHA512';
}
if ($cgiparams{'TLSAUTH'} eq '') {
$cgiparams{'TLSAUTH'} = 'off';
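Review bot: The `DAUTH eq ''` fallback now yields SHA512 for every caller that reaches it with no value, not only for fresh setups. If an existing installation has no stored DAUTH, the server side would move to SHA512 while client configurations already handed out still use SHA1, and both ends must agree on the HMAC digest. Consider applying the new default only when a configuration is first created, or state in the commit message that existing client packages must be regenerated.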
@@ -2821,7 +2821,7 @@ print <<END;
<option value='SHA512' $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
<option value='SHA384' $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
<option value='SHA256' $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option>
- <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'})</option>
+ <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
</select>
</td>
<td>$Lang::tr{'openvpn default'}: <span class="base">SHA1 (160 $Lang::tr{'bit'})</span></td>
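Review bot: The new SHA1 label depends on `$Lang::tr{'vpn weak'}`, but the summary of changes for this push lists no language file, so the key has to exist already or the label renders as "SHA1 (160 bit, )". Please confirm it is defined for all shipped languages. Also, the hint cell right below the select still reads `$Lang::tr{'openvpn default'}: SHA1 (160 bit)`; with the fallback changed to SHA512, it is worth making clear that this refers to OpenVPN's own default and not to what this page preselects.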
@@ -4454,7 +4454,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
$cgiparams{'MSSFIX'} = 'on';
$cgiparams{'FRAGMENT'} = '1300';
$cgiparams{'PMTU_DISCOVERY'} = 'off';
- $cgiparams{'DAUTH'} = 'SHA1';
+ $cgiparams{'DAUTH'} = 'SHA512';
###
# m.a.d n2n end
###
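Review bot: The net-to-net default at `$cgiparams{'DAUTH'} = 'SHA512';` only governs connections created on this side after the update. A peer that was set up with the previous default will still use SHA1, and a digest mismatch makes the tunnel fail at packet authentication. Since the commit message only mentions old clients such as Windows XP, add a note that both ends of a net-to-net connection need the same setting.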
@@ -4705,7 +4705,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
<option value='SHA512' $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
<option value='SHA384' $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
<option value='SHA256' $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option>
- <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'} Default)</option>
+ <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
</select>
</td>
</tr>
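Review bot: The "Default" marker is removed from the SHA1 option but not added to the SHA512 option on the unchanged line above, so the net-to-net form no longer shows which digest is preselected. Suggest appending the marker to the SHA512 entry. The `$Lang::tr{'vpn weak'}` key used here also needs to exist, since no language file is part of this push.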
@@ -5037,7 +5037,7 @@ END
$cgiparams{'MSSFIX'} = 'off';
}
if ($cgiparams{'DAUTH'} eq '') {
- $cgiparams{'DAUTH'} = 'SHA1';
+ $cgiparams{'DAUTH'} = 'SHA512';
}
if ($cgiparams{'DOVPN_SUBNET'} eq '') {
$cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0';
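Review bot: This is the third place in the file where the literal `'SHA512'` is assigned as the DAUTH default (also in the `ADV_ERROR` block and in the net-to-net defaults). A single variable for the default digest, defined once near the top of the script, would keep the next algorithm change from missing one of the copies.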
diff --git a/lfs/bind b/lfs/bind
index ea6fb83..1269e41 100644
--- a/lfs/bind
+++ b/lfs/bind
@@ -25,7 +25,7 @@
include Config
-VER = 9.11.0-P5
+VER = 9.11.1
THISAPP = bind-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -43,7 +43,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 3e1e525fc640308316cdf98cd29cfa11
+$(DL_FILE)_MD5 = c384ab071d902bac13487c1268e5a32f
install : $(TARGET)
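Review bot: The tarball for this security update is pinned only by `$(DL_FILE)_MD5`. MD5 is not collision resistant, so it is a weak integrity check for a source archive fetched from `$(DL_FROM)`. In a push that marks SHA1 as weak for OpenVPN, consider recording a stronger digest (for example SHA-256 or BLAKE2) beside or instead of the MD5 line, if the build system can verify one. The same applies to the logrotate, nano and unbound checksum lines in this push.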
diff --git a/lfs/logrotate b/lfs/logrotate
index 0d50103..476f146 100644
--- a/lfs/logrotate
+++ b/lfs/logrotate
@@ -1,7 +1,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2016 IPFire Team <info(a)ipfire.org> #
+# Copyright (C) 2007-2017 IPFire Team <info(a)ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -24,10 +24,10 @@
include Config
-VER = 3.9.1
+VER = 3.12.1
THISAPP = logrotate-$(VER)
-DL_FILE = logrotate_$(VER).orig.tar.gz
+DL_FILE = logrotate-$(VER).tar.gz
DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 4492b145b6d542e4a2f41e77fa199ab0
+$(DL_FILE)_MD5 = 066b49891bad2849d5044c1952613ea6
install : $(TARGET)
@@ -70,6 +70,10 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
+
+ cd $(DIR_APP) && ./autogen.sh
+ cd $(DIR_APP) && ./configure --prefix=/usr
+
cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
mkdir -pv /etc/logrotate.d
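Review bot: The added `./autogen.sh` step makes the build depend on the autotools being present in the build environment, and the commit message ("Update to 3.12.1") does not say why it or `./configure --prefix=/usr` became necessary. If `logrotate-$(VER).tar.gz` already ships a generated `configure`, drop the autogen call; otherwise add a one-line comment above these two commands explaining the change of tarball and build system.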
diff --git a/lfs/nano b/lfs/nano
index 2ecb1a5..34e8444 100644
--- a/lfs/nano
+++ b/lfs/nano
@@ -1,7 +1,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2016 IPFire Team <info(a)ipfire.org> #
+# Copyright (C) 2007-2017 IPFire Team <info(a)ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -24,7 +24,7 @@
include Config
-VER = 2.7.3
+VER = 2.8.1
THISAPP = nano-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = nano
-PAK_VER = 14
+PAK_VER = 15
DEPS = ""
@@ -44,7 +44,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 007ba6321212d3ec38f46236465b6ea8
+$(DL_FILE)_MD5 = 0dec96d839657e7f1a8396d7dbb19c07
install : $(TARGET)
@@ -87,7 +87,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
- cd $(DIR_APP) && install -v -m644 -D doc/nanorc.sample /etc/nano/nanorc.sample
+ cd $(DIR_APP) && install -v -m644 -D doc/sample.nanorc /etc/nano/sample.nanorc
ln -sf /usr/bin/nano /usr/bin/pico
@rm -rf $(DIR_APP)
@$(POSTBUILD)
diff --git a/lfs/unbound b/lfs/unbound
index d78bd95..c40f0ad 100644
--- a/lfs/unbound
+++ b/lfs/unbound
@@ -24,7 +24,7 @@
include Config
-VER = 1.6.1
+VER = 1.6.2
THISAPP = unbound-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = aa808f33d94a36c9312d1b8ad8805e14
+$(DL_FILE)_MD5 = 5a5d0cdf7164957ff2e7498db1758f01
install : $(TARGET)
hooks/post-receive
--
IPFire 2.x development tree