From mboxrd@z Thu Jan 1 00:00:00 1970
From: git@ipfire.org
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. b5fe050fce03a7ee2547a1162452c8211d2eea8d
Date: Fri, 28 Apr 2017 13:10:00 +0100
Message-ID: <20170428121001.1826310853C3@git01.ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8845772709510516605=="
List-Id:

--===============8845772709510516605==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  b5fe050fce03a7ee2547a1162452c8211d2eea8d (commit)
       via  07002f2bca7efd49d8baea0dadf193a29f27604b (commit)
       via  abd12bd073dd0be74d97e2f204027f2a4346549a (commit)
       via  3d5c499e0ca73c9a787815b8894d6cfcb0416a1b (commit)
       via  f3dfb261c8c78f7806bcf215646f9d3618d151f5 (commit)
       via  7090074557516deaaff9b1a84f4f8beec6c4dadd (commit)
      from  0e8f275e80d8ad517019f7c0f8349a5a16ea9f1b (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit b5fe050fce03a7ee2547a1162452c8211d2eea8d
Author: Matthias Fischer
Date:   Mon Apr 24 20:56:29 2017 +0200

    unbound: Update to 1.6.2

    For details see:
    http://www.unbound.net/download.html

    Best,
    Matthias

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit 07002f2bca7efd49d8baea0dadf193a29f27604b
Author: Matthias Fischer
Date:   Tue Apr 25 21:08:32 2017 +0200

    bind: Update to 9.11.1

    For details see:
    https://ftp.isc.org/isc/bind9/9.11.1/RELEASE-NOTES-bind-9.11.1.html

    "Security Fixes

    rndc "" could trigger an assertion failure in named. This flaw is
    disclosed in (CVE-2017-3138). [RT #44924]

    Some chaining (i.e., type CNAME or DNAME) responses to upstream queries
    could trigger assertion failures. This flaw is disclosed in
    CVE-2017-3137. [RT #44734]

    dns64 with break-dnssec yes; can result in an assertion failure. This
    flaw is disclosed in CVE-2017-3136. [RT #44653]

    If a server is configured with a response policy zone (RPZ) that
    rewrites an answer with local data, and is also configured for DNS64
    address mapping, a NULL pointer can be read triggering a server crash.
    This flaw is disclosed in CVE-2017-3135. [RT #44434]

    A coding error in the nxdomain-redirect feature could lead to an
    assertion failure if the redirection namespace was served from a local
    authoritative data source such as a local zone or a DLZ instead of via
    recursive lookup. This flaw is disclosed in CVE-2016-9778. [RT #43837]

    named could mishandle authority sections with missing RRSIGs,
    triggering an assertion failure. This flaw is disclosed in
    CVE-2016-9444. [RT #43632]

    named mishandled some responses where covering RRSIG records were
    returned without the requested data, resulting in an assertion failure.
    This flaw is disclosed in CVE-2016-9147. [RT #43548]

    named incorrectly tried to cache TKEY records which could trigger an
    assertion failure when there was a class mismatch. This flaw is
    disclosed in CVE-2016-9131. [RT #43522]

    It was possible to trigger assertions when processing responses
    containing answers of type DNAME. This flaw is disclosed in
    CVE-2016-8864.
    [RT #43465]

    Added the ability to specify the maximum number of records permitted in
    a zone (max-records #;). This provides a mechanism to block overly
    large zone transfers, which is a potential risk with slave zones from
    other parties, as described in CVE-2016-6170. [RT #42143]

    Bug Fixes

    A synthesized CNAME record appearing in a response before the
    associated DNAME could be cached, when it should not have been. This
    was a regression introduced while addressing CVE-2016-8864. [RT #44318]

    named could deadlock if multiple changes to NSEC/NSEC3 parameters for
    the same zone were being processed at the same time. [RT #42770]

    named could trigger an assertion when sending NOTIFY messages.
    [RT #44019]

    Referencing a nonexistent zone in a response-policy statement could
    cause an assertion failure during configuration. [RT #43787]

    rndc addzone could cause a crash when attempting to add a zone with a
    type other than master or slave. Such zones are now rejected.
    [RT #43665]

    named could hang when encountering log file names with large apparent
    gaps in version number (for example, when files exist called
    "logfile.0", "logfile.1", and "logfile.1482954169"). This is now
    handled correctly. [RT #38688]

    If a zone was updated while named was processing a query for
    nonexistent data, it could return out-of-sync NSEC3 records causing
    potential DNSSEC validation failure. [RT #43247]"

    Best,
    Matthias

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit abd12bd073dd0be74d97e2f204027f2a4346549a
Author: Matthias Fischer
Date:   Tue Apr 25 21:13:17 2017 +0200

    nano: Update to 2.8.1

    For details see:
    https://www.nano-editor.org/news.php

    Best,
    Matthias

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit 3d5c499e0ca73c9a787815b8894d6cfcb0416a1b
Author: Matthias Fischer
Date:   Fri Apr 28 08:17:33 2017 +0200

    logrotate: Update to 3.12.1

    For details see:
    https://github.com/logrotate/logrotate/blob/master/ChangeLog.md

    Best,
    Matthias

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit f3dfb261c8c78f7806bcf215646f9d3618d151f5
Author: Michael Tremer
Date:   Fri Apr 28 13:03:46 2017 +0100

    OpenVPN: Mark SHA1 as weak

    Signed-off-by: Michael Tremer

commit 7090074557516deaaff9b1a84f4f8beec6c4dadd
Author: Michael Tremer
Date:   Fri Apr 28 13:01:41 2017 +0100

    OpenVPN: Use SHA512 by default

    This will break compatibility with old clients like Windows XP,
    but these are too old now to be supported.

    SHA1 is considered to be weak and should not be used any more

    Signed-off-by: Michael Tremer

-----------------------------------------------------------------------

Summary of changes:
 config/rootfiles/common/logrotate |  4 ++--
 config/rootfiles/common/unbound   |  2 +-
 config/rootfiles/packages/nano    |  3 ++-
 html/cgi-bin/ovpnmain.cgi         | 10 +++++-----
 lfs/bind                          |  4 ++--
 lfs/logrotate                     | 12 ++++++++----
 lfs/nano                          | 10 +++++-----
 lfs/unbound                       |  4 ++--
 8 files changed, 27 insertions(+), 22 deletions(-)

Difference in files:
diff --git a/config/rootfiles/common/logrotate b/config/rootfiles/common/logr= otate index 8ef728c..0583525 100644 --- a/config/rootfiles/common/logrotate +++ b/config/rootfiles/common/logrotate @@ -1,6 +1,6 @@ #etc/logrotate.d etc/logrotate.d/.empty -#usr/man/man5/logrotate.conf.5 -#usr/man/man8/logrotate.8 usr/sbin/logrotate +#usr/share/man/man5/logrotate.conf.5 +#usr/share/man/man8/logrotate.8 var/lib/logrotate.status diff --git a/config/rootfiles/common/unbound b/config/rootfiles/common/unbound index 824567e..c626fd6 100644 --- a/config/rootfiles/common/unbound +++ b/config/rootfiles/common/unbound
@@ -11,7 +11,7 @@ etc/unbound/unbound.conf #usr/lib/libunbound.la #usr/lib/libunbound.so usr/lib/libunbound.so.2 -usr/lib/libunbound.so.2.4.4 +usr/lib/libunbound.so.2.5.1 usr/sbin/unbound usr/sbin/unbound-anchor usr/sbin/unbound-checkconf diff --git a/config/rootfiles/packages/nano b/config/rootfiles/packages/nano index f8171b4..0e9341d 100644 --- a/config/rootfiles/packages/nano +++ b/config/rootfiles/packages/nano @@ -1,11 +1,12 @@ #etc/nano -etc/nano/nanorc.sample +etc/nano/sample.nanorc usr/bin/nano usr/bin/pico usr/bin/rnano #usr/share/doc/nano #usr/share/doc/nano/faq.html #usr/share/doc/nano/nano.1.html +#usr/share/doc/nano/nano.html #usr/share/doc/nano/nanorc.5.html #usr/share/doc/nano/rnano.1.html #usr/share/info/nano.info diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 037894d..d46a14e 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -2631,7 +2631,7 @@ ADV_ERROR: $cgiparams{'PMTU_DISCOVERY'} =3D 'off'; } if ($cgiparams{'DAUTH'} eq '') { - $cgiparams{'DAUTH'} =3D 'SHA1'; + $cgiparams{'DAUTH'} =3D 'SHA512'; } if ($cgiparams{'TLSAUTH'} eq '') { $cgiparams{'TLSAUTH'} =3D 'off'; @@ -2821,7 +2821,7 @@ print <SHA2 (512 $Lang:= :tr{'bit'}) - + $Lang::tr{'openvpn default'}: SHA1 (160 $Lang::tr= {'bit'}) @@ -4454,7 +4454,7 @@ if ($cgiparams{'TYPE'} eq 'net') { $cgiparams{'MSSFIX'} =3D 'on'; $cgiparams{'FRAGMENT'} =3D '1300'; $cgiparams{'PMTU_DISCOVERY'} =3D 'off'; - $cgiparams{'DAUTH'} =3D 'SHA1'; + $cgiparams{'DAUTH'} =3D 'SHA512'; ### # m.a.d n2n end ###=09 @@ -4705,7 +4705,7 @@ if ($cgiparams{'TYPE'} eq 'net') { - + @@ -5037,7 +5037,7 @@ END $cgiparams{'MSSFIX'} =3D 'off'; } if ($cgiparams{'DAUTH'} eq '') { - $cgiparams{'DAUTH'} =3D 'SHA1'; + $cgiparams{'DAUTH'} =3D 'SHA512'; } if ($cgiparams{'DOVPN_SUBNET'} eq '') { $cgiparams{'DOVPN_SUBNET'} =3D '10.' . int(rand(256)) . '.' . int(rand(256= )) . '.0/255.255.255.0'; diff --git a/lfs/bind b/lfs/bind index ea6fb83..1269e41 100644 --- a/lfs/bind +++ b/lfs/bind 
@@ -25,7 +25,7 @@ =20 include Config =20 -VER =3D 9.11.0-P5 +VER =3D 9.11.1 =20 THISAPP =3D bind-$(VER) DL_FILE =3D $(THISAPP).tar.gz @@ -43,7 +43,7 @@ objects =3D $(DL_FILE) =20 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) =20 -$(DL_FILE)_MD5 =3D 3e1e525fc640308316cdf98cd29cfa11 +$(DL_FILE)_MD5 =3D c384ab071d902bac13487c1268e5a32f =20 install : $(TARGET) =20 diff --git a/lfs/logrotate b/lfs/logrotate index 0d50103..476f146 100644 --- a/lfs/logrotate +++ b/lfs/logrotate @@ -1,7 +1,7 @@ ############################################################################= ### # = # # IPFire.org - A linux based firewall = # -# Copyright (C) 2007-2016 IPFire Team = # +# Copyright (C) 2007-2017 IPFire Team = # # = # # This program is free software: you can redistribute it and/or modify = # # it under the terms of the GNU General Public License as published by = # @@ -24,10 +24,10 @@ =20 include Config =20 -VER =3D 3.9.1 +VER =3D 3.12.1 =20 THISAPP =3D logrotate-$(VER) -DL_FILE =3D logrotate_$(VER).orig.tar.gz +DL_FILE =3D logrotate-$(VER).tar.gz DL_FROM =3D $(URL_IPFIRE) DIR_APP =3D $(DIR_SRC)/$(THISAPP) TARGET =3D $(DIR_INFO)/$(THISAPP) @@ -40,7 +40,7 @@ objects =3D $(DL_FILE) =20 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) =20 -$(DL_FILE)_MD5 =3D 4492b145b6d542e4a2f41e77fa199ab0 +$(DL_FILE)_MD5 =3D 066b49891bad2849d5044c1952613ea6 =20 install : $(TARGET) =20 @@ -70,6 +70,10 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + + cd $(DIR_APP) && ./autogen.sh + cd $(DIR_APP) && ./configure --prefix=3D/usr + cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install mkdir -pv /etc/logrotate.d diff --git a/lfs/nano b/lfs/nano index 2ecb1a5..34e8444 100644 --- a/lfs/nano +++ b/lfs/nano 
@@ -1,7 +1,7 @@ ############################################################################= ### # = # # IPFire.org - A linux based firewall = # -# Copyright (C) 2007-2016 IPFire Team = # +# Copyright (C) 2007-2017 IPFire Team = # # = # # This program is free software: you can redistribute it and/or modify = # # it under the terms of the GNU General Public License as published by = # @@ -24,7 +24,7 @@ =20 include Config =20 -VER =3D 2.7.3 +VER =3D 2.8.1 =20 THISAPP =3D nano-$(VER) DL_FILE =3D $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM =3D $(URL_IPFIRE) DIR_APP =3D $(DIR_SRC)/$(THISAPP) TARGET =3D $(DIR_INFO)/$(THISAPP) PROG =3D nano -PAK_VER =3D 14 +PAK_VER =3D 15 =20 DEPS =3D "" =20 @@ -44,7 +44,7 @@ objects =3D $(DL_FILE) =20 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) =20 -$(DL_FILE)_MD5 =3D 007ba6321212d3ec38f46236465b6ea8 +$(DL_FILE)_MD5 =3D 0dec96d839657e7f1a8396d7dbb19c07 =20 install : $(TARGET) =20 @@ -87,7 +87,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) =20 cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install - cd $(DIR_APP) && install -v -m644 -D doc/nanorc.sample /etc/nano/nanorc.sam= ple + cd $(DIR_APP) && install -v -m644 -D doc/sample.nanorc /etc/nano/sample.nan= orc ln -sf /usr/bin/nano /usr/bin/pico @rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/lfs/unbound b/lfs/unbound index d78bd95..c40f0ad 100644 --- a/lfs/unbound +++ b/lfs/unbound @@ -24,7 +24,7 @@ =20 include Config =20 -VER =3D 1.6.1 +VER =3D 1.6.2 =20 THISAPP =3D unbound-$(VER) DL_FILE =3D $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects =3D $(DL_FILE) =20 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) =20 -$(DL_FILE)_MD5 =3D aa808f33d94a36c9312d1b8ad8805e14 +$(DL_FILE)_MD5 =3D 5a5d0cdf7164957ff2e7498db1758f01 =20 install : $(TARGET) =20 hooks/post-receive -- IPFire 2.x development tree --===============8845772709510516605==--
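
Review bot: In html/cgi-bin/ovpnmain.cgi, the empty-value fallback `if ($cgiparams{'DAUTH'} eq '')` at @@ -2631,7 (and the identical one at @@ -5037,7) now yields 'SHA512' for any saved configuration that carries no DAUTH value, so a server that had been running on the implicit SHA1 default changes its digest whenever this path runs, while client packages exported earlier do not. OpenVPN needs the same auth digest on both ends, so those tunnels stop working until every client is re-exported, which is a wider break than the "old clients like Windows XP" the commit message names. Suggest applying the new default only when a configuration is first created and writing an explicit DAUTH value into existing settings during the update, so that the switch is a deliberate administrator action. The literal 'SHA512' also appears three times now (including the net-to-net defaults at @@ -4454,7); one named default would keep the three from drifting apart.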
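
Review bot: In lfs/bind at @@ -43,7, the only integrity pin for the new bind-9.11.1 tarball is `$(DL_FILE)_MD5`, and MD5 is not collision resistant, which sits awkwardly next to the two commits in this same push that retire SHA1 for OpenVPN. For a release taken specifically for its CVE fixes, suggest recording a SHA-256 or stronger digest alongside the MD5 value and checking the download against upstream's published signature before the digest is committed. The same `_MD5`-only pattern is repeated in the lfs/logrotate, lfs/nano and lfs/unbound hunks.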
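
Review bot: In lfs/logrotate at @@ -70,6, the added `./autogen.sh` step regenerates the build system with whatever autoconf and automake the toolchain happens to carry, and the hunk at @@ -24,10 changes DL_FILE from `logrotate_$(VER).orig.tar.gz` to `logrotate-$(VER).tar.gz` without recording where the new archive comes from. If that archive is an upstream release tarball that already ships a generated configure script, drop autogen.sh; if it is a repository snapshot, a comment above DL_FILE should say so, since the checksum then pins a different artifact than the one upstream publishes. Also, `./configure --prefix=3D/usr` leaves the state-file location to configure's default, so it is worth confirming that the built binary still uses the var/lib/logrotate.status path listed in config/rootfiles/common/logrotate.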