This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, core120 has been created
        at  36600cef36577ca36d4349bc7658a68234311ea2 (commit)

- Log -----------------------------------------------------------------
commit 36600cef36577ca36d4349bc7658a68234311ea2
Merge: 6a8b2ef97 7eb86ee39
Author: Arne Fitzenreiter
Date:   Fri Mar 30 09:35:28 2018 +0200

    Merge branch 'core119' into next

commit 6a8b2ef9772b58406f9e9b073e68dcf71eabb327
Author: Arne Fitzenreiter
Date:   Fri Mar 30 09:25:06 2018 +0200

    core120: set pakfire version to 120

    Signed-off-by: Arne Fitzenreiter

commit f7e9c14842dee00529df1e4a30f46255a1ed37e4
Author: Michael Tremer
Date:   Thu Mar 29 13:49:44 2018 +0100

    Rootfile update

    Signed-off-by: Michael Tremer

commit 4b072d640efde44017aeceb66d816ea59639be46
Author: Michael Tremer
Date:   Wed Mar 28 16:55:18 2018 +0100

    pakfire: Use upstream proxy for HTTPS, too

    Signed-off-by: Michael Tremer

commit 66a0f3646ad2b1da568282464b9a63479c8b45d9
Author: Peter Müller
Date:   Wed Mar 28 05:41:50 2018 +0200

    use protocol defined in server-list.db for mirror communication

    For each mirror server, a protocol can be specified in the
    server-list.db database. However, it was not used for the actual URL
    query to a mirror before.

    This might be useful for deploying HTTPS pinning for Pakfire. If a
    mirror is known to support HTTPS, all queries to it will be made with
    this protocol. This saves some overhead if HTTPS is enforced on a
    mirror via 301 redirects.

    To enable this, the server-list.db needs to be adjusted.

    The second version of this patch only handles protocols HTTP and
    HTTPS, since we do not expect anything else here at the moment.

    Partially fixes #11661.
    Signed-off-by: Peter Müller
    Cc: Michael Tremer
    Signed-off-by: Michael Tremer

commit 9f0999325dec7ffbcf8b18b846fbf6a8a6c5780f
Author: Michael Tremer
Date:   Wed Mar 28 16:39:35 2018 +0100

    unbound: Fix crash on startup

    Zone names should not be terminated with a dot.

    Fixes: #11689
    Reported-by: Pontus Larsson
    Signed-off-by: Michael Tremer

commit d97f43b309b7c041498189b231b7507627a194c6
Author: Michael Tremer
Date:   Wed Mar 28 11:22:06 2018 +0100

    Rootfile update for curl

    Signed-off-by: Michael Tremer

commit d9e656bb82542b2ef379563c02d642c3394f1c1c
Author: Michael Tremer
Date:   Tue Mar 27 20:56:31 2018 +0100

    asterisk: Ship documentation

    Signed-off-by: Michael Tremer

commit d3cd99830a8554e8f9b4df314210cef82ef69376
Author: Michael Tremer
Date:   Tue Mar 27 20:53:31 2018 +0100

    fetchmail: Permit building without SSLv3

    Signed-off-by: Michael Tremer

commit 76f422025ffe1baed977b5c8e1f072e5981e46ff
Author: Michael Tremer
Date:   Tue Mar 27 16:05:07 2018 +0100

    openssl: Update to 1.0.2o

    CVE-2018-0739 (OpenSSL advisory) [Moderate severity] 27 March 2018:

      Constructed ASN.1 types with a recursive definition (such as can be
      found in PKCS7) could eventually exceed the stack given malicious
      input with excessive recursion. This could result in a Denial Of
      Service attack. There are no such structures used within SSL/TLS
      that come from untrusted sources so this is considered safe.
      Reported by OSS-fuzz.

    Signed-off-by: Michael Tremer

commit 166ceacd6b375bc97eed722012a0f1fffd5a15e1
Author: Michael Tremer
Date:   Tue Mar 27 15:59:04 2018 +0100

    openssl: Update to 1.1.0h

    CVE-2018-0739 (OpenSSL advisory) [Moderate severity] 27 March 2018:

      Constructed ASN.1 types with a recursive definition (such as can be
      found in PKCS7) could eventually exceed the stack given malicious
      input with excessive recursion. This could result in a Denial Of
      Service attack. There are no such structures used within SSL/TLS
      that come from untrusted sources so this is considered safe.
      Reported by OSS-fuzz.
    This patch also entirely removes support for SSLv3. The patch to
    disable it didn't apply and since nobody has been using this before,
    we will not compile it into OpenSSL any more.

    Signed-off-by: Michael Tremer

commit c98304604bfed3b29bb384ab0999596644573f2c
Author: Michael Tremer
Date:   Mon Mar 26 19:04:41 2018 +0100

    core120: Ship updated QoS script and gnupg

    Signed-off-by: Michael Tremer

commit be7878d5c92600e7d316a86b18a77819734b62a0
Author: Matthias Fischer
Date:   Mon Mar 26 19:50:30 2018 +0200

    Fix typo in 'makeqosscripts.pl'

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit dd48a7aac8088ef706d2299bc5b473e9389ba2a2
Author: Peter Müller
Date:   Sat Mar 24 16:45:02 2018 +0100

    curl: update to 7.59.0

    Update curl to 7.59.0 which fixes a number of bugs and some minor
    security issues.

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit 689fed340aab91240b51bf4da1daf0a606290ac1
Author: Peter Müller
Date:   Sat Mar 24 16:32:53 2018 +0100

    gnupg: update to 1.4.22

    Update GnuPG to 1.4.22, which fixes some security vulnerabilities,
    such as the memory side channel attack CVE-2017-7526.

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit dfdfafc7af57b5088279680098408df823516703
Author: Michael Tremer
Date:   Tue Mar 20 20:36:15 2018 +0000

    core120: Ship updated vnstat

    Signed-off-by: Michael Tremer

commit a05af852c5f2266151479c9424a9b36243fb1c79
Author: Matthias Fischer
Date:   Tue Mar 20 20:46:52 2018 +0100

    vnstat: Update to 1.18

    For details see:
    https://humdi.net/vnstat/CHANGES

    Changed "SaveInterval 5" to "SaveInterval 1" in '/etc/vnstat.conf',
    triggered by https://forum.ipfire.org/viewtopic.php?f=22&t=20448
    to avoid data loss with 1Gbit connections and high traffic.
    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit e7ea357cecf5e069dd4fb4e5cd6099d8e5b7d9a4
Author: Michael Tremer
Date:   Tue Mar 20 11:08:58 2018 +0000

    Forgot to "git add" the new pakfire init script

    Signed-off-by: Michael Tremer

commit 42deeb3b450c74138dfb76d9d45d4588a5271887
Author: Michael Tremer
Date:   Mon Mar 19 19:45:24 2018 +0000

    Revert "installer: Import the Pakfire key at install time"

    This reverts commit 7d995c9f56055f39e559bd6e355a9a1689585c6d.

    Signed-off-by: Michael Tremer

commit eb68e27dd27b538d84c8382389f83f1a57ba59e7
Author: Michael Tremer
Date:   Mon Mar 19 19:44:50 2018 +0000

    pakfire: Import key when system boots up

    Signed-off-by: Michael Tremer

commit 5876642d175609919d2f43892deec822d650bdf0
Author: Michael Tremer
Date:   Mon Mar 19 18:07:49 2018 +0000

    ffmpeg: Ship libraries correctly

    Signed-off-by: Michael Tremer

commit 27ef66c26c480542f0ea60d85302da5ada0f0648
Author: Matthias Fischer
Date:   Sun Mar 18 17:32:43 2018 +0100

    hdparm: Update to 9.55

    Changelogs against 9.53:

    "hdparm-9.55:
    - added #include for major()/minor() macros

    hdparm-9.54:
    - Partial revert of Jmicron changes, from Jan Friesse."

    Best,
    Matthias

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit 71e5a29c8123014a8b740c3a99a83742a19019fa
Author: Matthias Fischer
Date:   Sun Mar 18 17:40:47 2018 +0100

    dmidecode 3.1: Added patch (Fix firmware version of TPM device)

    For details see:
    http://git.savannah.gnu.org/cgit/dmidecode.git/commit/?id=174387405e98cd94c627832ae23abcb9be7e5623

    "Both the operator (detected by clang, reported by Xorg) and the mask
    for the minor firmware version field of TPM devices were wrong."
    Best,
    Matthias

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit 35cdaa194ac5d2abfc0a93f60ed99aab07be9ce3
Author: Michael Tremer
Date:   Mon Mar 19 11:52:26 2018 +0000

    Fix python-m2crypto rootfile

    Signed-off-by: Michael Tremer

commit b2318b5e351923632c43e3d5d9e6a2351a1b63cd
Author: Michael Tremer
Date:   Sun Mar 18 13:51:38 2018 +0000

    core120: Ship updated logrotate and restart unbound

    Signed-off-by: Michael Tremer

commit 9e9fdb39e63e521a4771e3e24746edad3c7430b2
Author: Matthias Fischer
Date:   Sun Mar 18 10:05:33 2018 +0100

    unbound: Update to 1.7.0

    For details see:
    http://www.unbound.net/download.html

    Best,
    Matthias

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit 399c2f9ccc2fa8cac89d27353571f3317b45bde4
Author: Matthias Fischer
Date:   Sun Mar 18 10:21:17 2018 +0100

    logrotate: Update to 3.14.0

    For details see:
    https://github.com/logrotate/logrotate/releases

    Best,
    Matthias

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit 4e316ae0a0a63b6f6a4029fa3ba18c757713a49e
Author: Matthias Fischer
Date:   Sun Mar 18 10:14:07 2018 +0100

    htop: Update to 2.1.0

    For details see:
    https://hisham.hm/htop/index.php?page=downloads

    Best,
    Matthias

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit 9051f3c9d71b483198373b5522f47399b68b9572
Author: Matthias Fischer
Date:   Sun Mar 18 10:00:34 2018 +0100

    bind: Update to 9.11.3

    For details see:
    http://ftp.isc.org/isc/bind9/9.11.3/RELEASE-NOTES-bind-9.11.3.html

    Best,
    Matthias

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit 1c1c1ac238d2fd83b2fc17f9206dc9000e9079bc
Author: Matthias Fischer
Date:   Sun Mar 18 09:53:40 2018 +0100

    nano: Update to 2.9.4

    For details see:
    https://www.nano-editor.org/news.php

    Best,
    Matthias

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit 8aeec0ba89b0179138cec1b5ac079c04ad7db410
Author: Matthias Fischer
Date:   Sun Mar 18 09:48:04 2018 +0100

    rsync: Update to 3.1.3

    For details see:
    https://download.samba.org/pub/rsync/src/rsync-3.1.3-NEWS

    Best,
    Matthias

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit e779b6bc7aa470289bde0bf99aa7051dffc4384b
Author: Erik Kapfer
Date:   Sun Mar 18 13:55:31 2018 +0100

    PAM: Delete old lib and symlinks

    Core 119 update delivers an updated PAM whereby the libdir has been
    changed from /lib to /usr/lib but the old libraries and symlinks are
    still present. Since the system searches /lib before /usr/lib, the
    old libs and symlinks are used which ends up in a
    `LIBPAM_EXTENSION_1.1' not found.

    Signed-off-by: Erik Kapfer
    Signed-off-by: Michael Tremer

commit cdc1a0e901c285e84f8cbb6a01248ce6a141b361
Author: Erik Kapfer
Date:   Mon Mar 12 13:47:34 2018 +0100

    OpenVPN: Update to version 2.4.5

    This is primarily a maintenance release, with further improved OpenSSL
    1.1 integration, several minor bug fixes and other minor improvements.

    Further information can be found here
    https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst#version-245
    and here
    https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24 .

    Signed-off-by: Erik Kapfer
    Signed-off-by: Michael Tremer

commit 35b892b0dd69c482fb3024f8e1dfbd13679b07d8
Author: Michael Tremer
Date:   Fri Mar 16 14:36:05 2018 +0000

    pakfire: Drop old key import mechanism

    This was error-prone and potentially allowed injecting another key.
    Fixes: #11539
    Signed-off-by: Michael Tremer

commit 7d995c9f56055f39e559bd6e355a9a1689585c6d
Author: Michael Tremer
Date:   Fri Mar 16 14:33:42 2018 +0000

    installer: Import the Pakfire key at install time

    Signed-off-by: Michael Tremer

commit ceed3534e154944651be9659e7f299d077edc439
Author: Michael Tremer
Date:   Fri Mar 16 14:28:17 2018 +0000

    core120: Import new pakfire PGP key

    Signed-off-by: Michael Tremer

commit 5e5c2e541395bc5a2ab4d3304f6358861c594d3d
Author: Michael Tremer
Date:   Fri Mar 16 14:23:56 2018 +0000

    Import new Pakfire Signing Key

    We will swap the key that we use to sign Pakfire packages since the
    current one is considered outdated cryptography.

    Fixes: #11539
    Signed-off-by: Michael Tremer

commit f0e9ed78a2ae1b828493c523e5137735c780d833
Author: Stephan Feddersen
Date:   Tue Mar 6 20:53:20 2018 +0100

    WIO: increment PAK_VER

    Signed-off-by: Michael Tremer

commit c1fc92a9b8e2a049875c02a736087beacb8c6348
Author: Stephan Feddersen via Development
Date:   Tue Feb 27 17:20:07 2018 +0100

    WIO: Fix a problem with the Network-Table-Button

    Signed-off-by: Michael Tremer

commit cc222a8e62ebaebf140f6287f8e55edd887b36aa
Author: Stephan Feddersen via Development
Date:   Tue Feb 27 17:18:39 2018 +0100

    WIO: Fix some typos

    Signed-off-by: Michael Tremer

commit a25c95b3a0bf5a3db03fbed0e53f2f2d82d3e148
Author: Stephan Feddersen via Development
Date:   Tue Feb 20 21:41:13 2018 +0100

    WIO: Update to Version 1.3.2

    several changes in many files

    Signed-off-by: Michael Tremer

commit d536c178ec90fd95b7e793923a856b8dab8bcb52
Author: Matthias Fischer
Date:   Wed Mar 7 19:19:04 2018 +0100

    ntp: Update to 4.2.8p11

    For details see:
    http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities

    "This release addresses five security issues in ntpd:

    LOW/MEDIUM: Sec 3012 / CVE-2016-1549 / VU#961909: Sybil vulnerability:
    ephemeral association attack
    While fixed in ntp-4.2.8p7, there are significant additional
    protections for this issue in 4.2.8p11.
    Reported by Matt Van Gundy of Cisco.
    INFO/MEDIUM: Sec 3412 / CVE-2018-7182 / VU#961909: ctl_getitem():
    buffer read overrun leads to undefined behavior and information leak
    Reported by Yihan Lian of Qihoo 360.

    LOW: Sec 3415 / CVE-2018-7170 / VU#961909: Multiple authenticated
    ephemeral associations
    Reported on the questions@ list.

    LOW: Sec 3453 / CVE-2018-7184 / VU#961909: Interleaved symmetric mode
    cannot recover from bad state
    Reported by Miroslav Lichvar of Red Hat.

    LOW/MEDIUM: Sec 3454 / CVE-2018-7185 / VU#961909: Unauthenticated
    packet can reset authenticated interleaved association
    Reported by Miroslav Lichvar of Red Hat.

    one security issue in ntpq:

    MEDIUM: Sec 3414 / CVE-2018-7183 / VU#961909: ntpq:decodearr() can
    write beyond its buffer limit
    Reported by Michael Macnair of Thales-esecurity.com.

    and provides over 33 bugfixes and 32 other improvements."

    Best,
    Matthias

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit cc4816a1af40ee470fad90e0a7ec1655dc36367b
Author: Matthias Fischer
Date:   Wed Mar 7 19:26:53 2018 +0100

    clamav 0.99.4: removed gcc patch

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit dcd60d274ef7245552ffd0c57c15995a220d13a2
Author: Michael Tremer
Date:   Tue Mar 6 15:13:56 2018 +0000

    core120: Ship updated qos.cgi

    Signed-off-by: Michael Tremer

commit 20ffa7d1a896e5d8101f4e82ef11f8fa5b2ad15c
Author: Daniel Weismüller
Date:   Tue Mar 6 15:56:48 2018 +0100

    As described in bug 11257 there is a mistake in the qos templates.
    The sum of the guaranteed bandwidth of the classes 101 - 120 is bigger
    than the available bandwidth.
    I adjusted the guaranteed bandwidth of the classes 101 - 104 so that
    each of them has a

    Signed-off-by: Daniel Weismüller
    Signed-off-by: Michael Tremer

commit 318434affb14cadbfdbe877ae5b1f00aacacea24
Author: Michael Tremer
Date:   Tue Mar 6 15:12:42 2018 +0000

    core120: Ship updated proxy.cgi

    Signed-off-by: Michael Tremer

commit 53d6755451808f8d6eeca8275714d97985d9495b
Author: Daniel Weismüller via Development
Date:   Fri Feb 16 13:04:50 2018 +0100

    squid: Add RAM-only Proxy functionality

    As suggested by Oliver "giller" Fieker in bug 10592 I added the
    functionality to use squid as a RAM-only cache.

    Further it defines the maximum_object_size_in_memory as 2% of the
    "Memory cache size" defined in the webif. The
    maximum_object_size_in_memory should have a useful size of the
    defined memory cache and I don't want to create another variable which
    must be filled in by the user.

    Signed-off-by: Daniel Weismüller
    Suggested-by: Oliver "giller" Fieker
    Suggested-by: Kim Wölfel
    Acked-by: Michael Tremer
    Cc: Stefan Schantl
    Signed-off-by: Daniel Weismüller
    Signed-off-by: Michael Tremer

commit 01bec956555de7966990047406cbf417d314c40d
Author: Michael Tremer
Date:   Mon Mar 5 15:21:56 2018 +0000

    core120: Ship updated unbound init script

    Signed-off-by: Michael Tremer

commit 438da7e0a012cb979e77efcb923ab86b9078fb57
Author: Peter Müller
Date:   Sun Mar 4 18:26:52 2018 +0100

    test if nameservers with DNSSEC support return "ad"-flagged data

    DNSSEC-validating nameservers return an "ad" (Authenticated Data) flag
    in the DNS response header. This can be used as a negative indicator
    for DNSSEC validation: In case a nameserver does not return the flag,
    but fails to look up a domain with an invalid signature, it does not
    support DNSSEC validation.

    This makes it easier to detect nameservers which do not fully comply
    with the RFCs or try to tamper with DNS queries.

    See bug #11595 (https://bugzilla.ipfire.org/show_bug.cgi?id=11595) for
    further details.
    The second version of this patch avoids unnecessary usage of grep.
    Thanks to Michael Tremer for the hint.

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit 9d5e5eb01240cad610088fe2ea6b5b68e4f5e5ee
Author: Peter Müller
Date:   Sun Mar 4 18:03:04 2018 +0100

    Tor: update to 0.3.2.10

    Update Tor to 0.3.2.10, which fixes some security and DoS issues
    especially important for relays. The release notes are available at:
    https://blog.torproject.org/new-stable-tor-releases-security-fixes-and-dos-prevention-03210-03110-02915

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer
    Fixes: #11662

commit a12d48868202f0bef98b4c392eb7ca33cd6fe957
Author: Peter Müller
Date:   Sun Mar 4 17:57:15 2018 +0100

    ClamAV: update to 0.99.4

    Update ClamAV to 0.99.4 which fixes four security issues and
    compatibility issues with GCC 6 and C++ 11. The release note can be
    found here:
    http://blog.clamav.net/2018/03/clamav-0994-has-been-released.html

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit 568a227bd318c743225d90c8d93559d04ac72a8f
Author: Michael Tremer
Date:   Thu Mar 1 19:58:11 2018 +0000

    vpnmain.cgi: Fix reading common names from certificates

    OpenSSL has changed the output of the subject lines of certificates.

    Signed-off-by: Michael Tremer

commit 63b515dc260f2da9bd413fea254d2e5b634c793a
Author: Michael Tremer
Date:   Wed Feb 28 11:55:35 2018 +0000

    apache: Require TLSv1.2 for access to the web user interface

    This will work fine for FF 27 or newer, Chrome 30 or newer, IE 11 on
    Windows 7 or newer, Opera 17 or newer, Safari 9 or newer, Android 5.0
    or newer and Java 8 or newer.

    Since IPFire is not supposed to host any other applications and all
    have been removed in the last few Core Updates, only the web user
    interface is served over HTTPS here. We clearly prefer security over
    compatibility.
    Signed-off-by: Michael Tremer

commit 464426d36348cdb468f5c03f50132cf6583e23bd
Author: Peter Müller
Date:   Tue Nov 7 20:51:32 2017 +0100

    change Apache TLS cipher list to "Mozilla Modern"

    Change the TLS cipher list of Apache to "Mozilla Modern". ECDSA is
    preferred over RSA to save CPU time on both server and client.

    Clients without support for TLS 1.2 and AES will experience connection
    failures.

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit 263d1e6484ad61711f07cad35057c324db28b480
Author: Michael Tremer
Date:   Wed Feb 28 11:49:47 2018 +0000

    openssl: Apply ciphers patch before running Configure

    This works just fine here.

    Signed-off-by: Michael Tremer

commit 592949344560592807b5155d1c0ed085ac02c8ab
Author: Peter Müller via Development
Date:   Tue Feb 27 18:35:22 2018 +0100

    set OpenSSL 1.1.0 DEFAULT cipher list to secure value

    Only use secure cipher list for the OpenSSL DEFAULT list:
    * ECDSA is preferred over RSA since it is faster and more scalable
    * TLS 1.2 suites are preferred over anything older
    * weak ciphers such as RC4 and 3DES have been eliminated
    * AES-GCM is preferred over AES-CBC (known as "mac-then-encrypt" problem)
    * ciphers without PFS are moved to the end of the cipher list

    This patch leaves AES-CCM, AES-CCM8 and CHACHA20-POLY1305 suites where
    they are since they are considered secure and there is no need to
    change anything.
    The DEFAULT cipher list is now (output of "openssl ciphers -v"):

    ECDHE-ECDSA-AES256-GCM-SHA384   TLSv1.2 Kx=ECDH  Au=ECDSA Enc=AESGCM(256)            Mac=AEAD
    ECDHE-ECDSA-CHACHA20-POLY1305   TLSv1.2 Kx=ECDH  Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
    ECDHE-ECDSA-AES256-CCM8         TLSv1.2 Kx=ECDH  Au=ECDSA Enc=AESCCM8(256)           Mac=AEAD
    ECDHE-ECDSA-AES256-CCM          TLSv1.2 Kx=ECDH  Au=ECDSA Enc=AESCCM(256)            Mac=AEAD
    ECDHE-ECDSA-AES128-GCM-SHA256   TLSv1.2 Kx=ECDH  Au=ECDSA Enc=AESGCM(128)            Mac=AEAD
    ECDHE-ECDSA-AES128-CCM8         TLSv1.2 Kx=ECDH  Au=ECDSA Enc=AESCCM8(128)           Mac=AEAD
    ECDHE-ECDSA-AES128-CCM          TLSv1.2 Kx=ECDH  Au=ECDSA Enc=AESCCM(128)            Mac=AEAD
    ECDHE-ECDSA-AES256-SHA384       TLSv1.2 Kx=ECDH  Au=ECDSA Enc=AES(256)               Mac=SHA384
    ECDHE-ECDSA-CAMELLIA256-SHA384  TLSv1.2 Kx=ECDH  Au=ECDSA Enc=Camellia(256)          Mac=SHA384
    ECDHE-ECDSA-AES128-SHA256       TLSv1.2 Kx=ECDH  Au=ECDSA Enc=AES(128)               Mac=SHA256
    ECDHE-ECDSA-CAMELLIA128-SHA256  TLSv1.2 Kx=ECDH  Au=ECDSA Enc=Camellia(128)          Mac=SHA256
    ECDHE-RSA-AES256-GCM-SHA384     TLSv1.2 Kx=ECDH  Au=RSA   Enc=AESGCM(256)            Mac=AEAD
    ECDHE-RSA-CHACHA20-POLY1305     TLSv1.2 Kx=ECDH  Au=RSA   Enc=CHACHA20/POLY1305(256) Mac=AEAD
    ECDHE-RSA-AES128-GCM-SHA256     TLSv1.2 Kx=ECDH  Au=RSA   Enc=AESGCM(128)            Mac=AEAD
    ECDHE-RSA-AES256-SHA384         TLSv1.2 Kx=ECDH  Au=RSA   Enc=AES(256)               Mac=SHA384
    ECDHE-RSA-CAMELLIA256-SHA384    TLSv1.2 Kx=ECDH  Au=RSA   Enc=Camellia(256)          Mac=SHA384
    ECDHE-RSA-AES128-SHA256         TLSv1.2 Kx=ECDH  Au=RSA   Enc=AES(128)               Mac=SHA256
    ECDHE-RSA-CAMELLIA128-SHA256    TLSv1.2 Kx=ECDH  Au=RSA   Enc=Camellia(128)          Mac=SHA256
    DHE-RSA-AES256-GCM-SHA384       TLSv1.2 Kx=DH    Au=RSA   Enc=AESGCM(256)            Mac=AEAD
    DHE-RSA-CHACHA20-POLY1305       TLSv1.2 Kx=DH    Au=RSA   Enc=CHACHA20/POLY1305(256) Mac=AEAD
    DHE-RSA-AES256-CCM8             TLSv1.2 Kx=DH    Au=RSA   Enc=AESCCM8(256)           Mac=AEAD
    DHE-RSA-AES256-CCM              TLSv1.2 Kx=DH    Au=RSA   Enc=AESCCM(256)            Mac=AEAD
    DHE-RSA-AES128-GCM-SHA256       TLSv1.2 Kx=DH    Au=RSA   Enc=AESGCM(128)            Mac=AEAD
    DHE-RSA-AES128-CCM8             TLSv1.2 Kx=DH    Au=RSA   Enc=AESCCM8(128)           Mac=AEAD
    DHE-RSA-AES128-CCM              TLSv1.2 Kx=DH    Au=RSA   Enc=AESCCM(128)            Mac=AEAD
    DHE-RSA-AES256-SHA256           TLSv1.2 Kx=DH    Au=RSA   Enc=AES(256)               Mac=SHA256
    DHE-RSA-CAMELLIA256-SHA256      TLSv1.2 Kx=DH    Au=RSA   Enc=Camellia(256)          Mac=SHA256
    DHE-RSA-AES128-SHA256           TLSv1.2 Kx=DH    Au=RSA   Enc=AES(128)               Mac=SHA256
    DHE-RSA-CAMELLIA128-SHA256      TLSv1.2 Kx=DH    Au=RSA   Enc=Camellia(128)          Mac=SHA256
    ECDHE-ECDSA-AES256-SHA          TLSv1   Kx=ECDH  Au=ECDSA Enc=AES(256)               Mac=SHA1
    ECDHE-ECDSA-AES128-SHA          TLSv1   Kx=ECDH  Au=ECDSA Enc=AES(128)               Mac=SHA1
    ECDHE-RSA-AES256-SHA            TLSv1   Kx=ECDH  Au=RSA   Enc=AES(256)               Mac=SHA1
    ECDHE-RSA-AES128-SHA            TLSv1   Kx=ECDH  Au=RSA   Enc=AES(128)               Mac=SHA1
    DHE-RSA-AES256-SHA              SSLv3   Kx=DH    Au=RSA   Enc=AES(256)               Mac=SHA1
    DHE-RSA-CAMELLIA256-SHA         SSLv3   Kx=DH    Au=RSA   Enc=Camellia(256)          Mac=SHA1
    DHE-RSA-AES128-SHA              SSLv3   Kx=DH    Au=RSA   Enc=AES(128)               Mac=SHA1
    DHE-RSA-CAMELLIA128-SHA         SSLv3   Kx=DH    Au=RSA   Enc=Camellia(128)          Mac=SHA1
    AES256-GCM-SHA384               TLSv1.2 Kx=RSA   Au=RSA   Enc=AESGCM(256)            Mac=AEAD
    AES256-CCM8                     TLSv1.2 Kx=RSA   Au=RSA   Enc=AESCCM8(256)           Mac=AEAD
    AES256-CCM                      TLSv1.2 Kx=RSA   Au=RSA   Enc=AESCCM(256)            Mac=AEAD
    AES128-GCM-SHA256               TLSv1.2 Kx=RSA   Au=RSA   Enc=AESGCM(128)            Mac=AEAD
    AES128-CCM8                     TLSv1.2 Kx=RSA   Au=RSA   Enc=AESCCM8(128)           Mac=AEAD
    AES128-CCM                      TLSv1.2 Kx=RSA   Au=RSA   Enc=AESCCM(128)            Mac=AEAD
    AES256-SHA256                   TLSv1.2 Kx=RSA   Au=RSA   Enc=AES(256)               Mac=SHA256
    CAMELLIA256-SHA256              TLSv1.2 Kx=RSA   Au=RSA   Enc=Camellia(256)          Mac=SHA256
    AES128-SHA256                   TLSv1.2 Kx=RSA   Au=RSA   Enc=AES(128)               Mac=SHA256
    CAMELLIA128-SHA256              TLSv1.2 Kx=RSA   Au=RSA   Enc=Camellia(128)          Mac=SHA256
    AES256-SHA                      SSLv3   Kx=RSA   Au=RSA   Enc=AES(256)               Mac=SHA1
    CAMELLIA256-SHA                 SSLv3   Kx=RSA   Au=RSA   Enc=Camellia(256)          Mac=SHA1
    AES128-SHA                      SSLv3   Kx=RSA   Au=RSA   Enc=AES(128)               Mac=SHA1
    CAMELLIA128-SHA                 SSLv3   Kx=RSA   Au=RSA   Enc=Camellia(128)          Mac=SHA1

    This has been discussed at 2017-12-04
    (https://wiki.ipfire.org/devel/telco/2017-12-04) and for a similar
    patch written for OpenSSL 1.0.x.
    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit e707599d2cd8af8a1464ce31ee89a5401d5df0e2
Author: Michael Tremer
Date:   Wed Feb 28 10:48:29 2018 +0000

    core120: Call openvpnctrl with full path

    Signed-off-by: Michael Tremer

commit ca4c354e085083dacf66071b23e507ea2ebb1b81
Author: Michael Tremer
Date:   Mon Feb 26 16:28:16 2018 +0000

    Bump release of all packages linked against OpenSSL

    Signed-off-by: Michael Tremer

commit d192815e839c42566c669999900a0dd62824eb8e
Author: Michael Tremer
Date:   Mon Feb 26 16:22:32 2018 +0000

    core120: Ship everything that is linked against OpenSSL

    This will make sure that everything is using the new version of the
    library.

    Signed-off-by: Michael Tremer

commit 1c0cfaa5949e4303e8e4e2f041af86a812f3fe6c
Author: Michael Tremer
Date:   Mon Feb 26 15:37:49 2018 +0000

    Disable Path MTU discovery

    This seems to be a failed concept and causes issues with transferring
    large packets through an IPsec tunnel connection.

    This configures the kernel to still respond to PMTU ICMP discovery
    messages, but will not try this on its own.
    Signed-off-by: Michael Tremer

commit f0e308ab2ff92858452d7c3ac3ad114b4ea862f4
Author: Michael Tremer
Date:   Mon Feb 26 15:34:10 2018 +0000

    core120: Fix typo in initscript name

    Signed-off-by: Michael Tremer

commit 61fcd32f152f36edec042dd8e35ae2ab3f2acc2f
Author: Michael Tremer
Date:   Mon Feb 26 13:06:34 2018 +0000

    Rootfile update

    Signed-off-by: Michael Tremer

commit 0eccedd1c8340e186a8329f66a235aea6c92b1af
Author: Michael Tremer
Date:   Mon Feb 26 11:12:20 2018 +0000

    dhcp: Allow adding extra DHCP interfaces

    Signed-off-by: Michael Tremer

commit 39d11d265e4f1a41994d0adf85498f54c63ba7ab
Author: Erik Kapfer via Development
Date:   Mon Feb 26 08:00:15 2018 +0100

    OpenVPN: Ship missing OpenSSL configuration file for update

    Core 115 delivered a patch which prevents the '--ns-cert-type server
    is deprecated' message and also introduced '--remote-cert-tls server'
    --> https://patchwork.ipfire.org/patch/1441/ whereby the changed
    ovpn.cnf has not been delivered.

    Signed-off-by: Erik Kapfer
    Signed-off-by: Michael Tremer

commit 52f61e496df86f1a70fa9d468d64e756bdb66f4d
Author: Erik Kapfer via Development
Date:   Sun Feb 25 14:49:49 2018 +0100

    OpenVPN: New AES-GCM cipher for N2N and RW

    AES-GCM 128, 196 and 256 bit have been added to the Net-to-Net and
    Roadwarrior section.

    HMAC selection for N2N will be disabled if AES-GCM is used since GCM
    provides its own message authentication (GMAC). The 'auth *' line in
    N2N.conf will be deleted appropriately if AES-GCM is used since
    '--tls-auth' is not available for N2N.

    The HMAC selection menu for Roadwarriors is still available since
    '--tls-auth' is available for RWs, which use the configured HMAC even
    if AES-GCM has been applied.
    Signed-off-by: Erik Kapfer
    Signed-off-by: Michael Tremer

commit 87484f5c784e013229bc6d32430cdc8eb7b8a709
Author: Michael Tremer
Date:   Thu Feb 22 18:52:03 2018 +0000

    openssl-compat: Do not try to apply missing padlock patch

    Signed-off-by: Michael Tremer

commit b9c56c9e9cf261e5d35d060f2f0afce39c633d47
Author: Michael Tremer
Date:   Thu Feb 22 18:50:38 2018 +0000

    openssl-compat: Add missing library path

    Signed-off-by: Michael Tremer

commit 8b080ef12b63e94d82b44c09cc00af40d9e9fe8d
Author: Michael Tremer
Date:   Wed Feb 21 13:06:22 2018 +0000

    core120: Remove deprecated sshd configuration option

    This just created a warning and is now dropped.

    Signed-off-by: Michael Tremer

commit c2646dff80ecd43986d4aafcb42d43303f362790
Author: Michael Tremer
Date:   Wed Feb 21 12:55:36 2018 +0000

    Revert "wget: Link against GnuTLS instead of OpenSSL"

    This reverts commit a46b159a8dc0d191ee57cf48b66be8a39fd7d9ec.

    wget 1.19.4 supports linking against OpenSSL 1.1.0.

    Signed-off-by: Michael Tremer

commit c8e4391eccf6cff06b7ee17d1a50912fe77faf32
Author: Michael Tremer
Date:   Wed Feb 21 12:41:05 2018 +0000

    core120: Remove forgotten PHP file

    Signed-off-by: Michael Tremer

commit 53929f5ae8a2edc8dff4484b4d293fcba5dd50af
Author: Michael Tremer
Date:   Wed Feb 21 12:39:55 2018 +0000

    core120: Ship updated OpenSSL 1.1.0

    Signed-off-by: Michael Tremer

commit 9434bffaf23228be1774a63ad19d4751339e663c
Merge: cb8a6bf5a a4fd23254
Author: Michael Tremer
Date:   Wed Feb 21 12:21:10 2018 +0000

    Merge branch 'openssl-11' into next

commit cb8a6bf5a4a2794638da37b992799e275022c78d
Author: Michael Tremer
Date:   Wed Feb 21 12:20:57 2018 +0000

    Start Core Update 120

    Signed-off-by: Michael Tremer

commit a4fd232541bf5002eb7e256727d2b10c89b6d1bf
Author: Erik Kapfer
Date:   Thu Feb 15 05:43:49 2018 +0100

    OpenVPN: Added needed directive for v2.4 update

    script-security: The support for the 'system' flag has been removed due
    to security implications with shell expansions when executing scripts
    via system() call.
    For more information:
    https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage .

    ncp-disable: Negotiable crypto parameters have been disabled for the
    first.

    Signed-off-by: Erik Kapfer
    Signed-off-by: Michael Tremer

commit bd42f9f968112d2f15847c274d0e4c8b7bd9ddf1
Author: Erik Kapfer
Date:   Wed Feb 7 18:31:49 2018 +0100

    CRL updater: Update script for OpenVPNs CRL

    Update script for OpenVPN's CRL, because OpenVPN has refactored the CRL
    handling since v2.4.0. The script checks the next update field from the
    CRL and executes an update before it expires. The script is placed
    under fcron.daily for daily checks.

    Signed-off-by: Erik Kapfer
    Signed-off-by: Michael Tremer

commit 59d77d2eae265304887408b1d36074269f6075a4
Author: Michael Tremer
Date:   Wed Feb 7 12:43:28 2018 +0000

    openssl: Properly pass CFLAGS and LDFLAGS to build

    Signed-off-by: Michael Tremer

commit 11e78f38b9fe0e5087dd59ef76782cd39bd8f197
Author: Michael Tremer
Date:   Fri Feb 2 11:12:19 2018 +0000

    Package openssl-compat (1.0.2.n)

    This is provided for compatibility with binaries that have been
    compiled against this version of OpenSSL.

    Signed-off-by: Michael Tremer

commit 56f8478e4daaf4028f7332561da4b3418eed6b3a
Author: Michael Tremer
Date:   Fri Feb 2 10:59:37 2018 +0000

    openssl: Rootfile update

    Signed-off-by: Michael Tremer

commit 3b83dffc1961a3911e8197621c8e59ab44b5c614
Author: Erik Kapfer
Date:   Wed Jan 31 10:34:59 2018 +0100

    OpenVPN: Update to version 2.4.4

    Changed LFS and ROOTFILE for OpenVPN 2.4.4 update.
    Signed-off-by: Erik Kapfer
    Signed-off-by: Michael Tremer

commit 8b87254a02c275a1e19dcd25cf27d83eb5babd38
Author: Michael Tremer
Date:   Sat Jan 13 12:00:08 2018 +0000

    python-m2crypto: Install in correct directory

    Signed-off-by: Michael Tremer

commit 1b7cb0484c0b9ca8bd20d480b8fa8ad6c31dfb12
Author: Michael Tremer
Date:   Sat Jan 13 11:59:37 2018 +0000

    openssl: Enable engines

    Some tools that depend on openssl won't compile without it.

    Signed-off-by: Michael Tremer

commit a46b159a8dc0d191ee57cf48b66be8a39fd7d9ec
Author: Michael Tremer
Date:   Thu Jan 11 11:49:31 2018 +0000

    wget: Link against GnuTLS instead of OpenSSL

    This version does not seem to be compatible with OpenSSL 1.1 and might
    be changed back to OpenSSL whenever it will compile.

    Signed-off-by: Michael Tremer

commit fd07dae7a4c6e78761b2005a9785155610adba0d
Author: Michael Tremer
Date:   Tue Nov 28 16:51:51 2017 +0000

    python-m2crypto: Update to 0.27.0

    Signed-off-by: Michael Tremer

commit 5c82a9f0409e67dd10aeacf82fdcf3042fea31c7
Author: Michael Tremer
Date:   Tue Nov 28 16:48:20 2017 +0000

    python-typing: Required for m2crypto

    Signed-off-by: Michael Tremer

commit 7e63e4f8069e396296360584db498753490097d6
Author: Michael Tremer
Date:   Tue Nov 28 16:39:38 2017 +0000

    transmission: Patch to build against OpenSSL 1.1

    Signed-off-by: Michael Tremer

commit 0d0fe16e22499868b38e35e190729f50c6acf1c9
Author: Michael Tremer
Date:   Tue Nov 28 15:06:54 2017 +0000

    net-snmp: Patch to build against OpenSSL 1.1

    Signed-off-by: Michael Tremer

commit 3b10b313032fe32e8e611a7c47e6e90259972ce3
Author: Michael Tremer
Date:   Tue Nov 28 13:58:29 2017 +0000

    elinks: Patch to build against OpenSSL 1.1

    Signed-off-by: Michael Tremer

commit 2ab923bb8ee35327065f4c724b5a10deee22b364
Author: Michael Tremer
Date:   Tue Nov 28 13:37:38 2017 +0000

    ncat: Update to 7.60

    Signed-off-by: Michael Tremer

commit 5809552f2fb1371870b4e111d4ef018730d683b9
Author: Michael Tremer
Date:   Tue Nov 28 13:06:26 2017 +0000

    krb5: Update to 1.15.2 to build against OpenSSL 1.1
    Signed-off-by: Michael Tremer

commit 07b8dcd0b2287fd316592dd0fe18d103b71b712e
Author: Michael Tremer
Date:   Tue Nov 28 13:02:17 2017 +0000

    openssh: Update to 7.6p1 and patch against OpenSSL 1.1

    Signed-off-by: Michael Tremer

commit a82d85131b8220c3800c54dec49bd1ce605f0e7a
Author: Michael Tremer
Date:   Mon Nov 27 13:19:20 2017 +0000

    Net-SSLeay: Update to 1.82

    Signed-off-by: Michael Tremer

commit f8ee1cfcfcc5a2fd520a40c66a5747480debb51a
Author: Michael Tremer
Date:   Mon Nov 27 12:47:13 2017 +0000

    cyrus-sasl: Disable OTP to build against OpenSSL 1.1

    Signed-off-by: Michael Tremer

commit 5a9bbaa93d7693c21dc6e2b23d07716c12aac220
Author: Michael Tremer
Date:   Sat Nov 25 13:03:13 2017 +0000

    openssl: Update to version 1.1

    Signed-off-by: Michael Tremer

-----------------------------------------------------------------------

hooks/post-receive
-- 
IPFire 2.x development tree
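As an added illustration of the "ad"-flag test described in commit 438da7e0 above (this is not IPFire code; the project's own check is a shell script, and the DNS responses used here are constructed by hand in place of real resolver traffic), the following parses raw DNS response headers and applies the commit's rule: a resolver that fails on a name with a broken signature but never sets AD on a correctly signed one is not treated as DNSSEC-validating.

```python
"""DNSSEC "ad"-flag check on raw DNS response headers.

Added example; not code from the IPFire repository. All DNS messages
below are constructed locally so the logic can be run offline.
"""
import struct

# RCODEs (RFC 1035 section 4.1.1)
NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3

# Header flag bits: QR, RD, RA (RFC 1035); AD and CD (RFC 4035 section 3.2.3)
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into named fields."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message: no complete header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & QR),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "ad": bool(flags & AD),
        "cd": bool(flags & CD),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_resolver(signed_resp: bytes, bogus_resp: bytes) -> str:
    """Apply the commit's rule to two answers from the same resolver.

    signed_resp: answer for a correctly DNSSEC-signed name.
    bogus_resp:  answer for a name whose signature is deliberately broken.
    """
    good, bad = parse_header(signed_resp), parse_header(bogus_resp)
    if not (good["qr"] and bad["qr"]):
        raise ValueError("both messages must be responses (QR bit set)")
    if good["rcode"] != NOERROR:
        return "unusable: correctly signed name could not be resolved"
    rejects_bogus = bad["rcode"] == SERVFAIL
    if good["ad"] and rejects_bogus:
        return "validating"
    if good["ad"]:
        return "suspicious: sets AD but returns data for a broken signature"
    if rejects_bogus:
        # Negative indicator from the commit message: failing on the bogus
        # name without ever setting AD is not real DNSSEC validation.
        return "not validating: rejects bogus name but never sets AD"
    return "not validating: no AD flag and bogus data is returned"


def _encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels."""
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                   for lab in name.rstrip(".").split("."))
    return out + b"\x00"


def build_response(ident: int, qname: str, rcode: int, ad: bool,
                   answer_ip: str = "") -> bytes:
    """Construct a minimal A-record response (test data, not captured traffic)."""
    flags = QR | RD | RA | (AD if ad else 0) | (rcode & 0x000F)
    rrs = b""
    if answer_ip:
        rrs = (b"\xc0\x0c"                            # pointer to the question name
               + struct.pack("!HHIH", 1, 1, 300, 4)  # TYPE A, CLASS IN, TTL, RDLENGTH
               + bytes(int(o) for o in answer_ip.split(".")))
    header = struct.pack("!HHHHHH", ident, flags, 1, 1 if rrs else 0, 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    return header + question + rrs


# Constructed exchanges against three hypothetical resolvers (RFC 2606 names).
VALIDATOR = (build_response(0x1001, "signed.example", NOERROR, True, "192.0.2.10"),
             build_response(0x1002, "badsig.example", SERVFAIL, False))
FORWARDER_NO_AD = (build_response(0x2001, "signed.example", NOERROR, False, "192.0.2.10"),
                   build_response(0x2002, "badsig.example", SERVFAIL, False))
NO_DNSSEC = (build_response(0x3001, "signed.example", NOERROR, False, "192.0.2.10"),
             build_response(0x3002, "badsig.example", NOERROR, False, "192.0.2.66"))


if __name__ == "__main__":
    for label, (good, bad) in (("validator", VALIDATOR),
                               ("forwarder without AD", FORWARDER_NO_AD),
                               ("plain resolver", NO_DNSSEC)):
        print(f"{label:22s} -> {classify_resolver(good, bad)}")
```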