From mboxrd@z Thu Jan 1 00:00:00 1970
From: git@ipfire.org
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, core120, created. 36600cef36577ca36d4349bc7658a68234311ea2
Date: Fri, 30 Mar 2018 08:37:32 +0100
Message-ID: <20180330073732.B55A710853B9@git01.ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6861990939657079711=="
List-Id:

--===============6861990939657079711==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, core120 has been created
        at  36600cef36577ca36d4349bc7658a68234311ea2 (commit)

- Log -----------------------------------------------------------------
commit 36600cef36577ca36d4349bc7658a68234311ea2
Merge: 6a8b2ef97 7eb86ee39
Author: Arne Fitzenreiter
Date:   Fri Mar 30 09:35:28 2018 +0200

    Merge branch 'core119' into next

commit 6a8b2ef9772b58406f9e9b073e68dcf71eabb327
Author: Arne Fitzenreiter
Date:   Fri Mar 30 09:25:06 2018 +0200

    core120: set pakfire version to 120

    Signed-off-by: Arne Fitzenreiter

commit f7e9c14842dee00529df1e4a30f46255a1ed37e4
Author: Michael Tremer
Date:   Thu Mar 29 13:49:44 2018 +0100

    Rootfile update

    Signed-off-by: Michael Tremer

commit 4b072d640efde44017aeceb66d816ea59639be46
Author: Michael Tremer
Date:   Wed Mar 28 16:55:18 2018 +0100

    pakfire: Use upstream proxy for HTTPS, too

    Signed-off-by: Michael Tremer

commit 66a0f3646ad2b1da568282464b9a63479c8b45d9
Author: Peter Müller
Date:   Wed Mar 28 05:41:50 2018 +0200

    use protocol defined in server-list.db for mirror communication

    For each mirror server, a protocol can be specified in the
    server-list.db database. However, it was not used for the
    actual URL query to a mirror before.

    This might be useful for deploying HTTPS pinning for Pakfire.
    If a mirror is known to support HTTPS, all queries to it
    will be made with this protocol.

    This saves some overhead if HTTPS is enforced on a mirror
    via 301 redirects. To enable this, the server-list.db
    needs to be adjusted.

    The second version of this patch only handles protocols
    HTTP and HTTPS, since we do not expect anything else here
    at the moment.

    Partially fixes #11661.

    Signed-off-by: Peter Müller
    Cc: Michael Tremer
    Signed-off-by: Michael Tremer

commit 9f0999325dec7ffbcf8b18b846fbf6a8a6c5780f
Author: Michael Tremer
Date:   Wed Mar 28 16:39:35 2018 +0100

    unbound: Fix crash on startup

    Zone names should not be terminated with a dot.

    Fixes: #11689

    Reported-by: Pontus Larsson
    Signed-off-by: Michael Tremer

commit d97f43b309b7c041498189b231b7507627a194c6
Author: Michael Tremer
Date:   Wed Mar 28 11:22:06 2018 +0100

    Rootfile update for curl

    Signed-off-by: Michael Tremer

commit d9e656bb82542b2ef379563c02d642c3394f1c1c
Author: Michael Tremer
Date:   Tue Mar 27 20:56:31 2018 +0100

    asterisk: Ship documentation

    Signed-off-by: Michael Tremer

commit d3cd99830a8554e8f9b4df314210cef82ef69376
Author: Michael Tremer
Date:   Tue Mar 27 20:53:31 2018 +0100

    fetchmail: Permit building without SSLv3

    Signed-off-by: Michael Tremer

commit 76f422025ffe1baed977b5c8e1f072e5981e46ff
Author: Michael Tremer
Date:   Tue Mar 27 16:05:07 2018 +0100

    openssl: Update to 1.0.2o

    CVE-2018-0739 (OpenSSL advisory) [Moderate severity] 27 March 2018:

    Constructed ASN.1 types with a recursive definition (such as can be
    found in PKCS7) could eventually exceed the stack given malicious
    input with excessive recursion. This could result in a Denial Of
    Service attack. There are no such structures used within SSL/TLS
    that come from untrusted sources so this is considered safe.
    Reported by OSS-fuzz.

    Signed-off-by: Michael Tremer

commit 166ceacd6b375bc97eed722012a0f1fffd5a15e1
Author: Michael Tremer
Date:   Tue Mar 27 15:59:04 2018 +0100

    openssl: Update to 1.1.0h

    CVE-2018-0739 (OpenSSL advisory) [Moderate severity] 27 March 2018:

    Constructed ASN.1 types with a recursive definition (such as can be
    found in PKCS7) could eventually exceed the stack given malicious
    input with excessive recursion. This could result in a Denial Of
    Service attack. There are no such structures used within SSL/TLS
    that come from untrusted sources so this is considered safe.
    Reported by OSS-fuzz.

    This patch also entirely removes support for SSLv3. The patch to
    disable it didn't apply and since nobody has been using this before,
    we will not compile it into OpenSSL any more.

    Signed-off-by: Michael Tremer

commit c98304604bfed3b29bb384ab0999596644573f2c
Author: Michael Tremer
Date:   Mon Mar 26 19:04:41 2018 +0100

    core120: Ship updated QoS script and gnupg

    Signed-off-by: Michael Tremer

commit be7878d5c92600e7d316a86b18a77819734b62a0
Author: Matthias Fischer
Date:   Mon Mar 26 19:50:30 2018 +0200

    Fix typo in 'makeqosscripts.pl'

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit dd48a7aac8088ef706d2299bc5b473e9389ba2a2
Author: Peter Müller
Date:   Sat Mar 24 16:45:02 2018 +0100

    curl: update to 7.59.0

    Update curl to 7.59.0 which fixes a number of bugs and
    some minor security issues.

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit 689fed340aab91240b51bf4da1daf0a606290ac1
Author: Peter Müller
Date:   Sat Mar 24 16:32:53 2018 +0100

    gnupg: update to 1.4.22

    Update GnuPG to 1.4.22, which fixes some security vulnerabilities,
    such as the memory side channel attack CVE-2017-7526.

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit dfdfafc7af57b5088279680098408df823516703
Author: Michael Tremer
Date:   Tue Mar 20 20:36:15 2018 +0000

    core120: Ship updated vnstat

    Signed-off-by: Michael Tremer

commit a05af852c5f2266151479c9424a9b36243fb1c79
Author: Matthias Fischer
Date:   Tue Mar 20 20:46:52 2018 +0100

    vnstat: Update to 1.18

    For details see:
    https://humdi.net/vnstat/CHANGES

    Changed "SaveInterval 5" to "SaveInterval 1" in '/etc/vnstat.conf',
    triggered by
    https://forum.ipfire.org/viewtopic.php?f=22&t=20448
    to avoid data loss with 1Gbit connections and high traffic.

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit e7ea357cecf5e069dd4fb4e5cd6099d8e5b7d9a4
Author: Michael Tremer
Date:   Tue Mar 20 11:08:58 2018 +0000

    Forgot to "git add" the new pakfire init script

    Signed-off-by: Michael Tremer

commit 42deeb3b450c74138dfb76d9d45d4588a5271887
Author: Michael Tremer
Date:   Mon Mar 19 19:45:24 2018 +0000

    Revert "installer: Import the Pakfire key at install time"

    This reverts commit 7d995c9f56055f39e559bd6e355a9a1689585c6d.

    Signed-off-by: Michael Tremer

commit eb68e27dd27b538d84c8382389f83f1a57ba59e7
Author: Michael Tremer
Date:   Mon Mar 19 19:44:50 2018 +0000

    pakfire: Import key when system boots up

    Signed-off-by: Michael Tremer

commit 5876642d175609919d2f43892deec822d650bdf0
Author: Michael Tremer
Date:   Mon Mar 19 18:07:49 2018 +0000

    ffmpeg: Ship libraries correctly

    Signed-off-by: Michael Tremer

commit 27ef66c26c480542f0ea60d85302da5ada0f0648
Author: Matthias Fischer
Date:   Sun Mar 18 17:32:43 2018 +0100

    hdparm: Update to 9.55

    Changelogs against 9.53:

    "hdparm-9.55:
      - added #include for major()/minor() macros

    hdparm-9.54:
      - Partial revert of Jmicron changes, from Jan Friesse."

    Best,
    Matthias

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit 71e5a29c8123014a8b740c3a99a83742a19019fa
Author: Matthias Fischer
Date:   Sun Mar 18 17:40:47 2018 +0100

    dmidecode 3.1: Added patch (Fix firmware version of TPM device)

    For details see:
    http://git.savannah.gnu.org/cgit/dmidecode.git/commit/?id=174387405e98cd94c627832ae23abcb9be7e5623

    "Both the operator (detected by clang, reported by Xorg) and the mask
    for the minor firmware version field of TPM devices were wrong."

    Best,
    Matthias

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit 35cdaa194ac5d2abfc0a93f60ed99aab07be9ce3
Author: Michael Tremer
Date:   Mon Mar 19 11:52:26 2018 +0000

    Fix python-m2crypto rootfile

    Signed-off-by: Michael Tremer

commit b2318b5e351923632c43e3d5d9e6a2351a1b63cd
Author: Michael Tremer
Date:   Sun Mar 18 13:51:38 2018 +0000

    core120: Ship updated logrotate and restart unbound

    Signed-off-by: Michael Tremer

commit 9e9fdb39e63e521a4771e3e24746edad3c7430b2
Author: Matthias Fischer
Date:   Sun Mar 18 10:05:33 2018 +0100

    unbound: Update to 1.7.0

    For details see:
    http://www.unbound.net/download.html

    Best,
    Matthias

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit 399c2f9ccc2fa8cac89d27353571f3317b45bde4
Author: Matthias Fischer
Date:   Sun Mar 18 10:21:17 2018 +0100

    logrotate: Update to 3.14.0

    For details see:
    https://github.com/logrotate/logrotate/releases

    Best,
    Matthias

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit 4e316ae0a0a63b6f6a4029fa3ba18c757713a49e
Author: Matthias Fischer
Date:   Sun Mar 18 10:14:07 2018 +0100

    htop: Update to 2.1.0

    For details see:
    https://hisham.hm/htop/index.php?page=downloads

    Best,
    Matthias

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit 9051f3c9d71b483198373b5522f47399b68b9572
Author: Matthias Fischer
Date:   Sun Mar 18 10:00:34 2018 +0100

    bind: Update to 9.11.3

    For details see:
    http://ftp.isc.org/isc/bind9/9.11.3/RELEASE-NOTES-bind-9.11.3.html

    Best,
    Matthias

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit 1c1c1ac238d2fd83b2fc17f9206dc9000e9079bc
Author: Matthias Fischer
Date:   Sun Mar 18 09:53:40 2018 +0100

    nano: Update to 2.9.4

    For details see:
    https://www.nano-editor.org/news.php

    Best,
    Matthias

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit 8aeec0ba89b0179138cec1b5ac079c04ad7db410
Author: Matthias Fischer
Date:   Sun Mar 18 09:48:04 2018 +0100

    rsync: Update to 3.1.3

    For details see:
    https://download.samba.org/pub/rsync/src/rsync-3.1.3-NEWS

    Best,
    Matthias

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit e779b6bc7aa470289bde0bf99aa7051dffc4384b
Author: Erik Kapfer
Date:   Sun Mar 18 13:55:31 2018 +0100

    PAM: Delete old lib and symlinks

    Core 119 update delivers an updated PAM whereby the libdir has been
    changed from /lib to /usr/lib but the old libraries and symlinks are
    still present. Since the system searches /lib before /usr/lib, the
    old libs and symlinks are used which ends up in an
    `LIBPAM_EXTENSION_1.1' not found.

    Signed-off-by: Erik Kapfer
    Signed-off-by: Michael Tremer

commit cdc1a0e901c285e84f8cbb6a01248ce6a141b361
Author: Erik Kapfer
Date:   Mon Mar 12 13:47:34 2018 +0100

    OpenVPN: Update to version 2.4.5

    This is primarily a maintenance release, with further improved
    OpenSSL 1.1 integration, several minor bug fixes and other minor
    improvements.
    Further information can be found in here
    https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst#version-245
    and here
    https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24 .

    Signed-off-by: Erik Kapfer
    Signed-off-by: Michael Tremer

commit 35b892b0dd69c482fb3024f8e1dfbd13679b07d8
Author: Michael Tremer
Date:   Fri Mar 16 14:36:05 2018 +0000

    pakfire: Drop old key import mechanism

    This was error-prone and allowed to potentially inject another key.

    Fixes: #11539
    Signed-off-by: Michael Tremer

commit 7d995c9f56055f39e559bd6e355a9a1689585c6d
Author: Michael Tremer
Date:   Fri Mar 16 14:33:42 2018 +0000

    installer: Import the Pakfire key at install time

    Signed-off-by: Michael Tremer

commit ceed3534e154944651be9659e7f299d077edc439
Author: Michael Tremer
Date:   Fri Mar 16 14:28:17 2018 +0000

    core120: Import new pakfire PGP key

    Signed-off-by: Michael Tremer

commit 5e5c2e541395bc5a2ab4d3304f6358861c594d3d
Author: Michael Tremer
Date:   Fri Mar 16 14:23:56 2018 +0000

    Import new Pakfire Signing Key

    We will swap the key that we use to sign Pakfire packages
    since the current one is considered outdated cryptography.

    Fixes: #11539

    Signed-off-by: Michael Tremer

commit f0e9ed78a2ae1b828493c523e5137735c780d833
Author: Stephan Feddersen
Date:   Tue Mar 6 20:53:20 2018 +0100

    WIO: increment PAK_VER

    Signed-off-by: Michael Tremer

commit c1fc92a9b8e2a049875c02a736087beacb8c6348
Author: Stephan Feddersen via Development
Date:   Tue Feb 27 17:20:07 2018 +0100

    WIO: Fix a problem with the Network-Table-Button

    Signed-off-by: Michael Tremer

commit cc222a8e62ebaebf140f6287f8e55edd887b36aa
Author: Stephan Feddersen via Development
Date:   Tue Feb 27 17:18:39 2018 +0100

    WIO: Fix some typos

    Signed-off-by: Michael Tremer

commit a25c95b3a0bf5a3db03fbed0e53f2f2d82d3e148
Author: Stephan Feddersen via Development
Date:   Tue Feb 20 21:41:13 2018 +0100

    WIO: Update to Version 1.3.2 several changes in many files

    Signed-off-by: Michael Tremer

commit d536c178ec90fd95b7e793923a856b8dab8bcb52
Author: Matthias Fischer
Date:   Wed Mar 7 19:19:04 2018 +0100

    ntp: Update to 4.2.8p11

    For details see:
    http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities

    "This release addresses five security issues in ntpd:

        LOW/MEDIUM: Sec 3012 / CVE-2016-1549 / VU#961909: Sybil vulnerability: ephemeral association attack
            While fixed in ntp-4.2.8p7, there are significant additional protections for this issue in 4.2.8p11.
            Reported by Matt Van Gundy of Cisco.
        INFO/MEDIUM: Sec 3412 / CVE-2018-7182 / VU#961909: ctl_getitem(): buffer read overrun leads to undefined behavior and information leak
            Reported by Yihan Lian of Qihoo 360.
        LOW: Sec 3415 / CVE-2018-7170 / VU#961909: Multiple authenticated ephemeral associations
            Reported on the questions@ list.
        LOW: Sec 3453 / CVE-2018-7184 / VU#961909: Interleaved symmetric mode cannot recover from bad state
            Reported by Miroslav Lichvar of Red Hat.
        LOW/MEDIUM: Sec 3454 / CVE-2018-7185 / VU#961909: Unauthenticated packet can reset authenticated interleaved association
            Reported by Miroslav Lichvar of Red Hat.

    one security issue in ntpq:

        MEDIUM: Sec 3414 / CVE-2018-7183 / VU#961909: ntpq:decodearr() can write beyond its buffer limit
            Reported by Michael Macnair of Thales-esecurity.com.

    and provides over 33 bugfixes and 32 other improvements."

    Best,
    Matthias

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit cc4816a1af40ee470fad90e0a7ec1655dc36367b
Author: Matthias Fischer
Date:   Wed Mar 7 19:26:53 2018 +0100

    clamav 0.99.4: removed gcc patch

    Signed-off-by: Matthias Fischer
    Signed-off-by: Michael Tremer

commit dcd60d274ef7245552ffd0c57c15995a220d13a2
Author: Michael Tremer
Date:   Tue Mar 6 15:13:56 2018 +0000

    core120: Ship updated qos.cgi

    Signed-off-by: Michael Tremer

commit 20ffa7d1a896e5d8101f4e82ef11f8fa5b2ad15c
Author: Daniel Weismüller
Date:   Tue Mar 6 15:56:48 2018 +0100

    As described in bug 11257 there is a mistake in the qos templates.
    The sum of the guaranteed bandwidth of the classes 101 - 120 is
    bigger than the available bandwidth.
    I adjusted the guaranteed bandwidth of the classes 101 - 104 so
    that each of them has a

    Signed-off-by: Daniel Weismüller
    Signed-off-by: Michael Tremer

commit 318434affb14cadbfdbe877ae5b1f00aacacea24
Author: Michael Tremer
Date:   Tue Mar 6 15:12:42 2018 +0000

    core120: Ship updated proxy.cgi

    Signed-off-by: Michael Tremer

commit 53d6755451808f8d6eeca8275714d97985d9495b
Author: Daniel Weismüller via Development
Date:   Fri Feb 16 13:04:50 2018 +0100

    squid: Add RAM-only Proxy functionality

    As suggested by Oliver "giller" Fieker
    in bug 10592 I added the functionality to use the squid as ram-only cache.

    Further it defines the maximum_object_size_in_memory
    as 2% of the in the webif defined "Memory cache size".
    The maximum_object_size_in_memory should have a useful
    size of the defined memory cache and I don't want to
    create another variable which must be filled in by the user.

    Signed-off-by: Daniel Weismüller
    Suggested-by: Oliver "giller" Fieker
    Suggested-by: Kim Wölfel
    Acked-by: Michael Tremer
    Cc: Stefan Schantl
    Signed-off-by: Daniel Weismüller
    Signed-off-by: Michael Tremer

commit 01bec956555de7966990047406cbf417d314c40d
Author: Michael Tremer
Date:   Mon Mar 5 15:21:56 2018 +0000

    core120: Ship updated unbound init script

    Signed-off-by: Michael Tremer

commit 438da7e0a012cb979e77efcb923ab86b9078fb57
Author: Peter Müller
Date:   Sun Mar 4 18:26:52 2018 +0100

    test if nameservers with DNSSEC support return "ad"-flagged data

    DNSSEC-validating nameservers return an "ad" (Authenticated Data)
    flag in the DNS response header. This can be used as a negative
    indicator for DNSSEC validation: In case a nameserver does not
    return the flag, but fails to look up a domain with an invalid
    signature, it does not support DNSSEC validation.

    This makes it easier to detect nameservers which do not fully
    comply to the RFCs or try to tamper DNS queries.

    See bug #11595 (https://bugzilla.ipfire.org/show_bug.cgi?id=11595)
    for further details.

    The second version of this patch avoids unnecessary usage of
    grep. Thanks to Michael Tremer for the hint.

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit 9d5e5eb01240cad610088fe2ea6b5b68e4f5e5ee
Author: Peter Müller
Date:   Sun Mar 4 18:03:04 2018 +0100

    Tor: update to 0.3.2.10

    Update Tor to 0.3.2.10, which fixes some security and DoS
    issues especially important for relays.

    The release notes are available at:
    https://blog.torproject.org/new-stable-tor-releases-security-fixes-and-dos-prevention-03210-03110-02915

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer
    Fixes: #11662

commit a12d48868202f0bef98b4c392eb7ca33cd6fe957
Author: Peter Müller
Date:   Sun Mar 4 17:57:15 2018 +0100

    ClamAV: update to 0.99.4

    Update ClamAV to 0.99.4 which fixes four security issues
    and compatibility issues with GCC 6 and C++ 11.

    The release note can be found here:
    http://blog.clamav.net/2018/03/clamav-0994-has-been-released.html

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit 568a227bd318c743225d90c8d93559d04ac72a8f
Author: Michael Tremer
Date:   Thu Mar 1 19:58:11 2018 +0000

    vpnmain.cgi: Fix reading common names from certificates

    OpenSSL has changed the output of the subject lines of
    certificates.

    Signed-off-by: Michael Tremer

commit 63b515dc260f2da9bd413fea254d2e5b634c793a
Author: Michael Tremer
Date:   Wed Feb 28 11:55:35 2018 +0000

    apache: Require TLSv1.2 for access to the web user interface

    This will work fine for FF 27 or newer, Chrome 30 or newer,
    IE 11 on Windows 7 or newer, Opera 17 or newer, Safari 9 or
    newer, Android 5.0 or newer and Java 8 or newer

    Since IPFire is not supposed to host any other applications and
    all have been removed in the last few Core Updates, only the web
    user interface is served over HTTPS here. We clearly prefer
    security over compatibility.

    Signed-off-by: Michael Tremer

commit 464426d36348cdb468f5c03f50132cf6583e23bd
Author: Peter Müller
Date:   Tue Nov 7 20:51:32 2017 +0100

    change Apache TLS cipher list to "Mozilla Modern"

    Change the TLS cipher list of Apache to "Mozilla Modern".

    ECDSA is preferred over RSA to save CPU time on both server
    and client. Clients without support for TLS 1.2 and AES will
    experience connection failures.

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit 263d1e6484ad61711f07cad35057c324db28b480
Author: Michael Tremer
Date:   Wed Feb 28 11:49:47 2018 +0000

    openssl: Apply ciphers patch before running Configure

    This works just fine here.

    Signed-off-by: Michael Tremer

commit 592949344560592807b5155d1c0ed085ac02c8ab
Author: Peter Müller via Development
Date:   Tue Feb 27 18:35:22 2018 +0100

    set OpenSSL 1.1.0 DEFAULT cipher list to secure value

    Only use secure cipher list for the OpenSSL DEFAULT list:
    * ECDSA is preferred over RSA since it is faster and more scalable
    * TLS 1.2 suites are preferred over anything older
    * weak ciphers such as RC4 and 3DES have been eliminated
    * AES-GCM is preferred over AES-CBC (known as "mac-then-encrypt" problem)
    * ciphers without PFS are moved to the end of the cipher list

    This patch leaves AES-CCM, AES-CCM8 and CHACHA20-POLY1305 suites
    where they are since they are considered secure and there is no
    need to change anything.

    The DEFAULT cipher list is now (output of "openssl ciphers -v"):

    ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
    ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
    ECDHE-ECDSA-AES256-CCM8 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM8(256) Mac=AEAD
    ECDHE-ECDSA-AES256-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(256) Mac=AEAD
    ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
    ECDHE-ECDSA-AES128-CCM8 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM8(128) Mac=AEAD
    ECDHE-ECDSA-AES128-CCM TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESCCM(128) Mac=AEAD
    ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
    ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(256) Mac=SHA384
    ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
    ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(128) Mac=SHA256
    ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
    ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
    ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
    ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
    ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(256) Mac=SHA384
    ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
    ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(128) Mac=SHA256
    DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
    DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
    DHE-RSA-AES256-CCM8 TLSv1.2 Kx=DH Au=RSA Enc=AESCCM8(256) Mac=AEAD
    DHE-RSA-AES256-CCM TLSv1.2 Kx=DH Au=RSA Enc=AESCCM(256) Mac=AEAD
    DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
    DHE-RSA-AES128-CCM8 TLSv1.2 Kx=DH Au=RSA Enc=AESCCM8(128) Mac=AEAD
    DHE-RSA-AES128-CCM TLSv1.2 Kx=DH Au=RSA Enc=AESCCM(128) Mac=AEAD
    DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
    DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA256
    DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
    DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA256
    ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
    ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
    ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
    ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
    DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
    DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
    DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
    DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
    AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
    AES256-CCM8 TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM8(256) Mac=AEAD
    AES256-CCM TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM(256) Mac=AEAD
    AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
    AES128-CCM8 TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM8(128) Mac=AEAD
    AES128-CCM TLSv1.2 Kx=RSA Au=RSA Enc=AESCCM(128) Mac=AEAD
    AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
    CAMELLIA256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA256
    AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
    CAMELLIA128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA256
    AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
    CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
    AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
    CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1

    This has been discussed at 2017-12-04
    (https://wiki.ipfire.org/devel/telco/2017-12-04)
    and for a similar patch written for OpenSSL 1.0.x.

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit e707599d2cd8af8a1464ce31ee89a5401d5df0e2
Author: Michael Tremer
Date:   Wed Feb 28 10:48:29 2018 +0000

    core120: Call openvpnctrl with full path

    Signed-off-by: Michael Tremer

commit ca4c354e085083dacf66071b23e507ea2ebb1b81
Author: Michael Tremer
Date:   Mon Feb 26 16:28:16 2018 +0000

    Bump release of all packages linked against OpenSSL

    Signed-off-by: Michael Tremer

commit d192815e839c42566c669999900a0dd62824eb8e
Author: Michael Tremer
Date:   Mon Feb 26 16:22:32 2018 +0000

    core120: Ship everything that is linked against OpenSSL

    This will make sure that everything is using the new version
    of the library.

    Signed-off-by: Michael Tremer

commit 1c0cfaa5949e4303e8e4e2f041af86a812f3fe6c
Author: Michael Tremer
Date:   Mon Feb 26 15:37:49 2018 +0000

    Disable Path MTU discovery

    This seems to be a failed concept and causes issues with transferring
    large packets through an IPsec tunnel connection.

    This configures the kernel to still respond to PMTU ICMP discovery
    messages, but will not try this on its own.

    Signed-off-by: Michael Tremer

commit f0e308ab2ff92858452d7c3ac3ad114b4ea862f4
Author: Michael Tremer
Date:   Mon Feb 26 15:34:10 2018 +0000

    core120: Fix typo in initscript name

    Signed-off-by: Michael Tremer

commit 61fcd32f152f36edec042dd8e35ae2ab3f2acc2f
Author: Michael Tremer
Date:   Mon Feb 26 13:06:34 2018 +0000

    Rootfile update

    Signed-off-by: Michael Tremer

commit 0eccedd1c8340e186a8329f66a235aea6c92b1af
Author: Michael Tremer
Date:   Mon Feb 26 11:12:20 2018 +0000

    dhcp: Allow adding extra DHCP interfaces

    Signed-off-by: Michael Tremer

commit 39d11d265e4f1a41994d0adf85498f54c63ba7ab
Author: Erik Kapfer via Development
Date:   Mon Feb 26 08:00:15 2018 +0100

    OpenVPN: Ship missing OpenSSL configuration file for update

    Core 115 delivered a patch which prevents the
    '--ns-cert-type server is deprecated' message and introduced also
    '--remote-cert-tls server' --> https://patchwork.ipfire.org/patch/1441/
    whereby the changed ovpn.cnf has not been delivered.

    Signed-off-by: Erik Kapfer
    Signed-off-by: Michael Tremer

commit 52f61e496df86f1a70fa9d468d64e756bdb66f4d
Author: Erik Kapfer via Development
Date:   Sun Feb 25 14:49:49 2018 +0100

    OpenVPN: New AES-GCM cipher for N2N and RW

    AES-GCM 128, 196 and 256 bit has been added to Net-to-Net and
    Roadwarrior section.

    HMAC selection for N2N will be disabled if AES-GCM is used since GCM
    provides an own message authentication (GMAC).
        'auth *' line in N2N.conf will be deleted appropriately if AES-GCM
        is used since '--tls-auth' is not available for N2N.
    HMAC selection menu for Roadwarriors is still available since
    '--tls-auth' is available for RWs which uses the configured HMAC
    even AES-GCM has been applied.

    Signed-off-by: Erik Kapfer
    Signed-off-by: Michael Tremer

commit 87484f5c784e013229bc6d32430cdc8eb7b8a709
Author: Michael Tremer
Date:   Thu Feb 22 18:52:03 2018 +0000

    openssl-compat: Do not try to apply missing padlock patch

    Signed-off-by: Michael Tremer

commit b9c56c9e9cf261e5d35d060f2f0afce39c633d47
Author: Michael Tremer
Date:   Thu Feb 22 18:50:38 2018 +0000

    openssl-compat: Add missing library path

    Signed-off-by: Michael Tremer

commit 8b080ef12b63e94d82b44c09cc00af40d9e9fe8d
Author: Michael Tremer
Date:   Wed Feb 21 13:06:22 2018 +0000

    core120: Remove deprecated sshd configuration option

    This just created a warning and is now dropped

    Signed-off-by: Michael Tremer

commit c2646dff80ecd43986d4aafcb42d43303f362790
Author: Michael Tremer
Date:   Wed Feb 21 12:55:36 2018 +0000

    Revert "wget: Link against GnuTLS instead of OpenSSL"

    This reverts commit a46b159a8dc0d191ee57cf48b66be8a39fd7d9ec.

    wget 1.19.4 supports linking against OpenSSL 1.1.0.

    Signed-off-by: Michael Tremer

commit c8e4391eccf6cff06b7ee17d1a50912fe77faf32
Author: Michael Tremer
Date:   Wed Feb 21 12:41:05 2018 +0000

    core120: Remove forgotten PHP file

    Signed-off-by: Michael Tremer

commit 53929f5ae8a2edc8dff4484b4d293fcba5dd50af
Author: Michael Tremer
Date:   Wed Feb 21 12:39:55 2018 +0000

    core120: Ship updated OpenSSL 1.1.0

    Signed-off-by: Michael Tremer

commit 9434bffaf23228be1774a63ad19d4751339e663c
Merge: cb8a6bf5a a4fd23254
Author: Michael Tremer
Date:   Wed Feb 21 12:21:10 2018 +0000

    Merge branch 'openssl-11' into next

commit cb8a6bf5a4a2794638da37b992799e275022c78d
Author: Michael Tremer
Date:   Wed Feb 21 12:20:57 2018 +0000

    Start Core Update 120

    Signed-off-by: Michael Tremer

commit a4fd232541bf5002eb7e256727d2b10c89b6d1bf
Author: Erik Kapfer
Date:   Thu Feb 15 05:43:49 2018 +0100

    OpenVPN: Added needed directive for v2.4 update

    script-security: The support for the 'system' flag has been removed
    due to security implications with shell expansions when executing
    scripts via system() call.
        For more information:
        https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage .

    ncp-disable: Negotiable crypto parameters has been disabled for the first.

    Signed-off-by: Erik Kapfer
    Signed-off-by: Michael Tremer

commit bd42f9f968112d2f15847c274d0e4c8b7bd9ddf1
Author: Erik Kapfer
Date:   Wed Feb 7 18:31:49 2018 +0100

    CRL updater: Update script for OpenVPNs CRL

    Update script for OpenVPNs CRL cause OpenVPN refactors the CRL
    handling since v.2.4.0 .
        Script checks the next update field from the CRL and executes an
        update before it expires.
        Script is placed under fcron.daily for daily checks.

    Signed-off-by: Erik Kapfer
    Signed-off-by: Michael Tremer

commit 59d77d2eae265304887408b1d36074269f6075a4
Author: Michael Tremer
Date:   Wed Feb 7 12:43:28 2018 +0000

    openssl: Properly pass CFLAGS and LDFLAGS to build

    Signed-off-by: Michael Tremer

commit 11e78f38b9fe0e5087dd59ef76782cd39bd8f197
Author: Michael Tremer
Date:   Fri Feb 2 11:12:19 2018 +0000

    Package openssl-compat (1.0.2.n)

    This is provided for compatibility with binaries that have
    been compiled against this version of OpenSSL.

    Signed-off-by: Michael Tremer

commit 56f8478e4daaf4028f7332561da4b3418eed6b3a
Author: Michael Tremer
Date:   Fri Feb 2 10:59:37 2018 +0000

    openssl: Rootfile update

    Signed-off-by: Michael Tremer

commit 3b83dffc1961a3911e8197621c8e59ab44b5c614
Author: Erik Kapfer
Date:   Wed Jan 31 10:34:59 2018 +0100

    OpenVPN: Update to version 2.4.4

    Changed LFS and ROOTFILE for OpenVPN 2.4.4 update.

    Signed-off-by: Erik Kapfer
    Signed-off-by: Michael Tremer

commit 8b87254a02c275a1e19dcd25cf27d83eb5babd38
Author: Michael Tremer
Date:   Sat Jan 13 12:00:08 2018 +0000

    python-m2crypto: Install in correct directory

    Signed-off-by: Michael Tremer

commit 1b7cb0484c0b9ca8bd20d480b8fa8ad6c31dfb12
Author: Michael Tremer
Date:   Sat Jan 13 11:59:37 2018 +0000

    openssl: Enable engines

    Some tools that depend on openssl won't compile without it

    Signed-off-by: Michael Tremer

commit a46b159a8dc0d191ee57cf48b66be8a39fd7d9ec
Author: Michael Tremer
Date:   Thu Jan 11 11:49:31 2018 +0000

    wget: Link against GnuTLS instead of OpenSSL

    This version does not seem to be compatible with OpenSSL 1.1
    and might be changed back to OpenSSL whenever it will compile.

    Signed-off-by: Michael Tremer

commit fd07dae7a4c6e78761b2005a9785155610adba0d
Author: Michael Tremer
Date:   Tue Nov 28 16:51:51 2017 +0000

    python-m2crypto: Update to 0.27.0

    Signed-off-by: Michael Tremer

commit 5c82a9f0409e67dd10aeacf82fdcf3042fea31c7
Author: Michael Tremer
Date:   Tue Nov 28 16:48:20 2017 +0000

    python-typing: Required for m2crypto

    Signed-off-by: Michael Tremer

commit 7e63e4f8069e396296360584db498753490097d6
Author: Michael Tremer
Date:   Tue Nov 28 16:39:38 2017 +0000

    transmission: Patch to build against OpenSSL 1.1

    Signed-off-by: Michael Tremer

commit 0d0fe16e22499868b38e35e190729f50c6acf1c9
Author: Michael Tremer
Date:   Tue Nov 28 15:06:54 2017 +0000

    net-snmp: Patch to build against OpenSSL 1.1

    Signed-off-by: Michael Tremer

commit 3b10b313032fe32e8e611a7c47e6e90259972ce3
Author: Michael Tremer
Date:   Tue Nov 28 13:58:29 2017 +0000

    elinks: Patch to build against OpenSSL 1.1

    Signed-off-by: Michael Tremer

commit 2ab923bb8ee35327065f4c724b5a10deee22b364
Author: Michael Tremer
Date:   Tue Nov 28 13:37:38 2017 +0000

    ncat: Update to 7.60

    Signed-off-by: Michael Tremer

commit 5809552f2fb1371870b4e111d4ef018730d683b9
Author: Michael Tremer
Date:   Tue Nov 28 13:06:26 2017 +0000

    krb5: Update to 1.15.2 to build against OpenSSL 1.1

    Signed-off-by: Michael Tremer

commit 07b8dcd0b2287fd316592dd0fe18d103b71b712e
Author: Michael Tremer
Date:   Tue Nov 28 13:02:17 2017 +0000

    openssh: Update to 7.6p1 and patch against OpenSSL 1.1

    Signed-off-by: Michael Tremer

commit a82d85131b8220c3800c54dec49bd1ce605f0e7a
Author: Michael Tremer
Date:   Mon Nov 27 13:19:20 2017 +0000

    Net-SSLeay: Update to 1.82

    Signed-off-by: Michael Tremer

commit f8ee1cfcfcc5a2fd520a40c66a5747480debb51a
Author: Michael Tremer
Date:   Mon Nov 27 12:47:13 2017 +0000

    cyrus-sasl: Disable OTP to build against OpenSSL 1.1

    Signed-off-by: Michael Tremer

commit 5a9bbaa93d7693c21dc6e2b23d07716c12aac220
Author: Michael Tremer
Date:   Sat Nov 25 13:03:13 2017 +0000

    openssl: Update to version 1.1

    Signed-off-by: Michael Tremer

-----------------------------------------------------------------------

hooks/post-receive
--
IPFire 2.x development tree

--===============6861990939657079711==--