From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Tremer
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 527078e439fc7376c3a7da3ae8551c853e99e2b7
Date: Thu, 13 Jun 2019 13:01:31 +0100
Message-ID: <20190613120132.A82BF84FDC0@people01.i.ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============4146677435917963370=="
List-Id:

--===============4146677435917963370==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  527078e439fc7376c3a7da3ae8551c853e99e2b7 (commit)
       via  69772b7dda05726077fa5c70e86f41169a91534f (commit)
       via  ce46df9b83d15033156845e19e9a386e52a0a1cd (commit)
       via  e263c29c929e69e345833f436d4958d88264020c (commit)
       via  91056adea5d6e203f41e7743443eb61ed2b885cf (commit)
      from  043e7aa50ff36e65eb0d6a341b09301ce25795f0 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 527078e439fc7376c3a7da3ae8551c853e99e2b7
Author: Michael Tremer
Date:   Wed Jun 12 17:25:13 2019 +0100

    core134: Ship updated OpenSSL

    Signed-off-by: Michael Tremer

commit 69772b7dda05726077fa5c70e86f41169a91534f
Author: Peter Müller
Date:   Mon Jun 10 18:55:00 2019 +0000

    OpenSSL: lower priority for CBC ciphers in default cipherlist

    In order to avoid CBC ciphers as often as possible (they contain
    some known vulnerabilities), this changes the OpenSSL default
    ciphersuite to:

    TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
    TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
    TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
    ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
    ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
    ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
    ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
    ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
    ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
    ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
    ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(256) Mac=SHA384
    ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
    ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(256) Mac=SHA384
    ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
    ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=Camellia(128) Mac=SHA256
    ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
    ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(128) Mac=SHA256
    DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
    DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
    DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
    DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
    DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA256
    DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
    DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA256
    ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
    ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
    ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
    ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
    DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
    DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
    DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
    DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
    AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
    AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
    AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
    CAMELLIA256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA256
    AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
    CAMELLIA128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA256
    AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
    CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
    AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
    CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1

    Since TLS servers usually override the clients' preference with their
    own, this will neither break existing setups nor introduce huge
    differences in the wild. Unfortunately, CBC ciphers cannot be disabled
    at all, as they are still used by popular web sites.

    TLS 1.3 ciphers will be added implicitly and can be omitted in the
    cipherstring. Chacha20/Poly1305 is preferred over AES-GCM due to missing
    AES-NI support for the majority of installations reporting to Fireinfo
    (see https://fireinfo.ipfire.org/processors for details, AES-NI support
    is 28.22% at the time of writing).

    Signed-off-by: Peter Müller
    Signed-off-by: Michael Tremer

commit ce46df9b83d15033156845e19e9a386e52a0a1cd
Author: Michael Tremer
Date:   Wed Jun 12 17:18:23 2019 +0100

    Start Core Update 134

    Signed-off-by: Michael Tremer

commit e263c29c929e69e345833f436d4958d88264020c
Author: Michael Tremer
Date:   Wed Jun 12 17:14:28 2019 +0100

    unbound: Make some zones type-transparent

    If we remove other records (like MX) from the response, we won't
    be able to send mail to those hosts any more.

    Signed-off-by: Michael Tremer

commit 91056adea5d6e203f41e7743443eb61ed2b885cf
Author: Michael Tremer
Date:   Wed Jun 12 17:11:32 2019 +0100

    unbound: Add yandex.com to safe search feature

Signed-off-by: Michael Tremer ----------------------------------------------------------------------- Summary of changes: config/rootfiles/core/{133 =3D> 134}/exclude | 0 config/rootfiles/{oldcore/113 =3D> core/134}/filelists/files | 2 +- .../{oldcore/100 =3D> core/134}/filelists/i586/openssl-sse2 | 0 config/rootfiles/core/{133 =3D> 134}/filelists/openssl | 0 config/rootfiles/{oldcore/130 =3D> core/134}/update.sh | 9 ++------- config/rootfiles/{core =3D> oldcore}/133/exclude | 0 .../{core =3D> oldcore}/133/filelists/aarch64/binutils | 0 config/rootfiles/{core =3D> oldcore}/133/filelists/aarch64/gcc | 0 .../rootfiles/{core =3D> oldcore}/133/filelists/aarch64/glibc | 0 .../{core =3D> oldcore}/133/filelists/armv5tel/binutils | 0 .../rootfiles/{core =3D> oldcore}/133/filelists/armv5tel/gcc | 0 .../rootfiles/{core =3D> oldcore}/133/filelists/armv5tel/glibc | 0 config/rootfiles/{core =3D> oldcore}/133/filelists/bind | 0 config/rootfiles/{core =3D> oldcore}/133/filelists/files | 0 .../rootfiles/{core =3D> oldcore}/133/filelists/i586/binutils | 0 config/rootfiles/{core =3D> oldcore}/133/filelists/i586/gcc | 0 config/rootfiles/{core =3D> oldcore}/133/filelists/i586/glibc | 0 .../rootfiles/{core =3D> oldcore}/133/filelists/i586/hyperscan | 0 .../{core =3D> oldcore}/133/filelists/ids-ruleset-sources | 0 config/rootfiles/{core =3D> oldcore}/133/filelists/knot | 0 config/rootfiles/{core =3D> oldcore}/133/filelists/openssl | 0 config/rootfiles/{core =3D> oldcore}/133/filelists/pam | 0 config/rootfiles/{core =3D> oldcore}/133/filelists/rrdtool | 0 config/rootfiles/{core =3D> oldcore}/133/filelists/squid | 0 config/rootfiles/{core =3D> oldcore}/133/filelists/strongswan | 0 config/rootfiles/{core =3D> oldcore}/133/filelists/suricata | 0 .../rootfiles/{core =3D> oldcore}/133/filelists/wpa_supplicant | 0 .../{core =3D> oldcore}/133/filelists/x86_64/binutils | 0 config/rootfiles/{core =3D> oldcore}/133/filelists/x86_64/gcc | 0 .../rootfiles/{core =3D> 
oldcore}/133/filelists/x86_64/glibc | 0 .../{core =3D> oldcore}/133/filelists/x86_64/hyperscan | 0 config/rootfiles/{core =3D> oldcore}/133/update.sh | 0 lfs/openssl | 2 +- make.sh | 2 +- src/initscripts/system/unbound | 12 ++++++++--= -- ...herlist.patch =3D> openssl-1.1.1c-default-cipherlist.patch} | 8 ++++---- 36 files changed, 17 insertions(+), 18 deletions(-) copy config/rootfiles/core/{133 =3D> 134}/exclude (100%) copy config/rootfiles/{oldcore/113 =3D> core/134}/filelists/files (66%) copy config/rootfiles/{oldcore/100 =3D> core/134}/filelists/i586/openssl-sse= 2 (100%) copy config/rootfiles/core/{133 =3D> 134}/filelists/openssl (100%) copy config/rootfiles/{oldcore/130 =3D> core/134}/update.sh (93%) rename config/rootfiles/{core =3D> oldcore}/133/exclude (100%) rename config/rootfiles/{core =3D> oldcore}/133/filelists/aarch64/binutils (= 100%) rename config/rootfiles/{core =3D> oldcore}/133/filelists/aarch64/gcc (100%) rename config/rootfiles/{core =3D> oldcore}/133/filelists/aarch64/glibc (100= %) rename config/rootfiles/{core =3D> oldcore}/133/filelists/armv5tel/binutils = (100%) rename config/rootfiles/{core =3D> oldcore}/133/filelists/armv5tel/gcc (100%) rename config/rootfiles/{core =3D> oldcore}/133/filelists/armv5tel/glibc (10= 0%) rename config/rootfiles/{core =3D> oldcore}/133/filelists/bind (100%) rename config/rootfiles/{core =3D> oldcore}/133/filelists/files (100%) rename config/rootfiles/{core =3D> oldcore}/133/filelists/i586/binutils (100= %) rename config/rootfiles/{core =3D> oldcore}/133/filelists/i586/gcc (100%) rename config/rootfiles/{core =3D> oldcore}/133/filelists/i586/glibc (100%) rename config/rootfiles/{core =3D> oldcore}/133/filelists/i586/hyperscan (10= 0%) rename config/rootfiles/{core =3D> oldcore}/133/filelists/ids-ruleset-source= s (100%) rename config/rootfiles/{core =3D> oldcore}/133/filelists/knot (100%) rename config/rootfiles/{core =3D> oldcore}/133/filelists/openssl (100%) rename config/rootfiles/{core =3D> 
oldcore}/133/filelists/pam (100%) rename config/rootfiles/{core =3D> oldcore}/133/filelists/rrdtool (100%) rename config/rootfiles/{core =3D> oldcore}/133/filelists/squid (100%) rename config/rootfiles/{core =3D> oldcore}/133/filelists/strongswan (100%) rename config/rootfiles/{core =3D> oldcore}/133/filelists/suricata (100%) rename config/rootfiles/{core =3D> oldcore}/133/filelists/wpa_supplicant (10= 0%) rename config/rootfiles/{core =3D> oldcore}/133/filelists/x86_64/binutils (1= 00%) rename config/rootfiles/{core =3D> oldcore}/133/filelists/x86_64/gcc (100%) rename config/rootfiles/{core =3D> oldcore}/133/filelists/x86_64/glibc (100%) rename config/rootfiles/{core =3D> oldcore}/133/filelists/x86_64/hyperscan (= 100%) rename config/rootfiles/{core =3D> oldcore}/133/update.sh (100%) rename src/patches/{openssl-1.1.1a-default-cipherlist.patch =3D> openssl-1.1= .1c-default-cipherlist.patch} (66%) Difference in files: diff --git a/config/rootfiles/core/133/exclude b/config/rootfiles/core/134/ex= clude similarity index 100% rename from config/rootfiles/core/133/exclude rename to config/rootfiles/core/134/exclude diff --git a/config/rootfiles/core/134/filelists/files b/config/rootfiles/cor= e/134/filelists/files new file mode 100644 index 000000000..25ade1735 --- /dev/null +++ b/config/rootfiles/core/134/filelists/files @@ -0,0 +1,5 @@ +etc/system-release +etc/issue +etc/rc.d/init.d/unbound +srv/web/ipfire/cgi-bin/credits.cgi +var/ipfire/langs diff --git a/config/rootfiles/core/134/filelists/i586/openssl-sse2 b/config/r= ootfiles/core/134/filelists/i586/openssl-sse2 new file mode 120000 index 000000000..f424713d6 --- /dev/null +++ b/config/rootfiles/core/134/filelists/i586/openssl-sse2 @@ -0,0 +1 @@ +../../../../common/i586/openssl-sse2 \ No newline at end of file 
diff --git a/config/rootfiles/core/133/filelists/openssl b/config/rootfiles/c= ore/134/filelists/openssl similarity index 100% rename from config/rootfiles/core/133/filelists/openssl rename to config/rootfiles/core/134/filelists/openssl diff --git a/config/rootfiles/core/134/update.sh b/config/rootfiles/core/134/= update.sh new file mode 100644 index 000000000..30fe9c529 --- /dev/null +++ b/config/rootfiles/core/134/update.sh 
@@ -0,0 +1,60 @@ +#!/bin/bash +############################################################################ +# # +# This file is part of the IPFire Firewall. # +# # +# IPFire is free software; you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation; either version 3 of the License, or # +# (at your option) any later version. # +# # +# IPFire is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with IPFire; if not, write to the Free Software # +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # +# # +# Copyright (C) 2019 IPFire-Team . = # +# # +############################################################################ +# +. /opt/pakfire/lib/functions.sh +/usr/local/bin/backupctrl exclude >/dev/null 2>&1 + +core=3D134 + +# Remove old core updates from pakfire cache to save space... +for (( i=3D1; i<=3D$core; i++ )); do + rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire +done + +# Stop services + +# Extract files +extract_files + +# update linker config +ldconfig + +# Update Language cache +/usr/local/bin/update-lang-cache + +# Start services +/etc/init.d/unbound restart + +# Finish +/etc/init.d/fireinfo start +sendprofile + +# Update grub config to display new core version +if [ -e /boot/grub/grub.cfg ]; then + grub-mkconfig -o /boot/grub/grub.cfg +fi + +sync + +# Don't report the exitcode last command +exit 0 diff --git a/config/rootfiles/oldcore/133/exclude b/config/rootfiles/oldcore/= 133/exclude new file mode 100644 index 000000000..b22159878 --- /dev/null +++ b/config/rootfiles/oldcore/133/exclude 
@@ -0,0 +1,28 @@ +boot/config.txt +boot/grub/grub.cfg +boot/grub/grubenv +etc/alternatives +etc/collectd.custom +etc/default/grub +etc/ipsec.conf +etc/ipsec.secrets +etc/ipsec.user.conf +etc/ipsec.user.secrets +etc/localtime +etc/shadow +etc/snort/snort.conf +etc/ssl/openssl.cnf +etc/sudoers +etc/sysconfig/firewall.local +etc/sysconfig/rc.local +etc/udev/rules.d/30-persistent-network.rules +srv/web/ipfire/html/proxy.pac +var/ipfire/dma +var/ipfire/time +var/ipfire/ovpn +var/lib/alternatives +var/log/cache +var/log/dhcpcd.log +var/log/messages +var/state/dhcp/dhcpd.leases +var/updatecache diff --git a/config/rootfiles/core/133/filelists/aarch64/binutils b/config/ro= otfiles/oldcore/133/filelists/aarch64/binutils similarity index 100% rename from config/rootfiles/core/133/filelists/aarch64/binutils rename to config/rootfiles/oldcore/133/filelists/aarch64/binutils diff --git a/config/rootfiles/core/133/filelists/aarch64/gcc b/config/rootfil= es/oldcore/133/filelists/aarch64/gcc similarity index 100% rename from config/rootfiles/core/133/filelists/aarch64/gcc rename to config/rootfiles/oldcore/133/filelists/aarch64/gcc diff --git a/config/rootfiles/core/133/filelists/aarch64/glibc b/config/rootf= iles/oldcore/133/filelists/aarch64/glibc similarity index 100% rename from config/rootfiles/core/133/filelists/aarch64/glibc rename to config/rootfiles/oldcore/133/filelists/aarch64/glibc diff --git a/config/rootfiles/core/133/filelists/armv5tel/binutils b/config/r= ootfiles/oldcore/133/filelists/armv5tel/binutils similarity index 100% rename from config/rootfiles/core/133/filelists/armv5tel/binutils rename to config/rootfiles/oldcore/133/filelists/armv5tel/binutils diff --git a/config/rootfiles/core/133/filelists/armv5tel/gcc b/config/rootfi= les/oldcore/133/filelists/armv5tel/gcc similarity index 100% rename from config/rootfiles/core/133/filelists/armv5tel/gcc rename to config/rootfiles/oldcore/133/filelists/armv5tel/gcc 
diff --git a/config/rootfiles/core/133/filelists/armv5tel/glibc b/config/root= files/oldcore/133/filelists/armv5tel/glibc similarity index 100% rename from config/rootfiles/core/133/filelists/armv5tel/glibc rename to config/rootfiles/oldcore/133/filelists/armv5tel/glibc diff --git a/config/rootfiles/core/133/filelists/bind b/config/rootfiles/oldc= ore/133/filelists/bind similarity index 100% rename from config/rootfiles/core/133/filelists/bind rename to config/rootfiles/oldcore/133/filelists/bind diff --git a/config/rootfiles/core/133/filelists/files b/config/rootfiles/old= core/133/filelists/files similarity index 100% rename from config/rootfiles/core/133/filelists/files rename to config/rootfiles/oldcore/133/filelists/files diff --git a/config/rootfiles/core/133/filelists/i586/binutils b/config/rootf= iles/oldcore/133/filelists/i586/binutils similarity index 100% rename from config/rootfiles/core/133/filelists/i586/binutils rename to config/rootfiles/oldcore/133/filelists/i586/binutils diff --git a/config/rootfiles/core/133/filelists/i586/gcc b/config/rootfiles/= oldcore/133/filelists/i586/gcc similarity index 100% rename from config/rootfiles/core/133/filelists/i586/gcc rename to config/rootfiles/oldcore/133/filelists/i586/gcc diff --git a/config/rootfiles/core/133/filelists/i586/glibc b/config/rootfile= s/oldcore/133/filelists/i586/glibc similarity index 100% rename from config/rootfiles/core/133/filelists/i586/glibc rename to config/rootfiles/oldcore/133/filelists/i586/glibc diff --git a/config/rootfiles/core/133/filelists/i586/hyperscan b/config/root= files/oldcore/133/filelists/i586/hyperscan similarity index 100% rename from config/rootfiles/core/133/filelists/i586/hyperscan rename to config/rootfiles/oldcore/133/filelists/i586/hyperscan 
diff --git a/config/rootfiles/core/133/filelists/ids-ruleset-sources b/config= /rootfiles/oldcore/133/filelists/ids-ruleset-sources similarity index 100% rename from config/rootfiles/core/133/filelists/ids-ruleset-sources rename to config/rootfiles/oldcore/133/filelists/ids-ruleset-sources diff --git a/config/rootfiles/core/133/filelists/knot b/config/rootfiles/oldc= ore/133/filelists/knot similarity index 100% rename from config/rootfiles/core/133/filelists/knot rename to config/rootfiles/oldcore/133/filelists/knot diff --git a/config/rootfiles/oldcore/133/filelists/openssl b/config/rootfile= s/oldcore/133/filelists/openssl new file mode 120000 index 000000000..e011a9266 --- /dev/null +++ b/config/rootfiles/oldcore/133/filelists/openssl @@ -0,0 +1 @@ +../../../common/openssl \ No newline at end of file diff --git a/config/rootfiles/core/133/filelists/pam b/config/rootfiles/oldco= re/133/filelists/pam similarity index 100% rename from config/rootfiles/core/133/filelists/pam rename to config/rootfiles/oldcore/133/filelists/pam diff --git a/config/rootfiles/core/133/filelists/rrdtool b/config/rootfiles/o= ldcore/133/filelists/rrdtool similarity index 100% rename from config/rootfiles/core/133/filelists/rrdtool rename to config/rootfiles/oldcore/133/filelists/rrdtool diff --git a/config/rootfiles/core/133/filelists/squid b/config/rootfiles/old= core/133/filelists/squid similarity index 100% rename from config/rootfiles/core/133/filelists/squid rename to config/rootfiles/oldcore/133/filelists/squid diff --git a/config/rootfiles/core/133/filelists/strongswan b/config/rootfile= s/oldcore/133/filelists/strongswan similarity index 100% rename from config/rootfiles/core/133/filelists/strongswan rename to config/rootfiles/oldcore/133/filelists/strongswan 
diff --git a/config/rootfiles/core/133/filelists/suricata b/config/rootfiles/= oldcore/133/filelists/suricata similarity index 100% rename from config/rootfiles/core/133/filelists/suricata rename to config/rootfiles/oldcore/133/filelists/suricata diff --git a/config/rootfiles/core/133/filelists/wpa_supplicant b/config/root= files/oldcore/133/filelists/wpa_supplicant similarity index 100% rename from config/rootfiles/core/133/filelists/wpa_supplicant rename to config/rootfiles/oldcore/133/filelists/wpa_supplicant diff --git a/config/rootfiles/core/133/filelists/x86_64/binutils b/config/roo= tfiles/oldcore/133/filelists/x86_64/binutils similarity index 100% rename from config/rootfiles/core/133/filelists/x86_64/binutils rename to config/rootfiles/oldcore/133/filelists/x86_64/binutils diff --git a/config/rootfiles/core/133/filelists/x86_64/gcc b/config/rootfile= s/oldcore/133/filelists/x86_64/gcc similarity index 100% rename from config/rootfiles/core/133/filelists/x86_64/gcc rename to config/rootfiles/oldcore/133/filelists/x86_64/gcc diff --git a/config/rootfiles/core/133/filelists/x86_64/glibc b/config/rootfi= les/oldcore/133/filelists/x86_64/glibc similarity index 100% rename from config/rootfiles/core/133/filelists/x86_64/glibc rename to config/rootfiles/oldcore/133/filelists/x86_64/glibc diff --git a/config/rootfiles/core/133/filelists/x86_64/hyperscan b/config/ro= otfiles/oldcore/133/filelists/x86_64/hyperscan similarity index 100% rename from config/rootfiles/core/133/filelists/x86_64/hyperscan rename to config/rootfiles/oldcore/133/filelists/x86_64/hyperscan diff --git a/config/rootfiles/core/133/update.sh b/config/rootfiles/oldcore/1= 33/update.sh similarity index 100% rename from config/rootfiles/core/133/update.sh rename to config/rootfiles/oldcore/133/update.sh diff --git a/lfs/openssl b/lfs/openssl index 9f9e7a684..47bd4aff0 100644 --- a/lfs/openssl +++ b/lfs/openssl 
@@ -117,7 +117,7 @@ $(subst %,%_MD5,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.1.1a-default= -cipherlist.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/openssl-1.1.1c-default= -cipherlist.patch =20 # Apply our CFLAGS cd $(DIR_APP) && sed -i Configure \ diff --git a/make.sh b/make.sh index cdf5bbed7..5b1e0ed99 100755 --- a/make.sh +++ b/make.sh @@ -26,7 +26,7 @@ NAME=3D"IPFire" # Software name SNAME=3D"ipfire" # Short name # If you update the version don't forget to update backupiso and add it to c= ore update VERSION=3D"2.23" # Version number -CORE=3D"133" # Core Level (Filename) +CORE=3D"134" # Core Level (Filename) PAKFIRE_CORE=3D"133" # Core Level (PAKFIRE) GIT_BRANCH=3D`git rev-parse --abbrev-ref HEAD` # Git Branch SLOGAN=3D"www.ipfire.org" # Software slogan diff --git a/src/initscripts/system/unbound b/src/initscripts/system/unbound index e797079c4..34b3e06fd 100644 --- a/src/initscripts/system/unbound +++ b/src/initscripts/system/unbound @@ -711,13 +711,13 @@ write_safe_search_conf() { echo "server:" =20 # Bing - echo " local-zone: www.bing.com transparent" + echo " local-zone: bing.com transparent" for address in $(resolve "strict.bing.com"); do echo " local-data: \"www.bing.com ${LOCAL_TTL} IN A ${address}\"" done =20 # DuckDuckGo - echo " local-zone: duckduckgo.com transparent" + echo " local-zone: duckduckgo.com typetransparent" for address in $(resolve "safe.duckduckgo.com"); do echo " local-data: \"duckduckgo.com ${LOCAL_TTL} IN A ${address}\"" done 
@@ -733,8 +733,12 @@ write_safe_search_conf() { done =20 # Yandex - echo " local-zone: yandex.ru transparent" - echo " local-data: \"yandex.ru A 213.180.193.56\"" + for domain in yandex.com yandex.ru; do + echo " local-zone: ${domain} typetransparent" + for address in $(resolve "familysearch.${domain}"); do + echo " local-data: \"${domain} ${LOCAL_TTL} IN A ${address}\"" + done + done =20 # YouTube echo " local-zone: youtube.com transparent" diff --git a/src/patches/openssl-1.1.1a-default-cipherlist.patch b/src/patche= s/openssl-1.1.1c-default-cipherlist.patch similarity index 66% rename from src/patches/openssl-1.1.1a-default-cipherlist.patch rename to src/patches/openssl-1.1.1c-default-cipherlist.patch index dfe156bf5..72f6ce3b1 100644 --- a/src/patches/openssl-1.1.1a-default-cipherlist.patch +++ b/src/patches/openssl-1.1.1c-default-cipherlist.patch @@ -1,11 +1,12 @@ ---- openssl-1.1.1.orig/include/openssl/ssl.h 2018-09-11 14:48:23.000000000 += 0200 -+++ openssl-1.1.1/include/openssl/ssl.h 2018-11-05 16:55:03.935513159 +0100 +diff -Naur openssl-1.1.1c.orig/include/openssl/ssl.h openssl-1.1.1c/include/= openssl/ssl.h +--- openssl-1.1.1c.orig/include/openssl/ssl.h 2019-06-10 20:41:21.209140012 = +0200 ++++ openssl-1.1.1c/include/openssl/ssl.h 2019-06-10 20:42:26.733973129 +0200 @@ -170,11 +170,11 @@ * an application-defined cipher list string starts with 'DEFAULT'. * This applies to ciphersuites for TLSv1.2 and below. */ -# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL" -+# define SSL_DEFAULT_CIPHER_LIST "TLSv1.3:CHACHA20:HIGH:+DH:+aRSA:+SHA:+kRS= A:!aNULL:!eNULL:!SRP:!PSK:!DSS:!AESCCM" ++# define SSL_DEFAULT_CIPHER_LIST "CHACHA20:HIGH:+aRSA:+SHA384:+SHA256:+DH:+= SHA:+kRSA:!eNULL:!aNULL:!PSK:!SRP:!AESCCM:!DSS" /* This is the default set of TLSv1.3 ciphersuites */ # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) -# define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ 
@@ -15,4 +16,3 @@ "TLS_AES_128_GCM_SHA256" # else # define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \ - hooks/post-receive -- IPFire 2.x development tree --===============4146677435917963370==--
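
Review bot: in config/rootfiles/core/134/update.sh the "Start services" step restarts only unbound, although this core update also ships filelists/openssl and filelists/i586/openssl-sse2. Daemons that are already running keep the old libssl/libcrypto mapped until they are restarted, so the updated OpenSSL does not take effect for them. Suggest restarting the OpenSSL-linked services in this script or marking the update as requiring a reboot, and either filling in or dropping the empty "# Stop services" section.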
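
Review bot: in the @@ -711 hunk of src/initscripts/system/unbound, the Bing zone is widened from www.bing.com to bing.com but stays "transparent", while DuckDuckGo moves to "typetransparent"; the commit subject says zones become type-transparent, so please confirm Bing is deliberately left as it is. For the typetransparent zone only A records are written as local-data, so an AAAA query for duckduckgo.com is now resolved upstream instead of being answered with NODATA; if the name has an IPv6 address, dual-stack clients are no longer pinned to the safe-search host. Suggest emitting AAAA local-data as well, or noting in a comment why A-only is sufficient.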
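
Review bot: in the @@ -733 hunk of src/initscripts/system/unbound, the Yandex loop replaces the fixed local-data address with $(resolve "familysearch.${domain}") and nothing checks that the lookup returned an address. When it returns nothing, the "local-zone: ${domain} typetransparent" line is still written with no local-data, and a typetransparent zone without data resolves normally, so safe search is silently not enforced for that domain. Suggest skipping or logging the zone when the result is empty, and confirming that familysearch.yandex.com exists alongside familysearch.yandex.ru. The unchanged YouTube line in the trailing context still uses "transparent"; check whether it needs the same change for MX lookups.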
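
Review bot: in the new SSL_DEFAULT_CIPHER_LIST in src/patches/openssl-1.1.1c-default-cipherlist.patch, "+SHA384:+SHA256" are applied before "+DH" and "+kRSA", so the DH and RSA key-exchange groups are moved to the end as whole blocks, AEAD suites included. Per the listing in the commit message this leaves the ECDHE CBC suites (ECDHE-ECDSA-AES256-SHA384 onwards) ranked above DHE-RSA-CHACHA20-POLY1305, the DHE-RSA GCM suites and the RSA GCM suites, which sits oddly with the stated goal of avoiding CBC as often as possible. If ECDHE with CBC is deliberately preferred over DHE or RSA with AEAD, please say so in the patch or commit message; otherwise consider applying the MAC-based demotions after "+DH:+kRSA".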
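
Added example (not part of the original notification or of the IPFire tree): a Python check of the ordering described in the commit message for 69772b7, run over a constructed ten-row subset of the `openssl ciphers -v` listing quoted there. It assumes every non-AEAD row is a CBC suite, which holds for that listing; the function names are illustrative.

```python
import re
from typing import Iterable, List, NamedTuple, Optional

# Constructed sample: ten rows copied, in their original order, from the
# `openssl ciphers -v` listing in the commit message (not the full list).
LISTING = """\
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=Camellia(128) Mac=SHA256
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
"""

ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)$"
)


class Suite(NamedTuple):
    name: str
    proto: str
    kx: str
    au: str
    enc: str
    mac: str

    @property
    def aead(self) -> bool:
        # Assumption: the listing holds no stream ciphers, so every row that
        # is not AEAD is a block cipher in CBC mode.
        return self.mac == "AEAD"


def parse_listing(text: str) -> List[Suite]:
    """Parse `openssl ciphers -v` rows, keeping their preference order."""
    suites = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        suites.append(Suite(**m.groupdict()))
    return suites


def aead_ranked_below_cbc(suites: List[Suite]) -> List[str]:
    """AEAD suites that are only reached after at least one CBC suite."""
    first_cbc = next((i for i, s in enumerate(suites) if not s.aead), None)
    return [] if first_cbc is None else [s.name for s in suites[first_cbc:] if s.aead]


def cbc_last_within_each_kx(suites: List[Suite]) -> bool:
    """True if no CBC suite precedes an AEAD suite of the same key exchange."""
    kx_with_cbc = set()
    for s in suites:
        if s.aead and s.kx in kx_with_cbc:
            return False
        if not s.aead:
            kx_with_cbc.add(s.kx)
    return True


def negotiate(client_order: List[Suite], server_supported: Iterable[str]) -> Optional[Suite]:
    """Model a server with no preference of its own: first client suite it supports."""
    supported = set(server_supported)
    return next((s for s in client_order if s.name in supported), None)


if __name__ == "__main__":
    order = parse_listing(LISTING)
    print("CBC last per key exchange:", cbc_last_within_each_kx(order))
    print("AEAD ranked below a CBC suite:", aead_ranked_below_cbc(order))
```
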