public inbox for ipfire-scm@lists.ipfire.org
* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 0b0a3634cdb241335f629e3173b607c3f4c3f304
@ 2020-04-01 15:00 Arne Fitzenreiter
From: Arne Fitzenreiter @ 2020-04-01 15:00 UTC (permalink / raw)
  To: ipfire-scm


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  0b0a3634cdb241335f629e3173b607c3f4c3f304 (commit)
       via  55f4de214f5e0743af231eb79fae046f431bfefd (commit)
       via  8bf1c9f65de3004d2e5f967c5d8b295d6efe4977 (commit)
       via  d383248063ada7a923fef245fa7ff7a5bdaf2444 (commit)
       via  006b79aaa9c2da9a71267d93f0f15a6e34fe81a2 (commit)
       via  af8e5145fa969f0c99c9650c16e05bc71d7297b1 (commit)
       via  2ff56df4e045f5ebca0bc3142ce60410bc51cb30 (commit)
       via  dce34b2dcba3ed3db2051f2b0a3e415c6205913c (commit)
      from  3c90dd92a5c23afe5216e91d57b19d1563adb2aa (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 0b0a3634cdb241335f629e3173b607c3f4c3f304
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Wed Apr 1 14:59:42 2020 +0000

    core143: stop/start updated services
    
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 55f4de214f5e0743af231eb79fae046f431bfefd
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Wed Apr 1 14:50:47 2020 +0000

    core143: add suricata.yaml
    
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 8bf1c9f65de3004d2e5f967c5d8b295d6efe4977
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date:   Wed Apr 1 12:17:00 2020 +0000

    OpenSSL: update to 1.1.1f
    
    Fixes #12345 (yes, that's the real bug ID :-) )
    
    Cc: Arne Fitzenreiter <arne.fitzenreiter(a)ipfire.org>
    Cc: Michael Tremer <michael.tremer(a)ipfire.org>
    Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
    Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit d383248063ada7a923fef245fa7ff7a5bdaf2444
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Wed Apr 1 11:02:06 2020 +0200

    Suricata: Add port 81 (UpdateAccelerator) to group of HTTP ports.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 006b79aaa9c2da9a71267d93f0f15a6e34fe81a2
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date:   Wed Apr 1 14:42:55 2020 +0000

    core143: add ids.cgi
    
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit af8e5145fa969f0c99c9650c16e05bc71d7297b1
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Wed Apr 1 10:32:40 2020 +0200

    ids.cgi: Restart suricata if necessary when altering the ruleset.
    
    Suricata does support re-reading its configuration files and therefore
    we need to restart it, if one or more ruleset files should be loaded or
    not loaded anymore.
    
    If simply some rules inside the same files are activated or deactivated
    we are still fine to call the reload method to send suricata the signal
    to reload its ruleset.
    
    Fixes #12340.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit 2ff56df4e045f5ebca0bc3142ce60410bc51cb30
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Mar 31 09:49:04 2020 +0000

    strongswan: Build sha3 plugin
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

commit dce34b2dcba3ed3db2051f2b0a3e415c6205913c
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Mar 31 09:49:03 2020 +0000

    strongswan: Update to 5.8.4
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
    Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
    Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/rootfiles/common/strongswan        |  3 +++
 config/rootfiles/core/143/filelists/files |  2 ++
 config/rootfiles/core/143/update.sh       |  9 ++++++++-
 config/suricata/suricata.yaml             |  2 +-
 html/cgi-bin/ids.cgi                      | 19 +++++++++++++++++--
 lfs/openssl                               |  6 +++---
 lfs/strongswan                            |  5 +++--
 7 files changed, 37 insertions(+), 9 deletions(-)

Difference in files:
diff --git a/config/rootfiles/common/strongswan b/config/rootfiles/common/strongswan
index d337ef506..ff363f08c 100644
--- a/config/rootfiles/common/strongswan
+++ b/config/rootfiles/common/strongswan
@@ -57,6 +57,7 @@ etc/strongswan.d/charon/resolve.conf
 etc/strongswan.d/charon/revocation.conf
 etc/strongswan.d/charon/sha1.conf
 etc/strongswan.d/charon/sha2.conf
+etc/strongswan.d/charon/sha3.conf
 etc/strongswan.d/charon/socket-default.conf
 etc/strongswan.d/charon/sshkey.conf
 etc/strongswan.d/charon/stroke.conf
@@ -153,6 +154,7 @@ usr/lib/ipsec/plugins/libstrongswan-resolve.so
 usr/lib/ipsec/plugins/libstrongswan-revocation.so
 usr/lib/ipsec/plugins/libstrongswan-sha1.so
 usr/lib/ipsec/plugins/libstrongswan-sha2.so
+usr/lib/ipsec/plugins/libstrongswan-sha3.so
 usr/lib/ipsec/plugins/libstrongswan-socket-default.so
 usr/lib/ipsec/plugins/libstrongswan-sshkey.so
 usr/lib/ipsec/plugins/libstrongswan-stroke.so
@@ -240,6 +242,7 @@ usr/sbin/swanctl
 #usr/share/strongswan/templates/config/plugins/revocation.conf
 #usr/share/strongswan/templates/config/plugins/sha1.conf
 #usr/share/strongswan/templates/config/plugins/sha2.conf
+#usr/share/strongswan/templates/config/plugins/sha3.conf
 #usr/share/strongswan/templates/config/plugins/socket-default.conf
 #usr/share/strongswan/templates/config/plugins/sshkey.conf
 #usr/share/strongswan/templates/config/plugins/stroke.conf
diff --git a/config/rootfiles/core/143/filelists/files b/config/rootfiles/core/143/filelists/files
index 216c98fa9..28c759fe3 100644
--- a/config/rootfiles/core/143/filelists/files
+++ b/config/rootfiles/core/143/filelists/files
@@ -4,8 +4,10 @@ srv/web/ipfire/cgi-bin/credits.cgi
 var/ipfire/langs
 etc/rc.d/init.d/firewall
 etc/rc.d/init.d/localnet
+etc/suricata/suricata.yaml
 srv/web/ipfire/cgi-bin/dhcp.cgi
 srv/web/ipfire/cgi-bin/fireinfo.cgi
+srv/web/ipfire/cgi-bin/ids.cgi
 srv/web/ipfire/cgi-bin/mail.cgi
 srv/web/ipfire/cgi-bin/netother.cgi
 srv/web/ipfire/cgi-bin/ovpnmain.cgi
diff --git a/config/rootfiles/core/143/update.sh b/config/rootfiles/core/143/update.sh
index 51c4557bd..cb07bbb59 100644
--- a/config/rootfiles/core/143/update.sh
+++ b/config/rootfiles/core/143/update.sh
@@ -24,7 +24,7 @@
 . /opt/pakfire/lib/functions.sh
 /usr/local/bin/backupctrl exclude >/dev/null 2>&1
 
-core=142
+core=143
 
 exit_with_error() {
 	# Set last succesfull installed core.
@@ -48,6 +48,7 @@ done
 rm -rf /usr/lib/go/9.2.0
 
 # Stop services
+/etc/init.d/suricata stop
 
 # move swap after mount
 mv -f /etc/rc.d/rcsysinit.d/S20swap \
@@ -74,6 +75,12 @@ telinit u
 # Apply local configuration to sshd_config
 /usr/local/bin/sshctrl
 
+# Start services
+/usr/local/bin/ipsecctrl S
+/etc/init.d/unbound restart
+/etc/init.d/sshd restart
+/etc/init.d/suricata start
+
 # remove dropped packages
 for package in bluetooth; do
 	if [ -e /opt/pakfire/db/installed/meta-$package ]; then
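Review bot: The unconditional "/etc/init.d/suricata start" at the end of the new "Start services" block has nothing that records whether suricata was running before the earlier "/etc/init.d/suricata stop", so as written the update relies on the init script to refuse to start a disabled IDS. Either guard the start on the previous state or add a comment saying the init script handles that case. The same block restarts sshd and unbound and calls "ipsecctrl S" without a matching entry under "Stop services"; a short comment on why only suricata needs the explicit stop would help.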
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index ed71898f4..cb7ececb4 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -30,7 +30,7 @@ vars:
     ENIP_SERVER: "$HOME_NET"
 
   port-groups:
-    HTTP_PORTS: "80"
+    HTTP_PORTS: "[80,81]"
     SHELLCODE_PORTS: "!80"
     ORACLE_PORTS: 1521
     SSH_PORTS: "[22,222]"
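Review bot: SHELLCODE_PORTS stays at "!80" while HTTP_PORTS becomes "[80,81]", so the two groups no longer describe the same set of HTTP ports. If the intent of the negation is to keep rules that use SHELLCODE_PORTS off HTTP traffic, port 81 should be excluded there too, for example "![80,81]"; otherwise a comment explaining why 81 is treated differently would avoid confusion.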
diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi
index 2a8a7cb26..c3e5eefdb 100644
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
@@ -412,6 +412,9 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) {
 	# Hash to store the user-enabled and disabled sids.
 	my %enabled_disabled_sids;
 
+	# Store if a restart of suricata is required.
+	my $suricata_restart_required;
+
 	# Loop through the hash of idsrules.
 	foreach my $rulefile(keys %idsrules) {
 		# Check if the rulefile is enabled.
@@ -419,6 +422,12 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) {
 			# Add rulefile to the array of enabled rulefiles.
 			push(@enabled_rulefiles, $rulefile);
 
+			# Check if the state of the rulefile has been changed.
+			unless ($cgiparams{$rulefile} eq $idsrules{$rulefile}{'Rulefile'}{'State'}) {
+				# A restart of suricata is required to apply the changes of the used rulefiles.
+				$suricata_restart_required = 1;
+			}
+
 			# Drop item from cgiparams hash.
 			delete $cgiparams{$rulefile};
 		}
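Review bot: The new state comparison sits inside the branch that handles enabled rulefiles (right after the push onto @enabled_rulefiles), so from the lines shown it only fires for a rulefile that is enabled in this request. The commit message says a restart is also needed when a file should not be loaded anymore; a rulefile that goes from enabled to disabled never reaches this check, and $suricata_restart_required stays unset unless that case is handled elsewhere. Consider comparing the old and new state for every rulefile in the loop, not only the enabled ones.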
@@ -513,8 +522,14 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) {
 
 	# Check if the IDS is running.
 	if(&IDS::ids_is_running()) {
-		# Call suricatactrl to perform a reload.
-		&IDS::call_suricatactrl("reload");
+		# Check if a restart of suricata is required.
+		if ($suricata_restart_required) {
+			# Call suricatactrl to perform the restart.
+			&IDS::call_suricatactrl("restart");
+		} else {
+			# Call suricatactrl to perform a reload.
+			&IDS::call_suricatactrl("reload");
+		}
 	}
 
 	# Reload page.
diff --git a/lfs/openssl b/lfs/openssl
index c46e0d53f..06b999a15 100644
--- a/lfs/openssl
+++ b/lfs/openssl
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2019  IPFire Team  <info(a)ipfire.org>                     #
+# Copyright (C) 2007-2020  IPFire Team  <info(a)ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 1.1.1e
+VER        = 1.1.1f
 
 THISAPP    = openssl-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -87,7 +87,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = baeff2a64d2f3d7e0a69b677c9977b57
+$(DL_FILE)_MD5 = 3f486f2f4435ef14b81814dbbc7b48bb
 
 install : $(TARGET)
 
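Review bot: The new tarball is pinned only by "$(DL_FILE)_MD5", and MD5 does not resist collisions, so it is a weak integrity check for a crypto library download. If the build system can carry a second, stronger digest (SHA-256 or better) next to the MD5 line, this update is a good place to add it; the same applies to the strongswan checksum changed in this push.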
diff --git a/lfs/strongswan b/lfs/strongswan
index ed88c0458..3be90db9a 100644
--- a/lfs/strongswan
+++ b/lfs/strongswan
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 5.8.2
+VER        = 5.8.4
 
 THISAPP    = strongswan-$(VER)
 DL_FILE    = $(THISAPP).tar.bz2
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = d94eac2caed51b0cc776e5887b10bace
+$(DL_FILE)_MD5 = 0634e7f40591bd3f6770e583c3f27d29
 
 install : $(TARGET)
 
@@ -95,6 +95,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 		--enable-eap-mschapv2 \
 		--enable-eap-identity \
 		--enable-chapoly \
+		--enable-sha3 \
 		--disable-padlock \
 		--disable-rc2 \
 		$(CONFIGURE_OPTIONS)


hooks/post-receive
--
IPFire 2.x development tree
