From: Arne Fitzenreiter
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 0b0a3634cdb241335f629e3173b607c3f4c3f304
Date: Wed, 01 Apr 2020 15:00:31 +0000
Message-ID: <48sqBR4jXTz2y4h@people01.haj.ipfire.org>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  0b0a3634cdb241335f629e3173b607c3f4c3f304 (commit)
       via  55f4de214f5e0743af231eb79fae046f431bfefd (commit)
       via  8bf1c9f65de3004d2e5f967c5d8b295d6efe4977 (commit)
       via  d383248063ada7a923fef245fa7ff7a5bdaf2444 (commit)
       via  006b79aaa9c2da9a71267d93f0f15a6e34fe81a2 (commit)
       via  af8e5145fa969f0c99c9650c16e05bc71d7297b1 (commit)
       via  2ff56df4e045f5ebca0bc3142ce60410bc51cb30 (commit)
       via  dce34b2dcba3ed3db2051f2b0a3e415c6205913c (commit)
      from  3c90dd92a5c23afe5216e91d57b19d1563adb2aa (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 0b0a3634cdb241335f629e3173b607c3f4c3f304
Author: Arne Fitzenreiter
Date:   Wed Apr 1 14:59:42 2020 +0000

    core143: stop/start updated services

    Signed-off-by: Arne Fitzenreiter

commit 55f4de214f5e0743af231eb79fae046f431bfefd
Author: Arne Fitzenreiter
Date:   Wed Apr 1 14:50:47 2020 +0000

    core143: add suricata.yaml

    Signed-off-by: Arne Fitzenreiter

commit 8bf1c9f65de3004d2e5f967c5d8b295d6efe4977
Author: Peter Müller
Date:   Wed Apr 1 12:17:00 2020 +0000

    OpenSSL: update to 1.1.1f

    Fixes #12345 (yes, that's the real bug ID :-) )

    Cc: Arne Fitzenreiter
    Cc: Michael Tremer
    Signed-off-by: Peter Müller
    Reviewed-by: Michael Tremer
    Signed-off-by: Arne Fitzenreiter

commit d383248063ada7a923fef245fa7ff7a5bdaf2444
Author: Stefan Schantl
Date:   Wed Apr 1 11:02:06 2020 +0200

    Suricata: Add port 81 (UpdateAccelerator) to group of HTTP ports.

    Signed-off-by: Stefan Schantl
    Signed-off-by: Arne Fitzenreiter

commit 006b79aaa9c2da9a71267d93f0f15a6e34fe81a2
Author: Arne Fitzenreiter
Date:   Wed Apr 1 14:42:55 2020 +0000

    core143: add ids.cgi

    Signed-off-by: Arne Fitzenreiter

commit af8e5145fa969f0c99c9650c16e05bc71d7297b1
Author: Stefan Schantl
Date:   Wed Apr 1 10:32:40 2020 +0200

    ids.cgi: Restart suricata if necessary when altering the ruleset.

    Suricata does support re-reading its configuration files and therefore
    we need to restart it, if one or more ruleset files should be loaded
    or not loaded anymore.

    If simply some rules inside the same files are activated or deactivated,
    we are still fine to call the reload method to send suricata the signal
    to reload its ruleset.

    Fixes #12340.

    Signed-off-by: Stefan Schantl
    Signed-off-by: Arne Fitzenreiter

commit 2ff56df4e045f5ebca0bc3142ce60410bc51cb30
Author: Michael Tremer
Date:   Tue Mar 31 09:49:04 2020 +0000

    strongswan: Build sha3 plugin

    Signed-off-by: Michael Tremer
    Reviewed-by: Peter Müller
    Signed-off-by: Arne Fitzenreiter

commit dce34b2dcba3ed3db2051f2b0a3e415c6205913c
Author: Michael Tremer
Date:   Tue Mar 31 09:49:03 2020 +0000

    strongswan: Update to 5.8.4

    Signed-off-by: Michael Tremer
    Reviewed-by: Peter Müller
Signed-off-by: Arne Fitzenreiter ----------------------------------------------------------------------- Summary of changes: config/rootfiles/common/strongswan | 3 +++ config/rootfiles/core/143/filelists/files | 2 ++ config/rootfiles/core/143/update.sh | 9 ++++++++- config/suricata/suricata.yaml | 2 +- html/cgi-bin/ids.cgi | 19 +++++++++++++++++-- lfs/openssl | 6 +++--- lfs/strongswan | 5 +++-- 7 files changed, 37 insertions(+), 9 deletions(-) Difference in files: diff --git a/config/rootfiles/common/strongswan b/config/rootfiles/common/str= ongswan index d337ef506..ff363f08c 100644 --- a/config/rootfiles/common/strongswan +++ b/config/rootfiles/common/strongswan @@ -57,6 +57,7 @@ etc/strongswan.d/charon/resolve.conf etc/strongswan.d/charon/revocation.conf etc/strongswan.d/charon/sha1.conf etc/strongswan.d/charon/sha2.conf +etc/strongswan.d/charon/sha3.conf etc/strongswan.d/charon/socket-default.conf etc/strongswan.d/charon/sshkey.conf etc/strongswan.d/charon/stroke.conf @@ -153,6 +154,7 @@ usr/lib/ipsec/plugins/libstrongswan-resolve.so usr/lib/ipsec/plugins/libstrongswan-revocation.so usr/lib/ipsec/plugins/libstrongswan-sha1.so usr/lib/ipsec/plugins/libstrongswan-sha2.so +usr/lib/ipsec/plugins/libstrongswan-sha3.so usr/lib/ipsec/plugins/libstrongswan-socket-default.so usr/lib/ipsec/plugins/libstrongswan-sshkey.so usr/lib/ipsec/plugins/libstrongswan-stroke.so @@ -240,6 +242,7 @@ usr/sbin/swanctl #usr/share/strongswan/templates/config/plugins/revocation.conf #usr/share/strongswan/templates/config/plugins/sha1.conf #usr/share/strongswan/templates/config/plugins/sha2.conf +#usr/share/strongswan/templates/config/plugins/sha3.conf #usr/share/strongswan/templates/config/plugins/socket-default.conf #usr/share/strongswan/templates/config/plugins/sshkey.conf #usr/share/strongswan/templates/config/plugins/stroke.conf diff --git a/config/rootfiles/core/143/filelists/files b/config/rootfiles/cor= e/143/filelists/files index 216c98fa9..28c759fe3 100644 
--- a/config/rootfiles/core/143/filelists/files +++ b/config/rootfiles/core/143/filelists/files @@ -4,8 +4,10 @@ srv/web/ipfire/cgi-bin/credits.cgi var/ipfire/langs etc/rc.d/init.d/firewall etc/rc.d/init.d/localnet +etc/suricata/suricata.yaml srv/web/ipfire/cgi-bin/dhcp.cgi srv/web/ipfire/cgi-bin/fireinfo.cgi +srv/web/ipfire/cgi-bin/ids.cgi srv/web/ipfire/cgi-bin/mail.cgi srv/web/ipfire/cgi-bin/netother.cgi srv/web/ipfire/cgi-bin/ovpnmain.cgi diff --git a/config/rootfiles/core/143/update.sh b/config/rootfiles/core/143/= update.sh index 51c4557bd..cb07bbb59 100644 --- a/config/rootfiles/core/143/update.sh +++ b/config/rootfiles/core/143/update.sh @@ -24,7 +24,7 @@ . /opt/pakfire/lib/functions.sh /usr/local/bin/backupctrl exclude >/dev/null 2>&1 =20 -core=3D142 +core=3D143 =20 exit_with_error() { # Set last succesfull installed core. @@ -48,6 +48,7 @@ done rm -rf /usr/lib/go/9.2.0 =20 # Stop services +/etc/init.d/suricata stop =20 # move swap after mount mv -f /etc/rc.d/rcsysinit.d/S20swap \ @@ -74,6 +75,12 @@ telinit u # Apply local configuration to sshd_config /usr/local/bin/sshctrl =20 +# Start services +/usr/local/bin/ipsecctrl S +/etc/init.d/unbound restart +/etc/init.d/sshd restart +/etc/init.d/suricata start + # remove dropped packages for package in bluetooth; do if [ -e /opt/pakfire/db/installed/meta-$package ]; then diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index ed71898f4..cb7ececb4 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -30,7 +30,7 @@ vars: ENIP_SERVER: "$HOME_NET" =20 port-groups: - HTTP_PORTS: "80" + HTTP_PORTS: "[80,81]" SHELLCODE_PORTS: "!80" ORACLE_PORTS: 1521 SSH_PORTS: "[22,222]" diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 2a8a7cb26..c3e5eefdb 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi 
@@ -412,6 +412,9 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { # Hash to store the user-enabled and disabled sids. my %enabled_disabled_sids; =20 + # Store if a restart of suricata is required. + my $suricata_restart_required; + # Loop through the hash of idsrules. foreach my $rulefile(keys %idsrules) { # Check if the rulefile is enabled. @@ -419,6 +422,12 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { # Add rulefile to the array of enabled rulefiles. push(@enabled_rulefiles, $rulefile); =20 + # Check if the state of the rulefile has been changed. + unless ($cgiparams{$rulefile} eq $idsrules{$rulefile}{'Rulefile'}{'State'= }) { + # A restart of suricata is required to apply the changes of the used rul= efiles. + $suricata_restart_required =3D 1; + } + # Drop item from cgiparams hash. delete $cgiparams{$rulefile}; } @@ -513,8 +522,14 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) { =20 # Check if the IDS is running. if(&IDS::ids_is_running()) { - # Call suricatactrl to perform a reload. - &IDS::call_suricatactrl("reload"); + # Check if a restart of suricata is required. + if ($suricata_restart_required) { + # Call suricatactrl to perform the restart. + &IDS::call_suricatactrl("restart"); + } else { + # Call suricatactrl to perform a reload. + &IDS::call_suricatactrl("reload"); + } } =20 # Reload page. diff --git a/lfs/openssl b/lfs/openssl index c46e0d53f..06b999a15 100644 --- a/lfs/openssl +++ b/lfs/openssl @@ -1,7 +1,7 @@ ############################################################################= ### # = # # IPFire.org - A linux based firewall = # -# Copyright (C) 2007-2019 IPFire Team = # +# Copyright (C) 2007-2020 IPFire Team = # # = # # This program is free software: you can redistribute it and/or modify = # # it under the terms of the GNU General Public License as published by = # @@ -24,7 +24,7 @@ =20 include Config =20 -VER =3D 1.1.1e +VER =3D 1.1.1f =20 THISAPP =3D openssl-$(VER) DL_FILE =3D $(THISAPP).tar.gz 
@@ -87,7 +87,7 @@ objects =3D $(DL_FILE) =20 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) =20 -$(DL_FILE)_MD5 =3D baeff2a64d2f3d7e0a69b677c9977b57 +$(DL_FILE)_MD5 =3D 3f486f2f4435ef14b81814dbbc7b48bb =20 install : $(TARGET) =20 diff --git a/lfs/strongswan b/lfs/strongswan index ed88c0458..3be90db9a 100644 --- a/lfs/strongswan +++ b/lfs/strongswan @@ -24,7 +24,7 @@ =20 include Config =20 -VER =3D 5.8.2 +VER =3D 5.8.4 =20 THISAPP =3D strongswan-$(VER) DL_FILE =3D $(THISAPP).tar.bz2 @@ -40,7 +40,7 @@ objects =3D $(DL_FILE) =20 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) =20 -$(DL_FILE)_MD5 =3D d94eac2caed51b0cc776e5887b10bace +$(DL_FILE)_MD5 =3D 0634e7f40591bd3f6770e583c3f27d29 =20 install : $(TARGET) =20 @@ -95,6 +95,7 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --enable-eap-mschapv2 \ --enable-eap-identity \ --enable-chapoly \ + --enable-sha3 \ --disable-padlock \ --disable-rc2 \ $(CONFIGURE_OPTIONS) hooks/post-receive -- IPFire 2.x development tree --===============9154767942537380604==--
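Review bot: in the config/rootfiles/core/143/update.sh hunks, `/etc/init.d/suricata stop` and the new `/etc/init.d/suricata start` run unconditionally, so unless the init script itself checks the IDS enable setting, this update starts suricata on systems where the administrator has the IDS switched off. Guard both calls on that setting the way the script already guards package removal with `if [ -e /opt/pakfire/db/installed/meta-$package ]`, and redirect their output like the other service commands in this file (`>/dev/null 2>&1`) so a failing stop on a box without suricata does not clutter the update log.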
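Review bot: in the config/suricata/suricata.yaml hunk, `HTTP_PORTS: "[80,81]"` leaves the `SHELLCODE_PORTS: "!80"` line two rows below unchanged, so the shellcode port group is no longer the complement of the HTTP port group and rules written against $SHELLCODE_PORTS will now also be applied to port 81 traffic that is inspected as HTTP. If SHELLCODE_PORTS is meant to be "everything that is not HTTP", change it to `"![80,81]"` in the same hunk; otherwise say in the commit message why port 81 should stay in both groups.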
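Review bot: in the second html/cgi-bin/ids.cgi hunk, the new `unless ($cgiparams{$rulefile} eq $idsrules{$rulefile}{'Rulefile'}{'State'})` check sits inside the branch that runs only for rulefiles enabled in the submitted form (the block that does `push(@enabled_rulefiles, $rulefile);`), so a rulefile that goes from enabled to disabled never reaches it and `$suricata_restart_required` stays unset; the save then calls `reload` although a rule file was removed from the loaded set, which is exactly the case the commit message says needs a restart. Move the comparison ahead of the enabled/disabled branch, or repeat it on the disabled path, so both directions are detected. While here, initialise the flag in the first hunk (`my $suricata_restart_required = 0;`) instead of relying on undef being false.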
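Review bot: in the lfs/openssl hunk, the updated `$(DL_FILE)_MD5` line is the only integrity check this build applies to the openssl-1.1.1f tarball, and MD5 is not collision resistant, so it catches a corrupt download but not a substituted one. Record in the commit message that the new digest was taken from a tarball whose upstream signature was verified, and consider moving the lfs download check to a SHA-256 digest of the verified archive. The same point applies to the strongswan 5.8.4 `_MD5` bump in this patch.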