From mboxrd@z Thu Jan 1 00:00:00 1970 From: Arne Fitzenreiter To: ipfire-scm@lists.ipfire.org Subject: [git.ipfire.org] IPFire 2.x development tree branch, master, updated. eaa9032166dcf1be88b6987419f23b617aa4a627 Date: Tue, 08 Dec 2020 22:29:59 +0000 Message-ID: <4CrFHD0ZLyz2xkF@people01.haj.ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2792318185630733340==" List-Id: --===============2792318185630733340== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree". The branch, master has been updated via eaa9032166dcf1be88b6987419f23b617aa4a627 (commit) via 00e1105b9294b13570b931c6212f13da8a753581 (commit) via a99b73211a06c00e6dd36324a33120da7320c6a4 (commit) via 591738dc5c867cac63a6301a6c1292c471fb617a (commit) via 4aae5f819a6a8dc2b2adce83cd63ee96e79666fe (commit) from 8372d890002df382f814c975a73a70701b523bae (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit eaa9032166dcf1be88b6987419f23b617aa4a627 Author: Arne Fitzenreiter Date: Tue Dec 8 17:40:57 2020 +0000 core153: add ddns.cgi to update =20 Signed-off-by: Arne Fitzenreiter commit 00e1105b9294b13570b931c6212f13da8a753581 Author: Stefan Schantl Date: Wed Dec 2 12:30:11 2020 +0100 ddns.cgi: Drop static provider list for token based auth. =20 This is really hard to maintain when adding new or altering existing providers. =20 Reference #12415. =20 Signed-off-by: Stefan Schantl Signed-off-by: Arne Fitzenreiter commit a99b73211a06c00e6dd36324a33120da7320c6a4 Author: Arne Fitzenreiter Date: Tue Dec 8 18:33:47 2020 +0100 core153: add openssl to updater =20 Signed-off-by: Arne Fitzenreiter commit 591738dc5c867cac63a6301a6c1292c471fb617a Author: Arne Fitzenreiter Date: Tue Dec 8 18:27:00 2020 +0100 openssl: update to 1.1.1i =20 fix: EDIPARTYNAME NULL pointer de-reference (CVE-2020-1971) =20 Severity: High =20 The X.509 GeneralName type is a generic type for representing different t= ypes of names. One of those name types is known as EDIPartyName. OpenSSL provi= des a function GENERAL_NAME_cmp which compares different instances of a GENERAL= _NAME to see if they are equal or not. This function behaves incorrectly when b= oth GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a c= rash may occur leading to a possible denial of service attack. =20 OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a = CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the time= stamp authority name (exposed via the API functions TS_RESP_verify_response = and TS_RESP_verify_token) =20 If an attacker can control both items being compared then that attacker c= ould trigger a crash. For example if the attacker can trick a client or server= into checking a malicious certificate against a malicious CRL then this may oc= cur. Note that some applications automatically download CRLs based on a URL em= bedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and veri= fy tools have support for the "-crl_download" option which implements automa= tic CRL downloading and this attack has been demonstrated to work against tho= se tools. =20 Note that an unrelated bug means that affected versions of OpenSSL cannot= parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and = hence trigger this attack. =20 Signed-off-by: Arne Fitzenreiter commit 4aae5f819a6a8dc2b2adce83cd63ee96e79666fe Author: Arne Fitzenreiter Date: Tue Dec 8 18:26:37 2020 +0100 kernel: update to 4.14.211 =20 Signed-off-by: Arne Fitzenreiter ----------------------------------------------------------------------- Summary of changes: config/rootfiles/core/153/filelists/files | 1 + .../{oldcore/100 =3D> core/153}/filelists/i586/openssl-sse2 | 0 config/rootfiles/{oldcore/100 =3D> core/153}/filelists/openssl | 0 html/cgi-bin/ddns.cgi | 8 ++++--= -- lfs/linux | 6 +++--- lfs/openssl | 4 ++-- 6 files changed, 10 insertions(+), 9 deletions(-) copy config/rootfiles/{oldcore/100 =3D> core/153}/filelists/i586/openssl-sse= 2 (100%) copy config/rootfiles/{oldcore/100 =3D> core/153}/filelists/openssl (100%) Difference in files: diff --git a/config/rootfiles/core/153/filelists/files b/config/rootfiles/cor= e/153/filelists/files index 0649f85cb..f77958ae6 100644 --- a/config/rootfiles/core/153/filelists/files +++ b/config/rootfiles/core/153/filelists/files @@ -10,6 +10,7 @@ srv/web/ipfire/cgi-bin/connections.cgi srv/web/ipfire/cgi-bin/country.cgi srv/web/ipfire/cgi-bin/credits.cgi srv/web/ipfire/cgi-bin/dns.cgi +srv/web/ipfire/cgi-bin/ddns.cgi srv/web/ipfire/cgi-bin/index.cgi srv/web/ipfire/cgi-bin/ipinfo.cgi srv/web/ipfire/cgi-bin/location-block.cgi diff --git a/config/rootfiles/core/153/filelists/i586/openssl-sse2 b/config/r= ootfiles/core/153/filelists/i586/openssl-sse2 new file mode 120000 index 000000000..f424713d6 --- /dev/null +++ b/config/rootfiles/core/153/filelists/i586/openssl-sse2 @@ -0,0 +1 @@ +../../../../common/i586/openssl-sse2 \ No newline at end of file diff --git a/config/rootfiles/core/153/filelists/openssl b/config/rootfiles/c= ore/153/filelists/openssl new file mode 120000 index 000000000..e011a9266 --- /dev/null +++ b/config/rootfiles/core/153/filelists/openssl @@ -0,0 +1 @@ +../../../common/openssl \ No newline at end of file diff --git a/html/cgi-bin/ddns.cgi b/html/cgi-bin/ddns.cgi index 715c37290..024eaf7f6 100644 --- a/html/cgi-bin/ddns.cgi +++ b/html/cgi-bin/ddns.cgi @@ -665,13 +665,13 @@ sub GenerateDDNSConfigFile { =20 my $use_token =3D 0; =20 - # Handle token based auth for various providers. - if ($provider ~~ ["dns.lightningwirelabs.com", "entrydns.net", "regfish.co= m", - "spdns.de", "zzzz.io"] && $username eq "token") { + # Check if token based auth is configured. + if ($username eq "token") { $use_token =3D 1; + } =20 # Handle token auth for freedns.afraid.org and regfish.com. - } elsif ($provider ~~ ["freedns.afraid.org", "regfish.com"] && $password e= q "") { + if ($provider ~~ ["freedns.afraid.org", "regfish.com"] && $password eq "")= { $use_token =3D 1; $password =3D $username; =20 diff --git a/lfs/linux b/lfs/linux index 04205ee57..e4467c477 100644 --- a/lfs/linux +++ b/lfs/linux @@ -24,8 +24,8 @@ =20 include Config =20 -VER =3D 4.14.210 -ARM_PATCHES =3D 4.14.210-ipfire0 +VER =3D 4.14.211 +ARM_PATCHES =3D 4.14.211-ipfire0 =20 THISAPP =3D linux-$(VER) DL_FILE =3D linux-$(VER).tar.xz @@ -79,7 +79,7 @@ objects =3D$(DL_FILE) \ $(DL_FILE) =3D $(URL_IPFIRE)/$(DL_FILE) arm-multi-patches-$(ARM_PATCHES).patch.xz =3D $(URL_IPFIRE)/arm-multi-patche= s-$(ARM_PATCHES).patch.xz =20 -$(DL_FILE)_MD5 =3D 84918d49079e7a75b4c2450fa3b4fcb9 +$(DL_FILE)_MD5 =3D 41241e9508acc9183540db785f78ec78 arm-multi-patches-$(ARM_PATCHES).patch.xz_MD5 =3D 2b0e8e3ebe9827b2bfed7397b0= 43dbc5 =20 install : $(TARGET) diff --git a/lfs/openssl b/lfs/openssl index 84f1d0fa5..16e20b439 100644 --- a/lfs/openssl +++ b/lfs/openssl @@ -24,7 +24,7 @@ =20 include Config =20 -VER =3D 1.1.1h +VER =3D 1.1.1i =20 THISAPP =3D openssl-$(VER) DL_FILE =3D $(THISAPP).tar.gz @@ -87,7 +87,7 @@ objects =3D $(DL_FILE) =20 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) =20 -$(DL_FILE)_MD5 =3D 53840c70434793127a3574433494e8d3 +$(DL_FILE)_MD5 =3D 08987c3cf125202e2b0840035efb392c =20 install : $(TARGET) =20 hooks/post-receive -- IPFire 2.x development tree --===============2792318185630733340==--