Awesome Privacy

Recent Commits

• Michael Tremer (03 Apr 24)

  suricata: Disable fail-open on NFQUEUE This change causes that if suricata crashes, the NFQUEUE will no longer fall into a mode where ALL packets are being accepted. This used the be the case before which opened the entire firewall. If suricata randomly crashes, we will fall back to the "bypass" mode where packets will bypass suricata, but nothing else. Fixes: #13642 Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

• Arne Fitzenreiter (31 Mar 24)

  core185: excplicit erase liblzma.so.5.6.* because if this file exist the cleanap script will remove the older version after downgrade and the system still use the malewared version. Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

• Michael Tremer (30 Mar 24)

  frr: Bump release version Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

• Michael Tremer (28 Mar 24)

  frr: Update reloading all services Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

• Michael Tremer (28 Mar 24)

  frr: Start the management daemon, too This daemon is running the configuration validation and required to run at all times. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

• Michael Tremer (28 Mar 24)

  protobuf-c: Ship libraries FRR links against this and fails to start without. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

• Michael Tremer (30 Mar 24)

  make.sh: Update contributors Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

• Rico Hoppe (28 Mar 24)

  README.md: fix minor typo Signed-off-by: Rico Hoppe <rico.hoppe@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

• Rico Hoppe (28 Mar 24)

  README.md: update text & adjust links to new URLs - links for: about, documentation, help - wording: wiki to documentation Signed-off-by: Rico Hoppe <rico.hoppe@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

• Michael Tremer (30 Mar 24)

  core185: Ship new perl modules for libarchive Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

• Stefan Schantl (30 Mar 24)

  ids-functions.pl: Use libarchive to extract archives This gives us a lot of benefits: * Speed up the extraction process * More supported archive types due the power of libarchive * Support of passphrase protected archives It also fixes a problem with non extracted files next to a zero sized file inside an archive. Fixes #13632. Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

• Stefan Schantl (30 Mar 24)

  perl-Archive-Peek-Libarchive: New package As very simple XS based perl binding for libarchive to get header data and extract files. Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

• Stefan Schantl (30 Mar 24)

  perl-Object-Tiny: New package This is a runtime dependency of perl-Archive-Peek-Libarchive Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

• Stefan Schantl (30 Mar 24)

  perl-Config-AutoConf: New package This is only a build dependency for perl-Arhive-Peek-Libarchive and will not be installed on a system Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

• Stefan Schantl (30 Mar 24)

  perl-Capture-Tiny: New package This is only a build dependency for perl-Config-AutoConf and will not be installed on a system Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

• Michael Tremer (30 Mar 24)

  core185: Ship everything that is linked against XZ This is a precautionary step to avoid that we have any issues to face because of a downgrade as new symbols have been added to liblzma 5.6.0. Furthermore, this should avoid shipping any traces of any other potential malware in XZ that has been added in 5.6.0 or after. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

• Michael Tremer (30 Mar 24)

  xz: Remove excess whitespace Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

• Adolf Belka (30 Mar 24)

  xz: Revert back to version 5.4.5 due to backdoor issue - xz version 5.6.0 and 5.6.1 discovered to have been backdoored by what looks to have been one of the xz devs. - IPFire looks not to be affected by the problem as we don't patch openssh to be linked with liblzma - However due to question marks about what else might be in these 5.6.x versions it is better to revert back to a version that did not have the build-to-host.m4 file with the code that modifies the build if it meets certain criteria. Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

• Michael Tremer (26 Mar 24)

  IPS: Fix how we show EOL providers There is no need to add a legend as I find it confusing. The change that people are using an EOL is rather slim and so I don't to waste space. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

• Michael Tremer (26 Mar 24)

  core185: Fix update.sh syntax issues Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

• Adolf Belka (25 Mar 24)

  CU185-update.sh: Add drop hostile in & out logging entries if not already present - This v2 patch corrects that the previous script was looking for =on. If a user had modified the preferences to change it to =off then the script would have resulted in both =on and =off versions being in the settings file. - This patch ensures that those people who updated to CU184 before the CU184-update.sh patch fix to add the logging entries was added will get their optionsfw settings file correctly updated with CU185 - This only adds the LOGDROPHOSTILEIN & LOGDROPHOSTILEOUT entries if they do not already exist in the optionsfw settings file. - This change also does the check for LOGDROPHOSTILEIN and LOGDROPHOSTILEOUT as two separate checks and then runs the firewall update command Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

• Adolf Belka (25 Mar 24)

  shadow: Update login.defs to remove reference to cracklib - From shadow-15.0.0 all references to cracklib were removed from shadow. Apparently some functions were no longer accessible and the shadow team decided to remove cracklib references completely. This was not mentioned in the changelkog for 15.0.0 - This resulkts in gettinbg the message configuration error - unknown item 'CRACKKLIB_DICTPATH' ( notify administrator ) when logging in to the console. - The login to the console occurs successfully so the message is only a warning that cracklib is no longer used. - IPfire does not use cracklkib anyway so this patch removes the section referring to cracklib from the login.defs configuration file. Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

• Adolf Belka (25 Mar 24)

  samba: Add wsdd as a dependency to samba - Add wsdd as a dependency to samba so it will be installed together with samba Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

• Adolf Belka (20 Mar 24)

  CU185-update.sh: Add drop hostile in & out logging entries if not already present - This patch ensures that those people who updated to CU184 before the CU184-update.sh patch fix to add the logging entries was added will get their optionsfw settings file correctly updated with CU185 - This only adds the LOGDROPHOSTILEIN & LOGDROPHOSTILEOUT entries if they do noit already exist in the optionsfw settings file. Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

• Stefan Schantl (22 Mar 24)

  ids.cgi: Improve add provider logic Do not longer add unsupported/removed providers as an option when adding a new/first ruleset provider. Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

• Michael Tremer (22 Mar 24)

  core185: Ship IPS files Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

• Stefan Schantl (21 Mar 24)

  ids.cgi: Adjust code for marking unsupported providers Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

• Stefan Schantl (21 Mar 24)

  ruleset-sources: Restore generic details about recently dropped providers At least these informations are required to display something usefull on the webgui, even if a provider has been dropped. Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

• Stefan Schantl (21 Mar 24)

  update-ids-ruleset: Disable provider if not dl_url can be obtained Unsupported/Removed provides does not longer have these information Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

• Stefan Schantl (21 Mar 24)

  ids.cgi: Change check if a provider is not longer supported This check is now based on a download URL instead of checking if an entry in the ruleset sources is present. Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>