commit 76ba16aef070d5efd10325b8a34a134ec04dcaf2
Author: Michael Tremer
Date:   Tue Apr 9 10:51:18 2024 +0100

    suricata: Change midstream policy to "pass-flow"

    Pass packet isn't allowed here.

    Signed-off-by: Michael Tremer

commit ee13f80e5938cc4e16304810a356462647f46c3c
Author: Adolf Belka
Date:   Mon Apr 8 18:57:21 2024 +0200

    configroot: Add in LOGDROPHOSTILExxx values

    - I checked out doing a fresh install of CU184 and found that although
      the LOGDROPHOSTILEIN and LOGDROPHOSTILEOUT entries were selected as
      "on" the values were not in the /var/ipfire/optionsfw/settings file.
    - After some investigation I realised that when I created the
      LOGDROPHOSTILE split into incoming and outgoing I had not added them
      into the configroot lfs file.
    - This patch adds the two entries and this was tested out with a fresh
      install and confirmed to update the settings file.

    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit b7da97fd59f010ea8fa7bca845d18e52ca89bc5a
Author: Michael Tremer
Date:   Mon Apr 8 16:01:20 2024 +0000

    suricata: Disable Landlock support

    See #13645 for details.

    Signed-off-by: Michael Tremer

commit b4847c387a9692a09b0921b87198d411f548d0ed
Author: Michael Tremer
Date:   Mon Apr 8 16:00:41 2024 +0000

    suricata: Update require paths for Landlock

    Signed-off-by: Michael Tremer

commit 763c7f67fa93f4a2f0284a6a65fb39a13d76844b
Author: Michael Tremer
Date:   Mon Apr 8 14:57:49 2024 +0000

    suricata: Enable midstream scanning

    We require this because Suricata might be restarted due to development
    or rule refreshment purposes. We should then try to resume any
    decoders/app-layers wherever possible.

    Signed-off-by: Michael Tremer

commit 76a451809154ae1aa338e2ec38b820283a68b788
Author: Stefan Schantl
Date:   Fri Apr 5 21:26:40 2024 +0200

    suricata: Set midstream-policy to pass-packet

    Set this value to the same as the exception-policy to keep in sync and
    hopefully have the same behaviour.

    In case this option is not set, an ugly message about a not correctly
    set value will be logged to syslog during startup.

    Signed-off-by: Stefan Schantl
    Signed-off-by: Michael Tremer

commit 64e057aaa5ac0eb45094773709e481b535891ec4
Author: Stefan Schantl
Date:   Fri Apr 5 21:26:39 2024 +0200

    suricata: Enable landlock security feature

    This will limit the suricata process to only read and write to certain
    files/directories.

    Signed-off-by: Stefan Schantl
    Signed-off-by: Michael Tremer

commit 4d24d99461e3aa79ab8565ba2d96ced1ec3f6b83
Author: Stefan Schantl
Date:   Fri Apr 5 21:26:38 2024 +0200

    suricata: Set exception-policy to pass-packet

    This simply will skip processing a packet that caused an exception and
    will allow Suricata to process all following packets of a flow.

    Reference: #13638

    Signed-off-by: Stefan Schantl
    Signed-off-by: Michael Tremer

commit a4ade63ef1823a6f5e657f0c0ebb60be5fd3ad33
Author: Stefan Schantl
Date:   Fri Apr 5 21:26:37 2024 +0200

    suricata: Update suricata.yaml

    Update the configuration file for suricata 7. This includes:

    * Default values for newly introduced features and parsers
    * Enable recently added protocol parsers for HTTP2, QUIC, Telnet and
      Torrent
    * Update of URL for documentation
    * Fixes of various typos and other clarifications

    Signed-off-by: Stefan Schantl
    Signed-off-by: Michael Tremer

commit 69031f7674295d6d95219a97063c718beecc1052
Author: Michael Tremer
Date:   Wed Apr 3 21:42:13 2024 +0100

    suricata: Disable fail-open on NFQUEUE

    This change causes that, if suricata crashes, the NFQUEUE will no
    longer fall into a mode where ALL packets are being accepted. This used
    to be the case before, which opened the entire firewall.

    If suricata randomly crashes, we will fall back to the "bypass" mode
    where packets will bypass suricata, but nothing else.

    Fixes: #13642

    Signed-off-by: Michael Tremer

commit bb46f3bef8445a0dba2e92bbb614113a9a4adcaf
Author: Arne Fitzenreiter
Date:   Sun Mar 31 13:27:46 2024 +0200

    core185: explicit erase liblzma.so.5.6.*

    because if this file exists the cleanup script will remove the older
    version after downgrade and the system still uses the malwared version.

    Signed-off-by: Arne Fitzenreiter

commit ee08f7aea1f9414bf13ff929a2236d747e7e6546
Author: Michael Tremer
Date:   Sat Mar 30 12:14:51 2024 +0000

    frr: Bump release version

    Signed-off-by: Michael Tremer

commit 56d32cbe9150302ec5516c0c66f8c36aaa0a38a2
Author: Michael Tremer
Date:   Thu Mar 28 17:41:12 2024 +0000

    frr: Update reloading all services

    Signed-off-by: Michael Tremer

commit 7c6b05dfb8a5270a8434f9304ea5b44f6d59da94
Author: Michael Tremer
Date:   Thu Mar 28 17:41:11 2024 +0000

    frr: Start the management daemon, too

    This daemon is running the configuration validation and is required to
    run at all times.

    Signed-off-by: Michael Tremer

commit 0972da95bf50e4528d09097c23673779aaf7a634
Author: Michael Tremer
Date:   Thu Mar 28 17:41:10 2024 +0000

    protobuf-c: Ship libraries

    FRR links against this and fails to start without.

    Signed-off-by: Michael Tremer

commit bd49143228a4c79b8d70edb7ab3922b4d86336fc
Author: Michael Tremer
Date:   Sat Mar 30 12:13:08 2024 +0000

    make.sh: Update contributors

    Signed-off-by: Michael Tremer

commit 417182c49b3cceaea5925503fd772e66c37775bc
Author: Rico Hoppe
Date:   Thu Mar 28 09:51:53 2024 +0000

    README.md: fix minor typo

    Signed-off-by: Rico Hoppe
    Reviewed-by: Michael Tremer
    Signed-off-by: Michael Tremer

commit 64d6bbe5a37ea9fb0de816725e88e0692159b163
Author: Rico Hoppe
Date:   Thu Mar 28 09:51:52 2024 +0000

    README.md: update text & adjust links to new URLs

    - links for: about, documentation, help
    - wording: wiki to documentation

    Signed-off-by: Rico Hoppe
    Reviewed-by: Michael Tremer
    Signed-off-by: Michael Tremer

commit 21f467d65a7a4d3927601731f59dc6ab5f895142
Author: Michael Tremer
Date:   Sat Mar 30 12:11:42 2024 +0000

    core185: Ship new perl modules for libarchive

    Signed-off-by: Michael Tremer

commit ee16b227a55aa2ee61a906342ca322de3c0fcf67
Author: Stefan Schantl
Date:   Sat Mar 30 12:35:30 2024 +0100

    ids-functions.pl: Use libarchive to extract archives

    This gives us a lot of benefits:

    * Speed up the extraction process
    * More supported archive types due to the power of libarchive
    * Support of passphrase protected archives

    It also fixes a problem with non extracted files next to a zero sized
    file inside an archive.

    Fixes #13632.

    Signed-off-by: Stefan Schantl
    Signed-off-by: Michael Tremer

commit 2ef62acc017de41ff59e0dd76b405374a2b55d18
Author: Stefan Schantl
Date:   Sat Mar 30 12:35:29 2024 +0100

    perl-Archive-Peek-Libarchive: New package

    A very simple XS based perl binding for libarchive to get header data
    and extract files.

    Signed-off-by: Stefan Schantl
    Signed-off-by: Michael Tremer

commit d33b29e2b13de7730cd4a67f7aa2bde000776485
Author: Stefan Schantl
Date:   Sat Mar 30 12:35:28 2024 +0100

    perl-Object-Tiny: New package

    This is a runtime dependency of perl-Archive-Peek-Libarchive

    Signed-off-by: Stefan Schantl
    Signed-off-by: Michael Tremer

commit c85407615508fb5c62ddc92b7a6e83e4a278901d
Author: Stefan Schantl
Date:   Sat Mar 30 12:35:27 2024 +0100

    perl-Config-AutoConf: New package

    This is only a build dependency for perl-Archive-Peek-Libarchive and
    will not be installed on a system

    Signed-off-by: Stefan Schantl
    Signed-off-by: Michael Tremer

commit cf94463c4c5c7f7eb71c1ac4bcef2160446fab79
Author: Stefan Schantl
Date:   Sat Mar 30 12:35:26 2024 +0100

    perl-Capture-Tiny: New package

    This is only a build dependency for perl-Config-AutoConf and will not
    be installed on a system

    Signed-off-by: Stefan Schantl
    Signed-off-by: Michael Tremer

commit c283a6f615f5fe4bea63d5534bda8a0c6270b486
Author: Michael Tremer
Date:   Sat Mar 30 12:07:22 2024 +0000

    core185: Ship everything that is linked against XZ

    This is a precautionary step to avoid that we have any issues to face
    because of a downgrade, as new symbols have been added to liblzma
    5.6.0.

    Furthermore, this should avoid shipping any traces of any other
    potential malware in XZ that has been added in 5.6.0 or after.

    Signed-off-by: Michael Tremer

commit 16901fee6aa334a705cf67018277898f42834f5d
Author: Michael Tremer
Date:   Sat Mar 30 11:58:24 2024 +0000

    xz: Remove excess whitespace

    Signed-off-by: Michael Tremer

commit 1b8437340bc1c4b343640690692071795716ba80
Author: Adolf Belka
Date:   Sat Mar 30 09:14:58 2024 +0100

    xz: Revert back to version 5.4.5 due to backdoor issue

    - xz version 5.6.0 and 5.6.1 discovered to have been backdoored by what
      looks to have been one of the xz devs.
    - IPFire looks not to be affected by the problem as we don't patch
      openssh to be linked with liblzma
    - However, due to question marks about what else might be in these
      5.6.x versions, it is better to revert back to a version that did not
      have the build-to-host.m4 file with the code that modifies the build
      if it meets certain criteria.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 9dd2a4635fbc9d3da96c7916cd0bf2d5cd24d145
Author: Michael Tremer
Date:   Tue Mar 26 15:08:01 2024 +0000

    IPS: Fix how we show EOL providers

    There is no need to add a legend as I find it confusing. The chance
    that people are using an EOL is rather slim and so I don't want to
    waste space.

    Signed-off-by: Michael Tremer

commit c2df627c8c29d43d1acfbdf60878f6a3339151e1
Author: Michael Tremer
Date:   Tue Mar 26 14:43:39 2024 +0000

    core185: Fix update.sh syntax issues

    Signed-off-by: Michael Tremer

commit 3d947e6e6b9f492fa0a12b40db0495b6eac6d967
Author: Adolf Belka
Date:   Mon Mar 25 18:44:56 2024 +0100

    CU185-update.sh: Add drop hostile in & out logging entries if not already present

    - This v2 patch corrects that the previous script was looking for =on.
      If a user had modified the preferences to change it to =off then the
      script would have resulted in both =on and =off versions being in the
      settings file.
    - This patch ensures that those people who updated to CU184 before the
      CU184-update.sh patch fix to add the logging entries was added will
      get their optionsfw settings file correctly updated with CU185
    - This only adds the LOGDROPHOSTILEIN & LOGDROPHOSTILEOUT entries if
      they do not already exist in the optionsfw settings file.
    - This change also does the check for LOGDROPHOSTILEIN and
      LOGDROPHOSTILEOUT as two separate checks and then runs the firewall
      update command

    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 2e94953dd40134d05d3dd93c9c3e125f5ec427f9
Author: Adolf Belka
Date:   Mon Mar 25 14:41:38 2024 +0100

    shadow: Update login.defs to remove reference to cracklib

    - From shadow-15.0.0 all references to cracklib were removed from
      shadow. Apparently some functions were no longer accessible and the
      shadow team decided to remove cracklib references completely. This
      was not mentioned in the changelog for 15.0.0
    - This results in getting the message
      configuration error - unknown item 'CRACKLIB_DICTPATH' ( notify administrator )
      when logging in to the console.
    - The login to the console occurs successfully so the message is only
      a warning that cracklib is no longer used.
    - IPFire does not use cracklib anyway so this patch removes the section
      referring to cracklib from the login.defs configuration file.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit cb0488997b9c2237058a0ff8c546c269b6a6f1ed
Author: Adolf Belka
Date:   Mon Mar 25 12:17:52 2024 +0100

    samba: Add wsdd as a dependency to samba

    - Add wsdd as a dependency to samba so it will be installed together
      with samba

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 08b7500b267a54aa634fb34b67b4dfc0934ae2be
Author: Adolf Belka
Date:   Wed Mar 20 15:43:27 2024 +0100

    CU185-update.sh: Add drop hostile in & out logging entries if not already present

    - This patch ensures that those people who updated to CU184 before the
      CU184-update.sh patch fix to add the logging entries was added will
      get their optionsfw settings file correctly updated with CU185
    - This only adds the LOGDROPHOSTILEIN & LOGDROPHOSTILEOUT entries if
      they do not already exist in the optionsfw settings file.

    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit ad0d064a487c8912cbe4bd77ae652a4212e0fae9
Author: Stefan Schantl
Date:   Fri Mar 22 06:01:45 2024 +0100

    ids.cgi: Improve add provider logic

    Do no longer add unsupported/removed providers as an option when adding
    a new/first ruleset provider.

    Signed-off-by: Stefan Schantl
    Signed-off-by: Michael Tremer

commit 4e8225a778f838dadc530759b9341fc9dbf5d534
Author: Michael Tremer
Date:   Fri Mar 22 15:29:22 2024 +0000

    core185: Ship IPS files

    Signed-off-by: Michael Tremer

commit cf6eaba833abee235fffdf377a0d6379a0ff8406
Author: Stefan Schantl
Date:   Thu Mar 21 21:51:18 2024 +0100

    ids.cgi: Adjust code for marking unsupported providers

    Signed-off-by: Stefan Schantl
    Signed-off-by: Michael Tremer

commit 563e4a4298b881d612a14994d90bbb7503e1d754
Author: Stefan Schantl
Date:   Thu Mar 21 21:51:17 2024 +0100

    ruleset-sources: Restore generic details about recently dropped providers

    At least this information is required to display something useful on
    the webgui, even if a provider has been dropped.

    Signed-off-by: Stefan Schantl
    Signed-off-by: Michael Tremer

commit 0842e694a6b577843362ea6b854d336b867d6f00
Author: Stefan Schantl
Date:   Thu Mar 21 21:51:16 2024 +0100

    update-ids-ruleset: Disable provider if no dl_url can be obtained

    Unsupported/Removed providers do no longer have this information

    Signed-off-by: Stefan Schantl
    Signed-off-by: Michael Tremer

commit df7977fde7dec9516036afd8b687acab9f034bf4
Author: Stefan Schantl
Date:   Thu Mar 21 21:51:15 2024 +0100

    ids.cgi: Change check if a provider is no longer supported

    This check is now based on a download URL instead of checking if an
    entry in the ruleset sources is present.

    Signed-off-by: Stefan Schantl
    Signed-off-by: Michael Tremer

commit 738ee720275e56bd6fff06b2b53730f903dd02df
Author: Stefan Schantl
Date:   Thu Mar 21 21:51:14 2024 +0100

    ids-functions.pl: Improve logic to get the cached rulesfile of a provider

    Signed-off-by: Stefan Schantl
    Signed-off-by: Michael Tremer

commit 0564584a5887b7498ae9ea638bc4799d2a6147e8
Author: Michael Tremer
Date:   Thu Mar 21 14:56:41 2024 +0000

    core185: Ship IPS ruleset sources

    Signed-off-by: Michael Tremer

commit 08d869d54f4903593992d7aee2ef17d79d235108
Author: Michael Tremer
Date:   Wed Mar 20 10:03:51 2024 +0000

    suricata: Update to 7.0.4

    https://suricata.io/2024/03/19/suricata-7-0-4-and-6-0-17-released/

    Signed-off-by: Michael Tremer

commit 5e9fd833e6eac8bb3481b744782f1e2409eef6f7
Author: Michael Tremer
Date:   Wed Mar 20 10:01:13 2024 +0000

    core185: Ship libhtp

    Signed-off-by: Michael Tremer

commit d4f66c22a8a240ba87e63fcd7fa0174e6bea03ec
Author: Michael Tremer
Date:   Wed Mar 20 10:00:51 2024 +0000

    libhtp: Update to 0.5.47

    Signed-off-by: Michael Tremer

commit 3396c743034c41413a7078e752ef426ef074ef77
Author: Michael Tremer
Date:   Wed Mar 20 09:56:14 2024 +0000

    Config: Update source upload URL

    Signed-off-by: Michael Tremer

commit 5552f51de026fe1657bf404ce73e73462389854a
Author: Michael Tremer
Date:   Tue Mar 19 11:14:42 2024 +0000

    wsdd: Remove dropped initscript

    Signed-off-by: Michael Tremer

commit 4913c14477214f285ade2dfc304baaa6fbfaf2d1
Author: Adolf Belka
Date:   Mon Mar 18 19:43:14 2024 +0100

    wsdd: Update install and uninstall pak files

    - As wsdd is now started by samba when it is started, the wsdd install
      and uninstall paks no longer need to create the symlinks for starting
      and stopping wsdd and no longer need the start_service and
      stop_service commands in the paks.

    Fixes: bug#13445

    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 6e600296bb3ec7d5151ed6282726c06c5dda1569
Author: Adolf Belka
Date:   Mon Mar 18 19:43:13 2024 +0100

    wsdd: Update of lfs file - fixes bug#13445

    - Removal of services line as wsdd will now be started by the samba
      option in the addon services wui page
    - Removal of installing separate wsdd initscript as it is now
      integrated into the samba initscript.

    Fixes: bug#13445

    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit cfb0ced3c413cdd4b02b222ed93cebaa75246d53
Author: Adolf Belka
Date:   Mon Mar 18 19:43:12 2024 +0100

    wsdd: remove wsdd initscript as now covered by samba - fixes bug#13445

    Fixes: bug#13445

    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit b1e521c8f107c97c2179f0a48907ae1ab6e2810a
Author: Adolf Belka
Date:   Mon Mar 18 19:43:11 2024 +0100

    samba: Integrate wsdd initscript into samba initscript - bug#13445

    - This integrates the wsdd initscript functions into the samba
      initscript. When samba is started or stopped or the status requested,
      wsdd is part of that process.
    - Tested in my vm testbed and confirmed to work for start, stop and
      status. Confirmed pids shown with the status command are in the
      appropriate pid files.

    Fixes: bug#13445

    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer