lp:~vcs-imports/ipfire/ipfire-2.x

Created by Jelmer Vernooij on 2010-05-31 and last modified on 2021-02-16
Get this branch:
bzr branch lp:~vcs-imports/ipfire/ipfire-2.x

Branch information

Owner:
VCS imports
Project:
IPFire.org
Status:
Development

Import details

Import Status: Reviewed

This branch is an import of the HEAD branch of the Git repository at git://git.ipfire.org/ipfire-2.x.git.


Recent revisions

8632. By Michael Tremer <email address hidden> on 2021-02-16

Merge remote-tracking branch 'ms/wifi-fixes'

8631. By Michael Tremer <email address hidden> on 2021-02-16

core154: Ship openssl

Signed-off-by: Michael Tremer <email address hidden>

8630. By Michael Tremer <email address hidden> on 2021-02-16

openssl: Update to 1.1.1j

Null pointer deref in X509_issuer_and_serial_hash() (CVE-2021-23841)
====================================================================

Severity: Moderate

The OpenSSL public API function X509_issuer_and_serial_hash() attempts to
create a unique hash value based on the issuer and serial number data contained
within an X509 certificate. However it fails to correctly handle any errors
that may occur while parsing the issuer field (which might occur if the issuer
field is maliciously constructed). This may subsequently result in a NULL
pointer deref and a crash leading to a potential denial of service attack.

The function X509_issuer_and_serial_hash() is never directly called by OpenSSL
itself so applications are only vulnerable if they use this function directly
and they use it on certificates that may have been obtained from untrusted
sources.

OpenSSL versions 1.1.1i and below are affected by this issue. Users of these
versions should upgrade to OpenSSL 1.1.1j.

OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL
1.0.2 is out of support and no longer receiving public updates. Premium support
customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade
to 1.1.1j.

This issue was reported to OpenSSL on 15th December 2020 by Tavis Ormandy from
Google. The fix was developed by Matt Caswell.

Incorrect SSLv2 rollback protection (CVE-2021-23839)
====================================================

Severity: Low

OpenSSL 1.0.2 supports SSLv2. If a client attempts to negotiate SSLv2 with a
server that is configured to support both SSLv2 and more recent SSL and TLS
versions then a check is made for a version rollback attack when unpadding an
RSA signature. Clients that support SSL or TLS versions greater than SSLv2 are
supposed to use a special form of padding. A server that supports greater than
SSLv2 is supposed to reject connection attempts from a client where this special
form of padding is present, because this indicates that a version rollback has
occurred (i.e. both client and server support greater than SSLv2, and yet this
is the version that is being requested).

The implementation of this padding check inverted the logic so that the
connection attempt is accepted if the padding is present, and rejected if it
is absent. This means that such a server will accept a connection if a version
rollback attack has occurred. Further the server will erroneously reject a
connection if a normal SSLv2 connection attempt is made.

Only OpenSSL 1.0.2 servers from version 1.0.2s to 1.0.2x are affected by this
issue. In order to be vulnerable a 1.0.2 server must:

1) have configured SSLv2 support at compile time (this is off by default),
2) have configured SSLv2 support at runtime (this is off by default),
3) have configured SSLv2 ciphersuites (these are not in the default ciphersuite
  list)

OpenSSL 1.1.1 does not have SSLv2 support and therefore is not vulnerable to
this issue. The underlying error is in the implementation of the
RSA_padding_check_SSLv23() function. This also affects the RSA_SSLV23_PADDING
padding mode used by various other functions. Although 1.1.1 does not support
SSLv2 the RSA_padding_check_SSLv23() function still exists, as does the
RSA_SSLV23_PADDING padding mode. Applications that directly call that function
or use that padding mode will encounter this issue. However since there is no
support for the SSLv2 protocol in 1.1.1 this is considered a bug and not a
security issue in that version.

OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium
support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should
upgrade to 1.1.1j.

This issue was reported to OpenSSL on 21st January 2021 by D. Katz and Joel
Luellwitz from Trustwave. The fix was developed by Matt Caswell.

Integer overflow in CipherUpdate (CVE-2021-23840)
=================================================

Severity: Low

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow
the output length argument in some cases where the input length is close to the
maximum permissible length for an integer on the platform. In such cases the
return value from the function call will be 1 (indicating success), but the
output length value will be negative. This could cause applications to behave
incorrectly or crash.

OpenSSL versions 1.1.1i and below are affected by this issue. Users of these
versions should upgrade to OpenSSL 1.1.1j.

OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL
1.0.2 is out of support and no longer receiving public updates. Premium support
customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade
to 1.1.1j.

This issue was reported to OpenSSL on 13th December 2020 by Paul Kehrer. The fix
was developed by Matt Caswell.

Signed-off-by: Michael Tremer <email address hidden>
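
The rollback check that CVE-2021-23839 inverted, shown as an added illustration that is not OpenSSL's code and not part of this commit: a simplified SSLv23 padding check in C, run over a constructed 64-byte sample block (the PAD_* codes, check_sample, the 0xAA filler and the "secret" message are assumptions of this example).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { PAD_OK = 0, PAD_BAD = -1, PAD_ROLLBACK = -2 };

/* block: RSA-decrypted block of num bytes laid out as 0x00 0x02 PS 0x00 M.
 * On success stores the message length in *mlen and returns PAD_OK. */
static int sslv23_padding_check(const uint8_t *block, size_t num, size_t *mlen)
{
    size_t i;
    if (num < 11 || block[0] != 0x00 || block[1] != 0x02)
        return PAD_BAD;
    for (i = 2; i < num && block[i] != 0x00; i++)   /* walk PS to the separator */
        ;
    if (i == num || i - 2 < 8)                     /* no separator, or PS < 8 bytes */
        return PAD_BAD;
    /* SSLv23 rule: eight 0x03 bytes ending PS mean the client speaks a version above
     * SSLv2, so an SSLv2 handshake is a rollback: reject. No marker: accept.
     * The 1.0.2s-1.0.2x defect flipped exactly this decision. */
    if (memcmp(block + i - 8, "\x03\x03\x03\x03\x03\x03\x03\x03", 8) == 0)
        return PAD_ROLLBACK;
    *mlen = num - i - 1;
    return PAD_OK;
}

/* Constructed 64-byte sample, not real protocol data: PS is 0xAA filler, its last
 * 8 bytes become 0x03 when mark_rollback is set, tamper corrupts the type byte.
 * Returns the recovered message length, or a negative PAD_* code. */
static int check_sample(int mark_rollback, int tamper)
{
    static const char msg[] = "secret";
    uint8_t block[64];
    size_t num = sizeof block, mlen = 0, pslen = num - 3 - strlen(msg);
    block[0] = 0x00;
    block[1] = tamper ? 0x01 : 0x02;
    memset(block + 2, 0xAA, pslen);
    if (mark_rollback)
        memset(block + 2 + pslen - 8, 0x03, 8);
    block[2 + pslen] = 0x00;
    memcpy(block + 3 + pslen, msg, strlen(msg));
    int rc = sslv23_padding_check(block, num, &mlen);
    return rc == PAD_OK ? (int)mlen : rc;
}

int main(void)
{
    printf("plain SSLv2 client: %d\n", check_sample(0, 0));   /* 6  */
    printf("rollback marker:    %d\n", check_sample(1, 0));   /* -2 */
    printf("malformed block:    %d\n", check_sample(0, 1));   /* -1 */
    return 0;
}
```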

8629. By Adolf Belka <email address hidden> on 2021-02-16

dhcp.cgi: Fix incorrect { placement from patch 3724

- When patch 3724 was created for bug #10743 a curly bracket was placed in the wrong place.
  This results in the overlap of two if loops meaning that there will be no validity
  check carried out on Default Lease Time if Deny Known Clients is not checked.
- This patch moves the { bracket to the right location.

Signed-off-by: Adolf Belka <email address hidden>
Signed-off-by: Michael Tremer <email address hidden>

8628. By Michael Tremer <email address hidden> on 2021-02-16

Revert "dhcpcd: Update to 9.3.4"

This reverts commit d96d979e2a0bb199b5ae7bec75964f4091996268.

Arne requested to revert this commit as well since dhcpcd still does not
run without any problems on i586 systems.

Signed-off-by: Michael Tremer <email address hidden>

8627. By Michael Tremer <email address hidden> on 2021-02-07

misc-progs: Call unpriv_system commands in a shell

Reported-by: Arne Fitzenreiter <email address hidden>
Signed-off-by: Michael Tremer <email address hidden>

8626. By Michael Tremer <email address hidden> on 2021-02-05

fireperf: I accidentally committed an empty rootfile

Signed-off-by: Michael Tremer <email address hidden>

8625. By Michael Tremer <email address hidden> on 2021-02-05

Revert "dhcpcd: Update to 9.4.0"

This reverts commit 15194c7c52c2438611832cecf4dad24fec304322.

This version still fails to run on i586 without this patch.

Signed-off-by: Michael Tremer <email address hidden>

8624. By Michael Tremer <email address hidden> on 2021-02-05

Update contributors

Signed-off-by: Michael Tremer <email address hidden>

8623. By Michael Tremer <email address hidden> on 2021-02-05

core154: Ship lzip

Signed-off-by: Michael Tremer <email address hidden>

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
This branch contains Public information. Everyone can see this information.