* fix a processing race condition
* it's now possible to disable the icmp/syn/udp safeguards in pre-routing - set the threshold to '0'.
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 083554094b)
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 0db33e866b)
[added a patch to fix build with go 1.21]
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
The new validation_method option can be: dns, webroot or standalone.
Previously we guessed the challenge type:
1. if the DNS provider is specified then it's dns
2. if standalone=1
3. fallback to webroot
The logic is preserved and if the validation_method wasn't set explicitly we'll guess it in old manner.
Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
This commit adds the following features:
1. UCI support for local DNS over HTTPS/TLS/QUIC server.
2. UCI support for using private reverse DNS.
3. procd jail with CAP_NET_BIND_SERVICE, allowing
dnsproxy to serve on standard ports directly.
Signed-off-by: Emily H. <battery_tag708@simplelogin.com>
(cherry picked from commit 5df794e343)
Backport patch for PCRE2 support as PCRE is EOL and won't receive any
support updates anymore.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit baa0d51270)
This swaps the order of the lines in the description so that when LuCI displays only the first line, it still offers some helpful information.
Signed-off-by: Nathan Friedly <nathan@nfriedly.com>
(cherry picked from commit 06ea66c558)
* fixed possible Set search race condition (initiated from LuCI frontend)
* fixed the "no result" Set search problem in LuCI
* removed abandoned feeds: spamhaus edrop (was merged with spamhaus drop)
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit ad755e0c4d)
* added a DDoS protection rules in a new pre-routing chain to prevent common ICMP, UDP and SYN flood attacks and drop spoofed tcp flags & invalid conntrack packets, flood tresholds are configured via 'ban_icmplimit' (default 10/s), 'ban_synlimit' (default 10/s) and 'ban_udplimit' (default 100/s)
* the new pre-routing rules are tracked via named nft counters and are part of the standard reporting, set 'ban_logprerouting' accordingly
* block countries dynamically by Regional Internet Registry (RIR)/regions, e.g. all countries related to ARIN. Supported service regions are: AFRINIC, ARIN, APNIC, LACNIC and RIPE, set 'ban_region' accordingly
* it's now possible to always allow certain protocols/destination ports in wan-input and wan-forward chains, set 'ban_allowflag' accordingly - e.g. ' tcp 80 443-445'
* filter/convert possible windows line endings of external feeds during processing
* the cpu core autodetection is now limited to max. 16 cores in parallel, set 'ban_cores' manually to overrule this limitation
* set the default nft priority to -100 for banIP input/forward chains (pre-routing is set to -150)
* update readme
* a couple of bugfixes & performance improvements
* removed abandoned feeds: darklist, ipblackhole
* added new feeds: becyber, ipsum, pallebone, debl (changed URL)
* requires a LuCI frontend update as well (separate PR/commit)
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit fa80fefe22)
The GitHub CI offers currenlty more architecture and the Signed-of-by
test is covered via the DOC CI test. In case GitHub ever changes
policies, we can simply switch back.
Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit 26c101edc3)
* include `server:` directive at the top of unbound file
* update unbound-related outputGzip variable to include full path
* return always_nxdomain for blocked domains
* also update copyright stamp/license
Signed-off-by: Stan Grishin <stangri@melmac.ca>
(cherry picked from commit 474587a1f4)
Maintainer: Stan Grishin <stangri@melmac.ca>
Run tested: aarch64, Dynalink DL-WRX36, Master Branch
Signed-off-by: Sean Khan <datapronix@protonmail.com>
(cherry picked from commit 3cbb7474c3)
This is a security release.
Notable Changes
* CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
Also some spell fixes for README.md
Drop patch-0001 - ntpd >= 4.2.8p16 patched this behaviour. See:
https://bugs.ntp.org/show_bug.cgi?id=3741 (and the linked diff there)
d2a7faef2f
Signed-off-by: Paul Donald <newtwen@gmail.com>
(cherry picked from commit b2742ed05d)
Bump to latest 2.0.25.1 release
Drop upstream PCRE2 patch and alarm memory leak fix.
Rework and refresh patch due to release bump.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit a9371952c9)
Add experimental pcre2 patch and drop pcre in favor of pcre2 library.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 4374c3250f)
Bump to release 2.0.22 to make it easier to apply patch for pcre2
support.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 94ded8ff31)
IPv6 has accidentally been disabled in all Exim builds since the
package was introduced in OpenWrt due to a faulty `sed` script. This
has now been fixed, so beware that IPv6 is now enabled when updating
from previous releases.
Upstream changes since version 4.96.2 (bottom up):
JH/s1 Refuse to accept a line "dot, LF" as end-of-DATA unless operating in
LF-only mode (as detected from the first header line). Previously we did
accept that in (normal) CRLF mode; this has been raised as a possible
attack scenario (under the name "smtp smuggling", CVE-2023-51766).
JH/01 The hosts_connection_nolog main option now also controls "no MAIL in
SMTP connection" log lines.
JH/02 Option default value updates:
- queue_fast_ramp (main) true (was false)
- remote_max_parallel (main) 4 (was 2)
JH/03 Cache static regex pattern compilations, for use by ACLs.
JH/04 Bug 2903: avoid exit on an attempt to rewrite a malformed address.
Make the rewrite never match and keep the logging. Trust the
admin to be using verify=header-syntax (to actually reject the message).
JH/05 Follow symlinks for placing a watch on TLS creds files. This means
(under Linux) we watch the dir containing the final file; previously
it would be the dir with the first symlink. We still do not monitor
the entire path.
JH/06 Check for bad chars in rDNS for sender_host_name. The OpenBSD (at least)
dn_expand() is happy to pass them through.
JH/07 OpenSSL Fix auto-reload of changed server OCSP proof. Previously, if
the file with the proof had an unchanged name, the new proof(s) were
loaded on top of the old ones (and nover used; the old ones were stapled).
JH/08 Bug 2915: Fix use-after-free for $regex<n> variables. Previously when
more than one message arrived in a single connection a reference from
the earlier message could be re-used. Often a sigsegv resulted.
These variables were introduced in Exim 4.87.
Debug help from Graeme Fowler.
JH/09 Fix ${filter } for conditions that modify $value. Previously the
modified version would be used in construction the result, and a memory
error would occur.
JH/10 GnuTLS: fix for (IOT?) clients offering no TLS extensions at all.
Find and fix by Jasen Betts.
JH/11 OpenSSL: fix for ancient clients needing TLS support for versions earlier
than TLSv1,2, Previously, more-recent versions of OpenSSL were permitting
the systemwide configuration to override the Exim config.
HS/01 Bug 2728: Introduce EDITME option "DMARC_API" to work around incompatible
API changes in libopendmarc.
JH/12 Bug 2930: Fix daemon startup. When started from any process apart from
pid 1, in the normal "background daemon" mode, having to drop process-
group leadership also lost track of needing to create listener sockets.
JH/13 Bug 2929: Fix using $recipients after ${run...}. A change made for 4.96
resulted in the variable appearing empty. Find and fix by Ruben Jenster.
JH/14 Bug 2933: Fix regex substring match variables for null matches. Since 4.96
a capture group which obtained no text (eg. "(abc)*" matching zero
occurrences) could cause a segfault if the corresponding $<n> was
expanded.
JH/15 Fix argument parsing for ${run } expansion. Previously, when an argument
included a close-brace character (eg. it itself used an expansion) an
error occurred.
JH/16 Move running the smtp connect ACL to before, for TLS-on-connect ports,
starting TLS. Previously it was after, meaning that attackers on such
ports had to be screened using the host_reject_connection main config
option. The new sequence aligns better with the STARTTLS behaviour, and
permits defences against crypto-processing load attacks, even though it
is strictly an incompatible change.
Also, avoid sending any SMTP fail response for either the connect ACL
or host_reject_connection, for TLS-on-connect ports.
JH/17 Permit the ACL "encrypted" condition to be used in a HELO/EHLO ACL,
Previously this was not permitted, but it makes reasonable sense.
While there, restore a restriction on using it from a connect ACL; given
the change JH/16 it could only return false (and before 4.91 was not
permitted).
JH/18 Fix a fencepost error in logging. Previously (since 4.92) when a log line
was exactly sized compared to the log buffer, a crash occurred with the
misleading message "bad memory reference; pool not found".
Found and traced by Jasen Betts.
JH/19 Bug 2911: Fix a recursion in DNS lookups. Previously, if the main option
dns_again_means_nonexist included an element causing a DNS lookup which
itself returned DNS_AGAIN, unbounded recursion occurred. Possible results
included (though probably not limited to) a process crash from stack
memory limit, or from excessive open files. Replace this with a paniclog
whine (as this is likely a configuration error), and returning
DNS_NOMATCH.
JH/20 Bug 2954: (OpenSSL) Fix setting of explicit EC curve/group. Previously
this always failed, probably leading to the usual downgrade to in-clear
connections.
JH/21 Fix TLSA lookups. Previously dns_again_means_nonexist would affect
SERVFAIL results, which breaks the downgrade resistance of DANE. Change
to not checking that list for these lookups.
JH/22 Bug 2434: Add connection-elapsed "D=" element to more connection
closure log lines.
JH/23 Fix crash in string expansions. Previously, if an empty variable was
immediately followed by an expansion operator, a null-indirection read
was done, killing the process.
JH/24 Bug 2997: When built with EXPERIMENTAL_DSN_INFO, bounce messages can
include an SMTP response string which is longer than that supported
by the delivering transport. Alleviate by wrapping such lines before
column 80.
JH/25 Bug 2827: Restrict size of References: header in bounce messages to 998
chars (RFC limit). Previously a limit of 12 items was made, which with
a not-impossible References: in the message being bounced could still
be over-large and get stopped in the transport.
JH/26 For a ${readsocket } in TLS mode, send a TLS Close Alert before the TCP
close. Previously a bare socket close was done.
JH/27 Fix ${srs_encode ..}. Previously it would give a bad result for one day
every 1024 days.
JH/28 Bug 2996: Fix a crash in the smtp transport. When finding that the
message being considered for delivery was already being handled by
another process, and having an SMTP connection already open, the function
to close it tried to use an uninitialized variable. This would afftect
high-volume sites more, especially when running mailing-list-style loads.
Pollution of logs was the major effect, as the other process delivered
the message. Found and partly investigated by Graeme Fowler.
JH/29 Change format of the internal ID used for message identification. The old
version only supported 31 bits for a PID element; the new 64 (on systems
which can use Base-62 encoding, which is all currently supported ones
but not Darwin (MacOS) or Cygwin, which have case-insensitive filesystems
and must use Base-36). The new ID is 23 characters rather than 16, and is
visible in various places - notably logs, message headers, and spool file
names. Various of the ancillary utilities also have to know the format.
As well as the expanded PID portion, the sub-second part of the time
recorded in the ID is expanded to support finer precision. Theoretically
this permits a receive rate from a single comms channel of better than the
previous 2000/sec.
The major timestamp part of the ID is not changed; at 6 characters it is
usable until about year 3700.
Updating from previously releases is fully supported: old-format spool
files are still usable, and the utilities support both formats. New
message will use the new format. The one hints-DB file type which uses
message-IDs (the transport wait- DB) will be discarded if an old-format ID
is seen; new ones will be built with only new-format IDs.
Optionally, a utility can be used to convert spool files from old to new,
but this is only an efficiency measure not a requirement for operation
Downgrading from new to old requires running a provided utility, having
first stopped all operations. This will convert any spool files from new
back to old (losing time-precision and PID information) and remove any
wait- hints databases.
JH/30 Bug 3006: Fix handling of JSON strings having embedded commas. Previously
we treated them as item separators when parsing for a list item, but they
need to be protected by the doublequotes. While there, add handling for
backslashes.
JH/31 Bug 2998: Fix ${utf8clean:...} to disallow UTF-16 surrogate codepoints.
Found and fixed by Jasen Betts. No testcase for this as my usual text
editor insists on emitting only valid UTF-8.
JH/32 Fix "tls_dhparam = none" under GnuTLS. At least with 3.7.9 this gave
a null-indirection SIGSEGV for the receive process.
JH/33 Fix free for live variable $value created by a ${run ...} expansion during
-bh use. Internal checking would spot this and take a panic.
JH/34 Bug 3013: Fix use of $recipients within arguments for ${run...}.
In 4.96 this would expand to empty.
JH/35 Bug 3014: GnuTLS: fix expiry date for an auto-generated server
certificate. Find and fix by Andreas Metzler.
JH/36 Add ARC info to DMARC hostory records.
JH/37 Bug 3016: Avoid sending DSN when message was accepted under fakereject
or fakedefer. Previously the sender could discover that the message
had in fact been accepted.
JH/38 Taint-track intermediate values from the peer in multi-stage authentation
sequences. Previously the input was not noted as being tainted; notably
this resulted in behaviour of LOGIN vs. PLAIN being inconsistent under
bad coding of authenticators.
JH/39 Bug 3023: Fix crash induced by some combinations of zero-length strings
and ${tr...}. Found and diagnosed by Heiko Schlichting.
JH/40 Bug 2999: Fix a possible OOB write in the external authenticator, which
CVE-2023-42115
JH/41 Bug 3000: Fix a possible OOB write in the SPA authenticator, which could
be triggered by externally-controlled input. Found by Trend Micro.
CVE-2023-42116
JH/42 Bug 3001: Fix a possible OOB read in the SPA authenticator, which could
be triggered by externally-controlled input. Found by Trend Micro.
CVE-2023-42114
JH/43 Bug 2903: avoid exit on an attempt to rewrite a malformed address.
Make the rewrite never match and keep the logging. Trust the
admin to be using verify=header-syntax (to actually reject the message).
JH/44 Bug 3033: Harden dnsdb lookups against crafted DNS responses.
CVE-2023-42219
could be triggered by externally-supplied input. Found by Trend Micro.
CVE-2023-42115
JH/41 Bug 3000: Fix a possible OOB write in the SPA authenticator, which could
be triggered by externally-controlled input. Found by Trend Micro.
CVE-2023-42116
JH/42 Bug 3001: Fix a possible OOB read in the SPA authenticator, which could
be triggered by externally-controlled input. Found by Trend Micro.
CVE-2023-42114
JH/43 Bug 2903: avoid exit on an attempt to rewrite a malformed address.
Make the rewrite never match and keep the logging. Trust the
admin to be using verify=header-syntax (to actually reject the message).
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit e8600462c7)
Nikos Mavrogiannopoulos