* Create working directory when it is not present. Apparently
some recent change made adguardhome fail to start when working
directory is missing.
* Full changelog available at:
* https://github.com/AdguardTeam/AdGuardHome/releases/tag/v0.106.1
Signed-off-by: Dobroslaw Kijowski <dobo90@gmail.com>
* fix pid file processing of the background monitor plus child
processes (bug reported in the forum)
* made the enabled/disabled switch of the background monitor functional
Signed-off-by: Dirk Brenken <dev@brenken.org>
Samplicator receives UDP datagrams on a given port and resends those
datagrams to a specified set of receivers.
Use Cases:
- replicate Flow Samples to multiple receivers
- use with conntrackd to synchronize via unicast to multiple targets
Signed-off-by: Nick Hainke <vincent@systemli.org>
In the procd refactor, support for interfaces with no tracking IPs was
inadvertentiy removed. This commit restores the previous behavior
Signed-off-by: Aaron Goodman <aaronjg@stanford.edu>
Fixes the following security issues:
* CVE-2021-25215 - named crashed when a DNAME record placed in the ANSWER
section during DNAME chasing turned out to be the final
answer to a client query.
* CVE-2021-25214 - Insufficient IXFR checks could result in named serving a
zone without an SOA record at the apex, leading to a
RUNTIME_CHECK assertion failure when the zone was
subsequently refreshed. This has been fixed by adding an
owner name check for all SOA records which are included
in a zone transfer.
Signed-off-by: Noah Meyerhans <frodo@morgul.net>
Using `$(INSTALL_CONF)` will cause the program has no access to
configurations file when someone enabled the selinux support.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Xray now is no longer planning to keep compatibility with original
v2ray. Remove PROVIDES before it is totally broken.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
From mosquitto 2.x, port became optional and deprecated in the config,
and it was recommended that listeners be used instead. Drop the hard
requirement in our config conversion script.
Reported in: https://github.com/openwrt/packages/issues/15506
Signed-off-by: <karlp@etactica.com>
Maintainer: @neheb / @BKPepe / @zhanhb
Compile tested: ipq806x, generic, netgear_r7800, master
Run tested: ipq806x, generic, netgear_r7800, openwrt-19.07
Description:
Squid now only support HTTPS proxy in TCP tunnel mode (e.g. `ssl_bump splice all`):
https_port 3128 ssl-bump tls-cert=/etc/squid/squid.pem generate-host-certificates=on
ssl_bump splice all
In order to operate in SSL Bump mode, we need to compile with `--enable-ssl-crtd` for following configuration:
https_port 3128 ssl-bump tls-cert=/etc/squid/squid.pem generate-host-certificates=on
sslcrtd_program /usr/lib/squid/security_file_certgen -s /car/cache/squid/ssl_db -M 4MB
ssl_bump stare all
ssl_bump bump all
This PR switch the `SQUID_enable-ssl-crtd` into `default y`, therefore default enable SSL Bump mode.
Signed-off-by: Wong Hoi Sing Edison <hswong3i@pantarei-design.com>
Staging certificates have the advantage that their retry limits are loose.
Therefore they can be obtained quickly when automatic retries are used.
Unfortunately they can not be used for deployments because their CA is not
accepted by clients. Production certificates do not have this limitation, but
their retry limits are strict. For production certificates, automatic retries
can only be performed a few times per hour. This makes automatic obtainment of
certificates tenacious.
With use_auto_staging=1, the advantages of the two certificate types are
combined. Uacme will first obtain a staging certificate. When the staging
certificate is successfully obtained, uacme will switch and obtain a production
certificate. Since the staging certificate has already been successfully
obtained, we can ensure that the production certificate is successfully
obtained in the first attempt. This means that "retries" are performed on the
staging certificate and the production certificate is obtained in the first
attempt.
In summary, this feature enables fast obtaining of production certificates when
automatic retries are used.
By default, this feature is set to use_auto_staging=0, which means that
uacme will behave as before by default.
Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
With this commit, issue_cert() can be called multiple times alternating
between staging and production certificates within a script.
Before this commit, the production state dir was stored in $STATE_DIR.
But in the case of $use_staging=1, this variable was overwritten in
issue_cert() with $STAGING_STATE_DIR. This made it impossible to call
issue_cert() with $use_staging=0 afterwards. Now the production state
dir is stored in $PRODUCTION_STATE_DIR. This way it is not overridden
anymore and issue_cert() can be called multiple times alternating with
production and staging.
Signed-off-by: Leonardo Mörlein <git@irrelefant.net>
The get_bool() functionality was already merged to lib/functions.sh, so
it is redundant in the init script. Remove it.
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
- ignore Content-Length from backend if 101 Switching Protocols
- close HTTP/2 connection after bad password
- skip cert chain build for self-issued certs
- meson zstd fix
- ls-hpack upstream update
- discard some HTTP/2 DATA frames received after response
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
- Exit start if a probe_key is not present
- Add create_key command to generate a private_key based on the provided username in the atlas config.
- Add registration instruction in /etc/atlas
- Rework script to save probe_key on sysupgrade (the key are now adviced to be placed in the /etc/atlas dir and a link is used to make them accessible in the atlas-sw-scripts etc dir)
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
* lots of fixes for many subsystems
* new messenger group chat service
* 'abd' temporarily removed due to upstream issue
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Fixes two related security vulnerabilities (CVE-2020-15078) which
under very specific circumstances allow tricking a server using delayed
authentication (plugin or management) into returning a PUSH_REPLY before
the AUTH_FAILED message, which can possibly be used to gather
information about a VPN setup. In combination with "--auth-gen-token" or
a user-specific token auth solution it can be possible to get access to
a VPN with an otherwise-invalid account.
OpenVPN 2.5.2 also includes other bug fixes and improvements.
Add CI build test script.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* add a "whitelist only" mode, this option allows to restrict Internet
access from/to a small number of secure websites/IPs, and block access
from/to the rest of the Internet.
Signed-off-by: Dirk Brenken <dev@brenken.org>
