Introduce further ACL checks to verify that the request-supplied
upload location may be written to. This prevents overwriting things
like /bin/busybox and allows to confine uploads to specific directories.
To setup the required ACLs, the following ubus command may be used
on the command line:
ubus call session grant '{
"ubus_rpc_session": "d41d8cd98f00b204e9800998ecf8427e",
"scope": "cgi-io",
"objects": [
[ "/etc/certificates/*", "write" ],
[ "/var/uploads/*", "write" ]
]
}'
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 22be9a1c01)
* the WAN auto detection now supports multiple interfaces, too
* no longer filter out possible LAN devices
* add a new DoH (DNS over HTTPS) blocklist source with public
DoH DNS server addresses, to effectively block client side DoH
communication, e.g. via Firefox or Chrome
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 70ab67649b)
* new 'ca-bundle' dependency as all https connections
are now validated by default
* automatically select the download utility: 'aria2', 'curl',
'uclient-fetch' with libustream-* or wget are supported
* track & ban failed LuCI login attempts as well
* add a small log/banIP background monitor to block
SSH/LuCI brute force attacks in realtime (disabled by default)
* add a config version check (please update your default config!)
* made the automatic wan detection more stable
* fix the IPv6 logfile parser
* fix the service status message
* update readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit ff8b853a6d)
These patches address issues:
CVE-2019-16056: email.utils.parseaddr mistakenly parse an email
CVE-2019-16935: A reflected XSS in python/Lib/DocXMLRPCServer.py (for
Python 2.7)
CVE-2019-16935 was fixed for python3 in #10109
Links to Python issues:
https://bugs.python.org/issue34155https://bugs.python.org/issue38243
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
This release incorporates fixes for CVE-2019-13224 and CVE-2019-13225,
and "fixed many problems (found by libfuzzer programs)."
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit b7d0a82a7f)
Add code blocks for easier reading and change "dns" to "DNS".
Signed-off-by: Claudius Ellsel <claudius.ellsel@live.de>
(cherry picked from commit 088a14e5ce)
This can be helpful for example in hotels where you need to
enter a new user/password combination every week.
Signed-off-by: Johannes Rothe <mail@johannes-rothe.de>
(cherry picked from commit a7f87f939d)
Go 1.13 added a new -trimpath option to the "go build" command[1] that
removes system paths from compiled executables. This replaces the
previous -trimpath flags.
There are still system paths in the compiled executable (for crti.o and
crtn.o, when cross-compiling); these appear to be stripped during the
packaging process.
[1]: https://golang.org/doc/go1.13#trimpath
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry-picked from commit 22ee6e86a0)
Patch 002 - Force Python3 is no longer applying, let's try to throw it
away to see if it is still necessary
Patch 003 - Was backported from the master branch and it was included in
Netdata version 1.17.0
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry-picked from commit 5e89816)
Repository was moved.
Also cleaned up Makefile slightly.
Ran init script through shellcheck.
Added PKG_BUILD_PARALLEL for faster compilation.
Added several CFLAGS and LDFLAGS for smaller size.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry-picked from f3245e6c7d)
When passing -Wimplicit-function-declaration
Also got rid of std=gnu89. It's easy to patch out.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry-picked from 1b5e4883a4)
Cleaned up Makefile for consistency between packages.
Switched to CMAKE_INSTALL to get rid of the InstallDev section.
Refreshed patches.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry-picked from 2e2929366b)
