The update is split into two parts because of a kernel update, to accommodate the free space limitation.
1.4.19 contains some package updates, most notably a dnsmasq update to be immune to the recent DNS advisory.
1.4.20 installs the second part of the kernel update and configures the new kernel.
1.4.19 can be installed separately from 1.4.20. A reboot is not needed after installing 1.4.19.
Concerning the DNS issue, see more details at
http://www.heise-online.co.uk/news/DNS-security-problem-details-released--/111145
It is very likely that everyone needs to patch without waiting, and ours is in 1.4.19 for
dnsmasq.
The DNS server you use needs to be patched too, or you may switch to OpenDNS.
You need to reboot to use the new kernel after installing 1.4.20.
Files are available in the 'IPCop' package at SourceForge.
Sources
47b820fc1c28f2b1865ede8a3f0015fe ipcop-1.4.20-sources.tgz
External sources packages (./make.sh getothersrc could do that for you)
938e4ffda38dac874a12e6f0e9d7dd0d ipcop-1.4.20-othersrc.tar.bz2
412de52fc0bde67613d8e460003a1c68 ipcop-1.4.20-othersrc.tar.bz2.md5
I will publish only binaries for x86 for 1.4.20 unless requested.
If you use the alpha port, please report.
The new kernel contains:
- a new security protection against null pointer dereference (mmap_min_addr=4096)
- some new NIC drivers: skge, sky2, sc92031, atl1, atl2
- improved support in some IDE and SATA drivers
Please report success/failure for NIC and disk controller detection.
The Silan sc92031 driver should recognize the RslTek 8139D card.
It's a patch I have made and I need to know if everything is right.
The original driver has some bugs that I am trying to fix.
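A configuration check for the mmap_min_addr=4096 protection listed above, as an added example that is not part of the IPCop scripts. It assumes the setting is written in sysctl.conf under its full key name vm.mmap_min_addr, and the sample file is constructed.

```shell
#!/bin/sh
# Added example: audit a sysctl.conf-style file for the mmap_min_addr floor.
MIN_REQUIRED=4096

# Print the effective value of vm.mmap_min_addr from the file given as $1.
# Comment lines (# or ;) are ignored and the last assignment wins, which is
# how the file is applied when it is loaded top to bottom.
effective_mmap_min_addr() {
    awk -F= '
        /^[ \t]*[#;]/ { next }
        NF >= 2 {
            key = $1; val = $2
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key == "vm.mmap_min_addr" || key == "vm/mmap_min_addr") last = val
        }
        END { if (last != "") print last }
    ' "$1"
}

# Return 0 only when the setting is present, numeric and >= MIN_REQUIRED.
mmap_min_addr_ok() {
    v=$(effective_mmap_min_addr "$1")
    case "$v" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$v" -ge "$MIN_REQUIRED" ]
}

# Constructed sample: a weak early value overridden by a later line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sysctl.conf fragment
vm.mmap_min_addr = 0
net.ipv4.ip_forward = 1
vm.mmap_min_addr=4096
EOF
if mmap_min_addr_ok "$sample"; then
    echo "config: mmap_min_addr >= $MIN_REQUIRED"
else
    echo "config: mmap_min_addr missing or below $MIN_REQUIRED"
fi
rm -f "$sample"

# The running kernel's value, when the kernel exposes the setting.
if [ -r /proc/sys/vm/mmap_min_addr ]; then
    echo "running kernel: $(cat /proc/sys/vm/mmap_min_addr)"
fi
```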
As usual, this version can be installed as an update from previous v1.4.x versions, or with ready-to-go ISO or USB bootable images for a fresh install.
AVM driver users also need to install ipcop-avmdrv-2.4.36-1.i386.tgz.gpg.
The date on the machine where the update is installed has to be correct.
If the date is in the past, the signature is considered to be in the future and the update will refuse to install.
You will see only the 'This is not an authorized update' warning message on the web interface.
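The clock failure described above can be checked before installing, as an added example that is not part of IPCop's update script. It assumes the update file is an OpenPGP signed file whose packets `gpg --list-packets` can print in the layout shown; the listing, key ID and timestamps are constructed.

```shell
#!/bin/sh
# Added example: find out whether the local clock is behind an update's signature.

# Constructed sample in the layout printed by `gpg --list-packets`
# (key ID and timestamps are made up for the demonstration).
constructed_listing() {
    cat <<'EOF'
:compressed packet: algo=1
:onepass_sig packet: keyid 0123456789ABCDEF
    version 3, sigclass 0x00, digest 2, pubkey 17, last=1
:literal data packet:
    mode b (62), created 1216700000, name="update.tgz",
    raw data: 123456 bytes
:signature packet: algo 17, keyid 0123456789ABCDEF
    version 3, created 1216700100, md5len 5, sigclass 0x00
EOF
}

# Print the newest signature creation time (epoch seconds) found on stdin.
# Only "created" fields inside a signature packet count; the literal data
# packet carries its own, unrelated timestamp.
sig_created_epoch() {
    awk '
        /^:signature packet:/ { in_sig = 1; next }
        /^:/                  { in_sig = 0 }
        in_sig && match($0, /created [0-9]+/) {
            s = substr($0, RSTART + 8, RLENGTH - 8)
            if (s + 0 > newest + 0) newest = s
        }
        END { if (newest != "") print newest }
    '
}

# clock_check SIG_EPOCH NOW_EPOCH: 0 = clock sane, 1 = clock behind, 2 = bad input
clock_check() {
    for n in "$1" "$2"; do
        case "$n" in ''|*[!0-9]*) echo "unparsable timestamp"; return 2 ;; esac
    done
    if [ "$2" -lt "$1" ]; then
        echo "clock is $(( $1 - $2 ))s behind the signature: set the date first"
        return 1
    fi
    echo "clock is not behind the signature"
}

# Real use: gpg --list-packets <update file> | sig_created_epoch
clock_check "$(constructed_listing | sig_created_epoch)" "$(date +%s)" || true
```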
Gilles
Changes summary
Upgrade openssh to 4.7p1
Include lzo binary, so it will match the openssl version if openssl is updated
Update dnsmasq to 2.45
Update tzdata to 2008d
Update pcre from 7.4 to 7.7
Update apache to 1.3.41
Upgrade e1000 to 7.6.15.5, which solves an issue with 7.6.12
Update bzip2 from 1.0.3 to 1.0.5 (CVE-2008-1372)
Upgrade e2fsprogs from 1.35 to 1.40.11
Update squid to 2.6.STABLE21
Compile r1000 with jumbo frame support
Upgrade bin package to 9.4.2-P1
sysctl.conf
- insert mmap_min_addr=4096 to protect against null pointer dereference on the new kernel
(does not hurt on kernels lower than 2.4.36)
rc.halt
- no need to source rc.flash.down
- save random seed on halt and use that value at start in rc.sysinit
rc.network
- no need to source rc.netaddress.up
rc.updatered
- use readhash to read dhcpcd info file
rc.sysinit
- include fcron -s 86400 for flash
snort
- modify snort.conf to protect against CVE-2008-1804
updfstab
- remove kudzu keyword from /etc/fstab so mount -t ext2 /dev/floppy /mnt/floppy works
log.dat
- Fix system log section on update
ddns.cgi
- fix for SF Bug 1728880 - comma in password
- changes for regfish, closes #1950435
time.cgi
- update default time servers to include IPCop's vendor name.
update.cgi
- Use cleanhtml to fully display gpg signature.
- The new kernel (with the same settings) is automatically selected during update.
- add a protection in the update script against installing a binary update package from another arch.
That would break all binaries
Various
- add a help message for dummies attempting to compile directly inside IPCop
- add a script to set grub default booting kernel
- modify detection for Opera 9.50
Compilation
- Automatically set vdso_enabled=0 when needed, to be able to compile our glibc-3.3 when the running kernel is later than 2.6.17
- uClibc: more recent mke2fs uses strtod and we need to activate UCLIBC_HAS_FLOATS for that
- Allow toolchain compilation when AS_NEEDED is present inside /usr/lib/libc.so (binutils patch).
- Enable previously available nic drivers happymeal sungem
- Add new nic drivers skge sky2 sc92031 atl1 atl2
- Patch for improved amd74xx support NForce IDE (MCP51, MCP61, MCP65, MCP67, MCP73, MCP77) AMD CS5536
- Patch for improved ahci support: sata Intel ICH7-M, ICH8, ICH8M, ICH9/ICH9R, ICH9M, ICH10, Tolapai, VIA MP67, MP73, MP79, MP7B, SiS 966, 968, Marvell 6145
- Fix file reload on md5 change
- Fix unzip CVE-2008-0888
- Add machine to the iso label and publisher
- Add German install pdf to iso
- Remove the no longer used CC=KGCC since we dropped gcc-2.95.3
- Fix a bug in lfs/bash that replaced the build machine's original /bin/sh when building the toolchain
This replaced Ubuntu's original link to dash; Ubuntu users can recreate the link to dash manually if needed.
- Force SHELL to bash during toolchain because some of our scripts need that
(brace expansion) on glibc, bzip2, and Ubuntu's default link for /bin/sh is dash
- Force SHELL=/bin/sh in lfs/gcc or it fails to build
- Add a comment that syslinux-3.70 and later can't be compiled because of our binutils,
but we can still use the precompiled version
- A ppc port has been introduced. It does compile but some work is still needed.
parted currently fails to partition the disk.
1.4.20 has been tested to compile (including toolchain compilation) on 32-bit
distributions (Debian etch, Ubuntu-8.04, CentOS-5.1/5.2, Fedora-9) without any changes.
On 64-bit distributions, you need to open a linux32 console and load the precompiled
toolchain obtained with ./make.sh gettoolchain
Installer
- no need to link the installer against libpci
- a link from /proc/mounts to /etc/mtab is needed for more recent e2fsprogs versions
- separate package for the disk partitioning utility to save space on network and SCSI floppies for added drivers
- badblock is available on install (but not yet used)
- Avoid the 'modules.conf is more recent...' message if you install now from an old version and update to 1.4.20
Posted by: Gesp on Tuesday, July 22, 2008 - 09:49 PM