Fixes: CVE-2020-15180

Default recommended EDNS buffer size must be 1232 bytes instead of 4096 bytes.

More details about it can be found here:
https://dnsflagday.net/2020/

This reverts commit 25e88c1f.

There is a file netdata.lighttpd and because of that, we need to restart
lighttpd to reflect those changes

(cherry picked from commit 05676d57)

In generic package there was missing /etc directory.

Michal Hrusecky authored 4 years ago and Karel Koci committed 4 years ago

Long press does factory reset as well as the default reset mode
triggered during boot.

If you want to run generate_dh.sh, it fails with permission denied.

root@turris:~# /usr/share/dhparam/generate_dh.sh
-ash: /usr/share/dhparam/generate_dh.sh: Permission denied

Michal Hrusecky authored 4 years ago and Karel Koci committed 4 years ago

Adding interface into correct firewall zone was broken, so fixing the
setup.

There is just one line of shell here to run other script. There is no
reason to to replace original process with fix script.

The reason is that with bump we trigger update of that package and rerun
of install script. The point of fix package is that updater controls
when it is installed and removed so when install and removal scripts are
executed.

This changes name for fix package that recovers corrupted contract
variable.
It primarilly removes nor-update from it. It can be replaced by just
installing nor-update package.
It is problematic to detect Turris Shield before this fix so it is
easier to install this packages on all moxes. It is also beneficial to
do so because of Omnias that are under contract. We do not want to force
nor-update on all routers so we can't do nor-update here.

Michal Hrusecky authored 4 years ago and Karel Koci committed 4 years ago

Also drop PKG_RELEASE back to 1. Fix packages are intended to be
installed and immediatelly removed so there is no reason to bump version
on release as package should not be installed in system to upgrade it.

In Turris OS 3.x there was UCI config and integration for sshd. Now
there is just standard config. Simple fix is to move original generated
one to appropriate location.

This move only happens if configuration of sshd in UCI is not the
default one. The second check is if target file exists and that is just
to make sure but it should always be there.

Thanks to David Hopfmueller for pointing this out.

The reason for append is to not overrule rules configured in Luci.

There can potentially be some drop rule as well and that was one of the
original reasons why insert was used instead of append but until such
case is discovered this should be enough.

This checks and reorders sentinel-firewall config on firewall start.
This is not ideal as this reorder is not applied in firewall run when
reorder happens and there seems to be no reliable way to request
firewall reload from firewall script itself (would cause firewall
nesting with unknown results).

We also does not have to reorder in uci-defaults as new config sections
are always appended so they are the last one, making that operation
useless code.

This removes any preserved rules from firewall. Firewall3 removes any
rules in chains and tables it manages but others ignores. This is
considered as feature (as some lists survive reload) but for our use
case it is not ideal as scripts just insert rules in appropriate
location. Instead removing all rules we previously added and were
preserved is better option in this case.

There is one exception and those are our rules that are terminations for
chains created by us. We are not removing those chains and so we do not
want to remove those  rules as well. We prevent that by using slightly
different comment. We do not add additional commentary and drop colon.
Because of missing colon this rule is not matched and is not removed.
For termination rule additional comment about source is not necessary so
we are not loosing anything.

Michal Hrusecky authored 4 years ago and Karel Koci committed 4 years ago

After some debuging found out that CONFIG_CC_OPTIMIZE_FOR_SIZE breaks
Omnia kernel and while at it added extra kernel options for LEDs.

There was invalid commit command in uci-default script. This changes it
to correct one.

This also adds prerm script to remove UCI section from config. It should
not stay in place when package is removed.

There are some issues with languages, which shouldnt be there.
It requires investigation, but we need to release 5.1.1 from HBT

This reverts commit beadc582.

Note:
This fixes switch form dnsmasq --dhcp-script to dhcp-script.sh
where del and old actions were renamed to remove and update

Co-authored-by: M. Reiser <AJB007@seznam.cz>
Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>

See https://gitlab.nic.cz/turris/schnapps/-/tags/v2.3

Fixes CVE-2020-13904

Fixes: turris/reforis/foris-js#17

This adds missing dependency on luci-app-commands. This package can't be
used without it and it even fails installation unless config file and
section from that package is pressent.

This also little bit refactors package to be cleaner.