https://github.com/vyos/build-iso/commit/180d2aab0156401f699025fa05451155389cf9ad
Aug 21 2017
Aug 20 2017
Will basically be a simple curl wrapper
Agree, @EwaldvanGeffen can you move it to 1.2.x please
It's a new feature, but we will still need to implement it for support service purposes in 1.1.x
@syncer I think we can remove this task from the 1.1.8 backlog, because this is a new feature.
Fixed in helium branch for 1.1.8: https://github.com/vyos/vyatta-quagga/commit/e18428d724ba20af4d9282a90900de8d96758610
Sorry. It's wrong. Linux kernel through 4.9.11 is affected. So 1.1.x is affected.
VyOS 1.1.x is not affected. See http://www.cvedetails.com/cve/CVE-2017-6074/
Thanks,
will move this to 1.2 project instead
CVE-2014-8104 is fixed by this commit: https://github.com/vyos/openvpn/commit/eb42da67b9a971a1cec94e3c65350d2e5dccf096
@syncer The version of openvpn in 1.1.7 is 2.1.3. 2.1.3 is not affected by these CVEs. See https://www.cvedetails.com/vulnerability-list/vendor_id-3278/product_id-5768/version_id-176319/Openvpn-Openvpn-2.1.3.html
Aug 19 2017
Good!
I installed squeeze, think @dmbaturin will add it to CI once it is ready
@syncer I guess we need Squeeze host for building packages. But if we use pbuilder, we can build packages on Jessie.
Example script is here: https://gist.github.com/higebu/139c786fab3c88113d54eef16b462655
Hey @higebu!
agree on CVE-2015-4171
Packages for testing:
Jenkins job is broken. https://ci.vyos.net/job/vyatta-strongswan/
I applied the patch for CVE-2015-8023 to helium branch. https://github.com/vyos/vyatta-strongswan/commit/1f431fed4988a5e7f20a3f8ab464fed85c5f7e1c
The CVSS score of CVE-2015-4171 is low, and it needs a valid certificate for attack. Can we ignore CVE-2015-4171?
1.1.7 has 4.5.2-1.1-bpo60+vyos1+helium4. We should apply 2 patches, CVE-2015-4171 and CVE-2015-8023 to vyatta-strongswan helium branch.
Aug 1 2017
Jul 30 2017
@mickvav can you assign it to me please
Jul 25 2017
please assign it to me @syncer
Jul 22 2017
https://secure.phabricator.com/conduit/method/paste.edit/
title
language
text
projects.add
subscribers.add
Jul 4 2017
Currently,
you need to add yourself to the subscribers, rest will be added by default policy
I think we can do that via the conduit API
https://secure.phabricator.com/book/phabricator/article/conduit_edit/
Could you create a Phabricator test paste with the correct permission settings as an example? Next step is to programmatically create the same and then integrate with VyOS.
Jul 3 2017
default policy for paste which limits visibility of paste to author and maintainers(+ support team)
basic idea is to let the user enter their credentials on the fly rather than store them in the config
This requires that VyOS has either some kind of token that allows him to post-as user or the user credentials for pastebin. Phabricator Bots could perhaps be leveraged.
Jul 2 2017
Jun 28 2017
Pull request - https://github.com/vyos/vyatta-quagga/pull/5
Has anybody tested these .debs?
Jun 17 2017
May 23 2017
Apr 30 2017
Apr 29 2017
Apr 27 2017
https://github.com/vyos/vyatta-cfg/commit/3b8b2e11f322994cfa82fc6b09ce6af4ed715dfa
used 10MB for size and 6 rotates, for embedded devices and space...
Feb 23 2017
Jan 11 2017
I guess instead of creating the file, I could have edited the ipsec logrotate to add:
Jan 10 2017
I checked a couple of routers and every router without IPSec configured has this error, but every router with IPSec configured had this file so no errors.
@EwaldvanGeffen - P15
Jan 9 2017
@Alexis , I've got my build environment up and running and created .deb's for this issue. Feel free to test.
Jan 7 2017
Can you provide the output of /etc/logrotate.conf via a pastebin
Dec 27 2016
Looks like copytruncate does not work as expected,
so my proposal will be to use the reload command instead
also, I added compress and delaycompress
I think it makes sense for systems where space is limited for any reason
/var/log/auth.log
{
    rotate 10
    size=100M
    delaycompress
    compress
    postrotate
        /etc/init.d/rsyslog reload >/dev/null 2>&1
    endscript
}
So, after investigating further, it seems that rotation is broken for auth.log
We had a conversation with @UnicronNL about this matter
and agreed that we need to define a logrotate conf for auth log similar to the one provided below
Dec 21 2016
Mentioning: http://pastebin.com/yZLVRfnA
Which is an example of how would WLB work with a custom script.
@EwaldvanGeffen apply this rule on what? a WLB?
the WLB from what I understood required an interface per gateway while PBR allows me to route the traffic towards any of the gateways which can be the next-hop ie 10.0.0.100/24 or 10.0.0.101/24.
This is what I remember from Vyatta and I haven't dug into the subject since I have a huge gap ahead as far as I can see.
@elico if you apply a 'source my-lan-clients, destination port-80, proto tcp' rule with gateway your proxy server + the custom testing-target script. If the proxy is up it will be routed towards it. If the target goes down, without any other policies the packet will fall onto PBR and then routing. Isn't that the behaviour you were looking for?
@EwaldvanGeffen WLB has a difference from PBR and what is required a PBR.
The code is not something I was looking for but an example of implementation in the configuration.
Then I will be able to look at the code and understand what might be applied to PBR compared to WLB.
Dec 20 2016
Wan-load-balance. Example is here: https://github.com/vyos/vyatta-wanloadbalance/blob/current/scripts/http_test.pl and implementation https://github.com/vyos/vyatta-wanloadbalance/blob/current/templates/load-balancing/wan/interface-health/node.tag/test/node.tag/type/node.def
@EwaldvanGeffen Can you help with giving an example of implementing this?
Like with a tiny ping that returns a status code?
(I do not know what WLB is...)
@elico it's pretty simple since WLB supports custom tests for gateway/targets. You can simply script it up to that.
@EwaldvanGeffen technically we can simplify it into a form of a script that monitors the service using http or another tcp\udp based and would flag the availability of the service.
The marking and forwarding rule can be automatically bypassed if the service is flagged as down.
Anyone interested working with me on this?
It's basically a simple conditional PBR.. and since WCCP is "OK" for tiny routers for beefy machines such VYOS have I believe that it would be a piece of cake to cook this up.
Dec 18 2016
Thanks for reporting!
@dmbaturin @EwaldvanGeffen @UnicronNL
Easy one?
Dec 16 2016
I'll start with 1.2 and backport from there if necessary.
Dec 14 2016
@dmbaturin should be no harm from including into 1.1.8 right?
Moving this to 1.1.8 milestone
@dmbaturin candidate for 1.1.8 inclusion
Dec 12 2016
I wrote this hook script
Any available options ignoring this code
Dec 11 2016
set system options beep-on-startup