Deleted
Deleted Member
Posts: 0
Post by Deleted on Dec 6, 2015 1:03:38 GMT
SmallWall is using dnsmasq version 2.66, which is a fairly old version. dnsmasq is at version 2.75 now. It appears version 2.66 could potentially contain 1-2 exploits. A very old version of PHP ( exploits) is being used as well. Should I be concerned about any potential exploits at this point using SmallWall?
Post by Lee Sharp on Dec 6, 2015 16:12:52 GMT
Yes, the versions are old. But there are some limiting factors... SmallWall does not have a shell, and many of those exploits require one. But to specifics...

dnsmasq - I believe CVE-2008-3214 was patched many years ago. CVE-2009-2957 and CVE-2009-2958 require components not in SmallWall. CVE-2012-3411 and CVE-2013-0198 use libvirt, which is not in SmallWall. The new one is probably still a risk, but it fails closed, so is still secure. If all you want to do is close a link, you can DoS it a number of ways, regardless of the software.

PHP - Yes. Just yes. Many of the older issues do not apply, or have been patched. Again, without shell access, and with a virtual file system, a lot of these attacks are of limited functionality. But updating PHP is something that needs to be done. But it is not a small amount of work. This is where I ask if you want to help...
Post by Lee Sharp on Dec 6, 2015 16:16:10 GMT
As a side note, this is a list of software I want to make sure stays current...
dnsmasq-2.66.tar.gz -> Current: dnsmasq-2.75
ez-ipupdate-3.0.11b8.tar.gz -> Current: ez-ipupdate-3.0.11b8-13.4.dsc
ip_fil4.1.34.tar.gz -> Current: ip_fil5.1.2.tar.gz (Fixed in 10)
modem-stats-1.0.1.src.elf.tar.gz (Unneeded?)
nsupdate -> dudders-1.04.tar.bz2 (Fixed in 10)
php-4.4.9.tar.bz2 -> Current: php55-5.5.28
radius-1.2.5.tgz -> Current: radius-1.2.7.tgz
mini_httpd-1.21 -> Current: mini_httpd-1.22
Fixed: net-snmp-5.7.3
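The list above is a hand-maintained inventory of bundled third-party components against their upstream versions. The following is an added example (not SmallWall's or m0n0wall's own tooling) of how a practitioner would automate that check: parse the distfile names as they appear in the build tree into (component, version) pairs, compare them against a table of known-current versions, and report which ones are behind. The sample inputs are constructed from the post above; the "current" versions are the ones named there, with the Debian revision suffix on ez-ipupdate dropped since the upstream version is 3.0.11b8. The version ordering rule (numeric fields compared as integers, a letter suffix such as "b8" ranking above the bare number) is an assumption that fits these names, not a general pre-release convention.

```python
import re

# Constructed sample input: distfiles as they appear in the SmallWall list above.
SHIPPED = [
    "dnsmasq-2.66.tar.gz",
    "ez-ipupdate-3.0.11b8.tar.gz",
    "ip_fil4.1.34.tar.gz",
    "php-4.4.9.tar.bz2",
    "radius-1.2.5.tgz",
    "mini_httpd-1.21",
]

# Constructed table of upstream versions named as current in the post.
# Assumption: ez-ipupdate's "-13.4.dsc" is a Debian packaging revision, so the
# upstream version compared here is 3.0.11b8.
CURRENT = {
    "dnsmasq": "2.75",
    "ez-ipupdate": "3.0.11b8",
    "ip_fil": "5.1.2",
    "php": "5.5.28",
    "radius": "1.2.7",
    "mini_httpd": "1.22",
}

ARCHIVE_SUFFIX = re.compile(r"\.(tar\.gz|tar\.bz2|tgz|zip)$")

# A component name is one or more letter-led words joined by '-' or '_'; the
# version starts at the first digit. The '-' before the version is optional
# because ip_fil4.1.34 glues the digits straight onto the name.
NAME_VERSION = re.compile(
    r"^(?P<name>[A-Za-z][A-Za-z0-9_]*(?:-[A-Za-z][A-Za-z0-9_]*)*)-?(?P<ver>\d[0-9A-Za-z.]*)$"
)


def parse_distfile(fname):
    """Split 'dnsmasq-2.66.tar.gz' into ('dnsmasq', '2.66')."""
    base = ARCHIVE_SUFFIX.sub("", fname)
    m = NAME_VERSION.match(base)
    if not m:
        raise ValueError(f"cannot parse distfile name: {fname!r}")
    return m.group("name"), m.group("ver")


def version_key(version):
    """Tokenise '3.0.11b8' -> ((1,3),(1,0),(1,11),(0,'b'),(1,8)).

    Numeric fields compare as integers so 4.1.34 < 5.1.2; a trailing letter
    suffix makes the key longer, so 3.0.11b8 ranks above 3.0.11 (assumption
    that suits these build names, not semver pre-release semantics).
    """
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((1, int(t)) if t.isdigit() else (0, t) for t in tokens)


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    ka, kb = version_key(a), version_key(b)
    return (ka > kb) - (ka < kb)


def audit(shipped, current):
    """Map component -> (shipped version, current version, status)."""
    report = {}
    for fname in shipped:
        name, ver = parse_distfile(fname)
        if name not in current:
            report[name] = (ver, None, "unknown")
            continue
        c = compare_versions(ver, current[name])
        status = "current" if c == 0 else ("behind" if c < 0 else "ahead")
        report[name] = (ver, current[name], status)
    return report


def behind(report):
    """Sorted names of components that lag their current upstream version."""
    return sorted(name for name, (_, _, status) in report.items() if status == "behind")


if __name__ == "__main__":
    result = audit(SHIPPED, CURRENT)
    for name in sorted(result):
        shipped_ver, current_ver, status = result[name]
        print(f"{name:12s} shipped {shipped_ver:10s} current {current_ver or '?':10s} {status}")
```

Running it against the constructed sample flags dnsmasq, ip_fil, mini_httpd, php and radius as behind and ez-ipupdate as current; a component missing from the table is reported as unknown rather than silently passed, which is the failure mode you want when a new distfile lands in the tree without anyone recording where its upstream lives.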
azdps
Junior Member
Posts: 20
Post by azdps on Dec 6, 2015 20:50:03 GMT
Lee, I was able to update dnsmasq to version 2.75 from version 2.66. unixwall is built using the FreeBSD 10.2 code base and updated ports, except obviously some of the local sources. The unixwall test branch code can fully build usable firmware. Can be found at unixwall. I've already updated IPFILTER, mini_httpd, and nsupdate to dudders. Radius and snmp don't apply to unixwall since I removed those from the code base. I attempted to update PHP but there are going to be 2 issues. The PHP binary will increase in size by about 2 MB or so, and the PHP code will need to be updated to work with the newer PHP. The size really doesn't matter to me, but the changes in the PHP code will be an issue.
Post by Lee Sharp on Dec 6, 2015 21:33:48 GMT
That is a clean patch on the dnsmasq build from m0n0wall, right? I wonder if it would build on the 8.4 codebase... 10.2 is the future, but I am being more conservative right now. I have a lot of business clients using SmallWall, from m0n0wall, and stability is key for them! Think I could bribe you into working on SmallWall?
azdps
Junior Member
Posts: 20
Post by azdps on Dec 7, 2015 5:06:15 GMT
The patch appears to have all the same intentions but with updated code and a few additions. For instance, config.h isn't patched, which the m0n0wall patch does. There are significant code changes, but while running dnsmasq 2.75 with the patches in place I see no difference. It appears to work as intended. This patch was incorporated from the ipfire firewall repository, which has the same intentions as m0n0wall related to dnsmasq.
I tested the build process on FreeBSD 8.4 and was able to build dnsmasq 2.75 with the patches in place without any issues.
I can help where I'm able to with SmallWall but my current focus is on my unixwall project.
You should really do a poll to see if anyone actually uses modem-stats. Wondering if that should just disappear at this point.
Also can you tell me a little more about your update to PHP5-5.5.28. Has it been updated or is that the version you would like to see PHP updated to?
Post by Lee Sharp on Dec 8, 2015 0:49:41 GMT
I do not think anyone is still using a modem to connect to the Internet these days. I was planning on removing it once I could trace all of its fingerprints. As for the dnsmasq, if you can send me a zip of the new files that compiled successfully, I can test them in SmallWall. Attribution to you, of course.
azdps
Junior Member
Posts: 20
Post by azdps on Dec 8, 2015 3:47:29 GMT
I can't really take credit for the patch since it was originally created by the ipfire firewall developers as a git-type patch. I just used diff to create another one based off theirs. I'm attaching the patch, which should work just fine with dnsmasq version 2.75. Also, I was curious about the different options that dnsmasq had, so I asked about it on the dnsmasq mailing list and got some good responses. You can see that thread at: dnsmasq mailing list
Attachments: dnsmasq.patch (9.72 KB)
Post by Lee Sharp on Dec 8, 2015 20:15:17 GMT
Thanks! I will test it as soon as I can. I have a backlog of imports...
andy
New Member
Amazing developer of the *walls...
Posts: 8
Post by andy on Dec 20, 2015 23:54:46 GMT
Quoting Lee Sharp: "I do not think anyone is still using a modem to connect to the Internet these days. I was planning on removing it once I could trace all of its fingerprints."

modem-stats is not used by *wall; it's there for diagnostics and can be safely removed. When you think modems, think 3G modems; that's what modem support was added for, 3G USB sticks.
andy
New Member
Amazing developer of the *walls...
Posts: 8
Post by andy on Dec 20, 2015 23:57:21 GMT
Quoting azdps: "I've already updated IPFILTER, mini_httpd, nsupdate to dudders. Radius and snmp don't apply to unixwall since I removed those from the code base. I attempted to update PHP but there's going to be 2 issues. The PHP binary will increase in size by about 2 MB or so and the PHP code will need to be updated to work with the newer PHP. The size really doesn't matter to me but the changes in the PHP code will be an issue."

The size increase was the main reason not to move from PHP 4. The features in PHP 5+ don't really do anything for *wall. There are some nice functions in PHP 5 that would be nice, but they have never justified the increase in size. Also note that lots of PHP bugs and security updates in PHP versions are listed as <php5.x, but that doesn't mean they exist in PHP 4, just in earlier versions of 5.x...
azdps
Junior Member
Posts: 20
Post by azdps on Dec 21, 2015 7:10:55 GMT
Since modem-stats is deprecated at this point, can the rest of the code you (andy) implemented back in 2012 be pruned out as well? v4.freshbsd.org/commit/m0n0wall/m0n0wall/515

On a side note, I was able to update to php55 with minimal code changes in the PHP-related files. And yes, the binary size increases by approximately 2 MB, which is a significant increase from PHP 4. The size increase doesn't take into account the necessary extensions needed as well.
andy
New Member
Amazing developer of the *walls...
Posts: 8
|
Post by andy on Dec 24, 2015 11:50:15 GMT
Yes, if you don't want to support 3G (or any type of) modems, then yes.
Post by jrronimo on Dec 31, 2015 18:08:43 GMT
What's the big problem with PHP? Is it changes in functions? I have one very tiny PHP page where I had to update a bunch of functions going from one version of PHP to another version. If it's something like that, I might be able to take a crack at it.
Although PHP is up to v 7.0.1 now, which boasts lots of speed improvements, if those are of any interest...
Post by Lee Sharp on Dec 31, 2015 23:44:23 GMT
A lot of shorthand changes with each version, and *wall is ALL PHP... But also, it gets bigger each time as well, and that is a real problem when you are trying to fit into 16 MB of flash!