chore: disable irc in conntrack

Talos users probably have no reason to use irc. Disable IRC in conntrack to prevent issues like [NAT slipstreaming](https://dgl.cx/2022/08/nat-again-irc-cve-2022-2663) Signed-off-by: Noel Georgi <[email protected]>
siderolabs · Sep 5, 2022 · eee5c8a · eee5c8a
1 parent 70e6c46
commit eee5c8a
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 10 deletions.
diff --git a/Pkgfile b/Pkgfile
@@ -81,10 +81,10 @@ vars:
   libjson_c_sha256: b8d80a1ddb718b3ba7492916237bbf86609e9709fb007e7f7d4322f02341a4c6
   libjson_c_sha512: dc01298bcc78f0f31a34f5fcfe45c0feebfd88518e97fb4f96f1a652f71ccdd303415a4c7bf5b573bdcbcca80428281f0dfccefc6545ea3a7f18dbb819332f34
 
-  # renovate: datasource=git-tags depName=https://git.tukaani.org/xz.git
-  xz_version: v5.2.4
-  xz_sha256: 9717ae363760dedf573dad241420c5fea86256b65bc21d2cf71b2b12f0544f4b
-  xz_sha512: 00db7dd31a61541b1ce6946e0f21106f418dd1ac3f27cdb8682979cbc3bd777cd6dd1f04f9ba257a0a7e24041e15ca40d0dd5c130380dce62280af67a0beb97f
+  # renovate: datasource=git-tags extractVersion=^v(?<version>.*)$ depName=https://git.tukaani.org/xz.git
+  xz_version: 5.2.5
+  xz_sha256: 3e1e518ffc912f86608a8cb35e4bd41ad1aec210df2a47aaa1f95e7f5576ef56
+  xz_sha512: 59266068a51cb616eb31b67cd8f07ffeb2288d1391c61665ae2ec6814465afac80fec69248f6a2f2db45b44475af001296a99af6a32287226a9c41419173ccbb
 
   # renovate: datasource=github-releases extractVersion=^popt-(?<version>.*)-release$ versioning=loose depName=rpm-software-management/popt
   libpopt_version: 1.18

diff --git a/kernel/build/config-amd64 b/kernel/build/config-amd64
@@ -1117,7 +1117,7 @@ CONFIG_NF_CT_PROTO_GRE=y
 # CONFIG_NF_CONNTRACK_AMANDA is not set
 CONFIG_NF_CONNTRACK_FTP=y
 # CONFIG_NF_CONNTRACK_H323 is not set
-CONFIG_NF_CONNTRACK_IRC=y
+# CONFIG_NF_CONNTRACK_IRC is not set
 CONFIG_NF_CONNTRACK_BROADCAST=y
 CONFIG_NF_CONNTRACK_NETBIOS_NS=y
 CONFIG_NF_CONNTRACK_SNMP=y
@@ -1130,7 +1130,6 @@ CONFIG_NF_CT_NETLINK=y
 CONFIG_NETFILTER_NETLINK_GLUE_CT=y
 CONFIG_NF_NAT=y
 CONFIG_NF_NAT_FTP=y
-CONFIG_NF_NAT_IRC=y
 CONFIG_NF_NAT_SIP=y
 CONFIG_NF_NAT_TFTP=y
 CONFIG_NF_NAT_REDIRECT=y

diff --git a/kernel/build/config-arm64 b/kernel/build/config-arm64
@@ -1172,7 +1172,7 @@ CONFIG_NF_CT_PROTO_GRE=y
 # CONFIG_NF_CONNTRACK_AMANDA is not set
 CONFIG_NF_CONNTRACK_FTP=y
 # CONFIG_NF_CONNTRACK_H323 is not set
-CONFIG_NF_CONNTRACK_IRC=y
+# CONFIG_NF_CONNTRACK_IRC is not set
 CONFIG_NF_CONNTRACK_BROADCAST=y
 CONFIG_NF_CONNTRACK_NETBIOS_NS=y
 CONFIG_NF_CONNTRACK_SNMP=y
@@ -1185,7 +1185,6 @@ CONFIG_NF_CT_NETLINK=y
 CONFIG_NETFILTER_NETLINK_GLUE_CT=y
 CONFIG_NF_NAT=y
 CONFIG_NF_NAT_FTP=y
-CONFIG_NF_NAT_IRC=y
 CONFIG_NF_NAT_SIP=y
 CONFIG_NF_NAT_TFTP=y
 CONFIG_NF_NAT_REDIRECT=y

diff --git a/liblzma/pkg.yaml b/liblzma/pkg.yaml
@@ -5,13 +5,14 @@ dependencies:
   - stage: base
 steps:
   - sources:
-      - url: https://github.com/xz-mirror/xz/archive/refs/tags/{{ .xz_version }}.tar.gz
+      # redirect url of https://tukaani.org/xz/xz-{{ .xz_version }}.tar.xz
+      - url: https://onboardcloud.dl.sourceforge.net/project/lzmautils/xz-{{ .xz_version }}.tar.xz
         destination: xz.tar.xz
         sha256: "{{ .xz_sha256 }}"
         sha512: "{{ .xz_sha512 }}"
     prepare:
       - |
-        tar -xJf xz.tar.xz --strip-components=1
+        tar -xf xz.tar.xz --strip-components=1
 
         ./configure \
           --prefix=/usr \