Re: URGENT - Re: IPFire 2.27 - Core Update 175 released

[Michael Tremer <michael.tremer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 3071 bytes --]

Hello Adolf,

> On 12 Jun 2023, at 13:43, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
> 
> Hi Michael,
> 
> I am afraid somehow I made an error with the last patch I provided. I was sure I transferred the ovpnmain.cgi file from my virtual testbed system and created the patch for bug#13137 from that.
> 
> However after upgrading the virtual machines I am finding that the legacy bits are not being applied to legacy certs but to openssl-3.x certs.
> 
> It looks like I submitted the subroutine iscertlegacy from ovpnmain.cgi with the return values the wrong way round.
> 
> 
> The sub routine was issued like
> 
> sub iscertlegacy
> {
>         my $file=$_[0];
>         my @certinfo = &General::system_output("/usr/bin/openssl", "pkcs12", "-info", "-nodes",
>         "-in", "$file.p12", "-noout", "-passin", "pass:''");
>         if (index ($certinfo[0], "MAC: sha1") != -1) {
>                 return 0;
>         }
>         return 1;
> }
> 
> but it should have been
> 
> sub iscertlegacy
> {
>         my $file=$_[0];
>         my @certinfo = &General::system_output("/usr/bin/openssl", "pkcs12", "-info", "-nodes",
>         "-in", "$file.p12", "-noout", "-passin", "pass:''");
>         if (index ($certinfo[0], "MAC: sha1") != -1) {
>                 return 1;
>         }
>         return 0;
> }
> 
> I don't know how I managed to do that error but I did.

No reason to panic. The good thing is that everything will continue working unless people edit their connections.

I have taken your change and committed it:

  https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=0ebb271d1ec8b68f73dbd396b0f3a0aa4a50a501

> How can we deal with that now?

I will start a build and as soon as that is done, I will replace the updater.

Then there is the problem with the installation images. Replacing those is painful and therefore I am not going to do it. The chaos wouldn’t be worth it. Because generally creating connections on a new system and importing it to any other that is properly patched (or a new one that isn’t patched) should be working fine.

That only leaves us with a very small amount of people being affected by this in real terms. For those we will have to ship this change again with the next update and then everything is cool.

So, no need to panic. Bugs happen. We had a review process and didn’t catch it. That’s why we have updates :)

-Michael

> 
> Sorry,
> Adolf.
> 
> 
> On 12/06/2023 12:45, IPFire Project wrote:
>> IPFire Logo
>> there is a new post from Michael Tremer on the IPFire Blog:
>> *IPFire 2.27 - Core Update 175 released*
>>    Finally, the next update, IPFire 2.27 - Core Update 175, has been released! It updates OpenSSL to the 3.1 branch, features a kernel update as well as a large number of package updates and a variety of bug fixes.
>> Click Here To Read More <https://blog.ipfire.org/post/ipfire-2-27-core-update-175-released>
>> The IPFire Project
>> Don't like these emails? Unsubscribe <https://people.ipfire.org/unsubscribe>.