From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: URGENT - Re: IPFire 2.27 - Core Update 175 released
Date: Wed, 14 Jun 2023 17:55:44 +0100
In-Reply-To: <69077BB2-BE26-4FE1-A861-F244C9128427@ipfire.org>

Hello Jon,

Well, technically yes. We could simply create an “add-on” which makes the required change and then disappears after it has been installed once.

However, that would probably be a lot of hassle for only very few users actually installing it. So I won’t go down this route.

So far we didn’t have any complaints which means that we caught the problem quick enough for most people not noticing a thing.

Best,
-Michael

> On 12 Jun 2023, at 15:46, jon wrote:
>
>
> For a quick update, is it possible to create a "quick_update" add-on script?
>
> User installs the pakfire "quick_update" add-on and the install.sh does a quick patch. It only executes the code in the install.sh if the patch is needed.
>
>
> Jon Murphy
> jon.murphy(a)ipfire.org
>
>
>
>> On Jun 12, 2023, at 9:01 AM, Michael Tremer wrote:
>>
>> Hello Adolf,
>>
>>> On 12 Jun 2023, at 13:43, Adolf Belka wrote:
>>>
>>> Hi Michael,
>>>
>>> I am afraid somehow I made an error with the last patch I provided. I was sure I transferred the ovpnmain.cgi file from my virtual testbed system and created the patch for bug#13137 from that.
>>>
>>> However after upgrading the virtual machines I am finding that the legacy bits are not being applied to legacy certs but to openssl-3.x certs.
>>>
>>> It looks like I submitted the subroutine iscertlegacy from ovpnmain.cgi with the return values the wrong way round.
>>>
>>>
>>> The sub routine was issued like
>>>
>>> sub iscertlegacy
>>> {
>>>     my $file=$_[0];
>>>     my @certinfo = &General::system_output("/usr/bin/openssl", "pkcs12", "-info", "-nodes",
>>>         "-in", "$file.p12", "-noout", "-passin", "pass:''");
>>>     if (index ($certinfo[0], "MAC: sha1") != -1) {
>>>         return 0;
>>>     }
>>>     return 1;
>>> }
>>>
>>> but it should have been
>>>
>>> sub iscertlegacy
>>> {
>>>     my $file=$_[0];
>>>     my @certinfo = &General::system_output("/usr/bin/openssl", "pkcs12", "-info", "-nodes",
>>>         "-in", "$file.p12", "-noout", "-passin", "pass:''");
>>>     if (index ($certinfo[0], "MAC: sha1") != -1) {
>>>         return 1;
>>>     }
>>>     return 0;
>>> }
>>>
>>> I don't know how I managed to do that error but I did.
>>
>> No reason to panic. The good thing is that everything will continue working unless people edit their connections.
>>
>> I have taken your change and committed it:
>>
>> https://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=0ebb271d1ec8b68f73dbd396b0f3a0aa4a50a501
>>
>>> How can we deal with that now?
>>
>> I will start a build and as soon as that is done, I will replace the updater.
>>
>> Then there is the problem with the installation images. Replacing those is painful and therefore I am not going to do it. The chaos wouldn’t be worth it. Because generally creating connections on a new system and importing it to any other that is properly patched (or a new one that isn’t patched) should be working fine.
>>
>> That only leaves us with a very small amount of people being affected by this in real terms. For those we will have to ship this change again with the next update and then everything is cool.
>>
>> So, no need to panic. Bugs happen. We had a review process and didn’t catch it. That’s why we have updates :)
>>
>> -Michael
>>
>>>
>>> Sorry,
>>> Adolf.
>>>
>>>
>>> On 12/06/2023 12:45, IPFire Project wrote:
>>>> there is a new post from Michael Tremer on the IPFire Blog:
>>>> *IPFire 2.27 - Core Update 175 released*
>>>> Finally, the next update, IPFire 2.27 - Core Update 175, has been released! It updates OpenSSL to the 3.1 branch, features a kernel update as well as a large number of package updates and a variety of bug fixes.
>>>> The IPFire Project
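
Added example, not part of the thread and not IPFire's code: the corrected "MAC: sha1" test from the quoted iscertlegacy, applied to already-captured `openssl pkcs12 -info` output lines so that both return values are checked without calling openssl. The helper name `is_legacy_output`, the sample output lines and the choice to return undef when there is no output are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not in ovpnmain.cgi): classify the output lines of
# "openssl pkcs12 -info -noout" without running openssl.
# Returns 1 for a legacy container (SHA1 MAC), 0 for a non-legacy one, and
# undef when there is nothing to judge (for example openssl printed nothing).
sub is_legacy_output {
    my @certinfo = @_;
    return unless @certinfo && defined $certinfo[0];
    # Same test as the corrected iscertlegacy: "MAC: sha1" in the first line.
    return index($certinfo[0], "MAC: sha1") != -1 ? 1 : 0;
}

# Constructed sample output, modelled on the first line the check reads.
my @legacy = ("MAC: sha1, Iteration 2048\n",   "MAC length: 20, salt length: 8\n");
my @modern = ("MAC: sha256, Iteration 2048\n", "MAC length: 32, salt length: 8\n");

# One case per outcome, so an inverted return value fails the run.
my @cases = (
    [ "legacy container",      1,     \@legacy ],
    [ "OpenSSL 3.x container", 0,     \@modern ],
    [ "no output",             undef, []       ],
);

my $failed = 0;
for my $case (@cases) {
    my ($name, $want, $lines) = @$case;
    my $got = is_legacy_output(@$lines);
    my $ok  = defined $want ? (defined $got && $got == $want) : !defined $got;
    printf "%-24s %s\n", $name, $ok ? "ok" : "FAILED";
    $failed++ unless $ok;
}
exit($failed ? 1 : 0);
```

Swapping the 1 and 0 in `is_legacy_output`, as in the first version quoted above, makes the first two cases fail and the script exit non-zero.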