Hello,
On 15 Jan 2022, at 09:15, Peter Müller peter.mueller@ipfire.org wrote:
At the time of writing, Fireinfo reports more 51.67% of all installations reporting back to us are running at least two Core Updates older than the latest one.
While I doubt we can expect our userbase to patch their systems within 24 hours (which is the recommended timespan given for critical infrastructures by multiple CERTs), if they the last Core Update was installed more than 90 days ago, we can safely consider the system in question being outdated and insecure.
Therefore, this patch displays a warning on index.cgi, in addition to the "an update is available" message - in the hope to nudge people to keep their IPFire machines up to date.
I am not sure whether it is a good idea to have this in addition. I would prefer a highlighted message if someone is more than one update behind. There should be a difference between:
Hey, we just wanted to let you know that a new update is available.
And:
Dude, you really need to make sure your system is up to date.
I understand that 90 days sounds long, but considering that we take up to 60 days between releases, this only leaves you with 30 days. Is that really what you are going for here?
-Michael
Signed-off-by: Peter Müller peter.mueller@ipfire.org
html/cgi-bin/index.cgi | 10 +++++++++- langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/html/cgi-bin/index.cgi b/html/cgi-bin/index.cgi index 2b7ccdb0f..fbd656988 100644 --- a/html/cgi-bin/index.cgi +++ b/html/cgi-bin/index.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2014 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2022 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -541,6 +541,14 @@ if ( ! -e "/var/ipfire/main/send_profile") { $warnmessage .= "<li><a style='color: white;' href='fireinfo.cgi'>$Lang::tr{'fireinfo please enable'}</a></li>"; }
+# Running on likely outdated Core Update (last update was more than 90 days ago) +my ($dev, $ino, $mode, $nlink, $uid, $gid, $rdev, $size, $atime, $mtime, $ctime, $blksize, $blocks) = stat "/opt/pakfire/db/core/mine"; +my $core_update_age = time() - $mtime;
+if ( "$core_update_age" > "7776000" ) {
- $warnmessage .= "<li>$Lang::tr{'outdated installation warning'}</li>";
+}
# EOL architecture my ($sysname, $nodename, $release, $version, $machine) = &POSIX::uname(); if ($machine =~ m/^i.86$/) { diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index c81b28fea..2ae0f948c 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1878,6 +1878,7 @@ 'otherport' => 'Anderer Port', 'our donors' => 'Unsere Unterstützer', 'out' => 'Aus', +'outdated installation warning' => 'Diese IPFire-Installation ist veraltet, was ein Sicherheitsrisiko darstellt. Bitte aktualisieren Sie das System schnellstmöglich.', 'outgoing' => 'ausgehend', 'outgoing compression in bytes per second' => 'Abgehende Kompression', 'outgoing firewall' => 'Ausgehende Firewall', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 2f7038fb1..8d1eb3e2d 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1914,6 +1914,7 @@ 'otherport' => 'other Port', 'our donors' => 'Our donors', 'out' => 'Out', +'outdated installation warning' => 'This IPFire installation is outdated, which is a security risk. Please check for and install updates as soon as possible.', 'outgoing' => 'outgoing', 'outgoing compression in bytes per second' => 'Outgoing compression', 'outgoing firewall' => 'Outgoing Firewall', -- 2.31.1