public inbox for ipfire-scm@lists.ipfire.org
From: Michael Tremer <git@ipfire.org>
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, master, updated. f0acc9e4a3a446307684dfe9ee9031313407546a
Date: Tue, 29 Apr 2025 15:23:06 +0000 (UTC)
Message-ID: <4Zn3wp5f5lz2xbZ@people01.haj.ipfire.org>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, master has been updated
       via  f0acc9e4a3a446307684dfe9ee9031313407546a (commit)
       via  5f0a9eb10ee55181179dbb54985c9559e5390ba9 (commit)
       via  cc6e5188fa3f8ffaeb52f644e411195a7cfa12b8 (commit)
       via  73a2afbcf5b923c4b56637227d5621f7800d4d62 (commit)
      from  f9f02b4c244fea3025245348678bb08bbfbd48a8 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit f0acc9e4a3a446307684dfe9ee9031313407546a
Author: Adolf Belka <adolf.belka@ipfire.org>
Date:   Tue Apr 29 16:42:19 2025 +0200

    backup.pl: Fix restores for ipsec backups before regen was fixed
    
    - Prior to the ipsec host cert regen fix, the backup did not include the serial or the
       index.txt files.
    - After the ipsec regen patch set, if a backup from before the change is restored then
       the serial and index.attr could end up not matching. This would break the ipsec regen
       again.
    - All backups before the change will have hostcerts with serial numbers of 1.
    - This patch extracts the serial number from the restored hostcert.pem. If the serial
       number is 1 and if the existing serial number file does not contain 02, then the
       serial file contents are replaced by 02 and the index.txt contents are deleted.
    - If the restored hostcert.pem serial number is greater than 1 then the backup will
       contain the serial and index.txt files.
    - If the restored hostcert.pem serial number is 1 and the serial file contains 02 then
       the ipsec regen will work correctly.
    
    Fixes: bug13737
    Tested-by: Adolf Belka <adolf.belka@ipfire.org>
    Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit 5f0a9eb10ee55181179dbb54985c9559e5390ba9
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Tue Apr 29 15:22:37 2025 +0000

    core194: Fix missing whitespace and quote filenames
    
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

commit cc6e5188fa3f8ffaeb52f644e411195a7cfa12b8
Author: Adolf Belka <adolf.belka@ipfire.org>
Date:   Tue Apr 29 12:10:49 2025 +0200

    update.sh: Core 194 - increment ipsec serial file if x509 set exists
    
    - This is related to the fix patch set for bug13737. That patch set works with no problems
       if the root/host x509 set is created for the first time with that patch set merged.
       However if the x509 is already created previously then the contents of serial will
       still be 01 instead of 02.
    - This patch checks if the hostcert.pm file exists and that the index.txt file is empty,
       and then increments the serial content from 01 to 02. This means that when the x509
       is regenerated the system will not complain that 01 cannot be used as it has already
       been revoked but will use 02 for the new host and everything works fine after that.
    
    Fixes: bug13737
    Tested-by: Adolf Belka <adolf.belka@ipfire.org>
    Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
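The two decisions described in the backup.pl and update.sh commit messages above, written as an added example with each check in its own function (this is not IPFire's code; the paths /var/ipfire/certs/{hostcert.pem,serial,index.txt} are taken from the commits, and reading the serial through `openssl x509 -noout -serial` rather than the `-text` dump is this example's choice):

```shell
# Added example, not IPFire's backup.pl or update.sh.
# Layout assumed from the commit messages: /var/ipfire/certs/{hostcert.pem,serial,index.txt}.

# Host certificate serial as a decimal integer. `openssl x509 -noout -serial` prints a
# single "serial=<HEX>" line, which does not depend on the line layout of `-text`.
# The line is passed in as an argument so the parser can be tested offline.
cert_serial_decimal() {
    hex=${1#serial=}
    [ -n "$hex" ] && [ "$hex" != "$1" ] || return 1   # not an openssl -serial line
    echo $((0x$hex))
}

# The CA serial file holds a hex counter ("01", "02", ...). Empty or missing -> 0.
serial_file_decimal() {
    v=$(printf '%s' "$1" | tr -d '[:space:]')
    [ -n "$v" ] || { echo 0; return 0; }
    echo $((0x$v))
}

# Restore case (backup.pl): a pre-fix backup carries a host cert with serial 1 and no
# serial/index.txt, so the CA must be moved to 02 with an emptied index.
restore_needs_repair() {       # $1 = cert serial (dec), $2 = serial file (dec)
    [ "$1" -eq 1 ] && [ "$2" -ne 2 ]
}

# Upgrade case (update.sh): an existing x509 set whose serial file still says 01 and
# whose index.txt is empty must be bumped to 02 before the host cert is regenerated.
update_needs_bump() {          # $1 = serial file (dec), $2 = byte size of index.txt
    [ "$1" -eq 1 ] && [ "$2" -eq 0 ]
}

# Writes the repaired state into a certificate directory (not used by the offline checks).
repair_ca_state() {
    dir=${1:-/var/ipfire/certs}
    printf '02\n' > "$dir/serial"
    : > "$dir/index.txt"
}

# Glue for the restore path: skip silently when no host certificate was restored.
check_restored_hostcert() {
    dir=${1:-/var/ipfire/certs}
    [ -s "$dir/hostcert.pem" ] || return 0
    cert=$(cert_serial_decimal "$(openssl x509 -in "$dir/hostcert.pem" -noout -serial)") || return 1
    cur=$(serial_file_decimal "$(cat "$dir/serial" 2>/dev/null)")
    if restore_needs_repair "$cert" "$cur"; then repair_ca_state "$dir"; fi
}
```

The update.sh side would call `update_needs_bump "$(serial_file_decimal "$(cat /var/ipfire/certs/serial)")" "$(wc -c < /var/ipfire/certs/index.txt)"` and then `repair_ca_state` when it returns true.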

commit 73a2afbcf5b923c4b56637227d5621f7800d4d62
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Tue Apr 29 14:56:48 2025 +0000

    dnsdist: Update to 1.9.9
    
    We released PowerDNS DNSdist 1.9.9 today, an emergency release fixing a security issue tracked as CVE-2025-30194 where a remote, unauthenticated attacker can cause a denial of service via a crafted DNS over HTTPS connection. The issue was reported to us via our public GitHub tracker, so once it was clear that the issue had a security impact we prepared to release a new version as soon as possible.
    
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/backup/backup.pl             | 12 ++++++++++++
 config/rootfiles/core/194/update.sh |  5 +++++
 lfs/dnsdist                         |  6 +++---
 3 files changed, 20 insertions(+), 3 deletions(-)

Difference in files:
diff --git a/config/backup/backup.pl b/config/backup/backup.pl
index 0cfbd4fc3..301faa3df 100644
--- a/config/backup/backup.pl
+++ b/config/backup/backup.pl
@@ -307,6 +307,18 @@ restore_backup() {
 	# start collectd after restore
 	/etc/rc.d/init.d/collectd start
 
+	# Check if ipsec hosctcert.pem serial number is 1 and if the serial file does not contain 02
+	# In this case set the serial file to 02 and empty the index.txt file
+	ARR=()
+	while IFS= read -r line; do
+		ARR+=("$line")
+	done <<< "$(openssl x509 -in /var/ipfire/certs/hostcert.pem -noout -text)"
+       if [ $(echo ${ARR[3]} | sed -E 's,^[^0-9]*([0-9]+).*$,\1,') = 1 ] && \
+			[ $(expr $(cat "/var/ipfire/certs/serial") + 0) != 2 ]; then
+		sed -i "s/.*/02/" /var/ipfire/certs/serial
+		sed -i 'd' /var/ipfire/certs/index.txt
+	fi
+
         # Restart ipsec if enabled
         # This will ensure that the restored certs and secrets etc are loaded and used
         if [ $(grep -c "ENABLED=on" /var/ipfire/vpn/settings) -eq 1  ] ; then
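Review bot: The serial is read as `${ARR[3]}` of the `openssl x509 -text` dump, which ties the check to the exact line layout of that output; `openssl x509 -in /var/ipfire/certs/hostcert.pem -noout -serial` prints one `serial=01` line and is the stable interface for this. The block also has no existence guard: a restored backup without hostcert.pem makes `openssl` fail, leaving `[ $(...) = 1 ]` with an empty, unquoted left operand (a test syntax error rather than a clean skip), so suggest `[ -s /var/ipfire/certs/hostcert.pem ] || ...` before it and quoting both `$(...)` operands. Minor: `hosctcert.pem` in the comment, and the `if` line is indented with spaces where the surrounding file uses tabs.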
diff --git a/config/rootfiles/core/194/update.sh b/config/rootfiles/core/194/update.sh
index e1e9dde9b..b758c7bf6 100644
--- a/config/rootfiles/core/194/update.sh
+++ b/config/rootfiles/core/194/update.sh
@@ -103,6 +103,11 @@ ldconfig
 # Filesytem cleanup
 /usr/local/bin/filesystem-cleanup
 
+# Increment ipsec serial file if x509 certificates present and no content in index.txt
+if [ -e "/var/ipfire/certs/hostcert.pm" ] && [ -z "/var/ipfire/certs/index.txt" ]; then
+    sed -i "s/01/02/" /var/ipfire/certs/serial
+fi
+
 # Start services
 /etc/init.d/ipsec restart
 /etc/init.d/suricata restart
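Review bot: As written this block never fires, for two independent reasons. `hostcert.pm` should be `hostcert.pem`, so the `-e` test is always false; and `[ -z "/var/ipfire/certs/index.txt" ]` tests whether the path string is empty (it never is), not whether the file is, which needs `[ ! -s /var/ipfire/certs/index.txt ]`. The effect is that installs with a pre-existing x509 set keep `01` in `serial` and hit exactly the bug13737 regen failure the commit sets out to fix. Also anchor the substitution, `sed -i 's/^01$/02/' /var/ipfire/certs/serial`, so it cannot touch a longer serial that happens to contain `01`.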
diff --git a/lfs/dnsdist b/lfs/dnsdist
index 656f62135..6ce6359fa 100644
--- a/lfs/dnsdist
+++ b/lfs/dnsdist
@@ -26,7 +26,7 @@ include Config
 
 SUMMARY    = A highly DNS-, DoS- and abuse-aware loadbalancer
 
-VER        = 1.9.8
+VER        = 1.9.9
 
 THISAPP    = dnsdist-$(VER)
 DL_FILE    = $(THISAPP).tar.bz2
@@ -34,7 +34,7 @@ DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = dnsdist
-PAK_VER    = 26
+PAK_VER    = 27
 
 DEPS       =
 
@@ -50,7 +50,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 854344eb6b82f98001171830715fe5cf564628405b4c79c07b43fccdbca0a4c9da7e527a748bc2972261a32ed9c51582eac2e6fdbef5c25bd71b161318a62155
+$(DL_FILE)_BLAKE2 = 54517c396d8b5b546e9bcc5890f6df0cfa8470b65d9c7dcece0c7d503fff3fc0d4e2898a7bda8e16f9935279849128293967b38865345fa4c963705b9c9b8cad
 
 install : $(TARGET)
 


hooks/post-receive
--
IPFire 2.x development tree

