To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, master, updated. f0acc9e4a3a446307684dfe9ee9031313407546a
X-Git-Refname: refs/heads/master
X-Git-Reftype: branch
X-Git-Oldrev: f9f02b4c244fea3025245348678bb08bbfbd48a8
X-Git-Newrev: f0acc9e4a3a446307684dfe9ee9031313407546a
Message-Id: <4Zn3wp5f5lz2xbZ@people01.haj.ipfire.org>
Date: Tue, 29 Apr 2025 15:23:06 +0000 (UTC)
From: Michael Tremer
Precedence: list

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, master has been updated
       via  f0acc9e4a3a446307684dfe9ee9031313407546a (commit)
       via  5f0a9eb10ee55181179dbb54985c9559e5390ba9 (commit)
       via  cc6e5188fa3f8ffaeb52f644e411195a7cfa12b8 (commit)
       via  73a2afbcf5b923c4b56637227d5621f7800d4d62 (commit)
      from  f9f02b4c244fea3025245348678bb08bbfbd48a8 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit f0acc9e4a3a446307684dfe9ee9031313407546a
Author: Adolf Belka
Date:   Tue Apr 29 16:42:19 2025 +0200

    backup.pl: Fix restores for ipsec backups before regen was fixed

    - Prior to the ipsec host cert regen fix, the backup did not include the
      serial or the index.txt files.
    - After the ipsec regen patch set, if a backup from before the change is
      restored then the serial and index.attr could end up not matching. This
      would break the ipsec regen again.
    - All backups before the change will have hostcerts with serial numbers
      of 1.
    - This patch extracts the serial number from the restored hostcert.pem.
      If the serial number is 1 and if the existing serial number file does
      not contain 02, then the serial file contents are replaced by 02 and
      the index.txt contents are deleted.
    - If the restored hostcert.pem serial number is greater than 1 then the
      backup will contain the serial and index.txt files.
    - If the restored hostcert.pem serial number is 1 and the serial file
      contains 02 then the ipsec regen will work correctly.

    Fixes: bug13737
    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 5f0a9eb10ee55181179dbb54985c9559e5390ba9
Author: Michael Tremer
Date:   Tue Apr 29 15:22:37 2025 +0000

    core194: Fix missing whitespace and quote filenames

    Signed-off-by: Michael Tremer

commit cc6e5188fa3f8ffaeb52f644e411195a7cfa12b8
Author: Adolf Belka
Date:   Tue Apr 29 12:10:49 2025 +0200

    update.sh: Core 194 - increment ipsec serial file if x509 set exists

    - This is related to the fix patch set for bug13737. That patch set works
      with no problems if the root/host x509 set is created for the first
      time with that patch set merged. However if the x509 is already created
      previously then the contents of serial will still be 01 instead of 02.
    - This patch checks if the hostcert.pm file exists and that the index.txt
      file is empty, and then increments the serial content from 01 to 02.
      This means that when the x509 is regenerated the system will not
      complain that 01 cannot be used as it has already been revoked but will
      use 02 for the new host and everything works fine after that.

    Fixes: bug13737
    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 73a2afbcf5b923c4b56637227d5621f7800d4d62
Author: Michael Tremer
Date:   Tue Apr 29 14:56:48 2025 +0000

    dnsdist: Update to 1.9.9

    We released PowerDNS DNSdist 1.9.9 today, an emergency release fixing
    a security issue tracked as CVE-2025-30194 where a remote,
    unauthenticated attacker can cause a denial of service via a crafted
    DNS over HTTPS connection.

    The issue was reported to us via our public GitHub tracker, so once it
    was clear that the issue had a security impact we prepared to release
    a new version as soon as possible.

    Signed-off-by: Michael Tremer

-----------------------------------------------------------------------

Summary of changes:
 config/backup/backup.pl             | 12 ++++++++++++
 config/rootfiles/core/194/update.sh |  5 +++++
 lfs/dnsdist                         |  6 +++---
 3 files changed, 20 insertions(+), 3 deletions(-)

Difference in files:
diff --git a/config/backup/backup.pl b/config/backup/backup.pl index 0cfbd4fc3..301faa3df 100644 --- a/config/backup/backup.pl +++ b/config/backup/backup.pl @@ -307,6 +307,18 @@ restore_backup() { # start collectd after restore /etc/rc.d/init.d/collectd start + # Check if ipsec hosctcert.pem serial number is 1 and if the serial file does not contain 02 + # In this case set the serial file to 02 and empty the index.txt file + ARR=() + while IFS= read -r line; do + ARR+=("$line") + done <<< "$(openssl x509 -in /var/ipfire/certs/hostcert.pem -noout -text)" + if [ $(echo ${ARR[3]} | sed -E 's,^[^0-9]*([0-9]+).*$,\1,') = 1 ] && \ + [ $(expr $(cat "/var/ipfire/certs/serial") + 0) != 2 ]; then + sed -i "s/.*/02/" /var/ipfire/certs/serial + sed -i 'd' /var/ipfire/certs/index.txt + fi + # Restart ipsec if enabled # This will ensure that the restored certs and secrets etc are loaded and used if [ $(grep -c "ENABLED=on" /var/ipfire/vpn/settings) -eq 1 ] ; then diff --git a/config/rootfiles/core/194/update.sh b/config/rootfiles/core/194/update.sh index e1e9dde9b..b758c7bf6 100644 --- a/config/rootfiles/core/194/update.sh +++ b/config/rootfiles/core/194/update.sh @@ -103,6 +103,11 @@ ldconfig # Filesytem cleanup /usr/local/bin/filesystem-cleanup +# Increment ipsec serial file if x509 certificates present and no content in index.txt +if [ -e "/var/ipfire/certs/hostcert.pm" ] && [ -z "/var/ipfire/certs/index.txt" ]; then + sed -i "s/01/02/" /var/ipfire/certs/serial +fi + # Start services /etc/init.d/ipsec restart /etc/init.d/suricata restart diff --git a/lfs/dnsdist b/lfs/dnsdist index 656f62135..6ce6359fa 100644 --- a/lfs/dnsdist +++ b/lfs/dnsdist @@ -26,7 +26,7 @@ include Config SUMMARY = A highly DNS-, DoS- and abuse-aware loadbalancer -VER = 1.9.8 +VER = 1.9.9 THISAPP = dnsdist-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = dnsdist -PAK_VER = 26 +PAK_VER = 27 DEPS = 
@@ -50,7 +50,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 854344eb6b82f98001171830715fe5cf564628405b4c79c07b43fccdbca0a4c9da7e527a748bc2972261a32ed9c51582eac2e6fdbef5c25bd71b161318a62155 +$(DL_FILE)_BLAKE2 = 54517c396d8b5b546e9bcc5890f6df0cfa8470b65d9c7dcece0c7d503fff3fc0d4e2898a7bda8e16f9935279849128293967b38865345fa4c963705b9c9b8cad install : $(TARGET) hooks/post-receive -- IPFire 2.x development tree
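Review bot: in the config/backup/backup.pl hunk (restore_backup, after the collectd start) the serial detection depends on `openssl x509 -text` placing "Serial Number:" on exactly the fourth output line, so `${ARR[3]}` holds unrelated text for any certificate whose serial is printed in multi-line hex form, and when /var/ipfire/certs/hostcert.pem is absent (a restore on a box that never set up IPsec) the unquoted `[ $(echo ${ARR[3]} | sed ...) = 1 ]` expands to a malformed test and only fails with an error on stderr. Guard the block with an existence check and read the serial directly, e.g. `[ -e /var/ipfire/certs/hostcert.pem ] || return` followed by `serial="$(openssl x509 -in /var/ipfire/certs/hostcert.pem -noout -serial)"` (prints `serial=01`), then compare `"${serial#serial=}"` as a quoted string instead of parsing positional lines. Likewise `$(expr $(cat "/var/ipfire/certs/serial") + 0)` aborts the test with an unquoted empty expansion if the serial file is missing; `[ ! -s ... ]` or a default value covers that case. The comment also misspells `hostcert.pem` as `hosctcert.pem`.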
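Review bot: the config/rootfiles/core/194/update.sh hunk is a no-op as written: `[ -e "/var/ipfire/certs/hostcert.pm" ]` checks a file name that does not exist on the system (the host certificate is `/var/ipfire/certs/hostcert.pem`, as the backup.pl hunk in this same push uses), and `[ -z "/var/ipfire/certs/index.txt" ]` tests whether the literal path string is empty, which is never true, rather than whether the file has no content, so the serial increment the commit message describes never runs. Change the condition to `if [ -e "/var/ipfire/certs/hostcert.pem" ] && [ ! -s "/var/ipfire/certs/index.txt" ]; then`. Separately, `sed -i "s/01/02/"` replaces the first `01` substring anywhere in the file (a serial of `1001` would become `1002`); anchoring it as `s/^01$/02/` restricts the rewrite to the case the commit message targets.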