* [git.ipfire.org] IPFire 2.x development tree branch, master, updated. f0acc9e4a3a446307684dfe9ee9031313407546a
@ 2025-04-29 15:23 Michael Tremer
From: Michael Tremer @ 2025-04-29 15:23 UTC (permalink / raw)
To: ipfire-scm
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, master has been updated
via f0acc9e4a3a446307684dfe9ee9031313407546a (commit)
via 5f0a9eb10ee55181179dbb54985c9559e5390ba9 (commit)
via cc6e5188fa3f8ffaeb52f644e411195a7cfa12b8 (commit)
via 73a2afbcf5b923c4b56637227d5621f7800d4d62 (commit)
from f9f02b4c244fea3025245348678bb08bbfbd48a8 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit f0acc9e4a3a446307684dfe9ee9031313407546a
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Tue Apr 29 16:42:19 2025 +0200
backup.pl: Fix restores for ipsec backups before regen was fixed
- Prior to the ipsec host cert regen fix, the backup did not include the serial or the
index.txt files.
- After the ipsec regen patch set, if a backup from before the change is restored then
the serial and index.attr could end up not matching. This would break the ipsec regen
again.
- All backups before the change will have hostcerts with serial numbers of 1.
- This patch extracts the serial number from the restored hostcert.pem. If the serial
number is 1 and if the existing serial number file does not contain 02, then the
serial file contents are replaced by 02 and the index.txt contents are deleted.
- If the restored hostcert.pem serial number is greater than 1 then the backup will
contain the serial and index.txt files.
- If the restored hostcert.pem serial number is 1 and the serial file contains 02 then
the ipsec regen will work correctly.
Fixes: bug13737
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 5f0a9eb10ee55181179dbb54985c9559e5390ba9
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Apr 29 15:22:37 2025 +0000
core194: Fix missing whitespace and quote filenames
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit cc6e5188fa3f8ffaeb52f644e411195a7cfa12b8
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Tue Apr 29 12:10:49 2025 +0200
update.sh: Core 194 - increment ipsec serial file if x509 set exists
- This is related to the fix patch set for bug13737. That patch set works with no problems
if the root/host x509 set is created for the first time with that patch set merged.
However if the x509 is already created previously then the contents of serial will
still be 01 instead of 02.
- This patch checks if the hostcert.pm file exists and that the index.txt file is empty,
and then increments the serial content from 01 to 02. This means that when the x509
is regenerated the system will not complain that 01 cannot be used as it has already
been revoked but will use 02 for the new host and everything works fine after that.
Fixes: bug13737
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 73a2afbcf5b923c4b56637227d5621f7800d4d62
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Tue Apr 29 14:56:48 2025 +0000
dnsdist: Update to 1.9.9
We released PowerDNS DNSdist 1.9.9 today, an emergency release fixing a security issue tracked as CVE-2025-30194 where a remote, unauthenticated attacker can cause a denial of service via a crafted DNS over HTTPS connection. The issue was reported to us via our public GitHub tracker, so once it was clear that the issue had a security impact we prepared to release a new version as soon as possible.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/backup/backup.pl | 12 ++++++++++++
config/rootfiles/core/194/update.sh | 5 +++++
lfs/dnsdist | 6 +++---
3 files changed, 20 insertions(+), 3 deletions(-)
Difference in files:
diff --git a/config/backup/backup.pl b/config/backup/backup.pl
index 0cfbd4fc3..301faa3df 100644
--- a/config/backup/backup.pl
+++ b/config/backup/backup.pl
@@ -307,6 +307,18 @@ restore_backup() {
# start collectd after restore
/etc/rc.d/init.d/collectd start
+ # Check if ipsec hosctcert.pem serial number is 1 and if the serial file does not contain 02
+ # In this case set the serial file to 02 and empty the index.txt file
+ ARR=()
+ while IFS= read -r line; do
+ ARR+=("$line")
+ done <<< "$(openssl x509 -in /var/ipfire/certs/hostcert.pem -noout -text)"
+ if [ $(echo ${ARR[3]} | sed -E 's,^[^0-9]*([0-9]+).*$,\1,') = 1 ] && \
+ [ $(expr $(cat "/var/ipfire/certs/serial") + 0) != 2 ]; then
+ sed -i "s/.*/02/" /var/ipfire/certs/serial
+ sed -i 'd' /var/ipfire/certs/index.txt
+ fi
+
# Restart ipsec if enabled
# This will ensure that the restored certs and secrets etc are loaded and used
if [ $(grep -c "ENABLED=on" /var/ipfire/vpn/settings) -eq 1 ] ; then
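Review bot: the serial is read from a fixed line index of the `openssl x509 -text` dump (`${ARR[3]}`), which is fragile: it depends on the "Serial Number:" line staying at position 3 of the text layout, and for larger serials OpenSSL prints the hex value on the following line, so the `sed` can pick up a different number. `openssl x509 -in /var/ipfire/certs/hostcert.pem -noout -serial` returns `serial=01` directly and is the safer source. The block also runs unconditionally after every restore: if the restored backup carries no `hostcert.pem`, `openssl` fails, `${ARR[3]}` is empty, and the unquoted `[ $(...) = 1 ]` test aborts with a "unary operator expected" error in the restore log; wrap the whole check in `if [ -f /var/ipfire/certs/hostcert.pem ]` and quote the command substitutions. Minor: the comment on the first added line misspells the file as `hosctcert.pem`.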
diff --git a/config/rootfiles/core/194/update.sh b/config/rootfiles/core/194/update.sh
index e1e9dde9b..b758c7bf6 100644
--- a/config/rootfiles/core/194/update.sh
+++ b/config/rootfiles/core/194/update.sh
@@ -103,6 +103,11 @@ ldconfig
# Filesytem cleanup
/usr/local/bin/filesystem-cleanup
+# Increment ipsec serial file if x509 certificates present and no content in index.txt
+if [ -e "/var/ipfire/certs/hostcert.pm" ] && [ -z "/var/ipfire/certs/index.txt" ]; then
+ sed -i "s/01/02/" /var/ipfire/certs/serial
+fi
+
# Start services
/etc/init.d/ipsec restart
/etc/init.d/suricata restart
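Review bot: neither condition of the new `if` can ever be true, so the serial is never incremented. `-e "/var/ipfire/certs/hostcert.pm"` tests a misspelled file name (the certificate is `/var/ipfire/certs/hostcert.pem`, as the backup.pl hunk in this same push uses), and `[ -z "/var/ipfire/certs/index.txt" ]` asks whether the literal path string is empty rather than whether the file has no content, which is always false. The intended check is `[ -e /var/ipfire/certs/hostcert.pem ] && [ ! -s /var/ipfire/certs/index.txt ]`. Separately, `sed -i "s/01/02/"` rewrites the first `01` found anywhere in the file; anchor it as `s/^01$/02/` so only a serial that is exactly `01` is changed.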
diff --git a/lfs/dnsdist b/lfs/dnsdist
index 656f62135..6ce6359fa 100644
--- a/lfs/dnsdist
+++ b/lfs/dnsdist
@@ -26,7 +26,7 @@ include Config
SUMMARY = A highly DNS-, DoS- and abuse-aware loadbalancer
-VER = 1.9.8
+VER = 1.9.9
THISAPP = dnsdist-$(VER)
DL_FILE = $(THISAPP).tar.bz2
@@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = dnsdist
-PAK_VER = 26
+PAK_VER = 27
DEPS =
@@ -50,7 +50,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 854344eb6b82f98001171830715fe5cf564628405b4c79c07b43fccdbca0a4c9da7e527a748bc2972261a32ed9c51582eac2e6fdbef5c25bd71b161318a62155
+$(DL_FILE)_BLAKE2 = 54517c396d8b5b546e9bcc5890f6df0cfa8470b65d9c7dcece0c7d503fff3fc0d4e2898a7bda8e16f9935279849128293967b38865345fa4c963705b9c9b8cad
install : $(TARGET)
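Review bot: the replaced `$(DL_FILE)_BLAKE2` value cannot be verified from the diff itself. Since this update is pulled in as an emergency fix for CVE-2025-30194, please state in the commit message that the checksum was computed from a dnsdist 1.9.9 tarball verified against PowerDNS's published signature before it was mirrored to `$(URL_IPFIRE)`, so the hash pins a known-good artifact rather than whatever was first downloaded.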
hooks/post-receive
--
IPFire 2.x development tree