This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree". The branch, next has been updated via dadbaef0ae1e669e617cb0abfb08f81c91be2aa3 (commit) via e5bbca89e6a79c428fd81ae916960d5402a286e2 (commit) via 1f95c7ea8c7f615e0d808fac72fbb4622ec23a7f (commit) from 3e945cb3f0644f9dae356b0cbe0ddf9e532497b1 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit dadbaef0ae1e669e617cb0abfb08f81c91be2aa3 Author: Arne Fitzenreiter Date: Tue Jul 22 08:16:54 2025 +0200 core197: add kernel to updater Signed-off-by: Arne Fitzenreiter commit e5bbca89e6a79c428fd81ae916960d5402a286e2 Author: Arne Fitzenreiter Date: Tue Jul 22 08:04:09 2025 +0200 vulnarabilities: add transient sheduler attacks Signed-off-by: Arne Fitzenreiter commit 1f95c7ea8c7f615e0d808fac72fbb4622ec23a7f Author: Arne Fitzenreiter Date: Tue Jul 22 08:03:22 2025 +0200 kernel: update to 6.12.39 
Signed-off-by: Arne Fitzenreiter ----------------------------------------------------------------------- Summary of changes: config/kernel/kernel.config.aarch64-ipfire | 10 ++- config/kernel/kernel.config.riscv64-ipfire | 2 +- config/kernel/kernel.config.x86_64-ipfire | 11 +++- config/rootfiles/common/aarch64/linux | 4 ++ config/rootfiles/common/x86_64/linux | 7 +- .../124 => core/197}/filelists/aarch64/linux | 0 .../181 => core/197}/filelists/riscv64/linux | 0 .../100 => core/197}/filelists/x86_64/linux | 0 config/rootfiles/core/197/update.sh | 74 +++++++++++++++++++++- html/cgi-bin/vulnerabilities.cgi | 3 +- langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + lfs/linux | 4 +- 13 files changed, 106 insertions(+), 11 deletions(-) copy config/rootfiles/{oldcore/124 => core/197}/filelists/aarch64/linux (100%) copy config/rootfiles/{oldcore/181 => core/197}/filelists/riscv64/linux (100%) copy config/rootfiles/{oldcore/100 => core/197}/filelists/x86_64/linux (100%) Difference in files: diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index 9bdebe571..304ae9243 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/arm64 6.12.34 Kernel Configuration +# Linux/arm64 6.12.39 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 15.1.0" CONFIG_CC_IS_GCC=y @@ -8181,7 +8181,13 @@ CONFIG_FUSE_FS=m CONFIG_CUSE=m # CONFIG_VIRTIO_FS is not set CONFIG_FUSE_PASSTHROUGH=y -# CONFIG_OVERLAY_FS is not set +CONFIG_OVERLAY_FS=y +# CONFIG_OVERLAY_FS_REDIRECT_DIR is not set +CONFIG_OVERLAY_FS_REDIRECT_ALWAYS_FOLLOW=y +# CONFIG_OVERLAY_FS_INDEX is not set +# CONFIG_OVERLAY_FS_XINO_AUTO is not set +# CONFIG_OVERLAY_FS_METACOPY is not set +# CONFIG_OVERLAY_FS_DEBUG is not set # # Caches 
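Review bot: The aarch64 hunk at -8181 turns `# CONFIG_OVERLAY_FS is not set` into `CONFIG_OVERLAY_FS=y`, and the riscv64 and x86_64 configs do the same, but the commit title only says "kernel: update to 6.12.39", so a feature enablement is hidden inside a version bump. Building overlayfs into a firewall kernel adds a mountable filesystem to the attack surface on every install, so the commit message should say which component needs it. If nothing needs it before the root filesystem is mounted, `CONFIG_OVERLAY_FS=m` would keep it out of the running kernel until it is loaded. The riscv64 hunk shows only `CONFIG_OVERLAY_FS=y` with none of the six `CONFIG_OVERLAY_FS_*` lines recorded for the other two architectures, which suggests that config was edited by hand rather than regenerated; confirm this.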
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index 02d441620..f7335a339 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -6881,7 +6881,7 @@ CONFIG_FUSE_FS=m CONFIG_CUSE=m # CONFIG_VIRTIO_FS is not set CONFIG_FUSE_PASSTHROUGH=y -# CONFIG_OVERLAY_FS is not set +CONFIG_OVERLAY_FS=y # # Caches diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index cedc58ebd..b7b2dc432 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -1,6 +1,6 @@ # # Automatically generated file; DO NOT EDIT. -# Linux/x86 6.12.34 Kernel Configuration +# Linux/x86 6.12.39 Kernel Configuration # CONFIG_CC_VERSION_TEXT="gcc (GCC) 15.1.0" CONFIG_CC_IS_GCC=y @@ -542,6 +542,7 @@ CONFIG_MITIGATION_SPECTRE_V2=y CONFIG_MITIGATION_SRBDS=y CONFIG_MITIGATION_SSB=y CONFIG_MITIGATION_ITS=y +CONFIG_MITIGATION_TSA=y CONFIG_ARCH_HAS_ADD_PAGES=y # @@ -7277,7 +7278,13 @@ CONFIG_FUSE_FS=m CONFIG_CUSE=m # CONFIG_VIRTIO_FS is not set CONFIG_FUSE_PASSTHROUGH=y -# CONFIG_OVERLAY_FS is not set +CONFIG_OVERLAY_FS=y +# CONFIG_OVERLAY_FS_REDIRECT_DIR is not set +CONFIG_OVERLAY_FS_REDIRECT_ALWAYS_FOLLOW=y +# CONFIG_OVERLAY_FS_INDEX is not set +# CONFIG_OVERLAY_FS_XINO_AUTO is not set +# CONFIG_OVERLAY_FS_METACOPY is not set +# CONFIG_OVERLAY_FS_DEBUG is not set # # Caches diff --git a/config/rootfiles/common/aarch64/linux b/config/rootfiles/common/aarch64/linux index c2b85c31a..9b848d211 100644 --- a/config/rootfiles/common/aarch64/linux +++ b/config/rootfiles/common/aarch64/linux 
@@ -10708,6 +10708,8 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER/build/include/config/OID_REGISTRY #lib/modules/KVER/build/include/config/OLD_SIGSUSPEND3 #lib/modules/KVER/build/include/config/OPEN_ALLIANCE_HELPERS +#lib/modules/KVER/build/include/config/OVERLAY_FS +#lib/modules/KVER/build/include/config/OVERLAY_FS_REDIRECT_ALWAYS_FOLLOW #lib/modules/KVER/build/include/config/P54_COMMON #lib/modules/KVER/build/include/config/P54_LEDS #lib/modules/KVER/build/include/config/P54_PCI @@ -19634,6 +19636,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER/build/scripts/gdb/linux/interrupts.py #lib/modules/KVER/build/scripts/gdb/linux/kasan.py #lib/modules/KVER/build/scripts/gdb/linux/lists.py +#lib/modules/KVER/build/scripts/gdb/linux/mapletree.py #lib/modules/KVER/build/scripts/gdb/linux/mm.py #lib/modules/KVER/build/scripts/gdb/linux/modules.py #lib/modules/KVER/build/scripts/gdb/linux/page_owner.py @@ -19649,6 +19652,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER/build/scripts/gdb/linux/utils.py #lib/modules/KVER/build/scripts/gdb/linux/vfs.py #lib/modules/KVER/build/scripts/gdb/linux/vmalloc.py +#lib/modules/KVER/build/scripts/gdb/linux/xarray.py #lib/modules/KVER/build/scripts/gdb/vmlinux-gdb.py #lib/modules/KVER/build/scripts/gen-randstruct-seed.sh #lib/modules/KVER/build/scripts/generate_builtin_ranges.awk diff --git a/config/rootfiles/common/x86_64/linux b/config/rootfiles/common/x86_64/linux index a33704270..c58d0a4bb 100644 --- a/config/rootfiles/common/x86_64/linux +++ b/config/rootfiles/common/x86_64/linux @@ -8710,7 +8710,6 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER/build/include/config/HID_TIVO #lib/modules/KVER/build/include/config/HID_TOPSEED #lib/modules/KVER/build/include/config/HID_TWINHAN -#lib/modules/KVER/build/include/config/HID_UNIVERSAL_PIDFF #lib/modules/KVER/build/include/config/HID_ZYDACRON #lib/modules/KVER/build/include/config/HIGH_RES_TIMERS #lib/modules/KVER/build/include/config/HINIC 
@@ -9491,6 +9490,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER/build/include/config/MITIGATION_SRSO #lib/modules/KVER/build/include/config/MITIGATION_SSB #lib/modules/KVER/build/include/config/MITIGATION_TAA +#lib/modules/KVER/build/include/config/MITIGATION_TSA #lib/modules/KVER/build/include/config/MITIGATION_UNRET_ENTRY #lib/modules/KVER/build/include/config/MLX4_CORE #lib/modules/KVER/build/include/config/MLX4_CORE_GEN2 @@ -10203,6 +10203,8 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER/build/include/config/OID_REGISTRY #lib/modules/KVER/build/include/config/OPEN_ALLIANCE_HELPERS #lib/modules/KVER/build/include/config/OUTPUT_FORMAT +#lib/modules/KVER/build/include/config/OVERLAY_FS +#lib/modules/KVER/build/include/config/OVERLAY_FS_REDIRECT_ALWAYS_FOLLOW #lib/modules/KVER/build/include/config/P2SB #lib/modules/KVER/build/include/config/P54_COMMON #lib/modules/KVER/build/include/config/P54_LEDS @@ -19365,6 +19367,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER/build/scripts/gdb/linux/interrupts.py #lib/modules/KVER/build/scripts/gdb/linux/kasan.py #lib/modules/KVER/build/scripts/gdb/linux/lists.py +#lib/modules/KVER/build/scripts/gdb/linux/mapletree.py #lib/modules/KVER/build/scripts/gdb/linux/mm.py #lib/modules/KVER/build/scripts/gdb/linux/modules.py #lib/modules/KVER/build/scripts/gdb/linux/page_owner.py @@ -19380,6 +19383,7 @@ etc/modprobe.d/ipv6.conf #lib/modules/KVER/build/scripts/gdb/linux/utils.py #lib/modules/KVER/build/scripts/gdb/linux/vfs.py #lib/modules/KVER/build/scripts/gdb/linux/vmalloc.py +#lib/modules/KVER/build/scripts/gdb/linux/xarray.py #lib/modules/KVER/build/scripts/gdb/vmlinux-gdb.py #lib/modules/KVER/build/scripts/gen-randstruct-seed.sh #lib/modules/KVER/build/scripts/generate_builtin_ranges.awk 
@@ -21245,7 +21249,6 @@ lib/modules/KVER/kernel #lib/modules/KVER/kernel/drivers/hid/hid-tivo.ko.xz #lib/modules/KVER/kernel/drivers/hid/hid-topseed.ko.xz #lib/modules/KVER/kernel/drivers/hid/hid-twinhan.ko.xz -#lib/modules/KVER/kernel/drivers/hid/hid-universal-pidff.ko.xz #lib/modules/KVER/kernel/drivers/hid/hid-zydacron.ko.xz #lib/modules/KVER/kernel/drivers/hid/i2c-hid #lib/modules/KVER/kernel/drivers/hid/i2c-hid/i2c-hid-acpi.ko.xz diff --git a/config/rootfiles/core/197/filelists/aarch64/linux b/config/rootfiles/core/197/filelists/aarch64/linux new file mode 120000 index 000000000..3a2532bc7 --- /dev/null +++ b/config/rootfiles/core/197/filelists/aarch64/linux @@ -0,0 +1 @@ +../../../../common/aarch64/linux \ No newline at end of file diff --git a/config/rootfiles/core/197/filelists/riscv64/linux b/config/rootfiles/core/197/filelists/riscv64/linux new file mode 120000 index 000000000..c8e8350ca --- /dev/null +++ b/config/rootfiles/core/197/filelists/riscv64/linux @@ -0,0 +1 @@ +../../../../common/riscv64/linux \ No newline at end of file diff --git a/config/rootfiles/core/197/filelists/x86_64/linux b/config/rootfiles/core/197/filelists/x86_64/linux new file mode 120000 index 000000000..0615b5b9a --- /dev/null +++ b/config/rootfiles/core/197/filelists/x86_64/linux @@ -0,0 +1 @@ +../../../../common/x86_64/linux \ No newline at end of file diff --git a/config/rootfiles/core/197/update.sh b/config/rootfiles/core/197/update.sh index 2cb5e98cc..805369b38 100644 --- a/config/rootfiles/core/197/update.sh +++ b/config/rootfiles/core/197/update.sh 
@@ -26,6 +26,18 @@
 core=197
+exit_with_error() {
+ # Set last succesfull installed core.
+ echo $(($core-1)) > /opt/pakfire/db/core/mine
+ # force fsck at next boot, this may fix free space on xfs
+ touch /forcefsck
+ # don't start pakfire again at error
+ killall -KILL pak_update
+ /usr/bin/logger -p syslog.emerg -t ipfire \
+ "core-update-${core}: $1"
+ exit $2
+}
+
 # Remove old core updates from pakfire cache to save space...
 for (( i=1; i<=$core; i++ )); do
 rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
@@ -35,6 +47,46 @@ done
 /usr/local/bin/openvpnctrl -k
 /usr/local/bin/openvpnctrl -kn2n
+KVER="xxxKVERxxx"
+
+# Backup uEnv.txt if exist
+if [ -e /boot/uEnv.txt ]; then
+ cp -vf /boot/uEnv.txt /boot/uEnv.txt.org
+fi
+
+# Do some sanity checks prior to the kernel update
+case $(uname -r) in
+ *-ipfire*)
+ # Ok.
+ ;;
+ *)
+ exit_with_error "ERROR cannot update. No IPFire Kernel." 1
+ ;;
+esac
+
+# Check diskspace on root and size of boot
+ROOTSPACE=$( df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1 )
+if [ $ROOTSPACE -lt 200000 ]; then
+ exit_with_error "ERROR cannot update because not enough free space on root." 2
+fi
+BOOTSIZE=$( df /boot -Pk | sed "s| * | |g" | cut -d" " -f2 | tail -n 1 )
+if [ $BOOTSIZE -lt 100000 ]; then
+ exit_with_error "ERROR cannot update. BOOT partition is to small." 3
+fi
+
+# Remove the old kernel
+rm -rvf \
+ /boot/System.map-* \
+ /boot/config-* \
+ /boot/ipfirerd-* \
+ /boot/initramfs-* \
+ /boot/vmlinuz-* \
+ /boot/uImage-* \
+ /boot/zImage-* \
+ /boot/uInit-* \
+ /boot/dtb-* \
+ /lib/modules
+
 # Remove files
 rm -vf \
 /etc/rc.d/init.d/networking/red.down/10-ovpn \
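Review bot: In the new `exit_with_error` (update.sh hunk at -26), `exit $2` is unquoted and has no default, so a call that omits the code would exit with the status of the preceding `logger` call, normally 0, and a failed update would be reported as successful. All three calls visible in this diff pass a code, but `exit "${2:-1}"` keeps the failure path safe for later callers. The function also lacks a header comment; `# exit_with_error MESSAGE CODE: record core-1 as installed, force fsck, stop pak_update, log MESSAGE at emerg, exit CODE` would document the contract.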
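Review bot: The free-space guards in the update.sh hunk at -35 fail open: if `df` fails or its output does not parse, `$ROOTSPACE` or `$BOOTSIZE` expands to nothing, `[ $ROOTSPACE -lt 200000 ]` becomes a test error that evaluates false, and the script continues to `rm -rvf ... /lib/modules`. These checks are the last gate before the old kernel and its modules are deleted, so an unreadable value should abort the update rather than skip the guard. Quoting with a zero default does that for the empty case: `if [ "${ROOTSPACE:-0}" -lt 200000 ]; then` and `if [ "${BOOTSIZE:-0}" -lt 100000 ]; then`. A non-numeric value would still slip through, so a `case` match on `*[!0-9]*` before the comparison is worth adding. The step that unpacks the new kernel is outside this hunk, so the ordering of removal and extraction cannot be confirmed from here.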
@@ -107,8 +159,28 @@ fi
 # Reload Apache2
 /etc/init.d/apache reload
+# Build initial ramdisks
+dracut --regenerate-all --force
+KVER="xxxKVERxxx"
+case "$(uname -m)" in
+ aarch64)
+ mkimage -A arm64 -T ramdisk -C lzma -d /boot/initramfs-${KVER}.img /boot/uInit-${KVER}
+ # dont remove initramfs because grub need this to boot.
+ ;;
+esac
+
+# Upadate Kernel version in uEnv.txt
+if [ -e /boot/uEnv.txt ]; then
+ sed -i -e "s/KVER=.*/KVER=${KVER}/g" /boot/uEnv.txt
+fi
+
+# Call user update script (needed for some ARM boards)
+if [ -e /boot/pakfire-kernel-update ]; then
+ /boot/pakfire-kernel-update ${KVER}
+fi
+
 # This update needs a reboot...
-#touch /var/run/need_reboot
+touch /var/run/need_reboot
 # Finish
 /etc/init.d/fireinfo start
diff --git a/html/cgi-bin/vulnerabilities.cgi b/html/cgi-bin/vulnerabilities.cgi
index cab38d8de..d307881b1 100644
--- a/html/cgi-bin/vulnerabilities.cgi
+++ b/html/cgi-bin/vulnerabilities.cgi
@@ -2,7 +2,7 @@
 ###############################################################################
 # #
 # IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2023 IPFire Team #
+# Copyright (C) 2007-2025 IPFire Team #
 # #
 # This program is free software: you can redistribute it and/or modify #
 # it under the terms of the GNU General Public License as published by #
@@ -44,6 +44,7 @@ my %VULNERABILITIES = (
 "spectre_v1" => "$Lang::tr{'spectre variant 1'} (CVE-2017-5753)",
 "spectre_v2" => "$Lang::tr{'spectre variant 2'} (CVE-2017-5715)",
 "srbds" => "$Lang::tr{'srbds'} (CVE-2020-0543)",
+ "tsa" => "$Lang::tr{'transient sheduler attacks'} (CVE-2024-36350,36357,36348,36349)",
 "tsx_async_abort" => "$Lang::tr{'taa zombieload2'} (CVE-2019-11135)",
 );
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 4df95fdaf..210a701ff 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
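Review bot: In the update.sh hunk at -107, `dracut --regenerate-all --force` and the aarch64 `mkimage` call run unchecked, and `touch /var/run/need_reboot` follows whatever their result. An earlier hunk of the same script deletes `/boot/initramfs-*` and `/lib/modules`, so a failed dracut run leaves the system requesting a reboot with no initramfs for the new kernel. Suggest `dracut --regenerate-all --force || exit_with_error "ERROR cannot build initramfs." 4` (message and code are suggestions) and the same pattern on `mkimage`. Separately, `/boot/pakfire-kernel-update ${KVER}` runs a file from `/boot` with the updater's privileges after only an `-e` test. If `/boot` is a filesystem without Unix permissions on those ARM boards (an inference from the comment), ownership and mode cannot restrict who placed it, so at least test `-x` and quote `"${KVER}"`.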
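Review bot: In vulnerabilities.cgi (hunk at -44) the new `"tsa"` entry abbreviates its identifiers as `(CVE-2024-36350,36357,36348,36349)`, so a search for any of the last three finds nothing, and it differs from every other visible entry in `%VULNERABILITIES`, each of which carries one full CVE id. Writing them out as `(CVE-2024-36350, CVE-2024-36357, CVE-2024-36348, CVE-2024-36349)` keeps the page searchable. The language key `'transient sheduler attacks'` is misspelled ("scheduler"). It resolves because de.pl and en.pl use the same spelling, but the displayed value `'Transient sheduler attacks'` carries the typo into the UI, so the key and both values should be corrected together. The hash starts and ends outside the hunk.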
@@ -2544,6 +2544,7 @@ 'trafficto' => 'Nach', 'transfer limits' => 'Transferbeschränkungen', 'transfers' => 'Datenübertragungen', +'transient sheduler attacks' => 'Transient sheduler attacks', 'transparent on' => 'Transparent auf', 'transport mode does not support vti' => 'VTI wird im Transport-Modus nicht unterstützt', 'tripwire' => 'Tripwire', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 22ab0bad1..57ccaa701 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -2649,6 +2649,7 @@ 'trafficto' => 'To', 'transfer limits' => 'Transfer limits', 'transfers' => 'Transfers', +'transient sheduler attacks' => 'Transient sheduler attacks', 'transparent on' => 'Transparent on', 'transport mode does not support vti' => 'VTI is not support in transport mode', 'tripwire' => 'Tripwire', diff --git a/lfs/linux b/lfs/linux index 122d3517e..a1f705786 100644 --- a/lfs/linux +++ b/lfs/linux @@ -24,7 +24,7 @@ include Config -VER = 6.12.34 +VER = 6.12.39 THISAPP = linux-$(VER) DL_FILE = linux-$(VER).tar.xz @@ -69,7 +69,7 @@ objects = \ $(DL_FILE) = $(URL_IPFIRE)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = a1527edf5ea06d55ad4468341d2e8cc44406df1edfe1a619ece86692e42afe7f5919ee051942fc9e70c47d79bcd4f0fc2e54ae32c79392702d8493596dca1a83 +$(DL_FILE)_BLAKE2 = 405c076e8ad055fb593c219b3810cdcfc84117c289744778e89e8f6076b8a0b6f238d1a438a0a46f615a4da50c05814d7da76ccedd6656c4ff6917d99a4c13e4 install : $(TARGET) hooks/post-receive -- IPFire 2.x development tree