* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. dadbaef0ae1e669e617cb0abfb08f81c91be2aa3
From: Arne Fitzenreiter @ 2025-07-22 6:17 UTC (permalink / raw)
To: ipfire-scm
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via dadbaef0ae1e669e617cb0abfb08f81c91be2aa3 (commit)
via e5bbca89e6a79c428fd81ae916960d5402a286e2 (commit)
via 1f95c7ea8c7f615e0d808fac72fbb4622ec23a7f (commit)
from 3e945cb3f0644f9dae356b0cbe0ddf9e532497b1 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit dadbaef0ae1e669e617cb0abfb08f81c91be2aa3
Author: Arne Fitzenreiter <arne_f@ipfire.org>
Date: Tue Jul 22 08:16:54 2025 +0200
core197: add kernel to updater
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
commit e5bbca89e6a79c428fd81ae916960d5402a286e2
Author: Arne Fitzenreiter <arne_f@ipfire.org>
Date: Tue Jul 22 08:04:09 2025 +0200
vulnerabilities: add transient scheduler attacks
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
commit 1f95c7ea8c7f615e0d808fac72fbb4622ec23a7f
Author: Arne Fitzenreiter <arne_f@ipfire.org>
Date: Tue Jul 22 08:03:22 2025 +0200
kernel: update to 6.12.39
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/kernel/kernel.config.aarch64-ipfire | 10 ++-
config/kernel/kernel.config.riscv64-ipfire | 2 +-
config/kernel/kernel.config.x86_64-ipfire | 11 +++-
config/rootfiles/common/aarch64/linux | 4 ++
config/rootfiles/common/x86_64/linux | 7 +-
.../124 => core/197}/filelists/aarch64/linux | 0
.../181 => core/197}/filelists/riscv64/linux | 0
.../100 => core/197}/filelists/x86_64/linux | 0
config/rootfiles/core/197/update.sh | 74 +++++++++++++++++++++-
html/cgi-bin/vulnerabilities.cgi | 3 +-
langs/de/cgi-bin/de.pl | 1 +
langs/en/cgi-bin/en.pl | 1 +
lfs/linux | 4 +-
13 files changed, 106 insertions(+), 11 deletions(-)
copy config/rootfiles/{oldcore/124 => core/197}/filelists/aarch64/linux (100%)
copy config/rootfiles/{oldcore/181 => core/197}/filelists/riscv64/linux (100%)
copy config/rootfiles/{oldcore/100 => core/197}/filelists/x86_64/linux (100%)
Difference in files:
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index 9bdebe571..304ae9243 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/arm64 6.12.34 Kernel Configuration
+# Linux/arm64 6.12.39 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (GCC) 15.1.0"
CONFIG_CC_IS_GCC=y
@@ -8181,7 +8181,13 @@ CONFIG_FUSE_FS=m
CONFIG_CUSE=m
# CONFIG_VIRTIO_FS is not set
CONFIG_FUSE_PASSTHROUGH=y
-# CONFIG_OVERLAY_FS is not set
+CONFIG_OVERLAY_FS=y
+# CONFIG_OVERLAY_FS_REDIRECT_DIR is not set
+CONFIG_OVERLAY_FS_REDIRECT_ALWAYS_FOLLOW=y
+# CONFIG_OVERLAY_FS_INDEX is not set
+# CONFIG_OVERLAY_FS_XINO_AUTO is not set
+# CONFIG_OVERLAY_FS_METACOPY is not set
+# CONFIG_OVERLAY_FS_DEBUG is not set
#
# Caches
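Review bot: `CONFIG_OVERLAY_FS=y` in this hunk turns on a filesystem that was previously disabled, but the only kernel commit in this push is titled "kernel: update to 6.12.39" and does not mention it. Enabling overlayfs adds mountable kernel code to a firewall image, so it deserves its own commit, or at least a line in the message saying what needs it. Since `CONFIG_FUSE_FS=m` just above is modular, consider `=m` here too so the code is only loaded on systems that actually mount an overlay.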
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
index 02d441620..f7335a339 100644
--- a/config/kernel/kernel.config.riscv64-ipfire
+++ b/config/kernel/kernel.config.riscv64-ipfire
@@ -6881,7 +6881,7 @@ CONFIG_FUSE_FS=m
CONFIG_CUSE=m
# CONFIG_VIRTIO_FS is not set
CONFIG_FUSE_PASSTHROUGH=y
-# CONFIG_OVERLAY_FS is not set
+CONFIG_OVERLAY_FS=y
#
# Caches
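Review bot: the riscv64 config only gains `CONFIG_OVERLAY_FS=y`, while the aarch64 and x86_64 hunks also record the six `CONFIG_OVERLAY_FS_*` sub-options, and the header comment of this file is not bumped to 6.12.39 as it is in the other two. That suggests this file was edited by hand rather than regenerated, so the sub-options will take whatever default the build picks. Regenerate it with the kernel's oldconfig step so the choices (in particular `REDIRECT_DIR`, `INDEX` and `METACOPY` left off) are explicit on every architecture. The diffstat also shows no matching update to a riscv64 rootfile list.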
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index cedc58ebd..b7b2dc432 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 6.12.34 Kernel Configuration
+# Linux/x86 6.12.39 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (GCC) 15.1.0"
CONFIG_CC_IS_GCC=y
@@ -542,6 +542,7 @@ CONFIG_MITIGATION_SPECTRE_V2=y
CONFIG_MITIGATION_SRBDS=y
CONFIG_MITIGATION_SSB=y
CONFIG_MITIGATION_ITS=y
+CONFIG_MITIGATION_TSA=y
CONFIG_ARCH_HAS_ADD_PAGES=y
#
@@ -7277,7 +7278,13 @@ CONFIG_FUSE_FS=m
CONFIG_CUSE=m
# CONFIG_VIRTIO_FS is not set
CONFIG_FUSE_PASSTHROUGH=y
-# CONFIG_OVERLAY_FS is not set
+CONFIG_OVERLAY_FS=y
+# CONFIG_OVERLAY_FS_REDIRECT_DIR is not set
+CONFIG_OVERLAY_FS_REDIRECT_ALWAYS_FOLLOW=y
+# CONFIG_OVERLAY_FS_INDEX is not set
+# CONFIG_OVERLAY_FS_XINO_AUTO is not set
+# CONFIG_OVERLAY_FS_METACOPY is not set
+# CONFIG_OVERLAY_FS_DEBUG is not set
#
# Caches
diff --git a/config/rootfiles/common/aarch64/linux b/config/rootfiles/common/aarch64/linux
index c2b85c31a..9b848d211 100644
--- a/config/rootfiles/common/aarch64/linux
+++ b/config/rootfiles/common/aarch64/linux
@@ -10708,6 +10708,8 @@ etc/modprobe.d/ipv6.conf
#lib/modules/KVER/build/include/config/OID_REGISTRY
#lib/modules/KVER/build/include/config/OLD_SIGSUSPEND3
#lib/modules/KVER/build/include/config/OPEN_ALLIANCE_HELPERS
+#lib/modules/KVER/build/include/config/OVERLAY_FS
+#lib/modules/KVER/build/include/config/OVERLAY_FS_REDIRECT_ALWAYS_FOLLOW
#lib/modules/KVER/build/include/config/P54_COMMON
#lib/modules/KVER/build/include/config/P54_LEDS
#lib/modules/KVER/build/include/config/P54_PCI
@@ -19634,6 +19636,7 @@ etc/modprobe.d/ipv6.conf
#lib/modules/KVER/build/scripts/gdb/linux/interrupts.py
#lib/modules/KVER/build/scripts/gdb/linux/kasan.py
#lib/modules/KVER/build/scripts/gdb/linux/lists.py
+#lib/modules/KVER/build/scripts/gdb/linux/mapletree.py
#lib/modules/KVER/build/scripts/gdb/linux/mm.py
#lib/modules/KVER/build/scripts/gdb/linux/modules.py
#lib/modules/KVER/build/scripts/gdb/linux/page_owner.py
@@ -19649,6 +19652,7 @@ etc/modprobe.d/ipv6.conf
#lib/modules/KVER/build/scripts/gdb/linux/utils.py
#lib/modules/KVER/build/scripts/gdb/linux/vfs.py
#lib/modules/KVER/build/scripts/gdb/linux/vmalloc.py
+#lib/modules/KVER/build/scripts/gdb/linux/xarray.py
#lib/modules/KVER/build/scripts/gdb/vmlinux-gdb.py
#lib/modules/KVER/build/scripts/gen-randstruct-seed.sh
#lib/modules/KVER/build/scripts/generate_builtin_ranges.awk
diff --git a/config/rootfiles/common/x86_64/linux b/config/rootfiles/common/x86_64/linux
index a33704270..c58d0a4bb 100644
--- a/config/rootfiles/common/x86_64/linux
+++ b/config/rootfiles/common/x86_64/linux
@@ -8710,7 +8710,6 @@ etc/modprobe.d/ipv6.conf
#lib/modules/KVER/build/include/config/HID_TIVO
#lib/modules/KVER/build/include/config/HID_TOPSEED
#lib/modules/KVER/build/include/config/HID_TWINHAN
-#lib/modules/KVER/build/include/config/HID_UNIVERSAL_PIDFF
#lib/modules/KVER/build/include/config/HID_ZYDACRON
#lib/modules/KVER/build/include/config/HIGH_RES_TIMERS
#lib/modules/KVER/build/include/config/HINIC
@@ -9491,6 +9490,7 @@ etc/modprobe.d/ipv6.conf
#lib/modules/KVER/build/include/config/MITIGATION_SRSO
#lib/modules/KVER/build/include/config/MITIGATION_SSB
#lib/modules/KVER/build/include/config/MITIGATION_TAA
+#lib/modules/KVER/build/include/config/MITIGATION_TSA
#lib/modules/KVER/build/include/config/MITIGATION_UNRET_ENTRY
#lib/modules/KVER/build/include/config/MLX4_CORE
#lib/modules/KVER/build/include/config/MLX4_CORE_GEN2
@@ -10203,6 +10203,8 @@ etc/modprobe.d/ipv6.conf
#lib/modules/KVER/build/include/config/OID_REGISTRY
#lib/modules/KVER/build/include/config/OPEN_ALLIANCE_HELPERS
#lib/modules/KVER/build/include/config/OUTPUT_FORMAT
+#lib/modules/KVER/build/include/config/OVERLAY_FS
+#lib/modules/KVER/build/include/config/OVERLAY_FS_REDIRECT_ALWAYS_FOLLOW
#lib/modules/KVER/build/include/config/P2SB
#lib/modules/KVER/build/include/config/P54_COMMON
#lib/modules/KVER/build/include/config/P54_LEDS
@@ -19365,6 +19367,7 @@ etc/modprobe.d/ipv6.conf
#lib/modules/KVER/build/scripts/gdb/linux/interrupts.py
#lib/modules/KVER/build/scripts/gdb/linux/kasan.py
#lib/modules/KVER/build/scripts/gdb/linux/lists.py
+#lib/modules/KVER/build/scripts/gdb/linux/mapletree.py
#lib/modules/KVER/build/scripts/gdb/linux/mm.py
#lib/modules/KVER/build/scripts/gdb/linux/modules.py
#lib/modules/KVER/build/scripts/gdb/linux/page_owner.py
@@ -19380,6 +19383,7 @@ etc/modprobe.d/ipv6.conf
#lib/modules/KVER/build/scripts/gdb/linux/utils.py
#lib/modules/KVER/build/scripts/gdb/linux/vfs.py
#lib/modules/KVER/build/scripts/gdb/linux/vmalloc.py
+#lib/modules/KVER/build/scripts/gdb/linux/xarray.py
#lib/modules/KVER/build/scripts/gdb/vmlinux-gdb.py
#lib/modules/KVER/build/scripts/gen-randstruct-seed.sh
#lib/modules/KVER/build/scripts/generate_builtin_ranges.awk
@@ -21245,7 +21249,6 @@ lib/modules/KVER/kernel
#lib/modules/KVER/kernel/drivers/hid/hid-tivo.ko.xz
#lib/modules/KVER/kernel/drivers/hid/hid-topseed.ko.xz
#lib/modules/KVER/kernel/drivers/hid/hid-twinhan.ko.xz
-#lib/modules/KVER/kernel/drivers/hid/hid-universal-pidff.ko.xz
#lib/modules/KVER/kernel/drivers/hid/hid-zydacron.ko.xz
#lib/modules/KVER/kernel/drivers/hid/i2c-hid
#lib/modules/KVER/kernel/drivers/hid/i2c-hid/i2c-hid-acpi.ko.xz
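Review bot: `hid-universal-pidff.ko.xz` is dropped here and `HID_UNIVERSAL_PIDFF` is dropped from the include/config list earlier in this file, yet the x86_64 kernel config diff in this push contains no hunk touching that option. Please confirm the driver disappeared as a consequence of the 6.12.39 update itself and not because the module failed to build, and say so in the commit message.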
diff --git a/config/rootfiles/core/197/filelists/aarch64/linux b/config/rootfiles/core/197/filelists/aarch64/linux
new file mode 120000
index 000000000..3a2532bc7
--- /dev/null
+++ b/config/rootfiles/core/197/filelists/aarch64/linux
@@ -0,0 +1 @@
+../../../../common/aarch64/linux
\ No newline at end of file
diff --git a/config/rootfiles/core/197/filelists/riscv64/linux b/config/rootfiles/core/197/filelists/riscv64/linux
new file mode 120000
index 000000000..c8e8350ca
--- /dev/null
+++ b/config/rootfiles/core/197/filelists/riscv64/linux
@@ -0,0 +1 @@
+../../../../common/riscv64/linux
\ No newline at end of file
diff --git a/config/rootfiles/core/197/filelists/x86_64/linux b/config/rootfiles/core/197/filelists/x86_64/linux
new file mode 120000
index 000000000..0615b5b9a
--- /dev/null
+++ b/config/rootfiles/core/197/filelists/x86_64/linux
@@ -0,0 +1 @@
+../../../../common/x86_64/linux
\ No newline at end of file
diff --git a/config/rootfiles/core/197/update.sh b/config/rootfiles/core/197/update.sh
index 2cb5e98cc..805369b38 100644
--- a/config/rootfiles/core/197/update.sh
+++ b/config/rootfiles/core/197/update.sh
@@ -26,6 +26,18 @@
core=197
+exit_with_error() {
+ # Set last succesfull installed core.
+ echo $(($core-1)) > /opt/pakfire/db/core/mine
+ # force fsck at next boot, this may fix free space on xfs
+ touch /forcefsck
+ # don't start pakfire again at error
+ killall -KILL pak_update
+ /usr/bin/logger -p syslog.emerg -t ipfire \
+ "core-update-${core}: $1"
+ exit $2
+}
+
# Remove old core updates from pakfire cache to save space...
for (( i=1; i<=$core; i++ )); do
rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
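Review bot: `exit $2` in `exit_with_error` has no default, so a caller that forgets the second argument exits with the status of the preceding `logger` call, normally 0, and a failed update is reported as success. Use `exit "${2:-1}"`. The three callers added in this commit all pass a code, so this is about keeping the helper safe for the next core update that copies it. The comment also has a typo ("succesfull").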
@@ -35,6 +47,46 @@ done
/usr/local/bin/openvpnctrl -k
/usr/local/bin/openvpnctrl -kn2n
+KVER="xxxKVERxxx"
+
+# Backup uEnv.txt if exist
+if [ -e /boot/uEnv.txt ]; then
+ cp -vf /boot/uEnv.txt /boot/uEnv.txt.org
+fi
+
+# Do some sanity checks prior to the kernel update
+case $(uname -r) in
+ *-ipfire*)
+ # Ok.
+ ;;
+ *)
+ exit_with_error "ERROR cannot update. No IPFire Kernel." 1
+ ;;
+esac
+
+# Check diskspace on root and size of boot
+ROOTSPACE=$( df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1 )
+if [ $ROOTSPACE -lt 200000 ]; then
+ exit_with_error "ERROR cannot update because not enough free space on root." 2
+fi
+BOOTSIZE=$( df /boot -Pk | sed "s| * | |g" | cut -d" " -f2 | tail -n 1 )
+if [ $BOOTSIZE -lt 100000 ]; then
+ exit_with_error "ERROR cannot update. BOOT partition is to small." 3
+fi
+
+# Remove the old kernel
+rm -rvf \
+ /boot/System.map-* \
+ /boot/config-* \
+ /boot/ipfirerd-* \
+ /boot/initramfs-* \
+ /boot/vmlinuz-* \
+ /boot/uImage-* \
+ /boot/zImage-* \
+ /boot/uInit-* \
+ /boot/dtb-* \
+ /lib/modules
+
# Remove files
rm -vf \
/etc/rc.d/init.d/networking/red.down/10-ovpn \
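Review bot: the free-space checks fail open. In `[ $ROOTSPACE -lt 200000 ]` and `[ $BOOTSIZE -lt 100000 ]` the variables are unquoted and never validated, so if the `df | sed | cut | tail` pipeline returns an empty or non-numeric string the test errors out, the `if` evaluates as false, and the script continues to `rm -rvf ... /lib/modules`. Verify that both values are numeric and call `exit_with_error` otherwise, and quote them in the tests. `KVER="xxxKVERxxx"` is also assigned here without being used in this hunk and is assigned again further down; one assignment is enough.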
@@ -107,8 +159,28 @@ fi
# Reload Apache2
/etc/init.d/apache reload
+# Build initial ramdisks
+dracut --regenerate-all --force
+KVER="xxxKVERxxx"
+case "$(uname -m)" in
+ aarch64)
+ mkimage -A arm64 -T ramdisk -C lzma -d /boot/initramfs-${KVER}.img /boot/uInit-${KVER}
+ # dont remove initramfs because grub need this to boot.
+ ;;
+esac
+
+# Upadate Kernel version in uEnv.txt
+if [ -e /boot/uEnv.txt ]; then
+ sed -i -e "s/KVER=.*/KVER=${KVER}/g" /boot/uEnv.txt
+fi
+
+# Call user update script (needed for some ARM boards)
+if [ -e /boot/pakfire-kernel-update ]; then
+ /boot/pakfire-kernel-update ${KVER}
+fi
+
# This update needs a reboot...
-#touch /var/run/need_reboot
+touch /var/run/need_reboot
# Finish
/etc/init.d/fireinfo start
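Review bot: the exit status of `dracut --regenerate-all --force` is not checked, although the old kernel images and `/lib/modules` were already deleted earlier in the script. If dracut fails, `touch /var/run/need_reboot` still runs and the user is asked to reboot into a kernel without an initramfs. Check the return code and that `/boot/initramfs-${KVER}.img` exists before `mkimage` and before requesting the reboot, and log an emergency message otherwise. Separately, `/boot/pakfire-kernel-update` is executed as root after only an `-e` test; test with `-x`, and quote `${KVER}` there and in the `sed` expression, which is also unanchored and rewrites any line containing `KVER=`.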
diff --git a/html/cgi-bin/vulnerabilities.cgi b/html/cgi-bin/vulnerabilities.cgi
index cab38d8de..d307881b1 100644
--- a/html/cgi-bin/vulnerabilities.cgi
+++ b/html/cgi-bin/vulnerabilities.cgi
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2023 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -44,6 +44,7 @@ my %VULNERABILITIES = (
"spectre_v1" => "$Lang::tr{'spectre variant 1'} (CVE-2017-5753)",
"spectre_v2" => "$Lang::tr{'spectre variant 2'} (CVE-2017-5715)",
"srbds" => "$Lang::tr{'srbds'} (CVE-2020-0543)",
+ "tsa" => "$Lang::tr{'transient sheduler attacks'} (CVE-2024-36350,36357,36348,36349)",
"tsx_async_abort" => "$Lang::tr{'taa zombieload2'} (CVE-2019-11135)",
);
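Review bot: the new `"tsa"` entry abbreviates its identifiers as `(CVE-2024-36350,36357,36348,36349)`, whereas every other entry in `%VULNERABILITIES` shown here carries a full CVE ID. Abbreviated IDs are not found by a search for `CVE-2024-36357` in the web interface or in the source. Write each ID out in full, for example `CVE-2024-36350, CVE-2024-36357, ...`.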
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 4df95fdaf..210a701ff 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -2544,6 +2544,7 @@
'trafficto' => 'Nach',
'transfer limits' => 'Transferbeschränkungen',
'transfers' => 'Datenübertragungen',
+'transient sheduler attacks' => 'Transient sheduler attacks',
'transparent on' => 'Transparent auf',
'transport mode does not support vti' => 'VTI wird im Transport-Modus nicht unterstützt',
'tripwire' => 'Tripwire',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 22ab0bad1..57ccaa701 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -2649,6 +2649,7 @@
'trafficto' => 'To',
'transfer limits' => 'Transfer limits',
'transfers' => 'Transfers',
+'transient sheduler attacks' => 'Transient sheduler attacks',
'transparent on' => 'Transparent on',
'transport mode does not support vti' => 'VTI is not support in transport mode',
'tripwire' => 'Tripwire',
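Review bot: the displayed value `'Transient sheduler attacks'` is misspelled; it should read "Transient scheduler attacks". The same spelling is used as the lookup key in `vulnerabilities.cgi` and in `de.pl`, so if the key is corrected as well it has to change in all three files in one commit, otherwise the lookup returns an empty label.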
diff --git a/lfs/linux b/lfs/linux
index 122d3517e..a1f705786 100644
--- a/lfs/linux
+++ b/lfs/linux
@@ -24,7 +24,7 @@
include Config
-VER = 6.12.34
+VER = 6.12.39
THISAPP = linux-$(VER)
DL_FILE = linux-$(VER).tar.xz
@@ -69,7 +69,7 @@ objects = \
$(DL_FILE) = $(URL_IPFIRE)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = a1527edf5ea06d55ad4468341d2e8cc44406df1edfe1a619ece86692e42afe7f5919ee051942fc9e70c47d79bcd4f0fc2e54ae32c79392702d8493596dca1a83
+$(DL_FILE)_BLAKE2 = 405c076e8ad055fb593c219b3810cdcfc84117c289744778e89e8f6076b8a0b6f238d1a438a0a46f615a4da50c05814d7da76ccedd6656c4ff6917d99a4c13e4
install : $(TARGET)
hooks/post-receive
--
IPFire 2.x development tree