Turris OS packages issues
https://gitlab.nic.cz/turris/os/packages/-/issues
2020-11-03T01:41:15+01:00

Cancel certificate pinning for our packages
https://gitlab.nic.cz/turris/os/packages/-/issues/481
2020-11-03T01:41:15+01:00
Vojtech Myslivec

Some of our tools insist on certificate pinning which is not handled well (e.g. 2 LE intermediate certificates...). We should get rid of them.
There was already a MR !77 to handle this but it was insufficient.
This is mainly about `/etc/ssl/www_turris_cz_ca.pem` file from `cznic-cacert-bundle` package. I have discovered these packages using this file as a *CAFile*:
- `server-uplink` (from turris/turris-os-packages>)
- `haas` (also from turris/turris-os-packages>)
- `netmetr` (from turris/netmetr-client>)

Turris OS 3.11.8

ludus: update to version 0.9
https://gitlab.nic.cz/turris/os/packages/-/issues/488
2023-08-16T14:42:11+02:00
Jan Pavlinec

Update ludus to version 0.9, reduce log and enable switching strategies

Turris OS 3.11.8
Jan Pavlinec

[unbound] version bump 1.9.4 (fix for vulnerability CVE-2019-16866)
https://gitlab.nic.cz/turris/os/packages/-/issues/492
2019-10-10T12:51:02+02:00
Ghost User

https://github.com/NLnetLabs/unbound/releases/tag/release-1.9.4
> This release is a fix for vulnerability CVE-2019-16866 that causes a failure when a specially crafted query is received.
>
> Bug Fixes:
> - Fix for the reported vulnerability.
>
> The CVE number for this vulnerability is CVE-2019-16866
>
> == Summary
> Recent versions of Unbound contain a problem that may cause Unbound to
> crash after receiving a specially crafted query. This issue can only be
> triggered by queries received from addresses allowed by Unbound's ACL.
>
> == Affected products
> Unbound 1.7.1 up to and including 1.9.3.
>
> == Description
> Due to an error in parsing NOTIFY queries, it is possible for Unbound to
> continue processing malformed queries and may ultimately result in a
> pointer dereference in uninitialized memory. This results in a crash of
> the Unbound daemon.
>
> Whether this issue leads to a crash depends on the content of the
> uninitialized memory space and cannot be predicted. This issue can only
> be triggered by queries received from addresses that are allowed to send
> queries according to Unbound's ACL (access-control in the Unbound
> configuration).
>
> == Solution
> Download patched version of Unbound, or apply the patch manually.
>
> + Downloading patched version
> Unbound 1.9.4 is released with the patch
> https://nlnetlabs.nl/downloads/unbound/unbound-1.9.4.tar.gz
>
> + Applying the Patch manually
> For Unbound 1.7.1 up to and including 1.9.3 the patch is:
> https://nlnetlabs.nl/downloads/unbound/patch_cve_2019-16866.diff
>
> Apply the patch on Unbound source directory with:
> 'patch -p0 < patch_cve_2019-16866.diff'
> then run 'make install' to install Unbound.

Turris OS 3.11.8