Turris OS packages issues
https://gitlab.nic.cz/turris/os/packages/-/issues
Date: 2023-08-16T14:37:32+02:00

Issue 511: HaaS-proxy: invalid removal of rules from firewall
URL: https://gitlab.nic.cz/turris/os/packages/-/issues/511
Date: 2023-08-16T14:37:32+02:00
Author: Karel Koci

Removal of rules is invalid. It does not work. The chain specification is invalid.

Milestone: Turris OS 4.0.3

Issue 510: [unbound] version bump 1.9.5 (fix for vulnerability CVE-2019-16866)
URL: https://gitlab.nic.cz/turris/os/packages/-/issues/510
Date: 2023-08-16T14:42:08+02:00
Author: Ghost User

Unbound 1.9.5 is available:
https://nlnetlabs.nl/downloads/unbound/unbound-1.9.5.tar.gz
sha256 8a8d400f697c61d73d109c250743a1b6b79848297848026d82b43e831045db57
pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.9.5.tar.gz
This release is a fix for vulnerability CVE-2019-18934, that can cause
shell execution in ipsecmod.
Bug Fixes:
- Fix for the reported vulnerability.
The CVE number for this vulnerability is CVE-2019-18934
== Summary
Recent versions of Unbound contain a vulnerability that can cause shell
code execution after receiving a specially crafted answer. This issue
can only be triggered if unbound was compiled with `--enable-ipsecmod`
support, and ipsecmod is enabled and used in the configuration.
== Affected products
Unbound 1.6.4 up to and including 1.9.4.
== Description
Due to unsanitized characters passed to the ipsecmod-hook shell command,
it is possible for Unbound to allow shell code execution from a
specially crafted IPSECKEY answer.
This issue can only be triggered when *all* of the below conditions are met:
* unbound was compiled with `--enable-ipsecmod` support, and
* ipsecmod is enabled and used in the configuration, and
* a domain is part of the ipsecmod-whitelist (if ipsecmod-whitelist is
used), and
* unbound receives an A/AAAA query for a domain that has an A/AAAA
record(s) *and* an IPSECKEY record(s) available.
The shell code execution can then happen if either the qname or the
gateway field of the IPSECKEY (when gateway type == 3) contain a
specially crafted domain name.
== Solution
Download patched version of Unbound, or apply the patch manually.
+ Downloading patched version
Unbound 1.9.5 is released with the patch
https://nlnetlabs.nl/downloads/unbound/unbound-1.9.5.tar.gz
+ Applying the Patch manually
For Unbound 1.6.4 up to and including 1.9.4 the patch is:
https://nlnetlabs.nl/downloads/unbound/patch_cve_2019-18934.diff
Apply the patch on the Unbound source directory with:
'patch -p1 < patch_cve_2019-18934.diff'
then run 'make install' to install Unbound.

Milestone: Turris OS 3.11.10
Assignee: Jan Pavlinec

Issue 509: [Turris OS 3.x] Upgrade pyuci
URL: https://gitlab.nic.cz/turris/os/packages/-/issues/509
Date: 2019-11-19T10:38:27+01:00
Author: Vojtech Myslivec

Upgrade turris/pyuci to the most recent version (>= 0.6) in TOS 3.x.
We can drop Python 2 compatibility.

Milestone: Turris OS 3.11.10

Issue 508: ripe atlas probe - add new package
URL: https://gitlab.nic.cz/turris/os/packages/-/issues/508
Date: 2019-11-18T11:02:15+01:00
Author: Jan Pavlinec

Add package for software atlas probe.
Related MR: https://gitlab.labs.nic.cz/turris/turris-os-packages/merge_requests/139

Milestone: Turris OS 3.11.9

Issue 507: Write packages style guidelines to README.adoc
URL: https://gitlab.nic.cz/turris/os/packages/-/issues/507
Date: 2019-11-13T10:41:36+01:00
Author: Karel Koci

We should define how packages, and mainly their `Makefile`, should look and be formatted. This should serve as a rule book as well as an example of package creation.
The appropriate file is README.asciidoc.

Issue 506: Move Foris and Foris-controller repositories to appropriate groups
URL: https://gitlab.nic.cz/turris/os/packages/-/issues/506
Date: 2023-08-16T14:42:10+02:00
Author: Karel Koci

Foris repositories and foris-controller repositories should be moved to appropriate subgroups to make management of them better.
* [ ] update packages in branch `master` and `for-v4.0` (Turris OS 4.0+)
* [ ] update packages in branch `test` (Turris OS 3.x)
* [ ] update CI scripts in repositories
* [ ] move repositories
* [ ] update documentation links
On notice @vmyslivec @mhrusecky @jschlehofer
Please closely watch and update your repositories @bbodnar @shenek @mlenartowicz when the move is done.

Issue 505: Verify that package dhparam is required
URL: https://gitlab.nic.cz/turris/os/packages/-/issues/505
Date: 2020-09-30T14:06:28+02:00
Author: Karel Koci

Package dhparam might not be required. The only dependency is foris-controller-openvpn-plugin, but the core package for openvpn, `turris-cagen`, does not depend on it. `turris-cagen` also seems to generate dhparam itself. It seems that turris-cagen just does that for itself and dhparam might not be required at all in the end.
Please @jschlehofer investigate.

Milestone: Turris OS 5.2.0

Issue 504: [resolver-conf] Default msg_buffer_size too small for Unbound
URL: https://gitlab.nic.cz/turris/os/packages/-/issues/504
Date: 2023-08-16T14:37:34+02:00
Author: Ondřej Caletka

In the default config, `msg_buffer_size` is [set to 4096](https://gitlab.labs.nic.cz/turris/turris-os-packages/blob/master/net/resolver-conf/files/resolver-turris-config#L8). According to the [Unbound manual](https://nlnetlabs.nl/documentation/unbound/unbound.conf/), this option limits the size of DNS messages unbound can handle and the default should be set to 65552.
Such a low value makes some domains unresolvable, for instance `www.aquapark-uh.cz`, as [reported here](https://forum.root.cz/index.php?topic=22062.msg320038;topicseen) and confirmed by me.
Also please note that the very same option `msg_buffer_size` is mapped to option [`net.bufsize`](https://knot-resolver.readthedocs.io/en/stable/daemon.html#c.net.bufsize) in Knot Resolver, which is incorrect – option `net.bufsize` of Knot Resolver is similar to the `edns-buffer-size` option of Unbound.

Milestone: Turris OS 4.0.5
Assignee: Jan Pavlinec

Issue 503: turris-cagen: more granural locking
URL: https://gitlab.nic.cz/turris/os/packages/-/issues/503
Date: 2021-08-16T16:38:14+02:00
Author: Štěpán Henek

Right now it locks by CA name. It should lock by CA dirname (slugified).
Problem:
Netboot uses cagen to generate a CA for the client and the new CA is always called remote.
e.g.
```sh
CA_DIR=transfering/0000000D30001605 /tmp/cagen.sh new_ca remote gen_ca gen_server turris gen_client 0000000A00000214-0000000D30001605
```
This will lock all `remote` CAs. => `/etc/ssl/remote` CA and `/srv/turris-neboot/clients/transfering/*` CAs can't be modified while the script is running, although it can safely run in parallel.

Issue 501: Add openvpn-hotplug as dependency for OpenVPN in userlists
URL: https://gitlab.nic.cz/turris/os/packages/-/issues/501
Date: 2020-04-10T17:12:52+02:00
Author: Martin Matějek

Add dependency on openvpn-hotplug in user-lists, because it is probably the easiest solution right now.
For more reasoning see this comment:
https://gitlab.labs.nic.cz/turris/turris-os-packages/merge_requests/148#note_125892

Milestone: Turris OS 5.0

Issue 500: Package lists with options
URL: https://gitlab.nic.cz/turris/os/packages/-/issues/500
Date: 2020-06-05T19:17:53+02:00
Author: Karel Koci

For Sentinel and data collection in general we decided to have optional parts for package lists. Those are for example Samba for NAS or honeypot for data collection.
* [x] support in pkglists package
* [x] support in updater-ng package
* [x] support in updater-supervisor
* [x] support in foris-controller
* [x] support in foris
* [x] support in reForis
* [x] migration package to update configuration
* [x] modification of current lists to use options

Milestone: Turris OS 5.1

Issue 499: [atlas probe] buddyinfo: can't open '/proc/buddyinfo': No such file or directory
URL: https://gitlab.nic.cz/turris/os/packages/-/issues/499
Date: 2023-08-16T14:55:18+02:00
Author: Ghost User

> {"kernel":"4.14.150","hostname":"to","system":"ARMv7 Processor rev 1 (v7l)","model":"Turris Omnia","board_name":"cznic,turris-omnia","release":{"distribution":"TurrisOS","version":"5.0-dev","revision":"fe1c399","target":"mvebu/cortexa9","description":"TurrisOS 5.0-dev fe1c399"}}
> atlas-probe 2.0.0-1.0
> atlas-sw-probe 1.0.0-1.0
___
>ATLAS enough space free, no need to do anything
>ATLAS buddyinfo: can't open '/proc/buddyinfo': No such file or directory
>ATLAS buddyinfo: can't open '/proc/buddyinfo': No such file or directory
>ATLAS buddyinfo: can't open '/proc/buddyinfo': No such file or directory
>ATLAS buddyinfo: can't open '/proc/buddyinfo': No such file or directory
>ATLAS perd: in my_exit (exit was called!)
>ATLAS Aborted
>ATLAS eperd: in my_exit (exit was called!)
>ATLAS Aborted
>ATLAS buddyinfo: can't open '/proc/buddyinfo': No such file or directory
>ATLAS And we are done
>ATLAS buddyinfo: can't open '/proc/buddyinfo': No such file or directory
>ATLAS buddyinfo: can't open '/proc/buddyinfo': No such file or directory
>ATLAS buddyinfo: can't open '/proc/buddyinfo': No such file or directory
>ATLAS condmv: not moving, destination '/usr/libexec/atlas-probe-scripts/data/out/simpleping' exists
>ATLAS And we are done
>ATLAS buddyinfo: can't open '/proc/buddyinfo': No such file or directory
>ATLAS buddyinfo: can't open '/proc/buddyinfo': No such file or directory
>ATLAS buddyinfo: can't open '/proc/buddyinfo': No such file or directory
>ATLAS condmv: not moving, destination '/usr/libexec/atlas-probe-scripts/data/out/v6addr.txt' exists
>ATLAS condmv: not moving, destination '/usr/libexec/atlas-probe-scripts/data/out/simpleping' exists
>ATLAS enough space free, no need to do anything
>ATLAS And we are done
>ATLAS buddyinfo: can't open '/proc/buddyinfo': No such file or directory
>ATLAS buddyinfo: can't open '/proc/buddyinfo': No such file or directory
>ATLAS buddyinfo: can't open '/proc/buddyinfo': No such file or directory
>ATLAS condmv: not moving, destination '/usr/libexec/atlas-probe-scripts/data/out/v6addr.txt' exists
>ATLAS condmv: not moving, destination '/usr/libexec/atlas-probe-scripts/data/out/simpleping' exists

Assignee: Jan Pavlinec

Issue 498: reforis language packages
URL: https://gitlab.nic.cz/turris/os/packages/-/issues/498
Date: 2020-02-04T10:34:53+01:00
Author: Štěpán Henek

Make sure that when a language `XX` is checked all `reforis-l10n-XX` and `reforis-*-plugin-l10n-XX` are installed.
(The same for current foris packages)

Issue 497: Update sslh from v1.17-3 to 1.19 from openwrt repo
URL: https://gitlab.nic.cz/turris/os/packages/-/issues/497
Date: 2019-11-04T09:15:50+01:00
Author: Live

Hey there,
I'm running into the issue that sslh isn't built with libconfig support, which would be VERY convenient to have on the Turris without recompiling it myself or adding another repository (and doing work again which has already been done by the openwrt project, or breaking the Omnia because of incompatible packages).
So I'd like to request the sslh v1.19 package from openwrt to be available via the turris repo.

Issue 496: Change repository flow
URL: https://gitlab.nic.cz/turris/os/packages/-/issues/496
Date: 2020-01-13T13:28:32+01:00
Author: Karel Koci

Steps:
* [x] write readme with flow of this repository
* [x] rename `master` to `develop`
* [x] rename `for-v4.0` to `master`
* [x] set protected branches and tags appropriately
-------------
In response to https://gitlab.labs.nic.cz/turris/turris-build/issues/85 we should change flow of this repository as well. At the moment we have master as development branch with `for-v4.0` as stable branch for `hbk`.
There are effectively two questions.
1. What should be name for stable and development branches
2. Should default branch be stable or development

Milestone: Turris OS 5.1

Issue 495: [broken package dependency] foris-controller-diagnostics-module requires package turris-diagnostics
URL: https://gitlab.nic.cz/turris/os/packages/-/issues/495
Date: 2019-10-18T22:31:08+02:00
Author: Ghost User

> {"kernel":"4.14.149","hostname":"to","system":"ARMv7 Processor rev 1 (v7l)","model":"Turris Omnia","board_name":"cznic,turris-omnia","release":{"distribution":"TurrisOS","version":"5.0-dev","revision":"e3a130a","target":"mvebu/cortexa9","description":"TurrisOS 5.0-dev e3a130a"}}
___
`pkgupdate` prints since yesterday
> ERROR:
> inconsistent: Package foris-controller-diagnostics-module requires package turris-diagnostics that is not available.

Issue 493: Sentinel packages integration
URL: https://gitlab.nic.cz/turris/os/packages/-/issues/493
Date: 2020-06-29T11:51:20+02:00
Author: Vojtech Myslivec

Integrate Sentinel packages and package-list for updater, Foris and EULA.
- [x] Meta package for data collection (using proxy package for that) !287
- [x] uCI configuration file for Sentinel !287
- [x] ~~Documentation for Foris team~~

Milestone: Sentinel migration

Issue 492: [unbound] version bump 1.9.4 (fix for vulnerability CVE-2019-16866)
URL: https://gitlab.nic.cz/turris/os/packages/-/issues/492
Date: 2019-10-10T12:51:02+02:00
Author: Ghost User

https://github.com/NLnetLabs/unbound/releases/tag/release-1.9.4
> This release is a fix for vulnerability CVE-2019-16866 that causes a failure when a specially crafted query is received.
>
> Bug Fixes:
> - Fix for the reported vulnerability.
>
> The CVE number for this vulnerability is CVE-2019-16866
>
> == Summary
> Recent versions of Unbound contain a problem that may cause Unbound to
> crash after receiving a specially crafted query. This issue can only be
> triggered by queries received from addresses allowed by Unbound's ACL.
>
> == Affected products
> Unbound 1.7.1 up to and including 1.9.3.
>
> == Description
> Due to an error in parsing NOTIFY queries, it is possible for Unbound to
> continue processing malformed queries and may ultimately result in a
> pointer dereference in uninitialized memory. This results in a crash of
> the Unbound daemon.
>
> Whether this issue leads to a crash depends on the content of the
> uninitialized memory space and cannot be predicted. This issue can only
> be triggered by queries received from addresses that are allowed to send
> queries according to Unbound's ACL (access-control in the Unbound
> configuration).
>
> == Solution
> Download patched version of Unbound, or apply the patch manually.
>
> + Downloading patched version
> Unbound 1.9.4 is released with the patch
> https://nlnetlabs.nl/downloads/unbound/unbound-1.9.4.tar.gz
>
> + Applying the Patch manually
> For Unbound 1.7.1 up to and including 1.9.3 the patch is:
> https://nlnetlabs.nl/downloads/unbound/patch_cve_2019-16866.diff
>
> Apply the patch on Unbound source directory with:
> 'patch -p0 < patch_cve_2019-16866.diff'
> then run 'make install' to install Unbound.

Milestone: Turris OS 3.11.8

Issue 489: resolver-conf: DNSSEC rootkey update
URL: https://gitlab.nic.cz/turris/os/packages/-/issues/489
Date: 2023-08-16T14:57:04+02:00
Author: Jan Pavlinec

This is a meta issue.
It's possible that the DNSSEC root key will be rotated more frequently (once per year). Right now we ship omnia/mox with DNSSEC enabled.
In case someone buys the version with an older firmware, the auto-update function will not be possible because DNSSEC validation will fail. We should discuss a possible solution here.
cc @jschlehofer @kkoci @mhrusecky

Issue 488: ludus: update to version 0.9
URL: https://gitlab.nic.cz/turris/os/packages/-/issues/488
Date: 2023-08-16T14:42:11+02:00
Author: Jan Pavlinec

Update ludus to version 0.9, reduce log and enable switching strategies.

Milestone: Turris OS 3.11.8
Assignee: Jan Pavlinec