Skip to content

Commit

Permalink
v8.20
Browse files Browse the repository at this point in the history
- DietPi-Dashboard | Resolved an issue where an attacker could have caused a Denial-of-Service via parallel unanswered TLS handshakes (CVE-2023-38505). The update to the dashboard v0.6.2, which solves the issue, will be automatically applied as part of the DietPi update: GHSA-3jr4-9rxf-fr44
  • Loading branch information
MichaIng committed Jul 27, 2023
1 parent a7b7caf commit 611d775
Show file tree
Hide file tree
Showing 2 changed files with 8 additions and 0 deletions.
7 changes: 7 additions & 0 deletions .update/patches
Original file line number Diff line number Diff line change
Expand Up @@ -1414,6 +1414,13 @@ Patch_8_20()
[[ -f '/etc/nginx/sites-dietpi/dietpi-pihole.conf' ]] && G_EXEC sed -i 's/add_header X-XSS-Protection "1; mode=block";/add_header X-XSS-Protection "0";/' /etc/nginx/sites-dietpi/dietpi-pihole.conf
[[ -f '/etc/lighttpd/conf-enabled/99-dietpi-pihole.conf' ]] && G_EXEC sed -i 's/"X-XSS-Protection" => "1; mode=block"/"X-XSS-Protection" => "0"/' /etc/lighttpd/conf-enabled/99-dietpi-pihole.conf
fi

# DietPi-Dashboard: https://github.com/ravenclaw900/DietPi-Dashboard/releases/tag/v0.6.2
if grep -q '^[[:blank:]]*aSOFTWARE_INSTALL_STATE\[200\]=2' /boot/dietpi/.installed
then
G_DIETPI-NOTIFY 2 'Preparing DietPi-Dashboard update to fix CVE-2023-38505 DoS vulnerability ...'
echo 200 >> /var/tmp/dietpi/dietpi-update_reinstalls
fi
fi
}

Expand Down
1 change: 1 addition & 0 deletions CHANGELOG.txt
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@ Enhancements:
Bug fixes:
- General | Resolved an issue where the automated first run setup could have failed as images were shipped with cron enabled, which could have led to concurrent APT executions. cron is now disabled first and enabled after first run setup has finished. Many thanks to @Timoses for reporting this issue: https://dietpi.com/forum/t/during-initial-boot-could-not-get-lock-var-lib-apt-lists-lock/17385
- Raspberry Pi | Resolved an issue on Bookworm systems where FFmpeg and related A/V libraries and development headers could not be installed, since the raised epoch version of those from the Raspberry Pi repository is leading to conflicts with the newer ones from the Debian Bookworm repository.
- DietPi-Dashboard | Resolved an issue where an attacker could have caused a Denial-of-Service via parallel unanswered TLS handshakes (CVE-2023-38505). The update to the dashboard v0.6.2, which solves the issue, will be automatically applied as part of the DietPi update: https://github.com/ravenclaw900/DietPi-Dashboard/security/advisories/GHSA-3jr4-9rxf-fr44
- DietPi-LetsEncrypt | Resolved a DietPi v8.19 regression where applying the HTTPS certificate for Lighttpd fails. Many thanks to @midniteca for reporting this issue: https://github.com/MichaIng/DietPi/issues/6460
- DietPi-Config | Resolved an issue where enabling Bluetooth on SBCs with Armbian firmware failed, because of a conflict between armbian-firmware and bluez-firmware packages. bluez-firmware will not be tried to be installed anymore if armbian-firmware is. Many thanks to @innovodev for reporting this issue: https://dietpi.com/forum/t/upgrading-dietpi-from-bullseye-to-bookworm/15963/16
- DietPi-Software | Lighttpd: Resolved a DietPi v8.19 regression where the installation of Pi-hole, ownCloud, Nextcloud, Pydio and WikiMedia failed if Lighttpd was selected as webserver and HTTPS not yet enabled via dietpi-letsencrypt. Many thanks to @bruno-briner for reporting this issue: https://github.com/MichaIng/DietPi/issues/6455
Expand Down

0 comments on commit 611d775

Please sign in to comment.