From 611d775559ff56f13554fa50093ad54f2b554f8d Mon Sep 17 00:00:00 2001 From: MichaIng Date: Thu, 27 Jul 2023 20:37:03 +0200 Subject: [PATCH] v8.20 - DietPi-Dashboard | Resolved an issue where an attacker could have caused a Denial-of-Service via parallel unanswered TLS handshakes (CVE-2023-38505). The update to the dashboard v0.6.2, which solves the issue, will be automatically applied as part of the DietPi update: https://github.com/ravenclaw900/DietPi-Dashboard/security/advisories/GHSA-3jr4-9rxf-fr44 --- .update/patches | 7 +++++++ CHANGELOG.txt | 1 + 2 files changed, 8 insertions(+) diff --git a/.update/patches b/.update/patches index d19d2cee63..f5976f0190 100755 --- a/.update/patches +++ b/.update/patches @@ -1414,6 +1414,13 @@ Patch_8_20() [[ -f '/etc/nginx/sites-dietpi/dietpi-pihole.conf' ]] && G_EXEC sed -i 's/add_header X-XSS-Protection "1; mode=block";/add_header X-XSS-Protection "0";/' /etc/nginx/sites-dietpi/dietpi-pihole.conf [[ -f '/etc/lighttpd/conf-enabled/99-dietpi-pihole.conf' ]] && G_EXEC sed -i 's/"X-XSS-Protection" => "1; mode=block"/"X-XSS-Protection" => "0"/' /etc/lighttpd/conf-enabled/99-dietpi-pihole.conf fi + + # DietPi-Dashboard: https://github.com/ravenclaw900/DietPi-Dashboard/releases/tag/v0.6.2 + if grep -q '^[[:blank:]]*aSOFTWARE_INSTALL_STATE\[200\]=2' /boot/dietpi/.installed + then + G_DIETPI-NOTIFY 2 'Preparing DietPi-Dashboard update to fix CVE-2023-38505 DoS vulnerability ...' + echo 200 >> /var/tmp/dietpi/dietpi-update_reinstalls + fi fi } diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 6f42aaa99e..0f354f1dfa 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt 
@@ -13,6 +13,7 @@ Enhancements: Bug fixes: - General | Resolved an issue where the automated first run setup could have failed as images were shipped with cron enabled, which could have led to concurrent APT executions. cron is now disabled first and enabled after first run setup has finished. Many thanks to @Timoses for reporting this issue: https://dietpi.com/forum/t/during-initial-boot-could-not-get-lock-var-lib-apt-lists-lock/17385 - Raspberry Pi | Resolved an issue on Bookworm systems where FFmpeg and related A/V libraries and development headers could not be installed, since the raised epoch version of those from the Raspberry Pi repository is leading to conflicts with the newer ones from the Debian Bookworm repository. +- DietPi-Dashboard | Resolved an issue where an attacker could have caused a Denial-of-Service via parallel unanswered TLS handshakes (CVE-2023-38505). The update to the dashboard v0.6.2, which solves the issue, will be automatically applied as part of the DietPi update: https://github.com/ravenclaw900/DietPi-Dashboard/security/advisories/GHSA-3jr4-9rxf-fr44 - DietPi-LetsEncrypt | Resolved a DietPi v8.19 regression where applying the HTTPS certificate for Lighttpd fails. Many thanks to @midniteca for reporting this issue: https://github.com/MichaIng/DietPi/issues/6460 - DietPi-Config | Resolved an issue where enabling Bluetooth on SBCs with Armbian firmware failed, because of a conflict between armbian-firmware and bluez-firmware packages. bluez-firmware will not be tried to be installed anymore if armbian-firmware is. Many thanks to @innovodev for reporting this issue: https://dietpi.com/forum/t/upgrading-dietpi-from-bullseye-to-bookworm/15963/16 - DietPi-Software | Lighttpd: Resolved a DietPi v8.19 regression where the installation of Pi-hole, ownCloud, Nextcloud, Pydio and WikiMedia failed if Lighttpd was selected as webserver and HTTPS not yet enabled via dietpi-letsencrypt. 
Many thanks to @bruno-briner for reporting this issue: https://github.com/MichaIng/DietPi/issues/6455
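Review bot: In the `.update/patches` hunk, the `echo 200 >> /var/tmp/dietpi/dietpi-update_reinstalls` line is the only step that actually schedules the dashboard reinstall, yet unlike the `G_EXEC sed` calls in the surrounding context it runs without error handling, so a failed append (unwritable file or missing directory) would pass silently and leave the vulnerable dashboard in place while the update reports success; consider wrapping it in the same `G_EXEC` handling as the neighbouring commands, or at least checking its exit status and raising a notify on failure. A smaller point: the grep pattern `aSOFTWARE_INSTALL_STATE\[200\]=2` has no end anchor, so it matches any state value beginning with `2`; anchoring it (e.g. `=2$` or `=2[[:blank:]]*$`) makes the installed-state check exact.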
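Review bot: The CHANGELOG hunk could state that the automatic dashboard reinstall is applied only on systems where DietPi-Dashboard is currently installed, mirroring the install-state check in `.update/patches`, so that readers who run the dashboard outside of dietpi-software know the v8.20 update does not cover them; linking the upstream v0.6.2 release tag alongside the advisory, as the code comment does, would also help readers find the fixed version directly.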