Turris OS packages issues
https://gitlab.nic.cz/turris/os/packages/-/issues
2024-03-12T14:20:58+01:00

https://gitlab.nic.cz/turris/os/packages/-/issues/866
turris-auth+lighttpd: make sure that turris webapps are not accessible in case turris-auth is not running
2024-03-12T14:20:58+01:00
Martin Matějek
In case that turris-auth check & redirection (`https://<router-ip>/login?/`)
```
https://<router-ip>/login?/<target_url> --> https://<router-ip>/<target_url>
```
is not available to lighttpd for some reason - for example [turris-auth config for lighttpd](https://gitlab.nic.cz/turris/os/packages/-/blob/master/web/turris-auth/files/lighttpd.conf) cannot be loaded - then turris webapps are directly accessible without authentication.
It would be useful to have a failsafe config for lighttpd (or some other measure), which would block access to reforis in case that turris-auth is not running, but reforis is running.
---
Please note that in case turris-auth is running, but a runtime error occurs, reforis and pakon (and probably other turris webapps that lack internal authentication) won't be accessible - which is fine, because they are still, although in a weird way, protected by turris-auth.
cc: @mhrusecky, @jschlehofer, @shenek
Richard Muzik

https://gitlab.nic.cz/turris/os/packages/-/issues/700
Unbound CVE-2020-28935
2023-08-16T14:40:58+02:00
Josef Schlehofer
More details here: https://bugzilla.redhat.com/show_bug.cgi?id=1878761 and here https://github.com/NLnetLabs/unbound/issues/303
Fixed by these commits: https://github.com/NLnetLabs/unbound/commit/ad387832979b6ce4c93f64fe706301cd7d034e87 and https://github.com/NLnetLabs/unbound/commit/19f8f4d9f99a44906ab9dcc46d44da299fde3506
Should be fixed in 1.13.0 (not yet released)
Turris OS 5.1.5
Jan Pavlinec

https://gitlab.nic.cz/turris/os/packages/-/issues/689
initial-config: Allow hashed passwords to be specified in config
2020-10-31T02:57:21+01:00
Karel Koci
The initial version of initial-config addressed only insecure but simple configuration. It would be better to allow users to use hashed passwords even when generating them is more complicated. It would be an option for advanced users having to do configuration without ethernet as well.
The following discussion from !560 should be addressed:
- [ ] @vmyslivec started a [discussion](https://gitlab.nic.cz/turris/turris-os-packages/-/merge_requests/560#note_178336): (+5 comments)
> follow-up from https://gitlab.nic.cz/turris/turris-os-packages/-/merge_requests/560#note_177635
>
> Is it intended to let users generate a config that would be left on some USB flash drive with cleartext (non-hashed) passwords?
>
> I know we can't get rid of Wi-Fi password in clear text but foris and system password can be prepared in their hashed form.
>
> This README can include steps to generate desired hash.

https://gitlab.nic.cz/turris/os/packages/-/issues/525
kresd on 5.0-dev does not forward requests to the selected server
2023-08-16T14:42:07+02:00
Giuseppe Piscitelli
I'm using Turris OS 5.0-dev on Omnia. Although it chooses a server from the list of those in Foris / DNS to forward my DNS queries, they continue to be resolved by my ISP's servers. I enclose two screenshots: in the first one we see that the configuration (in the example with Cloudflare) is correctly loaded in kresd; in the other, we see that by performing a test on dnsleaktest.com the server used is that of Telecom Italia (my ISP).
In addition, using reForis and opening the DNS tab, I see an error, which could be related to the bug above.
![Schermata_del_2019-12-13_17-19-33](/uploads/7111745f00c20cc11b6d785b6bda4474/Schermata_del_2019-12-13_17-19-33.png)
![Schermata_del_2019-12-13_17-20-15](/uploads/791ffe694c4f0d5adf8f6bb6dc5768d0/Schermata_del_2019-12-13_17-20-15.png)
![Schermata_del_2019-12-13_15-47-50](/uploads/e4d8d90de74e45489be431fcc8bb04e9/Schermata_del_2019-12-13_15-47-50.png)
Jan Pavlinec

https://gitlab.nic.cz/turris/os/packages/-/issues/510
[unbound] version bump 1.9.5 (fix for vulnerability CVE-2019-16866)
2023-08-16T14:42:08+02:00
Ghost User
Unbound 1.9.5 is available:
https://nlnetlabs.nl/downloads/unbound/unbound-1.9.5.tar.gz
sha256 8a8d400f697c61d73d109c250743a1b6b79848297848026d82b43e831045db57
pgp https://nlnetlabs.nl/downloads/unbound/unbound-1.9.5.tar.gz
This release is a fix for vulnerability CVE-2019-18934, that can cause
shell execution in ipsecmod.
Bug Fixes:
- Fix for the reported vulnerability.
The CVE number for this vulnerability is CVE-2019-18934
== Summary
Recent versions of Unbound contain a vulnerability that can cause shell
code execution after receiving a specially crafted answer. This issue
can only be triggered if unbound was compiled with `--enable-ipsecmod`
support, and ipsecmod is enabled and used in the configuration.
== Affected products
Unbound 1.6.4 up to and including 1.9.4.
== Description
Due to unsanitized characters passed to the ipsecmod-hook shell command,
it is possible for Unbound to allow shell code execution from a
specially crafted IPSECKEY answer.
This issue can only be triggered when *all* of the below conditions are met:
* unbound was compiled with `--enable-ipsecmod` support, and
* ipsecmod is enabled and used in the configuration, and
* a domain is part of the ipsecmod-whitelist (if ipsecmod-whitelist is
used), and
* unbound receives an A/AAAA query for a domain that has an A/AAAA
record(s) *and* an IPSECKEY record(s) available.
The shell code execution can then happen if either the qname or the
gateway field of the IPSECKEY (when gateway type == 3) contain a
specially crafted domain name.
== Solution
Download patched version of Unbound, or apply the patch manually.
+ Downloading patched version
Unbound 1.9.5 is released with the patch
https://nlnetlabs.nl/downloads/unbound/unbound-1.9.5.tar.gz
+ Applying the Patch manually
For Unbound 1.6.4 up to and including 1.9.4 the patch is:
https://nlnetlabs.nl/downloads/unbound/patch_cve_2019-18934.diff
Apply the patch on the Unbound source directory with:
'patch -p1 < patch_cve_2019-18934.diff'
then run 'make install' to install Unbound.
Turris OS 3.11.10
Jan Pavlinec

https://gitlab.nic.cz/turris/os/packages/-/issues/382
weak password encryption algorithm
2019-05-13T13:50:09+02:00
Ghost User
TO | OS4.x beta 1
___
as outlined in https://gitlab.labs.nic.cz/turris/openwrt/issues/255
/etc/login.defs utilizes weak password encryption
> DES-based algorithm will be used for encrypting password (default)
Instead it should be
`ENCRYPT_METHOD SHA512`

https://gitlab.nic.cz/turris/os/packages/-/issues/209
hostapd: CVE-2018-14526 - patch hostapd-common
2018-08-09T18:32:12+02:00
Ghost User
Info:
https://nvd.nist.gov/vuln/detail/CVE-2018-14526
Patch:
https://w1.fi/cgit/hostap-www/commit/?id=a28b295e9920bee4cb58b90df9671c8cb3e07da5
Turris OS 3.10.4

https://gitlab.nic.cz/turris/os/packages/-/issues/167
unbound: run as unbound user
2023-08-16T14:49:42+02:00
Jan Pavlinec
We should use the username option in config for that purpose, see
https://www.unbound.net/documentation/unbound.conf.html
Turris OS 5.0
Jan Pavlinec

https://gitlab.nic.cz/turris/os/packages/-/issues/52
[Github Issue] Update request: dnsmasq
2020-07-12T12:10:44+02:00
Jan Pavlinec
---------
#### **DO NOT EDIT HERE!** Copy from https://github.com/CZ-NIC/turris-os-packages/issues/41
---------
https://forum.turris.cz/t/dnsmasq-cves-please-provide-updates/5166
Please update dnsmasq to the newest version.