core138: insert emergency core update for new intel vulnarabilities. core138 master v2.23-core138
authorArne Fitzenreiter <arne_f@ipfire.org>
Fri, 15 Nov 2019 06:10:37 +0000 (06:10 +0000)
committerArne Fitzenreiter <arne_f@ipfire.org>
Fri, 15 Nov 2019 06:10:37 +0000 (06:10 +0000)
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
16 files changed:
config/rootfiles/core/138/exclude [new file with mode: 0644]
config/rootfiles/core/138/filelists/aarch64/linux [new symlink]
config/rootfiles/core/138/filelists/aarch64/linux-initrd [new symlink]
config/rootfiles/core/138/filelists/armv5tel/linux-initrd-kirkwood [new symlink]
config/rootfiles/core/138/filelists/armv5tel/linux-initrd-multi [new symlink]
config/rootfiles/core/138/filelists/armv5tel/linux-kirkwood [new symlink]
config/rootfiles/core/138/filelists/armv5tel/linux-multi [new symlink]
config/rootfiles/core/138/filelists/files [new file with mode: 0644]
config/rootfiles/core/138/filelists/i586/intel-microcode [new symlink]
config/rootfiles/core/138/filelists/i586/linux [new symlink]
config/rootfiles/core/138/filelists/i586/linux-initrd [new symlink]
config/rootfiles/core/138/filelists/x86_64/intel-microcode [new symlink]
config/rootfiles/core/138/filelists/x86_64/linux [new symlink]
config/rootfiles/core/138/filelists/x86_64/linux-initrd [new symlink]
config/rootfiles/core/138/update.sh [new file with mode: 0644]
make.sh

diff --git a/config/rootfiles/core/138/exclude b/config/rootfiles/core/138/exclude
new file mode 100644 (file)
index 0000000..b221598
--- /dev/null
@@ -0,0 +1,28 @@
+boot/config.txt
+boot/grub/grub.cfg
+boot/grub/grubenv
+etc/alternatives
+etc/collectd.custom
+etc/default/grub
+etc/ipsec.conf
+etc/ipsec.secrets
+etc/ipsec.user.conf
+etc/ipsec.user.secrets
+etc/localtime
+etc/shadow
+etc/snort/snort.conf
+etc/ssl/openssl.cnf
+etc/sudoers
+etc/sysconfig/firewall.local
+etc/sysconfig/rc.local
+etc/udev/rules.d/30-persistent-network.rules
+srv/web/ipfire/html/proxy.pac
+var/ipfire/dma
+var/ipfire/time
+var/ipfire/ovpn
+var/lib/alternatives
+var/log/cache
+var/log/dhcpcd.log
+var/log/messages
+var/state/dhcp/dhcpd.leases
+var/updatecache
diff --git a/config/rootfiles/core/138/filelists/aarch64/linux b/config/rootfiles/core/138/filelists/aarch64/linux
new file mode 120000 (symlink)
index 0000000..3a2532b
--- /dev/null
@@ -0,0 +1 @@
+../../../../common/aarch64/linux
\ No newline at end of file
diff --git a/config/rootfiles/core/138/filelists/aarch64/linux-initrd b/config/rootfiles/core/138/filelists/aarch64/linux-initrd
new file mode 120000 (symlink)
index 0000000..8acdb0f
--- /dev/null
@@ -0,0 +1 @@
+../../../../common/aarch64/linux-initrd
\ No newline at end of file
diff --git a/config/rootfiles/core/138/filelists/armv5tel/linux-initrd-kirkwood b/config/rootfiles/core/138/filelists/armv5tel/linux-initrd-kirkwood
new file mode 120000 (symlink)
index 0000000..39c5591
--- /dev/null
@@ -0,0 +1 @@
+../../../../common/armv5tel/linux-initrd-kirkwood
\ No newline at end of file
diff --git a/config/rootfiles/core/138/filelists/armv5tel/linux-initrd-multi b/config/rootfiles/core/138/filelists/armv5tel/linux-initrd-multi
new file mode 120000 (symlink)
index 0000000..0b1b453
--- /dev/null
@@ -0,0 +1 @@
+../../../../common/armv5tel/linux-initrd-multi
\ No newline at end of file
diff --git a/config/rootfiles/core/138/filelists/armv5tel/linux-kirkwood b/config/rootfiles/core/138/filelists/armv5tel/linux-kirkwood
new file mode 120000 (symlink)
index 0000000..7217107
--- /dev/null
@@ -0,0 +1 @@
+../../../../common/armv5tel/linux-kirkwood
\ No newline at end of file
diff --git a/config/rootfiles/core/138/filelists/armv5tel/linux-multi b/config/rootfiles/core/138/filelists/armv5tel/linux-multi
new file mode 120000 (symlink)
index 0000000..204eb4c
--- /dev/null
@@ -0,0 +1 @@
+../../../../common/armv5tel/linux-multi
\ No newline at end of file
diff --git a/config/rootfiles/core/138/filelists/files b/config/rootfiles/core/138/filelists/files
new file mode 100644 (file)
index 0000000..393ad72
--- /dev/null
@@ -0,0 +1,5 @@
+etc/system-release
+etc/issue
+srv/web/ipfire/cgi-bin/credits.cgi
+var/ipfire/langs
+srv/web/ipfire/cgi-bin/vulnerabilities.cgi
diff --git a/config/rootfiles/core/138/filelists/i586/intel-microcode b/config/rootfiles/core/138/filelists/i586/intel-microcode
new file mode 120000 (symlink)
index 0000000..f03e847
--- /dev/null
@@ -0,0 +1 @@
+../../../../common/i586/intel-microcode
\ No newline at end of file
diff --git a/config/rootfiles/core/138/filelists/i586/linux b/config/rootfiles/core/138/filelists/i586/linux
new file mode 120000 (symlink)
index 0000000..693ec4b
--- /dev/null
@@ -0,0 +1 @@
+../../../../common/i586/linux
\ No newline at end of file
diff --git a/config/rootfiles/core/138/filelists/i586/linux-initrd b/config/rootfiles/core/138/filelists/i586/linux-initrd
new file mode 120000 (symlink)
index 0000000..32a03e6
--- /dev/null
@@ -0,0 +1 @@
+../../../../common/i586/linux-initrd
\ No newline at end of file
diff --git a/config/rootfiles/core/138/filelists/x86_64/intel-microcode b/config/rootfiles/core/138/filelists/x86_64/intel-microcode
new file mode 120000 (symlink)
index 0000000..d5ac074
--- /dev/null
@@ -0,0 +1 @@
+../../../../common/x86_64/intel-microcode
\ No newline at end of file
diff --git a/config/rootfiles/core/138/filelists/x86_64/linux b/config/rootfiles/core/138/filelists/x86_64/linux
new file mode 120000 (symlink)
index 0000000..0615b5b
--- /dev/null
@@ -0,0 +1 @@
+../../../../common/x86_64/linux
\ No newline at end of file
diff --git a/config/rootfiles/core/138/filelists/x86_64/linux-initrd b/config/rootfiles/core/138/filelists/x86_64/linux-initrd
new file mode 120000 (symlink)
index 0000000..1b9fff7
--- /dev/null
@@ -0,0 +1 @@
+../../../../common/x86_64/linux-initrd
\ No newline at end of file
diff --git a/config/rootfiles/core/138/update.sh b/config/rootfiles/core/138/update.sh
new file mode 100644 (file)
index 0000000..e659555
--- /dev/null
@@ -0,0 +1,151 @@
+#!/bin/bash
+############################################################################
+#                                                                          #
+# This file is part of the IPFire Firewall.                                #
+#                                                                          #
+# IPFire is free software; you can redistribute it and/or modify           #
+# it under the terms of the GNU General Public License as published by     #
+# the Free Software Foundation; either version 3 of the License, or        #
+# (at your option) any later version.                                      #
+#                                                                          #
+# IPFire is distributed in the hope that it will be useful,                #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of           #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            #
+# GNU General Public License for more details.                             #
+#                                                                          #
+# You should have received a copy of the GNU General Public License        #
+# along with IPFire; if not, write to the Free Software                    #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA #
+#                                                                          #
+# Copyright (C) 2019 IPFire-Team <info@ipfire.org>.                        #
+#                                                                          #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+/usr/local/bin/backupctrl exclude >/dev/null 2>&1
+
+core=138
+
+exit_with_error() {
+       # Set last succesfull installed core.
+       echo $(($core-1)) > /opt/pakfire/db/core/mine
+       # don't start pakfire again at error
+       killall -KILL pak_update
+       /usr/bin/logger -p syslog.emerg -t ipfire \
+               "core-update-${core}: $1"
+       exit $2
+}
+
+# Remove old core updates from pakfire cache to save space...
+for (( i=1; i<=$core; i++ )); do
+       rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
+done
+
+KVER="xxxKVERxxx"
+
+# Backup uEnv.txt if exist
+if [ -e /boot/uEnv.txt ]; then
+       cp -vf /boot/uEnv.txt /boot/uEnv.txt.org
+fi
+
+# Do some sanity checks.
+case $(uname -r) in
+       *-ipfire*)
+               # Ok.
+               ;;
+       *)
+               exit_with_error "ERROR cannot update. No IPFire Kernel." 1
+               ;;
+esac
+
+# Check diskspace on root
+ROOTSPACE=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1`
+
+if [ $ROOTSPACE -lt 80000 ]; then
+       exit_with_error "ERROR cannot update because not enough free space on root." 2
+       exit 2
+fi
+
+# Remove the old kernel
+rm -rf /boot/System.map-*
+rm -rf /boot/config-*
+rm -rf /boot/ipfirerd-*
+rm -rf /boot/initramfs-*
+rm -rf /boot/vmlinuz-*
+rm -rf /boot/uImage-*-ipfire-*
+rm -rf /boot/zImage-*-ipfire-*
+rm -rf /boot/uInit-*-ipfire-*
+rm -rf /boot/dtb-*-ipfire-*
+rm -rf /lib/modules
+rm -f  /etc/sysconfig/lm_sensors
+
+# Remove files
+
+# Stop services
+
+# Extract files
+extract_files
+
+# update dhcpcd.conf
+
+# update linker config
+ldconfig
+
+# Update Language cache
+/usr/local/bin/update-lang-cache
+
+# Start services
+
+# Search sensors again after reboot into the new kernel
+rm -f  /etc/sysconfig/lm_sensors
+
+# Upadate Kernel version uEnv.txt
+if [ -e /boot/uEnv.txt ]; then
+       sed -i -e "s/KVER=.*/KVER=${KVER}/g" /boot/uEnv.txt
+fi
+
+# call user update script (needed for some arm boards)
+if [ -e /boot/pakfire-kernel-update ]; then
+       /boot/pakfire-kernel-update ${KVER}
+fi
+
+case "$(uname -m)" in
+       i?86)
+               # Force (re)install pae kernel if pae is supported
+               rm -rf /opt/pakfire/db/installed/meta-linux-pae
+               rm -rf /opt/pakfire/db/rootfiles/linux-pae
+               if [ ! "$(grep "^flags.* pae " /proc/cpuinfo)" == "" ]; then
+                       ROOTSPACE=`df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1`
+                       BOOTSPACE=`df /boot -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1`
+                       if [ $BOOTSPACE -lt 22000 -o $ROOTSPACE -lt 120000 ]; then
+                               /usr/bin/logger -p syslog.emerg -t ipfire \
+                               "core-update-${core}: WARNING not enough space for pae kernel."
+                               touch /var/run/need_reboot
+                       else
+                               echo "Name: linux-pae" > /opt/pakfire/db/installed/meta-linux-pae
+                               echo "ProgVersion: 0" >> /opt/pakfire/db/installed/meta-linux-pae
+                               echo "Release: 0"     >> /opt/pakfire/db/installed/meta-linux-pae
+                       fi
+               else
+                       touch /var/run/need_reboot
+               fi
+               ;;
+       *)
+               # This update needs a reboot...
+               touch /var/run/need_reboot
+               ;;
+esac
+
+# Finish
+/etc/init.d/fireinfo start
+sendprofile
+
+# Update grub config to display new core version
+if [ -e /boot/grub/grub.cfg ]; then
+       grub-mkconfig -o /boot/grub/grub.cfg
+fi
+
+sync
+
+# Don't report the exitcode last command
+exit 0
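Review bot: The result of `extract_files` is never checked, although by that point the script has already run `rm -rf /boot/vmlinuz-*` and `rm -rf /lib/modules`. If extraction fails, the system is left without a kernel or modules and the script still ends in `exit 0`, so a broken emergency update is recorded as installed. Assuming `extract_files` (sourced from functions.sh, not visible here) returns non-zero on failure, guard it with `extract_files || exit_with_error "ERROR cannot extract files." 3`. The free-space guard ahead of the deletions also fails open: `[ $ROOTSPACE -lt 80000 ]` is unquoted, so an empty value from the `df` pipeline makes `[` error out and execution falls through to the removals, whereas `[ "${ROOTSPACE:-0}" -lt 80000 ]` treats an unparsable value as no space. That guard looks only at `/`, while the PAE branch further down checks `/boot` separately with `BOOTSPACE`.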
diff --git a/make.sh b/make.sh
index 170b165..2377c40 100755 (executable)
--- a/make.sh
+++ b/make.sh
@@ -26,8 +26,8 @@ NAME="IPFire"                                                 # Software name
 SNAME="ipfire"                                                 # Short name
 # If you update the version don't forget to update backupiso and add it to core update
 VERSION="2.23"                                                 # Version number
-CORE="137"                                                     # Core Level (Filename)
-PAKFIRE_CORE="137"                                             # Core Level (PAKFIRE)
+CORE="138"                                                     # Core Level (Filename)
+PAKFIRE_CORE="138"                                             # Core Level (PAKFIRE)
 GIT_BRANCH=`git rev-parse --abbrev-ref HEAD`                   # Git Branch
 SLOGAN="www.ipfire.org"                                                # Software slogan
 CONFIG_ROOT=/var/ipfire                                                # Configuration rootdir