Trouble when upgrading from core 157 to core 158

Getting Started with IPFire Updates Trouble
56

Hi all,

since there are actually two issues discussed in this thread, I will try and bring some light into it:

  1. It is fine to experience an “Internal Server Error” or a temporarily unresponsive web interface during the update. This is because we change all the CGIs in the background due to this security vulnerability. Since there is a short timeframe where some CGIs are updated and some are not, quirks are expected here.
    This behaviour should only last for a couple of seconds, and everything should behave fine afterwards again without any manual interaction.

  2. Any other issues we are currently aware of are caused by a tar bug, which is apparently causing directory permissions to go down the drain on some systems (we do not really know how this group of affected IPFire installations look like).
    This is fixed by this commit, and cannot happen again in future releases. However, there is a chicken-and-egg problem here, as existing installations will extract the update using the old tar command - this is why, despite being fixed, this error appears in production.
    However, to prevent any further damage, this commit has been added after the release of Core Update 158, and fixes potentially bogus permissions for good measure.
    All installations not yet upgraded to C158 should therefore not run into these errors. :slight_smile:

To repair semi-broken installations, all you need to do is to run the command introduced in the second commit:

chmod -v 755 /usr /usr/bin /usr/lib /usr/sbin /var /var/ipfire

As @ms already pointed out, please do not set other permissions, or be too permissive: Insecure file system permission are a huge security threat, especially when it comes to confidential files such as private keys.

Needless to say, users are as always strongly advised to keep their IPFire machines up to date. :slight_smile:

Also, please test Core Updates and provide feedback on them. The more people are doing so, the better - especially if they are running setups we are not aware of or are unable to test ourselves.

To avoid duplicates and confusion, please use this thread for questions related to (2) only. Should you experience any different issues, please open up new threads for them, so we investigate step by step.

I will close duplicate threads discussing the same problem, and link them to this one. Feel free to continue conversations related to (2) here. :slight_smile:

Thanks, and best regards,
Peter Müller

5 Likes