From patchwork Sat Jan 15 09:15:54 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?=
 <peter.mueller@ipfire.org>
X-Patchwork-Id: 4970
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384
	 client-signature ECDSA (P-384) client-digest SHA384)
	(Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 4JbXb55fLJz3wtb
	for <patchwork@web04.haj.ipfire.org>; Sat, 15 Jan 2022 09:16:01 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384)
	 client-signature ECDSA (P-384))
	(Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4JbXb44b91zsy;
	Sat, 15 Jan 2022 09:16:00 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4JbXb435K8z2ySQ;
	Sat, 15 Jan 2022 09:16:00 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384
 client-signature ECDSA (P-384) client-digest SHA384)
 (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK))
 by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4JbXb30W5zz2ySQ
 for <development@lists.ipfire.org>; Sat, 15 Jan 2022 09:15:59 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384)
 (No client certificate requested)
 by mail01.ipfire.org (Postfix) with ESMTPSA id 4JbXb16TcTzf9
 for <development@lists.ipfire.org>; Sat, 15 Jan 2022 09:15:57 +0000 (UTC)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003ed25519; t=1642238158;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding;
 bh=7/8eYFkxLmSdA5A5Jib77JO9+zAt2eWdECkNuB+BlC8=;
 b=79icExcFVGgTlU+7JUSAyvf2FZ7V0H2FUpSl8Fx8eI4kvkUYxmqdtpZWgNjRD+nje711o+
 2HldMlbZu5vmYACA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003rsa;
 t=1642238158;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding;
 bh=7/8eYFkxLmSdA5A5Jib77JO9+zAt2eWdECkNuB+BlC8=;
 b=rOJtnx803rAIc9f+baT+2NFMkr2toUO36CKLOLEeMkgWn1VreEgqBz3VwLFyaBzE6Xr+as
 AVaTfurdtVnygXRoBcexQieUSSxZ2ohfwPVjtTuyiLaNPHTE3ELwVgDIHQhXoLzUO+yFpa
 JAP3L0ZHQ0ghdq86m7oD76nkAM4NPo3hbkVejOGOgEBFV9dNYoCtNPdwaE3MVXdLAeE0Aw
 A93OJwkx2Ds/CXhW6XWbwmcAIiGnMYP2xuypwPLvwNFrXL6d0702uJ1wsOfMn8ngLdV6+D
 BCP37vPu8DZru2FsCsjk0Eu6E31OOgDF2s3uReMYP4lE96MIqTUQvKcuXPdZ2g==
Message-ID: <9e7f86f1-3db1-cdab-f246-a786fde22c79@ipfire.org>
Date: Sat, 15 Jan 2022 09:15:54 +0000
MIME-Version: 1.0
Content-Language: en-US
To: "IPFire: Development" <development@lists.ipfire.org>
From: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@ipfire.org>
Subject: [PATCH] index.cgi: Display a warning if the last Core Update was
 installed more than 90 days ago
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
 <mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <http://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
 <mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

At the time of writing, Fireinfo reports more 51.67% of all
installations reporting back to us are running at least two Core Updates
older than the latest one.

While I doubt we can expect our userbase to patch their systems within
24 hours (which is the recommended timespan given for critical
infrastructures by multiple CERTs), if they the last Core Update was
installed more than 90 days ago, we can safely consider the system in
question being outdated and insecure.

Therefore, this patch displays a warning on index.cgi, in addition to
the "an update is available" message - in the hope to nudge people to
keep their IPFire machines up to date.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Bernhard Bitsch <bbitsch@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
---
 html/cgi-bin/index.cgi | 10 +++++++++-
 langs/de/cgi-bin/de.pl |  1 +
 langs/en/cgi-bin/en.pl |  1 +
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/html/cgi-bin/index.cgi b/html/cgi-bin/index.cgi
index 2b7ccdb0f..fbd656988 100644
--- a/html/cgi-bin/index.cgi
+++ b/html/cgi-bin/index.cgi
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2014  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2022  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -541,6 +541,14 @@ if ( ! -e "/var/ipfire/main/send_profile") {
 	$warnmessage .= "<li><a style='color: white;' href='fireinfo.cgi'>$Lang::tr{'fireinfo please enable'}</a></li>";
 }
 
+# Running on likely outdated Core Update (last update was more than 90 days ago)
+my ($dev, $ino, $mode, $nlink, $uid, $gid, $rdev, $size, $atime, $mtime, $ctime, $blksize, $blocks) = stat "/opt/pakfire/db/core/mine";
+my $core_update_age = time() - $mtime;
+
+if ( "$core_update_age" > "7776000" ) {
+	$warnmessage .= "<li>$Lang::tr{'outdated installation warning'}</li>";
+}
+
 # EOL architecture
 my ($sysname, $nodename, $release, $version, $machine) = &POSIX::uname();
 if ($machine =~ m/^i.86$/) {
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index c81b28fea..2ae0f948c 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1878,6 +1878,7 @@
 'otherport' => 'Anderer Port',
 'our donors' => 'Unsere Unterstützer',
 'out' => 'Aus',
+'outdated installation warning' => 'Diese IPFire-Installation ist veraltet, was ein Sicherheitsrisiko darstellt. Bitte aktualisieren Sie das System schnellstmöglich.',
 'outgoing' => 'ausgehend',
 'outgoing compression in bytes per second' => 'Abgehende Kompression',
 'outgoing firewall' => 'Ausgehende Firewall',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 2f7038fb1..8d1eb3e2d 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1914,6 +1914,7 @@
 'otherport' => 'other Port',
 'our donors' => 'Our donors',
 'out' => 'Out',
+'outdated installation warning' => 'This IPFire installation is outdated, which is a security risk. Please check for and install updates as soon as possible.',
 'outgoing' => 'outgoing',
 'outgoing compression in bytes per second' => 'Outgoing compression',
 'outgoing firewall' => 'Outgoing Firewall',