Weekly Release Notes / Up-to-date Test Snap

For topics that do not fit in another sub-forum.

Moderator: Oberlus

LienRag
Large Juggernaut
Posts: 929
Joined: Fri May 17, 2019 5:03 pm

Re: Weekly Release Notes / Up-to-date Test Snap

#136 Post by LienRag »

Ophiuchus wrote: Sat May 29, 2021 7:31 am Do we have a list of security concerns? Running a multiplayer server is probably the most exposed.
Else connecting to a malicious multiplayer server. Loading a tainted save game.
So what shall we do about the sixteen multiplayer game?
If I understand correctly, to patch the vulnerability we need to update the server, then restart it?
Which means starting the game anew?

Ophiuchus wrote: Sat May 29, 2021 7:31 am "it's well known" means in this case that you do not know what you are talking about.
I will neither confirm nor deny this.

o01eg
Programmer
Posts: 1284
Joined: Sat Dec 10, 2011 5:46 am

#137 Post by o01eg »

LienRag wrote: Sat May 29, 2021 3:10 pm So what shall we do about the sixteen multiplayer game?
If I understand correctly, to patch the vulnerability we need to update the server, then restart it?
Which means starting the game anew?
All listed vulnerabilities are in libx11, which the server doesn't use.
Gentoo Linux x64, gcc-10.3, boost-1.76.0
Ubuntu Server 20.04 x64, gcc-9.3, boost-1.71.0
Welcome to the slow multiplayer game at freeorion-lt.dedyn.io. Version 2021-10-05.980fd8e.
Donations're welcome: BTC: bc1q007qldm6eppqcukewtfkfcj0naut9njj7audnm

Ophiuchus
Programmer
Posts: 2192
Joined: Tue Sep 30, 2014 10:01 am
Location: Wall IV

#138 Post by Ophiuchus »

o01eg wrote: Sun May 30, 2021 6:08 am All listed vulnerabilities are in libx11, which the server doesn't use.
Also the server does not use the snap.
Any code or patches in anything posted here is released under the CC and GPL licences in use for the FO project.

Look, ma... four combat bouts!

LienRag
Large Juggernaut
Posts: 929
Joined: Fri May 17, 2019 5:03 pm

#139 Post by LienRag »

Ophiuchus wrote: Sun May 30, 2021 11:11 am Also the server does not use the snap.
Oh.
So I just need to refresh the snap and I'll be able to play the sixteen game without any vulnerability?
(I mean any of the recently discovered ones)

Ophiuchus
Programmer
Posts: 2192
Joined: Tue Sep 30, 2014 10:01 am
Location: Wall IV

#140 Post by Ophiuchus »

LienRag wrote: Sun May 30, 2021 7:44 pm
Ophiuchus wrote: Sun May 30, 2021 11:11 am Also the server does not use the snap.
Oh.
So I just need to refresh the snap and I'll be able to play the sixteen game without any vulnerability?
(I mean any of the recently discovered ones)
Basically yes, but until it's rebuilt you will have the vuln. Pretty sure it is this one: https://ubuntu.com/security/CVE-2021-31535

But it is the x system inside of the container which is vulnerable. So if you exec into the container and e.g. connect to a malicious server via ssh you might get owned.

Geoff the Medio
Programming, Design, Admin
Posts: 13140
Joined: Wed Oct 08, 2003 1:33 am
Location: Munich

#141 Post by Geoff the Medio »

Ophiuchus wrote: Sun May 30, 2021 10:43 pm But it is the x system inside of the container which is vulnerable.
The chances that there are no other potentially exploitable bugs with all the other FreeOrion dependencies and within FreeOrion's own code seem quite low to me. Nobody's doing detailed audits or interface fuzzing tests. The checksum mechanism to verify isn't (and isn't intended to be) cryptographically secure and can easily be patched out server side. I doubt anyone's even tested what happens if a server sends a nominally game-rule compliant but unusual gamestate or maliciously constructed chat message. Outside of an oddly-specific targeted attack, using FreeOrion as an attack vector would seem not worth the effort, but if someone is paranoid enough to care about the risk... then I probably don't need to point out that they exist anyway... so I'm not sure what my point is here.

Ophiuchus
Programmer
Posts: 2192
Joined: Tue Sep 30, 2014 10:01 am
Location: Wall IV

#142 Post by Ophiuchus »

LienRag wrote: Sun May 30, 2021 7:44 pm ...
YFJI as you seemed especially anxious, I published a rebuild of the latest/beta/long game on amd64.

LienRag
Large Juggernaut
Posts: 929
Joined: Fri May 17, 2019 5:03 pm

#143 Post by LienRag »

Thanks!

As you pointed out earlier, I'm not really knowledgeable enough to know if it's rational to be anxious, but the general policy is to not leave known vulnerabilities unpatched.

Ophiuchus
Programmer
Posts: 2192
Joined: Tue Sep 30, 2014 10:01 am
Location: Wall IV

#144 Post by Ophiuchus »

Quick note: I also did a rebuild of latest/stable aka 0.4.10/stable (rev 215 (amd64) and 216 (i386)).

Also I tried building the weekly test build, but there is suddenly some library issue "freeorion: error while loading shared libraries: libOpenGL.so.0: cannot open shared object file: No such file or directory". Don't have time to fix this this week probably.

Ophiuchus
Programmer
Posts: 2192
Joined: Tue Sep 30, 2014 10:01 am
Location: Wall IV

#145 Post by Ophiuchus »

Ophiuchus wrote: Wed Jun 02, 2021 5:08 am Also I tried building the weekly test build, but there is suddenly some library issue "freeorion: error while loading shared libraries: libOpenGL.so.0: cannot open shared object file: No such file or directory". Don't have time to fix this this week probably.
Hoped that was just a glitch, but the error seems to stay, so I get this from revisions 217 and 219 (amd64).

edit1: ok, I guess 1d443f1c5600 (or related) is the culprit - according to description it prefers to link libOpenGL, which is currently not included in my snap build (remote-build based on core18) I think. Not sure how to deliver/expose the necessary lib (or force libgl) yet. Will probably open an issue in order to get help.

Ophiuchus
Programmer
Posts: 2192
Joined: Tue Sep 30, 2014 10:01 am
Location: Wall IV

#146 Post by Ophiuchus »

Stable 0.4.10.1 build is available on channel 0.4.10/stable; the 0.4.10 channel is also the current default channel (v0.4.10.1 rev=215 amd64 rev=216 i386).

Weekly test build based on master:

freeorion_2021-06-08. rev=222 channel=beta (amd64)
no i386 build; someone changed the dependencies and I do not have a fitting build (yet)

news
  • snap weekly: build-remote on core20; i386 build is broken
    ...

Ophiuchus
Programmer
Posts: 2192
Joined: Tue Sep 30, 2014 10:01 am
Location: Wall IV

#147 Post by Ophiuchus »

Stable 0.4.10.1 build is available on channel 0.4.10/stable; the 0.4.10 channel is also the current default channel (v0.4.10.1 rev=215 amd64 rev=216 i386).

Weekly test build based on master - THIS IS NOT SMOKE TESTED (don't have a machine to do that until the next weekly build, so I think it is better to release it anyway):

Temporarily reverted to rev=222

freeorion_2021-06-14.60a4a7e rev=223 channel=beta (amd64)
no i386 build; someone changed the dependencies and I do not have a fitting build (yet)

news
  • content: add Bureaucracy policy (geoff)
  • content: unlock Exploration policy with Galactic Exploration tech (geoff)
  • content: split Terror Suppression into half stability improvement and have directly reducing rebel troop levels (geoff)
  • content: Reduce influence malus of Indoctrination and Checkpoints policies (oberlus)
  • content: Indoctrination doubles influence production of influence-focused planets (oberlus)
  • content: Species influence trait applied at scaling priority (oberlus)
  • content: Influence upkeep costs and beginner bonus applied after most other effects. (oberlus)
  • content: Destroy on capture and set visibility: BLD_ABANDON_OUTPOST, BLD_COLONY_INDEPENDENCE_DECREE (agrrr3)
  • bugfix: indoctrination policy was missing an import (agrrr3)
  • focs: TurnSystemExplored, TurnsSincePolicyAdopted and CumulativeTurnsPolicyAdopted (geoff)
  • UI/pedia: sort adopted policies in empire pedia article by adoption turn (geoff)
  • UI/pedia: population improvements, new named valrefs (oberlus)
  • python/AI: refactorings (cjkjvfnby)
  • backend: lots of grooming and some refactoring (geoff)
  • i18n: french update as usual (Ouaz)
edit1: 2021-06-18, temporarily reverted to rev=222 (last week's build) as LienRag reported beta channel not working for him.
edit2: found a machine to test channel latest/edge (at rev 223); worked for me, so probably a problem on LienRag's side.

Also branch channel latest/beta/slow-game-016 timed out, I pushed rev=214 freeorion_2021-05-11.4f04bdc

Ophiuchus
Programmer
Posts: 2192
Joined: Tue Sep 30, 2014 10:01 am
Location: Wall IV

#148 Post by Ophiuchus »

Stable 0.4.10.1 build is available on channel 0.4.10/stable; the 0.4.10 channel is also the current default channel (v0.4.10.1 rev=215 amd64 rev=216 i386).

Weekly test build based on master, seems we skipped a week

freeorion_2021-06-29.24a08d6 rev=224 channel=beta (amd64)
no i386 build; someone changed the dependencies and I do not have a fitting build (yet)

news
  • content: fix Industry Center to make sure you never lose production after researching a refinement (grummel7)
  • content: Nymnmn attract some fields, added field repellor building (geoff)
  • content: added Technocracy policy, like Industrialism but for research, unlocked by having Bureaucracy adopted (geoff)
  • content: Fixed calculation for (dis-)liked building in other systems (#3503, grummel7)
  • content: Adjust diversity policy effects to match description (grummel7)
  • content: reduced Meteor Blizzard total research generation to depend on sqrt(#ships) within it (geoff)
  • content: Environmentalism bonus nerfs, also only apply when not using Industry focus and when there are no buildings on a planet (geoff)
  • content: added exploration research policy that grants research when exploring a system. accounting tooltips are glitchy due to use of CurrentTurn comparison. (geoff)
  • content: Military Command provides a 2nd slot after killing 5 ships (geoff)
  • content: lowered stability requirements of solar orbital generation effects (geoff)
  • content: fix calculation issues of research bonus in Distributed Thought Computing (geoff)
  • content: Add happiness species trait plus some rebalance (#3493, oberlus)
  • FOCS: Added NoOp ValueRef::Operation for debug purposes (geoff)
  • FOCS: added Field type condition (geoff)
  • GUI: Combine list of identical building effects into one (#3488, grummel7)
  • GUI: disallow newlines in pedia search edit, which prevents weirdness when pasting in multi-line text (geoff)
  • backend: fixed long-standing bug with ContainedBy condition that returned the opposite of what it should; note that it probably didn't affect gameplay as all uses in the current content follow a different codepath (geoff)
  • backend: track ships that an empire has destroyed, so that they can't be double-counted if multiple ships attack it the same combat round (geoff)
  • cpp/backend: refactorings and groomings (geoff)
  • python/AI: refactorings (..., #3491, ... cjkjvfnby)
  • build: hide cmake PATH-Variables in the advanced section (#3490, sevu)
  • build: Fix compilation (#3496, o01eg)
  • stringtables: documentation updates, additional MIN_STABILITY valuerefs (grummel7)
  • i18n: french update as usual (Ouaz)
Also for channel latest/beta/slow-game-016, I repushed rev=214 freeorion_2021-05-11.4f04bdc so it does not time out.

Vezzra
Release Manager, Design
Posts: 5606
Joined: Wed Nov 16, 2011 12:56 pm
Location: Sol III

#149 Post by Vezzra »

Ophiuchus wrote: Sat Jul 03, 2021 5:15 pm Weekly test build based on master, seems we skipped a week
Yep, last week's builds were broken on macOS.

Ophiuchus
Programmer
Posts: 2192
Joined: Tue Sep 30, 2014 10:01 am
Location: Wall IV

#150 Post by Ophiuchus »

Stable 0.4.10.1 build is available on channel 0.4.10/stable; the 0.4.10 channel is also the current default channel (v0.4.10.1 rev=215 amd64 rev=216 i386).

Weekly test build based on master,

freeorion_2021-07-06.82b2143 rev=225 channel=beta (amd64)
if nobody is complaining, I will drop i386 support as I do not find the time to make the build work.

news
  • content: added Flanking policy - if your stationary ships outnumber the enemy you do extra damage; does not take alliances into account (geoff)
  • content: added The Hunt policy - gain happiness, influence and troops by hunting down natives in your system (geoff)
  • content: Environmentalism penalties also affect Gas Giants, Environmentalism and Industrialism are mutually exclusive (geoff)
  • content: Terraforming policy gives additional bonuses to stability, research, and influence generation on planets that have been terraformed (geoff)
  • content: Two more min stability case and a fix; Ancient ruins, divine authority changed (grummel7)
  • GUI: Split damage estimation into a structural damage part (against ships) and destroy fighters part (agrrr3)
  • GUI: bugfixes for policy slots drag n drop (geoff)
Also for channel latest/beta/slow-game-016, I repushed rev=214 freeorion_2021-05-11.4f04bdc so it does not time out.