From ab044c15b1a2d7bc1b43ef541ec62d46a4040bce Mon Sep 17 00:00:00 2001 From: Ben Grande Date: Sun, 7 Jul 2024 15:26:52 +0200 Subject: [PATCH] feat: bump Pi-Hole version Many of the Pi-Hole releases of this year were made due to security vulnerabilities. None of them are to concern to Qusal users. - GHSA-jg6g-rrj6-xfg6: Requires authenticated user; - GHSA-95g6-7q26-mp9x: Requires authenticated user; and - GHSA-3597-244c-wrpj: Requires shell in the same qube running Pi-Hole. The admin interface is only allowed through localhost, therefore only sys-pihole and sys-pihole-browser qubes have access to it, blocked by firewall (nftables) and HTTP server (lighttpd). Qubes with access to the admin interface are not of a concern, we assume that every qube that has access to the admin interface is trusted, therefore, only if a qube doesn't have access to the admin interface and can gain access, it becomes a concern, which hasn't happened. --- salt/sys-pihole/install.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/sys-pihole/install.sls b/salt/sys-pihole/install.sls index 1c96ac22..e43d8ecc 100644 --- a/salt/sys-pihole/install.sls +++ b/salt/sys-pihole/install.sls @@ -7,7 +7,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later {% if grains['nodename'] != 'dom0' %} -{% set pihole_tag = 'v5.18.2' -%} +{% set pihole_tag = 'v5.18.3' -%} include: - utils.tools.common.update
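Review bot: On the `pihole_tag` line, the new value 'v5.18.3' is still a tag name, which is a mutable ref, and nothing in the visible context shows the ref being verified after checkout. If the states that consume `pihole_tag` do not already check a signature or compare the checkout against a known commit hash, consider recording the expected hash next to the tag so that each bump also documents exactly what was reviewed. The commit message lists three advisories but not the releases involved; putting "v5.18.2 -> v5.18.3" in the subject would make the log searchable by version.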