Posts for: #self-hosted

Pi-Hole Mitigates Two Newly Discovered DNSSEC Vulnerabilities

Pi-Hole has announced that they are addressing two new DNSSEC vulnerabilities in their upcoming versions. The vulnerabilities are found in dnsmasq, the DNS resolver that Pi-hole FTL is forked from. These vulnerabilities can be exploited through specially crafted DNSSEC answers, leading to degraded performance and denial of service attacks. It is important to note that the vulnerabilities are not limited to Pi-hole and can affect other DNSSEC validating DNS resolvers as well.

The author of dnsmasq, Simon Kelley, explains that the vulnerabilities are due to a failure in the DNSSEC specification. The solution for dnsmasq is to impose hard limits on the amount of “work” a DNSSEC validation can take. These limits have been set with significant headroom and can be overridden if necessary. The vulnerabilities have been assigned the CVE numbers CVE-2023-50387 and CVE-2023-50868 and are rated as “high” severity.

Pi-Hole has already released fixes for these vulnerabilities in their beta version of Pi-hole v6.0 and is preparing to release them in the stable version as well. Disabling DNSSEC validation entirely can remove the vulnerability, but Pi-Hole strongly advises upgrading to the fixed version instead. Upgrading to the fixed version will ensure that DNSSEC validation does not impede other server workloads.

For users still using the stable versions of Pi-hole (v5.x), it is recommended to either manually check out the development branch or disable DNSSEC for the time being and rely on the upstream server for DNSSEC validation. However, it is important to ensure that the upstream server is on a sufficiently recent version, such as unbound version 1.19.1, which has been fixed.

Update: Pi-Hole has now released the update. Run pihole -up to apply.

Pi-hole FTL and Core Receive Latest Updates

Pi-hole has released updates to its FTL (v5.24) and Core (v5.17.3) components. These updates bring several changes and improvements to enhance the performance and functionality of Pi-hole.

While the development team is primarily focused on the upcoming v6.0 beta, they remain committed to supporting and enhancing v5. They understand that many users still rely on v5 and want to ensure that it remains robust and up-to-date. Consequently, certain improvements and changes developed for v6.0 will be backported to v5, providing the best experience for all users, whether they are part of the public beta or not.

The FTL changes in this release include updating the dependabot.yml file, adding pihole-FTL sqlite3 -ni, fixing a possible crash with high client activity, and implementing special domains whitelisting. These changes aim to improve the stability and performance of Pi-hole FTL.

On the other hand, the Core changes include adding “-ni” to all sqlite3 invocations in v5. This modification ensures the proper functioning of sqlite3 in Pi-hole Core.

Users are advised to read the detailed changelogs before updating to these latest versions. The FTL changelog can be found here, and the Core changelog can be accessed here.

Source: Pi-Hole.

BookStack Unveils Latest Update: BookStack v23.10.1

BookStack has recently released version 23.10.1 of their software. This update brings several fixes and changes to improve the user experience.

One notable addition is the inclusion of “Norwegian Nynorsk” as a language option for users. This expands the accessibility of BookStack to a wider range of users who speak this language.

Another improvement is the addition of a JavaScript public event for customizing codemirror instances. This feature allows users to have more control over their coding experience within BookStack.

Additionally, the update includes handling that allows users to jump to headers and sections within collapsible sections. This enhances the navigation experience within the software and makes it easier for users to find the information they need.

BookStack v23.10.1 also introduces support for PHP 8.3, ensuring compatibility with a newer version of PHP.

Several fixes have also been implemented in this release. The header bar no longer peeks through on the markdown editor’s fullscreen mode, providing a seamless writing experience. Additionally, the incorrect color usage for editor toolbox active tabs has been fixed, improving the visual consistency of the software.

Gitea Releases Version 1.21.3

Gitea has announced the release of version 1.21.3. This update includes 18 merged pull requests and fixes for a security vulnerability. Users are strongly encouraged to update to this version for important bug fixes.

One notable improvement in this release is that it is built with the latest released version of Golang to resolve the announced CVE with Golang. The specific CVE addressed is CVE-2023-48795.

The problem that was fixed in this release was contributed by @wxiaoguang.

For those interested in updating to Gitea 1.21.3, the software can be downloaded from the downloads page. The installation guide provides more information on how to install the update.

For a full list of changes in Gitea 1.21.3, refer to the Changelog.

README Highlight Issue #50, 2023: memos

In this week’s issue of README Highlight (#50, 2023), we are taking a look at the following project: memos.

The memos project is a privacy-first, lightweight note-taking service that allows users to easily capture and share their great thoughts. It is designed for individuals who value their privacy and prefer a minimalist approach to note-taking.

Some key points about memos include:

  • Open source and free forever: memos is an open-source solution that is available for free, ensuring that creativity knows no boundaries.
  • Self-hosting with Docker in just seconds: With Docker, users can easily deploy memos and have full control over their data and privacy.
  • Pure text with added Markdown support: memos focuses on simplicity by providing a pure text interface with support for Markdown formatting.
  • Customize and share notes effortlessly: memos offers intuitive sharing features that allow users to collaborate and distribute their notes with others.
  • RESTful API for third-party services: memos provides a RESTful API that enables integration with other services, opening up new possibilities.

To deploy memos with Docker, users can use the following command:

docker run -d --name memos -p 5230:5230 -v ~/.memos/:/var/opt/memos ghcr.io/usememos/memos:latest

The ~/.memos/ directory serves as the data directory on the local machine, while /var/opt/memos is the directory of the volume in Docker and should not be modified.

Contributions to the memos project are greatly appreciated, as they help make the open-source community a vibrant place to learn, inspire, and create.

The project has also gained popularity and has been contributed to by various developers. Some notable contributions include:

In conclusion, memos is a privacy-focused note-taking service that offers a simple and customizable experience. With its open-source nature and support for Docker deployment, memos provides users with full control over their data and privacy. Whether you are a developer, a DevOps enthusiast, or someone who enjoys maintaining a home lab, memos can be a valuable tool for capturing and sharing your thoughts.

Source: memos README.

Uptime Kuma Releases Version 1.23.9 of Self-Hosted Uptime Monitor

Uptime Kuma, the self-hosted uptime monitor, has released version 1.23.9, bringing several improvements, bug fixes, and security fixes to the platform.

One important note is that this release may be a breaking change for those using third-party frontends or tools. The WebSocket origin now needs to match the server hostname. Users who need to skip this check can set the environment variable UPTIME_KUMA_WS_ORIGIN_CHECK to bypass.

Here are the improvements included in this release:

  • Added an aria-label to the monitor search box, improving accessibility.
  • Added a helptext for the ntfy’s priority field, providing better guidance to users.

The bug fixes in this release are as follows:

  • Corrected the maintenance start/end time input to use the explicitly specified timezone, ensuring accurate time tracking.
  • Fixed the buttons of ActionsSelect and ActionsInput that had a default type="submit", preventing unintended form submission.

In terms of security fixes, the following updates were made:

  • Changing the password now closes all logged-in socket connections immediately, preventing unauthorized access.
  • The WebSocket server can now only be connected from the same origin, similar to the CORS policy.
  • An environment variable called UPTIME_KUMA_WS_ORIGIN_CHECK has been added, with two options: cors-like (default) and bypass.

Additionally, this release includes other small changes, code refactoring, and comment/documentation updates.
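As an added illustration (not Uptime Kuma's own code), the following Node.js function shows the kind of "cors-like" WebSocket origin check described above: the host in the Origin header must match the Host header, a handshake without an Origin (a non-browser client) is allowed, and the bypass mode read from UPTIME_KUMA_WS_ORIGIN_CHECK disables the check. The header values below are constructed samples, and checkWsOrigin and modeFromEnv are names chosen here.

```javascript
/**
 * Decide whether a WebSocket handshake may proceed (illustrative, not Uptime Kuma's code).
 * @param {{host?: string, origin?: string}} headers  lower-cased handshake headers
 * @param {string} mode  "cors-like" (default) or "bypass", the two values the release describes
 * @returns {{allowed: boolean, reason: string}}
 */
function checkWsOrigin(headers, mode = "cors-like") {
  if (mode === "bypass") {
    return { allowed: true, reason: "origin check bypassed by configuration" };
  }
  if (mode !== "cors-like") {
    throw new Error(`unsupported origin-check mode: ${mode}`);
  }
  const { host, origin } = headers;
  if (!host) {
    return { allowed: false, reason: "missing Host header" };
  }
  // Browsers always send Origin on WebSocket handshakes; scripted clients usually do not.
  // Without an Origin there is no cross-site page to protect against, so the request passes.
  if (!origin) {
    return { allowed: true, reason: "no Origin header (non-browser client)" };
  }
  let originHost;
  try {
    originHost = new URL(origin).host; // includes the port, like the Host header
  } catch {
    // Covers "Origin: null" (sandboxed iframes) and malformed values: reject rather than guess.
    return { allowed: false, reason: `unparseable Origin: ${origin}` };
  }
  if (originHost !== host) {
    return { allowed: false, reason: `Origin ${origin} does not match Host ${host}` };
  }
  return { allowed: true, reason: "same-origin" };
}

// Map the environment variable to a mode; anything other than "bypass" keeps the default check.
function modeFromEnv(env = process.env) {
  return env.UPTIME_KUMA_WS_ORIGIN_CHECK === "bypass" ? "bypass" : "cors-like";
}

// Constructed sample handshakes (not captured traffic).
const samples = [
  { host: "status.example.internal:3001", origin: "http://status.example.internal:3001" }, // same origin
  { host: "status.example.internal:3001", origin: "http://other.example" },               // cross-site page
  { host: "status.example.internal:3001" },                                               // CLI client
];
for (const h of samples) {
  const r = checkWsOrigin(h, modeFromEnv());
  console.log(`${r.allowed ? "ALLOW" : "DENY "} ${JSON.stringify(h)}: ${r.reason}`);
}
```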