This is release 220.127.116.1190831 of RaspberryMatic which is a major release including the following new features, minor bugfixes and important security fixes:
CCU service changes:
- updated OCCU firmware to 3.47.15-5 version with full compatibility to the CCU3 3.47.15 firmware which comes with the following changes:
- Changes in the WebUI were not saved anymore upon logoff from the WebUI.
- RF-based actors for registering energy consumption (
HM-ES-PMSw1-Pl*) showed energy values with “NaN” rather than the actual consumption numbers.
- The config dialogs for channel 3 of the
HM-MOD-EM-8Bit(Version 1.0) were not displayed.
- The duty cycle display on the main page of the WebUI could show incorrect values if additional LAN gateways were connected to the CCU.
- added new
R1.00.0388.0212 (Aug 28 2019)version with the following changes:
- if a system/esp url is accessed without a valid session id the web browser will be instructed to redirect to the login.htm instead. This should make these esp pages more secured to be accessed without a valid session id.
- fixed several security issues regarding potential remote code execution issues where processing POST requests even worked without a valid session.
- fixed CVE-2019-9583 where certain url redirections to the login page still ended up in exposing session ids in Location http response headers.
- fixed CVE-2019-9726 which allowed to display the content of any arbitrary file on the filesystem due to a NUL-byte vulnerability in the web server.
- fixed CVE-2019-14474 where an empty
Call("")execution caused ReGaHss to crash unexpectively.
- fixed bug where upon session clearance a warning was output even for empty session ids, thought the session was most probably cleared already.
- fixed a bug in the new
State()function with delay routines where due to missing ISE value conversion the delay functionality didn’t work for HSSDP objects. Now the routines try to convert the supplied ISE value to the appropriate type or returns false if the value conversion didn’t work and thus the
State()call couldn’t be executed as expected (#659).
- fixed invalid “pointer is null” error output in case no channel dps should be cleared.
- changed monit configuration to check for an existing
/etc/config/internetCheckDisabledfile which will cause the regular monit-based internet check to be disabled and thus not cause any alarm message if the internet connection is lost for a certain amount of time (#664).
- raised the monit-based alarm threshold to 5 minutes for warning about high cpu/memory usage so that the system will warn/alarm only if the cpu/memory is exhausted for a longer period of time.
- changed the daily cronBackup to be executed with a processing “nice” value of 10 so that other more important processes have higher cpu priority.
- updated embedded CloudMatic CCU Add-on package to latest version with additional sessionID-based security fixes applied.
- updated embedded Mediola NeoServer CCU Add-on package to version 2.4.6.
- integrated a new WebUI patch to improve the security in session clearance upon a WebUI logout (0060).
- integrated a new WebUI patch sorting the standard WebUI menu items alphabetically and adding dedicated menu icons as well as displaying the favorite list on the main page alphabetically sorted (#663, #665, @jp112sdl, 0061).
- enhanced the DutyCycle display WebUI patch to display up to 5 additional LAN gateway connections (#670, 0057).
- slightly enhanced the DutyCycle display WebUI patch to display more nicely (#674, #675, @ptweety, 0057).
- fixed a bug in the improved script editor WebUI patch where the editor window was automatically horizontally resized if the content in the editor got too large (#671, 0046).
- fixed a bug in the ESP Security WebUI patch which prevented the initial WebUI installation wizard to correctly save the provided Admin password (#677, @quickmic, 0052).
- reworked ESP Security WebUI patch to contain more robust fixes for certain ESP related security issues and also integrated some more ESP security fixes in
programs.fnwhich should fix CVE-2019-14475 and CVE-2019-14473 (0052).
Linux operating system changes:
- added support for new RaspberryPi4 Model B hardware supporting all three different 1GB, 2GB and 4GB models. Please note, that due to RaspberryPi firmware limitations the HDMI console will currently not show any kernel bootup messages and that the HDMI port can not be automatically powered off to reduce RF interferences.
- integrated USB ethernet gadget mode for RaspberryPi Zero and RaspberryPi Zero W (requires
/etc/config/usbGadgetModeEnabled) which allows to connect the USB port directly to a separate Linux/macOS/Windows system and use this connection as an alternative Ethernet connection (eth0) to connect to the internet (#648, #216, @fhirschmann).
- updated Linux kernel version to 4.19.69 for ASUS Tinkerboard and 4.19.68 for RaspberryPi including the corresponding RaspberryPi firmware files.
- updated embedded Java version to latest stable 1.8.0_222-18.104.22.168.
- updated the embedded Bluetooth firmware files for RaspberryPi to the latest official versions.
- streamlined all U-boot settings throughout all different hardware platforms to unify the feature sets accordingly.
- enabled lz4 compression for kernel images and cpio compression in all defconfig files. This should make uncompression (thus bootup) slightly faster since lz4 should perform way better than standard gzip.
max-workersetting in global
lighttpd.confto potentially fix issues with large file uploads.
👪 Contributors (alphabetically): 📝 Support:
For support on installation and help please visit the following (german speaking) help fora:
The following installation archives (
.zip files) can be downloaded for selected hardware platforms (including a
.tgz update archive to upgrade from a CCU3 firmware to RaspberryMatic). To verify their integrity a
sha256 checksum is listed as well. Please upload these zip files using the WebUI-based update mechanism available:
- RaspberryPi4 Model B:
- CCU3, ELV-Charly, RaspberryPi3 Model B+, RaspberryPi3 Model B, RaspberryPi3 Model A+, RaspberryPi2 Model B, RaspberryPi Compute Module 3, RaspberryPi Compute Module 3 lite:
- RaspberryPi Zero W, RaspberryPi Zero, RaspberryPi Compute Module 1, RaspberryPi1 (A+/B+):
- Tinker Board S, Tinker Board:
- CCU3 (only required once for switching from original CCU3 firmware to RaspberryMatic):