3.71.12.20231014 released

Created with Sketch.

This is release 3.71.12.20231014 of RaspberryMatic which is a maintenance release with the following bugfixes and feature changes:

Downloads License Donate GitHub sponsors

Hier klicken fΓΌr deutschsprachige πŸ‡©πŸ‡ͺπŸ‡¦πŸ‡ΉπŸ‡¨πŸ‡­ Version des ChangeLogs/Diskussionsbeitrag

🚧 Changes:

For all changes, see the full commit log.

CCU/HomeMatic service changes:

  • integrated CloudMatic addon update which integrates a temporary workaround to keep VPN connections working with newer OpenSSL/OpenVPN versions which marked connections with deprecated SHA1-hashed certificates as insecure/weak. Now the tls-cipher "DEFAULT:@SECLEVEL=0" vpn client option is added to workaround this until EasySmarthome/Cloudmatic has updated their certificate infrastructure to use proper SHA256 secured certificates (#2442).
  • updated Mediola NEOserver addon to latest 2.13.0 version.
  • modified lighttpd startup/config to return “503 Service unavailable” status codes if the CCU startup is not yet finished. This should prevent potential runtime issues in case external engines like ioBroker or HomeAssistant are trying to use remoteAPI ports when not all CCU services are properly started. In addition, we also allow now only certain query URLs for port 8181/48181.
  • modified ReGaHss init script to make sure the pid file will have world readable permissions so that hss_led can query its status.
  • made sure ReGaHss will run on umask 0027 per default so that the regadom file will be generated with a bit more strict file security settings.
  • integrated a first bunch of modifications so that the hss_led, eq3configd, ssdpd, snmpd and nut services/daemons will be executed using dedicated non-priviledged users and groups rather than always as the root user. This should slightly improve security for these services so that they are not able to access resources they don’t have explicit permission for (#599).

WebUI changes:

  • enhanced 0041-WebUI-Patch by adding CCU-Jack to interface/category selector (#2446, #2445, @Baxxy13).
  • updated CodeMirror to 5.65.15.
  • added another minor style glitch fix to 0039-WebUI-Fix-Style-Glitches WebUI patch to show the buttons in the direct link pages in bold font weight to make the look&feel consistent with the rest.

Operating system changes:

  • integrated openresolv/resolvconf support so that the resolv.conf DNS config management can be performed dynamically in future rather than always generating a static resolv.conf file upon bootup.
  • removed obsolete PATH settings in S46tailscaled init script. Together with the recently introduced openresolv package this finally allows to correctly utilize the MagicDNS functionality in tailscale so that DNS settings will be dynamically adapted accordingly, thus all tailscale machines being reachable via their names (#2399).
  • integrated new buildroot upstream patch to bump libcurl to 8.4.0 to integrate important security fixes (CVE-2023-38545, CVE-2023-38546)
  • fixed shellcheck warnings/errors in dhcp.script and eQ3StartNetwork
  • fixed tailscale reverse proxy setup in lighttpd so that we can register for tailscale VPN again using the WebUI.
  • updated upstream linux kernel to 6.1.57.
  • updated tailscale to latest 1.50.1 version.
  • updated buildroot to latest 2023.08.1 and retired a bunch of upstream patches we were maintaining for a while and are now integrated.
  • introduced rc.shutdown script execution (#2452, @Baxxy13).
  • enhanced all SXX init scripts which executes a rc.xxx script by adding echo outputs to signal that these scripts are executed and also added a maximum timeout of 120 seconds for these scripts so that they can’t block startup/shutdown anymore (#2450, @Baxxy13).
  • regression fix for rc.postlocal (#2449, @Baxxy13).
  • introduce /usr/local/etc/rc.postlocal post startup script (#2447, #2338, @Baxxy13).
  • replaced deprecated vga kernel command option with grub gfxpayload variable use so that no deprecated warning should be displayed anymore.
  • added new 0018-grub2-fix-incompat-ext2 buildroot upstream patch which patches grub2 to ignore certain newer ext filesystem features which could hinder grub2 from correctly recognized an ext filesystem thought it is still valid. This is especially critical for the metadata checksum seed feature which since the latest e2fsck 1.47.0 version is now a default settings, thus renders new ext filesystems as grub2 incompatible without these upstream grub2 patches not part of buildroot yet. (cf. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031325, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030939)
  • updated java azul to latest LTS major version 17 (17.44.53-ca-jre17.0.8.1) and modified java-azul buildroot package accordingly which is quite some major bump in the java version potentially improving processing speed of HMIPServer.
  • globally enable BR2_ENABLE_LTO for all our buildroot configs for potentially improved performance and smaller binaries.
  • use “armv7” in all our docker container builds rather than “linux/arm” or “armhf” to solve certain HA addon update issues (cf. #2393).
  • modified install-proxmox.sh to be able to choose a dedicated VM ID (#2424, @indiana11011100).
  • retire 0012-ffmpeg-rpi-userland-aarch64 buildroot upstream patch as upstream fixed the aarch64 builds for rpi-userland.
  • updated nodejs to 18.18.1 by adapting our nodejs buildroot upstream patchset.

πŸ‘ͺ Contributors (alphabetically):

πŸ“ Support:

For support on installation and help please visit the following web pages:

RaspberryMatic – Documentation πŸ‡ΊπŸ‡Έ
RaspberryMatic – Discussions πŸ‡ΊπŸ‡Έ
RaspberryMatic – Dokumentation πŸ‡©πŸ‡ͺ
RaspberryMatic – Forum πŸ‡©πŸ‡ͺ

πŸ“¦ Download:

The following installation archives can be downloaded for different hardware platforms. To verify their integrity a sha256 checksum is provided as well. You can either upload these files using the WebUI-based update mechanism or unarchive them to e.g. flash the included *.img files on a fresh installation media (e.g. microSD card):