v8.20
- DietPi-Dashboard | Resolved an issue where an attacker could have caused a Denial-of-Service via parallel unanswered TLS handshakes (CVE-2023-38505). The update to the dashboard v0.6.2, which solves the issue, will be automatically applied as part of the DietPi update: GHSA-3jr4-9rxf-fr44
MichaIng committed Jul 27, 2023
1 parent a7b7caf commit 611d775
Showing 2 changed files with 8 additions and 0 deletions.
7 changes: 7 additions & 0 deletions .update/patches
Expand Up @@ -1414,6 +1414,13 @@ Patch_8_20()
[[ -f '/etc/nginx/sites-dietpi/dietpi-pihole.conf' ]] && G_EXEC sed -i 's/add_header X-XSS-Protection "1; mode=block";/add_header X-XSS-Protection "0";/' /etc/nginx/sites-dietpi/dietpi-pihole.conf
[[ -f '/etc/lighttpd/conf-enabled/99-dietpi-pihole.conf' ]] && G_EXEC sed -i 's/"X-XSS-Protection" => "1; mode=block"/"X-XSS-Protection" => "0"/' /etc/lighttpd/conf-enabled/99-dietpi-pihole.conf
fi

# DietPi-Dashboard: https://github.com/ravenclaw900/DietPi-Dashboard/releases/tag/v0.6.2
if grep -q '^[[:blank:]]*aSOFTWARE_INSTALL_STATE\[200\]=2' /boot/dietpi/.installed
then
G_DIETPI-NOTIFY 2 'Preparing DietPi-Dashboard update to fix CVE-2023-38505 DoS vulnerability ...'
echo 200 >> /var/tmp/dietpi/dietpi-update_reinstalls
fi
fi
}

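Review bot: the `echo 200 >> /var/tmp/dietpi/dietpi-update_reinstalls` line in the new DietPi-Dashboard block has no guard against a duplicate entry and no check that the target directory exists, and unlike the `sed` calls above it is not wrapped in `G_EXEC`, so a write failure would pass silently and the CVE-2023-38505 fix would never be queued. Consider something like `grep -qx 200 /var/tmp/dietpi/dietpi-update_reinstalls 2>/dev/null || G_EXEC eval 'echo 200 >> /var/tmp/dietpi/dietpi-update_reinstalls'` so that re-running `Patch_8_20()` does not queue the reinstall twice and a failed write is reported. It would also help to state in the `G_DIETPI-NOTIFY` message that the dashboard is only fixed once the queued reinstall has completed, since this hunk only schedules it.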
1 change: 1 addition & 0 deletions CHANGELOG.txt
Expand Up @@ -13,6 +13,7 @@ Enhancements:
Bug fixes:
- General | Resolved an issue where the automated first run setup could have failed as images were shipped with cron enabled, which could have led to concurrent APT executions. cron is now disabled first and enabled after first run setup has finished. Many thanks to @Timoses for reporting this issue: https://dietpi.com/forum/t/during-initial-boot-could-not-get-lock-var-lib-apt-lists-lock/17385
- Raspberry Pi | Resolved an issue on Bookworm systems where FFmpeg and related A/V libraries and development headers could not be installed, since the raised epoch version of those from the Raspberry Pi repository is leading to conflicts with the newer ones from the Debian Bookworm repository.
- DietPi-Dashboard | Resolved an issue where an attacker could have caused a Denial-of-Service via parallel unanswered TLS handshakes (CVE-2023-38505). The update to the dashboard v0.6.2, which solves the issue, will be automatically applied as part of the DietPi update: https://github.com/ravenclaw900/DietPi-Dashboard/security/advisories/GHSA-3jr4-9rxf-fr44
- DietPi-LetsEncrypt | Resolved a DietPi v8.19 regression where applying the HTTPS certificate for Lighttpd fails. Many thanks to @midniteca for reporting this issue: https://github.com/MichaIng/DietPi/issues/6460
- DietPi-Config | Resolved an issue where enabling Bluetooth on SBCs with Armbian firmware failed, because of a conflict between armbian-firmware and bluez-firmware packages. bluez-firmware will not be tried to be installed anymore if armbian-firmware is. Many thanks to @innovodev for reporting this issue: https://dietpi.com/forum/t/upgrading-dietpi-from-bullseye-to-bookworm/15963/16
- DietPi-Software | Lighttpd: Resolved a DietPi v8.19 regression where the installation of Pi-hole, ownCloud, Nextcloud, Pydio and WikiMedia failed if Lighttpd was selected as webserver and HTTPS not yet enabled via dietpi-letsencrypt. Many thanks to @bruno-briner for reporting this issue: https://github.com/MichaIng/DietPi/issues/6455
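Review bot: the new DietPi-Dashboard changelog entry should name the affected dashboard versions (everything before v0.6.2, going by the advisory link) so readers can tell whether their installation was exposed, and "Denial-of-Service" would read better as "denial of service" in line with the other entries' casing. Linking the CVE number to its advisory, as is done with GHSA-3jr4-9rxf-fr44, would also make the entry easier to cross-reference.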