commit c5b55a3e7cc6c1645970ca3a76079acc896094b1
Author: root
Date: Mon Sep 22 14:33:29 2025 +0000
Add v2.7.7 critical security patch
diff --git a/apply-v2.7.7.sh b/apply-v2.7.7.sh
new file mode 100755
index 0000000..237d39c
--- /dev/null
+++ b/apply-v2.7.7.sh
@@ -0,0 +1,134 @@
+#!/bin/bash
+# IPTV Server Patch v2.7.7 - Critical Security Fix: Hardware ID Isolation
+# This patch fixes a critical vulnerability where Hardware IDs were synchronized between servers
+
+set -e
+
+echo "====================================="
+echo "IPTV Server Security Patch v2.7.7"
+echo "Critical: Hardware ID Isolation Fix"
+echo "====================================="
+echo
+
+# Check if running as root
+if [ "$EUID" -ne 0 ]; then
+ echo "❌ Please run as root (use sudo)"
+ exit 1
+fi
+
+# Find IPTV installation directory
+INSTALL_DIR="/opt/iptv"
+if [ ! -d "$INSTALL_DIR/app" ]; then
+ echo "❌ IPTV Server not found at $INSTALL_DIR"
+ echo "Looking for alternative locations..."
+
+ # Check common locations
+ for dir in /home/*/iptv-server* /root/iptv-server*; do
+ if [ -d "$dir/app" ]; then
+ INSTALL_DIR="$dir"
+ echo "✅ Found IPTV installation at: $INSTALL_DIR"
+ break
+ fi
+ done
+
+ if [ ! -d "$INSTALL_DIR/app" ]; then
+ echo "❌ Could not find IPTV installation"
+ exit 1
+ fi
+fi
+
+APP_DIR="$INSTALL_DIR/app"
+
+echo "🔍 Installation directory: $INSTALL_DIR"
+echo "📁 Application directory: $APP_DIR"
+echo
+
+# Backup current files
+echo "📦 Creating backup..."
+BACKUP_DIR="/tmp/iptv-backup-$(date +%Y%m%d-%H%M%S)"
+mkdir -p "$BACKUP_DIR"
+
+# Backup files that will be modified
+cp -p "$APP_DIR/license_validator.py" "$BACKUP_DIR/" 2>/dev/null || true
+cp -p "$APP_DIR/license_manager.py" "$BACKUP_DIR/" 2>/dev/null || true
+cp -p "$APP_DIR/demo_middleware.py" "$BACKUP_DIR/" 2>/dev/null || true
+cp -p "$APP_DIR/app.py" "$BACKUP_DIR/" 2>/dev/null || true
+cp -p "$APP_DIR/startup_fix.py" "$BACKUP_DIR/" 2>/dev/null || true
+cp -p "$APP_DIR/version.py" "$BACKUP_DIR/" 2>/dev/null || true
+cp -p "$APP_DIR/VERSION" "$BACKUP_DIR/" 2>/dev/null || true
+
+echo "✅ Backup created at: $BACKUP_DIR"
+echo
+
+# Stop services
+echo "🛑 Stopping IPTV services..."
+docker-compose -f "$INSTALL_DIR/docker-compose.yml" down 2>/dev/null || \
+docker-compose -f "$INSTALL_DIR/docker/docker-compose.iptv.yml" down 2>/dev/null || \
+echo "⚠️ Could not stop services automatically"
+
+# Apply the patch - copy files from current working directory
+echo "🔧 Applying security patch..."
+
+# Get the directory where this script is located
+PATCH_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+SOURCE_DIR="$(dirname "$PATCH_DIR")/iptv-server-install-v2.0.0-licensed/app"
+
+if [ ! -d "$SOURCE_DIR" ]; then
+ echo "❌ Source files not found at: $SOURCE_DIR"
+ echo "Please ensure the patched files are in the correct location"
+ exit 1
+fi
+
+# Copy the patched files
+echo "📝 Updating files..."
+cp "$SOURCE_DIR/license_validator.py" "$APP_DIR/"
+cp "$SOURCE_DIR/license_manager.py" "$APP_DIR/"
+cp "$SOURCE_DIR/demo_middleware.py" "$APP_DIR/"
+cp "$SOURCE_DIR/app.py" "$APP_DIR/"
+cp "$SOURCE_DIR/startup_fix.py" "$APP_DIR/"
+cp "$SOURCE_DIR/version.py" "$APP_DIR/"
+cp "$SOURCE_DIR/VERSION" "$APP_DIR/"
+
+echo "✅ Files updated successfully"
+echo
+
+# Clear Redis license cache (critical for this security fix)
+echo "🗑️ Clearing Redis license cache..."
+docker exec iptv-redis redis-cli --scan --pattern 'license:*' | xargs docker exec iptv-redis redis-cli del 2>/dev/null || \
+echo "⚠️ Could not clear Redis cache automatically - please do this manually"
+
+echo
+echo "📋 Manual Redis cleanup (if automatic failed):"
+echo " docker exec -it iptv-redis redis-cli"
+echo " KEYS license:* | xargs DEL"
+echo " exit"
+echo
+
+# Start services
+echo "🚀 Starting IPTV services..."
+docker-compose -f "$INSTALL_DIR/docker-compose.yml" up -d 2>/dev/null || \
+docker-compose -f "$INSTALL_DIR/docker/docker-compose.iptv.yml" up -d 2>/dev/null || \
+echo "⚠️ Please start services manually"
+
+echo
+echo "====================================="
+echo "✅ Security Patch v2.7.7 Applied!"
+echo "====================================="
+echo
+echo "🔒 SECURITY FIX: Hardware IDs are now isolated per server"
+echo "🔒 Each server maintains its own license state"
+echo "🔒 Prevents license sharing between servers"
+echo
+echo "🔄 Each server will regenerate its license validation on first run"
+echo "📝 Backup saved at: $BACKUP_DIR"
+echo
+echo "⚠️ IMPORTANT: If you have multiple servers:"
+echo " - Apply this patch to ALL servers"
+echo " - Each server will validate independently"
+echo " - License sharing is no longer possible"
+echo
+echo "If you encounter issues:"
+echo "1. Check logs: docker logs iptv-backend"
+echo "2. Restore from backup: cp $BACKUP_DIR/* $APP_DIR/"
+echo "3. Contact support@powerdata.dk"
+echo
\ No newline at end of file
diff --git a/v2.7.7.json b/v2.7.7.json
new file mode 100644
index 0000000..424deb5
--- /dev/null
+++ b/v2.7.7.json
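Review bot: The backup directory is a predictable path under /tmp built only from a timestamp and created with `mkdir -p` while running as root, so a directory or symlink that already exists under that name is silently reused and the copied license files — which the closing message then tells the operator to restore with `cp $BACKUP_DIR/* $APP_DIR/` — land wherever it points. Use an unpredictable, root-owned location instead, e.g. `BACKUP_DIR=$(mktemp -d "$INSTALL_DIR/backup-v2.7.7-XXXXXX") || exit 1`; note too that the `cp -p ... || true` lines swallow backup failures, so the restore hint can be advertised even when the backup is incomplete. Separately, the Redis cleanup pipeline feeds `xargs` without `-r`, so an empty scan result runs `redis-cli del` with no arguments and the step prints the manual-cleanup warning even though there was nothing to clear; `xargs -r` avoids the spurious warning. The patched files are also copied from a sibling directory with no version or checksum check before they overwrite `$APP_DIR`, which a reviewer would want confirmed given the files are the license validator itself.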
@@ -0,0 +1,73 @@
+{
+ "version": "2.7.7",
+ "release_date": "2025-09-22",
+ "severity": "critical",
+ "description": "Critical Security Fix - Hardware ID Isolation",
+ "changelog": [
+ "CRITICAL: Fixed security vulnerability where Hardware IDs were synchronized between servers through Redis",
+ "SECURITY: Each server now maintains completely isolated license state using hardware_id-specific Redis keys",
+ "SECURITY: Prevents license sharing between cloned VMs or servers sharing Redis instance",
+ "FIX: Hardware IDs no longer stored in global Redis keys",
+ "FIX: All license data now scoped to individual hardware_id namespaces",
+ "FIX: Updated license_validator.py to use hardware_id-specific cache keys",
+ "FIX: Updated license_manager.py to always use local hardware_id",
+ "FIX: Updated demo_middleware.py to use hardware_id-specific keys",
+ "FIX: Updated app.py license refresh to clear hardware_id-specific cache",
+ "ENHANCEMENT: Added security comments throughout codebase"
+ ],
+ "files": [
+ {
+ "path": "app/license_validator.py",
+ "action": "update",
+ "content": "# File content will be retrieved from repository"
+ },
+ {
+ "path": "app/license_manager.py",
+ "action": "update",
+ "content": "# File content will be retrieved from repository"
+ },
+ {
+ "path": "app/demo_middleware.py",
+ "action": "update",
+ "content": "# File content will be retrieved from repository"
+ },
+ {
+ "path": "app/app.py",
+ "action": "update",
+ "content": "# Partial update - license refresh endpoint only"
+ },
+ {
+ "path": "app/startup_fix.py",
+ "action": "update",
+ "content": "# Updated version to 2.7.7"
+ },
+ {
+ "path": "app/version.py",
+ "action": "update",
+ "content": "# Updated fallback version to 2.7.7"
+ },
+ {
+ "path": "app/VERSION",
+ "action": "update",
+ "content": "2.7.7"
+ }
+ ],
+ "requirements": {
+ "min_version": "2.7.0",
+ "restart_required": true,
+ "clear_redis_required": true
+ },
+ "install_instructions": [
+ "1. 
This patch fixes a critical security vulnerability",
+ "2. Stop all services before applying",
+ "3. Apply the patch",
+ "4. Clear Redis license keys: redis-cli --scan --pattern 'license:*' | xargs redis-cli del",
+ "5. Restart all services",
+ "6. Each server will regenerate its own isolated license state"
+ ],
+ "rollback_instructions": [
+ "1. Restore previous version files",
+ "2. Restart services",
+ "Note: Rolling back will re-introduce the security vulnerability"
+ ]
+}
\ No newline at end of file
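Review bot: The manifest names the seven files the patch replaces but carries no checksum or signature for any of them, and the `content` field for the three license modules is only the placeholder `# File content will be retrieved from repository`, so anything that consumes this file to apply the patch has nothing to verify the retrieved files against before they replace the license validator. If this manifest drives an automated updater, a per-file digest such as `"sha256": "<digest of the shipped file>"` (and ideally a signature over the manifest) would let the applier refuse a tampered or mismatched file; if it is purely informational, the placeholder `content` entries should say so rather than look like an integrity source.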