Release date: 2021-01-26
Development branch: esr-11.9
Supported version: WSUS Offline Update, Community Edition 11.9.7
The Linux download scripts, version 1.19.4-ESR try to keep up with WSUS Offline Update, Community Edition 11.9.7. These scripts are not compatible with the upcoming Community Edition 11.9.8, because of major changes in the calculation of dynamic updates.
Bugfixes
The Security-only Safety Guard did not work with GitLab
If security-only downloads are selected, then the full update rollups must be excluded from both download and installation. This requires a manual configuration, because incremental security-only updates and cumulative update rollups cannot be distinguished automatically.
The function seconly_safety_guard tries to make sure, that several configuration files in the directories client/static and client/exclude have been updated after the last official patch day; otherwise the download will be postponed.
Previously, the file modification date of these files would be compared to the current date. This worked well with Trac/svn. It does not work anymore with GitLab, because GitLab does not set the Last-Modified header for files, which are extracted from the version control system. Therefore, newly downloaded files will always have the file modification date set to the current date and time.
The Security-only Safety Guard now searches literally for the expected month name in the configuration files.
New Features
Optional "fast mode" for the calculation of the integrity database
WSUS Offline Update uses three hash function to create the integrity database: MD5, SHA-1 and SHA-256. This always looked over-engineered, and it is unnecessarily slow on old machines. An optional "fast mode" was introduced, which only calculates the SHA-1 hash. This option can be enabled in the file preferences.bash.
The resulting hashdeep files will be compatible with previous versions of the Linux scripts and with the Windows scripts, because hashdeep recognizes the file format automatically in its auditing mode. You don't need to delete any existing files in the directory ../client/md, because the hashdeep files will be deleted and recreated automatically on each download run.
Note: The Windows script DownloadUpdates.cmd can use the same fast mode with a small patch. This is only needed, if you like to compare the results on Windows and Linux with the script compare-integrity-database.bash:
- Change the hashdeep option "-c md5,sha1,sha256" to "-c sha1" everywhere.
- Find the line:
- Code: Select all
for /F "usebackq tokens=3,5 delims=," %%i in ("%TEMP%\sha1-%1-%2.txt") do (
and change it to:- Code: Select all
for /F "usebackq tokens=2,3 delims=," %%i in ("%TEMP%\sha1-%1-%2.txt") do (
The hashdeep files are used for a quick integrity check: The expected SHA-1 hash is embedded into the filename of most security updates. It is compared to the calculated SHA-1 hash in the hashdeep file. If they don't match, then the downloaded file will be deleted.
For this comparison, the script extracts fields 3 and 5 of the comma-separated hashdeep files in its default mode. It extracts fields 2 and 3 in the fast mode.
Default field order of the hashdeep files:- Code: Select all
Field 1 = File size
Field 2 = MD5 hash
Field 3 = SHA-1 hash as calculated by hashdeep
Field 4 = SHA-256 hash
Field 5 = Relative pathname with embedded SHA-1 hash
Field order in the fast mode:- Code: Select all
Field 1 = File size
Field 2 = SHA-1 hash as calculated by hashdeep
Field 3 = Relative pathname with embedded SHA-1 hash
Warning: The patch for the Windows script DownloadUpdates.cmd was tested and should work so far, but if you mess this up, all existing downloads will be deleted due to "mismatching SHA-1 hashes".
Changed Features
Default languages are removed on the fly
By default, WSUS Offline Update downloads updates for the languages English and German.
In the Windows version, the default languages can be removed with the scripts RemoveGermanLanguageSupport.cmd and RemoveEnglishLanguageSupport.cmd. More languages can be added with the script AddCustomLanguageSupport.cmd.
The new Linux download scripts always tried to do that in a more consistent way:
- First, the default languages are removed from several global files in the directory wsusoffline/static.
- All languages, which are selected on the command-line, are then added back from the localized files in the same directory.
In previous versions, the removal of default languages would modify the global input files on disk. Now the default languages are removed on the fly, without changing the input files at all.
This functionality is implemented as a new function filter_default_languages in the file ./libraries/dos-files.bash. The script ./download-updates-tasks/30-remove-default-languages.bash is obsolete and will be removed.
hashdeep messages are duplicated with tee
The functions create_integrity_database and verify_integrity_database now use "tee" to duplicate messages from hashdeep and to write them to the logfile and the screen. This is possible, because the logfile is referenced with absolute paths since version 1.11 of the Linux download scripts.
Previously, a workaround was needed, because relative paths to the logfile would become invalid, if the working directory was changed with pushd/popd.
Network timeouts are increased
The values for timeout and waitretry are increased for both wget and aria2.
Sysinternals utilities are downloaded to the directory ../bin
The archives AutoLogon.zip, Sigcheck.zip and Streams.zip are downloaded to the directory ../bin, as in the Windows script DownloadUpdates.cmd.
Three more obsolete configuration files are removed
The following configuration files are no longer needed in the esr-11.9 version and will be removed:
- Code: Select all
../static/StaticDownloadLink-mkisofs.txt
../static/StaticDownloadLinks-mkisofs.txt
../client/static/StaticUpdateIds-ie10-w61.txt
Renamed the functions filter_cr and todos_line_endings
The functions filter_cr and todos_line_endings are both meant to change line endings from and to DOS. They are now named more appropriately:
- Code: Select all
filter_cr -> dos_to_unix
todos_line_endings -> unix_to_dos
Removed features
Removed support for Office 2010
This removes the following files:
- Code: Select all
../static/StaticDownloadLinks-o2k10-*.txt
../client/static/StaticUpdateIds-o2k10.txt
Removed support for Windows 10 version 1709
The following files will be removed:
- Code: Select all
../exclude/ExcludeList-w100-1709.txt
../client/static/StaticUpdateIds-w100-16299.txt
../client/static/StaticUpdateIds-w100-16299-x64.txt
../client/static/StaticUpdateIds-w100-16299-x86.txt
../client/static/StaticUpdateIds-wupre-w100-16299.txt
../client/static/StaticUpdateIds-servicing-w100-16299.txt
../client/static/StaticUpdateIds-w100-16299-dotnet.txt
../client/static/StaticUpdateIds-w100-16299-dotnet4-528049.txt
Downloads
The download links for this version are:
- http://downloads.hartmut-buhrmester.de/linux-scripts-1.19.4.tgz
- http://downloads.hartmut-buhrmester.de/linux-scripts-1.19.4_hashes.txt
- http://downloads.hartmut-buhrmester.de/linux-scripts-1.19.4_virusreport.pdf
- http://downloads.hartmut-buhrmester.de/linux-scripts-1.19.4_virusreport-fullpage.png
Link for the online check at VirusTotal. Note, that the URL includes the SHA-256 hash of the archive:
The hashes for the archive linux-scripts-1.19.4.tgz are:
- Code: Select all
MD5 9eb76a18e3a5561add6d1b5a92d16835
SHA-1 618e6697a4cb40cdeb31f537f45eaa0992bf977a
SHA-256 54b1323ea4300db6d860dc1e3726e715b92b22ea56926be3df00868260438e6c
Further Reading
The first three posts in the original topic A complete rewrite of the Linux scripts are still being updated, to point to the latest version: