fix some strings, add a blog post, fix docker container

Dockerfile

@@ -1,10 +1,12 @@
-FROM debian:buster
+FROM debian:oldoldstable
 ENV SERVERNAME=geti2p.net
 ENV SERVERMAIL=example@geti2p.net
 
 WORKDIR /var/www/i2p.www
 
     ## Install the dependencies
+#RUN #grep -v security.debian /etc/apt/sources.list > /etc/apt/sources.list.bak && \
+    #grep -v stretch-updates /etc/apt/sources.list.bak > /etc/apt/sources.list && \
 RUN apt-get update && \
     apt-get -y install apache2 apache2-utils libapache2-mod-wsgi python2-dev python-pip patch python-virtualenv git python-polib
 

i2p2www/blog/2023/06/25/new_release_2.3.0.rst

@@ -0,0 +1,67 @@
+{% trans -%}
+=================
+I2P Release 2.3.0
+=================
+{%- endtrans %}
+.. meta::
+    :author: idk
+    :date: 2023-06-25
+    :category: release
+    :excerpt: {% trans %}I2P 2.3.0: Security Fixes, Tweakable Blocklists{% endtrans %}
+
+{% trans -%}
+This release contains fixes for CVE-2023-36325.
+CVE-2023-36325 is a context-confusion bug which occurred in the bloom filter.
+An attacker crafts an I2NP message containing a unique messageID, and sends that messageID to a client.
+The message, after passing through the bloom filter, is not allowed to be re-used in a second message.
+The attacker then sends the same message directly to the router.
+The router passes the message to the bloom filter, and is dropped.
+This leaks the information that the messageID has been seen before, giving the attacker a strong reason to believe that the router is hosting the client.
+This has been fixed by separting the bloom filter's functionality into different contexts based on whether a message came down a client tunnel, an exploratory tunnel, was sent to the router directly.
+Under normal circumstances, this attack takes several days to perform successfully and may be confounded by several factors such as routers restarting during the attack phase and sensitivity to false-positives.
+Users of Java I2P are recommended to update immediately to avoid the attack.
+{%- endtrans %}
+
+{% trans -%}
+In the course of fixing this context confusion bug, we have revised some of our strategies to code defensively, against these types of leaks.
+This includes tweaks to the netDb, the rate-limiting mechanisms, and the behavior of floodfill routers.
+{%- endtrans %}
+
+{% trans -%}
+This release adds not_bob as a second default hosts provider, and adds <a href="http://notbob.i2p">notbob.i2p</a> and <a href="http://ramble.i2p">ramble.i2p</a> to the console homepage.
+{%- endtrans %}
+
+{% trans -%}
+This release also contains a tweakable blocklist.
+Blocklisting is semi-permanent, each blocked IP address is normally blocked until the router is restarted.
+Users who observe explosive blocklist growth during sybil attacks may opt-in to shorter timeouts by configuring the blocklist to expire entries at an interval.
+This feature is off-by-default and is only recommended for advanced users at this time.
+{%- endtrans %}
+
+{% trans -%}
+This release also includes an API for plugins to modify with the Desktop GUI(DTG).
+It is now possible to add menu items to the system tray, enabling more intuitive launching of plugins which use native application interfaces.
+{%- endtrans %}
+
+{% trans -%}
+As usual, we recommend that you update to this release.
+The best way to maintain security and help the network is to run the latest release.
+{%- endtrans %}
+
+**DETAILS**
+
+*Changes*
+
+- {% trans %}netDb: Throttle bursts of netDB lookups{% endtrans %}
+- {% trans %}Sybil/Blocklist: Allow users to override blocklist expiration with an interval{% endtrans %}
+- {% trans %}DTG: Provide an API for extending DTG with a plugin{% endtrans %}
+- {% trans %}Addressbook: add notbob's main addressbook to the default subscriptions.{% endtrans %}
+- {% trans %}Console: Add Ramble and notbob to console homepage{% endtrans %}
+
+*Bug Fixes*
+
+- {% trans %}Fix replay attack: CVE-2023-36325{% endtrans %}
+- {% trans %}Implement handling of multihomed routers in the netDb{% endtrans %}
+- {% trans %}Fully copy new leaseSets when a leaseSet recievedAsPublished overwrites a leaseSet recievedAsReply{% endtrans %}
+
+Full list of fixed bugs: http://git.idk.i2p/i2p-hackers/i2p.i2p/-/issues?scope=all&state=closed&milestone_title=2.3.0

i2p2www/pages/downloads/docker.html

@@ -29,7 +29,7 @@ services:
 <h4 id="volumes">{% trans -%}Volumes{%- endtrans %}</h4>
 <p>{% trans -%}The container requires a volume for the configuration data to be mounted. Optionally, you can mount a separate volume for torrent (“i2psnark”) downloads. See the example below.{%- endtrans %}</p>
 <h4 id="memory-usage">{% trans -%}Memory usage{%- endtrans %}</h4>
-<p>{% trans -%}By the default the image limits the memory available to the Java heap to 512MB. You can override that with the <code>JVM_XMX</code> environment variable.{%- endtrans %}</p>
+<p>{% trans -%}By default the image limits the memory available to the Java heap to 512MB. You can override that with the <code>JVM_XMX</code> environment variable.{%- endtrans %}</p>
 <h4 id="ports">{% trans -%}Ports{%- endtrans %}</h4>
 <p>{% trans -%}There are several ports which are exposed by the image. You can choose which ones to publish depending on your specific needs.{%- endtrans %}</p>
 <table>

i2p2www/pages/downloads/list.html

@@ -51,16 +51,17 @@ If you would like to try the latest experimental I2P projects, visit the <a href
     </div>
     {% endcall %}
 
-    <h5>{%- trans %}I2P Easy Install Bundle for Mac OS X{%- endtrans %}</h5>
+    <h5>{%- trans %}I2P for Mac OS X{%- endtrans %}</h5>
-    {% call package_outer('mac', "Mac OS X", 'images/download/mac-osx.png') %}
+    {% call package('mac') %}
-    <h3>{% trans %}I2P Easy Install Bundle for Mac OS X{% endtrans %}</h3>
+    <p>{% trans i2pversion=ver() -%} I2P is available as a Java application for Mac OSX. It is distributed as a Java <code>.jar</code> installer and therefore MacOS will ask you for explicit permission to run the software.
-    <p>{% trans i2pversion=ver() -%}The I2P Easy Install Bundle for Mac OS X is packaged using OSX's standard ".dmg" package type, which allows it to use Apple's built-in tools to securely, reliably, and easily install the package. It does not require Java to be installed.
         {%- endtrans %}</p>
     <div class="file">
-        <a class="default" href="{{ get_url('downloads_mac') }}">{% trans %}I2P Easy Install Bundle for Mac OS X{% endtrans %}</a>
+        <p></p>
+        <a class="default" href="{{ get_url('downloads_windows') }}">{% trans %}Here is a helpful guide to installing I2P for Mac OS using a separate Java installation and the classic installer.{% endtrans %}</a>
     </div>
     {% endcall %}
 
+
     <h5>{%- trans %}I2P for Linux{%- endtrans %}</h5>
     {% call package('unix') %}
     <p>{% trans i2pversion=ver() -%} The most reliable way to launch the installer is from a terminal like this: