How to install old version 2.5.1 of openHAB 2?

Hi all,

I am currently doing research for my thesis in the area of IoT device security, where I am specifically looking at the Raspberry Pi.

For this, I would like to reproduce and examine a CVE disclosed for org.openhab.binding.exec, affecting versions < 2.5.2 (see this security advisory Exec add-ons allow remote arbitrary command execution · Advisory · openhab/openhab-addons · GitHub).

In doing so, I need to install a sufficiently old version of openHAB - a use case that seems to be (for obvious reasons) not supported.

The way I see it, the following options would be potentially applicable to my situation:

  • Installation via package repositories, in my case via apt

    • Problem: after adding the unstable repository, the oldest package version that is still published is 2.5.3 - too young for my research:

      sudo apt-cache madison openhab2

      openhab2 |   2.5.12-1 | <https://openhab.jfrog.io/artifactory/openhab-linuxpkg> unstable/main i386 Packages
      openhab2 |   2.5.12-1 | <https://openhab.jfrog.io/artifactory/openhab-linuxpkg> unstable/main amd64 Packages
      openhab2 |    2.5.3-1 | <https://openhab.jfrog.io/artifactory/openhab-linuxpkg> unstable/main i386 Packages
      openhab2 |    2.5.3-1 | <https://openhab.jfrog.io/artifactory/openhab-linuxpkg> unstable/main amd64 Packages
      
  • Manual download as linked on the download site for openHAB v2

    • This links to this JFrog artifactory: JFrog - the oldest version is 2.5.12
  • Using the openHABian installer image/script

    • also downloads from the same JFrog artifactory, so even with an option to change the downloaded version, no other packages would be available than listed above

TL;DR: I can find no way to download a prepackaged/installable binary of the version 2.5.1 of openHAB.

Is there some way to either

  1. download the binary from somewhere, or
  2. build it from source, as is available on GitHub?

Disclaimer: I am aware that what I’m trying to achieve is not a supported use case as per the documentation, and I am thus on my own. However, I still attempt to ask here in the forum, on the off chance that someone else either has the same issue, or has found a way to get a hold of the older versions.

Thank you very much!

Florian

Because of the shutdown of Bintray and the way they shut it down, we lost all the artifacts for all versions of OH prior to 2.5.12. You might be able to find something out on the internet archive or the like, but we do not have any jar files, kar files, etc. prior to OH 2.5.12.

In a pinch, you should be able to pull the source code for the Exec binding from GitHub with the 2.5.2 tag (or earlier) and build it. There were no changes to OH core between 2.5.0 and 2.5.12. Only add-ons were changed during that time. So if you can manage to find or build a version of the add-on for an earlier 2.5 version, it will work on 2.5.12.

See Developer Guide | openHAB for details on how to build. GitHub - openhab/openhab-addons: Add-ons for openHAB is the repo with all the add-ons. There appears to be 2.5.0 and 2.5.1_pr6764 tags.

Check if Central Repository: org/openhab/distro/openhab/2.5.0 provides what you are looking for. Addons then would be available via Central Repository: org/openhab/distro/openhab-addons/2.5.0

Thank you very much for the help - this was exactly what I was looking for!
I tried installing openHAB 2.5.0 with the links to the Central Repository Wolfgang_S provided. This has worked fine, except for the fact that upon startup, openhab tries to download mvn:org.openhab.ui.bundles/org.openhab.ui.dashboard/2.5.0, for which it probably can’t find the artifacts online.
This results in an exception and the web interface not coming up.

The bundle listed in the stack trace seems to be from the repository GitHub - openhab/openhab-webui: Web UIs of openHAB. When I build these from source, can I add them into the /opt/openhab/addons/ directory as with the other add-ons in order to load them without having them available online?

The second link @Wolfgang_S provided is to a .kar file containing all the add-ons. If you put that into the addons folder OH will install them from it instead of trying to download it online.

I attempted this, and also setting remote = false in /opt/openhab/conf/services/addons.cfg as mentioned in other forum posts.
The addons file lies in the /opt/openhab/addons folder, with the following permissions:
-rwxr-xr-x 1 openhab openhab 190203584 Nov 23 13:46 openhab-addons-2.5.0.kar

Still, when I launch openhab with sudo su -s /bin/bash -c '/opt/openhab/start.sh' openhab, I run into the following exception:

org.apache.karaf.features.internal.util.MultiException: Error:
	Error downloading mvn:org.openhab.ui.bundles/org.openhab.ui.dashboard/2.5.0
	at org.apache.karaf.features.internal.download.impl.MavenDownloadManager$MavenDownloader.<init>(MavenDownloadManager.java:91)
	at org.apache.karaf.features.internal.download.impl.MavenDownloadManager.createDownloader(MavenDownloadManager.java:72)
	at org.apache.karaf.features.internal.region.Subsystem.downloadBundles(Subsystem.java:457)
	at org.apache.karaf.features.internal.region.Subsystem.downloadBundles(Subsystem.java:452)
	at org.apache.karaf.features.internal.region.SubsystemResolver.resolve(SubsystemResolver.java:224)
	...
	Suppressed: java.io.IOException: Error downloading mvn:org.openhab.ui.bundles/org.openhab.ui.dashboard/2.5.0
		at org.apache.karaf.features.internal.download.impl.AbstractRetryableDownloadTask.run(AbstractRetryableDownloadTask.java:77)
		at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
		at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
		at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:304)
		... 3 more
	Caused by: java.io.IOException: Error resolving artifact org.openhab.ui.bundles:org.openhab.ui.dashboard:jar:2.5.0: [Could not transfer artifact org.openhab.ui.bundles:org.openhab.ui.dashboard:jar:2.5.0 from/to openhab (https://dl.bintray.com/openhab/mvn/online-repo/2.5/): Remote host terminated the handshake]
        ...
		Caused by: shaded.org.apache.maven.wagon.TransferFailedException: Remote host terminated the handshake
        ...
		Caused by: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
			...
		Caused by: java.io.EOFException: SSL peer shut down incorrectly
			...
	Caused by: shaded.org.eclipse.aether.resolution.ArtifactResolutionException: Error resolving artifact org.openhab.ui.bundles:org.openhab.ui.dashboard:jar:2.5.0
		...

Edit: When I try the same with the current 2.5.12-files (.zip archive and .kar file) downloaded from the website, it works without the exception. Is there maybe an issue with the files linked above in the Maven Central Repository?

Should work; it looks like the file is part of the kar file:


7z l  openhab-addons-2.5.0.kar  | grep -i bundles/org.openhab.ui.dashboard/2.5.0/org.openhab.ui.dashboard-2.5.0.jar
2019-12-15 22:23:54 .....       417840       390221  repository/org/openhab/ui/bundles/org.openhab.ui.dashboard/2.5.0/org.openhab.ui.dashboard-2.5.0.jar
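The same check generalized to every artifact a startup log reports as failed, as an added example that is not part of the original post: it maps each `mvn:` coordinate from "Error downloading" lines to its entry path inside the KAR (a zip archive) and reports whether the archive ships it. The sample log's third line, the in-memory KAR and all function names are constructed for illustration, and plain jar artifacts are assumed.

```python
import io
import re
import zipfile

# Karaf logs artifacts as mvn:groupId/artifactId/version (plain jars assumed here).
MVN_URL = re.compile(r"mvn:([\w.\-]+)/([\w.\-]+)/([\w.\-]+)")

# Constructed sample: two lines copied from the trace above, one made-up artifact.
SAMPLE_LOG = """\
\tError downloading mvn:org.openhab.ui.bundles/org.openhab.ui.dashboard/2.5.0
\tSuppressed: java.io.IOException: Error downloading mvn:org.openhab.ui.bundles/org.openhab.ui.dashboard/2.5.0
\tError downloading mvn:org.example.constructed/missing.bundle/1.0.0
"""


def kar_path(group_id, artifact_id, version, ext="jar"):
    """Map Maven coordinates to the entry path in a KAR's embedded repository."""
    return "repository/{}/{}/{}/{}-{}.{}".format(
        group_id.replace(".", "/"), artifact_id, version, artifact_id, version, ext)


def failed_artifacts(log_text):
    """Return the distinct coordinates named in 'Error downloading' log lines."""
    seen = []
    for line in log_text.splitlines():
        match = MVN_URL.search(line) if "Error downloading" in line else None
        if match and match.groups() not in seen:
            seen.append(match.groups())
    return seen


def check_kar(kar_file, log_text):
    """Report, per failed artifact, whether the KAR already contains it."""
    with zipfile.ZipFile(kar_file) as kar:
        names = set(kar.namelist())
    return {kar_path(*gav): kar_path(*gav) in names
            for gav in failed_artifacts(log_text)}


def build_sample_kar():
    """Constructed stand-in for openhab-addons-2.5.0.kar with one empty entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as kar:
        kar.writestr(kar_path("org.openhab.ui.bundles",
                              "org.openhab.ui.dashboard", "2.5.0"), b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for path, present in check_kar(build_sample_kar(), SAMPLE_LOG).items():
        print("present" if present else "MISSING", path)
```

`check_kar` also accepts a file path, so it can be pointed at the real `.kar` in the addons folder together with the saved startup log. A "present" result only shows that the artifact is in the archive, not that Karaf resolves it from there.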

This is what I saw as well - the remote = false setting in the config does not seem to affect the download that is started.
The issue also does not occur when I download the 2.5.12 from the website.
Is this somehow expected with this setup/is there a way around this problem?

When I run 2.5.12 with the add-ons from 2.5.0, both versions of all add-ons are listed in the Paper UI - but when I try to install binding-exec v2.5.0, it installs the 2.5.12-version, not 2.5.0 as locally provided in the add-ons folder.

In this case 2.5.12 was installed including its addons and then you added 2.5.0 addons? Then I would say it is normal to see both.
What is the base for your installation (did you use this tar file https://repo1.maven.org/maven2/org/openhab/distro/openhab/2.5.0/openhab-2.5.0.tar.gz) and then add the related 2.5.0 addons, or did you use a later distribution (e.g. 2.5.12) and then add 2.5.0 addons?