Author Topic: Firewall distributions, miscellaneous  (Read 5694 times)

0 Members and 1 Guest are viewing this topic.

Offline SiLæncer

  • Cheff-Cubie
  • *****
  • Posts: 190396
  • No input, no output
    • DVB-Cube
IPFire 2.27 - Core Update 175
« Reply #90 on: 12 June 2023, 19:00 »
Release Notes

Finally, the next update, IPFire 2.27 - Core Update 175, has been released! It updates OpenSSL to the 3.1 branch, features a kernel update as well as a large number of package updates and a variety of bug fixes.

Before we start talking about the changes in detail, we would like to ask for your support. This update has taken a lot of effort to put together and we can't do it without you. So please, if you can, donate to the project helping us to put more resources to bring you more and better updates. It is very much appreciated by all of us here!

OpenSSL 3.1.1

IPFire heavily relies on cryptography which is being implemented by OpenSSL - a library that brings lots of cryptographic primitives and so on. Keeping it up to date is essential for the development team.

Since this release is bringing a major update to OpenSSL 3.1.1 with lots of API changes, a lot of work was necessary under the hood. I would like to highlight that Adolf from our team has been working a lot of overtime to finally get lots of problems especially with OpenVPN resolved (#13137, #13138).

To avoid breaking any custom software IPFire users may run on their installations, OpenSSL 1.1.1's files remain untouched on existing installations until the release of Core Update 176. However, please note that OpenSSL 1.1.1 is scheduled for end of life on September 11, 2023, and ensure any custom changes are made compatible to OpenSSL 3.1.x as soon as possible.

Linux 6.1.30

This Core Update features an update of the Linux kernel. Aside from the usual heap of hardware support improvements, bug fixes, and other improvements, this fixes CVE-2023-32233, a flaw in Linux' Netfilter subsystem permitting local privilege escalation; IPFire installations properly kept up-to-date are thus not considered to be affected. Nevertheless, IPFire users are advised to install Core Update 175 as soon as possible once released, and reboot their systems afterwards.

The kernel now also supports the Armada 38X RTC (#12856) and Intel's XHCI USB Role Switch feature. In addition, IPFire now supports both the OrangePi R1 Plus LTS and NanoPi R2C (plus) SoC.

Miscellaneous

    The hostapd add-on now enables QCA vendor extensions to nl80211, improving performance and stability of WiFi networks provided by an IPFire system with Qualcomm and Atheros cards considerably.
    Legacy firewall rules for PPPoE/PPTP have been dropped, since they are no longer needed, and pose a security risk to IPFire installations with QMI enabled.
    In addition, any bogon filtering has been adjusted to no longer interfere with 224.0.0.0/4, used for multicasting services, such as IPTV.
    rsnapshot has been contributed by Gerd Hoerst and Jon Murphy as a new add-on.
    Downloading large backup files will no longer trigger the OOM killer (#13096).
    The size of the boot partition has been extended to 512 MBytes, which is XFS' minimum requirement.
    Firmware files for APU1 boards are now provided again, to ensure firmware-update can update even very outdated APU boards properly.
    The powertop add-on has been removed, since it requires kernel functionalities which have been disabled due to security concerns in Core Update 171.
    CUPS' HTTPS websites are now properly accessible again (#12924).
    The dbus add-on is now properly terminated after uninstallation (#13094).
    Robin Roevens contributed a patch for displaying the logs created by Zabbix Agent in IPFire's web interface.
    Installation and removal procedure of the alsa add-on have seen notable improvements (#13087).
    FUSE mounts in BorgBackup are now working properly again (#13076).
    Updated packages: acpid 2.0.34, apache 2.4.57, apr 1.7.4, aprutil 1.6.3, arping 2.23, automake 1.16.5, bash 5.2 (with patches 1 to 15), bind 9.16.39, grep 3.10, harfbuzz 7.2.0, iproute2 6.3.0, libcap 2.67, libgcrypt 1.10.2, libgpg-error 1.47, libhtp 0.5.43, libpcap 1.10.4, libxml2 2.11.1, linux-firmware 20230404, lvm2 2.03.21, memtest86+ 6.10, newt 0.52.23, OpenSSH 9.3p1, parted 3.6, pciutils 3.9.0, slang 2.3.3, sqlite 3410200, Squid 5.9, Suricata 6.0.12, tzdata 2023b, unbound 1.17.1, xfsprogs 6.2.0, zstd 1.5.5
    Updated add-ons: 7zip 17.05, alsa 1.2.9, amazon-ssm-agent 3.2.582.0, aws-cli 1.27.100, bird 2.0.12, ClamAV 1.1.0, dnsdist 1.8.0, elfutils 0.189, ffmpeg 6.0, freeradius 3.0.26, ghostscript 10.01.1, nfs 2.6.3, opus 1.4, pmacct 1.7.8, Postfix 3.8.0, rng-tools 2.16, samba 4.18.1, sdl2 2.26.5, tcpdump 4.99.4, zabbix_agentd 6.0.16 (LTS)


https://www.ipfire.org/

Work / test machine:

Intel® Core™ i7-6700 (4 x 3.40 GHz / 4.00 GHz)
16 GB (2 x 8 GB) DDR4 SDRAM 2133 MHz
250 GB SSD Samsung 750 EVO / 1 TB HDD
ZOTAC Geforce GTX 1080TI AMPExtreme Core Edition 11GB GDDR5
MSI Z170A PC Mate Mainboard
DVD burner drive
Microsoft Windows 10 Home 64Bit

TT S2 3200 ( BDA driver 5.0.1.8 ) + Terratec Cinergy 1200 C ( BDA driver 4.8.3.1.8 )

Offline SiLæncer

IPFire 2.27 - Core Update 176
« Reply #91 on: 12 July 2023, 11:00 »
Release Notes

We are pleased to announce the release of IPFire 2.27 - Core Update 176. It features a large amount of package updates which include a security fix and updated microcode for Intel processors as well as a couple of bug fixes.

Before we start talking about the changes in detail, we would like to ask for your donation. We have put a lot of effort into building and testing this update and could not do any of this without you. Please, if you can, donate to the project helping us to put more resources to bring you more and better updates. It is very much appreciated by all of us here!

Bug Fixes

    An edge case related to bug #13138, which caused IPsec root/host certificate generation to fail on the first attempt only, has been fixed.
    While editing OpenVPN static IP address pools, spaces are now handled correctly again (#13136).
    udev rules for LVM volumes have been fixed, allowing for configured LVM volumes to start properly on boot again (#13151).
    Remove entries for additional mass storage via the web interface of the ExtraHD add-on have been fixed, partially resolving #12863.

Miscellaneous

    Filesystem journal features are now always enabled for cloud images, and as soon as a disk with SMART support is detected.
    misc-progs, the safety net between IPFire's web interface and the core system, have been improved under the hood to allow for better return code enumeration.
    Stéphane Pautrel has contributed improvements to the French translation of IPFire's web interface.
    Updated packages: curl 8.1.0, dhcpcd 10.0.1, diffutils 3.9, ed 1.19, ethtool 6.3, freetype 2.13.1, gawk 5.2.2, gcc 13.1.0, gdb 13.2, go 1.20.4, grep 3.11, harfbuzz 7.3.0, intel-microcode 20230613, less 633, libcap 2.69, libhtp 0.5.44, man 2.11.2, nettle 3.9, pam 1.5.3, pciutils 3.10.0, procps 4.0.3, sqlite 3420000, strongswan 5.9.11, suricata 6.0.13, texinfo 7.0.3, whois 5.5.17
    Updated add-ons: CUPS 2.4.6, fping 5.1, minidlna 1.3.2, nginx 1.24.0, Postfix 3.8.1, strace 6.3, stress 1.0.7, stunnel 5.69, transmission 4.0.3, wavemon 0.9.4

Please reboot your system after installing this update if you are running on an Intel processor.


https://www.ipfire.org/


Offline SiLæncer

OPNsense 23.7
« Reply #92 on: 02 August 2023, 19:00 »
Changelog

o system: use parse_url() to validate if the provided login redirect string is actually parseable to prevent redirect
o system: fix assorted PHP 8.2 deprecation notes
o system: fix assorted permission-after-write problems
o system: introduce a gateway watcher service and fix issue with unhandled "loss" trigger when "delay" is also reported
o system: enabled web GUI compression (contributed by kulikov-a)
o system: disable PHP deprecation notes due to Phalcon emitting such messages breaking the API responses
o system: allow "." DNS search domain override
o system: on boot let template generation wait for configd socket for up to 10 seconds
o system: do not allow state modification on GET for power off and reboot actions
o system: better validation and escaping for cron commands
o system: better validation for logging user input
o system: improve configuration import when interfaces or console settings do not match
o system: name unknown tunables as "environment" as they could still be supported by e.g. the boot loader
o system: sanitize $act parameter in trust pages
o system: add severity filter in system log widget (contributed by kulikov-a)
o system: mute openssl errors pushed to stderr
o system: add opnsense-crypt utility to encrypt/decrypt a config.xml
o system: call opnsense-crypt from opnsense-import to deal with encrypted imports
o interfaces: extend/modify IPv6 primary address behaviour
o interfaces: fix bug with reported number of flapping LAGG ports (contributed by Neil Greatorex)
o interfaces: introduce a lock and DAD timer into newwanip for IPv6
o interfaces: rewrite LAGG pages via MVC/API
o interfaces: allow manual protocol selection for VLANs
o interfaces: remove null_service toggle as empty service name in PPPoE works fine
o interfaces: on forceful IPv6 reload do not lose the event handling
o interfaces: allow primary address function to emit device used
o firewall: move all automatic rules for interface connectivity to priority 1
o firewall: rewrote group handling using MVC/API
o firewall: clean up AliasField to use new getStaticChildren()
o firewall: "kill states in selection" button was hidden when selecting only a rule for state search
o firewall: cleanup port forward page and only show the associated filter rule for this entry
o captive portal: safeguard template overlay distribution
o dhcp: rewrote both IPv4 and IPv6 lease pages using MVC/API
o dhcp: allow underscores in DNS names from DHCP leases in Dnsmasq and Unbound watchers (contributed by bugfixin)
o dhcp: align router advertisements VIP code and exclude /128
o dhcp: allow "." for DNSSL in router advertisements
o dhcp: print interface identifier and underlying device in "found no suitable address" warnings
o firmware: opnsense-version: remove obsolete "-f" option stub
o firmware: properly escape crash reports shown
o firmware: fix a faulty JSON construction during partial upgrade check
o firmware: fetch bogons/changelogs from amd64 ABI only
o ipsec: add missing config section for HA sync
o ipsec: add RADIUS server selection for "Connections" when RADIUS is not defined in legacy tunnel configuration
o ipsec: only write /var/db/ipsecpinghosts if not empty
o ipsec: check IPsec config exists before use (contributed by agh1467)
o ipsec: fix RSA key pair generation with size other than 2048
o ipsec: deprecating tunnel configuration in favour of new connections GUI
o ipsec: clean up SPDField and VTIField types to use new getStaticChildren()
o ipsec: add passthrough networks when specified to prevent overlapping "connections" missing them
o monit: fix alert script includes
o openvpn: rewrote OpenVPN configuration as "Instances" using MVC/API available as a separate configuration option[2]
o openvpn: rewrote client specific overrides using MVC/API
o unbound: rewrote general settings and ACL handling using MVC/API
o unbound: add forward-tcp-upstream in advanced settings
o unbound: move unbound-blocklists.conf to configuration location
o unbound: add database import/export functions for when DuckDB version changes on upgrades
o unbound: add cache-max-negative-ttl setting (contributed by hp197)
o unbound: fix upgrade migration when database is not enabled
o unbound: minor endpoint cleanups for DNS reporting page
o wizard: restrict to validating only IPv4 addresses
o backend: minor regression in deeper nested command structures in configd
o mvc: fill missing keys when sorting in searchRecordsetBase()
o mvc: properly support multi clause search phrases
o mvc: allow legacy services to hook into ApiMutableServiceController
o mvc: implement new Trust class usage in OpenVPN client export, captive portal and Syslog-ng
o mvc: add generic static record definition for ArrayField
o ui: introduce collapsible table headers for MVC forms
o plugins: os-acme-client 3.18[3]
o plugins: os-bind 1.27[4]
o plugins: os-dnscrypt-proxy 1.14[5]
o plugins: os-dyndns removed due to unmaintained code base
o plugins: os-frr 1.34[6]
o plugins: os-firewall 1.3 allows floating rules without interface set (contributed by Michael Muenz)
o plugins: os-telegraf 1.12.8[7]
o plugins: os-zabbix62-agent removed due to Zabbix 6.2 EoL
o plugins: os-zabbix62-proxy removed due to Zabbix 6.2 EoL
o src: axgbe: enable RSF to prevent zero-length packets while in Netmap mode
o src: axgbe: only set CSUM_DONE when IFCAP_RXCSUM enabled
o src: ipsec: add PMTUD support
o src: FreeBSD 13.2-RELEASE[8]
o ports: krb 1.21.1[9]
o ports: nss 3.91[10]
o ports: phalcon 5.2.3[11]
o ports: php 8.2.8[12]
o ports: py-duckdb 0.8.1
o ports: py-vici 5.9.11
o ports: sudo 1.9.14p3[13]
o ports: suricata now enables Netmap V14 API

Migration notes, known issues and limitations:

o The Unbound ACL now defaults to accept all traffic and no longer generates automatic entries.  This was done to avoid connectivity issues on dynamic address setups -- especially with VPN interfaces.  If this is undesirable you can set it to default to block instead and add your manual entries to pass.
o Dpinger no longer triggers alarms on its own as its mechanism is too simplistic for loss and delay detection as provided by apinger a long time ago.  Delay and loss triggers have been fixed and logging was improved.  The rc.syshook facility "monitor" still exists but is only provided for compatibility reasons with existing user scripts.
o IPsec "tunnel settings" GUI is now deprecated and manual migration to the "connections" GUI is recommended.  An appropriate EoL announcement will be made next year.
o The new OpenVPN instances pages and API create an independent set of instances more closely following the upstream documentation of OpenVPN.  Legacy client/server settings cannot be managed from the API and are not migrated, but will continue to work independently.
o The old DynDNS plugin was removed in favor of the newer MVC/API plugin for ddclient.  We are aware of the EoL state of ddclient which was unfortunately announced only one year after we started working on the new plugin.  We will try to add upstream fixes that have not been released yet and already offer our own ddclient-less Python backend in the same plugin as an alternative.


https://opnsense.org/about/about-opnsense/


Offline SiLæncer

IPFire 2.27 - Core Update 178
« Reply #93 on: 14 August 2023, 20:00 »
Release Notes

The next Core Update is available for testing: IPFire 2.27 - Core Update 178 which includes kernel and microcode fixes to mitigate vulnerabilities in Intel and AMD processors.

Intel

    Downfall attacks target a critical weakness found in billions of modern processors used in personal and cloud computers. This vulnerability, identified as CVE-2022-40982, enables a user to access and steal data from other users who share the same computer. For instance, a malicious app obtained from an app store could use the Downfall attack to steal sensitive information like passwords, encryption keys, and private data such as banking details, personal emails, and messages. Similarly, in cloud computing environments, a malicious customer could exploit the Downfall vulnerability to steal data and credentials from other customers who share the same cloud computer.

AMD

    Inception (CVE-2023-20569) is a novel transient execution attack that leaks arbitrary data on all AMD Zen CPUs in the presence of all previously deployed software- and hardware mitigations. As in the movie of the same name, Inception plants an “idea” in the CPU while it is in a sense “dreaming”, to make it take wrong actions based on supposedly self conceived experiences. Using this approach, Inception hijacks the transient control-flow of return instructions on all AMD Zen CPUs.

    Phantom (CVE-2022-23825) enables an attacker to create a transient window at arbitrary instructions. Suddenly, a seemingly harmless XOR instruction can behave like a call instruction, and allow the attacker to create a transient window.

How is IPFire affected?

IPFire is not directly affected by any of these attacks as the firewall never executes untrusted code. All programs on IPFire come from our package management system which signs all updates. However, it might be possible for an attacker to inject any code remotely by some undiscovered vulnerability and using these CPU vulnerabilities might allow the attacker to create more damage. Therefore, we recommend to install this update as soon as possible and to reboot your firewall.

This update has been added into the regular release cycle of IPFire. A previous version of Core Update 178 has been moved to 179 and users who installed the previous update from the unstable tree should reinstall this update once again to receive all fixes.


https://www.ipfire.org/


Offline SiLæncer

IPFire 2.27 - Core Update 179
« Reply #94 on: 26 September 2023, 18:00 »
Release Notes

It is time to upgrade your systems to IPFire 2.27 - Core Update 179. It will bring you Indirect Branch Tracking in user space in order to better mitigate any injected code, a completely rewritten ExtraHD and a large number of package updates & the usual bunch of bug fixes.

But before we start talking about the changes in detail, we would like to take a moment and ask for your donation. We put a lot of effort into building and testing this update and could not do any of this without your donation. Please, donate to the project helping us to put more resources to bring you more and better updates. It is very much appreciated by all of us here!

Indirect Branch Tracking for User Space

This technology uses a CPU extension which (if available) will check if a program returns from a function or jump correctly. If not, for example in case of injected code, an exception is being raised and the program is being terminated.

This is a follow-up after hardening our kernel against the same attack vector in Core Update 177 and had to be split off to keep updates at a smaller, easier to handle size.

ExtraHD

This feature that allows mounting any extra storage into IPFire has been entirely rewritten. The code was hard to extend and some smaller issues became hard to fix which resulted in us making the decision for a rewrite. It should now be a lot more robust and easy to use.

Misc.

    An issue where connected OpenVPN clients were shown disconnected (#13190)
    A non-critical validation error of location group names has been fixed.
    Package updates: cURL 8.2.1, eudev 3.2.12, fmt 10.0.0, freefont 20100919, fuse 3.15.0, glib 2.77.0, GNU Gettext 0.22, GMP 6.3.0, groff 1.23.0, harfbuzz 8.1.1, libarchive 3.7.0, libxcrypt 4.4.36, libxml2 2.11.4, LVM2 2.03.22, meson 1.2.0, mpfr 4.2.0p12, ninja 1.11.1, ntfs-3g 2022.10.3, rpcsvc-proto 1.4.4, oauth-toolkit 2.6.9, OpenLDAP 2.6.5, openjpeg 2.5.0, OpenSSL 3.1.2, popt 1.19, poppler 23.08.0, PPP 2.5.0, qpdf 11.5.0, SDL2 2.28.1, smartmontools 7.4, suricata 6.0.14, GNU tar 1.35, xfsprogs 6.4.0, XZ 5.4.4
    Samba has UNIX filesystem extensions disabled by default now (#13193)
    Updated add-ons: ebtables 2.0.11, FreeRADIUS 3.2.3, FRR 8.5.2, Git 2.41.0, HAProxy 2.8.1, hplip 3.23.5, MPD 0.23.13, ncat 7.94, nmap 7.94, Observium Agent 23.1, oci-cli 3.29.4, oci-python-sdk 2.107.0, QEMU + Guest Agent 8.0.3, Zabbix Agent 6.0.19 (LTS)
    The sox package has been dropped as it is only useful in combination with Asterisk which has been dropped some while ago

As always, we thank all people contributing to this release.


https://www.ipfire.org/

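The Indirect Branch Tracking section of the Core Update 179 notes above describes a CPU extension that checks whether a program's indirect jumps and returns land where the program intended. On x86-64 Linux, a binary compiled with that protection carries a GNU property note (.note.gnu.property) whose GNU_PROPERTY_X86_FEATURE_1_AND entry sets the IBT bit, and the dynamic loader inspects that note before enabling enforcement for a process. The C program below is an added example and is not IPFire code or part of the release notes: it parses such a note from a hand-constructed byte string and reports whether IBT is declared. The note bytes and the function names are this example's own constructions; the constants are the documented psABI values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constants from the ELF gABI and the x86-64 psABI. */
#define NT_GNU_PROPERTY_TYPE_0           5
#define GNU_PROPERTY_X86_FEATURE_1_AND   0xc0000002u
#define GNU_PROPERTY_X86_FEATURE_1_IBT   0x1u
#define GNU_PROPERTY_X86_FEATURE_1_SHSTK 0x2u

/* Little-endian 32-bit read, the byte order the note is stored in. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Scan one ELF64 NT_GNU_PROPERTY_TYPE_0 note for the x86 FEATURE_1_AND
 * property. Returns 1 and stores the feature bits in *features when found,
 * 0 when the note is malformed or carries no such property. */
int x86_feature_1_from_note(const uint8_t *note, size_t len, uint32_t *features) {
    if (len < 12) return 0;
    uint32_t namesz = rd32(note);
    uint32_t descsz = rd32(note + 4);
    uint32_t type   = rd32(note + 8);
    if (type != NT_GNU_PROPERTY_TYPE_0 || namesz != 4) return 0;
    size_t desc_off = 12 + ((namesz + 3) & ~3u);       /* name padded to 4 bytes */
    if (desc_off + descsz > len) return 0;              /* note truncated */
    if (memcmp(note + 12, "GNU", 4) != 0) return 0;
    const uint8_t *desc = note + desc_off;
    size_t off = 0;
    while (off + 8 <= descsz) {
        uint32_t pr_type   = rd32(desc + off);
        uint32_t pr_datasz = rd32(desc + off + 4);
        off += 8;
        if (off + pr_datasz > descsz) return 0;         /* truncated entry */
        if (pr_type == GNU_PROPERTY_X86_FEATURE_1_AND && pr_datasz == 4) {
            *features = rd32(desc + off);
            return 1;
        }
        off += (pr_datasz + 7) & ~(size_t)7;            /* ELF64: entries 8-byte aligned */
    }
    return 0;
}

/* Feature bits of the note, or 0 when the property is absent or unreadable. */
uint32_t x86_feature_1_bits(const uint8_t *note, size_t len) {
    uint32_t f = 0;
    return x86_feature_1_from_note(note, len, &f) ? f : 0;
}

/* 1 if the binary declares IBT (every indirect branch target starts with ENDBR). */
int binary_declares_ibt(const uint8_t *note, size_t len) {
    return (x86_feature_1_bits(note, len) & GNU_PROPERTY_X86_FEATURE_1_IBT) ? 1 : 0;
}

/* Constructed note, as a -fcf-protection=full build emits: IBT | SHSTK. */
static const uint8_t sample_note_ibt[32] = {
    4, 0, 0, 0,              /* namesz */
    16, 0, 0, 0,             /* descsz */
    5, 0, 0, 0,              /* NT_GNU_PROPERTY_TYPE_0 */
    'G', 'N', 'U', 0,        /* name */
    0x02, 0x00, 0x00, 0xc0,  /* GNU_PROPERTY_X86_FEATURE_1_AND */
    4, 0, 0, 0,              /* pr_datasz */
    0x03, 0, 0, 0,           /* IBT | SHSTK */
    0, 0, 0, 0               /* padding to the 8-byte boundary */
};

/* Constructed note with shadow stack only: IBT is not declared. */
static const uint8_t sample_note_shstk_only[32] = {
    4, 0, 0, 0, 16, 0, 0, 0, 5, 0, 0, 0, 'G', 'N', 'U', 0,
    0x02, 0x00, 0x00, 0xc0, 4, 0, 0, 0, 0x02, 0, 0, 0, 0, 0, 0, 0
};

int main(void) {
    printf("full sample: %s\n",
           binary_declares_ibt(sample_note_ibt, sizeof sample_note_ibt) ? "IBT declared" : "no IBT");
    printf("shstk-only sample: %s\n",
           binary_declares_ibt(sample_note_shstk_only, sizeof sample_note_shstk_only) ? "IBT declared" : "no IBT");
    return 0;
}
```

On a real system the same information is printed by `readelf -n <binary>` as the "x86 feature" property line, and the CPU's own support shows up as the `ibt` flag in /proc/cpuinfo; a binary that lacks the IBT bit is the one a hardened user space would have to run without the protection.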

Offline SiLæncer

IPFire 2.27 - Core Update 180
« Reply #95 on: 14 October 2023, 20:00 »
Release Notes

It is time for another update for your most favourite firewall: IPFire 2.27 - Core Update 180 is out - coming with an updated toolchain, a large number of package updates, deprecation for ReiserFS as well as a number of bug and security fixes.

Toolchain Update

IPFire has been rebased on the latest version of the GNU toolchain comprising glibc 2.38, GCC 13.2.0 & binutils 2.41. This allows us to keep IPFire modern, taking advantage of the latest advances in hardware support and acceleration, but most importantly use the latest hardening technologies available to us.

ReiserFS Deprecation

The Linux kernel maintainers have deprecated support for ReiserFS.

This filesystem has been available for installation in IPFire in the past, but we have removed the option to create new systems in Core Update 167. Therefore we do not expect many people to be using this on IPFire. If you do, you will see a warning on the web console that will warn you about using ReiserFS. Unfortunately, you will need to backup your system and perform a reinstall with a different filesystem, and finally restore the backup.

If you don't see the warning, you are using a different filesystem and no action is required.

Misc.

    cURL has been patched against a heap buffer overflow (CVE-2023-38545)
    Package updates: bind 9.16.44, Boost 1.83.0, dhcpcd 10.0.2, freetype 2.13.2, gzip 1.3, hwdata, iana-etc 20230810, json-c 0.17, krb5 1.21.2, libedit 20230828-3.1, libgudev 238, libtiff 4.5.1, libnl-3 3.8.0, mpfr 4.2.1, OpenSSH 9.4p1, procps 4.0.4, sqlite 3.43.0, squid 6.3, tcl 8.6.13, tzdata 2023c, unbound 1.18.0, util-linux 2.39.2, wireless-regdb 2023-05-03, vnstat 2.11, wget 1.21.4, whois 5.5.18, zlib 1.3
    Updated add-ons: bacula 11.0.6, clamav 1.2.0, foomatic 4.0.13, Git 2.42.0, mc 4.8.30, ncdu 1.18.1, samba 4.19.0, SDL 2.28.3, Tor 0.4.8.5, traceroute 2.1.2, transmission 4.0.4, xinetd 2.3.15.4, zabbix-agent 6.0.21
    Jonatan Schlag cleaned up some no longer used functionality from the network scripts
    wtmp files are now rotated monthly, keeping them for one year

Although this change log does not read very long, the update is a large step and moves IPFire forward to become an even better firewall. If you would like to support us, please donate!


https://www.ipfire.org/


Offline SiLæncer

IPFire 2.27 - Core Update 181
« Reply #96 on: 25 November 2023, 12:00 »
Release Notes

Happy Thanksgiving! Today, we are releasing the latest update for IPFire as our special Black Friday gift for you. It comes with a large number of security updates in OpenSSL, Suricata, Apache & Samba as well as a number of kernel fixes.

If you haven't spent all your money on all the great Black Friday offers, maybe consider making a donation to IPFire today. It helps us to bring you these updates more frequently and allows us to pack more exciting things into them. If you would like to support us, please donate today!

Under The Hood

This update features yet another kernel update based on Linux 6.1.61. It brings various security & stability fixes as well as improving IOMMU handling on ARM. To improve security, we have followed Google and disabled io_uring for the time being as it seems to have a lot of security issues.

We have also switched from eudev to the upstream udev which is now part of systemd as eudev is no longer maintained and was lagging behind upstream.

Security Updates

    OpenSSL 3.1.4: The OpenSSL project announced a security vulnerability (CVE-2023-5363)
    suricata 6.0.15: This update patches a potential denial-of-service vulnerability in the MIME decoder
    Apache 2.4.58 patches a number of security issues in the HTTP/2.0 engine (CVE-2023-45802, CVE-2023-43622 & CVE-2023-31122)
    Samba 4.19.2: Various security issues have been fixed which could be exploited to cause data loss and elevate privileges (CVE-2023-3961, CVE-2023-4091, CVE-2023-4154, CVE-2023-42669 & CVE-2023-42670)

Misc.

    A long standing issue in OpenVPN has been fixed where the web UI offered to download a configuration package in an incorrect format when no password was configured (#11048)
    Other package updates: lynis 3.0.9, Postfix 3.8.2, sysvinit 3.08, Tor 0.4.8.7, Zabbix Agent 6.0.22


https://www.ipfire.org/


Offline SiLæncer

IPFire 2.29 - Core Update 184
« Reply #97 on: 15 March 2024, 19:00 »
Release Notes

We are celebrating the next release of IPFire: Version 2.29 - Core Update 184. This release comes with a number of improvements around the entire operating system and a large number of package updates. Although this change log isn't the longest, this update packs a lot of important changes and we recommend to install while it is still hot!

If you like to support the developers, please donate. It really helps a lot to keep you bringing these updates and making IPFire a little bit better every day!

What's in it?

    Intrusion Prevention System: Suricata has been updated to version 6.0.16 which fixes a number of vulnerabilities
    It is now possible to individually enable logging for packets from and to hostile networks. This allows for easier monitoring of compromised systems on the local network without a lot of noise from portscans and similar things from the Internet. They are also graphed individually in the firewall hits graph.
    A bug has been fixed in the installer: The process now fails if the boot loader could not be installed, when before, the installation completed successfully but left a newly installed system unbootable.
    Updated packages: acl 2.3.2, attr 2.5.2, bash 5.2.26, BIND 9.16.48, dhcpcd 10.0.6, diffutils 3.10, dmidecode 3.5, ed 1.20, expat 2.6.0 (CVE-2023-52425, CVE-2023-52426), file 5.45, fmt 10.2.1, gettext 0.22.4, GnuTLS 3.8.3 (CVE-2024-0553, CVE-2024-0567), help2man 1.49.3, iana-etc 20240125, iproute2 6.7.0, ipset 7.19, iputils 20240117, libhtp 0.5.46, libidn 1.42, libpng 1.6.41, libtalloc 2.4.1, libyang 2.1.148, lvm2 2.03.23, lzip 1.24, memtest86+ 7.0.0, PAM 1.6.0, pixman 43.0, poppler 24.01.0, readline 8.2.10, shadow 4.14.3, SQLite 3.45.1, squid 6.7, suricata 6.0.16, unbound 1.19.1 (CVE-2023-50387 & CVE-2023-50868), vnstat 2.12, xz 5.4.6, zlib 1.3.1

Add-ons

    Updated add-ons: bird 2.14, borgbackup 1.2.7 (CVE-2023-36811), FRR 9.1 (CVE-2023-47235, CVE-2023-47235), HAProxy 2.9.2, libvirt 10.0.0 (CVE-2023-3750), lshw B.02.00, mc 4.8.31, stunnel 5.71, transmission 4.0.5, VDR 2.6.6 + Plugins, wavemon 0.9.5
    mympd is a new package which provides a web user interface to mpd


https://www.ipfire.org/


Offline SiLæncer

IPFire 2.29 - Core Update 185
« Reply #98 on: 18 April 2024, 10:00 »
Release Notes

This update is another testing version for IPFire: It comes with the brand new release of the IPFire IPS, a number of bug fixes across the entire system and a good amount of package updates. Test it while it's still hot!

Suricata 7 - Intrusion Prevention System

Finally, Suricata 7 is here. A new major version of what the IPFire IPS is based on. It finally brings support for HTTP/2 which is no longer considered experimental and now supports deflate compression and byte-ranges. There are new keywords for HTTP header inspection, and support for handling TLS client certificates, support for IKEv1, the PostgreSQL protocol, a BitTorrent parser, and last but not least QUICv1 and GQUIC. Suricata is also locking itself down more using Linux Landlock to prevent any damage in case the process could be exploited; and the developers have spent time to make it slightly more memory efficient.

From abuse.ch, we have added the ThreatFox Indicators Of Compromise Rules. Those rules help to identify any local hosts that might have been compromised by detecting traffic to for example botnets. The PT Attack and Secureworks rulesets have been dropped as they are no longer available.

Toolchain Update

IPFire has been rebased on glibc 2.39 - the C standard library and binutils 2.42. IPFire is also now being compiled with the highest set of source fortification -D_FORTIFY_SOURCE=3. That means, that the compiler is adding compile time and runtime checks to avoid common errors like buffer overruns and overflows and so any undetected security vulnerabilities will be harder to exploit. Finally, we are now compiling the system with less debugging information which we don't need which slightly speeds up the compilation process.

Misc.

    OpenVPN

        Previously, the UI allowed creating certificates with a common name that was already in use (#13404)
        Imported net-to-net connections did not show correctly whether the certificate was password-protected (#13548)
        The OpenSSL configuration file has been cleaned up (#13595)
    The time server configuration page is now showing the current system time
    Custom DHCP options of type "integer 8" are now possible to configure (#12395)
    Comments have sometimes been incorrectly encoded to ISO-8859-1 which broke Umlauts and other special and non-ASCII characters

    Intel has published microcode updates for various of their processors to fix or mitigate the following security vulnerabilities:

        INTEL-SA-00972
        INTEL-SA-00982
        INTEL-SA-00898
        INTEL-SA-00960
        INTEL-SA-01045

    The CA certificate bundle has been updated
    Some basic functions of the initscripts have been cleaned up and enhanced to write shorter scripts
    Updated packages: elfutils 0.191, ethtool 6.7, expat 2.6.2, knot 3.3.5, libffi 3.4.6, libpng 1.6.42, libplist 2.4.0, libgpg-error 1.48, intel-microcode 20240312, iproute2 6.8.0, meson 1.4.0, newt 0.52.24, OpenJPEG 2.5.2, OpenSSH 9.7p1, pango 1.52.0, pciutils 3.11.1, pixman 0.43.4, poppler 24.03.0, qpdf 11.9.0, shadow 4.15.0, SQLite 3.45.2, squid 6.8, Suricata 7.0.3, Tcl 8.6.14, Unbound 1.19.3, util-linux 2.39.3, wget 1.24.5, whois 5.5.21, xz 5.6.1

Add-Ons

    wsdd is a service that implements the Web Service Discovery protocol for Windows. This enables clients from Windows 10 or older to discover any file shares exported by the Samba service. It will be automatically installed on all machines that run Samba. (#13445)
    Updated packages: ClamAV 1.3.0, dnsdist 1.9.1, GDB 14.2, Ghostscript 10.03.0, Git 2.44.0, gptfdisk 1.0.10, libmpdclient 2.22, mpc 0.35, mpd 0.23.15, mympd 14.1.0, opus 1.5.1, Samba 4.19.5, SDL 2.30.1, Zabbix Agent 6.0.24 (LTS)
    Entries to the IPFire web UI menu have been added for VDR and transmission if installed


https://www.ipfire.org/

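The Toolchain Update section of the Core Update 185 notes above says that building with -D_FORTIFY_SOURCE=3 makes the compiler add compile-time and runtime checks against buffer overruns. The C program below is an added example, not IPFire's build configuration and not code from the release notes; it shows the shape of that runtime check. In a fortified build the compiler replaces memcpy() with a __memcpy_chk()-style call that receives the destination's true size (computed with __builtin_object_size(), or __builtin_dynamic_object_size() at level 3) and aborts when the copy would exceed it. To keep the example portable, the size is supplied here with sizeof and an overflow is reported as -1 instead of aborting so it can be observed; checked_memcpy, FORTIFIED_MEMCPY and store_record are names invented for this example.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Mirrors the shape of glibc's __memcpy_chk(dst, src, n, dstlen): the extra
 * argument is the destination's real size. A fortified build fills it in from
 * __builtin_object_size()/__builtin_dynamic_object_size() and calls
 * __chk_fail() on overflow; this version returns -1 so a test can observe it. */
int checked_memcpy(void *dst, size_t dstlen, const void *src, size_t n) {
    if (n > dstlen) return -1;           /* would overrun dst: refuse the copy */
    memcpy(dst, src, n);
    return 0;
}

/* sizeof stands in for the compiler-computed object size. It is only right
 * when dst is a real array in scope, which is exactly the case FORTIFY can
 * prove; for a plain pointer the compiler would report "size unknown" and
 * leave the call unchecked. */
#define FORTIFIED_MEMCPY(dst, src, n) \
    checked_memcpy((dst), sizeof(dst), (src), (n))

/* Unfortified form, kept for comparison and never called: an oversized record
 * silently overruns `field` and whatever sits next to it on the stack. */
int store_record_unchecked(const char *record, size_t len) {
    char field[16];
    memcpy(field, record, len);          /* no bound check at all */
    return (int)len;
}

/* Hardened form: copies a record into a fixed 16-byte field and returns the
 * number of bytes stored, or -1 when the record does not fit. */
int store_record(const char *record, size_t len) {
    char field[16];
    if (FORTIFIED_MEMCPY(field, record, len) != 0)
        return -1;                       /* rejected: len > sizeof field */
    return (int)len;
}

int main(void) {
    char big[64];
    memset(big, 'A', sizeof big);        /* constructed oversized input */
    printf("5-byte record:  %d\n", store_record("hello", 5));
    printf("16-byte record: %d\n", store_record("0123456789abcdef", 16));
    printf("64-byte record: %d\n", store_record(big, sizeof big));
    return 0;
}
```

On a real fortified build the rewritten calls are visible as __memcpy_chk, __strcpy_chk and similar symbols in the binary's dynamic imports (for example with `nm -D`), which is a quick way to confirm that a package was actually compiled with the fortification the notes describe.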