Topics - franco

#1
Announcements / OPNsense 26.1.2 released
February 12, 2026, 10:41:09 AM
Hi there,

This is a smallish update with a number of fixes and another round of Python
CVEs addressed.  New images based on this stable version are planned for next
week.

At the moment work focuses on the IPv6 support for the captive portal which
should not be too far away now.  The 26.7 roadmap will also be published at
the end of this month.

Here are the full patch notes:

o system: remove "upstream" from gateway grid as priority already reflects the proper data
o system: adjust gateway group priority (tier) wording
o interfaces: fix wlanmode argument usage
o firewall: fix target mapping inconsistency leading to references not being processed in destination NAT
o firewall: use local-port as target when specified in destination NAT
o firewall: fix missing reply-to when not specifically set in new rules
o firewall: live view: fix parsing of combined filters stored as converted strings
o firewall: fix group rename in source_net, destination_net and SNAT/DNAT target fields
o firewall: add tcpflags_any in new rules GUI for parity with legacy rules
o firewall: exclude loopback from interface selectpicker in new rules GUI
o firewall: well known ports added to filter rule selection
o firewall: undefined is also "*" in new rules grid
o firewall: add download button for validation errors in rule import
o firewall: allow TTL usage on host entries
o firmware: avoid update-hook background cleanups
o firmware: revoke 25.7 fingerprint
o kea: fix subnets GUI missing root node
o radvd: change tabs to spaces in radvd.conf for better maintenance
o unbound: safeguard the blocklist tester against empty configuration testing
o mvc: add $separator as parameter for CSV export and switch the default to a semicolon
o mvc: InterfaceField: minor adjustments and add resetStaticOptionList()
o mvc: catch empty data in CSV import
o tests: Shell: add testing framework
o plugins: os-haproxy 5.0[1]
o ports: expat 2.7.4[2]
o ports: hostwatch 1.0.12 now rate-limits database writes for recently seen hosts
o ports: ldns 1.9.0[3]
o ports: nss 3.120[4]
o ports: openldap 2.6.12[5]
o ports: openvpn 2.6.19[6]
o ports: py-duckdb 1.4.4[7]
o ports: python additional security fixes[8][9]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/26.1/net/haproxy/pkg-descr
[2] https://github.com/libexpat/libexpat/blob/R_2_7_4/expat/Changes
[3] https://raw.githubusercontent.com/NLnetLabs/ldns/1.9.0/Changelog
[4] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_120.html
[5] https://www.openldap.org/software/release/changes_lts.html
[6] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.19
[7] https://github.com/duckdb/duckdb/releases/tag/v1.4.4
[8] https://www.cve.org/cverecord?id=CVE-2026-1299
[9] https://www.cve.org/cverecord?id=CVE-2026-0865
#2
This business release is based on the OPNsense 25.7.10 community version
with additional reliability improvements, but without revamped Unbound
blocklists for the time being.

Here are the full patch notes:

o system: gateway monitor Shell class use et al
o system: no longer back up DUID but add compatibility glue to opnsense-importer
o system: replace exec() in config encrypt/decrypt
o system: replace history diff exec() with shell_safe()
o system: safe execution tweaks in rc.routing_configure
o system: fix log keyword search regression introduced in 25.7.7
o system: clean up and normalise the sample config.xml
o system: replace "realif" variables with "device" in gateway code
o system: replace exec() in live banner SSH probe
o system: add tooltip explaining active status in snapshots
o system: add "lazy loading" model support on Trust\Cert
o system: properly fill DNS SAN from existing certificates (contributed by Klaas Demter)
o system: rename sudoers file to make it more sortable (contributed by David Jack Wange Olrik)
o system: numerous safe execution changes
o system: sort to retain order in syslog-ng source definitions
o system: fix edge case in tunable reset with one single tunable in the default config
o reporting: health: add CPU temperature y-axis label (contributed by NOYB)
o interfaces: scan pltime/vltime in "ifconfig -L" mode
o interfaces: fix comparison in PPP check code during assignment
o interfaces: prefer longer lifetimes if multiple exist
o interfaces: defer manual rtsold script execution
o interfaces: use mwexecfb() in two instances
o interfaces: move configure_interface_hardware() to main file
o interfaces: migrate "sharednet" setting to its respective sysctls
o firewall: run filterlog directly after rules apply and remove promiscuous mode
o firewall: allow setting a custom authentication HTTP header for alias URL fetch (contributed by nox-404)
o firewall: for better IPv6 PMTU let "timex" and "paramprob" ICMP types through
o firewall: safe execution changes in rules reloading code
o firewall: safe execution changes in rc.filter_synchronize
o firewall: aliases: add has_parser() to check if an alias has a valid parser available
o firewall: live log: allow column modifications and combine hostname columns
o firewall: live log: add bigger table size options and simplify table update
o firewall: minor simplification in filter sync script
o firewall: automation: only show ICMP type when protocol is ICMP
o firewall: automation: add multi-select ICMP6 options
o firewall: simplify port alias check
o firewall: improve GeoIP alias expiry condition
o firewall: prevent autocomplete in alias auth password
o captive portal: re-introduce ipfw for accounting purposes only
o captive portal: assign empty array when "interface list arp json" returns invalid JSON
o dhcrelay: add CARP VHID tracking option to relays
o dhcrelay: use the new mwexecf() $format support
o dhcrelay: reload table to update relay status
o dnsmasq: minor tweaks in lease commands
o dnsmasq: add DHCP logging flags to influence log verbosity
o firmware: Shell class replacements in scripting
o intrusion detection: refactor query scripts and deprecate params.py
o intrusion detection: increase maintainability of suricata.yaml file
o intrusion detection: add support for /usr/local/etc/suricata/conf.d directory
o intrusion detection: clean up views and controllers
o intrusion detection: datakey hint was missing for rules edit
o intrusion detection: replace "all" alert selection with explicit maximum choices
o ipsec: most safe execution transformations done
o isc-dhcp: move syslog definitions to plugin file
o isc-dhcp: internalize interfaces_staticarp_configure()
o isc-dhcp: safeguard access to DHCPv6 "enable" property
o isc-dhcp: check if device we try to configure exists in the system
o kea-dhcp: add lease commands, tabulator GroupBy, URL hashes
o kea-dhcp: add DNR option (contributed by schreibubi)
o kea-dhcp: refactor daemon(8) call to mwexecfb()
o network time: status: refactor to MVC/API
o network time: fix GPS coordinate display in status page (contributed by brotherla)
o openvpn: add AES-256-CBC cipher for legacy compat (contributed by Fabian Franz)
o openvpn: add support for verify-x509-name option (contributed by laozhoubuluo)
o openvpn: replace exec() in MVC code
o openvpn: add simple search functionality for accounts table in client export
o openvpn: skip dynamic content when loading the model in client export
o openvpn: convert two more exec() calls
o openvpn: account for CARP status in start and restart cases as well
o unbound: remove delete selected button for single select overrides grid
o unbound: add overrides reference counter for aliases
o unbound: info section was larger than table width
o backend: minor shell execution changes and readability
o backend: use mwexecf(m) where possible
o backend: extend mwexecfb() with PID and log file support
o backend: exec() removal in get_sysctl()/set_sysctl()
o backend: exec() removal in auth scripts
o mvc: ApiMutableModelControllerBase: add invalidateModel() method
o mvc: Config: use is_int()/array_key_first() in toArray() and fromArray()
o mvc: Config: use LIBXML_NOBLANKS when loading config files
o mvc: get translated services description from API (contributed by Tobias Degen)
o mvc: BaseField: provide asInt() method
o mvc: reduce some call overhead in BaseField/IntegerField
o mvc: introduce defaultConfig property for AppConfig
o mvc: uppercase all form labels
o mvc: use asInt() in GidField and UidField
o mvc: BaseField: add isSet()
o mvc: shield exec_safe() against fatal type errors
o rc: bootstrap /var/lib/php/tests for upcoming test case use
o shell: rewrite timeout() using safe execution functions
o tests: revamped config and base model tests
o ui: refresh notification status after default apply button is done
o ui: remove obsolete jQuery bootgrid files
o ui: bootgrid: allow conditional command rendering through a filter function
o plugins: os-acme-client 4.11[1]
o plugins: os-frr 1.50[2]
o plugins: os-ndp-proxy-go 1.3[3]
o plugins: os-telegraf 1.12.14[4]
o plugins: os-theme-rebellion 1.9.4 (contributed by Team Rebellion)
o plugins: os-turnserver 1.1[5]
o plugins: os-upnp 1.8 features assorted improvements to plugin and daemon (contributed by Self-Hosting-Group)
o plugins: os-zabbix-agent 1.18[6]
o plugins: os-zabbix-proxy 1.16[7]
o src: divert: define semantics for SO_REUSEPORT_LB on divert sockets
o src: divert: fix removal of divert sockets from a group
o src: divert: use a jenkins hash to select the target socket
o src: divert: use CK_SLISTs for the divcb hash table
o src: e1000: revert "try auto-negotiation for fixed 100 or 10 configuration"
o src: in6: modify address prefix lifetimes when updating address lifetimes
o src: ipv6: do not complain when deleting an address with prefix length of 128
o src: ipv6: fix off-by-one in pltime and vltime expiration checks
o src: netlink: do not directly access ifnet members
o src: netlink: do not overwrite existing data in a linear buffer in snl_writer
o src: netmap: let memory allocator parameters be settable via loader.conf
o src: pf: fix handling of IPv6 divert packets
o src: pf: rationalize the ip_divert_ptr test
o src: pfsync: avoid zeroing the state export union
o src: rtsold: check RA lifetime before triggering the one-shot always script
o src: fix multiple vulnerabilities in OpenSSL[8]
o src: jail escape by a privileged user via nullfs[9]
o src: arm64 SVE signal context misalignment[10]
o src: page fault handler fails to zero memory[11]
o ports: dpinger 3.4[12]
o ports: filterlog no longer uses unneeded promiscuous mode
o ports: libucl 0.9.3
o ports: libxml 2.15.1[13]
o ports: nss 3.119.1[14]
o ports: openssl 3.0.19[15]
o ports: phpseclib 3.0.48
o ports: python security fixes[16][17][18][19]
o ports: suricata 8.0.3[20]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/25.7/security/acme-client/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/25.7/net/frr/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/25.7/net/ndp-proxy-go/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/25.7/net/turnserver/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/25.7/net/upnp/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/25.7/net-mgmt/zabbix-agent/pkg-descr
[7] https://github.com/opnsense/plugins/blob/stable/25.7/net-mgmt/zabbix-proxy/pkg-descr
[8] https://www.freebsd.org/security/advisories/FreeBSD-SA-26:01.openssl.asc
[9] https://www.freebsd.org/security/advisories/FreeBSD-SA-26:02.jail.asc
[10] https://www.freebsd.org/security/advisories/FreeBSD-EN-26:02.arm64.asc
[11] https://www.freebsd.org/security/advisories/FreeBSD-EN-26:03.vm.asc
[12] https://github.com/dennypage/dpinger/releases/tag/v3.4
[13] https://gitlab.gnome.org/GNOME/libxml2/-/blob/master/NEWS
[14] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_119_1.html
[15] https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md
[16] https://www.cve.org/cverecord?id=CVE-2025-12084
[17] https://www.cve.org/cverecord?id=CVE-2025-13836
[18] https://www.cve.org/cverecord?id=CVE-2026-1299
[19] https://www.cve.org/cverecord?id=CVE-2026-0865
[20] https://suricata.io/2026/01/13/suricata-8-0-3-and-7-0-14-released/
#3
Announcements / OPNsense 26.1.1 released
February 04, 2026, 02:23:30 PM
Hello there,

This ships OpenSSL and Python security updates as well as addressing a number
of shortcomings of the initial 26.1 and community-infused improvements of
the new rules GUI which we would not have dreamed of getting this quickly.

We are very happy with the current state of the new rules GUI and all the
discussions we have had on how it can be further improved.  It is just the
beginning.  A roadmap for 26.7 will be in the works later this month.

Looking back 11 years it appears that the best hopes we had for the project
back then have all come true.  It took a lot longer than expected but we
got there together with you, our beloved community.  It will only take
a bit more work now to achieve MVC/API support for all core components and
remove root access from the web GUI.  And we hope that you will be up for
it in the coming years as well.

Images will likely be reissued based on this release, but it is not an
immediate priority.  Upgrade paths from 25.7 will also be updated in the
near future to ensure the best possible upgrade experience.

Here are the full patch notes:

o interfaces: fix WLAN creation when $mode is empty
o interfaces: fix interface settings save with disabled ISC DHCPv6 server
o interfaces: add optional interval input to ping
o firewall: fix rule anchor rendering for plugins
o firewall: prevent autocomplete in alias auth password
o firewall: validate UUID on rules migration import
o firewall: fix overload table setting being written as UUID into pf.conf in new rules GUI
o firewall: local-port field in destination NAT does not support range and well-known name
o firewall: change toggle_log icon to help visibility in new rules GUI
o firewall: add missing schedules support for new rules GUI
o firewall: make statistics column responsive for new rules GUI
o firewall: add link to states and put it first in list in new rules GUI
o firewall: add "any" interface filter option and make it the default
o reporting: render RRD integer as string in command invoke
o dnsmasq: compare leases case insensitive
o firmware: opnsense-code: allow -r to specify the release branch for core/plugins
o firmware: opnsense-patch: when patching make no backups
o firmware: opnsense-update: batch use of -g and -G options
o kea: add several missing validations
o kea: use hostwatch as source for prefix watcher
o openssh: style update for config generation
o radvd: correctly verify constructor interface if used
o lang: added Persian as a new language and a few updates/fixes in existing translations
o installer: ufs: flush the disk to avoid spurious partitioning errors
o mvc: support verbose logging in run_migrations.php
o mvc: shield exec_safe() against fatal type errors
o mvc: mark exported CSV as content safe to disable escaping
o mvc: ArrayField: support throwing exceptions in importRecordSet()
o mvc: fix class names of ManualSpdController and VxlanController
o mvc: BaseModel: create missing nodes in legacy mapper
o ui: bootgrid: allow multi word tooltips (contributed by Matthias Kaduk)
o ui: bootgrid: introduce toggle-selected command
o ui: bootgrid: searchable column selectors
o ui: move refresh of selectpicker types into setFormData() and improve type detection
o plugins: os-acme-client 4.13[1]
o plugins: os-ddclient 1.30[2]
o plugins: os-freeradius 1.10.1[3]
o plugins: os-tayga 1.4[4]
o plugins: os-tinc 1.8 adds disable subnet routes option (contributed by Thojo0)
o src: fix multiple vulnerabilities in OpenSSL[5]
o src: jail escape by a privileged user via nullfs[6]
o src: arm64 SVE signal context misalignment[7]
o src: page fault handler fails to zero memory[8]
o ports: dnsmasq 2.92[9]
o ports: libxml 2.15.1[10]
o ports: openssl 3.0.19[11]
o ports: phalcon 5.10.0[12]
o ports: php 8.3.30[13]
o ports: phpseclib 3.0.49[14]
o ports: python security fixes[15][16]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/26.1/security/acme-client/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/26.1/dns/ddclient/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/26.1/net/freeradius/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/26.1/net/tayga/pkg-descr
[5] https://www.freebsd.org/security/advisories/FreeBSD-SA-26:01.openssl.asc
[6] https://www.freebsd.org/security/advisories/FreeBSD-SA-26:02.jail.asc
[7] https://www.freebsd.org/security/advisories/FreeBSD-EN-26:02.arm64.asc
[8] https://www.freebsd.org/security/advisories/FreeBSD-EN-26:03.vm.asc
[9] https://www.thekelleys.org.uk/dnsmasq/CHANGELOG
[10] https://gitlab.gnome.org/GNOME/libxml2/-/blob/master/NEWS
[11] https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md
[12] https://github.com/phalcon/cphalcon/releases/tag/v5.10.0
[13] https://www.php.net/ChangeLog-8.php#8.3.30
[14] https://github.com/phpseclib/phpseclib/releases/tag/3.0.49
[15] https://www.cve.org/cverecord?id=CVE-2025-12084
[16] https://www.cve.org/cverecord?id=CVE-2025-13836
#4
Announcements / OPNsense 26.1 released
January 28, 2026, 04:03:45 PM
Hi there,

For over 11 years now, OPNsense has been driving innovation through
modularising and hardening the open source firewall, with simple
and reliable firmware upgrades, multi-language support, fast adoption
of upstream software updates, modern IPv6 support, as well as clear
and stable 2-Clause BSD licensing.

26.1, nicknamed "Witty Woodpecker", features almost a full firewall
MVC/API experience as automation rules have been promoted to the new
rules GUI, Suricata version 8 with inline inspection mode using "divert",
assorted IPv6 reliability and feature improvements, router advertisements
MVC/API, full code shell command escaping revamp, default IPv6
mode now using Dnsmasq for client connectivity, Unbound blocklist source
selection, an automatic host discovery service, plus much more.

The upgrade path for 25.7 will likely be unlocked on January 29, which
is probably tomorrow if anyone is asking why it is not there yet.
We want to ensure the upgrade goes as smoothly as possible so please
be patient!  :)

Download links, an installation guide[1] and the checksums for the images
can be found below as well.

o Europe: https://opnsense.c0urier.net/releases/26.1/
o US East Coast: https://mirror.wdc1.us.leaseweb.net/opnsense/releases/26.1/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/26.1/
o South America: http://mirror.ueb.edu.ec/opnsense/releases/26.1/
o East Asia: https://mirror.ntct.edu.tw/opnsense/releases/26.1/
o Full mirror list: https://opnsense.org/download/

Here are the full patch notes:

o system: factory reset and console tools now default to using Dnsmasq for DHCP
o system: wizard now offers an abort button and deployment type selections
o system: wizard can disable WAN or LAN interface now
o system: provide resolv.conf overrides via /etc/resolv.conf.local
o system: add XMLRPC option for hostwatch
o firewall: improve GeoIP alias expiry condition
o firewall: escape selector in rule_protocol
o firewall: "Port forward" was migrated to "Destination NAT" MVC/API
o firewall: unified look and feel of MVC/API pages formerly known as "automation"
o firewall: improved support of gateway groups in policy-based routing
o firewall: plugin support for "ether" rules has been removed
o firewall: add import/export to shaper queues and pipes
o firewall: "divert-to" support in new rules GUI
o firewall: added a rule migration page (use with care)
o firewall: make previously associated DNAT rules editable
o interfaces: a new IPv6 mode called "Identity association" was added
o interfaces: settings page was migrated to MVC/API
o interfaces: handle hostwatch user/group via package
o interfaces: force-reload IPv6 connectivity when PDINFO changes during renew
o interfaces: dhcp6c rapid-commit, request-dns and config write refactoring
o interfaces: generalise the rtsold_script code
o interfaces: use descriptive interface names in automatic discovery table
o interfaces: harden settings page with file_safe() and allowed_classes=false
o dhcrelay: relax the check for present addresses and CARP-related cleanups
o dnsmasq: add automatic RDNSS option when none is configured
o dnsmasq: fix log conditions
o firmware: opnsense-code: run configure script on upgrade if needed
o intrusion detection: add a "divert" intrusion prevention mode
o ipsec: expose ChaCha20-Poly1305 AEAD proposals in IKEv2 (contributed by Kota Shiratsuka)
o kea: add libdhcp_host_cmds.so to expose internal API commands for reservations
o kea: exit prefix watcher script if no lease file exists
o kea: allow "hw-address" for reservations
o kea: add pool in subnet validation
o kea: minor code cleanups in model code
o openvpn: account for CARP status in start and restart cases as well
o openvpn: removed the stale TheGreenBow client export
o radvd: migrated to MVC/API
o radvd: remove faulty empty address exception
o radvd: remove configuration file if disabled
o radvd: implement RemoveAdvOnExit override
o radvd: add Base6Interface constructor
o radvd: support nat64prefix
o console: opnsense-log now supports "backend" and "php" aliases
o backend: safe execution changes in the whole code base
o backend: removed short-lived mwexecf_bg() function
o lang: various translation updates
o mvc: add ChangeCase support to ProtocolField for DNAT special case
o mvc: improve importCsv() to support either comma or semicolon
o mvc: removed long obsolete sessionClose() from ControllerRoot
o mvc: BaseModel: isEmptyAndRequired() has been removed
o mvc: removed unused RegexField
o rc: replace camcontrol with diskinfo for TRIM check (contributed by Maurice Walker)
o ui: allow HTML tags in menu items and title
o ui: improve user readability in SimpleFileUploadDlg()
o plugins: os-acme-client 4.12[2]
o plugins: os-ddclient 1.29[3]
o plugins: os-freeradius 1.10[4]
o plugins: os-isc-dhcp 1.0[5]
o plugins: os-nextcloud-backup 1.1[6]
o plugins: os-nginx 1.36[7]
o plugins: os-postfix 1.24.1[8]
o plugins: os-q-feeds-connector 1.4[9]
o plugins: os-wazuh-agent 1.3[10]
o src: assorted patches from stable/14 for LinuxKPI, QAT, and network stack
o src: e1000: revert "try auto-negotiation for fixed 100 or 10 configuration"
o src: if_ovpn: use epoch to free peers
o src: carp6: revise the generation of ND6 NA
o ports: dhcp6c v20260122
o ports: hostwatch 1.0.9

Migration notes, known issues and limitations:

o ISC-DHCP moves to a plugin. It will be automatically installed during upgrades. It is not installed on new installations because it is not being used, but you can still install and keep using it.
o To accommodate the change away from ISC-DHCP defaults the "Track interface" IPv6 mode now has a sibling called "Identity Association" which does the same except it is not automatically starting ISC-DHCPv6 and Radvd router advertisements to allow better interoperability with Kea and Dnsmasq setups.
o Dnsmasq is now the default for DHCPv4 and DHCPv6 as well as RA out of the box.  One thing that the upstream software cannot cover is prefix delegation so that is no longer offered by default.  Use another DHCPv6 server in this case.
o Due to command line execution safety concerns the historic functions mwexec_bg() and mwexec() will be removed in 26.1.x.  Make sure your custom code is not using them and use mwexecf(), mwexecfb() and mwexecfm() instead.
o The function sessionClose() has also been removed from the MVC code and is no longer needed.  Make sure to remove it from your custom code.
o The custom.yaml support has been removed from intrusion detection.  Please migrate to the newer /usr/local/etc/suricata/conf.d override directory.
o The new host discovery service "hostwatch" is enabled by default (since 25.7.11).  You can always turn it off under Interfaces: Neighbors: Automatic Discovery if you so choose.
o The firewall migration page is not something you need to jump into right away.  Please make yourself familiar with the new rules GUI first and check the documentation for incompatibilities.  Single interface from the floating interface will not be considered "floating" in priorities.
o Firewall: NAT: Port Forwarding is now called "Destination NAT".  Firewall rule associations are no longer supported, but the old associated firewall rules remain in place with their last known configuration and can now be edited to suit future needs.
o Firewall: NAT: Source NAT is from the set of pages formerly known as automation, but Outbound NAT is still the main page for these types of rules.

The public key for the 26.1 series is:

-----BEGIN PUBLIC KEY-----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-----END PUBLIC KEY-----


Stay safe,
Your OPNsense team

--
SHA256 (OPNsense-26.1-dvd-amd64.iso.bz2) = 856c00a4ddf62f40cdc0871cd9fb6bbd455fb4dcca9337713b95ff42a41c88b2
SHA256 (OPNsense-26.1-nano-amd64.img.bz2) = 5731a3f21c5dbe221acf5b4777ed686f705f27e7560ffb05d29a68ea4e7c7e50
SHA256 (OPNsense-26.1-serial-amd64.img.bz2) = aaca6d4c44371673c555be354317533cf91ced86fc86c026716325c29c451d79
SHA256 (OPNsense-26.1-vga-amd64.img.bz2) = 3901b83750dd19ca26632b61bf5fe7ac86b8cfa0bfb3e633928c37416a14e5f9

[1] https://docs.opnsense.org/manual/install.html
[2] https://github.com/opnsense/plugins/blob/stable/26.1/security/acme-client/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/26.1/dns/ddclient/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/26.1/net/freeradius/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/26.1/net/isc-dhcp/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/26.1/sysutils/nextcloud-backup/pkg-descr
[7] https://github.com/opnsense/plugins/blob/stable/26.1/www/nginx/pkg-descr
[8] https://github.com/opnsense/plugins/blob/stable/26.1/mail/postfix/pkg-descr
[9] https://github.com/opnsense/plugins/blob/stable/26.1/security/q-feeds-connector/pkg-descr
[10] https://github.com/opnsense/plugins/blob/stable/26.1/security/wazuh-agent/pkg-descr
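The image checksums above are published in the BSD-style `SHA256 (file) = hash` form, and they cover the compressed `.bz2` archives exactly as downloaded. As an added example (not OPNsense's own tooling), the POSIX shell script below parses lines of that shape and verifies the files in a download directory before anything is decompressed or written to a disk; it falls back through the common SHA-256 tools so it runs on Linux, macOS and FreeBSD. The function names and the checksum-file layout (the announcement text pasted verbatim, non-SHA256 lines skipped) are my own assumptions.

```shell
#!/bin/sh
# Added example, not OPNsense's own tooling: verify downloaded release images
# against BSD-style "SHA256 (file) = hash" lines as published in the
# announcement. Digests are taken over the .bz2 archives as downloaded, so run
# this before decompressing them.

# sha256_of FILE -> lowercase hex digest, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1            # GNU coreutils
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1        # macOS / Perl
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                            # FreeBSD / OPNsense
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# verify_bsd_line LINE DIR -> 0 if DIR/<file> exists and its digest matches the
# 64-hex-digit value in LINE; 1 for a malformed line, a missing file or a
# mismatch. Only the exact "SHA256 (name) = hex" shape is accepted.
verify_bsd_line() {
    line=$1
    dir=$2
    name=$(printf '%s\n' "$line" | sed -n 's/^SHA256 (\(.*\)) = [0-9a-fA-F]\{64\}$/\1/p')
    expected=$(printf '%s\n' "$line" | sed -n 's/^SHA256 (.*) = \([0-9a-fA-F]\{64\}\)$/\1/p' | tr 'A-F' 'a-f')
    if [ -z "$name" ] || [ -z "$expected" ]; then
        echo "malformed checksum line: $line" >&2
        return 1
    fi
    if [ ! -f "$dir/$name" ]; then
        echo "missing: $name" >&2
        return 1
    fi
    actual=$(sha256_of "$dir/$name")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name (expected $expected, got $actual)" >&2
    return 1
}

# verify_all CHECKSUM_FILE DIR -> 0 only when at least one SHA256 line was
# found and every one of them verified. Lines that are not SHA256 entries
# (greetings, signature separators) are skipped, so the announcement text can
# be saved and used verbatim. An empty checksum file is a failure, not a pass.
verify_all() {
    failed=0
    checked=0
    while IFS= read -r l; do
        case $l in
            SHA256*)
                checked=$((checked + 1))
                verify_bsd_line "$l" "$2" || failed=$((failed + 1))
                ;;
        esac
    done < "$1"
    echo "checked $checked, failed $failed"
    [ "$checked" -gt 0 ] && [ "$failed" -eq 0 ]
}

# Usage: sh verify-images.sh checksums.txt ~/Downloads
if [ "$#" -ge 2 ]; then
    verify_all "$1" "$2"
fi
```

Save the `SHA256 (...) = ...` lines from the announcement into a text file and pass it together with the download directory; the exit status is non-zero when any listed archive is missing, mismatched, or when no checksum lines were found at all, so the script can gate an automated image fetch.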
#5
Announcements / OPNsense 26.1-RC2 released
January 26, 2026, 11:57:47 AM
Good morning again,

The second release candidate for 26.1 brings fixes for issues found by
our awesome community.  As an online-only update you need 26.1-RC1 to
install it.

The long-awaited dhcp6c refresh has been included as well as the latest
version for hostwatch addressing the community concerns collected from
25.7.11.

Here are the changes against version 26.1-RC1:

o system: add XMLRPC option for hostwatch
o interfaces: show ISC-DHCPv6 menu in "idassoc6" mode
o interfaces: fix validation issue in "idassoc6" mode
o interfaces: handle hostwatch user/group via package
o interfaces: avoid forced reloads when PDINFO is not set
o firewall: fix 3 issues and improve instructions in rule migration page
o firewall: improve GeoIP alias expiry condition
o firewall: escape selector in rule_protocol
o kea: add libdhcp_host_cmds.so to expose internal API commands for reservations
o kea: allow "hw-address" for reservations
o kea: add pool in subnet validation
o openvpn: account for CARP status in start and restart cases as well
o radvd: remove faulty empty address exception
o lang: various translation updates
o mvc: add ChangeCase support to ProtocolField for DNAT special case
o ports: dhcp6c v20260122
o ports: hostwatch 1.0.9

Migration notes, known issues and limitations:

o ISC-DHCP moves to a plugin. It will be automatically installed during upgrades. It is not installed on new installations because it is not being used, but you can still install and keep using it.
o To accommodate the change away from ISC-DHCP defaults the "Track interface" IPv6 mode now has a sibling called "Identity Association" which does the same except it is not automatically starting ISC-DHCPv6 and Radvd router advertisements to allow better interoperability with Kea and Dnsmasq setups.
o Due to command line execution safety concerns the historic functions mwexec_bg() and mwexec() will be removed in 26.1.x.  Make sure your custom code is not using them and use mwexecf(), mwexecfb() and mwexecfm() instead.
o The function sessionClose() has also been removed from the MVC code and is no longer needed.  Make sure to remove it from your custom code.
o The custom.yaml support has been removed from intrusion detection.  Please migrate to the newer /usr/local/etc/suricata/conf.d override directory.
o The new host discovery service "hostwatch" is enabled by default (since 25.7.11).  You can always turn it off under Interfaces: Neighbors: Automatic Discovery if you so choose.
o The firewall migration page is not something you need to jump into right away.  Please make yourself familiar with the new rules GUI first and check the documentation for incompatibilities.
o Firewall: NAT: Port Forwarding is now called "Destination NAT".  Firewall rule associations are no longer supported, but the old associated firewall rules remain in place with their last known configuration and can now be edited to suit future needs.

Please let us know about your experience!


Stay safe,
Your OPNsense team
#6
Announcements / OPNsense 26.1-RC1 released
January 22, 2026, 09:37:35 AM
Good morning world,

Here we are now with the first release candidate to kickstart the 26.1
series.  While this marks the end of an era as ISC-DHCP functionality
moves to a plugin it is only the beginning of structural improvements
and further innovation of topics that are important to our users: firewall
GUI and API, IPv6, intrusion detection using Suricata and overall security.

Keep in mind this is mostly an image-based pre-production test release.
Upgrades from the 25.7.11 development version will be available at some
point, but it is not clear when. An online-only RC2 will probably follow
as well.  The final release date for 26.1 is January 28.

https://pkg.opnsense.org/releases/26.1/

Here are the development highlights since version 25.7 came out:

o Introduce a new consistent rules GUI using MVC/API (formerly known as "Automation")
o Suricata version 8 and new inline inspection mode using "divert"
o NAT port forwarding migrated to "Destination NAT" as MVC/API
o Various IPv6 stability improvements and additional features
o Setup wizard improvements including use case selection
o Services: Router Advertisements migrated to MVC/API
o Shell command escaping improvements and audit
o Interfaces: Settings migrated to MVC/API
o Default IPv6 setup now relies on Dnsmasq
o Factory reset for individual components
o The firewall live log was rewritten
o Unbound blocklist source selection
o Automatic host discovery service

A more detailed change log will follow!

Migration notes, known issues and limitations:

o ISC-DHCP moves to a plugin. It will be automatically installed during upgrades. It is not installed on new installations because it is not being used, but you can still install and keep using it.
o To accommodate the change away from ISC-DHCP defaults the "Track interface" IPv6 mode now has a sibling called "Identity Association" which does the same except it is not automatically starting ISC-DHCPv6 and Radvd router advertisements to allow better interoperability with Kea and Dnsmasq setups.
o Due to command line execution safety concerns the historic functions mwexec_bg() and mwexec() will be removed in 26.1.x.  Make sure your custom code is not using them and use mwexecf(), mwexecfb() and mwexecfm() instead.
o The function sessionClose() has also been removed from the MVC code and is no longer needed.  Make sure to remove it from your custom code.
o The custom.yaml support has been removed from intrusion detection.  Please migrate to the newer /usr/local/etc/suricata/conf.d override directory.

The public key for the 26.1 series is:

-----BEGIN PUBLIC KEY-----
(key material not reproduced on this page)
-----END PUBLIC KEY-----

Please let us know about your experience!


Stay safe,
Your OPNsense team

--
SHA256 (OPNsense-26.1.r1-dvd-amd64.iso.bz2) = b0f1f48cd9104e96c37ab11c4381e3401d7d892c97ff8ec7aec1fcec44f16feb
SHA256 (OPNsense-26.1.r1-nano-amd64.img.bz2) = e9c6d72908bc60fc4172ee9c6cd92e7b34bc0e234cc5ad17b3d9f951824cc22a
SHA256 (OPNsense-26.1.r1-serial-amd64.img.bz2) = e03638f1d6fdbc300155fedf5d350603cb1479bf0f8ffe62c439ef0993b5aeb9
SHA256 (OPNsense-26.1.r1-vga-amd64.img.bz2) = f78a0bb9f771fe8846c32ab501875d3970e569b0c4163eff08cfc3bedc1ad747
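The SHA256 lines above are published so a downloaded image can be checked before it is written to a device or booted. The following POSIX shell script is an added example and not OPNsense project code: it parses BSD-style "SHA256 (file) = digest" lines, computes the digest of a local file with whichever tool the host offers, and reports a match, a mismatch, or a file the announcement does not list. The tool fallback order, the function names and the self-test file names and digests are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not OPNsense project code): verify a downloaded release image
# against the "SHA256 (file) = digest" lines from a release announcement.

# Compute the SHA256 of a file with whichever tool the host provides:
# sha256(1) on FreeBSD/OPNsense, sha256sum(1) on Linux, openssl(1) otherwise.
# (fallback order is an assumption of this example)
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# Read BSD-style digest lines on stdin and print the (lowercased) digest
# published for the given file name; print nothing when it is not listed.
published_digest() {
    awk -v name="$1" '
        $1 == "SHA256" && $2 == ("(" name ")") && $3 == "=" { print tolower($4); exit }
    '
}

# Verify one file against a block of digest lines passed as the second argument.
# Returns 0 on match, 1 on mismatch, 2 when no digest is published for the name.
verify_image() {
    file="$1"; digests="$2"
    want=$(printf '%s\n' "$digests" | published_digest "$(basename "$file")")
    if [ -z "$want" ]; then
        echo "no published digest for $(basename "$file")" >&2
        return 2
    fi
    have=$(sha256_of "$file")
    if [ "$have" = "$want" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file (got $have, expected $want)" >&2
    return 1
}

# Constructed digest list for a self-test (not from any announcement): the
# first line is the digest of the five bytes "hello" followed by a newline,
# the second is a deliberately wrong digest for an identical file.
SELF_TEST_DIGESTS='SHA256 (sample.img) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
SHA256 (other.img) = 0000000000000000000000000000000000000000000000000000000000000000'

# Exercise all three outcomes on constructed files; returns 0 when each
# outcome is reported with the expected exit status.
self_test() {
    dir=$(mktemp -d) || return 3
    printf 'hello\n' > "$dir/sample.img"
    cp "$dir/sample.img" "$dir/other.img"
    ok=0;   verify_image "$dir/sample.img"  "$SELF_TEST_DIGESTS" >/dev/null 2>&1 || ok=$?
    bad=0;  verify_image "$dir/other.img"   "$SELF_TEST_DIGESTS" >/dev/null 2>&1 || bad=$?
    none=0; verify_image "$dir/missing.img" "$SELF_TEST_DIGESTS" >/dev/null 2>&1 || none=$?
    rm -rf "$dir"
    [ "$ok" -eq 0 ] && [ "$bad" -eq 1 ] && [ "$none" -eq 2 ]
}

# Usage: sh verify_image.sh <downloaded file> <text file holding the SHA256 lines>
# With no arguments the script runs its own self-test instead.
if [ "$#" -eq 2 ]; then
    verify_image "$1" "$(cat "$2")"
elif [ "$#" -eq 0 ]; then
    self_test && echo "self-test passed"
fi
```

Copy the four SHA256 lines from the announcement into a text file as they are and pass that file as the second argument; the comparison is by file name, so keep the downloaded image under its original name. A mismatch means the download is corrupt or tampered with and the image should not be used.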
#7
Hello,

We have been working on a number of IPv6 improvements and I'd like to ask willing users to help test them with us!

1. dhcp6c improvements

dhcp6c has received a lot of refactoring and cleanups and can now set the lifetime of prefixes (formerly set to infinite by the code even though that's not what is being e). The code changed to offer the valid life time as preferred/valid life times during configuration, which makes them expire automatically. We found a few bugs in the FreeBSD kernel that were fixed in 25.7.11 so testing the new dhcp6c code is possible now.

Again: make sure you are on 25.7.11 :)

# opnsense-code dhcp6c
# cd /usr/dhcp6c
# ./configure
# make upgrade

dhcp6c will not restart automatically. The best way to use the new version is to reboot.

If you want to revert to the version that belongs to 25.7.11 you can do:

# opnsense-revert dhcp6c

(and reboot)

The first two pages here are the relevant changes: https://github.com/opnsense/dhcp6c/commits/master/

2. We're testing multi-dhcp6c again after deciding against it many years ago. There are some downsides to using one daemon for all WANs, so a patch exists to split the daemons up! This also makes it possible to get better control of individual PD associations requested from the ISP.

This requires the 25.7.11 DEVELOPMENT version to apply cleanly. I recommend using a snapshot before switching since a number of things will be migrated and it's not easy to switch back as some settings will be in the wrong place. A config backup and restore is also an idea if you make the direct transition back using the firmware GUI.

# opnsense-patch https://github.com/opnsense/core/commit/5b8c2a862e

A reboot would be the best course of action here too.

More context on the work we did here is in https://github.com/opnsense/core/issues/7647

If you have any questions please let me know.  All feedback is welcome, especially from multi-WAN IPv6 users!  :)


Cheers,
Franco
#8
Announcements / OPNsense 25.7.11 released
January 15, 2026, 05:08:41 PM
A happy new year to all of you!

25.7.11 comes at a strange point in time but we will try to offer a bit of
familiarity and common sense as we probably all need more of this.  <3

This release brings the new host discovery service which resolves and remembers
MAC addresses for IPv4 and IPv6 hosts in your connected networks and provides
this data for the firewall MAC aliases and captive portal clients.  It is now
enabled by default, but you can choose to opt out by disabling the automatic
discovery option.

A lot of work went into IPv6 improvements over the holidays as is tradition
with the help of users debugging their networks during that time.  A number
of kernel fixes have been supplied and dhcp6c will also receive a larger update
in 26.1 soon.

The changes are otherwise clustered around preparation for the major upgrade
which brings a number of fundamental changes with the ongoing removal of
ISC-DHCP from core.  A plugin is already available through the development
version and should auto-install.  If not make sure you install it before
attempting a reboot there.  For the stable version everything is as it was.

That being said, 26.1-RC1 will be out early next week and RC2 likely follows
quickly.  We are still set for a final release date of January 28.  See you on
the other side!

Here are the full patch notes:

o system: add tooltip explaining active status in snapshots
o system: add "lazy loading" model support on Trust\Cert
o system: properly fill DNS SAN from existing certificates (contributed by Klaas Demter)
o system: rename sudoers file to make it more sortable (contributed by David Jack Wange Olrik)
o system: numerous safe execution changes
o system: sort to retain order in syslog-ng source definitions
o interfaces: fix comparison in PPP check code during assignment
o interfaces: prefer longer lifetimes if multiple exist
o interfaces: defer manual rtsold script execution
o interfaces: use mwexecfb() in two instances
o interfaces: move configure_interface_hardware() to main file
o interfaces: migrate "sharednet" setting to its respective sysctls
o interfaces: add and enable new host discovery feature for neighbours via hostwatch
o firewall: automation: only show ICMP type when protocol is ICMP
o firewall: automation: add multi-select ICMP6 options
o firewall: use new host discovery in MAC type aliases
o firewall: simplify port alias check
o captive portal: assign empty array when "interface list arp json" returns invalid JSON
o captive portal: use new host discovery service by default
o dhcrelay: reload table to update relay status
o intrusion detection: datakey hint was missing for rules edit
o intrusion detection: replace "all" alert selection with explicit maximum choices
o ipsec: most safe execution transformations done
o isc-dhcp: internalize interfaces_staticarp_configure()
o isc-dhcp: safeguard access to DHCPv6 "enable" property
o kea: refactor daemon(8) call to mwexecfb()
o network time: fix GPS coordinate display in status page (contributed by brotherla)
o openvpn: add simple search functionality for accounts table in client export
o openvpn: skip dynamic content when loading the model in client export
o openvpn: convert two more exec() calls
o openvpn: fix archive client export
o unbound: remove delete selected button for single select overrides grid
o unbound: add per-policy quick actions in reporting overview
o unbound: add overrides reference counter for aliases
o unbound: info section was larger than table width
o backend: exec() removal in get_sysctl()/set_sysctl()
o backend: exec() removal in auth scripts
o mvc: reduce some call overhead in BaseField/IntegerField
o mvc: introduce defaultConfig property for AppConfig
o mvc: uppercase all form labels
o mvc: use asInt() in GidField and UidField
o mvc: BaseField: add isSet()
o tests: revamped config and base model tests
o ui: bootgrid: allow conditional command rendering through a filter function
o plugins: os-frr 1.50[1]
o plugins: os-ndp-proxy-go 1.3[2]
o plugins: os-telegraf 1.12.14[3]
o src: in6: modify address prefix lifetimes when updating address lifetimes
o src: ipv6: fix off-by-one in pltime and vltime expiration checks
o src: ipv6: do not complain when deleting an address with prefix length of 128
o src: ifconfig: fix the -L flag when using netlink
o src: netlink: do not directly access ifnet members
o src: netlink: do not overwrite existing data in a linear buffer in snl_writer
o src: netmap: Let memory allocator parameters be settable via loader.conf
o src: pfsync: avoid zeroing the state export union
o src: divert: fix removal of divert sockets from a group
o src: divert: use a jenkins hash to select the target socket
o src: divert: define semantics for SO_REUSEPORT_LB on divert sockets
o src: divert: use CK_SLISTs for the divcb hash table
o src: pf: rationalize the ip_divert_ptr test
o src: pf: fix handling of IPv6 divert packets
o src: rtsold: check RA lifetime before triggering the one-shot always script
o ports: hostwatch 1.0.4
o ports: suricata 8.0.3[4]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/25.7/net/frr/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/25.7/net/ndp-proxy-go/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/25.7/net-mgmt/telegraf/pkg-descr
[4] https://suricata.io/2026/01/13/suricata-8-0-3-and-7-0-14-released/
#9
Announcements / OPNsense 25.7.10 released
December 18, 2025, 03:53:32 PM
Howdy,

This update is released mainly due to the fact that FreeBSD-SA-25:12.rtsold[2]
has impact on WAN-facing DHCPv6 connectivity being used, but also offers a
mid-size batch of improvements like CARP VHID awareness for DHCRelay and
a thorough cleanup and improvement pass over the Suricata integration we
have been discussing during Suricon in November.

Of special note is that the captive portal accounting moves back to ipfw(4)
from pf(4) because in larger deployments accounting rules are much faster
this way and the use case of Ethernet-less captive portals such as on top
of WireGuard now work properly again.  The hook for pluggable pf(4) "ether"
rules remains for now but will be removed in 26.1 as we do not intend to
advocate its use.

Also, Python has reported security issues of which a DoS in http.client could
potentially affect existing installations given that an HTTP server sends
a malicious response which "can consume a large amount of memory and CPU time
and cause swapping".  Python has not released an update for version 3.11 at
this point in time.

Here are the full patch notes:

o system: clean up and normalise the sample config.xml
o system: replace "realif" variables with "device" in gateway code
o system: replace exec() in live banner SSH probe
o interfaces: scan pltime/vltime in "ifconfig -L" mode
o firewall: live log: allow column modifications and combine hostname columns
o firewall: live log: add bigger table size options and simplify table update
o firewall: minor simplification in filter sync script
o reporting: health: add CPU temperature y-axis label (contributed by NOYB)
o dhcrelay: add CARP VHID tracking option to relays
o dhcrelay: use the new mwexecf() $format support
o firmware: opnsense-update: remove architecture pinning for -X option
o captive portal: re-introduce ipfw for accounting purposes only
o dnsmasq: add DHCP logging flags to influence log verbosity
o intrusion detection: refactor query scripts and deprecate params.py
o intrusion detection: increase maintainability of suricata.yaml file
o intrusion detection: add support for /usr/local/etc/suricata/conf.d directory
o intrusion detection: clean up views and controllers
o openvpn: add AES-256-CBC cipher for legacy compat (contributed by Fabian Franz)
o openvpn: add support for verify-x509-name option (contributed by laozhoubuluo)
o openvpn: replace exec() in MVC code
o unbound: deprecate Blocklist.site blocklists (contributed by Drumba08)
o unbound: clean up blocklists update marker and size file handling
o mvc: ApiMutableModelControllerBase: add invalidateModel() method
o mvc: Config: use is_int()/array_key_first() in toArray() and fromArray()
o mvc: Config: use LIBXML_NOBLANKS when loading config files
o mvc: FilterBaseController: move shared automation rule logic here
o mvc: get translated services description from API (contributed by Tobias Degen)
o mvc: BaseField: provide asInt() method
o rc: bootstrap /var/lib/php/tests for upcoming test case use
o plugins: os-ndp-proxy-go 1.2[1]
o plugins: os-theme-rebellion 1.9.4 (contributed by Team Rebellion)
o src: e1000: do not enable ASPM L1 without L0s
o src: e1000: bump 82574/82583 PBA to 32K
o src: if_ovpn: use IFT_TUNNEL
o src: ifconfig: bring back -L for netlink
o src: igb: fix VLAN support on VFs
o src: irdma: fix potential memory leak on qhash cqp operation
o src: ix: add support for debug dump for E610 adapters
o src: netmap: fix error handling in nm_os_extmem_create()
o src: pf: reading rules with a read lock on ioctl
o src: pf: relax sctp v_tag verification
o src: pf: handle divert packets
o src: pfsync: fix incorrect unlock during destroy
o src: rtsold: remote code execution via ND6 router advertisements[2]
o ports: dpinger 3.4[3]
o ports: libucl 0.9.3
o ports: nss 3.119.1[4]
o ports: phpseclib 3.0.48


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/25.7/net/ndp-proxy-go/pkg-descr
[2] https://www.freebsd.org/security/advisories/FreeBSD-SA-25:12.rtsold.asc
[3] https://github.com/dennypage/dpinger/releases/tag/v3.4
[4] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_119_1.html
[5] https://github.com/phpseclib/phpseclib/releases/tag/3.0.48
#10
I want to make this snappy and the TLDR is in the subject. This is not to fish for solidarity or discussion at length, but if you have questions I will try to answer them below.

On Friday, September 5 at 21:55, I got a no further signed mail from a "FreeBSD Core Team Secretary":

> Due to repeated behavior that violates our community's code of conduct,
> your access to FreeBSD Project services (Bugzilla, Wiki, Phabricator,
> and the mailing lists) is suspended for three months, until the end of
> November 2025.

It's now two weeks into December and I'm still blocked. I appreciate good rules as long as everybody also follows them, but in the many years I've contributed to FreeBSD I've seen exceptions and loopholes time and again. I don't wish to see them any longer.

According to the mail this is in direct relation to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=283795 which is basically a continuation of a bug caused by https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701 where the core team made clear that proper bug reports must be raised. To me it seemed wrong that the relevant topic was then still ignored for roughly half a year until a different user and not a committer found and fixed the issue. Only then it seemed right to answer and correct users asking what is going on?

Perhaps the ban is deserved and I've gladly done my time, but I still don't know what the punishment of an external contributor is meant to do other than give me a number of sleepless nights and the cozy feeling on a Friday evening that I'm a very bad person (thanks I guess). If this is how contributors are structurally treated I don't see the point in contributing. Or maybe me throwing the towel is the goal?

I've moderately contributed to FreeBSD roughly since 2013 with very mixed success. The key was to persistently ask for committers all the time because a patch is still nothing compared to the commit it will be going into the tree which takes a couple of seconds. I've seen many committers come and go. My patches do resemble the average quality of FreeBSD committers submissions. I've studied computer science and helped run OPNsense as a volunteer for many years. My patches are now committed by people who have been on the project for much shorter periods of time if they are not being ignored. Commits being made by others don't follow standards I was trained on in the early years of my tenure in FreeBSD.

There is a lot more to tell here but I know it's a waste of time given what I've been through. At some point the self-fulfilling prophecy of me being an unlikable, unreasonable, inept and uncooperative person/coder started by FreeBSD adjacent enthusiasts around 2015 had taken a life of its own. I've told several people and core team members about a pattern of neglect and abuse towards me, but it seems that throwing me under the bus is the easiest solution for everyone involved to this day. I'm ok with that, but I am free to say that I don't very much enjoy it. A number of people from FreeBSD are actually active in the OPNsense scope these days. PfSense uses code contributed by OPNsense. We are all benefiting from each other. The situation is perfectly natural for open source efforts, so I don't understand why I am not being tolerated. I'd really like to hear the explanation for a 3 year old but upon asking I haven't gotten any answer either.

So now I'll have a lot more time to build community and code and releases in OPNsense and that's a good thing. People can look up to our standards instead. Use our patches or leave them. Be friendly and cooperative or not. It will be neat and we will know it's because we're doing great things here together. :)


Cheers,
Franco
#11
This business release is based on the OPNsense 25.7.8 community version
with additional reliability improvements, but without revamped Unbound
blocklists for the time being.

Please be aware that during the update check the new package manager will be
installed, but will fail to report the update status like it always had before
and so you will end up with an error that will require checking for updates
again.  The fix is in this update, but impossible to install without upgrading
the package manager first.  We hope this will only be a minor inconvenience
during the process.

Also, Python has reported security issues of which a DoS in http.client could
potentially affect existing installations given that an HTTP server sends
a malicious response which "can consume a large amount of memory and CPU time
and cause swapping".  Python has not released an update for version 3.11 at
this point in time.

Here are the full patch notes:

o system: use new file_safe() in two instances
o system: improve the HA VIP sync code
o system: simplify RRD backup code and remove exec() usage[1] (reported by Alex Williams from Pellera Technologies working with Trend Zero Day Initiative)
o system: move valid_from search criteria to log_matcher for faster end of search
o system: use file_safe() in gateway monitor watcher
o system: refactor factory reset page to MVC and add a reset per component operating on models
o system: fix a HA sync regression introduced in 25.7.6 that prevented a sync from succeeding in an edge case
o system: defaults: properly delete empty model containers in the configuration
o system: switch int/bool to string in gateway properties
o system: ignore TypeErrors when parsing log lines in the backend
o system: replace various raw exec(), system(), passthru() and shell_exec() calls with safer variants
o system: add host route deletion support to system_host_route()
o system: move the general page host route removal to system_host_route()
o system: add CA chain to PKCS12 export
o system: fix hidden syslog HA XMLRPC sync option
o interfaces: fix permission of packet capture file in strict security mode
o interfaces: ifctl: always allow reads to internal state files
o interfaces: fix overview details button not working
o interfaces: support link-local IPv6 mode
o interfaces: also stop PPPoE connections when CARP is temporarily disabled (contributed by René Mayrhofer)
o interfaces: fix packet capture and ping buttons not working since 25.7.7
o interfaces: limit execution of sysctl scope in PPP device edit code
o interfaces: safer interfaces_pfsync_configure() handling
o firewall: refactor live log using a ring buffer
o firewall: add toggles to disable selected automatic rules
o firewall: enable "safe delete" for categories
o firewall: improved stats rendering on automation rules
o firewall: allow searching aliases in automation rules inspect mode by IP address
o firewall: automation: fix alias IP address search
o firewall: automation: allow interface parameter to contain a list of interfaces for API users
o firewall: aliases: replace invalid unicode chars (contributed by Marius Halden)
o firewall: live log: only execute redraw on visibility state transition
o firewall: live log: optimize viewbuffer rendering
o firewall: live log: prevent re-resolving in-flight requests and move host lookup to current filtered view
o firewall: live log: fix data ordering and add table/history limit options
o firewall: live log: use "badge" class like before
o firewall: live log: make this grid static and slightly adjust info column width
o firewall: live log: backwards compatibility for old "interface_name" field type
o firewall: live log: fix wrong variable scope
o firewall: live log: restructure DOM layout to reduce wasted header space
o firewall: live log: revert static property, persistence is disabled for this grid
o firewall: states: fix delete_selected firewall states (contributed by Alexander Sulfrian)
o firewall: do not allow nesting in GeoIP aliases
o firewall: automation: split search logic and normalize legacy output
o firewall: aliases: add a few GeoIP related logging messages
o firewall: mute pfctl-based table entry expire to avoid cron noise due to stderr use
o firewall: aliases: missing placeholder for username in basic auth type selection
o firewall: support "0" as valid rule ID in rule lookup redirect
o firewall: automation: add per-rule state timeouts for "udp.first", "udp.multiple" and "udp.single"
o captive portal: fix selectpicker #voucher-groups not being re-rendered after change event
o captive portal: move grid init to tab show event
o dnsmasq: strict hostname and domain validation plus improved ipset validations
o dnsmasq: add optgroup support to DHCP option fields and expose all DHCPv4 options
o dnsmasq: switch to file_safe() use in backend
o dnsmasq: minor safe execution changes in backend
o firmware: package manager upgrade changes for pkg 2.x
o intrusion detection: remove obsolete "ac-bs" pattern matcher algorithm
o ipsec: sessions: add datakey property for row mapping
o ipsec: status: search phase 2 triggered twice on click and cleanup tooltip event as well
o ipsec: disable model caching on SPD page
o ipsec: add AES256GCM16 to the child ESP proposals list
o ipsec: hide phase 2 output based on phase 1 status instead of the row count for phase 2
o ipsec: add "reqid_base" setting to advanced settings
o ipsec: sessions: fix missing commands translation
o ipsec: connections: prevent model caching when referring items within the same model
o isc-dhcp: adjust backend for safe execution
o kea-dhcp: automatic route support for PD leases
o kea-dhcp: case insensitive MAC address comparison
o openssh: minor safe execution change in backend
o openvpn: add support for pushing excluded routes via net_gateway (contributed by Patrice Damezin)
o openvpn: allow multiple domains settings for client connection (contributed by Krisztian Ivancso)
o openvpn: use file_safe() to write CRL files
o openvpn: swap description and mode in "tls_key" and require a description for static keys
o openvpn: one safe execution change
o openvpn: add fast-io option (contributed by mdten)
o radvd: safe execution changes
o unbound: use file_safe() for root hint creation
o unbound: deprecate unmaintained AdAway blocklist (contributed by Maurice Walker)
o unbound: duplicate pointer records due to not casting the field types
o unbound: missing lock in del_host_override action
o wireguard: add debug option to instances
o wireguard: fix wrong maximum value for "PersistentKeepalive"
o backend: add file_safe() helper for atomic file creation
o backend: rename "realif" variables to "device" in a number of spots
o backend: avoid the use of get_real_interface() when it does not matter and remove dead code associated with that
o backend: extend shell_safe() to emulate exec() $output argument magic
o backend: reimplement existing command execution functions with Shell class implementation
o backend: replace mwexecf_bg() with mwexecfb() for clarity
o mvc: add RegexField to properly validate PCRE2 syntax
o mvc: support arrays in search clauses
o mvc: OptionField: properly translate optgroup
o mvc: JsonKeyValueStoreField: fix race condition when using SourceField in the model
o mvc: persist models description in root attribute of its respective configuration
o mvc: move translation to menu system and add "FixedName" property
o mvc: extend ModelRelationField so it can optionally disable caching
o mvc: rewrite the old Shell class according to our current standards for safe command execution (exec_safe() wrapper)
o mvc: fix default sort order being ignored in fetchBindRequest()
o mvc: make "data_change_message_content" configurable
o rc: do not clear /tmp on a diskless install
o rc: secure an exec() in the recovery script
o shell: assorted cleanups in console menu related scripts
o ui: assorted adjustments for dark theme
o ui: always show bootgrid reset button
o ui: improve grid responsiveness via minWidth()
o ui: remove this.dataIdentifier as datakey defines the key to be used when asking "row-id" or getSelectedRows
o ui: SimpleActionButton: add support for icons in action buttons
o ui: recompile default themes using dart sass (1.93.2) which changes color rendering
o ui: keyboard shortcuts for "a"dvanced and "h"elp in MVC pages (contributed by Konstantinos Spartalis)
o ui: bail out on dynamic grid resize if data is loading
o ui: bootgrid: prevent full table redraw without onDataProcessed trigger
o ui: bootgrid: add missing datakeys to two pages
o ui: fix tokenizer event trigger loop
o plugins: os-OPNWAF 2.1
o plugins: os-ddclient 1.28[2]
o plugins: os-freeradius 1.9.28[3]
o plugins: os-frr 1.49[4]
o plugins: os-git-backup 1.1[5]
o plugins: os-ndp-proxy-go 1.0 is a hot-off-the-press userspace IPv6 Neighbor Discovery Proxy[6]
o plugins: os-q-feeds-connector 1.3[7]
o plugins: os-tailscale 1.3[8]
o plugins: os-tayga 1.3[9]
o plugins: os-theme-flexcolor 1.0 is a new 3-in-one theme[10] (contributed by Schnuffel2008)
o plugins: os-zabbix-proxy 1.15[11]
o src: dhclient: improve UDP checksum handling
o src: dummynet: move excessive logging messages under debug output
o src: ice: add PCI IDs for E835 devices
o src: ice: add support for E835-XXV-4 adapter
o src: if_vxlan: fix byteorder of source port
o src: ifconfig: assorted stable branch improvements
o src: igb: fix out-of-bounds register access on VFs
o src: ipfw: check for errors from sooptcopyin() and sooptcopyout()
o src: ipfw: pmod: avoid further rule processing after tcp-mod failures
o src: ix/ixv: add support for new Intel Ethernet E610 family devices
o src: ixl: fix multicast promiscuous mode state tracking and filter management
o src: net: validate interface group names in ioctl handlers
o src: netlink: in snl_init_writer() do not overwrite error in case of failure
o src: pf: improve add state validation
o src: pf: improve DIOCRCLRTABLES validation
o src: pf: SCTP abort messages fully close the connection
o src: sctp, tcp, udp: improve deferred computation of checksums
o src: SO_REUSEPORT_LB breaks connect(2) for UDP sockets[12]
o src: vtnet: assorted stable branch improvements
o ports: curl 8.17.0[13]
o ports: kea 3.0.2[14]
o ports: libxml 2.14.6[15]
o ports: nss 3.118.1[16]
o ports: openssh 10.2p1[17]
o ports: openvpn 2.6.17[18]
o ports: pcre2 10.47[19]
o ports: php 8.3.28[20]
o ports: pkg 2.3.1
o ports: python 3.11.14[21]
o ports: sqlite 3.50.4[22]
o ports: strongswan 6.0.3[23]
o ports: suricata 8.0.2[24]
o ports: syslog-ng 4.10.2[25]
o ports: unbound 1.24.2[26]


Stay safe,
Your OPNsense team

--
[1] https://www.cve.org/cverecord?id=CVE-2025-13698
[2] https://github.com/opnsense/plugins/blob/stable/25.7/dns/ddclient/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/25.7/net/freeradius/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/25.7/net/frr/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/25.7/sysutils/git-backup/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/25.7/net/ndp-proxy-go/pkg-descr
[7] https://github.com/opnsense/plugins/blob/stable/25.7/security/q-feeds-connector/pkg-descr
[8] https://github.com/opnsense/plugins/blob/stable/25.7/security/tailscale/pkg-descr
[9] https://github.com/opnsense/plugins/blob/stable/25.7/net/tayga/pkg-descr
[10] https://github.com/opnsense/plugins/blob/stable/25.7/misc/theme-flexcolor/pkg-descr
[11] https://github.com/opnsense/plugins/blob/stable/25.7/net-mgmt/zabbix-proxy/pkg-descr
[12] https://www.freebsd.org/security/advisories/FreeBSD-SA-25:09.netinet.asc
[13] https://curl.se/changes.html#8_17_0
[14] https://downloads.isc.org/isc/kea/3.0.2/Kea-3.0.2-ReleaseNotes.txt
[15] https://gitlab.gnome.org/GNOME/libxml2/-/blob/master/NEWS
[16] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_118_1.html
[17] https://www.openssh.com/txt/release-10.2
[18] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.17
[19] https://github.com/PCRE2Project/pcre2/releases/tag/pcre2-10.47
[20] https://www.php.net/ChangeLog-8.php#8.3.28
[21] https://docs.python.org/release/3.11.14/whatsnew/changelog.html
[22] https://sqlite.org/releaselog/3_50_4.html
[23] https://github.com/strongswan/strongswan/releases/tag/6.0.3
[24] https://suricata.io/2025/11/06/suricata-8-0-2-and-7-0-13-released/
[25] https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.10.2
[26] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-24-2
#12
Announcements / OPNsense 25.7.9 released
December 04, 2025, 03:12:42 PM
What is up everyone,

A bug snuck into the last release that did not properly disable the
caching of DNS entries when using multiple blocklists with different
network restrictions.  We have used the opportunity to polish the
notification code and apply behaviour during the migration of the
old blocklist to the new format.

The saga around safe command execution continues in this release
as well.  Otherwise it is a rather quiet release and 2025 is almost
over.  Happy holidays!

Here are the full patch notes:

o system: gateway monitor Shell class use et al
o system: no longer back up DUID but add compatibility glue to opnsense-importer
o system: replace exec() in config encrypt/decrypt
o system: replace history diff exec() with shell_safe()
o system: safe execution tweaks in rc.routing_configure
o system: fix log keyword search regression introduced in 25.7.7
o reporting: unbound: fix quick allow/blocklist actions by applying them to all blocklists
o firewall: run filterlog directly after rules apply and remove promiscuous mode
o firewall: allow setting a custom authentication HTTP header for alias URL fetch (contributed by nox-404)
o firewall: for better IPv6 PMTU let "timex" and "paramprob" ICMP types through
o firewall: do not allow nesting in GeoIP aliases
o firewall: live log: restructure DOM layout to reduce wasted header space
o firewall: live log: revert static property, persistence is disabled for this grid
o firewall: safe execution changes in rules reloading code
o firewall: safe execution changes in rc.filter_synchronize
o dnsmasq: minor tweaks in lease commands
o firmware: Shell class replacements in scripting
o kea-dhcp: add lease commands, tabulator GroupBy, URL hashes
o kea-dhcp: add DNR option (contributed by schreibubi)
o network time: status: refactor to MVC/API
o ipsec: connections: prevent model caching when referring items within the same model
o ipsec: sessions: fix missing commands translation
o isc-dhcp: move syslog definitions to plugin file
o unbound: prevent caching of blocklist entries on overlapping subnet policies
o unbound: notify user if a blocklist reset is required
o unbound: reconfigure if marker file present
o unbound: missing lock in del_host_override action
o backend: minor shell execution changes and readability
o backend: use mwexecf(m) where possible
o backend: extend mwexecfb() with PID and log file support
o mvc: fix default sort order being ignored in fetchBindRequest()
o shell: rewrite timeout() using safe execution functions
o ui: refresh notification status after default apply button is done
o ui: remove obsolete jQuery bootgrid files
o plugins: os-acme-client 4.11[1]
o plugins: os-ndp-proxy-go 1.1[2]
o plugins: os-tailscale 1.3[3]
o plugins: os-turnserver 1.1[4]
o plugins: os-upnp 1.8 features assorted improvements to plugin and daemon (contributed by Self-Hosting-Group)
o plugins: os-web-proxy-sso has been marked for removal in 26.1
o plugins: os-zabbix-agent 1.18[5]
o plugins: os-zabbix-proxy 1.16[6]
o ports: filterlog no longer uses unneeded promiscuous mode
o ports: openvpn 2.6.17[7]
o ports: unbound 1.24.2[8]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/25.7/security/acme-client/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/25.7/net/ndp-proxy-go/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/25.7/security/tailscale/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/25.7/net/turnserver/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/25.7/net-mgmt/zabbix-agent/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/25.7/net-mgmt/zabbix-proxy/pkg-descr
[7] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.17
[8] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-24-2
#13
Announcements / OPNsense 25.7.8 released
November 26, 2025, 12:17:59 PM
Hey,

So we are making way for safer command execution since a comment was
added to the certification of the business version about a possible
injection into interfaces_pfsync_configure() -- note that it was a comment
and not a security issue since the exploit requires editing the config.xml
and/or doing a configuration import.

The issue in interfaces_pfsync_configure() has now been fixed, but as
mentioned the idea was to get rid of these problems once and for all so
the Shell class was rewritten and every call was audited.  You will see
more movement on our way to 26.1 in this area as we do not want to push
all changes into the 25.7 series immediately so that they can be properly
verified first.  Suffice to say most of the code we worked on over the
years was already much safer due to the introduction of exec_safe() very
early in the project history.

The Unbound blocklists feature formerly known as a business feature is
now a community feature.  Since this required merging the existing
community one with the business one, you need to make sure to reapply the
blocklist settings after the reboot since it will not generate a new and
possibly incompatible format.  Make sure to check your automatically
migrated settings while at it.

What does all of this mean?  It means security matters.  It also means
that community matters.  We will continue to improve the community version
because it is the base for the business version and that is exactly how
it should be so that everybody can benefit from these changes!

Note this release includes a new kernel with a lot of improvements in the
vtnet(4) driver department.  It is stable code according to release
engineering procedure but if you are seeing specific issues let us know.

Here are the full patch notes:

o system: defaults: properly delete empty model containers in the configuration
o system: switch int/bool to string in gateway properties
o system: ignore TypeErrors when parsing log lines in the backend
o system: replace various raw exec(), system(), passthru() and shell_exec() calls with safer variants
o system: add host route deletion support to system_host_route()
o system: move the general page host route removal to system_host_route()
o system: add CA chain to PKCS12 export
o interfaces: support link-local IPv6 mode
o interfaces: also stop PPPoE connections when CARP is temporarily disabled (contributed by René Mayrhofer)
o interfaces: fix packet capture and ping buttons not working since 25.7.7
o interfaces: limit execution of sysctl scope in PPP device edit code
o interfaces: safer interfaces_pfsync_configure() handling
o firewall: live log: make this grid static and slightly adjust info column width
o firewall: live log: backwards compatibility for old 'interface_name' field type
o firewall: live view: fix wrong variable scope
o firewall: automation: split search logic and normalize legacy output
o firewall: aliases: add a few GeoIP related logging messages
o firewall: mute pfctl-based table entry expire to avoid cron noise due to stderr use
o firewall: aliases: missing placeholder for username in basic auth type selection
o firewall: support "0" as valid rule ID in rule lookup redirect
o firewall: automation: add per-rule state timeouts for "udp.first", "udp.multiple" and "udp.single"
o captive portal: fix selectpicker #voucher-groups not being re-rendered after change event
o captive portal: move grid init to tab show event
o dnsmasq: switch to file_safe() use in backend
o dnsmasq: minor safe execution changes in backend
o kea-dhcp: automatic route support for PD leases
o kea-dhcp: case insensitive MAC address comparison
o isc-dhcp: adjust backend for safe execution
o ipsec: disable model caching on SPD page
o ipsec: add AES256GCM16 to the child ESP proposals list
o ipsec: hide phase 2 output based on phase 1 status instead of the row count for phase 2
o ipsec: add "reqid_base" setting to advanced settings
o openssh: minor safe execution change in backend
o openvpn: swap description and mode in "tls_key" and require a description for static keys
o openvpn: one safe execution change
o openvpn: add fast-io option (contributed by mdten)
o radvd: safe execution changes
o unbound: improve CNAME handling of whitelisted domains
o unbound: safe command execution changes
o unbound: merge extended blocklists into community version
o unbound: duplicate pointer records due to not casting the field types
o wireguard: fix wrong maximum value for "PersistentKeepalive"
o backend: rename "realif" variables to "device" in a number of spots
o backend: avoid the use of get_real_interface() when it does not matter and remove dead code associated with that
o backend: extend shell_safe() to emulate exec() $output argument magic
o backend: reimplement existing command execution functions with Shell class implementation
o backend: replace mwexecf_bg() with mwexecfb() for clarity
o mvc: move translation to menu system and add "FixedName" property
o mvc: extend ModelRelationField so it can optionally disable caching
o mvc: rewrite the old Shell class according to our current standards for safe command execution (exec_safe() wrapper)
o mvc: make "data_change_message_content" configurable
o shell: assorted cleanups in console menu related scripts
o ui: fix tokenizer event trigger loop
o plugins: os-freeradius 1.9.28[1]
o plugins: os-frr 1.49[2]
o plugins: os-ndp-proxy-go 1.0 is a hot-off-the-press userspace IPv6 Neighbor Discovery Proxy[3]
o plugins: os-q-feeds-connector 1.3[4]
o plugins: os-theme-flexcolor 1.0 is a new 3-in-one theme[5] (contributed by Schnuffel2008)
o src: vtnet: assorted stable branch improvements
o src: ifconfig: assorted stable branch improvements
o src: SO_REUSEPORT_LB breaks connect(2) for UDP sockets[6]
o src: sctp, tcp, udp: improve deferred computation of checksums
o src: dhclient: improve UDP checksum handling
o src: ipfw: check for errors from sooptcopyin() and sooptcopyout()
o src: ipfw: pmod: avoid further rule processing after tcp-mod failures
o src: dummynet: move excessive logging messages under debug output
o src: net: validate interface group names in ioctl handlers
o src: pf: improve DIOCRCLRTABLES validation
o src: pf: improve add state validation
o src: pf: SCTP abort messages fully close the connection
o src: if_vxlan: fix byteorder of source port
o src: ixl: fix multicast promiscuous mode state tracking and filter management
o src: ix/ixv: add support for new Intel Ethernet E610 family devices
o src: ice: add PCI IDs for E835 devices
o src: ice: add support for E835-XXV-4 adapter
o src: igb: fix out-of-bounds register access on VFs
o src: netlink: in snl_init_writer() do not overwrite error in case of failure
o ports: curl 8.17.0[7]
o ports: nss 3.118.1[8]
o ports: openvpn 2.6.16[9]
o ports: pcre2 10.47[10]
o ports: php 8.3.28[11]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/25.7/net/freeradius/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/25.7/net/frr/pkg-descr
[3] https://docs.opnsense.org/manual/ndp-proxy-go.html
[4] https://github.com/opnsense/plugins/blob/stable/25.7/security/q-feeds-connector/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/25.7/misc/theme-flexcolor/pkg-descr
[6] https://www.freebsd.org/security/advisories/FreeBSD-SA-25:09.netinet.asc
[7] https://curl.se/changes.html#8_17_0
[8] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_118_1.html
[9] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.16
[10] https://github.com/PCRE2Project/pcre2/releases/tag/pcre2-10.47
[11] https://www.php.net/ChangeLog-8.php#8.3.28
#14
Announcements / OPNsense 25.7.7 released
November 06, 2025, 03:21:11 PM
Hi again,

This update ships a number of third party security updates, firewall live
log improvements based on user feedback from 25.7.6, plus minor fixes and
improvements like usual.

One focus at the moment is to get rid of the unsafe shell use in the backend
which has been the source of multiple security issues in the project history.
A few other things are coming to 25.7.x soon: a neighbor watch daemon, a new
NDP proxy plugin and a community theme.  Stay tuned.  :)

Here are the full patch notes:

o system: simplify RRD backup code and remove exec() usage (reported by Alex Williams from Pellera Technologies working with Trend Zero Day Initiative)
o system: move valid_from search criteria to log_matcher for faster end of search
o system: use file_safe() in gateway monitor watcher
o system: refactor factory reset page to MVC and add a reset per component operating on models
o interfaces: ifctl: always allow reads to internal state files
o firewall: automation: fix alias IP address search
o firewall: automation: allow interface parameter to contain a list of interfaces for API users
o firewall: aliases: replace invalid unicode chars (contributed by Marius Halden)
o firewall: live log: only execute redraw on visibility state transition
o firewall: live log: optimize viewbuffer rendering
o firewall: live log: prevent re-resolving in-flight requests and move host lookup to current filtered view
o firewall: live log: fix data ordering and add table/history limit options
o firewall: live log: use "badge" class like before
o firewall: states: fix delete_selected firewall states (contributed by Alexander Sulfrian)
o dnsmasq: add optgroup support to DHCP option fields and expose all DHCPv4 options
o ipsec: sessions: add datakey property for row mapping
o ipsec: status: search phase 2 triggered twice on click and cleanup tooltip event as well
o openvpn: use file_safe() to write CRL files
o mvc: OptionField: properly translate optgroup
o mvc: JsonKeyValueStoreField: fix race condition when using SourceField in the model
o mvc: persist models description in root attribute of its respective configuration
o rc: secure an exec() in the recovery script
o ui: improve grid responsiveness via minWidth()
o ui: remove this.dataIdentifier as datakey defines the key to be used when asking 'row-id' or getSelectedRows
o ui: SimpleActionButton: add support for icons in action buttons
o ui: recompile default themes using dart sass (1.93.2) which changes color rendering
o ui: keyboard shortcuts for "a"dvanced and "h"elp in MVC pages (contributed by Konstantinos Spartalis)
o ui: bail out on dynamic grid resize if data is loading
o plugins: os-frr 1.48[1]
o plugins: os-tayga 1.3[2]
o ports: kea 3.0.2[3]
o ports: libxml 2.14.6[4]
o ports: php 8.3.27[5]
o ports: sqlite 3.50.4[6]
o ports: strongswan 6.0.3[7]
o ports: suricata 8.0.2[8]
o ports: unbound 1.24.1[9]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/25.7/net/frr/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/25.7/net/tayga/pkg-descr
[3] https://downloads.isc.org/isc/kea/3.0.2/Kea-3.0.2-ReleaseNotes.txt
[4] https://gitlab.gnome.org/GNOME/libxml2/-/blob/master/NEWS
[5] https://www.php.net/ChangeLog-8.php#8.3.27
[6] https://sqlite.org/releaselog/3_50_4.html
[7] https://github.com/strongswan/strongswan/releases/tag/6.0.3
[8] https://suricata.io/2025/11/06/suricata-8-0-2-and-7-0-13-released/
[9] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-24-1
#15
Announcements / OPNsense 25.7.6 released
October 22, 2025, 02:25:45 PM
Hi there,

The usual round of additions and reliability fixes is being rounded off with
Suricata version 8 and a new package manager version 2 almost two years in the
making -- at least for our project.

Please be aware that during the update check the new package manager will be
installed, but will fail to report the update status like it always had before
and so you will end up with an error that will require checking for updates
again.  The fix is in this update, but impossible to install without upgrading
the package manager first.  We hope this will only be a minor inconvenience
during the process.

Syslog-ng is also being updated and includes a fix that previously prevented
2.9.x from shipping since it would hang the boot during daemonize.  Many
thanks to the authors for quickly picking this up and shipping a fixed version!

Here are the full patch notes:

o system: safeguard config history delete and revert by requiring HTTP POST method
o system: change atrun interval to every minute
o system: use new file_safe() in two instances
o system: improve the HA VIP sync code
o interfaces: fix permission of packet capture file in strict security mode
o firewall: refactor live log using a ring buffer
o firewall: add toggles to disable selected automatic rules
o firewall: enable "safe delete" for categories
o firewall: improved stats rendering on automation rules
o firewall: allow searching aliases in automation rules inspect mode by IP address
o dnsmasq: strict hostname and domain validation plus improved ipset validations
o firmware: package manager upgrade changes for pkg 2.x
o intrusion detection: remove obsolete "ac-bs" pattern matcher algorithm
o ipsec: allow underscores in PSK identifiers
o openvpn: add support for pushing excluded routes via net_gateway (contributed by Patrice Damezin)
o openvpn: allow multiple domains settings for client connection (contributed by Krisztian Ivancso)
o unbound: use file_safe() for root hint creation
o unbound: deprecate unmaintained AdAway blocklist (contributed by Maurice Walker)
o wireguard: add debug option to instances
o backend: add file_safe() helper for atomic file creation
o mvc: add RegexField to properly validate PCRE2 syntax
o mvc: support arrays in search clauses
o rc: make sure /var/lib/php/tmp can be accessed by "other" users
o rc: do not clear /tmp on a diskless install
o ui: assorted adjustments for dark theme
o ui: always show bootgrid reset button
o plugins: os-ddclient 1.28[1]
o plugins: os-git-backup 1.1[2]
o plugins: q-feeds-connector 1.2[3][4]
o plugins: os-squid 1.4 works around CVE-2025-62168 (contributed by m.a.x. it)
o plugins: os-zabbix-proxy 1.15[5]
o ports: openssh 10.2p1[6]
o ports: pkg 2.3.1
o ports: python 3.11.14[7]
o ports: suricata 8.0.1[8][9]
o ports: syslog-ng 4.10.2[10]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/25.7/dns/ddclient/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/25.7/sysutils/git-backup/pkg-descr
[3] https://docs.opnsense.org/manual/qfeeds.html
[4] https://github.com/opnsense/plugins/blob/stable/25.7/security/q-feeds-connector/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/25.7/net-mgmt/zabbix-proxy/pkg-descr
[6] https://www.openssh.com/txt/release-10.2
[7] https://docs.python.org/release/3.11.14/whatsnew/changelog.html
[8] https://suricata.io/2025/07/08/suricata-8-0-0-released/
[9] https://suricata.io/2025/09/16/suricata-8-0-1-and-7-0-12-released/
[10] https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.10.2
#16
The OPNsense business edition transitions to this 25.10 release including
revamped frontend grid UI, experimental privilege separation for the GUI,
a new and improved firewall automation GUI, performance enhancements especially
for numerous aliases being used at once, OpenID Connect integration, captive
portal backend rewrite, Greek as a new language, FreeBSD 14.3 plus much more.

Please make sure to read the migration notes before upgrading.

Download link is as follows.  An installation guide[1] and the checksums for
the images can be found below as well.

https://downloads.opnsense.com/

This business release is based on the OPNsense 25.7.5 community version
with additional reliability improvements.

Here are the full patch notes against version 25.4.3:

o system: the setup wizard was rewritten using MVC/API
o system: change default DHCP use from ISC to Dnsmasq for factory reset and console port and address assignments
o system: numerous permission, ownership and directory alignments for web GUI privilege separation
o system: allow experimental feature to run web GUI privilege separated as "wwwonly" user
o system: add a banner when trying to revert the privilege separated GUI back to root at run time
o system: consistently use empty() checks on "blockbogons", "blockpriv", "dnsallowoverride" and "dnsallowoverride_exclude"
o system: change default system domain to "internal" (contributed by Self-Hosting-Group)
o system: remove the "optional" notion of tunables known to the system
o system: enable kernel timestamps by default
o system: allow CSR to be downloaded from System/Trust/Certificates (contributed by Gavin Chappell)
o system: HTML decode entities when generating new QR code for user
o system: add missing timestamp formatter in snapshots
o system: prevent misconfigurations with the automatic user creation option
o system: add pluginctl hook for cache_flush
o system: rewrite wwwonly bootstrap procedure
o system: allow authentication events from wwwonly user
o system: fix two regressions due to stream output path safety addition
o system: fix reconfigure control on HA status page for small viewports
o system: add pluginctl -m and -v options for model migrations and validations calls
o system: add "power off" backend action to GUI cron options
o system: add the pfsync "defer" option to high availability
o system: return both interfaces in a single call for get_nameservers()
o system: safeguard legacy local_sync_accounts() against malformed user entries
o system: change atrun interval to every minute
o reporting: removed the unused second argument in getSystemHealthAction()
o reporting: renamed getRRDlistAction() to getRrdListAction()
o reporting: fixed internal parameter names in insight graphs
o interfaces: fix media settings write issue since 24.7 as it would not apply when "autoselect" result already matched
o interfaces: removed defunct SLAAC tracking functionality (SLAAC on WAN still works fine)
o interfaces: no longer fix improper WLAN clone naming at run time as it should be ensured by code for a long time now
o interfaces: remove the functions get_configured_carp_interface_list() and get_configured_ip_aliases_list()
o interfaces: add VIP grid formatter to hide row field content based on the set mode
o interfaces: drop redundant updates in rtsold_resolvconf.sh (contributed by Andrew Baumann)
o interfaces: moved get_real_interface() to util.inc
o interfaces: replace MAC vendor database from py-netaddr with a simple local implementation
o interfaces: refactor getting both devices from interface in settings page
o interfaces: get both devices of interface in one call
o interfaces: fix flags display in interface overview detail
o firewall: add expire option to external aliases to automatically cleanup tables via cron
o firewall: removed the expiretable binary use in favour of the builtin pfctl
o firewall: speed up alias functionality by using the new model caching
o firewall: consolidated ipfw/dnctl scripting and fix edge case reloads
o firewall: code cleanup and performance improvements for alias diagnostics page
o firewall: assorted UI updates for automation pages
o firewall: a few minor improvements in automation GUI
o firewall: remove unused "set loginterface" clause
o firewall: additional statistics for alias grid
o firewall: fix shaper reset button
o firewall: add "quick" mode in alias update to skip table size comparison during schedules
o firewall: adjust firewall_rule_lookup to open correct interface and rule from firewall live log
o firewall: add port alias selection to source_port and destination_port
o firewall: implement alias description tooltip and other UX tweaks
o firewall: add optional Tabulator tree view to show categories as rule folders in automation
o firewall: put sequence and sort_order in advanced mode of automation rules
o firewall: front-end table rendering performance improvement for alias diagnostics
o firewall: also set groups for special IPv6 interfaces
o firewall: ignore empty lines for pf table counting
o firewall: support tags in source NAT automation rules
o firewall: allow alias nesting for URL tables
o firewall: fix interface_net aliases not being populated
o firewall: fix return value when failing to resolve host entries for aliases and no previous content is known
o firewall: treat "skip" protocol as a string to avoid syntax error
o firewall: improve alias parsing performance in diagnostics page
o firewall: support IPinfo format for GeoIP[2]
o firewall: adapt default table size calculation
o captive portal: migrate backend from IPFW to PF
o captive portal: fix regression when NAT reflection is enabled
o captive portal: fix command line argument parsing in backend
o captive portal: remove obsolete interfaces_inbound option that works by default now
o captive portal: missing fix for command line argument parsing in backend
o captive portal: fix display issue for pass rule when client not in zone
o captive portal: allow disabling automatic firewall rules
o captive portal: exclude portal table in destination
o captive portal: restore the logging of drop reasons
o captive portal: fix last_accessed being cached from previous entries if N/A
o captive portal: mark alias as type external for use in rules
o captive portal: align accounting session timeout with API
o captive portal: balance fastcgi servers a bit better
o captive portal: do not share a fastcgi socket with web GUI
o firewall: fix flags not showing on GeoIP selection
o captive portal: make room for additional authentication profiles
o captive portal: API dispatcher is now privilege separated via "wwwonly" user and group
o captive portal: preparations for SSO identification support
o captive portal: move backend scripts directory
o captive portal: various style cleanups
o captive portal: restyle default login template
o captive portal: case insensitive MAC parsing
o captive portal: remove stale dir-listing.activate from web server
o captive portal: support OpenID Connect authentication through custom template
o dnsmasq: add optional subnet mask to "dhcp-range" to satisfy DHCP relay requirements
o dnsmasq: sync CSV export with ISC and Kea structure
o dnsmasq: add CNAME configuration option to host overrides
o dnsmasq: add ipset support
o dnsmasq: swap hosts and domains tab for consistency reasons
o dnsmasq: allow disabling local for DHCP domains
o dnsmasq: add Tabulator "groupBy" functionality to group by interfaces
o dnsmasq: add leases widget that shows latest leases
o dnsmasq: refine the selection of automatic DHCP rules for eligible interfaces
o firmware: opnsense-version: build time package variable replacements can now be read at run time
o firmware: hide community plugins by default and add a checkbox to unhide them on the same page
o firmware: introduce a new support tier 4 for development and otherwise unknown plugins
o firmware: disable the FreeBSD-kmods repository by default
o firmware: opnsense-version: support more elaborate -R replacement
o firmware: store update and upgrade logs in edge cases
o firmware: opnsense-version: support file based -R option
o firmware: opnsense-update: support -g for update log view
o firmware: remove tier 2 workaround for Zenarmor plugins
o firmware: add date to modal header
o firmware: opnsense-patch: fix cache flush using new hook
o firmware: add vuxml.freebsd.org to CRL handling hostnames
o firmware: switch business mirror layout
o intrusion detection: add JA4 support (contributed by Maxime Thiebaut)
o intrusion detection: fix interface name conversion
o intrusion detection: fix ja4 option templating
o intrusion detection: fix and simplify grid search in download tab
o intrusion detection: fix downloads tab not loading with Tabulator
o intrusion detection: revert "fix downloads tab not loading with Tabulator"
o intrusion detection: make grids virtual to fix performance issues
o ipsec: fix regression in configuration write with introduced volatile fields
o ipsec: add firewall rules skip option for VTIs
o ipsec: deprecate legacy stroke and implement swanctl for overview
o ipsec: add default value to "make_before_break" that retains disabled default
o ipsec: fix bulk operations in SPD page
o ipsec: dots are not allowed in pool names
o ipsec: allow underscores in PSK identifiers
o isc-dhcp: show tracking IPv6 interfaces when automatically enabled and offer an explicit disable
o isc-dhcp: hide IPv4 menu items when Dnsmasq DHCP is enabled to improve out of the box experience
o isc-dhcp: add static mapping CSV export
o isc-dhcp: allow static mapping export for disabled entries
o kea-dhcp: honour IPv4 client specific reservation domain name option (contributed by NOYB)
o kea-dhcp: expose lease expiration settings to the GUI (contributed by Konstantinos Spartalis)
o kea-dhcp: support DHCP option 121 (classless static routes)
o lang: add Greek as a new language (contributed by sopex)
o lang: make more strings translate-able (contributed by Tobias Degen)
o lang: updates for Chinese, Czech, German and Greek
o lang: new Ukrainian language and assorted updates
o monit: move backend scripts directory
o monit: fix migration weirdness with run/post use
o openvpn: the server wizard functionality has been permanently removed as it required the old wizard implementation
o radvd: refine checks that ignored 6rd and 6to4
o wireguard: move backend scripts to proper location
o unbound: fix error in edge case of initial model migration
o unbound: configurable top domain list length in reporting view (contributed by sopex)
o unbound: remove unknown model reference and protect/simplify remaining one
o unbound: add support for TXT records in host overrides
o backend: trigger boot template reload without using configd
o backend: added IPv6 bracket helper for templates (contributed by BPplays)
o backend: add "!" operator to execute and flush cache when it exists
o mvc: introduce generic model caching to improve operational performance
o mvc: field types quality of life improvements with new getValues() and isEqual() functions
o mvc: field types deprecated getCurrentValue() in favour of getValue() and removed isEmptyString()
o mvc: new BaseSetField() as a parent class for several other field types and numerous new and improved unit tests
o mvc: support chown/chgrp in File and FileObject classes
o mvc: use getNodeContent() to gather grid data
o mvc: allow PortOptional=Y for IPPortField
o mvc: remove SelectOptions support for CSVListField
o mvc: migrated use of setInternalIsVirtual() to volatile field types
o mvc: fix getDescription() in NetworkAliasField
o mvc: improve resilience of VPNIdField and LinkAddressField
o mvc: repair side effect of getDescription() change causing performance regressions
o mvc: modify existing and add missing descriptions in models
o mvc: set default validation message for CertificateField
o mvc: BaseModel: minor non-functional cleanups
o mvc: ModelRelationField: keep array structure in memory to avoid reinitiating object construction
o mvc: tweaked model definitions, especially descriptions and validation message style
o mvc: slightly adjust two getOption() calls in constraints
o mvc: BaseListField: always map values in getDescription()
o mvc: BaseListField: account for option container and passthrough value
o mvc: remove getCurrentValue() compatibility wrapper
o mvc: Backend: always return strings in configdRun() and configdpRun()
o mvc: improve replaceInputWithSelector() to support an empty placeholder
o mvc: setDefault() not fired as setValue() was set with an empty string
o mvc: allow empty responses to fix a regression due to stream output safety path addition
o mvc: remove empty string fallbacks for backend invokes that are no longer needed
o mvc: more style changes on existing core models
o mvc: disable Dnsmasq/Unbound template generation
o mvc: remove getDescription() overlay in ModelRelationField
o mvc: protect JSON response against UTF-8 encoding failures
o mvc: HTML-decode select element values
o rc: make changes to php,var,tmp bootstrap
o ui: switch from Bootgrid to Tabulator for MVC grid rendering
o ui: numerous switches to shared base_bootgrid_table and base_apply_button use
o ui: flatten nested containers for grid inclusion
o ui: use snake_case for all API URLs and adjust ACLs accordingly
o ui: move tooltip load event to single-fire mode
o ui: add checkmark to SimpleActionButton as additional indicator
o ui: improve menu icons/text spacing (contributed by sopex)
o ui: bootgrid: clean up leftover compatibility bits
o ui: bootgrid: add missing sortable option
o ui: bootgrid: provide more styling possibilities from formatters
o ui: fix language selection for low vertical resolution screens (contributed by sopex)
o ui: hide header of the picture widget on the dashboard (contributed by sopex)
o ui: bootgrid: add tabulatorOptions to translateCompatOptions()
o ui: bootgrid: raise rowCount default to 50 and adjust selections accordingly for most pages
o ui: bootgrid: simplify custom grid command additions
o ui: do not add an empty option into an empty option group
o ui: add datetime-local to field types
o plugins: replace variables in package scripts by default
o plugins: os-OPNBEcore 1.6 with OpenID Connect and scheduled jobs support
o plugins: os-OPNWAF 2.0 with OpenID Connect support, customizable error documents and updated rule set
o plugins: os-acme-client 4.10[3]
o plugins: os-bind 1.34[4]
o plugins: os-c-icap 1.9[5]
o plugins: os-caddy 2.0.4[6]
o plugins: os-clamav 1.8.1[7]
o plugins: os-crowdsec 1.0.12[8]
o plugins: os-dnscrypt-proxy 1.16[9]
o plugins: os-etpro-telemetry 1.8 now shows more status responses in widget
o plugins: os-frr 1.47[10]
o plugins: os-gdrive-backup 1.0 for Google Drive backup support
o plugins: os-grid_example 1.1 updates best practice on grid development
o plugins: os-netbird 1.0 (contributed by Gauss23 and Bethuel Mmbaga)
o plugins: os-netbird 1.1 fixes service startup and switches to syslog (contributed by Bethuel Mmbaga)
o plugins: os-nginx 1.35[11]
o plugins: os-openvpn-legacy 1.0 for legacy OpenVPN components support
o plugins: os-puppet-agent 1.2[12]
o plugins: os-shadowsocks 1.3[13]
o plugins: os-smart 2.4 adds extended info option (contributed by poisonbl)
o plugins: os-squid 1.3[14]
o plugins: os-strongswan-legacy 1.0 for legacy IPsec components support
o plugins: os-telegraf 1.12.13[15]
o plugins: os-theme-advanced 1.1 (contributed by Jaka Prašnikar and Raushan Patel)
o plugins: os-theme-cicada 1.40 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.30 (contributed by Team Rebellion)
o plugins: os-theme-vicuna 1.50 (contributed by Team Rebellion)
o plugins: os-zabbix-agent 1.17[16]
o plugins: os-zabbix-proxy 1.14[17]
o src: FreeBSD 14.3-RELEASE-p4 plus assorted stable/14 networking commits[18]
o src: add a new sysctl in order to differentiate UEFI architectures[19]
o src: libarchive: merge version 3.8.1[20]
o src: lagg: fix if_hw_tsomax_update() not being called
o src: wg: add support for removing allowed-ip entries and assorted cleanups
o src: ovpn: support multihomed server configurations and assorted cleanups
o src: netlink: fully clear parser state between messages
o src: udp: fix an inpcb refcount leak in the tunnel receive path
o src: p9fs: assorted fixes
o src: assorted network stack fixes via stable/14
o src: if_ovpn: support IPv6 link-local addresses
o src: if_ovpn: support floating clients
o src: if_ovpn: fill out sin_len/sin6_len
o src: if_ovpn: destroy cloned interfaces via a prison removal callback
o src: ifconfig: support VLAN ID in static/deladdr
o src: bnxt: fix the request length in bnxt_hwrm_func_backing_store_cfg()
o src: iflib: set the get counter routine prior to attaching the interface
o src: ifnet: defer detaching address family dependent data
o src: ixgbe: fix incomplete speed coverage in link status logging
o src: ixl: fix queue MSI and legacy IRQ rearming
o src: openssl: fix multiple vulnerabilities[21]
o src: re: add PNP info for module
o src: re: make sure re_rxeof() is called in net epoch context
o src: vfs: fix copy_file_range() failing to set output parameters[22]
o ports: curl 8.16.0[23]
o ports: dnspython 2.8.0[24]
o ports: expat 2.7.3[25]
o ports: kea 3.0.1[26]
o ports: krb5 1.22.1[27]
o ports: libpfctl 0.17
o ports: lighttpd 1.4.82[28]
o ports: nss 3.117[29]
o ports: openssl 3.0.18[30]
o ports: openvpn 2.6.15[31]
o ports: pcre2 10.46[32]
o ports: perl 5.42.0[33]
o ports: php 8.3.26[34]
o ports: phpseclib 3.0.47[35]
o ports: py-duckdb 1.3.2[36]
o ports: py-jq 1.10.0[37]
o ports: py-requests 2.32.5
o ports: strongswan 6.0.1[38][39]
o ports: sudo 1.9.17p2[40]
o ports: suricata 7.0.12[41]
o ports: unbound 1.24.0[42]

Migration notes, known issues and limitations:

o The captive portal implementation moves from IPFW to PF.  Check the technical details first, especially regarding the new ruleset behaviours.[43]
o Deprecated Google Drive backups due to upstream policy changes and moved to plugins for existing users.
o API URLs registered in the default ACLs have been switched from "camelCase" to "snake_case".
o API grid return values now offer "%field" for a value description when available.  "field" will now always be the literal value from the configuration.  The API previously returned a display value for some field types, but not all.
o Reverted tunables "hw.ibrs_disable" and "vm.pmap.pti" to FreeBSD defaults when no explicit values have been set in tunables.
o Moved OpenVPN legacy to plugins as a first step to deprecation.
o Moved IPsec legacy to plugins as a first step to deprecation.

The public key for the 25.10 series is:



Stay safe and keep believing,
Your OPNsense team

--
SHA256 (OPNsense-business-25.10-dvd-amd64.iso.bz2) = 6c45cd311960d42aa87933d2134c19825565d1ab74caa4129d08a938dbf621e8
SHA256 (OPNsense-business-25.10-nano-amd64.img.bz2) = 2a706e56c45a1ecc8d4f14f85d3e07f1f3be85ac2d79459f62e9fed860edae19
SHA256 (OPNsense-business-25.10-serial-amd64.img.bz2) = 8e8460dc8751cb0c7ab863d44ceb59a59a3eadbb9622ac707e43aeda002a3d7e
SHA256 (OPNsense-business-25.10-vga-amd64.img.bz2) = fefac8e50c30c463072fbda508c675d176a0f0a7d910eacede3112e7a76dc365

[1] https://docs.opnsense.org/manual/install.html
[2] https://docs.opnsense.org/manual/how-tos/ipinfo_geo_ip.html
[3] https://github.com/opnsense/plugins/blob/stable/25.7/security/acme-client/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/25.7/dns/bind/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/25.7/www/c-icap/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/25.7/www/caddy/pkg-descr
[7] https://github.com/opnsense/plugins/blob/stable/25.7/security/clamav/pkg-descr
[8] https://github.com/opnsense/plugins/blob/stable/25.7/security/crowdsec/pkg-descr
[9] https://github.com/opnsense/plugins/blob/stable/25.7/dns/dnscrypt-proxy/pkg-descr
[10] https://github.com/opnsense/plugins/blob/stable/25.7/net/frr/pkg-descr
[11] https://github.com/opnsense/plugins/blob/stable/25.7/www/nginx/pkg-descr
[12] https://github.com/opnsense/plugins/blob/stable/25.7/sysutils/puppet-agent/pkg-descr
[13] https://github.com/opnsense/plugins/blob/stable/25.7/net/shadowsocks/pkg-descr
[14] https://github.com/opnsense/plugins/blob/stable/25.7/www/squid/pkg-descr
[15] https://github.com/opnsense/plugins/blob/stable/25.7/net-mgmt/telegraf/pkg-descr
[16] https://github.com/opnsense/plugins/blob/stable/25.7/net-mgmt/zabbix-agent/pkg-descr
[17] https://github.com/opnsense/plugins/blob/stable/25.7/net-mgmt/zabbix-proxy/pkg-descr
[18] https://www.freebsd.org/releases/14.3R/relnotes/
[19] https://www.freebsd.org/security/advisories/FreeBSD-EN-25:12.efi.asc
[20] https://www.freebsd.org/security/advisories/FreeBSD-SA-25:07.libarchive.asc
[21] https://www.freebsd.org/security/advisories/FreeBSD-SA-25:08.openssl.asc
[22] https://www.freebsd.org/security/advisories/FreeBSD-EN-25:16.vfs.asc
[23] https://curl.se/changes.html#8_16_0
[24] https://dnspython.readthedocs.io/en/stable/whatsnew.html
[25] https://github.com/libexpat/libexpat/blob/R_2_7_3/expat/Changes
[26] https://downloads.isc.org/isc/kea/3.0.1/Kea-3.0.1-ReleaseNotes.txt
[27] https://web.mit.edu/kerberos/krb5-1.22/
[28] https://www.lighttpd.net/2025/9/12/1.4.82/
[29] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_117.html
[30] https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md
[31] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.15
[32] https://github.com/PCRE2Project/pcre2/releases/tag/pcre2-10.46
[33] https://perldoc.perl.org/5.42.0/perldelta
[34] https://www.php.net/ChangeLog-8.php#8.3.26
[35] https://github.com/phpseclib/phpseclib/releases/tag/3.0.47
[36] https://github.com/duckdb/duckdb/releases/tag/v1.3.2
[37] https://github.com/mwilliamson/jq.py/blob/master/CHANGELOG.rst
[38] https://github.com/strongswan/strongswan/releases/tag/6.0.0
[39] https://github.com/strongswan/strongswan/releases/tag/6.0.1
[40] https://www.sudo.ws/stable.html#1.9.17p2
[41] https://suricata.io/2025/09/16/suricata-8-0-1-and-7-0-12-released/
[42] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-24-0
[43] https://docs.opnsense.org/manual/captiveportal.html#migration-notes-technical-details.html
#17
Hi all,

Suricata 8 has been out for a bit, but recently offered version 8.0.1, so it's time to do a public call for testing just to be sure it's safe to bring it into one of the next stable updates (ideally 25.7.6, but we will see).

The changes seem to be additive with the nicest change of libhtp now being reimplemented in native Rust.

The only incompatibility found was that the "ac-bs" Aho-Corasick pattern matcher is no longer available. Already changed that for the development version if anyone was using it, but it also only prints a warning and reverts to the standard "ac" variant at runtime. Just so you know that bit.  ;)

Testing looks good and Netmap IPS mode is behaving nicely.

Now it's your turn...

# opnsense-revert -z suricata

The service will need a restart to activate the new version.

Looking forward to all feedback--negative and positive!


Thanks,
Franco

https://suricata.io/2025/07/08/suricata-8-0-0-released/
https://suricata.io/2025/09/16/suricata-8-0-1-and-7-0-12-released/
#18
Announcements / OPNsense 25.7.5 released
October 08, 2025, 02:34:51 PM
A fantastic day to you all,

This update provides for a new GeoIP database source by IPinfo, stability
fixes for several network drivers and the recent OpenSSL security update
amongst others.

Here are the full patch notes:

o system: add the pfsync "defer" option to high availability
o system: return both interfaces in a single call for get_nameservers()
o system: safeguard legacy local_sync_accounts() against malformed user entries
o firewall: support IPinfo format for GeoIP[1]
o firewall: adapt default table size calculation
o firewall: fix flags not showing on GeoIP selection
o captive portal: case insensitive MAC parsing
o captive portal: remove stale dir-listing.activate from web server
o dnsmasq: refine the selection of automatic DHCP rules for eligible interfaces
o firmware: switch business mirror layout
o ipsec: dots are not allowed in pool names
o kea-dhcp: expose lease expiration settings to the GUI (contributed by Konstantinos Spartalis)
o kea-dhcp: support DHCP option 121 (classless static routes)
o mvc: protect JSON response against UTF-8 encoding failures
o mvc: HTML-decode select element values
o plugins: os-etpro-telemetry 1.8 now shows more status responses in widget
o plugins: os-shadowsocks 1.3[2]
o src: bnxt: fix the request length in bnxt_hwrm_func_backing_store_cfg()
o src: iflib: set the get counter routine prior to attaching the interface
o src: ifnet: defer detaching address family dependent data
o src: ixgbe: fix incomplete speed coverage in link status logging
o src: ixl: fix queue MSI and legacy IRQ rearming
o src: openssl: fix multiple vulnerabilities[3]
o src: re: add PNP info for module
o src: re: make sure re_rxeof() is called in net epoch context
o src: vfs: fix copy_file_range() failing to set output parameters[4]
o ports: curl 8.16.0[5]
o ports: expat 2.7.3[6]
o ports: nss 3.117[7]
o ports: openssl 3.0.18[8]
o ports: pcre2 10.46[9]
o ports: phpseclib 3.0.47[10]


Stay safe,
Your OPNsense team

--
[1] https://docs.opnsense.org/manual/how-tos/ipinfo_geo_ip.html
[2] https://github.com/opnsense/plugins/blob/stable/25.7/net/shadowsocks/pkg-descr
[3] https://www.freebsd.org/security/advisories/FreeBSD-SA-25:08.openssl.asc
[4] https://www.freebsd.org/security/advisories/FreeBSD-EN-25:16.vfs.asc
[5] https://curl.se/changes.html#8_16_0
[6] https://github.com/libexpat/libexpat/blob/R_2_7_3/expat/Changes
[7] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_117.html
[8] https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md
[9] https://github.com/PCRE2Project/pcre2/releases/tag/pcre2-10.46
[10] https://github.com/phpseclib/phpseclib/releases/tag/3.0.47
#19
Announcements / OPNsense 25.7.4 released
September 30, 2025, 01:54:12 PM
Hey everyone,

Updates are slower than usual at the moment, but it is also relatively
calm out there security-wise.  While this finally ships Kea version 3
we are still working on the package manager version 2 and Suricata 8
with good results.  Stay tuned!

Here are the full patch notes:

o system: fix reconfigure control on HA status page for small viewports
o system: add pluginctl -m and -v options for model migrations and validations calls
o system: add "power off" backend action to GUI cron options
o interfaces: replace MAC vendor database from py-netaddr with a simple local implementation
o interfaces: refactor getting both devices from interface in settings page
o interfaces: get both devices of interface in one call
o interfaces: fix flags display in interface overview detail
o firewall: treat "skip" protocol as a string to avoid syntax error
o firewall: improve alias parsing performance in diagnostics page
o intrusion detection: make grids virtual to fix performance issues
o kea-dhcp: honour IPv4 client specific reservation domain name option (contributed by NOYB)
o lang: new Ukrainian language and assorted updates
o monit: fix migration weirdness with run/post use
o unbound: add support for TXT records in host overrides
o backend: add "!" operator to execute and flush cache when it exists
o mvc: remove empty string fallbacks for backend invokes that are no longer needed
o mvc: more style changes on existing core models
o mvc: disable Dnsmasq/Unbound template generation
o mvc: remove getDescription() overlay in ModelRelationField
o ui: legacy_html_escape_form_data() was not escaping keys, only data elements[1] (reported by Alex Williams from Pellera Technologies)
o ui: do not add an empty option into an empty option group
o ui: add datetime-local to field types
o plugins: os-caddy 2.0.4[2]
o plugins: os-netbird 1.1 fixes service startup and switches to syslog (contributed by Bethuel Mmbaga)
o plugins: os-theme-advanced 1.1 fixes styling issues on 25.7 (contributed by Jaka Prašnikar)
o plugins: os-zabbix-agent 1.17[3]
o plugins: os-zabbix-proxy 1.14[4]
o ports: dnspython 2.8.0[5]
o ports: kea 3.0.1[6]
o ports: libpfctl 0.17
o ports: lighttpd 1.4.82[7]
o ports: nss 3.116[8]
o ports: openvpn 2.6.15[9]
o ports: php 8.3.26[10]
o ports: py-requests 2.32.5
o ports: suricata 7.0.12[11]
o ports: unbound 1.24.0[12]


Stay safe,
Your OPNsense team

--
[1] https://www.cve.org/cverecord?id=CVE-2025-34182
[2] https://github.com/opnsense/plugins/blob/stable/25.7/www/caddy/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/25.7/net-mgmt/zabbix-agent/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/25.7/net-mgmt/zabbix-proxy/pkg-descr
[5] https://dnspython.readthedocs.io/en/stable/whatsnew.html
[6] https://downloads.isc.org/isc/kea/3.0.1/Kea-3.0.1-ReleaseNotes.txt
[7] https://www.lighttpd.net/2025/9/12/1.4.82/
[8] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_116.html
[9] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.15
[10] https://www.php.net/ChangeLog-8.php#8.3.26
[11] https://suricata.io/2025/09/16/suricata-8-0-1-and-7-0-12-released/
[12] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-24-0
#20
Announcements / OPNsense 25.7.3 released
September 09, 2025, 02:58:47 PM
Howdy!

The Tabulator introduction into MVC grid views was a major success with
virtually no complaints.  Did you notice?  Maybe you will now that more
features have been unlocked: Dnsmasq grids group by interfaces, firewall
automation rules now can show folders using categories and row count default
and selections have been increased.  A few performance and UX tweaks were
carried out as well while at it.

StrongSwan moves to version 6.0.1 now after elaborate testing.  The
"make_before_break" value was flipped from off to on in their version
jump, but the settings will still default to off for everyone unless
already otherwise configured.

Here are the full patch notes:

o system: properly check request type on HA status page in restartAllAction() (reported by Stanislav Fort of Aisle Research)
o system: prevent misconfigurations with the automatic user creation option
o system: add pluginctl hook for cache_flush
o system: rewrite wwwonly bootstrap procedure
o system: allow authentication events from wwwonly user
o interfaces: moved get_real_interface() to util.inc
o firewall: add "quick" mode in alias update to skip table size comparison during schedules
o firewall: adjust firewall_rule_lookup to open correct interface and rule from firewall live log
o firewall: add port alias selection to source_port and destination_port
o firewall: implement alias description tooltip and other UX tweaks
o firewall: add optional Tabulator tree view to show categories as rule folders in automation
o firewall: put sequence and sort_order in advanced mode of automation rules
o firewall: front-end table rendering performance improvement for alias diagnostics
o firewall: also set groups for special IPv6 interfaces
o firewall: ignore empty lines for pf table counting
o firewall: support tags in source NAT automation rules
o firewall: allow alias nesting for URL tables
o captive portal: move backend scripts directory
o captive portal: various style cleanups
o captive portal: restyle default login template
o dnsmasq: add Tabulator "groupBy" functionality to group by interfaces
o dnsmasq: add leases widget that shows latest leases
o firmware: add US east coast mirror for business edition
o firmware: opnsense-patch: fix cache flush using new hook
o firmware: add vuxml.freebsd.org to CRL handling hostnames
o intrusion detection: fix downloads tab not loading with Tabulator
o ipsec: add default value to "make_before_break" that retains disabled default
o monit: move backend scripts directory
o mvc: BaseModel: minor non-functional cleanups
o mvc: ModelRelationField: keep array structure in memory to avoid reinitiating object construction
o mvc: tweaked model definitions, especially descriptions and validation message style
o mvc: slightly adjust two getOption() calls in constraints
o mvc: BaseListField: always map values in getDescription()
o mvc: BaseListField: account for option container and passthrough value
o mvc: remove getCurrentValue() compatibility wrapper
o mvc: Backend: always return strings in configdRun() and configdpRun()
o mvc: improve replaceInputWithSelector() to support an empty placeholder
o mvc: stream output not properly cleansed when used in widget (reported by Stanislav Fort of Aisle Research)
o ui: bootgrid: add tabulatorOptions to translateCompatOptions()
o ui: bootgrid: raise rowCount default to 50 and adjust selections accordingly for most pages
o ui: bootgrid: simplify custom grid command additions
o plugins: os-caddy 2.0.3[1]
o plugins: os-frr 1.47[2]
o plugins: os-netbird 1.0 (contributed by Gauss23 and Bethuel Mmbaga)
o plugins: os-nginx 1.35[3]
o plugins: os-squid 1.3[4]
o src: libfetch: ignore leaf certificates missing CRL which in practice is not offered by most authorities
o src: assorted network stack fixes via stable/14
o src: if_ovpn: support IPv6 link-local addresses
o src: if_ovpn: support floating clients
o src: if_ovpn: fill out sin_len/sin6_len
o src: if_ovpn: destroy cloned interfaces via a prison removal callback
o src: ifconfig: support VLAN ID in static/deladdr
o ports: krb5 1.22.1[5]
o ports: nss 3.115.1[6]
o ports: perl 5.42.0[7]
o ports: php 8.3.25[8]
o ports: strongswan 6.0.1[9][10]


Stay safe and proud,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/25.7/www/caddy/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/25.7/net/frr/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/25.7/www/nginx/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/25.7/www/squid/pkg-descr
[5] https://web.mit.edu/kerberos/krb5-1.22/
[6] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_115_1.html
[7] https://perldoc.perl.org/5.42.0/perldelta
[8] https://www.php.net/ChangeLog-8.php#8.3.25
[9] https://github.com/strongswan/strongswan/releases/tag/6.0.0
[10] https://github.com/strongswan/strongswan/releases/tag/6.0.1