This business release is based on the OPNsense 25.1.12 community version
with additional reliability improvements, but without Dnsmasq DHCP support
and without the captive portal backend switch.
Here are the full patch notes:
o system: safeguard local_group_set() since users may not exist for valid reasons
o system: fix regression in setGroupMembership()
o system: add "Source Networks" option to groups to restrict connectivity to web GUI
o system: remove defunct "sshlogingroup" OpenSSH option because non-admins are no longer permitted shell access
o system: reduce font size in thermal sensors widget tooltip (contributed by indeed-a-genius)
o system: allow access to cached watcher gateway status
o system: implement "force_down" failover support
o system: implement base_bootgrid_table in user, group and priv templates
o system: balance fastcgi servers a bit better
o system: check private key matches provided certificate data
o system: introduce a "wwwonly" user and group and related privilege separation preparations
o system: add minimalistic interface to support SSO authentication
o system: refactor a couple of existing empty() tests to isEmpty()
o system: refactor cache flush into system_cache_flush()
o system: add backend call for returning timezones
o system: fix "weight" default fallback causing non-string return in gateway status
o system: fix route status removal buttons
o system: fix passing "arguments" as parameters for cron jobs
o system: add banner to HA sync and firmware page when proxy environment override is used
o system: fix audit message strings
o system: add missing "kernel" application for remote logging
o interfaces: emulate device name return in ifconfig edge case for legacy_interface_create()
o interfaces: cleanup spurious functions regarding VIP access
o interfaces: improve private and bogon network filters (contributed by Maurice Walker)
o interfaces: consider the linked devices of tracked interfaces on reload
o interfaces: convert bridge configuration to MVC/API
o interfaces: remove unused is_interface_assigned()
o interfaces: refactor newwanip IPv4/v6 scripts to reduce differences between them
o interfaces: do not call a description a "dmesg"
o interfaces: relax regex for dmesg probing to seamlessly support dmesg timestamps
o interfaces: remove unused "friendly" value from get_interface_list()
o interfaces: add update mode to ifctl
o interfaces: attempt to work around mangled MPD label
o firewall: add ability to specify IPv6 pipe and queue masking using the src-ip6/dst-ipv6 specifiers (contributed by Daniel Tang)
o firewall: use shared base_bootgrid_table and base_apply_button in shaper
o firewall: use CIDR notation for specifying masks to dnctl (contributed by Daniel Tang)
o firewall: improve dummynet_stats.py parsing of mask descriptor lines (contributed by Daniel Tang)
o firewall: exclude interfaces with local links only when generating force gateway rules
o firewall: fix missing lock while refactoring config for group changes
o firewall: properly synchronize load order for shaper when reloading configuration
o firewall: add toggle log command in automation
o firewall: since the bogons source writes a comment first, prefix our exclusions too
o firewall: tighten address / range validation for aliases
o firewall: align alias tokenizer options with the ones in our base template
o firewall: improve address family validation for rule source and destination
o firewall: fix faulty ICMP type evaluation on NAT rules
o firewall: skip reply-to for inversion rules
o firewall: fix "AttributeError: DNAME object has no attribute address" on DNS fetch for aliases
o captive portal: balance fastcgi servers a bit better
o captive portal: do not share a fastcgi socket with web GUI
o dnsmasq: allow AliasesField values to be cleared
o dnsmasq: allow host wildcards in domain overrides again
o dnsmasq: fix DomainIPField to allow IP address to be emptied
o firmware: upgrade scripts for automatic GDrive, IPsec and OpenVPN legacy plugin installation
o firmware: remove unbound/duckdb migration script
o intrusion detection: add an override banner for custom.yaml use
o ipsec: fix ipsec column identifier
o ipsec: add "cacert" option in remote auth section and allow spaces and wildcards in id fields
o ipsec: be more verbose when modifying SPDs
o ipsec: add aes256-sha1 ESP proposal
o kea-dhcp: fix parsing both address families in static mappings
o kea-dhcp: add advanced options (pd-)allocator in DHCPv6
o kea-dhcp: add static_routes validation (contributed by Dr. Uwe Meyer-Gruhl)
o kea-dhcp: fix fatal socket path refusal in new Kea release
o kea-dhcp: add DNS field to Kea DHCP4 reservations (contributed by Gtt1229)
o openvpn: add port-share as advanced feature
o openvpn: add (push) block-ipv6 option
o openvpn: remove deprecated use of is_interface_assigned() in legacy client/server
o openvpn: validate group membership after authentication
o openvpn: add nopool directive
o openvpn: let server/server_ipv6 require a netmask
o openvpn: add validation that "keepalive_timeout" is at least twice the interval value
o unbound: remove "inplace" in chained assignment (contributed by dstapa)
o unbound: improve the chroot mounting code to avoid excessive (un)mount calls
o unbound: ignore TXT records for wildcard host entries
o wireguard: add diagnostics and log file ACL
o backend: use the new errors:no instead of "exit 0" in actions
o lang: update language translations to their latest state
o lang: further updates
o mvc: add contribDir to app config (contributed by Freddie Sackur)
o mvc: show versions on migration failure for clarity
o mvc: deny whitespaces, asterisks and slashes in HostnameField
o mvc: support array response type in session->get()
o mvc: eventually phase out getCurrentValue() in favour of getValue()
o ui: backwards-compatible merge of Tabulator grid replacement changes
o ui: replace self-closing select element (contributed by Gavin Chappell)
o ui: add standard HTML color input support
o plugins: os-OPMWAF 1.9
o plugins: os-beats 1.0 (contributed by Maxime Thiebaut)
o plugins: os-c-icap 1.8[1]
o plugins: os-caddy 2.0.2[2]
o plugins: os-crowdsec 1.0.10[3]
o plugins: os-haproxy 4.6[4]
o plugins: os-postfix 1.24[5]
o plugins: os-radsecproxy 1.1[6]
o plugins: os-stunnel 1.0.6 adds LDAP and NNTP to supported STARTTLS protocols (contributed by Patrick M. Hausen)
o plugins: os-sunnyvalley 1.5 switches mirror domain
o plugins: os-zabbix-agent 1.16[7]
o plugins: os-zabbix-proxy 1.13[8]
o src: pf: explicitly NULL state key pointers
o src: pf: fix panic in pf_return()
o src: pf: do not use state keys after pf_state_insert()
o src: netlink, socket, sctp, tcp, udp: assorted upstream stable changes
o src: in6_control_ioctl: correctly report errors from SIOCAIFADDR_IN6
o src: axgbe: add support for Yellow Carp Ethernet device
o src: dhclient: keep two clocks
o src: rtw88, rtw89: merge Realtek driver based on Linux v6.14
o src: iwlwififw: remove Intel iwlwifi firmware from src.git
o src: ifconfig: optimise non-listing case with netlink
o src: xz: fix use-after-free in multi-threaded xz decoder[9]
o src: ena: fix misconfiguration when requesting regular LLQ[10]
o src: zfs: fix corruption in ZFS replication streams from encrypted datasets[11]
o src: libc: allow __cxa_atexit handlers to be added during __cxa_finalize[12]
o ports: curl 8.14.1[13]
o ports: dhcp6c 20250513 fixes spawning multiple instances
o ports: kea 2.6.3[14]
o ports: libxml 2.14.5[15]
o ports: nss 3.113.1[16]
o ports: openldap 2.6.10[17]
o ports: openssl 3.0.17[18]
o ports: perl 5.40.2[19]
o ports: pftop 0.13
o ports: php 8.3.23[20]
o ports: phpseclib 3.0.46
o ports: py-duckdb 1.3.1[21]
o ports: python 3.11.13[22]
o ports: sqlite 3.50.2[23]
o ports: sudo 1.9.17p1[24]
o ports: suricata 7.0.11[25]
o ports: unbound 1.23.1[26]
Stay safe,
Your OPNsense team
--
[1] https://github.com/opnsense/plugins/blob/stable/25.1/www/c-icap/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/25.1/www/caddy/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/25.1/security/crowdsec/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/25.1/net/haproxy/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/25.1/mail/postfix/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/25.1/net/radsecproxy/pkg-descr
[7] https://github.com/opnsense/plugins/blob/stable/25.1/net-mgmt/zabbix-agent/pkg-descr
[8] https://github.com/opnsense/plugins/blob/stable/25.1/net-mgmt/zabbix-proxy/pkg-descr
[9] https://www.freebsd.org/security/advisories/FreeBSD-SA-25:06.xz.asc
[10] https://www.freebsd.org/security/advisories/FreeBSD-EN-25:11.ena.asc
[11] https://www.freebsd.org/security/advisories/FreeBSD-EN-25:10.zfs.asc
[12] https://www.freebsd.org/security/advisories/FreeBSD-EN-25:09.libc.asc
[13] https://curl.se/changes.html#8_14_1
[14] https://downloads.isc.org/isc/kea/2.6.3/Kea-2.6.3-ReleaseNotes.txt
[15] https://gitlab.gnome.org/GNOME/libxml2/-/blob/master/NEWS
[16] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_113_1.html
[17] https://www.openldap.org/software/release/changes.html
[18] https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md
[19] https://perldoc.perl.org/5.40.2/perldelta
[20] https://www.php.net/ChangeLog-8.php#8.3.23
[21] https://github.com/duckdb/duckdb/releases/tag/v1.3.1
[22] https://docs.python.org/release/3.11.13/whatsnew/changelog.html
[23] https://sqlite.org/releaselog/3_50_2.html
[24] https://www.sudo.ws/stable.html#1.9.17p1
[25] https://suricata.io/2025/07/08/suricata-7-0-11-released/
[26] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-23-1