Hi there,
This update fixes two recently reported vulnerabilities in the core code
pertaining to WAN DHCPv4 configuration and user management. It also includes
third-party updates to Dnsmasq, OpenSSH and Unbound, amongst others.
Captive portal IPFW accounting rules regain a performance boost by bringing
back hash lookups. Since this update does not reboot the system by itself,
either reboot or restart the captive portal instances to activate this change.
Here are the full patch notes:
o system: properly escape username in sync_user.php command invoke[1] (contributed by Konstantinos Spartalis)
o interfaces: safeguard DHCPv4 settings against arbitrary command injection[2] (reported by Kchigo)
o system: fix XMLRPC sync with VIP and "nosync" option
o system: link CA references after all changes
o system: parse certificate "key_type" and "digest"
o system: allow flushing legacy OpenVPN legacy config
o system: audit "staticroute" config access
o system: use safe config iteration in core_user_changed_groups()
o interfaces: add missing config locks in device controllers
o interfaces: use safe iteration in backend code
o interfaces: adjust and annotate interface_dhcpv6_id()
o firewall: use save method from ApiMutableModelControllerBase for log command, move rule command and savepoint action
o firewall: safe config access in list_legacy_rules.php
o firewall: remove duplicated CSV button hook
o firewall: fix NPTv6 validation for empty external subnet
o firewall: make getRealInterface() a static utility function
o firewall: refactor searchRuleAction() to use the same filtering and sorting logic on MVC and legacy data
o firewall: fix inverted source/destination cosmetic issue in SNAT and One-to-One NAT grids
o captive portal: re-introduce hash lookup for accounting purposes
o captive portal: reload IPFW on captive portal reconfigure too
o dnsmasq: ignore DHCP names for "wpad" to fix CERT Vulnerability VU#598349
o firmware: opnsense-bootstrap: add "-B" bare bootstrap mode
o firmware: add repo configuration output to connectivity audit
o kea: plug socket into dynamic PD route installation script
o kea: add prefix to reservations to allow for static PD allocations based on DUID/MAC
o kea: infer IPv6 lease type in delete script via lease lookup so IA_NA/IA_PD can be deleted
o kea: DDNS add ddns-conflict-resolution-mode per subnet (contributed by chaispaquichui)
o kea: allow customizing "mac_sources" and change default to "ipv6-link-local"
o kea: add user-context object to config to emit description
o kea: fix option_data_autocollect mismatch in DHCPv6 page
o kea: enable internalModelSafeDelete due to increased model relation field usage
o kea: build reservation status from control socket output
o kea: add subnet vltime (partially contributed by Brandan Giles)
o kea: add client-id to DHCPv4 reservations
o network time: fix ACL definitions (contributed by Konstantinos Spartalis)
o openvpn: reload configuration for group sync after successful authentication
o openvpn: add tls-crypt-v2 support
o openvpn: allow restart action via cron
o radvd: allow to start a manual configuration without primary IPv6
o unbound: minor style/refactor for safe config access
o unbound: hide unused tree row in form output for overrides
o unbound: restyle statistics page
o wireguard: use getValues() consistently in control script
o mvc: remove unused UIModelGrid imports in IDS, Monit and Syslog controllers
o mvc: remove Util imports where not needed
o mvc: BaseField: add count() helper
o mvc: fix validation to use getValue instead of plain string cast
o mvc: UIModelGrid: remove flatten() method as getFlatNodes() is almost the same
o shell: safe iteration for VLAN/LAGG in port assignment
o shell: use safe config iteration in live mode banner
o ui: add static dialog header support and fix bool/string compare
o ui: add type_formatter keyword to form rendering
o ui: add save/cancel button support to form rendering
o ui: remove "event" use from bootgrid showSaveAlert()
o ui: add support for binary file uploads
o plugins: os-ddclient 1.31[3]
o plugins: os-frr 1.52[4]
o plugins: os-netbird 1.3[5]
o plugins: os-q-feeds-connector 1.6[6]
o plugins: os-turnserver 1.3[7]
o ports: curl 8.20.0[8]
o ports: dnsmasq 2.92rel2[9]
o ports: expat 2.8.1[10]
o ports: kea 3.0.3[11]
o ports: krb5 1.22.2[12]
o ports: libxml 2.15.3[13]
o ports: nss 3.123.1[14]
o ports: openssh 10.3p1[15]
o ports: phalcon 5.12.1[16]
o ports: py-duckdb 1.5.2[17]
o ports: py-requests 2.33.1
o ports: unbound 1.25.0[18]
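The first fix in the list (escaping the username before it is passed to a command) belongs to a well-known class of defect: a string that reaches a shell command line unquoted. The following is an added illustration of that class and its remedy in PHP; it is not OPNsense code and says nothing about the actual sync_user.php change. The script path, the function names and the sample username are assumptions made for the example.

```php
<?php
// Added illustration (hypothetical, not OPNsense code): a user-controlled
// value that ends up on a shell command line must be passed as exactly one
// quoted argument.

// Hypothetical helper script path used only for this example.
const SYNC_SCRIPT = '/usr/local/bin/sync_user.sh';

/**
 * Vulnerable form: raw string interpolation. Shell metacharacters in $user
 * (';', '|', '$(...)', backticks) end the intended command and start another.
 */
function build_command_unsafe(string $user): string
{
    return SYNC_SCRIPT . ' ' . $user;
}

/**
 * Hardened form: escapeshellarg() wraps the value in single quotes and
 * escapes any embedded single quote, so the shell always sees one literal
 * argument regardless of its content.
 */
function build_command_safe(string $user): string
{
    return SYNC_SCRIPT . ' ' . escapeshellarg($user);
}

/**
 * Defence in depth: reject names that should never reach a command at all.
 * The character set here is an assumption for the example; a real system
 * would use its own username policy.
 */
function is_valid_username(string $user): bool
{
    return preg_match('/^[a-z_][a-z0-9_.-]{0,31}$/', $user) === 1;
}

// Constructed sample input containing shell metacharacters.
$user = 'alice; id > /tmp/owned';

echo "valid: ", var_export(is_valid_username($user), true), PHP_EOL;
echo "unsafe: ", build_command_unsafe($user), PHP_EOL;
echo "safe:   ", build_command_safe($user), PHP_EOL;
```

Running the script side by side shows the unsafe variant producing two shell commands from one username, while the escaped variant keeps the whole string inside a single quoted argument; the allowlist check rejects the value before either is built.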
Stay safe,
Your OPNsense team
--
[1] https://www.cve.org/cverecord?id=CVE-2026-44194
[2] https://www.cve.org/cverecord?id=CVE-2026-45158
[3] https://github.com/opnsense/plugins/blob/stable/26.1/dns/ddclient/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/26.1/net/frr/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/26.1/security/netbird/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/26.1/security/q-feeds-connector/pkg-descr
[7] https://github.com/opnsense/plugins/blob/stable/26.1/net/turnserver/pkg-descr
[8] https://curl.se/changes.html#8_20_0
[9] https://www.thekelleys.org.uk/dnsmasq/CHANGELOG
[10] https://github.com/libexpat/libexpat/blob/R_2_8_1/expat/Changes
[11] https://gitlab.isc.org/isc-projects/kea/-/wikis/Release-Notes/release-notes-3.0.3
[12] https://web.mit.edu/kerberos/krb5-1.22/
[13] https://gitlab.gnome.org/GNOME/libxml2/-/blob/master/NEWS
[14] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_123_1.html
[15] https://www.openssh.com/txt/release-10.3
[16] https://github.com/phalcon/cphalcon/releases/tag/v5.12.1
[17] https://github.com/duckdb/duckdb/releases/tag/v1.5.2
[18] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-25-0