Topics - franco

#181
Announcements / OPNsense 21.1.6 released
May 27, 2021, 12:41:49 PM
Hi there,

With a bit of delay we bring to you the usual mix of security and
reliability updates.  It is of note that the OpenVPN advisory tracked
as CVE-2020-15078 does not affect the provided version 2.4.11, but the
security audit will falsely flag it as vulnerable because the source
of the audit is FreeBSD where OpenVPN was migrated to 2.5 series already.

Plans for upcoming 21.1.x versions include a swift Phalcon 4 migration as
well as Python 3.8 and PHP 7.4 updates.

Here are the full patch notes:

o system: add audit log target and move related syslog messages there
o system: set HSTS max-age to 1 year (contributed by Maurice Walker)
o system: fix restore copy in console recovery
o interfaces: revise approach to clear states when WAN address changes
o interfaces: add policy-based routing support for "dynamic" interface gateways
o interfaces: return scoped link-local in get_configured_ip_addresses()
o firewall: NPTv6 configuration clean-up (contributed by Maurice Walker)
o firewall: remove redundant NPTv6 binat rule (contributed by Maurice Walker)
o firewall: live log widget multiple interfaces and inspect feature (contributed by kulikov-a)
o firewall: add live log filter templates feature (contributed by kulikov-a)
o dhcp: compress expanded IPv6 lease addresses for clean match with system
o dhcp: on the GUI pages avoid the use of dhcpd_dhcp_configure()
o dnsmasq: use dhcpd_staticmap() for lease registration
o firmware: opnsense-patch now also invalidates the menu cache
o ipsec: add "keyingtries" phase 1 configuration option
o ipsec: automatic outbound NAT rules missed mobile clients
o ipsec: fix typo in autogenerated rules for virtual IP use
o openvpn: fix wizard regression after certificate changes in 21.1.5
o openvpn: remove now defunct OpenSSL engine support
o unbound: cleanse blacklist domain input
o unbound: match whole entry in blacklists (contributed by kulikov-a)
o unbound: use dhcpd_staticmap() for lease registration
o ui: upgrade chart.js to 2.9.4
o ui: update chartjs-plugin-streaming to 1.9.0
o ui: order interfaces in groups
o ui: sidebar menu fix for long listings (contributed by Team Rebellion)
o plugins: os-acme-client 2.5[1]
o plugins: os-chrony 1.3[2]
o plugins: os-dyndns 1.24[3]
o plugins: os-freeradius 1.9.12[4]
o plugins: os-haproxy 3.3[5]
o plugins: os-intrusion-detection-content-et-open 1.0.1 adds emerging-inappropriate ruleset
o plugins: os-nginx expected MIME type fix (contributed by Kimotu Bates)
o plugins: os-qemu-guest-agent 1.0 (contributed by Frank Wall)
o plugins: os-relayd 2.5[6] (sponsored by Modirum)
o plugins: os-telegraf 1.10.1[7]
o plugins: os-zabbix4-proxy 1.3[8]
o plugins: os-zabbix5-proxy 1.5[9]
o src: axgbe: check for IFCAP_VLAN_HWTAGGING when reading descriptor
o src: axgbe: add 1000BASE-BX SFP support
o src: race condition in aesni(4) encrypt-then-auth operations[10]
o ports: curl 7.76.1[11]
o ports: expat 2.4.1
o ports: filterlog 0.4 adds label support to output if applicable
o ports: libressl 3.3.3[12]
o ports: libxml2 fix for CVE-2021-3541
o ports: nss 3.65[13]
o ports: openssh-portable 8.6p1[14]
o ports: openvpn 2.4.11[15]
o ports: php 7.3.28[16]
o ports: sqlite 3.35.5[17]
o ports: sudo 1.9.7[18]
o ports: syslog-ng 3.32.1[19]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/21.1/security/acme-client/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/21.1/net/chrony/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/21.1/dns/dyndns/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/21.1/net/freeradius/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/21.1/net/haproxy/pkg-descr
[6] https://github.com/opnsense/plugins/issues/2232
[7] https://github.com/opnsense/plugins/blob/stable/21.1/net-mgmt/telegraf/pkg-descr
[8] https://github.com/opnsense/plugins/blob/stable/21.1/net-mgmt/zabbix4-proxy/pkg-descr
[9] https://github.com/opnsense/plugins/blob/stable/21.1/net-mgmt/zabbix5-proxy/pkg-descr
[10] https://www.freebsd.org/security/advisories/FreeBSD-EN-21:11.aesni.asc
[11] https://curl.se/changes.html#7_76_1
[12] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.3.3-relnotes.txt
[13] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.65_release_notes
[14] https://www.openssh.com/txt/release-8.6
[15] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.11
[16] https://www.php.net/ChangeLog-7.php#7.3.28
[17] https://sqlite.org/releaselog/3_35_5.html
[18] https://www.sudo.ws/stable.html#1.9.7
[19] https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.32.1
#182
Dear all,

During the last 6 years we have followed a strategy where we included HardenedBSD patches on top of FreeBSD to construct the operating system on which OPNsense relies. Most of our system has been FreeBSD-based combined with security patches and more security centric defaults for different areas of our system.

Since most of the surrounding world, when supporting *BSD-based operating systems, aims for FreeBSD, we do value good interoperability with FreeBSD, since that is where the general developer community is focused. This is not a change of strategy, but merely an explanation.

Over time we have seen that building on top of HardenedBSD does not always guarantee interoperability, which means that issues we or our users run into are not always very widespread and tend to complicate tracking issues. Since the HardenedBSD team is quite small, chances that issues are caught before we run into them are unfortunately not very substantial.

From time to time we considered leaving HardenedBSD; at some point in time there was practically no movement, but when things seemed to have picked up again last year we decided to wait and see if it would improve the situation, also because FreeBSD did not incorporate some of the security enhancements which we have been delivering since 2015.

With FreeBSD 13 released and the growing interest in security, we think it is now time to change our strategy a bit and focus our efforts further on FreeBSD to help improve security as much as we can. In time there is a risk that HardenedBSD additions are less compatible with new FreeBSD security features. For this reason we are aiming to incorporate FreeBSD 13.x into OPNsense 22.1 in January 2022. Since Shawn has been a core team member due to his involvement in our operating system, we decided to remove him from our core team as well.

Obviously we wish HardenedBSD and Shawn a bright future, maybe in time more of the original concepts and ideas will land in FreeBSD. We as OPNsense remain focused on security, but also believe more eyes help improve security as we have seen on our codebase as well with all the people involved in different areas of our project.


Stay safe,
Your OPNsense team
#183
Announcements / OPNsense 21.1.5 released
April 21, 2021, 11:59:24 AM
Good day everyone,

This is mainly a security and reliability update.  There are several FreeBSD
security advisories and updates for third party tools such as curl.

The historic bsdinstaller has been replaced by a scriptable alternative
based on the readily available bsdinstall bundled with the base system.
And, yes, this brings ZFS installer support into the upcoming 21.7 release.

On the development side the migration to Phalcon 4 framework is now underway
and brings improved UI/API responsiveness.  One of the remaining road map
goals is the migration to PHP 7.4 which can be carried out after said
framework update is complete and released.

Here are the full patch notes:

o system: return authentication errors for RADIUS also
o system: better logic for serial console options -h and -D
o system: reorder loader.conf settings to let tunables override all
o system: lighttpd include directory for configuration (contributed by Greelan)
o system: remove /dev/crypto GUI support
o system: add route address family return on dynamic gateway
o system: allow CPU temperature display in Fahrenheit in widget (contributed by Team Rebellion)
o system: performance enhancement for local_sync_accounts()
o system: move extensions out of a certificate DN (contributed by kulikov-a)
o interfaces: treat deprecated addresses as non-primary
o interfaces: improve guess_interface_from_ip() (contributed by vnxme)
o firewall: resolve IP addresses in kernel for force gateway rule
o firewall: use tables in the shaper to avoid breaking ipfw with too many addresses
o firewall: clarify help text for firewall rules traffic direction (contributed by Greelan)
o firewall: sticky filter-rule-association setting for none/pass on copied items
o firewall: copy and paste for alias content (contributed by kulikov-a)
o firewall: improve loopback visibility
o reporting: format 24 hour timestamps in traffic graphs and widget
o dhcp: add dhcpd_staticmap() and fix DHCPv6 leases page with it
o dhcp: add "none" option to gateway setting of static mappings
o firmware: fix bug with subscription read from mirror URL
o firmware: separate update error for "forbidden"
o firmware: update error if upstream core package is missing yet installed
o installer: migrate to scripted solution using bsdinstall
o ipsec: validation to prevent saving of route-based tunnels with "install policy" set
o unbound: prefer domain list over host file format (contributed by Gareth Owen)
o rc: attempt to create /tmp if it does not exist
o rc: add opensolaris module load for ZFS
o rc: reverse list on stop action
o ui: prevent autocomplete in the quick navigation
o plugins: os-bind 1.17[1]
o plugins: os-chrony 1.2[2]
o plugins: os-debug 1.4 changes debugging profile to new version
o plugins: os-freeradius 1.9.11[3]
o plugins: os-haproxy 3.2[4]
o plugins: os-intrusion-detection-content-et-open 1.0
o plugins: os-maltrail 1.7[5]
o plugins: os-netdata 1.1[6]
o plugins: os-nginx 1.22[7]
o plugins: os-smart 2.2 JSON conversion (contributed by Arnav Singh)
o plugins: os-telegraf 1.10.0[8]
o plugins: os-theme-rebellion 1.8.7 (contributed by Team Rebellion)
o plugins: os-wireguard 1.6[9]
o plugins: os-zabbix5-proxy 1.4[10]
o src: axgbe: enable receive all mode to bypass the MAC filter to avoid dropping CARP MAC addresses
o src: accept_filter: fix filter parameter handling[11]
o src: vm_fault: shoot down multiply mapped COW source page mappings[12]
o src: mount: disallow mounting over a jail root[13]
o src: em: add support for Intel I219 V10 device
o src: em: fix a null de-reference in em_free_pci_resources
o src: bsdinstall: switch to OPNsense branding
o ports: curl 7.76.0[14]
o ports: dnsmasq 2.85[15]
o ports: expat 2.3.0
o ports: hyperscan 5.4.0[16]
o ports: monit 5.28.0[17]
o ports: nettle 3.7.2
o ports: phpseclib 2.0.31[18]
o ports: pkg 1.16.3

Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/21.1/dns/bind/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/21.1/net/chrony/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/21.1/net/freeradius/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/21.1/net/haproxy/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/21.1/security/maltrail/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/21.1/net-mgmt/netdata/pkg-descr
[7] https://github.com/opnsense/plugins/blob/stable/21.1/www/nginx/pkg-descr
[8] https://github.com/opnsense/plugins/blob/stable/21.1/net-mgmt/telegraf/pkg-descr
[9] https://github.com/opnsense/plugins/blob/stable/21.1/net/wireguard/pkg-descr
[10] https://github.com/opnsense/plugins/blob/stable/21.1/net-mgmt/zabbix5-proxy/pkg-descr
[11] https://www.freebsd.org/security/advisories/FreeBSD-SA-21:09.accept_filter.asc
[12] https://www.freebsd.org/security/advisories/FreeBSD-SA-21:08.vm.asc
[13] https://www.freebsd.org/security/advisories/FreeBSD-SA-21:10.jail_mount.asc
[14] https://curl.se/changes.html#7_76_0
[15] https://www.thekelleys.org.uk/dnsmasq/CHANGELOG
[16] https://github.com/intel/hyperscan/releases/tag/v5.4.0
[17] https://mmonit.com/monit/changes/
[18] https://github.com/phpseclib/phpseclib/releases/tag/2.0.31
#184
The OPNsense business edition moves into a new era with this 21.4 release.
Note that the version numbers are now diverging from the community edition
to make it easier to distinguish between the two.  The next major update
will be 21.10 in October.

Download link is as follows.  An installation guide[1] and the checksums for
the images can be found below as well.

https://downloads.opnsense.com/

This business release is based on the OPNsense 21.1.4 community version
with additional reliability improvements.  Here are the full patch notes:

o system: use authentication factory for web GUI login
o system: allow case-insensitive matching for LDAP user authentication
o system: removed unused gateway API dashboard feed
o system: removed spurious comma from certificate subject print and unified underlying code
o system: harden web GUI defaults to TLS 1.2 minimum and strong ciphers
o system: generate a better self-signed certificate for web GUI default
o system: allow self-signed renew for web GUI default (using "configctl webgui restart renew")
o system: allow subdirectories in NextCloud backup (contributed by Lorenzo Milesi)
o system: first backup is same as current so ignore it on GUI and console
o system: optionally allow TOTP users to regenerate a token from the password page
o system: set hw.uart.console appropriately
o system: reconfigure routes on bootup
o system: relax gateway name validation
o system: ignore disabled gateways in dpinger services
o system: choose a better bind candidate for IPv4 in dpinger
o system: do not trim string fields in upstream XMLRPC library
o system: fix export API keys reload issue on Safari
o system: retain index after tunables sorting in 21.1.1
o system: fix firewall log widget update on small fixed number of entries
o system: replace traffic graphs in widget using chart.js
o system: make StartTLS work when retrieving LDAP authentication containers (contributed by Christian Brueffer)
o system: fix IPv6 route deletion on status page
o system: prevent duplicate dashboard traffic pollers mangling with the graphs
o system: added cron job "HA update and reconfigure backup"
o system: unify HA sync sections and remove legacy blocks
o system: adapt lighttpd ssl.privkey approach
o system: correctly remove routing entries directly connected to an interface
o system: fix dashboard traffic widget load behaviour (contributed by kulikov-a)
o system: fix dashboard widget title regression
o system: add assorted missing configuration sections for high availability sync
o system: restart web GUI with delay from services to prevent session disconnect
o system: improve error reporting in LDAP authentication (contributed by kulikov-a)
o system: changed USB serial option to use "on" instead of problematic "onifconsole"
o system: ignore garbled data in log lines
o system: fix single core activity display
o system: return authentication errors for RADIUS also
o system: better logic for serial console options -h and -D
o system: reorder loader.conf settings to let tunables override all
o interfaces: defer IPv6 disable in interface code to ensure PPP interfaces do exist
o interfaces: no longer assume configuration-less interfaces can reach static setup code
o interfaces: fix PPP links not linking to its advanced configuration page
o interfaces: read deprecated flag, allow family spec in (-)alias calls
o interfaces: fix address removal in IPv6 CARP case
o interfaces: pick proper route for 6RD and 6to4 tunnels
o interfaces: support 6RD with single /64 prefix (contributed by Marcel Hofer)
o interfaces: work around slow manufacturer lookups in py-netaddr 0.8.0
o interfaces: unhide primary IPv6 in overview page
o interfaces: fix IPv6 misalignment in get_interfaces_info()
o interfaces: correct dhcp6c configuration issue on PPPoE link down (contributed by Team Rebellion)
o interfaces: better primary IPv6 address detection in diagnostic tools
o interfaces: handle disabled interfaces in overview
o interfaces: drop early return in PPPoE link down
o interfaces: remove unused global definitions
o interfaces: immediately enable SLAAC during IPv6 initiation
o interfaces: fix a typo in the GIF setup code
o firewall: support category filters for firewall and NAT rules[2] (sponsored by Modirum)
o firewall: add live log "host", "port" and "not" filters
o firewall: create an appropriate max-mss scrub rule for IPv6
o firewall: fix anti-spoof option for separate bridge interfaces
o firewall: display zeros and sort columns in pfTables (contributed by kulikov-a)
o firewall: relax schedule name validation
o firewall: fix off-by-one error in alias utility listing
o firewall: fix live log matching with 'or' and empty filter (contributed by kulikov-a)
o firewall: change order of shaper delay parameter to prevent parser errors
o firewall: fix multiple PHP warnings regarding category additions
o firewall: fix icon toggle for block and reject (contributed by ElJeffe)
o firewall: typo in outbound alias use (contributed by kulikov-a)
o firewall: rules icon color after toggle fix (contributed by kulikov-a)
o firewall: allow to select rules with no category set
o firewall: sort pfTable results before slice (contributed by kulikov-a)
o firewall: make categories work with numbers only (contributed by kulikov-a)
o reporting: prevent calling top talkers when no interfaces are selected
o reporting: cleanup deselected interface rows in top talkers
o reporting: prevent NetFlow crash when interface number is missing
o reporting: fix sidebar menu collapse for NetFlow link (contributed by Maurice Walker)
o reporting: prevent crash when NetFlow attributes are missing
o reporting: aggregate iftop results for traffic graphs
o reporting: skip damaged NetFlow records
o captive portal: validate that static IP address exists when writing the configuration
o dhcp: hostname validation now includes domain
o dhcp: use same logic as menu figuring out if DHCPv6 page is reachable from leases
o dhcp: correct DHCPv6 custom options unsigned integer field (contributed by Team Rebellion)
o dhcp: added toggle for disabling RDNSS in router advertisements (contributed by Team Rebellion)
o dhcp: removed the need for a static IPv4 being outside of the pool (contributed by Gauss23)
o dhcp: add min-secs option for each subnet (contributed by vnxme)
o dhcp: correct help text for IPv6 ranges (contributed by Team Rebellion)
o dhcp: remove obsolete subnet validation for static entries
o dnsmasq: remove advanced configuration in favour of plugin directory
o dnsmasq: use domain override for static hosts
o firmware: disable autoscroll if client position differs
o firmware: remove spurious *.pkgsave files and offload post install bits to rc.syshook
o firmware: repair display of removed packages during release type transition
o firmware: add ability to run audits from the console
o firmware: show repository in package and plugin overviews
o firmware: opnsense-update -t option executes after -p making it possible to run them at once
o firmware: opnsense-update -t option now also uses recovery code introduced recently for -p
o firmware: opnsense-update -vR no longer emits "unknown" if no version was found
o firmware: opnsense-verify -l option lists enabled package repositories
o firmware: add crypto package to health check
o firmware: fix two JS tracker bugs
o firmware: assorted non-breaking changes for upcoming firmware revamp
o firmware: add product status backend for upcoming firmware page redesign
o firmware: opnsense-code will now check out the default release branch
o firmware: opnsense-update adds "-R" option for major release selection
o firmware: opnsense-update will now update repositories if out of sync
o firmware: opnsense-update will attempt to recover from fatal pkg behaviour
o firmware: opnsense-update now correctly redirects stderr on major upgrades
o firmware: opnsense-update now retains vital flag on faulty release type transition
o firmware: opnsense-bootstrap shellcheck audit (contributed by Michael Adams)
o firmware: revamp the UI and API
o firmware: revoke old business key
o firmware: fix compatibility regression with IE 11
o firmware: refine missing/invalid signature message during health check (contributed by Erik Inge Bolso)
o firmware: zap changelog remove description (contributed by Jacek Tomasiak)
o firmware: make status API endpoint synchronous when using POST
o firmware: migrate subscription to business release package
o firmware: fix bug with subscription read from mirror URL
o intrusion detection: replace file-based policy changes with detailed filters
o intrusion detection: prevent flowbits:noalert from being dropped
o intrusion detection: fix policies not matching categories
o intrusion detection: clean up rule based additions to prevent collisions with the new policies
o intrusion detection: add new Abuse.ch feed ThreatFox to detect indicators of compromise
o intrusion detection: make manual rule status boolean for policies (contributed by kulikov-a)
o ipsec: NAT with multiple phase 2[3] (sponsored by m.a.x. it)
o ipsec: prevent VTI interface to hit spurious 32768 limit
o ipsec: allow mixed IPv4/IPv6 for VTI
o ipsec: phase2 local/remote network check does not apply on VTI interfaces
o ipsec: calculate netmask for provided tunnel addresses when using VTI
o ipsec: do not pin reqid in case of mobile connections
o monit: minor bugfixes and UI changes (contributed by Manuel Faux)
o openvpn: added toggle for block-outside-dns (contributed by Julio Camargo)
o openvpn: hide "openvpn_add_dhcpopts" fields when not parsed via the backend
o openvpn: extend compression options (contributed by vnxme)
o openvpn: remove checks for NTP servers 3 and 4 (contributed by Christian Brueffer)
o unbound: allow /0 in ACL network
o unbound: default to SO_REUSEPORT
o unbound: update documentation URL (contributed by xorbital)
o unbound: handle DHCP client expiring and returning (contributed by Gareth Owen)
o unbound: Fix PTR records for DHCP endpoints (contributed by Gareth Owen)
o web proxy: add GSuite and YouTube filtering (contributed by Julio Camargo)
o web proxy: fix ownership issue on template directory
o mvc: do not discard valid application/json content type headers
o mvc: make sure isArraySequential() is only true on array input
o mvc: speed up processing time when over 2000 users are selected in a group
o mvc: add locking in JsonKeyValueStoreField type
o mvc: change LOG_LOCAL4 to LOG_LOCAL2 in base model
o images: use UFS2 as the default for nano, serial and vga
o images: support UEFI boot in serial image
o rc: opnsense-beep utility wrapper including manual page
o rc: support reading JSON metadata from plugin version files
o ui: add tooltips for service control widget
o ui: move sidebar stage from session to local storage
o ui: upgrade Tokenize2 to v1.3.3
o ui: format packet count with toLocaleString() in interface statistics widget (contributed by bleetsheep)
o ui: add compatibility for JS replaceAll() function
o ui: refactor bootgrid usage in ARP, NDP, captive portal session, system activity and routes
o ui: align layouts of select_multiple and dropdown types
o ui: use HTTPS everywhere (contributed by Robin Schneider)
o ui: bootgrid translation compatibility with Internet Explorer 11 (contributed by kulikov-a)
o plugins: increase revision number for all plugins to force installation of metadata added in 21.1.1
o plugins: provide JSON metadata in plugin version files
o plugins: add service annotations to supported plugins
o plugins: os-acme-client 2.4[4]
o plugins: os-bind 1.16[5]
o plugins: os-dyndns GratisDNS apex domain fix (contributed by Fredrik Rambris)
o plugins: os-freeradius 1.9.10[6]
o plugins: os-frr 1.21[7]
o plugins: os-haproxy 3.1[8]
o plugins: os-maltrail 1.6[9] (contributed by jkellerer)
o plugins: os-nginx 1.21[10]
o plugins: os-node_exporter 1.1[11]
o plugins: os-postfix 1.18[12]
o plugins: os-rspamd 1.11[13]
o plugins: os-smart adds cron jobs for useful actions (contributed by Jacek Tomasiak)
o plugins: os-stunnel 1.0.3 adds client mode (contributed by Nicola Bonavita)
o plugins: os-telegraf 1.9.0[14]
o plugins: os-theme-cicada 1.28 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.25 (contributed by Team Rebellion)
o plugins: os-theme-vicuna 1.4 (contributed by Team Rebellion)
o plugins: os-wireguard 1.5[15]
o plugins: os-wol 2.4 fixes dashboard widget (contributed by kulikov-a)
o src: fix AES-CCM requests with an AAD size smaller than a single block
o src: introduce HARDEN_KLD to ensure DTrace functionality
o src: refine pf_route* behaviour in PF_DUPTO case for shared forwarding
o src: assorted upstream fixes for ipfw, iflib, multicast processing and pf
o src: netmap tun(4) support adds pseudo addresses to ethernet header emulation (contributed by Sunny Valley Networks)
o src: add a manual page for axp(4) / AMD 10G Ethernet driver
o src: fix traffic graph not showing bandwidth when IPS is enabled
o src: panic when destroying VNET and epair simultaneously[16]
o src: uninitialized file system kernel stack leaks[17]
o src: Xen guest-triggered out of memory[18]
o src: update timezone database information[19]
o src: jail: Handle a possible race between jail_remove(2) and fork(2)[20]
o src: jail: Change both root and working directories in jail_attach(2)[21]
o src: x86: free microcode memory later[22]
o src: xen-blkback: fix leak of grant maps on ring setup failure[23]
o src: rtsold: auto-probe point to point interfaces
o src: growfs: update check-hash when doing large filesystem expansions
o src: axgbe: change default parameters to prevent manual tunable settings
o src: arp: avoid segfaulting due to out-of-bounds memory access
o src: fix multiple OpenSSL vulnerabilities[24]
o src: axgbe: enable receive all mode to bypass the MAC filter to avoid dropping CARP MAC addresses
o ports: ca_root_nss / nss 3.63[25]
o ports: curl 7.75.0[26]
o ports: dnsmasq 2.84[27]
o ports: igmpproxy 0.3[28]
o ports: krb5 1.19.1[29]
o ports: libressl 3.2.5[30]
o ports: lighttpd 1.4.59[31]
o ports: monit 5.27.2[32]
o ports: openldap 2.4.58[33]
o ports: openssh fix for double free in ssh-agent[34]
o ports: openssl 1.1.1k[35]
o ports: perl 5.32.1[36]
o ports: php 7.3.27[37]
o ports: pkg now provides fallback for version mismatch on pkg-add
o ports: py-netaddr 0.8.0[38]
o ports: python 3.7.10[39]
o ports: sqlite 3.34.1[40]
o ports: squid 4.14[41]
o ports: sudo 1.9.6p1[42]
o ports: suricata 5.0.6[43]
o ports: syslog-ng 3.31.2[44]
o ports: unbound 1.13.1[45]
o ports: wpa_supplicant p2p vulnerability[46]

The public key for the 21.4 series is:

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtiv4C8TPBnVAxUS+xW3W
uYhAOuLCZPA6F22Qatit4PVHI7AzfLbGjCQFZqjO+HRPVCmeiyggQWE4ZBOQrhbq
Em/NqmnDVos2rdGfEvp5miY4fstebtHI9CPv26QswgO7bsoJuCUoSmtGTbgNXyaF
ueNYTSXNEpWu35tQS830NCLW5Y6elfK99gxmNChlGdlz0wchaSA+myR6xH+TUw8L
D+87Tny/R2guC9Q0XnsKpKeOMxkNh0X3H0GsmcWmyV0rGAiMh6GuJXIN/yhNMkaD
wuHomqxd1OAyGLz9BjDNRKZ+b+y0iVpEx3qsDWlradtf8sUKZHJ96lf0jCRhEPvl
v1+QkAOzsauWBr3UtFbkKfHONpuwb5XVNgAJzFIRrnGhmWRXD7liiShOP4O+KBP1
Dzxs/X0plXgX2hOgzMbtgCMj4M1sV5HhKUrwiyqBpoe5nESJVrQ/DxETwEZIFoHy
hwQxd/DDp7uJmZlCkveuZeUAo7pfTUVchDpe2GB54bHEhIn3OES93PURMQtQxB12
mubV52vcfvzLnbv5FL5lMK/cgl64ip2bRu1jcB3wsKrKcGyUbtYJQDnHpowWrs5h
RdMHSfLyaC8ROMKhZmJTe141wr5p8d+NmgjlDblnNmUJ0jHVJeP0+RO/OcY/o3Zt
2MxL1Yp2cUu2l1HEmyrCsIcCAwEAAQ==
-----END PUBLIC KEY-----


Stay safe,
Your OPNsense team

--
[1] https://docs.opnsense.org/manual/install.html
[2] https://github.com/opnsense/core/issues/4587
[3] https://github.com/opnsense/core/issues/4460
[4] https://github.com/opnsense/plugins/blob/stable/21.1/security/acme-client/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/21.1/dns/bind/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/21.1/net/freeradius/pkg-descr
[7] https://github.com/opnsense/plugins/blob/stable/21.1/net/frr/pkg-descr
[8] https://github.com/opnsense/plugins/blob/stable/21.1/net/haproxy/pkg-descr
[9] https://github.com/opnsense/plugins/blob/stable/21.1/security/maltrail/pkg-descr
[10] https://github.com/opnsense/plugins/blob/stable/21.1/www/nginx/pkg-descr
[11] https://github.com/opnsense/plugins/blob/stable/21.1/sysutils/node_exporter/pkg-descr
[12] https://github.com/opnsense/plugins/blob/stable/21.1/mail/postfix/pkg-descr
[13] https://github.com/opnsense/plugins/blob/stable/21.1/mail/rspamd/pkg-descr
[14] https://github.com/opnsense/plugins/blob/stable/21.1/net-mgmt/telegraf/pkg-descr
[15] https://github.com/opnsense/plugins/blob/stable/21.1/net/wireguard/pkg-descr
[16] https://www.freebsd.org/security/advisories/FreeBSD-EN-21:03.vnet.asc
[17] https://www.freebsd.org/security/advisories/FreeBSD-SA-21:01.fsdisclosure.asc
[18] https://www.freebsd.org/security/advisories/FreeBSD-SA-21:02.xenoom.asc
[19] https://www.freebsd.org/security/advisories/FreeBSD-EN-21:01.tzdata.asc
[20] https://www.freebsd.org/security/advisories/FreeBSD-SA-21:04.jail_remove.asc
[21] https://www.freebsd.org/security/advisories/FreeBSD-SA-21:05.jail_chdir.asc
[22] https://www.freebsd.org/security/advisories/FreeBSD-EN-21:06.microcode.asc
[23] https://www.freebsd.org/security/advisories/FreeBSD-SA-21:06.xen.asc
[24] https://www.freebsd.org/security/advisories/FreeBSD-SA-21:07.openssl.asc
[25] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.63_release_notes
[26] https://curl.se/changes.html#7_75_0
[27] https://www.thekelleys.org.uk/dnsmasq/CHANGELOG
[28] https://github.com/pali/igmpproxy/releases/tag/0.3
[29] https://web.mit.edu/kerberos/krb5-1.19/
[30] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.5-relnotes.txt
[31] http://www.lighttpd.net/2021/2/2/1.4.59/
[32] https://mmonit.com/monit/changes/
[33] https://www.openldap.org/software/release/changes.html
[34] https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/015_sshagent.patch.sig
[35] https://www.openssl.org/news/openssl-1.1.1-notes.html
[36] https://perldoc.perl.org/5.32.1/perldelta
[37] https://www.php.net/ChangeLog-7.php#7.3.27
[38] https://pypi.org/project/netaddr/0.8.0/
[39] https://docs.python.org/release/3.7.10/whatsnew/changelog.html
[40] https://sqlite.org/releaselog/3_34_1.html
[41] http://www.squid-cache.org/Versions/v4/squid-4.14-RELEASENOTES.html
[42] https://www.sudo.ws/stable.html#1.9.6p1
[43] https://suricata-ids.org/2021/03/02/suricata-6-0-2-and-5-0-6-released/
[44] https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.31.2
[45] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-13-1
[46] https://w1.fi/security/2021-1/wpa_supplicant-p2p-provision-discovery-processing-vulnerability.txt

SHA256 (OPNsense-business-21.4-OpenSSL-dvd-amd64.iso.bz2) = c7d5ff7e98af2be042b62b452aa4acfc38c00719bd739eb1e88c036ee612fbfd
SHA256 (OPNsense-business-21.4-OpenSSL-nano-amd64.img.bz2) = 6201854edbdf8d08a03a85d2ec41dffb1cd19a68da9ee293d7268371d583e0c1
SHA256 (OPNsense-business-21.4-OpenSSL-serial-amd64.img.bz2) = 6b33e1d9bcc5491286643200f4832040920bbc44fc8af67f895f16ef87c83a9b
SHA256 (OPNsense-business-21.4-OpenSSL-vga-amd64.img.bz2) = 516eac14099ff10a9b8616780b0fe3418cef6d684cc1a994d77fa930e0989e7e
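The announcement above publishes per-image SHA256 sums in the BSD digest format (`SHA256 (file) = hex`). The script below is an added example, not code from the post or from the OPNsense project: it parses lines in that format, streams each downloaded image through SHA-256 and reports OK, MISMATCH or MISSING per published entry. The file names and digests in `demo()` are constructed (the digests are those of the byte strings `abc` and the empty string), so the example runs offline; it does not cover the series public key printed in the post, which is a separate, signature-based check.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# One line per image, in the BSD digest format the announcement uses:
#   SHA256 (OPNsense-business-21.4-OpenSSL-dvd-amd64.iso.bz2) = c7d5ff7e...
CHECKSUM_LINE = re.compile(r"^SHA256 \((?P<name>[^()]+)\) = (?P<digest>[0-9a-fA-F]{64})$")


def parse_checksums(text):
    """Map file name -> expected hex digest, rejecting lines in any other shape."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = CHECKSUM_LINE.match(line)
        if match is None:
            raise ValueError(f"unrecognised checksum line: {line!r}")
        expected[match.group("name")] = match.group("digest").lower()
    return expected


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_images(checksum_text, directory):
    """Return {name: "OK" | "MISMATCH" | "MISSING"} for every published entry.

    MISMATCH means the bytes on disk are not the bytes that were published,
    whether through a truncated download or substitution on the way to you;
    either way the image must not be installed.
    """
    results = {}
    for name, digest in parse_checksums(checksum_text).items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "MISSING"
        elif sha256_file(path) == digest:
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Run the check against constructed files (hypothetical names, not real OPNsense images)."""
    # Constructed checksum list: the first two digests are SHA-256("abc"), the
    # third is SHA-256(""), so only the file that really contains b"abc" passes.
    checksum_text = """
SHA256 (example-good-21.4-amd64.img.bz2) = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
SHA256 (example-tampered-21.4-amd64.img.bz2) = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
SHA256 (example-missing-21.4-amd64.img.bz2) = e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""
    with tempfile.TemporaryDirectory() as directory:
        (Path(directory) / "example-good-21.4-amd64.img.bz2").write_bytes(b"abc")
        (Path(directory) / "example-tampered-21.4-amd64.img.bz2").write_bytes(b"abd")
        return verify_images(checksum_text, directory)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8} {name}")
```

A digest list only proves the image matches what the list says; it is worth something only when the list itself was fetched from a channel you trust (the project's announcement over TLS, or a signed copy), since an attacker who can replace the image on a mirror can usually replace an unsigned checksum file sitting next to it as well.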
#185
Announcements / OPNsense 21.1.4 released
March 30, 2021, 04:24:39 PM
Hi there,

The third party crypto libraries need patching so here we go!  The number of
user contributions and interaction regarding stability fixes and improvements
from the OPNsense side seems to be picking up as well and that is great to see.

The development version includes an update of Suricata to version 6.0.2
in case any of you want to try it out.  Also, improvements in the DHCP
static mapping can now deal with IPv6 prefix merge for such deployments
using Unbound and Dnsmasq host registration.

In the past 3 months we have also been working on a business edition relaunch
and now feel obligated to quickly present the results of these efforts:

The upcoming release of the business edition will be versioned as 21.4 in
order to decouple it from the community release cycle.  To that end--and
to stay true to open source--we have published the release engineering core
branch for said business release[1].

You will see more distinction between "community" and "business" in
communication, but the basic approach of a more conservative release
cycle in volume and timing for the business edition remains the same.
On top of this, the business edition also offers additional plugins,
e.g. for central management tasks.

Here are the full patch notes:

o system: add assorted missing configuration sections for high availability sync
o system: restart web GUI with delay from services to prevent session disconnect
o system: improve error reporting in LDAP authentication (contributed by kulikov-a)
o system: changed USB serial option to use "on" instead of problematic "onifconsole"
o system: ignore garbled data in log lines
o system: fix single core activity display
o interfaces: immediately enable SLAAC during IPv6 initiation
o interfaces: fix a typo in the GIF setup code
o firewall: allow to select rules with no category set
o firewall: sort pfTable results before slice (contributed by kulikov-a)
o firewall: make categories work with numbers only (contributed by kulikov-a)
o reporting: skip damaged NetFlow records
o dhcp: correct help text for IPv6 ranges (contributed by Team Rebellion)
o dhcp: remove obsolete subnet validation for static entries
o firmware: refine missing/invalid signature message during health check (contributed by Erik Inge Bolso)
o firmware: zap changelog remove description (contributed by Jacek Tomasiak)
o firmware: make status API endpoint synchronous when using POST
o openvpn: remove checks for NTP servers 3 and 4 (contributed by Christian Brueffer)
o unbound: Fix PTR records for DHCP endpoints (contributed by Gareth Owen)
o ui: use HTTPS everywhere (contributed by Robin Schneider)
o ui: bootgrid translation compatibility with Internet Explorer 11 (contributed by kulikov-a)
o plugins: add service annotations to supported plugins
o plugins: os-freeradius 1.9.10[2]
o plugins: os-haproxy 3.1[3]
o plugins: os-stunnel 1.0.3 adds client mode (contributed by Nicola Bonavita)
o plugins: os-telegraf 1.9.0[4]
o plugins: os-theme-cicada 1.28 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.25 (contributed by Team Rebellion)
o plugins: os-theme-vicuna 1.4 (contributed by Team Rebellion)
o plugins: os-wireguard 1.5[5]
o plugins: os-wol 2.4 fixes dashboard widget (contributed by kulikov-a)
o src: fix multiple OpenSSL vulnerabilities[6]
o ports: ca_root_nss / nss 3.63[7]
o ports: libressl 3.2.5[8]
o ports: openldap 2.4.58[9]
o ports: openssh fix for double free in ssh-agent[10]
o ports: openssl 1.1.1k[11]
o ports: sudo 1.9.6p1[12]
o ports: suricata 5.0.6[13]
o ports: syslog-ng 3.31.2[14]
o ports: wpa_supplicant p2p vulnerability[15]

Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/core/commits/stable/21.4
[2] https://github.com/opnsense/plugins/blob/stable/21.1/net/freeradius/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/21.1/net/haproxy/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/21.1/net-mgmt/telegraf/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/21.1/net/wireguard/pkg-descr
[6] https://www.freebsd.org/security/advisories/FreeBSD-SA-21:07.openssl.asc
[7] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.63_release_notes
[8] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.5-relnotes.txt
[9] https://www.openldap.org/software/release/changes.html
[10] https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/015_sshagent.patch.sig
[11] https://www.openssl.org/news/openssl-1.1.1-notes.html
[12] https://www.sudo.ws/stable.html#1.9.6p1
[13] https://suricata-ids.org/2021/03/02/suricata-6-0-2-and-5-0-6-released/
[14] https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.31.2
[15] https://w1.fi/security/2021-1/wpa_supplicant-p2p-provision-discovery-processing-vulnerability.txt
#186
Announcements / OPNsense 21.1.3 released
March 10, 2021, 12:05:09 PM
Hello, hello,

Today we move ahead with the firmware UI and API rework as we are happy
with the new user experience.  You will also notice the new plugin conflict
dialog which will report that plugins have been installed previously but
not registered in the configuration.  This can be easily amended by resetting
the local conflicts, which essentially accepts the current plugin
configuration as the new default.

The HAProxy plugin was updated to version 3.0.  This release marks the
switch to the HAProxy 2.2 release series, which may result in incompatible
changes for some users.  Many new features were also added, including the
possibility to update SSL certificates in runtime.  These features should
be considered experimental.  We encourage everyone to install this version
in a test environment before using it in production.  As usual, please have
a look at the plugin changes[1] and report bugs on GitHub.

Here are the full patch notes:

o system: prevent duplicate dashboard traffic pollers mangling with the graphs
o system: added cron job "HA update and reconfigure backup"
o system: unify HA sync sections and remove legacy blocks
o system: adapt lighttpd ssl.privkey approach
o system: correctly remove routing entries directly connected to an interface
o interfaces: correct dhcp6c configuration issue on PPPoE link down (contributed by Team Rebellion)
o interfaces: better primary IPv6 address detection in diagnostic tools
o interfaces: handle disabled interfaces in overview
o interfaces: drop early return in PPPoE link down
o interfaces: remove unused global definitions
o firewall: typo in outbound alias use (contributed by kulikov-a)
o firewall: rules icon color after toggle fix (contributed by kulikov-a)
o reporting: prevent crash when NetFlow attributes are missing
o reporting: aggregate iftop results for traffic graphs
o firmware: opnsense-bootstrap shellcheck audit (contributed by Michael Adams)
o firmware: revamp the UI and API
o firmware: revoke old business key
o intrusion detection: add new Abuse.ch feed ThreatFox to detect indicators of compromise
o intrusion detection: make manual rule status boolean for policies (contributed by kulikov-a)
o ipsec: calculate netmask for provided tunnel addresses when using VTI
o ipsec: do not pin reqid in case of mobile connections
o openvpn: extend compression options (contributed by vnxme)
o unbound: handle DHCP client expiring and returning (contributed by Gareth Owen)
o ui: refactor bootgrid usage in ARP, NDP, captive portal session, system activity and routes
o ui: align layouts of select_multiple and dropdown types
o plugins: os-haproxy 3.0[1]
o plugins: os-nginx 1.21[2]
o plugins: os-node_exporter 1.1[3]
o src: jail: Handle a possible race between jail_remove(2) and fork(2)[4]
o src: jail: Change both root and working directories in jail_attach(2)[5]
o src: x86: free microcode memory later[6]
o src: xen-blkback: fix leak of grant maps on ring setup failure[7]
o src: rtsold: auto-probe point to point interfaces
o src: growfs: update check-hash when doing large filesystem expansions
o src: axgbe: change default parameters to prevent manual tunable settings
o src: arp: avoid segfaulting due to out-of-bounds memory access
o ports: cpdup 1.22[8]
o ports: krb5 1.19.1[9]
o ports: nss 3.62[10]
o ports: pkg now provides fallback for version mismatch on pkg-add
o ports: python 3.7.10[11]
o ports: syslog-ng 3.31.1[12]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/21.1/net/haproxy/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/21.1/www/nginx/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/21.1/sysutils/node_exporter/pkg-descr
[4] https://www.freebsd.org/security/advisories/FreeBSD-SA-21:04.jail_remove.asc
[5] https://www.freebsd.org/security/advisories/FreeBSD-SA-21:05.jail_chdir.asc
[6] https://www.freebsd.org/security/advisories/FreeBSD-EN-21:06.microcode.asc
[7] https://www.freebsd.org/security/advisories/FreeBSD-SA-21:06.xen.asc
[8] https://github.com/DragonFlyBSD/cpdup/releases/tag/v1.22
[9] https://web.mit.edu/kerberos/krb5-1.19/
[10] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.62_release_notes
[11] https://docs.python.org/release/3.7.10/whatsnew/changelog.html#changelog
[12] https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.31.1
#187
Announcements / OPNsense 21.1.2 released
February 23, 2021, 02:41:45 PM
Hello,

Please do enjoy this round of timely crypto library updates and
other reliability fixes.

Work has so far been focused on the firmware update process to ensure
its safety around edge cases and recovery methods for the worst case.
To that end 21.1.3 will likely receive the full revamp including API and
GUI changes for a swift transition after thorough testing of the changes
now available in the development package of this release.

Here are the full patch notes:

o system: do not trim string fields in upstream XMLRPC library
o system: fix export API keys reload issue on Safari
o system: retain index after tunables sorting in 21.1.1
o system: fix firewall log widget update on small fixed number of entries
o system: replace traffic graphs in widget using chart.js
o system: make StartTLS work when retrieving LDAP authentication containers (contributed by Christian Brueffer)
o system: fix IPv6 route deletion on status page
o interfaces: work around slow manufacturer lookups in py-netaddr 0.8.0
o firewall: fix off-by-one error in alias utility listing
o firewall: fix live log matching with 'or' and empty filter (contributed by kulikov-a)
o reporting: prevent NetFlow crash when interface number is missing
o firmware: opnsense-update -t option executes after -p making it possible to run them at once
o firmware: opnsense-update -t option now also uses recovery code introduced recently for -p
o firmware: opnsense-update -vR no longer emits "unknown" if no version was found
o firmware: opnsense-verify -l option lists enabled package repositories
o firmware: add crypto package to health check
o firmware: fix two JS tracker bugs
o firmware: assorted non-breaking changes for upcoming firmware revamp
o intrusion detection: prevent flowbits:noalert from being dropped
o intrusion detection: fix policies not matching categories
o ipsec: phase2 local/remote network check does not apply on VTI interfaces
o web proxy: fix ownership issue on template directory
o rc: opnsense-beep utility wrapper including manual page
o plugins: increase revision number for all plugins to force installation of metadata added in 21.1.1
o plugins: os-acme-client 2.4[1]
o plugins: os-postfix 1.18[2]
o plugins: os-rspamd 1.11[3]
o plugins: os-theme-cicada 1.27 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.24 (contributed by Team Rebellion)
o plugins: os-theme-vicuna 1.3 (contributed by Team Rebellion)
o ports: curl 7.75.0
o ports: libressl 3.2.4
o ports: openssl 1.1.1j
o ports: php 7.3.27
o ports: squid 4.14
o ports: unbound 1.13.1


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/21.1/security/acme-client/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/21.1/mail/postfix/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/21.1/mail/rspamd/pkg-descr
[4] https://curl.se/changes.html#7_75_0
[5] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.4-relnotes.txt
[6] https://www.openssl.org/news/openssl-1.1.1-notes.html
[7] https://www.php.net/ChangeLog-7.php#7.3.27
[8] http://www.squid-cache.org/Versions/v4/squid-4.14-RELEASENOTES.html
[9] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-13-1
#188
Announcements / OPNsense 21.1.1 released
February 09, 2021, 01:47:53 PM
Hi everyone,

The 21.1 series debut looks pretty good so far. Thanks again for your input and comments!

We will be spending a lot of time this year improving and adapting the code base. As a first glimpse, the changes of this stable update are a mix of security and reliability updates coupled with preparations for the update framework revamp we have planned for 21.7. The roadmap is still not final, but will likely contain long-yearned-for features. Stay tuned.

Here are the full patch notes:

o firewall: change order of shaper delay parameter to prevent parser errors
o firewall: fix multiple PHP warnings regarding category additions
o firewall: fix icon toggle for block and reject (contributed by ElJeffe)
o interfaces: unhide primary IPv6 in overview page
o interfaces: fix IPv6 misalignment in get_interfaces_info()
o reporting: fix sidebar menu collapse for NetFlow link (contributed by Maurice Walker)
o captive portal: validate that static IP address exists when writing the configuration
o firmware: add product status backend for upcoming firmware page redesign
o firmware: opnsense-code will now check out the default release branch
o firmware: opnsense-update adds "-R" option for major release selection
o firmware: opnsense-update will now update repositories if out of sync
o firmware: opnsense-update will attempt to recover from fatal pkg behaviour
o firmware: opnsense-update now correctly redirects stderr on major upgrades
o firmware: opnsense-update now retains vital flag on faulty release type transition
o intrusion detection: clean up rule based additions to prevent collisions with the new policies
o monit: minor bugfixes and UI changes (contributed by Manuel Faux)
o unbound: update documentation URL (contributed by xorbital)
o ui: format packet count with toLocaleString() in interface statistics widget (contributed by bleetsheep)
o ui: add compatibility for JS replaceAll() function
o rc: support reading JSON metadata from plugin version files
o plugins: provide JSON metadata in plugin version files
o plugins: os-dyndns GratisDNS apex domain fix (contributed by Fredrik Rambris)
o plugins: os-nginx upstream TLS verification fix (contributed by kulikov-a)
o plugins: os-theme-cicada 1.26 (contributed by Team Rebellion)
o plugins: os-theme-vicuna 1.2 (contributed by Team Rebellion)
o src: panic when destroying VNET and epair simultaneously[1]
o src: uninitialized file system kernel stack leaks[2]
o src: Xen guest-triggered out of memory[3]
o src: update timezone database information[4]
o ports: dnsmasq 2.84[5]
o ports: lighttpd 1.4.59[6]
o ports: krb5 1.19[7]
o ports: monit 5.27.2[8]
o ports: perl 5.32.1[9]
o ports: sqlite 3.34.1[10]


Stay safe,
Your OPNsense team

--
[1] https://www.freebsd.org/security/advisories/FreeBSD-EN-21:03.vnet.asc
[2] https://www.freebsd.org/security/advisories/FreeBSD-SA-21:01.fsdisclosure.asc
[3] https://www.freebsd.org/security/advisories/FreeBSD-SA-21:02.xenoom.asc
[4] https://www.freebsd.org/security/advisories/FreeBSD-EN-21:01.tzdata.asc
[5] https://www.thekelleys.org.uk/dnsmasq/CHANGELOG
[6] http://www.lighttpd.net/2021/2/2/1.4.59/
[7] https://web.mit.edu/kerberos/krb5-1.19/
[8] https://mmonit.com/monit/changes/
[9] https://perldoc.perl.org/5.32.1/perldelta
[10] https://sqlite.org/releaselog/3_34_1.html
#189
Announcements / OPNsense 21.1 released
January 28, 2021, 02:00:47 PM
Hi there,

For more than 6 years, OPNsense has been driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

21.1, nicknamed "Marvelous Meerkat", is the relentless continuation of open source dedication.  The last 6 years were not always easy, but we are happy to be where we are now and have the community to thank for it.

New and improved are the firewall rules and NAT categories, the traffic graphs supporting IPv6 along with a visual refresh, intrusion detection rule management by policies, an alias for MAC addresses and NAT over IPsec with all phase 2 you could ever want.  Last but not least, the serial image now supports UEFI as well.

For those wondering, the WireGuard plugin has been available since 2019 and receives continuous improvements by its maintainer and various users alike.  And that is unlikely to change in the future.  ;)

As we continue to deprecate custom configuration inputs for a number of reasons, Dnsmasq has been switched to a pluggable file-based approach[1] with Unbound to follow in the upcoming 21.7 series.

Download links, an installation guide[2] and the checksums for the images can be found below as well.

o Europe: https://opnsense.c0urier.net/releases/21.1/
o US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/21.1/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/21.1/
o South America: https://mirror.venturasystems.tech/opnsense/releases/21.1/
o Australia: http://mirror.as24220.net/opnsense/releases/21.1/
o Full mirror list: https://opnsense.org/download/

Here are the full patch notes against 20.7.8:

o system: use authentication factory for web GUI login
o system: allow case-insensitive matching for LDAP user authentication
o system: removed unused gateway API dashboard feed
o system: removed spurious comma from certificate subject print and unified underlying code
o system: harden web GUI defaults to TLS 1.2 minimum and strong ciphers
o system: generate a better self-signed certificate for web GUI default
o system: allow self-signed renew for web GUI default (using "configctl webgui restart renew")
o system: allow subdirectories in NextCloud backup (contributed by Lorenzo Milesi)
o system: first backup is same as current so ignore it on GUI and console
o system: optionally allow TOTP users to regenerate a token from the password page
o system: set hw.uart.console appropriately
o system: reconfigure routes on bootup
o system: relax gateway name validation
o system: ignore disabled gateways in dpinger services
o system: choose a better bind candidate for IPv4 in dpinger
o interfaces: defer IPv6 disable in interface code to ensure PPP interfaces do exist
o interfaces: no longer assume configuration-less interfaces can reach static setup code
o interfaces: fix PPP links not linking to their advanced configuration page
o interfaces: read deprecated flag, allow family spec in (-)alias calls
o interfaces: fix address removal in IPv6 CARP case
o interfaces: pick proper route for 6RD and 6to4 tunnels
o interfaces: support 6RD with single /64 prefix (contributed by Marcel Hofer)
o firewall: support category filters for firewall and NAT rules (sponsored by Modirum)
o firewall: add live log "host", "port" and "not" filters
o firewall: create an appropriate max-mss scrub rule for IPv6
o firewall: fix anti-spoof option for separate bridge interfaces
o firewall: display zeros and sort columns in pfTables (contributed by kulikov-a)
o firewall: relax schedule name validation
o reporting: prevent calling top talkers when no interfaces are selected
o reporting: cleanup deselected interface rows in top talkers
o dhcp: hostname validation now includes domain
o dhcp: use same logic as menu figuring out if DHCPv6 page is reachable from leases
o dhcp: correct DHCPv6 custom options unsigned integer field (contributed by Team Rebellion)
o dhcp: added toggle for disabling RDNSS in router advertisements (contributed by Team Rebellion)
o dhcp: removed the need for a static IPv4 being outside of the pool (contributed by Gauss23)
o dhcp: add min-secs option for each subnet (contributed by vnxme)
o dnsmasq: remove advanced configuration in favour of plugin directory
o dnsmasq: use domain override for static hosts
o firmware: disable autoscroll if client position differs
o firmware: remove spurious *.pkgsave files and offload post install bits to rc.syshook
o firmware: repair display of removed packages during release type transition
o firmware: add ability to run audits from the console
o firmware: show repository in package and plugin overviews
o intrusion detection: replace file-based policy changes with detailed filters
o ipsec: NAT with multiple phase 2 (sponsored by m.a.x. it)
o ipsec: prevent VTI interface from hitting spurious 32768 limit
o ipsec: allow mixed IPv4/IPv6 for VTI
o openvpn: added toggle for block-outside-dns (contributed by Julio Camargo)
o openvpn: hide "openvpn_add_dhcpopts" fields when not parsed via the backend
o unbound: allow /0 in ACL network
o unbound: default to SO_REUSEPORT
o web proxy: add GSuite and YouTube filtering (contributed by Julio Camargo)
o mvc: do not discard valid application/json content type headers
o mvc: make sure isArraySequential() is only true on array input
o mvc: speed up processing time when over 2000 users are selected in a group
o mvc: add locking in JsonKeyValueStoreField type
o mvc: change LOG_LOCAL4 to LOG_LOCAL2 in base model
o images: use UFS2 as the default for nano, serial and vga
o images: support UEFI boot in serial image
o ui: add tooltips for service control widget
o ui: move sidebar stage from session to local storage
o ui: upgrade Tokenize2 to v1.3.3
o plugins: os-acme-client 2.3[3]
o plugins: os-bind 1.16[4]
o plugins: os-frr 1.21[5]
o plugins: os-maltrail 1.6[6] (contributed by jkellerer)
o plugins: os-smart adds cron jobs for useful actions (contributed by Jacek Tomasiak)
o plugins: os-telegraf 1.8.3 adds ping6 ability (contributed by DasSkelett)
o src: fix AES-CCM requests with an AAD size smaller than a single block
o src: introduce HARDEN_KLD to ensure DTrace functionality
o src: refine pf_route* behaviour in PF_DUPTO case for shared forwarding
o src: assorted upstream fixes for ipfw, iflib, multicast processing and pf
o src: netmap tun(4) support adds pseudo addresses to ethernet header emulation (contributed by Sunny Valley Networks)
o src: add a manual page for axp(4) / AMD 10G Ethernet driver
o src: fix traffic graph not showing bandwidth when IPS is enabled
o ports: dnsmasq 2.83[7]
o ports: igmpproxy 0.3[8]
o ports: nss 3.61[9]
o ports: openldap 2.4.57[10]
o ports: py-netaddr 0.8.0[11]

The public key for the 21.1 series is:


Stay safe,
Your OPNsense team

--
[1] https://docs.opnsense.org/manual/dnsmasq.html
[2] https://docs.opnsense.org/manual/install.html
[3] https://github.com/opnsense/plugins/blob/master/security/acme-client/pkg-descr
[4] https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr
[5] https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr
[6] https://github.com/opnsense/plugins/blob/master/security/maltrail/pkg-descr
[7] https://www.thekelleys.org.uk/dnsmasq/CHANGELOG
[8] https://github.com/pali/igmpproxy/releases/tag/0.3
[9] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.61_release_notes
[10] https://www.openldap.org/software/release/changes.html
[11] https://pypi.org/project/netaddr/0.8.0/

SHA256 (OPNsense-21.1-OpenSSL-dvd-amd64.iso.bz2) = 936301cb53c7c3474171a076594bb00a29827b4aa1c9aa8dac7519e447f7ec81
SHA256 (OPNsense-21.1-OpenSSL-nano-amd64.img.bz2) = e5116c5037f4b4bbc68708e8f14ce023508ccf585164b778d6c158f170ea202f
SHA256 (OPNsense-21.1-OpenSSL-serial-amd64.img.bz2) = 472c8568d8c4a54743b3a2b1bc720e83c04cc2c63d68df1376c207f25b98ae20
SHA256 (OPNsense-21.1-OpenSSL-vga-amd64.img.bz2) = 44a930151472954626c237a1255712e6e7c542d7ac3c5317a74618d08ce36bbf
#190
Announcements / OPNsense 20.7.8 released
January 19, 2021, 04:49:37 PM
Hi there,

The particular volume of this stable update foreshadows the end of the 20.7 series in less than two weeks.

One longstanding issue with radvd on FreeBSD 12.1 has been resolved according to multiple user feedback.

The mailing lists have been archived and will no longer be used.

And before there are questions: yes, consumers of the development version are now able to upgrade to 21.1-RC1.

Here are the full patch notes:

o system: allow to recover from bad TLS certificate and/or bad settings in console interface assign
o system: display destination port number in firewall log widget (contributed by Team Rebellion)
o system: keep compatible TLS 1 defaults for web GUI on 20.7 series
o system: set default certificate lifetime to 397 days
o firewall: add type 128 to outgoing IPv6 RFC4890 requirements
o firewall: add manual refresh button to live log
o firewall: fix typo in ICMPv6 validation
o firewall: fix minor regression in maintaining target alias file
o firewall: fix all state value in pfTop (contributed by Lucas Held)
o firewall: remove duplicated destination field in live log
o firewall: add readonly actions to aliases permission (contributed by Manuel Faux)
o firewall: category selector missing caption
o reporting: add top talkers to revamped traffic graph page
o reporting: fix name resolution filter change in insight
o reporting: persist interface selection on traffic graph page
o captive portal: disable faulty TLS on HTTP since lighttpd 1.4.56
o dhcp: fix sorting of IPv6 static mappings (contributed by vnxme)
o dhcp: fix incorrect parsing of DUID (contributed by Matt Holgate)
o firmware: opnsense-code now updates the current directory if nothing was specified
o firmware: opnsense-code now uses flexible make.conf target from tools.git
o firmware: opnsense-update now supports snapshot access via -z option
o firmware: opnsense-update now fixes missing dependencies on the fly
o firmware: fix some issues with missing repository on server
o firmware: add version output and date to audit logs
o ipsec: display remote host in status overview (contributed by garlic17)
o opendns: add standalone mode
o openssh: honour MAX_LISTEN_SOCKS
o openvpn: set default certificate lifetime to 397 days in wizard
o unbound: generate all configuration files in service controller
o unbound: fix broken lines in large files (contributed by kulikov-a)
o web proxy: lock ACL download to prevent duplicate execution
o mvc: allow underscore in filter string (contributed by kulikov-a)
o plugins: os-haproxy 2.26[1]
o plugins: os-hw-probe 1.0 (contributed by Michael Muenz)
o plugins: os-maltrail fixes sensor start without server (contributed by Julio Camargo)
o plugins: os-nginx 1.20[2]
o plugins: os-tinc fixes for latest version (contributed by vnxme)
o src: fix OpenSSL NULL pointer de-reference[3]
o src: fix partial scrub of multicast packages
o src: free full mbuf chains in iflib when draining transmit queues
o src: initialize oifp to avoid bogus results/panics in edge cases
o src: 10Gigabit Ethernet driver for AMD SoC
o ports: libressl 3.2.3[4][5]
o ports: nss 3.60.1
o ports: php 7.3.26[6]
o ports: pkg fix for shell keyword by opening root file descriptor
o ports: radvd 2.19[7]
o ports: sudo 1.9.5p1[8]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/master/net/haproxy/pkg-descr
[2] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[3] https://www.freebsd.org/security/advisories/FreeBSD-SA-20:33.openssl.asc
[4] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.2-relnotes.txt
[5] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.3-relnotes.txt
[6] https://www.php.net/ChangeLog-7.php#7.3.26
[7] https://radvd.litech.org/CHANGES.txt
[8] https://www.sudo.ws/stable.html#1.9.5p1
#191
Announcements / OPNsense 21.1-RC1 released
January 13, 2021, 03:58:58 PM
Hi there,

For more than 6 years, OPNsense has been driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

We thank all of you for helping test, shape and contribute to the project!  We know it would not be the same without you.  <3

Download links, an installation guide[1] and the checksums for the images can be found below as well.

o Europe: https://opnsense.c0urier.net/releases/21.1/
o US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/21.1/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/21.1/
o South America: https://mirror.venturasystems.tech/opnsense/releases/21.1/
o Australia: http://mirror.as24220.net/opnsense/releases/21.1/
o Full mirror list: https://opnsense.org/download/

Here are the full patch notes against 20.7.7_1:

o system: use authentication factory for web GUI login
o system: allow case-insensitive matching for LDAP user authentication
o system: removed unused gateway API dashboard feed
o system: removed spurious comma from certificate subject print and unified underlying code
o system: harden web GUI defaults to TLS 1.2 minimum and strong ciphers
o system: generate a better self-signed certificate for web GUI default
o system: allow self-signed renew for web GUI default (using "configctl webgui restart renew")
o system: allow subdirectories in NextCloud backup (contributed by Lorenzo Milesi)
o system: optionally allow TOTP users to regenerate a token from the password page
o system: set default certificate lifetime to 397 days
o system: relax gateway name validation
o system: display destination port number in firewall log widget (contributed by Team Rebellion)
o system: allow to recover from bad TLS certificate and/or bad settings in console interface assign
o interfaces: defer IPv6 disable in interface code to ensure PPP interfaces do exist
o interfaces: no longer assume configuration-less interfaces can reach static setup code
o interfaces: fix PPP links not linking to linked advanced configuration
o firewall: add live log "host", "port" and "not" filters
o firewall: add manual refresh button to live log
o firewall: create an appropriate max-mss scrub rule for IPv6
o firewall: fix anti-spoof option for separate bridge interfaces
o firewall: relax schedule name validation
o firewall: fix typo in ICMPv6 validation
o firewall: add type 128 to outgoing IPv6 RFC4890 requirements
o firewall: fix minor regression in maintaining target alias file
o firewall: category selector missing caption
o firewall: fix all state value in pfTop (contributed by Lucas Held)
o firewall: remove duplicated destination field in live log
o firewall: add readonly actions to aliases permission (contributed by Manuel Faux)
o reporting: add top talkers to revamped traffic graphs page
o dhcp: hostname validation now includes domain
o dhcp: correct DHCPv6 custom options unsigned integer field (contributed by Team Rebellion)
o dhcp: removed the need for a static IPv4 being outside of the pool (contributed by Gauss23)
o dhcp: add min-secs option for each subnet (contributed by vnxme)
o dhcp: fix sorting of IPv6 static mappings (contributed by vnxme)
o dnsmasq: remove advanced configuration in favour of plugin directory
o dnsmasq: use domain override for static hosts
o firmware: opnsense-code now updates the current directory if nothing was specified
o firmware: opnsense-code now uses flexible make.conf target from tools.git
o firmware: opnsense-update now supports snapshot access via -z option
o firmware: opnsense-update now fixes missing dependencies on the fly
o firmware: repair display of removed packages during release type transition
o firmware: fix some issues with missing repository on server
o firmware: add version output and date to audit logs
o intrusion detection: replace file-based policy changes with detailed filters
o ipsec: NAT with multiple phase 2 (sponsored by m.a.x. it)
o ipsec: prevent VTI interface from hitting spurious 32768 limit
o ipsec: allow mixed IPv4/IPv6 for VTI
o ipsec: display remote host in status overview (contributed by garlic17)
o openssh: honour MAX_LISTEN_SOCKS to prevent startup failure
o openvpn: added toggle for block-outside-dns (contributed by Julio Camargo)
o openvpn: hide "openvpn_add_dhcpopts" fields when not parsed via the backend
o openvpn: set default certificate lifetime to 397 days in wizard
o unbound: default to SO_REUSEPORT
o web proxy: add GSuite and YouTube filtering (contributed by Julio Camargo)
o web proxy: lock ACL download to prevent duplicate execution
o mvc: make sure isArraySequential() is only true on array input
o mvc: speed up processing time when over 2000 users are selected in a group
o mvc: allow underscore in filter string (contributed by kulikov-a)
o images: use UFS2 as the default for nano, serial and vga
o images: support UEFI boot in serial image
o ui: add tooltips for service control widget
o ui: move sidebar stage from session to local storage
o plugins: os-bind 1.15[2]
o plugins: os-frr 1.21[3]
o src: fix OpenSSL NULL pointer de-reference[4]
o src: fix AES-CCM requests with an AAD size smaller than a single block
o src: introduce HARDEN_KLD to ensure DTrace functionality
o src: fix partial scrub of multicast packages
o src: refine pf_route* behaviour in PF_DUPTO case for shared forwarding
o src: assorted upstream fixes for ipfw, iflib, multicast processing and pf
o ports: libressl 3.2.3[5][6]
o ports: nss 3.60.1
o ports: pkg fix for shell keyword by opening root file descriptor
o ports: radvd 2.19[7]
o ports: sudo 1.9.4p2[8]

Known issues and limitations:

o Installer currently advertises 20.7

The public key for the 21.1 series is:


Please let us know about your experience!


Stay safe,
Your OPNsense team

--
[1] https://docs.opnsense.org/manual/install.html
[2] https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr
[3] https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr
[4] https://www.freebsd.org/security/advisories/FreeBSD-SA-20:33.openssl.asc
[5] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.2-relnotes.txt
[6] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.3-relnotes.txt
[7] https://radvd.litech.org/CHANGES.txt
[8] https://www.sudo.ws/stable.html#1.9.4p2

# SHA256 (OPNsense-21.1.r1-OpenSSL-dvd-amd64.iso.bz2) = c6cfdd88227bb58c94634dca01e9108647a83278a4549291a4b772094342c81a
# SHA256 (OPNsense-21.1.r1-OpenSSL-nano-amd64.img.bz2) = a60c3cb077b56202d3b02637054607f6180121b7da9faaf870f73a814dcfc2c7
# SHA256 (OPNsense-21.1.r1-OpenSSL-serial-amd64.img.bz2) = cba8578d7acbb323fd1fa6fe93d648c5d227010e1169ccbdf1111980d73fa447
# SHA256 (OPNsense-21.1.r1-OpenSSL-vga-amd64.img.bz2) = 1fce48c99e5c46d92fca7a00805873154832357c7de71f5035a01ca8047041dc
#192
Announcements / OPNsense 20.7.7 released
December 17, 2020, 03:40:52 PM
Howdy,

Important security updates inside. Also: happy holidays!

Here are the full patch notes:

o reporting: fix traffic graph widget link issue
o system: simplify log format parsing
o interfaces: fix DUID LL description (contributed by Gabriel Mazzocato)
o unbound: fix dnsbl not reloading after update
o plugins: os-acme-client 2.2[1]
o plugins: os-freeradius 1.9.9[2]
o plugins: os-frr 1.20[3]
o plugins: os-tinc 1.6 enables multiple addresses per host (contributed by ElNounch)
o plugins: os-wireguard 1.4[4]
o ports: curl 7.74.0[5]
o ports: dhcp6c ignores advertise messages with none of requested data and missed status codes
o ports: libressl 3.1.5[6]
o ports: lighttpd 1.4.56[7]
o ports: nss 3.60[8]
o ports: openssl 1.1.1i[9]
o ports: pcre2 10.36[10]
o ports: sudo 1.9.4[11]
o ports: sqlite 3.34.0[12]
o ports: unbound 1.13.0[13]


Stay safe and healthy,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/master/security/acme-client/pkg-descr
[2] https://github.com/opnsense/plugins/blob/master/net/freeradius/pkg-descr
[3] https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr
[4] https://github.com/opnsense/plugins/blob/master/net/wireguard/pkg-descr
[5] https://curl.se/changes.html
[6] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.1.5-relnotes.txt
[7] https://www.lighttpd.net/2020/11/29/1.4.56/
[8] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.60_release_notes
[9] https://www.openssl.org/news/secadv/20201208.txt
[10] https://www.pcre.org/changelog.txt
[11] https://www.sudo.ws/stable.html#1.9.4
[12] https://sqlite.org/changes.html
[13] https://nlnetlabs.nl/projects/unbound/download/
#193
Announcements / Franco Fichtner joins Deciso
December 10, 2020, 09:27:21 PM
We are delighted to announce that starting January 2021 Franco Fichtner will join Deciso B.V. to work on OPNsense full-time!

Franco has been an OPNsense Core Team member since the very beginning of the project back in 2014. We are truly grateful for all the effort Franco put into the project while being quite busy during his normal day job. It is the same understanding of open-source software development, an excellent skillset and friendship that makes us eager to take our cooperation to the next level.

Franco's main focus will be on the development of OPNsense and the associated Business Edition.

Having Franco on the team allows Deciso - the company behind OPNsense - to focus even more on providing added value to our customers, our partners and the community.

We are looking forward to 2021 and to continuing the journey!


Be kind and take care,
OPNsense / Deciso
#194
Announcements / OPNsense 20.7.6 released
December 08, 2020, 05:23:32 PM
Dear all,

This update brings the usual mix of reliability fixes, plugin and third party software updates: FreeBSD, HardenedBSD, PHP, OpenSSH, StrongSwan, Suricata and Syslog-ng amongst others.

Please note that Let's Encrypt users need to reissue their certificates manually after upgrading to this version to fix the embedded certificate chain issue with the current signing CA switch going on.

The mail backup plugin is currently not available pending a response from the maintainer. Users are advised to avoid using it for the moment. 

Here are the full patch notes:

o system: no longer enforce alias names in gateways
o system: add "step into" icon on log lines when filtering
o system: add current CPU load progress bar (contributed by kulikov-a)
o firewall: allow larger selection in live log
o firewall: correctly select current IPv6 field in getInterfaceGateway()
o firewall: add validation for ipv6-icmp combined with inet
o reporting: traffic graph replacement using iftop
o openvpn: calculate first network address as gateway address when only ifconfig_local is given
o web proxy: throw startup error to user
o plugins: os-acme-client 2.1[1]
o plugins: os-frr 1.19[2]
o plugins: os-mail-backup not available due to unaddressed security concerns
o src: fix parsing of netmap legacy nmr->nr_ringid
o src: fix mutex double unlock bug in netmap
o src: minor misc netmap improvements
o src: improve netmap(4) and vale(4) man pages
o src: IPV6_PKTINFO support for v4-mapped IPv6 sockets
o src: zero-initialize variables in HBSD PaX SEGVGUARD
o src: fix execve/fexecve system call auditing[3]
o src: fix uninitialized variable in ipfw[4]
o src: fix race condition in callout CPU migration[5]
o src: fix ICMPv6 use-after-free in error message handling[6]
o src: fix multiple vulnerabilities in rtsold[7]
o src: update timezone database information[8]
o ports: krb5 1.18.3[9]
o ports: nss 3.59[10]
o ports: openldap 2.4.56[11]
o ports: openssh 8.4p1[12]
o ports: php 7.3.25[13]
o ports: strongswan 5.9.1[14]
o ports: suricata 5.0.5[15]
o ports: syslog-ng 3.30.1[16]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/master/security/acme-client/pkg-descr
[2] https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr
[3] https://www.freebsd.org/security/advisories/FreeBSD-EN-20:19.audit.asc
[4] https://www.freebsd.org/security/advisories/FreeBSD-EN-20:21.ipfw.asc
[5] https://www.freebsd.org/security/advisories/FreeBSD-EN-20:22.callout.asc
[6] https://www.freebsd.org/security/advisories/FreeBSD-SA-20:31.icmp6.asc
[7] https://www.freebsd.org/security/advisories/FreeBSD-SA-20:32.rtsold.asc
[8] https://www.freebsd.org/security/advisories/FreeBSD-EN-20:20.tzdata.asc
[9] https://web.mit.edu/kerberos/krb5-1.18/
[10] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.59_release_notes
[11] https://www.openldap.org/software/release/changes.html
[12] https://www.openssh.com/txt/release-8.4
[13] https://www.php.net/ChangeLog-7.php#7.3.25
[14] https://wiki.strongswan.org/versions/79
[15] https://suricata-ids.org/2020/12/04/suricata-6-0-1-5-0-5-and-4-1-10-released/
[16] https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.30.1
#195
Announcements / OPNsense 20.7.5 released
November 20, 2020, 11:02:31 AM
What's up!

We return briefly for a small patch set and plan to pin the 20.1 upgrade path to this particular version to avoid unnecessary stepping stones. We wish you all a healthy Friday. And of course: patch responsibly!

Here are the full patch notes:

o system: syslog-ng related fixes during package management based restart
o system: change dpinger syslog message to reflect correct RTT and RTTd unit (contributed by fhloston)
o web proxy: add toggle for pinger service (contributed by nowyouseeit)
o web proxy: add missing X-Forwarded-For header option
o mvc: new Base64Field type
o mvc: new VirtualIPField type
o plugins: os-acme-client 2.0[1]
o plugins: os-bind 1.14[2]
o plugins: os-chrony 1.1[3]
o ports: monit 5.27.1[4]
o ports: php 7.3.24[5]
o ports: pkg upstream fix for upgrade script hang[6]
o ports: strongswan 5.9.0[7]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/master/security/acme-client/pkg-descr
[2] https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr
[3] https://github.com/opnsense/plugins/blob/master/net/chrony/pkg-descr
[4] https://mmonit.com/monit/changes/
[5] https://www.php.net/ChangeLog-7.php#7.3.24
[6] https://github.com/freebsd/pkg/pull/1893
[7] https://www.strongswan.org/blog/2020/07/29/strongswan-5.9.0-released.html
#196
Announcements / OPNsense 20.7.4 released
October 22, 2020, 11:10:35 PM
Good evening everyone,

This release finally wraps up the recent Netmap kernel changes and tests. The Realtek vendor driver was updated as well as third party software cURL, libxml2, OpenSSL, PHP, Suricata, Syslog-ng and Unbound just to name a couple of them.

We would like to thank Sunny Valley Networks for their relentless efforts to bring said Netmap fixes and improvements into FreeBSD.

If you are having trouble with a stuck update try the command sequence below from the root shell or simply reboot from the GUI and rerun the update in case it was not fully carried out yet.

# pkill syslog-ng
# service syslog-ng restart

Here are the full patch notes:

o system: switch web GUI address selection to avoid server.bind in IPv6 first case
o system: fix defunct "use default" button on web GUI listen interfaces
o system: signal "auth user changed" when a user is modified via web GUI
o system: replace gateway widget and add proper API endpoint for it
o system: fix reading displayName attribute on LDAP search (contributed by ServiusHack)
o interfaces: change maximum MTU value to 65535 in accordance with RFC 791
o interfaces: update wireless device detection prefixes
o interfaces: lexical sort interface keys for assignments
o firewall: add support for network exclusions in network alias type
o firewall: add NAT information to pfInfo page (contributed by kulikov-a)
o firewall: associated NAT rules missed state keyword
o firewall: allow "or" conditions in live log
o firewall: use pfctl for alias IP check (contributed by kulikov-a)
o dnsmasq: regenerate resolv.conf on save
o dnsmasq: log queries option
o intrusion detection: ignore pkill exit status when performing update
o ipsec: add description to reconfigure action (contributed by Frank Wall)
o unbound: rebuild unbound blacklist download
o unbound: restructure reconfigure so that we always flush config
o backend: add new "config changed" event using syshook structure (sponsored by Modirum)
o mvc: add a few missing control widgets from log pages
o ui: upgrade moment.js to 2.27.0
o plugins: os-freeradius 1.9.8[1]
o plugins: os-git-backup 1.0[2] (sponsored by Modirum)
o plugins: os-haproxy 2.25[3]
o plugins: os-stunnel 1.0.2 adds service protocol selector (contributed by fhloston)
o src: extended netmap update and driver fixes
o src: netmap tun and lagg support (contributed by Sunny Valley Networks)
o src: update Realtek re driver to upstream version 1.96.04 (contributed by Laurent Dinclaux)
o ports: curl 7.73.0[3]
o ports: libxml2 fixes for CVE-2019-20388, CVE-2020-7595 and CVE-2020-24977
o ports: nss 3.58[4]
o ports: openssl 1.1.1h[5]
o ports: php 7.3.23[6]
o ports: pkg 1.15.10
o ports: radvd patch for dynamic interface shifting index
o ports: sudo 1.9.3p1[7]
o ports: suricata 5.0.4[8]
o ports: syslog-ng 3.29.1[9]
o ports: unbound 1.12.0[10]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/master/net/freeradius/pkg-descr
[2] https://github.com/opnsense/plugins/issues/2049
[3] https://curl.haxx.se/changes.html
[4] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.58_release_notes
[5] https://www.openssl.org/news/changelog.html#openssl-111
[6] https://www.php.net/ChangeLog-7.php#7.3.23
[7] https://www.sudo.ws/stable.html#1.9.3p1
[8] https://suricata-ids.org/2020/10/08/suricata-4-1-9-and-5-0-4-released/
[9] https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.29.1
[10] https://nlnetlabs.nl/projects/unbound/download/
#197
Announcements / OPNsense 20.7.3 released
September 24, 2020, 05:09:40 PM
Hello hello,

Today is the day for a number of FreeBSD security advisories and a few reliability fixes.

We are still testing a batch of Netmap improvement patches with a separate kernel. This and the Realtek vendor driver update will likely follow in the next kernel update. All feedback is welcome.

Here are the full patch notes:

o system: use different shell gateway name to appease wizard
o system: simplify CARP hook
o interfaces: phase out netaddr.eui.ieee.OUI_REGISTRY_PATH usage
o firewall: add MAC type to top right filter selection
o firewall: fix two scrub rule parsing bugs
o firewall: omit group type interfaces in filter selection
o intrusion detection: re-create rule cache after rule deployment
o unbound: add "unbound-plus" section to XMLRPC sync
o dhcp: adding DDNS values of each additional pool to the $ddns_zones array (contributed by Mathieu St-Pierre)
o dhcp: add static interface mode to router advertisements
o rc: fix ssh key permissions on MSDOS import
o rc: support service identifier in pluginctl -s mode
o plugins: os-bind download link changes (contributed by gap579137)
o plugins: os-chrony 1.0 (contributed by Michael Muenz)
o plugins: os-dnscrypt-proxy blocklist script fixes (contributed by Mark Keisler)
o plugins: os-frr 1.17[1]
o plugins: os-postfix 1.17[2]
o plugins: os-rspamd 1.10[3]
o plugins: os-theme-cicada 1.25 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.23 (contributed by Team Rebellion)
o plugins: os-theme-vicuna 1.1 (contributed by Team Rebellion)
o plugins: os-wireguard 1.3[4]
o plugins: os-zabbix-agent 1.8[5]
o src: fix FreeBSD Linux ABI kernel panic[6]
o src: fix SCTP socket use-after-free[7]
o src: fix dhclient heap overflow[8]
o src: fix ure device driver susceptible to packet-in-packet attack[9]
o src: fix bhyve privilege escalation via VMCS access[10]
o src: fix bhyve SVM guest escape[11]
o src: fix ftpd privilege escalation via ftpchroot[12]
o src: set PAX_HARDENING_NOSHLIBRANDOM in the RTLD by default
o src: fix kernel panic while trying to read multicast stream
o ports: mpd 5.9[13]
o ports: nss 3.57[14]
o ports: php 7.3.22[15]
o ports: pkg 1.15.6[16]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr
[2] https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr
[3] https://github.com/opnsense/plugins/blob/master/mail/rspamd/pkg-descr
[4] https://github.com/opnsense/plugins/blob/master/net/wireguard/pkg-descr
[5] https://github.com/opnsense/plugins/blob/master/net-mgmt/zabbix-agent/pkg-descr
[6] https://www.freebsd.org/security/advisories/FreeBSD-EN-20:17.linuxthread.asc
[7] https://www.freebsd.org/security/advisories/FreeBSD-SA-20:25.sctp.asc
[8] https://www.freebsd.org/security/advisories/FreeBSD-SA-20:26.dhclient.asc
[9] https://www.freebsd.org/security/advisories/FreeBSD-SA-20:27.ure.asc
[10] https://www.freebsd.org/security/advisories/FreeBSD-SA-20:28.bhyve_vmcs.asc
[11] https://www.freebsd.org/security/advisories/FreeBSD-SA-20:29.bhyve_svm.asc
[12] https://www.freebsd.org/security/advisories/FreeBSD-SA-20:30.ftpd.asc
[13] http://mpd.sourceforge.net/doc5/mpd4.html#4
[14] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes
[15] https://www.php.net/ChangeLog-7.php#7.3.22
[16] https://github.com/freebsd/freebsd-ports/commit/fd4f5566aea
#198
Announcements / OPNsense 20.7.2 released
September 02, 2020, 03:57:42 PM
Dear all,

While we are still looking closer at netmap/iflib performance on 12.1 we are rolling out a kernel with Intel em/igb updates that should avoid bad packet counts in the default installation. Syslog-ng received a workaround for the diagnosed startup issue and aliases now support MAC address content similar to how host content works.

Here are the full patch notes:

o system: set REQUESTS_CA_BUNDLE in environments
o system: improve parsing for temperature sensors
o system: add "new-password" hint for Chrome on login form
o system: rename syslog services description and hide legacy mode when not enabled
o system: force syslog-ng restart after boot sequence
o system: properly read new style logging directories
o reporting: replace line endings when sending traceback to syslog in flowd_aggregate
o reporting: add traffic graph filter for private IPv4 networks (contributed by kcaj-burr)
o firewall: add MAC address alias type
o firewall: be more verbose when fetching alias remote content
o firewall: prevent pfctl error messages from being suppressed
o firewall: exclude all reserved pf.conf keywords from alias name
o firewall: bogons not loaded on initial load
o firewall: reset damaged bogons files on startup
o interfaces: add listen-queue-sizes in socket diagnostics
o firmware: properly report an unsigned repository
o firmware: revoke 20.1 fingerprint
o intrusion detection: rule cache parse error on invalid metadata
o intrusion detection: allow search for status enabled/disabled
o web proxy: correct template replacement during build time
o web proxy: bugfix in JSON access log
o unbound: updated project block lists links (contributed by gap579137)
o backend: add regex_replace template support
o plugins: os-acme-client 1.36[1]
o plugins: os-dyndns 1.23 adds Gandi LiveDNS support (contributed by vizion8-dan)
o plugins: os-haproxy 2.24[2]
o plugins: os-stunnel 1.0.1 includes performance tweaks
o plugins: os-telegraf 1.8.2[3]
o plugins: os-tinc fixes cipher parsing on 20.7
o src: remove ACPI workaround for serial console on AMD EPYC
o src: Make pf.conf ':0' ignore link-local v6 addresses too
o src: default "show bad packets" tunable to off in e100 driver
o src: fix unsolicited promisc mode in e1000 driver
o src: add valectl to the system commands
o ports: ca_root_nss/nss 3.56[4]
o ports: curl 7.72.0[5]
o ports: libressl 3.1.4[6]
o ports: openldap 2.4.51[7]
o ports: php 7.3.21[8]
o ports: python 3.7.9[9]
o ports: sqlite 3.33.0[10]
o ports: squid 4.13[11]
o ports: syslog-ng dlsym() workaround
o ports: unbound 1.11.0[12]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/pull/1974
[2] https://github.com/opnsense/plugins/blob/master/net/haproxy/pkg-descr
[3] https://github.com/opnsense/plugins/blob/master/net-mgmt/telegraf/pkg-descr
[4] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.56_release_notes
[5] https://curl.haxx.se/changes.html#7_72_0
[6] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.1.4-relnotes.txt
[7] https://www.openldap.org/software/release/changes.html
[8] https://www.php.net/ChangeLog-7.php#7.3.21
[9] https://www.python.org/downloads/release/python-379/
[10] https://sqlite.org/changes.html
[11] http://www.squid-cache.org/Versions/v4/squid-4.13-RELEASENOTES.html
[12] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-11-0
#199
Announcements / OPNsense 20.7.1 released
August 13, 2020, 04:39:48 PM
Dear all,

Small update here with security advisories, multicast fixes and logging reliability patches amongst others.

Overall, the jump to HardenedBSD 12.1 is looking promising from our end. From the reported issues we still have more logging quirks to investigate and especially Netmap support (used in IPS and Sensei) is lacking in some areas that were previously working. Patches are being worked on already so we shall get there soon enough. Stay tuned.

Here are the full patch notes:

o system: split log process name into separate column
o system: filter new style log directories accordingly
o system: add delay to improve syslog-ng startup
o system: properly switch login page to latest jQuery 3.5.1
o firewall: add select boxes for static filters in live log
o firmware: ignore mandoc.db files in health output as the system will regenerate them weekly
o firmware: bring back Chinese Aivian mirror
o firmware: remove defunct opn.sense.nz and RageNetwork mirrors
o web proxy: add JSON output following Elastic Common Schema (sponsored by Incenter Technology)
o backend: cap log messages to 4000 characters to prevent longer messages from vanishing
o plugins: os-acme-client 1.35[1]
o plugins: os-frr 1.15[2]
o plugins: os-postfix 1.15[3]
o plugins: os-udpbroadcastrelay 1.0 (contributed by Team Rebellion)
o src: set the current VNET before calling netisr_dispatch() in ng_iface(4)
o src: assorted multicast group join/leave corrections
o src: fix vmx driver packet loss and degraded performance[4]
o src: fix memory corruption in USB network device driver[5]
o src: fix multiple vulnerabilities in sqlite3[6]
o src: fix sendmsg(2) privilege escalation[7]
o ports: perl 5.32.0[8]
o ports: squid 4.12[9]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/pull/1950
[2] https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr
[3] https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr
[4] https://www.freebsd.org/security/advisories/FreeBSD-EN-20:16.vmx.asc
[5] https://www.freebsd.org/security/advisories/FreeBSD-SA-20:21.usb_net.asc
[6] https://www.freebsd.org/security/advisories/FreeBSD-SA-20:22.sqlite.asc
[7] https://www.freebsd.org/security/advisories/FreeBSD-SA-20:23.sendmsg.asc
[8] https://metacpan.org/changes/release/XSAWYERX/perl-5.32.0
[9] http://www.squid-cache.org/Versions/v4/squid-4.12-RELEASENOTES.html
#200
Announcements / OPNsense 20.7 released
July 30, 2020, 03:54:19 PM
Hi there,

For five and a half years, OPNsense has been driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

20.7, nicknamed "Legendary Lion", is a major operating system jump forward on a sustainable firewall experience. This release adds DHCPv6 multi-WAN, custom error pages for the web proxy, Suricata 5, HardenedBSD 12.1, netstat tree view, basic firewall API support (via plugin) and extended live log filtering amongst others.

Download links, an installation guide[1] and the checksums for the images can be found below as well.

o Europe: https://mirrors.dotsrc.org/opnsense/releases/20.7/
o US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.7/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.7/
o South America: https://mirror.venturasystems.tech/opnsense/releases/20.7/
o Australia: http://mirror.as24220.net/opnsense/releases/20.7/
o Full mirror list: https://opnsense.org/download/

Here are the full patch notes against version 20.7-RC1:

o system: syslog-ng RFC5424 on FreeBSD 12 needs flags(syslog-protocol)
o installer: welcome users as genuine 20.7 installer
o web proxy: do not try to force cachemanager access to use ICAP
o plugins: os-collectd 1.3[2]
o plugins: os-zabbix5-proxy 1.3[3]
o src: prevent netgraph page fault for LTE usage
o ports: dnsmasq 2.82[4]
o ports: monit 5.27.0[5]
o ports: nss 3.55[6]
o ports: sudo 1.9.2[7]

Known issues and limitations:

o legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp are no longer available
o i386 architecture builds are no longer available

The public key for the 20.7 series is:



Stay safe,
Your OPNsense team

--
[1] https://docs.opnsense.org/manual/install.html
[2] https://github.com/opnsense/plugins/blob/master/net-mgmt/collectd/pkg-descr
[3] https://github.com/opnsense/plugins/blob/master/net-mgmt/zabbix5-proxy/pkg-descr
[4] http://www.thekelleys.org.uk/dnsmasq/CHANGELOG
[5] https://mmonit.com/monit/changes/
[6] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.55_release_notes
[7] https://www.sudo.ws/stable.html#1.9.2

SHA256 (OPNsense-20.7-OpenSSL-dvd-amd64.iso.bz2) = 580070a3a0533418d58eaeb78122f804f2df7081c929288e1dccee34c4bf763a
SHA256 (OPNsense-20.7-OpenSSL-nano-amd64.img.bz2) = 6deb370c2a64fa6c60b7f59a4afb31b2dd28b812f5fcd59eaa6d458938d45630
SHA256 (OPNsense-20.7-OpenSSL-serial-amd64.img.bz2) = 1276cddd5f7b89aa54fc4a1517cb0686efe94f672627243c5b34d93340441d60
SHA256 (OPNsense-20.7-OpenSSL-vga-amd64.img.bz2) = 72cbffe3bba4884586c8ded8dbca4cf30fb34a094602e5f681efde2deea595c6