Topics - franco

#201
Announcements / OPNsense 20.1.9 released
July 23, 2020, 05:18:10 PM
Dear all,

20.7-RC1 is already available and the final release of 20.7 is scheduled for July 30. A hotfix release for 20.1.9 will enable the upgrade path some hours after the initial 20.7 announcement is out, but please note that updated 32-bit builds (also known as i386) will no longer be available from this day forward.

Here are the full patch notes:

o system: Windows-friendly Nextcloud configuration backup file timestamp (contributed by @Alphakilo)
o firewall: validate if NAT destination contains a port
o firewall: prevent config_read_array() from adding an empty lo0
o network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by @mikahe)
o network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by @mikahe)
o mvc: LegacyLinkField not allowed to return null in __toString()
o plugins: os-collectd 1.3[1]
o plugins: os-dyndns 1.22[2]
o plugins: os-telegraf 1.8.1[3]
o plugins: os-theme-rebellion 1.8.6 (contributed by Team Rebellion)
o plugins: os-tinc fixes switch mode[4]
o plugins: os-wireguard 1.2[5]
o ports: ca_root_nss 3.54
o ports: curl 7.71.1[6]
o ports: dnsmasq 2.82[7]
o ports: monit 5.27.0[8]
o ports: php 7.3.20[9]
o ports: python 3.7.8[10]
o ports: sqlite 3.32.3[11]
o ports: syslog-ng 3.27.1[12]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/master/net-mgmt/collectd/pkg-descr
[2] https://github.com/opnsense/plugins/pull/1654
[3] https://github.com/opnsense/plugins/blob/master/net-mgmt/telegraf/pkg-descr
[4] https://github.com/opnsense/plugins/pull/1733
[5] https://github.com/opnsense/plugins/pull/1865
[6] https://curl.haxx.se/changes.html
[7] http://www.thekelleys.org.uk/dnsmasq/CHANGELOG
[8] https://mmonit.com/monit/changes/
[9] https://www.php.net/ChangeLog-7.php#7.3.20
[10] https://www.python.org/downloads/release/python-378/
[11] https://www.sqlite.org/changes.html
[12] https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.27.1
#202
Announcements / OPNsense 20.7-RC1 released
July 21, 2020, 03:46:59 PM
Hi there,

For five and a half years, OPNsense has been driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you. <3

Download links, an installation guide[1] and the checksums for the images can be found below as well.

o Europe: https://mirrors.dotsrc.org/opnsense/releases/20.7/
o US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.7/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.7/
o South America: https://mirror.venturasystems.tech/opnsense/releases/20.7/
o Australia: http://mirror.as24220.net/opnsense/releases/20.7/
o Full mirror list: https://opnsense.org/download/

Here are the full patch notes against 20.1.8_1:

o system: allow to optionally disable legacy logging (clog)
o system: do not allow login redirects to visit external pages
o system: add new "auth user changed" config event and hook it into LDAP updatePolicies()
o system: adapt to 3wire serial console setting
o system: figure out which sysctls are writeable before attempting to write them
o system: Windows-friendly Nextcloud configuration backup file timestamp (contributed by @Alphakilo)
o system: disable PCRE JIT in PHP config
o system: clean up start / stop beep handler
o interfaces: improved VLAN handling and defaults for more stable netmap use on 12.1
o interfaces: support DHCPv6 multi-WAN (contributed by Team Rebellion)
o interfaces: show delegated prefix in overview (contributed by Team Rebellion)
o interfaces: DHCPv4 no-release and debug options moved to global interface settings
o interfaces: automatically register loopback device lo0
o firewall: handle new net.pf.request_maxcount system limit accordingly
o firewall: properly evaluate and execute gateway monitoring kill states feature
o firewall: add the iplen option to shaper rules (contributed by Maxfield Allison)
o firewall: show partial alias content in tooltip
o firewall: translated static log overview page to MVC
o firewall: aliases now show internal aliases
o firewall: validate if NAT destination contains a port
o firewall: prevent config_read_array() from adding an empty lo0
o firmware: added fingerprint for 20.7 series
o firmware: hint at missing plugins and request to install or dismiss
o intrusion detection: extend rule search with metadata and show results on rule info
o intrusion detection: updated pattern options (contributed by @Xeroxxx)
o intrusion detection: synchronize suricata.yaml with default template
o network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by @mikahe)
o network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by @mikahe)
o unbound: integrate functionality formerly known as "unbound-plus" plugin (contributed by Michael Muenz)
o web proxy: support for custom error pages (sponsored by Incenter Technology)
o web proxy: add connect_timeout (contributed by Michael Muenz)
o web proxy: allow PURGE on cache (contributed by @sazb)
o web proxy: add missing IPv6 listener
o mvc: add "S" option for AllowDynamic in InterfaceField type
o mvc: LegacyLinkField not allowed to return null in __toString()
o backend: add safeguard for illegal configd settings leading to overrides on the same command leaf
o backend: remove undocumented and unused alias support
o mvc: support virtual nodes in model instances
o rc: implement inline variables for skip and defer service start
o ui: unify edit dialog and add onBeforeRenderDialog event deferrable
o ui: use firewall groups to group interfaces menu accordingly
o ui: moved virtual IP menu entry to interfaces
o ui: jQuery 3.5.1
o plugins: os-dyndns 1.22[2]
o plugins: os-intrusion-detection-content-et-pro 1.0.2 switches to Suricata 5 rules
o plugins: os-telegraf 1.8.1[3]
o plugins: os-theme-rebellion 1.8.6 (contributed by Team Rebellion)
o plugins: os-tinc fixes switch mode[4]
o plugins: os-wireguard 1.2[5]
o src: HardenedBSD 12.1-p7
o ports: ca_root_nss 3.54
o ports: curl 7.71.1[6]
o ports: php 7.3.20[7]
o ports: python 3.7.8[8]
o ports: sqlite 3.32.3[9]
o ports: suricata 5.0.3[10]

Known issues and limitations:

o Legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp will no longer be available
o i386 architecture builds will no longer be available
o Installer still advertises 20.1

The public key for the 20.7 series is:

-----BEGIN PUBLIC KEY-----
[key body not preserved in this copy]
-----END PUBLIC KEY-----

Please let us know about your experience!


Stay safe,
Your OPNsense team

--
[1] https://docs.opnsense.org/manual/install.html
[2] https://github.com/opnsense/plugins/pull/1654
[3] https://github.com/opnsense/plugins/blob/master/net-mgmt/telegraf/pkg-descr
[4] https://github.com/opnsense/plugins/pull/1733
[5] https://github.com/opnsense/plugins/pull/1865
[6] https://curl.haxx.se/changes.html
[7] https://www.php.net/ChangeLog-7.php#7.3.20
[8] https://www.python.org/downloads/release/python-378/
[9] https://www.sqlite.org/changes.html
[10] https://suricata-ids.org/2020/04/28/suricata-5-0-3-released/

SHA256 (OPNsense-20.7.r1-OpenSSL-dvd-amd64.iso.bz2) = d54dca6390497d45b831f68f352fccf84881aac78a360247965e5c9b36fbfded
SHA256 (OPNsense-20.7.r1-OpenSSL-nano-amd64.img.bz2) = f78d51d53bf663df2d49a3724812893d8c55234ab8d4a9232663fa581496edbe
SHA256 (OPNsense-20.7.r1-OpenSSL-serial-amd64.img.bz2) = 984f8c9d63598f061cc8995245dea73703532c1bb688ac87cdb1e510fb53b80e
SHA256 (OPNsense-20.7.r1-OpenSSL-vga-amd64.img.bz2) = 711811e0a7d37d323a060c52590daa9f024e77c6da627530c6596367a09b412d
#203
Announcements / OPNsense 20.1.8 released
July 02, 2020, 02:47:56 PM
A good day everyone!

Sorry about the delay while we chased a race condition in the updates, which we traced back to an issue with the latest FreeBSD package manager updates. For now we reverted to our current version, but all relevant third party packages have been updated as updates became available over the last weeks, e.g. cURL and Python, and hostapd / wpa_supplicant amongst others.

Here are the full patch notes:

o system: simpler get_interface_ip() usage in IPv4 renewal
o system: allow HA sync of network time settings
o system: download all filtered items in log export
o system: add support for upstream LDAP accounts in Nextcloud backup (contributed by Fabian Franz)
o interfaces: fix stateless DHCPv6 for track6 interfaces (contributed by Maurice Walker)
o firewall: fix missing address filter error by moving NAT targets to runtime resolve
o firewall: prevent gateway protocol mismatch from breaking the ruleset
o firewall: work around categories typeahead issue with recent jQuery libraries
o firewall: improve alias help text (contributed by Team Rebellion)
o firewall: switch from single log filter to one per attribute
o intrusion detection: when enabling rules prefixed with '# ' consume the extra space (contributed by Tra5is)
o intrusion detection: less sensitive rule parsing
o intrusion detection: compress stats.log backups
o ipsec: valid IPSec Phase 2 hash config warning raises GUI alert (contributed by Brett Merrick)
o unbound: add DNS64 support (contributed by Maurice Walker)
o web proxy: fix wrong button label for Download ACLs (contributed by 90er)
o mvc: add sort_flags optional parameter support (contributed by NOYB)
o rc: add full PATH to rc.syshook invoke
o plugins: os-acme-client[1][2]
o plugins: os-dnscrypt-proxy 1.8[3]
o plugins: os-dyndns 1.21 improves Cloudflare support (contributed by Andreas Rupper)
o plugins: os-freeradius 1.9.7[4]
o plugins: os-haproxy 2.23[5]
o plugins: os-intrusion-detection-content-snort-vrt 1.1
o plugins: os-stunnel 1.0[6] (sponsored by Incenter Technology)
o plugins: os-tayga 1.1[7]
o plugins: os-theme-rebellion 1.8.4[8]
o ports: ca_root_nss 3.53
o ports: curl 7.71.0[9]
o ports: hostapd / wpa_supplicant UPnP SUBSCRIBE advisory[10]
o ports: krb5 1.18.2[11]
o ports: ntp 4.2.8p15[12]
o ports: pcre 8.44[13]
o ports: perl 5.30.3[14]
o ports: php 7.3.19[15]
o ports: python CVE-2019-18348 and CVE-2020-8492
o ports: sqlite 3.32.2[16]
o ports: sudo 1.9.1[17]
o ports: unbound 1.10.1[18]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/pull/1851
[2] https://github.com/opnsense/plugins/pull/1880
[3] https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr
[4] https://github.com/opnsense/plugins/pull/1726
[5] https://github.com/opnsense/plugins/pull/1883
[6] https://docs.opnsense.org/manual/how-tos/stunnel.html
[7] https://github.com/opnsense/plugins/pull/1826
[8] https://github.com/opnsense/plugins/pull/1892
[9] https://curl.haxx.se/changes.html
[10] https://w1.fi/security/2020-1/upnp-subscribe-misbehavior-wps-ap.txt
[11] https://web.mit.edu/kerberos/krb5-1.18/
[12] http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
[13] https://www.pcre.org/original/changelog.txt
[14] https://perldoc.perl.org/5.30.3/perldelta.html
[15] https://www.php.net/ChangeLog-7.php#7.3.19
[16] https://www.sqlite.org/changes.html
[17] https://www.sudo.ws/stable.html#1.9.1
[18] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-10-1
#204
Announcements / OPNsense 20.1.7 released
May 20, 2020, 05:10:10 PM
Hi there,

Today we move to PHP 7.3 in order to be able to complete testing for the 20.7-BETA online upgrades. Also included is a patch for the packet filter kernel code which could crash with shared forwarding when interfaces disappeared, due to a use-after-free in the default network stack path.

Here are the full patch notes:

o system: default net.inet.icmp.reply_from_interface to 1
o system: fix static gateway wizard handling
o firewall: allow outbound NAT source and destination port ranges
o interfaces: use interfaces_primary_address6() inside get_interface_ipv6()
o dhcp: add AdvLinkMTU to router advertisements settings (contributed by Ilteris Eroglu)
o unbound: prevent wildcard domains for the local system domain
o backend: suppress inconsequential IDNA warnings for aliases
o backend: add option to return a key value list for TLS ciphers
o mvc: reference constraint pointing validation results to the wrong field
o plugins: os-acme-client 1.32 adds Acmeproxy DNS support (contributed by Maarten den Braber)
o src: added Novatel Wireless MiFi 8800/8000 support (contributed by rootless4real)
o src: fix pf shared forwarding on non-existing interfaces
o src: patch in tty 3wire autologin support
o src: fix insufficient packet length validation in libalias[1]
o src: fix memory disclosure vulnerability in libalias[2]
o src: fix improper checking in SCTP-AUTH shared key update[3]
o src: fix use after free in cryptodev module[4]
o src: update to tzdata 2020a[5]
o ports: ca_root_nss 3.52
o ports: curl 7.70.0[6]
o ports: dhcp6c v20200512
o ports: hyperscan 5.2.1[7]
o ports: openldap 2.4.50[8]
o ports: pcre2 10.35[9]
o ports: php 7.3.18[10]


Stay safe and healthy,
Your OPNsense team

--
[1] https://www.freebsd.org/security/advisories/FreeBSD-SA-20:12.libalias.asc
[2] https://www.freebsd.org/security/advisories/FreeBSD-SA-20:13.libalias.asc
[3] https://www.freebsd.org/security/advisories/FreeBSD-SA-20:14.sctp.asc
[4] https://www.freebsd.org/security/advisories/FreeBSD-SA-20:15.cryptodev.asc
[5] https://www.freebsd.org/security/advisories/FreeBSD-EN-20:08.tzdata.asc
[6] https://curl.haxx.se/changes.html
[7] https://github.com/intel/hyperscan/releases/tag/v5.2.1
[8] https://www.openldap.org/software/release/changes.html
[9] https://www.pcre.org/changelog.txt
[10] https://www.php.net/ChangeLog-7.php#7.3.18
#205
Announcements / OPNsense 20.1.6 released
April 30, 2020, 07:26:52 PM
Hi all,

Quick update as planned. Here are the full patch notes:

o system: add data length option to gateway monitor settings
o firewall: avoid greedy matching with live log parsing regression from 20.1.5
o firmware: detect runtime defaults when using "make upgrade" with core.git
o firmware: clean up packaging code and support ".link" file extension
o firmware: use CORE_FLAVOUR instead of FLAVOUR when using opnsense-bootstrap
o firmware: enable to optionally reach master branch when using opnsense-bootstrap
o firmware: allow overriding CORE_ABI when using opnsense-bootstrap
o firmware: copy make.conf instead of linking when using opnsense-code
o firmware: always fetch tools.git when using opnsense-code
o rc: use "onifexists" for VGA TTY instead of "on"
o rc: missing ntpd user on 20.7 / 12.1
o plugins: os-unbound-plus DoT validation fix (contributed by Michael Muenz)
o src: fix ipfw invalid mbuf handling[1]
o ports: libyaml 0.2.4[2]
o ports: openssl 1.1.1g[3]
o ports: py-yaml 5.3.1[4]
o ports: radvd 2.18[5]
o ports: sqlite 3.31.1[6]
o ports: squid 4.11[7]
o ports: suricata 4.1.8[8]


Stay safe and healthy,
Your OPNsense team

--
[1] https://www.freebsd.org/security/advisories/FreeBSD-SA-20:10.ipfw.asc
[2] https://raw.githubusercontent.com/yaml/libyaml/master/Changes
[3] https://www.openssl.org/news/openssl-1.1.1-notes.html
[4] https://raw.githubusercontent.com/yaml/pyyaml/master/CHANGES
[5] http://www.litech.org/radvd/CHANGES.txt
[6] https://www.sqlite.org/changes.html
[7] http://ftp.meisei-u.ac.jp/mirror/squid/squid-4.11-RELEASENOTES.html
[8] https://suricata-ids.org/2020/04/28/suricata-4-1-8-released/
#206
Announcements / OPNsense 20.1.5 released
April 23, 2020, 06:52:49 PM
Hi there,

Today ships the first release version of the supplemental firewall rule API via plugin, a new firewall shaper statistics GUI and API and the usual number of improvements and third party updates.

Note that this version does not ship OpenSSL 1.1.1g as at this point our release decision would have been to push 20.1.5 to next week or do a smaller 20.1.6 next week on top.

Here are the full patch notes:

o system: support configuration for SSH HostKeyAlgorithms, KexAlgorithms, Ciphers and MACs
o system: simplify validations in gateway monitor settings
o interfaces: mark VXLAN and loopback devices as configurable
o interfaces: validation typo caused failure to communicate unassignable targets
o interfaces: netstat tree view GUI and API
o interfaces: use libxo to extract ARP data
o firewall: checkbox selection ignores visibility setting
o firewall: add network group type to combine aliases cleanly
o firewall: IPv6 essential icmpv6 allow for ::
o firewall: new shaper statistics GUI and API
o firewall: support filter log messages with PID
o reporting: when flow times are not returned stick to receive timestamp
o openvpn: use multihome when selecting "any" interface with UDP
o unbound: create shared startup script for background task
o mvc: also store "" field value as initial state to prevent empty fields as being marked as changed
o mvc: firewall source NAT ranges support in plugins
o mvc: keep options in static set for PortField
o mvc: support interface targets without addresses
o mvc: add "migration_prefix" attribute to model
o mvc: catch ArgumentCountError
o mvc: skip empty gateway artefact
o plugins: os-acme-client 1.31[1]
o plugins: os-firewall 1.0 API supplemental package
o plugins: os-haproxy 2.22[2]
o plugins: os-unbound-plus 1.1[3]
o plugins: os-wol 2.3 adds case insensitive matching in widget (contributed by Gauss23)
o ports: ca_root_nss 3.51.1
o ports: dnsmasq 2.81[4]
o ports: krb5 1.18.1[5]
o ports: openvpn 2.4.9[6]
o ports: php 7.2.30[7]
o ports: py-certifi 2020.4.5.1
o ports: strongswan 5.8.4[8]


Stay safe and healthy,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/pull/1784
[2] https://github.com/opnsense/plugins/pull/1783
[3] https://github.com/opnsense/plugins/blob/master/dns/unbound-plus/pkg-descr
[4] http://www.thekelleys.org.uk/dnsmasq/CHANGELOG
[5] https://web.mit.edu/kerberos/krb5-1.18/
[6] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.9
[7] https://www.php.net/ChangeLog-7.php#7.2.30
[8] https://wiki.strongswan.org/versions/77
#207
Announcements / OPNsense 20.1.4 released
April 08, 2020, 06:17:28 PM
Hello everyone,

It almost looks like business as usual. But we all know it is not. We will get through this together.

Here are the full patch notes:

o system: add missing strtolower() in LDAP sync response
o system: fix /var/run/legacy_log socket creation race with Syslog-ng
o system: add info button to display privilege / ACL endpoints
o system: make IPsec tap tunables overwriteable
o firewall: floating means either all interfaces or more than one selected
o firewall: simplify group maintenance by only applying them on filter reload
o interfaces: use primary IPv6 and support VIP tracking
o interfaces: multiple changes in radvd.conf setup (contributed by maurice-w)
o dhcp: fix DDNS support in DHCPv6 (contributed by Wagner Sartori Junior)
o firmware: mirror opnsense.ieji.de renamed to opn.sense.nz
o openvpn: improve openvpn_port_used() logic
o unbound: minor cleanup in /api/unbound/diagnostics/stats endpoint
o unbound: remove 192.0.0.0/24 from rebinding prevention list (contributed by maurice-w)
o mvc: simplify reload of captive portal, cron, IDS, alias, loopback, VXLAN, web proxy, routes, syslog and shaper
o mvc: limit dropdown size to 10 if none specified
o mvc: support inheritance of the ArrayField type
o mvc: synchronize backup timestamps with revisions
o mvc: fixed width for timestamp column in logging
o mvc: init errorMessage to prevent crash reports
o shell: use interfaces_primary_address6() for correct IPv6 display
o shell: append a newline in pluginctl -g mode
o plugins: os-acme-client 1.30[1]
o plugins: os-bind 1.13[2]
o plugins: os-freeradius 1.9.6[3]
o plugins: os-haproxy 2.21[4]
o plugins: os-maltrail 1.5[5]
o plugins: os-nginx 1.19[6]
o plugins: os-nut 1.7[7]
o plugins: os-postfix 1.14[8]
o plugins: os-tayga 1.0 (contributed by Michael Muenz)
o plugins: os-telegraf 1.7.7[9]
o plugins: os-unbound-plus 1.0 (contributed by Michael Muenz and Petr Kejval)
o lang: multiple updates to supported languages
o lang: new Turkish translation (contributed by Aydin Yakar)
o src: work around PCI devices which return all zeros for reads of existing MSI-X table VCTRL registers
o src: fix incorrect checksum calculations with IPv6 extension headers[10]
o src: fix TCP IPv6 SYN cache kernel information disclosure[11]
o src: fix insufficient oce(4) ioctl(2) privilege checking[12]
o src: fix incorrect user-controlled pointer use in epair[13]
o src: fix kernel memory disclosure with nested jails[14]
o ports: curl 7.69.1[15]
o ports: krb5 1.18[16]
o ports: openssh 8.2p1[17]
o ports: openssl 1.1.1f[18]
o ports: perl 5.30.2[19]
o ports: php 7.2.29[20]
o ports: python 3.7.7[21]
o ports: strongswan 5.8.3[22]
o ports: sudo 1.8.31p1[23]


Stay safe and healthy,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/pull/1753
[2] https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr
[3] https://github.com/opnsense/plugins/blob/master/net/freeradius/pkg-descr
[4] https://github.com/opnsense/plugins/pull/1755
[5] https://github.com/opnsense/plugins/blob/master/security/maltrail/pkg-descr
[6] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[7] https://github.com/opnsense/plugins/blob/master/sysutils/nut/pkg-descr
[8] https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr
[9] https://github.com/opnsense/plugins/blob/master/net-mgmt/telegraf/pkg-descr
[10] https://www.freebsd.org/security/advisories/FreeBSD-EN-20:06.ipv6.asc
[11] https://www.freebsd.org/security/advisories/FreeBSD-SA-20:04.tcp.asc
[12] https://www.freebsd.org/security/advisories/FreeBSD-SA-20:05.if_oce_ioctl.asc
[13] https://www.freebsd.org/security/advisories/FreeBSD-SA-20:07.epair.asc
[14] https://www.freebsd.org/security/advisories/FreeBSD-SA-20:08.jail.asc
[15] https://curl.haxx.se/changes.html
[16] https://web.mit.edu/kerberos/krb5-1.18/
[17] https://www.openssh.com/txt/release-8.2
[18] https://www.openssl.org/news/openssl-1.1.1-notes.html
[19] https://metacpan.org/pod/release/SHAY/perl-5.30.2/pod/perldelta.pod
[20] https://www.php.net/ChangeLog-7.php#7.2.29
[21] https://www.python.org/downloads/release/python-377/
[22] https://wiki.strongswan.org/versions/76
[23] https://www.sudo.ws/stable.html
#208
20.7 Legacy Series / 20.7-BETA images with HBSD 12.1
March 31, 2020, 07:53:30 PM
Hi all,

We are pleased to announce that we hereby provide 20.7-BETA images with the following features and caveats:

* HardenedBSD 12.1
* Logging issues after major version change fixed
* Traffic shaper statistics API and GUI page
* Firewall API plugin
* Missing plugin GUI install/dismiss feature
* Suricata 5 and optimized ET Pro Telemetry rules plugin
* Images are amd64 only as we jump the major OS version and leave i386 behind
* Nano images probably have a defunct growfs feature, but already fixed on master

Please note these images are development snapshots which will be provided with further updates, but as of yet there is no production track of 20.7.

Last but not least, images can be found here:

https://pkg.opnsense.org/FreeBSD:12:amd64/snapshots/

Please keep all general feedback in this thread or create 20.7 forum posts for specific issues / discussions.


Cheers,
Franco
#209
Announcements / OPNsense 20.1.3 released
March 18, 2020, 06:33:20 PM
Hi all,

Quick reliability release for all of you out there doing the impossible, providing VPN for road warriors and what not. Keep it up! :)

Here are the full patch notes:

o system: match group CN case-insensitive
o system: added pluggable log format parsing facility
o system: update nsComment in OpenSSL config (contributed by vnxme)
o interfaces: fix missing default gateway switch on linkup event
o firewall: properly lock alias_util API (contributed by Cedric Deconinck)
o firewall: flush priority sections to /tmp/rules.debug
o firewall: do not escape internal URLs
o firmware: revoke 19.7 fingerprint
o ipsec: add virtual IPv6 pool for mobile clients (contributed by vnxme)
o ipsec: add MVC service control API
o monit: simplify Monit reload
o openvpn: properly swapped help texts regarding routes
o unbound: multiple fixes in DHCP watcher
o mvc: fix CountryField for static options
o mvc: extend PortField to support multiple items
o mvc: BaseListField plus PortField now use getValidationMessage() to bootstrap defaults
o mvc: add NetworkAliasField, ProtocolField and LegacyLinkField types
o mvc: apply PSR12 style as found on master
o ui: add jQuery plugin to support a simple service reload/action button
o ui: hook bootgrid javascript texts
o plugins: os-munin-node 1.0 (contributed by Michael Muenz)
o plugins: os-sunnyvalley 1.2 (contributed by Sunny Valley)
o plugins: os-wol: relax MAC address validation (contributed by Mikael Falkvidd)
o ports: ca_root_nss 3.51
o ports: ntp 4.2.8p14[1]

Stay safe and healthy,
Your OPNsense team

--
[1] https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ChangeLog-stable
#210
Announcements / OPNsense 20.1.2 released
March 05, 2020, 10:20:31 PM
Good evening,

Today we pick up the recent FreeBSD security advisories as well as the usual noise in bugfixes and third party updates. We are also on the brink of a first HardenedBSD 12.1 based image, so stay tuned.

Here are the full patch notes:

o system: fix leap year issue in new log reader
o system: add valid from and to dates to user certs display
o system: drop unused services.inc and diag_logs_template.inc
o interfaces: make sure descriptions are properly cleansed
o interfaces: introduce interfaces_primary_address6()
o interfaces: validate interface input in packet capture
o firewall: immediately download GeoIP if not already found
o firewall: improve performance when working with large number of aliases
o firewall: fix visibility on internal CARP rules
o captive portal: fix expiry and validity for vouchers (contributed by xx4h)
o dhcp: fix DNS registration for DHCPv6 static mappings (contributed by maurice-w)
o dhcp: add icons next to online/offline lease status (contributed by Tyler Ham)
o ipsec: allow configuration of inactivity parameter (contributed by Marcel Menzel)
o unbound: minor changes while scanning ACL subnets
o web proxy: work around to skip passing additional auth properties
o backend: allow pluginctl to return config.xml values
o console: improve type checks in set address function
o rc: join CARP early startup scripts
o plugins: os-dnscrypt-proxy fix for setup.sh on reboot
o plugins: os-dyndns 1.20 fixes verify restrictions, GratisDNS and missing break for Linode (contributed by NOYB, Johan Pramming, Andrew Gunnerson)
o plugins: os-maltrail 1.4[1]
o plugins: os-nrpe fix for setup.sh on reboot
o plugins: os-tinc 1.5 fixes bug in IPv6 support (contributed by vnxme)
o src: fix imprecise ordering of SSP canary initialization[2]
o src: fix nmount invalid pointer dereference[3]
o src: fix libfetch buffer overflow[4]
o src: fix kernel stack data disclosure[5]
o ports: ca_root_nss 3.50
o ports: php 7.2.28[6]
o ports: squid 4.10[7]
o ports: suricata 4.1.7[8]
o ports: syslog-ng 3.25.1[9]
o ports: unbound 1.10.0[10]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/master/security/maltrail/pkg-descr
[2] https://www.freebsd.org/security/advisories/FreeBSD-EN-20:01.ssp.asc
[3] https://www.freebsd.org/security/advisories/FreeBSD-EN-20:02.nmount.asc
[4] https://www.freebsd.org/security/advisories/FreeBSD-SA-20:01.libfetch.asc
[5] https://www.freebsd.org/security/advisories/FreeBSD-SA-20:03.thrmisc.asc
[6] https://www.php.net/ChangeLog-7.php#7.2.28
[7] http://squid.mirror.colo-serv.net/archive/4/squid-4.10-RELEASENOTES.html
[8] https://suricata-ids.org/2020/02/13/suricata-4-1-7-released/
[9] https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.25.1
[10] https://nlnetlabs.nl/projects/unbound/download/
#211
Announcements / OPNsense 20.1.1 released
February 13, 2020, 12:40:48 PM
Hello, hello!

A tiny update to keep everyone happy. :)

Here are the full patch notes:

o system: increase size of user SSH key input box
o system: fix faulty PPP log link in the menu
o system: fix a PHP warning on the general settings page
o interfaces: update maximum MTU for 10Gb NICs (contributed by Len White)
o firewall: fix rule statistics display for rules using tagging
o reporting: fix missing separator in NetFlow configuration
o firmware: add Quantum mirror in Hungary
o openvpn: fix ifconfig-ipv6-push format
o plugins: os-dnscrypt-proxy 1.7[1]
o plugins: os-net-snmp 1.4[2]
o plugins: os-nginx 1.18[3]
o plugins: os-theme-vicuna 1.0 (contributed by Team Rebellion)
o ports: lighttpd 1.4.55[4]
o ports: openldap 2.4.49[5]
o ports: pkg libfetch security fix[6]
o ports: sudo 1.8.31[7]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr
[2] https://github.com/opnsense/plugins/blob/master/net-mgmt/net-snmp/pkg-descr
[3] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[4] https://www.lighttpd.net/2020/1/31/1.4.55/
[5] https://www.openldap.org/software/release/changes.html
[6] https://github.com/freebsd/freebsd-ports/commit/eec0b5c
[7] https://www.sudo.ws/stable.html#1.8.31
#212
Announcements / OPNsense 20.1 released
January 30, 2020, 05:14:29 PM
Hi there,

For over 5 years now, OPNsense has been driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

20.1, nicknamed "Keen Kingfisher", is a subtle improvement on sustainable firewall experience. This release adds VXLAN and additional loopback device support, IPsec public key authentication and elliptic curve TLS certificate creation amongst others. Third party software has been updated to its latest versions. The logging frontend was rewritten for MVC with seamless API support. On the far side the documentation increased in quality as well as quantity and now presents itself in a familiar menu layout.

Download links, an installation guide[1] and the checksums for the images can be found below as well.

o Europe: https://opnsense.c0urier.net/releases/20.1/
o US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.1/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.1/
o South America: http://mirror.upb.edu.co/opnsense/releases/20.1/
o South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/20.1/
o Full mirror list: https://opnsense.org/download/

These are the most prominent changes since version 19.7:

o Captive portal performance improvements
o IPsec public key authentication support
o Elliptic curve TLS certificate creation
o CARP service demotion hook
o VXLAN device support
o Loopback device support
o Extended firmware health audit checks
o Support direction and non-quick on interface rules
o Logging frontend migrated to MVC / API
o PSR 12 coding style
o Documentation for all core components
o Python 3.7 is now the default Python version
o LibreSSL 3.0 and OpenSSL 1.1.1
o Google Backup API 2.4
o jQuery 3.4.1

And here are the full patch notes against version 20.1-RC1:

o installer: welcome users as genuine 20.1 installer
o rc: revert growfs change since Nano does not grow anymore
o plugins: os-mail-backup 1.1[2]
o plugins: os-nrpe 1.0 (contributed by Michael Muenz)
o plugins: os-theme-rebellion 1.8.3 (contributed by Team Rebellion)
o plugins: os-vnstat 1.2[3]
o plugins: zabbix4-proxy 1.2[4]
o ports: ca_root_nss 3.49.2
o ports: curl 7.68.0[5]
o ports: isc-dhcp 4.4.2[6]
o ports: php 7.2.27[7]
o ports: urllib3 1.27.7[8]

Known issues and limitations:

o HardenedBSD 12.1 has been postponed to the next major release
o Legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp have been deprecated and will no longer receive updates
o To prevent stale configuration files for remote syslog we advise to setup the new targets first[9] and disable the old ones under System: Settings: Logging
o i386 has not been deprecated for the time being ;)

The public key for the 20.1 series is:



Stay safe,
Your OPNsense team

--
[1] https://docs.opnsense.org/manual/install.html
[2] https://github.com/opnsense/plugins/pull/1671
[3] https://github.com/opnsense/plugins/blob/master/net/vnstat/pkg-descr
[4] https://github.com/opnsense/plugins/blob/master/net-mgmt/zabbix4-proxy/pkg-descr
[5] https://curl.haxx.se/changes.html
[6] https://downloads.isc.org/isc/dhcp/4.4.2/dhcp-4.4.2-RELNOTES
[7] https://www.php.net/ChangeLog-7.php#7.2.27
[8] https://github.com/urllib3/urllib3/blob/master/CHANGES.rst#1257-2019-11-11
[9] https://docs.opnsense.org/manual/settingsmenu.html#logging-targets

Announcements / OPNsense 19.7.10 released
January 27, 2020, 02:44:49 PM
Hey hey,

As Thursday nears the last preparations for 20.1 are underway. As a quick relief here is the End-Of-Life release of the 19.7 series with a tiny number of updates.

Remember that when 20.1 is available it will take up to a day before we release the hotfix with the major upgrade path enabled. Please be patient as we simply want to ensure that upgrades will not be a bumpy affair. :)

Here are the full patch notes:

o firewall: fix a typo in CARP validation
o firmware: revoke 19.1 fingerprint
o ipsec: add configurable dpdaction (contributed by Marcel Menzel)
o mvc: BaseListField ignoring empty selected field
o plugins: os-haproxy 2.20[1]
o plugins: os-mail-backup 1.1[2]
o plugins: os-nrpe 1.0 (contributed by Michael Muenz)
o plugins: os-theme-rebellion 1.8.3 (contributed by Team Rebellion)
o plugins: os-vnstat 1.2[3]
o plugins: zabbix4-proxy 1.2[4]
o ports: ca_root_nss 3.49.1
o ports: curl 7.68.0[5]
o ports: urllib3 1.27.7[6]
o ports: isc-dhcp 4.4.2[7]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/pull/1646
[2] https://github.com/opnsense/plugins/pull/1671
[3] https://github.com/opnsense/plugins/blob/master/net/vnstat/pkg-descr
[4] https://github.com/opnsense/plugins/blob/master/net-mgmt/zabbix4-proxy/pkg-descr
[5] https://curl.haxx.se/changes.html
[6] https://github.com/urllib3/urllib3/blob/master/CHANGES.rst#1257-2019-11-11
[7] https://downloads.isc.org/isc/dhcp/4.4.2/dhcp-4.4.2-RELNOTES
Announcements / OPNsense 20.1-RC1 released
January 24, 2020, 12:34:15 PM
Hi there,

For over 5 years now, OPNsense has been driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you.

Download links, an installation guide[1] and the checksums for the images can be found below as well.

o Europe: https://opnsense.c0urier.net/releases/20.1/
o US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.1/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.1/
o South America: http://mirror.upb.edu.co/opnsense/releases/20.1/
o South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/20.1/
o Full mirror list: https://opnsense.org/download/

Here are the full patch notes against 19.7.9_1:

o system: support for manually removing static route entries
o system: migrated logging to MVC
o system: regenerate default DH parameters
o system: randomize session ID in test cookie
o system: remove legacy XMLRPC push on changes
o system: deprecate the use of services.inc
o system: opt-out on "Allow DNS server list to be overridden by DHCP/PPP on WAN" for selected interfaces
o system: increase PHP memory limit to 512 MB
o system: opnsense-auth can now respond with extended properties in JSON on successful authentication
o interfaces: loopback device support
o interfaces: VXLAN device support
o interfaces: first steps toward fully pluggable device infrastructure
o interfaces: remove default load of netgraph framework on bootup
o interfaces: move description into top block and rename titles
o interfaces: only trigger newwanip event for affected interfaces
o firmware: revoke 19.1, trust 20.1 fingerprint
o firmware: new mirror in Zurich, CH contributed by ServerBase AG
o firmware: add live search to mirror selection
o dhcp: add OMAPI configuration support (contributed by Yuri Moens)
o ipsec: add configurable dpdaction (contributed by Marcel Menzel)
o ipsec: refactor tunnel settings page
o unbound: add options for logging queries and extended statistics (contributed by Flightkick)
o mvc: BaseListField ignoring empty selected field
o ui: jQuery 3.4.1
o plugins: os-dyndns 1.19 adds dynv6 and Azure DNS support (contributed by Ralf Zerres and martgras)
o plugins: os-haproxy 2.20[2]
o plugins: os-zabbix-agent 1.7[3][4]
o ports: ca_root_nss 3.49.1
o ports: curl 7.68.0[5]
o ports: openssl 1.1.1d[6]

Known issues and limitations:

o HardenedBSD 12.1 has been postponed to the next major release
o Nano growfs does not work on this release candidate, but a fix for 20.1 already exists
o Installer still advertises 19.7, but a fix for 20.1 already exists
o Legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp have been deprecated and will no longer receive updates
o i386 has not been deprecated for the time being ;)

The public key for the 20.1 series is:


Please let us know about your experience!


Stay safe,
Your OPNsense team

--
[1] https://docs.opnsense.org/manual/install.html
[2] https://github.com/opnsense/plugins/pull/1646
[3] https://github.com/opnsense/plugins/pull/1578
[4] https://github.com/opnsense/plugins/pull/1618
[5] https://curl.haxx.se/changes.html
[6] https://www.openssl.org/news/openssl-1.1.1-notes.html

Announcements / OPNsense 19.7.9 released
January 09, 2020, 02:32:14 PM
Hi again,

As 20.1 nears we will be making adjustments to the scope of the release with an announcement following shortly.

For now, this update brings you a GeoIP database configuration page for aliases which is now required due to upstream database policy changes and a number of prominent third-party software updates we are happy to see included.

Here are the full patch notes:

o system: use 825 days as the default maximum certificate lifetime
o system: hide leaking hostname on SSH password auth (contributed by sooslaca)
o system: remove unused "lifetime" parameter from user manager page
o firewall: new GeoIP settings page to allow continued use of upstream database[1]
o firewall: log when alias couldn't resolve a hostname
o firewall: translate pfInfo page tabs (contributed by Smart-Soft)
o firmware: add mirror MARWAN (Moroccan Academic & Research Wide Area Network)
o dhcp: replace killbyname() usage which should not have killed both services
o dhcp: auto-replace windows DUID dashes (contributed by Team Rebellion)
o mvc: PSR12 code style updates
o plugins: os-acme-client 1.29[2]
o plugins: os-bind 1.12[3]
o plugins: os-dyndns must use dyndns_failover_interface() to translate gateway group
o plugins: os-frr 1.14[4]
o plugins: os-maltrail 1.3[5]
o plugins: os-nginx 1.17[6]
o plugins: os-nut fixes validation and snmp-ups selection (contributed by Michael Muenz)
o plugins: os-theme-cicada 1.24 (contributed by Team Rebellion)
o plugins: os-zabbix4-proxy 1.1[7]
o ports: openssh 8.1p1[8]
o ports: openssl 1.0.2u[9]
o ports: php 7.2.26[10]
o ports: phpseclib 2.0.23[11]
o ports: python 3.7.6[12]
o ports: strongswan 5.8.2[13]
o ports: sudo 1.8.30[14]
o ports: unbound 1.9.6[15]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/docs/blob/master/source/manual/how-tos/maxmind_geo_ip.rst
[2] https://github.com/opnsense/plugins/pull/1638
[3] https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr
[4] https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr
[5] https://github.com/opnsense/plugins/blob/master/security/maltrail/pkg-descr
[6] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[7] https://github.com/opnsense/plugins/blob/master/net-mgmt/zabbix4-proxy/pkg-descr
[8] https://www.openssh.com/txt/release-8.1
[9] https://www.openssl.org/news/openssl-1.0.2-notes.html
[10] https://www.php.net/ChangeLog-7.php#7.2.26
[11] https://github.com/phpseclib/phpseclib/releases/tag/2.0.23
[12] https://www.python.org/downloads/release/python-376/
[13] https://wiki.strongswan.org/versions/75
[14] https://www.sudo.ws/stable.html#1.8.30
[15] https://nlnetlabs.nl/projects/unbound/download/
Announcements / OPNsense 19.7.8 released
December 18, 2019, 03:30:18 PM
Ho ho ho,

A number of updates including security and reliability fixes inside. Of note is the new elliptic curve certificate creation support and better firmware health check and recovery methods.

We are almost at the point of a 20.1-BETA release with isolated images for early bird testing as a special present at this time of year. Stay tuned. :)

Here are the full patch notes:

o system: "Mark Gateway as Down" also means exclude from default gateway selection
o system: fix PHP warning on gateways list due to wrong variable scope
o system: support elliptic curve TLS certificate creation (contributed by johnaheadley)
o system: remove unused current directory PHP include
o system: fix XSS in backup page and static menu pages
o firewall: use referential integrity check for model data
o reporting: improve NetFlow error handling (contributed by Frank Brendel)
o dhcp: always add dhcp6.domain-search and dhcp6.name-servers (contributed by maurice-w)
o dhcp: fix range check for advanced router advertisement options (contributed by maurice-w)
o dhcp: improve help texts for router advertisement modes (contributed by maurice-w)
o dhcp: replace defunct IPv6 domain name option with domain search list option (contributed by maurice-w)
o dhcp: fix storing advanced IPv6 options
o firmware: add "copy to clipboard" button in update text box
o firmware: use opnsense-revert in GUI reinstall package case
o firmware: when storing installed plugin names remove their development counterparts
o firmware: improved health check scope to include direct core package dependencies
o openvpn: fix Firefox "nowrap" issue in client export page
o backend: improve error handling while configd is either not active or not functional
o mvc: route to default page when controller or action not found
o mvc: field type refactor and unit tests
o mvc: added opt-in referential integrity check for models
o mvc: countless PSR12 style updates
o mvc: add "NetMaskAllowed" option to validate on single addresses in NetworkField
o plugins: os-bind 1.11[1]
o plugins: os-dyndns 1.18 adds Linode support (contributed by Andrew Gunnerson)
o plugins: os-freeradius 1.9.5[2]
o plugins: os-frr 1.13[3]
o plugins: os-ftp-proxy style updates only
o plugins: os-postfix 1.13[4]
o plugins: os-rspamd 1.9[5]
o plugins: os-theme-cicada 1.23 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.22 (contributed by Team Rebellion)
o ports: ca_root_nss 3.48
o ports: krb5 1.17.1[6]
o ports: php 7.2.25[7]
o ports: suricata 4.1.6[8]
o ports: unbound 1.9.5[9]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr
[2] https://github.com/opnsense/plugins/blob/master/net/freeradius/pkg-descr
[3] https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr
[4] https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr
[5] https://github.com/opnsense/plugins/blob/master/mail/rspamd/pkg-descr
[6] https://web.mit.edu/kerberos/krb5-1.17/
[7] https://www.php.net/ChangeLog-7.php#7.2.25
[8] https://suricata-ids.org/2019/12/13/suricata-4-1-6-released/
[9] https://nlnetlabs.nl/projects/unbound/download/
Announcements / OPNsense 19.7.7 released
November 21, 2019, 03:27:12 PM
Hi there,

Lots of small improvements. Of note is that Eve JSON payload syslog export now works for 4 kb payload blobs. The outdated Google API PHP client was replaced. LibreSSL is now at version 3.0.2. Plus another Intel SA advisory via FreeBSD.

Here are the full patch notes:

o system: generate self-signed server certificate for web GUI by default
o system: let net.local.dgram.maxdgram default to 8192 bytes
o system: spawn Dpinger process in background to avoid hangs
o system: switch backup to Google API PHP client v2
o system: add interface groups to HA sync
o interfaces: remove the "Directly send SOLICIT" option
o firewall: fix issue with label parsing when "tag" keyword was involved
o firewall: skip empty lines in rule statistics parsing
o firmware: add /etc/remote to whitelist, NTP GPS uses it
o reporting: empty NetFlow egress default passes validation
o reporting: show dialog when RRD is disabled
o dhcp: fix for domain-search option in DHCPv6 (contributed by maurice-w)
o dnsmasq: fix storing settings when no settings exist yet
o intrusion detection: lower payload-buffer-size to prevent syslog size limit
o intrusion detection: fix issue with escaped file name during rules download
o unbound: exit wrapper when process not running
o web proxy: added check on SNI field checkbox (contributed by Northguy)
o mvc: fix forceReload()
o plugins: os-acme-client 1.28[1]
o plugins: os-bind 1.10[2]
o plugins: os-nginx 1.16[3]
o plugins: os-nut 1.6[4]
o plugins: os-postfix 1.12[5]
o src: fix machine check exception on page size change[6]
o src: bump libc syslog line size to 8k
o src: import tzdata 2019c[7]
o ports: curl 7.67.0[8]
o ports: libressl 3.0.2[9]
o ports: openvpn 2.4.8[10]
o ports: perl 5.30.1[11]
o ports: phalcon 3.4.5[12]
o ports: sqlite 3.30.1[13]
o ports: squid 4.9[14]
o ports: syslog-ng 3.24.1[15]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/pull/1565
[2] https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr
[3] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[4] https://github.com/opnsense/plugins/blob/master/sysutils/nut/pkg-descr
[5] https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr
[6] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:25.mcepsc.asc
[7] https://www.freebsd.org/security/advisories/FreeBSD-EN-19:18.tzdata.asc
[8] https://curl.haxx.se/changes.html
[9] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.0.2-relnotes.txt
[10] https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst#version-248
[11] https://metacpan.org/pod/release/SHAY/perl-5.30.1/pod/perldelta.pod
[12] https://github.com/phalcon/cphalcon/releases/tag/v3.4.5
[13] https://sqlite.org/releaselog/3_30_1.html
[14] https://github.com/squid-cache/squid/blob/master/ChangeLog
[15] https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.24.1
Announcements / OPNsense 19.7.6 released
November 01, 2019, 08:52:06 AM
Hello from Suricon!

As we are experiencing the Suricata community first hand in Amsterdam we thought to release this version a bit earlier than planned. Included is the latest Suricata 5.0.0 release in the development version. That means later this November we will be releasing version 5 to the production version as we finish up tweaking the integration and maybe pick up 5.0.1 as it becomes available.

LDAP TLS connectivity is now integrated into the system trust store, which ensures that all required root and intermediate certificates will be seen by the connection setup when they have been added to the authorities section. The same is true for trusting self-signed certificates. On top of this, IPsec now supports public key authentication as contributed by Pascal Mathis.

Here are the full patch notes:

o system: hook LDAP TLS support into system-wide trust file
o system: fix dpinger custom parameters not being honoured
o system: fix PHP core loop fail in tunables overview
o system: only allow P12 export if password confirmation matches
o interfaces: change PCAP download to binary file stream
o firewall: store reference to outbound NAT address instead of literal address
o firewall: add log message for scheduled firewall reload
o firmware: tie pkg dependency to core
o ipsec: allow EC keys for certificate-based secrets (contributed by Martin Strigl)
o ipsec: add support for public key authentication (contributed by Pascal Mathis)
o openvpn: server wizard existing CA use and server cert check (contributed by johnaheadley)
o backend: add run mode to pluginctl using JSON-based output
o ui: fix tokenizer reorder on multiple saves, second try
o plugins: os-acme-client 1.27[1]
o plugins: os-bind 1.9[2]
o plugins: os-nginx 1.15[3]
o plugins: os-relayd 2.4 fixes protocol option migration (contributed by Frank Brendel)
o plugins: os-theme-cicada 1.22 (contributed by Team Rebellion)
o ports: ca_root_nss 3.47
o ports: php 7.2.24[4]
o ports: python 3.7.5[5]
o ports: sudo 1.8.29[6]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/pull/1536
[2] https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr
[3] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[4] https://www.php.net/ChangeLog-7.php#7.2.24
[5] https://www.python.org/downloads/release/python-375/
[6] https://www.sudo.ws/stable.html#1.8.29
Announcements / OPNsense 19.7.5 released
October 11, 2019, 11:35:56 AM
Hello friends and followers,

Lots of plugin and ports updates this time with a few minor improvements in all core areas.

Behind the scenes we are starting to migrate the base system to version 12.1 which is supposed to hit the next 20.1 release. Stay tuned for more info in the next month or so.

Here are the full patch notes:

o system: show all swap partitions in system information widget
o system: flatten services_get() in preparation for removal
o system: pin Syslog-ng version to specific package name
o system: fix LDAP/StartTLS with user import page
o system: fix a PHP warning on authentication server page
o system: replace most subprocess.call use
o interfaces: fix devd handling of carp devices (contributed by stumbaumr)
o firewall: improve firewall rules inline toggles
o firewall: only allow TCP flags on TCP protocol
o firewall: simplify help text for direction setting
o firewall: make protocol log summary case insensitive
o reporting: ignore malformed flow records
o captive portal: fix type mismatch for timeout read
o dhcp: add note for static lease limitation with lease registration (contributed by Northguy)
o ipsec: add margintime and rekeyfuzz options
o ipsec: clear $dpdline correctly if not set
o ui: fix tokenizer reorder on multiple saves
o plugins: os-acme-client 1.26[1]
o plugins: os-bind will reload bind on record change (contributed by blablup)
o plugins: os-etpro-telemetry minor subprocess.call replacement
o plugins: os-freeradius 1.9.4[2]
o plugins: os-frr 1.12[3]
o plugins: os-haproxy 2.19[4]
o plugins: os-theme-cicada 1.21 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.21 (contributed by Team Rebellion)
o plugins: os-maltrail 1.2[5]
o plugins: os-postfix 1.11[6]
o plugins: os-rspamd 1.8[7]
o plugins: os-sunnyvalley LibreSSL support (contributed by Sunny Valley Networks)
o plugins: os-telegraf 1.7.6[8]
o plugins: os-tinc minor subprocess.call replacement
o plugins: os-tor 1.8 adds dormant mode disable option (contributed by Fabian Franz)
o plugins: os-virtualbox 1.0 (contributed by andrewhotlab)
o ports: ca_root_nss 3.46.1
o ports: curl 7.66.0[9]
o ports: expat 2.2.8[10]
o ports: openssl 1.0.2t[11]
o ports: php 7.2.23[12]
o ports: pkg 1.12.0[13][14][15]
o ports: strongswan 5.8.1[16]
o ports: suricata 4.1.5[17]
o ports: syslog-ng 3.23.1[18]
o ports: unbound 1.9.4[19]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/pull/1499
[2] https://github.com/opnsense/plugins/blob/master/net/freeradius/pkg-descr
[3] https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr
[4] https://github.com/opnsense/plugins/pull/1498
[5] https://github.com/opnsense/plugins/blob/master/security/maltrail/pkg-descr
[6] https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr
[7] https://github.com/opnsense/plugins/blob/master/mail/rspamd/pkg-descr
[8] https://github.com/opnsense/plugins/blob/master/net-mgmt/telegraf/pkg-descr
[9] https://curl.haxx.se/changes.html#7_66_0
[10] https://github.com/libexpat/libexpat/blob/R_2_2_8/expat/Changes
[11] https://www.openssl.org/news/secadv/20190910.txt
[12] https://www.php.net/ChangeLog-7.php#7.2.23
[13] https://github.com/freebsd/freebsd-ports/commit/95ac8ad2
[14] https://github.com/freebsd/freebsd-ports/commit/5a06e26ff
[15] https://github.com/freebsd/freebsd-ports/commit/77d4a311e
[16] https://wiki.strongswan.org/versions/74
[17] https://suricata-ids.org/2019/09/24/suricata-4-1-5-released/
[18] https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.23.1
[19] https://nlnetlabs.nl/projects/unbound/download/
Announcements / OPNsense 19.7.4 released
September 11, 2019, 03:00:07 PM
A good day to you all,

A wee bit of updates for you... nothing overly exciting. On the other hand, we have updated the roadmap page to include 20.1 if you want to take a closer look[1]. More exciting for sure. :)

Here are the full patch notes:

o system: fix legacy remote logging with custom port
o system: regenerate CA bundle when modifying trusted authorities
o system: fix translation order of tunables description
o system: fix CARP maintenance mode bootup
o firewall: missing daily refresh on GeoIP type
o firewall: fix fetch of GeoIP alias if its name is same as its country
o reporting: auto-load required kernel modules for NetFlow
o reporting: allow setting NetFlow active/inactive timeout (contributed by Frank Brendel)
o captive portal: optimise ipfw rule parsing
o firmware: Homelab.no has been superseded by TerraHost mirror (contributed by Thomas Jensen)
o unbound: support file-based custom includes
o unbound: set absolute path to root.hints (contributed by h-town)
o plugins: os-bind 1.8[2] (contributed by ErikJStaab)
o plugins: os-dnscrypt-proxy 1.6[3] (contributed by ErikJStaab)
o plugins: os-etpro-telemetry 1.4[4]
o plugins: os-theme-cicada 1.20 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.20 (contributed by Team Rebellion)
o ports: ca_root_nss 3.46
o ports: ldns 1.7.1[5]
o ports: pcre2 10.33[6]
o ports: php 7.2.22[7]
o ports: phpseclib 2.0.21[8]
o ports: unbound 1.9.3[9]


Stay safe,
Your OPNsense team

--
[1] https://opnsense.org/about/road-map/
[2] https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr
[3] https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr
[4] https://docs.opnsense.org/manual/etpro_telemetry.html
[5] https://raw.githubusercontent.com/NLnetLabs/ldns/release-1.7.1/Changelog
[6] https://www.pcre.org/changelog.txt
[7] https://www.php.net/ChangeLog-7.php#7.2.22
[8] https://github.com/phpseclib/phpseclib/releases
[9] https://nlnetlabs.nl/projects/unbound/download