Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Topics - franco

Pages: [1] 2 3 ... 16

Announcements / OPNsense 20.1.1 released

« on: February 13, 2020, 12:40:48 pm »

Hello, hello!

A tiny update to keep everyone happy.

Here are the full patch notes:

o system: increase size of user SSH key input box
o system: fix faulty PPP log link in the menu
o system: fix a PHP warning on the general settings page
o interfaces: update maximum MTU for 10Gb NICs (contributed by Len White)
o firewall: fix rule statistics display for rules using tagging
o reporting: fix missing separator in NetFlow configuration
o firmware: add Quantum mirror in Hungary
o openvpn: fix ifconfig-ipv6-push format
o plugins: os-dnscrypt-proxy 1.7[1]
o plugins: os-net-snmp 1.4[2]
o plugins: os-nginx 1.18[3]
o plugins: os-theme-vicuna 1.0 (contributed by Team Rebellion)
o ports: lighttpd 1.4.55[4]
o ports: openldap 2.4.49[5]
o ports: pkg libfetch security fix[6]
o ports: sudo 1.8.31[7]

Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr
[2] https://github.com/opnsense/plugins/blob/master/net-mgmt/net-snmp/pkg-descr
[3] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[4] https://www.lighttpd.net/2020/1/31/1.4.55/
[5] https://www.openldap.org/software/release/changes.html
[6] https://github.com/freebsd/freebsd-ports/commit/eec0b5c
[7] https://www.sudo.ws/stable.html#1.8.31

Announcements / OPNsense 20.1 released

« on: January 30, 2020, 05:14:29 pm »

Hi there,

For over 5 years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

20.1, nicknamed "Keen Kingfisher", is a subtle improvement on sustainable firewall experience. This release adds VXLAN and additional loopback device support, IPsec public key authentication and elliptic curve TLS certificate creation amongst others. Third party software has been updated to their latest versions. The logging frontend was rewritten for MVC with seamless API support. On the far side the documentation increased in quality as well as quantity and now presents itself in a familiar menu layout.

Download links, an installation guide[1] and the checksums for the images can be found below as well.

o Europe: https://opnsense.c0urier.net/releases/20.1/
o US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.1/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.1/
o South America: http://mirror.upb.edu.co/opnsense/releases/20.1/
o South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/20.1/
o Full mirror list: https://opnsense.org/download/

These are the most prominent changes since version 19.7:

o Captive portal performance improvements
o IPsec public key authentication support
o Elliptic curve TLS certificate creation
o CARP service demotion hook
o VXLAN device support
o Loopback device support
o Extended firmware health audit checks
o Support direction and non-quick on interface rules
o Logging frontend migrated to MVC / API
o PSR 12 coding style
o Documentation for all core components
o Python 3.7 is now the default Python version
o LibreSSL 3.0 and OpenSSL 1.1.1
o Google Backup API 2.4
o jQuery 3.4.1

And here are the full patch notes against version 20.1-RC1:

o installer: welcome users as genuine 20.1 installer
o rc: revert growfs change since Nano does not grow anymore
o plugins: os-mail-backup 1.1[2]
o plugins: os-nrpe 1.0 (contributed by Michael Muenz)
o plugins: os-theme-rebellion 1.8.3 (contributed by Team Rebellion)
o plugins: os-vnstat 1.2[3]
o plugins: zabbix4-proxy 1.2[4]
o ports: ca_root_nss 3.49.2
o ports: curl 7.68.0[5]
o ports: isc-dhcp 4.4.2[6]
o ports: php 7.2.27[7]
o ports: urllib3 1.27.7[8]

Known issues and limitations:

o HardenedBSD 12.1 has been postponed to the next major release
o Legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp have been deprecated and will no longer receive updates
o To prevent stale configuration files for remote syslog we advise to setup the new targets first[9] and disable the old ones under System: Settings: Logging
o i386 has not been deprecated for the time being

The public key for the 20.1 series is:

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0oYxXjva1d2TC/jQ/ygT
GNB2QM2Flhq1CKwYKioT6kuKCelmG/vDRVYGs2VwBeshl53qnnob3rrCVtuS84VG
C8n0i7bWsVWuOCaPzVCOua7MyxQNDItwA5D18SrmDbs07JE9XD30cX36Lvyq8GvZ
bjk3AnHHqefR6F7fMGjDNPE3JofyLXEXN7TiH/Wk1MmBm3TXMJ4q63qa/clbY5zT
jd2k1dtKWy23CcBKfxplu8HycqdQLCRl4o9+qdq7OQ8v9VT5dPIJcJodCvX9hAf7
AUAMqsP3e6AyDM7iQcEkJiwAiytFAawyEIVOECxhEA+NpXHykd4G/00f5jGB259X
/A8ARhjyT3zadjgXTIcEEBe5YTmxZrrKvWud4PguBTQOo9+XpI0H8A+IcoZ9AXQT
J/IDBZJjsdSLspLPzLiwVQk9JrVylMLeyXCbtGCBZ8FOXyffceNQQl119ubkAZkx
+NvioMIYQ+8rX0vn0njJfot+GQh0ezadlzuAmBBsGD8EtMCj92l/7zOyGucG+dCW
kIv1yX0IOKeaNBZR3GDJJoyj5hFnoxkj2aNbuWjetg5MvpjBMl/h44brjL93m8PK
GUhwcEPqcwu4ngu12O6vEeJW4vAbFlEznvgxmwJhMQf1/R8SUmKmAiprWKnY/w0E
VHzlx7aRoGcRnnPs71DeloMCAwEAAQ==
-----END PUBLIC KEY-----

Stay safe,
Your OPNsense team

--
[1] https://docs.opnsense.org/manual/install.html
[2] https://github.com/opnsense/plugins/pull/1671
[3] https://github.com/opnsense/plugins/blob/master/net/vnstat/pkg-descr
[4] https://github.com/opnsense/plugins/blob/master/net-mgmt/zabbix4-proxy/pkg-descr
[5] https://curl.haxx.se/changes.html
[6] https://downloads.isc.org/isc/dhcp/4.4.2/dhcp-4.4.2-RELNOTES
[7] https://www.php.net/ChangeLog-7.php#7.2.27
[8] https://github.com/urllib3/urllib3/blob/master/CHANGES.rst#1257-2019-11-11
[9] https://docs.opnsense.org/manual/settingsmenu.html#logging-targets

SHA256 (OPNsense-20.1-OpenSSL-dvd-amd64.iso.bz2) = 4b15e9b3d72732d325c5eaf46ba34575d4de8cdc3e3ac1b10666c7372563be6d
SHA256 (OPNsense-20.1-OpenSSL-nano-amd64.img.bz2) = 27544a78ae03d480a483cfd2e7cfa703b60e50938a1ed188ec3ccde6c426fefe
SHA256 (OPNsense-20.1-OpenSSL-serial-amd64.img.bz2) = f93bbcbe92059c5de49f22d485da292952b48658a28d1cdaf83191e8c95c03c2
SHA256 (OPNsense-20.1-OpenSSL-vga-amd64.img.bz2) = 019a877c4b4cb96cfda62d041774a91c030c5a8ecd58f8c3fd0067c7ac392982

SHA256 (OPNsense-20.1-OpenSSL-dvd-i386.iso.bz2) = 36146d0a066d9d696433599487e2a538ee5575a6b3d631293ad9e14e5fbbc6e0
SHA256 (OPNsense-20.1-OpenSSL-nano-i386.img.bz2) = 0980f49d1b3445505fd1db27ab070886a706388d3aa16d7c8d953f279b7e3b11
SHA256 (OPNsense-20.1-OpenSSL-serial-i386.img.bz2) = 322adbafe331ef7232c08d839a6f355ee633f5a662009b1801ebad0edab03d73
SHA256 (OPNsense-20.1-OpenSSL-vga-i386.img.bz2) = 8bdd109015d7d54d382c7293bdf8fac6397a6c2e37662b73647c276e98c19d64

Announcements / OPNsense 19.7.10 released

« on: January 27, 2020, 02:44:49 pm »

Hey hey,

As Thursday nears the last preparations for 20.1 are underway. As a quick relief here is the End-Of-Life release of the 19.7 series with a tiny number of updates.

Remember that when 20.1 is available it will take up to a day before we release the hotfix with the major upgrade path enabled. Please be patient as we simply want to ensure that upgrades will not be bumpy affair.

Here are the full patch notes:

o firewall: fix a typo in CARP validation
o firmware: revoke 19.1 fingerprint
o ipsec: add configurable dpdaction (contributed by Marcel Menzel)
o mvc: BaseListField ignoring empty selected field
o plugins: os-haproxy 2.20[1]
o plugins: os-mail-backup 1.1[2]
o plugins: os-nrpe 1.0 (contributed by Michael Muenz)
o plugins: os-theme-rebellion 1.8.3 (contributed by Team Rebellion)
o plugins: os-vnstat 1.2[3]
o plugins: zabbix4-proxy 1.2[4]
o ports: ca_root_nss 3.49.1
o ports: curl 7.68.0[5]
o ports: urllib3 1.27.7[6]
o ports: isc-dhcp 4.4.2[7]

Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/pull/1646
[2] https://github.com/opnsense/plugins/pull/1671
[3] https://github.com/opnsense/plugins/blob/master/net/vnstat/pkg-descr
[4] https://github.com/opnsense/plugins/blob/master/net-mgmt/zabbix4-proxy/pkg-descr
[5] https://curl.haxx.se/changes.html
[6] https://github.com/urllib3/urllib3/blob/master/CHANGES.rst#1257-2019-11-11
[7] https://downloads.isc.org/isc/dhcp/4.4.2/dhcp-4.4.2-RELNOTES

Announcements / OPNsense 20.1-RC1 released

« on: January 24, 2020, 12:34:15 pm »

Hi there,

For over 5 years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you.

Download links, an installation guide[1] and the checksums for the images can be found below as well.

o Europe: https://opnsense.c0urier.net/releases/20.1/
o US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.1/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.1/
o South America: http://mirror.upb.edu.co/opnsense/releases/20.1/
o South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/20.1/
o Full mirror list: https://opnsense.org/download/

Here are the full patch notes against 19.7.9_1:

o system: support for manually removing static route entries
o system: migrated logging to MVC
o system: regenerate default DH parameters
o system: randomize session ID in test cookie
o system: remove legacy XMLRPC push on changes
o system: deprecate the use of services.inc
o system: opt-out on "Allow DNS server list to be overridden by DHCP/PPP on WAN" for selected interfaces
o system: increase PHP memory limit to 512 MB
o system: opnsense-auth can now respond with extended properties in JSON on successful authentication
o interfaces: loopback device support
o interfaces: VXLAN device support
o interfaces: first steps toward fully pluggable device infrastructure
o interfaces: remove default load of netgraph framework on bootup
o interfaces: interfaces: move description into top block and rename titles
o interfaces: only trigger newwanip event for affected interfaces
o firmware: revoke 19.1, trust 20.1 fingerprint
o firmware: new mirror in Zurich, CH contributed by ServerBase AG
o firmware: add live search to mirror selection
o dhcp: add OMAPI configuration support (contributed by Yuri Moens)
o ipsec: add configurable dpdaction (contributed by Marcel Menzel)
o ipsec: refactor tunnel settings page
o unbound: add options for logging queries and extended statistics (contributed by Flightkick)
o mvc: BaseListField ignoring empty selected field
o ui: jQuery 3.4.1
o plugins: os-dyndns 1.19 adds dynv6 and Azure DNS support (contributed by Ralf Zerres and martgras)
o plugins: os-haproxy 2.20[2]
o plugins: os-zabbix-agent 1.7[3][4]
o ports: ca_root_nss 3.49.1
o ports: curl 7.68.0[5]
o ports: openssl 1.1.1d[6]

Known issues and limitations:

o HardenedBSD 12.1 has been postponed to the next major release
o Nano growfs does not work on this release candidate, but a fix for 20.1 already exists
o Installer still advertises 19.7, but a fix for 20.1 already exists
o Legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp have been deprecated and will no longer receive updates
o i386 has not been deprecated for the time being

The public key for the 20.1 series is:

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0oYxXjva1d2TC/jQ/ygT
GNB2QM2Flhq1CKwYKioT6kuKCelmG/vDRVYGs2VwBeshl53qnnob3rrCVtuS84VG
C8n0i7bWsVWuOCaPzVCOua7MyxQNDItwA5D18SrmDbs07JE9XD30cX36Lvyq8GvZ
bjk3AnHHqefR6F7fMGjDNPE3JofyLXEXN7TiH/Wk1MmBm3TXMJ4q63qa/clbY5zT
jd2k1dtKWy23CcBKfxplu8HycqdQLCRl4o9+qdq7OQ8v9VT5dPIJcJodCvX9hAf7
AUAMqsP3e6AyDM7iQcEkJiwAiytFAawyEIVOECxhEA+NpXHykd4G/00f5jGB259X
/A8ARhjyT3zadjgXTIcEEBe5YTmxZrrKvWud4PguBTQOo9+XpI0H8A+IcoZ9AXQT
J/IDBZJjsdSLspLPzLiwVQk9JrVylMLeyXCbtGCBZ8FOXyffceNQQl119ubkAZkx
+NvioMIYQ+8rX0vn0njJfot+GQh0ezadlzuAmBBsGD8EtMCj92l/7zOyGucG+dCW
kIv1yX0IOKeaNBZR3GDJJoyj5hFnoxkj2aNbuWjetg5MvpjBMl/h44brjL93m8PK
GUhwcEPqcwu4ngu12O6vEeJW4vAbFlEznvgxmwJhMQf1/R8SUmKmAiprWKnY/w0E
VHzlx7aRoGcRnnPs71DeloMCAwEAAQ==
-----END PUBLIC KEY-----

Please let us know about your experience!

Stay safe,
Your OPNsense team

--
[1] https://docs.opnsense.org/manual/install.html
[2] https://github.com/opnsense/plugins/pull/1646
[3] https://github.com/opnsense/plugins/pull/1578
[4] https://github.com/opnsense/plugins/pull/1618
[5] https://curl.haxx.se/changes.html
[6] https://www.openssl.org/news/openssl-1.1.1-notes.html

SHA256 (OPNsense-20.1.r1-OpenSSL-dvd-amd64.iso.bz2) = fed43e5cc5092da5adcfcb2ccdddf51a1cea6a69f06b764fcd9c3d36e0705d4a
SHA256 (OPNsense-20.1.r1-OpenSSL-nano-amd64.img.bz2) = bf825455cc09e2a410cbe702a0c1c5b454546c476c7e90ae87ab64fc3eee6a78
SHA256 (OPNsense-20.1.r1-OpenSSL-serial-amd64.img.bz2) = 906103fb4cc3e573a9e2d560a6365baa7162077b8933a253bb45fd23a154dd87
SHA256 (OPNsense-20.1.r1-OpenSSL-vga-amd64.img.bz2) = 3308412597f5b95f9b9e854ddbeb5f49735109d846af553dbe2553dedf73cb9b

SHA256 (OPNsense-20.1.r1-OpenSSL-dvd-i386.iso.bz2) = a110e2ed48228d918909daca5d93d8acafccdc4426e3e928d8561f7ad4180289
SHA256 (OPNsense-20.1.r1-OpenSSL-nano-i386.img.bz2) = 201b757b0d719e8f3c4aa473b414005a5544a4b1553ca9d79c1743610d67b460
SHA256 (OPNsense-20.1.r1-OpenSSL-serial-i386.img.bz2) = 74a8f6bc5cdf885f5ff906ad2dfd05584f8e217212f90cd2e3a3269a5a9b604a
SHA256 (OPNsense-20.1.r1-OpenSSL-vga-i386.img.bz2) = 1779ca5aeb37d2d97bd7e053421d64206b27189db74711600b93e458d858caff

Announcements / OPNsense 19.7.9 released

« on: January 09, 2020, 02:32:14 pm »

Hi again,

As 20.1 nears we will be making adjustments to the scope of the release with an announcement following shortly.

For now, this update brings you a GeoIP database configuration page for aliases which is now required due to upstream database policy changes and a number of prominent third-party software updates we are happy to see included.

Here are the full patch notes:

o system: use 825 days as the default maximum certificate lifetime
o system: hide leaking hostname on SSH password auth (contributed by sooslaca)
o system: remove unused "lifetime" parameter from user manager page
o firewall: new GeoIP settings page to allow continued use of upstream database[1]
o firewall: log when alias couldn't resolve a hostname
o firewall: translate pfInfo page tabs (contributed by Smart-Soft)
o firmware: add mirror MARWAN (Moroccan Academic & Research Wide Area Network)
o dhcp: replace killbyname() usage which should not have killed both services
o dhcp: auto-replace windows DUID dashes (contributed by Team Rebellion)
o mvc: PSR12 code style updates
o plugins: os-acme-client 1.29[2]
o plugins: os-bind 1.12[3]
o plugins: os-dyndns must use dyndns_failover_interface() to translate gateway group
o plugins: os-frr 1.14[4]
o plugins: os-maltrail 1.3[5]
o plugins: os-nginx 1.17[6]
o plugins: os-nut fixes validation and snmp-ups selection (contributed by Michael Muenz)
o plugins: os-theme-cicada 1.24 (contributed by Team Rebellion)
o plugins: os-zabbix4-proxy 1.1[7]
o ports: openssh 8.1p1[8]
o ports: openssl 1.0.2u[9]
o ports: php 7.2.26[10]
o ports: phpseclib 2.0.23[11]
o ports: python 3.7.6[12]
o ports: strongswan 5.8.2[13]
o ports: sudo 1.8.30[14]
o ports: unbound 1.9.6[15]

Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/docs/blob/master/source/manual/how-tos/maxmind_geo_ip.rst
[2] https://github.com/opnsense/plugins/pull/1638
[3] https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr
[4] https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr
[5] https://github.com/opnsense/plugins/blob/master/security/maltrail/pkg-descr
[6] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[7] https://github.com/opnsense/plugins/blob/master/net-mgmt/zabbix4-proxy/pkg-descr
[8] https://www.openssh.com/txt/release-8.1
[9] https://www.openssl.org/news/openssl-1.0.2-notes.html
[10] https://www.php.net/ChangeLog-7.php#7.2.26
[11] https://github.com/phpseclib/phpseclib/releases/tag/2.0.23
[12] https://www.python.org/downloads/release/python-376/
[13] https://wiki.strongswan.org/versions/75
[14] https://www.sudo.ws/stable.html#1.8.30
[15] https://nlnetlabs.nl/projects/unbound/download/

Announcements / OPNsense 19.7.8 released

« on: December 18, 2019, 03:30:18 pm »

Ho ho ho,

A number of updates including security and reliability fixes inside. Of note is the new elliptic curve certificate creation support and better firmware health check and recovery methods.

We are almost at the point of a 20.1-BETA release with an isolated images for early bird testing as a special present at this time of year. Stay tuned.

Here are the full patch notes:

o system: "Mark Gateway as Down" also means exclude from default gateway selection
o system: fix PHP warning on gateways list due to wrong variable scope
o system: support elliptic curve TLS certificate creation (contributed by johnaheadley)
o system: remove unused current directory PHP include
o system: fix XSS in backup page and static menu pages
o firewall: use referential integrity check for model data
o reporting: improve NetFlow error handling (contributed by Frank Brendel)
o dhcp: always add dhcp6.domain-search and dhcp6.name-servers (contributed by maurice-w)
o dhcp: fix range check for advanced router advertisement options (contributed by maurice-w)
o dhcp: improve help texts for router advertisement modes (contributed by maurice-w)
o dhcp: replace defunct IPv6 domain name option with domain search list option (contributed by maurice-w)
o dhcp: fix storing advanced IPv6 options
o firmware: add "copy to clipboard" button in update text box
o firmware: use opnsense-revert in GUI reinstall package case
o firmware: when storing installed plugin names remove their development counterparts
o firmware: improved health check scope to include direct core package dependencies
o openvpn: fix Firefox "nowrap" issue in client export page
o backend: improve error handling while configd is either not active or not functional
o mvc: route to default page when controller or action not found
o mvc: field type refactor and unit tests
o mvc: added opt-in referential integrity check for models
o mvc: countless PSR12 style updates
o mvc: add "NetMaskAllowed" option to validate on single addresses in NetworkField
o plugins: os-bind 1.11[1]
o plugins: os-dyndns 1.18 adds Linode support (contributed by eAndrew Gunnerson)
o plugins: os-freeradius 1.9.5[2]
o plugins: os-frr 1.13[3]
o plugins: os-ftp-proxy style updates only
o plugins: os-postfix 1.13[4]
o plugins: os-rspamd 1.9[5]
o plugins: os-theme-cicada 1.23 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.22 (contributed by Team Rebellion)
o ports: ca_root_nss 3.48
o ports: krb5 1.17.1[6]
o ports: php 7.2.25[7]
o ports: suricata 4.1.6[8]
o ports: unbound 1.9.5[9]

Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr
[2] https://github.com/opnsense/plugins/blob/master/net/freeradius/pkg-descr
[3] https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr
[4] https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr
[5] https://github.com/opnsense/plugins/blob/master/mail/rspamd/pkg-descr
[6] https://web.mit.edu/kerberos/krb5-1.17/
[7] https://www.php.net/ChangeLog-7.php#7.2.25
[8] https://suricata-ids.org/2019/12/13/suricata-4-1-6-released/
[9] https://nlnetlabs.nl/projects/unbound/download/

Announcements / OPNsense 19.7.7 released

« on: November 21, 2019, 03:27:12 pm »

Hi there,

Lots of small improvements. Of note are Eve JSON payload syslog export now works for 4 kb payload blobs. The outdated Google API PHP client was replaced. LibreSSL is now at version 3.0.2. Plus another Intel SA advisory via FreeBSD.

Here are the full patch notes:

o system: generate self-signed server certificate for web GUI by default
o system: let net.local.dgram.maxdgram default to 8192 bytes
o system: spawn Dpinger process in background to avoid hangs
o system: switch backup to Google API PHP client v2
o system: add interface groups to HA sync
o interfaces: remove the "Directly send SOLICIT" option
o firewall: fix issue with label parsing when "tag" keyword was involved
o firewall: skip empty lines in rule statistics parsing
o firmware: add /etc/remote to whitelist, NTP GPS uses it
o reporting: empty NetFlow egress default passes validation
o reporting: show dialog when RRD is disabled
o dhcp: fix for domain-search option in DHCPv6 (contributed by maurice-w)
o dnsmasq: fix storing settings when no settings exist yet
o intrusion detection: lower payload-buffer-size to prevent syslog size limit
o intrusion detection: fix issue with escaped file name during rules download
o unbound: exit wrapper when process not running
o web proxy: added check on SNI field checkbox (contributed by Northguy)
o mvc: fix forceReload()
o plugins: os-acme-client 1.28[1]
o plugins: os-bind 1.10[2]
o plugins: os-nginx 1.16[3]
o plugins: os-nut 1.6[4]
o plugins: os-postfix 1.12[5]
o src: fix machine check exception on page size change[6]
o src: bump libc syslog line size to 8k
o src: import tzdata 2019c[7]
o ports: curl 7.67.0[8]
o ports: libressl 3.0.2[9]
o ports: openvpn 2.4.8[10]
o ports: perl 5.30.1[11]
o ports: phalcon 3.4.5[12]
o ports: sqlite 3.30.1[13]
o ports: squid 4.9[14]
o ports: syslog-ng 3.24.1[15]

Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/pull/1565
[2] https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr
[3] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[4] https://github.com/opnsense/plugins/blob/master/sysutils/nut/pkg-descr
[5] https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr
[6] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:25.mcepsc.asc
[7] https://www.freebsd.org/security/advisories/FreeBSD-EN-19:18.tzdata.asc
[8] https://curl.haxx.se/changes.html
[9] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.0.2-relnotes.txt
[10] https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst#version-248
[11] https://metacpan.org/pod/release/SHAY/perl-5.30.1/pod/perldelta.pod
[12] https://github.com/phalcon/cphalcon/releases/tag/v3.4.5
[13] https://sqlite.org/releaselog/3_30_1.html
[14] https://github.com/squid-cache/squid/blob/master/ChangeLog
[15] https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.24.1

Announcements / OPNsense 19.7.6 released

« on: November 01, 2019, 08:52:06 am »

Hello from Suricon!

As we are experiencing the Suricata community first hand in Amsterdam we though to release this version a bit earlier than planned. Included is the latest Suricata 5.0.0 release in the development version. That means later this November we will releasing version 5 to the production version as we finish up tweaking the integration and maybe pick up 5.0.1 as it becomes available.

LDAP TLS connectivity is now integrated into the system trust store, which ensures that all required root and intermediate certificates will be seen by the connection setup when they have been added to the authorities section. The same is true for trusting self-signed certificates. On top of this, IPsec now supports public key authentication as contributed by Pascal Mathis.

Here are the full patch notes:

o system: hook LDAP TLS support into system-wide trust file
o system: fix dpinger custom parameters not being honoured
o system: fix PHP core loop fail in tunables overview
o system: only allow P12 export if password confirmation matches
o interfaces: change PCAP download to binary file stream
o firewall: store reference to outbound NAT address instead of literal address
o firewall: add log message for scheduled firewall reload
o firmware: tie pkg dependency to core
o ipsec: allow EC keys for certificate-based secrets (contributed by Martin Strigl)
o ipsec: add support for public key authentication (contributed by Pascal Mathis)
o openvpn: server wizard existing CA use and server cert check (contributed by johnaheadley)
o backend: add run mode to pluginctl using JSON-based output
o ui: fix tokenizer reorder on multiple saves, second try
o plugins: os-acme-client 1.27[1]
o plugins: os-bind 1.9[2]
o plugins: os-nginx 1.15[3]
o plugins: os-relayd 2.4 fixes protocol option migration (contributed by Frank Brendel)
o plugins: os-theme-cicada 1.22 (contributed by Team Rebellion)
o ports: ca_root_nss 3.47
o ports: php 7.2.24[4]
o ports: python 3.7.5[5]
o ports: sudo 1.8.29[6]

Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/pull/1536
[2] https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr
[3] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[4] https://www.php.net/ChangeLog-7.php#7.2.24
[5] https://www.python.org/downloads/release/python-375/
[6] https://www.sudo.ws/stable.html#1.8.29

Announcements / OPNsense 19.7.5 released

« on: October 11, 2019, 11:35:56 am »

Hello friends and followers,

Lots of plugin and ports updates this time with a few minor improvements in all core areas.

Behind the scenes we are starting to migrate the base system to version 12.1 which is supposed to hit the next 20.1 release. Stay tuned for more infos in the next month or so.

Here are the full patch notes:

o system: show all swap partitions in system information widget
o system: flatten services_get() in preparation for removal
o system: pin Syslog-ng version to specific package name
o system: fix LDAP/StartTLS with user import page
o system: fix a PHP warning on authentication server page
o system: replace most subprocess.call use
o interfaces: fix devd handling of carp devices (contributed by stumbaumr)
o firewall: improve firewall rules inline toggles
o firewall: only allow TCP flags on TCP protocol
o firewall: simplify help text for direction setting
o firewall: make protocol log summary case insensitive
o reporting: ignore malformed flow records
o captive portal: fix type mismatch for timeout read
o dhcp: add note for static lease limitation with lease registration (contributed by Northguy)
o ipsec: add margintime and rekeyfuzz options
o ipsec: clear $dpdline correctly if not set
o ui: fix tokenizer reorder on multiple saves
o plugins: os-acme-client 1.26[1]
o plugins: os-bind will reload bind on record change (contributed by blablup)
o plugins: os-etpro-telemetry minor subprocess.call replacement
o plugins: os-freeradius 1.9.4[2]
o plugins: os-frr 1.12[3]
o plugins: os-haproxy 2.19[4]
o plugins: os-theme-cicada 1.21 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.21 (contributed by Team Rebellion)
o plugins: os-mailtrail 1.2[5]
o plugins: os-postfix 1.11[6]
o plugins: os-rspamd 1.8[7]
o plugins: os-sunnyvalley LibreSSL support (contributed by Sunny Valley Networks)
o plugins: os-telegraf 1.7.6[8]
o plugins: os-tinc minor subprocess.call replacement
o plugins: os-tor 1.8 adds dormant mode disable option (contributed by Fabian Franz)
o plugins: os-virtualbox 1.0 (contributed by andrewhotlab)
o ports: ca_root_nss 3.46.1
o ports: curl 7.66.0[9]
o ports. expat 2.2.8[10]
o ports: openssl 1.0.2t[11]
o ports: php 7.2.23[12]
o ports: pkg 1.12.0[13][14][15]
o ports: strongswan 5.8.1[16]
o ports: suricata 4.1.5[17]
o ports: syslog-ng 3.23.1[18]
o ports: unbound 1.9.4[19]

Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/pull/1499
[2] https://github.com/opnsense/plugins/blob/master/net/freeradius/pkg-descr
[3] https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr
[4] https://github.com/opnsense/plugins/pull/1498
[5] https://github.com/opnsense/plugins/blob/master/security/maltrail/pkg-descr
[6] https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr
[7] https://github.com/opnsense/plugins/blob/master/mail/rspamd/pkg-descr
[8] https://github.com/opnsense/plugins/blob/master/net-mgmt/telegraf/pkg-descr
[9] https://curl.haxx.se/changes.html#7_66_0
[10] https://github.com/libexpat/libexpat/blob/R_2_2_8/expat/Changes
[11] https://www.openssl.org/news/secadv/20190910.txt
[12] https://www.php.net/ChangeLog-7.php#7.2.23
[13] https://github.com/freebsd/freebsd-ports/commit/95ac8ad2
[14] https://github.com/freebsd/freebsd-ports/commit/5a06e26ff
[15] https://github.com/freebsd/freebsd-ports/commit/77d4a311e
[16] https://wiki.strongswan.org/versions/74
[17] https://suricata-ids.org/2019/09/24/suricata-4-1-5-released/
[18] https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.23.1
[19] https://nlnetlabs.nl/projects/unbound/download/

Announcements / OPNsense 19.7.4 released

« on: September 11, 2019, 03:00:07 pm »

A good day to you all,

A wee bit of updates for you... nothing overly exciting. On the other hand, we have updated the roadmap page to include 20.1 if you want to take a closer look[1]. More exciting for sure.

Here are the full patch notes:

o system: fix legacy remote logging with custom port
o system: regenerate CA bundle when modifying trusted authorities
o system: fix translation order of tunables description
o system: fix CARP maintenance mode bootup
o firewall: missing daily refresh on GeoIP type
o firewall: fix fetch of GeoIP alias if its name is same as its country
o reporting: auto-load required kernel modules for NetFlow
o reporting: allow setting NetFlow active/inactive timeout (contributed by Frank Brendel)
o captive portal: optimise ipfw rule parsing
o firmware: Homelab.no has been superseded by TerraHost mirror (contributed by Thomas Jensen)
o unbound: support file-based custom includes
o unbound: set absolute path to root.hints (contributed by h-town)
o plugins: os-bind 1.8[2] (contributed by ErikJStaab)
o plugins: os-dnscrypt-proxy 1.6[3] (contributed by ErikJStaab)
o plugins: os-etpro-telemetry 1.4[4]
o plugins: os-theme-cicada 1.20 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.20 (contributed by Team Rebellion)
o ports: ca_root_nss 3.46
o ports: ldns 1.7.1[5]
o ports: pcre2 10.33[6]
o ports: php 7.2.22[7]
o ports: phpseclib 2.0.21[8]
o ports: unbound 1.9.3[9]

Stay safe,
Your OPNsense team

--
[1] https://opnsense.org/about/road-map/
[2] https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr
[3] https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr
[4] https://docs.opnsense.org/manual/etpro_telemetry.html
[5] https://raw.githubusercontent.com/NLnetLabs/ldns/release-1.7.1/Changelog
[6] https://www.pcre.org/changelog.txt
[7] https://www.php.net/ChangeLog-7.php#7.2.22
[8] https://github.com/phpseclib/phpseclib/releases
[9] https://nlnetlabs.nl/projects/unbound/download

Announcements / OPNsense 19.7.3 released

« on: August 28, 2019, 03:15:57 pm »

Hello,

Please enjoy this release with improved CARP utility and a number of smaller fixes and updates for the operating system and third party tools. You can now also toggle logging directly from the rule overview to make debugging easier.

Here is the full list of changes:

o system: try all backups for automatic revert when config.xml is damaged
o system: do a system reset if all config.xml files are damaged
o system: only show tunables reboot hint when applying tunables (contributed by Northguy)
o system: use FQDN in system log remote messages
o system: add defunct gateways to GUI in disabled state
o interfaces: only allow VLAN parents that will work as VLAN parents
o interfaces: optionally promote/demote CARP on service status
o interfaces: CARP status page report with demotion level to avoid ambiguity
o firewall: revert problematic 19.7.2 change "unhide automatic interface-based output rules"
o firewall: restore automatic outbound NAT pre-19.7 behaviour which excludes gateways not configured and not dynamic
o firewall: add logging toggle to rules overview (contributed by johnaheadley)
o firewall: DHCPv6 relay would generate rules even if not enabled
o firmware: only do single-repository fingerprint verify defaulting to our OPNsense repository
o firmware: fix base and kernel package listing
o intrusion detection: show change message after toggle or save
o intrusion detection: rule download fix
o monit: add parent devices to interface list (contributed by Frank Brendel)
o monit: fix standard configuration migration (contributed by Frank Brendel)
o reporting: skip illegal NetFlow records in flow parser
o opendns: migrate update hook from DynDNS plugin to core to make it fully automatic
o backend: fix exception message string handling in Python 3
o backend: add help to pluginctl utility
o backend: configctl event handler support
o mvc: log API key when authentication failed
o ui: more consistent HTML (contributed by gisforgirard)
o ui: sidebar bug fix (contributed by Team Rebellion)
o ui: fix initFormAdvancedUI() on initial load
o plugins: os-acme-client 1.25[1]
o plugins: os-bind 1.7[2]
o plugins: os-dyndns 1.17 removes OpenDNS and fixes DyNS
o plugins: os-haproxy 2.18[3]
o plugins: os-maltrail 1.1[4]
o plugins: os-nginx log rotation fix (contributed by Fabian Franz)
o plugins: os-postfix 1.10[5]
o plugins: os-smart 2.1 fixes widget status and adds NVMe disk support (contributed by nhirokinet and ATL)
o plugins: os-theme-cicada 1.19 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.19 (contributed by Team Rebellion)
o plugins: os-wireguard 1.1[6]
o src: fix incorrect exception handling in libunwind[7]
o src: fix multiple vulnerabilities in bzip2[8]
o src: fix ICMPv6 / MLDv2 out-of-bounds memory access[9]
o src: fix insufficient message length validation in bsnmp library[10]
o src: fix insufficient validation of guest-supplied data (e1000 device)[11]
o src: fix IPv6 remote denial of service[12]
o src: fix kernel memory disclosure from /dev/midistat[13]
o src: fix reference count overflow in mqueuefs[14]
o ports: hostapd 2.9[15]
o ports: nghttp2 1.39.2[16]
o ports: openldap 2.4.48[17]
o ports: perl 5.30.0[18]
o ports: php 7.2.21[19]
o ports: py-openssl 19.0.0[20]
o ports: syslog-ng 3.22.1[21]
o ports: wpa_supplicant 2.9[22]

Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/pull/1452
[2] https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr
[3] https://github.com/opnsense/plugins/pull/1453
[4] https://github.com/opnsense/plugins/blob/master/security/maltrail/pkg-descr
[5] https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr
[6] https://github.com/opnsense/plugins/blob/master/net/wireguard/pkg-descr
[7] https://www.freebsd.org/security/advisories/FreeBSD-EN-19:15.libunwind.asc
[8] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:18.bzip2.asc
[9] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:19.mldv2.asc
[10] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:20.bsnmp.asc
[11] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:21.bhyve.asc
[12] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:22.mbuf.asc
[13] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:23.midi.asc
[14] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:24.mqueuefs.asc
[15] https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog
[16] https://github.com/nghttp2/nghttp2/releases/tag/v1.39.2
[17] https://www.openldap.org/software/release/announce.html
[18] https://metacpan.org/pod/release/XSAWYERX/perl-5.30.0/pod/perldelta.pod
[19] https://www.php.net/ChangeLog-7.php#7.2.21
[20] https://www.pyopenssl.org/en/stable/changelog.html
[21] https://github.com/balabit/syslog-ng/releases/tag/syslog-ng-3.22.1
[22] https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog

Announcements / OPNsense 19.7.2 released

« on: August 05, 2019, 12:04:19 pm »

Hi there,

This update ships the latest FreeBSD security advisories along with several smaller improvements and fixes. Sunny Valley Networks is the first vendor to introduce additional software to the plugin framework in the form of the Sensei plugin.

Here are the full patch notes:

o system: missing "<PRI>" in legacy output via Syslog-ng
o system: fix writing gateway information for DNS servers
o system: allow gateway to work in DHCPv6 WAN when no router solicitation is available
o firewall: unhide automatic interface-based output rules
o firewall: unhide automatic non-interface-based floating rules
o firewall: lift length restriction in NAT rule description
o firewall: avoid newlines in rule descriptions
o firewall: only show usable addresses in NAT outbound rules
o interfaces: fix extended CARP output when parsing interface information
o interfaces: add more outputs to overview page to increase usefulness
o interfaces: use shared DHCP lease reader for ARP list
o captive portal: fix binary read issue in Python 3
o dhcp: fix DHCPv4 relay interface selection (contributed by jayantsahtoe)
o firmware: handle file signature verify correctly with multiple fingerprint repositories
o firmware: Aivian mirror is no longer active
o firmware: Cloudfence mirror in Brazil added
o plugins: os-acme-client 1.24[1]
o plugins: os-bind 1.6 (contributed by crazy-max)
o plugins: os-dnscrypt-proxy 1.5 (contributed by crazy-max)
o plugins: os-grid_example 1.0[2]
o plugins: os-helloworld Python 3 compatibility[3]
o plugins: os-nut 1.5 adds Riello driver (contributed by Michael Muenz)
o plugins: os-sunnyvalley 1.0[4][5]
o src: fix panic from Intel CPU vulnerability mitigation[6]
o src: fix multiple telnet client vulnerabilities[7]
o src: fix pts write-after-free[8]
o src: fix kernel memory disclosure in freebsd32_ioctl[9]
o src: fix reference count overflow in mqueuefs[10]
o src: fix byhve out-of-bounds read in XHCI device[11]
o src: fix file descriptor reference count leak[12]
o ports: libevent 2.1.11[13]

Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/pull/1399
[2] https://docs.opnsense.org/development/examples/using_grids.html
[3] https://docs.opnsense.org/development/examples/helloworld.html
[4] https://docs.opnsense.org/third_party_plugins.html
[5] https://www.sunnyvalley.io/sensei
[6] https://www.freebsd.org/security/advisories/FreeBSD-EN-19:13.mds.asc
[7] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:12.telnet.asc
[8] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:13.pts.asc
[9] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:14.freebsd32.asc
[10] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:15.mqueuefs.asc
[11] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:16.bhyve.asc
[12] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:17.fd.asc
[13] https://raw.githubusercontent.com/libevent/libevent/release-2.1.11-stable/ChangeLog

Announcements / OPNsense 19.7.1 released

« on: July 25, 2019, 04:28:59 pm »

Dear all,

We do not wish to keep you from enjoying your summer time, but this is a recommended security update enriched with reliability fixes for the new 19.7 series. Of special note are performance improvements as well as a fix for a longstanding NAT before IPsec limitation.

Here are the full patch notes:

o system: do not create automatic copies of existing gateways
o system: do not translate empty tunables descriptions
o system: remove unwanted form action tags
o system: do not include Syslog-ng in rc.freebsd handler
o system: fix manual system log stop/start/restart
o system: scoped IPv6 "%" could confuse mwexecf(), use plain mwexec() instead
o system: allow curl-based downloads to use both trusted and local authorities
o system: fix group privilege print and correctly redirect after edit
o system: use cached address list in referrer check
o system: fix Syslog-ng search stats
o firewall: HTML-escape dynamic entries to display aliases
o firewall: display correct IP version in automatic rules
o firewall: fix a warning while reading empty outbound rules configuration
o firewall: skip illegal log lines in live log
o interfaces: performance improvements for configurations with hundreds of interfaces
o reporting: performance improvements for Python 3 NetFlow aggregator rewrite
o dhcp: move advanced router advertisement options to correct config section
o ipsec: replace global array access with function to ensure side-effect free boot
o ipsec: change DPD action on start to "dpdaction = restart"
o ipsec: remove already default "dpdaction = none" if not set
o ipsec: use interface IP address in local ID when doing NAT before IPsec
o web proxy: fix database reset for Squid 4 by replacing use of ssl_crtd with security_file_certgen
o plugins: os-acme-client 1.24[1]
o plugins: os-bind 1.6[2]
o plugins: os-dnscrypt-proxy 1.5[3]
o plugins: os-frr now restricts characters BGP prefix-list and route-maps[4]
o plugins: os-google-cloud-sdk 1.0[5]
o ports: curl 7.65.3[6]
o ports: monit 5.26.0[7]
o ports: openssh 8.0p1[8]
o ports: php 7.2.20[9]
o ports: python 3.7.4[10]
o ports: sqlite 3.29.0[11]
o ports: squid 4.8[12]

Stay safe and hydrated,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/pull/1399
[2] https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr
[3] https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr
[4] https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr
[5] https://github.com/opnsense/plugins/pull/1392
[6] https://curl.haxx.se/changes.html
[7] https://mmonit.com/monit/changes/
[8] https://www.openssh.com/txt/release-8.0
[9] https://www.php.net/ChangeLog-7.php#7.2.20
[10] https://www.python.org/downloads/release/python-374/
[11] https://sqlite.org/releaselog/3_29_0.html
[12] http://lists.squid-cache.org/pipermail/squid-announce/2019-July/000100.html

Announcements / OPNsense 19.7 released

« on: July 17, 2019, 11:03:29 am »

Hi there,

For four and a half years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

19.7, nicknamed "Jazzy Jaguar", embodies an iteration of what should be considered enjoyable user experience for firewalls in general: improved statistics and visibility of rules, reliable and consistent live logging and alias utility improvements. Apart from the usual upgrades of third party software to up-to-date releases, OPNsense now also offers built-in remote system logging through Syslog-ng, route-based IPsec, updated translations with Spanish as a brand new and already fully translated language and newer Netmap code with VirtIO, VLAN child and vmxnet support.

Last but not least we would like to thank m.a.x. it for their sponsorship of the default gateway priority switching feature and their continued work of writing and maintaining plenty of community plugins. This time around, Maltrail, Netdata and WireGuard VPN have been freshly added to the mix.

Download links, an installation guide[1] and the checksums for the images can be found below as well.

o Europe: https://opnsense.c0urier.net/releases/19.7/
o US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.7/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.7/
o South America: http://mirror.upb.edu.co/opnsense/releases/19.7/
o South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.7/
o Full mirror list: https://opnsense.org/download/

These are the most prominent changes since version 19.1:

o List automatic firewall rules
o Statistics for all firewall rules
o Alias JSON import / export
o Optional statistics for aliases
o Firewall rule locator for live log and automatic rules
o Rewritten gateway handling and switching
o Remote logging via Syslog-ng
o LDAP group sync support
o Support certificate signing requests
o Route-based IPsec support (VTI)
o XMLRPC sync support for alias, VHID, widgets
o Unbound host overrides alias support
o Web proxy and IPsec authentication using PAM
o Parent web proxy support
o Web proxy login privilege via group
o Improved reliability and utility of opnsense-patch
o Dpinger and DHCP servers ported to plugin framework
o Language updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese
o Spanish as a new language
o Netdata, WireGuard, Maltrail and Mail-Backup (PGP) plugin
o Netmap update for VirtIO, VLAN child and vmxnet support
o Bootstrap 3.4, LibreSSL 2.9, Unbound 1.9, PHP 7.2, Python 3.7, Squid 4

And here are the full changes against version 19.7-RC1:

o system: lower automatic gateway priority for tunnel interfaces
o system: only show enabled interfaces on gateway edit
o system: speed up console banner interface print
o interfaces: typo in default WAN selection for packet capture
o interfaces: support multiple interfaces for packet capture
o interfaces: fix ambiguity in get_parent_interface()
o firewall: restart filterlog with every filter reload
o firmware: add update syshook
o ipsec: phase2 IP type selector using the wrong class
o reporting: fix Insight bug not processing top port and address statistics
o ui: window_highlight_table_option() fix for Safari
o wizard: improve logo contrast in welcome message
o plugins: os-frr redistribute configuration fix (contributed by Cedric Vanet)
o plugins: os-intrusion-detection-content-et-pro 1.0.1 now uses suricata-4.0 rulesets
o plugins: os-haproxy 2.17[2][3]
o plugins: os-mail-backup 1.0 (contributed by Joao Vilaca)
o plugins: os-maltrail 1.0 (contributed by Michael Muenz)
o plugins os-smart 2.0 MVC conversion (contributed by Smart-Soft)
o plugins: os-tinc chroot setup with resolv.conf
o plugins: os-wireguard 1.0 (contributed by Michael Muenz)
o plugins: os-wol 2.2 fixes byte conversion
o src: bump netmap ring size, still too small in FreeBSD
o src: add FCC6_FCCA regulatory domain to ath_hal(4)
o src: restore IPV6_NEXTHOP option support
o src: fix privilege escalation in cd(4) driver[4]
o src: fix kernel stack disclosure in UFS/FFS[5]
o src: fix iconv buffer overflow[6]
o src: import tzdata 2019b
o ports: ca_root_nss 3.45
o ports: filterlog 0.3 will not print to console and lowercase IPv6 protocol output
o ports: postfix update is now non-interactive to prevent stalls
o ports: rrdtool 1.7.2[7]

Known issues and limitations:

o Web proxy squid update from version 3 to 4 breaks the cache database. To repair go to "Services: Web Proxy: Administration" tab "Support" and click "Reset".
o Web proxy login privilege is no longer available. Access may be restricted by a group selector instead.
o Nano images require a reinstall using the latest image to avoid inode shortage which makes the system appear to run out of space during recent 19.1.x updates.
o OpenVPN no longer supports listening on gateway groups. Use localhost paired with port forwards instead.

The public key for the 19.7 series is:

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAv2syLqN/IMuADI42aTXx
HRbX3YljURN1dhhjYoqOc/7uZKVc7UJk79q49x8VZmC0edhHiNKfrhj5g3htsPgu
N/eFsc1MZv+J2rfSF7L5NV3D5dU9nuBc75wb9SRIXm7XiiiuInMNRBlJsiFeiuJm
oaE/zqgr75m+cc7sdNQnQQk9+APr4LdksX0bllRmxfhLjDKgiSVe+Yq9kje/JHyf
je5i3MI9WT80o46IZc/oN4q9RG7n6gaIFBVckCwCKsnNZlDCvb1Sr0tdKs58fswj
fxMvouMBf+Jk/0dOEZnoIFYb436H2CUfabiPX3Vm4r3MU4dr5m41WlCH/984cBKy
QSM8h4nSAs/naj5c5YDe4qmwUBxwPIvJPVC/vuWLusyg1gYbloj3EIc1uv2YCkKw
0ra7Hocln3+7Jf2Yn/yn6yaCNdoJY2Blvo84giuklDqdBIKggDHSxGrLKDBshSR3
hapkFRoR7BhnoT14E8DMgD23g9tcwce1AJJ6mZ/DraBx5l11P1ZXLqnyCpvOt5oV
HmMZ9/Xu0naPUC8IxVSNew8j3liPbc5oKV0kQ/TRQTevOBLJ8QA7Y5YdPu0cS4qw
Jq3fGnsRt/0+i1Vs7q51KJLNECHyhWm6zYAfST22ohTUgo2ByoM8r0aRslmiG6JS
+ancHD4lnnHRd+4ybevUft0CAwEAAQ==
-----END PUBLIC KEY-----

Stay safe,
Your OPNsense team

--
[1] https://docs.opnsense.org/manual/install.html
[2] https://github.com/opnsense/plugins/pull/1347
[3] https://github.com/opnsense/plugins/pull/1408
[4] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:11.cd_ioctl.asc
[5] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:10.ufs.asc
[6] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:09.iconv.asc
[7] https://github.com/oetiker/rrdtool-1.x/releases/tag/v1.7.2

SHA256 (OPNsense-19.7-OpenSSL-dvd-amd64.iso.bz2) = e022217d367abaf4fd1360f83e4664d28b3f37932dfe720974b9d7dc33bf50f7
SHA256 (OPNsense-19.7-OpenSSL-nano-amd64.img.bz2) = 6fffefa0b09daea397e83f67bf730392125b720043c455597c05d3d80c2baa29
SHA256 (OPNsense-19.7-OpenSSL-serial-amd64.img.bz2) = 98854d5a0a03850273aa2ebdd7e7b095dfec6a1e6b57341817bb5f5ffab2ca7b
SHA256 (OPNsense-19.7-OpenSSL-vga-amd64.img.bz2) = 523e924586e431ccd421bb85ba1245ce4c8f3a6141b59623f5083d3e36bac592

SHA256 (OPNsense-19.7-OpenSSL-dvd-i386.iso.bz2) = 64c4e58966ab373a0aa6a544b020a39c5b86ecb79cb2988ac1f74b382c7d4765
SHA256 (OPNsense-19.7-OpenSSL-nano-i386.img.bz2) = 3fa6af965f5996a718982617b5a13199747d237a669867b1ffecc951c3ebe455
SHA256 (OPNsense-19.7-OpenSSL-serial-i386.img.bz2) = f0c76142f83b4988defa3fddc7a4cf2d930cbb0aee623d7b064462e25e146297
SHA256 (OPNsense-19.7-OpenSSL-vga-i386.img.bz2) = b425882604886a395730abeaa6a26b8805647609712f61c342cee29f58160006

Announcements / OPNsense 19.1.10 released

« on: July 03, 2019, 11:12:40 am »

Good morning everyone,

Small update as we are nearing the end of the 19.1 series. Yes, it is that time of the year again with a release candidate only a few days away and a final release date set to July 17.

Here are the full patch notes:

o system: change certificate manager actions to POST
o system: fix account removal with missing "-g" option
o system: add dashboard widgets to XMLRPC sync
o firewall: fix live log rule label mismatch caused by optimisation
o firewall: fix alias import with alias references included
o firewall: change default sorting of aliases to names
o firmware: add homelab.no mirror (contributed by Thomas Jensen)
o intrusion detection: when toggling rules keep the current action
o intrusion detection: suppress mystery PHP 7.2+ warning in API
o intrusion detection: show SID in alert view
o web proxy: add cache reset button
o web proxy: correct syslog export
o plugins: os-dyndns 1.6 DigitalOcean support (contributed by Dune Heishman)
o plugins: os-etpro-telemetry Python 3 support
o plugins: os-frr 1.11[1]
o plugins: os-nginx 1.14[2]
o plugins: os-rspamd 1.7[3]
o plugins: os-tinc Python 3 support
o ports: ca_root_nss 3.44.1
o ports: curl 7.65.1[4]
o ports: libevent 2.1.10[5]
o ports: libxml 2.9.9[6]
o ports: libressl 2.9.2[7][8]
o ports: phalcon 3.4.4[9]
o ports: strongswan 5.8.0[10]
o ports: unbound 1.9.2[11]

Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr
[2] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[3] https://github.com/opnsense/plugins/blob/master/mail/rspamd/pkg-descr
[4] https://curl.haxx.se/changes.html
[5] https://github.com/libevent/libevent/releases/tag/release-2.1.10-stable
[6] https://mail.gnome.org/archives/xml/2019-January/msg00000.html
[7] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.9.1-relnotes.txt
[8] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.9.2-relnotes.txt
[9] https://github.com/phalcon/cphalcon/releases/tag/v3.4.4
[10] https://wiki.strongswan.org/versions/73
[11] https://nlnetlabs.nl/projects/unbound/download/

Pages: [1] 2 3 ... 16