Topics

1

Announcements / OPNsense 19.7.4 released

« on: September 11, 2019, 03:00:07 pm »

A good day to you all,

A wee bit of updates for you... nothing overly exciting. On the other hand, we have updated the roadmap page to include 20.1 if you want to take a closer look[1]. More exciting for sure.

Here are the full patch notes:

o system: fix legacy remote logging with custom port
o system: regenerate CA bundle when modifying trusted authorities
o system: fix translation order of tunables description
o system: fix CARP maintenance mode bootup
o firewall: missing daily refresh on GeoIP type
o firewall: fix fetch of GeoIP alias if its name is same as its country
o reporting: auto-load required kernel modules for NetFlow
o reporting: allow setting NetFlow active/inactive timeout (contributed by Frank Brendel)
o captive portal: optimise ipfw rule parsing
o firmware: Homelab.no has been superseded by TerraHost mirror (contributed by Thomas Jensen)
o unbound: support file-based custom includes
o unbound: set absolute path to root.hints (contributed by h-town)
o plugins: os-bind 1.8[2] (contributed by ErikJStaab)
o plugins: os-dnscrypt-proxy 1.6[3] (contributed by ErikJStaab)
o plugins: os-etpro-telemetry 1.4[4]
o plugins: os-theme-cicada 1.20 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.20 (contributed by Team Rebellion)
o ports: ca_root_nss 3.46
o ports: ldns 1.7.1[5]
o ports: pcre2 10.33[6]
o ports: php 7.2.22[7]
o ports: phpseclib 2.0.21[8]
o ports: unbound 1.9.3[9]


Stay safe,
Your OPNsense team

--
[1] https://opnsense.org/about/road-map/
[2] https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr
[3] https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr
[4] https://docs.opnsense.org/manual/etpro_telemetry.html
[5] https://raw.githubusercontent.com/NLnetLabs/ldns/release-1.7.1/Changelog
[6] https://www.pcre.org/changelog.txt
[7] https://www.php.net/ChangeLog-7.php#7.2.22
[8] https://github.com/phpseclib/phpseclib/releases
[9] https://nlnetlabs.nl/projects/unbound/download

2

Announcements / OPNsense 19.7.3 released

« on: August 28, 2019, 03:15:57 pm »

Hello,

Please enjoy this release with improved CARP utility and a number of smaller fixes and updates for the operating system and third party tools. You can now also toggle logging directly from the rule overview to make debugging easier.

Here is the full list of changes:

o system: try all backups for automatic revert when config.xml is damaged
o system: do a system reset if all config.xml files are damaged
o system: only show tunables reboot hint when applying tunables (contributed by Northguy)
o system: use FQDN in system log remote messages
o system: add defunct gateways to GUI in disabled state
o interfaces: only allow VLAN parents that will work as VLAN parents
o interfaces: optionally promote/demote CARP on service status
o interfaces: CARP status page report with demotion level to avoid ambiguity
o firewall: revert problematic 19.7.2 change "unhide automatic interface-based output rules"
o firewall: restore automatic outbound NAT pre-19.7 behaviour which excludes gateways not configured and not dynamic
o firewall: add logging toggle to rules overview (contributed by johnaheadley)
o firewall: DHCPv6 relay would generate rules even if not enabled
o firmware: only do single-repository fingerprint verify defaulting to our OPNsense repository
o firmware: fix base and kernel package listing
o intrusion detection: show change message after toggle or save
o intrusion detection: rule download fix
o monit: add parent devices to interface list (contributed by Frank Brendel)
o monit: fix standard configuration migration (contributed by Frank Brendel)
o reporting: skip illegal NetFlow records in flow parser
o opendns: migrate update hook from DynDNS plugin to core to make it fully automatic
o backend: fix exception message string handling in Python 3
o backend: add help to pluginctl utility
o backend: configctl event handler support
o mvc: log API key when authentication failed
o ui:  more consistent HTML (contributed by gisforgirard)
o ui: sidebar bug fix (contributed by Team Rebellion)
o ui: fix initFormAdvancedUI() on initial load
o plugins: os-acme-client 1.25[1]
o plugins: os-bind 1.7[2]
o plugins: os-dyndns 1.17 removes OpenDNS and fixes DyNS
o plugins: os-haproxy 2.18[3]
o plugins: os-maltrail 1.1[4]
o plugins: os-nginx log rotation fix (contributed by Fabian Franz)
o plugins: os-postfix 1.10[5]
o plugins: os-smart 2.1 fixes widget status and adds NVMe disk support (contributed by nhirokinet and ATL)
o plugins: os-theme-cicada 1.19 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.19 (contributed by Team Rebellion)
o plugins: os-wireguard 1.1[6]
o src: fix incorrect exception handling in libunwind[7]
o src: fix multiple vulnerabilities in bzip2[8]
o src: fix ICMPv6 / MLDv2 out-of-bounds memory access[9]
o src: fix insufficient message length validation in bsnmp library[10]
o src: fix insufficient validation of guest-supplied data (e1000 device)[11]
o src: fix IPv6 remote denial of service[12]
o src: fix kernel memory disclosure from /dev/midistat[13]
o src: fix reference count overflow in mqueuefs[14]
o ports: hostapd 2.9[15]
o ports: nghttp2 1.39.2[16]
o ports: openldap 2.4.48[17]
o ports: perl 5.30.0[18]
o ports: php 7.2.21[19]
o ports: py-openssl 19.0.0[20]
o ports: syslog-ng 3.22.1[21]
o ports: wpa_supplicant 2.9[22]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/pull/1452
[2] https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr
[3] https://github.com/opnsense/plugins/pull/1453
[4] https://github.com/opnsense/plugins/blob/master/security/maltrail/pkg-descr
[5] https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr
[6] https://github.com/opnsense/plugins/blob/master/net/wireguard/pkg-descr
[7] https://www.freebsd.org/security/advisories/FreeBSD-EN-19:15.libunwind.asc
[8] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:18.bzip2.asc
[9] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:19.mldv2.asc
[10] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:20.bsnmp.asc
[11] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:21.bhyve.asc
[12] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:22.mbuf.asc
[13] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:23.midi.asc
[14] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:24.mqueuefs.asc
[15] https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog
[16] https://github.com/nghttp2/nghttp2/releases/tag/v1.39.2
[17] https://www.openldap.org/software/release/announce.html
[18] https://metacpan.org/pod/release/XSAWYERX/perl-5.30.0/pod/perldelta.pod
[19] https://www.php.net/ChangeLog-7.php#7.2.21
[20] https://www.pyopenssl.org/en/stable/changelog.html
[21] https://github.com/balabit/syslog-ng/releases/tag/syslog-ng-3.22.1
[22] https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog

3

Announcements / OPNsense 19.7.2 released

« on: August 05, 2019, 12:04:19 pm »

Hi there,

This update ships the latest FreeBSD security advisories along with several smaller improvements and fixes. Sunny Valley Networks is the first vendor to introduce additional software to the plugin framework in the form of the Sensei plugin.

Here are the full patch notes:

o system: missing "<PRI>" in legacy output via Syslog-ng
o system: fix writing gateway information for DNS servers
o system: allow gateway to work in DHCPv6 WAN when no router solicitation is available
o firewall: unhide automatic interface-based output rules
o firewall: unhide automatic non-interface-based floating rules
o firewall: lift length restriction in NAT rule description
o firewall: avoid newlines in rule descriptions
o firewall: only show usable addresses in NAT outbound rules
o interfaces: fix extended CARP output when parsing interface information
o interfaces: add more outputs to overview page to increase usefulness
o interfaces: use shared DHCP lease reader for ARP list
o captive portal: fix binary read issue in Python 3
o dhcp: fix DHCPv4 relay interface selection (contributed by jayantsahtoe)
o firmware: handle file signature verify correctly with multiple fingerprint repositories
o firmware: Aivian mirror is no longer active
o firmware: Cloudfence mirror in Brazil added
o plugins: os-acme-client 1.24[1]
o plugins: os-bind 1.6 (contributed by crazy-max)
o plugins: os-dnscrypt-proxy 1.5 (contributed by crazy-max)
o plugins: os-grid_example 1.0[2]
o plugins: os-helloworld Python 3 compatibility[3]
o plugins: os-nut 1.5 adds Riello driver (contributed by Michael Muenz)
o plugins: os-sunnyvalley 1.0[4][5]
o src: fix panic from Intel CPU vulnerability mitigation[6]
o src: fix multiple telnet client vulnerabilities[7]
o src: fix pts write-after-free[8]
o src: fix kernel memory disclosure in freebsd32_ioctl[9]
o src: fix reference count overflow in mqueuefs[10]
o src: fix byhve out-of-bounds read in XHCI device[11]
o src: fix file descriptor reference count leak[12]
o ports: libevent 2.1.11[13]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/pull/1399
[2] https://docs.opnsense.org/development/examples/using_grids.html
[3] https://docs.opnsense.org/development/examples/helloworld.html
[4] https://docs.opnsense.org/third_party_plugins.html
[5] https://www.sunnyvalley.io/sensei
[6] https://www.freebsd.org/security/advisories/FreeBSD-EN-19:13.mds.asc
[7] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:12.telnet.asc
[8] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:13.pts.asc
[9] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:14.freebsd32.asc
[10] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:15.mqueuefs.asc
[11] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:16.bhyve.asc
[12] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:17.fd.asc
[13] https://raw.githubusercontent.com/libevent/libevent/release-2.1.11-stable/ChangeLog

4

Announcements / OPNsense 19.7.1 released

« on: July 25, 2019, 04:28:59 pm »

Dear all,

We do not wish to keep you from enjoying your summer time, but this is a recommended security update enriched with reliability fixes for the new 19.7 series. Of special note are performance improvements as well as a fix for a longstanding NAT before IPsec limitation.

Here are the full patch notes:

o system: do not create automatic copies of existing gateways
o system: do not translate empty tunables descriptions
o system: remove unwanted form action tags
o system: do not include Syslog-ng in rc.freebsd handler
o system: fix manual system log stop/start/restart
o system: scoped IPv6 "%" could confuse mwexecf(), use plain mwexec() instead
o system: allow curl-based downloads to use both trusted and local authorities
o system: fix group privilege print and correctly redirect after edit
o system: use cached address list in referrer check
o system: fix Syslog-ng search stats
o firewall: HTML-escape dynamic entries to display aliases
o firewall: display correct IP version in automatic rules
o firewall: fix a warning while reading empty outbound rules configuration
o firewall: skip illegal log lines in live log
o interfaces: performance improvements for configurations with hundreds of interfaces
o reporting: performance improvements for Python 3 NetFlow aggregator rewrite
o dhcp: move advanced router advertisement options to correct config section
o ipsec: replace global array access with function to ensure side-effect free boot
o ipsec: change DPD action on start to "dpdaction = restart"
o ipsec: remove already default "dpdaction = none" if not set
o ipsec: use interface IP address in local ID when doing NAT before IPsec
o web proxy: fix database reset for Squid 4 by replacing use of ssl_crtd with security_file_certgen
o plugins: os-acme-client 1.24[1]
o plugins: os-bind 1.6[2]
o plugins: os-dnscrypt-proxy 1.5[3]
o plugins: os-frr now restricts characters BGP prefix-list and route-maps[4]
o plugins: os-google-cloud-sdk 1.0[5]
o ports: curl 7.65.3[6]
o ports: monit 5.26.0[7]
o ports: openssh 8.0p1[8]
o ports: php 7.2.20[9]
o ports: python 3.7.4[10]
o ports: sqlite 3.29.0[11]
o ports: squid 4.8[12]


Stay safe and hydrated,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/pull/1399
[2] https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr
[3] https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr
[4] https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr
[5] https://github.com/opnsense/plugins/pull/1392
[6] https://curl.haxx.se/changes.html
[7] https://mmonit.com/monit/changes/
[8] https://www.openssh.com/txt/release-8.0
[9] https://www.php.net/ChangeLog-7.php#7.2.20
[10] https://www.python.org/downloads/release/python-374/
[11] https://sqlite.org/releaselog/3_29_0.html
[12] http://lists.squid-cache.org/pipermail/squid-announce/2019-July/000100.html

5

Announcements / OPNsense 19.7 released

« on: July 17, 2019, 11:03:29 am »

Hi there,

For four and a half years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

19.7, nicknamed "Jazzy Jaguar", embodies an iteration of what should be considered enjoyable user experience for firewalls in general: improved statistics and visibility of rules, reliable and consistent live logging and alias utility improvements.  Apart from the usual upgrades of third party software to up-to-date releases, OPNsense now also offers built-in remote system logging through Syslog-ng, route-based IPsec, updated translations with Spanish as a brand new and already fully translated language and newer Netmap code with VirtIO, VLAN child and vmxnet support.

Last but not least we would like to thank m.a.x. it for their sponsorship of the default gateway priority switching feature and their continued work of writing and maintaining plenty of community plugins.  This time around, Maltrail, Netdata and WireGuard VPN have been freshly added to the mix.

Download links, an installation guide[1] and the checksums for the images can be found below as well.

o Europe: https://opnsense.c0urier.net/releases/19.7/
o US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.7/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.7/
o South America: http://mirror.upb.edu.co/opnsense/releases/19.7/
o South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.7/
o Full mirror list: https://opnsense.org/download/

These are the most prominent changes since version 19.1:

o List automatic firewall rules
o Statistics for all firewall rules
o Alias JSON import / export
o Optional statistics for aliases
o Firewall rule locator for live log and automatic rules
o Rewritten gateway handling and switching
o Remote logging via Syslog-ng
o LDAP group sync support
o Support certificate signing requests
o Route-based IPsec support (VTI)
o XMLRPC sync support for alias, VHID, widgets
o Unbound host overrides alias support
o Web proxy and IPsec authentication using PAM
o Parent web proxy support
o Web proxy login privilege via group
o Improved reliability and utility of opnsense-patch
o Dpinger and DHCP servers ported to plugin framework
o Language updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese
o Spanish as a new language
o Netdata, WireGuard, Maltrail and Mail-Backup (PGP) plugin
o Netmap update for VirtIO, VLAN child and vmxnet support
o Bootstrap 3.4, LibreSSL 2.9, Unbound 1.9, PHP 7.2, Python 3.7, Squid 4

And here are the full changes against version 19.7-RC1:

o system: lower automatic gateway priority for tunnel interfaces
o system: only show enabled interfaces on gateway edit
o system: speed up console banner interface print
o interfaces: typo in default WAN selection for packet capture
o interfaces: support multiple interfaces for packet capture
o interfaces: fix ambiguity in get_parent_interface()
o firewall: restart filterlog with every filter reload
o firmware: add update syshook
o ipsec: phase2 IP type selector using the wrong class
o reporting: fix Insight bug not processing top port and address statistics
o ui: window_highlight_table_option() fix for Safari
o wizard: improve logo contrast in welcome message
o plugins: os-frr redistribute configuration fix (contributed by Cedric Vanet)
o plugins: os-intrusion-detection-content-et-pro 1.0.1 now uses suricata-4.0 rulesets
o plugins: os-haproxy 2.17[2][3]
o plugins: os-mail-backup 1.0 (contributed by Joao Vilaca)
o plugins: os-maltrail 1.0 (contributed by Michael Muenz)
o plugins os-smart 2.0 MVC conversion (contributed by Smart-Soft)
o plugins: os-tinc chroot setup with resolv.conf
o plugins: os-wireguard 1.0 (contributed by Michael Muenz)
o plugins: os-wol 2.2 fixes byte conversion
o src: bump netmap ring size, still too small in FreeBSD
o src: add FCC6_FCCA regulatory domain to ath_hal(4)
o src: restore IPV6_NEXTHOP option support
o src: fix privilege escalation in cd(4) driver[4]
o src: fix kernel stack disclosure in UFS/FFS[5]
o src: fix iconv buffer overflow[6]
o src: import tzdata 2019b
o ports: ca_root_nss 3.45
o ports: filterlog 0.3 will not print to console and lowercase IPv6 protocol output
o ports: postfix update is now non-interactive to prevent stalls
o ports: rrdtool 1.7.2[7]

Known issues and limitations:

o Web proxy squid update from version 3 to 4 breaks the cache database.  To repair go to "Services: Web Proxy: Administration" tab "Support" and click "Reset".
o Web proxy login privilege is no longer available.  Access may be restricted by a group selector instead.
o Nano images require a reinstall using the latest image to avoid inode shortage which makes the system appear to run out of space during recent 19.1.x updates.
o OpenVPN no longer supports listening on gateway groups.  Use localhost paired with port forwards instead.

The public key for the 19.7 series is:

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAv2syLqN/IMuADI42aTXx
HRbX3YljURN1dhhjYoqOc/7uZKVc7UJk79q49x8VZmC0edhHiNKfrhj5g3htsPgu
N/eFsc1MZv+J2rfSF7L5NV3D5dU9nuBc75wb9SRIXm7XiiiuInMNRBlJsiFeiuJm
oaE/zqgr75m+cc7sdNQnQQk9+APr4LdksX0bllRmxfhLjDKgiSVe+Yq9kje/JHyf
je5i3MI9WT80o46IZc/oN4q9RG7n6gaIFBVckCwCKsnNZlDCvb1Sr0tdKs58fswj
fxMvouMBf+Jk/0dOEZnoIFYb436H2CUfabiPX3Vm4r3MU4dr5m41WlCH/984cBKy
QSM8h4nSAs/naj5c5YDe4qmwUBxwPIvJPVC/vuWLusyg1gYbloj3EIc1uv2YCkKw
0ra7Hocln3+7Jf2Yn/yn6yaCNdoJY2Blvo84giuklDqdBIKggDHSxGrLKDBshSR3
hapkFRoR7BhnoT14E8DMgD23g9tcwce1AJJ6mZ/DraBx5l11P1ZXLqnyCpvOt5oV
HmMZ9/Xu0naPUC8IxVSNew8j3liPbc5oKV0kQ/TRQTevOBLJ8QA7Y5YdPu0cS4qw
Jq3fGnsRt/0+i1Vs7q51KJLNECHyhWm6zYAfST22ohTUgo2ByoM8r0aRslmiG6JS
+ancHD4lnnHRd+4ybevUft0CAwEAAQ==
-----END PUBLIC KEY-----

Stay safe,
Your OPNsense team

--
[1] https://docs.opnsense.org/manual/install.html
[2] https://github.com/opnsense/plugins/pull/1347
[3] https://github.com/opnsense/plugins/pull/1408
[4] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:11.cd_ioctl.asc
[5] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:10.ufs.asc
[6] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:09.iconv.asc
[7] https://github.com/oetiker/rrdtool-1.x/releases/tag/v1.7.2

SHA256 (OPNsense-19.7-OpenSSL-dvd-amd64.iso.bz2) = e022217d367abaf4fd1360f83e4664d28b3f37932dfe720974b9d7dc33bf50f7
SHA256 (OPNsense-19.7-OpenSSL-nano-amd64.img.bz2) = 6fffefa0b09daea397e83f67bf730392125b720043c455597c05d3d80c2baa29
SHA256 (OPNsense-19.7-OpenSSL-serial-amd64.img.bz2) = 98854d5a0a03850273aa2ebdd7e7b095dfec6a1e6b57341817bb5f5ffab2ca7b
SHA256 (OPNsense-19.7-OpenSSL-vga-amd64.img.bz2) = 523e924586e431ccd421bb85ba1245ce4c8f3a6141b59623f5083d3e36bac592

SHA256 (OPNsense-19.7-OpenSSL-dvd-i386.iso.bz2) = 64c4e58966ab373a0aa6a544b020a39c5b86ecb79cb2988ac1f74b382c7d4765
SHA256 (OPNsense-19.7-OpenSSL-nano-i386.img.bz2) = 3fa6af965f5996a718982617b5a13199747d237a669867b1ffecc951c3ebe455
SHA256 (OPNsense-19.7-OpenSSL-serial-i386.img.bz2) = f0c76142f83b4988defa3fddc7a4cf2d930cbb0aee623d7b064462e25e146297
SHA256 (OPNsense-19.7-OpenSSL-vga-i386.img.bz2) = b425882604886a395730abeaa6a26b8805647609712f61c342cee29f58160006

6

Announcements / OPNsense 19.1.10 released

« on: July 03, 2019, 11:12:40 am »

Good morning everyone,

Small update as we are nearing the end of the 19.1 series. Yes, it is that time of the year again with a release candidate only a few days away and a final release date set to July 17.

Here are the full patch notes:

o system: change certificate manager actions to POST
o system: fix account removal with missing "-g" option
o system: add dashboard widgets to XMLRPC sync
o firewall: fix live log rule label mismatch caused by optimisation
o firewall: fix alias import with alias references included
o firewall: change default sorting of aliases to names
o firmware: add homelab.no mirror (contributed by Thomas Jensen)
o intrusion detection: when toggling rules keep the current action
o intrusion detection: suppress mystery PHP 7.2+ warning in API
o intrusion detection: show SID in alert view
o web proxy: add cache reset button
o web proxy: correct syslog export
o plugins: os-dyndns 1.6 DigitalOcean support (contributed by Dune Heishman)
o plugins: os-etpro-telemetry Python 3 support
o plugins: os-frr 1.11[1]
o plugins: os-nginx 1.14[2]
o plugins: os-rspamd 1.7[3]
o plugins: os-tinc Python 3 support
o ports: ca_root_nss 3.44.1
o ports: curl 7.65.1[4]
o ports: libevent 2.1.10[5]
o ports: libxml 2.9.9[6]
o ports: libressl 2.9.2[7][8]
o ports: phalcon 3.4.4[9]
o ports: strongswan 5.8.0[10]
o ports: unbound 1.9.2[11]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr
[2] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[3] https://github.com/opnsense/plugins/blob/master/mail/rspamd/pkg-descr
[4] https://curl.haxx.se/changes.html
[5] https://github.com/libevent/libevent/releases/tag/release-2.1.10-stable
[6] https://mail.gnome.org/archives/xml/2019-January/msg00000.html
[7] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.9.1-relnotes.txt
[8] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.9.2-relnotes.txt
[9] https://github.com/phalcon/cphalcon/releases/tag/v3.4.4
[10] https://wiki.strongswan.org/versions/73
[11] https://nlnetlabs.nl/projects/unbound/download/

7

Announcements / OPNsense 19.1.9 released

« on: June 06, 2019, 04:39:50 pm »

Hi there,

Small 19.1 series update mainly focusing on LDAP group synchronisation and assorted OpenVPN improvements. Two regressions of previous versions have been fixed as well.

Here are the full patch notes:

o system: add LDAP group synchronisation feature
o system: allow an arbitrary group for sudo like ssh login
o system: stop using a lock around resolv.conf handling
o system: rename a number of service-related functions
o system: login not using cache-safe image yet
o system: add pluginctl -s support
o system: restyle config backup page
o system: fix log split view regression of 19.1.8
o interfaces: remove DHCPv6 on delete and clear config on IPsec assignment
o interfaces: small VIP restructure and IPv6 alias to IPv6 device
o interfaces: subtle changes in IPv6 and variable naming
o interfaces: add missing does_interface_exist() checks
o firewall: support multiple interfaces per NAT port forward rule
o captive portal: use "onestop" to stop service
o intrusion detection: missing header ID in alerts tab
o ipsec: remove remnants of gateway group interface selection
o ipsec: use indirect plugin calls in interface code
o openvpn: add live-search to longer lists in server page
o openvpn: support --cryptoapicert export (sponsored by m.a.x it)
o opnevpn: correctly check for translation in get_carp_interface_status()
o openvpn: use waitforpid() to properly wait for instanes to come up
o openvpn: translate GUI error values when returning them
o openvpn: revamp status page
o unbound: leases watcher file rotation issue
o web proxy: squid log in readable date format (contributed by nhirokinet)
o web proxy: fix non-local authentication regression of 19.1.7
o plugins: os-bind 1.5[1]
o plugins: os-clamav 1.7[2]
o plugins: os-dnscrypt-proxy 1.4[3]
o plugins: os-dyndns clouldflare wildcard domain support
o plugins: os-nginx 1.13[4]
o plugins: os-openconnect 1.4.0[5]
o plugins: os-redis 1.1[6]
o plugins: os-rspamd 1.6[7]
o plugins: os-theme-cicada 1.18 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.18 (contributed by Team Rebellion)
o ports: curl 7.65.0[8]
o ports: lighttpd 1.4.54[9]
o ports: python 3.7.3[10]
o ports: openssl 1.0.2s[11]
o ports: php 7.2.19[12]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr
[2] https://github.com/opnsense/plugins/blob/master/security/clamav/pkg-descr
[3] https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr
[4] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[5] https://github.com/opnsense/plugins/blob/master/security/openconnect/pkg-descr
[6] https://github.com/opnsense/plugins/blob/master/databases/redis/pkg-descr
[7] https://github.com/opnsense/plugins/blob/master/mail/rspamd/pkg-descr
[8] https://curl.haxx.se/changes.html
[9] https://www.lighttpd.net/2019/5/27/1.4.54/
[10] https://www.python.org/downloads/release/python-373/
[11] https://www.openssl.org/news/cl102.txt
[12] https://www.php.net/ChangeLog-7.php#7.2.19

8

Announcements / OPNsense 19.1.8 released

« on: May 20, 2019, 12:09:17 pm »

Good day to you all,

This update addresses several privilege escalation issues in the access control implementation and new memory disclosure issues in Intel CPUs. We would like to thank Arnaud Cordier and Bill Marquette for the top-notch reports and coordination.

Here are the full patch notes:

o system: address CVE-2019-11816 privilege escalation bugs[1] (reported by Arnaud Cordier)
o system: /etc/hosts generation without interface_has_gateway()
o system: show correct timestamp in config restore save message (contributed by nhirokinet)
o system: list the commands for the pluginctl utility when no argument is given
o system: introduce and use userIsAdmin() helper function instead of checking for 'page-all' privilege directly
o system: use absolute path in widget ACLs (reported by Netgate)
o system: RRD-related cleanups for less code exposure
o interfaces: add EN DUID Generation using OPNsense PEN (contributed by Team Rebellion)
o interfaces: replace legacy_getall_interface_addresses() usage
o firewall: fix port validation in aliases with leading / trailing spaces
o firewall: fix outbound NAT translation display in overview page
o firewall: prevent CARP outgoing packets from using the configured gateway
o firewall: use CARP net.inet.carp.demotion to control current demotion in status page
o firewall: stop live log poller on error result
o dhcpd: change rule priority to 1 to avoid bogon clash
o dnsmasq: only admins may edit custom options field
o firmware: use insecure mode for base and kernel sets when package fingerprints are disabled
o firmware: add optional device support for base and kernel sets
o firmware: add Hostcentral mirror (HTTP, Melbourne, Australia)
o ipsec: always reset rightallowany to default when writing configuration
o lang: say "hola" to Spanish as the newest available GUI language
o lang: updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese
o network time: only admins may edit custom options field
o openvpn: call openvpn_refresh_crls() indirectly via plugin_configure() for less code exposure
o openvpn: only admins may edit custom options field to prevent privilege escalation (reported by Bill Marquette)
o openvpn: remove custom options field from wizard
o unbound: only admins may edit custom options field
o wizard: translate typehint as well
o plugins: os-freeradius 1.9.3 fixes string interpolation in LDAP filters (contributed by theq86)
o plugins: os-nginx 1.12[2]
o plugins: os-theme-cicada 1.17 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.17 (contributed by Team Rebellion)
o src: timezone database information update[3]
o src: install(1) broken with partially matching relative paths[4]
o src: microarchitectural Data Sampling (MDS) mitigation[5]
o ports: ca_root_nss 3.44
o ports: php 7.2.18[6]
o ports: sqlite 3.28.0[7]
o ports: strongswan custom XAuth generic patch removed


Stay safe,
Your OPNsense team

--
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11816
[2] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[3] https://www.freebsd.org/security/advisories/FreeBSD-EN-19:08.tzdata.asc
[4] https://www.freebsd.org/security/advisories/FreeBSD-EN-19:09.xinstall.asc
[5] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:07.mds.asc
[6] https://www.php.net/ChangeLog-7.php#7.2.18
[7] https://www.sqlite.org/changes.html

9

19.1 Legacy Series / [CALL FOR TESTING] Microarchitectural Data Sampling (MDS) patch

« on: May 17, 2019, 10:01:23 am »

Hi everyone,

I'm sure you've heard another Intel CPU bug class is making its rounds. Amongst them is https://zombieloadattack.com/

We would like to get your early feedback for Monday's patching using this call for testing for the to be shipped operating system update. To apply the upcoming patch you can use the following commands from the shell which will install both the base (-b) and kernel (-k) to be included in 19.1.8 (-r):

# opnsense-update -r 19.1.8 -b -k
# opnsense-shell reboot

All feedback for amd64 and i386 architectures is appreciated. Let us know you're running the patch under what architecture and possibly hardware even if it works fine. You can check the install state with the uname utility after reboot:

# uname -a
FreeBSD host.domain 11.2-RELEASE-p10-HBSD FreeBSD 11.2-RELEASE-p10-HBSD  5e5adf26fc3(stable/19.1)  amd64

Read more about the MDS patch and subsequent microcode updates via FreeBSD's security advisory:

https://www.freebsd.org/security/advisories/FreeBSD-SA-19:07.mds.asc


Thank you,
Franco

10

Documentation and Translation / Translation project update for upcoming 19.7

« on: May 06, 2019, 08:49:06 am »

Hi all,

First of all thanks to the many contributors to our translations. Thanks to you OPNsense is available in 10 languages all around the globe!

There will be a language pack update for 19.1.8. Yet the larger point is that the strings were regenerated using the latest source code and so 7000+ possible translations turned into over 9000+, which requires new attention in every language to get back to 100%.

For more info or an account see https://translate.opnsense.org

If you have any questions please let us know.


Cheers,
Franco

11

Announcements / OPNsense 19.1.7 released

« on: May 02, 2019, 02:05:06 pm »

Hello, hello!

This update features a number of improvements such as link-local support for bridges, HA sync consolidation, adding local CAs to the trusted SSL certificates for most of the system download capabilities, plugin-based PAM authentication rework for IPsec and the web proxy as well as third party fixes for hostapd / wpa_supplicant 2.8 and Suricata 4.1.4.

Python 3 migration is also underway now which requires to pull in both Python versions which may be heavy on embedded Nano installs, but we cannot see another way for this tedious task which will probably stretch into 19.7 to be fully carried out in 20.1.

And speaking of 20.1: This is the first of many reminders that 20.1 will discontinue the i386 (Intel 32 Bit) franchise as discussed a number of times within the community over the years. Our hope is that ARM64 will make a viable replacement. But that is for another time.

As you may have noticed the project has not been delivering releases every other week and there are a number of reasons for it:

Security-wise we have not had a lot of necessary third-party software updates. Feature-wise we are sitting on a number of improvements for the upcoming 19.7 series that will trickle into 19.1.x now, but that have also required larger preparations and testing in the meantime. On the community side of the spectrum, sponsored by our partner m.a.x. it, we have started to work on better default gateway switching which led to an overall gateway integration rework and then quickly to interface handling restructuring, which in turn led to improving plugin capabilities of core services (OpenVPN, IPsec, Unbound, Dnsmasq, DHCPD, Dpinger). Looking at it now it has been the largest rework so far on code established many years ago and only occasionally patched. We hope this shows our dedication to the code base even when things are not always 100% bug free. If you feel like pitching in now is a good time to try the development version and let us know about how it performs.

Without further ado, here are the full patch notes:

o system: HA sync cleanup removes opportunistic syncs in random GUI pages (use HA status page to sync and restart remote services)
o system: support for syncing alias and VHID to the slave
o system: cleanly rewrite CA root files and add local trusted CAs as well
o system: disable backup cron job when no backup is enabled
o system: more reliable load and sync for LDAP attributes (contributed by Indrajit Raychaudhuri)
o system: migrate health graph scripts to Python 3.6
o interfaces: properly add and remove IPv6 trackers after interface apply
o interfaces: validate prefix ID of IPv6 trackers so that each ID is unique
o interfaces: display "0x" in prefix ID field so that it is clear that value is in hex
o interfaces: fix passing VLAN name in interface_virtual_create()
o interfaces: fix group-related bugs and allow digits and underscores in name, but no more than 15 characters
o interfaces: allow link-local address on bridges via optional setting
o interfaces: PPP-related code cleanups
o firewall: prevent double-escaping of text in rules page
o firewall: handle IDNA encode failures in aliases
o firewall: alias import / export option
o captive portal: update to bootstrap 3.4.1
o captive portal: fix a race in directory creation and listClients()
o dhcp: fix TFTP boot file name usage (contributed by Bjorn Kalkbrenner)
o dhcp: merge static mac addresses with leases
o dhcp: prevent double-escaping of text in leases page
o firmware: add private log file for major upgrade package install step
o firmware: use a safer major upgrade package install mode
o firmware: retain /etc/motd on base updates
o ipsec: implemented wildcard includes (contributed by Mark Plomer)
o ipsec: only apply mobile PFS to mobile phase 2
o ipsec: restyle mobile settings a little
o ipsec: switch XAuth to PAM
o ipsec: partial fix for static routes on routed tunnels during boot
o network time: reload RRD since NTP has a setting for it
o web proxy: fix PAC weekday match labels (contributed by Mohammed Sadiq)
o web proxy: switch authentication to PAM
o backend: treat non existing key as empty string in sortDictList()
o mvc: pluggable PAM-based authentication framework
o mvc: add filter closure to searchBase()
o plugins: introduce plugins_run() for collecting structured data from plugins
o plugins: os-clamav 1.6[1]
o plugins: os-dyndns 1.5 fixes CloudFlare zone ID lookup behaviour (contributed by George Johnson)
o plugins: os-frr 1.10[2]
o plugins: os-netdata 1.0 (contributed by Michael Muenz)
o plugins: os-nginx 1.11_2 fixes ACME support (contributed by Frank Wall)
o plugins: os-rfc2136 1.5 removes unused gateway group related code
o src: move invoking of callout_stop(&lle->lle_timer) into llentry_free()
o src: ensure that IP addresses match in ICMP error packets in pf(4)
o src: add bsdinstall utility for upcoming 19.7 installer replacement
o ports: dhcp6c v20190419 fixes raw options segfaults (contributed by Franck78)
o ports: hostapd / wpa_supplicant 2.8[3]
o ports: perl 5.28.2[4]
o ports: py-yaml 5.1[5]
o ports: suricata 4.1.4[6]
o ports: sqlite 3.27.2[7]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/master/security/clamav/pkg-descr
[2] https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr
[3] https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog
[4] https://perldoc.pl/5.28.2/perldelta
[5] https://github.com/yaml/pyyaml/blob/master/CHANGES
[6] https://suricata-ids.org/2019/04/30/suricata-4-1-4-released/
[7] https://www.sqlite.org/changes.html

12

Announcements / OPNsense 19.1.6 released

« on: April 11, 2019, 04:02:30 pm »

Hi there,

This update brings a smaller number of fixes and improvements as well as the latest PHP version update.

With a heavy heart we disable E_WARNING messages in the PHP error reporting. It was been implemented in 2015 to improve code quality and it did just that, but with the latest PHP 7.2 jump in 19.1.5 it causes problems around the newly added count() usage warning messages. We plan to bring back E_WARNING usage in 19.7.

Here are the full patch notes:

o system: let dashboard only accept its own POST requests
o system: remove obsolete symlink to opnsense-auth
o system: skip PHP E_WARNING log level until 19.7
o system: numerous PHP 7.2 warning fixes
o dhcp: DHCPD server check in relay only if interface is active
o dnsmasq: skip empty custom options
o intrusion prevention: do not drop flowbits:noalert rules
o unbound: add ACL entries for OpenVPN by default
o mvc: controller cleanups in firewall shaper, web proxy and captive portal
o plugins: numerous PHP 7.2 warning fixes
o plugins: os-freeradius 1.9.2 fixes LDAP group filter and EAP certificates write (contributed by Alexander Harm)
o plugins: os-nginx 1.11[1]
o ports: php 7.2.17[2]
o ports: py-certifi 2019.3.9[3]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[2] https://www.php.net/ChangeLog-7.php#7.2.17
[3] https://pypi.org/project/certifi/2019.3.9/

13

Announcements / OPNsense 19.1.5 released

« on: April 05, 2019, 11:55:18 am »

Hi all,

After a longer pause we are back with considerable upgrades for IPsec, a new CSR feature for local CAs, PHP 7.2 migration and a number of other considerable third party updates.

These are the full patch notes:

o system: improve gateway status return when monitoring is off
o system: warn user about future deprecation of "user-config-readonly" privilege
o system: support certificate signing requests (contributed by nhirokinet)
o system: syslog does not need to do a background startup since it backgrounds itself
o system: invalidate Nextcloud URL with trailing slash (contributed by Fabian Franz)
o system: avoid double encoding cert name (contributed by Indrajit Raychaudhuri)
o interfaces: fix facility for rtsold log about dhcp6c (contributed by Thomas du Boys)
o interfaces: take all unknown arguments as real interfaces in interfaces_addresses()
o interfaces: optionally allow interfaces_addresses() to emit subnets instead of addresses
o interfaces: move mpd.script to new location (may require interface reconfigure)
o firewall: proper locking of aliases before config action on delete
o firewall: correctly set outbound NAT destination as network
o firewall: add support for DSCP in shaper (contributed by Michael Muenz)
o firewall: add support for IDN in aliases (contributed by Smart-Soft)
o captive portal: allow access to this host (contributed by Fredrik Ronnvall)
o firmware: fix parsing of packages in multi-repo env and revoked fingerprint message
o firmware: add University of Kent to the firmware mirrors
o ipsec: only use explicit reqid when using route-based interfaces
o ipsec: correctly set install policy option on newly created phase 1 entries
o ipsec: improve split DNS and INTERNAL_DNS_DOMAIN configuration
o ipsec: added IKEv2 DH group 31 / curve 25519 (contributed by Peter Stehlin)
o ipsec: properly quote UNITY_BANNER for multi-line support
o ipsec: support for dynamic remote gateways
o monit: add migration/validation for service/test type dependency (contributed by Frank Brendel)
o monit: added missing "not on" label
o openvpn: support static-challenge formatted password
o openvpn: properly load custom config field in exporter
o openvpn: cleanups in listening address handling
o web proxy: IP address not available when address set to none
o web proxy: add sortable support for PAC proxy lists (contributed by Fabian Franz)
o web proxy: add dash to allowed characters in description (contributed by Fabian Franz)
o backend: python 2->3 iteritems() conversion in core templates
o mvc: migrate  config backup rotation to handle static and MVC pages (contributed by Smart-Soft)
o mvc: controller cleanups in cron, intrusion detection, routes
o mvc: obey "user-config-readonly" privilege in mutable controllers
o mvc: support overlays in setBase() / addBase()
o ui: remove jquery-bootgrid converters which are now included in the library
o plugins: os-acmle-client 1.23[1][2][3]
o plugins: os-dyndns 1.14 supports wildcards for Google Domains
o plugins: os-etpro-telemetry 1.3 uses HOME_NET to anonymization
o plugins: os-freeradius 19.1.0[4]
o plugins: os-frr 1.9[5]
o plugins: os-nginx 1.10[6]
o plugins: os-postfix 1.9[7]
o plugins: os-rspamd 1.5[8]
o plugins: os-telegraf 1.7.5[9]
o plugins: os-theme-cicada 1.15 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.14 (contributed by Team Rebellion)
o plugins: os-zabbix-agent 1.5[10]
o ports: ca_root_nss 3.43
o ports: curl 7.64.1
o ports: libucl 0.8.1
o ports: pcre 8.43
o ports: php 7.2.16
o ports: py-cryptography 2.6.1
o ports: phpseclib 2.0.15
o ports: python 2.7.16
o ports: unbound 1.9.1


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/pull/1166
[2] https://github.com/opnsense/plugins/pull/1212
[3] https://github.com/opnsense/plugins/pull/1263
[4] https://github.com/opnsense/plugins/blob/master/net/freeradius/pkg-descr
[5] https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr
[6] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[7] https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr
[8] https://github.com/opnsense/plugins/blob/master/mail/rspamd/pkg-descr
[9] https://github.com/opnsense/plugins/blob/master/net-mgmt/telegraf/pkg-descr
[10] https://github.com/opnsense/plugins/pull/1262

14

Announcements / OPNsense 19.1.4 image refresh

« on: March 29, 2019, 12:54:40 pm »

Dear friends and followers,

For more than four years now, OPNsense is driving innovation through modularising and hardening the code base, quick and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

We are happy to announce the immediate availability of the renewed OPNsense 19.1 images based on version 19.1.4. Apart from the numerous improvements since the initial release, the images contain four relevant fixes:

o src: revert upstream commit "protect the kernel text, data, and BSS" to fix certain UEFI boots
o installer: revert to use network connection to allow CTRL+C and resume
o interfaces: 6RD interface naming 18.7 behaviour
o interfaces: DHCP override MTU option

The full list of changes of the OPNsense 19.1 series can be reviewed using their original announcements:

o 19.1: https://forum.opnsense.org/index.php?topic=11398.0
o 19.1.1: https://forum.opnsense.org/index.php?topic=11469.0
o 19.1.2: https://forum.opnsense.org/index.php?topic=11849.0
o 19.1.3: https://forum.opnsense.org/index.php?topic=11941.0
o 19.1.4: https://forum.opnsense.org/index.php?topic=12013.0

We would also like to use this opportunity to remind everyone that OPNsense is and always will be free software. All of its source code and associated build tools can be found here:

https://github.com/opnsense

Download links, an installation guide[1] and the checksums for the images can be found below as well.

o Europe: https://opnsense.c0urier.net/releases/19.1/
o US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.1/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.1/
o South America: http://mirror.upb.edu.co/opnsense/releases/19.1/
o South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.1/
o Full mirror list: https://opnsense.org/download/

The public key for the 19.1 series is:

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4NKHVbdmq9RN085Nfdyc
ip5IMNwcc4QcvGIbN51+UiHh8+aj+JJSswHg5ZBwKk6bxt8kA1NAJQk5U6Qb/UXi
QYt0zvN2ABrzBHq6WRE5WPzmQa1Raky4ChfQqorOFi3D96rMvI/Anm4OLllHcMX/
GKPA1XcODJTFQOjsAR+87V6Em+W0YX0lGLTmWdmwWfGeGQFJzA2A/Wxn3b0jDS9m
pyHlj4jzat6032qs7Uxf+qWopj+d76ZyxedQVPswKa9o9qKF2iUoSSG/11kFpLi6
Y+gXCXZDL20GXsPuBi1hpPnkhBFI+WFlC1KiA8RRGMpDKGQFw/XYIwKvfdRw82Mx
NkJYCiRNZxXnDzInTLuyEpS9yzQXdxa6YFR9USeFpjLaVUppT57M5xfdPFRdhImj
1crhMjQZWt+054JTadvEu4o1c+45damruqtQntvnF7h5vcNCjExlREKK32rMXbGD
Fb19G/3x8UASqVslkXeNtTj0fVPN+78yVyqjWCBe2zHiBlnWBmRu6tlrEDl/MVAz
Yk3rHMYdRpDYolWBD8bAzqohSatbrzWUjjF7GlLR6HfXsCYxPzGJb6Ed4We+ZjvH
C3/LHyuZD6EmksSraJt8XeVvTQlPnPI+jVbqJERi/p3F9KRVy8mwEwk/4MDbPhZ0
zizSg7+Yn6Rac/F0QlvUPa8CAwEAAQ==
-----END PUBLIC KEY-----


Stay safe,
Your OPNsense team

--
[1] https://docs.opnsense.org/manual/install.html

SHA256 (OPNsense-19.1.4-OpenSSL-dvd-amd64.iso.bz2) = 5f2e64797fce03d4d47050894c38e8e176fda6281009abd36f60d788d3e29d42
SHA256 (OPNsense-19.1.4-OpenSSL-nano-amd64.img.bz2) = ee5171fb837884fffd29c6e75cb089dc4020fb89459143bd9e7b859b1da3fd89
SHA256 (OPNsense-19.1.4-OpenSSL-serial-amd64.img.bz2) = 07868978903220bf9dee26c936d25140df07ec9c02cb8c480bd8619e69c562a0
SHA256 (OPNsense-19.1.4-OpenSSL-vga-amd64.img.bz2) = e473bc645778c95596639056ecc8ef92a12a7fd1cdc52cd0b1f6294a64561311

SHA256 (OPNsense-19.1.4-OpenSSL-dvd-i386.iso.bz2) = 9f40b591c27d90a86c60ec0b539f228999953f947573e2e575c2936c3993d7c0
SHA256 (OPNsense-19.1.4-OpenSSL-nano-i386.img.bz2) = c624d50b19f2ae4d471076c53f5c516e3a523ff41b69d0bfa779b5fff6415f81
SHA256 (OPNsense-19.1.4-OpenSSL-serial-i386.img.bz2) = 62bff974ae4238dfc2e830a32fbf4bd357ff418d15be99b89ac129f839e10eaf
SHA256 (OPNsense-19.1.4-OpenSSL-vga-i386.img.bz2) = ca893277a02b93129e6a30125107f7ad4fc01673b722f54ce6e5cb7eb438cae4

15

Announcements / OPNsense 19.1.4 released

« on: March 12, 2019, 12:01:21 pm »

Howdy,

An UEFI boot panic scenario was debugged last week with the help of the community. This update includes a fix that will allow the ones affected by this 19.1 issue to upgrade or install (and boot of course) correctly. We are also including the IPsec VTI support and the latest Suricata 4.1.3 with stability and compatibility fixes.

Due to the severity of the UEFI boot panic 19.1.4 will be the new initial release for all upgrades from 18.7 within a day or two depending on additional testing and confirmation. Last but not least there will be new images some time next week to put this fully behind us. Thank you for your patience and understanding. 

Special thanks go to the team of Synacktiv for reporting a packet filter IPv6 vulnerability for which a patch was included as well.

Here are the full patch notes:

o system: remove erroneously translated hostname example (contributed by nhirokinet)
o firewall: fix validation regression in outbound NAT introduced in 19.1.3
o firewall: mock labels for NAT rules in live log as pf does not offer label support
o interfaces: do not background LAGG ifconfig destroy
o installer: revert to use network connection to allow CTRL+C and resume
o ipsec: added Virtual Tunnel Interface (VTI) support
o unbound: fix nested statistics items read
o mvc: remove old Phalcon volt template workarounds from when scopes were broken
o mvc: fix bug in model relation field values merge
o plugins: os-zabbix4-proxy PSK directory fix (contributed by Michael Muenz)
o plugins: os-telegraf missed invoke of setup.sh
o plugins: os-frr adds validator to OSPF prefix lists (contributed by Michael Muenz)
o plugins: os-dmidecode 1.1 fixes data parsing (contributed by Smart-Soft)
o plugins: os-nginx 1.9[1]
o src: do not pass pf(4) IPv6 fragments with malformed extension headers (reported by Synacktiv)
o src: revert upstream commit "protect the kernel text, data, and BSS" to fix certain UEFI boots
o ports: monit 5.25.3[2]
o ports: ntp 4.2.8p13[3]
o ports: php 7.1.27[4]
o ports: suricata 4.1.3[5]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[2] https://mmonit.com/monit/changes/
[3] http://support.ntp.org/bin/view/Main/NtpBug3565
[4] http://php.net/ChangeLog-7.php#7.1.27
[5] https://suricata-ids.org/2019/03/07/suricata-4-1-3-released/