OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of franco »
  • Show Posts »
  • Topics
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Topics - franco

Pages: [1] 2 3 ... 15
1
Announcements / OPNsense 19.1.8 released
« on: May 20, 2019, 12:09:17 pm »
Good day to you all,

This update addresses several privilege escalation issues in the access control implementation and new memory disclosure issues in Intel CPUs. We would like to thank Arnaud Cordier and Bill Marquette for the top-notch reports and coordination.

Here are the full patch notes:

o system: address CVE-2019-11816 privilege escalation bugs[1] (reported by Arnaud Cordier)
o system: /etc/hosts generation without interface_has_gateway()
o system: show correct timestamp in config restore save message (contributed by nhirokinet)
o system: list the commands for the pluginctl utility when no argument is given
o system: introduce and use userIsAdmin() helper function instead of checking for 'page-all' privilege directly
o system: use absolute path in widget ACLs (reported by Netgate)
o system: RRD-related cleanups for less code exposure
o interfaces: add EN DUID Generation using OPNsense PEN (contributed by Team Rebellion)
o interfaces: replace legacy_getall_interface_addresses() usage
o firewall: fix port validation in aliases with leading / trailing spaces
o firewall: fix outbound NAT translation display in overview page
o firewall: prevent CARP outgoing packets from using the configured gateway
o firewall: use CARP net.inet.carp.demotion to control current demotion in status page
o firewall: stop live log poller on error result
o dhcpd: change rule priority to 1 to avoid bogon clash
o dnsmasq: only admins may edit custom options field
o firmware: use insecure mode for base and kernel sets when package fingerprints are disabled
o firmware: add optional device support for base and kernel sets
o firmware: add Hostcentral mirror (HTTP, Melbourne, Australia)
o ipsec: always reset rightallowany to default when writing configuration
o lang: say "hola" to Spanish as the newest available GUI language
o lang: updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese
o network time: only admins may edit custom options field
o openvpn: call openvpn_refresh_crls() indirectly via plugin_configure() for less code exposure
o openvpn: only admins may edit custom options field to prevent privilege escalation (reported by Bill Marquette)
o openvpn: remove custom options field from wizard
o unbound: only admins may edit custom options field
o wizard: translate typehint as well
o plugins: os-freeradius 1.9.3 fixes string interpolation in LDAP filters (contributed by theq86)
o plugins: os-nginx 1.12[2]
o plugins: os-theme-cicada 1.17 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.17 (contributed by Team Rebellion)
o src: timezone database information update[3]
o src: install(1) broken with partially matching relative paths[4]
o src: microarchitectural Data Sampling (MDS) mitigation[5]
o ports: ca_root_nss 3.44
o ports: php 7.2.18[6]
o ports: sqlite 3.28.0[7]
o ports: strongswan custom XAuth generic patch removed


Stay safe,
Your OPNsense team

--
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11816
[2] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[3] https://www.freebsd.org/security/advisories/FreeBSD-EN-19:08.tzdata.asc
[4] https://www.freebsd.org/security/advisories/FreeBSD-EN-19:09.xinstall.asc
[5] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:07.mds.asc
[6] https://www.php.net/ChangeLog-7.php#7.2.18
[7] https://www.sqlite.org/changes.html

2
19.1 Production Series / [CALL FOR TESTING] Microarchitectural Data Sampling (MDS) patch
« on: May 17, 2019, 10:01:23 am »
Hi everyone,

I'm sure you've heard another Intel CPU bug class is making its rounds. Amongst them is https://zombieloadattack.com/

We would like to get your early feedback for Monday's patching using this call for testing for the to be shipped operating system update. To apply the upcoming patch you can use the following commands from the shell which will install both the base (-b) and kernel (-k) to be included in 19.1.8 (-r):

# opnsense-update -r 19.1.8 -b -k
# opnsense-shell reboot

All feedback for amd64 and i386 architectures is appreciated. Let us know you're running the patch under what architecture and possibly hardware even if it works fine. You can check the install state with the uname utility after reboot:

# uname -a
FreeBSD host.domain 11.2-RELEASE-p10-HBSD FreeBSD 11.2-RELEASE-p10-HBSD  5e5adf26fc3(stable/19.1)  amd64

Read more about the MDS patch and subsequent microcode updates via FreeBSD's security advisory:

https://www.freebsd.org/security/advisories/FreeBSD-SA-19:07.mds.asc


Thank you,
Franco

3
Documentation and Translation / Translation project update for upcoming 19.7
« on: May 06, 2019, 08:49:06 am »
Hi all,

First of all thanks to the many contributors to our translations. Thanks to you OPNsense is available in 10 languages all around the globe!

There will be a language pack update for 19.1.8. Yet the larger point is that the strings were regenerated using the latest source code and so 7000+ possible translations turned into over 9000+, which requires new attention in every language to get back to 100%.

For more info or an account see https://translate.opnsense.org

If you have any questions please let us know. :)


Cheers,
Franco

4
Announcements / OPNsense 19.1.7 released
« on: May 02, 2019, 02:05:06 pm »
Hello, hello!

This update features a number of improvements such as link-local support for bridges, HA sync consolidation, adding local CAs to the trusted SSL certificates for most of the system download capabilities, plugin-based PAM authentication rework for IPsec and the web proxy as well as third party fixes for hostapd / wpa_supplicant 2.8 and Suricata 4.1.4.

Python 3 migration is also underway now which requires to pull in both Python versions which may be heavy on embedded Nano installs, but we cannot see another way for this tedious task which will probably stretch into 19.7 to be fully carried out in 20.1.

And speaking of 20.1: This is the first of many reminders that 20.1 will discontinue the i386 (Intel 32 Bit) franchise as discussed a number of times within the community over the years. Our hope is that ARM64 will make a viable replacement. But that is for another time.

As you may have noticed the project has not been delivering releases every other week and there are a number of reasons for it:

Security-wise we have not had a lot of necessary third-party software updates. Feature-wise we are sitting on a number of improvements for the upcoming 19.7 series that will trickle into 19.1.x now, but that have also required larger preparations and testing in the meantime. On the community side of the spectrum, sponsored by our partner m.a.x. it, we have started to work on better default gateway switching which led to an overall gateway integration rework and then quickly to interface handling restructuring, which in turn led to improving plugin capabilities of core services (OpenVPN, IPsec, Unbound, Dnsmasq, DHCPD, Dpinger). Looking at it now it has been the largest rework so far on code established many years ago and only occasionally patched. We hope this shows our dedication to the code base even when things are not always 100% bug free. If you feel like pitching in now is a good time to try the development version and let us know about how it performs.

Without further ado, here are the full patch notes:

o system: HA sync cleanup removes opportunistic syncs in random GUI pages (use HA status page to sync and restart remote services)
o system: support for syncing alias and VHID to the slave
o system: cleanly rewrite CA root files and add local trusted CAs as well
o system: disable backup cron job when no backup is enabled
o system: more reliable load and sync for LDAP attributes (contributed by Indrajit Raychaudhuri)
o system: migrate health graph scripts to Python 3.6
o interfaces: properly add and remove IPv6 trackers after interface apply
o interfaces: validate prefix ID of IPv6 trackers so that each ID is unique
o interfaces: display "0x" in prefix ID field so that it is clear that value is in hex
o interfaces: fix passing VLAN name in interface_virtual_create()
o interfaces: fix group-related bugs and allow digits and underscores in name, but no more than 15 characters
o interfaces: allow link-local address on bridges via optional setting
o interfaces: PPP-related code cleanups
o firewall: prevent double-escaping of text in rules page
o firewall: handle IDNA encode failures in aliases
o firewall: alias import / export option
o captive portal: update to bootstrap 3.4.1
o captive portal: fix a race in directory creation and listClients()
o dhcp: fix TFTP boot file name usage (contributed by Bjorn Kalkbrenner)
o dhcp: merge static mac addresses with leases
o dhcp: prevent double-escaping of text in leases page
o firmware: add private log file for major upgrade package install step
o firmware: use a safer major upgrade package install mode
o firmware: retain /etc/motd on base updates
o ipsec: implemented wildcard includes (contributed by Mark Plomer)
o ipsec: only apply mobile PFS to mobile phase 2
o ipsec: restyle mobile settings a little
o ipsec: switch XAuth to PAM
o ipsec: partial fix for static routes on routed tunnels during boot
o network time: reload RRD since NTP has a setting for it
o web proxy: fix PAC weekday match labels (contributed by Mohammed Sadiq)
o web proxy: switch authentication to PAM
o backend: treat non existing key as empty string in sortDictList()
o mvc: pluggable PAM-based authentication framework
o mvc: add filter closure to searchBase()
o plugins: introduce plugins_run() for collecting structured data from plugins
o plugins: os-clamav 1.6[1]
o plugins: os-dyndns 1.5 fixes CloudFlare zone ID lookup behaviour (contributed by George Johnson)
o plugins: os-frr 1.10[2]
o plugins: os-netdata 1.0 (contributed by Michael Muenz)
o plugins: os-nginx 1.11_2 fixes ACME support (contributed by Frank Wall)
o plugins: os-rfc2136 1.5 removes unused gateway group related code
o src: move invoking of callout_stop(&lle->lle_timer) into llentry_free()
o src: ensure that IP addresses match in ICMP error packets in pf(4)
o src: add bsdinstall utility for upcoming 19.7 installer replacement
o ports: dhcp6c v20190419 fixes raw options segfaults (contributed by Franck78)
o ports: hostapd / wpa_supplicant 2.8[3]
o ports: perl 5.28.2[4]
o ports: py-yaml 5.1[5]
o ports: suricata 4.1.4[6]
o ports: sqlite 3.27.2[7]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/master/security/clamav/pkg-descr
[2] https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr
[3] https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog
[4] https://perldoc.pl/5.28.2/perldelta
[5] https://github.com/yaml/pyyaml/blob/master/CHANGES
[6] https://suricata-ids.org/2019/04/30/suricata-4-1-4-released/
[7] https://www.sqlite.org/changes.html

5
Announcements / OPNsense 19.1.6 released
« on: April 11, 2019, 04:02:30 pm »
Hi there,

This update brings a smaller number of fixes and improvements as well as the latest PHP version update.

With a heavy heart we disable E_WARNING messages in the PHP error reporting. It was been implemented in 2015 to improve code quality and it did just that, but with the latest PHP 7.2 jump in 19.1.5 it causes problems around the newly added count() usage warning messages. We plan to bring back E_WARNING usage in 19.7.

Here are the full patch notes:

o system: let dashboard only accept its own POST requests
o system: remove obsolete symlink to opnsense-auth
o system: skip PHP E_WARNING log level until 19.7
o system: numerous PHP 7.2 warning fixes
o dhcp: DHCPD server check in relay only if interface is active
o dnsmasq: skip empty custom options
o intrusion prevention: do not drop flowbits:noalert rules
o unbound: add ACL entries for OpenVPN by default
o mvc: controller cleanups in firewall shaper, web proxy and captive portal
o plugins: numerous PHP 7.2 warning fixes
o plugins: os-freeradius 1.9.2 fixes LDAP group filter and EAP certificates write (contributed by Alexander Harm)
o plugins: os-nginx 1.11[1]
o ports: php 7.2.17[2]
o ports: py-certifi 2019.3.9[3]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[2] https://www.php.net/ChangeLog-7.php#7.2.17
[3] https://pypi.org/project/certifi/2019.3.9/

6
Announcements / OPNsense 19.1.5 released
« on: April 05, 2019, 11:55:18 am »
Hi all,

After a longer pause we are back with considerable upgrades for IPsec, a new CSR feature for local CAs, PHP 7.2 migration and a number of other considerable third party updates.

These are the full patch notes:

o system: improve gateway status return when monitoring is off
o system: warn user about future deprecation of "user-config-readonly" privilege
o system: support certificate signing requests (contributed by nhirokinet)
o system: syslog does not need to do a background startup since it backgrounds itself
o system: invalidate Nextcloud URL with trailing slash (contributed by Fabian Franz)
o system: avoid double encoding cert name (contributed by Indrajit Raychaudhuri)
o interfaces: fix facility for rtsold log about dhcp6c (contributed by Thomas du Boys)
o interfaces: take all unknown arguments as real interfaces in interfaces_addresses()
o interfaces: optionally allow interfaces_addresses() to emit subnets instead of addresses
o interfaces: move mpd.script to new location (may require interface reconfigure)
o firewall: proper locking of aliases before config action on delete
o firewall: correctly set outbound NAT destination as network
o firewall: add support for DSCP in shaper (contributed by Michael Muenz)
o firewall: add support for IDN in aliases (contributed by Smart-Soft)
o captive portal: allow access to this host (contributed by Fredrik Ronnvall)
o firmware: fix parsing of packages in multi-repo env and revoked fingerprint message
o firmware: add University of Kent to the firmware mirrors
o ipsec: only use explicit reqid when using route-based interfaces
o ipsec: correctly set install policy option on newly created phase 1 entries
o ipsec: improve split DNS and INTERNAL_DNS_DOMAIN configuration
o ipsec: added IKEv2 DH group 31 / curve 25519 (contributed by Peter Stehlin)
o ipsec: properly quote UNITY_BANNER for multi-line support
o ipsec: support for dynamic remote gateways
o monit: add migration/validation for service/test type dependency (contributed by Frank Brendel)
o monit: added missing "not on" label
o openvpn: support static-challenge formatted password
o openvpn: properly load custom config field in exporter
o openvpn: cleanups in listening address handling
o web proxy: IP address not available when address set to none
o web proxy: add sortable support for PAC proxy lists (contributed by Fabian Franz)
o web proxy: add dash to allowed characters in description (contributed by Fabian Franz)
o backend: python 2->3 iteritems() conversion in core templates
o mvc: migrate  config backup rotation to handle static and MVC pages (contributed by Smart-Soft)
o mvc: controller cleanups in cron, intrusion detection, routes
o mvc: obey "user-config-readonly" privilege in mutable controllers
o mvc: support overlays in setBase() / addBase()
o ui: remove jquery-bootgrid converters which are now included in the library
o plugins: os-acmle-client 1.23[1][2][3]
o plugins: os-dyndns 1.14 supports wildcards for Google Domains
o plugins: os-etpro-telemetry 1.3 uses HOME_NET to anonymization
o plugins: os-freeradius 19.1.0[4]
o plugins: os-frr 1.9[5]
o plugins: os-nginx 1.10[6]
o plugins: os-postfix 1.9[7]
o plugins: os-rspamd 1.5[8]
o plugins: os-telegraf 1.7.5[9]
o plugins: os-theme-cicada 1.15 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.14 (contributed by Team Rebellion)
o plugins: os-zabbix-agent 1.5[10]
o ports: ca_root_nss 3.43
o ports: curl 7.64.1
o ports: libucl 0.8.1
o ports: pcre 8.43
o ports: php 7.2.16
o ports: py-cryptography 2.6.1
o ports: phpseclib 2.0.15
o ports: python 2.7.16
o ports: unbound 1.9.1


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/pull/1166
[2] https://github.com/opnsense/plugins/pull/1212
[3] https://github.com/opnsense/plugins/pull/1263
[4] https://github.com/opnsense/plugins/blob/master/net/freeradius/pkg-descr
[5] https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr
[6] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[7] https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr
[8] https://github.com/opnsense/plugins/blob/master/mail/rspamd/pkg-descr
[9] https://github.com/opnsense/plugins/blob/master/net-mgmt/telegraf/pkg-descr
[10] https://github.com/opnsense/plugins/pull/1262

7
Announcements / OPNsense 19.1.4 image refresh
« on: March 29, 2019, 12:54:40 pm »
Dear friends and followers,

For more than four years now, OPNsense is driving innovation through modularising and hardening the code base, quick and reliable firmware upgrades, multi-language support, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

We are happy to announce the immediate availability of the renewed OPNsense 19.1 images based on version 19.1.4. Apart from the numerous improvements since the initial release, the images contain four relevant fixes:

o src: revert upstream commit "protect the kernel text, data, and BSS" to fix certain UEFI boots
o installer: revert to use network connection to allow CTRL+C and resume
o interfaces: 6RD interface naming 18.7 behaviour
o interfaces: DHCP override MTU option

The full list of changes of the OPNsense 19.1 series can be reviewed using their original announcements:

o 19.1: https://forum.opnsense.org/index.php?topic=11398.0
o 19.1.1: https://forum.opnsense.org/index.php?topic=11469.0
o 19.1.2: https://forum.opnsense.org/index.php?topic=11849.0
o 19.1.3: https://forum.opnsense.org/index.php?topic=11941.0
o 19.1.4: https://forum.opnsense.org/index.php?topic=12013.0

We would also like to use this opportunity to remind everyone that OPNsense is and always will be free software. All of its source code and associated build tools can be found here:

https://github.com/opnsense

Download links, an installation guide[1] and the checksums for the images can be found below as well.

o Europe: https://opnsense.c0urier.net/releases/19.1/
o US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.1/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.1/
o South America: http://mirror.upb.edu.co/opnsense/releases/19.1/
o South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.1/
o Full mirror list: https://opnsense.org/download/

The public key for the 19.1 series is:

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4NKHVbdmq9RN085Nfdyc
ip5IMNwcc4QcvGIbN51+UiHh8+aj+JJSswHg5ZBwKk6bxt8kA1NAJQk5U6Qb/UXi
QYt0zvN2ABrzBHq6WRE5WPzmQa1Raky4ChfQqorOFi3D96rMvI/Anm4OLllHcMX/
GKPA1XcODJTFQOjsAR+87V6Em+W0YX0lGLTmWdmwWfGeGQFJzA2A/Wxn3b0jDS9m
pyHlj4jzat6032qs7Uxf+qWopj+d76ZyxedQVPswKa9o9qKF2iUoSSG/11kFpLi6
Y+gXCXZDL20GXsPuBi1hpPnkhBFI+WFlC1KiA8RRGMpDKGQFw/XYIwKvfdRw82Mx
NkJYCiRNZxXnDzInTLuyEpS9yzQXdxa6YFR9USeFpjLaVUppT57M5xfdPFRdhImj
1crhMjQZWt+054JTadvEu4o1c+45damruqtQntvnF7h5vcNCjExlREKK32rMXbGD
Fb19G/3x8UASqVslkXeNtTj0fVPN+78yVyqjWCBe2zHiBlnWBmRu6tlrEDl/MVAz
Yk3rHMYdRpDYolWBD8bAzqohSatbrzWUjjF7GlLR6HfXsCYxPzGJb6Ed4We+ZjvH
C3/LHyuZD6EmksSraJt8XeVvTQlPnPI+jVbqJERi/p3F9KRVy8mwEwk/4MDbPhZ0
zizSg7+Yn6Rac/F0QlvUPa8CAwEAAQ==
-----END PUBLIC KEY-----


Stay safe,
Your OPNsense team

--
[1] https://docs.opnsense.org/manual/install.html

SHA256 (OPNsense-19.1.4-OpenSSL-dvd-amd64.iso.bz2) = 5f2e64797fce03d4d47050894c38e8e176fda6281009abd36f60d788d3e29d42
SHA256 (OPNsense-19.1.4-OpenSSL-nano-amd64.img.bz2) = ee5171fb837884fffd29c6e75cb089dc4020fb89459143bd9e7b859b1da3fd89
SHA256 (OPNsense-19.1.4-OpenSSL-serial-amd64.img.bz2) = 07868978903220bf9dee26c936d25140df07ec9c02cb8c480bd8619e69c562a0
SHA256 (OPNsense-19.1.4-OpenSSL-vga-amd64.img.bz2) = e473bc645778c95596639056ecc8ef92a12a7fd1cdc52cd0b1f6294a64561311

SHA256 (OPNsense-19.1.4-OpenSSL-dvd-i386.iso.bz2) = 9f40b591c27d90a86c60ec0b539f228999953f947573e2e575c2936c3993d7c0
SHA256 (OPNsense-19.1.4-OpenSSL-nano-i386.img.bz2) = c624d50b19f2ae4d471076c53f5c516e3a523ff41b69d0bfa779b5fff6415f81
SHA256 (OPNsense-19.1.4-OpenSSL-serial-i386.img.bz2) = 62bff974ae4238dfc2e830a32fbf4bd357ff418d15be99b89ac129f839e10eaf
SHA256 (OPNsense-19.1.4-OpenSSL-vga-i386.img.bz2) = ca893277a02b93129e6a30125107f7ad4fc01673b722f54ce6e5cb7eb438cae4

8
Announcements / OPNsense 19.1.4 released
« on: March 12, 2019, 12:01:21 pm »
Howdy,

An UEFI boot panic scenario was debugged last week with the help of the community. This update includes a fix that will allow the ones affected by this 19.1 issue to upgrade or install (and boot of course) correctly. We are also including the IPsec VTI support and the latest Suricata 4.1.3 with stability and compatibility fixes.

Due to the severity of the UEFI boot panic 19.1.4 will be the new initial release for all upgrades from 18.7 within a day or two depending on additional testing and confirmation. Last but not least there will be new images some time next week to put this fully behind us. Thank you for your patience and understanding.  :)

Special thanks go to the team of Synacktiv for reporting a packet filter IPv6 vulnerability for which a patch was included as well.

Here are the full patch notes:

o system: remove erroneously translated hostname example (contributed by nhirokinet)
o firewall: fix validation regression in outbound NAT introduced in 19.1.3
o firewall: mock labels for NAT rules in live log as pf does not offer label support
o interfaces: do not background LAGG ifconfig destroy
o installer: revert to use network connection to allow CTRL+C and resume
o ipsec: added Virtual Tunnel Interface (VTI) support
o unbound: fix nested statistics items read
o mvc: remove old Phalcon volt template workarounds from when scopes were broken
o mvc: fix bug in model relation field values merge
o plugins: os-zabbix4-proxy PSK directory fix (contributed by Michael Muenz)
o plugins: os-telegraf missed invoke of setup.sh
o plugins: os-frr adds validator to OSPF prefix lists (contributed by Michael Muenz)
o plugins: os-dmidecode 1.1 fixes data parsing (contributed by Smart-Soft)
o plugins: os-nginx 1.9[1]
o src: do not pass pf(4) IPv6 fragments with malformed extension headers (reported by Synacktiv)
o src: revert upstream commit "protect the kernel text, data, and BSS" to fix certain UEFI boots
o ports: monit 5.25.3[2]
o ports: ntp 4.2.8p13[3]
o ports: php 7.1.27[4]
o ports: suricata 4.1.3[5]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[2] https://mmonit.com/monit/changes/
[3] http://support.ntp.org/bin/view/Main/NtpBug3565
[4] http://php.net/ChangeLog-7.php#7.1.27
[5] https://suricata-ids.org/2019/03/07/suricata-4-1-3-released/

9
19.1 Production Series / [CALL FOR TESTING] Suricata 4.1.3
« on: March 08, 2019, 12:24:27 pm »
Dear all,

Suricata 4.1.3 was released yesterday with the following changes:

https://suricata-ids.org/2019/03/07/suricata-4-1-3-released/

Three of those issues have had impact on OPNsense, namely:

Bug #2811: netmap/afpacket IPS: stream.inline: auto broken (worked around in OPNsense 19.1.2)

Bug #2842: IPS mode crash under load (no workaround existed, regression since Suricata 4.1)

Bug #2855: Suricata does not bridge host <-> hw rings (Affects FreeBSD 11-STABLE, FreeBSD 12 and FreeBSD 13-CURRENT) (Sensei authors provided a patch for us in OPNsense 19.1)

You can manually install the latest version using (amd64 ONLY!):

# pkg add -f https://pkg.opnsense.org/FreeBSD:11:amd64/snapshots/suricata-4.1.3.txz

And restart the service.

To go back to the last release version use:

# opnsense-revert suricata

Happy to hear feedback even if it simply continues to work ok.


Thank you,
Franco

10
Announcements / OPNsense 19.1.3 released
« on: March 07, 2019, 09:44:43 pm »
Hi all,

This is a smaller stable update consisting of LDAPS authentication server improvements, Unbound host overrides alias support, OpenSSL 1.0.2r security update and the recent PAM rework for better privilege separation.

We are currently focusing on IPsec VTI, third-party service PAM integration and investigating kernel boot crashes. In the latter case we are aware of the update issues some people are having and recommend running 18.7 until this is taken care of. Above all, please be patient. New images and seamless upgrade paths will be provided as soon as the problems have been pinned down.

Here are the full patch notes:

o system: improve LDAPS mode and related authentication cleanups
o system: move enable checkbox to the top in remote logging settings
o system: allow reset of tunables to to factory defaults
o system: new tunables factory default to prevent ICMP redirects being sent (net.inet.icmp.drop_redirect=1)
o firewall: allow explicitly setting source hash key in outbound NAT (Fredrik Ronnvall)
o interfaces: probe media before applying new settings
o interfaces: correctly compare MAC addresses
o dhcp: added TFTP bootfile-name (contributed by Bjorn Kalkbrenner)
o firmware: move duty to return the correct set name / ID to opnsense-version
o firmware: finally revoke 18.7 fingerprint
o intrusion detection: minor template cleanups using helpers.empty()
o ipsec: peer identifier can now fall back to remote-gateway in manual SPD entries
o ipsec: allow easier override of colours in widget (contributed by Fabian Franz)
o monit: add validation for test type (contributed by Frank Brendel)
o openvpn: add auth-nocache option in exporter
o openvpn: validate certificate type for servers
o unbound: add host overrides alias support
o web proxy: add auth to parent proxy (contributed by Michael Muenz)
o backend: add helpers.empty() in configd
o mvc: simplify save / close / cancel button labels
o mvc: add sorting for field list types
o rc: move all template generation to early stage
o ui: improve escaping of displayed data in static pages
o ui: escape button values in static pages
o ui: avoid short PHP tags
o plugins: os-dnscrypt-proxy 1.3[1]
o plugins: os-frr brings in missing area range code[2]
o plugins: os-postfix log file ACL and wrapper mode typo fix (contributed by Michael Muenz)
o plugins: os-theme-cicada IPsec widget colour fix (contributed by Team Rebellion)
o plugins: os-theme-tukan IPsec widget colour fix (contributed by Team Rebellion)
o plugins: os-vnstat /var MFS fix[3]
o plugins: os-zabbix4-proxy 1.0 (contributed by Michael Muenz)
o ports: openssl 1.0.2r[4]
o ports: pam_opnsense 19.1.3 uses setuid for privilege separation
o ports: phalcon 3.4.3[5]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr
[2] https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr
[3] https://github.com/opnsense/plugins/blob/master/net/vnstat/pkg-descr
[4] https://www.openssl.org/news/secadv/20190226.txt
[5] https://github.com/phalcon/cphalcon/releases/tag/v3.4.3

11
Announcements / OPNsense 19.1.2 released
« on: February 28, 2019, 08:30:36 pm »
Good evening,

This update is the sum of a few weeks of intense testing and debugging in areas such as WAN DHCP with very short lease times, Suricata IPS not working as expected, stacked 6RD setups that have overly long device names amongst others.

The update may be a bit bumpy this time since the web GUI session directory will be moved to a safer location. You will be logged out during the update and the system will reboot due to the included operating system update. As soon as it is back you will be able to log in as usual.

LibreSSL received a major upgrade from 2.7 to 2.8. If you are using LibreSSL and see any issues please do let us know because it sadly looks like third party projects such as OpenVPN, Squid, StrongSwan and NTP leave the use of LibreSSL to the few users who are able to fix the source code builds on their own and we want to ideally avoid having to patch other software.

Here are the full patch notes:

o system: move session files into their own directory (forces the current sessions to expire)
o system: add validation check for time period for Dpinger (contributed by Team Rebellion)
o system: hide "show certificate info" button of pending CSR (contributed by nhirokinet)
o system: move opnsense-auth to libexec, but keep a symlink in sbin directory
o system: escaping issue in gateway edit page
o system: fix ACL for halt and reboot pages
o firewall: fix alias entry replacement in utility page
o firewall: prevent new alias creation when adding an address
o firewall: capture "nat" traffic like we do for "rdr" in live log
o firewall: escaping issues in schedule edit page
o interfaces: push dhclient and dhcp6c log messages to system log
o interfaces: write all nameservers via dhclient-script in multi WAN scenarios
o interfaces: check for valid alias IP in dhclient-script
o interfaces: 6RD interface naming back to 18.7 to sidestep character limits on stacked setups
o interfaces: avoid reading empty interface configurations
o firmware: bootstrap rework for HTTPS repository URL
o firmware: patch cache and assorted improvements
o firmware: minor update utility cleanups
o firmware: remove compatibility stubs for pre-19.1 version reads
o firmware: show revoked package mirror error in GUI if applicable
o firmware: bump RageNetwork mirror to HTTPS
o firmware: be more careful about parsing version info
o dhcp: fix behaviour of determining primary/secondary (contributed by Fredrik Ronnvall)
o intrusion detection: set stream.inline: true as an IPS workaround for a Suricata 4.1 regression[1]
o intrusion detection: support required rules/files in metadata package
o intrusion detection: less extensive logging
o ipsec: fix escaping issue in mobile page
o monit: fix address validation
o openvpn: obey verify-x509-name for remote access (user auth)
o openvpn: proper daemonize instead of background job
o openvpn: extract full CA chain for setup
o openvpn: missing "port" in protocol export
o mvc: fix port validation on whitespace input
o mvc: fix compare constraint (contributed by Fabian Franz)
o mvc: fix read-only access on config.xml during locked runs
o mvc: prevent UserException from being pushed to PHP error log
o ui: legacy browsers accommodation (contributed by NOYB)
o ui: update to Tokenize2 1.3 plus additional escaping patches
o ui: add support for Tokenize2 sortable tag
o ui: hardening of gettext() invokes in HTML tags
o ui: fix setFormData() HTML decode
o plugins: os-bind safe search google domain updates (contributed by Michael Muenz)
o plugins: os-dnscrypt-proxy 1.2[2]
o plugins: os-dyndns 1.13 IPv6 device lookup fix
o plugins: os-etpro-telemetry 1.2 reduces telemetry data collection
o plugins: os-frr 1.8 adds route summarization via area range (contributed by Michael Muenz)
o plugins: os-haproxy 2.15[3][4]
o plugins: os-nginx 1.8[5]
o plugins: os-ntopng 1.2[6]
o src: clear callee-preserved registers on amd64 syscall exit[7]
o ports: cpdup 1.20
o ports: curl 7.64.0[8]
o ports: libressl 2.8.3[9]
o ports: openvpn 2.4.7[10]
o ports: pam_opnsense manual page addition
o ports: sqlite 3.27.1[11]
o ports: squid forgery check avoidance[12]
o ports: strongswan 5.7.2[13]
o ports: unbound 1.9.0[14]


Stay safe,
Your OPNsense team

--
[1] https://redmine.openinfosecfoundation.org/issues/2811
[2] https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr
[3] https://github.com/opnsense/plugins/pull/1167
[4] https://github.com/opnsense/plugins/pull/1209
[5] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[6] https://github.com/opnsense/plugins/blob/master/net/ntopng/pkg-descr
[7] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:01.syscall.asc
[8] https://curl.haxx.se/changes.html
[9] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.8.3-relnotes.txt
[10] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24
[11] https://www.sqlite.org/releaselog/3_27_1.html
[12] https://github.com/opnsense/ports/issues/66
[13] https://wiki.strongswan.org/versions/72
[14] https://nlnetlabs.nl/projects/unbound/download/

12
Announcements / OPNsense 19.1.1 released
« on: February 05, 2019, 03:28:53 pm »
Hello,

This is a security and reliability release: WAN DHCP will no longer trust the server MTU given. Uncoordinated cross site scripting issues have been fixed. And the Python request library was patched due to CVE 2018-18074.

Here are the full patch notes:

o system: address XSS-prone escaping issues[1]
o firewall: add port range validation to shaper inputs
o firewall: drop description validation constraints
o interfaces: DHCP override MTU option (contributed by Team Rebellion)
o interfaces: properly configure SIM PIN on custom modems
o reporting: prevent cleanup from deleting current data when future data exists
o ipsec: allow same local subnet if used in different phase 1 (contributed by Max Weller)
o openvpn: multiple client export fixes
o web proxy: add ESD files to Windows cache option (contributed by R-Adrian)
o plugins: os-acme-client 1.20[2]
o plugins: os-dyndns fix for themed colours (contributed by Team Rebellion)
o plugins: os-etpro-telemetry 1.1 adds random delay to telemetry data send
o plugins: os-nginx 1.7[3]
o plugins: os-rspamd reads DKIM keys via Redis (contributed by Garrod Alwood)
o plugins: os-theme-cicada 1.14 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.13 (contributed by Team Rebellion)
o ports: ca_root_nss 3.42.1
o ports: lighttpd 1.4.53[4]
o ports: py-request 2.21.0[5]


Stay safe,
Your OPNsense team

--
[1] https://packetstormsecurity.com/files/151381/OPNsense-18.7-Cross-Site-Scripting.html
[2] https://github.com/opnsense/plugins/pull/1157
[3] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[4] https://www.lighttpd.net/2019/1/27/1.4.53/
[5] https://vuxml.freebsd.org/freebsd/50ad9a9a-1e28-11e9-98d7-0050562a4d7b.html

13
Announcements / OPNsense 19.1 released
« on: January 31, 2019, 05:40:12 pm »
Hi there,

For more than four years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

The 19.1 release, nicknamed "Inspiring Iguana", consists of a total of 620 individual changes since 18.7 came out 6 months ago, spread out over 12 intermediate releases including the recent release candidates. That is the average of 2 stable releases per month, security updates and important bug fixes included! If we had to pick a few highlights it would be: The firewall alias API is finally in place. The migration to HardenedBSD 11.2 has been completed. 2FA now works with a remote LDAP / local TOTP combination. And the OpenVPN client export was rewritten for full API support as well.

Download links, an installation guide[1] and the checksums for the images can be found below as well.

o Europe: https://opnsense.c0urier.net/releases/19.1/
o US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.1/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.1/
o South America: http://mirror.upb.edu.co/opnsense/releases/19.1/
o South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.1/
o Full mirror list: https://opnsense.org/download/

These are the most prominent changes since version 18.7:

o fully functional firewall alias API
o PIE firewall shaper support
o firewall NAT rule logging support
o 2FA via LDAP-TOTP combination
o WPAD / PAC and parent proxy support in the web proxy
o P12 certificate export with custom passwords
o Dpinger is now the default gateway monitor
o ET Pro Telemetry edition plugin[2]
o extended IPv6 DUID support
o Dnsmasq DNSSEC support
o OpenVPN client export API
o Realtek NIC driver version 1.95
o HardenedBSD 11.2, LibreSSL 2.7
o Unbound 1.8, Suricata 4.1
o Phalcon 3.4, Perl 5.28
o firmware health check extended to cover all OS files, HTTPS mirror default
o updates are browser cache-safe regarding CSS and JavaScript assets
o collapsible side bar menu in the default theme
o language updates for Chinese, Czech, French, German, Japanese, Portuguese and Russian
o API backup export, Bind, Hardware widget, Nginx, Ntopng, VnStat and Dnscrypt-proxy plugins

Here are the full changes against version 19.1-RC2:

o ipsec: add firewall interface as soon as phase 1 is enabled
o ipsec: phase 1 selection GUI JavaScript compatibility fix
o monit: widget improvements and bug fix (contributed by Frank Brendel)
o ui: fix regression in single host or network subnet select in static pages
o plugins: os-frr 1.7 updates OSFP outbound rules (contributed by Fabian Franz)
o plugins: os-telegraf 1.7.4 fixes packet filter input
o plugins: os-theme-rebellion 1.8.2 adds image colour invert
o plugins: os-vnstat 1.1[3]
o plugins: os-zabbix-agent now uses Zabbix version 4.0
o src: revert mmc_calculate_clock() as HS200/HS400 support breaks legacy support
o src: update sqlite3-3.20.0 to sqlite3-3.26.0[4]
o src: import tzdata 2018h, 2018i[5]
o src: avoid unsynchronized updates to kn_status[6]
o ports: ca_root_nss 3.42
o ports: dhcp6c 20190128 prevent rawops double-free (contributed by Team Rebellion)
o ports: sudo patch to fix listpw=never[7]

Migration notes and minor incompatibilities to look out for:

o Gateway health graphs may need a manual reset due to the Apinger to Dpinger migration. Apinger is no longer available.
o Intrusion detection GeoIP rules are automatically deactivated and need to be manually migrated to firewall alias GeoIP.
o Quagga plugin has been superseded by FRR plugin. A binary quagga package has been conserved for the time being.
o Please read the FRR documentation with regard to the required system tunables[8].
o Bhyve UEFI boot may fail as a guest. The problem is being investigated.
o SNMP plugin has been superseded by Net-SNMP plugin.

The public key for the 19.1 series is:

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4NKHVbdmq9RN085Nfdyc
ip5IMNwcc4QcvGIbN51+UiHh8+aj+JJSswHg5ZBwKk6bxt8kA1NAJQk5U6Qb/UXi
QYt0zvN2ABrzBHq6WRE5WPzmQa1Raky4ChfQqorOFi3D96rMvI/Anm4OLllHcMX/
GKPA1XcODJTFQOjsAR+87V6Em+W0YX0lGLTmWdmwWfGeGQFJzA2A/Wxn3b0jDS9m
pyHlj4jzat6032qs7Uxf+qWopj+d76ZyxedQVPswKa9o9qKF2iUoSSG/11kFpLi6
Y+gXCXZDL20GXsPuBi1hpPnkhBFI+WFlC1KiA8RRGMpDKGQFw/XYIwKvfdRw82Mx
NkJYCiRNZxXnDzInTLuyEpS9yzQXdxa6YFR9USeFpjLaVUppT57M5xfdPFRdhImj
1crhMjQZWt+054JTadvEu4o1c+45damruqtQntvnF7h5vcNCjExlREKK32rMXbGD
Fb19G/3x8UASqVslkXeNtTj0fVPN+78yVyqjWCBe2zHiBlnWBmRu6tlrEDl/MVAz
Yk3rHMYdRpDYolWBD8bAzqohSatbrzWUjjF7GlLR6HfXsCYxPzGJb6Ed4We+ZjvH
C3/LHyuZD6EmksSraJt8XeVvTQlPnPI+jVbqJERi/p3F9KRVy8mwEwk/4MDbPhZ0
zizSg7+Yn6Rac/F0QlvUPa8CAwEAAQ==
-----END PUBLIC KEY-----


Stay safe,
Your OPNsense team

--
[1] https://docs.opnsense.org/manual/install.html
[2] https://docs.opnsense.org/manual/etpro_telemetry.html
[3] https://github.com/opnsense/plugins/blob/master/net/vnstat/pkg-descr
[4] https://www.freebsd.org/security/advisories/FreeBSD-EN-19:03.sqlite.asc
[5] https://www.freebsd.org/security/advisories/FreeBSD-EN-19:04.tzdata.asc
[6] https://www.freebsd.org/security/advisories/FreeBSD-EN-19:05.kqueue.asc
[7] https://bugzilla.sudo.ws/show_bug.cgi?id=869
[8] https://docs.opnsense.org/manual/dynamic_routing.html

SHA256 (OPNsense-19.1-OpenSSL-dvd-amd64.iso.bz2) = 0a9e02954da1ddd1f0b7673394bbf81cfa74a1d5378600a87d3a9e6a26d3104d
SHA256 (OPNsense-19.1-OpenSSL-nano-amd64.img.bz2) = 2c4b0056ca26053c8d5e4efe196e512af618bad4fa136ba0e2528083a6263528
SHA256 (OPNsense-19.1-OpenSSL-serial-amd64.img.bz2) = c71274cea2b910cd4b3454b4ad29f7f70503fcb52ffa5b7f65ea96a27ac9e10d
SHA256 (OPNsense-19.1-OpenSSL-vga-amd64.img.bz2) = 37164481a413716d8786676d30bb709f8b967e53a47a36d10118214304d14bb9

SHA256 (OPNsense-19.1-OpenSSL-dvd-i386.iso.bz2) = 17d0aadf671bc2d99b57f0371e4fadfca0e2e9c8d27d6545674a610fc1f59c7a
SHA256 (OPNsense-19.1-OpenSSL-nano-i386.img.bz2) = 0c4e7616c93f14f5988df84b9b620543cb23a89c1f91505527b6c999d2dc7889
SHA256 (OPNsense-19.1-OpenSSL-serial-i386.img.bz2) = 93306e5349c7448ad3fdc03d9349ebf98e4d7c677201dcbec111f917c72dca24
SHA256 (OPNsense-19.1-OpenSSL-vga-i386.img.bz2) = 03d21319a784f93a7940d35168a35d15005e6f4579ac5b1c7a6ff606beb062a6

14
Announcements / OPNsense 19.1-RC2 released
« on: January 23, 2019, 10:45:49 am »
Hi there,

Small online update issued to fix known and subsequently patched issues. If you use Insight and flowd_aggregate service refuses to start go to System: Firmware: Packages and reinstall the "flowd" package.

These are the changes in detail:

o firmware: fix invisible error in health check
o intrusion detection: avoid spurious migration error on factor reset
o monit: fix dashboard widget display and general settings save
o plugins: os-telegraf fixes checkbox for CPU time collect (contributed by chaispaquichui)
o ports: flowd Python bindings runtime fix


Stay safe,
Your OPNsense team

15
Announcements / OPNsense 19.1-RC1 released
« on: January 21, 2019, 02:46:08 pm »
Hi there,

For almost four years now, OPNsense is driving innovation through modularising and hardening the open source firewall, with simple and reliable firmware upgrades, multi-language support, HardenedBSD security, fast adoption of upstream software updates as well as clear and stable 2-Clause BSD licensing.

We thank all of you for helping test, shape and contribute to the project! We know it would not be the same without you.

Download links, an installation guide[1] and the checksums for the images can be found below as well.

o Europe: https://opnsense.c0urier.net/releases/19.1/
o US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.1/
o US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.1/
o South America: http://mirror.upb.edu.co/opnsense/releases/19.1/
o South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.1/
o Full mirror list: https://opnsense.org/download/

Here are the full changes against version 18.7.10:

o system: console port assignment can now assign OPT without LAN
o system: anti-lockout will use OPT1 if LAN is not present
o system: allow creation of combined client/server SSL certificate
o system: gateway monitoring switches to Dpinger with Apinger removed
o system: detect unassigned gateways in static address setups
o system: more advanced gateway monitoring options for Dpinger (contributed by Team Rebellion)
o system: removal of the old notification system in favour of Monit
o system: only allow syslog remote binding to assigned interfaces
o system: disable IP aliases configured with VHID on temporary disable
o system: remove AHCI MSI disable workaround used in FreeBSD 11.1
o system: default gateway switching moves back to general settings
o system: beep sound notification setting moves to misc. settings
o system: limit log line length in log widget
o interfaces: change 6RD/6to4 interface prefix from internal name to physical device
o interfaces: prohibit tracking on 6RD with /64 upstream prefix
o interfaces: remove unneeded use of potentially clashing fe80::1:1 addresses for IPv6 tracking
o interfaces: clear an apparently faulty system DUID when no manual DUID is set
o interfaces: updated custom dhclient-script used for DHCPv4
o interfaces: VIP support for GRE devices
o interfaces: simplify find_interface_ip* functions
o interfaces: remove get_interface_subnet* functions
o interfaces: remove unused get_possible_listen_ips function
o interfaces: link status indicator on assignments page
o interfaces: unify interface removal code
o firewall: switch GeoIP database download to HTTPS
o firewall: find IP reference tool for aliases
o firewall: improve alias page responsiveness with large number of addresses
o firewall: show system errors when reloading aliases
o firewall: NAT port forward logging option and live view support
o firewall: optionally resolve all host names in live view
o firewall: not all states could be removed in diagnostics page
o firewall: clean up unused NAT rule association code
o reporting: improve handling of empty Insight datasets
o reporting: prepare for Python 3 conversion
o firmware: switch default mirror location to HTTPS
o firmware: health check for base and kernel files including version check
o firmware: support base and kernel file size in packages overview
o firmware: /var MFS compatibility on base installation when reboot is deferred
o firmware: command line core lock feature prevents package upgrades
o firmware: internally remember plugins installed or removed in the GUI
o firmware: show last known update log on page open
o firmware: show untrusted repository error in GUI
o firmware: separate chanelogs tab for clarity
o dhcp: refuse setup of instances that have no associated IP address
o dhcp: fix lease time local vs. UTC display in IPv6 leases
o installer: change communication from TCP to named pipes
o installer: fix sporadic segmentation faults in frontend code
o installer: allow config import from ZFS pools
o installer: allow password reset on ZFS pools
o installer: removed a number of unused modules
o ipsec: generate correct config for "Hybrid-RSA + XAuth" (contributed by Max Weller)
o ipsec: reworked strongswan.conf generation
o ipsec: use new interface subnet retrieval code
o monit: support declaring dependencies (contributed by Alexander Werner)
o monit: add Service/Test type relation (contributed by Frank Brendel)
o monit: add CARP status to standard services
o monit: add gateway alerts to standard services
o monit: backend rework to simplify the service
o intrusion detection: support base ruleset overlays and improve logging
o intrusion detection: GeoIP feature in user-defined rules has been removed
o intrusion detection: obey Content-Disposition header
o openvpn: client export rewrite, new export option for The Green Bow
o unbound: reworked slab calculation
o unbound: added statistics page
o unbound: only bind to interfaces or OpenVPN instances, always bind to loopback
o unbound: fix ACL subnet calculation for OpenVPN instances
o unbound: do not generate host entries for OpenVPN instances
o unbound: improve help text wording and general settings layout
o web proxy: parent proxy support (contributed by Michael Muenz)
o wizard: fix checkbox label styling
o mvc: converted reboot, halt and license page to MVC
o mvc: compared-to-field constraint (contributed by Fabian Franz)
o mvc: external clients which set Authorization header now receive raw JSON responses
o mvc: fix empty value check in grid (contributed by Smart-Soft)
o mvc: globally lock config when multiple items are deleted at once
o mvc: volt template JavaScript cleanups
o ui: updated bootstrap-select to version 1.13.3
o ui: collapsible sidebar support in default theme (contributed by Team Rebellion)
o plugins: os-acme-client 1.19[2]
o plugins: os-c-icap 1.7 adds template support (contributed by Michael Muenz)
o plugins: os-dmidecode 1.0 hardware information widget (contributed by Smart-Soft)
o plugins: os-dyndns 1.12 changes HE tunnel broker to newer API (contributed by Dusan Dragic)
o plugins: os-frr switches to FRR 5.0.2, please see below
o plugins: os-l2tp 1.8 interface now selects reachable server address
o plugins: os-pptp 1.8 interface now selects reachable server address
o plugins: os-openconnect 1.3.3[3]
o plugins: os-quagga removed, please use os-frr instead
o plugins: os-nginx 1.6[4]
o plugins: os-rspamd 1.4 allows to set manual spam scores and subject (contributed by Michael Muenz and Fabian Franz)
o plugins: os-snmp removed, please use os-net-snmp instead
o plugins: os-theme-cicada 1.13
o plugins: os-theme-tukan 1.12
o plugins: os-wol 2.1 fixes widget link (contributed by Fabian Franz)
o src: HardenedBSD 11.2-RELEASE-p7[5][6][7]
o src: fix missing transmit visibility for BPF-based listeners in native netmap mode
o src: limit the maximum number of fragments per packet in pf
o src: replace rwlock on PF_RULES_LOCK with rmlock in pf
o src: do not discard UDP6 traffic in Hyper-V adaptors
o src: fix state sync during initial bulk update in pfsync
o src: unbreak dhclient(8) option 26 processing
o src: import APU 1-3 LED kernel module
o ports: krb5 1.17[8]
o ports: php 7.1.26[9]
o ports: sudo 1.8.27[10]
o ports: perl 5.28.1[11]
o ports: suricata netmap forward-compatibility patch (contributed by Sunny Valley Networks)

Known issues and limitations:

o Gateway health graphs may need a manual reset due to the Apinger to Dpinger migration.
o Intrusion detection GeoIP rules are automatically deactivated and need to be manually migrated to firewall alias GeoIP.
o Monit general settings do not save. A patch exists[12] to remedy this problem: opnsense-patch a2899594
o Issue with IDS migration code creating a spurious crash report. Patch already done for the final 19.1.
o Quagga plugin has been superseded by FRR plugin. A binary quagga package has been conserved for the time being.
o Please read the FRR documentation with regard to the required system tunables[13].
o SNMP plugin has been superseded by Net-SNMP plugin.
o ZFS guided installation pending.

The public key for the 19.1 series is:

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4NKHVbdmq9RN085Nfdyc
ip5IMNwcc4QcvGIbN51+UiHh8+aj+JJSswHg5ZBwKk6bxt8kA1NAJQk5U6Qb/UXi
QYt0zvN2ABrzBHq6WRE5WPzmQa1Raky4ChfQqorOFi3D96rMvI/Anm4OLllHcMX/
GKPA1XcODJTFQOjsAR+87V6Em+W0YX0lGLTmWdmwWfGeGQFJzA2A/Wxn3b0jDS9m
pyHlj4jzat6032qs7Uxf+qWopj+d76ZyxedQVPswKa9o9qKF2iUoSSG/11kFpLi6
Y+gXCXZDL20GXsPuBi1hpPnkhBFI+WFlC1KiA8RRGMpDKGQFw/XYIwKvfdRw82Mx
NkJYCiRNZxXnDzInTLuyEpS9yzQXdxa6YFR9USeFpjLaVUppT57M5xfdPFRdhImj
1crhMjQZWt+054JTadvEu4o1c+45damruqtQntvnF7h5vcNCjExlREKK32rMXbGD
Fb19G/3x8UASqVslkXeNtTj0fVPN+78yVyqjWCBe2zHiBlnWBmRu6tlrEDl/MVAz
Yk3rHMYdRpDYolWBD8bAzqohSatbrzWUjjF7GlLR6HfXsCYxPzGJb6Ed4We+ZjvH
C3/LHyuZD6EmksSraJt8XeVvTQlPnPI+jVbqJERi/p3F9KRVy8mwEwk/4MDbPhZ0
zizSg7+Yn6Rac/F0QlvUPa8CAwEAAQ==
-----END PUBLIC KEY-----

Please let us know about your experience!


Stay safe,
Your OPNsense team

--
[1] https://docs.opnsense.org/manual/install.html
[2] https://github.com/opnsense/plugins/pull/1134
[3] https://github.com/opnsense/plugins/blob/master/security/openconnect/pkg-descr
[4] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[5] https://hardenedbsd.org/content/easy-feature-comparison
[6] https://www.freebsd.org/releases/11.2R/relnotes.html
[7] https://www.freebsd.org/releases/11.2R/errata.html
[8] https://web.mit.edu/kerberos/krb5-1.17/
[9] http://php.net/ChangeLog-7.php#7.1.26
[10] https://www.sudo.ws/stable.html#1.8.27
[11] https://metacpan.org/changes/release/SHAY/perl-5.28.1
[12] https://github.com/opnsense/core/commit/a2899594
[13] https://docs.opnsense.org/manual/dynamic_routing.html

SHA256 (OPNsense-19.1.r1-OpenSSL-dvd-amd64.iso.bz2) = 7c0c6cf529cb2f8aa9c29b3645b4ec1e218c292f722941ae9880b009c93e6364
SHA256 (OPNsense-19.1.r1-OpenSSL-nano-amd64.img.bz2) = b355355fc6d10475af2b1c22daa2fd5f5ab78bb375aaf8100a51f087d2447289
SHA256 (OPNsense-19.1.r1-OpenSSL-serial-amd64.img.bz2) = f4d40b1ece162aac97505f8ad1e16271126df11fb1a317a9f431ff4737fe5da8
SHA256 (OPNsense-19.1.r1-OpenSSL-vga-amd64.img.bz2) = f8c860a7e3eb9be61d33da92b021a0f337ad50e00a6ffc1cca793277f1890b63

SHA256 (OPNsense-19.1.r1-OpenSSL-dvd-i386.iso.bz2) = c7b5ced64623416bd56e5337d5212c9af25292a48eb1bb298321e4bb79056c94
SHA256 (OPNsense-19.1.r1-OpenSSL-nano-i386.img.bz2) = 1313645407d810dd7a5dedf4978deaa7c14f4655dee679de572d7a9e853749c0
SHA256 (OPNsense-19.1.r1-OpenSSL-serial-i386.img.bz2) = f44203f5bb6e2dbfe5b524b37e9e53baab0665684cbc215bdc3015e11a79c2bd
SHA256 (OPNsense-19.1.r1-OpenSSL-vga-i386.img.bz2) = a6cfc14b9675563053d6e7733011c381f39e8fb2e10a8a64d60cc7de421ac2db

Pages: [1] 2 3 ... 15
OPNsense is an OSS project © Deciso B.V. 2015 - 2019 All rights reserved
  • SMF 2.0.15 | SMF © 2017, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2