Messages - franco

#46
Mod note: Deleted the spam account and related messages.
#47
https://github.com/opnsense/core/commit/6e10711078 addresses this validation gap as discussed.


Cheers,
Franco
#48
Announcements / Re: OPNsense 26.1.7 released
May 04, 2026, 11:12:07 AM
A hotfix release was issued as 26.1.7_2:

o system: fix missing base64_decode() in JsonField which prevented user settings from saving
#49
I agree. I'll try to extract this from the original commit stream and directly commit it with the original authorship.

One of the many reasons why small PRs make more sense.


Cheers,
Franco
#50
Thanks, I hope you had a nice one too.

> so as example on 25.10, we can on the cli /shell opnsense-patch, as example the sctp cve?

No, opnsense-patch can do core, plugins, update and installer hotfixing since these use scripting languages.

Ports and src need to be rebuilt, which takes a long time on top of managing historic branches, which is one of the reasons we're not attempting that.

In the average case you can get away with running a newer kernel from e.g. the 26.4 series in 25.10, but we tend not to recommend it for the off-chance that something is wrong, since we don't have that in our test rotation. It's even possible to use community kernels in business versions as long as you make sure you're not loading a kernel that has fewer security issue patches than the business one.


Cheers,
Franco
#51
opnsense-patch usually works for core/plugins. But older OS builds and ports updates are not supplied because in the past the tree moved too fast, so things broke when freezing the repo state, and building takes too long.


Cheers,
Franco
#52
Taken care of in 26.4_6.


Cheers,
Franco
#53
A hotfix release was issued as 26.4_6:

o system: protect popen() with exec_safe()[34]
o system: lockout bypass fix[35] (contributed by Konstantinos Spartalis)
o system: allow gateway load balance weights from 1 to 10 for more flexibility (contributed by Matthew Hall)
o system: add "nosync" option to gateway configuration
o firewall: fix typo in alias update error log and make parser a bit more resilient
o firmware: opnsense-update: handle FreeBSD.conf disable internally
o plugins: os-acme-client 4.16[36]
o src: vm_fault: reset m_needs_zeroing properly[37]
o src: timerfd: Fix interval callout scheduling[38]
o src: tty: avoid leaving dangling pointers in tty_drop_ctty()[39]
o src: pkru: fix handling of 1GB largepage mappings[40]
o src: contrib/tzdata: import tzdata 2025c, 2026a and 2026b[41]
o src: amd64: fix INVLPGB range invalidation[42]
o src: pf: improve SCTP validation[43]
o src: execve: fix an operator precedence bug[44]
o src: dhclient: check for unexpected characters in some DHCP server options[45]
o src: dhclient: fix reallocation of dhclient script environments[46]
o src: libnv: switch fd_wait() from select(2) to poll(2)[47]
o src: libnv: fix heap overflow in nvlist_recv()[48]
o src: libpcap: update to 1.10.6
o src: ipfw_nptv6: fix handling the ifaddr removal event
o src: if_tuntap: make SIOCIFDESTROY interruptible
o src: pfctl: parser must not ignore error from pfctl_optimize_ruleset()
o src: pf: fix duplicate rule detection for automatic tables
o src: openssl: update from 3.0.16 to 3.0.20
o src: routing: fix use-after-free in finalize_nhop
o src: ixgbe: fix MRQC register value
o src: in_mcast: Fix a lock leak in inp_set_source_filters()
o src: linuxkpi: fix an off-by-one error in the kfifo implementation
o src: sctp: fix so_proto when peeling off a socket
o ports: expat 2.8.0[49]
o ports: openvpn 2.6.20[50]
o ports: strongswan 6.0.6[51]


--
[34] https://www.cve.org/cverecord?id=CVE-2026-44193
[35] https://www.cve.org/cverecord?id=CVE-2026-44195
[36] https://github.com/opnsense/plugins/blob/stable/26.1/security/acme-client/pkg-descr
[37] https://www.freebsd.org/security/advisories/FreeBSD-EN-26:05.vm.asc
[38] https://www.freebsd.org/security/advisories/FreeBSD-EN-26:06.timerfd.asc
[39] https://www.freebsd.org/security/advisories/FreeBSD-SA-26:10.tty.asc
[40] https://www.freebsd.org/security/advisories/FreeBSD-SA-26:11.amd64.asc
[41] https://www.freebsd.org/security/advisories/FreeBSD-EN-26:09.tzdata.asc
[42] https://www.freebsd.org/security/advisories/FreeBSD-EN-26:10.amd64.asc
[43] https://www.freebsd.org/security/advisories/FreeBSD-SA-26:14.pf.asc
[44] https://www.freebsd.org/security/advisories/FreeBSD-SA-26:13.exec.asc
[45] https://www.freebsd.org/security/advisories/FreeBSD-SA-26:12.dhclient.asc
[46] https://www.freebsd.org/security/advisories/FreeBSD-SA-26:15.dhclient.asc
[47] https://www.freebsd.org/security/advisories/FreeBSD-SA-26:16.libnv.asc
[48] https://www.freebsd.org/security/advisories/FreeBSD-SA-26:17.libnv.asc
[49] https://github.com/libexpat/libexpat/blob/R_2_8_0/expat/Changes
[50] https://github.com/OpenVPN/openvpn/blob/v2.6.20/Changes.rst
[51] https://github.com/strongswan/strongswan/releases/tag/6.0.6
#55
I feel like there is vital context missing?
#56
Announcements / Re: OPNsense 26.1.7 released
April 30, 2026, 10:14:44 PM
A hotfix release was issued as 26.1.7_1:

o system: fix missing newline when generating cron jobs due to a regression
#57
If the day had 32 hours things would be different but for now we have to settle for a business fix for tomorrow.

This is our usual strategy to start fixing community and then move to business and due to surprise timing coupled with lots of changes in critical areas (OS in particular) it isn't good to not follow the good strategy.


Cheers,
Franco
#58
Announcements / OPNsense 26.1.7 released
April 30, 2026, 03:26:01 PM
That was quick!

This includes all very recent FreeBSD SA/EN patches, a number of system improvements (how are you doing, Kea!) and third party updates for OpenVPN and StrongSwan.

It also includes one high and one medium advisory for our code. GitHub has not issued a CVE for this yet, unfortunately, but this announcement will be updated as soon as that happens. See below for details.

Here are the full patch notes:

o system: protect popen() with exec_safe()[1]
o system: lockout bypass fix[2] (contributed by Konstantinos Spartalis)
o system: refactor dashboard to use User model instead of direct config access
o system: throw UserException when dashboard size limit was reached on save
o system: add notes dashboard widget (contributed by Konstantinos Spartalis)
o system: allow gateway load balance weights from 1 to 10 for more flexibility (contributed by Matthew Hall)
o system: fix traffic dashboard widget initialization race condition (contributed by Greelan)
o system: avoid side effect rendering sysctl item in config.xml during console assignment
o system: improve cron command and parameter escaping
o system: add "nosync" option to gateway configuration
o system: support RADIUS NAS-IP-Address attribute for authentication
o system: add compatibility layer to future route disable/enable migration
o system: only split first colon when reading sysctls
o system: revisit snapshot name validation (partially contributed by Konstantinos Spartalis)
o interfaces: refactor bridge reconfigure script
o firewall: live view: decode HTML where necessary to aid filtering
o firewall: fix typo in alias update error log and make parser a bit more resilient
o firmware: opnsense-update: handle FreeBSD.conf disable internally
o kea: fix "Delegated length must be longer than or equal to prefix length" validation
o kea: add ddns-override-no-update, ddns-override-client-update and ddns-update-on-renew per subnet
o kea: DDNS DNS server port can now be specified
o kea: add explicit reverse DDNS zones support (contributed by XtraLarge)
o kea: add DDNS manual config override
o kea: remove depend constraint of ddns_reverse_zone
o radvd: allow user controlled hop limit (contributed by BPplays)
o unbound: improve hostname/domain override validation
o backend: configctl: properly quote parameters to avoid skipping empty ones (contributed by Majx)
o lang: numerous updates and fixes in existing languages
o mvc: introduce JSON field type and refactor dashboard to use it
o mvc: fixed a number of class import statements
o shell: config access refactor in password and setaddr scripts
o ui: generalize placeholders between controllers and JS
o ui: simplify and clean up debounce() usage
o ui: trap generic error popup for specific API URLs such as /api/core/firmware/upgradestatus when it adds no value and known to be unstable
o plugins: os-acme-client 4.16[3]
o plugins: os-zabbix-agent 1.9[4]
o plugins: os-zabbix-proxy 1.7[5]
o src: vm_fault: reset m_needs_zeroing properly[6]
o src: timerfd: Fix interval callout scheduling[7]
o src: tty: avoid leaving dangling pointers in tty_drop_ctty()[8]
o src: pkru: fix handling of 1GB largepage mappings[9]
o src: contrib/tzdata: import tzdata 2025c, 2026a and 2026b[10]
o src: amd64: fix INVLPGB range invalidation[11]
o src: pf: improve SCTP validation[12]
o src: execve: fix an operator precedence bug[13]
o src: dhclient: check for unexpected characters in some DHCP server options[14]
o src: dhclient: fix reallocation of dhclient script environments[15]
o src: libnv: switch fd_wait() from select(2) to poll(2)[16]
o src: libnv: fix heap overflow in nvlist_recv()[17]
o src: libpcap: update to 1.10.6
o src: ipfw_nptv6: fix handling the ifaddr removal event
o src: if_tuntap: make SIOCIFDESTROY interruptible
o src: pfctl: parser must not ignore error from pfctl_optimize_ruleset()
o src: pf: fix duplicate rule detection for automatic tables
o src: openssl: update from 3.0.16 to 3.0.20
o src: routing: fix use-after-free in finalize_nhop
o src: ixgbe: fix MRQC register value
o src: in_mcast: Fix a lock leak in inp_set_source_filters()
o src: linuxkpi: fix an off-by-one error in the kfifo implementation
o src: sctp: fix so_proto when peeling off a socket
o ports: expat 2.8.0[18]
o ports: openvpn 2.6.20[19]
o ports: phpseclib 3.0.52[20]
o ports: strongswan 6.0.6[21]


Stay safe,
Your OPNsense team

--
[1] https://www.cve.org/cverecord?id=CVE-2026-44193
[2] https://www.cve.org/cverecord?id=CVE-2026-44195
[3] https://github.com/opnsense/plugins/blob/stable/26.1/security/acme-client/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/26.1/net-mgmt/zabbix-agent/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/26.1/net-mgmt/zabbix-proxy/pkg-descr
[6] https://www.freebsd.org/security/advisories/FreeBSD-EN-26:05.vm.asc
[7] https://www.freebsd.org/security/advisories/FreeBSD-EN-26:06.timerfd.asc
[8] https://www.freebsd.org/security/advisories/FreeBSD-SA-26:10.tty.asc
[9] https://www.freebsd.org/security/advisories/FreeBSD-SA-26:11.amd64.asc
[10] https://www.freebsd.org/security/advisories/FreeBSD-EN-26:09.tzdata.asc
[11] https://www.freebsd.org/security/advisories/FreeBSD-EN-26:10.amd64.asc
[12] https://www.freebsd.org/security/advisories/FreeBSD-SA-26:14.pf.asc
[13] https://www.freebsd.org/security/advisories/FreeBSD-SA-26:13.exec.asc
[14] https://www.freebsd.org/security/advisories/FreeBSD-SA-26:12.dhclient.asc
[15] https://www.freebsd.org/security/advisories/FreeBSD-SA-26:15.dhclient.asc
[16] https://www.freebsd.org/security/advisories/FreeBSD-SA-26:16.libnv.asc
[17] https://www.freebsd.org/security/advisories/FreeBSD-SA-26:17.libnv.asc
[18] https://github.com/libexpat/libexpat/blob/R_2_8_0/expat/Changes
[19] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.20
[20] https://github.com/phpseclib/phpseclib/releases/tag/3.0.52
[21] https://github.com/strongswan/strongswan/releases/tag/6.0.6
#59
Thanks, it's actually a bit of a rabbit hole.  I ended up improving the IPsec connections page as it needed more attention for this particular topic and in general. Maybe someone will find it useful too.  :)


Cheers,
Franco
#60
> A lingering banner is not on the list though, since that would need to keep track of a dirty or clean system state.

The apply message and colour will now linger actually, but not across page loads.  But it is being considered for a future improvement.


Cheers,
Franco