24.10.1 business edition released

Started by franco, November 27, 2024, 01:46:57 PM

This business release is based on the OPNsense 24.7.9 community version
with additional reliability improvements.

Here are the full patch notes:

o system: remove obsolete banners from static pages
o system: address CRL/cert subject hash mismatch during trust store rehash
o system: add missing MinProtocol in OpenSSL config template from trust settings
o system: add SignatureAlgorithms option and fix minor form glitch in trust settings
o system: sync certctl to FreeBSD 14.1 base code et al
o system: migrate authoritative bundle location to /usr/local/etc/ssl/cert.pem
o system: flush the global OpenSSL configuration to /etc/ssl/openssl.cnf as well
o system: ignore gateway monitor status on boot when setting up routes
o system: fix IP address validation not being displayed in the gateway form
o reporting: refactor existing RRD backend code
o reporting: isset() vs. empty() on RRD enable
o reporting: fix regression in RRD temperature readings
o reporting: ISO dates and logical ranges in health graphs (contributed by Roy Orbitson)
o interfaces: fix VXLAN interface being busy when vxlanlocal or vxlanremote is changed
o interfaces: 6RD/6to4 route creation should be limited to IPv6
o interfaces: parse part of SFP module information in legacy_interfaces_details()
o interfaces: kill defunct route-to states with the stale gateway IP
o firewall: add a note about stateless TCP during syncookie use
o firewall: enhance validation that group name can not start or end with a digit
o firewall: make loopback traffic stateful again to fix its use with syncookie option
o firewall: add 'Action' property to list of retrieved rules
o firewall: use UUIDs as rule labels to ease tracking
o firmware: remove escaped slashes workaround on mirror/flavour write
o firmware: introduce config.sh and use it in launcher.sh and connection.sh
o firmware: restart cron on updates
o firmware: improve health script and use config.sh
o firmware: rework CRL check in config.sh
o firmware: use the trust store for CRL verification
o firmware: refactor for generic config.sh use and related code audit
o firmware: move the bogons update script to the firmware scripts, improve logging messages and use config.sh
o firmware: opnsense-version: restored pre-2019 default output format (contributed by TotalGriffLock)
o firmware: use REQUEST to print a TLS/CRL usage hint
o firmware: force CRL check on development deployment
o intrusion detection: reorganise settings page with headers
o intrusion detection: support configuration of eve-log for HTTP and TLS (contributed by Toby Chen)
o ipsec: add swanctl.conf download button to settings page
o ipsec: add description field to pre-shared-keys
o isc-dhcp: safeguard output type for json_decode() in leases page
o openvpn: add Require Client Provisioning option for instances
o unbound: allow RFC 2181 compatible names in overrides
o backend: correct template helper exists() return type (contributed by kumy)
o backend: add 'configd environment' debug action
o lang: update available translations
o mvc: extend sanity checks in isIPInCIDR()
o mvc: fix UpdateOnlyTextField incompatibility with DependConstraint (contributed by kumy)
o mvc: always do stop/start on forced restart
o mvc: remove obsolete sessionClose() use in Base, Firmware, Unbound and WireGuard controllers
o ui: fix tree view style targeting elements outside this view
o plugins: enforce defaults on devices
o plugins: os-bind 1.33[1]
o plugins: os-caddy 1.7.4[2]
o plugins: os-ddclient 1.25[3]
o plugins: os-debug 1.6
o plugins: os-etpro-telemetry lowers log level of collection invoke (contributed by doktornotor)
o plugins: os-freeradius 1.9.26[4]
o plugins: os-frr 1.42[5]
o plugins: os-iperf fixes JS TypeError when parsing result (contributed by Leo Huang)
o plugins: os-lldpd 1.2[6]
o plugins: os-ndproxy 1.0 adds an IPv6 Neighbour Discovery proxy
o plugins: os-net-snmp 1.6[7]
o plugins: os-tinc removes "pipes" Python module dependency (contributed by andrewhotlab)
o plugins: os-upnp 1.7[8]
o plugins: os-wazuh-agent 1.2[9]
o src: multiple issues in the bhyve hypervisor[10]
o src: unbounded allocation in ctl(4) CAM Target Layer[11]
o src: XDG runtime directory file descriptor leak at login[12]
o src: assorted FreeBSD stable patches for Intel ixgbe, igb, igc and e1000 drivers
o src: cxgb: register ifmedia callbacks before ether_ifattach
o src: enc: use new KPI to create enc interface
o src: ifconfig: fix wrong indentation for the status of pfsync
o src: iflib: simplify iflib_legacy_setup
o src: iflib: use if_alloc_dev() to allocate the ifnet
o src: netmap: make memory pools NUMA-aware
o src: vlan: handle VID conflicts
o ports: libpfctl 0.14
o ports: monit 5.34.2[13]
o ports: nss 3.106[14]
o ports: openssh 9.9.p1[15]
o ports: php 8.2.25[16]
o ports: py-duckdb 1.1.3[17]
o ports: syslog-ng 4.8.1[18]
o ports: unbound 1.22.0[19]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/24.7/dns/bind/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/24.7/www/caddy/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/24.7/dns/ddclient/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/24.7/net/freeradius/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/24.7/net/frr/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/24.7/net-mgmt/lldpd/pkg-descr
[7] https://github.com/opnsense/plugins/blob/stable/24.7/net-mgmt/net-snmp/pkg-descr
[8] https://github.com/opnsense/plugins/blob/stable/24.7/net/upnp/pkg-descr
[9] https://github.com/opnsense/plugins/blob/stable/24.7/security/wazuh-agent/pkg-descr
[10] https://www.freebsd.org/security/advisories/FreeBSD-SA-24:17.bhyve.asc
[11] https://www.freebsd.org/security/advisories/FreeBSD-SA-24:18.ctl.asc
[12] https://www.freebsd.org/security/advisories/FreeBSD-EN-24:17.pam_xdg.asc
[13] https://mmonit.com/monit/changes/
[14] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_105.html
[15] https://www.openssh.com/txt/release-9.9
[16] https://www.php.net/ChangeLog-8.php#8.2.25
[17] https://github.com/duckdb/duckdb/releases/tag/v1.1.3
[18] https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.8.1
[19] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-22-0

We subsequently republished the images as 24.10.1 due to CRL verification
issues in the initial 24.10 version which were quickly hotfixed, but could
not easily be fixed in the existing images.

SHA256 (OPNsense-business-24.10.1-dvd-amd64.iso.bz2) = 9ced7c07d7d1c1a09995158f7c0184493e56c1fcae0ddefcbc7803320dd7bf4a
SHA256 (OPNsense-business-24.10.1-nano-amd64.img.bz2) = 074e89625ba5e15dfa180594243d6a8390d7183e2cc50baf0989218f9f5b19f5
SHA256 (OPNsense-business-24.10.1-serial-amd64.img.bz2) = 64d55fa0b71b5d13845e35ee8c234b879d7d99d1abc3291054dca6d01194613a
SHA256 (OPNsense-business-24.10.1-vga-amd64.img.bz2) = 80d81ba9bc4455e5fe08b20276bd4ddc52c082ea40dd55ccfc7b3d7ba4b0fab5
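
Added example (not part of the original post and not OPNsense project code): a verifier for BSD-tagged `SHA256 (file) = digest` lines in the format used above, reporting each listed image as ok, MISMATCH or missing before it is written to install media. The function names and the demo file names are assumptions made for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# BSD-tagged digest line as used in the announcement:
#   SHA256 (filename) = <64 hex digits>
DIGEST_LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<hex>[0-9a-fA-F]{64})$")

def parse_digests(text):
    """Return {filename: lowercase hex digest}; other lines are ignored."""
    digests = {}
    for line in text.splitlines():
        match = DIGEST_LINE.match(line.strip())
        if match:
            digests[match["name"]] = match["hex"].lower()
    return digests

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a multi-gigabyte image never sits in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_images(digest_text, directory):
    """Map each listed filename to 'ok', 'MISMATCH' or 'missing'."""
    results = {}
    for name, expected in parse_digests(digest_text).items():
        # Basename only: a digest line must not steer us outside `directory`.
        path = Path(directory) / Path(name).name
        if not path.is_file():
            results[name] = "missing"
        else:
            results[name] = "ok" if sha256_file(path) == expected else "MISMATCH"
    return results

if __name__ == "__main__":
    # Constructed demo files, not real OPNsense images.
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "demo.img.bz2"
        sample.write_bytes(b"constructed sample data")
        listing = (f"SHA256 (demo.img.bz2) = {sha256_file(sample)}\n"
                   f"SHA256 (absent.iso.bz2) = {'0' * 64}\n")
        print(verify_images(listing, tmp))
```

For real use, pass the checksum lines copied from the announcement as `digest_text` and the download folder as `directory`; anything other than `ok` means the image should not be used.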