OPNsense business edition 23.4.2 released

[franco]

This business release is based on the OPNsense 23.1.11 community version
with additional reliability improvements.

Here are the full patch notes:

o system: improve RRD collector PID/service handling
o system: do not touch /var/run/booting if it exists (contributed by William Desportes)
o system: do a full transition on gateway group apply
o system: automatically create core dump with installed debug kernel
o system: add RADIUS authentication support for MSCHAPv2 using Crypt_CHAP_MSv2()
o system: propagate error in rc.syshook scripts
o system: use parse_url() to validate if the provided login redirect string is actually parseable to prevent redirect
o system: fix assorted permission-after-write problems
o system: add opnsense-crypt utility to encrypt/decrypt a config.xml
o system: call opnsense-crypt from opnsense-import to deal with encrypted imports
o system: do not allow state modification on GET for power off and reboot actions
o system: better validation and escaping for cron commands
o system: better validation for logging user input
o system: mute openssl errors pushed to stderr
o system: name unknown tunables as "environment" as they could still be supported by e.g. the boot loader
o system: sanitize $act parameter in trust pages
o interfaces: minor fixes in IP address status read
o interfaces: additions for legacy_interface_stats()
o interfaces: use interfaces_primary_address() during IPv4 renewal
o interfaces: allow manual protocol selection for VLANs
o interfaces: remove null_service toggle as empty service name in PPPoE works fine
o interfaces: fix bug with reported number of flapping LAGG ports (contributed by Neil Greatorex)
o interfaces: introduce a lock and DAD timer into newwanip for IPv6
o firewall: remove duplicate table definitions
o firewall: prevent VIP address adding /32 on IPv6 rule selection
o firewall: align rule validation with port forward validation
o firewall: move all automatic rules for interface connectivity to priority 1
o firewall: "kill states in selection" button was hidden when selecting only a rule for state search
o captive portal: safeguard template overlay distribution
o dhcp: fix IPv6 lease page undefined vars and other issues
o dhcp: share DUID parsing code via dhcpd_parse_duid()
o dhcp: revamp the prefix route handling also adding support for statically mapped downstream routers
o dhcp: validate client hostnames in Dnsmasq/Unbound lease watchers
o dhcp: fix validation for static entry requirement
o firmware: opnsense-update: move -K option to -x
o firmware: opnsense-update: support deferred kernel set install
o firmware: opnsense-update: use -w option with -a option in fetch(1)
o firmware: opnsense-update: ensure kernel directory consistency
o firmware: shift subscription key extract to "-x" option
o firmware: use post-upgrade hook and stage kernel as well for clean abort
o firmware: sort plugins before store
o firmware: automatic kernel upgrade after reboot like base and package stages
o firmware: sticky advanced mode if flavour is set to non-default
o firmware: properly escape crash reports shown
o firmware: fix a faulty JSON construction during partial upgrade check
o intrusion detection: add missing typecast in getAlertLogsAction()
o ipsec: add missing config section for HA sync
o ipsec: add passthrough networks when specified to prevent overlapping "connections" missing them
o ipsec: add RADIUS server selection for "Connections" when RADIUS is not defined in legacy tunnel configuration
o ipsec: fix RSA key pair generation with size other than 2048
o openvpn: fix typo in widget for client timestamp display
o unbound: move unbound-blocklists.conf to configuration location
o backend: minor regression in deeper nested command structures in configd
o mvc: fix locking regression that caused bulk changes to not being rendered correctly
o mvc: properly support multi clause search phrases
o mvc: fill missing keys when sorting in searchRecordsetBase()
o mvc: fix empty item selection issue in BaseListField
o ui: remove noodp and noydir from HTML meta robots tag (contributed by William Desportes)
o plugins: os-crowdsec 1.0.6[1]
o plugins: os-nginx 1.32.1[2]
o plugins: os-zabbix-agent plugin variant for Zabbix 6.4
o plugins: os-zabbix-proxy plugin variant for Zabbix 6.4
o src: axgbe: account for 4 SFP ports during GPIO expander check
o src: ipsec: make algorithm tables read-only
o src: mpr: fix copying of event_mask[3]
o src: pam_krb5: fix spoofing vulnerability[4]
o src: loader: comconsole: do not unconditionally wipe out hw.uart.console[5]
o src: contrib/tzdata: import tzdata 2023c[6]
o src: ixgbe: change if condition for RSS and rxcsum
o src: pf: fix pf_nv##_array() size check
o src: e1000: fix VLAN 0
o ports: curl 8.1.2[7]
o ports: krb5 1.21[8]
o ports: nss 3.90[9]
o ports: ntp 4.2.8p17[10]
o ports: openssh 9.3p2[11]
o ports: openssl 1.1.1v[12]
o ports: openvpn 2.6.5[13]
o ports: phalcon 5.2.2[14]
o ports: php 8.1.20[15]
o ports: py-setuptools fix for CVE-2022-40897
o ports: python 3.9.17[16]
o ports: squid 5.9[17]
o ports: strongswan upstream fix for VICI stalls[18]
o ports: suricata 6.0.13[19]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/23.1/security/crowdsec/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/23.1/www/nginx/pkg-descr
[3] https://www.freebsd.org/security/advisories/FreeBSD-EN-23:07.mpr.asc
[4] https://www.freebsd.org/security/advisories/FreeBSD-SA-23:04.pam_krb5.asc
[5] https://www.freebsd.org/security/advisories/FreeBSD-EN-23:06.loader.asc
[6] https://www.freebsd.org/security/advisories/FreeBSD-EN-23:05.tzdata.asc
[7] https://curl.se/changes.html#8_1_2
[8] https://web.mit.edu/kerberos/krb5-1.21/
[9] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_90.html
[10] https://www.ntp.org/support/securitynotice/
[11] https://www.openssh.com/txt/release-9.3p2
[12] https://www.openssl.org/news/openssl-1.1.1-notes.html
[13] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.5
[14] https://github.com/phalcon/cphalcon/releases/tag/v5.2.2
[15] https://www.php.net/ChangeLog-8.php#8.1.20
[16] https://docs.python.org/release/3.9.17/whatsnew/changelog.html
[17] http://www.squid-cache.org/Versions/v5/squid-5.9-RELEASENOTES.html
[18] https://github.com/opnsense/core/issues/6308
[19] https://suricata.io/2023/06/15/suricata-6-0-13-released/

[franco]

A hotfix release was issued as 23.4.2_1:

o system: fix data cleansing issue in "column_count" and "sequence" values on dashboard
o ports: krb5 1.21.2[8]
o ports: python 3.9.18[20]

--
[20] https://docs.python.org/release/3.9.18/whatsnew/changelog.html