Topic: OPNsense business edition 23.10.1 released (Read 7783 times)
franco (Administrator) on December 13, 2023, 02:25:29 pm
This business release is based on the OPNsense 23.7.9 community version
with additional reliability improvements.
Here are the full patch notes:
o system: rewrite trust integration for certctl use
o system: improve UX on new configuration history page
o system: update recovery pattern for /etc/ttys
o system: improve service sync UX on high availability settings page
o system: migrate gateways to model representation
o system: improve backup restore area selection
o system: keep polling if watcher cannot load a class to fetch status
o system: add "Constraint groups" option to LDAP authentication
o system: minor changes related to recent Gateway class refactoring
o system: use unified style for "return preg_match" idiom so the caller receives a boolean
o system: provide mismatching interface logic without reboot on configuration restore
o system: allow new backup API to download latest configuration directly via /api/core/backup/download/this
o system: extend restore to be able to migrate older configurations cleanly
o system: make trust store reload conditional
o system: add SHA-512 password hash compliance option
o system: allow special selector for plugins_configure()
o system: handle broken menu XML files more gracefully
o system: fix PHP warnings and SSH fail on empty "ssh" XML node
o system: fix a couple of PHP warnings in auth server pages
o system: add support for Google Shared drives backup (contributed by Jeremy Huylebroeck)
o system: change wait time to 1 second per round, total of 7 in console prompts
o system: update syslog model
o system: improve config revision audit ability
o system: cleanse system_get_language_code() output
o system: safeguard /tmp/PHP_errors.log file before usage
o reporting: refactor RRD data retrieval and simplify health page UX
o interfaces: make link-local VIPs unique per interface
o interfaces: make VIPs sortable and searchable
o interfaces: improve assignments page UX and simplify its bridge validation
o interfaces: allow multiple IP addresses in DHCP reject clause (contributed by Csaba Kos)
o interfaces: enable IPv6 early on trackers
o interfaces: do not reload filter in rc.linkup
o interfaces: add input validations to VXLAN model (contributed by Monviech)
o interfaces: add NO_DAD flag to static IPv6 configurations
o interfaces: fix config locking when deleting a VIP node
o interfaces: assorted bridge handling improvements
o interfaces: prefer GUAs over ULAs when returning addresses
o interfaces: improve wireless channel parsing
o interfaces: mark WireGuard devices as virtual
o interfaces: update LAGG and loopback models
o interfaces: improve VIP validation, fix broadcast generation
o interfaces: add validation for proxy ARP strict subnet use
o interfaces: move interface list widget link to assignments page
o firewall: fix regression in BaseContentParser throwing an error
o firewall: keep filtered items available longer in live log
o firewall: port can be zero in automatic rule so render it accordingly
o firewall: minor update to shaper model
o firewall: make sure firewall log reading always emits a label
o firewall: fix business bogons set fetch
o firewall: add section for automatic rules being added at the end of the ruleset
o firewall: allow multiple networks given to wrap in the GUI
o captive portal: fix log target
o firmware: stop using the "pkg+http(s)" scheme which breaks using newer pkg 1.20
o firmware: invalidate GUI caches earlier since certctl blocks this longer now
o firmware: add root file system to health audit
o firmware: stop manually adjusting firmware config structure during factory reset
o firmware: clear stray "pkgsave" and "pkgtemp" pkg-upgrade leftovers
o firmware: changed LeaseWeb and NYC BUG mirrors to use HTTPS (contributed by jeremiah-rs)
o firmware: opnsense-update: new "-X" mode for canonical bogons/changelog set fetch URL
o firmware: opnsense-version: support base/kernel hash info
o ipsec: count user in "Overview" tab and improve "Mobile Users" tab (contributed by Monviech)
o ipsec: make description in connections required (contributed by Michael Muenz)
o ipsec: connection proposal sorting and additions
o ipsec: mute ipsec.conf related load errors
o ipsec: fix typo in VTI protocol family parsing
o ipsec: add secondary tunnel address pair for VTI dual-stack purposes
o ipsec: add "aes256-sha256" proposal option (no PFS)
o ipsec: move save button on mobile page into its own container
o lang: assorted updates and completed French translation
o lang: update Chinese, Czech, Italian, Korean, Polish and Spanish
o monit: minor update to model
o openvpn: change verify-client-cert to a server only setting and fix validation
o openvpn: do not flush state table on linkdown
o openvpn: host bits must not be set for IPv4 server directive in instances
o openvpn: obey username_as_common_name setting
o unbound: avoid dynamic reloads when possible
o unbound: improved UX of the overrides page
o unbound: minor update to model
o unbound: remove localhost from automatically created ACL
o web proxy: handle the major update to version 6 and update model
o web proxy: fix setting unknown language directory
o backend: pluginctl: improve listing plugins of selected type
o backend: add physical_interface and physical_interfaces as template helper function
o backend: add file_exists as template helper function
o mvc: add hasChanged() to detect changes to the config file
o mvc: allow empty value in UniqueConstraint if not required by field
o mvc: improve field validation message handling
o mvc: fix regression in PortField with setEnableAlias() that would lowercase alias names
o mvc: style update in diagnostics, firewall, intrusion detection and ipsec models
o mvc: enforce uniqueness and remove validation message in UniqueIdField
o mvc: config should be locked before calling checkAndThrowSafeDelete()
o mvc: instead of failing invalidate a non-match in CSVListField
o mvc: split tree-view template and javascript and hook via controllers
o ui: fix the styling of the base form button when overriding the label
o ui: trigger change message on toggle and delete
o ui: prevent form submit for MVC pages
o ui: improve default modal padding
o ui: upgrade bootstrap-select to v1.13.18
o ui: improve saveFormToEndpoint() UX
o plugins: os-OPNBEcore configuration merge improvements
o plugins: os-OPNProxy adds TLS client certificate validation
o plugins: os-OPNcentral now passes "impersonated_by" revision attribute to connected node
o plugins: os-bind 1.28[1]
o plugins: os-c-icap fix for upstream update syntax error (contributed by Andy Binder)
o plugins: os-ddclient 1.17[2]
o plugins: os-frr 1.37[3]
o plugins: os-net-snmp fix for directory setup (contributed by doktornotor)
o plugins: os-nginx 1.32.2[4]
o plugins: os-openconnect 1.4.5[5]
o plugins: os-rspamd 1.13[6]
o plugins: os-squid adds a meta package for web proxy core removal in 24.1
o plugins: os-theme-ciada fix for previous regression
o plugins: os-wireguard 2.5[7]
o plugins: os-wireguard-go fix for device registration
o src: pf: enable the syncookie feature for IPv6
o src: pflog: log packet dropped by default rule with drop
o src: re: add Realtek Killer Ethernet E2600 IDs
o src: libnetmap: fix interface name parsing restriction
o src: tun/tap: correct ref count on cloned cdevs
o src: bpf: fix writing of buffer bigger than PAGESIZE
o src: net: check per-flow priority code point for untagged traffic
o src: libpfctl: implement status counter accessor functions
o src: pf: expose syncookie active/inactive status
o src: iavf: add explicit ifdi_needs_reset for VLAN changes
o src: vmxnet3: do restart on VLAN changes
o src: iflib: invert default restart on VLAN changes
o src: pf: fix state leak
o src: pfctl: fix incorrect mask on dynamic address
o src: libpfctl: assorted improvements
o src: msdosfs: zero partially valid extended cluster[8]
o src: copy_file_range: require CAP_SEEK capability[9]
o src: fflush: correct buffer handling in __sflush[10]
o src: cap_net: correct capability name from addr2name to name2addr[11]
o src: regcomp: use unsigned char when testing for escapes[12]
o src: clang: sanitizer failure with ASLR enabled[13]
o src: dhclient: do not add 0.0.0.0 interface alias
o src: ice: match irdma interface changes
o src: ixv: separate VFTA table for each interface
o src: pf: expose more syncookie state information to userspace
o src: pf: fix mem leaks upon vnet destroy
o src: pf: remove incorrect fragmentation check[14]
o src: rc: fix restart _precmd issue with _setup
o src: re: add support for 8168FP HW rev
o src: zfs: check dnode and its data for dirtiness in dnode_is_dirty()[15]
o ports: curl 8.4.0[16]
o ports: lighttpd 1.4.73[17]
o ports: nss 3.94[18]
o ports: openssl111 supersedes openssl package
o ports: openvpn 2.6.8[19]
o ports: perl 5.36.1[20]
o ports: php 8.2.12[21]
o ports: sqlite 3.44.0[22]
o ports: squid 6.5[23]
o ports: strongswan 5.9.13[24]
o ports: sudo 1.9.15p2[25]
o ports: suricata 6.0.15[26]
o ports: unbound 1.19.0[27]
Stay safe,
Your OPNsense team
--
[1] https://github.com/opnsense/plugins/blob/stable/23.7/dns/bind/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/23.7/dns/ddclient/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/23.7/net/frr/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/23.7/www/nginx/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/23.7/security/openconnect/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/23.7/mail/rspamd/pkg-descr
[7] https://github.com/opnsense/plugins/blob/stable/23.7/net/wireguard/pkg-descr
[8] https://www.freebsd.org/security/advisories/FreeBSD-SA-23:12.msdosfs.asc
[9] https://www.freebsd.org/security/advisories/FreeBSD-SA-23:13.capsicum.asc
[10] https://www.freebsd.org/security/advisories/FreeBSD-SA-23:15.stdio.asc
[11] https://www.freebsd.org/security/advisories/FreeBSD-SA-23:16.cap_net.asc
[12] https://www.freebsd.org/security/advisories/FreeBSD-EN-23:14.regcomp.asc
[13] https://www.freebsd.org/security/advisories/FreeBSD-EN-23:15.sanitizer.asc
[14] https://www.freebsd.org/security/advisories/FreeBSD-SA-23:17.pf.asc
[15] https://www.freebsd.org/security/advisories/FreeBSD-EN-23:16.openzfs.asc
[16] https://curl.se/changes.html#8_4_0
[17] https://www.lighttpd.net/2023/10/30/1.4.73/
[18] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_94.html
[19] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.8
[20] https://perldoc.perl.org/5.36.1/perldelta
[21] https://www.php.net/ChangeLog-8.php#8.2.12
[22] https://sqlite.org/releaselog/3_44_0.html
[23] http://www.squid-cache.org/Versions/v6/squid-6.5-RELEASENOTES.html
[24] https://github.com/strongswan/strongswan/releases/tag/5.9.13
[25] https://www.sudo.ws/stable.html#1.9.15p2
[26] https://suricata.io/2023/10/19/suricata-6-0-15-released/
[27] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-19-0
Reply #1 by franco (Administrator) on January 02, 2024, 11:26:25 am
A hotfix release was issued as 23.10.1_2:
o firewall: fix traceback in OpenVPN group alias due to wrong return type
o firewall: fix missing physical_interface() in shaper template
o ports: openssh 9.6p1[28]
[28] https://www.openssh.com/txt/release-9.6