
16.1 Development Milestones


franco:
Why hello there,

It's almost time. A lot has happened. We are super excited. And we're definitely on time with 16.1. :)

Most of the additions have already been rolled out, while some have not. The menu and layout rework has been carried out and moved to 15.7 for early access. It's been a tremendous switch from the previous major release in terms of look and feel, moving through the GUI is way more consistent and efficient. One could say the GUI got out of the way to enable users to do what they want. There's also firmware plugin management support now. And probably something important that we forget.

On the other hand, the captive portal implementation switch is imminent and FreeBSD 10.2 underneath will help newer hardware to run more smoothly. Translations diverged and progressed quite a bit in the development version, it was impossible to merge it back into 15.7 without losing half of it, but it'll be worth the wait with many additions for German and French.

And here is a thorough list of key points:

o switched to FreeBSD 10.2 for latest driver support
o seamless firmware transition from OpenSSL to LibreSSL and back
o use the more flexible tmpfs instead of mfs for memory disk mode
o fine-grained firmware packages and plugins management
o parallel opnsense-devel package for development previews
o redesigned the menu presentation for clarity and consistency (almost no more tabs, status and diagnostic settings merged into their respective place in system, vpn, firewall and services)
o layout: reduced the previously excessive padding and removed spurious container wrappings from forms
o log pages usability has been improved by providing a useful tag type search filter to drill down into the log contents
o firmware mirror selection support
o revised LDAP bindings and user import
o improved the crash reporter to be a general tool for direct bug submission
o revised and refreshed all System, Interfaces, VPN and Firewall pages
o only 3 images for all of 15.7 instead of one per minor release (3 images vs. 26 releases total says a lot about stability and security in 6 months, maybe we can get this down to 1 image in all of 16.1)
o added hotplug support for the menu and page access control
o replaced RRD graph frontend with a modern and flexible D3.js alternative
o greatly improved the usability of the translation
o added a central hub for translation contributions at https://translate.opnsense.org
o improved overall security of the code e.g. by fixing https://www.exploit-db.com/exploits/39038/ a few months earlier than announced
o rewrote the captive portal using new components and better sandboxing + authentication/accounting
o plugins for VMware and Xen for seamless guest integration
o added the simple rc.syshook framework for persistent service start/stop and custom scripting
o introduced a pluggable authentication backend for easier integration of new methods
o steady stream of French and German language updates
o the API gained a machine key authentication mechanism
o new IPS support using FreeBSD's netmap and the latest and greatest Suricata 3.0
o introduced the opnsense-bootstrap utility which can transform a stock FreeBSD securely into OPNsense
o assorted user experience treatments in the firewall section
o introduced opnsense-sign and opnsense-verify to tie arbitrary file signing directly to FreeBSD's pkg readily available key store mechanisms
o rolled out opnsense-update using the new fingerprint verification for kernel and base upgrades
o the nifty quick search feature! (<tab> -- type -- <enter> -- done)
o unbound DNS resolver now supports MX records
o automatic PHP extensions detection for plugins or custom additions
o compressed blacklist support for the proxy server


Feel free to discuss, comment or ask questions. We'd love to hear what you think (and still miss). :)


Cheers,
Ad, Franco and Jos

fabian:
I would like to say thanks for your great work.

interfaSys:
I'm confused by this:


--- Quote --- improved overall security of the code e.g. by fixing https://www.exploit-db.com/exploits/39038/ a few months earlier than announced
--- End quote ---

There is an exploit in the wild and the current release version hasn't been patched, but the dev version has? And the original plan was to wait a few months?

I'm new to the project and trying to understand how I would patch our instance against 0days.

Aadolf:
Great Work...
Thanks.

franco:

--- Quote from: interfaSys on January 11, 2016, 11:58:42 pm ---There is an exploit in the wild and the current release version hasn't been patched, but the dev version has? And the original plan was to wait a few months?

I'm new to the project and trying to understand how I would patch our instance against 0days.

--- End quote ---

Well, there are two types of releases... one is the development release, the other one is the stable release. When a stable release is out, the development version is updated as well. This gives us the opportunity to try new features or tricky patches without jeopardising the stable version. Usually, after a release or two, the changes from the development version are moved to the stable version as well. The list you're seeing here is partially integrated in the 15.7 series for this reason.

For security and bug fixes we go straight for the release version so simply staying up to date with 15.7.x (or 16.1.x soon enough) will be all one has to do as a user in order to stay safe.

With that being said since we are a pfSense fork we shared a lot of the same code base at one point, so generally this LFI vulnerability must be checked against in our code. However, the vulnerability in question was released in December and has since been fixed by pfSense, but was fixed in OPNsense in June and September, respectively, as part of general sanity cleanups.

https://github.com/opnsense/core/commit/43ae21efc3cfff404
https://github.com/opnsense/core/commit/f5eb5ea80e27a79

It stands as a good example of how we've cleaned up the code since we've forked. There have been many more such cases, too many to track or tie to explicit vulnerabilities.

I hope this helps. :)
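The post above refers to a local file inclusion (LFI) class of bug shared with the pfSense code base. As an added illustration of what "checking against" such a bug looks like, and not code from OPNsense, pfSense or the linked commits, here is the vulnerable pattern next to a hardened one. The function names, the `page` parameter and the `pages/` directory layout are hypothetical, and the probe strings are constructed for the demonstration.

```php
<?php
// Added example, not project code. Demonstrates an include driven by a
// request parameter (the LFI pattern) and a hardened replacement.
// Names (render_page_vulnerable, resolve_page, render_page_hardened) are
// hypothetical.

// Vulnerable: the client value is joined onto a path and included as-is.
// A value such as "../../../../etc/passwd" walks out of $baseDir, so any
// file readable by the web server process can be pulled into the response.
function render_page_vulnerable(string $baseDir, string $page): void
{
    include $baseDir . '/' . $page . '.php';
}

// Hardened: the client value is only ever a key into a fixed allowlist, and
// the resolved path is re-checked to sit under $baseDir as defence in depth
// (in case the allowlist is later edited carelessly or $baseDir is a symlink).
// Returns the canonical path, or null when the request must be rejected.
function resolve_page(string $baseDir, string $page): ?string
{
    static $allowed = ['status', 'diagnostics', 'firewall'];
    if (!in_array($page, $allowed, true)) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $page . '.php');
    if ($base === false || $real === false) {
        return null;
    }
    // realpath() collapses ".." segments and symlinks. Compare with a trailing
    // separator so a sibling such as "/srv/pages-evil" cannot match "/srv/pages".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

function render_page_hardened(string $baseDir, string $page): void
{
    $path = resolve_page($baseDir, $page);
    if ($path === null) {
        http_response_code(400);
        echo "invalid page\n";
        return;
    }
    include $path;
}

// Stand-alone demo with a constructed page directory in the temp folder.
$baseDir = sys_get_temp_dir() . '/lfi_demo_' . getmypid() . '/pages';
mkdir($baseDir, 0700, true);
file_put_contents($baseDir . '/status.php', "<?php echo \"status page\\n\";\n");

render_page_hardened($baseDir, 'status');   // legitimate request

// Constructed traversal probes of the kind a scanner sends; all are rejected
// by the allowlist before any filesystem call is made.
foreach (['../../../../etc/passwd', 'status/../../status', '/etc/passwd', "status\0"] as $probe) {
    render_page_hardened($baseDir, $probe);
}

// Cleanup of the constructed directory.
unlink($baseDir . '/status.php');
rmdir($baseDir);
rmdir(dirname($baseDir));
```

The allowlist is the actual fix: user input never becomes part of a filename, it only selects a name the application already knows. The `realpath()` prefix comparison is a second, independent barrier rather than a substitute for it, since string checks on a raw path (stripping `..`, rejecting `/`) are easy to get subtly wrong.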
