OPNsense business edition 21.4.3 released

franco:
This business release is based on the OPNsense 21.1.8 community version
with additional reliability improvements.

The OpenVPN advisory tracked as CVE-2020-15078 does not affect the provided
version 2.4.11, but the security audit will falsely flag it as vulnerable
because the source of the audit is FreeBSD, where OpenVPN was already migrated
to the 2.5 series.

API errors during the update can appear but are a harmless side effect of
the MVC framework major version transition to Phalcon 4.  The system will
reboot as normal.  Make sure to clear your browser cache if the check for
updates does not seem to work afterwards and/or double-check with a different
browser.

Here are the full patch notes:

o system: use ifinfo counters instead of pfctl in interface widget
o system: prevent excessive config writes on LDAP import
o system: do not split XMLRPC password into multiple pieces
o system: fix IPv4 /31 assignment address assignment in shell
o system: raised PHP memory limit to 1G
o system: enable group sync for LDAP servers that do not return memberOf (contributed by rdd2)
o system: isvalidpid() is not required for a single killbypid()
o system: hide far gateway option for IPv6
o system: Norwegian translation (contributed by Stein-Aksel Basma)
o system: add HA sync entry for live log templates
o system: add shell inactivity timeout feature for csh/tcsh
o system: add Syslog-ng TLS transport options
o system: remove unrelated service restarts from filter_configure_xmlrpc()
o system: rotate interface statistics widget (contributed by FingerlessGloves)
o interfaces: clear PPPoE SLAAC addresses on linkdown
o interfaces: do not check for existing CARP interfaces midstream
o interfaces: refactor IP address removal on configure
o interfaces: set tunnel flag for IPv4 tunnel plus cleanups
o interfaces: interface_configure() checks for enabled already
o firewall: make sure net.pf.request_maxcount and table-entries are always aligned
o firewall: add live log support for new filterlog format
o firewall: set label for obsolete rule in live log (contributed by kulikov-a)
o firewall: let live log use the newly provided rule log label instead of guessing it
o firewall: calculate wildcard netmasks in aliases
o dhcp: fix processing domain search list on static IPv6
o dhcp: support ignore-client-uids in DHCPv4 (contributed by Kacper Why)
o firmware: mask subscription in GUI output
o firmware: add version/date header into check script as well
o firmware: show update pending hint in system widget
o firmware: add "-q" option for in-place opnsense-bootstrap run
o firmware: fix grep call on FreeBSD 13 (contributed by Mariusz Zaborski)
o firmware: correct return code on type change in opnsense-update
o firmware: fix opnsense-code pull when ABI configuration is no longer there
o firmware: fix upgrade with multiple repositories enabled
o installer: assorted wording improvements
o openvpn: fix invalid rules generated by wizard (contributed by kulikov-a)
o openvpn: return empty list when /api/openvpn/export/accounts/ is called without parameters
o console: throw error when opnsense-importer encounters an encrypted config.xml
o mvc: catch all errors including syntax and class not found errors
o mvc: bring back bind_textdomain_codeset() to fix possible faulty page rendering
o mvc: migrated framework to Phalcon 4
o mvc: return UUID in ApiMutableModelControllerBase::validateAndSave() if applicable
o plugins: added variants support to share plugin code over different third-party software versions
o plugins: added NO_ABI marker to themes
o plugins: remove the use of $main_buttons in relevant code
o plugins: compatibility fixes with Phalcon 4
o plugins: os-acme-client 2.6[1]
o plugins: os-etpro-telemetry 1.5 exclude stale data from telemetry upload
o plugins: os-freeradius 1.9.15[2]
o plugins: os-haproxy 3.4[3]
o plugins: os-maltrail 1.8[4]
o plugins: os-nut 1.8[5]
o plugins: os-telegraf 1.11.0[6]
o plugins: os-zabbix-agent 1.9[7]
o plugins: os-zabbix4-proxy is now a plugin variant
o plugins: os-zabbix5-proxy is now a plugin variant
o src: axgbe: make sure driver works on V1000 platform and remove unnecessary reset
o src: axgbe: remove unnecessary packet length check
o ports: clog 1.0.2 fixes garbage header write on init
o ports: curl 7.78.0[8]
o ports: filterlog adds CARP IPv6 support and moves label to previously reserved spot
o ports: isc-dhcp 4.4.2-P1[9]
o ports: libxml 2.9.12[10]
o ports: nss 3.67[11]
o ports: openldap 2.4.59[12]
o ports: pcre2 10.37[13]
o ports: phalcon 4.1.2[14]
o ports: php 7.4.20[15]
o ports: sudo 1.9.7p1[16]
o ports: suricata 5.0.7[17]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/21.1/security/acme-client/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/21.1/net/freeradius/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/21.1/net/haproxy/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/21.1/security/maltrail/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/21.1/sysutils/nut/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/21.1/net-mgmt/telegraf/pkg-descr
[7] https://github.com/opnsense/plugins/blob/stable/21.1/net-mgmt/zabbix-agent/pkg-descr
[8] https://curl.se/changes.html#7_78_0
[9] https://downloads.isc.org/isc/dhcp/4.4.2-P1/dhcp-4.4.2-P1-RELNOTES
[10] http://www.xmlsoft.org/news.html
[11] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.67_release_notes
[12] https://www.openldap.org/software/release/changes.html
[13] https://www.pcre.org/changelog.txt
[14] https://github.com/phalcon/cphalcon/releases/tag/v4.1.2
[15] https://www.php.net/ChangeLog-7.php#7.4.20
[16] https://www.sudo.ws/stable.html#1.9.7p1
[17] https://redmine.openinfosecfoundation.org/versions/166

franco:
Today the following hotfix was published:

o ports: openssl 1.1.1l[1]

[1] https://www.openssl.org/news/openssl-1.1.1-notes.html

franco:
A hotfix release was issued as 21.4.3_8:

o system: prevent expired or intermediate CA certificates from being added to trust store by default
o system: fix unescaped source field used for password in backup plugins
o firewall: fix long comment preventing IPFW reload (contributed by Robin Schneider)
o firmware: enable upgrade path to 21.10
o firmware: undo masking vulnerability URLs in FreeBSD due to UUID use
o firmware: correctly announce major upgrade reboot in status return
o firmware: do not fetch GeoIP database from business mirrors without a subscription
o backend: catch broken pipe on event handler (contributed by kulikov-a)
