OPNsense 23.7.7 released

[franco]

Good morning from Europe,

The user experience of several pages has been improved.  And this update is
also shipping several FreeBSD-based changes for further reliability as well
as core fixes and improvements as they came up on GitHub or the forum in the
last weeks.

A word of caution for third party repository users.  FreeBSD currently changes
a number of things in their ecosystem.  The first change is the move of the
"openssl" package to "openssl111" since the former is now based on version 3.
This can and likely will disrupt updates of third party packages not having
followed this change.  While we want to use OpenSSL 3 eventually being in
the middle of a stable run is not the time and place to do it.  Secondly,
FreeBSD makes its port stop relying on ca_root_nss package trust store
provided by Mozilla which introduces technical barriers for integration of
our own trust store.  This update changes curl to not use the old bundle
files, but then also ensures that the base system will register all CA
certificates brought in by our trust store as well.  The biggest caveat at
the moment is that this process is slower than before and may end up
untrusting user CAs if they happen to be on the FreeBSD-provided untrusted
list.  During upgrades you will see when it writes the trust files and bundles
and if any errors occur.

In both instances we feel nothing can be gained in postponing these changes
so we are carrying them out swiftly after ensuring they do the right thing for
our user base and voicing our reservations where it matters.

You can also find and follow us on Bluesky now:

https://bsky.app/profile/opnsense.org

Here are the full patch notes:

o system: rewrite trust integration for certctl use
o system: improve UX on new configuration history page
o system: update recovery pattern for /etc/ttys
o system: improve service sync UX on high availability settings page
o system: migrate gateways to model representation
o system: detect a on/off password shift when syncing user accounts
o system: improve backup restore area selection
o system: keep polling if watcher cannot load a class to fetch status
o system: add "Constraint groups" option to LDAP authentication
o reporting: refactor RRD data retrieval and simplify health page UX
o interfaces: make link-local VIPs unique per interface
o interfaces: make VIPs sortable and searchable
o interfaces: improve assignments page UX and simplify its bridge validation
o interfaces: allow multiple IP addresses in DHCP reject clause (contributed by Csaba Kos)
o interfaces: enable IPv6 early on trackers
o interfaces: do not reload filter in rc.linkup
o interfaces: add input validations to VXLAN model (contributed by Monviech)
o interfaces: add NO_DAD flag to static IPv6 configurations
o interfaces: fix config locking when deleting a VIP node
o firewall: sort auto-generated rules by priority set
o firewall: fix regression in BaseContentParser throwing an error
o firmware: stop using the "pkg+http(s)" scheme which breaks using newer pkg 1.20
o ipsec: count user in "Overview" tab and improve "Mobile Users" tab (contributed by Monviech)
o ipsec: make description in connections required (contributed by Michael Muenz)
o ipsec: connection proposal sorting and additions
o lang: assorted updates and completed French translation
o openvpn: change verify-client-cert to a server only setting and fix validation
o openvpn: do not flush state table on linkdown
o unbound: avoid dynamic reloads when possible
o unbound: add support for wildcard domain lists
o unbound: improved UX of the overrides page
o backend: pluginctl: improve listing plugins of selected type
o mvc: add hasChanged() to detect changes to the config file
o mvc: allow empty value in UniqueConstraint if not required by field
o mvc: improve field validation message handling
o mvc: fix regression in PortField with setEnableAlias() that would lowercase alias names
o mvc: style update in diagnostics, firewall, intrusion detection and ipsec models
o ui: fix the styling of the base form button when overriding the label
o ui: trigger change message on toggle and delete
o plugins: os-nginx 1.32.2[1]
o plugins: os-radsecproxy fixes for stale rc script / pidfile issues
o plugins: os-rspamd 1.13[2]
o plugins: os-theme-ciada fix for previous regression
o plugins: os-wireguard 2.4[3]
o src: pf: enable the syncookie feature for IPv6
o src: pflog: log packet dropped by default rule with drop
o src: re: add Realtek Killer Ethernet E2600 IDs
o src: libnetmap: fix interface name parsing restriction
o src: tun/tap: correct ref count on cloned cdevs
o src: bpf: fix writing of buffer bigger than PAGESIZE
o src: net: check per-flow priority code point for untagged traffic
o src: libpfctl: implement status counter accessor functions
o src: pf: expose syncookie active/inactive status
o src: iavf: add explicit ifdi_needs_reset for VLAN changes
o src: vmxnet3: do restart on VLAN changes
o src: iflib: invert default restart on VLAN changes
o src: pf: fix state leak
o ports: curl 8.4.0[4]
o ports: lighttpd 1.4.72[5]
o ports: nss 3.94[6]
o ports: openssl111 supersedes openssl package
o ports: perl 5.36.1[7]
o ports: suricata 6.0.15[8]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/23.7/www/nginx/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/23.7/mail/rspamd/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/23.7/net/wireguard/pkg-descr
[4] https://curl.se/changes.html#8_4_0
[5] https://www.lighttpd.net/2023/10/6/1.4.72/
[6] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_94.html
[7] https://perldoc.perl.org/5.36.1/perldelta
[8] https://suricata.io/2023/10/19/suricata-6-0-15-released/

[franco]

A hotfix release was issued as 23.7.7_1:

o firmware: speed up saving the firmware settings by avoiding the newly extended trust store rewrite
o firmware: opnsense-update: fix mirror replacement broken by pkg 1.20 compatibility effort

A hotfix release was issued as 23.7.7_3:

o reporting: fix regression in single measurement RRD data reads
o ipsec: re-add previously missing PRF hashing options to GCM cipher selection