OPNsense 24.7.5 released

[franco]

A good day to you all,

This release removes significant processing overhead from larger setups
due to being able to coalesce parallel configuration requests for the same
component instead of iterating over the list of selected interfaces one
by one.  A number of third party software updates and FreeBSD security
advisories are included as well.

This update also disables NUMA by default which can bring a boost in
network throughput on affected systems.  And of course we are still
working on dashboard improvements so now the treasured picture widget
is back with a better integration approach.

Also take note that the NTP default changes to "restrict noquery" so that
the system cannot externally be queried for revealing system internals
anymore unless explicitly allowed.

The technical stuff out of the way we would simply like to add that we
had a great time at EuroBSDCon in Dublin over the weekend.  Lots of good
and productive conversations.  Looking forward to more of those!  :)

Here are the full patch notes:

o system: update default dashboard layout and include the services widget
o system: render header for failed active widgets to allow identification and removal
o system: add ability for widget referral links
o system: cleaned up ACL definitions and use thereof
o system: add a picture widget
o system: default to vm.numa.disabled=1
o system: handle log lines with no timestamp (contributed by Iain MacDonnell)
o system: use interface maps in system_routing_configure() and dpinger_configure_do()
o system: when only selecting TLS1.3 ciphers make sure to only allow 1.3 as well in web GUI
o system: move web GUI restart to newwanip_map / plugins_argument_map() use
o interfaces: move compatible event listeners to newwanip_map
o interfaces: decouple PPP configure/reset from IPv4/IPv6 modes
o interfaces: move legacy RFC2136 invoke to plugin hook
o interfaces: add "spoofmac" device option and enforce it
o interfaces: prevent CARP VIP removal when VHID group is in use by IP aliases
o interfaces: routing configuration on changed interfaces only during apply
o firmware: opnsense-update: support unescaped mirror input (contributed by Michael Gmelin)
o firmware: opnsense-verify: show repository priority while listing active repositories
o ipsec: convert to vpn_map event invoke and plugins_argument_map() use
o monit: fix undefined function error in CARP script
o network time: enable "restrict noquery" by default (contributed by doktornotor)
o openssh: port to plugins_argument_map()
o openvpn: validate "Auth Token Lifetime" to require a non-zero renegotiate time in instances
o openvpn: convert to vpn_map event invoke and plugins_argument_map() use
o wireguard: convert to vpn_map event invoke
o ui: refine cookie policies and make them explicit
o plugins: add plugins_argument_map() helper
o plugins: os-caddy 1.7.1[1]
o src: bhyve: improve input validation in pci_xhci[2]
o src: libnv: correct the calculation of the size of the structure[3]
o src: ifnet: Remove if_getamcount()
o src: ifnet: Add handling for toggling IFF_ALLMULTI in ifhwioctl()
o src: ifconfig: Add an allmulti verb
o src: date: include old and new time in audit log
o src: bpf: Add IfAPI analogue for bpf_peers_present()
o src: pf: use AF_INET6 when comparing IPv6 addresses
o src: if_ovpn: ensure it is safe to modify the mbuf
o src: if_ovpn: declare our dependency on the crypto module
o ports: curl 8.10.0[4]
o ports: dhcp6c 20240919 reintroduced fixed arc4random() usage
o ports: expat 2.6.3[5]
o ports: libpfctl 0.13
o ports: libxml 2.11.9[6]
o ports: nss 3.104[7]
o ports: python 3.11.10[8]
o ports: sudo 1.9.16[9]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/24.7/www/caddy/pkg-descr
[2] https://www.freebsd.org/security/advisories/FreeBSD-SA-24:15.bhyve.asc
[3] https://www.freebsd.org/security/advisories/FreeBSD-SA-24:16.libnv.asc
[4] https://curl.se/changes.html#8_10_0
[5] https://github.com/libexpat/libexpat/blob/R_2_6_3/expat/Changes
[6] https://gitlab.gnome.org/GNOME/libxml2/-/blob/master/NEWS
[7] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_104.html
[8] https://docs.python.org/release/3.11.10/whatsnew/changelog.html
[9] https://www.sudo.ws/stable.html#1.9.16

[franco]

A hotfix release was issued as 24.7.5_3:

o system: due to observed timing issues avoid the use of closelog()
o openvpn: fix "auth-gen-token" being supplied in server mode