OPNsense 24.7.10 released

[franco]

Hi there,

This ships a number of base system changes, kernel fixes and driver
updates.  The time-loop authentication change is back with the fixed
TOTP case and the Unbound domain overrides are now found in query
forwarding since this offers the same functionality anyway.

With the year almost over we are shifting focus to finishing the items
on the roadmap and it is nice to note that the MVC/API conversions are
already over 75% complete.  That means it will not take another decade
to migrate the other 25%. 

Here are the full patch notes:

o system: readd a "time-loop" around authentication for failed attempts
o system: remove the SSL bundles in default locations
o system: prevent JS crashing out when dashboard widget title is not set
o system: use system instead of sample defaults when reverting tunables
o system: report actual LAN address being used after factory reset
o interfaces: use Autoconf class to avoid raw ifctl file access
o interfaces: remove ancient MAC address trickery to unbreak hostapd
o interfaces: add missing neighbor and DNS lookup page ACL entries
o interfaces: PPP device page ACL missed getserviceproviders.php
o firmware: force CRL check on development deployment
o firmware: use REQUEST to print a TLS/CRL usage hint
o firmware: improved output helpers and associated cleanup in audit scripts
o firmware: opnsense-update: add support for regression tests set
o intrusion detection: limit stats.log logging (contributed by doktornotor)
o kea-dhcp: add dhcp-socket-type option (contributed by Till Niederauer)
o kea-dhcp: add MAC formatter to leases page (contributed by cpalv)
o openvpn: support case-insensitive strict user CN matching for instances
o unbound: move domain overrides to query forwarding
o mvc: let JsonKeyValueStoreField cache configd call for the duration of the session
o mvc: another batch of sessionClose() cleanups in controllers
o mvc: cleanup in ApiMutableServiceControllerBase
o mvc: fix hint display for "0"
o ui: restore right tab border in standard theme
o plugins: os-caddy 1.7.5[1]
o plugins: os-debug 1.7[2]
o src: atf/kyua: ship regression tests runtime support
o src: if_bridge: mask MEXTPG if some members do not support it
o src: if_tuntap: enable MEXTPG support
o src: ice: update to 1.43.2-k et al
o src: ipsec: fix IPv6 over IPv4 tunneling
o src: ixgbe: add support for 1Gbit (active) DAC links
o src: ixgbe: sysctl for TCP flag handling during TSO
o src: jail: expose children.max and children.cur via sysctl
o src: libfetch: add the error number to verify callback failure case
o src: netlink: assorted stable backports
o src: pf: prevent SCTP-based NULL dereference in pfi_kkif_match()
o src: pf: let rdr rules modify the src port if doing so would avoid a conflict
o src: pf: make pf_get_translation() more expressive
o src: pf: let pf_state_insert() handle redirect state conflicts
o src: pf: fix wrong pflog action in NAT rule
o src: pf: fix potential state key leak
o src: rc: ignore INSYDE BIOS placeholder UUID for /etc/hostid
o src: route: fix failure to add an interface prefix route when route with the same prefix is already presented in the routing table
o src: route: route: avoid overlapping strcpy
o src: sfxge: defer ether_ifattach to when ifmedia_init is done
o ports: curl 8.11.0[3]
o ports: expat 2.6.4[4]
o ports: nss 3.107[5]
o ports: openldap 2.6.9[6]
o ports: php 8.2.26[7]
o ports: sudo 1.9.16p2[8]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/24.7/www/caddy/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/24.7/devel/debug/pkg-descr
[3] https://curl.se/changes.html#8_11_0
[4] https://github.com/libexpat/libexpat/blob/R_2_6_4/expat/Changes
[5] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_107.html
[6] https://www.openldap.org/software/release/changes.html
[7] https://www.php.net/ChangeLog-8.php#8.2.26
[8] https://www.sudo.ws/stable.html#1.9.16p2

[franco]

A hotfix release was issued as 24.7.10_1:

o unbound: use tls-cert-bundle to point to remaining valid bundle

[franco]

Please note we had to hotfix the kernel which will not reinstall
automatically if you caught the bad version.  If you experience
panics on 24.7.10 relating to pf(4) please reinstall from the GUI
(which includes an automatic reboot) or run "opnsense-update -fk"
from the shell followed by a manual reboot.  The correct kernel
identifies itself as "stable/24.7-n267981-8375762712f" using
"uname -v".

A hotfix release was issued as 24.7.10_2:

o system: fix TOTP regression when used with LDAP
o src: reverted "pf: fix potential state key leak" due to reported panics
o src: netlink: allow force remove on pinned delete from route binary