OPNsense 24.10.2 business edition released

Started by franco, February 04, 2025, 02:21:34 PM

This business release is based on the OPNsense 24.7.12 community version
with additional reliability improvements.

Here are the full patch notes:

o system: add a "time-loop" around authentication for failed attempts
o system: remove the SSL bundles in default locations
o system: prevent JS crashing out when dashboard widget title is not set
o system: use system instead of sample defaults when reverting tunables
o system: report actual LAN address being used after factory reset
o system: fix TOTP regression when used with LDAP
o system: show multiple SAN entries when supplied by the certificate
o system: traffic dashboard widget should persist interface identifiers
o system: reset dashboard widget options to the default if none of the options match
o system: mismatch in returned "change" attribute for route toggle
o system: suppress XML parse errors in announcement widget when forum is unreachable
o system: catch PHP errors for Google Drive backups
o system: ignore plugins_interfaces() errors in write_config()
o system: fix snapshot ACL
o system: re-enable support for subjectAltName when creating CSRs
o system: remove spurious backup() during config revert
o reporting: add daemon -f parameter to close file descriptors for NetFlow local capture (contributed by Ben Smithurst)
o interfaces: use Autoconf class to avoid raw ifctl file access
o interfaces: remove ancient MAC address trickery to unbreak hostapd
o interfaces: add missing neighbor and DNS lookup page ACL entries
o interfaces: PPP device page ACL missed getserviceproviders.php
o interfaces: reload GUI in the background
o dhcp: allow radvd to use /128 CARP VIP as source
o firewall: remove faulty PPP exclusion in scrubbing rule creation
o firmware: improved output helpers and associated cleanup in audit scripts
o firmware: opnsense-update: add support for regression tests set
o firmware: add "configctl firmware changelog current" backend command
o firmware: refactor lock/unlock scripts using new output helpers
o firmware: opnsense-code: support for origin selection during upgrade mode
o firmware: opnsense-patch: improve patch behaviour for non-default account/repositories combinations
o firmware: fix the return value handling in the firmware option of the console menu
o firmware: use output_cmd/output_txt helpers in remaining scripts
o firmware: disable duckdb migration for stable transition again
o intrusion detection: limit stats.log logging (contributed by doktornotor)
o ipsec: remove hashing algorithm from null cipher
o ipsec: fix mobile clients reload missing system.inc
o isc-dhcp: IPv6 prefixes script can fail to restart (contributed by Ben Smithurst)
o kea-dhcp: add dhcp-socket-type option (contributed by Till Niederauer)
o kea-dhcp: add MAC formatter to leases page (contributed by cpalv)
o kea-dhcp: align hostname validation with manual host entries
o kea-dhcp: add "match-client-id" in subnet definitions
o openvpn: support case-insensitive strict user CN matching for instances
o unbound: move domain overrides to query forwarding
o unbound: use tls-cert-bundle to point to remaining valid bundle
o unbound: fixup permission on copy
o mvc: let JsonKeyValueStoreField cache configd call for the duration of the session
o mvc: another batch of sessionClose() cleanups in controllers
o mvc: cleanup in ApiMutableServiceControllerBase
o mvc: fix hint display for "0"
o mvc: last batch of sessionClose() cleanups in controllers
o mvc: call initialize() after authentication
o mvc: normalize multiple slashes in paths
o mvc: fix a regression in "normalize multiple slashes in paths"
o mvc: add serialNumber and issuer in Store::parseX509()
o mvc: restore support for JSON input data without configd callout in JsonKeyValueStoreField
o mvc: fix NetworkValidator for IPv4-mapped addresses with netmask (contributed by John Fieber)
o ui: restore right tab border in standard theme
o ui: add classes to system history diff content so themes can override the defaults
o ui: load CSV as text to prevent encoding issues in SimpleFileUploadDlg()
o plugins: turning binary data into JSON may fail globally
o plugins: os-acme-client 4.7[1]
o plugins: os-caddy 1.8.0[2]
o plugins: os-ddclient 1.26[3]
o plugins: os-debug 1.7[4]
o plugins: os-freeradius 1.9.27[5]
o plugins: os-haproxy 4.4[6]
o plugins: os-mdns-repeater 1.2[7]
o plugins: os-nut 1.9[8]
o plugins: os-qemu-guest-agent 1.3[9]
o plugins: os-squid 1.1[10]
o plugins: os-tailscale 1.1[11] (contributed by Sheridan Computers)
o plugins: os-telegraf 1.12.12[12]
o plugins: os-theme-rebellion 1.9.2 (contributed by Team Rebellion)
o src: atf/kyua: ship regression tests runtime support
o src: if_bridge: mask MEXTPG if some members do not support it
o src: if_tuntap: enable MEXTPG support
o src: ice: update to 1.43.2-k et al
o src: ipsec: fix IPv6 over IPv4 tunneling
o src: ixgbe: add support for 1Gbit (active) DAC links
o src: ixgbe: sysctl for TCP flag handling during TSO
o src: jail: expose children.max and children.cur via sysctl
o src: libfetch: add the error number to verify callback failure case
o src: netlink: assorted stable backports
o src: pf: prevent SCTP-based NULL dereference in pfi_kkif_match()
o src: pf: let rdr rules modify the src port if doing so would avoid a conflict
o src: pf: make pf_get_translation() more expressive
o src: pf: let pf_state_insert() handle redirect state conflicts
o src: pf: fix wrong pflog action in NAT rule
o src: rc: ignore INSYDE BIOS placeholder UUID for /etc/hostid
o src: route: fix failure to add an interface prefix route when route with the same prefix is already presented in the routing table
o src: route: route: avoid overlapping strcpy
o src: sfxge: defer ether_ifattach to when ifmedia_init is done
o src: netlink: allow force remove on pinned delete from route binary
o src: if_ovpn: improve reconnect handling
o src: iflib: set the NUMA domain in receive packet headers
o src: ip: defer checks for an unspecified dstaddr until after pfil hooks
o src: ice_ddp: update to 1.3.41.0
o src: p9fs: add an implementation of the 9P filesystem
o src: tarfs: fix the size of struct tarfs_fid and add a static assert
o src: ext2fs: fix the size of struct ufid and add a static assert
o src: cd9660: make sure that struct ifid fits in generic filehandle structure
o src: audit: fix short-circuiting in syscallenter()
o src: svc.c: check for a non-NULL xp_socket
o src: carp: do not unintentionally revert to multicast mode
o src: netinet: enter epoch in garp_rexmit()
o ports: curl 8.11.1[13]
o ports: expat 2.6.4[14]
o ports: libpfctl 0.15
o ports: monit 5.34.3[15]
o ports: nss 3.107[16]
o ports: openldap 2.6.9[17]
o ports: openvpn 2.6.13[18]
o ports: php 8.2.27[19]
o ports: python 3.11.11[20]
o ports: sudo 1.9.16p2[21]
o ports: suricata 7.0.8[22]


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/24.7/security/acme-client/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/24.7/www/caddy/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/24.7/dns/ddclient/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/24.7/devel/debug/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/24.7/net/freeradius/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/24.7/net/haproxy/pkg-descr
[7] https://github.com/opnsense/plugins/blob/stable/24.7/net/mdns-repeater/pkg-descr
[8] https://github.com/opnsense/plugins/blob/stable/24.7/sysutils/nut/pkg-descr
[9] https://github.com/opnsense/plugins/blob/stable/24.7/emulators/qemu-guest-agent/pkg-descr
[10] https://github.com/opnsense/plugins/blob/stable/24.7/www/squid/pkg-descr
[11] https://github.com/opnsense/plugins/blob/stable/24.7/security/tailscale/pkg-descr
[12] https://github.com/opnsense/plugins/blob/stable/24.7/net-mgmt/telegraf/pkg-descr
[13] https://curl.se/changes.html#8_11_1
[14] https://github.com/libexpat/libexpat/blob/R_2_6_4/expat/Changes
[15] https://mmonit.com/monit/changes/
[16] https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_107.html
[17] https://www.openldap.org/software/release/changes.html
[18] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.13
[19] https://www.php.net/ChangeLog-8.php#8.2.27
[20] https://docs.python.org/release/3.11.11/whatsnew/changelog.html
[21] https://www.sudo.ws/stable.html#1.9.16p2
[22] https://suricata.io/2024/12/12/suricata-7-0-8-released/