OPNsense 25.4.3 business edition released

Started by franco, September 03, 2025, 10:37:23 AM

This business release is based on the OPNsense 25.4.2 business version
with additional reliability improvements and adds Dnsmasq DHCP support.

A new US-based business mirror has been added.  To accommodate upcoming
certificate renewals, our behaviour of libfetch CRL checking was slightly
changed to omit a missing CRL warning on leaf certificates that certificate
vendors do not typically offer in the first place.  When certificates are
going to be replaced on the business mirrors in October due to pending
renewal, all versions prior to 25.4.3 will print the spurious warning that
no CRL was provided for the leaf certificate, but CRL checking will still be
carried out as usual and the warning will still be printed when a signing
CA certificate does not publicly provide its CRL to check against.

Here are the full patch notes:

o system: increase log file download timeout to prevent exit before data has returned
o system: prevent misconfigurations with the "Automatic user creation" authentication option
o system: prevent the root user from changing its name
o interfaces: capture netmap ring when listening on interfaces in netmap mode
o dnsmasq: add full DHCP/RA support
o firmware: abort on what appear to be partial updates due to obscure file errors
o firmware: add US east coast mirror for business edition
o ipsec: passthrough networks setting missed "allow new" flag
o kea-dhcp: ignore encoding errors in lease parser
o src: libfetch: ignore leaf certificates missing CRL which in practice is not offered by most authorities
o src: libarchive: update to 3.8.1 to fix integer overflow leading to double free[1]
o src: route: fix "route -n monitor" when its output is redirected[2]


Stay safe,
Your OPNsense team

--
[1] https://www.freebsd.org/security/advisories/FreeBSD-SA-25:07.libarchive.asc
[2] https://www.freebsd.org/security/advisories/FreeBSD-EN-25:14.route.asc