Hi everyone,
This update brings several reliability and security improvements as usual. Our LibreSSL fans will notice that version 2.3 has finally been replaced with 2.4, and we switched to position-independent executables in our base system to make good use of HardenedBSD ASLR.
Another hot topic is the addition of a Czech translation to the release. Many thanks to pavelb for making that happen!
Overall progress towards OPNsense 17.1 is steady: native PAM support is through the testing phase and major FreeBSD upgrade support is already included in this very update. Our next step is the release of beta images some time during November.
Here are the full patch notes:
- captive portal: add expire voucher option
- intrusion detection: added support for compressed rule files
- web proxy: basic auth support for remote ACLs
- web proxy: fix ICAP config write for MIME-types (contributed by Fabian Franz)
- ipsec: fix spacing and type for shared secrets on Windows 7+
- ipsec: restart must only restart, not completely reconfigure
- ipsec: correctly set 28673 option to “yes”
- openvpn: reintroduce zip usage instead of 7z
- interfaces: fix performance issues on status page
- interfaces: fix ARP and NDP to show all entries
- rc: revamp the handling of /boot/loader.conf to be fully pluggable
- firmware: opnsense-update can now perform major FreeBSD updates
- plugins: multiple fixes for HAProxy plugin (contributed by Frank Wall)
- plugins: new PT research rule set intrusion detection plugin
- lang: new language Czech at 54% completed (contributed by pavelb)
- lang: updates for German and French
- ports: libressl 2.4.3[1]
- ports: isc-dhcp 4.3.5[2]
- ports: php 5.6.27[3]
- ports: lighttpd 1.4.42[4]
- src: base system now uses position independent executables
- src: tzdata updated to version 2016h[5]
- src: revised dummynet patches for NAT, also includes IPv6 support
- src: Fix bspatch heap overflow vulnerability[6]
- src: Fix multiple libarchive vulnerabilities[7]
- src: Fix virtual memory subsystem bugs[8]
- src: Fix incorrect argument validation in sysarch(2)[9]
Stay safe,
Your OPNsense team
—
[1] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.4.3-relnotes.txt
[2] https://kb.isc.org/article/AA-01430/82/DHCP-4.3.5-Release-Notes.html
[3] http://php.net/ChangeLog-5.php#5.6.27
[4] https://www.lighttpd.net/2016/10/16/1.4.42/
[5] http://mm.icann.org/pipermail/tz-announce/2016-October/000042.html
[6] https://www.freebsd.org/security/advisories/FreeBSD-SA-16:29.bspatch.asc
[7] https://www.freebsd.org/security/advisories/FreeBSD-SA-16:31.libarchive.asc
[8] https://www.freebsd.org/security/advisories/FreeBSD-EN-16:17.vm.asc
[9] https://www.freebsd.org/security/advisories/FreeBSD-SA-16:15.sysarch.asc