OPNsense 17.1.7 released
Hi there,
OpenVPN released version 2.4.2 and also 2.3.15 which come with two high profile fixes addressing CVE-2017-7479 and CVE-2017-7478. While we still aim for OpenVPN 2.4 adoption during the 17.1 series, we have deferred updating the release version from 2.3 to 2.4 at this point to be able to respond more quickly.
Here are the full patch notes:
o system: fix gateway failover edge cases missed in 17.1.6
o system: fix default route display in diagnostics page
o system: consistent precision display in gateway monitoring loss and RTT
o system: correctly restart cron via backend call
o system: use the internal RC script name instead file name to load its variables
o system: keep WAN DHCPv6 configuration option on console port reassign
o system: unify the console yes/no prompts to indicate their default behaviour
o system: separate row and unhide button for 2FA OTP QR code display
o system: prevent stripping of migrated configuration during factory reset
o firmware: opnsense-bootstrap bare-mode addition for installing repository metadata only
o firmware: opnsense-bootstrap will never be deleted in case it is required for recovery
o firmware: opnsense-revert now always properly reverts the core package
o firmware: fix argument parsing in all update and development utilities
o firewall: do not save range when end port is empty
o firewall: do not automatically reload filter after alias delete
o firewall: skip well-known ports for ranges
o firewall: fetching bogon files should not use fetch internal auto-retry
o interfaces: fix bug that prevented creation of IPv6 cache IP files (contributed by @theq89)
o interfaces: defer reload of the filter on IPv6 renewal and keep it local
o interfaces: avoid potential configure loops in IPv4 renewal
o interfaces: improve diagnostic messages on boot
o interfaces: correct usage of interface cache files and properly clear them during boot
o ipsec: enable CA field for hybrid and mutual RSA Xauth
o dynamic dns: fix prototype declaration (contributed by Evgeny Bevz)
o dynamic dns: add support for STRATO
o mvc: fix iteration over several config nodes to avoid “Node no longer exists” type warnings
o plugins: quagga 1.1.1 fixes reload of BGPv4 tables and modal closing (contributed by Fabian Franz)
o plugins: monit 1.1 fixes import sender address and validation (contributed by Frank Brendel)
o src: removed duplicate unbound from FreeBSD base system
o src: added locales to e.g. allow tmux to start up correctly
o src: Xen migration enhancements[1]
o src: allow TOS value zero and add extended DSCP support
o ports: openvpn 2.3.15[2]
o ports: php 7.0.19[3]
o ports: squid 3.5.25[4]
o ports: sudo 1.8.20[5]
Stay safe,
Your OPNsense team
—
[1] https://www.freebsd.org/security/advisories/FreeBSD-EN-17:05.xen.asc
[2] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23
[3] http://php.net/ChangeLog-7.php#7.0.19
[4] http://ftp.meisei-u.ac.jp/mirror/squid/squid-3.5.25-RELEASENOTES.html
[5] https://www.sudo.ws/stable.html