New OPNsense Release

OPNsense 17.1.8 released


Hello again,

It is with pleasure that we announce the availability of SafeStack in the OPNsense ports tree, our latest addition via our valued HardenedBSD friendship. While SafeStack was already deployed for the base operating system, it had not previously been applied to the ports tree.

SafeStack is an exploit mitigation developed by clang/llvm. It helps mitigate stack-based buffer overflows. SafeStack depends on Address Space Layout Randomization (ASLR) in order to be effective. OPNsense fulfils that dependency by including the HardenedBSD ASLR implementation, which follows the original PaX design. Without ASLR, SafeStack is ineffective as an attacker would know where the SafeStack lies in memory and could use that information to her advantage.
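The following check is an added example, not OPNsense or HardenedBSD code. It assumes a clang build with -fsanitize=safe-stack: it compares the compile-time feature flag with what the running program observes, namely that an address-taken buffer has been moved off the frame that holds the return address and onto the separately mapped unsafe stack.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Clang advertises SafeStack via __has_feature; other compilers lack the macro. */
#ifndef __has_feature
#define __has_feature(x) 0
#endif

/* 1 if this translation unit was built with -fsanitize=safe-stack, else 0. */
int built_with_safestack(void) {
    return __has_feature(safe_stack) ? 1 : 0;
}

/* Byte distance between this frame's (safe-stack) frame pointer and an
 * address-taken buffer. Without SafeStack the buffer lives in the same frame,
 * a few bytes away from the saved return address; with SafeStack it is
 * relocated to the unsafe stack, a separate mapping far from control data. */
__attribute__((noinline))
uintptr_t buffer_to_frame_distance(void) {
    char buf[128];                 /* its address escapes below, so it is "unsafe" */
    memset(buf, 'A', sizeof buf);  /* keep the buffer live */
    uintptr_t frame  = (uintptr_t)__builtin_frame_address(0);
    uintptr_t unsafe = (uintptr_t)buf;
    uintptr_t d = frame > unsafe ? frame - unsafe : unsafe - frame;
    return d + (buf[0] == 'A' ? 0 : 1);   /* data dependency on buf */
}

/* Runtime view: do buffers sit on a different stack than the control data?
 * A conventional frame keeps buf within a few hundred bytes of the frame
 * pointer; a separately mmap'd unsafe stack is at least pages away, so
 * 64 KiB is a comfortable threshold (assumption for this check). */
int observed_split_stack(void) {
    return buffer_to_frame_distance() > (uintptr_t)(64u * 1024u) ? 1 : 0;
}

int main(void) {
    printf("compiled with SafeStack: %d\n", built_with_safestack());
    printf("buffer/frame distance:   %lu bytes\n",
           (unsigned long)buffer_to_frame_distance());
    printf("split stack observed:    %d\n", observed_split_stack());
    return 0;
}
```

Build it twice, once with `clang -fsanitize=safe-stack` and once without, and the two reports should agree with each other in each build; a mismatch means the flag did not take effect for that object.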

It is still rather quiet security-wise: although this release updates OpenSSL, it contains no security updates this time.

Here are the full patch notes:

o system: tweak the HTTP_REFERER error message (contributed by Michael Muenz)
o system: IPv6 SSL cipher selection fix (contributed by Alexander Graf)
o system: only probe gateway monitor when it is running
o system: move web GUI to plugin framework
o system: improve ssh key newline write
o system: allow up to 8 name servers
o firewall: add CARP option “Disable preempt”
o firewall: move CARP preempt to later boot stage
o firewall: allow port ranges in the form of “80-100” in addition to “80:100”
o interfaces: track6 edge case requires HUP for either reload or linkup
o ipsec: fix widget count after strongSwan 5.5.2 update
o intrusion detection: add advanced feature default-packet-size
o firmware: new mirror for Dept. of CSE, Yuan Ze University, Taiwan[1]
o rc: advertise live mode just above the login prompt
o rc: improve the set IP menu option with far gateway selection, DHCP, DNS, track6, etc.
o mvc: send forms as type-safe JSON data
o mvc: correct multi-value sort in template helper
o mvc: fix validation issue when storing a value for the first time
o lang: minor updates for Chinese (contributed by Tianmo)
o lang: Japanese 100% completed (contributed by Chie and Takeshi Taguchi)
o plugins: quagga 1.2 with initial BGP support (contributed by Fabian Franz and Michael Muenz)
o plugins: zabbix-agent 1.0 (contributed by Frank Wall)
o plugins: haproxy 1.15 (contributed by Fabian Franz and Frank Wall)
o ports: enabled SafeStack for applicable amd64 packages, ported over by HardenedBSD
o ports: openssl 1.0.2l[2]

Stay safe,
Your OPNsense team


[1] https://www.cse.yzu.edu.tw
[2] https://www.openssl.org/news/cl102.txt