New OPNsense Release

OPNsense 17.7.8 released


Hi everyone,

A shiny new update is available, addressing the recent security advisories from FreeBSD, OpenSSL, Sudo and a number of minor bugs.

To all our 18.1-BETA testers we say this: thank you! The results have been thoroughly positive. If you would like to participate as well, please take a closer look:

https://forum.opnsense.org/index.php?topic=6257.0

And here are the full patch notes:

  • firewall: when CARP is disabled it should enable the “Block CARP traffic”
  • firewall: isAlias() should return false when an empty name is provided
  • firewall: support non-whitespace field separators for URL table alias (contributed by shonjir)
  • firewall: table plugin support (contributed by Evgeny Bevz)
  • firewall: properly skip L2TP and PPTP interfaces in IPFW
  • firmware: add mirror courtesy of Ventura Systems, Columbia
  • firmware: crash report file size limit for upload
  • interfaces: prevent reconfigure of wireless device on rc.linkup
  • reporting: clear tooltip in health graphs
  • intrusion detection: prevent UI lockups by closing server sessions early
  • intrusion detection: add advanced payload log option
  • intrusion detection: improved alert inspection dialog
  • ipsec: add passthrough networks support
  • ipsec: add support for elliptic curve DH groups
  • router advertisements: fix DHCPv6 start in “unmanaged” mode
  • installer: limit swap partition size to 8 GB (contributed by Frank Wall)
  • web proxy: add update cache support for Linux and Windows (contributed by Fabian Franz)
  • web proxy: add support for UTF-8 domain names (contributed by Alexander Shursha)
  • web proxy: improved IPv6 alias support
  • ui: make “full help” state sticky in client session
  • lang: Japanese updates (contributed by Chie and Takeshi Taguchi)
  • lang: German updates (contributed by Fabian Franz)
  • lang: Russian updates (contributed by Smart-Soft)
  • lang: Czech updates (contributed by Pavel Borecki)
  • plugins: os-siproxd 1.2.1 with fix for RTP high port (contributed by mrpace2)
  • plugins: os-smart 1.2 now indicates if no devices have been found (contributed by Larry Meaney)
  • plugins: os-telegraf 1.1 adds network input setting (contributed by nycaleksey)
  • plugins: os-tor 1.2 adds hidden service onion service client support (contributed by Fabian Franz)
  • plugins: os-web-proxy 2.1 makes Kerberos hostname configurable (contributed by Evgeny Bevz)
  • src: properly bzero kldstat structure to prevent information leak [1]
  • src: fix kernel data leak via ptrace(PT_LWPINFO) [2]
  • src: only refresh bsnmpd device table on a device add or remove event
  • src: unclog reply-to to avoid default route in shared forwarding
  • src: update timezone database information
  • ports: phalcon 3.2.4 [3]
  • ports: php 7.0.25 [4]
  • ports: sqlite 3.21.0 [5]
  • ports: openssl 1.0.2m [6]
  • ports: ca_root_nss 3.34
  • ports: sudo 1.8.21p2_1 [7]

Stay safe,
Your OPNsense team


[1] https://www.freebsd.org/security/advisories/FreeBSD-SA-17:10.kldstat.asc
[2] https://www.freebsd.org/security/advisories/FreeBSD-SA-17:08.ptrace.asc
[3] https://github.com/phalcon/cphalcon/releases/tag/v3.2.4
[4] http://de2.php.net/ChangeLog-7.php#7.0.25
[5] https://sqlite.org/changes.html
[6] https://www.openssl.org/news/secadv/20171102.txt
[7] https://bugzilla.sudo.ws/show_bug.cgi?id=807