OPNsense 17.7.8 released
Hi everyone,
A shiny new update is available, addressing the recent security advisories from FreeBSD, OpenSSL, Sudo and a number of minor bugs.
To all our 18.1-BETA testers we say this: thank you! The results have been thoroughly positive. If you would like to participate as well, please take a closer look:
https://forum.opnsense.org/index.php?topic=6257.0
And here are the full patch notes:
- firewall: when CARP is disabled it should enable the “Block CARP traffic”
- firewall: isAlias() should return false when an empty name is provided
- firewall: support non-whitespace field separators for URL table alias (contributed by shonjir)
- firewall: table plugin support (contributed by Evgeny Bevz)
- firewall: properly skip L2TP and PPTP interfaces in IPFW
- firmware: add mirror courtesy of Ventura Systems, Colombia
- firmware: crash report file size limit for upload
- interfaces: prevent reconfigure of wireless device on rc.linkup
- reporting: clear tooltip in health graphs
- intrusion detection: prevent UI lockups by closing server sessions early
- intrusion detection: add advanced payload log option
- intrusion detection: improved alert inspection dialog
- ipsec: add passthrough networks support
- ipsec: add support for elliptic curve DH groups
- router advertisements: fix DHCPv6 start in “unmanaged” mode
- installer: limit swap partition size to 8 GB (contributed by Frank Wall)
- web proxy: add update cache support for Linux and Windows (contributed by Fabian Franz)
- web proxy: add support for UTF-8 domain names (contributed by Alexander Shursha)
- web proxy: improved IPv6 alias support
- ui: make “full help” state sticky in client session
- lang: Japanese updates (contributed by Chie and Takeshi Taguchi)
- lang: German updates (contributed by Fabian Franz)
- lang: Russian updates (contributed by Smart-Soft)
- lang: Czech updates (contributed by Pavel Borecki)
- plugins: os-siproxd 1.2.1 with fix for RTP high port (contributed by mrpace2)
- plugins: os-smart 1.2 now indicates if no devices have been found (contributed by Larry Meaney)
- plugins: os-telegraf 1.1 adds network input setting (contributed by nycaleksey)
- plugins: os-tor 1.2 adds hidden service onion service client support (contributed by Fabian Franz)
- plugins: os-web-proxy 2.1 makes Kerberos hostname configurable (contributed by Evgeny Bevz)
- src: properly bzero kldstat structure to prevent information leak [1]
- src: fix kernel data leak via ptrace(PT_LWPINFO) [2]
- src: only refresh bsnmpd device table on a device add or remove event
- src: unclog reply-to to avoid default route in shared forwarding
- src: update timezone database information
- ports: phalcon 3.2.4 [3]
- ports: php 7.0.25 [4]
- ports: sqlite 3.21.0 [5]
- ports: openssl 1.0.2m [6]
- ports: ca_root_nss 3.34
- ports: sudo 1.8.21p2_1 [7]
Stay safe,
Your OPNsense team
—
[1] https://www.freebsd.org/security/advisories/FreeBSD-SA-17:10.kldstat.asc
[2] https://www.freebsd.org/security/advisories/FreeBSD-SA-17:08.ptrace.asc
[3] https://github.com/phalcon/cphalcon/releases/tag/v3.2.4
[4] http://de2.php.net/ChangeLog-7.php#7.0.25
[5] https://sqlite.org/changes.html
[6] https://www.openssl.org/news/secadv/20171102.txt
[7] https://bugzilla.sudo.ws/show_bug.cgi?id=807