New OPNsense Release

OPNsense Business Edition 21.10.1 released

December 2, 2021

This business release is based on the OPNsense 21.7.5 community version
with additional reliability improvements.

Please note that OpenSSH was updated to version 8.8, which deprecates use of the
ssh-rsa algorithm. This mainly affects client access from the OPNsense system
to outside hosts and can be amended as per the suggestions in the respective
release notes.
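The client-side setting behind that note, as an added example that is not part of this announcement: an `ssh_config` fragment that re-enables the SHA-1 flavoured `ssh-rsa` algorithm for a single legacy peer only, following the suggestion in the OpenSSH 8.8 release notes [22]. The host name `legacy-switch.example.net` is a placeholder.

```sshconfig
# ~/.ssh/config on the OPNsense host (or /etc/ssh/ssh_config).
# Added example, not part of the OPNsense release announcement.
#
# OpenSSH 8.8 disables RSA signatures that use SHA-1 (algorithm name
# "ssh-rsa") for host and user authentication. RSA keys themselves keep
# working via rsa-sha2-256/rsa-sha2-512; only peers that offer nothing
# but the SHA-1 variant break.

# Weak: re-enables SHA-1 RSA signatures for every outbound connection.
# Shown only as the setting to avoid.
#Host *
#    HostKeyAlgorithms +ssh-rsa
#    PubkeyAcceptedAlgorithms +ssh-rsa

# Corrected: scope the exception to the one device that still needs it.
# legacy-switch.example.net is a placeholder for a peer whose SSH server
# offers no rsa-sha2-*, ecdsa or ed25519 host keys.
Host legacy-switch.example.net
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa

# All other hosts keep the OpenSSH 8.8 defaults.
```

To find out whether a peer needs the exception, connect once with `ssh -oHostKeyAlgorithms=-ssh-rsa user@host`; if host key negotiation then fails and no other host key type is offered, that peer is the one to scope the exception to (or, preferably, to upgrade).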

Here are the full patch notes:

o system: prevent expired or intermediate CA certificates from being added to trust store by default
o system: prevent XSS in LDAP attribute return in authentication tester (reported by Orange CERT-CC)
o system: add product title to auth pages
o system: fix log search ignoring first character
o system: add xc0 video console entry if node exists
o system: add automatic outbound NAT logging option
o system: remove support for obsolete "local" syslog socket plugin request
o system: prevent setup wizard error in WAN-only configuration
o system: properly extract keyid string (contributed by kulikov-a)
o system: show all threads and correct WCPU in activity (contributed by kulikov-a)
o system: fix display and sorting in activity (contributed by kulikov-a)
o system: escape shell parameters in cron jobs
o interfaces: remove obsolete link_interface_to_vlans() function
o interfaces: inline legacy_interface_rename() function
o interfaces: verbose output on test port (contributed by kulikov-a)
o interfaces: let guess_interface_from_ip() find the best match on overlapping subnets (contributed by Jason Crowley)
o interfaces: improve configurability with LAGG devices
o firewall: fix non-sticky rule association in port forward
o firewall: switch failover peer address acquire away from deprecated function
o firewall: specify overload table on maximum new connections
o firewall: add loaded item count and last update to aliases page
o firewall: refactor getInterfaceGateway() to eliminate edge cases with IPsec route-to behaviour
o firewall: allow alias to skip entry on EmptyLabel (contributed by James Golovich)
o firewall: improve resolve performance by implementing asynchronous DNS lookups
o firewall: add live view templates page to respective ACL (contributed by kulikov-a)
o firewall: replace pfInfo with statistics page
o firewall: add rules to statistics page (contributed by kulikov-a)
o firewall: remove defunct "block carp from self" CARP rule
o dhcp: automatically set AdvRASrcAddress for link-local CARP address
o dhcp: exclude link-local subnet router advertisements
o dhcp: show static leases without IP address assignments in the lease pages
o firmware: do not remove obsolete base files on major upgrades
o firmware: opnsense-code utility fix for "-d" option (contributed by Patrick M. Hausen)
o firmware: opnsense-code utility now supports "-u" mode for automatic upgrade after fetch
o firmware: opnsense-update utility adds separate clean option for obsolete base files
o firmware: opnsense-update utility is now able to bootstrap its own configuration in "-d" mode
o firmware: opnsense-update utility no longer assumes "-bkp" by default
o firmware: opnsense-update utility now supports "-ct package-name" check for type change
o firmware: opnsense-update utility assorted cleanups
o firmware: opnsense-update: replace -A before -M and handle single directory -M independently
o firmware: opnsense-verify: disable verification for repositories without signatures
o firmware: opnsense-verify: let -l option properly discard duplicate repositories
o firmware: opnsense-version: support -x effective ABI probing
o firmware: support ABI hints in the file "firmware-upgrade"
o ipsec: add charon.max_ikev1_exchanges parameter
o ipsec: add closeaction parameter (contributed by Patrick M. Hausen)
o ipsec: add sha256_96 flag (contributed by Patrick M. Hausen)
o ipsec: rewrite netmask calculation for VTI tunnel setup
o monit: add link event to alert settings (contributed by Frank Brendel)
o monit: add polltime to service settings (contributed by Frank Brendel)
o openvpn: remove obsolete remnants of tun-ipv6
o unbound: add Abuse.ch ThreatFox list
o unbound: make so-reuseport conditional upon RSS status
o backend: static parameters ignored when no dynamic ones exist
o mvc: replace __toString() calls with string casts
o ui: prevent event propagation to avoid click() events being forwarded
o plugins: os-acme-client 3.4[1]
o plugins: os-bind 1.19[2]
o plugins: os-c-icap log file fix (contributed by Michael Muenz)
o plugins: os-dnscrypt-proxy 1.10[3]
o plugins: os-dyndns 1.26[4]
o plugins: os-freeradius 1.9.17[5]
o plugins: os-frr 1.23[6]
o plugins: os-haproxy 3.7[7]
o plugins: os-lldpd will now identify itself as Network Connectivity Device (contributed by Xeroxxx)
o plugins: os-nut 1.8.1[8]
o plugins: os-openconnect 1.4.1[9]
o plugins: os-puppet-agent 1.0[10]
o plugins: os-qemu-guest-agent 1.1[11]
o plugins: os-relayd 2.6[12]
o plugins: os-telegraf 1.12.2[13]
o plugins: os-theme-rebellion 1.8.8 (contributed by Team Rebellion)
o plugins: os-vnstat 1.3[14]
o plugins: os-wireguard 1.8[15]
o src: include RSS kernel support defaulting to off
o src: axgbe: properly multiplex on reading module signals
o src: libnetmap: reset errno in nmreq_register_decode()
o src: pf: remove side effect from nat logging patch
o src: dummynet: fix mbuf tag allocation failure handling
o src: aesni: avoid a potential out-of-bounds load in aes_encrypt_icm()
o src: axgbe: correctly enable RSS driver support by default
o src: ixgbe: prevent subsequent I2C bus read timeouts
o src: fix kernel panic in vmci driver initialization[16]
o src: timezone database information update[17]
o ports: dnspython 2.1.0[18]
o ports: jinja 3.0.1[19]
o ports: lighttpd 1.4.61[20]
o ports: nss 3.72[21]
o ports: openssh 8.8p1[22]
o ports: openvpn 2.5.4[23]
o ports: pcre2 10.39[24]
o ports: php 7.4.25[25]
o ports: phpseclib 2.0.34[26]
o ports: strongswan 5.9.4[27]
o ports: sudo 1.9.8p2[28]

Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/blob/stable/21.7/security/acme-client/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/21.7/dns/bind/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/21.7/dns/dnscrypt-proxy/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/21.7/dns/dyndns/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/21.7/net/freeradius/pkg-descr
[6] https://github.com/opnsense/plugins/blob/stable/21.7/net/frr/pkg-descr
[7] https://github.com/opnsense/plugins/blob/stable/21.7/net/haproxy/pkg-descr
[8] https://github.com/opnsense/plugins/blob/stable/21.7/sysutils/nut/pkg-descr
[9] https://github.com/opnsense/plugins/blob/stable/21.7/security/openconnect/pkg-descr
[10] https://github.com/opnsense/plugins/blob/stable/21.7/sysutils/puppet-agent/pkg-descr
[11] https://github.com/opnsense/plugins/blob/stable/21.7/emulators/qemu-guest-agent/pkg-descr
[12] https://github.com/opnsense/plugins/pull/2391
[13] https://github.com/opnsense/plugins/blob/stable/21.7/net-mgmt/telegraf/pkg-descr
[14] https://github.com/opnsense/plugins/blob/stable/21.7/net/vnstat/pkg-descr
[15] https://github.com/opnsense/plugins/blob/stable/21.7/net/wireguard/pkg-descr
[16] https://www.freebsd.org/security/advisories/FreeBSD-EN-21:28.vmci.asc
[17] https://www.freebsd.org/security/advisories/FreeBSD-EN-21:29.tzdata.asc
[18] https://dnspython.readthedocs.io/en/stable/whatsnew.html
[19] https://jinja.palletsprojects.com/en/3.0.x/changes/#version-3-0-1
[20] https://www.lighttpd.net/2021/10/28/1.4.61/
[21] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.72_release_notes
[22] https://www.openssh.com/txt/release-8.8
[23] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25#Changesin2.5.4
[24] https://www.pcre.org/changelog.txt
[25] https://www.php.net/ChangeLog-7.php#7.4.25
[26] https://github.com/phpseclib/phpseclib/releases/tag/2.0.34
[27] https://github.com/strongswan/strongswan/releases/tag/5.9.4
[28] https://www.sudo.ws/stable.html#1.9.8p2