Hello everyone,
we are saddened by the news of Leonard Nimoy passing away. He has been an inspiration for many of us ever since Star Trek first flickered over the TV screens and all the years thereafter. What a strange world we’d live in if it weren’t for him? Thank you, Leonard, 15.1.7 is being released in your honour.
As we move forward, we’ve found that 15.1.6.1’s new tool opnsense-update works really well for everybody and thus we are very happy with the new live upgrade path. To show you that we are super serious we are shipping the latest FreeBSD 10.1 release engineering and security advisories and encourage you to try it out. We also have numerous tweaks with regard to tightening security in Bind, OpenSSL, StrongSwan, OpenSSH as well as needed GUI fixes thanks to the steady stream of incoming reports. If you encounter an issue or even a slight hiccup, please let us know through any of the available channels.
The images can be found here:
https://sourceforge.net/projects/opnsense/files/15.1.7/
How to upgrade:
Always backup your config. Do not try to go from the LibreSSL snapshot to OpenSSL. The parallel LibreSSL snapshot will be out by tomorrow.
Do a clean install using the desired install media. You can always import the old configuration from the installer if you already have an older installation.
Alternatively and experimentally, upgrade using the firmware update, then drop to a root shell and issue the following commands.
# opnsense-update && reboot
At this point, using any of the two methods, you should be on OPNsense 15.1.7-78bdb9aef FreeBSD 10.1-RELEASE-p6.
This is the official change log:
- Merged the latest FreeBSD 10.1-p6 patches:
- Disabled OpenSSH’s High Performance SSH/SCP and None-Cipher extensions to follow up on several security-related discussions.
- Switched from a heavy Bind installation to a lightweight one to reduce attack surface.
- Removed and replaced the legacy `check_reload_status’ daemon with a Python-based rewrite.
- Fixed the auto-login console lockout regression introduced in 15.1.6.1.
- Fixed a problem associated with OpenVPN not being able to read passwords from files.
- Notable ports upgrades: bind-tools 9.10.2, strongswan 5.2.2_1, curl 7.41 plus our LibreSSL fixes for mpd4/mpd5/libpdel.
- Removed PHP-FPM remnants from IPv6 and OpenVPN scripts.
- Fixed several OpenSSL invokes to use the latest port version as opposed to the base version.
- Improved memory/disc/swap usage on the dashboard.
- Properly set DNS Resolver Advanced defaults.
- Fixed append of custom Unbound scrips.
- Modified the root menu shell to pass through to a real shell when arguments are given.
- Zapped the spurious “Array” prefix in user-defined aliases.
- Moved the bogons files fetch location to a local mirror.
- The core.git development boot hook has been improved to properly include /usr/local/etc/rc changes.
- All of our packages are now annotated as coming from our mirror as well as additional safeguards potentially allowing you to use additional FreeBSD packages on top of OPNsense.
- —Fix integer overflow in IGMP protocol. (SA-15:04)
- —Fix vt(4) crash with improper ioctl parameters. (EN-15:01)
- —Updated base system OpenSSL to 1.0.1l. (EN-15:02)
- —Fix freebsd-update libraries update ordering issue. (EN-15:03)
Live long and prosper,
The OPNsense team