opensense-docs/source/releases/BE_20.7.rst

===========================================================================================
20.7  "Legendary Lion" Series
===========================================================================================



For five and a half years, OPNsense is driving innovation through modularising
and hardening the open source firewall, with simple and reliable firmware
upgrades, multi-language support, HardenedBSD security, fast adoption of
upstream software updates as well as clear and stable 2-Clause BSD licensing.

20.7, nicknamed "Legendary Lion", is a major operating system jump forward on
a sustainable firewall experience.  This release adds DHCPv6 multi-WAN, custom
error pages for the web proxy, Suricata 5, HardenedBSD 12.1, netstat tree view,
basic firewall API support (via plugin) and extended live log filtering amongst
others.

Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__  and the checksums for the images
can be found below as well.

* Europe: https://mirrors.dotsrc.org/opnsense/releases/20.7/
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.7/
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.7/
* South America: https://mirror.venturasystems.tech/opnsense/releases/20.7/
* Australia: http://mirror.as24220.net/opnsense/releases/20.7/
* Full mirror list: https://opnsense.org/download/


--------------------------------------------------------------------------
20.7.8 (January 19, 2021)
--------------------------------------------------------------------------


The particular volume of this stable update foreshadows the end of the 20.7
series in less than two weeks.

One longstanding issue with radvd on FreeBSD 12.1 has been resolved according
to multiple user feedback.

The mailing lists have been archived and will no longer be used.

And before there are questions: yes, consumers of the development version are
now able to upgrade to 21.1-RC1.

Here are the full patch notes:

* system: allow to recover from bad TLS certificate and/or bad settings in console interface assign
* system: display destination port number in firewall log widget (contributed by Team Rebellion)
* system: keep compatible TLS 1 defaults for web GUI on 20.7 series
* system: set default certificate lifetime to 397 days
* firewall: add type 128 to outgoing IPv6 RFC4890 requirements
* firewall: add manual refresh button to live log
* firewall: fix typo in ICMPv6 validation
* firewall: fix minor regression in maintaining target alias file
* firewall: fix all state value in pfTop (contributed by Lucas Held)
* firewall: remove duplicated destination field in live log
* firewall: add read-only actions to aliases permission (contributed by Manuel Faux)
* firewall: category selector missing caption
* reporting: add top talkers to revamped traffic graph page
* reporting: fix name resolution filter change in insight
* reporting: persist interface selection on traffic graph page
* captive portal: disable faulty TLS on HTTP since lighttpd 1.4.56
* dhcp: fix sorting of IPv6 static mappings (contributed by vnxme)
* dhcp: fix incorrect parsing of DUID (contributed by Matt Holgate)
* firmware: opnsense-code now updates the current directory if nothing was specified
* firmware: opnsense-code now uses flexible make.conf target from tools.git
* firmware: opnsense-update now supports snapshot access via -z option
* firmware: opnsense-update now fixes missing dependencies on the fly
* firmware: fix some issues with missing repository on server
* firmware: add version output and date to audit logs
* ipsec: display remote host in status overview (contributed by garlic17)
* opendns: add standalone mode
* openssh: honour MAX_LISTEN_SOCKS
* openvpn: set default certificate lifetime to 397 days in wizard
* unbound: generate all configuration files in service controller
* unbound: fix broken lines in large files (contributed by kulikov-a)
* web proxy: lock ACL download to prevent duplicate execution
* mvc: allow underscore in filter string (contributed by kulikov-a)
* plugins: os-haproxy 2.26 `[1] <https://github.com/opnsense/plugins/blob/stable/20.7/net/haproxy/pkg-descr>`__ 
* plugins: os-hw-probe 1.0 (contributed by Michael Muenz)
* plugins: os-maltrail fixes sensor start without server (contributed by Julio Camargo)
* plugins: os-nginx 1.20 `[2] <https://github.com/opnsense/plugins/blob/stable/20.7/www/nginx/pkg-descr>`__ 
* plugins: os-tinc fixes for latest version (contributed by vnxme)
* src: fix OpenSSL NULL pointer de-reference `[3] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:33.openssl.asc>`__ 
* src: fix partial scrub of multicast packages
* src: free full mbuf chains in iflib when draining transmit queues
* src: initialize oifp to avoid bogus results/panics in edge cases
* src: 10Gigabit Ethernet driver for AMD SoC
* ports: libressl 3.2.3 `[4] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.2-relnotes.txt>`__  `[5] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.3-relnotes.txt>`__ 
* ports: nss 3.60.1
* ports: php 7.3.26 `[6] <https://www.php.net/ChangeLog-7.php#7.3.26>`__ 
* ports: pkg fix for shell keyword by opening root file descriptor
* ports: radvd 2.19 `[7] <https://radvd.litech.org/CHANGES.txt>`__ 
* ports: sudo 1.9.5p1 `[8] <https://www.sudo.ws/stable.html#1.9.5p1>`__ 

A hotfix release was issued as 20.7.8_4:

* firmware: enable upgrade path to 21.1
* ports: sudo 1.9.5p2 `[9] <https://www.sudo.ws/stable.html#1.9.5p2>`__ 



--------------------------------------------------------------------------
20.7.7 (December 17, 2020)
--------------------------------------------------------------------------


Important security updates inside.  Also: happy holidays!

Here are the full patch notes:

* reporting: fix traffic graph widget link issue
* system: simplify log format parsing
* interfaces: fix DUID LL description (contributed by Gabriel Mazzocato)
* unbound: fix dnsbl not reloading after update
* plugins: os-acme-client 2.2 `[1] <https://github.com/opnsense/plugins/blob/stable/20.7/security/acme-client/pkg-descr>`__ 
* plugins: os-freeradius 1.9.9 `[2] <https://github.com/opnsense/plugins/blob/stable/20.7/net/freeradius/pkg-descr>`__ 
* plugins: os-frr 1.20 `[3] <https://github.com/opnsense/plugins/blob/stable/20.7/net/frr/pkg-descr>`__ 
* plugins: os-tinc 1.6 enables multiple addresses per host (contributed by ElNounch)
* plugins: os-wireguard 1.4 `[4] <https://github.com/opnsense/plugins/blob/stable/20.7/net/wireguard/pkg-descr>`__ 
* ports: curl 7.74.0 `[5] <https://curl.se/changes.html#7_74_0>`__ 
* ports: dhcp6c ignores advertise messages with none of requested data and missed status codes
* ports: libressl 3.1.5 `[6] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.1.5-relnotes.txt>`__ 
* ports: lighttpd 1.4.56 `[7] <https://www.lighttpd.net/2020/11/29/1.4.56/>`__ 
* ports: nss 3.60 `[8] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_60.html>`__ 
* ports: openssl 1.1.1i `[9] <https://www.openssl.org/news/secadv/20201208.txt>`__ 
* ports: pcre2 10.36 `[10] <https://github.com/PCRE2Project/pcre2/releases/tag/pcre2-10.36>`__ 
* ports: sudo 1.9.4 `[11] <https://www.sudo.ws/stable.html#1.9.4>`__ 
* ports: sqlite 3.34.0 `[12] <https://sqlite.org/releaselog/3_34_0.html>`__ 
* ports: unbound 1.13.0 `[13] <https://nlnetlabs.nl/projects/unbound/download/#unbound-1-13-0>`__ 

A hotfix release was issued as 20.7.7_1:

* system: disable TLS on plain HTTP redirect for new lighttpd version
* ports: unbound fix for segmentation fault (restart service to activate)
* ports: lighttpd 1.4.58 `[14] <https://www.lighttpd.net/2020/12/27/1.4.58/>`__ 



--------------------------------------------------------------------------
20.7.6 (December 08, 2020)
--------------------------------------------------------------------------


This update brings the usual mix of reliability fixes, plugin and third party
software updates: FreeBSD, HardenedBSD, PHP, OpenSSH, StrongSwan, Suricata and
Syslog-ng amongst others.

Please note that Let's Encrypt users need to reissue their certificates
manually after upgrading to this version to fix the embedded certificate chain
issue with the current signing CA switch going on.

The mail backup plugin is currently not available pending a response from
the maintainer.  Users are advised to avoid using it for the moment.

Here are the full patch notes:

* system: no longer enforce alias names in gateways
* system: add "step into" icon on log lines when filtering
* system: add current CPU load progress bar (contributed by kulikov-a)
* firewall: allow larger selection in live log
* firewall: correctly select current IPv6 field in getInterfaceGateway()
* firewall: add validation for ipv6-icmp combined with inet
* reporting: traffic graph replacement using iftop
* openvpn: calculate first network address as gateway address when only ifconfig_local is given
* web proxy: throw startup error to user
* plugins: os-acme-client 2.1 `[1] <https://github.com/opnsense/plugins/blob/stable/20.7/security/acme-client/pkg-descr>`__ 
* plugins: os-frr 1.19 `[2] <https://github.com/opnsense/plugins/blob/stable/20.7/net/frr/pkg-descr>`__ 
* plugins: os-mail-backup not available due to unaddressed security concerns
* src: fix parsing of netmap legacy nmr->nr_ringid
* src: fix mutex double unlock bug in netmap
* src: minor misc netmap improvements
* src: improve netmap(4) and vale(4) man pages
* src: IPV6_PKTINFO support for v4-mapped IPv6 sockets
* src: zero-initialize variables in HBSD PaX SEGVGUARD
* src: fix execve/fexecve system call auditing `[3] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:19.audit.asc>`__ 
* src: fix uninitialized variable in ipfw `[4] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:21.ipfw.asc>`__ 
* src: fix race condition in callout CPU migration `[5] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:22.callout.asc>`__ 
* src: fix ICMPv6 use-after-free in error message handling `[6] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:31.icmp6.asc>`__ 
* src: fix multiple vulnerabilities in rtsold `[7] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:32.rtsold.asc>`__ 
* src: update timezone database information `[8] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:20.tzdata.asc>`__ 
* ports: krb5 1.18.3 `[9] <https://web.mit.edu/kerberos/krb5-1.18/>`__ 
* ports: nss 3.59 `[10] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_59.html>`__ 
* ports: openldap 2.4.56 `[11] <https://www.openldap.org/software/release/changes.html>`__ 
* ports: openssh 8.4p1 `[12] <https://www.openssh.com/txt/release-8.4>`__ 
* ports: php 7.3.25 `[13] <https://www.php.net/ChangeLog-7.php#7.3.25>`__ 
* ports: strongswan 5.9.1 `[14] <https://wiki.strongswan.org/versions/79>`__ 
* ports: suricata 5.0.5 `[15] <https://suricata-ids.org/2020/12/04/suricata-6-0-1-5-0-5-and-4-1-10-released/>`__ 
* ports: syslog-ng 3.30.1 `[16] <https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.30.1>`__ 



--------------------------------------------------------------------------
20.7.5 (November 20, 2020)
--------------------------------------------------------------------------


We return briefly for a small patch set and plan to pin the 20.1 upgrade
path to this particular version to avoid unnecessary stepping stones.  We
wish you all a healthy Friday.  And of course: patch responsibly!

Here are the full patch notes:

* system: syslog-ng related fixes during package management based restart
* system: change dpinger syslog message to reflect correct RTT and RTTd unit (contributed by fhloston)
* web proxy: add toggle for pinger service (contributed by nowyouseeit)
* web proxy: add missing X-Forwarded-For header option
* mvc: new Base64Field type
* mvc: new VirtualIPField type
* plugins: os-acme-client 2.0 `[1] <https://github.com/opnsense/plugins/blob/stable/20.7/security/acme-client/pkg-descr>`__ 
* plugins: os-bind 1.14 `[2] <https://github.com/opnsense/plugins/blob/stable/20.7/dns/bind/pkg-descr>`__ 
* plugins: os-chrony 1.1 `[3] <https://github.com/opnsense/plugins/blob/stable/20.7/net/chrony/pkg-descr>`__ 
* ports: monit 5.27.1 `[4] <https://mmonit.com/monit/changes/>`__ 
* ports: php 7.3.24 `[5] <https://www.php.net/ChangeLog-7.php#7.3.24>`__ 
* ports: pkg upstream fix for upgrade script hang `[6] <https://github.com/freebsd/pkg/pull/1893>`__ 
* ports: strongswan 5.9.0 `[7] <https://www.strongswan.org/blog/2020/07/29/strongswan-5.9.0-released.html>`__ 



--------------------------------------------------------------------------
20.7.4 (October 22, 2020)
--------------------------------------------------------------------------


This release finally wraps up the recent Netmap kernel changes and tests.
The Realtek vendor driver was updated as well as third party software cURL,
libxml, OpenSSL, PHP, Suricata, Syslog-ng and Unbound just to name a couple
of them.

We would like to thank Sunny Valley Networks for their relentless efforts
to bring said Netmap fixes and improvements into FreeBSD.

If you are having trouble with a stuck update try the command sequence below
from the root shell or simply reboot from the GUI and rerun the update in
case it was not fully carried out yet.

.. code-block::

    # pkill syslog-ng
    # service syslog-ng restart

Here are the full patch notes:

* system: switch web GUI address selection to avoid server.bind in IPv6 first case
* system: fix defunct "use default" button on web GUI listen interfaces
* system: signal "auth user changed" when a user is modified via web GUI
* system: replace gateway widget and add proper API endpoint for it
* system: fix reading displayName attribute on LDAP search (contributed by ServiusHack)
* interfaces: change maximum MTU value to 65535 in accordance with RFC 791
* interfaces: update wireless device detection prefixes
* interfaces: lexical sort interface keys for assignments
* firewall: add support for network exclusions in network alias type
* firewall: add NAT information to pfInfo page (contributed by kulikov-a)
* firewall: associated NAT rules missed state keyword
* firewall: allow "or" conditions in live log
* firewall: use pfctl for alias IP check (contributed by kulikov-a)
* dnsmasq: regenerate resolv.conf on save
* dnsmasq: log queries option
* intrusion detection: ignore pkill exit status when performing update
* ipsec: add description to reconfigure action (contributed by Frank Wall)
* unbound: rebuild unbound blacklist download
* unbound: restructure reconfigure so that we always flush config
* backend: add new "config changed" event using syshook structure (sponsored by Modirum)
* mvc: add a few missing control widgets from log pages
* ui: upgrade moment.js to 2.27.0
* plugins: os-freeradius 1.9.8 `[1] <https://github.com/opnsense/plugins/blob/stable/20.7/net/freeradius/pkg-descr>`__ 
* plugins: os-git-backup 1.0 `[2] <https://github.com/opnsense/plugins/issues/2049>`__  (sponsored by Modirum)
* plugins: os-haproxy 2.25 `[3] <https://curl.se/changes.html#7_73_0>`__ 
* plugins: os-stunnel 1.0.2 adds service protocol selector (contributed by fhloston)
* src: extended netmap update and driver fixes
* src: netmap tun and lagg support (contributed by Sunny Valley Networks)
* src: update Realtek re driver to upstream version 1.96.04 (contributed by Laurent Dinclaux)
* ports: curl 7.73.0 `[3] <https://curl.se/changes.html#7_73_0>`__ 
* ports: libxml fixes for CVE-2019-20388, CVE-2020-7595 and CVE-2020-24977
* ports: nss 3.58 `[4] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_58.html>`__ 
* ports: openssl 1.1.1h `[5] <https://www.openssl.org/news/openssl-1.1.1-notes.html>`__ 
* ports: php 7.3.23 `[6] <https://www.php.net/ChangeLog-7.php#7.3.23>`__ 
* ports: pkg 1.15.10
* ports: radvd patch for dynamic interface shifting index
* ports: sudo 1.9.3p1 `[7] <https://www.sudo.ws/stable.html#1.9.3p1>`__ 
* ports: suricata 5.0.4 `[8] <https://suricata-ids.org/2020/10/08/suricata-4-1-9-and-5-0-4-released/>`__ 
* ports: syslog-ng 3.29.1 `[9] <https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.29.1>`__ 
* ports: unbound 1.12.0 `[10] <https://nlnetlabs.nl/projects/unbound/download/#unbound-1-12-0>`__ 



--------------------------------------------------------------------------
20.7.3 (September 24, 2020)
--------------------------------------------------------------------------


Today is the day for a number of FreeBSD security advisories and a few
reliability fixes.

We are still testing a batch of Netmap improvement patches with a separate
kernel.  This and the Realtek vendor driver update will likely follow in
the next kernel update.  All feedback is welcome.

Here are the full patch notes:

* system: use different shell gateway name to appease wizard
* system: simplify CARP hook
* interfaces: phase out netaddr.eui.ieee.OUI_REGISTRY_PATH usage
* firewall: add MAC type to top right filter selection
* firewall: fix two scrub rule parsing bugs
* firewall: omit group type interfaces in filter selection
* intrusion detection: re-create rule cache after rule deployment
* unbound: add "unbound-plus" section to XMLRPC sync
* dhcp: adding DDNS values of each additional pool to the $ddns_zones array (contributed by Mathieu St-Pierre)
* dhcp: add static interface mode to router advertisements
* rc: fix ssh key permissions on MSDOS import
* rc: support service identifier in pluginctl -s mode
* plugins: os-bind download link changes (contributed by gap579137)
* plugins: os-chrony 1.0 (contributed by Michael Muenz)
* plugins: os-dnscrypt-proxy blocklist script fixes (contributed by Mark Keisler)
* plugins: os-frr 1.17 `[1] <https://github.com/opnsense/plugins/blob/stable/20.7/net/frr/pkg-descr>`__ 
* plugins: os-postfix 1.17 `[2] <https://github.com/opnsense/plugins/blob/stable/20.7/mail/postfix/pkg-descr>`__ 
* plugins: os-rspamd 1.10 `[3] <https://github.com/opnsense/plugins/blob/stable/20.7/mail/rspamd/pkg-descr>`__ 
* plugins: os-theme-cicada 1.25 (contributed by Team Rebellion)
* plugins: os-theme-tukan 1.23 (contributed by Team Rebellion)
* plugins: os-theme-vicuna 1.1 (contributed by Team Rebellion)
* plugins: os-wireguard 1.3 `[4] <https://github.com/opnsense/plugins/blob/stable/20.7/net/wireguard/pkg-descr>`__ 
* plugins: os-zabbix-agent 1.8 `[5] <https://github.com/opnsense/plugins/blob/stable/20.7/net-mgmt/zabbix-agent/pkg-descr>`__ 
* src: fix FreeBSD Linux ABI kernel panic `[6] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:17.linuxthread.asc>`__ 
* src: fix SCTP socket use-after-free `[7] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:25.sctp.asc>`__ 
* src: fix dhclient heap overflow `[8] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:26.dhclient.asc>`__ 
* src: fix ure device driver susceptible to packet-in-packet attack `[9] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:27.ure.asc>`__ 
* src: fix bhyve privilege escalation via VMCS access `[10] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:28.bhyve_vmcs.asc>`__ 
* src: fix bhyve SVM guest escape `[11] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:29.bhyve_svm.asc>`__ 
* src: fix ftpd privilege escalation via ftpchroot `[12] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:30.ftpd.asc>`__ 
* src: set PAX_HARDENING_NOSHLIBRANDOM in the RTLD by default
* src: fix kernel panic while trying to read multicast stream
* ports: mpd 5.9 `[13] <http://mpd.sourceforge.net/doc5/mpd4.html#4>`__ 
* ports: nss 3.57 `[14] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_57.html>`__ 
* ports: php 7.3.22 `[15] <https://www.php.net/ChangeLog-7.php#7.3.22>`__ 
* ports: pkg 1.15.6 `[16] <https://github.com/freebsd/freebsd-ports/commit/fd4f5566aea>`__ 



--------------------------------------------------------------------------
20.7.2 (September 02, 2020)
--------------------------------------------------------------------------


While we are still looking closer at netmap/iflib performance on 12.1 we
are rolling out a kernel with Intel em/igb updates that should avoid bad
packet counts in the default installation.  Syslog-ng received a workaround
for the diagnosed startup issue and alias now supports MAC address content
similar to how host content works.

Here are the full patch notes:

* system: set REQUESTS_CA_BUNDLE in environments
* system: improve parsing for temperature sensors
* system: add "new-password" hint for Chrome on login form
* system: rename syslog services description and hide legacy mode when not enabled
* system: force syslog-ng restart after boot sequence
* system: properly read new style logging directories
* reporting: replace line endings when sending traceback to syslog in flowd_aggregate
* reporting: add traffic graph filter for private IPv4 networks (contributed by kcaj-burr)
* firewall: add MAC address alias type
* firewall: be more verbose when fetching alias remote content
* firewall: prevent pfctl error messages from being suppressed
* firewall: exclude all reserved pf.conf keywords from alias name
* firewall: bogons not loaded on initial load
* firewall: reset damaged bogons files on startup
* interfaces: add listen-queue-sizes in socket diagnostics
* firmware: properly report an unsigned repository
* firmware: revoke 20.1 fingerprint
* intrusion detection: rule cache parse error on invalid metadata
* intrusion detection: allow search for status enabled/disabled
* web proxy: correct template replacement during build time
* web proxy: bugfix in JSON access log
* unbound: updated project block lists links (contributed by gap579137)
* backend: add regex_replace template support
* plugins: os-acme-client 1.36 `[1] <https://github.com/opnsense/plugins/pull/1974>`__ 
* plugins: os-dyndns 1.23 adds Gandi LiveDNS support (contributed by vizion8-dan)
* plugins: os-haproxy 2.24 `[2] <https://github.com/opnsense/plugins/blob/stable/20.7/net/haproxy/pkg-descr>`__ 
* plugins: os-stunnel 1.0.1 includes performance tweaks
* plugins: os-telegraf 1.8.2 `[3] <https://github.com/opnsense/plugins/blob/stable/20.7/net-mgmt/telegraf/pkg-descr>`__ 
* plugins: os-tinc fixes cipher parsing on 20.7
* src: remove ACPI workaround for serial console on AMD EPYC
* src: Make pf.conf ":0" ignore link-local v6 addresses too
* src: default "show bad packets" tunable to off in e100 driver
* src: fix unsolicited promisc mode in e1000 driver
* src: add valectl to the system commands
* ports: ca_root_nss/nss 3.56 `[4] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_56.html>`__ 
* ports: curl 7.72.0 `[5] <https://curl.se/changes.html#7_72_0>`__ 
* ports: libressl 3.1.4 `[6] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.1.4-relnotes.txt>`__ 
* ports: openldap 2.4.51 `[7] <https://www.openldap.org/software/release/changes.html>`__ 
* ports: php 7.3.21 `[8] <https://www.php.net/ChangeLog-7.php#7.3.21>`__ 
* ports: python 3.7.9 `[9] <https://docs.python.org/release/3.7.9/whatsnew/changelog.html>`__ 
* ports: sqlite 3.33.0 `[10] <https://sqlite.org/releaselog/3_33_0.html>`__ 
* ports: squid 4.13 `[11] <http://www.squid-cache.org/Versions/v4/squid-4.13-RELEASENOTES.html>`__ 
* ports: syslog-ng dlsym() workaround
* ports: unbound 1.11.0 `[12] <https://nlnetlabs.nl/projects/unbound/download/#unbound-1-11-0>`__ 



--------------------------------------------------------------------------
20.7.1 (August 13, 2020)
--------------------------------------------------------------------------


Small update here with security advisories, multicast fixes and logging
reliability patches amongst others.

Overall, the jump to HardenedBSD 12.1 is looking promising from our end.
From the reported issues we still have more logging quirks to investigate
and especially Netmap support (used in IPS and Sensei) is lacking in some
areas that were previously working. Patches are being worked on already
so we shall get there soon enough.  Stay tuned.

Here are the full patch notes:

* system: split log process name into separate column
* system: filter new style log directories accordingly
* system: add delay to improve syslog-ng startup
* system: properly switch login page to latest jQuery 3.5.1
* firewall: add select boxes for static filters in live log
* firmware: ignore mandoc.db files in health output as the system will regenerate them weekly
* firmware: bring back Chinese Aivian mirror
* firmware: remove defunct opn.sense.nz and RageNetwork mirrors
* web proxy: add JSON output following Elastic Common Schema (sponsored by Incenter Technology)
* backend: cap log messages to 4000 characters to prevent longer messages from vanishing
* plugins: os-acme-client 1.35 `[1] <https://github.com/opnsense/plugins/pull/1950>`__ 
* plugins: os-frr 1.15 `[2] <https://github.com/opnsense/plugins/blob/stable/20.7/net/frr/pkg-descr>`__ 
* plugins: os-postfix 1.15 `[3] <https://github.com/opnsense/plugins/blob/stable/20.7/mail/postfix/pkg-descr>`__ 
* plugins: os-udpbroadcastrelay 1.0 (contributed by Team Rebellion)
* src: set the current VNET before calling netisr_dispatch() in ng_iface(4)
* src: assorted multicast group join/leave corrections
* src: fix vmx driver packet loss and degraded performance `[4] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:16.vmx.asc>`__ 
* src: fix memory corruption in USB network device driver `[5] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:21.usb_net.asc>`__ 
* src: fix multiple vulnerabilities in sqlite `[6] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:22.sqlite.asc>`__ 
* src: fix sendmsg(2) privilege escalation `[7] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:23.sendmsg.asc>`__ 
* ports: perl 5.32.0 `[8] <https://perldoc.perl.org/5.32.0/perldelta>`__ 
* ports: squid 4.12 `[9] <http://www.squid-cache.org/Versions/v4/squid-4.12-RELEASENOTES.html>`__ 



--------------------------------------------------------------------------
20.7 (July 30, 2020)
--------------------------------------------------------------------------


For five and a half years, OPNsense is driving innovation through modularising
and hardening the open source firewall, with simple and reliable firmware
upgrades, multi-language support, HardenedBSD security, fast adoption of
upstream software updates as well as clear and stable 2-Clause BSD licensing.

20.7, nicknamed "Legendary Lion", is a major operating system jump forward on
a sustainable firewall experience.  This release adds DHCPv6 multi-WAN, custom
error pages for the web proxy, Suricata 5, HardenedBSD 12.1, netstat tree view,
basic firewall API support (via plugin) and extended live log filtering amongst
others.

Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__  and the checksums for the images
can be found below as well.

* Europe: https://mirrors.dotsrc.org/opnsense/releases/20.7/
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.7/
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.7/
* South America: https://mirror.venturasystems.tech/opnsense/releases/20.7/
* Australia: http://mirror.as24220.net/opnsense/releases/20.7/
* Full mirror list: https://opnsense.org/download/

Here are the full patch notes against version 20.7-RC1:

* system: syslog-ng RFC5424 on FreeBSD 12 needs flags(syslog-protocol)
* installer: welcome users as genuine 20.7 installer
* web proxy: do not try to force cachemanager access to use ICAP
* plugins: os-collectd 1.3 `[2] <https://github.com/opnsense/plugins/blob/stable/20.7/net-mgmt/collectd/pkg-descr>`__ 
* plugins: os-zabbix5-proxy 1.3 `[3] <https://github.com/opnsense/plugins/blob/stable/20.7/net-mgmt/zabbix5-proxy/pkg-descr>`__ 
* src: prevent netgraph page fault for LTE usage
* ports: dnsmasq 2.82 `[4] <https://www.thekelleys.org.uk/dnsmasq/CHANGELOG>`__ 
* ports: monit 5.27.0 `[5] <https://mmonit.com/monit/changes/>`__ 
* ports: nss 3.55 `[6] <https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_55.html>`__ 
* ports: sudo 1.9.2 `[7] <https://www.sudo.ws/stable.html#1.9.2>`__ 

Known issues and limitations:

* legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp are no longer available
* i386 architecture builds are no longer available

The public key for the 20.7 series is:

.. code-block::

    # -----BEGIN PUBLIC KEY-----
    # MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAngIbBcRin9AmDSOsjpft
    # 7aK52TLkOzRc94NqKKnn6ALd6poEuFqYl1tfNT6XumBJDsRL1s56UYfjS8zpvFW3
    # HdzKOv4YtIln6qUuC1w8TXYNprasB/laYoBn2xeCGX5L6carlujQ+h0rsj+kpawr
    # E0/d6oRzR69cxQyoDQHD559Wv4nA795M6QGDhhl3dDq/92gzrrq3C5gJ7ldHi13c
    # inM2Fw+oPUfEIWUt/sqUTZheEk0Df3LSiJlgjQDhjh5uujTLgvX8IzfYAb8clgY3
    # DplgOh4ReoFnx6XVERSPa91ZJGeCV4dTGD2hU40rzU1lkQaiVUITLsfjrYUsNMEo
    # jdG+ndGIPTOrwXH4yGRZuUZZ612ALtO6bd4V1kAOLOS07mo4JB4poEbbB0lvZJSG
    # iTmU9od8zutnLkD66Q/qI8e6OcL0yqjwwG9DzCKg23M6cVWfyBTJhKoqQyhNWnzZ
    # bzvgOXfhOA8jn8FPChaU5OiIrv+g56pQrWKcQsvgQMqlyR+/AFSIrrqprCjDkfOG
    # bxFqTGkPb1n32nbnXJOA5Z43G9/PtBV8lvaEzli6Vehh+Zrcuy8yupbiVWSqTOfp
    # E5cYAmrlDkxKyAlZQtH6EhMF1VBQRrlqGhss5XYoE3DQDqWdhUbGv8Qiiv7ROCza
    # SIMuSzc6u35MooDRDZF4Ba0CAwEAAQ==
    # -----END PUBLIC KEY-----



.. code-block::

    # SHA256 (OPNsense-20.7-OpenSSL-dvd-amd64.iso.bz2) = 580070a3a0533418d58eaeb78122f804f2df7081c929288e1dccee34c4bf763a
    # SHA256 (OPNsense-20.7-OpenSSL-nano-amd64.img.bz2) = 6deb370c2a64fa6c60b7f59a4afb31b2dd28b812f5fcd59eaa6d458938d45630
    # SHA256 (OPNsense-20.7-OpenSSL-serial-amd64.img.bz2) = 1276cddd5f7b89aa54fc4a1517cb0686efe94f672627243c5b34d93340441d60
    # SHA256 (OPNsense-20.7-OpenSSL-vga-amd64.img.bz2) = 72cbffe3bba4884586c8ded8dbca4cf30fb34a094602e5f681efde2deea595c6

--------------------------------------------------------------------------
20.7.r1 (July 21, 2020)
--------------------------------------------------------------------------


For five and a half years, OPNsense is driving innovation through modularising
and hardening the open source firewall, with simple and reliable firmware
upgrades, multi-language support, HardenedBSD security, fast adoption of
upstream software updates as well as clear and stable 2-Clause BSD licensing.

We thank all of you for helping test, shape and contribute to the project!
We know it would not be the same without you.  <3

Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__  and the checksums for the images
can be found below as well.

* Europe: https://mirrors.dotsrc.org/opnsense/releases/20.7/
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.7/
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.7/
* South America: https://mirror.venturasystems.tech/opnsense/releases/20.7/
* Australia: http://mirror.as24220.net/opnsense/releases/20.7/
* Full mirror list: https://opnsense.org/download/

Here are the full patch notes against 20.1.8_1:

* system: allow to optionally disable legacy logging (clog)
* system: do not allow login redirects to visit external pages
* system: add new "auth user changed" config event and hook it into LDAP updatePolicies()
* system: adapt to 3wire serial console setting
* system: figure out which sysctls are writeable before attempting to write them
* system: Windows-friendly Nextcloud configuration backup file timestamp (contributed by Alphakilo)
* system: disable PCRE JIT in PHP config
* system: clean up start / stop beep handler
* interfaces: improved VLAN handling and defaults for more stable netmap use on 12.1
* interfaces: support DHCPv6 multi-WAN (contributed by Team Rebellion)
* interfaces: show delegated prefix in overview (contributed by Team Rebellion)
* interfaces: DHCPv4 no-release and debug options moved to global interface settings
* interfaces: automatically register loopback device lo0
* firewall: handle new net.pf.request_maxcount system limit accordingly
* firewall: properly evaluate and execute gateway monitoring kill states feature
* firewall: add the iplen option to shaper rules (contributed by Maxfield Allison)
* firewall: show partial alias content in tooltip
* firewall: translated static log overview page to MVC
* firewall: aliases now show internal aliases
* firewall: validate if NAT destination contains a port
* firewall: prevent config_read_array() from adding an empty lo0
* firmware: added fingerprint for 20.7 series
* firmware: hint at missing plugins and request to install or dismiss
* intrusion detection: extend rule search with metadata and show results on rule info
* intrusion detection: updated pattern options (contributed by Xeroxxx)
* intrusion detection: synchronize suricata.yaml with default template
* network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by mikahe)
* network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by mikahe)
* unbound: integrate functionality formerly known as "unbound-plus" plugin (contributed by Michael Muenz)
* web proxy: support for custom error pages (sponsored by Incenter Technology)
* web proxy: add connect_timeout (contributed by Michael Muenz)
* web proxy: allow PURGE on cache (contributed by sazb)
* web proxy: add missing IPv6 listener
* mvc: add "S" option for AllowDynamic in InterfaceField type
* mvc: LegacyLinkField not allowed to return null in __toString()
* backend: add safeguard for illegal configd settings leading to overrides on the same command leaf
* backend: emove undocumented and unused alias support
* mvc: support virtual nodes in model instances
* rc: implement inline variables for skip and defer service start
* ui: unify edit dialog and add onBeforeRenderDialog event deferrable
* ui: use firewall groups to group interfaces menu accordingly
* ui: moved virtual IP menu entry to interfaces
* ui: jQuery 3.5.1
* plugins: os-dyndns 1.22 `[2] <https://github.com/opnsense/plugins/pull/1654>`__ 
* plugins: os-intrusion-detection-content-et-pro 1.0.2 switches to Suricata 5 rules
* plugins: os-telegraf 1.8.1 `[3] <https://github.com/opnsense/plugins/blob/stable/20.7/net-mgmt/telegraf/pkg-descr>`__ 
* plugins: os-theme-rebellion 1.8.6 (contributed by Team Rebellion)
* plugins: os-tinc fixes switch mode `[4] <https://github.com/opnsense/plugins/pull/1733>`__ 
* plugins: os-wireguard 1.2 `[5] <https://github.com/opnsense/plugins/pull/1865>`__ 
* src: HardenedBSD 12.1-p7
* ports: ca_root_nss 3.54
* ports: curl 7.71.1 `[6] <https://curl.se/changes.html#7_71_1>`__ 
* ports: php 7.3.20 `[7] <https://www.php.net/ChangeLog-7.php#7.3.20>`__ 
* ports: python 3.7.8 `[8] <https://docs.python.org/release/3.7.8/whatsnew/changelog.html>`__ 
* ports: sqlite 3.32.3 `[9] <https://sqlite.org/releaselog/3_32_3.html>`__ 
* ports: suricata 5.0.3 `[10] <https://suricata-ids.org/2020/04/28/suricata-5-0-3-released/>`__ 

Known issues and limitations:

* Legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp will no longer be available
* i386 architecture builds will no longer be available
* Installer still advertises 20.1

The public key for the 20.7 series is:

.. code-block::

    # -----BEGIN PUBLIC KEY-----
    # MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAngIbBcRin9AmDSOsjpft
    # 7aK52TLkOzRc94NqKKnn6ALd6poEuFqYl1tfNT6XumBJDsRL1s56UYfjS8zpvFW3
    # HdzKOv4YtIln6qUuC1w8TXYNprasB/laYoBn2xeCGX5L6carlujQ+h0rsj+kpawr
    # E0/d6oRzR69cxQyoDQHD559Wv4nA795M6QGDhhl3dDq/92gzrrq3C5gJ7ldHi13c
    # inM2Fw+oPUfEIWUt/sqUTZheEk0Df3LSiJlgjQDhjh5uujTLgvX8IzfYAb8clgY3
    # DplgOh4ReoFnx6XVERSPa91ZJGeCV4dTGD2hU40rzU1lkQaiVUITLsfjrYUsNMEo
    # jdG+ndGIPTOrwXH4yGRZuUZZ612ALtO6bd4V1kAOLOS07mo4JB4poEbbB0lvZJSG
    # iTmU9od8zutnLkD66Q/qI8e6OcL0yqjwwG9DzCKg23M6cVWfyBTJhKoqQyhNWnzZ
    # bzvgOXfhOA8jn8FPChaU5OiIrv+g56pQrWKcQsvgQMqlyR+/AFSIrrqprCjDkfOG
    # bxFqTGkPb1n32nbnXJOA5Z43G9/PtBV8lvaEzli6Vehh+Zrcuy8yupbiVWSqTOfp
    # E5cYAmrlDkxKyAlZQtH6EhMF1VBQRrlqGhss5XYoE3DQDqWdhUbGv8Qiiv7ROCza
    # SIMuSzc6u35MooDRDZF4Ba0CAwEAAQ==
    # -----END PUBLIC KEY-----

Please let us know about your experience!



.. code-block::

    # SHA256 (OPNsense-20.7.r1-OpenSSL-dvd-amd64.iso.bz2) = d54dca6390497d45b831f68f352fccf84881aac78a360247965e5c9b36fbfded
    # SHA256 (OPNsense-20.7.r1-OpenSSL-nano-amd64.img.bz2) = f78d51d53bf663df2d49a3724812893d8c55234ab8d4a9232663fa581496edbe
    # SHA256 (OPNsense-20.7.r1-OpenSSL-serial-amd64.img.bz2) = 984f8c9d63598f061cc8995245dea73703532c1bb688ac87cdb1e510fb53b80e
    # SHA256 (OPNsense-20.7.r1-OpenSSL-vga-amd64.img.bz2) = 711811e0a7d37d323a060c52590daa9f024e77c6da627530c6596367a09b412d