diff --git a/source/CE_releases.rst b/source/CE_releases.rst index 6335b368..4b91b5cd 100644 --- a/source/CE_releases.rst +++ b/source/CE_releases.rst @@ -8,7 +8,7 @@ Community Edition :width: 600px :align: center -As of January 2015 there have been *233* releases leading to the latest version *22.7.2* +As of January 2015 there have been *237* releases leading to the latest version *22.7.6* named "Powerful Panther". diff --git a/source/releases/BE_20.7.rst b/source/releases/BE_20.7.rst index 26153224..cd35c0d8 100644 --- a/source/releases/BE_20.7.rst +++ b/source/releases/BE_20.7.rst @@ -122,7 +122,7 @@ Here are the full patch notes: * ports: dhcp6c ignores advertise messages with none of requested data and missed status codes * ports: libressl 3.1.5 `[6] `__ * ports: lighttpd 1.4.56 `[7] `__ -* ports: nss 3.60 `[8] `__ +* ports: nss 3.60 `[8] `__ * ports: openssl 1.1.1i `[9] `__ * ports: pcre2 10.36 `[10] `__ * ports: sudo 1.9.4 `[11] `__ @@ -180,7 +180,7 @@ Here are the full patch notes: * src: fix multiple vulnerabilities in rtsold `[7] `__ * src: update timezone database information `[8] `__ * ports: krb5 1.18.3 `[9] `__ -* ports: nss 3.59 `[10] `__ +* ports: nss 3.59 `[10] `__ * ports: openldap 2.4.56 `[11] `__ * ports: openssh 8.4p1 `[12] `__ * ports: php 7.3.25 `[13] `__ @@ -272,7 +272,7 @@ Here are the full patch notes: * src: update Realtek re driver to upstream version 1.96.04 (contributed by Laurent Dinclaux) * ports: curl 7.73.0 `[3] `__ * ports: libxml fixes for CVE-2019-20388, CVE-2020-7595 and CVE-2020-24977 -* ports: nss 3.58 `[4] `__ +* ports: nss 3.58 `[4] `__ * ports: openssl 1.1.1h `[5] `__ * ports: php 7.3.23 `[6] `__ * ports: pkg 1.15.10 
@@ -331,7 +331,7 @@ Here are the full patch notes: * src: set PAX_HARDENING_NOSHLIBRANDOM in the RTLD by default * src: fix kernel panic while trying to read multicast stream * ports: mpd 5.9 `[13] `__ -* ports: nss 3.57 `[14] `__ +* ports: nss 3.57 `[14] `__ * ports: php 7.3.22 `[15] `__ * ports: pkg 1.15.6 `[16] `__ @@ -384,7 +384,7 @@ Here are the full patch notes: * src: default "show bad packets" tunable to off in e100 driver * src: fix unsolicited promisc mode in e1000 driver * src: add valectl to the system commands -* ports: ca_root_nss/nss 3.56 `[4] `__ +* ports: ca_root_nss/nss 3.56 `[4] `__ * ports: curl 7.72.0 `[5] `__ * ports: libressl 3.1.4 `[6] `__ * ports: openldap 2.4.51 `[7] `__ @@ -474,7 +474,7 @@ Here are the full patch notes against version 20.7-RC1: * src: prevent netgraph page fault for LTE usage * ports: dnsmasq 2.82 `[4] `__ * ports: monit 5.27.0 `[5] `__ -* ports: nss 3.55 `[6] `__ +* ports: nss 3.55 `[6] `__ * ports: sudo 1.9.2 `[7] `__ Known issues and limitations: diff --git a/source/releases/BE_21.10.rst b/source/releases/BE_21.10.rst index 38cfbd8b..7307409e 100644 --- a/source/releases/BE_21.10.rst +++ b/source/releases/BE_21.10.rst @@ -54,7 +54,7 @@ Here are the full patch notes: * ports: flock 2.37.2 * ports: hostapd 2.10 `[12] `__ * ports: lighttpd 1.4.63 `[13] `__ -* ports: nss 3.74 `[14] `__ +* ports: nss 3.74 `[14] `__ * ports: openssl 1.1.1m `[15] `__ * ports: openvpn 2.5.5 `[16] `__ * ports: php 7.4.27 `[17] `__ @@ -130,7 +130,7 @@ Here are the full patch notes: * plugins: os-zabbix-proxy 1.6 `[10] `__ * ports: curl 7.80.0 `[11] `__ * ports: dnsmasq fixes multiple regressions -* ports: nss 3.73 `[12] `__ +* ports: nss 3.73 `[12] `__ * ports: php 7.4.26 `[13] `__ * ports: phpseclib 2.0.35 `[14] `__ * ports: suricata 6.0.4 `[15] `__ 
@@ -238,7 +238,7 @@ Here are the full patch notes: * ports: dnspython 2.1.0 `[18] `__ * ports: jinja 3.0.1 `[19] `__ * ports: lighttpd 1.4.61 `[20] `__ -* ports: nss 3.72 `[21] `__ +* ports: nss 3.72 `[21] `__ * ports: openssh 8.8p1 `[22] `__ * ports: openvpn 2.5.4 `[23] `__ * ports: pcre2 10.39 `[24] `__ @@ -403,7 +403,7 @@ Here are the full patch notes: * ports: monit 5.29.0 `[21] `__ * ports: mpd5 adds L2TP interoperability fix from upstream * ports: nettle 3.7.3 -* ports: nss 3.70 `[22] `__ +* ports: nss 3.70 `[22] `__ * ports: openvpn 2.5.3 `[23] `__ * ports: pcre 8.45 `[24] `__ * ports: php 7.4.23 `[25] `__ diff --git a/source/releases/BE_21.4.rst b/source/releases/BE_21.4.rst index 737646a3..f065d995 100644 --- a/source/releases/BE_21.4.rst +++ b/source/releases/BE_21.4.rst @@ -97,7 +97,7 @@ Here are the full patch notes: * ports: filterlog adds CARP IPv6 support and moves label to previously reserved spot * ports: isc-dhcp 4.4.2-P1 `[9] `__ * ports: libxml 2.9.12 `[10] `__ -* ports: nss 3.67 `[11] `__ +* ports: nss 3.67 `[11] `__ * ports: openldap 2.4.59 `[12] `__ * ports: openssl 1.1.1l `[13] `__ * ports: pcre2 10.37 `[14] `__ @@ -200,7 +200,7 @@ Here are the full patch notes: * src: linux: prevent integer overflow in futex_requeue `[15] `__ * ports: filterlog 0.4 adds label support to output if applicable * ports: libxml fix for CVE-2021-3541 -* ports: nss 3.65 `[16] `__ +* ports: nss 3.65 `[16] `__ * ports: openssh 8.6p1 `[17] `__ * ports: php 7.3.28 `[18] `__ * ports: py-yaml 5.4.1 @@ -510,7 +510,7 @@ Here are the full patch notes: * src: arp: avoid segfaulting due to out-of-bounds memory access * src: fix multiple OpenSSL vulnerabilities `[24] `__ * src: axgbe: enable receive all mode to bypass the MAC filter to avoid dropping CARP MAC addresses -* ports: ca_root_nss / nss 3.63 `[25] `__ +* ports: ca_root_nss / nss 3.63 `[25] `__ * ports: curl 7.75.0 `[26] `__ * ports: dnsmasq 2.84 `[27] `__ * ports: igmpproxy 0.3 `[28] `__ 
diff --git a/source/releases/BE_22.4.rst b/source/releases/BE_22.4.rst index 9cbd419c..0ebee77e 100644 --- a/source/releases/BE_22.4.rst +++ b/source/releases/BE_22.4.rst @@ -51,11 +51,12 @@ Here are the full patch notes: * plugins: os-postfix 1.23 `[2] `__ * plugins: os-stunnel 1.0.5 adds intermediates to server chain (contributed by Johnny S. Lee) * plugins: os-telegraf 1.12.5 `[3] `__ -* ports: nss 3.80 `[4] `__ +* ports: nss 3.80 `[4] `__ * ports: py-vici 5.9.3 * ports: python 3.9.13 `[5] `__ * ports: sudo 1.9.11p3 `[6] `__ * ports: syslog-ng 3.37.1 `[7] `__ +* ports: unbound 1.16.2 `[8] `__ A hotfix release was issued as 22.4.3_1: @@ -117,7 +118,7 @@ Here are the full patch notes: * ports: curl 7.84.0 `[7] `__ * ports: krb5 1.20 `[8] `__ * ports: lighttpd 1.4.65 `[9] `__ -* ports: nss 3.79 `[10] `__ +* ports: nss 3.79 `[10] `__ * ports: openssl 1.1.1q `[11] `__ * ports: openvpn 2.5.7 `[12] `__ * ports: php 7.4.30 `[13] `__ @@ -196,7 +197,7 @@ Here are the full patch notes: * ports: expat 2.4.8 `[11] `__ * ports: libxml 2.9.13 `[12] `__ * ports: monit 5.32.0 `[13] `__ -* ports: nss 3.78 `[14] `__ +* ports: nss 3.78 `[14] `__ * ports: pcre2 10.40 `[15] `__ * ports: php 7.4.29 `[16] `__ * ports: phpseclib 2.0.37 `[17] `__ @@ -486,7 +487,7 @@ Here are the full patch notes: * ports: krb5 1.19.3 `[26] `__ * ports: lighttpd 1.4.64 `[27] `__ * ports: monit 5.30.0 `[28] `__ -* ports: nss 3.76 `[29] `__ +* ports: nss 3.76 `[29] `__ * ports: openssh 8.9p1 `[30] `__ * ports: openssl 1.1.1n `[31] `__ * ports: openvpn 2.5.6 `[32] `__ diff --git a/source/releases/CE_16.7.rst b/source/releases/CE_16.7.rst index bc169199..db683a80 100644 --- a/source/releases/CE_16.7.rst +++ b/source/releases/CE_16.7.rst 
@@ -448,7 +448,7 @@ Here are the full patch notes: * dns: improve forwarder interface listening generation * rc: silence backup warnings about stripped leading slashes * ports: bind 9.10.4-P3 `[2] `__ -* ports: ca_root_nss 3.27.1 `[3] `__ +* ports: ca_root_nss 3.27.1 `[3] `__ * ports: libressl 2.3.8 `[4] `__ * ports: unbound 1.5.10 `[5] `__ diff --git a/source/releases/CE_20.7.rst b/source/releases/CE_20.7.rst index 26153224..cd35c0d8 100644 --- a/source/releases/CE_20.7.rst +++ b/source/releases/CE_20.7.rst @@ -122,7 +122,7 @@ Here are the full patch notes: * ports: dhcp6c ignores advertise messages with none of requested data and missed status codes * ports: libressl 3.1.5 `[6] `__ * ports: lighttpd 1.4.56 `[7] `__ -* ports: nss 3.60 `[8] `__ +* ports: nss 3.60 `[8] `__ * ports: openssl 1.1.1i `[9] `__ * ports: pcre2 10.36 `[10] `__ * ports: sudo 1.9.4 `[11] `__ @@ -180,7 +180,7 @@ Here are the full patch notes: * src: fix multiple vulnerabilities in rtsold `[7] `__ * src: update timezone database information `[8] `__ * ports: krb5 1.18.3 `[9] `__ -* ports: nss 3.59 `[10] `__ +* ports: nss 3.59 `[10] `__ * ports: openldap 2.4.56 `[11] `__ * ports: openssh 8.4p1 `[12] `__ * ports: php 7.3.25 `[13] `__ @@ -272,7 +272,7 @@ Here are the full patch notes: * src: update Realtek re driver to upstream version 1.96.04 (contributed by Laurent Dinclaux) * ports: curl 7.73.0 `[3] `__ * ports: libxml fixes for CVE-2019-20388, CVE-2020-7595 and CVE-2020-24977 -* ports: nss 3.58 `[4] `__ +* ports: nss 3.58 `[4] `__ * ports: openssl 1.1.1h `[5] `__ * ports: php 7.3.23 `[6] `__ * ports: pkg 1.15.10 @@ -331,7 +331,7 @@ Here are the full patch notes: * src: set PAX_HARDENING_NOSHLIBRANDOM in the RTLD by default * src: fix kernel panic while trying to read multicast stream * ports: mpd 5.9 `[13] `__ -* ports: nss 3.57 `[14] `__ +* ports: nss 3.57 `[14] `__ * ports: php 7.3.22 `[15] `__ * ports: pkg 1.15.6 `[16] `__ 
@@ -384,7 +384,7 @@ Here are the full patch notes: * src: default "show bad packets" tunable to off in e100 driver * src: fix unsolicited promisc mode in e1000 driver * src: add valectl to the system commands -* ports: ca_root_nss/nss 3.56 `[4] `__ +* ports: ca_root_nss/nss 3.56 `[4] `__ * ports: curl 7.72.0 `[5] `__ * ports: libressl 3.1.4 `[6] `__ * ports: openldap 2.4.51 `[7] `__ @@ -474,7 +474,7 @@ Here are the full patch notes against version 20.7-RC1: * src: prevent netgraph page fault for LTE usage * ports: dnsmasq 2.82 `[4] `__ * ports: monit 5.27.0 `[5] `__ -* ports: nss 3.55 `[6] `__ +* ports: nss 3.55 `[6] `__ * ports: sudo 1.9.2 `[7] `__ Known issues and limitations: diff --git a/source/releases/CE_21.1.rst b/source/releases/CE_21.1.rst index 9725d54b..f6169369 100644 --- a/source/releases/CE_21.1.rst +++ b/source/releases/CE_21.1.rst @@ -66,7 +66,7 @@ Here are the full patch notes: * plugins: os-zabbix-agent 1.9 `[4] `__ * ports: curl 7.78.0 `[5] `__ * ports: filterlog adds CARP IPv6 support and moves label to previously reserved spot -* ports: nss 3.68 `[6] `__ +* ports: nss 3.68 `[6] `__ * ports: php 7.4.21 `[7] `__ * ports: python 3.7.11 `[8] `__ * ports: syslog-ng 3.33.2 `[9] `__ @@ -127,7 +127,7 @@ Here are the full patch notes: * ports: clog 1.0.2 fixes garbage header write on init * ports: libxml 2.9.12 `[7] `__ * ports: nettle 3.7.3 -* ports: nss 3.67 `[8] `__ +* ports: nss 3.67 `[8] `__ * ports: openvpn 2.5.3 `[9] `__ * ports: php 7.4.20 `[10] `__ * ports: phpseclib 2.0.32 `[11] `__ @@ -191,7 +191,7 @@ Here are the full patch notes: * src: pms data corruption `[6] `__ * ports: curl 7.77.0 `[7] `__ * ports: isc-dhcp 4.4.2-P1 `[8] `__ -* ports: nss 3.66 `[9] `__ +* ports: nss 3.66 `[9] `__ * ports: openldap 2.4.59 `[10] `__ * ports: pcre2 10.37 `[11] `__ * ports: phalcon 4.1.2 `[12] `__ 
@@ -268,7 +268,7 @@ Here are the full patch notes: * ports: filterlog 0.4 adds label support to output if applicable * ports: libressl 3.3.3 `[12] `__ * ports: libxml fix for CVE-2021-3541 -* ports: nss 3.65 `[13] `__ +* ports: nss 3.65 `[13] `__ * ports: openssh 8.6p1 `[14] `__ * ports: openvpn 2.4.11 `[15] `__ * ports: php 7.3.28 `[16] `__ @@ -420,7 +420,7 @@ Here are the full patch notes: * plugins: os-wireguard 1.5 `[5] `__ * plugins: os-wol 2.4 fixes dashboard widget (contributed by kulikov-a) * src: fix multiple OpenSSL vulnerabilities `[6] `__ -* ports: ca_root_nss / nss 3.63 `[7] `__ +* ports: ca_root_nss / nss 3.63 `[7] `__ * ports: libressl 3.2.5 `[8] `__ * ports: openldap 2.4.58 `[9] `__ * ports: openssh fix for double free in ssh-agent `[10] `__ @@ -492,7 +492,7 @@ Here are the full patch notes: * src: arp: avoid segfaulting due to out-of-bounds memory access * ports: cpdup 1.22 `[8] `__ * ports: krb5 1.19.1 `[9] `__ -* ports: nss 3.62 `[10] `__ +* ports: nss 3.62 `[10] `__ * ports: pkg now provides fallback for version mismatch on pkg-add * ports: python 3.7.10 `[11] `__ * ports: syslog-ng 3.31.1 `[12] `__ @@ -731,7 +731,7 @@ Here are the full patch notes against 20.7.8: * src: fix traffic graph not showing bandwidth when IPS is enabled * ports: dnsmasq 2.83 `[9] `__ * ports: igmpproxy 0.3 `[10] `__ -* ports: nss 3.61 `[11] `__ +* ports: nss 3.61 `[11] `__ * ports: openldap 2.4.57 `[12] `__ * ports: py-netaddr 0.8.0 `[13] `__ * ports: sudo 1.9.5p2 `[14] `__ diff --git a/source/releases/CE_21.7.rst b/source/releases/CE_21.7.rst index 8a5bec2a..88106b58 100644 --- a/source/releases/CE_21.7.rst +++ b/source/releases/CE_21.7.rst @@ -76,7 +76,7 @@ Here are the full patch notes: * ports: flock 2.37.2 * ports: hostapd 2.10 `[12] `__ * ports: lighttpd 1.4.63 `[13] `__ -* ports: nss 3.74 `[14] `__ +* ports: nss 3.74 `[14] `__ * ports: openssl 1.1.1m `[15] `__ * ports: openvpn 2.5.5 `[16] `__ * ports: php 7.4.27 `[17] `__ 
@@ -124,7 +124,7 @@ Here are the full patch notes: * src: axgbe: log GPIO signals on EEPROM read fails * ports: curl 7.80.0 `[3] `__ * ports: dnsmasq fixes multiple regressions -* ports: nss 3.73 `[4] `__ +* ports: nss 3.73 `[4] `__ * ports: php 7.4.26 `[5] `__ * ports: phpseclib 2.0.35 `[6] `__ * ports: suricata disables Netmap API version 14 introduced in 21.7.6 @@ -257,7 +257,7 @@ Here are the full patch notes for version 21.7.5: * src: fix kernel panic in vmci driver initialization `[13] `__ * src: timezone database information update `[14] `__ * ports: lighttpd 1.4.61 `[15] `__ -* ports: nss 3.72 `[16] `__ +* ports: nss 3.72 `[16] `__ * ports: openssh 8.8p1 `[17] `__ * ports: pcre2 10.39 `[18] `__ * ports: php 7.4.25 `[19] `__ @@ -340,7 +340,7 @@ Here are the full patch notes: * ports: jinja 3.0.1 `[8] `__ * ports: libressl 3.3.5 `[9] `__ * ports: lighttpd 1.4.60 `[10] `__ -* ports: nss 3.71 `[11] `__ +* ports: nss 3.71 `[11] `__ * ports: openvpn 2.5.4 `[12] `__ * ports: php 7.4.24 `[13] `__ * ports: strongswan 5.9.4 `[14] `__ @@ -388,7 +388,7 @@ Here are the full patch notes: * plugins: os-telegraf 1.12.1 `[6] `__ * ports: dnsmasq 2.86 `[7] `__ * ports: filterlog 0.5 removes unused IPv6 options support -* ports: nss 3.70 `[8] `__ +* ports: nss 3.70 `[8] `__ * ports: pcre 8.45 `[9] `__ * ports: python 3.8.12 `[10] `__ * ports: sudo 1.9.8p1 `[11] `__ @@ -477,7 +477,7 @@ Here are the full patch notes: * src: fix multiple OpenSSL vulnerabilities `[6] `__ `[7] `__ * ports: ifinfo 13.0 * ports: libressl 3.3.4 `[8] `__ -* ports: nss 3.69 `[9] `__ +* ports: nss 3.69 `[9] `__ * ports: monit 5.29.0 `[10] `__ * ports: mpd5 adds L2TP interoperability fix from upstream * ports: openssl 1.1.1l `[11] `__ 
@@ -693,7 +693,7 @@ Here are the full patch notes: * ports: filterlog adds CARP IPv6 support and moves label to previously reserved spot * ports: libxml 2.9.12 `[15] `__ * ports: nettle 3.7.3 -* ports: nss 3.68 `[16] `__ +* ports: nss 3.68 `[16] `__ * ports: openvpn 2.5.3 `[17] `__ * ports: php 7.4.21 `[18] `__ * ports: phpseclib 2.0.32 `[19] `__ @@ -885,7 +885,7 @@ Here are the full patch notes against 21.1.7: * ports: drop hardening options to ease migration to FreeBSD ports tree * ports: libxml 2.9.12 `[6] `__ * ports: nettle 3.7.3 -* ports: nss 3.67 `[7] `__ +* ports: nss 3.67 `[7] `__ * ports: openvpn 2.5.3 `[8] `__ * ports: php 7.4.20 `[9] `__ * ports: phpseclib 2.0.32 `[10] `__ diff --git a/source/releases/CE_22.1.rst b/source/releases/CE_22.1.rst index b4c85616..dd639e62 100644 --- a/source/releases/CE_22.1.rst +++ b/source/releases/CE_22.1.rst @@ -73,7 +73,7 @@ Here are the full patch notes: * plugins: os-stunnel 1.0.5 adds intermediates to server chain (contributed by Johnny S. Lee) * plugins: os-telegraf 1.12.5 `[3] `__ * ports: curl 7.84.0 `[4] `__ -* ports: nss 3.80 `[5] `__ +* ports: nss 3.80 `[5] `__ * ports: openssl 1.1.1q `[6] `__ * ports: phalcon 5.0.0RC2 `[7] `__ * ports: py-vici 5.9.3 @@ -134,7 +134,7 @@ Here are the full patch notes: * src: assorted non-functional cleanups and typo corrections * ports: krb5 1.20 `[5] `__ * ports: lighttpd 1.4.65 `[6] `__ -* ports: nss 3.79 `[7] `__ +* ports: nss 3.79 `[7] `__ * ports: openvpn 2.5.7 `[8] `__ * ports: php 7.4.30 `[9] `__ * ports: py-certifi 2022.5.18.1 @@ -238,7 +238,7 @@ Here are the full patch notes: * plugins: os-zabbix-agent 1.12 `[5] `__ * plugins: os-zabbix-proxy 1.8 `[6] `__ * ports: curl 7.83.0 `[7] `__ -* ports: nss 3.78 `[8] `__ +* ports: nss 3.78 `[8] `__ * ports: openssl 1.1.1o `[9] `__ * ports: pcre2 10.40 `[10] `__ * ports: php 7.4.29 `[11] `__ 
@@ -324,7 +324,7 @@ Here are the full patch notes: * ports: expat 2.4.8 `[11] `__ * ports: libxml 2.9.13 `[12] `__ * ports: monit 5.32.0 `[13] `__ -* ports: nss 3.77 `[14] `__ +* ports: nss 3.77 `[14] `__ * ports: python 3.8.13 `[15] `__ @@ -416,7 +416,7 @@ Here are the full patch notes: * ports: dpinger 3.2 `[3] `__ * ports: expat 2.4.7 `[4] `__ * ports: krb5 1.19.3 `[5] `__ -* ports: nss 3.76 `[6] `__ +* ports: nss 3.76 `[6] `__ * ports: openssh 8.9p1 `[7] `__ * ports: sudo 1.9.10 `[8] `__ * ports: syslog-ng 3.36.1 `[9] `__ @@ -576,7 +576,7 @@ Here are the full patch notes: * ports: expat 2.4.4 `[9] `__ * ports: lighttpd 1.4.64 `[10] `__ * ports: monit 5.30.0 `[11] `__ -* ports: nss 3.75 `[12] `__ +* ports: nss 3.75 `[12] `__ * ports: pcre / pcre2 enable JIT support * ports: phpseclib 2.0.36 `[13] `__ * ports: strongswan 5.9.5 `[14] `__ @@ -769,7 +769,7 @@ Here are the full patch notes against version 21.7.7: * ports: flock 2.37.2 * ports: hostapd 2.10 `[15] `__ * ports: lighttpd 1.4.63 `[16] `__ -* ports: nss 3.74 `[17] `__ +* ports: nss 3.74 `[17] `__ * ports: openssl 1.1.1m `[18] `__ * ports: openvpn 2.5.5 `[19] `__ * ports: pecl-psr 1.2.0 `[20] `__ @@ -875,7 +875,7 @@ Here are the full patch notes: * src: revert upstream permission change for /root directory * src: fix kernel build creating wrong linkers.hint file * ports: hostapd 2.10 `[3] `__ -* ports: nss 3.74 `[4] `__ +* ports: nss 3.74 `[4] `__ * ports: pecl-psr 1.2.0 `[5] `__ * ports: pkg fixes validation failures on HTTPS fetch in static binary `[6] `__ * ports: sqlite 3.37.2 `[7] `__ @@ -1006,7 +1006,7 @@ Here are the full patch notes against 21.7.7: * ports: filterlog 0.6 `[12] `__ * ports: flock 2.37.2 * ports: lighttpd 1.4.63 `[13] `__ -* ports: nss 3.73.1 `[14] `__ +* ports: nss 3.73.1 `[14] `__ * ports: openssl 1.1.1m `[15] `__ * ports: openvpn 2.5.5 `[16] `__ * ports: phalcon 4.1.3 `[17] `__ diff --git a/source/releases/CE_22.7.rst b/source/releases/CE_22.7.rst index 255ea21a..18b037ee 100644 
--- a/source/releases/CE_22.7.rst +++ b/source/releases/CE_22.7.rst 
@@ -34,6 +34,244 @@ can be found below as well. * Full mirror list: https://opnsense.org/download/ +-------------------------------------------------------------------------- +22.7.6 (October 12, 2022) +-------------------------------------------------------------------------- + + +This update fixes CRL code handling with third party software and sandboxes +the code to avoid dealing with boot-time issues ever again. However, due to +the nature of the sandboxing no automatic fix can be made for the following +case: + +Creating and using an empty CRL in OpenVPN broke in 22.7.5 due to an ancient +bug not populating the empty CRL in binary format: the side effect "correcting" +this at runtime was removed. 22.7.6 will now correctly populate the binary +format of the empty CRL upon creation in the config.xml as originally intended. + +The options to manually fix existing empty CRLs are as follows: + +* Remove the CRL from OpenVPN as it is unused anyway, or +* Add a dummy certificate to it to populate the CRL properly, or +* Add and remove a random existing certificate to populate an empty CRL. + +These fixes can be carried out on older installation without a problem as well +prior to upgrading to avoid OpenVPN from not working post-upgrade. 
+ +Here are the full patch notes: + +* system: fix inconsistent is_crl_internal() implementation +* system: make sure we always generate a CRL when saved +* system: sandbox code handling CRL manipulation in the CRL manager page +* system: wrap global product information handling into a singleton +* system: move get_nameservers() to ifctl use +* reporting: traffic graph polling interval selection and UX tweaks +* interfaces: port 6RD/6to4 to ifctl use +* interfaces: optionally use reverse DNS resolution for ARP table hostnames (contributed by soif) +* interfaces: allow user-configurable VLAN device names with certain restrictions `[1] `__ +* interfaces: small cleanup on get_real_interface() +* firewall: simplify port forward rule logic for delete and toggle and make sure to toggle firewall rule as well +* firewall: various performance and usability improvements in live log +* firewall: extend all firewall rules with a UUID to align with MVC code upon edit +* firmware: display license validity when applicable in business edition +* ipsec: ACL fix for sessions users +* unbound: support setting type value for DNS over TLS/Query Forwarding API (contributed by kulikov-a) +* unbound: convert advanced settings to MVC/API +* mvc: remove "clear all", "copy" and "paste" options when only a single entry is allowed +* mvc: fix typo in searchRecordsetBase() +* ports: isc-dhcp 4.4.3P1 `[2] `__ +* ports: phalcon 5.0.3 `[3] `__ +* ports: php 8.0.24 `[4] `__ +* ports: squid no-forgery patch fix +* ports: strongswan 5.9.8 `[5] `__ + + + +-------------------------------------------------------------------------- +22.7.5 (October 05, 2022) +-------------------------------------------------------------------------- + + +Today we are fixing a security issue involving the "installer" user and +kernel-based TCP panics that some have been fighting with since FreeBSD 13. +Some ports and plugins have also been updated now that the holiday season +is coming to its inevitable end. 
+ +The security issue arises on fresh 22.7 installs only due to a boot-time +optimization of user account handling since 22.1.8. Users are not reset +on each boot anymore which improved boot times with many users but also made +the "installer" user stick with the default password in this situation. +Physical access to the console with this user was possible under these +conditions even after installation and updates were completed. SSH access +was also possible when both not restricting login to keys and allowing root +login manually. The mandatory reboot after the update to 22.7.5 or higher +remedies this problem. + +In a default install the issue could only be exploited by manual console +access. In general we want to advise users not to yield shell/console +access to non-administrators, restrict physical access if applicable, and +not offer SSH access based on user accounts, especially when SSH is accessible +from the WAN side without a VPN. + +In any case we recommend all users of 22.7.x to update immediately or +take the necessary precautions to avoid the "installer" user from being +accessed in an unauthorized fashion. 
+ +Here are the full patch notes: + +* system: remove stray installer account from fresh 22.7 installations +* system: only use withPadding() for RSA based public keys in CRL code +* system: remove unnecessary crl_update() calls in CRL code +* system: extend pool options support in gateway groups +* system: move get_searchdomains() to ifctl use and allow FQDN +* system: add replacement hook for rc.resolv_conf_generate script +* system: replace "dns reload" backend call with portable alternative +* system: remove obsolete rc.resolv_conf_generate script +* system: bring back the buttons action in OpenVPN dashboard widget (contributed by kulikov-a) +* system: assorted cleanups for IXR library used for XMLRPC +* system: catch errors in RSS dashboard widget +* system: stop reading product info from global $g variable in system information dashboard widget +* system: structurally improve boot sequence with regard to hosts/resolv.conf generation +* system: add keyUsage extension and follow RFC on basicConstraints in CA config (contributed by kulikov-a) +* interfaces: migrate wireless creation to legacy_interface_listget() +* firewall: support TOS/DSCP matching in firewall rules +* firewall: add os-firewall alias paths in getAliasSource() to prevent removal when being used +* firewall: get lockout interface from get_primary_interface_from_list() +* firewall: fix PHP 8 error in port forwarding page +* firewall: fix PHP 8 error in aliases (contributed by kulikov-a) +* firewall: parse pftop internal data conversion (contributed by kulikov-a) +* firmware: opnsense-update: return subscription key via -K if it exists +* ipsec: allow to set rightca in mobile phase 1 with EAP-TLS +* ipsec: fix multiple phase 2 IP addresses on the same interface (contributed by Wagner Sartori Junior) +* unbound: account for hostname during PTR creation +* unbound: maintain a consistent dnsbl cache state +* unbound: reduce blocklist read timeout (contributed by kulikov-a) +* web proxy: update 
pattern to zst for the Arch packages (contributed by gacekjk) +* plugins: os-crowdsec 1.0.1 `[1] `__ +* plugins: os-ddclient 1.9 `[2] `__ +* plugins: os-freeradius 1.9.21 `[3] `__ +* plugins: os-nginx 1.30 `[4] `__ +* src: ifconfig: print interface name on SIOCIFCREATE2 error +* src: igc: do not start in promiscuous mode by default +* src: tcp: correctly compute the retransmit length for all 64-bit platforms +* src: tcp: fix cwnd restricted SACK retransmission loop +* src: tcp: fix computation of offset +* src: tcp: send ACKs when requested +* ports: dnsmasq 2.87 `[5] `__ +* ports: expat 2.4.9 `[6] `__ +* ports: lighttpd 1.4.67 `[7] `__ +* ports: nss 3.83 `[8] `__ +* ports: phalcon 5.0.2 `[9] `__ +* ports: php 8.0.23 `[10] `__ +* ports: phpseclib 3.0.16 `[11] `__ +* ports: python 3.9.14 `[12] `__ +* ports: sqlite 3.39.3 `[13] `__ +* ports: squid 5.7 `[14] `__ +* ports: suricata 6.0.8 `[15] `__ +* ports: unbound 1.16.3 `[16] `__ + + +-------------------------------------------------------------------------- +22.7.4 (September 07, 2022) +-------------------------------------------------------------------------- + + +This update addresses more issues with the somewhat unfortunate phpseclib 3 +migration. WAN IPv6 SLAAC mode now works more reliably and TLS 1.3 web GUI +configurations will enforce the expectations by software clients regarding +interoperability. + +Last but not least the "assign VLAN parent and enable" migration note from +22.1 is no longer required as the boot will attempt to configure all existing +hardware devices once with the selected defaults. 
+ +Here are the full patch notes: + +* system: enforce RFC 8446 by requiring TLS_AES_128_GCM_SHA256 for TLS 1.3 +* system: consider CRL end dates after 2050 as "lifetime" in GeneralizedTime format +* system: revert the default CRL hashing back to what it was in phpseclib 2 +* system: match TLS cipher suites and commands in web GUI settings (contributed by kulikov-a) +* system: improve error message of CRL validation failure (contributed by kulikov-a) +* system: fix phpseclib 3 use for CSR parsing on certificates page +* system: add the default "-c" option to backend pluginctl invokes for consistency +* system: rework console port assignment regarding wireless handling +* interfaces: configure all hardware features for present devices +* interfaces: bring up IPv6 device manually since SLAAC will not do that automatically +* interfaces: merge DHCPv4 / DHCPv6 buttons on overview page (contributed by Maurice Walker) +* interfaces: add support for requesting DNS info via stateless DHCPv6 (contributed by Maurice Walker) +* dnsmasq: restart during "newwanip" event +* ports: curl 7.85.0 `[1] `__ +* ports: libxml 2.10.2 `[2] `__ +* ports: sqlite 3.39.2 `[3] `__ +* ports: syslog-ng 3.38.1 `[4] `__ + + + +-------------------------------------------------------------------------- +22.7.3 (September 01, 2022) +-------------------------------------------------------------------------- + + +Pick up the new FreeBSD security advisories while also introducing assorted +reliability improvements. CRL now works again for elliptic curve with the +adoption of version 3 of phpseclib. Wireless handling was improved due to +PHP 8 errors and coding style issues. It is also the subject of further work +for 23.1. 
+ +Here are the full patch notes: + +* system: migrate CRL handling to phpseclib 3 +* system: run monitor reload inside system_routing_configure() +* system: fix IPv6 link-local HTTP_REFERER check (contributed by Maurice Walker) +* system: fix assorted PHP 8 warnings in the codebase +* system: extend nameservers script return for debugging purposes, i.e. "configctl system list nameservers debug" +* system: lighttpd obsoletion of server listing directive, disabled by default +* system: decode stored CRL data before display (contributed by kulikov-a) +* interfaces: update link-local matching pattern +* interfaces: PPP is an exception, only created after interface configuration +* interfaces: only remove known primary addresses in interface_bring_down() +* interfaces: improve shell banner address return in prefix-only IPv6 case +* interfaces: improve problematic node handling +* interfaces: DHCP does not signal RELEASE +* interfaces: web GUI locale sorts files differently when invoking ifctl +* interfaces: improve legacy_interface_listget() +* interfaces: only parse actual options in legacy_interfaces_details(), not nd6 options +* firewall: implement a router file read fallback for new ifctl :slaac suffix +* firewall: stick-address only in effect with pool option and multiple routers +* firewall: remove dead pptpd server code +* captive portal: lighttpd deprecation of legacy SSL options, disabled by default +* dhcp: allow rapid-commit message exchange in IPv6 server (contributed by Maurice Walker) +* firmware: major upgrade "pkgs" set was still unknown to plugin sync +* intrusion detection: fix enable rule button and present active detail overwrite if present +* ipsec: fixed widget link (contributed by Patrik Kernstock) +* unbound: improve FQDN handling when address is moving in DHCP watcher +* unbound: prevent DNS rebinding check and DNSSEC validation on explicit forwarded domains +* unbound: restrict creation of PTR records for both the system domain and host 
overrides +* unbound: add AAAA-only mode (contributed by Maurice Walker) +* lang: fix syntax errors in French translation (contributed by kulikov-a) +* ui: fix type cast issue in Bootgrid +* plugins: os-ddclient relaxes validation of description field +* plugins: os-frr 1.30 `[1] `__ +* plugins: os-nginx now uses simplified NAME_setup service handling +* plugins: os-wireguard 1.12 `[2] `__ +* plugins: os-zabbix-agent 1.13 `[3] `__ +* plugins: os-zabbix-proxy 1.9 `[4] `__ +* src: rc: improve NAME_setup integration +* src: zlib: fix a bug when getting a gzip header extra field with inflate() `[5] `__ +* src: tzdata: import tzdata 2022b and 2022c `[6] `__ +* ports: ldns 1.8.3 `[7] `__ +* ports: liblz4 1.9.4 +* ports: libxml 2.10.1 `[8] `__ +* ports: nss 3.82 `[9] `__ +* ports: phpseclib 3.0.14 `[10] `__ + +A hotfix release was issued as 22.7.3_2: + +* system: work around phpseclib 3 flagging RSA-PSS as an invalid key alogrithm +* system: check for existing X509 class before doing CRL update + + + -------------------------------------------------------------------------- 22.7.2 (August 17, 2022) -------------------------------------------------------------------------- @@ -117,7 +355,7 @@ Here are the full patch notes: * plugins: os-netdata 1.2 `[5] `__ * plugins: os-nginx 1.29 `[6] `__ * ports: libxml 2.9.14 `[7] `__ -* ports: nss 3.81 `[8] `__ +* ports: nss 3.81 `[8] `__ * ports: rrdtool 1.8.0 `[9] `__ * ports: unbound 1.16.2 `[10] `__
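Review bot: In source/CE_releases.rst the changed sentence still opens with "As of January 2015" while the count moves to 237 and the latest version to 22.7.6, so the date reads as the date of the count rather than the start of the series. Suggest "Since January 2015 there have been *237* releases ..." so the sentence does not need a second edit each time the numbers change. The increment itself matches the four sections added to CE_22.7.rst (22.7.3 to 22.7.6), with the 22.7.3_2 hotfix not counted.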
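Review bot: Across the "ports: nss" hunks (BE_20.7, BE_21.10, BE_21.4, BE_22.4, CE_16.7, CE_20.7, CE_21.1, CE_21.7, CE_22.1 and the last hunk of CE_22.7) the removed and added lines carry the same visible text, so the change is to the link target only and has to be hand-applied once per release entry. Two follow-ups would reduce that: BE_20.7.rst and CE_20.7.rst show the same blob ids (index 26153224..cd35c0d8), meaning the two files are byte-identical and could share one source through an include instead of being patched twice; and the nss release-notes URL could be built from the version in one place rather than repeated inline in every entry. Please also confirm each new target resolves for the older versions (3.27.1 in CE_16.7.rst, 3.73.1 in CE_22.1.rst), since those are the ones most likely to differ in URL form.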
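Review bot: The first hunk of source/releases/BE_22.4.rst (@@ -51,11 +51,12 @@) adds a new entry, "ports: unbound 1.16.2 `[8]`", alongside the nss link fix, which is a content change to already published 22.4.3 notes rather than a link correction. Either call it out in the commit message or move it to its own commit so the history shows why the 22.4.3 package list changed after release. The reference number [8] does follow the existing [7] on syslog-ng, so the numbering itself is fine.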
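Review bot: In source/releases/CE_21.7.rst, hunk @@ -477,7 +477,7 @@, the touched line "ports: nss 3.69 `[9]`" sits between libressl and monit, breaking the alphabetical order used by every other ports list in this patch, and its reference [9] precedes monit's [10]. Since the line is being edited anyway, consider moving it below "ports: mpd5 ..." and renumbering the references in the same change.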
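Review bot: In the large added block of source/releases/CE_22.7.rst (@@ -34,6 +34,244 @@) there are a few wording problems worth fixing before this is published: the 22.7.3_2 hotfix entry has "invalid key alogrithm" (should be "algorithm"), the 22.7.6 introduction says "carried out on older installation without a problem as well prior to upgrading to avoid OpenVPN from not working post-upgrade" (suggest "on older installations before upgrading, so that OpenVPN keeps working after the upgrade"), and "ports: isc-dhcp 4.4.3P1" does not match the "4.4.2-P1" form used for the same port in BE_21.4.rst and CE_21.1.rst. On the 22.7.5 security text, the closing paragraph tells users who cannot update to "take the necessary precautions" without saying which ones; the preceding paragraph already lists them (no shell/console access for non-administrators, restricted physical access, no password-based SSH for user accounts), so pointing back to that list explicitly would make the advice actionable. It would also help to state how an administrator can confirm after the mandatory reboot that the "installer" account is gone, since the text says the reboot remedies the problem but gives no way to check.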