mirror of https://github.com/opnsense/docs
update changelogs
parent
ea214e1ab0
commit
0c2af65e75
@ -0,0 +1,27 @@
====================================
Business Edition
====================================



.. image:: images/architecture-blue-sky-business-2599538.jpg
   :width: 600px
   :align: center

OPNsense Business Edition is intended for companies, enterprises and professionals looking for a more
selective upgrade path (lags behind the community edition), additional commercial features and who want to
support the project in a more commercial way compared to donating.



The list below contains all releases, ordered by version number categorized by major version.

.. toctree::
   :maxdepth: 2
   :titlesonly:
   :glob:

   releases/BE_20.7
   releases/BE_20.1
   releases/BE_19.7
   releases/BE_19.1
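Review bot: the toctree combines `:glob:` with four explicitly listed pages (`releases/BE_20.7` through `releases/BE_19.1`), so the glob option does nothing today and will silently change the ordering the text promises ("ordered by version number") if a wildcard entry is ever added; either drop `:glob:` or replace the explicit list with one pattern and accept glob ordering. The image path `images/architecture-blue-sky-business-2599538.jpg` is relative to this page while the sibling Community Edition page in the same commit references `/development/images/...`; pick one location so the Sphinx build does not warn about a missing image when either file moves.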
@ -0,0 +1,35 @@
====================================
Community Edition
====================================



.. image:: /development/images/ideas_join_the_development.jpg
   :width: 600px
   :align: center

As of January 2015 there have been *195* releases leading to the latest version *21.1*
named "Marvelous Meerkat".



The list below contains all releases, ordered by version number categorized by major version.

.. toctree::
   :maxdepth: 2
   :titlesonly:
   :glob:

   releases/CE_21.1
   releases/CE_20.7
   releases/CE_20.1
   releases/CE_19.7
   releases/CE_19.1
   releases/CE_18.7
   releases/CE_18.1
   releases/CE_17.7
   releases/CE_17.1
   releases/CE_16.7
   releases/CE_16.1
   releases/CE_15.7
   releases/CE_15.1
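Review bot: `As of January 2015 there have been *195* releases leading to the latest version *21.1*` hard-codes both a release count and a version that go stale with the next release, and neither the file nor the commit message says who bumps them; add an RST comment above the sentence stating that both values must be updated per release, or derive them from the release list. The `*195*` and `*21.1*` markup renders as italics, which reads as an aside rather than a figure; plain text or ``literal`` markup is clearer. The image is pulled from `/development/images/ideas_join_the_development.jpg`, another section's asset directory, so restructuring that section later breaks this page without any change here.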
@ -0,0 +1,986 @@
===========================================================================================
19.1 "Inspiring Iguana" Series
===========================================================================================



For more than four years now, OPNsense is driving innovation through
modularising and hardening the open source firewall, with simple and
reliable firmware upgrades, multi-language support, HardenedBSD security,
fast adoption of upstream software updates as well as clear and stable
2-Clause BSD licensing.

The 19.1 release, nicknamed "Inspiring Iguana", consists of a total of
620 individual changes since 18.7 came out 6 months ago, spread out over
12 intermediate releases including the recent release candidates. That is
the average of 2 stable releases per month, security updates and important
bug fixes included! If we had to pick a few highlights it would be: The
firewall alias API is finally in place. The migration to HardenedBSD 11.2
has been completed. 2FA now works with a remote LDAP / local TOTP
combination. And the OpenVPN client export was rewritten for full API
support as well.

Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
can be found below as well.

* Europe: https://opnsense.c0urier.net/releases/19.1/
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.1/
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.1/
* South America: http://mirror.upb.edu.co/opnsense/releases/19.1/
* South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.1/
* Full mirror list: https://opnsense.org/download/


--------------------------------------------------------------------------
19.1.10 (July 03, 2019)
--------------------------------------------------------------------------


Small update as we are nearing the end of the 19.1 series. Yes, it is
that time of the year again with a release candidate only a few days
away and a final release date set to July 17.

Here are the full patch notes:

* system: change certificate manager actions to POST
* system: fix account removal with missing "-g" option
* system: add dashboard widgets to XMLRPC sync
* firewall: fix live log rule label mismatch caused by optimisation
* firewall: fix alias import with alias references included
* firewall: change default sorting of aliases to names
* firmware: add homelab.no mirror (contributed by Thomas Jensen)
* intrusion detection: when toggling rules keep the current action
* intrusion detection: suppress mystery PHP 7.2+ warning in API
* intrusion detection: show SID in alert view
* web proxy: add cache reset button
* web proxy: correct syslog export
* plugins: os-dyndns 1.6 DigitalOcean support (contributed by Dune Heishman)
* plugins: os-etpro-telemetry Python 3 support
* plugins: os-frr 1.11 `[1] <https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr>`__
* plugins: os-nginx 1.14 `[2] <https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr>`__
* plugins: os-rspamd 1.7 `[3] <https://github.com/opnsense/plugins/blob/master/mail/rspamd/pkg-descr>`__
* plugins: os-tinc Python 3 support
* ports: ca_root_nss 3.44.1
* ports: curl 7.65.1 `[4] <https://curl.haxx.se/changes.html>`__
* ports: libevent 2.1.10 `[5] <https://github.com/libevent/libevent/releases/tag/release-2.1.10-stable>`__
* ports: libxml 2.9.9 `[6] <https://mail.gnome.org/archives/xml/2019-January/msg00000.html>`__
* ports: libressl 2.9.2 `[7] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.9.1-relnotes.txt>`__ `[8] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.9.2-relnotes.txt>`__
* ports: phalcon 3.4.4 `[9] <https://github.com/phalcon/cphalcon/releases/tag/v3.4.4>`__
* ports: strongswan 5.8.0 `[10] <https://wiki.strongswan.org/versions/73>`__
* ports: unbound 1.9.2 `[11] <https://nlnetlabs.nl/projects/unbound/download/>`__

A hotfix release was issued as 19.1.10_1:

* firmware: enable upgrade path to 19.7



--------------------------------------------------------------------------
19.1.9 (June 06, 2019)
--------------------------------------------------------------------------


Small 19.1 series update mainly focusing on LDAP group synchronisation
and assorted OpenVPN improvements. Two regressions of previous versions
have been fixed as well.

Here are the full patch notes:

* system: add LDAP group synchronisation feature
* system: allow an arbitrary group for sudo like ssh login
* system: stop using a lock around resolv.conf handling
* system: rename a number of service-related functions
* system: login not using cache-safe image yet
* system: add pluginctl -s support
* system: restyle config backup page
* system: fix log split view regression of 19.1.8
* interfaces: remove DHCPv6 on delete and clear config on IPsec assignment
* interfaces: small VIP restructure and IPv6 alias to IPv6 device
* interfaces: subtle changes in IPv6 and variable naming
* interfaces: add missing does_interface_exist() checks
* firewall: support multiple interfaces per NAT port forward rule
* captive portal: use "onestop" to stop service
* intrusion detection: missing header ID in alerts tab
* ipsec: remove remnants of gateway group interface selection
* ipsec: use indirect plugin calls in interface code
* openvpn: add live-search to longer lists in server page
* openvpn: support --cryptoapicert export (sponsored by m.a.x. it `[1] <https://www.max-it.de/>`__ )
* opnevpn: correctly check for translation in get_carp_interface_status()
* openvpn: use waitforpid() to properly wait for instanes to come up
* openvpn: translate GUI error values when returning them
* openvpn: revamp status page
* unbound: leases watcher file rotation issue
* web proxy: squid log in readable date format (contributed by nhirokinet)
* web proxy: fix non-local authentication regression of 19.1.7
* plugins: os-bind 1.5 `[2] <https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr>`__
* plugins: os-clamav 1.7 `[3] <https://github.com/opnsense/plugins/blob/master/security/clamav/pkg-descr>`__
* plugins: os-dnscrypt-proxy 1.4 `[4] <https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr>`__
* plugins: os-dyndns clouldflare wildcard domain support
* plugins: os-nginx 1.13 `[5] <https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr>`__
* plugins: os-openconnect 1.4.0 `[6] <https://github.com/opnsense/plugins/blob/master/security/openconnect/pkg-descr>`__
* plugins: os-redis 1.1 `[7] <https://github.com/opnsense/plugins/blob/master/databases/redis/pkg-descr>`__
* plugins: os-rspamd 1.6 `[8] <https://github.com/opnsense/plugins/blob/master/mail/rspamd/pkg-descr>`__
* plugins: os-theme-cicada 1.18 (contributed by Team Rebellion)
* plugins: os-theme-tukan 1.18 (contributed by Team Rebellion)
* ports: curl 7.65.0 `[9] <https://curl.haxx.se/changes.html>`__
* ports: lighttpd 1.4.54 `[10] <https://www.lighttpd.net/2019/5/27/1.4.54/>`__
* ports: python 3.7.3 `[11] <https://www.python.org/downloads/release/python-373/>`__
* ports: openssl 1.0.2s `[12] <https://www.openssl.org/news/cl102.txt>`__
* ports: php 7.2.19 `[13] <https://www.php.net/ChangeLog-7.php#7.2.19>`__



--------------------------------------------------------------------------
19.1.8 (May 20, 2019)
--------------------------------------------------------------------------


This update addresses several privilege escalation issues in the access
control implementation and new memory disclosure issues in Intel CPUs.
We would like to thank Arnaud Cordier and Bill Marquette for the top-notch
reports and coordination.

Here are the full patch notes:

* system: address CVE-2019-11816 privilege escalation bugs `[1] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11816>`__ (reported by Arnaud Cordier)
* system: /etc/hosts generation without interface_has_gateway()
* system: show correct timestamp in config restore save message (contributed by nhirokinet)
* system: list the commands for the pluginctl utility when no argument is given
* system: introduce and use userIsAdmin() helper function instead of checking for "page-all" privilege directly
* system: use absolute path in widget ACLs (reported by Netgate)
* system: RRD-related cleanups for less code exposure
* interfaces: add EN DUID Generation using OPNsense PEN (contributed by Team Rebellion)
* interfaces: replace legacy_getall_interface_addresses() usage
* firewall: fix port validation in aliases with leading / trailing spaces
* firewall: fix outbound NAT translation display in overview page
* firewall: prevent CARP outgoing packets from using the configured gateway
* firewall: use CARP net.inet.carp.demotion to control current demotion in status page
* firewall: stop live log poller on error result
* dhcp: change rule priority to 1 to avoid IPv6 bogon clash
* dnsmasq: only admins may edit custom options field
* firmware: use insecure mode for base and kernel sets when package fingerprints are disabled
* firmware: add optional device support for base and kernel sets
* firmware: add Hostcentral mirror (HTTP, Melbourne, Australia)
* ipsec: always reset rightallowany to default when writing configuration
* lang: say "hola" to Spanish as the newest available GUI language
* lang: updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese
* network time: only admins may edit custom options field
* openvpn: call openvpn_refresh_crls() indirectly via plugin_configure() for less code exposure
* openvpn: only admins may edit custom options field to prevent privilege escalation (reported by Bill Marquette)
* openvpn: remove custom options field from wizard
* unbound: only admins may edit custom options field
* wizard: translate typehint as well
* plugins: os-freeradius 1.9.3 fixes string interpolation in LDAP filters (contributed by theq86)
* plugins: os-nginx 1.12 `[2] <https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr>`__
* plugins: os-theme-cicada 1.17 (contributed by Team Rebellion)
* plugins: os-theme-tukan 1.17 (contributed by Team Rebellion)
* src: timezone database information update `[3] <https://www.freebsd.org/security/advisories/FreeBSD-EN-19:08.tzdata.asc>`__
* src: install(1) broken with partially matching relative paths `[4] <https://www.freebsd.org/security/advisories/FreeBSD-EN-19:09.xinstall.asc>`__
* src: microarchitectural Data Sampling (MDS) mitigation `[5] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:07.mds.asc>`__
* ports: ca_root_nss 3.44
* ports: php 7.2.18 `[6] <https://www.php.net/ChangeLog-7.php#7.2.18>`__
* ports: sqlite 3.28.0 `[7] <https://www.sqlite.org/changes.html>`__
* ports: strongswan custom XAuth generic patch removed



--------------------------------------------------------------------------
19.1.7 (May 02, 2019)
--------------------------------------------------------------------------


This update features a number of improvements such as link-local support
for bridges, HA sync consolidation, adding local CAs to the trusted SSL
certificates for most of the system download capabilities, plugin-based
PAM authentication rework for IPsec and the web proxy as well as third
party fixes for hostapd / wpa_supplicant 2.8 and Suricata 4.1.4.

Python 3 migration is also underway now which requires to pull in both
Python versions which may be heavy on embedded Nano installs, but we
cannot see another way for this tedious task which will probably stretch
into 19.7 to be fully carried out in 20.1.

And speaking of 20.1: This is the first of many reminders that 20.1 will
discontinue the i386 (Intel 32 Bit) franchise as discussed a number of
times within the community over the years. Our hope is that ARM64 will
make a viable replacement. But that is for another time.

As you may have noticed the project has not been delivering releases every
other week and there are a number of reasons for it:

Security-wise we have not had a lot of necessary third-party software
updates. Feature-wise we are sitting on a number of improvements for the
upcoming 19.7 series that will trickle into 19.1.x now, but that have also
required larger preparations and testing in the meantime. On the community
side of the spectrum, sponsored by our partner m.a.x. it, we have started
to work on better default gateway switching which led to an overall gateway
integration rework and then quickly to interface handling restructuring,
which in turn led to improving plugin capabilities of core services
(OpenVPN, IPsec, Unbound, Dnsmasq, DHCPD, Dpinger). Looking at it now it
has been the largest rework so far on code established many years ago and
only occasionally patched. We hope this shows our dedication to the code
base even when things are not always 100% bug free. If you feel like
pitching in now is a good time to try the development version and let us
know about how it performs.

Without further ado, here are the full patch notes:

* system: HA sync cleanup removes opportunistic syncs in random GUI pages (use HA status page to sync and restart remote services)
* system: support for syncing alias and VHID to the slave
* system: cleanly rewrite CA root files and add local trusted CAs as well
* system: disable backup cron job when no backup is enabled
* system: more reliable load and sync for LDAP attributes (contributed by Indrajit Raychaudhuri)
* system: migrate health graph scripts to Python 3.6
* interfaces: properly add and remove IPv6 trackers after interface apply
* interfaces: validate prefix ID of IPv6 trackers so that each ID is unique
* interfaces: display "0x" in prefix ID field so that it is clear that value is in hex
* interfaces: fix passing VLAN name in interface_virtual_create()
* interfaces: fix group-related bugs and allow digits and underscores in name, but no more than 15 characters
* interfaces: allow link-local address on bridges via optional setting
* interfaces: PPP-related code cleanups
* firewall: prevent double-escaping of text in rules page
* firewall: handle IDNA encode failures in aliases
* firewall: alias import / export option
* captive portal: update to bootstrap 3.4.1
* captive portal: fix a race in directory creation and listClients()
* dhcp: fix TFTP boot file name usage (contributed by Bjorn Kalkbrenner)
* dhcp: merge static mac addresses with leases
* dhcp: prevent double-escaping of text in leases page
* firmware: add private log file for major upgrade package install step
* firmware: use a safer major upgrade package install mode
* firmware: retain /etc/motd on base updates
* ipsec: implemented wildcard includes (contributed by Mark Plomer)
* ipsec: only apply mobile PFS to mobile phase 2
* ipsec: restyle mobile settings a little
* ipsec: switch XAuth to PAM
* ipsec: partial fix for static routes on routed tunnels during boot
* network time: reload RRD since NTP has a setting for it
* web proxy: fix PAC weekday match labels (contributed by Mohammed Sadiq)
* web proxy: switch authentication to PAM
* backend: treat non existing key as empty string in sortDictList()
* mvc: pluggable PAM-based authentication framework
* mvc: add filter closure to searchBase()
* plugins: introduce plugins_run() for collecting structured data from plugins
* plugins: os-clamav 1.6 `[1] <https://github.com/opnsense/plugins/blob/master/security/clamav/pkg-descr>`__
* plugins: os-dyndns 1.5 fixes CloudFlare zone ID lookup behaviour (contributed by George Johnson)
* plugins: os-frr 1.10 `[2] <https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr>`__
* plugins: os-netdata 1.0 (contributed by Michael Muenz)
* plugins: os-nginx 1.11_2 fixes ACME support (contributed by Frank Wall)
* plugins: os-rfc2136 1.5 removes unused gateway group related code
* src: move invoking of callout_stop(&lle->lle_timer) into llentry_free()
* src: ensure that IP addresses match in ICMP error packets in pf(4)
* src: add bsdinstall utility for upcoming 19.7 installer replacement
* ports: dhcp6c v20190419 fixes raw options segfaults (contributed by Franck78)
* ports: hostapd / wpa_supplicant 2.8 `[3] <https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog>`__
* ports: perl 5.28.2 `[4] <https://perldoc.pl/5.28.2/perldelta>`__
* ports: py-yaml 5.1 `[5] <https://github.com/yaml/pyyaml/blob/master/CHANGES>`__
* ports: suricata 4.1.4 `[6] <https://suricata-ids.org/2019/04/30/suricata-4-1-4-released/>`__
* ports: sqlite 3.27.2 `[7] <https://www.sqlite.org/changes.html>`__



--------------------------------------------------------------------------
19.1.6 (April 11, 2019)
--------------------------------------------------------------------------


This update brings a smaller number of fixes and improvements as well as
the latest PHP version update.

With a heavy heart we disable E_WARNING messages in the PHP error reporting.
It has been implemented in 2015 to improve code quality and it did just that,
but with the latest PHP 7.2 jump in 19.1.5 it causes problems around the
newly added count() usage warning messages. We plan to bring back E_WARNING
usage in 19.7.

Here are the full patch notes:

* system: let dashboard only accept its own POST requests
* system: remove obsolete symlink to opnsense-auth
* system: skip PHP E_WARNING log level until 19.7
* system: numerous PHP 7.2 warning fixes
* dhcp: DHCPD server check in relay only if interface is active
* dnsmasq: skip empty custom options
* intrusion prevention: do not drop flowbits:noalert rules
* unbound: add ACL entries for OpenVPN by default
* mvc: controller cleanups in firewall shaper, web proxy and captive portal
* plugins: numerous PHP 7.2 warning fixes
* plugins: os-freeradius 1.9.2 fixes LDAP group filter and EAP certificates write (contributed by Alexander Harm)
* plugins: os-nginx 1.11 `[1] <https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr>`__
* ports: php 7.2.17 `[2] <https://php.net/ChangeLog-7.php#7.2.17>`__
* ports: py-certifi 2019.3.9 `[3] <https://pypi.org/project/certifi/2019.3.9/>`__



--------------------------------------------------------------------------
19.1.5 (April 05, 2019)
--------------------------------------------------------------------------


After a longer pause we are back with considerable upgrades for IPsec,
a new CSR feature for local CAs, PHP 7.2 migration and a number of other
considerable third party updates.

These are the full patch notes:

* system: improve gateway status return when monitoring is off
* system: warn user about future deprecation of "user-config-readonly" privilege
* system: support certificate signing requests (contributed by nhirokinet)
* system: syslog does not need to do a background startup since it backgrounds itself
* system: invalidate Nextcloud URL with trailing slash (contributed by Fabian Franz)
* system: avoid double encoding cert name (contributed by Indrajit Raychaudhuri)
* interfaces: fix facility for rtsold log about dhcp6c (contributed by Thomas du Boys)
* interfaces: take all unknown arguments as real interfaces in interfaces_addresses()
* interfaces: optionally allow interfaces_addresses() to emit subnets instead of addresses
* interfaces: move mpd.script to new location (may require interface reconfigure)
* firewall: proper locking of aliases before config action on delete
* firewall: correctly set outbound NAT destination as network
* firewall: add support for DSCP in shaper (contributed by Michael Muenz)
* firewall: add support for IDN in aliases (contributed by Smart-Soft)
* captive portal: allow access to this host (contributed by Fredrik Ronnvall)
* firmware: fix parsing of packages in multi-repo env and revoked fingerprint message
* firmware: add University of Kent to the firmware mirrors
* ipsec: only use explicit reqid when using route-based interfaces
* ipsec: correctly set install policy option on newly created phase 1 entries
* ipsec: improve split DNS and INTERNAL_DNS_DOMAIN configuration
* ipsec: added IKEv2 DH group 31 / curve 25519 (contributed by Peter Stehlin)
* ipsec: properly quote UNITY_BANNER for multi-line support
* ipsec: support for dynamic remote gateways
* monit: add migration/validation for service/test type dependency (contributed by Frank Brendel)
* monit: added missing "not on" label
* openvpn: support static-challenge formatted password
* openvpn: properly load custom config field in exporter
* openvpn: cleanups in listening address handling
* web proxy: IP address not available when address set to none
* web proxy: add sortable support for PAC proxy lists (contributed by Fabian Franz)
* web proxy: add dash to allowed characters in description (contributed by Fabian Franz)
* backend: python 2->3 iteritems() conversion in core templates
* mvc: migrate config backup rotation to handle static and MVC pages (contributed by Smart-Soft)
* mvc: controller cleanups in cron, intrusion detection, routes
* mvc: obey "user-config-readonly" privilege in mutable controllers
* mvc: support overlays in setBase() / addBase()
* ui: remove jquery-bootgrid converters which are now included in the library
* plugins: os-acmle-client 1.23 `[1] <https://github.com/opnsense/plugins/pull/1166>`__ `[2] <https://github.com/opnsense/plugins/pull/1212>`__ `[3] <https://github.com/opnsense/plugins/pull/1263>`__
* plugins: os-dyndns 1.14 supports wildcards for Google Domains
* plugins: os-etpro-telemetry 1.3 uses HOME_NET to anonymization
* plugins: os-freeradius 19.1.0 `[4] <https://github.com/opnsense/plugins/blob/master/net/freeradius/pkg-descr>`__
* plugins: os-frr 1.9 `[5] <https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr>`__
* plugins: os-nginx 1.10 `[6] <https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr>`__
* plugins: os-postfix 1.9 `[7] <https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr>`__
* plugins: os-rspamd 1.5 `[8] <https://github.com/opnsense/plugins/blob/master/mail/rspamd/pkg-descr>`__
* plugins: os-telegraf 1.7.5 `[9] <https://github.com/opnsense/plugins/blob/master/net-mgmt/telegraf/pkg-descr>`__
* plugins: os-theme-cicada 1.15 (contributed by Team Rebellion)
* plugins: os-theme-tukan 1.14 (contributed by Team Rebellion)
* plugins: os-zabbix-agent 1.5 `[10] <https://github.com/opnsense/plugins/pull/1262>`__
* ports: ca_root_nss 3.43
* ports: curl 7.64.1
* ports: libucl 0.8.1
* ports: pcre 8.43
* ports: php 7.2.16
* ports: py-cryptography 2.6.1
* ports: phpseclib 2.0.15
* ports: python 2.7.16
* ports: unbound 1.9.1

A hotfix release was issued as 19.1.5_1:

* mvc: sync missing hasPrivilege()



--------------------------------------------------------------------------
19.1.4 (March 12, 2019)
--------------------------------------------------------------------------


An UEFI boot panic scenario was debugged last week with the help of the
community. This update includes a fix that will allow the ones affected
by this 19.1 issue to upgrade or install (and boot of course) correctly.
We are also including the IPsec VTI support and the latest Suricata 4.1.3
with stability and compatibility fixes.

Due to the severity of the UEFI boot panic 19.1.4 will be the new initial
release for all upgrades from 18.7 within a day or two depending on
additional testing and confirmation. Last but not least there will be
new images some time next week to put this fully behind us. Thank you
for your patience and understanding. :)

Special thanks go to the team of Synacktiv for reporting a packet filter
IPv6 vulnerability for which a patch was included as well.

Here are the full patch notes:

* system: remove erroneously translated hostname example (contributed by nhirokinet)
* firewall: fix validation regression in outbound NAT introduced in 19.1.3
* firewall: mock labels for NAT rules in live log as pf does not offer label support
* interfaces: do not background LAGG ifconfig destroy
* installer: revert to use network connection to allow CTRL+C and resume
* ipsec: added Virtual Tunnel Interface (VTI) support
* unbound: fix nested statistics items read
* mvc: remove old Phalcon volt template workarounds from when scopes were broken
* mvc: fix bug in model relation field values merge
* plugins: os-zabbix4-proxy PSK directory fix (contributed by Michael Muenz)
* plugins: os-telegraf missed invoke of setup.sh
* plugins: os-frr adds validator to OSPF prefix lists (contributed by Michael Muenz)
* plugins: os-dmidecode 1.1 fixes data parsing (contributed by Smart-Soft)
* plugins: os-nginx 1.9 `[1] <https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr>`__
* src: do not pass pf(4) IPv6 fragments with malformed extension headers (reported by Synacktiv)
* src: revert upstream commit "protect the kernel text, data, and BSS" to fix certain UEFI boots
* ports: monit 5.25.3 `[2] <https://mmonit.com/monit/changes/>`__
* ports: ntp 4.2.8p13 `[3] <http://support.ntp.org/bin/view/Main/NtpBug3565>`__
* ports: php 7.1.27 `[4] <https://php.net/ChangeLog-7.php#7.1.27>`__
* ports: suricata 4.1.3 `[5] <https://suricata-ids.org/2019/03/07/suricata-4-1-3-released/>`__

The full list of changes of the OPNsense 19.1 series can be reviewed using
their original announcements:

* 19.1: https://forum.opnsense.org/index.php?topic=11398.0
* 19.1.1: https://forum.opnsense.org/index.php?topic=11469.0
* 19.1.2: https://forum.opnsense.org/index.php?topic=11849.0
* 19.1.3: https://forum.opnsense.org/index.php?topic=11941.0

We would also like to use this opportunity to remind everyone that OPNsense
is and always will be free software. All of its source code and associated
build tools can be found here:

https://github.com/opnsense

Download links, an installation guide `[6] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
can be found below as well.

* Europe: https://opnsense.c0urier.net/releases/19.1/
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.1/
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.1/
* South America: http://mirror.upb.edu.co/opnsense/releases/19.1/
* South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.1/
* Full mirror list: https://opnsense.org/download/

The public key for the 19.1 series is:

.. code-block::

   # -----BEGIN PUBLIC KEY-----
   # MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4NKHVbdmq9RN085Nfdyc
   # ip5IMNwcc4QcvGIbN51+UiHh8+aj+JJSswHg5ZBwKk6bxt8kA1NAJQk5U6Qb/UXi
   # QYt0zvN2ABrzBHq6WRE5WPzmQa1Raky4ChfQqorOFi3D96rMvI/Anm4OLllHcMX/
   # GKPA1XcODJTFQOjsAR+87V6Em+W0YX0lGLTmWdmwWfGeGQFJzA2A/Wxn3b0jDS9m
   # pyHlj4jzat6032qs7Uxf+qWopj+d76ZyxedQVPswKa9o9qKF2iUoSSG/11kFpLi6
   # Y+gXCXZDL20GXsPuBi1hpPnkhBFI+WFlC1KiA8RRGMpDKGQFw/XYIwKvfdRw82Mx
   # NkJYCiRNZxXnDzInTLuyEpS9yzQXdxa6YFR9USeFpjLaVUppT57M5xfdPFRdhImj
   # 1crhMjQZWt+054JTadvEu4o1c+45damruqtQntvnF7h5vcNCjExlREKK32rMXbGD
   # Fb19G/3x8UASqVslkXeNtTj0fVPN+78yVyqjWCBe2zHiBlnWBmRu6tlrEDl/MVAz
   # Yk3rHMYdRpDYolWBD8bAzqohSatbrzWUjjF7GlLR6HfXsCYxPzGJb6Ed4We+ZjvH
   # C3/LHyuZD6EmksSraJt8XeVvTQlPnPI+jVbqJERi/p3F9KRVy8mwEwk/4MDbPhZ0
   # zizSg7+Yn6Rac/F0QlvUPa8CAwEAAQ==
   # -----END PUBLIC KEY-----



.. code-block::

   # SHA256 (OPNsense-19.1.4-OpenSSL-dvd-amd64.iso.bz2) = 5f2e64797fce03d4d47050894c38e8e176fda6281009abd36f60d788d3e29d42
   # SHA256 (OPNsense-19.1.4-OpenSSL-nano-amd64.img.bz2) = ee5171fb837884fffd29c6e75cb089dc4020fb89459143bd9e7b859b1da3fd89
   # SHA256 (OPNsense-19.1.4-OpenSSL-serial-amd64.img.bz2) = 07868978903220bf9dee26c936d25140df07ec9c02cb8c480bd8619e69c562a0
   # SHA256 (OPNsense-19.1.4-OpenSSL-vga-amd64.img.bz2) = e473bc645778c95596639056ecc8ef92a12a7fd1cdc52cd0b1f6294a64561311

.. code-block::

   # SHA256 (OPNsense-19.1.4-OpenSSL-dvd-i386.iso.bz2) = 9f40b591c27d90a86c60ec0b539f228999953f947573e2e575c2936c3993d7c0
   # SHA256 (OPNsense-19.1.4-OpenSSL-nano-i386.img.bz2) = c624d50b19f2ae4d471076c53f5c516e3a523ff41b69d0bfa779b5fff6415f81
   # SHA256 (OPNsense-19.1.4-OpenSSL-serial-i386.img.bz2) = 62bff974ae4238dfc2e830a32fbf4bd357ff418d15be99b89ac129f839e10eaf
   # SHA256 (OPNsense-19.1.4-OpenSSL-vga-i386.img.bz2) = ca893277a02b93129e6a30125107f7ad4fc01673b722f54ce6e5cb7eb438cae4

--------------------------------------------------------------------------
|
||||
19.1.3 (March 07, 2019)
|
||||
--------------------------------------------------------------------------


This is a smaller stable update consisting of LDAPS authentication
server improvements, Unbound host overrides alias support, OpenSSL
1.0.2r security update and the recent PAM rework for better privilege
separation.

We are currently focusing on IPsec VTI, third-party service PAM
integration and investigating kernel boot crashes. In the latter
case we are aware of the update issues some people are having and
recommend running 18.7 until this is taken care of. Above all,
please be patient. New images and seamless upgrade paths will be
provided as soon as the problems have been pinned down.

Here are the full patch notes:

* system: improve LDAPS mode and related authentication cleanups
* system: move enable checkbox to the top in remote logging settings
* system: allow reset of tunables to to factory defaults
* system: new tunables factory default to prevent ICMP redirects being sent (net.inet.icmp.drop_redirect=1)
* firewall: allow explicitly setting source hash key in outbound NAT (Fredrik Ronnvall)
* interfaces: probe media before applying new settings
* interfaces: correctly compare MAC addresses
* dhcp: added TFTP bootfile-name (contributed by Bjorn Kalkbrenner)
* firmware: move duty to return the correct set name / ID to opnsense-version
* firmware: finally revoke 18.7 fingerprint
* intrusion detection: minor template cleanups using helpers.empty()
* ipsec: peer identifier can now fall back to remote-gateway in manual SPD entries
* ipsec: allow easier override of colours in widget (contributed by Fabian Franz)
* monit: add validation for test type (contributed by Frank Brendel)
* openvpn: add auth-nocache option in exporter
* openvpn: validate certificate type for servers
* unbound: add host overrides alias support
* web proxy: add auth to parent proxy (contributed by Michael Muenz)
* backend: add helpers.empty() in configd
* mvc: simplify save / close / cancel button labels
* mvc: add sorting for field list types
* rc: move all template generation to early stage
* ui: improve escaping of displayed data in static pages
* ui: escape button values in static pages
* ui: avoid short PHP tags
* plugins: os-dnscrypt-proxy 1.3 `[1] <https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr>`__
* plugins: os-frr brings in missing area range code `[2] <https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr>`__
* plugins: os-postfix log file ACL and wrapper mode typo fix (contributed by Michael Muenz)
* plugins: os-theme-cicada IPsec widget colour fix (contributed by Team Rebellion)
* plugins: os-theme-tukan IPsec widget colour fix (contributed by Team Rebellion)
* plugins: os-vnstat /var MFS fix `[3] <https://github.com/opnsense/plugins/blob/master/net/vnstat/pkg-descr>`__
* plugins: os-zabbix4-proxy 1.0 (contributed by Michael Muenz)
* ports: openssl 1.0.2r `[4] <https://www.openssl.org/news/secadv/20190226.txt>`__
* ports: pam_opnsense 19.1.3 uses setuid for privilege separation
* ports: phalcon 3.4.3 `[5] <https://github.com/phalcon/cphalcon/releases/tag/v3.4.3>`__



--------------------------------------------------------------------------
19.1.2 (February 28, 2019)
--------------------------------------------------------------------------


This update is the sum of a few weeks of intense testing and debugging
in areas such as WAN DHCP with very short lease times, Suricata IPS not
working as expected, stacked 6RD setups that have overly long device names
amongst others.

The update may be a bit bumpy this time since the web GUI session directory
will be moved to a safer location. You will be logged out during the update
and the system will reboot due to the included operating system update. As
soon as it is back you will be able to log in as usual.

LibreSSL received a major upgrade from 2.7 to 2.8. If you are using LibreSSL
and see any issues please do let us know because it sadly looks like third
party projects such as OpenVPN, Squid, StrongSwan and NTP leave the use of
LibreSSL to the few users who are able to fix the source code builds on their
own and we want to ideally avoid having to patch third party software.

Here are the full patch notes:

* system: move session files into their own directory (forces the current sessions to expire)
* system: add validation check for time period for Dpinger (contributed by Team Rebellion)
* system: hide "show certificate info" button of pending CSR (contributed by nhirokinet)
* system: move opnsense-auth to libexec, but keep a symlink in sbin directory
* system: escaping issue in gateway edit page
* system: fix ACL for halt and reboot pages
* firewall: fix alias entry replacement in utility page
* firewall: prevent new alias creation when adding an address
* firewall: capture "nat" traffic like we do for "rdr" in live log
* firewall: escaping issues in schedule edit page
* interfaces: push dhclient and dhcp6c log messages to system log
* interfaces: write all nameservers via dhclient-script in multi WAN scenarios
* interfaces: check for valid alias IP in dhclient-script
* interfaces: 6RD interface naming back to 18.7 to sidestep character limits on stacked setups
* interfaces: avoid reading empty interface configurations
* firmware: bootstrap rework for HTTPS repository URL
* firmware: patch cache and assorted improvements
* firmware: minor update utility cleanups
* firmware: remove compatibility stubs for pre-19.1 version reads
* firmware: show revoked package mirror error in GUI if applicable
* firmware: bump RageNetwork mirror to HTTPS
* firmware: be more careful about parsing version info
* dhcp: fix behaviour of determining primary/secondary (contributed by Fredrik Ronnvall)
* intrusion detection: set stream.inline: true as an IPS workaround for a Suricata 4.1 regression `[1] <https://redmine.openinfosecfoundation.org/issues/2811>`__
* intrusion detection: support required rules/files in metadata package
* intrusion detection: less extensive logging
* ipsec: fix escaping issue in mobile page
* monit: fix address validation
* openvpn: obey verify-x509-name for remote access (user auth)
* openvpn: proper daemonize instead of background job
* openvpn: extract full CA chain for setup
* openvpn: missing "port" in protocol export
* mvc: fix port validation on whitespace input
* mvc: fix compare constraint (contributed by Fabian Franz)
* mvc: fix read-only access on config.xml during locked runs
* mvc: prevent UserException from being pushed to PHP error log
* ui: legacy browsers accommodation (contributed by NOYB)
* ui: update to Tokenize2 1.3 plus additional escaping patches
* ui: add support for Tokenize2 sortable tag
* ui: hardening of gettext() invokes in HTML tags
* ui: fix setFormData() HTML decode
* plugins: os-bind safe search google domain updates (contributed by Michael Muenz)
* plugins: os-dnscrypt-proxy 1.2 `[2] <https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr>`__
* plugins: os-dyndns 1.13 IPv6 device lookup fix
* plugins: os-etpro-telemetry 1.2 reduces telemetry data collection
* plugins: os-frr 1.8 adds route summarization via area range (contributed by Michael Muenz)
* plugins: os-haproxy 2.15 `[3] <https://github.com/opnsense/plugins/pull/1167>`__ `[4] <https://github.com/opnsense/plugins/pull/1209>`__
* plugins: os-nginx 1.8 `[5] <https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr>`__
* plugins: os-ntopng 1.2 `[6] <https://github.com/opnsense/plugins/blob/master/net/ntopng/pkg-descr>`__
* src: clear callee-preserved registers on amd64 syscall exit `[7] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:01.syscall.asc>`__
* ports: cpdup 1.20
* ports: curl 7.64.0 `[8] <https://curl.haxx.se/changes.html>`__
* ports: libressl 2.8.3 `[9] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.8.3-relnotes.txt>`__
* ports: openvpn 2.4.7 `[10] <https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24>`__
* ports: pam_opnsense manual page addition
* ports: sqlite 3.27.1 `[11] <https://www.sqlite.org/releaselog/3_27_1.html>`__
* ports: squid forgery check avoidance `[12] <https://github.com/opnsense/ports/issues/66>`__
* ports: strongswan 5.7.2 `[13] <https://wiki.strongswan.org/versions/72>`__
* ports: unbound 1.9.0 `[14] <https://nlnetlabs.nl/projects/unbound/download/>`__



--------------------------------------------------------------------------
19.1.1 (February 05, 2019)
--------------------------------------------------------------------------


This is a security and reliability release: WAN DHCP will no longer trust
the server MTU given. Uncoordinated cross site scripting issues have been
fixed. And the Python request library was patched due to CVE 2018-18074.

Here are the full patch notes:

* system: address XSS-prone escaping issues `[1] <https://packetstormsecurity.com/files/151381/OPNsense-18.7-Cross-Site-Scripting.html>`__
* firewall: add port range validation to shaper inputs
* firewall: drop description validation constraints
* interfaces: DHCP override MTU option (contributed by Team Rebellion)
* interfaces: properly configure SIM PIN on custom modems
* reporting: prevent cleanup from deleting current data when future data exists
* ipsec: allow same local subnet if used in different phase 1 (contributed by Max Weller)
* openvpn: multiple client export fixes
* web proxy: add ESD files to Windows cache option (contributed by R-Adrian)
* plugins: os-acme-client 1.20 `[2] <https://github.com/opnsense/plugins/pull/1157>`__
* plugins: os-dyndns fix for themed colours (contributed by Team Rebellion)
* plugins: os-etpro-telemetry 1.1 adds random delay to telemetry data send
* plugins: os-nginx 1.7 `[3] <https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr>`__
* plugins: os-rspamd reads DKIM keys via Redis (contributed by Garrod Alwood)
* plugins: os-theme-cicada 1.14 (contributed by Team Rebellion)
* plugins: os-theme-tukan 1.13 (contributed by Team Rebellion)
* ports: ca_root_nss 3.42.1
* ports: lighttpd 1.4.53 `[4] <https://www.lighttpd.net/2019/1/27/1.4.53/>`__
* ports: py-request 2.21.0 `[5] <https://vuxml.freebsd.org/freebsd/50ad9a9a-1e28-11e9-98d7-0050562a4d7b.html>`__



--------------------------------------------------------------------------
19.1 (January 31, 2019)
--------------------------------------------------------------------------


For more than four years now, OPNsense is driving innovation through
modularising and hardening the open source firewall, with simple and
reliable firmware upgrades, multi-language support, HardenedBSD security,
fast adoption of upstream software updates as well as clear and stable
2-Clause BSD licensing.

The 19.1 release, nicknamed "Inspiring Iguana", consists of a total of
620 individual changes since 18.7 came out 6 months ago, spread out over
12 intermediate releases including the recent release candidates. That is
the average of 2 stable releases per month, security updates and important
bug fixes included! If we had to pick a few highlights it would be: The
firewall alias API is finally in place. The migration to HardenedBSD 11.2
has been completed. 2FA now works with a remote LDAP / local TOTP
combination. And the OpenVPN client export was rewritten for full API
support as well.

Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
can be found below as well.

* Europe: https://opnsense.c0urier.net/releases/19.1/
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.1/
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.1/
* South America: http://mirror.upb.edu.co/opnsense/releases/19.1/
* South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.1/
* Full mirror list: https://opnsense.org/download/

These are the most prominent changes since version 18.7:

* fully functional firewall alias API
* PIE firewall shaper support
* firewall NAT rule logging support
* 2FA via LDAP-TOTP combination
* WPAD / PAC and parent proxy support in the web proxy
* P12 certificate export with custom passwords
* Dpinger is now the default gateway monitor
* ET Pro Telemetry edition plugin `[2] <https://docs.opnsense.org/manual/etpro_telemetry.html>`__
* extended IPv6 DUID support
* Dnsmasq DNSSEC support
* OpenVPN client export API
* Realtek NIC driver version 1.95
* HardenedBSD 11.2, LibreSSL 2.7
* Unbound 1.8, Suricata 4.1
* Phalcon 3.4, Perl 5.28
* firmware health check extended to cover all OS files, HTTPS mirror default
* updates are browser cache-safe regarding CSS and JavaScript assets
* collapsible side bar menu in the default theme
* language updates for Chinese, Czech, French, German, Japanese, Portuguese and Russian
* new plugins for API backup export, Bind, Hardware widget, Nginx, Ntopng, VnStat, Dnscrypt-proxy

Here are the full changes against version 19.1-RC2:

* ipsec: add firewall interface as soon as phase 1 is enabled
* ipsec: phase 1 selection GUI JavaScript compatibility fix
* monit: widget improvements and bug fix (contributed by Frank Brendel)
* ui: fix regression in single host or network subnet select in static pages
* plugins: os-frr 1.7 updates OSPF outbound rules (contributed by Fabian Franz)
* plugins: os-telegraf 1.7.4 fixes packet filter input
* plugins: os-theme-rebellion 1.8.2 adds image colour invert
* plugins: os-vnstat 1.1 `[3] <https://github.com/opnsense/plugins/blob/master/net/vnstat/pkg-descr>`__
* plugins: os-zabbix-agent now uses Zabbix version 4.0
* src: revert mmc_calculate_clock() as HS200/HS400 support breaks legacy support
* src: update sqlite3-3.20.0 to sqlite3-3.26.0 `[4] <https://www.freebsd.org/security/advisories/FreeBSD-EN-19:03.sqlite.asc>`__
* src: import tzdata 2018h, 2018i `[5] <https://www.freebsd.org/security/advisories/FreeBSD-EN-19:04.tzdata.asc>`__
* src: avoid unsynchronized updates to kn_status `[6] <https://www.freebsd.org/security/advisories/FreeBSD-EN-19:05.kqueue.asc>`__
* ports: ca_root_nss 3.42
* ports: dhcp6c 20190128 prevent rawops double-free (contributed by Team Rebellion)
* ports: sudo patch to fix listpw=never `[7] <https://bugzilla.sudo.ws/show_bug.cgi?id=869>`__

Migration notes and minor incompatibilities to look out for:

* Gateway health graphs may need a manual reset due to the Apinger to Dpinger migration. Apinger is no longer available.
* Intrusion detection GeoIP rules are automatically deactivated and need to be manually migrated to firewall alias GeoIP.
* Quagga plugin has been superseded by FRR plugin. A binary quagga package has been conserved for the time being.
* Please read the FRR documentation with regard to the required system tunables `[8] <https://docs.opnsense.org/manual/dynamic_routing.html>`__ .
* Bhyve VM boot may fail as a guest. Use the "-w" parameter `[9] <https://forum.opnsense.org/index.php?topic=11492.0>`__ to boot.
* Boot may fail due to Meltdown/Spectre mitigation. A workaround `[10] <https://github.com/opnsense/core/issues/3177>`__ exists.
* SNMP plugin has been superseded by Net-SNMP plugin.

The public key for the 19.1 series is:

.. code-block::

# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4NKHVbdmq9RN085Nfdyc
# ip5IMNwcc4QcvGIbN51+UiHh8+aj+JJSswHg5ZBwKk6bxt8kA1NAJQk5U6Qb/UXi
# QYt0zvN2ABrzBHq6WRE5WPzmQa1Raky4ChfQqorOFi3D96rMvI/Anm4OLllHcMX/
# GKPA1XcODJTFQOjsAR+87V6Em+W0YX0lGLTmWdmwWfGeGQFJzA2A/Wxn3b0jDS9m
# pyHlj4jzat6032qs7Uxf+qWopj+d76ZyxedQVPswKa9o9qKF2iUoSSG/11kFpLi6
# Y+gXCXZDL20GXsPuBi1hpPnkhBFI+WFlC1KiA8RRGMpDKGQFw/XYIwKvfdRw82Mx
# NkJYCiRNZxXnDzInTLuyEpS9yzQXdxa6YFR9USeFpjLaVUppT57M5xfdPFRdhImj
# 1crhMjQZWt+054JTadvEu4o1c+45damruqtQntvnF7h5vcNCjExlREKK32rMXbGD
# Fb19G/3x8UASqVslkXeNtTj0fVPN+78yVyqjWCBe2zHiBlnWBmRu6tlrEDl/MVAz
# Yk3rHMYdRpDYolWBD8bAzqohSatbrzWUjjF7GlLR6HfXsCYxPzGJb6Ed4We+ZjvH
# C3/LHyuZD6EmksSraJt8XeVvTQlPnPI+jVbqJERi/p3F9KRVy8mwEwk/4MDbPhZ0
# zizSg7+Yn6Rac/F0QlvUPa8CAwEAAQ==
# -----END PUBLIC KEY-----



.. code-block::

# SHA256 (OPNsense-19.1-OpenSSL-dvd-amd64.iso.bz2) = 0a9e02954da1ddd1f0b7673394bbf81cfa74a1d5378600a87d3a9e6a26d3104d
# SHA256 (OPNsense-19.1-OpenSSL-nano-amd64.img.bz2) = 2c4b0056ca26053c8d5e4efe196e512af618bad4fa136ba0e2528083a6263528
# SHA256 (OPNsense-19.1-OpenSSL-serial-amd64.img.bz2) = c71274cea2b910cd4b3454b4ad29f7f70503fcb52ffa5b7f65ea96a27ac9e10d
# SHA256 (OPNsense-19.1-OpenSSL-vga-amd64.img.bz2) = 37164481a413716d8786676d30bb709f8b967e53a47a36d10118214304d14bb9

.. code-block::

# SHA256 (OPNsense-19.1-OpenSSL-dvd-i386.iso.bz2) = 17d0aadf671bc2d99b57f0371e4fadfca0e2e9c8d27d6545674a610fc1f59c7a
# SHA256 (OPNsense-19.1-OpenSSL-nano-i386.img.bz2) = 0c4e7616c93f14f5988df84b9b620543cb23a89c1f91505527b6c999d2dc7889
# SHA256 (OPNsense-19.1-OpenSSL-serial-i386.img.bz2) = 93306e5349c7448ad3fdc03d9349ebf98e4d7c677201dcbec111f917c72dca24
# SHA256 (OPNsense-19.1-OpenSSL-vga-i386.img.bz2) = 03d21319a784f93a7940d35168a35d15005e6f4579ac5b1c7a6ff606beb062a6

--------------------------------------------------------------------------
19.1.r2 (January 23, 2019)
--------------------------------------------------------------------------


Small online update issued to fix known and subsequently patched issues.
If you use Insight and flowd_aggregate service refuses to start go to
System: Firmware: Packages and reinstall the "flowd" package.

These are the changes in detail:

* firmware: fix invisible error in health check
* intrusion detection: avoid spurious migration error on factor reset
* monit: fix dashboard widget display and general settings save
* plugins: os-telegraf fixes checkbox for CPU time collect (contributed by chaispaquichui)
* ports: flowd Python bindings runtime fix


Stay safe,
Your OPNsense team

--------------------------------------------------------------------------
19.1.r1 (January 21, 2019)
--------------------------------------------------------------------------
|
||||
|
||||
|
||||
For almost four years now, OPNsense is driving innovation through
|
||||
modularising and hardening the open source firewall, with simple
|
||||
and reliable firmware upgrades, multi-language support, HardenedBSD
|
||||
security, fast adoption of upstream software updates as well as clear
|
||||
and stable 2-Clause BSD licensing.
|
||||
|
||||
We thank all of you for helping test, shape and contribute to the project!
|
||||
We know it would not be the same without you.
|
||||
|
||||
Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
|
||||
can be found below as well.
|
||||
|
||||
* Europe: https://opnsense.c0urier.net/releases/19.1/
|
||||
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.1/
|
||||
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.1/
|
||||
* South America: http://mirror.upb.edu.co/opnsense/releases/19.1/
|
||||
* South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.1/
|
||||
* Full mirror list: https://opnsense.org/download/
|
||||
|
||||
Here are the full changes against version 18.7.10:
|
||||
|
||||
* system: console port assignment can now assign OPT without LAN
|
||||
* system: anti-lockout will use OPT1 if LAN is not present
|
||||
* system: allow creation of combined client/server SSL certificate
|
||||
* system: gateway monitoring switches to Dpinger with Apinger removed
|
||||
* system: detect unassigned gateways in static address setups
|
||||
* system: more advanced gateway monitoring options for Dpinger (contributed by Team Rebellion)
|
||||
* system: removal of the old notification system in favour of Monit
|
||||
* system: only allow syslog remote binding to assigned interfaces
|
||||
* system: disable IP aliases configured with VHID on temporary disable
|
||||
* system: remove AHCI MSI disable workaround used in FreeBSD 11.1
|
||||
* system: default gateway switching moves back to general settings
|
||||
* system: beep sound notification setting moves to misc. settings
|
||||
* system: limit log line length in log widget
|
||||
* interfaces: change 6RD/6to4 interface prefix from internal name to physical device
|
||||
* interfaces: prohibit tracking on 6RD with /64 upstream prefix
|
||||
* interfaces: remove unneeded use of potentially clashing fe80::1:1 addresses for IPv6 tracking
|
||||
* interfaces: clear an apparently faulty system DUID when no manual DUID is set
|
||||
* interfaces: updated custom dhclient-script used for DHCPv4
|
||||
* interfaces: VIP support for GRE devices
|
||||
* interfaces: simplify find_interface_ip\* functions
|
||||
* interfaces: remove get_interface_subnet\* functions
|
||||
* interfaces: remove unused get_possible_listen_ips function
|
||||
* interfaces: link status indicator on assignments page
|
||||
* interfaces: unify interface removal code
|
||||
* firewall: switch GeoIP database download to HTTPS
|
||||
* firewall: find IP reference tool for aliases
|
||||
* firewall: improve alias page responsiveness with large number of addresses
|
||||
* firewall: show system errors when reloading aliases
|
||||
* firewall: NAT port forward logging option and live view support
|
||||
* firewall: optionally resolve all host names in live view
|
||||
* firewall: not all states could be removed in diagnostics page
|
||||
* firewall: clean up unused NAT rule association code
|
||||
* reporting: improve handling of empty Insight datasets
|
||||
* reporting: prepare for Python 3 conversion
|
||||
* firmware: switch default mirror location to HTTPS
|
||||
* firmware: health check for base and kernel files including version check
|
||||
* firmware: support base and kernel file size in packages overview
|
||||
* firmware: /var MFS compatibility on base installation when reboot is deferred
|
||||
* firmware: command line core lock feature prevents package upgrades
|
||||
* firmware: internally remember plugins installed or removed in the GUI
|
||||
* firmware: show last known update log on page open
|
||||
* firmware: show untrusted repository error in GUI
|
||||
* firmware: separate chanelogs tab for clarity
|
||||
* dhcp: refuse setup of instances that have no associated IP address
|
||||
* dhcp: fix lease time local vs. UTC display in IPv6 leases
|
||||
* installer: change communication from TCP to named pipes
|
||||
* installer: fix sporadic segmentation faults in frontend code
|
||||
* installer: allow config import from ZFS pools
|
||||
* installer: allow password reset on ZFS pools
|
||||
* installer: removed a number of unused modules
|
||||
* ipsec: generate correct config for "Hybrid-RSA + XAuth" (contributed by Max Weller)
|
||||
* ipsec: reworked strongswan.conf generation
|
||||
* ipsec: use new interface subnet retrieval code
|
||||
* monit: support declaring dependencies (contributed by Alexander Werner)
|
||||
* monit: add Service/Test type relation (contributed by Frank Brendel)
|
||||
* monit: add CARP status to standard services
|
||||
* monit: add gateway alerts to standard services
|
||||
* monit: backend rework to simplify the service
|
||||
* intrusion detection: support base ruleset overlays and improve logging
|
||||
* intrusion detection: GeoIP feature in user-defined rules has been removed
|
||||
* intrusion detection: obey Content-Disposition header
|
||||
* openvpn: client export rewrite, new export option for The Green Bow
|
||||
* unbound: reworked slab calculation
|
||||
* unbound: added statistics page
|
||||
* unbound: only bind to interfaces or OpenVPN instances, always bind to loopback
|
||||
* unbound: fix ACL subnet calculation for OpenVPN instances
|
||||
* unbound: do not generate host entries for OpenVPN instances
|
||||
* unbound: improve help text wording and general settings layout
|
||||
* web proxy: parent proxy support (contributed by Michael Muenz)
|
||||
* wizard: fix checkbox label styling
|
||||
* mvc: converted reboot, halt and license page to MVC
|
||||
* mvc: compared-to-field constraint (contributed by Fabian Franz)
|
||||
* mvc: external clients which set Authorization header now receive raw JSON responses
|
||||
* mvc: fix empty value check in grid (contributed by Smart-Soft)
|
||||
* mvc: globally lock config when multiple items are deleted at once
|
||||
* mvc: volt template JavaScript cleanups
|
||||
* ui: updated bootstrap-select to version 1.13.3
|
||||
* ui: collapsible sidebar support in default theme (contributed by Team Rebellion)
|
||||
* plugins: os-acme-client 1.19 `[2] <https://github.com/opnsense/plugins/pull/1134>`__
|
||||
* plugins: os-c-icap 1.7 adds template support (contributed by Michael Muenz)
|
||||
* plugins: os-dmidecode 1.0 hardware information widget (contributed by Smart-Soft)
|
||||
* plugins: os-dyndns 1.12 changes HE tunnel broker to newer API (contributed by Dusan Dragic)
|
||||
* plugins: os-frr switches to FRR 5.0.2, please see below
|
||||
* plugins: os-l2tp 1.8 interface now selects reachable server address
|
||||
* plugins: os-pptp 1.8 interface now selects reachable server address
|
||||
* plugins: os-openconnect 1.3.3 `[3] <https://github.com/opnsense/plugins/blob/master/security/openconnect/pkg-descr>`__
|
||||
* plugins: os-quagga removed, please use os-frr instead
|
||||
* plugins: os-nginx 1.6 `[4] <https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr>`__
|
||||
* plugins: os-rspamd 1.4 allows to set manual spam scores and subject (contributed by Michael Muenz and Fabian Franz)
|
||||
* plugins: os-snmp removed, please use os-net-snmp instead
|
||||
* plugins: os-theme-cicada 1.13
|
||||
* plugins: os-theme-tukan 1.12
|
||||
* plugins: os-wol 2.1 fixes widget link (contributed by Fabian Franz)
|
||||
* src: HardenedBSD 11.2-RELEASE-p7 `[5] <https://hardenedbsd.org/content/easy-feature-comparison>`__ `[6] <https://www.freebsd.org/releases/11.2R/relnotes.html>`__ `[7] <https://www.freebsd.org/releases/11.2R/errata.html>`__
|
||||
* src: fix missing transmit visibility for BPF-based listeners in native netmap mode
|
||||
* src: limit the maximum number of fragments per packet in pf
|
||||
* src: replace rwlock on PF_RULES_LOCK with rmlock in pf
|
||||
* src: do not discard UDP6 traffic in Hyper-V adaptors
|
||||
* src: fix state sync during initial bulk update in pfsync
|
||||
* src: unbreak dhclient(8) option 26 processing
|
||||
* src: import APU 1-3 LED kernel module
|
||||
* ports: krb5 1.17 `[8] <https://web.mit.edu/kerberos/krb5-1.17/>`__
|
||||
* ports: php 7.1.26 `[9] <https://php.net/ChangeLog-7.php#7.1.26>`__
|
||||
* ports: sudo 1.8.27 `[10] <https://www.sudo.ws/stable.html#1.8.27>`__
* ports: perl 5.28.1 `[11] <https://metacpan.org/changes/release/SHAY/perl-5.28.1>`__
* ports: suricata netmap forward-compatibility patch (contributed by Sunny Valley Networks)

Known issues and limitations:

* Gateway health graphs may need a manual reset due to the Apinger to Dpinger migration.
* Intrusion detection GeoIP rules are automatically deactivated and need to be manually migrated to firewall alias GeoIP.
* Monit general settings do not save. A patch exists `[12] <https://github.com/opnsense/core/commit/a2899594>`__ to remedy this problem: ``opnsense-patch a2899594``
* Issue with IDS migration code creating a spurious crash report. Patch already done for the final 19.1.
* Quagga plugin has been superseded by FRR plugin. A binary quagga package has been conserved for the time being.
* Please read the FRR documentation with regard to the required system tunables `[13] <https://docs.opnsense.org/manual/dynamic_routing.html>`__.
* SNMP plugin has been superseded by Net-SNMP plugin.
* ZFS guided installation pending.

The public key for the 19.1 series is:

.. code-block::

    # -----BEGIN PUBLIC KEY-----
    # MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4NKHVbdmq9RN085Nfdyc
    # ip5IMNwcc4QcvGIbN51+UiHh8+aj+JJSswHg5ZBwKk6bxt8kA1NAJQk5U6Qb/UXi
    # QYt0zvN2ABrzBHq6WRE5WPzmQa1Raky4ChfQqorOFi3D96rMvI/Anm4OLllHcMX/
    # GKPA1XcODJTFQOjsAR+87V6Em+W0YX0lGLTmWdmwWfGeGQFJzA2A/Wxn3b0jDS9m
    # pyHlj4jzat6032qs7Uxf+qWopj+d76ZyxedQVPswKa9o9qKF2iUoSSG/11kFpLi6
    # Y+gXCXZDL20GXsPuBi1hpPnkhBFI+WFlC1KiA8RRGMpDKGQFw/XYIwKvfdRw82Mx
    # NkJYCiRNZxXnDzInTLuyEpS9yzQXdxa6YFR9USeFpjLaVUppT57M5xfdPFRdhImj
    # 1crhMjQZWt+054JTadvEu4o1c+45damruqtQntvnF7h5vcNCjExlREKK32rMXbGD
    # Fb19G/3x8UASqVslkXeNtTj0fVPN+78yVyqjWCBe2zHiBlnWBmRu6tlrEDl/MVAz
    # Yk3rHMYdRpDYolWBD8bAzqohSatbrzWUjjF7GlLR6HfXsCYxPzGJb6Ed4We+ZjvH
    # C3/LHyuZD6EmksSraJt8XeVvTQlPnPI+jVbqJERi/p3F9KRVy8mwEwk/4MDbPhZ0
    # zizSg7+Yn6Rac/F0QlvUPa8CAwEAAQ==
    # -----END PUBLIC KEY-----

Please let us know about your experience!

.. code-block::

    # SHA256 (OPNsense-19.1.r1-OpenSSL-dvd-amd64.iso.bz2) = 7c0c6cf529cb2f8aa9c29b3645b4ec1e218c292f722941ae9880b009c93e6364
    # SHA256 (OPNsense-19.1.r1-OpenSSL-nano-amd64.img.bz2) = b355355fc6d10475af2b1c22daa2fd5f5ab78bb375aaf8100a51f087d2447289
    # SHA256 (OPNsense-19.1.r1-OpenSSL-serial-amd64.img.bz2) = f4d40b1ece162aac97505f8ad1e16271126df11fb1a317a9f431ff4737fe5da8
    # SHA256 (OPNsense-19.1.r1-OpenSSL-vga-amd64.img.bz2) = f8c860a7e3eb9be61d33da92b021a0f337ad50e00a6ffc1cca793277f1890b63

.. code-block::

    # SHA256 (OPNsense-19.1.r1-OpenSSL-dvd-i386.iso.bz2) = c7b5ced64623416bd56e5337d5212c9af25292a48eb1bb298321e4bb79056c94
    # SHA256 (OPNsense-19.1.r1-OpenSSL-nano-i386.img.bz2) = 1313645407d810dd7a5dedf4978deaa7c14f4655dee679de572d7a9e853749c0
    # SHA256 (OPNsense-19.1.r1-OpenSSL-serial-i386.img.bz2) = f44203f5bb6e2dbfe5b524b37e9e53baab0665684cbc215bdc3015e11a79c2bd
    # SHA256 (OPNsense-19.1.r1-OpenSSL-vga-i386.img.bz2) = a6cfc14b9675563053d6e7733011c381f39e8fb2e10a8a64d60cc7de421ac2db

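An added example, not part of the release notes or of the OPNsense project, for checking downloaded images against a BSD-style ``SHA256 (file) = hash`` list like the ones above: a POSIX sh function that parses that format, recomputes each digest and refuses to pass when any entry is missing or mismatched. The digest-tool fallbacks and the constructed fixture files in ``demo_verify`` are assumptions.

```shell
#!/bin/sh
# Added example (not from the OPNsense release notes): verify downloaded
# images against a BSD-style "SHA256 (file) = hex" checksum list.
# Assumes a POSIX sh and one of sha256sum, shasum or the FreeBSD sha256 tool.

# Print the hex SHA-256 digest of the file given as $1.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"          # FreeBSD / OPNsense base system tool
    fi
}

# verify_bsd_sha256 SUMS_FILE DIR
# Parses every "SHA256 (name) = hex" line in SUMS_FILE (a leading "# " as in
# the release notes is tolerated), recomputes the digest of DIR/name and
# prints OK, MISMATCH or MISSING per entry. Returns 1 if any entry failed, so
# a corrupted image or a stale checksum list is never silently accepted.
verify_bsd_sha256() {
    sums=$1
    dir=$2
    failed=0
    # The here-document keeps the loop in the current shell so $failed survives.
    while read -r name expected; do
        [ -n "$name" ] || continue
        expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name"
            failed=1
            continue
        fi
        actual=$(digest "$path")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (expected $expected, got $actual)"
            failed=1
        fi
    done <<EOF
$(sed -n 's/^[# ]*SHA256 (\(.*\)) = \([0-9a-fA-F]\{64\}\) *$/\1 \2/p' "$sums")
EOF
    return $failed
}

# Self-contained demonstration on constructed fixtures: one intact image, one
# image whose listed digest (all zeros, constructed) does not match, and one
# entry whose image was never downloaded. Returns 1 because two entries fail.
demo_verify() {
    work=$(mktemp -d)
    printf 'intact image payload\n' > "$work/intact.img.bz2"
    printf 'tampered image payload\n' > "$work/tampered.img.bz2"
    {
        printf 'SHA256 (intact.img.bz2) = %s\n' "$(digest "$work/intact.img.bz2")"
        printf '# SHA256 (tampered.img.bz2) = %s\n' \
            0000000000000000000000000000000000000000000000000000000000000000
        printf 'SHA256 (missing.img.bz2) = %s\n' \
            e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    } > "$work/checksums.txt"
    verify_bsd_sha256 "$work/checksums.txt" "$work"
    status=$?
    rm -rf "$work"
    return $status
}

demo_verify   # prints one OK, one MISMATCH and one MISSING line
```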
===========================================================================================
19.7 "Jazzy Jaguar" Series
===========================================================================================

For four and a half years now, OPNsense has been driving innovation through
modularising and hardening the open source firewall, with simple
and reliable firmware upgrades, multi-language support, HardenedBSD
security, fast adoption of upstream software updates as well as clear
and stable 2-Clause BSD licensing.

19.7, nicknamed "Jazzy Jaguar", embodies an iteration of what should be
considered an enjoyable user experience for firewalls in general: improved
statistics and visibility of rules, reliable and consistent live logging
and alias utility improvements. Apart from the usual upgrades of third
party software to up-to-date releases, OPNsense now also offers built-in
remote system logging through Syslog-ng, route-based IPsec, updated
translations with Spanish as a brand new and already fully translated
language and newer Netmap code with VirtIO, VLAN child and vmxnet support.

Last but not least we would like to thank m.a.x. it for their sponsorship
of the default gateway priority switching feature and their continued work
of writing and maintaining plenty of community plugins. This time around,
Maltrail, Netdata and WireGuard VPN have been freshly added to the mix.

Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
can be found below as well.

* Europe: https://opnsense.c0urier.net/releases/19.7/
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.7/
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.7/
* South America: http://mirror.upb.edu.co/opnsense/releases/19.7/
* South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.7/
* Full mirror list: https://opnsense.org/download/


--------------------------------------------------------------------------
19.7.10 (January 27, 2020)
--------------------------------------------------------------------------

As Thursday nears the last preparations for 20.1 are underway. As a quick
relief here is the End-Of-Life release of the 19.7 series with a tiny number
of updates.

Remember that when 20.1 is available it will take up to a day before we
release the hotfix with the major upgrade path enabled. Please be patient
as we simply want to ensure that upgrades will not be a bumpy affair. :)

Here are the full patch notes:

* firewall: fix a typo in CARP validation
* firmware: revoke 19.1 fingerprint
* ipsec: add configurable dpdaction (contributed by Marcel Menzel)
* mvc: BaseListField ignoring empty selected field
* plugins: os-haproxy 2.20 `[1] <https://github.com/opnsense/plugins/pull/1646>`__
* plugins: os-mail-backup 1.1 `[2] <https://github.com/opnsense/plugins/pull/1671>`__
* plugins: os-nrpe 1.0 (contributed by Michael Muenz)
* plugins: os-theme-rebellion 1.8.3 (contributed by Team Rebellion)
* plugins: os-vnstat 1.2 `[3] <https://github.com/opnsense/plugins/blob/master/net/vnstat/pkg-descr>`__
* plugins: zabbix4-proxy 1.2 `[4] <https://github.com/opnsense/plugins/blob/master/net-mgmt/zabbix4-proxy/pkg-descr>`__
* ports: ca_root_nss 3.49.1
* ports: curl 7.68.0 `[5] <https://curl.haxx.se/changes.html>`__
* ports: isc-dhcp 4.4.2 `[6] <https://downloads.isc.org/isc/dhcp/4.4.2/dhcp-4.4.2-RELNOTES>`__
* ports: urllib3 1.27.7 `[7] <https://github.com/urllib3/urllib3/blob/master/CHANGES.rst#1257-2019-11-11>`__

A hotfix release was issued as 19.7.10_1:

* firmware: enable upgrade path to 20.1


--------------------------------------------------------------------------
19.7.9 (January 09, 2020)
--------------------------------------------------------------------------

As 20.1 nears we will be making adjustments to the scope of the release
with an announcement following shortly.

For now, this update brings you a GeoIP database configuration page for
aliases, which is now required due to upstream database policy changes, and
a number of prominent third-party software updates we are happy to see
included.

Here are the full patch notes:

* system: use 825 days as the default maximum certificate lifetime
* system: hide leaking hostname on SSH password auth (contributed by sooslaca)
* system: remove unused "lifetime" parameter from user manager page
* firewall: new GeoIP settings page to allow continued use of upstream database `[1] <https://docs.opnsense.org/manual/how-tos/maxmind_geo_ip.html>`__
* firewall: log when alias could not resolve a hostname
* firewall: translate pfInfo page tabs (contributed by Smart-Soft)
* firmware: add mirror MARWAN (Moroccan Academic & Research Wide Area Network)
* dhcp: replace killbyname() usage which should not have killed both services
* dhcp: auto-replace windows DUID dashes (contributed by Team Rebellion)
* mvc: PSR12 code style updates
* plugins: os-acme-client 1.29 `[2] <https://github.com/opnsense/plugins/pull/1638>`__
* plugins: os-bind 1.12 `[3] <https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr>`__
* plugins: os-dyndns must use dyndns_failover_interface() to translate gateway group
* plugins: os-frr 1.14 `[4] <https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr>`__
* plugins: os-maltrail 1.3 `[5] <https://github.com/opnsense/plugins/blob/master/security/maltrail/pkg-descr>`__
* plugins: os-nginx 1.17 `[6] <https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr>`__
* plugins: os-nut fixes validation and snmp-ups selection (contributed by Michael Muenz)
* plugins: os-theme-cicada 1.24 (contributed by Team Rebellion)
* plugins: os-zabbix4-proxy 1.1 `[7] <https://github.com/opnsense/plugins/blob/master/net-mgmt/zabbix4-proxy/pkg-descr>`__
* ports: openssh 8.1p1 `[8] <https://www.openssh.com/txt/release-8.1>`__
* ports: openssl 1.0.2u `[9] <https://www.openssl.org/news/openssl-1.0.2-notes.html>`__
* ports: php 7.2.26 `[10] <https://www.php.net/ChangeLog-7.php#7.2.26>`__
* ports: phpseclib 2.0.23 `[11] <https://github.com/phpseclib/phpseclib/releases/tag/2.0.23>`__
* ports: python 3.7.6 `[12] <https://www.python.org/downloads/release/python-376/>`__
* ports: strongswan 5.8.2 `[13] <https://wiki.strongswan.org/versions/75>`__
* ports: sudo 1.8.30 `[14] <https://www.sudo.ws/stable.html#1.8.30>`__
* ports: unbound 1.9.6 `[15] <https://nlnetlabs.nl/projects/unbound/download/>`__

A hotfix release was issued as 19.7.9_1:

* firewall: automatic business addition GeoIP feed


--------------------------------------------------------------------------
19.7.8 (December 18, 2019)
--------------------------------------------------------------------------

A number of updates including security and reliability fixes inside. Of
note is the new elliptic curve certificate creation support and better
firmware health check and recovery methods.

We are almost at the point of a 20.1-BETA release with isolated images
for early bird testing as a special present at this time of year. Stay
tuned. :)

Here are the full patch notes:

* system: "Mark Gateway as Down" also means exclude from default gateway selection
* system: fix PHP warning on gateways list due to wrong variable scope
* system: support elliptic curve TLS certificate creation (contributed by johnaheadley)
* system: remove unused current directory PHP include
* system: fix XSS in backup page and static menu pages
* firewall: use referential integrity check for model data
* reporting: improve NetFlow error handling (contributed by Frank Brendel)
* dhcp: always add dhcp6.domain-search and dhcp6.name-servers (contributed by maurice-w)
* dhcp: fix range check for advanced router advertisement options (contributed by maurice-w)
* dhcp: improve help texts for router advertisement modes (contributed by maurice-w)
* dhcp: replace defunct IPv6 domain name option with domain search list option (contributed by maurice-w)
* dhcp: fix storing advanced IPv6 options
* firmware: add "copy to clipboard" button in update text box
* firmware: use opnsense-revert in GUI reinstall package case
* firmware: when storing installed plugin names remove their development counterparts
* firmware: improved health check scope to include direct core package dependencies
* openvpn: fix Firefox "nowrap" issue in client export page
* backend: improve error handling while configd is either not active or not functional
* mvc: route to default page when controller or action not found
* mvc: field type refactor and unit tests
* mvc: added opt-in referential integrity check for models
* mvc: countless PSR12 style updates
* mvc: add "NetMaskAllowed" option to validate on single addresses in NetworkField
* plugins: os-bind 1.11 `[1] <https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr>`__
* plugins: os-dyndns 1.18 adds Linode support (contributed by eAndrew Gunnerson)
* plugins: os-freeradius 1.9.5 `[2] <https://github.com/opnsense/plugins/blob/master/net/freeradius/pkg-descr>`__
* plugins: os-frr 1.13 `[3] <https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr>`__
* plugins: os-ftp-proxy style updates only
* plugins: os-postfix 1.13 `[4] <https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr>`__
* plugins: os-rspamd 1.9 `[5] <https://github.com/opnsense/plugins/blob/master/mail/rspamd/pkg-descr>`__
* plugins: os-theme-cicada 1.23 (contributed by Team Rebellion)
* plugins: os-theme-tukan 1.22 (contributed by Team Rebellion)
* ports: ca_root_nss 3.48
* ports: krb5 1.17.1 `[6] <https://web.mit.edu/kerberos/krb5-1.17/>`__
* ports: php 7.2.25 `[7] <https://www.php.net/ChangeLog-7.php#7.2.25>`__
* ports: suricata 4.1.6 `[8] <https://suricata-ids.org/2019/12/13/suricata-4-1-6-released/>`__
* ports: unbound 1.9.5 `[9] <https://nlnetlabs.nl/projects/unbound/download/>`__


--------------------------------------------------------------------------
19.7.7 (November 21, 2019)
--------------------------------------------------------------------------

Lots of small improvements. Of note is that Eve JSON payload syslog export
now works for 4 kb payload blobs. The outdated Google API PHP client
was replaced. LibreSSL is now at version 3.0.2. Plus another Intel SA
advisory via FreeBSD.

Here are the full patch notes:

* system: generate self-signed server certificate for web GUI by default
* system: let net.local.dgram.maxdgram default to 8192 bytes
* system: spawn Dpinger process in background to avoid hangs
* system: switch backup to Google API PHP client v2
* system: add interface groups to HA sync
* interfaces: remove the "Directly send SOLICIT" option
* firewall: fix issue with label parsing when "tag" keyword was involved
* firewall: skip empty lines in rule statistics parsing
* firmware: add /etc/remote to whitelist, NTP GPS uses it
* reporting: empty NetFlow egress default passes validation
* reporting: show dialog when RRD is disabled
* dhcp: fix for domain-search option in DHCPv6 (contributed by maurice-w)
* dnsmasq: fix storing settings when no settings exist yet
* intrusion detection: lower payload-buffer-size to prevent syslog size limit
* intrusion detection: fix issue with escaped file name during rules download
* unbound: exit wrapper when process not running
* web proxy: added check on SNI field checkbox (contributed by Northguy)
* mvc: fix forceReload()
* plugins: os-acme-client 1.28 `[1] <https://github.com/opnsense/plugins/pull/1565>`__
* plugins: os-bind 1.10 `[2] <https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr>`__
* plugins: os-nginx 1.16 `[3] <https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr>`__
* plugins: os-nut 1.6 `[4] <https://github.com/opnsense/plugins/blob/master/sysutils/nut/pkg-descr>`__
* plugins: os-postfix 1.12 `[5] <https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr>`__
* src: fix machine check exception on page size change `[6] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:25.mcepsc.asc>`__
* src: bump libc syslog line size to 8k
* src: import tzdata 2019c `[7] <https://www.freebsd.org/security/advisories/FreeBSD-EN-19:18.tzdata.asc>`__
* ports: curl 7.67.0 `[8] <https://curl.haxx.se/changes.html>`__
* ports: libressl 3.0.2 `[9] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.0.2-relnotes.txt>`__
* ports: openvpn 2.4.8 `[10] <https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst#version-248>`__
* ports: perl 5.30.1 `[11] <https://metacpan.org/pod/release/SHAY/perl-5.30.1/pod/perldelta.pod>`__
* ports: phalcon 3.4.5 `[12] <https://github.com/phalcon/cphalcon/releases/tag/v3.4.5>`__
* ports: sqlite 3.30.1 `[13] <https://sqlite.org/releaselog/3_30_1.html>`__
* ports: squid 4.9 `[14] <https://github.com/squid-cache/squid/blob/master/ChangeLog>`__
* ports: syslog-ng 3.24.1 `[15] <https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.24.1>`__


--------------------------------------------------------------------------
19.7.6 (November 01, 2019)
--------------------------------------------------------------------------

As we are experiencing the Suricata community first hand in Amsterdam
we thought to release this version a bit earlier than planned. Included
is the latest Suricata 5.0.0 release in the development version. That
means later this November we will be releasing version 5 to the production
version as we finish up tweaking the integration and maybe pick up 5.0.1
as it becomes available.

LDAP TLS connectivity is now integrated into the system trust store,
which ensures that all required root and intermediate certificates will
be seen by the connection setup when they have been added to the authorities
section. The same is true for trusting self-signed certificates. On top
of this, IPsec now supports public key authentication as contributed by
Pascal Mathis.

Here are the full patch notes:

* system: hook LDAP TLS support into system-wide trust file
* system: fix dpinger custom parameters not being honoured
* system: fix PHP core loop fail in tunables overview
* system: only allow P12 export if password confirmation matches
* interfaces: change PCAP download to binary file stream
* firewall: store reference to outbound NAT address instead of literal address
* firewall: add log message for scheduled firewall reload
* firmware: tie pkg dependency to core
* ipsec: allow EC keys for certificate-based secrets (contributed by Martin Strigl)
* ipsec: add support for public key authentication (contributed by Pascal Mathis)
* openvpn: server wizard existing CA use and server cert check (contributed by johnaheadley)
* backend: add run mode to pluginctl using JSON-based output
* ui: fix tokenizer reorder on multiple saves, second try
* plugins: os-acme-client 1.27 `[1] <https://github.com/opnsense/plugins/pull/1536>`__
* plugins: os-bind 1.9 `[2] <https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr>`__
* plugins: os-nginx 1.15 `[3] <https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr>`__
* plugins: os-relayd 2.4 fixes protocol option migration (contributed by Frank Brendel)
* plugins: os-theme-cicada 1.22 (contributed by Team Rebellion)
* ports: ca_root_nss 3.47
* ports: php 7.2.24 `[4] <https://www.php.net/ChangeLog-7.php#7.2.24>`__
* ports: python 3.7.5 `[5] <https://www.python.org/downloads/release/python-375/>`__
* ports: sudo 1.8.29 `[6] <https://www.sudo.ws/stable.html#1.8.29>`__


--------------------------------------------------------------------------
19.7.5 (October 11, 2019)
--------------------------------------------------------------------------

Lots of plugin and ports updates this time with a few minor improvements
in all core areas.

Behind the scenes we are starting to migrate the base system to version
12.1 which is supposed to hit the next 20.1 release. Stay tuned for more
info in the next month or so.

Here are the full patch notes:

* system: show all swap partitions in system information widget
* system: flatten services_get() in preparation for removal
* system: pin Syslog-ng version to specific package name
* system: fix LDAP/StartTLS with user import page
* system: fix a PHP warning on authentication server page
* system: replace most subprocess.call use
* interfaces: fix devd handling of carp devices (contributed by stumbaumr)
* firewall: improve firewall rules inline toggles
* firewall: only allow TCP flags on TCP protocol
* firewall: simplify help text for direction setting
* firewall: make protocol log summary case insensitive
* reporting: ignore malformed flow records
* captive portal: fix type mismatch for timeout read
* dhcp: add note for static lease limitation with lease registration (contributed by Northguy)
* ipsec: add margintime and rekeyfuzz options
* ipsec: clear $dpdline correctly if not set
* ui: fix tokenizer reorder on multiple saves
* plugins: os-acme-client 1.26 `[1] <https://github.com/opnsense/plugins/pull/1499>`__
* plugins: os-bind will reload bind on record change (contributed by blablup)
* plugins: os-etpro-telemetry minor subprocess.call replacement
* plugins: os-freeradius 1.9.4 `[2] <https://github.com/opnsense/plugins/blob/master/net/freeradius/pkg-descr>`__
* plugins: os-frr 1.12 `[3] <https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr>`__
* plugins: os-haproxy 2.19 `[4] <https://github.com/opnsense/plugins/pull/1498>`__
* plugins: os-maltrail 1.2 `[5] <https://github.com/opnsense/plugins/blob/master/security/maltrail/pkg-descr>`__
* plugins: os-postfix 1.11 `[6] <https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr>`__
* plugins: os-rspamd 1.8 `[7] <https://github.com/opnsense/plugins/blob/master/mail/rspamd/pkg-descr>`__
* plugins: os-sunnyvalley LibreSSL support (contributed by Sunny Valley Networks)
* plugins: os-telegraf 1.7.6 `[8] <https://github.com/opnsense/plugins/blob/master/net-mgmt/telegraf/pkg-descr>`__
* plugins: os-theme-cicada 1.21 (contributed by Team Rebellion)
* plugins: os-theme-tukan 1.21 (contributed by Team Rebellion)
* plugins: os-tinc minor subprocess.call replacement
* plugins: os-tor 1.8 adds dormant mode disable option (contributed by Fabian Franz)
* plugins: os-virtualbox 1.0 (contributed by andrewhotlab)
* ports: expat 2.2.8 `[10] <https://github.com/libexpat/libexpat/blob/R_2_2_8/expat/Changes>`__
* ports: ca_root_nss 3.46.1
* ports: curl 7.66.0 `[9] <https://curl.haxx.se/changes.html#7_66_0>`__
* ports: openssl 1.0.2t `[11] <https://www.openssl.org/news/secadv/20190910.txt>`__
* ports: php 7.2.23 `[12] <https://www.php.net/ChangeLog-7.php#7.2.23>`__
* ports: pkg 1.12.0 `[13] <https://github.com/freebsd/freebsd-ports/commit/95ac8ad2>`__ `[14] <https://github.com/freebsd/freebsd-ports/commit/5a06e26ff>`__ `[15] <https://github.com/freebsd/freebsd-ports/commit/77d4a311e>`__
* ports: strongswan 5.8.1 `[16] <https://wiki.strongswan.org/versions/74>`__
* ports: suricata 4.1.5 `[17] <https://suricata-ids.org/2019/09/24/suricata-4-1-5-released/>`__
* ports: syslog-ng 3.23.1 `[18] <https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.23.1>`__
* ports: unbound 1.9.4 `[19] <https://nlnetlabs.nl/projects/unbound/download/>`__

A hotfix release was issued as 19.7.5_5:

* ui: revert fix for tokenizer reorder on multiple saves for now
* system: replace services_get() with plugins_services()
* system: verbose print on "pluginctl -s" actions


--------------------------------------------------------------------------
19.7.4 (September 11, 2019)
--------------------------------------------------------------------------

A wee bit of updates for you... nothing overly exciting. On the other
hand, we have updated the roadmap page to include 20.1 if you want to
take a closer look `[1] <https://opnsense.org/about/road-map/>`__. More exciting for sure. :)

Here are the full patch notes:

* system: fix legacy remote logging with custom port
* system: regenerate CA bundle when modifying trusted authorities
* system: fix translation order of tunables description
* system: fix CARP maintenance mode bootup
* firewall: missing daily refresh on GeoIP type
* firewall: fix fetch of GeoIP alias if its name is same as its country
* reporting: auto-load required kernel modules for NetFlow
* reporting: allow setting NetFlow active/inactive timeout (contributed by Frank Brendel)
* captive portal: optimise ipfw rule parsing
* firmware: Homelab.no has been superseded by TerraHost mirror (contributed by Thomas Jensen)
* unbound: support file-based custom includes
* unbound: set absolute path to root.hints (contributed by h-town)
* plugins: os-bind 1.8 `[2] <https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr>`__ (contributed by ErikJStaab)
* plugins: os-dnscrypt-proxy 1.6 `[3] <https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr>`__ (contributed by ErikJStaab)
* plugins: os-etpro-telemetry 1.4 `[4] <https://docs.opnsense.org/manual/etpro_telemetry.html>`__
* plugins: os-theme-cicada 1.20 (contributed by Team Rebellion)
* plugins: os-theme-tukan 1.20 (contributed by Team Rebellion)
* ports: ca_root_nss 3.46
* ports: ldns 1.7.1 `[5] <https://raw.githubusercontent.com/NLnetLabs/ldns/release-1.7.1/Changelog>`__
* ports: pcre2 10.33 `[6] <https://www.pcre.org/changelog.txt>`__
* ports: php 7.2.22 `[7] <https://www.php.net/ChangeLog-7.php#7.2.22>`__
* ports: phpseclib 2.0.21 `[8] <https://github.com/phpseclib/phpseclib/releases>`__
* ports: unbound 1.9.3 `[9] <https://nlnetlabs.nl/projects/unbound/download/>`__

A hotfix release was issued as 19.7.4_1:

* captive portal: fix merge conflict in optimisation


--------------------------------------------------------------------------
19.7.3 (August 28, 2019)
--------------------------------------------------------------------------

Please enjoy this release with improved CARP utility and a number of
smaller fixes and updates for the operating system and third party tools.
You can now also toggle logging directly from the rule overview to make
debugging easier.

Here is the full list of changes:

* system: try all backups for automatic revert when config.xml is damaged
* system: do a system reset if all config.xml files are damaged
* system: only show tunables reboot hint when applying tunables (contributed by Northguy)
* system: use FQDN in system log remote messages
* system: add defunct gateways to GUI in disabled state
* interfaces: only allow VLAN parents that will work as VLAN parents
* interfaces: optionally promote/demote CARP on service status
* interfaces: CARP status page report with demotion level to avoid ambiguity
* firewall: revert problematic 19.7.2 change "unhide automatic interface-based output rules"
* firewall: restore automatic outbound NAT pre-19.7 behaviour which excludes gateways not configured and not dynamic
* firewall: add logging toggle to rules overview (contributed by johnaheadley)
* firewall: DHCPv6 relay would generate rules even if not enabled
* firmware: only do single-repository fingerprint verify defaulting to our OPNsense repository
* firmware: fix base and kernel package listing
* intrusion detection: show change message after toggle or save
* intrusion detection: rule download fix
* monit: add parent devices to interface list (contributed by Frank Brendel)
* monit: fix standard configuration migration (contributed by Frank Brendel)
* reporting: skip illegal NetFlow records in flow parser
* opendns: migrate update hook from DynDNS plugin to core to make it fully automatic
* backend: fix exception message string handling in Python 3
* backend: add help to pluginctl utility
* backend: configctl event handler support
* mvc: log API key when authentication failed
* ui: more consistent HTML (contributed by gisforgirard)
* ui: sidebar bug fix (contributed by Team Rebellion)
* ui: fix initFormAdvancedUI() on initial load
* plugins: os-acme-client 1.25 `[1] <https://github.com/opnsense/plugins/pull/1452>`__
* plugins: os-bind 1.7 `[2] <https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr>`__
* plugins: os-dyndns 1.17 removes OpenDNS and fixes DyNS
* plugins: os-haproxy 2.18 `[3] <https://github.com/opnsense/plugins/pull/1453>`__
* plugins: os-maltrail 1.1 `[4] <https://github.com/opnsense/plugins/blob/master/security/maltrail/pkg-descr>`__
* plugins: os-nginx log rotation fix (contributed by Fabian Franz)
* plugins: os-postfix 1.10 `[5] <https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr>`__
* plugins: os-smart 2.1 fixes widget status and adds NVMe disk support (contributed by nhirokinet and ATL)
* plugins: os-theme-cicada 1.19 (contributed by Team Rebellion)
* plugins: os-theme-tukan 1.19 (contributed by Team Rebellion)
* plugins: os-wireguard 1.1 `[6] <https://github.com/opnsense/plugins/blob/master/net/wireguard/pkg-descr>`__
* src: fix incorrect exception handling in libunwind `[7] <https://www.freebsd.org/security/advisories/FreeBSD-EN-19:15.libunwind.asc>`__
* src: fix multiple vulnerabilities in bzip2 `[8] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:18.bzip2.asc>`__
* src: fix ICMPv6 / MLDv2 out-of-bounds memory access `[9] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:19.mldv2.asc>`__
* src: fix insufficient message length validation in bsnmp library `[10] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:20.bsnmp.asc>`__
* src: fix insufficient validation of guest-supplied data (e1000 device) `[11] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:21.bhyve.asc>`__
* src: fix IPv6 remote denial of service `[12] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:22.mbuf.asc>`__
* src: fix kernel memory disclosure from /dev/midistat `[13] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:23.midi.asc>`__
* src: fix reference count overflow in mqueuefs `[14] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:24.mqueuefs.asc>`__
* ports: hostapd 2.9 `[15] <https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog>`__
* ports: nghttp2 1.39.2 `[16] <https://github.com/nghttp2/nghttp2/releases/tag/v1.39.2>`__
* ports: openldap 2.4.48 `[17] <https://www.openldap.org/software/release/changes.html>`__
* ports: perl 5.30.0 `[18] <https://metacpan.org/pod/release/XSAWYERX/perl-5.30.0/pod/perldelta.pod>`__
* ports: php 7.2.21 `[19] <https://www.php.net/ChangeLog-7.php#7.2.21>`__
* ports: py-openssl 19.0.0 `[20] <https://www.pyopenssl.org/en/stable/changelog.html>`__
* ports: syslog-ng 3.22.1 `[21] <https://github.com/balabit/syslog-ng/releases/tag/syslog-ng-3.22.1>`__
* ports: wpa_supplicant 2.9 `[22] <https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog>`__


--------------------------------------------------------------------------
19.7.2 (August 05, 2019)
--------------------------------------------------------------------------


This update ships the latest FreeBSD security advisories along with several
smaller improvements and fixes. Sunny Valley Networks is the first vendor
to introduce additional software to the plugin framework in the form of the
Sensei plugin.

Here are the full patch notes:

* system: missing "<PRI>" in legacy output via Syslog-ng
* system: fix writing gateway information for DNS servers
* system: allow gateway to work in DHCPv6 WAN when no router solicitation is available
* firewall: unhide automatic interface-based output rules
* firewall: unhide automatic non-interface-based floating rules
* firewall: lift length restriction in NAT rule description
* firewall: avoid newlines in rule descriptions
* firewall: only show usable addresses in NAT outbound rules
* interfaces: fix extended CARP output when parsing interface information
* interfaces: add more outputs to overview page to increase usefulness
* interfaces: use shared DHCP lease reader for ARP list
* captive portal: fix binary read issue in Python 3
* dhcp: fix DHCPv4 relay interface selection (contributed by jayantsahtoe)
* firmware: handle file signature verify correctly with multiple fingerprint repositories
* firmware: Aivian mirror is no longer active
* firmware: Cloudfence mirror in Brazil added
* plugins: os-acme-client 1.24 `[1] <https://github.com/opnsense/plugins/pull/1399>`__
* plugins: os-bind 1.6 (contributed by crazy-max)
* plugins: os-dnscrypt-proxy 1.5 (contributed by crazy-max)
* plugins: os-grid_example 1.0 `[2] <https://docs.opnsense.org/development/examples/using_grids.html>`__
* plugins: os-helloworld Python 3 compatibility `[3] <https://docs.opnsense.org/development/examples/helloworld.html>`__
* plugins: os-nut 1.5 adds Riello driver (contributed by Michael Muenz)
* plugins: os-sunnyvalley 1.0 `[4] <https://docs.opnsense.org/third_party_plugins.html>`__ `[5] <https://www.sunnyvalley.io/sensei>`__
* src: fix panic from Intel CPU vulnerability mitigation `[6] <https://www.freebsd.org/security/advisories/FreeBSD-EN-19:13.mds.asc>`__
* src: fix multiple telnet client vulnerabilities `[7] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:12.telnet.asc>`__
* src: fix pts write-after-free `[8] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:13.pts.asc>`__
* src: fix kernel memory disclosure in freebsd32_ioctl `[9] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:14.freebsd32.asc>`__
* src: fix reference count overflow in mqueuefs `[10] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:15.mqueuefs.asc>`__
* src: fix byhve out-of-bounds read in XHCI device `[11] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:16.bhyve.asc>`__
* src: fix file descriptor reference count leak `[12] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:17.fd.asc>`__
* ports: libevent 2.1.11 `[13] <https://raw.githubusercontent.com/libevent/libevent/release-2.1.11-stable/ChangeLog>`__


--------------------------------------------------------------------------
19.7.1 (July 25, 2019)
--------------------------------------------------------------------------


We do not wish to keep you from enjoying your summer time, but this
is a recommended security update enriched with reliability fixes for the
new 19.7 series. Of special note are performance improvements as well
as a fix for a longstanding NAT before IPsec limitation.

Here are the full patch notes:

* system: do not create automatic copies of existing gateways
* system: do not translate empty tunables descriptions
* system: remove unwanted form action tags
* system: do not include Syslog-ng in rc.freebsd handler
* system: fix manual system log stop/start/restart
* system: scoped IPv6 "%" could confuse mwexecf(), use plain mwexec() instead
* system: allow curl-based downloads to use both trusted and local authorities
* system: fix group privilege print and correctly redirect after edit
* system: use cached address list in referrer check
* system: fix Syslog-ng search stats
* firewall: HTML-escape dynamic entries to display aliases
* firewall: display correct IP version in automatic rules
* firewall: fix a warning while reading empty outbound rules configuration
* firewall: skip illegal log lines in live log
* interfaces: performance improvements for configurations with hundreds of interfaces
* reporting: performance improvements for Python 3 NetFlow aggregator rewrite
* dhcp: move advanced router advertisement options to correct config section
* ipsec: replace global array access with function to ensure side-effect free boot
* ipsec: change DPD action on start to "dpdaction = restart"
* ipsec: remove already default "dpdaction = none" if not set
* ipsec: use interface IP address in local ID when doing NAT before IPsec
* web proxy: fix database reset for Squid 4 by replacing use of ssl_crtd with security_file_certgen
* plugins: os-acme-client 1.24 `[1] <https://github.com/opnsense/plugins/pull/1399>`__
* plugins: os-bind 1.6 `[2] <https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr>`__
* plugins: os-dnscrypt-proxy 1.5 `[3] <https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr>`__
* plugins: os-frr now restricts characters BGP prefix-list and route-maps `[4] <https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr>`__
* plugins: os-google-cloud-sdk 1.0 `[5] <https://github.com/opnsense/plugins/pull/1392>`__
* ports: curl 7.65.3 `[6] <https://curl.haxx.se/changes.html>`__
* ports: monit 5.26.0 `[7] <https://mmonit.com/monit/changes/>`__
* ports: openssh 8.0p1 `[8] <https://www.openssh.com/txt/release-8.0>`__
* ports: php 7.2.20 `[9] <https://www.php.net/ChangeLog-7.php#7.2.20>`__
* ports: python 3.7.4 `[10] <https://www.python.org/downloads/release/python-374/>`__
* ports: sqlite 3.29.0 `[11] <https://sqlite.org/releaselog/3_29_0.html>`__
* ports: squid 4.8 `[12] <http://lists.squid-cache.org/pipermail/squid-announce/2019-July/000100.html>`__


--------------------------------------------------------------------------
19.7 (July 17, 2019)
--------------------------------------------------------------------------


For four and a half years now, OPNsense is driving innovation through
modularising and hardening the open source firewall, with simple
and reliable firmware upgrades, multi-language support, HardenedBSD
security, fast adoption of upstream software updates as well as clear
and stable 2-Clause BSD licensing.

19.7, nicknamed "Jazzy Jaguar", embodies an iteration of what should be
considered enjoyable user experience for firewalls in general: improved
statistics and visibility of rules, reliable and consistent live logging
and alias utility improvements. Apart from the usual upgrades of third
party software to up-to-date releases, OPNsense now also offers built-in
remote system logging through Syslog-ng, route-based IPsec, updated
translations with Spanish as a brand new and already fully translated
language and newer Netmap code with VirtIO, VLAN child and vmxnet support.

Last but not least we would like to thank m.a.x. it for their sponsorship
of the default gateway priority switching feature and their continued work
of writing and maintaining plenty of community plugins. This time around,
Maltrail, Netdata and WireGuard VPN have been freshly added to the mix.

Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
can be found below as well.

* Europe: https://opnsense.c0urier.net/releases/19.7/
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.7/
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.7/
* South America: http://mirror.upb.edu.co/opnsense/releases/19.7/
* South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.7/
* Full mirror list: https://opnsense.org/download/

These are the most prominent changes since version 19.1:

* List automatic firewall rules
* Statistics for all firewall rules
* Alias JSON import / export
* Optional statistics for aliases
* Firewall rule locator for live log and automatic rules
* Rewritten gateway handling and switching
* Remote logging via Syslog-ng
* LDAP group sync support
* Support certificate signing requests
* Route-based IPsec support (VTI)
* XMLRPC sync support for alias, VHID, widgets
* Unbound host overrides alias support
* Web proxy and IPsec authentication using PAM
* Parent web proxy support
* Web proxy login privilege via group
* Improved reliability and utility of opnsense-patch
* Dpinger and DHCP servers ported to plugin framework
* Language updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese
* Spanish as a new language
* Netdata, WireGuard, Maltrail and Mail-Backup (PGP) plugin
* Netmap update for VirtIO, VLAN child and vmxnet support
* Bootstrap 3.4, LibreSSL 2.9, Unbound 1.9, PHP 7.2, Python 3.7, Squid 4

And here are the full changes against version 19.7-RC1:

* system: lower automatic gateway priority for tunnel interfaces
* system: only show enabled interfaces on gateway edit
* system: speed up console banner interface print
* interfaces: typo in default WAN selection for packet capture
* interfaces: support multiple interfaces for packet capture
* interfaces: fix ambiguity in get_parent_interface()
* firewall: restart filterlog with every filter reload
* firmware: add update syshook
* ipsec: phase2 IP type selector using the wrong class
* reporting: fix Insight bug not processing top port and address statistics
* ui: window_highlight_table_option() fix for Safari
* wizard: improve logo contrast in welcome message
* plugins: os-frr redistribute configuration fix (contributed by Cedric Vanet)
* plugins: os-intrusion-detection-content-et-pro 1.0.1 now uses suricata-4.0 rulesets
* plugins: os-haproxy 2.17 `[2] <https://github.com/opnsense/plugins/pull/1347>`__ `[3] <https://github.com/opnsense/plugins/pull/1408>`__
* plugins: os-mail-backup 1.0 (contributed by Joao Vilaca)
* plugins: os-maltrail 1.0 (contributed by Michael Muenz)
* plugins os-smart 2.0 MVC conversion (contributed by Smart-Soft)
* plugins: os-tinc chroot setup with resolv.conf
* plugins: os-wireguard 1.0 (contributed by Michael Muenz)
* plugins: os-wol 2.2 fixes byte conversion
* src: bump netmap ring size, still too small in FreeBSD
* src: add FCC6_FCCA regulatory domain to ath_hal(4)
* src: restore IPV6_NEXTHOP option support
* src: fix privilege escalation in cd(4) driver `[4] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:11.cd_ioctl.asc>`__
* src: fix kernel stack disclosure in UFS/FFS `[5] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:10.ufs.asc>`__
* src: fix iconv buffer overflow `[6] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:09.iconv.asc>`__
* src: import tzdata 2019b
* ports: ca_root_nss 3.45
* ports: filterlog 0.3 will not print to console and lowercase IPv6 protocol output
* ports: postfix update is now non-interactive to prevent stalls
* ports: rrdtool 1.7.2 `[7] <https://github.com/oetiker/rrdtool-1.x/releases/tag/v1.7.2>`__

Known issues and limitations:

* Web proxy squid update from version 3 to 4 breaks the cache database. To repair go to "Services: Web Proxy: Administration" tab "Support" and click "Reset".
* Web proxy login privilege is no longer available. Access may be restricted by a group selector instead.
* Nano images require a reinstall using the latest image to avoid inode shortage which makes the system appear to run out of space during recent 19.1.x updates.
* OpenVPN no longer supports listening on gateway groups. Use localhost paired with port forwards instead.

The public key for the 19.7 series is:

.. code-block::

    # -----BEGIN PUBLIC KEY-----
    # MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAv2syLqN/IMuADI42aTXx
    # HRbX3YljURN1dhhjYoqOc/7uZKVc7UJk79q49x8VZmC0edhHiNKfrhj5g3htsPgu
    # N/eFsc1MZv+J2rfSF7L5NV3D5dU9nuBc75wb9SRIXm7XiiiuInMNRBlJsiFeiuJm
    # oaE/zqgr75m+cc7sdNQnQQk9+APr4LdksX0bllRmxfhLjDKgiSVe+Yq9kje/JHyf
    # je5i3MI9WT80o46IZc/oN4q9RG7n6gaIFBVckCwCKsnNZlDCvb1Sr0tdKs58fswj
    # fxMvouMBf+Jk/0dOEZnoIFYb436H2CUfabiPX3Vm4r3MU4dr5m41WlCH/984cBKy
    # QSM8h4nSAs/naj5c5YDe4qmwUBxwPIvJPVC/vuWLusyg1gYbloj3EIc1uv2YCkKw
    # 0ra7Hocln3+7Jf2Yn/yn6yaCNdoJY2Blvo84giuklDqdBIKggDHSxGrLKDBshSR3
    # hapkFRoR7BhnoT14E8DMgD23g9tcwce1AJJ6mZ/DraBx5l11P1ZXLqnyCpvOt5oV
    # HmMZ9/Xu0naPUC8IxVSNew8j3liPbc5oKV0kQ/TRQTevOBLJ8QA7Y5YdPu0cS4qw
    # Jq3fGnsRt/0+i1Vs7q51KJLNECHyhWm6zYAfST22ohTUgo2ByoM8r0aRslmiG6JS
    # +ancHD4lnnHRd+4ybevUft0CAwEAAQ==
    # -----END PUBLIC KEY-----


.. code-block::

    # SHA256 (OPNsense-19.7-OpenSSL-dvd-amd64.iso.bz2) = e022217d367abaf4fd1360f83e4664d28b3f37932dfe720974b9d7dc33bf50f7
    # SHA256 (OPNsense-19.7-OpenSSL-nano-amd64.img.bz2) = 6fffefa0b09daea397e83f67bf730392125b720043c455597c05d3d80c2baa29
    # SHA256 (OPNsense-19.7-OpenSSL-serial-amd64.img.bz2) = 98854d5a0a03850273aa2ebdd7e7b095dfec6a1e6b57341817bb5f5ffab2ca7b
    # SHA256 (OPNsense-19.7-OpenSSL-vga-amd64.img.bz2) = 523e924586e431ccd421bb85ba1245ce4c8f3a6141b59623f5083d3e36bac592

.. code-block::

    # SHA256 (OPNsense-19.7-OpenSSL-dvd-i386.iso.bz2) = 64c4e58966ab373a0aa6a544b020a39c5b86ecb79cb2988ac1f74b382c7d4765
    # SHA256 (OPNsense-19.7-OpenSSL-nano-i386.img.bz2) = 3fa6af965f5996a718982617b5a13199747d237a669867b1ffecc951c3ebe455
    # SHA256 (OPNsense-19.7-OpenSSL-serial-i386.img.bz2) = f0c76142f83b4988defa3fddc7a4cf2d930cbb0aee623d7b064462e25e146297
    # SHA256 (OPNsense-19.7-OpenSSL-vga-i386.img.bz2) = b425882604886a395730abeaa6a26b8805647609712f61c342cee29f58160006

--------------------------------------------------------------------------
19.7.r1 (July 09, 2019)
--------------------------------------------------------------------------


For four and a half years now, OPNsense is driving innovation through
modularising and hardening the open source firewall, with simple
and reliable firmware upgrades, multi-language support, HardenedBSD
security, fast adoption of upstream software updates as well as clear
and stable 2-Clause BSD licensing.

We thank all of you for helping test, shape and contribute to the project!
We know it would not be the same without you.

Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
can be found below as well.

* Europe: https://opnsense.c0urier.net/releases/19.7/
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.7/
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.7/
* South America: http://mirror.upb.edu.co/opnsense/releases/19.7/
* South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.7/
* Full mirror list: https://opnsense.org/download/

Here are the full changes against version 19.1.10:

* system: new remote syslog setup via Syslog-ng
* system: gateway handling rewrite
* system: default gateway switching priority control (sponsored by m.a.x. it `[2] <https://www.max-it.de/>`__ )
* system: dpinger ported to plugin framework
* system: bring back PHP warning log level
* system: use authentication factory for user import
* interfaces: VLAN, bridge, LAGG, GRE, GIF setup refactor
* interfaces: improve load sequence to allow DHCPv6 on bridges
* interfaces: GIF, GRE, IPsec and OpenVPN will no longer accept IP configuration
* interfaces: speed up get_real_interface() by assuming interfaces exist
* interfaces: sort interface groups and require rules apply if necessary (contributed by Robin Schneider)
* interfaces: background PPPoE connect and disconnect
* interfaces: only IP-address allowed in PPP gateway (contributed by Smart-Soft)
* interfaces: simplified linking VIPs to interfaces
* interfaces: removed interface_has_gateway()
* interfaces: removed interface_has_gatewayv6()
* interfaces: removed get_failover_interface()
* interfaces: removed rc.kill_states
* firewall: ability to view automatic rules
* firewall: rule origin locator in live log and automatic rules listing
* firewall: show statistics for all active rules including automatic ones
* firewall: optional statistics for alias tables
* firewall: fix translation of shaper mask "none" value
* firewall: add ipv6-icmp type selection
* firewall: rule listing layout update
* reporting: new NetFlow reader in Python 3
* reporting: validate that NetFlow WAN interfaces are also added to listening interfaces
* dhcp: ported to plugin framework
* dhcp: added failover split to DHCPv4 (contributed by Wolfgang Pedot)
* dhcp: fix ddnsdomainprimary setting validation
* dhcp: added advanced options for router advertisements
* dhcp: removed remove rasend/ranosend checkbox
* dhcp: simplify DHCPv4 interface lookup on lease page
* dhcp: use AdvDefaultLifetime 0 when default route shall not be advertised
* firmware: support reading package repository and origin
* firmware: warn on third party package installation
* firmware: synchronise update checks to avoid "not responding" errors
* firmware: fix empty update list on release type change
* images: nano image now supports future-proof number of inodes
* installer: support password reset in opnsense-importer
* intrusion detection: allow rule action bulk changes
* intrusion detection: minor usability improvements
* intrusion detection: support eve system log output
* openvpn: removed gateway group listening support
* openvpn: no longer restart servers on CARP events
* openvpn: reduced complexity in service handling
* web proxy: replace proxy login privilege "user-proxy-auth" with group selector
* backend: ported remaining scripts to Python 3
* backend: add helpers.glob() to enable template traversal
* backend: new "monitor" hook for rc.syshook
* mvc: do not add "none" in AuthGroupField if multiple select
* mvc: allow sorting JsonKeyValueStoreField by value
* ui: remember previous selected columns and row count on several MVC pages
* ui: apply alert reminders for several MVC pages
* ui: add failed callback to saveFormToEndpoint()
* ui: core theme color update
* ui: fix file size suffix (contributed by Fabian Franz)
* ui: add useRequestHandlerOnGet option
* ui: bootstrap 3.4.1 `[3] <https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/>`__
* src: netmap VirtIO, VLAN child and vmxnet support
* src: fix races in tun(4)/tap(4) drivers
* ports: squid 4.7 `[4] <http://squid.mirror.colo-serv.net/archive/4/squid-4.0.7-RELEASENOTES.html>`__
* ports: syslog-ng 3.21.1 `[5] <https://github.com/balabit/syslog-ng/releases/tag/syslog-ng-3.21.1>`__

Known issues and limitations:

* Filterlog spamming console due to new Syslog-ng integration. Temporary workaround is stopping filterlog via "pkill filterlog".
* OpenVPN no longer supports listening on gateway groups. Use localhost paired with port forwards instead.
* The web proxy login privilege is no longer available. Access may be restricted by a group selector instead.
* Web proxy squid update from version 3 to 4 breaks the cache database. To repair go to "Services: Web Proxy: Administration" tab "Support" and click "Reset".
* Nano images require a reinstall using the latest image to avoid inode shortage which makes the system appear to run out of space during recent 19.1.x updates.

The public key for the 19.7 series is:

.. code-block::

    # -----BEGIN PUBLIC KEY-----
    # MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAv2syLqN/IMuADI42aTXx
    # HRbX3YljURN1dhhjYoqOc/7uZKVc7UJk79q49x8VZmC0edhHiNKfrhj5g3htsPgu
    # N/eFsc1MZv+J2rfSF7L5NV3D5dU9nuBc75wb9SRIXm7XiiiuInMNRBlJsiFeiuJm
    # oaE/zqgr75m+cc7sdNQnQQk9+APr4LdksX0bllRmxfhLjDKgiSVe+Yq9kje/JHyf
    # je5i3MI9WT80o46IZc/oN4q9RG7n6gaIFBVckCwCKsnNZlDCvb1Sr0tdKs58fswj
    # fxMvouMBf+Jk/0dOEZnoIFYb436H2CUfabiPX3Vm4r3MU4dr5m41WlCH/984cBKy
    # QSM8h4nSAs/naj5c5YDe4qmwUBxwPIvJPVC/vuWLusyg1gYbloj3EIc1uv2YCkKw
    # 0ra7Hocln3+7Jf2Yn/yn6yaCNdoJY2Blvo84giuklDqdBIKggDHSxGrLKDBshSR3
    # hapkFRoR7BhnoT14E8DMgD23g9tcwce1AJJ6mZ/DraBx5l11P1ZXLqnyCpvOt5oV
    # HmMZ9/Xu0naPUC8IxVSNew8j3liPbc5oKV0kQ/TRQTevOBLJ8QA7Y5YdPu0cS4qw
    # Jq3fGnsRt/0+i1Vs7q51KJLNECHyhWm6zYAfST22ohTUgo2ByoM8r0aRslmiG6JS
    # +ancHD4lnnHRd+4ybevUft0CAwEAAQ==
    # -----END PUBLIC KEY-----

Please let us know about your experience!


.. code-block::

    # SHA256 (OPNsense-19.7.r1-OpenSSL-dvd-amd64.iso.bz2) = 5014dba896a425d15fbedcb44f2deec7fb5aee6a1b7c95833b819f8d352de6a1
    # SHA256 (OPNsense-19.7.r1-OpenSSL-nano-amd64.img.bz2) = b9d6ccbfdcb88f813a6494efb13647d1715500551c7dc51f632766b19189c6bc
    # SHA256 (OPNsense-19.7.r1-OpenSSL-serial-amd64.img.bz2) = 86050bffa626247cfe0374d28994a52f9e10490b20a81539f5d2784676280c17
    # SHA256 (OPNsense-19.7.r1-OpenSSL-vga-amd64.img.bz2) = 3a7ae31f6429e519060a717b6248d13620a1e5caba43f44afaf4a7dd4e6634e6

.. code-block::

    # SHA256 (OPNsense-19.7.r1-OpenSSL-dvd-i386.iso.bz2) = 4c0e54982d92279e7273c74cac183290e89219f75b4c1f55a42bad0331bdf321
    # SHA256 (OPNsense-19.7.r1-OpenSSL-nano-i386.img.bz2) = 5db5dfc0bfb15a593dae689b58e65d556e935c326741729ad37507a952a51426
    # SHA256 (OPNsense-19.7.r1-OpenSSL-serial-i386.img.bz2) = a20422c81c62c79264aec2cf83cb8734e2e0c954881200e6bc46d372f2432cf9
    # SHA256 (OPNsense-19.7.r1-OpenSSL-vga-i386.img.bz2) = f6ba92f987c024697e6599b72d905ac9a4fdcfe61c71e3f060dccf1efccd6d82

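Review bot: in the 19.7.2 notes, "src: fix byhve out-of-bounds read in XHCI device" misspells bhyve (the linked advisory is FreeBSD-SA-19:16.bhyve.asc); in the 19.7 notes, "plugins os-smart 2.0 MVC conversion" lacks the colon after "plugins" that every other entry carries; and the release candidate heading reads "19.7.r1" while the 19.7 notes call the same build "19.7-RC1", so one spelling should be used throughout. The ".. code-block::" directives around the public key and the checksums give no language argument, which only recent Sphinx versions accept; ".. code-block:: text" or a plain "::" literal block would render the same and build everywhere.
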
@ -0,0 +1,628 @@

===========================================================================================
20.1 "Keen Kingfisher" Series
===========================================================================================



For over 5 years now, OPNsense is driving innovation through modularising
and hardening the open source firewall, with simple and reliable firmware
upgrades, multi-language support, HardenedBSD security, fast adoption of
upstream software updates as well as clear and stable 2-Clause BSD licensing.

20.1, nicknamed "Keen Kingfisher", is a subtle improvement on sustainable
firewall experience. This release adds VXLAN and additional loopback device
support, IPsec public key authentication and elliptic curve TLS certificate
creation amongst others. Third party software has been updated to their
latest versions. The logging frontend was rewritten for MVC with seamless
API support. On the far side the documentation increased in quality as well
as quantity and now presents itself in a familiar menu layout.

Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
can be found below as well.

* Europe: https://opnsense.c0urier.net/releases/20.1/
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.1/
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.1/
* South America: http://mirror.upb.edu.co/opnsense/releases/20.1/
* South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/20.1/
* Full mirror list: https://opnsense.org/download/


--------------------------------------------------------------------------
20.1.9 (July 23, 2020)
--------------------------------------------------------------------------


20.7-RC1 is already available and the final release of 20.7 is scheduled
for July 30. A hotfix release for 20.1.9 will enable the upgrade path
some hours after the initial 20.7 announcement is out, but please note
that updated 32-bit builds (also known as i386) will no longer be available
from this day forward.

Here are the full patch notes:

* system: Windows-friendly Nextcloud configuration backup file timestamp (contributed by @Alphakilo)
* firewall: validate if NAT destination contains a port
* firewall: prevent config_read_array() from adding an empty lo0
* network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by @mikahe)
* network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by @mikahe)
* mvc: LegacyLinkField not allowed to return null in __toString()
* plugins: os-collectd 1.3 `[1] <https://github.com/opnsense/plugins/blob/master/net-mgmt/collectd/pkg-descr>`__
* plugins: os-dyndns 1.22 `[2] <https://github.com/opnsense/plugins/pull/1654>`__
* plugins: os-telegraf 1.8.1 `[3] <https://github.com/opnsense/plugins/blob/master/net-mgmt/telegraf/pkg-descr>`__
* plugins: os-theme-rebellion 1.8.6 (contributed by Team Rebellion)
* plugins: os-tinc fixes switch mode `[4] <https://github.com/opnsense/plugins/pull/1733>`__
* plugins: os-wireguard 1.2 `[5] <https://github.com/opnsense/plugins/pull/1865>`__
* ports: ca_root_nss 3.54
* ports: curl 7.71.1 `[6] <https://curl.haxx.se/changes.html>`__
* ports: dnsmasq 2.82 `[7] <https://www.thekelleys.org.uk/dnsmasq/CHANGELOG>`__
* ports: monit 5.27.0 `[8] <https://mmonit.com/monit/changes/>`__
* ports: php 7.3.20 `[9] <https://www.php.net/ChangeLog-7.php#7.3.20>`__
* ports: python 3.7.8 `[10] <https://www.python.org/downloads/release/python-378/>`__
* ports: sqlite 3.32.3 `[11] <https://www.sqlite.org/changes.html>`__
* ports: syslog-ng 3.27.1 `[12] <https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.27.1>`__

A hotfix release was issued as 20.1.9_1:

* firmware: enable upgrade path to 20.7 (amd64 only)


--------------------------------------------------------------------------
20.1.8 (July 02, 2020)
--------------------------------------------------------------------------


Sorry about the delay while we chased a race condition in the updates back
to an issue with the latest FreeBSD package manager updates. For now we
reverted to our current version but all relevant third party packages have
been updated as updates became available over the last weeks, e.g. cURL and
Python, and hostapd / wpa_supplicant amongst others.

Here are the full patch notes:

* system: simpler get_interface_ip() usage in IPv4 renewal
* system: allow HA sync of network time settings
* system: download all filtered items in log export
* system: add support for upstream LDAP accounts in Nextcloud backup (contributed by Fabian Franz)
* interfaces: fix stateless DHCPv6 for track6 interfaces (contributed by Maurice Walker)
* firewall: fix missing address filter error by moving NAT targets to runtime resolve
* firewall: prevent gateway protocol mismatch from breaking the ruleset
* firewall: work around categories typeahead issue with recent jQuery libraries
* firewall: improve alias help text (contributed by Team Rebellion)
* firewall: switch from single log filter to one per attribute
* intrusion detection: when enabling rules prefixed with "# " consume the extra space (contributed by Tra5is)
* intrusion detection: less sensitive rule parsing
* intrusion detection: compress stats.log backups
* ipsec: valid IPSec Phase 2 hash config warning raises GUI alert (contributed by Brett Merrick)
* unbound: add DNS64 support (contributed by Maurice Walker)
* web proxy: fix wrong button label for Download ACLs (contributed by 90er)
* mvc: add sort_flags optional parameter support (contributed by NOYB)
* rc: add full PATH to rc.syshook invoke
* plugins: os-acme-client `[1] <https://github.com/opnsense/plugins/pull/1851>`__ `[2] <https://github.com/opnsense/plugins/pull/1880>`__
* plugins: os-dnscrypt-proxy 1.8 `[3] <https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr>`__
* plugins: os-dyndns 1.21 improves Cloudflare support (contributed by Andreas Rupper)
* plugins: os-freeradius 1.9.7 `[4] <https://github.com/opnsense/plugins/pull/1726>`__
* plugins: os-haproxy 2.23 `[5] <https://github.com/opnsense/plugins/pull/1883>`__
* plugins: os-intrusion-detection-content-snort-vrt 1.1
* plugins: os-stunnel 1.0 `[6] <https://docs.opnsense.org/manual/how-tos/stunnel.html>`__ (sponsored by Incenter Technology)
* plugins: os-tayga 1.1 `[7] <https://github.com/opnsense/plugins/pull/1826>`__
* plugins: os-theme-rebellion 1.8.4 `[8] <https://github.com/opnsense/plugins/pull/1892>`__
* ports: ca_root_nss 3.53
* ports: curl 7.71.0 `[9] <https://curl.haxx.se/changes.html>`__
* ports: hostapd / wpa_supplicant UPnP SUBSCRIBE advisory `[10] <https://w1.fi/security/2020-1/upnp-subscribe-misbehavior-wps-ap.txt>`__
* ports: krb5 1.18.2 `[11] <https://web.mit.edu/kerberos/krb5-1.18/>`__
* ports: ntp 4.2.8p15 `[12] <http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities>`__
* ports: pcre 8.44 `[13] <https://www.pcre.org/original/changelog.txt>`__
* ports: perl 5.30.3 `[14] <https://perldoc.perl.org/5.30.3/perldelta.html>`__
* ports: php 7.3.19 `[15] <https://www.php.net/ChangeLog-7.php#7.3.19>`__
* ports: python CVE-2019-18348 and CVE-2020-8492
* ports: sqlite 3.32.2 `[16] <https://www.sqlite.org/changes.html>`__
* ports: sudo 1.9.1 `[17] <https://www.sudo.ws/stable.html#1.9.1>`__
* ports: unbound 1.10.1 `[18] <https://nlnetlabs.nl/projects/unbound/download/#unbound-1-10-1>`__

A hotfix release was issued as 20.1.8_1:

* ipsec: fix status page display after third party library update
* plugins: os-dyndns fix for TTL validation (contributed by Andreas Rupper)


--------------------------------------------------------------------------
20.1.7 (May 20, 2020)
--------------------------------------------------------------------------


Today we move to PHP 7.3 in order to be able to complete testing for the
20.7-BETA online upgrades. Also included is a patch for the packet filter
kernel code which could crash with shared forwarding when interfaces
disappeared due to use after free in the default network stack path.

Here are the full patch notes:

* system: default net.inet.icmp.reply_from_interface to 1
* system: fix static gateway wizard handing
* firewall: allow outbound NAT source and destination port ranges
* interfaces: use interfaces_primary_address6() inside get_interface_ipv6()
* dhcp: add AdvLinkMTU to router advertisements settings (contributed by Ilteris Eroglu)
* unbound: prevent wildcard domains for the local system domain
* backend: suppress inconsequential IDNA warnings for aliases
* backend: add option to return a key value list for TLS ciphers
* mvc: reference constraint pointing validation results to the wrong field
* plugins: os-acme-client 1.32 adds Acmeproxy DNS support (contributed by Maarten den Braber)
* src: added Novatel Wireless MiFi 8800/8000 support (contributed by rootless4real)
* src: fix pf shared forwarding on non-existing interfaces
* src: patch in tty 3wire autologin support
* src: fix insufficient packet length validation in libalias `[1] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:12.libalias.asc>`__
* src: fix memory disclosure vulnerability in libalias `[2] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:13.libalias.asc>`__
* src: fix improper checking in SCTP-AUTH shared key update `[3] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:14.sctp.asc>`__
* src: fix use after free in cryptodev module `[4] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:15.cryptodev.asc>`__
* src: update to tzdata 2020a `[5] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:08.tzdata.asc>`__
* ports: ca_root_nss 3.52
* ports: curl 7.70.0 `[6] <https://curl.haxx.se/changes.html>`__
* ports: dhcp6c v20200512
* ports: hyperscan 5.2.1 `[7] <https://github.com/intel/hyperscan/releases/tag/v5.2.1>`__
* ports: openldap 2.4.50 `[8] <https://www.openldap.org/software/release/changes.html>`__
* ports: pcre2 10.35 `[9] <https://www.pcre.org/changelog.txt>`__
* ports: php 7.3.18 `[10] <https://www.php.net/ChangeLog-7.php#7.3.18>`__


--------------------------------------------------------------------------
|
||||
20.1.6 (April 30, 2020)
|
||||
--------------------------------------------------------------------------
|
||||
|
||||
|
||||
Quick update as planned. Here are the full patch notes:
|
||||
|
||||
* system: add data length option to gateway monitor settings
|
||||
* firewall: avoid greedy matching with live log parsing regression from 20.1.5
|
||||
* firmware: detect runtime defaults when using "make upgrade" with core.git
|
||||
* firmware: clean up packaging code and support ".link" file extension
|
||||
* firmware: use CORE_FLAVOUR instead of FLAVOUR when using opnsense-bootstrap
|
||||
* firmware: enable to optionally reach master branch when using opnsense-boostrap
|
||||
* firmware: allow overriding CORE_ABI when using opnsense-bootstrap
|
||||
* firmware: copy make.conf instead of linking when using opnsense-code
|
||||
* firmware: always fetch tools.git when using opnsense-code
|
||||
* rc: use "onifexists" for VGA TTY instead of "on"
|
||||
* rc: missing ntpd user on 20.7 / 12.1
|
||||
* plugins: os-unbound-plus DoT validation fix (contributed by Michael Muenz)
|
||||
* src: fix ipfw invalid mbuf handling `[1] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:10.ipfw.asc>`__
|
||||
* ports: libyaml 0.2.4 `[2] <https://raw.githubusercontent.com/yaml/libyaml/master/Changes>`__
|
||||
* ports: openssl 1.1.1g `[3] <https://www.openssl.org/news/openssl-1.1.1-notes.html>`__
|
||||
* ports: py-yaml 5.3.1 `[4] <https://raw.githubusercontent.com/yaml/pyyaml/master/CHANGES>`__
|
||||
* ports: radvd 2.18 `[5] <http://www.litech.org/radvd/CHANGES.txt>`__
|
||||
* ports: sqlite 3.31.1 `[6] <https://www.sqlite.org/changes.html>`__
|
||||
* ports: squid 4.11 `[7] <http://ftp.meisei-u.ac.jp/mirror/squid/squid-4.11-RELEASENOTES.html>`__
|
||||
* ports: suricata 4.1.8 `[8] <https://suricata-ids.org/2020/04/28/suricata-4-1-8-released/>`__
|
||||
|
||||
|
||||
|
||||
--------------------------------------------------------------------------
|
||||
20.1.5 (April 23, 2020)
|
||||
--------------------------------------------------------------------------
|
||||
|
||||
|
||||
Today ships the first release version of the supplemental firewall rule
|
||||
API via plugin, a new firewall shaper statistics GUI and API and the usual
|
||||
number of improvements and third party updates.
|
||||
|
||||
Note that this version does not ship OpenSSL 1.1.1g as at this point our
|
||||
release decision would have been to push 20.1.5 to next week or do a
|
||||
smaller 20.1.6 next week on top.
|
||||
|
||||
Here are the full patch notes:
|
||||
|
||||
* system: support configuration for SSH HostKeyAlgorithms, KexAlgorithms, Ciphers and MACs
|
||||
* system: simplify validations in gateway monitor settings
|
||||
* interfaces: mark VXLAN and loopback devices as configurable
|
||||
* interfaces: validation typo caused failure to communicate unassignable targets
|
||||
* interfaces: netstat tree view GUI and API
|
||||
* interfaces: use libxo to extract ARP data
|
||||
* firewall: checkbox selection ignores visibility setting
|
||||
* firewall: add network group type to combine aliases cleanly
|
||||
* firewall: IPv6 essential icmpv6 allow for ::
|
||||
* firewall: new shaper statistics GUI and API
|
||||
* firewall: support filter log messages with PID
|
||||
* reporting: when flow times are not returned stick to receive timestamp
|
||||
* openvpn: use multihome when selecting "any" interface with UDP
|
||||
* unbound: create shared startup script for background task
|
||||
* mvc: also store "" field value as initial state to prevent empty fields as being marked as changed
|
||||
* mvc: firewall source NAT ranges support in plugins
|
||||
* mvc: keep options in static set for PortField
|
||||
* mvc: support interface targets without addresses
|
||||
* mvc. add "migration_prefix" attribute to model
|
||||
* mvc: catch ArgumentCountError
|
||||
* mvc: skip empty gateway artefact
|
||||
* plugins: os-acme-client 1.31 `[1] <https://github.com/opnsense/plugins/pull/1784>`__
|
||||
* plugins: os-firewall 1.0 API supplemental package
|
||||
* plugins: os-haproxy 2.22 `[2] <https://github.com/opnsense/plugins/pull/1783>`__
|
||||
* plugins: os-unbound-plus 1.1 `[3] <https://github.com/opnsense/plugins/blob/master/dns/unbound-plus/pkg-descr>`__
|
||||
* plugins: os-wol 2.3 adds case insensitive matching in widget (contributed by Gauss23)
|
||||
* ports: ca_root_nss 3.51.1
|
||||
* ports: dnsmasq 2.81 `[4] <https://www.thekelleys.org.uk/dnsmasq/CHANGELOG>`__
|
||||
* ports: krb5 1.18.1 `[5] <https://web.mit.edu/kerberos/krb5-1.18/>`__
|
||||
* ports: openvpn 2.4.9 `[6] <https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.9>`__
|
||||
* ports: php 7.2.30 `[7] <https://www.php.net/ChangeLog-7.php#7.2.30>`__
|
||||
* ports: py-certifi 2020.4.5.1
|
||||
* ports: strongswan 5.8.4 `[8] <https://wiki.strongswan.org/versions/77>`__
|
||||
|
||||
|
||||
|
||||
--------------------------------------------------------------------------
|
||||
20.1.4 (April 08, 2020)
|
||||
--------------------------------------------------------------------------
|
||||
|
||||
|
||||
It almost looks like business as usual. But we all know it is not.
|
||||
We will get through this together.
|
||||
|
||||
Here are the full patch notes:
|
||||
|
||||
* system: add missing strtolower() in LDAP sync response
|
||||
* system: fix /var/run/legacy_log socket creation race with Syslog-ng
|
||||
* system: add info button to display privilege / ACL endpoints
|
||||
* system: make IPsec tap tunables overwriteable
|
||||
* firewall: floating means either all interfaces or more than one selected
|
||||
* firewall: simplify group maintenance by only applying them on filter reload
|
||||
* interfaces: use primary IPv6 and support VIP tracking
|
||||
* interfaces: multiple changes in radvd.conf setup (contributed by maurice-w)
|
||||
* dhcp: fix DDNS support in DHCPv6 (contributed by Wagner Sartori Junior)
|
||||
* firmware: mirror opnsense.ieji.de renamed to opn.sense.nz
|
||||
* openvpn: improve openvpn_port_used() logic
|
||||
* unbound: minor cleanup in /api/unbound/diagnostics/stats endpoint
|
||||
* unbound: remove 192.0.0.0/24 from rebinding prevention list (contributed by maurice-w)
|
||||
* mvc: simplify reload of captive portal, cron, IDS, alias, loopback, VXLAN, web proxy, routes, syslog and shaper
|
||||
* mvc: limit dropdown size to 10 if not specified
|
||||
* mvc: support inheritance of the ArrayField type
|
||||
* mvc: synchronize backup timestamps with revisions
|
||||
* mvc: fixed width for timestamp column in logging
|
||||
* mvc: init errorMessage to prevent crash reports
|
||||
* shell: use interfaces_primary_address6() for correct IPv6 display
|
||||
* shell: append a newline in pluginctl -g mode
|
||||
* plugins: os-acme-client 1.30 `[1] <https://github.com/opnsense/plugins/pull/1753>`__
|
||||
* plugins: os-bind 1.13 `[2] <https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr>`__
|
||||
* plugins: os-freeradius 1.9.6 `[3] <https://github.com/opnsense/plugins/blob/master/net/freeradius/pkg-descr>`__
|
||||
* plugins: os-haproxy 2.21 `[4] <https://github.com/opnsense/plugins/pull/1755>`__
|
||||
* plugins: os-maltrail 1.5 `[5] <https://github.com/opnsense/plugins/blob/master/security/maltrail/pkg-descr>`__
|
||||
* plugins: os-nginx 1.19 `[6] <https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr>`__
|
||||
* plugins: os-nut 1.7 `[7] <https://github.com/opnsense/plugins/blob/master/sysutils/nut/pkg-descr>`__
|
||||
* plugins: os-postfix 1.14 `[8] <https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr>`__
|
||||
* plugins: os-tayga 1.0 (contributed by Michael Muenz)
|
||||
* plugins: os-telegraf 1.7.7 `[9] <https://github.com/opnsense/plugins/blob/master/net-mgmt/telegraf/pkg-descr>`__
|
||||
* plugins: os-unbound-plus 1.0 (contributed by Michael Muenz and Petr Kejval)
|
||||
* lang: multiple updates to supported languages
|
||||
* lang: new Turkish translation (contributed by Aydin Yakar)
|
||||
* src: work around PCI devices which return all zeros for reads of existing MSI-X table VCTRL registers
|
||||
* src: fix incorrect checksum calculations with IPv6 extension headers `[10] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:06.ipv6.asc>`__
|
||||
* src: fix TCP IPv6 SYN cache kernel information disclosure `[11] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:04.tcp.asc>`__
|
||||
* src: fix insufficient oce(4) ioctl(2) privilege checking `[12] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:05.if_oce_ioctl.asc>`__
|
||||
* src: fix incorrect user-controlled pointer use in epair `[13] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:07.epair.asc>`__
|
||||
* src: fix kernel memory disclosure with nested jails `[14] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:08.jail.asc>`__
|
||||
* ports: curl 7.69.1 `[15] <https://curl.haxx.se/changes.html>`__
|
||||
* ports: krb5 1.18 `[16] <https://web.mit.edu/kerberos/krb5-1.18/>`__
|
||||
* ports: openssh 8.2p1 `[17] <https://www.openssh.com/txt/release-8.2>`__
|
||||
* ports: openssl 1.1.1f `[18] <https://www.openssl.org/news/openssl-1.1.1-notes.html>`__
|
||||
* ports: perl 5.30.2 `[19] <https://metacpan.org/pod/release/SHAY/perl-5.30.2/pod/perldelta.pod>`__
|
||||
* ports: php 7.2.29 `[20] <https://www.php.net/ChangeLog-7.php#7.2.29>`__
|
||||
* ports: python 3.7.7 `[21] <https://www.python.org/downloads/release/python-377/>`__
|
||||
* ports: strongswan 5.8.3 `[22] <https://wiki.strongswan.org/versions/76>`__
|
||||
* ports: sudo 1.8.31p1 `[23] <https://www.sudo.ws/stable.html>`__
|
||||
|
||||
|
||||
|
||||
--------------------------------------------------------------------------
|
||||
20.1.3 (March 18, 2020)
|
||||
--------------------------------------------------------------------------
|
||||
|
||||
|
||||
Quick reliability release for all of you out there doing the impossible
|
||||
providing VPN for road warriors and what not. Keep it up! :)
|
||||
|
||||
Here are the full patch notes:
|
||||
|
||||
* system: match group CN case-insensitive
|
||||
* system: added pluggable log format parsing facility
|
||||
* system: update nsComment in OpenSSL config (contributed by vnxme)
|
||||
* interfaces: fix missing default gateway switch on linkup event
|
||||
* firewall: properly lock alias_util API (contributed by Cedric Deconinck)
|
||||
* firewall: flush priority sections to /tmp/rules.debug
|
||||
* firewall: do not escape internal URLs
|
||||
* firmware: revoke 19.7 fingerprint
|
||||
* ipsec: add virtual IPv6 pool for mobile clients (contributed by vnxme)
|
||||
* ipsec: add MVC service control API
|
||||
* monit: simplify Monit reload
|
||||
* openvpn: properly swapped help texts regarding routes
|
||||
* unbound: multiple fixes in DHCP watcher
|
||||
* mvc: fix CountryField for static options
|
||||
* mvc: extend PortField to support multiple items
|
||||
* mvc: BaseListField plus PortField now use getValidationMessage() to bootstrap defaults
|
||||
* mvc: add NetworkAliasField, ProtocolField and LegacyLinkField types
|
||||
* mvc: apply PSR12 style as found on master
|
||||
* ui: add jQuery plugin to support a simple service reload/action button
|
||||
* ui: hook bootgrid javascript texts
|
||||
* plugins: os-munin-node 1.0 (contributed by Michael Muenz)
|
||||
* plugins: os-sunnyvalley 1.2 (contributed by Sunny Valley
|
||||
* plugins: os-wol: relax MAC address validation (contributed by Mikael Falkvidd)
|
||||
* ports: ca_root_nss 3.51
|
||||
* ports: ntp 4.2.8p14 `[1] <https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ChangeLog-stable>`__
|
||||
|
||||
|
||||
--------------------------------------------------------------------------
|
||||
20.1.2 (March 05, 2020)
|
||||
--------------------------------------------------------------------------
|
||||
|
||||
|
||||
Today we pick up the recent FreeBSD security advisories as well as
|
||||
the usual noise in bugfixes and third party updates. We are also at
|
||||
the brink of a first HardenedBSD 12.1 based image so stay tuned.
|
||||
|
||||
Here are the full patch notes:
|
||||
|
||||
* system: fix leap year issue in new log reader
|
||||
* system: add valid from and to dates to user certs display
|
||||
* system: drop unused services.inc and diag_logs_template.inc
|
||||
* interfaces: make sure descriptions are properly cleansed
|
||||
* interfaces: introduce interfaces_primary_address6()
|
||||
* interfaces: validate interface input in packet capture
|
||||
* firewall: immediately download GeoIP if not already found
|
||||
* firewall: improve performance when working with large number of aliases
|
||||
* firewall: fix visibility on internal CARP rules
|
||||
* captive portal: fix expiry and validity for vouchers (contributed by xx4h)
|
||||
* dhcp: fix DNS registration for DHCPv6 static mappings (contributed by maurice-w)
|
||||
* dhcp: add icons next to online/offline lease status (contributed by Tyler Ham)
|
||||
* ipsec: allow configuration of inactivity parameter (contributed by Marcel Menzel)
|
||||
* unbound: minor changes while scanning ACL subnets
|
||||
* web proxy: work around to skip passing additional auth properties
|
||||
* backend: allow pluginctl to return config.xml values
|
||||
* console: improve type checks in set address function
|
||||
* rc: join CARP early startup scripts
|
||||
* plugins: os-dnscrypt-proxy fix for setup.sh on reboot
|
||||
* plugins: os-dyndns 1.20 fixes verify restrictions, GratisDNS and missing break for Linode (contributed by NOYB, Johan Pramming, Andrew Gunnerson)
|
||||
* plugins: os-maltrail 1.4 `[1] <https://github.com/opnsense/plugins/blob/master/security/maltrail/pkg-descr>`__
|
||||
* plugins: os-nrpe fix for setup.sh on reboot
|
||||
* plugins: os-tinc 1.5 fixes bug in IPv6 support (contributed by vnxme)
|
||||
* src: fix imprecise ordering of SSP canary initialization `[2] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:01.ssp.asc>`__
|
||||
* src: fix nmount invalid pointer dereference `[3] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:02.nmount.asc>`__
|
||||
* src: fix libfetch buffer overflow `[4] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:01.libfetch.asc>`__
|
||||
* src: fix kernel stack data disclosure `[5] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:03.thrmisc.asc>`__
|
||||
* ports: ca_root_nss 3.50
|
||||
* ports: php 7.2.28 `[6] <https://www.php.net/ChangeLog-7.php#7.2.28>`__
|
||||
* ports: squid 4.10 `[7] <http://squid.mirror.colo-serv.net/archive/4/squid-4.10-RELEASENOTES.html>`__
|
||||
* ports: suricata 4.1.7 `[8] <https://suricata-ids.org/2020/02/13/suricata-4-1-7-released/>`__
|
||||
* ports: syslog-ng 3.25.1 `[9] <https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.25.1>`__
|
||||
* ports: unbound 1.10.0 `[10] <https://nlnetlabs.nl/projects/unbound/download/>`__
|
||||
|
||||
|
||||
|
||||
--------------------------------------------------------------------------
|
||||
20.1.1 (February 13, 2020)
|
||||
--------------------------------------------------------------------------
|
||||
|
||||
|
||||
A tiny update to keep everyone happy. :)
|
||||
|
||||
Here are the full patch notes:
|
||||
|
||||
* system: increase size of user SSH key input box
|
||||
* system: fix faulty PPP log link in the menu
|
||||
* system: fix a PHP warning on the general settings page
|
||||
* interfaces: update maximum MTU for 10Gb NICs (contributed by Len White)
|
||||
* firewall: fix rule statistics display for rules using tagging
|
||||
* reporting: fix missing separator in NetFlow configuration
|
||||
* firmware: add Quantum mirror in Hungary
|
||||
* openvpn: fix ifconfig-ipv6-push format
|
||||
* plugins: os-dnscrypt-proxy 1.7 `[1] <https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr>`__
|
||||
* plugins: os-net-snmp 1.4 `[2] <https://github.com/opnsense/plugins/blob/master/net-mgmt/net-snmp/pkg-descr>`__
|
||||
* plugins: os-nginx 1.18 `[3] <https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr>`__
|
||||
* plugins: os-theme-vicuna 1.0 (contributed by Team Rebellion)
|
||||
* ports: lighttpd 1.4.55 `[4] <https://www.lighttpd.net/2020/1/31/1.4.55/>`__
|
||||
* ports: openldap 2.4.49 `[5] <https://www.openldap.org/software/release/changes.html>`__
|
||||
* ports: pkg libfetch security fix `[6] <https://github.com/freebsd/freebsd-ports/commit/eec0b5c>`__
|
||||
* ports: sudo 1.8.31 `[7] <https://www.sudo.ws/stable.html#1.8.31>`__
|
||||
|
||||
|
||||
|
||||
--------------------------------------------------------------------------
|
||||
20.1 (January 30, 2020)
|
||||
--------------------------------------------------------------------------
|
||||
|
||||
|
||||
For over 5 years now, OPNsense is driving innovation through modularising
|
||||
and hardening the open source firewall, with simple and reliable firmware
|
||||
upgrades, multi-language support, HardenedBSD security, fast adoption of
|
||||
upstream software updates as well as clear and stable 2-Clause BSD licensing.
|
||||
|
||||
20.1, nicknamed "Keen Kingfisher", is a subtle improvement on sustainable
|
||||
firewall experience. This release adds VXLAN and additional loopback device
|
||||
support, IPsec public key authentication and elliptic curve TLS certificate
|
||||
creation amongst others. Third party software has been updated to their
|
||||
latest versions. The logging frontend was rewritten for MVC with seamless
|
||||
API support. On the far side the documentation increased in quality as well
|
||||
as quantity and now presents itself in a familiar menu layout.
|
||||
|
||||
Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
|
||||
can be found below as well.
|
||||
|
||||
* Europe: https://opnsense.c0urier.net/releases/20.1/
|
||||
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.1/
|
||||
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.1/
|
||||
* South America: http://mirror.upb.edu.co/opnsense/releases/20.1/
|
||||
* South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/20.1/
|
||||
* Full mirror list: https://opnsense.org/download/
|
||||
|
||||
These are the most prominent changes since version 19.7:
|
||||
|
||||
* Captive portal performance improvements
|
||||
* IPsec public key authentication support
|
||||
* Elliptic curve TLS certificate creation
|
||||
* CARP service demotion hook
|
||||
* VXLAN device support
|
||||
* Loopback device support
|
||||
* Extended firmware health audit checks
|
||||
* Support direction and non-quick on interface rules
|
||||
* Logging frontend migrated to MVC / API
|
||||
* PSR 12 coding style
|
||||
* Documentation for all core components
|
||||
* Python 3.7 is now the default Python version
|
||||
* LibreSSL 3.0 and OpenSSL 1.1.1
|
||||
* Google Backup API 2.4
|
||||
* jQuery 3.4.1
|
||||
|
||||
And here are the full patch notes against version 20.1-RC1:
|
||||
|
||||
* installer: welcome users as genuine 20.1 installer
|
||||
* rc: revert growfs change since Nano does not grow anymore
|
||||
* plugins: os-mail-backup 1.1 `[2] <https://github.com/opnsense/plugins/pull/1671>`__
|
||||
* plugins: os-nrpe 1.0 (contributed by Michael Muenz)
|
||||
* plugins: os-theme-rebellion 1.8.3 (contributed by Team Rebellion)
|
||||
* plugins: os-vnstat 1.2 `[3] <https://github.com/opnsense/plugins/blob/master/net/vnstat/pkg-descr>`__
|
||||
* plugins: zabbix4-proxy 1.2 `[4] <https://github.com/opnsense/plugins/blob/master/net-mgmt/zabbix4-proxy/pkg-descr>`__
|
||||
* ports: ca_root_nss 3.49.2
|
||||
* ports: curl 7.68.0 `[5] <https://curl.haxx.se/changes.html>`__
|
||||
* ports: isc-dhcp 4.4.2 `[6] <https://downloads.isc.org/isc/dhcp/4.4.2/dhcp-4.4.2-RELNOTES>`__
|
||||
* ports: php 7.2.27 `[7] <https://www.php.net/ChangeLog-7.php#7.2.27>`__
|
||||
* ports: urllib3 1.27.7 `[8] <https://github.com/urllib3/urllib3/blob/master/CHANGES.rst#1257-2019-11-11>`__
|
||||
|
||||
Known issues and limitations:
|
||||
|
||||
* HardenedBSD 12.1 has been postponed to the next major release
|
||||
* Legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp have been deprecated and will no longer receive updates
|
||||
* To prevent stale configuration files for remote syslog we advise to setup the new targets first `[9] <https://docs.opnsense.org/manual/settingsmenu.html#logging-targets>`__ and disable the old ones under System: Settings: Logging
|
||||
* i386 has not been deprecated for the time being ;)
|
||||
|
||||
The public key for the 20.1 series is:
|
||||
|
||||
.. code-block::

    # SHA256 (OPNsense-20.1-OpenSSL-dvd-amd64.iso.bz2) = 4b15e9b3d72732d325c5eaf46ba34575d4de8cdc3e3ac1b10666c7372563be6d
    # SHA256 (OPNsense-20.1-OpenSSL-nano-amd64.img.bz2) = 27544a78ae03d480a483cfd2e7cfa703b60e50938a1ed188ec3ccde6c426fefe
    # SHA256 (OPNsense-20.1-OpenSSL-serial-amd64.img.bz2) = f93bbcbe92059c5de49f22d485da292952b48658a28d1cdaf83191e8c95c03c2
    # SHA256 (OPNsense-20.1-OpenSSL-vga-amd64.img.bz2) = 019a877c4b4cb96cfda62d041774a91c030c5a8ecd58f8c3fd0067c7ac392982

.. code-block::

    # SHA256 (OPNsense-20.1-OpenSSL-dvd-i386.iso.bz2) = 36146d0a066d9d696433599487e2a538ee5575a6b3d631293ad9e14e5fbbc6e0
    # SHA256 (OPNsense-20.1-OpenSSL-nano-i386.img.bz2) = 0980f49d1b3445505fd1db27ab070886a706388d3aa16d7c8d953f279b7e3b11
    # SHA256 (OPNsense-20.1-OpenSSL-serial-i386.img.bz2) = 322adbafe331ef7232c08d839a6f355ee633f5a662009b1801ebad0edab03d73
    # SHA256 (OPNsense-20.1-OpenSSL-vga-i386.img.bz2) = 8bdd109015d7d54d382c7293bdf8fac6397a6c2e37662b73647c276e98c19d64

--------------------------------------------------------------------------
20.1.r1 (January 24, 2020)
--------------------------------------------------------------------------

For over 5 years now, OPNsense has been driving innovation through modularising
and hardening the open source firewall, with simple and reliable firmware
upgrades, multi-language support, HardenedBSD security, fast adoption of
upstream software updates as well as clear and stable 2-Clause BSD licensing.

We thank all of you for helping test, shape and contribute to the project!
We know it would not be the same without you.

Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
can be found below as well.

* Europe: https://opnsense.c0urier.net/releases/20.1/
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.1/
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.1/
* South America: http://mirror.upb.edu.co/opnsense/releases/20.1/
* South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/20.1/
* Full mirror list: https://opnsense.org/download/

Here are the full patch notes against 19.7.9_1:

* system: support for manually removing static route entries
* system: migrated logging to MVC
* system: regenerate default DH parameters
* system: randomize session ID in test cookie
* system: remove legacy XMLRPC push on changes
* system: deprecate the use of services.inc
* system: opt-out on "Allow DNS server list to be overridden by DHCP/PPP on WAN" for selected interfaces
* system: increase PHP memory limit to 512 MB
* system: opnsense-auth can now respond with extended properties in JSON on successful authentication
* interfaces: loopback device support
* interfaces: VXLAN device support
* interfaces: first steps toward fully pluggable device infrastructure
* interfaces: remove default load of netgraph framework on bootup
* interfaces: move description into top block and rename titles
* interfaces: only trigger newwanip event for affected interfaces
* firmware: revoke 19.1, trust 20.1 fingerprint
* firmware: new mirror in Zurich, CH contributed by ServerBase AG
* firmware: add live search to mirror selection
* dhcp: add OMAPI configuration support (contributed by Yuri Moens)
* ipsec: add configurable dpdaction (contributed by Marcel Menzel)
* ipsec: refactor tunnel settings page
* unbound: add options for logging queries and extended statistics (contributed by Flightkick)
* mvc: BaseListField ignoring empty selected field
* ui: jQuery 3.4.1
* plugins: os-dyndns 1.19 adds dynv6 and Azure DNS support (contributed by Ralf Zerres and martgras)
* plugins: os-haproxy 2.20 `[2] <https://github.com/opnsense/plugins/pull/1646>`__
* plugins: os-zabbix-agent 1.7 `[3] <https://github.com/opnsense/plugins/pull/1578>`__ `[4] <https://github.com/opnsense/plugins/pull/1618>`__
* ports: ca_root_nss 3.49.1
* ports: curl 7.68.0 `[5] <https://curl.haxx.se/changes.html>`__
* ports: openssl 1.1.1d `[6] <https://www.openssl.org/news/openssl-1.1.1-notes.html>`__

Known issues and limitations:

* HardenedBSD 12.1 has been postponed to the next major release
* Nano growfs does not work on this release candidate, but a fix for 20.1 already exists
* Installer still advertises 19.7, but a fix for 20.1 already exists
* Legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp have been deprecated and will no longer receive updates
* i386 has not been deprecated for the time being ;)

The public key for the 20.1 series is:

Please let us know about your experience!

.. code-block::

    # SHA256 (OPNsense-20.1.r1-OpenSSL-dvd-amd64.iso.bz2) = fed43e5cc5092da5adcfcb2ccdddf51a1cea6a69f06b764fcd9c3d36e0705d4a
    # SHA256 (OPNsense-20.1.r1-OpenSSL-nano-amd64.img.bz2) = bf825455cc09e2a410cbe702a0c1c5b454546c476c7e90ae87ab64fc3eee6a78
    # SHA256 (OPNsense-20.1.r1-OpenSSL-serial-amd64.img.bz2) = 906103fb4cc3e573a9e2d560a6365baa7162077b8933a253bb45fd23a154dd87
    # SHA256 (OPNsense-20.1.r1-OpenSSL-vga-amd64.img.bz2) = 3308412597f5b95f9b9e854ddbeb5f49735109d846af553dbe2553dedf73cb9b

.. code-block::

    # SHA256 (OPNsense-20.1.r1-OpenSSL-dvd-i386.iso.bz2) = a110e2ed48228d918909daca5d93d8acafccdc4426e3e928d8561f7ad4180289
    # SHA256 (OPNsense-20.1.r1-OpenSSL-nano-i386.img.bz2) = 201b757b0d719e8f3c4aa473b414005a5544a4b1553ca9d79c1743610d67b460
    # SHA256 (OPNsense-20.1.r1-OpenSSL-serial-i386.img.bz2) = 74a8f6bc5cdf885f5ff906ad2dfd05584f8e217212f90cd2e3a3269a5a9b604a
    # SHA256 (OPNsense-20.1.r1-OpenSSL-vga-i386.img.bz2) = 1779ca5aeb37d2d97bd7e053421d64206b27189db74711600b93e458d858caff

===========================================================================================
20.7 "Legendary Lion" Series
===========================================================================================



For five and a half years, OPNsense has been driving innovation through modularising
and hardening the open source firewall, with simple and reliable firmware
upgrades, multi-language support, HardenedBSD security, fast adoption of
upstream software updates as well as clear and stable 2-Clause BSD licensing.

20.7, nicknamed "Legendary Lion", is a major operating system jump forward towards
a sustainable firewall experience. This release adds DHCPv6 multi-WAN, custom
error pages for the web proxy, Suricata 5, HardenedBSD 12.1, netstat tree view,
basic firewall API support (via plugin) and extended live log filtering amongst
others.

Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
can be found below as well.

* Europe: https://mirrors.dotsrc.org/opnsense/releases/20.7/
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.7/
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.7/
* South America: https://mirror.venturasystems.tech/opnsense/releases/20.7/
* Australia: http://mirror.as24220.net/opnsense/releases/20.7/
* Full mirror list: https://opnsense.org/download/


--------------------------------------------------------------------------
20.7.8 (January 19, 2021)
--------------------------------------------------------------------------


The particular volume of this stable update foreshadows the end of the 20.7
series in less than two weeks.

One longstanding issue with radvd on FreeBSD 12.1 has been resolved according
to feedback from multiple users.

The mailing lists have been archived and will no longer be used.

And before there are questions: yes, consumers of the development version are
now able to upgrade to 21.1-RC1.

Here are the full patch notes:

* system: allow to recover from bad TLS certificate and/or bad settings in console interface assign
* system: display destination port number in firewall log widget (contributed by Team Rebellion)
* system: keep compatible TLS 1 defaults for web GUI on 20.7 series
* system: set default certificate lifetime to 397 days
* firewall: add type 128 to outgoing IPv6 RFC4890 requirements
* firewall: add manual refresh button to live log
* firewall: fix typo in ICMPv6 validation
* firewall: fix minor regression in maintaining target alias file
* firewall: fix all state value in pfTop (contributed by Lucas Held)
* firewall: remove duplicated destination field in live log
* firewall: add read-only actions to aliases permission (contributed by Manuel Faux)
* firewall: category selector missing caption
* reporting: add top talkers to revamped traffic graph page
* reporting: fix name resolution filter change in insight
* reporting: persist interface selection on traffic graph page
* captive portal: disable faulty TLS on HTTP since lighttpd 1.4.56
* dhcp: fix sorting of IPv6 static mappings (contributed by vnxme)
* dhcp: fix incorrect parsing of DUID (contributed by Matt Holgate)
* firmware: opnsense-code now updates the current directory if nothing was specified
* firmware: opnsense-code now uses flexible make.conf target from tools.git
* firmware: opnsense-update now supports snapshot access via -z option
* firmware: opnsense-update now fixes missing dependencies on the fly
* firmware: fix some issues with missing repository on server
* firmware: add version output and date to audit logs
* ipsec: display remote host in status overview (contributed by garlic17)
* opendns: add standalone mode
* openssh: honour MAX_LISTEN_SOCKS
* openvpn: set default certificate lifetime to 397 days in wizard
* unbound: generate all configuration files in service controller
* unbound: fix broken lines in large files (contributed by kulikov-a)
* web proxy: lock ACL download to prevent duplicate execution
* mvc: allow underscore in filter string (contributed by kulikov-a)
* plugins: os-haproxy 2.26 `[1] <https://github.com/opnsense/plugins/blob/master/net/haproxy/pkg-descr>`__
* plugins: os-hw-probe 1.0 (contributed by Michael Muenz)
* plugins: os-maltrail fixes sensor start without server (contributed by Julio Camargo)
* plugins: os-nginx 1.20 `[2] <https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr>`__
* plugins: os-tinc fixes for latest version (contributed by vnxme)
* src: fix OpenSSL NULL pointer de-reference `[3] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:33.openssl.asc>`__
* src: fix partial scrub of multicast packages
* src: free full mbuf chains in iflib when draining transmit queues
* src: initialize oifp to avoid bogus results/panics in edge cases
* src: 10Gigabit Ethernet driver for AMD SoC
* ports: libressl 3.2.3 `[4] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.2-relnotes.txt>`__ `[5] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.3-relnotes.txt>`__
* ports: nss 3.60.1
* ports: php 7.3.26 `[6] <https://www.php.net/ChangeLog-7.php#7.3.26>`__
* ports: pkg fix for shell keyword by opening root file descriptor
* ports: radvd 2.19 `[7] <https://radvd.litech.org/CHANGES.txt>`__
* ports: sudo 1.9.5p1 `[8] <https://www.sudo.ws/stable.html#1.9.5p1>`__

A hotfix release was issued as 20.7.8_4:

* firmware: enable upgrade path to 21.1
* ports: sudo 1.9.5p2 `[9] <https://www.sudo.ws/stable.html#1.9.5p2>`__



--------------------------------------------------------------------------
20.7.7 (December 17, 2020)
--------------------------------------------------------------------------


Important security updates inside. Also: happy holidays!

Here are the full patch notes:

* reporting: fix traffic graph widget link issue
* system: simplify log format parsing
* interfaces: fix DUID LL description (contributed by Gabriel Mazzocato)
* unbound: fix dnsbl not reloading after update
* plugins: os-acme-client 2.2 `[1] <https://github.com/opnsense/plugins/blob/master/security/acme-client/pkg-descr>`__
* plugins: os-freeradius 1.9.9 `[2] <https://github.com/opnsense/plugins/blob/master/net/freeradius/pkg-descr>`__
* plugins: os-frr 1.20 `[3] <https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr>`__
* plugins: os-tinc 1.6 enables multiple addresses per host (contributed by ElNounch)
* plugins: os-wireguard 1.4 `[4] <https://github.com/opnsense/plugins/blob/master/net/wireguard/pkg-descr>`__
* ports: curl 7.74.0 `[5] <https://curl.se/changes.html>`__
* ports: dhcp6c ignores advertise messages with none of requested data and missed status codes
* ports: libressl 3.1.5 `[6] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.1.5-relnotes.txt>`__
* ports: lighttpd 1.4.56 `[7] <https://www.lighttpd.net/2020/11/29/1.4.56/>`__
* ports: nss 3.60 `[8] <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.60_release_notes>`__
* ports: openssl 1.1.1i `[9] <https://www.openssl.org/news/secadv/20201208.txt>`__
* ports: pcre2 10.36 `[10] <https://www.pcre.org/changelog.txt>`__
* ports: sudo 1.9.4 `[11] <https://www.sudo.ws/stable.html#1.9.4>`__
* ports: sqlite 3.34.0 `[12] <https://sqlite.org/changes.html>`__
* ports: unbound 1.13.0 `[13] <https://nlnetlabs.nl/projects/unbound/download/>`__

A hotfix release was issued as 20.7.7_1:

* system: disable TLS on plain HTTP redirect for new lighttpd version
* ports: unbound fix for segmentation fault (restart service to activate)
* ports: lighttpd 1.4.58 `[14] <https://www.lighttpd.net/2020/12/27/1.4.58/>`__



--------------------------------------------------------------------------
20.7.6 (December 08, 2020)
--------------------------------------------------------------------------


This update brings the usual mix of reliability fixes, plugin and third party
software updates: FreeBSD, HardenedBSD, PHP, OpenSSH, StrongSwan, Suricata and
Syslog-ng amongst others.

Please note that Let's Encrypt users need to reissue their certificates
manually after upgrading to this version to fix the embedded certificate chain
issue caused by the ongoing signing CA switch.

The mail backup plugin is currently not available pending a response from
the maintainer. Users are advised to avoid using it for the moment.

Here are the full patch notes:

* system: no longer enforce alias names in gateways
* system: add "step into" icon on log lines when filtering
* system: add current CPU load progress bar (contributed by kulikov-a)
* firewall: allow larger selection in live log
* firewall: correctly select current IPv6 field in getInterfaceGateway()
* firewall: add validation for ipv6-icmp combined with inet
* reporting: traffic graph replacement using iftop
* openvpn: calculate first network address as gateway address when only ifconfig_local is given
* web proxy: throw startup error to user
* plugins: os-acme-client 2.1 `[1] <https://github.com/opnsense/plugins/blob/master/security/acme-client/pkg-descr>`__
* plugins: os-frr 1.19 `[2] <https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr>`__
* plugins: os-mail-backup not available due to unaddressed security concerns
* src: fix parsing of netmap legacy nmr->nr_ringid
* src: fix mutex double unlock bug in netmap
* src: minor misc netmap improvements
* src: improve netmap(4) and vale(4) man pages
* src: IPV6_PKTINFO support for v4-mapped IPv6 sockets
* src: zero-initialize variables in HBSD PaX SEGVGUARD
* src: fix execve/fexecve system call auditing `[3] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:19.audit.asc>`__
* src: fix uninitialized variable in ipfw `[4] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:21.ipfw.asc>`__
* src: fix race condition in callout CPU migration `[5] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:22.callout.asc>`__
* src: fix ICMPv6 use-after-free in error message handling `[6] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:31.icmp6.asc>`__
* src: fix multiple vulnerabilities in rtsold `[7] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:32.rtsold.asc>`__
* src: update timezone database information `[8] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:20.tzdata.asc>`__
* ports: krb5 1.18.3 `[9] <https://web.mit.edu/kerberos/krb5-1.18/>`__
* ports: nss 3.59 `[10] <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.59_release_notes>`__
* ports: openldap 2.4.56 `[11] <https://www.openldap.org/software/release/changes.html>`__
* ports: openssh 8.4p1 `[12] <https://www.openssh.com/txt/release-8.4>`__
* ports: php 7.3.25 `[13] <https://www.php.net/ChangeLog-7.php#7.3.25>`__
* ports: strongswan 5.9.1 `[14] <https://wiki.strongswan.org/versions/79>`__
* ports: suricata 5.0.5 `[15] <https://suricata-ids.org/2020/12/04/suricata-6-0-1-5-0-5-and-4-1-10-released/>`__
* ports: syslog-ng 3.30.1 `[16] <https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.30.1>`__



--------------------------------------------------------------------------
20.7.5 (November 20, 2020)
--------------------------------------------------------------------------


We return briefly for a small patch set and plan to pin the 20.1 upgrade
path to this particular version to avoid unnecessary stepping stones. We
wish you all a healthy Friday. And of course: patch responsibly!

Here are the full patch notes:

* system: syslog-ng related fixes during package management based restart
* system: change dpinger syslog message to reflect correct RTT and RTTd unit (contributed by fhloston)
* web proxy: add toggle for pinger service (contributed by nowyouseeit)
* web proxy: add missing X-Forwarded-For header option
* mvc: new Base64Field type
* mvc: new VirtualIPField type
* plugins: os-acme-client 2.0 `[1] <https://github.com/opnsense/plugins/blob/master/security/acme-client/pkg-descr>`__
* plugins: os-bind 1.14 `[2] <https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr>`__
* plugins: os-chrony 1.1 `[3] <https://github.com/opnsense/plugins/blob/master/net/chrony/pkg-descr>`__
* ports: monit 5.27.1 `[4] <https://mmonit.com/monit/changes/>`__
* ports: php 7.3.24 `[5] <https://www.php.net/ChangeLog-7.php#7.3.24>`__
* ports: pkg upstream fix for upgrade script hang `[6] <https://github.com/freebsd/pkg/pull/1893>`__
* ports: strongswan 5.9.0 `[7] <https://www.strongswan.org/blog/2020/07/29/strongswan-5.9.0-released.html>`__



--------------------------------------------------------------------------
20.7.4 (October 22, 2020)
--------------------------------------------------------------------------


This release finally wraps up the recent Netmap kernel changes and tests.
The Realtek vendor driver was updated, as was third party software such as
cURL, libxml2, OpenSSL, PHP, Suricata, Syslog-ng and Unbound, to name a few.

We would like to thank Sunny Valley Networks for their relentless efforts
to bring said Netmap fixes and improvements into FreeBSD.

If you are having trouble with a stuck update, try the command sequence below
from the root shell, or simply reboot from the GUI and rerun the update in
case it was not fully carried out yet.

.. code-block::

    # pkill syslog-ng
    # service syslog-ng restart

Here are the full patch notes:

* system: switch web GUI address selection to avoid server.bind in IPv6 first case
* system: fix defunct "use default" button on web GUI listen interfaces
* system: signal "auth user changed" when a user is modified via web GUI
* system: replace gateway widget and add proper API endpoint for it
* system: fix reading displayName attribute on LDAP search (contributed by ServiusHack)
* interfaces: change maximum MTU value to 65535 in accordance with RFC 791
* interfaces: update wireless device detection prefixes
* interfaces: lexical sort interface keys for assignments
* firewall: add support for network exclusions in network alias type
* firewall: add NAT information to pfInfo page (contributed by kulikov-a)
* firewall: associated NAT rules missed state keyword
* firewall: allow "or" conditions in live log
* firewall: use pfctl for alias IP check (contributed by kulikov-a)
* dnsmasq: regenerate resolv.conf on save
* dnsmasq: log queries option
* intrusion detection: ignore pkill exit status when performing update
* ipsec: add description to reconfigure action (contributed by Frank Wall)
* unbound: rebuild unbound blacklist download
* unbound: restructure reconfigure so that we always flush config
* backend: add new "config changed" event using syshook structure (sponsored by Modirum)
* mvc: add a few missing control widgets from log pages
* ui: upgrade moment.js to 2.27.0
* plugins: os-freeradius 1.9.8 `[1] <https://github.com/opnsense/plugins/blob/master/net/freeradius/pkg-descr>`__
* plugins: os-git-backup 1.0 `[2] <https://github.com/opnsense/plugins/issues/2049>`__ (sponsored by Modirum)
* plugins: os-haproxy 2.25 `[3] <https://github.com/opnsense/plugins/blob/master/net/haproxy/pkg-descr>`__
* plugins: os-stunnel 1.0.2 adds service protocol selector (contributed by fhloston)
* src: extended netmap update and driver fixes
* src: netmap tun and lagg support (contributed by Sunny Valley Networks)
* src: update Realtek re driver to upstream version 1.96.04 (contributed by Laurent Dinclaux)
* ports: curl 7.73.0 `[4] <https://curl.haxx.se/changes.html>`__
* ports: libxml2 fixes for CVE-2019-20388, CVE-2020-7595 and CVE-2020-24977
* ports: nss 3.58 `[5] <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.58_release_notes>`__
* ports: openssl 1.1.1h `[6] <https://www.openssl.org/news/changelog.html#openssl-111>`__
* ports: php 7.3.23 `[7] <https://www.php.net/ChangeLog-7.php#7.3.23>`__
* ports: pkg 1.15.10
* ports: radvd patch for dynamic interface shifting index
* ports: sudo 1.9.3p1 `[8] <https://www.sudo.ws/stable.html#1.9.3p1>`__
* ports: suricata 5.0.4 `[9] <https://suricata-ids.org/2020/10/08/suricata-4-1-9-and-5-0-4-released/>`__
* ports: syslog-ng 3.29.1 `[10] <https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.29.1>`__
* ports: unbound 1.12.0 `[11] <https://nlnetlabs.nl/projects/unbound/download/>`__



--------------------------------------------------------------------------
20.7.3 (September 24, 2020)
--------------------------------------------------------------------------


Today is the day for a number of FreeBSD security advisories and a few
reliability fixes.

We are still testing a batch of Netmap improvement patches with a separate
kernel. This and the Realtek vendor driver update will likely follow in
the next kernel update. All feedback is welcome.

Here are the full patch notes:

* system: use different shell gateway name to appease wizard
* system: simplify CARP hook
* interfaces: phase out netaddr.eui.ieee.OUI_REGISTRY_PATH usage
* firewall: add MAC type to top right filter selection
* firewall: fix two scrub rule parsing bugs
* firewall: omit group type interfaces in filter selection
* intrusion detection: re-create rule cache after rule deployment
* unbound: add "unbound-plus" section to XMLRPC sync
* dhcp: adding DDNS values of each additional pool to the $ddns_zones array (contributed by Mathieu St-Pierre)
* dhcp: add static interface mode to router advertisements
* rc: fix ssh key permissions on MSDOS import
* rc: support service identifier in pluginctl -s mode
* plugins: os-bind download link changes (contributed by gap579137)
* plugins: os-chrony 1.0 (contributed by Michael Muenz)
* plugins: os-dnscrypt-proxy blocklist script fixes (contributed by Mark Keisler)
* plugins: os-frr 1.17 `[1] <https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr>`__
* plugins: os-postfix 1.17 `[2] <https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr>`__
* plugins: os-rspamd 1.10 `[3] <https://github.com/opnsense/plugins/blob/master/mail/rspamd/pkg-descr>`__
* plugins: os-theme-cicada 1.25 (contributed by Team Rebellion)
* plugins: os-theme-tukan 1.23 (contributed by Team Rebellion)
* plugins: os-theme-vicuna 1.1 (contributed by Team Rebellion)
* plugins: os-wireguard 1.3 `[4] <https://github.com/opnsense/plugins/blob/master/net/wireguard/pkg-descr>`__
* plugins: os-zabbix-agent 1.8 `[5] <https://github.com/opnsense/plugins/blob/master/net-mgmt/zabbix-agent/pkg-descr>`__
* src: fix FreeBSD Linux ABI kernel panic `[6] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:17.linuxthread.asc>`__
* src: fix SCTP socket use-after-free `[7] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:25.sctp.asc>`__
* src: fix dhclient heap overflow `[8] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:26.dhclient.asc>`__
* src: fix ure device driver susceptible to packet-in-packet attack `[9] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:27.ure.asc>`__
* src: fix bhyve privilege escalation via VMCS access `[10] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:28.bhyve_vmcs.asc>`__
* src: fix bhyve SVM guest escape `[11] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:29.bhyve_svm.asc>`__
* src: fix ftpd privilege escalation via ftpchroot `[12] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:30.ftpd.asc>`__
* src: set PAX_HARDENING_NOSHLIBRANDOM in the RTLD by default
* src: fix kernel panic while trying to read multicast stream
* ports: mpd 5.9 `[13] <http://mpd.sourceforge.net/doc5/mpd4.html#4>`__
* ports: nss 3.57 `[14] <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes>`__
* ports: php 7.3.22 `[15] <https://www.php.net/ChangeLog-7.php#7.3.22>`__
* ports: pkg 1.15.6 `[16] <https://github.com/freebsd/freebsd-ports/commit/fd4f5566aea>`__



--------------------------------------------------------------------------
20.7.2 (September 02, 2020)
--------------------------------------------------------------------------


While we are still looking closer at netmap/iflib performance on 12.1, we
are rolling out a kernel with Intel em/igb updates that should avoid bad
packet counts in the default installation. Syslog-ng received a workaround
for the diagnosed startup issue, and aliases now support MAC address content
similar to how host content works.

Here are the full patch notes:

* system: set REQUESTS_CA_BUNDLE in environments
* system: improve parsing for temperature sensors
* system: add "new-password" hint for Chrome on login form
* system: rename syslog services description and hide legacy mode when not enabled
* system: force syslog-ng restart after boot sequence
* system: properly read new style logging directories
* reporting: replace line endings when sending traceback to syslog in flowd_aggregate
* reporting: add traffic graph filter for private IPv4 networks (contributed by kcaj-burr)
* firewall: add MAC address alias type
* firewall: be more verbose when fetching alias remote content
* firewall: prevent pfctl error messages from being suppressed
* firewall: exclude all reserved pf.conf keywords from alias name
* firewall: bogons not loaded on initial load
* firewall: reset damaged bogons files on startup
* interfaces: add listen-queue-sizes in socket diagnostics
* firmware: properly report an unsigned repository
* firmware: revoke 20.1 fingerprint
* intrusion detection: rule cache parse error on invalid metadata
* intrusion detection: allow search for status enabled/disabled
* web proxy: correct template replacement during build time
* web proxy: bugfix in JSON access log
* unbound: updated project block lists links (contributed by gap579137)
* backend: add regex_replace template support
* plugins: os-acme-client 1.36 `[1] <https://github.com/opnsense/plugins/pull/1974>`__
* plugins: os-dyndns 1.23 adds Gandi LiveDNS support (contributed by vizion8-dan)
* plugins: os-haproxy 2.24 `[2] <https://github.com/opnsense/plugins/blob/master/net/haproxy/pkg-descr>`__
* plugins: os-stunnel 1.0.1 includes performance tweaks
* plugins: os-telegraf 1.8.2 `[3] <https://github.com/opnsense/plugins/blob/master/net-mgmt/telegraf/pkg-descr>`__
* plugins: os-tinc fixes cipher parsing on 20.7
* src: remove ACPI workaround for serial console on AMD EPYC
* src: Make pf.conf ":0" ignore link-local v6 addresses too
* src: default "show bad packets" tunable to off in e100 driver
* src: fix unsolicited promisc mode in e1000 driver
* src: add valectl to the system commands
* ports: ca_root_nss/nss 3.56 `[4] <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.56_release_notes>`__
* ports: curl 7.72.0 `[5] <https://curl.haxx.se/changes.html#7_72_0>`__
* ports: libressl 3.1.4 `[6] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.1.4-relnotes.txt>`__
* ports: openldap 2.4.51 `[7] <https://www.openldap.org/software/release/changes.html>`__
* ports: php 7.3.21 `[8] <https://www.php.net/ChangeLog-7.php#7.3.21>`__
* ports: python 3.7.9 `[9] <https://www.python.org/downloads/release/python-379/>`__
* ports: sqlite 3.33.0 `[10] <https://sqlite.org/changes.html>`__
* ports: squid 4.13 `[11] <http://www.squid-cache.org/Versions/v4/squid-4.13-RELEASENOTES.html>`__
* ports: syslog-ng dlsym() workaround
* ports: unbound 1.11.0 `[12] <https://nlnetlabs.nl/projects/unbound/download/#unbound-1-11-0>`__



--------------------------------------------------------------------------
20.7.1 (August 13, 2020)
--------------------------------------------------------------------------


Small update here with security advisories, multicast fixes and logging
reliability patches amongst others.

Overall, the jump to HardenedBSD 12.1 is looking promising from our end.
From the reported issues we still have more logging quirks to investigate
and especially Netmap support (used in IPS and Sensei) is lacking in some
areas that were previously working. Patches are being worked on already
so we shall get there soon enough. Stay tuned.

Here are the full patch notes:

* system: split log process name into separate column
* system: filter new style log directories accordingly
* system: add delay to improve syslog-ng startup
* system: properly switch login page to latest jQuery 3.5.1
* firewall: add select boxes for static filters in live log
* firmware: ignore mandoc.db files in health output as the system will regenerate them weekly
* firmware: bring back Chinese Aivian mirror
* firmware: remove defunct opn.sense.nz and RageNetwork mirrors
* web proxy: add JSON output following Elastic Common Schema (sponsored by Incenter Technology)
* backend: cap log messages to 4000 characters to prevent longer messages from vanishing
* plugins: os-acme-client 1.35 `[1] <https://github.com/opnsense/plugins/pull/1950>`__
* plugins: os-frr 1.15 `[2] <https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr>`__
* plugins: os-postfix 1.15 `[3] <https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr>`__
* plugins: os-udpbroadcastrelay 1.0 (contributed by Team Rebellion)
* src: set the current VNET before calling netisr_dispatch() in ng_iface(4)
* src: assorted multicast group join/leave corrections
* src: fix vmx driver packet loss and degraded performance `[4] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:16.vmx.asc>`__
* src: fix memory corruption in USB network device driver `[5] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:21.usb_net.asc>`__
* src: fix multiple vulnerabilities in sqlite3 `[6] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:22.sqlite.asc>`__
* src: fix sendmsg(2) privilege escalation `[7] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:23.sendmsg.asc>`__
* ports: perl 5.32.0 `[8] <https://metacpan.org/changes/release/XSAWYERX/perl-5.32.0>`__
* ports: squid 4.12 `[9] <http://www.squid-cache.org/Versions/v4/squid-4.12-RELEASENOTES.html>`__



--------------------------------------------------------------------------
20.7 (July 30, 2020)
--------------------------------------------------------------------------


For five and a half years, OPNsense has been driving innovation through modularising
and hardening the open source firewall, with simple and reliable firmware
upgrades, multi-language support, HardenedBSD security, fast adoption of
upstream software updates as well as clear and stable 2-Clause BSD licensing.

20.7, nicknamed "Legendary Lion", is a major operating system jump forward towards
a sustainable firewall experience. This release adds DHCPv6 multi-WAN, custom
error pages for the web proxy, Suricata 5, HardenedBSD 12.1, netstat tree view,
basic firewall API support (via plugin) and extended live log filtering amongst
others.

Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
can be found below as well.

* Europe: https://mirrors.dotsrc.org/opnsense/releases/20.7/
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.7/
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.7/
* South America: https://mirror.venturasystems.tech/opnsense/releases/20.7/
* Australia: http://mirror.as24220.net/opnsense/releases/20.7/
* Full mirror list: https://opnsense.org/download/

Here are the full patch notes against version 20.7-RC1:

* system: syslog-ng RFC5424 on FreeBSD 12 needs flags(syslog-protocol)
* installer: welcome users as genuine 20.7 installer
* web proxy: do not try to force cachemanager access to use ICAP
* plugins: os-collectd 1.3 `[2] <https://github.com/opnsense/plugins/blob/master/net-mgmt/collectd/pkg-descr>`__
* plugins: os-zabbix5-proxy 1.3 `[3] <https://github.com/opnsense/plugins/blob/master/net-mgmt/zabbix5-proxy/pkg-descr>`__
* src: prevent netgraph page fault for LTE usage
* ports: dnsmasq 2.82 `[4] <https://www.thekelleys.org.uk/dnsmasq/CHANGELOG>`__
* ports: monit 5.27.0 `[5] <https://mmonit.com/monit/changes/>`__
* ports: nss 3.55 `[6] <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.55_release_notes>`__
* ports: sudo 1.9.2 `[7] <https://www.sudo.ws/stable.html#1.9.2>`__

Known issues and limitations:

* legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp are no longer available
* i386 architecture builds are no longer available

The public key for the 20.7 series is:

.. code-block::

    # -----BEGIN PUBLIC KEY-----
    # MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAngIbBcRin9AmDSOsjpft
    # 7aK52TLkOzRc94NqKKnn6ALd6poEuFqYl1tfNT6XumBJDsRL1s56UYfjS8zpvFW3
    # HdzKOv4YtIln6qUuC1w8TXYNprasB/laYoBn2xeCGX5L6carlujQ+h0rsj+kpawr
    # E0/d6oRzR69cxQyoDQHD559Wv4nA795M6QGDhhl3dDq/92gzrrq3C5gJ7ldHi13c
    # inM2Fw+oPUfEIWUt/sqUTZheEk0Df3LSiJlgjQDhjh5uujTLgvX8IzfYAb8clgY3
    # DplgOh4ReoFnx6XVERSPa91ZJGeCV4dTGD2hU40rzU1lkQaiVUITLsfjrYUsNMEo
    # jdG+ndGIPTOrwXH4yGRZuUZZ612ALtO6bd4V1kAOLOS07mo4JB4poEbbB0lvZJSG
    # iTmU9od8zutnLkD66Q/qI8e6OcL0yqjwwG9DzCKg23M6cVWfyBTJhKoqQyhNWnzZ
    # bzvgOXfhOA8jn8FPChaU5OiIrv+g56pQrWKcQsvgQMqlyR+/AFSIrrqprCjDkfOG
    # bxFqTGkPb1n32nbnXJOA5Z43G9/PtBV8lvaEzli6Vehh+Zrcuy8yupbiVWSqTOfp
    # E5cYAmrlDkxKyAlZQtH6EhMF1VBQRrlqGhss5XYoE3DQDqWdhUbGv8Qiiv7ROCza
    # SIMuSzc6u35MooDRDZF4Ba0CAwEAAQ==
    # -----END PUBLIC KEY-----



.. code-block::

    # SHA256 (OPNsense-20.7-OpenSSL-dvd-amd64.iso.bz2) = 580070a3a0533418d58eaeb78122f804f2df7081c929288e1dccee34c4bf763a
    # SHA256 (OPNsense-20.7-OpenSSL-nano-amd64.img.bz2) = 6deb370c2a64fa6c60b7f59a4afb31b2dd28b812f5fcd59eaa6d458938d45630
    # SHA256 (OPNsense-20.7-OpenSSL-serial-amd64.img.bz2) = 1276cddd5f7b89aa54fc4a1517cb0686efe94f672627243c5b34d93340441d60
    # SHA256 (OPNsense-20.7-OpenSSL-vga-amd64.img.bz2) = 72cbffe3bba4884586c8ded8dbca4cf30fb34a094602e5f681efde2deea595c6

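Checking a downloaded image against the published checksums above, as an added example (not the OPNsense project's own tooling): the script assumes the `SHA256 (name) = hash` lines from this page were saved into a text file, with or without the leading `# ` marker, and that the compressed `.bz2` file is verified exactly as downloaded, before decompressing. It reads the expected digest for the image's file name, computes the real digest with whichever SHA256 tool the host ships, and reports a match, a mismatch, or an image the list does not know.

```shell
#!/bin/sh
# Verify downloaded OPNsense images against a published SHA256 list.
# Added example, not part of OPNsense. It assumes the checksum list
# is saved in the "SHA256 (name) = hash" format printed on this page.
set -eu

# Pick whichever SHA256 tool is installed: sha256sum(1) on most Linux
# systems, shasum(1) on macOS, sha256(1) on FreeBSD. Prints the hex digest.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Look up the published digest of one image name in the checksum list.
# $1 = checksum list file, $2 = image file name (no directory part).
# Prints the 64-hex-digit value, or nothing if the name is not listed.
# The leading "# " on the page's lines does not matter: we match on the
# literal "SHA256 (<name>) = " token and take the last field.
expected_sha256() {
    grep -F "SHA256 ($2) = " "$1" | awk '{ print $NF }' | head -n 1
}

# Compare the actual digest of an image with the published one.
# $1 = checksum list file, $2 = path to the downloaded image.
# Returns 0 on match, 1 on mismatch, 2 if the image is not in the list.
verify_image() {
    list="$1"
    image="$2"
    name=$(basename "$image")
    want=$(expected_sha256 "$list" "$name")
    if [ -z "$want" ]; then
        echo "UNLISTED $name (no entry in $list)" >&2
        return 2
    fi
    have=$(sha256_of "$image")
    if [ "$have" = "$want" ]; then
        echo "OK       $name"
        return 0
    fi
    echo "MISMATCH $name (expected $want, got $have)" >&2
    return 1
}

# Usage: sh verify-image.sh checksums.txt OPNsense-20.7-OpenSSL-dvd-amd64.iso.bz2 [more images...]
# Exit status is non-zero if any image fails, so the check can gate a script.
if [ "$#" -ge 2 ]; then
    list="$1"
    shift
    status=0
    for f in "$@"; do
        verify_image "$list" "$f" || status=1
    done
    exit "$status"
fi
```

A mismatch is treated the same as a missing entry for gating purposes (non-zero exit), but the two are reported separately on stderr, since a truncated download and a file the list never covered call for different follow-ups.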
--------------------------------------------------------------------------
20.7.r1 (July 21, 2020)
--------------------------------------------------------------------------


For five and a half years, OPNsense has been driving innovation through modularising
and hardening the open source firewall, with simple and reliable firmware
upgrades, multi-language support, HardenedBSD security, fast adoption of
upstream software updates as well as clear and stable 2-Clause BSD licensing.

We thank all of you for helping test, shape and contribute to the project!
We know it would not be the same without you. <3

Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
can be found below as well.

* Europe: https://mirrors.dotsrc.org/opnsense/releases/20.7/
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.7/
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.7/
* South America: https://mirror.venturasystems.tech/opnsense/releases/20.7/
* Australia: http://mirror.as24220.net/opnsense/releases/20.7/
* Full mirror list: https://opnsense.org/download/

Here are the full patch notes against 20.1.8_1:

* system: allow to optionally disable legacy logging (clog)
* system: do not allow login redirects to visit external pages
* system: add new "auth user changed" config event and hook it into LDAP updatePolicies()
* system: adapt to 3wire serial console setting
* system: figure out which sysctls are writeable before attempting to write them
* system: Windows-friendly Nextcloud configuration backup file timestamp (contributed by @Alphakilo)
* system: disable PCRE JIT in PHP config
* system: clean up start / stop beep handler
* interfaces: improved VLAN handling and defaults for more stable netmap use on 12.1
* interfaces: support DHCPv6 multi-WAN (contributed by Team Rebellion)
* interfaces: show delegated prefix in overview (contributed by Team Rebellion)
|
||||
* interfaces: DHCPv4 no-release and debug options moved to global interface settings
|
||||
* interfaces: automatically register loopback device lo0
|
||||
* firewall: handle new net.pf.request_maxcount system limit accordingly
|
||||
* firewall: properly evaluate and execute gateway monitoring kill states feature
|
||||
* firewall: add the iplen option to shaper rules (contributed by Maxfield Allison)
|
||||
* firewall: show partial alias content in tooltip
|
||||
* firewall: translated static log overview page to MVC
|
||||
* firewall: aliases now show internal aliases
|
||||
* firewall: validate if NAT destination contains a port
|
||||
* firewall: prevent config_read_array() from adding an empty lo0
|
||||
* firmware: added fingerprint for 20.7 series
|
||||
* firmware: hint at missing plugins and request to install or dismiss
|
||||
* intrusion detection: extend rule search with metadata and show results on rule info
|
||||
* intrusion detection: updated pattern options (contributed by @Xeroxxx)
|
||||
* intrusion detection: synchronize suricata.yaml with default template
|
||||
* network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by @mikahe)
|
||||
* network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by @mikahe)
|
||||
* unbound: integrate functionality formerly known as "unbound-plus" plugin (contributed by Michael Muenz)
|
||||
* web proxy: support for custom error pages (sponsored by Incenter Technology)
|
||||
* web proxy: add connect_timeout (contributed by Michael Muenz)
|
||||
* web proxy: allow PURGE on cache (contributed by @sazb)
|
||||
* web proxy: add missing IPv6 listener
|
||||
* mvc: add "S" option for AllowDynamic in InterfaceField type
|
||||
* mvc: LegacyLinkField not allowed to return null in __toString()
|
||||
* backend: add safeguard for illegal configd settings leading to overrides on the same command leaf
|
||||
* backend: emove undocumented and unused alias support
|
||||
* mvc: support virtual nodes in model instances
|
||||
* rc: implement inline variables for skip and defer service start
|
||||
* ui: unify edit dialog and add onBeforeRenderDialog event deferrable
|
||||
* ui: use firewall groups to group interfaces menu accordingly
|
||||
* ui: moved virtual IP menu entry to interfaces
|
||||
* ui: jQuery 3.5.1
|
||||
* plugins: os-dyndns 1.22 `[2] <https://github.com/opnsense/plugins/pull/1654>`__
|
||||
* plugins: os-intrusion-detection-content-et-pro 1.0.2 switches to Suricata 5 rules
|
||||
* plugins: os-telegraf 1.8.1 `[3] <https://github.com/opnsense/plugins/blob/master/net-mgmt/telegraf/pkg-descr>`__
|
||||
* plugins: os-theme-rebellion 1.8.6 (contributed by Team Rebellion)
|
||||
* plugins: os-tinc fixes switch mode `[4] <https://github.com/opnsense/plugins/pull/1733>`__
|
||||
* plugins: os-wireguard 1.2 `[5] <https://github.com/opnsense/plugins/pull/1865>`__
|
||||
* src: HardenedBSD 12.1-p7
|
||||
* ports: ca_root_nss 3.54
|
||||
* ports: curl 7.71.1 `[6] <https://curl.haxx.se/changes.html>`__
|
||||
* ports: php 7.3.20 `[7] <https://www.php.net/ChangeLog-7.php#7.3.20>`__
|
||||
* ports: python 3.7.8 `[8] <https://www.python.org/downloads/release/python-378/>`__
|
||||
* ports: sqlite 3.32.3 `[9] <https://www.sqlite.org/changes.html>`__
|
||||
* ports: suricata 5.0.3 `[10] <https://suricata-ids.org/2020/04/28/suricata-5-0-3-released/>`__
|
||||
|
||||
Known issues and limitations:
|
||||
|
||||
* Legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp will no longer be available
|
||||
* i386 architecture builds will no longer be available
|
||||
* Installer still advertises 20.1
|
||||
|
||||
The public key for the 20.7 series is:
|
||||
|
||||
.. code-block::
|
||||
|
||||
# -----BEGIN PUBLIC KEY-----
|
||||
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAngIbBcRin9AmDSOsjpft
|
||||
# 7aK52TLkOzRc94NqKKnn6ALd6poEuFqYl1tfNT6XumBJDsRL1s56UYfjS8zpvFW3
|
||||
# HdzKOv4YtIln6qUuC1w8TXYNprasB/laYoBn2xeCGX5L6carlujQ+h0rsj+kpawr
|
||||
# E0/d6oRzR69cxQyoDQHD559Wv4nA795M6QGDhhl3dDq/92gzrrq3C5gJ7ldHi13c
|
||||
# inM2Fw+oPUfEIWUt/sqUTZheEk0Df3LSiJlgjQDhjh5uujTLgvX8IzfYAb8clgY3
|
||||
# DplgOh4ReoFnx6XVERSPa91ZJGeCV4dTGD2hU40rzU1lkQaiVUITLsfjrYUsNMEo
|
||||
# jdG+ndGIPTOrwXH4yGRZuUZZ612ALtO6bd4V1kAOLOS07mo4JB4poEbbB0lvZJSG
|
||||
# iTmU9od8zutnLkD66Q/qI8e6OcL0yqjwwG9DzCKg23M6cVWfyBTJhKoqQyhNWnzZ
|
||||
# bzvgOXfhOA8jn8FPChaU5OiIrv+g56pQrWKcQsvgQMqlyR+/AFSIrrqprCjDkfOG
|
||||
# bxFqTGkPb1n32nbnXJOA5Z43G9/PtBV8lvaEzli6Vehh+Zrcuy8yupbiVWSqTOfp
|
||||
# E5cYAmrlDkxKyAlZQtH6EhMF1VBQRrlqGhss5XYoE3DQDqWdhUbGv8Qiiv7ROCza
|
||||
# SIMuSzc6u35MooDRDZF4Ba0CAwEAAQ==
|
||||
# -----END PUBLIC KEY-----
|
||||
|
||||
Please let us know about your experience!
|
||||
|
||||
|
||||
|
||||
.. code-block::
|
||||
|
||||
# SHA256 (OPNsense-20.7.r1-OpenSSL-dvd-amd64.iso.bz2) = d54dca6390497d45b831f68f352fccf84881aac78a360247965e5c9b36fbfded
|
||||
# SHA256 (OPNsense-20.7.r1-OpenSSL-nano-amd64.img.bz2) = f78d51d53bf663df2d49a3724812893d8c55234ab8d4a9232663fa581496edbe
|
||||
# SHA256 (OPNsense-20.7.r1-OpenSSL-serial-amd64.img.bz2) = 984f8c9d63598f061cc8995245dea73703532c1bb688ac87cdb1e510fb53b80e
|
||||
# SHA256 (OPNsense-20.7.r1-OpenSSL-vga-amd64.img.bz2) = 711811e0a7d37d323a060c52590daa9f024e77c6da627530c6596367a09b412d
|
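Review bot: typo in the 20.7.r1 patch notes, the bullet `* backend: emove undocumented and unused alias support` should read `remove`; in the same section the opening sentence `For five and a half years, OPNsense is driving innovation through modularising` wants the present perfect, `has been driving`, since it describes a span of time continuing to now.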