update changelogs

pull/308/head
Ad Schellevis 3 years ago
parent ea214e1ab0
commit 0c2af65e75

@ -0,0 +1,27 @@
====================================
Business Edition
====================================
.. image:: images/architecture-blue-sky-business-2599538.jpg
:width: 600px
:align: center
OPNsense Business Edition is intended for companies, enterprises and professionals looking for a more
selective upgrade path (lags behind the community edition), additional commercial features and who want to
support the project in a more commercial way compared to donating.
The list below contains all releases, ordered by version number categorized by major version.
.. toctree::
:maxdepth: 2
:titlesonly:
:glob:
releases/BE_20.7
releases/BE_20.1
releases/BE_19.7
releases/BE_19.1
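Review bot: the `:glob:` option on the toctree at the end of this new Business Edition page is redundant with the four explicit `releases/BE_*` entries listed under it and works against the stated newest-first order, because glob patterns expand in ascending alphabetical order (`BE_19.1` before `BE_20.7`); either drop `:glob:` and keep the hand-maintained list, or use a pattern and accept the reversed order. Also worth confirming that the directive options (`:width:`, `:align:`, `:maxdepth:`, `:titlesonly:`) are indented under their `.. image::` / `.. toctree::` directives in the committed file; as shown they sit flush with the directive, and Sphinx would then treat them as ordinary paragraph text.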

@ -0,0 +1,35 @@
====================================
Community Edition
====================================
.. image:: /development/images/ideas_join_the_development.jpg
:width: 600px
:align: center
As of January 2015 there have been *195* releases leading to the latest version *21.1*
named "Marvelous Meerkat".
The list below contains all releases, ordered by version number categorized by major version.
.. toctree::
:maxdepth: 2
:titlesonly:
:glob:
releases/CE_21.1
releases/CE_20.7
releases/CE_20.1
releases/CE_19.7
releases/CE_19.1
releases/CE_18.7
releases/CE_18.1
releases/CE_17.7
releases/CE_17.1
releases/CE_16.7
releases/CE_16.1
releases/CE_15.7
releases/CE_15.1
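Review bot: the sentence "As of January 2015 there have been *195* releases leading to the latest version *21.1* named "Marvelous Meerkat"" is now duplicated between this new Community Edition page and the existing Releases index (it remains there as unchanged context in the next hunk), so the release count and version will drift apart the first time only one copy is bumped; keep the statement on one page, or define it once as an RST substitution and reference it from both. As on the Business Edition page, `:glob:` is unnecessary next to the explicit `releases/CE_*` list and would sort oldest-first if a pattern were ever substituted for the list.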

@ -6,26 +6,11 @@ Releases
:width: 600px
:align: center
As of January 2015 there have been *195* releases leading to the latest version *21.1*
named "Marvelous Meerkat".
The list below contains all releases, ordered by version number categorized by major version.
.. toctree::
:maxdepth: 2
:titlesonly:
:glob:
releases/21.1
releases/20.7
releases/20.1
releases/19.7
releases/19.1
releases/18.7
releases/18.1
releases/17.7
releases/17.1
releases/16.7
releases/16.1
releases/15.7
releases/15.1
CE_releases
BE_releases
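Review bot: the unchanged intro line kept above this hunk, "The list below contains all releases, ordered by version number categorized by major version", no longer describes what follows, since the toctree now contains only the two entries `CE_releases` and `BE_releases`; reword it to say that the release notes are split by edition and that each edition page carries the per-version list. The hunk also removes every `releases/<version>` entry from 21.1 down to 15.1 from the index; if those documents were renamed to `releases/CE_<version>` rather than left in place, external links to the old page URLs will break, so a redirect or at least a mention in the PR description would help.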

@ -0,0 +1,986 @@
===========================================================================================
19.1 "Inspiring Iguana" Series
===========================================================================================
For more than four years now, OPNsense is driving innovation through
modularising and hardening the open source firewall, with simple and
reliable firmware upgrades, multi-language support, HardenedBSD security,
fast adoption of upstream software updates as well as clear and stable
2-Clause BSD licensing.
The 19.1 release, nicknamed "Inspiring Iguana", consists of a total of
620 individual changes since 18.7 came out 6 months ago, spread out over
12 intermediate releases including the recent release candidates. That is
the average of 2 stable releases per month, security updates and important
bug fixes included! If we had to pick a few highlights it would be: The
firewall alias API is finally in place. The migration to HardenedBSD 11.2
has been completed. 2FA now works with a remote LDAP / local TOTP
combination. And the OpenVPN client export was rewritten for full API
support as well.
Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
can be found below as well.
* Europe: https://opnsense.c0urier.net/releases/19.1/
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.1/
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.1/
* South America: http://mirror.upb.edu.co/opnsense/releases/19.1/
* South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.1/
* Full mirror list: https://opnsense.org/download/
--------------------------------------------------------------------------
19.1.10 (July 03, 2019)
--------------------------------------------------------------------------
Small update as we are nearing the end of the 19.1 series. Yes, it is
that time of the year again with a release candidate only a few days
away and a final release date set to July 17.
Here are the full patch notes:
* system: change certificate manager actions to POST
* system: fix account removal with missing "-g" option
* system: add dashboard widgets to XMLRPC sync
* firewall: fix live log rule label mismatch caused by optimisation
* firewall: fix alias import with alias references included
* firewall: change default sorting of aliases to names
* firmware: add homelab.no mirror (contributed by Thomas Jensen)
* intrusion detection: when toggling rules keep the current action
* intrusion detection: suppress mystery PHP 7.2+ warning in API
* intrusion detection: show SID in alert view
* web proxy: add cache reset button
* web proxy: correct syslog export
* plugins: os-dyndns 1.6 DigitalOcean support (contributed by Dune Heishman)
* plugins: os-etpro-telemetry Python 3 support
* plugins: os-frr 1.11 `[1] <https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr>`__
* plugins: os-nginx 1.14 `[2] <https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr>`__
* plugins: os-rspamd 1.7 `[3] <https://github.com/opnsense/plugins/blob/master/mail/rspamd/pkg-descr>`__
* plugins: os-tinc Python 3 support
* ports: ca_root_nss 3.44.1
* ports: curl 7.65.1 `[4] <https://curl.haxx.se/changes.html>`__
* ports: libevent 2.1.10 `[5] <https://github.com/libevent/libevent/releases/tag/release-2.1.10-stable>`__
* ports: libxml 2.9.9 `[6] <https://mail.gnome.org/archives/xml/2019-January/msg00000.html>`__
* ports: libressl 2.9.2 `[7] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.9.1-relnotes.txt>`__ `[8] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.9.2-relnotes.txt>`__
* ports: phalcon 3.4.4 `[9] <https://github.com/phalcon/cphalcon/releases/tag/v3.4.4>`__
* ports: strongswan 5.8.0 `[10] <https://wiki.strongswan.org/versions/73>`__
* ports: unbound 1.9.2 `[11] <https://nlnetlabs.nl/projects/unbound/download/>`__
A hotfix release was issued as 19.1.10_1:
* firmware: enable upgrade path to 19.7
--------------------------------------------------------------------------
19.1.9 (June 06, 2019)
--------------------------------------------------------------------------
Small 19.1 series update mainly focusing on LDAP group synchronisation
and assorted OpenVPN improvements. Two regressions of previous versions
have been fixed as well.
Here are the full patch notes:
* system: add LDAP group synchronisation feature
* system: allow an arbitrary group for sudo like ssh login
* system: stop using a lock around resolv.conf handling
* system: rename a number of service-related functions
* system: login not using cache-safe image yet
* system: add pluginctl -s support
* system: restyle config backup page
* system: fix log split view regression of 19.1.8
* interfaces: remove DHCPv6 on delete and clear config on IPsec assignment
* interfaces: small VIP restructure and IPv6 alias to IPv6 device
* interfaces: subtle changes in IPv6 and variable naming
* interfaces: add missing does_interface_exist() checks
* firewall: support multiple interfaces per NAT port forward rule
* captive portal: use "onestop" to stop service
* intrusion detection: missing header ID in alerts tab
* ipsec: remove remnants of gateway group interface selection
* ipsec: use indirect plugin calls in interface code
* openvpn: add live-search to longer lists in server page
* openvpn: support --cryptoapicert export (sponsored by m.a.x. it `[1] <https://www.max-it.de/>`__ )
* opnevpn: correctly check for translation in get_carp_interface_status()
* openvpn: use waitforpid() to properly wait for instanes to come up
* openvpn: translate GUI error values when returning them
* openvpn: revamp status page
* unbound: leases watcher file rotation issue
* web proxy: squid log in readable date format (contributed by nhirokinet)
* web proxy: fix non-local authentication regression of 19.1.7
* plugins: os-bind 1.5 `[2] <https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr>`__
* plugins: os-clamav 1.7 `[3] <https://github.com/opnsense/plugins/blob/master/security/clamav/pkg-descr>`__
* plugins: os-dnscrypt-proxy 1.4 `[4] <https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr>`__
* plugins: os-dyndns clouldflare wildcard domain support
* plugins: os-nginx 1.13 `[5] <https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr>`__
* plugins: os-openconnect 1.4.0 `[6] <https://github.com/opnsense/plugins/blob/master/security/openconnect/pkg-descr>`__
* plugins: os-redis 1.1 `[7] <https://github.com/opnsense/plugins/blob/master/databases/redis/pkg-descr>`__
* plugins: os-rspamd 1.6 `[8] <https://github.com/opnsense/plugins/blob/master/mail/rspamd/pkg-descr>`__
* plugins: os-theme-cicada 1.18 (contributed by Team Rebellion)
* plugins: os-theme-tukan 1.18 (contributed by Team Rebellion)
* ports: curl 7.65.0 `[9] <https://curl.haxx.se/changes.html>`__
* ports: lighttpd 1.4.54 `[10] <https://www.lighttpd.net/2019/5/27/1.4.54/>`__
* ports: python 3.7.3 `[11] <https://www.python.org/downloads/release/python-373/>`__
* ports: openssl 1.0.2s `[12] <https://www.openssl.org/news/cl102.txt>`__
* ports: php 7.2.19 `[13] <https://www.php.net/ChangeLog-7.php#7.2.19>`__
--------------------------------------------------------------------------
19.1.8 (May 20, 2019)
--------------------------------------------------------------------------
This update addresses several privilege escalation issues in the access
control implementation and new memory disclosure issues in Intel CPUs.
We would like to thank Arnaud Cordier and Bill Marquette for the top-notch
reports and coordination.
Here are the full patch notes:
* system: address CVE-2019-11816 privilege escalation bugs `[1] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11816>`__ (reported by Arnaud Cordier)
* system: /etc/hosts generation without interface_has_gateway()
* system: show correct timestamp in config restore save message (contributed by nhirokinet)
* system: list the commands for the pluginctl utility when no argument is given
* system: introduce and use userIsAdmin() helper function instead of checking for "page-all" privilege directly
* system: use absolute path in widget ACLs (reported by Netgate)
* system: RRD-related cleanups for less code exposure
* interfaces: add EN DUID Generation using OPNsense PEN (contributed by Team Rebellion)
* interfaces: replace legacy_getall_interface_addresses() usage
* firewall: fix port validation in aliases with leading / trailing spaces
* firewall: fix outbound NAT translation display in overview page
* firewall: prevent CARP outgoing packets from using the configured gateway
* firewall: use CARP net.inet.carp.demotion to control current demotion in status page
* firewall: stop live log poller on error result
* dhcp: change rule priority to 1 to avoid IPv6 bogon clash
* dnsmasq: only admins may edit custom options field
* firmware: use insecure mode for base and kernel sets when package fingerprints are disabled
* firmware: add optional device support for base and kernel sets
* firmware: add Hostcentral mirror (HTTP, Melbourne, Australia)
* ipsec: always reset rightallowany to default when writing configuration
* lang: say "hola" to Spanish as the newest available GUI language
* lang: updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese
* network time: only admins may edit custom options field
* openvpn: call openvpn_refresh_crls() indirectly via plugin_configure() for less code exposure
* openvpn: only admins may edit custom options field to prevent privilege escalation (reported by Bill Marquette)
* openvpn: remove custom options field from wizard
* unbound: only admins may edit custom options field
* wizard: translate typehint as well
* plugins: os-freeradius 1.9.3 fixes string interpolation in LDAP filters (contributed by theq86)
* plugins: os-nginx 1.12 `[2] <https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr>`__
* plugins: os-theme-cicada 1.17 (contributed by Team Rebellion)
* plugins: os-theme-tukan 1.17 (contributed by Team Rebellion)
* src: timezone database information update `[3] <https://www.freebsd.org/security/advisories/FreeBSD-EN-19:08.tzdata.asc>`__
* src: install(1) broken with partially matching relative paths `[4] <https://www.freebsd.org/security/advisories/FreeBSD-EN-19:09.xinstall.asc>`__
* src: microarchitectural Data Sampling (MDS) mitigation `[5] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:07.mds.asc>`__
* ports: ca_root_nss 3.44
* ports: php 7.2.18 `[6] <https://www.php.net/ChangeLog-7.php#7.2.18>`__
* ports: sqlite 3.28.0 `[7] <https://www.sqlite.org/changes.html>`__
* ports: strongswan custom XAuth generic patch removed
--------------------------------------------------------------------------
19.1.7 (May 02, 2019)
--------------------------------------------------------------------------
This update features a number of improvements such as link-local support
for bridges, HA sync consolidation, adding local CAs to the trusted SSL
certificates for most of the system download capabilities, plugin-based
PAM authentication rework for IPsec and the web proxy as well as third
party fixes for hostapd / wpa_supplicant 2.8 and Suricata 4.1.4.
Python 3 migration is also underway now which requires to pull in both
Python versions which may be heavy on embedded Nano installs, but we
cannot see another way for this tedious task which will probably stretch
into 19.7 to be fully carried out in 20.1.
And speaking of 20.1: This is the first of many reminders that 20.1 will
discontinue the i386 (Intel 32 Bit) franchise as discussed a number of
times within the community over the years. Our hope is that ARM64 will
make a viable replacement. But that is for another time.
As you may have noticed the project has not been delivering releases every
other week and there are a number of reasons for it:
Security-wise we have not had a lot of necessary third-party software
updates. Feature-wise we are sitting on a number of improvements for the
upcoming 19.7 series that will trickle into 19.1.x now, but that have also
required larger preparations and testing in the meantime. On the community
side of the spectrum, sponsored by our partner m.a.x. it, we have started
to work on better default gateway switching which led to an overall gateway
integration rework and then quickly to interface handling restructuring,
which in turn led to improving plugin capabilities of core services
(OpenVPN, IPsec, Unbound, Dnsmasq, DHCPD, Dpinger). Looking at it now it
has been the largest rework so far on code established many years ago and
only occasionally patched. We hope this shows our dedication to the code
base even when things are not always 100% bug free. If you feel like
pitching in now is a good time to try the development version and let us
know about how it performs.
Without further ado, here are the full patch notes:
* system: HA sync cleanup removes opportunistic syncs in random GUI pages (use HA status page to sync and restart remote services)
* system: support for syncing alias and VHID to the slave
* system: cleanly rewrite CA root files and add local trusted CAs as well
* system: disable backup cron job when no backup is enabled
* system: more reliable load and sync for LDAP attributes (contributed by Indrajit Raychaudhuri)
* system: migrate health graph scripts to Python 3.6
* interfaces: properly add and remove IPv6 trackers after interface apply
* interfaces: validate prefix ID of IPv6 trackers so that each ID is unique
* interfaces: display "0x" in prefix ID field so that it is clear that value is in hex
* interfaces: fix passing VLAN name in interface_virtual_create()
* interfaces: fix group-related bugs and allow digits and underscores in name, but no more than 15 characters
* interfaces: allow link-local address on bridges via optional setting
* interfaces: PPP-related code cleanups
* firewall: prevent double-escaping of text in rules page
* firewall: handle IDNA encode failures in aliases
* firewall: alias import / export option
* captive portal: update to bootstrap 3.4.1
* captive portal: fix a race in directory creation and listClients()
* dhcp: fix TFTP boot file name usage (contributed by Bjorn Kalkbrenner)
* dhcp: merge static mac addresses with leases
* dhcp: prevent double-escaping of text in leases page
* firmware: add private log file for major upgrade package install step
* firmware: use a safer major upgrade package install mode
* firmware: retain /etc/motd on base updates
* ipsec: implemented wildcard includes (contributed by Mark Plomer)
* ipsec: only apply mobile PFS to mobile phase 2
* ipsec: restyle mobile settings a little
* ipsec: switch XAuth to PAM
* ipsec: partial fix for static routes on routed tunnels during boot
* network time: reload RRD since NTP has a setting for it
* web proxy: fix PAC weekday match labels (contributed by Mohammed Sadiq)
* web proxy: switch authentication to PAM
* backend: treat non existing key as empty string in sortDictList()
* mvc: pluggable PAM-based authentication framework
* mvc: add filter closure to searchBase()
* plugins: introduce plugins_run() for collecting structured data from plugins
* plugins: os-clamav 1.6 `[1] <https://github.com/opnsense/plugins/blob/master/security/clamav/pkg-descr>`__
* plugins: os-dyndns 1.5 fixes CloudFlare zone ID lookup behaviour (contributed by George Johnson)
* plugins: os-frr 1.10 `[2] <https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr>`__
* plugins: os-netdata 1.0 (contributed by Michael Muenz)
* plugins: os-nginx 1.11_2 fixes ACME support (contributed by Frank Wall)
* plugins: os-rfc2136 1.5 removes unused gateway group related code
* src: move invoking of callout_stop(&lle->lle_timer) into llentry_free()
* src: ensure that IP addresses match in ICMP error packets in pf(4)
* src: add bsdinstall utility for upcoming 19.7 installer replacement
* ports: dhcp6c v20190419 fixes raw options segfaults (contributed by Franck78)
* ports: hostapd / wpa_supplicant 2.8 `[3] <https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog>`__
* ports: perl 5.28.2 `[4] <https://perldoc.pl/5.28.2/perldelta>`__
* ports: py-yaml 5.1 `[5] <https://github.com/yaml/pyyaml/blob/master/CHANGES>`__
* ports: suricata 4.1.4 `[6] <https://suricata-ids.org/2019/04/30/suricata-4-1-4-released/>`__
* ports: sqlite 3.27.2 `[7] <https://www.sqlite.org/changes.html>`__
--------------------------------------------------------------------------
19.1.6 (April 11, 2019)
--------------------------------------------------------------------------
This update brings a smaller number of fixes and improvements as well as
the latest PHP version update.
With a heavy heart we disable E_WARNING messages in the PHP error reporting.
It has been implemented in 2015 to improve code quality and it did just that,
but with the latest PHP 7.2 jump in 19.1.5 it causes problems around the
newly added count() usage warning messages. We plan to bring back E_WARNING
usage in 19.7.
Here are the full patch notes:
* system: let dashboard only accept its own POST requests
* system: remove obsolete symlink to opnsense-auth
* system: skip PHP E_WARNING log level until 19.7
* system: numerous PHP 7.2 warning fixes
* dhcp: DHCPD server check in relay only if interface is active
* dnsmasq: skip empty custom options
* intrusion prevention: do not drop flowbits:noalert rules
* unbound: add ACL entries for OpenVPN by default
* mvc: controller cleanups in firewall shaper, web proxy and captive portal
* plugins: numerous PHP 7.2 warning fixes
* plugins: os-freeradius 1.9.2 fixes LDAP group filter and EAP certificates write (contributed by Alexander Harm)
* plugins: os-nginx 1.11 `[1] <https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr>`__
* ports: php 7.2.17 `[2] <https://php.net/ChangeLog-7.php#7.2.17>`__
* ports: py-certifi 2019.3.9 `[3] <https://pypi.org/project/certifi/2019.3.9/>`__
--------------------------------------------------------------------------
19.1.5 (April 05, 2019)
--------------------------------------------------------------------------
After a longer pause we are back with considerable upgrades for IPsec,
a new CSR feature for local CAs, PHP 7.2 migration and a number of other
considerable third party updates.
These are the full patch notes:
* system: improve gateway status return when monitoring is off
* system: warn user about future deprecation of "user-config-readonly" privilege
* system: support certificate signing requests (contributed by nhirokinet)
* system: syslog does not need to do a background startup since it backgrounds itself
* system: invalidate Nextcloud URL with trailing slash (contributed by Fabian Franz)
* system: avoid double encoding cert name (contributed by Indrajit Raychaudhuri)
* interfaces: fix facility for rtsold log about dhcp6c (contributed by Thomas du Boys)
* interfaces: take all unknown arguments as real interfaces in interfaces_addresses()
* interfaces: optionally allow interfaces_addresses() to emit subnets instead of addresses
* interfaces: move mpd.script to new location (may require interface reconfigure)
* firewall: proper locking of aliases before config action on delete
* firewall: correctly set outbound NAT destination as network
* firewall: add support for DSCP in shaper (contributed by Michael Muenz)
* firewall: add support for IDN in aliases (contributed by Smart-Soft)
* captive portal: allow access to this host (contributed by Fredrik Ronnvall)
* firmware: fix parsing of packages in multi-repo env and revoked fingerprint message
* firmware: add University of Kent to the firmware mirrors
* ipsec: only use explicit reqid when using route-based interfaces
* ipsec: correctly set install policy option on newly created phase 1 entries
* ipsec: improve split DNS and INTERNAL_DNS_DOMAIN configuration
* ipsec: added IKEv2 DH group 31 / curve 25519 (contributed by Peter Stehlin)
* ipsec: properly quote UNITY_BANNER for multi-line support
* ipsec: support for dynamic remote gateways
* monit: add migration/validation for service/test type dependency (contributed by Frank Brendel)
* monit: added missing "not on" label
* openvpn: support static-challenge formatted password
* openvpn: properly load custom config field in exporter
* openvpn: cleanups in listening address handling
* web proxy: IP address not available when address set to none
* web proxy: add sortable support for PAC proxy lists (contributed by Fabian Franz)
* web proxy: add dash to allowed characters in description (contributed by Fabian Franz)
* backend: python 2->3 iteritems() conversion in core templates
* mvc: migrate config backup rotation to handle static and MVC pages (contributed by Smart-Soft)
* mvc: controller cleanups in cron, intrusion detection, routes
* mvc: obey "user-config-readonly" privilege in mutable controllers
* mvc: support overlays in setBase() / addBase()
* ui: remove jquery-bootgrid converters which are now included in the library
* plugins: os-acmle-client 1.23 `[1] <https://github.com/opnsense/plugins/pull/1166>`__ `[2] <https://github.com/opnsense/plugins/pull/1212>`__ `[3] <https://github.com/opnsense/plugins/pull/1263>`__
* plugins: os-dyndns 1.14 supports wildcards for Google Domains
* plugins: os-etpro-telemetry 1.3 uses HOME_NET to anonymization
* plugins: os-freeradius 19.1.0 `[4] <https://github.com/opnsense/plugins/blob/master/net/freeradius/pkg-descr>`__
* plugins: os-frr 1.9 `[5] <https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr>`__
* plugins: os-nginx 1.10 `[6] <https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr>`__
* plugins: os-postfix 1.9 `[7] <https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr>`__
* plugins: os-rspamd 1.5 `[8] <https://github.com/opnsense/plugins/blob/master/mail/rspamd/pkg-descr>`__
* plugins: os-telegraf 1.7.5 `[9] <https://github.com/opnsense/plugins/blob/master/net-mgmt/telegraf/pkg-descr>`__
* plugins: os-theme-cicada 1.15 (contributed by Team Rebellion)
* plugins: os-theme-tukan 1.14 (contributed by Team Rebellion)
* plugins: os-zabbix-agent 1.5 `[10] <https://github.com/opnsense/plugins/pull/1262>`__
* ports: ca_root_nss 3.43
* ports: curl 7.64.1
* ports: libucl 0.8.1
* ports: pcre 8.43
* ports: php 7.2.16
* ports: py-cryptography 2.6.1
* ports: phpseclib 2.0.15
* ports: python 2.7.16
* ports: unbound 1.9.1
A hotfix release was issued as 19.1.5_1:
* mvc: sync missing hasPrivilege()
--------------------------------------------------------------------------
19.1.4 (March 12, 2019)
--------------------------------------------------------------------------
An UEFI boot panic scenario was debugged last week with the help of the
community. This update includes a fix that will allow the ones affected
by this 19.1 issue to upgrade or install (and boot of course) correctly.
We are also including the IPsec VTI support and the latest Suricata 4.1.3
with stability and compatibility fixes.
Due to the severity of the UEFI boot panic 19.1.4 will be the new initial
release for all upgrades from 18.7 within a day or two depending on
additional testing and confirmation. Last but not least there will be
new images some time next week to put this fully behind us. Thank you
for your patience and understanding. :)
Special thanks go to the team of Synacktiv for reporting a packet filter
IPv6 vulnerability for which a patch was included as well.
Here are the full patch notes:
* system: remove erroneously translated hostname example (contributed by nhirokinet)
* firewall: fix validation regression in outbound NAT introduced in 19.1.3
* firewall: mock labels for NAT rules in live log as pf does not offer label support
* interfaces: do not background LAGG ifconfig destroy
* installer: revert to use network connection to allow CTRL+C and resume
* ipsec: added Virtual Tunnel Interface (VTI) support
* unbound: fix nested statistics items read
* mvc: remove old Phalcon volt template workarounds from when scopes were broken
* mvc: fix bug in model relation field values merge
* plugins: os-zabbix4-proxy PSK directory fix (contributed by Michael Muenz)
* plugins: os-telegraf missed invoke of setup.sh
* plugins: os-frr adds validator to OSPF prefix lists (contributed by Michael Muenz)
* plugins: os-dmidecode 1.1 fixes data parsing (contributed by Smart-Soft)
* plugins: os-nginx 1.9 `[1] <https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr>`__
* src: do not pass pf(4) IPv6 fragments with malformed extension headers (reported by Synacktiv)
* src: revert upstream commit "protect the kernel text, data, and BSS" to fix certain UEFI boots
* ports: monit 5.25.3 `[2] <https://mmonit.com/monit/changes/>`__
* ports: ntp 4.2.8p13 `[3] <http://support.ntp.org/bin/view/Main/NtpBug3565>`__
* ports: php 7.1.27 `[4] <https://php.net/ChangeLog-7.php#7.1.27>`__
* ports: suricata 4.1.3 `[5] <https://suricata-ids.org/2019/03/07/suricata-4-1-3-released/>`__
The full list of changes of the OPNsense 19.1 series can be reviewed using
their original announcements:
* 19.1: https://forum.opnsense.org/index.php?topic=11398.0
* 19.1.1: https://forum.opnsense.org/index.php?topic=11469.0
* 19.1.2: https://forum.opnsense.org/index.php?topic=11849.0
* 19.1.3: https://forum.opnsense.org/index.php?topic=11941.0
We would also like to use this opportunity to remind everyone that OPNsense
is and always will be free software. All of its source code and associated
build tools can be found here:
https://github.com/opnsense
Download links, an installation guide `[6] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
can be found below as well.
* Europe: https://opnsense.c0urier.net/releases/19.1/
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.1/
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.1/
* South America: http://mirror.upb.edu.co/opnsense/releases/19.1/
* South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.1/
* Full mirror list: https://opnsense.org/download/
The public key for the 19.1 series is:
.. code-block::
# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4NKHVbdmq9RN085Nfdyc
# ip5IMNwcc4QcvGIbN51+UiHh8+aj+JJSswHg5ZBwKk6bxt8kA1NAJQk5U6Qb/UXi
# QYt0zvN2ABrzBHq6WRE5WPzmQa1Raky4ChfQqorOFi3D96rMvI/Anm4OLllHcMX/
# GKPA1XcODJTFQOjsAR+87V6Em+W0YX0lGLTmWdmwWfGeGQFJzA2A/Wxn3b0jDS9m
# pyHlj4jzat6032qs7Uxf+qWopj+d76ZyxedQVPswKa9o9qKF2iUoSSG/11kFpLi6
# Y+gXCXZDL20GXsPuBi1hpPnkhBFI+WFlC1KiA8RRGMpDKGQFw/XYIwKvfdRw82Mx
# NkJYCiRNZxXnDzInTLuyEpS9yzQXdxa6YFR9USeFpjLaVUppT57M5xfdPFRdhImj
# 1crhMjQZWt+054JTadvEu4o1c+45damruqtQntvnF7h5vcNCjExlREKK32rMXbGD
# Fb19G/3x8UASqVslkXeNtTj0fVPN+78yVyqjWCBe2zHiBlnWBmRu6tlrEDl/MVAz
# Yk3rHMYdRpDYolWBD8bAzqohSatbrzWUjjF7GlLR6HfXsCYxPzGJb6Ed4We+ZjvH
# C3/LHyuZD6EmksSraJt8XeVvTQlPnPI+jVbqJERi/p3F9KRVy8mwEwk/4MDbPhZ0
# zizSg7+Yn6Rac/F0QlvUPa8CAwEAAQ==
# -----END PUBLIC KEY-----
.. code-block::
# SHA256 (OPNsense-19.1.4-OpenSSL-dvd-amd64.iso.bz2) = 5f2e64797fce03d4d47050894c38e8e176fda6281009abd36f60d788d3e29d42
# SHA256 (OPNsense-19.1.4-OpenSSL-nano-amd64.img.bz2) = ee5171fb837884fffd29c6e75cb089dc4020fb89459143bd9e7b859b1da3fd89
# SHA256 (OPNsense-19.1.4-OpenSSL-serial-amd64.img.bz2) = 07868978903220bf9dee26c936d25140df07ec9c02cb8c480bd8619e69c562a0
# SHA256 (OPNsense-19.1.4-OpenSSL-vga-amd64.img.bz2) = e473bc645778c95596639056ecc8ef92a12a7fd1cdc52cd0b1f6294a64561311
.. code-block::
# SHA256 (OPNsense-19.1.4-OpenSSL-dvd-i386.iso.bz2) = 9f40b591c27d90a86c60ec0b539f228999953f947573e2e575c2936c3993d7c0
# SHA256 (OPNsense-19.1.4-OpenSSL-nano-i386.img.bz2) = c624d50b19f2ae4d471076c53f5c516e3a523ff41b69d0bfa779b5fff6415f81
# SHA256 (OPNsense-19.1.4-OpenSSL-serial-i386.img.bz2) = 62bff974ae4238dfc2e830a32fbf4bd357ff418d15be99b89ac129f839e10eaf
# SHA256 (OPNsense-19.1.4-OpenSSL-vga-i386.img.bz2) = ca893277a02b93129e6a30125107f7ad4fc01673b722f54ce6e5cb7eb438cae4
--------------------------------------------------------------------------
19.1.3 (March 07, 2019)
--------------------------------------------------------------------------
This is a smaller stable update consisting of LDAPS authentication
server improvements, Unbound host overrides alias support, OpenSSL
1.0.2r security update and the recent PAM rework for better privilege
separation.
We are currently focusing on IPsec VTI, third-party service PAM
integration and investigating kernel boot crashes. In the latter
case we are aware of the update issues some people are having and
recommend running 18.7 until this is taken care of. Above all,
please be patient. New images and seamless upgrade paths will be
provided as soon as the problems have been pinned down.
Here are the full patch notes:
* system: improve LDAPS mode and related authentication cleanups
* system: move enable checkbox to the top in remote logging settings
* system: allow reset of tunables to to factory defaults
* system: new tunables factory default to prevent ICMP redirects being sent (net.inet.icmp.drop_redirect=1)
* firewall: allow explicitly setting source hash key in outbound NAT (Fredrik Ronnvall)
* interfaces: probe media before applying new settings
* interfaces: correctly compare MAC addresses
* dhcp: added TFTP bootfile-name (contributed by Bjorn Kalkbrenner)
* firmware: move duty to return the correct set name / ID to opnsense-version
* firmware: finally revoke 18.7 fingerprint
* intrusion detection: minor template cleanups using helpers.empty()
* ipsec: peer identifier can now fall back to remote-gateway in manual SPD entries
* ipsec: allow easier override of colours in widget (contributed by Fabian Franz)
* monit: add validation for test type (contributed by Frank Brendel)
* openvpn: add auth-nocache option in exporter
* openvpn: validate certificate type for servers
* unbound: add host overrides alias support
* web proxy: add auth to parent proxy (contributed by Michael Muenz)
* backend: add helpers.empty() in configd
* mvc: simplify save / close / cancel button labels
* mvc: add sorting for field list types
* rc: move all template generation to early stage
* ui: improve escaping of displayed data in static pages
* ui: escape button values in static pages
* ui: avoid short PHP tags
* plugins: os-dnscrypt-proxy 1.3 `[1] <https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr>`__
* plugins: os-frr brings in missing area range code `[2] <https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr>`__
* plugins: os-postfix log file ACL and wrapper mode typo fix (contributed by Michael Muenz)
* plugins: os-theme-cicada IPsec widget colour fix (contributed by Team Rebellion)
* plugins: os-theme-tukan IPsec widget colour fix (contributed by Team Rebellion)
* plugins: os-vnstat /var MFS fix `[3] <https://github.com/opnsense/plugins/blob/master/net/vnstat/pkg-descr>`__
* plugins: os-zabbix4-proxy 1.0 (contributed by Michael Muenz)
* ports: openssl 1.0.2r `[4] <https://www.openssl.org/news/secadv/20190226.txt>`__
* ports: pam_opnsense 19.1.3 uses setuid for privilege separation
* ports: phalcon 3.4.3 `[5] <https://github.com/phalcon/cphalcon/releases/tag/v3.4.3>`__
--------------------------------------------------------------------------
19.1.2 (February 28, 2019)
--------------------------------------------------------------------------
This update is the sum of a few weeks of intense testing and debugging
in areas such as WAN DHCP with very short lease times, Suricata IPS not
working as expected, and stacked 6RD setups with overly long device names,
amongst others.
The update may be a bit bumpy this time since the web GUI session directory
will be moved to a safer location. You will be logged out during the update
and the system will reboot due to the included operating system update. As
soon as it is back you will be able to log in as usual.
LibreSSL received a major upgrade from 2.7 to 2.8. If you are using LibreSSL
and see any issues please do let us know because it sadly looks like third
party projects such as OpenVPN, Squid, StrongSwan and NTP leave the use of
LibreSSL to the few users who are able to fix the source code builds on their
own and we want to ideally avoid having to patch third party software.
Here are the full patch notes:
* system: move session files into their own directory (forces the current sessions to expire)
* system: add validation check for time period for Dpinger (contributed by Team Rebellion)
* system: hide "show certificate info" button of pending CSR (contributed by nhirokinet)
* system: move opnsense-auth to libexec, but keep a symlink in sbin directory
* system: escaping issue in gateway edit page
* system: fix ACL for halt and reboot pages
* firewall: fix alias entry replacement in utility page
* firewall: prevent new alias creation when adding an address
* firewall: capture "nat" traffic like we do for "rdr" in live log
* firewall: escaping issues in schedule edit page
* interfaces: push dhclient and dhcp6c log messages to system log
* interfaces: write all nameservers via dhclient-script in multi WAN scenarios
* interfaces: check for valid alias IP in dhclient-script
* interfaces: 6RD interface naming back to 18.7 to sidestep character limits on stacked setups
* interfaces: avoid reading empty interface configurations
* firmware: bootstrap rework for HTTPS repository URL
* firmware: patch cache and assorted improvements
* firmware: minor update utility cleanups
* firmware: remove compatibility stubs for pre-19.1 version reads
* firmware: show revoked package mirror error in GUI if applicable
* firmware: bump RageNetwork mirror to HTTPS
* firmware: be more careful about parsing version info
* dhcp: fix behaviour of determining primary/secondary (contributed by Fredrik Ronnvall)
* intrusion detection: set stream.inline: true as an IPS workaround for a Suricata 4.1 regression `[1] <https://redmine.openinfosecfoundation.org/issues/2811>`__
* intrusion detection: support required rules/files in metadata package
* intrusion detection: less extensive logging
* ipsec: fix escaping issue in mobile page
* monit: fix address validation
* openvpn: obey verify-x509-name for remote access (user auth)
* openvpn: proper daemonize instead of background job
* openvpn: extract full CA chain for setup
* openvpn: missing "port" in protocol export
* mvc: fix port validation on whitespace input
* mvc: fix compare constraint (contributed by Fabian Franz)
* mvc: fix read-only access on config.xml during locked runs
* mvc: prevent UserException from being pushed to PHP error log
* ui: legacy browsers accommodation (contributed by NOYB)
* ui: update to Tokenize2 1.3 plus additional escaping patches
* ui: add support for Tokenize2 sortable tag
* ui: hardening of gettext() invokes in HTML tags
* ui: fix setFormData() HTML decode
* plugins: os-bind safe search google domain updates (contributed by Michael Muenz)
* plugins: os-dnscrypt-proxy 1.2 `[2] <https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr>`__
* plugins: os-dyndns 1.13 IPv6 device lookup fix
* plugins: os-etpro-telemetry 1.2 reduces telemetry data collection
* plugins: os-frr 1.8 adds route summarization via area range (contributed by Michael Muenz)
* plugins: os-haproxy 2.15 `[3] <https://github.com/opnsense/plugins/pull/1167>`__ `[4] <https://github.com/opnsense/plugins/pull/1209>`__
* plugins: os-nginx 1.8 `[5] <https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr>`__
* plugins: os-ntopng 1.2 `[6] <https://github.com/opnsense/plugins/blob/master/net/ntopng/pkg-descr>`__
* src: clear callee-preserved registers on amd64 syscall exit `[7] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:01.syscall.asc>`__
* ports: cpdup 1.20
* ports: curl 7.64.0 `[8] <https://curl.haxx.se/changes.html>`__
* ports: libressl 2.8.3 `[9] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.8.3-relnotes.txt>`__
* ports: openvpn 2.4.7 `[10] <https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24>`__
* ports: pam_opnsense manual page addition
* ports: sqlite 3.27.1 `[11] <https://www.sqlite.org/releaselog/3_27_1.html>`__
* ports: squid forgery check avoidance `[12] <https://github.com/opnsense/ports/issues/66>`__
* ports: strongswan 5.7.2 `[13] <https://wiki.strongswan.org/versions/72>`__
* ports: unbound 1.9.0 `[14] <https://nlnetlabs.nl/projects/unbound/download/>`__
--------------------------------------------------------------------------
19.1.1 (February 05, 2019)
--------------------------------------------------------------------------
This is a security and reliability release: WAN DHCP will no longer trust
the server MTU given. Uncoordinated cross-site scripting issues have been
fixed. And the Python requests library was patched due to CVE-2018-18074.
Here are the full patch notes:
* system: address XSS-prone escaping issues `[1] <https://packetstormsecurity.com/files/151381/OPNsense-18.7-Cross-Site-Scripting.html>`__
* firewall: add port range validation to shaper inputs
* firewall: drop description validation constraints
* interfaces: DHCP override MTU option (contributed by Team Rebellion)
* interfaces: properly configure SIM PIN on custom modems
* reporting: prevent cleanup from deleting current data when future data exists
* ipsec: allow same local subnet if used in different phase 1 (contributed by Max Weller)
* openvpn: multiple client export fixes
* web proxy: add ESD files to Windows cache option (contributed by R-Adrian)
* plugins: os-acme-client 1.20 `[2] <https://github.com/opnsense/plugins/pull/1157>`__
* plugins: os-dyndns fix for themed colours (contributed by Team Rebellion)
* plugins: os-etpro-telemetry 1.1 adds random delay to telemetry data send
* plugins: os-nginx 1.7 `[3] <https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr>`__
* plugins: os-rspamd reads DKIM keys via Redis (contributed by Garrod Alwood)
* plugins: os-theme-cicada 1.14 (contributed by Team Rebellion)
* plugins: os-theme-tukan 1.13 (contributed by Team Rebellion)
* ports: ca_root_nss 3.42.1
* ports: lighttpd 1.4.53 `[4] <https://www.lighttpd.net/2019/1/27/1.4.53/>`__
* ports: py-request 2.21.0 `[5] <https://vuxml.freebsd.org/freebsd/50ad9a9a-1e28-11e9-98d7-0050562a4d7b.html>`__
--------------------------------------------------------------------------
19.1 (January 31, 2019)
--------------------------------------------------------------------------
For more than four years now, OPNsense has been driving innovation through
modularising and hardening the open source firewall, with simple and
reliable firmware upgrades, multi-language support, HardenedBSD security,
fast adoption of upstream software updates as well as clear and stable
2-Clause BSD licensing.
The 19.1 release, nicknamed "Inspiring Iguana", consists of a total of
620 individual changes since 18.7 came out 6 months ago, spread out over
12 intermediate releases including the recent release candidates. That is
an average of 2 stable releases per month, security updates and important
bug fixes included! If we had to pick a few highlights, they would be these: the
firewall alias API is finally in place. The migration to HardenedBSD 11.2
has been completed. 2FA now works with a remote LDAP / local TOTP
combination. And the OpenVPN client export was rewritten for full API
support as well.
Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
can be found below as well.
* Europe: https://opnsense.c0urier.net/releases/19.1/
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.1/
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.1/
* South America: http://mirror.upb.edu.co/opnsense/releases/19.1/
* South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.1/
* Full mirror list: https://opnsense.org/download/
These are the most prominent changes since version 18.7:
* fully functional firewall alias API
* PIE firewall shaper support
* firewall NAT rule logging support
* 2FA via LDAP-TOTP combination
* WPAD / PAC and parent proxy support in the web proxy
* P12 certificate export with custom passwords
* Dpinger is now the default gateway monitor
* ET Pro Telemetry edition plugin `[2] <https://docs.opnsense.org/manual/etpro_telemetry.html>`__
* extended IPv6 DUID support
* Dnsmasq DNSSEC support
* OpenVPN client export API
* Realtek NIC driver version 1.95
* HardenedBSD 11.2, LibreSSL 2.7
* Unbound 1.8, Suricata 4.1
* Phalcon 3.4, Perl 5.28
* firmware health check extended to cover all OS files, HTTPS mirror default
* updates are browser cache-safe regarding CSS and JavaScript assets
* collapsible side bar menu in the default theme
* language updates for Chinese, Czech, French, German, Japanese, Portuguese and Russian
* new plugins for API backup export, Bind, Hardware widget, Nginx, Ntopng, VnStat, Dnscrypt-proxy
Here are the full changes against version 19.1-RC2:
* ipsec: add firewall interface as soon as phase 1 is enabled
* ipsec: phase 1 selection GUI JavaScript compatibility fix
* monit: widget improvements and bug fix (contributed by Frank Brendel)
* ui: fix regression in single host or network subnet select in static pages
* plugins: os-frr 1.7 updates OSPF outbound rules (contributed by Fabian Franz)
* plugins: os-telegraf 1.7.4 fixes packet filter input
* plugins: os-theme-rebellion 1.8.2 adds image colour invert
* plugins: os-vnstat 1.1 `[3] <https://github.com/opnsense/plugins/blob/master/net/vnstat/pkg-descr>`__
* plugins: os-zabbix-agent now uses Zabbix version 4.0
* src: revert mmc_calculate_clock() as HS200/HS400 support breaks legacy support
* src: update sqlite3-3.20.0 to sqlite3-3.26.0 `[4] <https://www.freebsd.org/security/advisories/FreeBSD-EN-19:03.sqlite.asc>`__
* src: import tzdata 2018h, 2018i `[5] <https://www.freebsd.org/security/advisories/FreeBSD-EN-19:04.tzdata.asc>`__
* src: avoid unsynchronized updates to kn_status `[6] <https://www.freebsd.org/security/advisories/FreeBSD-EN-19:05.kqueue.asc>`__
* ports: ca_root_nss 3.42
* ports: dhcp6c 20190128 prevent rawops double-free (contributed by Team Rebellion)
* ports: sudo patch to fix listpw=never `[7] <https://bugzilla.sudo.ws/show_bug.cgi?id=869>`__
Migration notes and minor incompatibilities to look out for:
* Gateway health graphs may need a manual reset due to the Apinger to Dpinger migration. Apinger is no longer available.
* Intrusion detection GeoIP rules are automatically deactivated and need to be manually migrated to firewall alias GeoIP.
* Quagga plugin has been superseded by FRR plugin. A binary quagga package has been conserved for the time being.
* Please read the FRR documentation with regard to the required system tunables `[8] <https://docs.opnsense.org/manual/dynamic_routing.html>`__ .
* Bhyve VM boot may fail as a guest. Use the "-w" parameter `[9] <https://forum.opnsense.org/index.php?topic=11492.0>`__ to boot.
* Boot may fail due to Meltdown/Spectre mitigation. A workaround `[10] <https://github.com/opnsense/core/issues/3177>`__ exists.
* SNMP plugin has been superseded by Net-SNMP plugin.
The public key for the 19.1 series is:
.. code-block::

   # SHA256 (OPNsense-19.1-OpenSSL-dvd-amd64.iso.bz2) = 0a9e02954da1ddd1f0b7673394bbf81cfa74a1d5378600a87d3a9e6a26d3104d
   # SHA256 (OPNsense-19.1-OpenSSL-nano-amd64.img.bz2) = 2c4b0056ca26053c8d5e4efe196e512af618bad4fa136ba0e2528083a6263528
   # SHA256 (OPNsense-19.1-OpenSSL-serial-amd64.img.bz2) = c71274cea2b910cd4b3454b4ad29f7f70503fcb52ffa5b7f65ea96a27ac9e10d
   # SHA256 (OPNsense-19.1-OpenSSL-vga-amd64.img.bz2) = 37164481a413716d8786676d30bb709f8b967e53a47a36d10118214304d14bb9

.. code-block::

   # SHA256 (OPNsense-19.1-OpenSSL-dvd-i386.iso.bz2) = 17d0aadf671bc2d99b57f0371e4fadfca0e2e9c8d27d6545674a610fc1f59c7a
   # SHA256 (OPNsense-19.1-OpenSSL-nano-i386.img.bz2) = 0c4e7616c93f14f5988df84b9b620543cb23a89c1f91505527b6c999d2dc7889
   # SHA256 (OPNsense-19.1-OpenSSL-serial-i386.img.bz2) = 93306e5349c7448ad3fdc03d9349ebf98e4d7c677201dcbec111f917c72dca24
   # SHA256 (OPNsense-19.1-OpenSSL-vga-i386.img.bz2) = 03d21319a784f93a7940d35168a35d15005e6f4579ac5b1c7a6ff606beb062a6
--------------------------------------------------------------------------
19.1.r2 (January 23, 2019)
--------------------------------------------------------------------------
Small online update issued to fix known and subsequently patched issues.
If you use Insight and the flowd_aggregate service refuses to start, go to
System: Firmware: Packages and reinstall the "flowd" package.
These are the changes in detail:
* firmware: fix invisible error in health check
* intrusion detection: avoid spurious migration error on factory reset
* monit: fix dashboard widget display and general settings save
* plugins: os-telegraf fixes checkbox for CPU time collect (contributed by chaispaquichui)
* ports: flowd Python bindings runtime fix
Stay safe,
Your OPNsense team
--------------------------------------------------------------------------
19.1.r1 (January 21, 2019)
--------------------------------------------------------------------------
For almost four years now, OPNsense has been driving innovation through
modularising and hardening the open source firewall, with simple
and reliable firmware upgrades, multi-language support, HardenedBSD
security, fast adoption of upstream software updates as well as clear
and stable 2-Clause BSD licensing.
We thank all of you for helping test, shape and contribute to the project!
We know it would not be the same without you.
Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
can be found below as well.
* Europe: https://opnsense.c0urier.net/releases/19.1/
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.1/
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.1/
* South America: http://mirror.upb.edu.co/opnsense/releases/19.1/
* South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.1/
* Full mirror list: https://opnsense.org/download/
Here are the full changes against version 18.7.10:
* system: console port assignment can now assign OPT without LAN
* system: anti-lockout will use OPT1 if LAN is not present
* system: allow creation of combined client/server SSL certificate
* system: gateway monitoring switches to Dpinger with Apinger removed
* system: detect unassigned gateways in static address setups
* system: more advanced gateway monitoring options for Dpinger (contributed by Team Rebellion)
* system: removal of the old notification system in favour of Monit
* system: only allow syslog remote binding to assigned interfaces
* system: disable IP aliases configured with VHID on temporary disable
* system: remove AHCI MSI disable workaround used in FreeBSD 11.1
* system: default gateway switching moves back to general settings
* system: beep sound notification setting moves to misc. settings
* system: limit log line length in log widget
* interfaces: change 6RD/6to4 interface prefix from internal name to physical device
* interfaces: prohibit tracking on 6RD with /64 upstream prefix
* interfaces: remove unneeded use of potentially clashing fe80::1:1 addresses for IPv6 tracking
* interfaces: clear an apparently faulty system DUID when no manual DUID is set
* interfaces: updated custom dhclient-script used for DHCPv4
* interfaces: VIP support for GRE devices
* interfaces: simplify find_interface_ip\* functions
* interfaces: remove get_interface_subnet\* functions
* interfaces: remove unused get_possible_listen_ips function
* interfaces: link status indicator on assignments page
* interfaces: unify interface removal code
* firewall: switch GeoIP database download to HTTPS
* firewall: find IP reference tool for aliases
* firewall: improve alias page responsiveness with large number of addresses
* firewall: show system errors when reloading aliases
* firewall: NAT port forward logging option and live view support
* firewall: optionally resolve all host names in live view
* firewall: not all states could be removed in diagnostics page
* firewall: clean up unused NAT rule association code
* reporting: improve handling of empty Insight datasets
* reporting: prepare for Python 3 conversion
* firmware: switch default mirror location to HTTPS
* firmware: health check for base and kernel files including version check
* firmware: support base and kernel file size in packages overview
* firmware: /var MFS compatibility on base installation when reboot is deferred
* firmware: command line core lock feature prevents package upgrades
* firmware: internally remember plugins installed or removed in the GUI
* firmware: show last known update log on page open
* firmware: show untrusted repository error in GUI
* firmware: separate changelogs tab for clarity
* dhcp: refuse setup of instances that have no associated IP address
* dhcp: fix lease time local vs. UTC display in IPv6 leases
* installer: change communication from TCP to named pipes
* installer: fix sporadic segmentation faults in frontend code
* installer: allow config import from ZFS pools
* installer: allow password reset on ZFS pools
* installer: removed a number of unused modules
* ipsec: generate correct config for "Hybrid-RSA + XAuth" (contributed by Max Weller)
* ipsec: reworked strongswan.conf generation
* ipsec: use new interface subnet retrieval code
* monit: support declaring dependencies (contributed by Alexander Werner)
* monit: add Service/Test type relation (contributed by Frank Brendel)
* monit: add CARP status to standard services
* monit: add gateway alerts to standard services
* monit: backend rework to simplify the service
* intrusion detection: support base ruleset overlays and improve logging
* intrusion detection: GeoIP feature in user-defined rules has been removed
* intrusion detection: obey Content-Disposition header
* openvpn: client export rewrite, new export option for The Green Bow
* unbound: reworked slab calculation
* unbound: added statistics page
* unbound: only bind to interfaces or OpenVPN instances, always bind to loopback
* unbound: fix ACL subnet calculation for OpenVPN instances
* unbound: do not generate host entries for OpenVPN instances
* unbound: improve help text wording and general settings layout
* web proxy: parent proxy support (contributed by Michael Muenz)
* wizard: fix checkbox label styling
* mvc: converted reboot, halt and license page to MVC
* mvc: compared-to-field constraint (contributed by Fabian Franz)
* mvc: external clients which set Authorization header now receive raw JSON responses
* mvc: fix empty value check in grid (contributed by Smart-Soft)
* mvc: globally lock config when multiple items are deleted at once
* mvc: volt template JavaScript cleanups
* ui: updated bootstrap-select to version 1.13.3
* ui: collapsible sidebar support in default theme (contributed by Team Rebellion)
* plugins: os-acme-client 1.19 `[2] <https://github.com/opnsense/plugins/pull/1134>`__
* plugins: os-c-icap 1.7 adds template support (contributed by Michael Muenz)
* plugins: os-dmidecode 1.0 hardware information widget (contributed by Smart-Soft)
* plugins: os-dyndns 1.12 changes HE tunnel broker to newer API (contributed by Dusan Dragic)
* plugins: os-frr switches to FRR 5.0.2, please see below
* plugins: os-l2tp 1.8 interface now selects reachable server address
* plugins: os-pptp 1.8 interface now selects reachable server address
* plugins: os-openconnect 1.3.3 `[3] <https://github.com/opnsense/plugins/blob/master/security/openconnect/pkg-descr>`__
* plugins: os-quagga removed, please use os-frr instead
* plugins: os-nginx 1.6 `[4] <https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr>`__
* plugins: os-rspamd 1.4 allows setting manual spam scores and subject (contributed by Michael Muenz and Fabian Franz)
* plugins: os-snmp removed, please use os-net-snmp instead
* plugins: os-theme-cicada 1.13
* plugins: os-theme-tukan 1.12
* plugins: os-wol 2.1 fixes widget link (contributed by Fabian Franz)
* src: HardenedBSD 11.2-RELEASE-p7 `[5] <https://hardenedbsd.org/content/easy-feature-comparison>`__ `[6] <https://www.freebsd.org/releases/11.2R/relnotes.html>`__ `[7] <https://www.freebsd.org/releases/11.2R/errata.html>`__
* src: fix missing transmit visibility for BPF-based listeners in native netmap mode
* src: limit the maximum number of fragments per packet in pf
* src: replace rwlock on PF_RULES_LOCK with rmlock in pf
* src: do not discard UDP6 traffic in Hyper-V adaptors
* src: fix state sync during initial bulk update in pfsync
* src: unbreak dhclient(8) option 26 processing
* src: import APU 1-3 LED kernel module
* ports: krb5 1.17 `[8] <https://web.mit.edu/kerberos/krb5-1.17/>`__
* ports: php 7.1.26 `[9] <https://php.net/ChangeLog-7.php#7.1.26>`__
* ports: sudo 1.8.27 `[10] <https://www.sudo.ws/stable.html#1.8.27>`__
* ports: perl 5.28.1 `[11] <https://metacpan.org/changes/release/SHAY/perl-5.28.1>`__
* ports: suricata netmap forward-compatibility patch (contributed by Sunny Valley Networks)
Known issues and limitations:
* Gateway health graphs may need a manual reset due to the Apinger to Dpinger migration.
* Intrusion detection GeoIP rules are automatically deactivated and need to be manually migrated to firewall alias GeoIP.
* Monit general settings do not save. A patch exists `[12] <https://github.com/opnsense/core/commit/a2899594>`__ to remedy this problem: opnsense-patch a2899594
* Issue with IDS migration code creating a spurious crash report. Patch already done for the final 19.1.
* Quagga plugin has been superseded by FRR plugin. A binary quagga package has been conserved for the time being.
* Please read the FRR documentation with regard to the required system tunables `[13] <https://docs.opnsense.org/manual/dynamic_routing.html>`__ .
* SNMP plugin has been superseded by Net-SNMP plugin.
* ZFS guided installation pending.
The public key for the 19.1 series is:
Please let us know about your experience!
.. code-block::

   # SHA256 (OPNsense-19.1.r1-OpenSSL-dvd-amd64.iso.bz2) = 7c0c6cf529cb2f8aa9c29b3645b4ec1e218c292f722941ae9880b009c93e6364
   # SHA256 (OPNsense-19.1.r1-OpenSSL-nano-amd64.img.bz2) = b355355fc6d10475af2b1c22daa2fd5f5ab78bb375aaf8100a51f087d2447289
   # SHA256 (OPNsense-19.1.r1-OpenSSL-serial-amd64.img.bz2) = f4d40b1ece162aac97505f8ad1e16271126df11fb1a317a9f431ff4737fe5da8
   # SHA256 (OPNsense-19.1.r1-OpenSSL-vga-amd64.img.bz2) = f8c860a7e3eb9be61d33da92b021a0f337ad50e00a6ffc1cca793277f1890b63

.. code-block::

   # SHA256 (OPNsense-19.1.r1-OpenSSL-dvd-i386.iso.bz2) = c7b5ced64623416bd56e5337d5212c9af25292a48eb1bb298321e4bb79056c94
   # SHA256 (OPNsense-19.1.r1-OpenSSL-nano-i386.img.bz2) = 1313645407d810dd7a5dedf4978deaa7c14f4655dee679de572d7a9e853749c0
   # SHA256 (OPNsense-19.1.r1-OpenSSL-serial-i386.img.bz2) = f44203f5bb6e2dbfe5b524b37e9e53baab0665684cbc215bdc3015e11a79c2bd
   # SHA256 (OPNsense-19.1.r1-OpenSSL-vga-i386.img.bz2) = a6cfc14b9675563053d6e7733011c381f39e8fb2e10a8a64d60cc7de421ac2db

===========================================================================================
19.7 "Jazzy Jaguar" Series
===========================================================================================
For four and a half years now, OPNsense has been driving innovation through
modularising and hardening the open source firewall, with simple
and reliable firmware upgrades, multi-language support, HardenedBSD
security, fast adoption of upstream software updates as well as clear
and stable 2-Clause BSD licensing.
19.7, nicknamed "Jazzy Jaguar", embodies an iteration of what should be
considered enjoyable user experience for firewalls in general: improved
statistics and visibility of rules, reliable and consistent live logging
and alias utility improvements. Apart from the usual upgrades of third
party software to up-to-date releases, OPNsense now also offers built-in
remote system logging through Syslog-ng, route-based IPsec, updated
translations with Spanish as a brand new and already fully translated
language and newer Netmap code with VirtIO, VLAN child and vmxnet support.
Last but not least we would like to thank m.a.x. it for their sponsorship
of the default gateway priority switching feature and their continued work
of writing and maintaining plenty of community plugins. This time around,
Maltrail, Netdata and WireGuard VPN have been freshly added to the mix.
Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
can be found below as well.
* Europe: https://opnsense.c0urier.net/releases/19.7/
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.7/
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.7/
* South America: http://mirror.upb.edu.co/opnsense/releases/19.7/
* South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.7/
* Full mirror list: https://opnsense.org/download/
--------------------------------------------------------------------------
19.7.10 (January 27, 2020)
--------------------------------------------------------------------------
As Thursday nears, the last preparations for 20.1 are underway. As quick
relief, here is the End-Of-Life release of the 19.7 series with a tiny number
of updates.
Remember that when 20.1 is available it will take up to a day before we
release the hotfix with the major upgrade path enabled. Please be patient,
as we simply want to ensure that upgrades will not be a bumpy affair. :)
Here are the full patch notes:
* firewall: fix a typo in CARP validation
* firmware: revoke 19.1 fingerprint
* ipsec: add configurable dpdaction (contributed by Marcel Menzel)
* mvc: BaseListField ignoring empty selected field
* plugins: os-haproxy 2.20 `[1] <https://github.com/opnsense/plugins/pull/1646>`__
* plugins: os-mail-backup 1.1 `[2] <https://github.com/opnsense/plugins/pull/1671>`__
* plugins: os-nrpe 1.0 (contributed by Michael Muenz)
* plugins: os-theme-rebellion 1.8.3 (contributed by Team Rebellion)
* plugins: os-vnstat 1.2 `[3] <https://github.com/opnsense/plugins/blob/master/net/vnstat/pkg-descr>`__
* plugins: zabbix4-proxy 1.2 `[4] <https://github.com/opnsense/plugins/blob/master/net-mgmt/zabbix4-proxy/pkg-descr>`__
* ports: ca_root_nss 3.49.1
* ports: curl 7.68.0 `[5] <https://curl.haxx.se/changes.html>`__
* ports: isc-dhcp 4.4.2 `[6] <https://downloads.isc.org/isc/dhcp/4.4.2/dhcp-4.4.2-RELNOTES>`__
* ports: urllib3 1.27.7 `[7] <https://github.com/urllib3/urllib3/blob/master/CHANGES.rst#1257-2019-11-11>`__
A hotfix release was issued as 19.7.10_1:
* firmware: enable upgrade path to 20.1
--------------------------------------------------------------------------
19.7.9 (January 09, 2020)
--------------------------------------------------------------------------
As 20.1 nears we will be making adjustments to the scope of the release
with an announcement following shortly.
For now, this update brings you a GeoIP database configuration page for
aliases which is now required due to upstream database policy changes and
a number of prominent third-party software updates we are happy to see
included.
Here are the full patch notes:
* system: use 825 days as the default maximum certificate lifetime
* system: hide leaking hostname on SSH password auth (contributed by sooslaca)
* system: remove unused "lifetime" parameter from user manager page
* firewall: new GeoIP settings page to allow continued use of upstream database `[1] <https://docs.opnsense.org/manual/how-tos/maxmind_geo_ip.html>`__
* firewall: log when alias could not resolve a hostname
* firewall: translate pfInfo page tabs (contributed by Smart-Soft)
* firmware: add mirror MARWAN (Moroccan Academic & Research Wide Area Network)
* dhcp: replace killbyname() usage which should not have killed both services
* dhcp: auto-replace windows DUID dashes (contributed by Team Rebellion)
* mvc: PSR12 code style updates
* plugins: os-acme-client 1.29 `[2] <https://github.com/opnsense/plugins/pull/1638>`__
* plugins: os-bind 1.12 `[3] <https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr>`__
* plugins: os-dyndns must use dyndns_failover_interface() to translate gateway group
* plugins: os-frr 1.14 `[4] <https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr>`__
* plugins: os-maltrail 1.3 `[5] <https://github.com/opnsense/plugins/blob/master/security/maltrail/pkg-descr>`__
* plugins: os-nginx 1.17 `[6] <https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr>`__
* plugins: os-nut fixes validation and snmp-ups selection (contributed by Michael Muenz)
* plugins: os-theme-cicada 1.24 (contributed by Team Rebellion)
* plugins: os-zabbix4-proxy 1.1 `[7] <https://github.com/opnsense/plugins/blob/master/net-mgmt/zabbix4-proxy/pkg-descr>`__
* ports: openssh 8.1p1 `[8] <https://www.openssh.com/txt/release-8.1>`__
* ports: openssl 1.0.2u `[9] <https://www.openssl.org/news/openssl-1.0.2-notes.html>`__
* ports: php 7.2.26 `[10] <https://www.php.net/ChangeLog-7.php#7.2.26>`__
* ports: phpseclib 2.0.23 `[11] <https://github.com/phpseclib/phpseclib/releases/tag/2.0.23>`__
* ports: python 3.7.6 `[12] <https://www.python.org/downloads/release/python-376/>`__
* ports: strongswan 5.8.2 `[13] <https://wiki.strongswan.org/versions/75>`__
* ports: sudo 1.8.30 `[14] <https://www.sudo.ws/stable.html#1.8.30>`__
* ports: unbound 1.9.6 `[15] <https://nlnetlabs.nl/projects/unbound/download/>`__

A hotfix release was issued as 19.7.9_1:

* firewall: automatic business edition GeoIP feed

--------------------------------------------------------------------------
19.7.8 (December 18, 2019)
--------------------------------------------------------------------------

This release holds a number of updates, including security and reliability
fixes. Of note are the new elliptic curve certificate creation support and
better firmware health check and recovery methods.

We are almost at the point of a 20.1-BETA release with isolated images
for early bird testing as a special present at this time of year. Stay
tuned. :)

Here are the full patch notes:

* system: "Mark Gateway as Down" also means exclude from default gateway selection
* system: fix PHP warning on gateways list due to wrong variable scope
* system: support elliptic curve TLS certificate creation (contributed by johnaheadley)
* system: remove unused current directory PHP include
* system: fix XSS in backup page and static menu pages
* firewall: use referential integrity check for model data
* reporting: improve NetFlow error handling (contributed by Frank Brendel)
* dhcp: always add dhcp6.domain-search and dhcp6.name-servers (contributed by maurice-w)
* dhcp: fix range check for advanced router advertisement options (contributed by maurice-w)
* dhcp: improve help texts for router advertisement modes (contributed by maurice-w)
* dhcp: replace defunct IPv6 domain name option with domain search list option (contributed by maurice-w)
* dhcp: fix storing advanced IPv6 options
* firmware: add "copy to clipboard" button in update text box
* firmware: use opnsense-revert in GUI reinstall package case
* firmware: when storing installed plugin names remove their development counterparts
* firmware: improved health check scope to include direct core package dependencies
* openvpn: fix Firefox "nowrap" issue in client export page
* backend: improve error handling while configd is either not active or not functional
* mvc: route to default page when controller or action not found
* mvc: field type refactor and unit tests
* mvc: added opt-in referential integrity check for models
* mvc: countless PSR12 style updates
* mvc: add "NetMaskAllowed" option to validate on single addresses in NetworkField
* plugins: os-bind 1.11 `[1] <https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr>`__
* plugins: os-dyndns 1.18 adds Linode support (contributed by Andrew Gunnerson)
* plugins: os-freeradius 1.9.5 `[2] <https://github.com/opnsense/plugins/blob/master/net/freeradius/pkg-descr>`__
* plugins: os-frr 1.13 `[3] <https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr>`__
* plugins: os-ftp-proxy style updates only
* plugins: os-postfix 1.13 `[4] <https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr>`__
* plugins: os-rspamd 1.9 `[5] <https://github.com/opnsense/plugins/blob/master/mail/rspamd/pkg-descr>`__
* plugins: os-theme-cicada 1.23 (contributed by Team Rebellion)
* plugins: os-theme-tukan 1.22 (contributed by Team Rebellion)
* ports: ca_root_nss 3.48
* ports: krb5 1.17.1 `[6] <https://web.mit.edu/kerberos/krb5-1.17/>`__
* ports: php 7.2.25 `[7] <https://www.php.net/ChangeLog-7.php#7.2.25>`__
* ports: suricata 4.1.6 `[8] <https://suricata-ids.org/2019/12/13/suricata-4-1-6-released/>`__
* ports: unbound 1.9.5 `[9] <https://nlnetlabs.nl/projects/unbound/download/>`__

--------------------------------------------------------------------------
19.7.7 (November 21, 2019)
--------------------------------------------------------------------------

Lots of small improvements. Of note: Eve JSON payload syslog export
now works for 4 kb payload blobs, the outdated Google API PHP client
was replaced, and LibreSSL is now at version 3.0.2. Plus another Intel SA
advisory via FreeBSD.

Here are the full patch notes:

* system: generate self-signed server certificate for web GUI by default
* system: let net.local.dgram.maxdgram default to 8192 bytes
* system: spawn Dpinger process in background to avoid hangs
* system: switch backup to Google API PHP client v2
* system: add interface groups to HA sync
* interfaces: remove the "Directly send SOLICIT" option
* firewall: fix issue with label parsing when "tag" keyword was involved
* firewall: skip empty lines in rule statistics parsing
* firmware: add /etc/remote to whitelist, NTP GPS uses it
* reporting: empty NetFlow egress default passes validation
* reporting: show dialog when RRD is disabled
* dhcp: fix for domain-search option in DHCPv6 (contributed by maurice-w)
* dnsmasq: fix storing settings when no settings exist yet
* intrusion detection: lower payload-buffer-size to prevent syslog size limit
* intrusion detection: fix issue with escaped file name during rules download
* unbound: exit wrapper when process not running
* web proxy: added check on SNI field checkbox (contributed by Northguy)
* mvc: fix forceReload()
* plugins: os-acme-client 1.28 `[1] <https://github.com/opnsense/plugins/pull/1565>`__
* plugins: os-bind 1.10 `[2] <https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr>`__
* plugins: os-nginx 1.16 `[3] <https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr>`__
* plugins: os-nut 1.6 `[4] <https://github.com/opnsense/plugins/blob/master/sysutils/nut/pkg-descr>`__
* plugins: os-postfix 1.12 `[5] <https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr>`__
* src: fix machine check exception on page size change `[6] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:25.mcepsc.asc>`__
* src: bump libc syslog line size to 8k
* src: import tzdata 2019c `[7] <https://www.freebsd.org/security/advisories/FreeBSD-EN-19:18.tzdata.asc>`__
* ports: curl 7.67.0 `[8] <https://curl.haxx.se/changes.html>`__
* ports: libressl 3.0.2 `[9] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.0.2-relnotes.txt>`__
* ports: openvpn 2.4.8 `[10] <https://github.com/OpenVPN/openvpn/blob/release/2.4/Changes.rst#version-248>`__
* ports: perl 5.30.1 `[11] <https://metacpan.org/pod/release/SHAY/perl-5.30.1/pod/perldelta.pod>`__
* ports: phalcon 3.4.5 `[12] <https://github.com/phalcon/cphalcon/releases/tag/v3.4.5>`__
* ports: sqlite 3.30.1 `[13] <https://sqlite.org/releaselog/3_30_1.html>`__
* ports: squid 4.9 `[14] <https://github.com/squid-cache/squid/blob/master/ChangeLog>`__
* ports: syslog-ng 3.24.1 `[15] <https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.24.1>`__

--------------------------------------------------------------------------
19.7.6 (November 01, 2019)
--------------------------------------------------------------------------

As we are experiencing the Suricata community first hand in Amsterdam
we thought to release this version a bit earlier than planned. Included
is the latest Suricata 5.0.0 release in the development version. That
means later this November we will be releasing version 5 to the production
version as we finish up tweaking the integration and maybe pick up 5.0.1
as it becomes available.

LDAP TLS connectivity is now integrated into the system trust store,
which ensures that all required root and intermediate certificates will
be seen by the connection setup once they have been added to the authorities
section. The same is true for trusting self-signed certificates. On top
of this, IPsec now supports public key authentication as contributed by
Pascal Mathis.

Here are the full patch notes:

* system: hook LDAP TLS support into system-wide trust file
* system: fix dpinger custom parameters not being honoured
* system: fix PHP core loop fail in tunables overview
* system: only allow P12 export if password confirmation matches
* interfaces: change PCAP download to binary file stream
* firewall: store reference to outbound NAT address instead of literal address
* firewall: add log message for scheduled firewall reload
* firmware: tie pkg dependency to core
* ipsec: allow EC keys for certificate-based secrets (contributed by Martin Strigl)
* ipsec: add support for public key authentication (contributed by Pascal Mathis)
* openvpn: server wizard existing CA use and server cert check (contributed by johnaheadley)
* backend: add run mode to pluginctl using JSON-based output
* ui: fix tokenizer reorder on multiple saves, second try
* plugins: os-acme-client 1.27 `[1] <https://github.com/opnsense/plugins/pull/1536>`__
* plugins: os-bind 1.9 `[2] <https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr>`__
* plugins: os-nginx 1.15 `[3] <https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr>`__
* plugins: os-relayd 2.4 fixes protocol option migration (contributed by Frank Brendel)
* plugins: os-theme-cicada 1.22 (contributed by Team Rebellion)
* ports: ca_root_nss 3.47
* ports: php 7.2.24 `[4] <https://www.php.net/ChangeLog-7.php#7.2.24>`__
* ports: python 3.7.5 `[5] <https://www.python.org/downloads/release/python-375/>`__
* ports: sudo 1.8.29 `[6] <https://www.sudo.ws/stable.html#1.8.29>`__

--------------------------------------------------------------------------
19.7.5 (October 11, 2019)
--------------------------------------------------------------------------

Lots of plugin and ports updates this time with a few minor improvements
in all core areas.

Behind the scenes we are starting to migrate the base system to version
12.1, which is supposed to hit the next 20.1 release. Stay tuned for more
information in the next month or so.

Here are the full patch notes:

* system: show all swap partitions in system information widget
* system: flatten services_get() in preparation for removal
* system: pin Syslog-ng version to specific package name
* system: fix LDAP/StartTLS with user import page
* system: fix a PHP warning on authentication server page
* system: replace most subprocess.call use
* interfaces: fix devd handling of carp devices (contributed by stumbaumr)
* firewall: improve firewall rules inline toggles
* firewall: only allow TCP flags on TCP protocol
* firewall: simplify help text for direction setting
* firewall: make protocol log summary case insensitive
* reporting: ignore malformed flow records
* captive portal: fix type mismatch for timeout read
* dhcp: add note for static lease limitation with lease registration (contributed by Northguy)
* ipsec: add margintime and rekeyfuzz options
* ipsec: clear $dpdline correctly if not set
* ui: fix tokenizer reorder on multiple saves
* plugins: os-acme-client 1.26 `[1] <https://github.com/opnsense/plugins/pull/1499>`__
* plugins: os-bind will reload bind on record change (contributed by blablup)
* plugins: os-etpro-telemetry minor subprocess.call replacement
* plugins: os-freeradius 1.9.4 `[2] <https://github.com/opnsense/plugins/blob/master/net/freeradius/pkg-descr>`__
* plugins: os-frr 1.12 `[3] <https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr>`__
* plugins: os-haproxy 2.19 `[4] <https://github.com/opnsense/plugins/pull/1498>`__
* plugins: os-maltrail 1.2 `[5] <https://github.com/opnsense/plugins/blob/master/security/maltrail/pkg-descr>`__
* plugins: os-postfix 1.11 `[6] <https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr>`__
* plugins: os-rspamd 1.8 `[7] <https://github.com/opnsense/plugins/blob/master/mail/rspamd/pkg-descr>`__
* plugins: os-sunnyvalley LibreSSL support (contributed by Sunny Valley Networks)
* plugins: os-telegraf 1.7.6 `[8] <https://github.com/opnsense/plugins/blob/master/net-mgmt/telegraf/pkg-descr>`__
* plugins: os-theme-cicada 1.21 (contributed by Team Rebellion)
* plugins: os-theme-tukan 1.21 (contributed by Team Rebellion)
* plugins: os-tinc minor subprocess.call replacement
* plugins: os-tor 1.8 adds dormant mode disable option (contributed by Fabian Franz)
* plugins: os-virtualbox 1.0 (contributed by andrewhotlab)
* ports: expat 2.2.8 `[10] <https://github.com/libexpat/libexpat/blob/R_2_2_8/expat/Changes>`__
* ports: ca_root_nss 3.46.1
* ports: curl 7.66.0 `[9] <https://curl.haxx.se/changes.html#7_66_0>`__
* ports: openssl 1.0.2t `[11] <https://www.openssl.org/news/secadv/20190910.txt>`__
* ports: php 7.2.23 `[12] <https://www.php.net/ChangeLog-7.php#7.2.23>`__
* ports: pkg 1.12.0 `[13] <https://github.com/freebsd/freebsd-ports/commit/95ac8ad2>`__ `[14] <https://github.com/freebsd/freebsd-ports/commit/5a06e26ff>`__ `[15] <https://github.com/freebsd/freebsd-ports/commit/77d4a311e>`__
* ports: strongswan 5.8.1 `[16] <https://wiki.strongswan.org/versions/74>`__
* ports: suricata 4.1.5 `[17] <https://suricata-ids.org/2019/09/24/suricata-4-1-5-released/>`__
* ports: syslog-ng 3.23.1 `[18] <https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.23.1>`__
* ports: unbound 1.9.4 `[19] <https://nlnetlabs.nl/projects/unbound/download/>`__

A hotfix release was issued as 19.7.5_5:

* ui: revert fix for tokenizer reorder on multiple saves for now
* system: replace services_get() with plugins_services()
* system: verbose print on "pluginctl -s" actions

--------------------------------------------------------------------------
19.7.4 (September 11, 2019)
--------------------------------------------------------------------------

A wee bit of updates for you... nothing overly exciting. On the other
hand, we have updated the roadmap page to include 20.1 if you want to
take a closer look `[1] <https://opnsense.org/about/road-map/>`__. More exciting for sure. :)

Here are the full patch notes:

* system: fix legacy remote logging with custom port
* system: regenerate CA bundle when modifying trusted authorities
* system: fix translation order of tunables description
* system: fix CARP maintenance mode bootup
* firewall: missing daily refresh on GeoIP type
* firewall: fix fetch of GeoIP alias if its name is same as its country
* reporting: auto-load required kernel modules for NetFlow
* reporting: allow setting NetFlow active/inactive timeout (contributed by Frank Brendel)
* captive portal: optimise ipfw rule parsing
* firmware: Homelab.no has been superseded by TerraHost mirror (contributed by Thomas Jensen)
* unbound: support file-based custom includes
* unbound: set absolute path to root.hints (contributed by h-town)
* plugins: os-bind 1.8 `[2] <https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr>`__ (contributed by ErikJStaab)
* plugins: os-dnscrypt-proxy 1.6 `[3] <https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr>`__ (contributed by ErikJStaab)
* plugins: os-etpro-telemetry 1.4 `[4] <https://docs.opnsense.org/manual/etpro_telemetry.html>`__
* plugins: os-theme-cicada 1.20 (contributed by Team Rebellion)
* plugins: os-theme-tukan 1.20 (contributed by Team Rebellion)
* ports: ca_root_nss 3.46
* ports: ldns 1.7.1 `[5] <https://raw.githubusercontent.com/NLnetLabs/ldns/release-1.7.1/Changelog>`__
* ports: pcre2 10.33 `[6] <https://www.pcre.org/changelog.txt>`__
* ports: php 7.2.22 `[7] <https://www.php.net/ChangeLog-7.php#7.2.22>`__
* ports: phpseclib 2.0.21 `[8] <https://github.com/phpseclib/phpseclib/releases>`__
* ports: unbound 1.9.3 `[9] <https://nlnetlabs.nl/projects/unbound/download/>`__

A hotfix release was issued as 19.7.4_1:

* captive portal: fix merge conflict in optimisation

--------------------------------------------------------------------------
19.7.3 (August 28, 2019)
--------------------------------------------------------------------------

Please enjoy this release with improved CARP utility and a number of
smaller fixes and updates for the operating system and third party tools.
You can now also toggle logging directly from the rule overview to make
debugging easier.

Here is the full list of changes:

* system: try all backups for automatic revert when config.xml is damaged
* system: do a system reset if all config.xml files are damaged
* system: only show tunables reboot hint when applying tunables (contributed by Northguy)
* system: use FQDN in system log remote messages
* system: add defunct gateways to GUI in disabled state
* interfaces: only allow VLAN parents that will work as VLAN parents
* interfaces: optionally promote/demote CARP on service status
* interfaces: CARP status page report with demotion level to avoid ambiguity
* firewall: revert problematic 19.7.2 change "unhide automatic interface-based output rules"
* firewall: restore automatic outbound NAT pre-19.7 behaviour which excludes gateways not configured and not dynamic
* firewall: add logging toggle to rules overview (contributed by johnaheadley)
* firewall: DHCPv6 relay would generate rules even if not enabled
* firmware: only do single-repository fingerprint verify defaulting to our OPNsense repository
* firmware: fix base and kernel package listing
* intrusion detection: show change message after toggle or save
* intrusion detection: rule download fix
* monit: add parent devices to interface list (contributed by Frank Brendel)
* monit: fix standard configuration migration (contributed by Frank Brendel)
* reporting: skip illegal NetFlow records in flow parser
* opendns: migrate update hook from DynDNS plugin to core to make it fully automatic
* backend: fix exception message string handling in Python 3
* backend: add help to pluginctl utility
* backend: configctl event handler support
* mvc: log API key when authentication failed
* ui: more consistent HTML (contributed by gisforgirard)
* ui: sidebar bug fix (contributed by Team Rebellion)
* ui: fix initFormAdvancedUI() on initial load
* plugins: os-acme-client 1.25 `[1] <https://github.com/opnsense/plugins/pull/1452>`__
* plugins: os-bind 1.7 `[2] <https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr>`__
* plugins: os-dyndns 1.17 removes OpenDNS and fixes DyNS
* plugins: os-haproxy 2.18 `[3] <https://github.com/opnsense/plugins/pull/1453>`__
* plugins: os-maltrail 1.1 `[4] <https://github.com/opnsense/plugins/blob/master/security/maltrail/pkg-descr>`__
* plugins: os-nginx log rotation fix (contributed by Fabian Franz)
* plugins: os-postfix 1.10 `[5] <https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr>`__
* plugins: os-smart 2.1 fixes widget status and adds NVMe disk support (contributed by nhirokinet and ATL)
* plugins: os-theme-cicada 1.19 (contributed by Team Rebellion)
* plugins: os-theme-tukan 1.19 (contributed by Team Rebellion)
* plugins: os-wireguard 1.1 `[6] <https://github.com/opnsense/plugins/blob/master/net/wireguard/pkg-descr>`__
* src: fix incorrect exception handling in libunwind `[7] <https://www.freebsd.org/security/advisories/FreeBSD-EN-19:15.libunwind.asc>`__
* src: fix multiple vulnerabilities in bzip2 `[8] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:18.bzip2.asc>`__
* src: fix ICMPv6 / MLDv2 out-of-bounds memory access `[9] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:19.mldv2.asc>`__
* src: fix insufficient message length validation in bsnmp library `[10] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:20.bsnmp.asc>`__
* src: fix insufficient validation of guest-supplied data (e1000 device) `[11] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:21.bhyve.asc>`__
* src: fix IPv6 remote denial of service `[12] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:22.mbuf.asc>`__
* src: fix kernel memory disclosure from /dev/midistat `[13] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:23.midi.asc>`__
* src: fix reference count overflow in mqueuefs `[14] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:24.mqueuefs.asc>`__
* ports: hostapd 2.9 `[15] <https://w1.fi/cgit/hostap/plain/hostapd/ChangeLog>`__
* ports: nghttp2 1.39.2 `[16] <https://github.com/nghttp2/nghttp2/releases/tag/v1.39.2>`__
* ports: openldap 2.4.48 `[17] <https://www.openldap.org/software/release/changes.html>`__
* ports: perl 5.30.0 `[18] <https://metacpan.org/pod/release/XSAWYERX/perl-5.30.0/pod/perldelta.pod>`__
* ports: php 7.2.21 `[19] <https://www.php.net/ChangeLog-7.php#7.2.21>`__
* ports: py-openssl 19.0.0 `[20] <https://www.pyopenssl.org/en/stable/changelog.html>`__
* ports: syslog-ng 3.22.1 `[21] <https://github.com/balabit/syslog-ng/releases/tag/syslog-ng-3.22.1>`__
* ports: wpa_supplicant 2.9 `[22] <https://w1.fi/cgit/hostap/plain/wpa_supplicant/ChangeLog>`__

--------------------------------------------------------------------------
19.7.2 (August 05, 2019)
--------------------------------------------------------------------------

This update ships the latest FreeBSD security advisories along with several
smaller improvements and fixes. Sunny Valley Networks is the first vendor
to introduce additional software to the plugin framework in the form of the
Sensei plugin.

Here are the full patch notes:

* system: missing "<PRI>" in legacy output via Syslog-ng
* system: fix writing gateway information for DNS servers
* system: allow gateway to work in DHCPv6 WAN when no router solicitation is available
* firewall: unhide automatic interface-based output rules
* firewall: unhide automatic non-interface-based floating rules
* firewall: lift length restriction in NAT rule description
* firewall: avoid newlines in rule descriptions
* firewall: only show usable addresses in NAT outbound rules
* interfaces: fix extended CARP output when parsing interface information
* interfaces: add more outputs to overview page to increase usefulness
* interfaces: use shared DHCP lease reader for ARP list
* captive portal: fix binary read issue in Python 3
* dhcp: fix DHCPv4 relay interface selection (contributed by jayantsahtoe)
* firmware: handle file signature verify correctly with multiple fingerprint repositories
* firmware: Aivian mirror is no longer active
* firmware: Cloudfence mirror in Brazil added
* plugins: os-acme-client 1.24 `[1] <https://github.com/opnsense/plugins/pull/1399>`__
* plugins: os-bind 1.6 (contributed by crazy-max)
* plugins: os-dnscrypt-proxy 1.5 (contributed by crazy-max)
* plugins: os-grid_example 1.0 `[2] <https://docs.opnsense.org/development/examples/using_grids.html>`__
* plugins: os-helloworld Python 3 compatibility `[3] <https://docs.opnsense.org/development/examples/helloworld.html>`__
* plugins: os-nut 1.5 adds Riello driver (contributed by Michael Muenz)
* plugins: os-sunnyvalley 1.0 `[4] <https://docs.opnsense.org/third_party_plugins.html>`__ `[5] <https://www.sunnyvalley.io/sensei>`__
* src: fix panic from Intel CPU vulnerability mitigation `[6] <https://www.freebsd.org/security/advisories/FreeBSD-EN-19:13.mds.asc>`__
* src: fix multiple telnet client vulnerabilities `[7] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:12.telnet.asc>`__
* src: fix pts write-after-free `[8] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:13.pts.asc>`__
* src: fix kernel memory disclosure in freebsd32_ioctl `[9] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:14.freebsd32.asc>`__
* src: fix reference count overflow in mqueuefs `[10] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:15.mqueuefs.asc>`__
* src: fix bhyve out-of-bounds read in XHCI device `[11] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:16.bhyve.asc>`__
* src: fix file descriptor reference count leak `[12] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:17.fd.asc>`__
* ports: libevent 2.1.11 `[13] <https://raw.githubusercontent.com/libevent/libevent/release-2.1.11-stable/ChangeLog>`__

--------------------------------------------------------------------------
19.7.1 (July 25, 2019)
--------------------------------------------------------------------------

We do not wish to keep you from enjoying your summer time, but this
is a recommended security update enriched with reliability fixes for the
new 19.7 series. Of special note are performance improvements as well
as a fix for a longstanding NAT before IPsec limitation.

Here are the full patch notes:

* system: do not create automatic copies of existing gateways
* system: do not translate empty tunables descriptions
* system: remove unwanted form action tags
* system: do not include Syslog-ng in rc.freebsd handler
* system: fix manual system log stop/start/restart
* system: scoped IPv6 "%" could confuse mwexecf(), use plain mwexec() instead
* system: allow curl-based downloads to use both trusted and local authorities
* system: fix group privilege print and correctly redirect after edit
* system: use cached address list in referrer check
* system: fix Syslog-ng search stats
* firewall: HTML-escape dynamic entries to display aliases
* firewall: display correct IP version in automatic rules
* firewall: fix a warning while reading empty outbound rules configuration
* firewall: skip illegal log lines in live log
* interfaces: performance improvements for configurations with hundreds of interfaces
* reporting: performance improvements for Python 3 NetFlow aggregator rewrite
* dhcp: move advanced router advertisement options to correct config section
* ipsec: replace global array access with function to ensure side-effect free boot
* ipsec: change DPD action on start to "dpdaction = restart"
* ipsec: remove already default "dpdaction = none" if not set
* ipsec: use interface IP address in local ID when doing NAT before IPsec
* web proxy: fix database reset for Squid 4 by replacing use of ssl_crtd with security_file_certgen
* plugins: os-acme-client 1.24 `[1] <https://github.com/opnsense/plugins/pull/1399>`__
* plugins: os-bind 1.6 `[2] <https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr>`__
* plugins: os-dnscrypt-proxy 1.5 `[3] <https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr>`__
* plugins: os-frr now restricts characters BGP prefix-list and route-maps `[4] <https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr>`__
* plugins: os-google-cloud-sdk 1.0 `[5] <https://github.com/opnsense/plugins/pull/1392>`__
* ports: curl 7.65.3 `[6] <https://curl.haxx.se/changes.html>`__
* ports: monit 5.26.0 `[7] <https://mmonit.com/monit/changes/>`__
* ports: openssh 8.0p1 `[8] <https://www.openssh.com/txt/release-8.0>`__
* ports: php 7.2.20 `[9] <https://www.php.net/ChangeLog-7.php#7.2.20>`__
* ports: python 3.7.4 `[10] <https://www.python.org/downloads/release/python-374/>`__
* ports: sqlite 3.29.0 `[11] <https://sqlite.org/releaselog/3_29_0.html>`__
* ports: squid 4.8 `[12] <http://lists.squid-cache.org/pipermail/squid-announce/2019-July/000100.html>`__

--------------------------------------------------------------------------
19.7 (July 17, 2019)
--------------------------------------------------------------------------

For four and a half years now, OPNsense has been driving innovation through
modularising and hardening the open source firewall, with simple
and reliable firmware upgrades, multi-language support, HardenedBSD
security, fast adoption of upstream software updates as well as clear
and stable 2-Clause BSD licensing.

19.7, nicknamed "Jazzy Jaguar", embodies an iteration of what should be
considered enjoyable user experience for firewalls in general: improved
statistics and visibility of rules, reliable and consistent live logging
and alias utility improvements. Apart from the usual upgrades of third
party software to up-to-date releases, OPNsense now also offers built-in
remote system logging through Syslog-ng, route-based IPsec, updated
translations with Spanish as a brand new and already fully translated
language and newer Netmap code with VirtIO, VLAN child and vmxnet support.

Last but not least we would like to thank m.a.x. it for their sponsorship
of the default gateway priority switching feature and their continued work
of writing and maintaining plenty of community plugins. This time around,
Maltrail, Netdata and WireGuard VPN have been freshly added to the mix.

Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
can be found below as well.

* Europe: https://opnsense.c0urier.net/releases/19.7/
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.7/
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.7/
* South America: http://mirror.upb.edu.co/opnsense/releases/19.7/
* South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.7/
* Full mirror list: https://opnsense.org/download/

These are the most prominent changes since version 19.1:

* List automatic firewall rules
* Statistics for all firewall rules
* Alias JSON import / export
* Optional statistics for aliases
* Firewall rule locator for live log and automatic rules
* Rewritten gateway handling and switching
* Remote logging via Syslog-ng
* LDAP group sync support
* Support certificate signing requests
* Route-based IPsec support (VTI)
* XMLRPC sync support for alias, VHID, widgets
* Unbound host overrides alias support
* Web proxy and IPsec authentication using PAM
* Parent web proxy support
* Web proxy login privilege via group
* Improved reliability and utility of opnsense-patch
* Dpinger and DHCP servers ported to plugin framework
* Language updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese
* Spanish as a new language
* Netdata, WireGuard, Maltrail and Mail-Backup (PGP) plugin
* Netmap update for VirtIO, VLAN child and vmxnet support
* Bootstrap 3.4, LibreSSL 2.9, Unbound 1.9, PHP 7.2, Python 3.7, Squid 4

And here are the full changes against version 19.7-RC1:

* system: lower automatic gateway priority for tunnel interfaces
* system: only show enabled interfaces on gateway edit
* system: speed up console banner interface print
* interfaces: typo in default WAN selection for packet capture
* interfaces: support multiple interfaces for packet capture
* interfaces: fix ambiguity in get_parent_interface()
* firewall: restart filterlog with every filter reload
* firmware: add update syshook
* ipsec: phase2 IP type selector using the wrong class
* reporting: fix Insight bug not processing top port and address statistics
* ui: window_highlight_table_option() fix for Safari
* wizard: improve logo contrast in welcome message
* plugins: os-frr redistribute configuration fix (contributed by Cedric Vanet)
* plugins: os-intrusion-detection-content-et-pro 1.0.1 now uses suricata-4.0 rulesets
* plugins: os-haproxy 2.17 `[2] <https://github.com/opnsense/plugins/pull/1347>`__ `[3] <https://github.com/opnsense/plugins/pull/1408>`__
* plugins: os-mail-backup 1.0 (contributed by Joao Vilaca)
* plugins: os-maltrail 1.0 (contributed by Michael Muenz)
* plugins: os-smart 2.0 MVC conversion (contributed by Smart-Soft)
* plugins: os-tinc chroot setup with resolv.conf
* plugins: os-wireguard 1.0 (contributed by Michael Muenz)
* plugins: os-wol 2.2 fixes byte conversion
* src: bump netmap ring size, still too small in FreeBSD
* src: add FCC6_FCCA regulatory domain to ath_hal(4)
* src: restore IPV6_NEXTHOP option support
* src: fix privilege escalation in cd(4) driver `[4] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:11.cd_ioctl.asc>`__
* src: fix kernel stack disclosure in UFS/FFS `[5] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:10.ufs.asc>`__
* src: fix iconv buffer overflow `[6] <https://www.freebsd.org/security/advisories/FreeBSD-SA-19:09.iconv.asc>`__
* src: import tzdata 2019b
* ports: ca_root_nss 3.45
* ports: filterlog 0.3 will not print to console and lowercase IPv6 protocol output
* ports: postfix update is now non-interactive to prevent stalls
* ports: rrdtool 1.7.2 `[7] <https://github.com/oetiker/rrdtool-1.x/releases/tag/v1.7.2>`__
Known issues and limitations:
* Web proxy squid update from version 3 to 4 breaks the cache database. To repair go to "Services: Web Proxy: Administration" tab "Support" and click "Reset".
* Web proxy login privilege is no longer available. Access may be restricted by a group selector instead.
* Nano images require a reinstall using the latest image to avoid inode shortage which makes the system appear to run out of space during recent 19.1.x updates.
* OpenVPN no longer supports listening on gateway groups. Use localhost paired with port forwards instead.
The public key for the 19.7 series is:
.. code-block::
# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAv2syLqN/IMuADI42aTXx
# HRbX3YljURN1dhhjYoqOc/7uZKVc7UJk79q49x8VZmC0edhHiNKfrhj5g3htsPgu
# N/eFsc1MZv+J2rfSF7L5NV3D5dU9nuBc75wb9SRIXm7XiiiuInMNRBlJsiFeiuJm
# oaE/zqgr75m+cc7sdNQnQQk9+APr4LdksX0bllRmxfhLjDKgiSVe+Yq9kje/JHyf
# je5i3MI9WT80o46IZc/oN4q9RG7n6gaIFBVckCwCKsnNZlDCvb1Sr0tdKs58fswj
# fxMvouMBf+Jk/0dOEZnoIFYb436H2CUfabiPX3Vm4r3MU4dr5m41WlCH/984cBKy
# QSM8h4nSAs/naj5c5YDe4qmwUBxwPIvJPVC/vuWLusyg1gYbloj3EIc1uv2YCkKw
# 0ra7Hocln3+7Jf2Yn/yn6yaCNdoJY2Blvo84giuklDqdBIKggDHSxGrLKDBshSR3
# hapkFRoR7BhnoT14E8DMgD23g9tcwce1AJJ6mZ/DraBx5l11P1ZXLqnyCpvOt5oV
# HmMZ9/Xu0naPUC8IxVSNew8j3liPbc5oKV0kQ/TRQTevOBLJ8QA7Y5YdPu0cS4qw
# Jq3fGnsRt/0+i1Vs7q51KJLNECHyhWm6zYAfST22ohTUgo2ByoM8r0aRslmiG6JS
# +ancHD4lnnHRd+4ybevUft0CAwEAAQ==
# -----END PUBLIC KEY-----
.. code-block::
# SHA256 (OPNsense-19.7-OpenSSL-dvd-amd64.iso.bz2) = e022217d367abaf4fd1360f83e4664d28b3f37932dfe720974b9d7dc33bf50f7
# SHA256 (OPNsense-19.7-OpenSSL-nano-amd64.img.bz2) = 6fffefa0b09daea397e83f67bf730392125b720043c455597c05d3d80c2baa29
# SHA256 (OPNsense-19.7-OpenSSL-serial-amd64.img.bz2) = 98854d5a0a03850273aa2ebdd7e7b095dfec6a1e6b57341817bb5f5ffab2ca7b
# SHA256 (OPNsense-19.7-OpenSSL-vga-amd64.img.bz2) = 523e924586e431ccd421bb85ba1245ce4c8f3a6141b59623f5083d3e36bac592
.. code-block::
# SHA256 (OPNsense-19.7-OpenSSL-dvd-i386.iso.bz2) = 64c4e58966ab373a0aa6a544b020a39c5b86ecb79cb2988ac1f74b382c7d4765
# SHA256 (OPNsense-19.7-OpenSSL-nano-i386.img.bz2) = 3fa6af965f5996a718982617b5a13199747d237a669867b1ffecc951c3ebe455
# SHA256 (OPNsense-19.7-OpenSSL-serial-i386.img.bz2) = f0c76142f83b4988defa3fddc7a4cf2d930cbb0aee623d7b064462e25e146297
# SHA256 (OPNsense-19.7-OpenSSL-vga-i386.img.bz2) = b425882604886a395730abeaa6a26b8805647609712f61c342cee29f58160006
--------------------------------------------------------------------------
19.7.r1 (July 09, 2019)
--------------------------------------------------------------------------
For four and a half years now, OPNsense is driving innovation through
modularising and hardening the open source firewall, with simple
and reliable firmware upgrades, multi-language support, HardenedBSD
security, fast adoption of upstream software updates as well as clear
and stable 2-Clause BSD licensing.
We thank all of you for helping test, shape and contribute to the project!
We know it would not be the same without you.
Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
can be found below as well.
* Europe: https://opnsense.c0urier.net/releases/19.7/
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.7/
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.7/
* South America: http://mirror.upb.edu.co/opnsense/releases/19.7/
* South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.7/
* Full mirror list: https://opnsense.org/download/
Here are the full changes against version 19.1.10:
* system: new remote syslog setup via Syslog-ng
* system: gateway handling rewrite
* system: default gateway switching priority control (sponsored by m.a.x. it `[2] <https://www.max-it.de/>`__ )
* system: dpinger ported to plugin framework
* system: bring back PHP warning log level
* system: use authentication factory for user import
* interfaces: VLAN, bridge, LAGG, GRE, GIF setup refactor
* interfaces: improve load sequence to allow DHCPv6 on bridges
* interfaces: GIF, GRE, IPsec and OpenVPN will no longer accept IP configuration
* interfaces: speed up get_real_interface() by assuming interfaces exist
* interfaces: sort interface groups and require rules apply if necessary (contributed by Robin Schneider)
* interfaces: background PPPoE connect and disconnect
* interfaces: only IP-address allowed in PPP gateway (contributed by Smart-Soft)
* interfaces: simplified linking VIPs to interfaces
* interfaces: removed interface_has_gateway()
* interfaces: removed interface_has_gatewayv6()
* interfaces: removed get_failover_interface()
* interfaces: removed rc.kill_states
* firewall: ability to view automatic rules
* firewall: rule origin locator in live log and automatic rules listing
* firewall: show statistics for all active rules including automatic ones
* firewall: optional statistics for alias tables
* firewall: fix translation of shaper mask "none" value
* firewall: add ipv6-icmp type selection
* firewall: rule listing layout update
* reporting: new NetFlow reader in Python 3
* reporting: validate that NetFlow WAN interfaces are also added to listening interfaces
* dhcp: ported to plugin framework
* dhcp: added failover split to DHCPv4 (contributed by Wolfgang Pedot)
* dhcp: fix ddnsdomainprimary setting validation
* dhcp: added advanced options for router advertisements
* dhcp: removed remove rasend/ranosend checkbox
* dhcp: simplify DHCPv4 interface lookup on lease page
* dhcp: use AdvDefaultLifetime 0 when default route shall not be advertised
* firmware: support reading package repository and origin
* firmware: warn on third party package installation
* firmware: synchronise update checks to avoid "not responding" errors
* firmware: fix empty update list on release type change
* images: nano image now supports future-proof number of inodes
* installer: support password reset in opnsense-importer
* intrusion detection: allow rule action bulk changes
* intrusion detection: minor usability improvements
* intrusion detection: support eve system log output
* openvpn: removed gateway group listening support
* openvpn: no longer restart servers on CARP events
* openvpn: reduced complexity in service handling
* web proxy: replace proxy login privilege "user-proxy-auth" with group selector
* backend: ported remaining scripts to Python 3
* backend: add helpers.glob() to enable template traversal
* backend: new "monitor" hook for rc.syshook
* mvc: do not add "none" in AuthGroupField if multiple select
* mvc: allow sorting JsonKeyValueStoreField by value
* ui: remember previous selected columns and row count on several MVC pages
* ui: apply alert reminders for several MVC pages
* ui: add failed callback to saveFormToEndpoint()
* ui: core theme color update
* ui: fix file size suffix (contributed by Fabian Franz)
* ui: add useRequestHandlerOnGet option
* ui: bootstrap 3.4.1 `[3] <https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/>`__
* src: netmap VirtIO, VLAN child and vmxnet support
* src: fix races in tun(4)/tap(4) drivers
* ports: squid 4.7 `[4] <http://squid.mirror.colo-serv.net/archive/4/squid-4.0.7-RELEASENOTES.html>`__
* ports: syslog-ng 3.21.1 `[5] <https://github.com/balabit/syslog-ng/releases/tag/syslog-ng-3.21.1>`__
Known issues and limitations:
* Filterlog spamming console due to new Syslog-ng integration. Temporary workaround is stopping filterlog via "pkill filterlog".
* OpenVPN no longer supports listening on gateway groups. Use localhost paired with port forwards instead.
* The web proxy login privilege is no longer available. Access may be restricted by a group selector instead.
* Web proxy squid update from version 3 to 4 breaks the cache database. To repair go to "Services: Web Proxy: Administration" tab "Support" and click "Reset".
* Nano images require a reinstall using the latest image to avoid inode shortage which makes the system appear to run out of space during recent 19.1.x updates.
The public key for the 19.7 series is:
.. code-block::
# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAv2syLqN/IMuADI42aTXx
# HRbX3YljURN1dhhjYoqOc/7uZKVc7UJk79q49x8VZmC0edhHiNKfrhj5g3htsPgu
# N/eFsc1MZv+J2rfSF7L5NV3D5dU9nuBc75wb9SRIXm7XiiiuInMNRBlJsiFeiuJm
# oaE/zqgr75m+cc7sdNQnQQk9+APr4LdksX0bllRmxfhLjDKgiSVe+Yq9kje/JHyf
# je5i3MI9WT80o46IZc/oN4q9RG7n6gaIFBVckCwCKsnNZlDCvb1Sr0tdKs58fswj
# fxMvouMBf+Jk/0dOEZnoIFYb436H2CUfabiPX3Vm4r3MU4dr5m41WlCH/984cBKy
# QSM8h4nSAs/naj5c5YDe4qmwUBxwPIvJPVC/vuWLusyg1gYbloj3EIc1uv2YCkKw
# 0ra7Hocln3+7Jf2Yn/yn6yaCNdoJY2Blvo84giuklDqdBIKggDHSxGrLKDBshSR3
# hapkFRoR7BhnoT14E8DMgD23g9tcwce1AJJ6mZ/DraBx5l11P1ZXLqnyCpvOt5oV
# HmMZ9/Xu0naPUC8IxVSNew8j3liPbc5oKV0kQ/TRQTevOBLJ8QA7Y5YdPu0cS4qw
# Jq3fGnsRt/0+i1Vs7q51KJLNECHyhWm6zYAfST22ohTUgo2ByoM8r0aRslmiG6JS
# +ancHD4lnnHRd+4ybevUft0CAwEAAQ==
# -----END PUBLIC KEY-----
Please let us know about your experience!
.. code-block::
# SHA256 (OPNsense-19.7.r1-OpenSSL-dvd-amd64.iso.bz2) = 5014dba896a425d15fbedcb44f2deec7fb5aee6a1b7c95833b819f8d352de6a1
# SHA256 (OPNsense-19.7.r1-OpenSSL-nano-amd64.img.bz2) = b9d6ccbfdcb88f813a6494efb13647d1715500551c7dc51f632766b19189c6bc
# SHA256 (OPNsense-19.7.r1-OpenSSL-serial-amd64.img.bz2) = 86050bffa626247cfe0374d28994a52f9e10490b20a81539f5d2784676280c17
# SHA256 (OPNsense-19.7.r1-OpenSSL-vga-amd64.img.bz2) = 3a7ae31f6429e519060a717b6248d13620a1e5caba43f44afaf4a7dd4e6634e6
.. code-block::
# SHA256 (OPNsense-19.7.r1-OpenSSL-dvd-i386.iso.bz2) = 4c0e54982d92279e7273c74cac183290e89219f75b4c1f55a42bad0331bdf321
# SHA256 (OPNsense-19.7.r1-OpenSSL-nano-i386.img.bz2) = 5db5dfc0bfb15a593dae689b58e65d556e935c326741729ad37507a952a51426
# SHA256 (OPNsense-19.7.r1-OpenSSL-serial-i386.img.bz2) = a20422c81c62c79264aec2cf83cb8734e2e0c954881200e6bc46d372f2432cf9
# SHA256 (OPNsense-19.7.r1-OpenSSL-vga-i386.img.bz2) = f6ba92f987c024697e6599b72d905ac9a4fdcfe61c71e3f060dccf1efccd6d82
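Review bot: the reference on the "ports: squid 4.7" entry points at `squid-4.0.7-RELEASENOTES.html`, which are the 4.0.7 notes, not the 4.7 ones; either link the 4.7 release notes or drop the `[4]` reference so the version and link agree. Two smaller style points in the same hunk: "plugins os-smart 2.0 MVC conversion" is missing the colon after "plugins" that every other entry uses, and "dhcp: removed remove rasend/ranosend checkbox" carries a doubled word. Finally, the lines under each `.. code-block::` (the public key and the SHA256 lists) show no indentation here; Sphinx only treats indented lines as the directive body, so as shown the key and checksums would render as ordinary paragraphs instead of literal blocks. If the indentation was lost on the way in, a quick `make html` check of this file should confirm it either way.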

@ -0,0 +1,628 @@
===========================================================================================
20.1 "Keen Kingfisher" Series
===========================================================================================
For over 5 years now, OPNsense is driving innovation through modularising
and hardening the open source firewall, with simple and reliable firmware
upgrades, multi-language support, HardenedBSD security, fast adoption of
upstream software updates as well as clear and stable 2-Clause BSD licensing.
20.1, nicknamed "Keen Kingfisher", is a subtle improvement on sustainable
firewall experience. This release adds VXLAN and additional loopback device
support, IPsec public key authentication and elliptic curve TLS certificate
creation amongst others. Third party software has been updated to their
latest versions. The logging frontend was rewritten for MVC with seamless
API support. On the far side the documentation increased in quality as well
as quantity and now presents itself in a familiar menu layout.
Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
can be found below as well.
* Europe: https://opnsense.c0urier.net/releases/20.1/
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.1/
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.1/
* South America: http://mirror.upb.edu.co/opnsense/releases/20.1/
* South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/20.1/
* Full mirror list: https://opnsense.org/download/
--------------------------------------------------------------------------
20.1.9 (July 23, 2020)
--------------------------------------------------------------------------
20.7-RC1 is already available and the final release of 20.7 is scheduled
for July 30. A hotfix release for 20.1.9 will enable the upgrade path
some hours after the initial 20.7 announcement is out, but please note
that updated 32-bit builds (also known as i386) will no longer be available
from this day forward.
Here are the full patch notes:
* system: Windows-friendly Nextcloud configuration backup file timestamp (contributed by @Alphakilo)
* firewall: validate if NAT destination contains a port
* firewall: prevent config_read_array() from adding an empty lo0
* network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by @mikahe)
* network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by @mikahe)
* mvc: LegacyLinkField not allowed to return null in __toString()
* plugins: os-collectd 1.3 `[1] <https://github.com/opnsense/plugins/blob/master/net-mgmt/collectd/pkg-descr>`__
* plugins: os-dyndns 1.22 `[2] <https://github.com/opnsense/plugins/pull/1654>`__
* plugins: os-telegraf 1.8.1 `[3] <https://github.com/opnsense/plugins/blob/master/net-mgmt/telegraf/pkg-descr>`__
* plugins: os-theme-rebellion 1.8.6 (contributed by Team Rebellion)
* plugins: os-tinc fixes switch mode `[4] <https://github.com/opnsense/plugins/pull/1733>`__
* plugins: os-wireguard 1.2 `[5] <https://github.com/opnsense/plugins/pull/1865>`__
* ports: ca_root_nss 3.54
* ports: curl 7.71.1 `[6] <https://curl.haxx.se/changes.html>`__
* ports: dnsmasq 2.82 `[7] <https://www.thekelleys.org.uk/dnsmasq/CHANGELOG>`__
* ports: monit 5.27.0 `[8] <https://mmonit.com/monit/changes/>`__
* ports: php 7.3.20 `[9] <https://www.php.net/ChangeLog-7.php#7.3.20>`__
* ports: python 3.7.8 `[10] <https://www.python.org/downloads/release/python-378/>`__
* ports: sqlite 3.32.3 `[11] <https://www.sqlite.org/changes.html>`__
* ports: syslog-ng 3.27.1 `[12] <https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.27.1>`__
A hotfix release was issued as 20.1.9_1:
* firmware: enable upgrade path to 20.7 (amd64 only)
--------------------------------------------------------------------------
20.1.8 (July 02, 2020)
--------------------------------------------------------------------------
Sorry about the delay while we chased a race condition in the updates back
to an issue with the latest FreeBSD package manager updates. For now we
reverted to our current version but all relevant third party packages have
been updated as updates became available over the last weeks, e.g. cURL and
Python, and hostapd / wpa_supplicant amongst others.
Here are the full patch notes:
* system: simpler get_interface_ip() usage in IPv4 renewal
* system: allow HA sync of network time settings
* system: download all filtered items in log export
* system: add support for upstream LDAP accounts in Nextcloud backup (contributed by Fabian Franz)
* interfaces: fix stateless DHCPv6 for track6 interfaces (contributed by Maurice Walker)
* firewall: fix missing address filter error by moving NAT targets to runtime resolve
* firewall: prevent gateway protocol mismatch from breaking the ruleset
* firewall: work around categories typeahead issue with recent jQuery libraries
* firewall: improve alias help text (contributed by Team Rebellion)
* firewall: switch from single log filter to one per attribute
* intrusion detection: when enabling rules prefixed with "# " consume the extra space (contributed by Tra5is)
* intrusion detection: less sensitive rule parsing
* intrusion detection: compress stats.log backups
* ipsec: valid IPSec Phase 2 hash config warning raises GUI alert (contributed by Brett Merrick)
* unbound: add DNS64 support (contributed by Maurice Walker)
* web proxy: fix wrong button label for Download ACLs (contributed by 90er)
* mvc: add sort_flags optional parameter support (contributed by NOYB)
* rc: add full PATH to rc.syshook invoke
* plugins: os-acme-client `[1] <https://github.com/opnsense/plugins/pull/1851>`__ `[2] <https://github.com/opnsense/plugins/pull/1880>`__
* plugins: os-dnscrypt-proxy 1.8 `[3] <https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr>`__
* plugins: os-dyndns 1.21 improves Cloudflare support (contributed by Andreas Rupper)
* plugins: os-freeradius 1.9.7 `[4] <https://github.com/opnsense/plugins/pull/1726>`__
* plugins: os-haproxy 2.23 `[5] <https://github.com/opnsense/plugins/pull/1883>`__
* plugins: os-intrusion-detection-content-snort-vrt 1.1
* plugins: os-stunnel 1.0 `[6] <https://docs.opnsense.org/manual/how-tos/stunnel.html>`__ (sponsored by Incenter Technology)
* plugins: os-tayga 1.1 `[7] <https://github.com/opnsense/plugins/pull/1826>`__
* plugins: os-theme-rebellion 1.8.4 `[8] <https://github.com/opnsense/plugins/pull/1892>`__
* ports: ca_root_nss 3.53
* ports: curl 7.71.0 `[9] <https://curl.haxx.se/changes.html>`__
* ports: hostapd / wpa_supplicant UPnP SUBSCRIBE advisory `[10] <https://w1.fi/security/2020-1/upnp-subscribe-misbehavior-wps-ap.txt>`__
* ports: krb5 1.18.2 `[11] <https://web.mit.edu/kerberos/krb5-1.18/>`__
* ports: ntp 4.2.8p15 `[12] <http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities>`__
* ports: pcre 8.44 `[13] <https://www.pcre.org/original/changelog.txt>`__
* ports: perl 5.30.3 `[14] <https://perldoc.perl.org/5.30.3/perldelta.html>`__
* ports: php 7.3.19 `[15] <https://www.php.net/ChangeLog-7.php#7.3.19>`__
* ports: python CVE-2019-18348 and CVE-2020-8492
* ports: sqlite 3.32.2 `[16] <https://www.sqlite.org/changes.html>`__
* ports: sudo 1.9.1 `[17] <https://www.sudo.ws/stable.html#1.9.1>`__
* ports: unbound 1.10.1 `[18] <https://nlnetlabs.nl/projects/unbound/download/#unbound-1-10-1>`__
A hotfix release was issued as 20.1.8_1:
* ipsec: fix status page display after third party library update
* plugins: os-dyndns fix for TTL validation (contributed by Andreas Rupper)
--------------------------------------------------------------------------
20.1.7 (May 20, 2020)
--------------------------------------------------------------------------
Today we move to PHP 7.3 in order to be able to complete testing for the
20.7-BETA online upgrades. Also included is a patch for the packet filter
kernel code which could crash with shared forwarding when interfaces
disappeared due to use after free in the default network stack path.
Here are the full patch notes:
* system: default net.inet.icmp.reply_from_interface to 1
* system: fix static gateway wizard handing
* firewall: allow outbound NAT source and destination port ranges
* interfaces: use interfaces_primary_address6() inside get_interface_ipv6()
* dhcp: add AdvLinkMTU to router advertisements settings (contributed by Ilteris Eroglu)
* unbound: prevent wildcard domains for the local system domain
* backend: suppress inconsequential IDNA warnings for aliases
* backend: add option to return a key value list for TLS ciphers
* mvc: reference constraint pointing validation results to the wrong field
* plugins: os-acme-client 1.32 adds Acmeproxy DNS support (contributed by Maarten den Braber)
* src: added Novatel Wireless MiFi 8800/8000 support (contributed by rootless4real)
* src: fix pf shared forwarding on non-existing interfaces
* src: patch in tty 3wire autologin support
* src: fix insufficient packet length validation in libalias `[1] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:12.libalias.asc>`__
* src: fix memory disclosure vulnerability in libalias `[2] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:13.libalias.asc>`__
* src: fix improper checking in SCTP-AUTH shared key update `[3] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:14.sctp.asc>`__
* src: fix use after free in cryptodev module `[4] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:15.cryptodev.asc>`__
* src: update to tzdata 2020a `[5] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:08.tzdata.asc>`__
* ports: ca_root_nss 3.52
* ports: curl 7.70.0 `[6] <https://curl.haxx.se/changes.html>`__
* ports: dhcp6c v20200512
* ports: hyperscan 5.2.1 `[7] <https://github.com/intel/hyperscan/releases/tag/v5.2.1>`__
* ports: openldap 2.4.50 `[8] <https://www.openldap.org/software/release/changes.html>`__
* ports: pcre2 10.35 `[9] <https://www.pcre.org/changelog.txt>`__
* ports: php 7.3.18 `[10] <https://www.php.net/ChangeLog-7.php#7.3.18>`__
--------------------------------------------------------------------------
20.1.6 (April 30, 2020)
--------------------------------------------------------------------------
Quick update as planned. Here are the full patch notes:
* system: add data length option to gateway monitor settings
* firewall: avoid greedy matching with live log parsing regression from 20.1.5
* firmware: detect runtime defaults when using "make upgrade" with core.git
* firmware: clean up packaging code and support ".link" file extension
* firmware: use CORE_FLAVOUR instead of FLAVOUR when using opnsense-bootstrap
* firmware: enable to optionally reach master branch when using opnsense-boostrap
* firmware: allow overriding CORE_ABI when using opnsense-bootstrap
* firmware: copy make.conf instead of linking when using opnsense-code
* firmware: always fetch tools.git when using opnsense-code
* rc: use "onifexists" for VGA TTY instead of "on"
* rc: missing ntpd user on 20.7 / 12.1
* plugins: os-unbound-plus DoT validation fix (contributed by Michael Muenz)
* src: fix ipfw invalid mbuf handling `[1] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:10.ipfw.asc>`__
* ports: libyaml 0.2.4 `[2] <https://raw.githubusercontent.com/yaml/libyaml/master/Changes>`__
* ports: openssl 1.1.1g `[3] <https://www.openssl.org/news/openssl-1.1.1-notes.html>`__
* ports: py-yaml 5.3.1 `[4] <https://raw.githubusercontent.com/yaml/pyyaml/master/CHANGES>`__
* ports: radvd 2.18 `[5] <http://www.litech.org/radvd/CHANGES.txt>`__
* ports: sqlite 3.31.1 `[6] <https://www.sqlite.org/changes.html>`__
* ports: squid 4.11 `[7] <http://ftp.meisei-u.ac.jp/mirror/squid/squid-4.11-RELEASENOTES.html>`__
* ports: suricata 4.1.8 `[8] <https://suricata-ids.org/2020/04/28/suricata-4-1-8-released/>`__
--------------------------------------------------------------------------
20.1.5 (April 23, 2020)
--------------------------------------------------------------------------
Today ships the first release version of the supplemental firewall rule
API via plugin, a new firewall shaper statistics GUI and API and the usual
number of improvements and third party updates.
Note that this version does not ship OpenSSL 1.1.1g as at this point our
release decision would have been to push 20.1.5 to next week or do a
smaller 20.1.6 next week on top.
Here are the full patch notes:
* system: support configuration for SSH HostKeyAlgorithms, KexAlgorithms, Ciphers and MACs
* system: simplify validations in gateway monitor settings
* interfaces: mark VXLAN and loopback devices as configurable
* interfaces: validation typo caused failure to communicate unassignable targets
* interfaces: netstat tree view GUI and API
* interfaces: use libxo to extract ARP data
* firewall: checkbox selection ignores visibility setting
* firewall: add network group type to combine aliases cleanly
* firewall: IPv6 essential icmpv6 allow for ::
* firewall: new shaper statistics GUI and API
* firewall: support filter log messages with PID
* reporting: when flow times are not returned stick to receive timestamp
* openvpn: use multihome when selecting "any" interface with UDP
* unbound: create shared startup script for background task
* mvc: also store "" field value as initial state to prevent empty fields as being marked as changed
* mvc: firewall source NAT ranges support in plugins
* mvc: keep options in static set for PortField
* mvc: support interface targets without addresses
* mvc. add "migration_prefix" attribute to model
* mvc: catch ArgumentCountError
* mvc: skip empty gateway artefact
* plugins: os-acme-client 1.31 `[1] <https://github.com/opnsense/plugins/pull/1784>`__
* plugins: os-firewall 1.0 API supplemental package
* plugins: os-haproxy 2.22 `[2] <https://github.com/opnsense/plugins/pull/1783>`__
* plugins: os-unbound-plus 1.1 `[3] <https://github.com/opnsense/plugins/blob/master/dns/unbound-plus/pkg-descr>`__
* plugins: os-wol 2.3 adds case insensitive matching in widget (contributed by Gauss23)
* ports: ca_root_nss 3.51.1
* ports: dnsmasq 2.81 `[4] <https://www.thekelleys.org.uk/dnsmasq/CHANGELOG>`__
* ports: krb5 1.18.1 `[5] <https://web.mit.edu/kerberos/krb5-1.18/>`__
* ports: openvpn 2.4.9 `[6] <https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.9>`__
* ports: php 7.2.30 `[7] <https://www.php.net/ChangeLog-7.php#7.2.30>`__
* ports: py-certifi 2020.4.5.1
* ports: strongswan 5.8.4 `[8] <https://wiki.strongswan.org/versions/77>`__
--------------------------------------------------------------------------
20.1.4 (April 08, 2020)
--------------------------------------------------------------------------
It almost looks like business as usual. But we all know it is not.
We will get through this together.
Here are the full patch notes:
* system: add missing strtolower() in LDAP sync response
* system: fix /var/run/legacy_log socket creation race with Syslog-ng
* system: add info button to display privilege / ACL endpoints
* system: make IPsec tap tunables overwriteable
* firewall: floating means either all interfaces or more than one selected
* firewall: simplify group maintenance by only applying them on filter reload
* interfaces: use primary IPv6 and support VIP tracking
* interfaces: multiple changes in radvd.conf setup (contributed by maurice-w)
* dhcp: fix DDNS support in DHCPv6 (contributed by Wagner Sartori Junior)
* firmware: mirror opnsense.ieji.de renamed to opn.sense.nz
* openvpn: improve openvpn_port_used() logic
* unbound: minor cleanup in /api/unbound/diagnostics/stats endpoint
* unbound: remove 192.0.0.0/24 from rebinding prevention list (contributed by maurice-w)
* mvc: simplify reload of captive portal, cron, IDS, alias, loopback, VXLAN, web proxy, routes, syslog and shaper
* mvc: limit dropdown size to 10 if not specified
* mvc: support inheritance of the ArrayField type
* mvc: synchronize backup timestamps with revisions
* mvc: fixed width for timestamp column in logging
* mvc: init errorMessage to prevent crash reports
* shell: use interfaces_primary_address6() for correct IPv6 display
* shell: append a newline in pluginctl -g mode
* plugins: os-acme-client 1.30 `[1] <https://github.com/opnsense/plugins/pull/1753>`__
* plugins: os-bind 1.13 `[2] <https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr>`__
* plugins: os-freeradius 1.9.6 `[3] <https://github.com/opnsense/plugins/blob/master/net/freeradius/pkg-descr>`__
* plugins: os-haproxy 2.21 `[4] <https://github.com/opnsense/plugins/pull/1755>`__
* plugins: os-maltrail 1.5 `[5] <https://github.com/opnsense/plugins/blob/master/security/maltrail/pkg-descr>`__
* plugins: os-nginx 1.19 `[6] <https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr>`__
* plugins: os-nut 1.7 `[7] <https://github.com/opnsense/plugins/blob/master/sysutils/nut/pkg-descr>`__
* plugins: os-postfix 1.14 `[8] <https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr>`__
* plugins: os-tayga 1.0 (contributed by Michael Muenz)
* plugins: os-telegraf 1.7.7 `[9] <https://github.com/opnsense/plugins/blob/master/net-mgmt/telegraf/pkg-descr>`__
* plugins: os-unbound-plus 1.0 (contributed by Michael Muenz and Petr Kejval)
* lang: multiple updates to supported languages
* lang: new Turkish translation (contributed by Aydin Yakar)
* src: work around PCI devices which return all zeros for reads of existing MSI-X table VCTRL registers
* src: fix incorrect checksum calculations with IPv6 extension headers `[10] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:06.ipv6.asc>`__
* src: fix TCP IPv6 SYN cache kernel information disclosure `[11] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:04.tcp.asc>`__
* src: fix insufficient oce(4) ioctl(2) privilege checking `[12] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:05.if_oce_ioctl.asc>`__
* src: fix incorrect user-controlled pointer use in epair `[13] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:07.epair.asc>`__
* src: fix kernel memory disclosure with nested jails `[14] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:08.jail.asc>`__
* ports: curl 7.69.1 `[15] <https://curl.haxx.se/changes.html>`__
* ports: krb5 1.18 `[16] <https://web.mit.edu/kerberos/krb5-1.18/>`__
* ports: openssh 8.2p1 `[17] <https://www.openssh.com/txt/release-8.2>`__
* ports: openssl 1.1.1f `[18] <https://www.openssl.org/news/openssl-1.1.1-notes.html>`__
* ports: perl 5.30.2 `[19] <https://metacpan.org/pod/release/SHAY/perl-5.30.2/pod/perldelta.pod>`__
* ports: php 7.2.29 `[20] <https://www.php.net/ChangeLog-7.php#7.2.29>`__
* ports: python 3.7.7 `[21] <https://www.python.org/downloads/release/python-377/>`__
* ports: strongswan 5.8.3 `[22] <https://wiki.strongswan.org/versions/76>`__
* ports: sudo 1.8.31p1 `[23] <https://www.sudo.ws/stable.html>`__
--------------------------------------------------------------------------
20.1.3 (March 18, 2020)
--------------------------------------------------------------------------
Quick reliability release for all of you out there doing the impossible
providing VPN for road warriors and what not. Keep it up! :)
Here are the full patch notes:
* system: match group CN case-insensitive
* system: added pluggable log format parsing facility
* system: update nsComment in OpenSSL config (contributed by vnxme)
* interfaces: fix missing default gateway switch on linkup event
* firewall: properly lock alias_util API (contributed by Cedric Deconinck)
* firewall: flush priority sections to /tmp/rules.debug
* firewall: do not escape internal URLs
* firmware: revoke 19.7 fingerprint
* ipsec: add virtual IPv6 pool for mobile clients (contributed by vnxme)
* ipsec: add MVC service control API
* monit: simplify Monit reload
* openvpn: properly swapped help texts regarding routes
* unbound: multiple fixes in DHCP watcher
* mvc: fix CountryField for static options
* mvc: extend PortField to support multiple items
* mvc: BaseListField plus PortField now use getValidationMessage() to bootstrap defaults
* mvc: add NetworkAliasField, ProtocolField and LegacyLinkField types
* mvc: apply PSR12 style as found on master
* ui: add jQuery plugin to support a simple service reload/action button
* ui: hook bootgrid javascript texts
* plugins: os-munin-node 1.0 (contributed by Michael Muenz)
* plugins: os-sunnyvalley 1.2 (contributed by Sunny Valley
* plugins: os-wol: relax MAC address validation (contributed by Mikael Falkvidd)
* ports: ca_root_nss 3.51
* ports: ntp 4.2.8p14 `[1] <https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ChangeLog-stable>`__
--------------------------------------------------------------------------
20.1.2 (March 05, 2020)
--------------------------------------------------------------------------
Today we pick up the recent FreeBSD security advisories as well as
the usual noise in bugfixes and third party updates. We are also at
the brink of a first HardenedBSD 12.1 based image so stay tuned.
Here are the full patch notes:
* system: fix leap year issue in new log reader
* system: add valid from and to dates to user certs display
* system: drop unused services.inc and diag_logs_template.inc
* interfaces: make sure descriptions are properly cleansed
* interfaces: introduce interfaces_primary_address6()
* interfaces: validate interface input in packet capture
* firewall: immediately download GeoIP if not already found
* firewall: improve performance when working with large number of aliases
* firewall: fix visibility on internal CARP rules
* captive portal: fix expiry and validity for vouchers (contributed by xx4h)
* dhcp: fix DNS registration for DHCPv6 static mappings (contributed by maurice-w)
* dhcp: add icons next to online/offline lease status (contributed by Tyler Ham)
* ipsec: allow configuration of inactivity parameter (contributed by Marcel Menzel)
* unbound: minor changes while scanning ACL subnets
* web proxy: work around to skip passing additional auth properties
* backend: allow pluginctl to return config.xml values
* console: improve type checks in set address function
* rc: join CARP early startup scripts
* plugins: os-dnscrypt-proxy fix for setup.sh on reboot
* plugins: os-dyndns 1.20 fixes verify restrictions, GratisDNS and missing break for Linode (contributed by NOYB, Johan Pramming, Andrew Gunnerson)
* plugins: os-maltrail 1.4 `[1] <https://github.com/opnsense/plugins/blob/master/security/maltrail/pkg-descr>`__
* plugins: os-nrpe fix for setup.sh on reboot
* plugins: os-tinc 1.5 fixes bug in IPv6 support (contributed by vnxme)
* src: fix imprecise ordering of SSP canary initialization `[2] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:01.ssp.asc>`__
* src: fix nmount invalid pointer dereference `[3] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:02.nmount.asc>`__
* src: fix libfetch buffer overflow `[4] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:01.libfetch.asc>`__
* src: fix kernel stack data disclosure `[5] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:03.thrmisc.asc>`__
* ports: ca_root_nss 3.50
* ports: php 7.2.28 `[6] <https://www.php.net/ChangeLog-7.php#7.2.28>`__
* ports: squid 4.10 `[7] <http://squid.mirror.colo-serv.net/archive/4/squid-4.10-RELEASENOTES.html>`__
* ports: suricata 4.1.7 `[8] <https://suricata-ids.org/2020/02/13/suricata-4-1-7-released/>`__
* ports: syslog-ng 3.25.1 `[9] <https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.25.1>`__
* ports: unbound 1.10.0 `[10] <https://nlnetlabs.nl/projects/unbound/download/>`__
--------------------------------------------------------------------------
20.1.1 (February 13, 2020)
--------------------------------------------------------------------------
A tiny update to keep everyone happy. :)
Here are the full patch notes:
* system: increase size of user SSH key input box
* system: fix faulty PPP log link in the menu
* system: fix a PHP warning on the general settings page
* interfaces: update maximum MTU for 10Gb NICs (contributed by Len White)
* firewall: fix rule statistics display for rules using tagging
* reporting: fix missing separator in NetFlow configuration
* firmware: add Quantum mirror in Hungary
* openvpn: fix ifconfig-ipv6-push format
* plugins: os-dnscrypt-proxy 1.7 `[1] <https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr>`__
* plugins: os-net-snmp 1.4 `[2] <https://github.com/opnsense/plugins/blob/master/net-mgmt/net-snmp/pkg-descr>`__
* plugins: os-nginx 1.18 `[3] <https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr>`__
* plugins: os-theme-vicuna 1.0 (contributed by Team Rebellion)
* ports: lighttpd 1.4.55 `[4] <https://www.lighttpd.net/2020/1/31/1.4.55/>`__
* ports: openldap 2.4.49 `[5] <https://www.openldap.org/software/release/changes.html>`__
* ports: pkg libfetch security fix `[6] <https://github.com/freebsd/freebsd-ports/commit/eec0b5c>`__
* ports: sudo 1.8.31 `[7] <https://www.sudo.ws/stable.html#1.8.31>`__
--------------------------------------------------------------------------
20.1 (January 30, 2020)
--------------------------------------------------------------------------
For over 5 years now, OPNsense is driving innovation through modularising
and hardening the open source firewall, with simple and reliable firmware
upgrades, multi-language support, HardenedBSD security, fast adoption of
upstream software updates as well as clear and stable 2-Clause BSD licensing.
20.1, nicknamed "Keen Kingfisher", is a subtle improvement on sustainable
firewall experience. This release adds VXLAN and additional loopback device
support, IPsec public key authentication and elliptic curve TLS certificate
creation amongst others. Third party software has been updated to their
latest versions. The logging frontend was rewritten for MVC with seamless
API support. On the far side the documentation increased in quality as well
as quantity and now presents itself in a familiar menu layout.
Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
can be found below as well.
* Europe: https://opnsense.c0urier.net/releases/20.1/
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.1/
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.1/
* South America: http://mirror.upb.edu.co/opnsense/releases/20.1/
* South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/20.1/
* Full mirror list: https://opnsense.org/download/
These are the most prominent changes since version 19.7:
* Captive portal performance improvements
* IPsec public key authentication support
* Elliptic curve TLS certificate creation
* CARP service demotion hook
* VXLAN device support
* Loopback device support
* Extended firmware health audit checks
* Support direction and non-quick on interface rules
* Logging frontend migrated to MVC / API
* PSR 12 coding style
* Documentation for all core components
* Python 3.7 is now the default Python version
* LibreSSL 3.0 and OpenSSL 1.1.1
* Google Backup API 2.4
* jQuery 3.4.1
And here are the full patch notes against version 20.1-RC1:
* installer: welcome users as genuine 20.1 installer
* rc: revert growfs change since Nano does not grow anymore
* plugins: os-mail-backup 1.1 `[2] <https://github.com/opnsense/plugins/pull/1671>`__
* plugins: os-nrpe 1.0 (contributed by Michael Muenz)
* plugins: os-theme-rebellion 1.8.3 (contributed by Team Rebellion)
* plugins: os-vnstat 1.2 `[3] <https://github.com/opnsense/plugins/blob/master/net/vnstat/pkg-descr>`__
* plugins: zabbix4-proxy 1.2 `[4] <https://github.com/opnsense/plugins/blob/master/net-mgmt/zabbix4-proxy/pkg-descr>`__
* ports: ca_root_nss 3.49.2
* ports: curl 7.68.0 `[5] <https://curl.haxx.se/changes.html>`__
* ports: isc-dhcp 4.4.2 `[6] <https://downloads.isc.org/isc/dhcp/4.4.2/dhcp-4.4.2-RELNOTES>`__
* ports: php 7.2.27 `[7] <https://www.php.net/ChangeLog-7.php#7.2.27>`__
* ports: urllib3 1.27.7 `[8] <https://github.com/urllib3/urllib3/blob/master/CHANGES.rst#1257-2019-11-11>`__
Known issues and limitations:
* HardenedBSD 12.1 has been postponed to the next major release
* Legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp have been deprecated and will no longer receive updates
* To prevent stale configuration files for remote syslog we advise to setup the new targets first `[9] <https://docs.opnsense.org/manual/settingsmenu.html#logging-targets>`__ and disable the old ones under System: Settings: Logging
* i386 has not been deprecated for the time being ;)
The public key for the 20.1 series is:
.. code-block::
# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0oYxXjva1d2TC/jQ/ygT
# GNB2QM2Flhq1CKwYKioT6kuKCelmG/vDRVYGs2VwBeshl53qnnob3rrCVtuS84VG
# C8n0i7bWsVWuOCaPzVCOua7MyxQNDItwA5D18SrmDbs07JE9XD30cX36Lvyq8GvZ
# bjk3AnHHqefR6F7fMGjDNPE3JofyLXEXN7TiH/Wk1MmBm3TXMJ4q63qa/clbY5zT
# jd2k1dtKWy23CcBKfxplu8HycqdQLCRl4o9+qdq7OQ8v9VT5dPIJcJodCvX9hAf7
# AUAMqsP3e6AyDM7iQcEkJiwAiytFAawyEIVOECxhEA+NpXHykd4G/00f5jGB259X
# /A8ARhjyT3zadjgXTIcEEBe5YTmxZrrKvWud4PguBTQOo9+XpI0H8A+IcoZ9AXQT
# J/IDBZJjsdSLspLPzLiwVQk9JrVylMLeyXCbtGCBZ8FOXyffceNQQl119ubkAZkx
# +NvioMIYQ+8rX0vn0njJfot+GQh0ezadlzuAmBBsGD8EtMCj92l/7zOyGucG+dCW
# kIv1yX0IOKeaNBZR3GDJJoyj5hFnoxkj2aNbuWjetg5MvpjBMl/h44brjL93m8PK
# GUhwcEPqcwu4ngu12O6vEeJW4vAbFlEznvgxmwJhMQf1/R8SUmKmAiprWKnY/w0E
# VHzlx7aRoGcRnnPs71DeloMCAwEAAQ==
# -----END PUBLIC KEY-----
.. code-block::
# SHA256 (OPNsense-20.1-OpenSSL-dvd-amd64.iso.bz2) = 4b15e9b3d72732d325c5eaf46ba34575d4de8cdc3e3ac1b10666c7372563be6d
# SHA256 (OPNsense-20.1-OpenSSL-nano-amd64.img.bz2) = 27544a78ae03d480a483cfd2e7cfa703b60e50938a1ed188ec3ccde6c426fefe
# SHA256 (OPNsense-20.1-OpenSSL-serial-amd64.img.bz2) = f93bbcbe92059c5de49f22d485da292952b48658a28d1cdaf83191e8c95c03c2
# SHA256 (OPNsense-20.1-OpenSSL-vga-amd64.img.bz2) = 019a877c4b4cb96cfda62d041774a91c030c5a8ecd58f8c3fd0067c7ac392982
.. code-block::
# SHA256 (OPNsense-20.1-OpenSSL-dvd-i386.iso.bz2) = 36146d0a066d9d696433599487e2a538ee5575a6b3d631293ad9e14e5fbbc6e0
# SHA256 (OPNsense-20.1-OpenSSL-nano-i386.img.bz2) = 0980f49d1b3445505fd1db27ab070886a706388d3aa16d7c8d953f279b7e3b11
# SHA256 (OPNsense-20.1-OpenSSL-serial-i386.img.bz2) = 322adbafe331ef7232c08d839a6f355ee633f5a662009b1801ebad0edab03d73
# SHA256 (OPNsense-20.1-OpenSSL-vga-i386.img.bz2) = 8bdd109015d7d54d382c7293bdf8fac6397a6c2e37662b73647c276e98c19d64
--------------------------------------------------------------------------
20.1.r1 (January 24, 2020)
--------------------------------------------------------------------------
For over 5 years now, OPNsense is driving innovation through modularising
and hardening the open source firewall, with simple and reliable firmware
upgrades, multi-language support, HardenedBSD security, fast adoption of
upstream software updates as well as clear and stable 2-Clause BSD licensing.
We thank all of you for helping test, shape and contribute to the project!
We know it would not be the same without you.
Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
can be found below as well.
* Europe: https://opnsense.c0urier.net/releases/20.1/
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.1/
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.1/
* South America: http://mirror.upb.edu.co/opnsense/releases/20.1/
* South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/20.1/
* Full mirror list: https://opnsense.org/download/
Here are the full patch notes against 19.7.9_1:
* system: support for manually removing static route entries
* system: migrated logging to MVC
* system: regenerate default DH parameters
* system: randomize session ID in test cookie
* system: remove legacy XMLRPC push on changes
* system: deprecate the use of services.inc
* system: opt-out on "Allow DNS server list to be overridden by DHCP/PPP on WAN" for selected interfaces
* system: increase PHP memory limit to 512 MB
* system: opnsense-auth can now respond with extended properties in JSON on successful authentication
* interfaces: loopback device support
* interfaces: VXLAN device support
* interfaces: first steps toward fully pluggable device infrastructure
* interfaces: remove default load of netgraph framework on bootup
* interfaces: interfaces: move description into top block and rename titles
* interfaces: only trigger newwanip event for affected interfaces
* firmware: revoke 19.1, trust 20.1 fingerprint
* firmware: new mirror in Zurich, CH contributed by ServerBase AG
* firmware: add live search to mirror selection
* dhcp: add OMAPI configuration support (contributed by Yuri Moens)
* ipsec: add configurable dpdaction (contributed by Marcel Menzel)
* ipsec: refactor tunnel settings page
* unbound: add options for logging queries and extended statistics (contributed by Flightkick)
* mvc: BaseListField ignoring empty selected field
* ui: jQuery 3.4.1
* plugins: os-dyndns 1.19 adds dynv6 and Azure DNS support (contributed by Ralf Zerres and martgras)
* plugins: os-haproxy 2.20 `[2] <https://github.com/opnsense/plugins/pull/1646>`__
* plugins: os-zabbix-agent 1.7 `[3] <https://github.com/opnsense/plugins/pull/1578>`__ `[4] <https://github.com/opnsense/plugins/pull/1618>`__
* ports: ca_root_nss 3.49.1
* ports: curl 7.68.0 `[5] <https://curl.haxx.se/changes.html>`__
* ports: openssl 1.1.1d `[6] <https://www.openssl.org/news/openssl-1.1.1-notes.html>`__
Known issues and limitations:
* HardenedBSD 12.1 has been postponed to the next major release
* Nano growfs does not work on this release candidate, but a fix for 20.1 already exists
* Installer still advertises 19.7, but a fix for 20.1 already exists
* Legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp have been deprecated and will no longer receive updates
* i386 has not been deprecated for the time being ;)
The public key for the 20.1 series is:
.. code-block::
# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0oYxXjva1d2TC/jQ/ygT
# GNB2QM2Flhq1CKwYKioT6kuKCelmG/vDRVYGs2VwBeshl53qnnob3rrCVtuS84VG
# C8n0i7bWsVWuOCaPzVCOua7MyxQNDItwA5D18SrmDbs07JE9XD30cX36Lvyq8GvZ
# bjk3AnHHqefR6F7fMGjDNPE3JofyLXEXN7TiH/Wk1MmBm3TXMJ4q63qa/clbY5zT
# jd2k1dtKWy23CcBKfxplu8HycqdQLCRl4o9+qdq7OQ8v9VT5dPIJcJodCvX9hAf7
# AUAMqsP3e6AyDM7iQcEkJiwAiytFAawyEIVOECxhEA+NpXHykd4G/00f5jGB259X
# /A8ARhjyT3zadjgXTIcEEBe5YTmxZrrKvWud4PguBTQOo9+XpI0H8A+IcoZ9AXQT
# J/IDBZJjsdSLspLPzLiwVQk9JrVylMLeyXCbtGCBZ8FOXyffceNQQl119ubkAZkx
# +NvioMIYQ+8rX0vn0njJfot+GQh0ezadlzuAmBBsGD8EtMCj92l/7zOyGucG+dCW
# kIv1yX0IOKeaNBZR3GDJJoyj5hFnoxkj2aNbuWjetg5MvpjBMl/h44brjL93m8PK
# GUhwcEPqcwu4ngu12O6vEeJW4vAbFlEznvgxmwJhMQf1/R8SUmKmAiprWKnY/w0E
# VHzlx7aRoGcRnnPs71DeloMCAwEAAQ==
# -----END PUBLIC KEY-----
Please let us know about your experience!
.. code-block::
# SHA256 (OPNsense-20.1.r1-OpenSSL-dvd-amd64.iso.bz2) = fed43e5cc5092da5adcfcb2ccdddf51a1cea6a69f06b764fcd9c3d36e0705d4a
# SHA256 (OPNsense-20.1.r1-OpenSSL-nano-amd64.img.bz2) = bf825455cc09e2a410cbe702a0c1c5b454546c476c7e90ae87ab64fc3eee6a78
# SHA256 (OPNsense-20.1.r1-OpenSSL-serial-amd64.img.bz2) = 906103fb4cc3e573a9e2d560a6365baa7162077b8933a253bb45fd23a154dd87
# SHA256 (OPNsense-20.1.r1-OpenSSL-vga-amd64.img.bz2) = 3308412597f5b95f9b9e854ddbeb5f49735109d846af553dbe2553dedf73cb9b
.. code-block::
# SHA256 (OPNsense-20.1.r1-OpenSSL-dvd-i386.iso.bz2) = a110e2ed48228d918909daca5d93d8acafccdc4426e3e928d8561f7ad4180289
# SHA256 (OPNsense-20.1.r1-OpenSSL-nano-i386.img.bz2) = 201b757b0d719e8f3c4aa473b414005a5544a4b1553ca9d79c1743610d67b460
# SHA256 (OPNsense-20.1.r1-OpenSSL-serial-i386.img.bz2) = 74a8f6bc5cdf885f5ff906ad2dfd05584f8e217212f90cd2e3a3269a5a9b604a
# SHA256 (OPNsense-20.1.r1-OpenSSL-vga-i386.img.bz2) = 1779ca5aeb37d2d97bd7e053421d64206b27189db74711600b93e458d858caff
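Review bot: the urllib3 entry in the 20.1 notes reads "urllib3 1.27.7", but the linked changelog anchor is "#1257-2019-11-11", which is the 1.25.7 entry; one of the two looks like a typo and the version string should be checked against the port before this lands. Two smaller points in the same file: the 20.1.3 line "plugins: os-sunnyvalley 1.2 (contributed by Sunny Valley" is missing its closing parenthesis, and the 20.1.r1 line "interfaces: interfaces: move description into top block and rename titles" repeats the "interfaces:" prefix.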

@ -0,0 +1,629 @@
===========================================================================================
20.7 "Legendary Lion" Series
===========================================================================================
For five and a half years, OPNsense is driving innovation through modularising
and hardening the open source firewall, with simple and reliable firmware
upgrades, multi-language support, HardenedBSD security, fast adoption of
upstream software updates as well as clear and stable 2-Clause BSD licensing.
20.7, nicknamed "Legendary Lion", is a major operating system jump forward on
a sustainable firewall experience. This release adds DHCPv6 multi-WAN, custom
error pages for the web proxy, Suricata 5, HardenedBSD 12.1, netstat tree view,
basic firewall API support (via plugin) and extended live log filtering amongst
others.
Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
can be found below as well.
* Europe: https://mirrors.dotsrc.org/opnsense/releases/20.7/
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.7/
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.7/
* South America: https://mirror.venturasystems.tech/opnsense/releases/20.7/
* Australia: http://mirror.as24220.net/opnsense/releases/20.7/
* Full mirror list: https://opnsense.org/download/
--------------------------------------------------------------------------
20.7.8 (January 19, 2021)
--------------------------------------------------------------------------
The particular volume of this stable update foreshadows the end of the 20.7
series in less than two weeks.
One longstanding issue with radvd on FreeBSD 12.1 has been resolved according
to multiple user feedback.
The mailing lists have been archived and will no longer be used.
And before there are questions: yes, consumers of the development version are
now able to upgrade to 21.1-RC1.
Here are the full patch notes:
* system: allow to recover from bad TLS certificate and/or bad settings in console interface assign
* system: display destination port number in firewall log widget (contributed by Team Rebellion)
* system: keep compatible TLS 1 defaults for web GUI on 20.7 series
* system: set default certificate lifetime to 397 days
* firewall: add type 128 to outgoing IPv6 RFC4890 requirements
* firewall: add manual refresh button to live log
* firewall: fix typo in ICMPv6 validation
* firewall: fix minor regression in maintaining target alias file
* firewall: fix all state value in pfTop (contributed by Lucas Held)
* firewall: remove duplicated destination field in live log
* firewall: add read-only actions to aliases permission (contributed by Manuel Faux)
* firewall: category selector missing caption
* reporting: add top talkers to revamped traffic graph page
* reporting: fix name resolution filter change in insight
* reporting: persist interface selection on traffic graph page
* captive portal: disable faulty TLS on HTTP since lighttpd 1.4.56
* dhcp: fix sorting of IPv6 static mappings (contributed by vnxme)
* dhcp: fix incorrect parsing of DUID (contributed by Matt Holgate)
* firmware: opnsense-code now updates the current directory if nothing was specified
* firmware: opnsense-code now uses flexible make.conf target from tools.git
* firmware: opnsense-update now supports snapshot access via -z option
* firmware: opnsense-update now fixes missing dependencies on the fly
* firmware: fix some issues with missing repository on server
* firmware: add version output and date to audit logs
* ipsec: display remote host in status overview (contributed by garlic17)
* opendns: add standalone mode
* openssh: honour MAX_LISTEN_SOCKS
* openvpn: set default certificate lifetime to 397 days in wizard
* unbound: generate all configuration files in service controller
* unbound: fix broken lines in large files (contributed by kulikov-a)
* web proxy: lock ACL download to prevent duplicate execution
* mvc: allow underscore in filter string (contributed by kulikov-a)
* plugins: os-haproxy 2.26 `[1] <https://github.com/opnsense/plugins/blob/master/net/haproxy/pkg-descr>`__
* plugins: os-hw-probe 1.0 (contributed by Michael Muenz)
* plugins: os-maltrail fixes sensor start without server (contributed by Julio Camargo)
* plugins: os-nginx 1.20 `[2] <https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr>`__
* plugins: os-tinc fixes for latest version (contributed by vnxme)
* src: fix OpenSSL NULL pointer de-reference `[3] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:33.openssl.asc>`__
* src: fix partial scrub of multicast packages
* src: free full mbuf chains in iflib when draining transmit queues
* src: initialize oifp to avoid bogus results/panics in edge cases
* src: 10Gigabit Ethernet driver for AMD SoC
* ports: libressl 3.2.3 `[4] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.2-relnotes.txt>`__ `[5] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.3-relnotes.txt>`__
* ports: nss 3.60.1
* ports: php 7.3.26 `[6] <https://www.php.net/ChangeLog-7.php#7.3.26>`__
* ports: pkg fix for shell keyword by opening root file descriptor
* ports: radvd 2.19 `[7] <https://radvd.litech.org/CHANGES.txt>`__
* ports: sudo 1.9.5p1 `[8] <https://www.sudo.ws/stable.html#1.9.5p1>`__
A hotfix release was issued as 20.7.8_4:
* firmware: enable upgrade path to 21.1
* ports: sudo 1.9.5p2 `[9] <https://www.sudo.ws/stable.html#1.9.5p2>`__
--------------------------------------------------------------------------
20.7.7 (December 17, 2020)
--------------------------------------------------------------------------
Important security updates inside. Also: happy holidays!
Here are the full patch notes:
* reporting: fix traffic graph widget link issue
* system: simplify log format parsing
* interfaces: fix DUID LL description (contributed by Gabriel Mazzocato)
* unbound: fix dnsbl not reloading after update
* plugins: os-acme-client 2.2 `[1] <https://github.com/opnsense/plugins/blob/master/security/acme-client/pkg-descr>`__
* plugins: os-freeradius 1.9.9 `[2] <https://github.com/opnsense/plugins/blob/master/net/freeradius/pkg-descr>`__
* plugins: os-frr 1.20 `[3] <https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr>`__
* plugins: os-tinc 1.6 enables multiple addresses per host (contributed by ElNounch)
* plugins: os-wireguard 1.4 `[4] <https://github.com/opnsense/plugins/blob/master/net/wireguard/pkg-descr>`__
* ports: curl 7.74.0 `[5] <https://curl.se/changes.html>`__
* ports: dhcp6c ignores advertise messages with none of requested data and missed status codes
* ports: libressl 3.1.5 `[6] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.1.5-relnotes.txt>`__
* ports: lighttpd 1.4.56 `[7] <https://www.lighttpd.net/2020/11/29/1.4.56/>`__
* ports: nss 3.60 `[8] <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.60_release_notes>`__
* ports: openssl 1.1.1i `[9] <https://www.openssl.org/news/secadv/20201208.txt>`__
* ports: pcre2 10.36 `[10] <https://www.pcre.org/changelog.txt>`__
* ports: sudo 1.9.4 `[11] <https://www.sudo.ws/stable.html#1.9.4>`__
* ports: sqlite 3.34.0 `[12] <https://sqlite.org/changes.html>`__
* ports: unbound 1.13.0 `[13] <https://nlnetlabs.nl/projects/unbound/download/>`__
A hotfix release was issued as 20.7.7_1:
* system: disable TLS on plain HTTP redirect for new lighttpd version
* ports: unbound fix for segmentation fault (restart service to activate)
* ports: lighttpd 1.4.58 `[14] <https://www.lighttpd.net/2020/12/27/1.4.58/>`__
--------------------------------------------------------------------------
20.7.6 (December 08, 2020)
--------------------------------------------------------------------------
This update brings the usual mix of reliability fixes, plugin and third party
software updates: FreeBSD, HardenedBSD, PHP, OpenSSH, StrongSwan, Suricata and
Syslog-ng amongst others.
Please note that Let's Encrypt users need to reissue their certificates
manually after upgrading to this version to fix the embedded certificate chain
issue with the current signing CA switch going on.
The mail backup plugin is currently not available pending a response from
the maintainer. Users are advised to avoid using it for the moment.
Here are the full patch notes:
* system: no longer enforce alias names in gateways
* system: add "step into" icon on log lines when filtering
* system: add current CPU load progress bar (contributed by kulikov-a)
* firewall: allow larger selection in live log
* firewall: correctly select current IPv6 field in getInterfaceGateway()
* firewall: add validation for ipv6-icmp combined with inet
* reporting: traffic graph replacement using iftop
* openvpn: calculate first network address as gateway address when only ifconfig_local is given
* web proxy: throw startup error to user
* plugins: os-acme-client 2.1 `[1] <https://github.com/opnsense/plugins/blob/master/security/acme-client/pkg-descr>`__
* plugins: os-frr 1.19 `[2] <https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr>`__
* plugins: os-mail-backup not available due to unaddressed security concerns
* src: fix parsing of netmap legacy nmr->nr_ringid
* src: fix mutex double unlock bug in netmap
* src: minor misc netmap improvements
* src: improve netmap(4) and vale(4) man pages
* src: IPV6_PKTINFO support for v4-mapped IPv6 sockets
* src: zero-initialize variables in HBSD PaX SEGVGUARD
* src: fix execve/fexecve system call auditing `[3] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:19.audit.asc>`__
* src: fix uninitialized variable in ipfw `[4] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:21.ipfw.asc>`__
* src: fix race condition in callout CPU migration `[5] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:22.callout.asc>`__
* src: fix ICMPv6 use-after-free in error message handling `[6] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:31.icmp6.asc>`__
* src: fix multiple vulnerabilities in rtsold `[7] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:32.rtsold.asc>`__
* src: update timezone database information `[8] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:20.tzdata.asc>`__
* ports: krb5 1.18.3 `[9] <https://web.mit.edu/kerberos/krb5-1.18/>`__
* ports: nss 3.59 `[10] <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.59_release_notes>`__
* ports: openldap 2.4.56 `[11] <https://www.openldap.org/software/release/changes.html>`__
* ports: openssh 8.4p1 `[12] <https://www.openssh.com/txt/release-8.4>`__
* ports: php 7.3.25 `[13] <https://www.php.net/ChangeLog-7.php#7.3.25>`__
* ports: strongswan 5.9.1 `[14] <https://wiki.strongswan.org/versions/79>`__
* ports: suricata 5.0.5 `[15] <https://suricata-ids.org/2020/12/04/suricata-6-0-1-5-0-5-and-4-1-10-released/>`__
* ports: syslog-ng 3.30.1 `[16] <https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.30.1>`__
--------------------------------------------------------------------------
20.7.5 (November 20, 2020)
--------------------------------------------------------------------------
We return briefly for a small patch set and plan to pin the 20.1 upgrade
path to this particular version to avoid unnecessary stepping stones. We
wish you all a healthy Friday. And of course: patch responsibly!
Here are the full patch notes:
* system: syslog-ng related fixes during package management based restart
* system: change dpinger syslog message to reflect correct RTT and RTTd unit (contributed by fhloston)
* web proxy: add toggle for pinger service (contributed by nowyouseeit)
* web proxy: add missing X-Forwarded-For header option
* mvc: new Base64Field type
* mvc: new VirtualIPField type
* plugins: os-acme-client 2.0 `[1] <https://github.com/opnsense/plugins/blob/master/security/acme-client/pkg-descr>`__
* plugins: os-bind 1.14 `[2] <https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr>`__
* plugins: os-chrony 1.1 `[3] <https://github.com/opnsense/plugins/blob/master/net/chrony/pkg-descr>`__
* ports: monit 5.27.1 `[4] <https://mmonit.com/monit/changes/>`__
* ports: php 7.3.24 `[5] <https://www.php.net/ChangeLog-7.php#7.3.24>`__
* ports: pkg upstream fix for upgrade script hang `[6] <https://github.com/freebsd/pkg/pull/1893>`__
* ports: strongswan 5.9.0 `[7] <https://www.strongswan.org/blog/2020/07/29/strongswan-5.9.0-released.html>`__
--------------------------------------------------------------------------
20.7.4 (October 22, 2020)
--------------------------------------------------------------------------
This release finally wraps up the recent Netmap kernel changes and tests.
The Realtek vendor driver was updated as well as third party software cURL,
libxml2, OpenSSL, PHP, Suricata, Syslog-ng and Unbound just to name a couple
of them.
We would like to thank Sunny Valley Networks for their relentless efforts
to bring said Netmap fixes and improvements into FreeBSD.
If you are having trouble with a stuck update try the command sequence below
from the root shell or simply reboot from the GUI and rerun the update in
case it was not fully carried out yet.
.. code-block::
# pkill syslog-ng
# service syslog-ng restart
Here are the full patch notes:
* system: switch web GUI address selection to avoid server.bind in IPv6 first case
* system: fix defunct "use default" button on web GUI listen interfaces
* system: signal "auth user changed" when a user is modified via web GUI
* system: replace gateway widget and add proper API endpoint for it
* system: fix reading displayName attribute on LDAP search (contributed by ServiusHack)
* interfaces: change maximum MTU value to 65535 in accordance with RFC 791
* interfaces: update wireless device detection prefixes
* interfaces: lexical sort interface keys for assignments
* firewall: add support for network exclusions in network alias type
* firewall: add NAT information to pfInfo page (contributed by kulikov-a)
* firewall: associated NAT rules missed state keyword
* firewall: allow "or" conditions in live log
* firewall: use pfctl for alias IP check (contributed by kulikov-a)
* dnsmasq: regenerate resolv.conf on save
* dnsmasq: log queries option
* intrusion detection: ignore pkill exit status when performing update
* ipsec: add description to reconfigure action (contributed by Frank Wall)
* unbound: rebuild unbound blacklist download
* unbound: restructure reconfigure so that we always flush config
* backend: add new "config changed" event using syshook structure (sponsored by Modirum)
* mvc: add a few missing control widgets from log pages
* ui: upgrade moment.js to 2.27.0
* plugins: os-freeradius 1.9.8 `[1] <https://github.com/opnsense/plugins/blob/master/net/freeradius/pkg-descr>`__
* plugins: os-git-backup 1.0 `[2] <https://github.com/opnsense/plugins/issues/2049>`__ (sponsored by Modirum)
* plugins: os-haproxy 2.25 `[3] <https://curl.haxx.se/changes.html>`__
* plugins: os-stunnel 1.0.2 adds service protocol selector (contributed by fhloston)
* src: extended netmap update and driver fixes
* src: netmap tun and lagg support (contributed by Sunny Valley Networks)
* src: update Realtek re driver to upstream version 1.96.04 (contributed by Laurent Dinclaux)
* ports: curl 7.73.0 `[3] <https://curl.haxx.se/changes.html>`__
* ports: libxml2 fixes for CVE-2019-20388, CVE-2020-7595 and CVE-2020-24977
* ports: nss 3.58 `[4] <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.58_release_notes>`__
* ports: openssl 1.1.1h `[5] <https://www.openssl.org/news/changelog.html#openssl-111>`__
* ports: php 7.3.23 `[6] <https://www.php.net/ChangeLog-7.php#7.3.23>`__
* ports: pkg 1.15.10
* ports: radvd patch for dynamic interface shifting index
* ports: sudo 1.9.3p1 `[7] <https://www.sudo.ws/stable.html#1.9.3p1>`__
* ports: suricata 5.0.4 `[8] <https://suricata-ids.org/2020/10/08/suricata-4-1-9-and-5-0-4-released/>`__
* ports: syslog-ng 3.29.1 `[9] <https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.29.1>`__
* ports: unbound 1.12.0 `[10] <https://nlnetlabs.nl/projects/unbound/download/>`__
--------------------------------------------------------------------------
20.7.3 (September 24, 2020)
--------------------------------------------------------------------------
Today is the day for a number of FreeBSD security advisories and a few
reliability fixes.
We are still testing a batch of Netmap improvement patches with a separate
kernel. This and the Realtek vendor driver update will likely follow in
the next kernel update. All feedback is welcome.
Here are the full patch notes:
* system: use different shell gateway name to appease wizard
* system: simplify CARP hook
* interfaces: phase out netaddr.eui.ieee.OUI_REGISTRY_PATH usage
* firewall: add MAC type to top right filter selection
* firewall: fix two scrub rule parsing bugs
* firewall: omit group type interfaces in filter selection
* intrusion detection: re-create rule cache after rule deployment
* unbound: add "unbound-plus" section to XMLRPC sync
* dhcp: adding DDNS values of each additional pool to the $ddns_zones array (contributed by Mathieu St-Pierre)
* dhcp: add static interface mode to router advertisements
* rc: fix ssh key permissions on MSDOS import
* rc: support service identifier in pluginctl -s mode
* plugins: os-bind download link changes (contributed by gap579137)
* plugins: os-chrony 1.0 (contributed by Michael Muenz)
* plugins: os-dnscrypt-proxy blocklist script fixes (contributed by Mark Keisler)
* plugins: os-frr 1.17 `[1] <https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr>`__
* plugins: os-postfix 1.17 `[2] <https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr>`__
* plugins: os-rspamd 1.10 `[3] <https://github.com/opnsense/plugins/blob/master/mail/rspamd/pkg-descr>`__
* plugins: os-theme-cicada 1.25 (contributed by Team Rebellion)
* plugins: os-theme-tukan 1.23 (contributed by Team Rebellion)
* plugins: os-theme-vicuna 1.1 (contributed by Team Rebellion)
* plugins: os-wireguard 1.3 `[4] <https://github.com/opnsense/plugins/blob/master/net/wireguard/pkg-descr>`__
* plugins: os-zabbix-agent 1.8 `[5] <https://github.com/opnsense/plugins/blob/master/net-mgmt/zabbix-agent/pkg-descr>`__
* src: fix FreeBSD Linux ABI kernel panic `[6] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:17.linuxthread.asc>`__
* src: fix SCTP socket use-after-free `[7] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:25.sctp.asc>`__
* src: fix dhclient heap overflow `[8] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:26.dhclient.asc>`__
* src: fix ure device driver susceptible to packet-in-packet attack `[9] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:27.ure.asc>`__
* src: fix bhyve privilege escalation via VMCS access `[10] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:28.bhyve_vmcs.asc>`__
* src: fix bhyve SVM guest escape `[11] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:29.bhyve_svm.asc>`__
* src: fix ftpd privilege escalation via ftpchroot `[12] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:30.ftpd.asc>`__
* src: set PAX_HARDENING_NOSHLIBRANDOM in the RTLD by default
* src: fix kernel panic while trying to read multicast stream
* ports: mpd 5.9 `[13] <http://mpd.sourceforge.net/doc5/mpd4.html#4>`__
* ports: nss 3.57 `[14] <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes>`__
* ports: php 7.3.22 `[15] <https://www.php.net/ChangeLog-7.php#7.3.22>`__
* ports: pkg 1.15.6 `[16] <https://github.com/freebsd/freebsd-ports/commit/fd4f5566aea>`__

--------------------------------------------------------------------------
20.7.2 (September 02, 2020)
--------------------------------------------------------------------------

While we are still looking closer at netmap/iflib performance on 12.1 we
are rolling out a kernel with Intel em/igb updates that should avoid bad
packet counts in the default installation. Syslog-ng received a workaround
for the diagnosed startup issue and alias now supports MAC address content
similar to how host content works.

Here are the full patch notes:

* system: set REQUESTS_CA_BUNDLE in environments
* system: improve parsing for temperature sensors
* system: add "new-password" hint for Chrome on login form
* system: rename syslog services description and hide legacy mode when not enabled
* system: force syslog-ng restart after boot sequence
* system: properly read new style logging directories
* reporting: replace line endings when sending traceback to syslog in flowd_aggregate
* reporting: add traffic graph filter for private IPv4 networks (contributed by kcaj-burr)
* firewall: add MAC address alias type
* firewall: be more verbose when fetching alias remote content
* firewall: prevent pfctl error messages from being suppressed
* firewall: exclude all reserved pf.conf keywords from alias name
* firewall: bogons not loaded on initial load
* firewall: reset damaged bogons files on startup
* interfaces: add listen-queue-sizes in socket diagnostics
* firmware: properly report an unsigned repository
* firmware: revoke 20.1 fingerprint
* intrusion detection: rule cache parse error on invalid metadata
* intrusion detection: allow search for status enabled/disabled
* web proxy: correct template replacement during build time
* web proxy: bugfix in JSON access log
* unbound: updated project block lists links (contributed by gap579137)
* backend: add regex_replace template support
* plugins: os-acme-client 1.36 `[1] <https://github.com/opnsense/plugins/pull/1974>`__
* plugins: os-dyndns 1.23 adds Gandi LiveDNS support (contributed by vizion8-dan)
* plugins: os-haproxy 2.24 `[2] <https://github.com/opnsense/plugins/blob/master/net/haproxy/pkg-descr>`__
* plugins: os-stunnel 1.0.1 includes performance tweaks
* plugins: os-telegraf 1.8.2 `[3] <https://github.com/opnsense/plugins/blob/master/net-mgmt/telegraf/pkg-descr>`__
* plugins: os-tinc fixes cipher parsing on 20.7
* src: remove ACPI workaround for serial console on AMD EPYC
* src: make pf.conf ":0" ignore link-local v6 addresses too
* src: default "show bad packets" tunable to off in e100 driver
* src: fix unsolicited promisc mode in e1000 driver
* src: add valectl to the system commands
* ports: ca_root_nss/nss 3.56 `[4] <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.56_release_notes>`__
* ports: curl 7.72.0 `[5] <https://curl.haxx.se/changes.html#7_72_0>`__
* ports: libressl 3.1.4 `[6] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.1.4-relnotes.txt>`__
* ports: openldap 2.4.51 `[7] <https://www.openldap.org/software/release/changes.html>`__
* ports: php 7.3.21 `[8] <https://www.php.net/ChangeLog-7.php#7.3.21>`__
* ports: python 3.7.9 `[9] <https://www.python.org/downloads/release/python-379/>`__
* ports: sqlite 3.33.0 `[10] <https://sqlite.org/changes.html>`__
* ports: squid 4.13 `[11] <http://www.squid-cache.org/Versions/v4/squid-4.13-RELEASENOTES.html>`__
* ports: syslog-ng dlsym() workaround
* ports: unbound 1.11.0 `[12] <https://nlnetlabs.nl/projects/unbound/download/#unbound-1-11-0>`__

--------------------------------------------------------------------------
20.7.1 (August 13, 2020)
--------------------------------------------------------------------------

Small update here with security advisories, multicast fixes and logging
reliability patches amongst others.

Overall, the jump to HardenedBSD 12.1 is looking promising from our end.
From the reported issues we still have more logging quirks to investigate
and especially Netmap support (used in IPS and Sensei) is lacking in some
areas that were previously working. Patches are being worked on already
so we shall get there soon enough. Stay tuned.

Here are the full patch notes:

* system: split log process name into separate column
* system: filter new style log directories accordingly
* system: add delay to improve syslog-ng startup
* system: properly switch login page to latest jQuery 3.5.1
* firewall: add select boxes for static filters in live log
* firmware: ignore mandoc.db files in health output as the system will regenerate them weekly
* firmware: bring back Chinese Aivian mirror
* firmware: remove defunct opn.sense.nz and RageNetwork mirrors
* web proxy: add JSON output following Elastic Common Schema (sponsored by Incenter Technology)
* backend: cap log messages to 4000 characters to prevent longer messages from vanishing
* plugins: os-acme-client 1.35 `[1] <https://github.com/opnsense/plugins/pull/1950>`__
* plugins: os-frr 1.15 `[2] <https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr>`__
* plugins: os-postfix 1.15 `[3] <https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr>`__
* plugins: os-udpbroadcastrelay 1.0 (contributed by Team Rebellion)
* src: set the current VNET before calling netisr_dispatch() in ng_iface(4)
* src: assorted multicast group join/leave corrections
* src: fix vmx driver packet loss and degraded performance `[4] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:16.vmx.asc>`__
* src: fix memory corruption in USB network device driver `[5] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:21.usb_net.asc>`__
* src: fix multiple vulnerabilities in sqlite3 `[6] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:22.sqlite.asc>`__
* src: fix sendmsg(2) privilege escalation `[7] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:23.sendmsg.asc>`__
* ports: perl 5.32.0 `[8] <https://metacpan.org/changes/release/XSAWYERX/perl-5.32.0>`__
* ports: squid 4.12 `[9] <http://www.squid-cache.org/Versions/v4/squid-4.12-RELEASENOTES.html>`__

--------------------------------------------------------------------------
20.7 (July 30, 2020)
--------------------------------------------------------------------------

For five and a half years, OPNsense has been driving innovation through modularising
and hardening the open source firewall, with simple and reliable firmware
upgrades, multi-language support, HardenedBSD security, fast adoption of
upstream software updates as well as clear and stable 2-Clause BSD licensing.

20.7, nicknamed "Legendary Lion", is a major operating system jump forward on
a sustainable firewall experience. This release adds DHCPv6 multi-WAN, custom
error pages for the web proxy, Suricata 5, HardenedBSD 12.1, netstat tree view,
basic firewall API support (via plugin) and extended live log filtering amongst
others.

Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
can be found below as well.

* Europe: https://mirrors.dotsrc.org/opnsense/releases/20.7/
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.7/
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.7/
* South America: https://mirror.venturasystems.tech/opnsense/releases/20.7/
* Australia: http://mirror.as24220.net/opnsense/releases/20.7/
* Full mirror list: https://opnsense.org/download/

Here are the full patch notes against version 20.7-RC1:

* system: syslog-ng RFC5424 on FreeBSD 12 needs flags(syslog-protocol)
* installer: welcome users as genuine 20.7 installer
* web proxy: do not try to force cachemanager access to use ICAP
* plugins: os-collectd 1.3 `[2] <https://github.com/opnsense/plugins/blob/master/net-mgmt/collectd/pkg-descr>`__
* plugins: os-zabbix5-proxy 1.3 `[3] <https://github.com/opnsense/plugins/blob/master/net-mgmt/zabbix5-proxy/pkg-descr>`__
* src: prevent netgraph page fault for LTE usage
* ports: dnsmasq 2.82 `[4] <https://www.thekelleys.org.uk/dnsmasq/CHANGELOG>`__
* ports: monit 5.27.0 `[5] <https://mmonit.com/monit/changes/>`__
* ports: nss 3.55 `[6] <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.55_release_notes>`__
* ports: sudo 1.9.2 `[7] <https://www.sudo.ws/stable.html#1.9.2>`__

Known issues and limitations:

* legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp are no longer available
* i386 architecture builds are no longer available

The public key for the 20.7 series is:

.. code-block::

    # -----BEGIN PUBLIC KEY-----
    # MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAngIbBcRin9AmDSOsjpft
    # 7aK52TLkOzRc94NqKKnn6ALd6poEuFqYl1tfNT6XumBJDsRL1s56UYfjS8zpvFW3
    # HdzKOv4YtIln6qUuC1w8TXYNprasB/laYoBn2xeCGX5L6carlujQ+h0rsj+kpawr
    # E0/d6oRzR69cxQyoDQHD559Wv4nA795M6QGDhhl3dDq/92gzrrq3C5gJ7ldHi13c
    # inM2Fw+oPUfEIWUt/sqUTZheEk0Df3LSiJlgjQDhjh5uujTLgvX8IzfYAb8clgY3
    # DplgOh4ReoFnx6XVERSPa91ZJGeCV4dTGD2hU40rzU1lkQaiVUITLsfjrYUsNMEo
    # jdG+ndGIPTOrwXH4yGRZuUZZ612ALtO6bd4V1kAOLOS07mo4JB4poEbbB0lvZJSG
    # iTmU9od8zutnLkD66Q/qI8e6OcL0yqjwwG9DzCKg23M6cVWfyBTJhKoqQyhNWnzZ
    # bzvgOXfhOA8jn8FPChaU5OiIrv+g56pQrWKcQsvgQMqlyR+/AFSIrrqprCjDkfOG
    # bxFqTGkPb1n32nbnXJOA5Z43G9/PtBV8lvaEzli6Vehh+Zrcuy8yupbiVWSqTOfp
    # E5cYAmrlDkxKyAlZQtH6EhMF1VBQRrlqGhss5XYoE3DQDqWdhUbGv8Qiiv7ROCza
    # SIMuSzc6u35MooDRDZF4Ba0CAwEAAQ==
    # -----END PUBLIC KEY-----

.. code-block::

    # SHA256 (OPNsense-20.7-OpenSSL-dvd-amd64.iso.bz2) = 580070a3a0533418d58eaeb78122f804f2df7081c929288e1dccee34c4bf763a
    # SHA256 (OPNsense-20.7-OpenSSL-nano-amd64.img.bz2) = 6deb370c2a64fa6c60b7f59a4afb31b2dd28b812f5fcd59eaa6d458938d45630
    # SHA256 (OPNsense-20.7-OpenSSL-serial-amd64.img.bz2) = 1276cddd5f7b89aa54fc4a1517cb0686efe94f672627243c5b34d93340441d60
    # SHA256 (OPNsense-20.7-OpenSSL-vga-amd64.img.bz2) = 72cbffe3bba4884586c8ded8dbca4cf30fb34a094602e5f681efde2deea595c6

--------------------------------------------------------------------------
20.7.r1 (July 21, 2020)
--------------------------------------------------------------------------

For five and a half years, OPNsense has been driving innovation through modularising
and hardening the open source firewall, with simple and reliable firmware
upgrades, multi-language support, HardenedBSD security, fast adoption of
upstream software updates as well as clear and stable 2-Clause BSD licensing.

We thank all of you for helping test, shape and contribute to the project!
We know it would not be the same without you. <3

Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
can be found below as well.

* Europe: https://mirrors.dotsrc.org/opnsense/releases/20.7/
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.7/
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.7/
* South America: https://mirror.venturasystems.tech/opnsense/releases/20.7/
* Australia: http://mirror.as24220.net/opnsense/releases/20.7/
* Full mirror list: https://opnsense.org/download/

Here are the full patch notes against 20.1.8_1:

* system: allow to optionally disable legacy logging (clog)
* system: do not allow login redirects to visit external pages
* system: add new "auth user changed" config event and hook it into LDAP updatePolicies()
* system: adapt to 3wire serial console setting
* system: figure out which sysctls are writeable before attempting to write them
* system: Windows-friendly Nextcloud configuration backup file timestamp (contributed by @Alphakilo)
* system: disable PCRE JIT in PHP config
* system: clean up start / stop beep handler
* interfaces: improved VLAN handling and defaults for more stable netmap use on 12.1
* interfaces: support DHCPv6 multi-WAN (contributed by Team Rebellion)
* interfaces: show delegated prefix in overview (contributed by Team Rebellion)
* interfaces: DHCPv4 no-release and debug options moved to global interface settings
* interfaces: automatically register loopback device lo0
* firewall: handle new net.pf.request_maxcount system limit accordingly
* firewall: properly evaluate and execute gateway monitoring kill states feature
* firewall: add the iplen option to shaper rules (contributed by Maxfield Allison)
* firewall: show partial alias content in tooltip
* firewall: translated static log overview page to MVC
* firewall: aliases now show internal aliases
* firewall: validate if NAT destination contains a port
* firewall: prevent config_read_array() from adding an empty lo0
* firmware: added fingerprint for 20.7 series
* firmware: hint at missing plugins and request to install or dismiss
* intrusion detection: extend rule search with metadata and show results on rule info
* intrusion detection: updated pattern options (contributed by @Xeroxxx)
* intrusion detection: synchronize suricata.yaml with default template
* network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by @mikahe)
* network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by @mikahe)
* unbound: integrate functionality formerly known as "unbound-plus" plugin (contributed by Michael Muenz)
* web proxy: support for custom error pages (sponsored by Incenter Technology)
* web proxy: add connect_timeout (contributed by Michael Muenz)
* web proxy: allow PURGE on cache (contributed by @sazb)
* web proxy: add missing IPv6 listener
* mvc: add "S" option for AllowDynamic in InterfaceField type
* mvc: LegacyLinkField not allowed to return null in __toString()
* backend: add safeguard for illegal configd settings leading to overrides on the same command leaf
* backend: remove undocumented and unused alias support
* mvc: support virtual nodes in model instances
* rc: implement inline variables for skip and defer service start
* ui: unify edit dialog and add onBeforeRenderDialog event deferrable
* ui: use firewall groups to group interfaces menu accordingly
* ui: moved virtual IP menu entry to interfaces
* ui: jQuery 3.5.1
* plugins: os-dyndns 1.22 `[2] <https://github.com/opnsense/plugins/pull/1654>`__
* plugins: os-intrusion-detection-content-et-pro 1.0.2 switches to Suricata 5 rules
* plugins: os-telegraf 1.8.1 `[3] <https://github.com/opnsense/plugins/blob/master/net-mgmt/telegraf/pkg-descr>`__
* plugins: os-theme-rebellion 1.8.6 (contributed by Team Rebellion)
* plugins: os-tinc fixes switch mode `[4] <https://github.com/opnsense/plugins/pull/1733>`__
* plugins: os-wireguard 1.2 `[5] <https://github.com/opnsense/plugins/pull/1865>`__
* src: HardenedBSD 12.1-p7
* ports: ca_root_nss 3.54
* ports: curl 7.71.1 `[6] <https://curl.haxx.se/changes.html>`__
* ports: php 7.3.20 `[7] <https://www.php.net/ChangeLog-7.php#7.3.20>`__
* ports: python 3.7.8 `[8] <https://www.python.org/downloads/release/python-378/>`__
* ports: sqlite 3.32.3 `[9] <https://www.sqlite.org/changes.html>`__
* ports: suricata 5.0.3 `[10] <https://suricata-ids.org/2020/04/28/suricata-5-0-3-released/>`__

Known issues and limitations:

* Legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp will no longer be available
* i386 architecture builds will no longer be available
* Installer still advertises 20.1

The public key for the 20.7 series is:

.. code-block::

    # -----BEGIN PUBLIC KEY-----
    # MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAngIbBcRin9AmDSOsjpft
    # 7aK52TLkOzRc94NqKKnn6ALd6poEuFqYl1tfNT6XumBJDsRL1s56UYfjS8zpvFW3
    # HdzKOv4YtIln6qUuC1w8TXYNprasB/laYoBn2xeCGX5L6carlujQ+h0rsj+kpawr
    # E0/d6oRzR69cxQyoDQHD559Wv4nA795M6QGDhhl3dDq/92gzrrq3C5gJ7ldHi13c
    # inM2Fw+oPUfEIWUt/sqUTZheEk0Df3LSiJlgjQDhjh5uujTLgvX8IzfYAb8clgY3
    # DplgOh4ReoFnx6XVERSPa91ZJGeCV4dTGD2hU40rzU1lkQaiVUITLsfjrYUsNMEo
    # jdG+ndGIPTOrwXH4yGRZuUZZ612ALtO6bd4V1kAOLOS07mo4JB4poEbbB0lvZJSG
    # iTmU9od8zutnLkD66Q/qI8e6OcL0yqjwwG9DzCKg23M6cVWfyBTJhKoqQyhNWnzZ
    # bzvgOXfhOA8jn8FPChaU5OiIrv+g56pQrWKcQsvgQMqlyR+/AFSIrrqprCjDkfOG
    # bxFqTGkPb1n32nbnXJOA5Z43G9/PtBV8lvaEzli6Vehh+Zrcuy8yupbiVWSqTOfp
    # E5cYAmrlDkxKyAlZQtH6EhMF1VBQRrlqGhss5XYoE3DQDqWdhUbGv8Qiiv7ROCza
    # SIMuSzc6u35MooDRDZF4Ba0CAwEAAQ==
    # -----END PUBLIC KEY-----

Please let us know about your experience!

.. code-block::

    # SHA256 (OPNsense-20.7.r1-OpenSSL-dvd-amd64.iso.bz2) = d54dca6390497d45b831f68f352fccf84881aac78a360247965e5c9b36fbfded
    # SHA256 (OPNsense-20.7.r1-OpenSSL-nano-amd64.img.bz2) = f78d51d53bf663df2d49a3724812893d8c55234ab8d4a9232663fa581496edbe
    # SHA256 (OPNsense-20.7.r1-OpenSSL-serial-amd64.img.bz2) = 984f8c9d63598f061cc8995245dea73703532c1bb688ac87cdb1e510fb53b80e
    # SHA256 (OPNsense-20.7.r1-OpenSSL-vga-amd64.img.bz2) = 711811e0a7d37d323a060c52590daa9f024e77c6da627530c6596367a09b412d