diff --git a/source/BE_releases.rst b/source/BE_releases.rst new file mode 100644 index 00000000..09cb8edf --- /dev/null +++ b/source/BE_releases.rst @@ -0,0 +1,27 @@ +==================================== +Business Edition +==================================== + + + +.. image:: images/architecture-blue-sky-business-2599538.jpg + :width: 600px + :align: center + +OPNsense Business Edition is intended for companies, enterprises and professionals looking for a more +selective upgrade path (lags behind the community edition), additional commercial features and who want to +support the project in a more commercial way compared to donating. + + + +The list below contains all releases, ordered by version number categorized by major version. + +.. toctree:: + :maxdepth: 2 + :titlesonly: + :glob: + + releases/BE_20.7 + releases/BE_20.1 + releases/BE_19.7 + releases/BE_19.1 \ No newline at end of file diff --git a/source/CE_releases.rst b/source/CE_releases.rst new file mode 100644 index 00000000..6ef4d648 --- /dev/null +++ b/source/CE_releases.rst @@ -0,0 +1,35 @@ +==================================== +Community Edition +==================================== + + + +.. image:: /development/images/ideas_join_the_development.jpg + :width: 600px + :align: center + +As of January 2015 there have been *195* releases leading to the latest version *21.1* +named "Marvelous Meerkat". + + + +The list below contains all releases, ordered by version number categorized by major version. + +.. toctree:: + :maxdepth: 2 + :titlesonly: + :glob: + + releases/CE_21.1 + releases/CE_20.7 + releases/CE_20.1 + releases/CE_19.7 + releases/CE_19.1 + releases/CE_18.7 + releases/CE_18.1 + releases/CE_17.7 + releases/CE_17.1 + releases/CE_16.7 + releases/CE_16.1 + releases/CE_15.7 + releases/CE_15.1 \ No newline at end of file diff --git a/source/releases.rst b/source/releases.rst index 6c05ab7f..e5e0c254 100644 --- a/source/releases.rst +++ b/source/releases.rst 
@@ -6,26 +6,11 @@ Releases :width: 600px :align: center -As of January 2015 there have been *195* releases leading to the latest version *21.1* -named "Marvelous Meerkat". - -The list below contains all releases, ordered by version number categorized by major version. .. toctree:: :maxdepth: 2 :titlesonly: :glob: - releases/21.1 - releases/20.7 - releases/20.1 - releases/19.7 - releases/19.1 - releases/18.7 - releases/18.1 - releases/17.7 - releases/17.1 - releases/16.7 - releases/16.1 - releases/15.7 - releases/15.1 \ No newline at end of file + CE_releases + BE_releases diff --git a/source/releases/19.1.rst b/source/releases/BE_19.1.rst similarity index 100% rename from source/releases/19.1.rst rename to source/releases/BE_19.1.rst diff --git a/source/releases/19.7.rst b/source/releases/BE_19.7.rst similarity index 100% rename from source/releases/19.7.rst rename to source/releases/BE_19.7.rst diff --git a/source/releases/20.1.rst b/source/releases/BE_20.1.rst similarity index 100% rename from source/releases/20.1.rst rename to source/releases/BE_20.1.rst diff --git a/source/releases/20.7.rst b/source/releases/BE_20.7.rst similarity index 100% rename from source/releases/20.7.rst rename to source/releases/BE_20.7.rst diff --git a/source/releases/15.1.rst b/source/releases/CE_15.1.rst similarity index 100% rename from source/releases/15.1.rst rename to source/releases/CE_15.1.rst diff --git a/source/releases/15.7.rst b/source/releases/CE_15.7.rst similarity index 100% rename from source/releases/15.7.rst rename to source/releases/CE_15.7.rst diff --git a/source/releases/16.1.rst b/source/releases/CE_16.1.rst similarity index 100% rename from source/releases/16.1.rst rename to source/releases/CE_16.1.rst diff --git a/source/releases/16.7.rst b/source/releases/CE_16.7.rst similarity index 100% rename from source/releases/16.7.rst rename to source/releases/CE_16.7.rst 
diff --git a/source/releases/17.1.rst b/source/releases/CE_17.1.rst similarity index 100% rename from source/releases/17.1.rst rename to source/releases/CE_17.1.rst diff --git a/source/releases/17.7.rst b/source/releases/CE_17.7.rst similarity index 100% rename from source/releases/17.7.rst rename to source/releases/CE_17.7.rst diff --git a/source/releases/18.1.rst b/source/releases/CE_18.1.rst similarity index 100% rename from source/releases/18.1.rst rename to source/releases/CE_18.1.rst diff --git a/source/releases/18.7.rst b/source/releases/CE_18.7.rst similarity index 100% rename from source/releases/18.7.rst rename to source/releases/CE_18.7.rst diff --git a/source/releases/CE_19.1.rst b/source/releases/CE_19.1.rst new file mode 100644 index 00000000..5497efb2 --- /dev/null +++ b/source/releases/CE_19.1.rst 
@@ -0,0 +1,986 @@ +=========================================================================================== +19.1 "Inspiring Iguana" Series +=========================================================================================== + + + +For more than four years now, OPNsense is driving innovation through +modularising and hardening the open source firewall, with simple and +reliable firmware upgrades, multi-language support, HardenedBSD security, +fast adoption of upstream software updates as well as clear and stable +2-Clause BSD licensing. + +The 19.1 release, nicknamed "Inspiring Iguana", consists of a total of +620 individual changes since 18.7 came out 6 months ago, spread out over +12 intermediate releases including the recent release candidates. That is +the average of 2 stable releases per month, security updates and important +bug fixes included! If we had to pick a few highlights it would be: The +firewall alias API is finally in place. The migration to HardenedBSD 11.2 +has been completed. 2FA now works with a remote LDAP / local TOTP +combination. And the OpenVPN client export was rewritten for full API +support as well. + +Download links, an installation guide `[1] `__ and the checksums for the images +can be found below as well. + +* Europe: https://opnsense.c0urier.net/releases/19.1/ +* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.1/ +* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.1/ +* South America: http://mirror.upb.edu.co/opnsense/releases/19.1/ +* South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.1/ +* Full mirror list: https://opnsense.org/download/ + + +-------------------------------------------------------------------------- +19.1.10 (July 03, 2019) +-------------------------------------------------------------------------- + + +Small update as we are nearing the end of the 19.1 series. 
Yes, it is +that time of the year again with a release candidate only a few days +away and a final release date set to July 17. + +Here are the full patch notes: + +* system: change certificate manager actions to POST +* system: fix account removal with missing "-g" option +* system: add dashboard widgets to XMLRPC sync +* firewall: fix live log rule label mismatch caused by optimisation +* firewall: fix alias import with alias references included +* firewall: change default sorting of aliases to names +* firmware: add homelab.no mirror (contributed by Thomas Jensen) +* intrusion detection: when toggling rules keep the current action +* intrusion detection: suppress mystery PHP 7.2+ warning in API +* intrusion detection: show SID in alert view +* web proxy: add cache reset button +* web proxy: correct syslog export +* plugins: os-dyndns 1.6 DigitalOcean support (contributed by Dune Heishman) +* plugins: os-etpro-telemetry Python 3 support +* plugins: os-frr 1.11 `[1] `__ +* plugins: os-nginx 1.14 `[2] `__ +* plugins: os-rspamd 1.7 `[3] `__ +* plugins: os-tinc Python 3 support +* ports: ca_root_nss 3.44.1 +* ports: curl 7.65.1 `[4] `__ +* ports: libevent 2.1.10 `[5] `__ +* ports: libxml 2.9.9 `[6] `__ +* ports: libressl 2.9.2 `[7] `__ `[8] `__ +* ports: phalcon 3.4.4 `[9] `__ +* ports: strongswan 5.8.0 `[10] `__ +* ports: unbound 1.9.2 `[11] `__ + +A hotfix release was issued as 19.1.10_1: + +* firmware: enable upgrade path to 19.7 + + + +-------------------------------------------------------------------------- +19.1.9 (June 06, 2019) +-------------------------------------------------------------------------- + + +Small 19.1 series update mainly focusing on LDAP group synchronisation +and assorted OpenVPN improvements. Two regressions of previous versions +have been fixed as well. 
+ +Here are the full patch notes: + +* system: add LDAP group synchronisation feature +* system: allow an arbitrary group for sudo like ssh login +* system: stop using a lock around resolv.conf handling +* system: rename a number of service-related functions +* system: login not using cache-safe image yet +* system: add pluginctl -s support +* system: restyle config backup page +* system: fix log split view regression of 19.1.8 +* interfaces: remove DHCPv6 on delete and clear config on IPsec assignment +* interfaces: small VIP restructure and IPv6 alias to IPv6 device +* interfaces: subtle changes in IPv6 and variable naming +* interfaces: add missing does_interface_exist() checks +* firewall: support multiple interfaces per NAT port forward rule +* captive portal: use "onestop" to stop service +* intrusion detection: missing header ID in alerts tab +* ipsec: remove remnants of gateway group interface selection +* ipsec: use indirect plugin calls in interface code +* openvpn: add live-search to longer lists in server page +* openvpn: support --cryptoapicert export (sponsored by m.a.x. 
it `[1] `__ ) +* opnevpn: correctly check for translation in get_carp_interface_status() +* openvpn: use waitforpid() to properly wait for instanes to come up +* openvpn: translate GUI error values when returning them +* openvpn: revamp status page +* unbound: leases watcher file rotation issue +* web proxy: squid log in readable date format (contributed by nhirokinet) +* web proxy: fix non-local authentication regression of 19.1.7 +* plugins: os-bind 1.5 `[2] `__ +* plugins: os-clamav 1.7 `[3] `__ +* plugins: os-dnscrypt-proxy 1.4 `[4] `__ +* plugins: os-dyndns clouldflare wildcard domain support +* plugins: os-nginx 1.13 `[5] `__ +* plugins: os-openconnect 1.4.0 `[6] `__ +* plugins: os-redis 1.1 `[7] `__ +* plugins: os-rspamd 1.6 `[8] `__ +* plugins: os-theme-cicada 1.18 (contributed by Team Rebellion) +* plugins: os-theme-tukan 1.18 (contributed by Team Rebellion) +* ports: curl 7.65.0 `[9] `__ +* ports: lighttpd 1.4.54 `[10] `__ +* ports: python 3.7.3 `[11] `__ +* ports: openssl 1.0.2s `[12] `__ +* ports: php 7.2.19 `[13] `__ + + + +-------------------------------------------------------------------------- +19.1.8 (May 20, 2019) +-------------------------------------------------------------------------- + + +This update addresses several privilege escalation issues in the access +control implementation and new memory disclosure issues in Intel CPUs. +We would like to thank Arnaud Cordier and Bill Marquette for the top-notch +reports and coordination. 
+ +Here are the full patch notes: + +* system: address CVE-2019-11816 privilege escalation bugs `[1] `__ (reported by Arnaud Cordier) +* system: /etc/hosts generation without interface_has_gateway() +* system: show correct timestamp in config restore save message (contributed by nhirokinet) +* system: list the commands for the pluginctl utility when no argument is given +* system: introduce and use userIsAdmin() helper function instead of checking for "page-all" privilege directly +* system: use absolute path in widget ACLs (reported by Netgate) +* system: RRD-related cleanups for less code exposure +* interfaces: add EN DUID Generation using OPNsense PEN (contributed by Team Rebellion) +* interfaces: replace legacy_getall_interface_addresses() usage +* firewall: fix port validation in aliases with leading / trailing spaces +* firewall: fix outbound NAT translation display in overview page +* firewall: prevent CARP outgoing packets from using the configured gateway +* firewall: use CARP net.inet.carp.demotion to control current demotion in status page +* firewall: stop live log poller on error result +* dhcp: change rule priority to 1 to avoid IPv6 bogon clash +* dnsmasq: only admins may edit custom options field +* firmware: use insecure mode for base and kernel sets when package fingerprints are disabled +* firmware: add optional device support for base and kernel sets +* firmware: add Hostcentral mirror (HTTP, Melbourne, Australia) +* ipsec: always reset rightallowany to default when writing configuration +* lang: say "hola" to Spanish as the newest available GUI language +* lang: updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese +* network time: only admins may edit custom options field +* openvpn: call openvpn_refresh_crls() indirectly via plugin_configure() for less code exposure +* openvpn: only admins may edit custom options field to prevent privilege escalation (reported by Bill Marquette) +* openvpn: remove custom options field 
from wizard +* unbound: only admins may edit custom options field +* wizard: translate typehint as well +* plugins: os-freeradius 1.9.3 fixes string interpolation in LDAP filters (contributed by theq86) +* plugins: os-nginx 1.12 `[2] `__ +* plugins: os-theme-cicada 1.17 (contributed by Team Rebellion) +* plugins: os-theme-tukan 1.17 (contributed by Team Rebellion) +* src: timezone database information update `[3] `__ +* src: install(1) broken with partially matching relative paths `[4] `__ +* src: microarchitectural Data Sampling (MDS) mitigation `[5] `__ +* ports: ca_root_nss 3.44 +* ports: php 7.2.18 `[6] `__ +* ports: sqlite 3.28.0 `[7] `__ +* ports: strongswan custom XAuth generic patch removed + + + +-------------------------------------------------------------------------- +19.1.7 (May 02, 2019) +-------------------------------------------------------------------------- + + +This update features a number of improvements such as link-local support +for bridges, HA sync consolidation, adding local CAs to the trusted SSL +certificates for most of the system download capabilities, plugin-based +PAM authentication rework for IPsec and the web proxy as well as third +party fixes for hostapd / wpa_supplicant 2.8 and Suricata 4.1.4. + +Python 3 migration is also underway now which requires to pull in both +Python versions which may be heavy on embedded Nano installs, but we +cannot see another way for this tedious task which will probably stretch +into 19.7 to be fully carried out in 20.1. + +And speaking of 20.1: This is the first of many reminders that 20.1 will +discontinue the i386 (Intel 32 Bit) franchise as discussed a number of +times within the community over the years. Our hope is that ARM64 will +make a viable replacement. But that is for another time. 
+ +As you may have noticed the project has not been delivering releases every +other week and there are a number of reasons for it: + +Security-wise we have not had a lot of necessary third-party software +updates. Feature-wise we are sitting on a number of improvements for the +upcoming 19.7 series that will trickle into 19.1.x now, but that have also +required larger preparations and testing in the meantime. On the community +side of the spectrum, sponsored by our partner m.a.x. it, we have started +to work on better default gateway switching which led to an overall gateway +integration rework and then quickly to interface handling restructuring, +which in turn led to improving plugin capabilities of core services +(OpenVPN, IPsec, Unbound, Dnsmasq, DHCPD, Dpinger). Looking at it now it +has been the largest rework so far on code established many years ago and +only occasionally patched. We hope this shows our dedication to the code +base even when things are not always 100% bug free. If you feel like +pitching in now is a good time to try the development version and let us +know about how it performs. 
+ +Without further ado, here are the full patch notes: + +* system: HA sync cleanup removes opportunistic syncs in random GUI pages (use HA status page to sync and restart remote services) +* system: support for syncing alias and VHID to the slave +* system: cleanly rewrite CA root files and add local trusted CAs as well +* system: disable backup cron job when no backup is enabled +* system: more reliable load and sync for LDAP attributes (contributed by Indrajit Raychaudhuri) +* system: migrate health graph scripts to Python 3.6 +* interfaces: properly add and remove IPv6 trackers after interface apply +* interfaces: validate prefix ID of IPv6 trackers so that each ID is unique +* interfaces: display "0x" in prefix ID field so that it is clear that value is in hex +* interfaces: fix passing VLAN name in interface_virtual_create() +* interfaces: fix group-related bugs and allow digits and underscores in name, but no more than 15 characters +* interfaces: allow link-local address on bridges via optional setting +* interfaces: PPP-related code cleanups +* firewall: prevent double-escaping of text in rules page +* firewall: handle IDNA encode failures in aliases +* firewall: alias import / export option +* captive portal: update to bootstrap 3.4.1 +* captive portal: fix a race in directory creation and listClients() +* dhcp: fix TFTP boot file name usage (contributed by Bjorn Kalkbrenner) +* dhcp: merge static mac addresses with leases +* dhcp: prevent double-escaping of text in leases page +* firmware: add private log file for major upgrade package install step +* firmware: use a safer major upgrade package install mode +* firmware: retain /etc/motd on base updates +* ipsec: implemented wildcard includes (contributed by Mark Plomer) +* ipsec: only apply mobile PFS to mobile phase 2 +* ipsec: restyle mobile settings a little +* ipsec: switch XAuth to PAM +* ipsec: partial fix for static routes on routed tunnels during boot +* network time: reload RRD since NTP has a 
setting for it +* web proxy: fix PAC weekday match labels (contributed by Mohammed Sadiq) +* web proxy: switch authentication to PAM +* backend: treat non existing key as empty string in sortDictList() +* mvc: pluggable PAM-based authentication framework +* mvc: add filter closure to searchBase() +* plugins: introduce plugins_run() for collecting structured data from plugins +* plugins: os-clamav 1.6 `[1] `__ +* plugins: os-dyndns 1.5 fixes CloudFlare zone ID lookup behaviour (contributed by George Johnson) +* plugins: os-frr 1.10 `[2] `__ +* plugins: os-netdata 1.0 (contributed by Michael Muenz) +* plugins: os-nginx 1.11_2 fixes ACME support (contributed by Frank Wall) +* plugins: os-rfc2136 1.5 removes unused gateway group related code +* src: move invoking of callout_stop(&lle->lle_timer) into llentry_free() +* src: ensure that IP addresses match in ICMP error packets in pf(4) +* src: add bsdinstall utility for upcoming 19.7 installer replacement +* ports: dhcp6c v20190419 fixes raw options segfaults (contributed by Franck78) +* ports: hostapd / wpa_supplicant 2.8 `[3] `__ +* ports: perl 5.28.2 `[4] `__ +* ports: py-yaml 5.1 `[5] `__ +* ports: suricata 4.1.4 `[6] `__ +* ports: sqlite 3.27.2 `[7] `__ + + + +-------------------------------------------------------------------------- +19.1.6 (April 11, 2019) +-------------------------------------------------------------------------- + + +This update brings a smaller number of fixes and improvements as well as +the latest PHP version update. + +With a heavy heart we disable E_WARNING messages in the PHP error reporting. +It has been implemented in 2015 to improve code quality and it did just that, +but with the latest PHP 7.2 jump in 19.1.5 it causes problems around the +newly added count() usage warning messages. We plan to bring back E_WARNING +usage in 19.7. 
+ +Here are the full patch notes: + +* system: let dashboard only accept its own POST requests +* system: remove obsolete symlink to opnsense-auth +* system: skip PHP E_WARNING log level until 19.7 +* system: numerous PHP 7.2 warning fixes +* dhcp: DHCPD server check in relay only if interface is active +* dnsmasq: skip empty custom options +* intrusion prevention: do not drop flowbits:noalert rules +* unbound: add ACL entries for OpenVPN by default +* mvc: controller cleanups in firewall shaper, web proxy and captive portal +* plugins: numerous PHP 7.2 warning fixes +* plugins: os-freeradius 1.9.2 fixes LDAP group filter and EAP certificates write (contributed by Alexander Harm) +* plugins: os-nginx 1.11 `[1] `__ +* ports: php 7.2.17 `[2] `__ +* ports: py-certifi 2019.3.9 `[3] `__ + + + +-------------------------------------------------------------------------- +19.1.5 (April 05, 2019) +-------------------------------------------------------------------------- + + +After a longer pause we are back with considerable upgrades for IPsec, +a new CSR feature for local CAs, PHP 7.2 migration and a number of other +considerable third party updates. 
+ +These are the full patch notes: + +* system: improve gateway status return when monitoring is off +* system: warn user about future deprecation of "user-config-readonly" privilege +* system: support certificate signing requests (contributed by nhirokinet) +* system: syslog does not need to do a background startup since it backgrounds itself +* system: invalidate Nextcloud URL with trailing slash (contributed by Fabian Franz) +* system: avoid double encoding cert name (contributed by Indrajit Raychaudhuri) +* interfaces: fix facility for rtsold log about dhcp6c (contributed by Thomas du Boys) +* interfaces: take all unknown arguments as real interfaces in interfaces_addresses() +* interfaces: optionally allow interfaces_addresses() to emit subnets instead of addresses +* interfaces: move mpd.script to new location (may require interface reconfigure) +* firewall: proper locking of aliases before config action on delete +* firewall: correctly set outbound NAT destination as network +* firewall: add support for DSCP in shaper (contributed by Michael Muenz) +* firewall: add support for IDN in aliases (contributed by Smart-Soft) +* captive portal: allow access to this host (contributed by Fredrik Ronnvall) +* firmware: fix parsing of packages in multi-repo env and revoked fingerprint message +* firmware: add University of Kent to the firmware mirrors +* ipsec: only use explicit reqid when using route-based interfaces +* ipsec: correctly set install policy option on newly created phase 1 entries +* ipsec: improve split DNS and INTERNAL_DNS_DOMAIN configuration +* ipsec: added IKEv2 DH group 31 / curve 25519 (contributed by Peter Stehlin) +* ipsec: properly quote UNITY_BANNER for multi-line support +* ipsec: support for dynamic remote gateways +* monit: add migration/validation for service/test type dependency (contributed by Frank Brendel) +* monit: added missing "not on" label +* openvpn: support static-challenge formatted password +* openvpn: properly load custom 
config field in exporter +* openvpn: cleanups in listening address handling +* web proxy: IP address not available when address set to none +* web proxy: add sortable support for PAC proxy lists (contributed by Fabian Franz) +* web proxy: add dash to allowed characters in description (contributed by Fabian Franz) +* backend: python 2->3 iteritems() conversion in core templates +* mvc: migrate config backup rotation to handle static and MVC pages (contributed by Smart-Soft) +* mvc: controller cleanups in cron, intrusion detection, routes +* mvc: obey "user-config-readonly" privilege in mutable controllers +* mvc: support overlays in setBase() / addBase() +* ui: remove jquery-bootgrid converters which are now included in the library +* plugins: os-acmle-client 1.23 `[1] `__ `[2] `__ `[3] `__ +* plugins: os-dyndns 1.14 supports wildcards for Google Domains +* plugins: os-etpro-telemetry 1.3 uses HOME_NET to anonymization +* plugins: os-freeradius 19.1.0 `[4] `__ +* plugins: os-frr 1.9 `[5] `__ +* plugins: os-nginx 1.10 `[6] `__ +* plugins: os-postfix 1.9 `[7] `__ +* plugins: os-rspamd 1.5 `[8] `__ +* plugins: os-telegraf 1.7.5 `[9] `__ +* plugins: os-theme-cicada 1.15 (contributed by Team Rebellion) +* plugins: os-theme-tukan 1.14 (contributed by Team Rebellion) +* plugins: os-zabbix-agent 1.5 `[10] `__ +* ports: ca_root_nss 3.43 +* ports: curl 7.64.1 +* ports: libucl 0.8.1 +* ports: pcre 8.43 +* ports: php 7.2.16 +* ports: py-cryptography 2.6.1 +* ports: phpseclib 2.0.15 +* ports: python 2.7.16 +* ports: unbound 1.9.1 + +A hotfix release was issued as 19.1.5_1: + +* mvc: sync missing hasPrivilege() + + + +-------------------------------------------------------------------------- +19.1.4 (March 12, 2019) +-------------------------------------------------------------------------- + + +An UEFI boot panic scenario was debugged last week with the help of the +community. 
This update includes a fix that will allow the ones affected +by this 19.1 issue to upgrade or install (and boot of course) correctly. +We are also including the IPsec VTI support and the latest Suricata 4.1.3 +with stability and compatibility fixes. + +Due to the severity of the UEFI boot panic 19.1.4 will be the new initial +release for all upgrades from 18.7 within a day or two depending on +additional testing and confirmation. Last but not least there will be +new images some time next week to put this fully behind us. Thank you +for your patience and understanding. :) + +Special thanks go to the team of Synacktiv for reporting a packet filter +IPv6 vulnerability for which a patch was included as well. + +Here are the full patch notes: + +* system: remove erroneously translated hostname example (contributed by nhirokinet) +* firewall: fix validation regression in outbound NAT introduced in 19.1.3 +* firewall: mock labels for NAT rules in live log as pf does not offer label support +* interfaces: do not background LAGG ifconfig destroy +* installer: revert to use network connection to allow CTRL+C and resume +* ipsec: added Virtual Tunnel Interface (VTI) support +* unbound: fix nested statistics items read +* mvc: remove old Phalcon volt template workarounds from when scopes were broken +* mvc: fix bug in model relation field values merge +* plugins: os-zabbix4-proxy PSK directory fix (contributed by Michael Muenz) +* plugins: os-telegraf missed invoke of setup.sh +* plugins: os-frr adds validator to OSPF prefix lists (contributed by Michael Muenz) +* plugins: os-dmidecode 1.1 fixes data parsing (contributed by Smart-Soft) +* plugins: os-nginx 1.9 `[1] `__ +* src: do not pass pf(4) IPv6 fragments with malformed extension headers (reported by Synacktiv) +* src: revert upstream commit "protect the kernel text, data, and BSS" to fix certain UEFI boots +* ports: monit 5.25.3 `[2] `__ +* ports: ntp 4.2.8p13 `[3] `__ +* ports: php 7.1.27 `[4] `__ +* ports: suricata 
4.1.3 `[5] `__ + +The full list of changes of the OPNsense 19.1 series can be reviewed using +their original announcements: + +* 19.1: https://forum.opnsense.org/index.php?topic=11398.0 +* 19.1.1: https://forum.opnsense.org/index.php?topic=11469.0 +* 19.1.2: https://forum.opnsense.org/index.php?topic=11849.0 +* 19.1.3: https://forum.opnsense.org/index.php?topic=11941.0 + +We would also like to use this opportunity to remind everyone that OPNsense +is and always will be free software. All of its source code and associated +build tools can be found here: + +https://github.com/opnsense + +Download links, an installation guide `[6] `__ and the checksums for the images +can be found below as well. + +* Europe: https://opnsense.c0urier.net/releases/19.1/ +* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.1/ +* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.1/ +* South America: http://mirror.upb.edu.co/opnsense/releases/19.1/ +* South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.1/ +* Full mirror list: https://opnsense.org/download/ + +The public key for the 19.1 series is: + +.. 
code-block:: + + # -----BEGIN PUBLIC KEY----- + # MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4NKHVbdmq9RN085Nfdyc + # ip5IMNwcc4QcvGIbN51+UiHh8+aj+JJSswHg5ZBwKk6bxt8kA1NAJQk5U6Qb/UXi + # QYt0zvN2ABrzBHq6WRE5WPzmQa1Raky4ChfQqorOFi3D96rMvI/Anm4OLllHcMX/ + # GKPA1XcODJTFQOjsAR+87V6Em+W0YX0lGLTmWdmwWfGeGQFJzA2A/Wxn3b0jDS9m + # pyHlj4jzat6032qs7Uxf+qWopj+d76ZyxedQVPswKa9o9qKF2iUoSSG/11kFpLi6 + # Y+gXCXZDL20GXsPuBi1hpPnkhBFI+WFlC1KiA8RRGMpDKGQFw/XYIwKvfdRw82Mx + # NkJYCiRNZxXnDzInTLuyEpS9yzQXdxa6YFR9USeFpjLaVUppT57M5xfdPFRdhImj + # 1crhMjQZWt+054JTadvEu4o1c+45damruqtQntvnF7h5vcNCjExlREKK32rMXbGD + # Fb19G/3x8UASqVslkXeNtTj0fVPN+78yVyqjWCBe2zHiBlnWBmRu6tlrEDl/MVAz + # Yk3rHMYdRpDYolWBD8bAzqohSatbrzWUjjF7GlLR6HfXsCYxPzGJb6Ed4We+ZjvH + # C3/LHyuZD6EmksSraJt8XeVvTQlPnPI+jVbqJERi/p3F9KRVy8mwEwk/4MDbPhZ0 + # zizSg7+Yn6Rac/F0QlvUPa8CAwEAAQ== + # -----END PUBLIC KEY----- + + + +.. code-block:: + + # SHA256 (OPNsense-19.1.4-OpenSSL-dvd-amd64.iso.bz2) = 5f2e64797fce03d4d47050894c38e8e176fda6281009abd36f60d788d3e29d42 + # SHA256 (OPNsense-19.1.4-OpenSSL-nano-amd64.img.bz2) = ee5171fb837884fffd29c6e75cb089dc4020fb89459143bd9e7b859b1da3fd89 + # SHA256 (OPNsense-19.1.4-OpenSSL-serial-amd64.img.bz2) = 07868978903220bf9dee26c936d25140df07ec9c02cb8c480bd8619e69c562a0 + # SHA256 (OPNsense-19.1.4-OpenSSL-vga-amd64.img.bz2) = e473bc645778c95596639056ecc8ef92a12a7fd1cdc52cd0b1f6294a64561311 + +.. 
code-block:: + + # SHA256 (OPNsense-19.1.4-OpenSSL-dvd-i386.iso.bz2) = 9f40b591c27d90a86c60ec0b539f228999953f947573e2e575c2936c3993d7c0 + # SHA256 (OPNsense-19.1.4-OpenSSL-nano-i386.img.bz2) = c624d50b19f2ae4d471076c53f5c516e3a523ff41b69d0bfa779b5fff6415f81 + # SHA256 (OPNsense-19.1.4-OpenSSL-serial-i386.img.bz2) = 62bff974ae4238dfc2e830a32fbf4bd357ff418d15be99b89ac129f839e10eaf + # SHA256 (OPNsense-19.1.4-OpenSSL-vga-i386.img.bz2) = ca893277a02b93129e6a30125107f7ad4fc01673b722f54ce6e5cb7eb438cae4 + +-------------------------------------------------------------------------- +19.1.3 (March 07, 2019) +-------------------------------------------------------------------------- + + +This is a smaller stable update consisting of LDAPS authentication +server improvements, Unbound host overrides alias support, OpenSSL +1.0.2r security update and the recent PAM rework for better privilege +separation. + +We are currently focusing on IPsec VTI, third-party service PAM +integration and investigating kernel boot crashes. In the latter +case we are aware of the update issues some people are having and +recommend running 18.7 until this is taken care of. Above all, +please be patient. New images and seamless upgrade paths will be +provided as soon as the problems have been pinned down. 
+ +Here are the full patch notes: + +* system: improve LDAPS mode and related authentication cleanups +* system: move enable checkbox to the top in remote logging settings +* system: allow reset of tunables to to factory defaults +* system: new tunables factory default to prevent ICMP redirects being sent (net.inet.icmp.drop_redirect=1) +* firewall: allow explicitly setting source hash key in outbound NAT (Fredrik Ronnvall) +* interfaces: probe media before applying new settings +* interfaces: correctly compare MAC addresses +* dhcp: added TFTP bootfile-name (contributed by Bjorn Kalkbrenner) +* firmware: move duty to return the correct set name / ID to opnsense-version +* firmware: finally revoke 18.7 fingerprint +* intrusion detection: minor template cleanups using helpers.empty() +* ipsec: peer identifier can now fall back to remote-gateway in manual SPD entries +* ipsec: allow easier override of colours in widget (contributed by Fabian Franz) +* monit: add validation for test type (contributed by Frank Brendel) +* openvpn: add auth-nocache option in exporter +* openvpn: validate certificate type for servers +* unbound: add host overrides alias support +* web proxy: add auth to parent proxy (contributed by Michael Muenz) +* backend: add helpers.empty() in configd +* mvc: simplify save / close / cancel button labels +* mvc: add sorting for field list types +* rc: move all template generation to early stage +* ui: improve escaping of displayed data in static pages +* ui: escape button values in static pages +* ui: avoid short PHP tags +* plugins: os-dnscrypt-proxy 1.3 `[1] `__ +* plugins: os-frr brings in missing area range code `[2] `__ +* plugins: os-postfix log file ACL and wrapper mode typo fix (contributed by Michael Muenz) +* plugins: os-theme-cicada IPsec widget colour fix (contributed by Team Rebellion) +* plugins: os-theme-tukan IPsec widget colour fix (contributed by Team Rebellion) +* plugins: os-vnstat /var MFS fix `[3] `__ +* plugins: os-zabbix4-proxy 
1.0 (contributed by Michael Muenz) +* ports: openssl 1.0.2r `[4] `__ +* ports: pam_opnsense 19.1.3 uses setuid for privilege separation +* ports: phalcon 3.4.3 `[5] `__ + + + +-------------------------------------------------------------------------- +19.1.2 (February 28, 2019) +-------------------------------------------------------------------------- + + +This update is the sum of a few weeks of intense testing and debugging +in areas such as WAN DHCP with very short lease times, Suricata IPS not +working as expected, stacked 6RD setups that have overly long device names +amongst others. + +The update may be a bit bumpy this time since the web GUI session directory +will be moved to a safer location. You will be logged out during the update +and the system will reboot due to the included operating system update. As +soon as it is back you will be able to log in as usual. + +LibreSSL received a major upgrade from 2.7 to 2.8. If you are using LibreSSL +and see any issues please do let us know because it sadly looks like third +party projects such as OpenVPN, Squid, StrongSwan and NTP leave the use of +LibreSSL to the few users who are able to fix the source code builds on their +own and we want to ideally avoid having to patch third party software. 
+ +Here are the full patch notes: + +* system: move session files into their own directory (forces the current sessions to expire) +* system: add validation check for time period for Dpinger (contributed by Team Rebellion) +* system: hide "show certificate info" button of pending CSR (contributed by nhirokinet) +* system: move opnsense-auth to libexec, but keep a symlink in sbin directory +* system: escaping issue in gateway edit page +* system: fix ACL for halt and reboot pages +* firewall: fix alias entry replacement in utility page +* firewall: prevent new alias creation when adding an address +* firewall: capture "nat" traffic like we do for "rdr" in live log +* firewall: escaping issues in schedule edit page +* interfaces: push dhclient and dhcp6c log messages to system log +* interfaces: write all nameservers via dhclient-script in multi WAN scenarios +* interfaces: check for valid alias IP in dhclient-script +* interfaces: 6RD interface naming back to 18.7 to sidestep character limits on stacked setups +* interfaces: avoid reading empty interface configurations +* firmware: bootstrap rework for HTTPS repository URL +* firmware: patch cache and assorted improvements +* firmware: minor update utility cleanups +* firmware: remove compatibility stubs for pre-19.1 version reads +* firmware: show revoked package mirror error in GUI if applicable +* firmware: bump RageNetwork mirror to HTTPS +* firmware: be more careful about parsing version info +* dhcp: fix behaviour of determining primary/secondary (contributed by Fredrik Ronnvall) +* intrusion detection: set stream.inline: true as an IPS workaround for a Suricata 4.1 regression `[1] `__ +* intrusion detection: support required rules/files in metadata package +* intrusion detection: less extensive logging +* ipsec: fix escaping issue in mobile page +* monit: fix address validation +* openvpn: obey verify-x509-name for remote access (user auth) +* openvpn: proper daemonize instead of background job +* openvpn: 
extract full CA chain for setup +* openvpn: missing "port" in protocol export +* mvc: fix port validation on whitespace input +* mvc: fix compare constraint (contributed by Fabian Franz) +* mvc: fix read-only access on config.xml during locked runs +* mvc: prevent UserException from being pushed to PHP error log +* ui: legacy browsers accommodation (contributed by NOYB) +* ui: update to Tokenize2 1.3 plus additional escaping patches +* ui: add support for Tokenize2 sortable tag +* ui: hardening of gettext() invokes in HTML tags +* ui: fix setFormData() HTML decode +* plugins: os-bind safe search google domain updates (contributed by Michael Muenz) +* plugins: os-dnscrypt-proxy 1.2 `[2] `__ +* plugins: os-dyndns 1.13 IPv6 device lookup fix +* plugins: os-etpro-telemetry 1.2 reduces telemetry data collection +* plugins: os-frr 1.8 adds route summarization via area range (contributed by Michael Muenz) +* plugins: os-haproxy 2.15 `[3] `__ `[4] `__ +* plugins: os-nginx 1.8 `[5] `__ +* plugins: os-ntopng 1.2 `[6] `__ +* src: clear callee-preserved registers on amd64 syscall exit `[7] `__ +* ports: cpdup 1.20 +* ports: curl 7.64.0 `[8] `__ +* ports: libressl 2.8.3 `[9] `__ +* ports: openvpn 2.4.7 `[10] `__ +* ports: pam_opnsense manual page addition +* ports: sqlite 3.27.1 `[11] `__ +* ports: squid forgery check avoidance `[12] `__ +* ports: strongswan 5.7.2 `[13] `__ +* ports: unbound 1.9.0 `[14] `__ + + + +-------------------------------------------------------------------------- +19.1.1 (February 05, 2019) +-------------------------------------------------------------------------- + + +This is a security and reliability release: WAN DHCP will no longer trust +the server MTU given. Uncoordinated cross site scripting issues have been +fixed. And the Python request library was patched due to CVE 2018-18074. 
+ +Here are the full patch notes: + +* system: address XSS-prone escaping issues `[1] `__ +* firewall: add port range validation to shaper inputs +* firewall: drop description validation constraints +* interfaces: DHCP override MTU option (contributed by Team Rebellion) +* interfaces: properly configure SIM PIN on custom modems +* reporting: prevent cleanup from deleting current data when future data exists +* ipsec: allow same local subnet if used in different phase 1 (contributed by Max Weller) +* openvpn: multiple client export fixes +* web proxy: add ESD files to Windows cache option (contributed by R-Adrian) +* plugins: os-acme-client 1.20 `[2] `__ +* plugins: os-dyndns fix for themed colours (contributed by Team Rebellion) +* plugins: os-etpro-telemetry 1.1 adds random delay to telemetry data send +* plugins: os-nginx 1.7 `[3] `__ +* plugins: os-rspamd reads DKIM keys via Redis (contributed by Garrod Alwood) +* plugins: os-theme-cicada 1.14 (contributed by Team Rebellion) +* plugins: os-theme-tukan 1.13 (contributed by Team Rebellion) +* ports: ca_root_nss 3.42.1 +* ports: lighttpd 1.4.53 `[4] `__ +* ports: py-request 2.21.0 `[5] `__ + + + +-------------------------------------------------------------------------- +19.1 (January 31, 2019) +-------------------------------------------------------------------------- + + +For more than four years now, OPNsense is driving innovation through +modularising and hardening the open source firewall, with simple and +reliable firmware upgrades, multi-language support, HardenedBSD security, +fast adoption of upstream software updates as well as clear and stable +2-Clause BSD licensing. + +The 19.1 release, nicknamed "Inspiring Iguana", consists of a total of +620 individual changes since 18.7 came out 6 months ago, spread out over +12 intermediate releases including the recent release candidates. That is +the average of 2 stable releases per month, security updates and important +bug fixes included! 
If we had to pick a few highlights it would be: The +firewall alias API is finally in place. The migration to HardenedBSD 11.2 +has been completed. 2FA now works with a remote LDAP / local TOTP +combination. And the OpenVPN client export was rewritten for full API +support as well. + +Download links, an installation guide `[1] `__ and the checksums for the images +can be found below as well. + +* Europe: https://opnsense.c0urier.net/releases/19.1/ +* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.1/ +* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.1/ +* South America: http://mirror.upb.edu.co/opnsense/releases/19.1/ +* South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.1/ +* Full mirror list: https://opnsense.org/download/ + +These are the most prominent changes since version 18.7: + +* fully functional firewall alias API +* PIE firewall shaper support +* firewall NAT rule logging support +* 2FA via LDAP-TOTP combination +* WPAD / PAC and parent proxy support in the web proxy +* P12 certificate export with custom passwords +* Dpinger is now the default gateway monitor +* ET Pro Telemetry edition plugin `[2] `__ +* extended IPv6 DUID support +* Dnsmasq DNSSEC support +* OpenVPN client export API +* Realtek NIC driver version 1.95 +* HardenedBSD 11.2, LibreSSL 2.7 +* Unbound 1.8, Suricata 4.1 +* Phalcon 3.4, Perl 5.28 +* firmware health check extended to cover all OS files, HTTPS mirror default +* updates are browser cache-safe regarding CSS and JavaScript assets +* collapsible side bar menu in the default theme +* language updates for Chinese, Czech, French, German, Japanese, Portuguese and Russian +* new plugins for API backup export, Bind, Hardware widget, Nginx, Ntopng, VnStat, Dnscrypt-proxy + +Here are the full changes against version 19.1-RC2: + +* ipsec: add firewall interface as soon as phase 1 is enabled +* ipsec: phase 1 selection GUI JavaScript compatibility fix +* monit: widget improvements and bug 
fix (contributed by Frank Brendel) +* ui: fix regression in single host or network subnet select in static pages +* plugins: os-frr 1.7 updates OSPF outbound rules (contributed by Fabian Franz) +* plugins: os-telegraf 1.7.4 fixes packet filter input +* plugins: os-theme-rebellion 1.8.2 adds image colour invert +* plugins: os-vnstat 1.1 `[3] `__ +* plugins: os-zabbix-agent now uses Zabbix version 4.0 +* src: revert mmc_calculate_clock() as HS200/HS400 support breaks legacy support +* src: update sqlite3-3.20.0 to sqlite3-3.26.0 `[4] `__ +* src: import tzdata 2018h, 2018i `[5] `__ +* src: avoid unsynchronized updates to kn_status `[6] `__ +* ports: ca_root_nss 3.42 +* ports: dhcp6c 20190128 prevent rawops double-free (contributed by Team Rebellion) +* ports: sudo patch to fix listpw=never `[7] `__ + +Migration notes and minor incompatibilities to look out for: + +* Gateway health graphs may need a manual reset due to the Apinger to Dpinger migration. Apinger is no longer available. +* Intrusion detection GeoIP rules are automatically deactivated and need to be manually migrated to firewall alias GeoIP. +* Quagga plugin has been superseded by FRR plugin. A binary quagga package has been conserved for the time being. +* Please read the FRR documentation with regard to the required system tunables `[8] `__ . +* Bhyve VM boot may fail as a guest. Use the "-w" parameter `[9] `__ to boot. +* Boot may fail due to Meltdown/Spectre mitigation. A workaround `[10] `__ exists. +* SNMP plugin has been superseded by Net-SNMP plugin. + +The public key for the 19.1 series is: + +.. 
code-block:: + + # -----BEGIN PUBLIC KEY----- + # MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4NKHVbdmq9RN085Nfdyc + # ip5IMNwcc4QcvGIbN51+UiHh8+aj+JJSswHg5ZBwKk6bxt8kA1NAJQk5U6Qb/UXi + # QYt0zvN2ABrzBHq6WRE5WPzmQa1Raky4ChfQqorOFi3D96rMvI/Anm4OLllHcMX/ + # GKPA1XcODJTFQOjsAR+87V6Em+W0YX0lGLTmWdmwWfGeGQFJzA2A/Wxn3b0jDS9m + # pyHlj4jzat6032qs7Uxf+qWopj+d76ZyxedQVPswKa9o9qKF2iUoSSG/11kFpLi6 + # Y+gXCXZDL20GXsPuBi1hpPnkhBFI+WFlC1KiA8RRGMpDKGQFw/XYIwKvfdRw82Mx + # NkJYCiRNZxXnDzInTLuyEpS9yzQXdxa6YFR9USeFpjLaVUppT57M5xfdPFRdhImj + # 1crhMjQZWt+054JTadvEu4o1c+45damruqtQntvnF7h5vcNCjExlREKK32rMXbGD + # Fb19G/3x8UASqVslkXeNtTj0fVPN+78yVyqjWCBe2zHiBlnWBmRu6tlrEDl/MVAz + # Yk3rHMYdRpDYolWBD8bAzqohSatbrzWUjjF7GlLR6HfXsCYxPzGJb6Ed4We+ZjvH + # C3/LHyuZD6EmksSraJt8XeVvTQlPnPI+jVbqJERi/p3F9KRVy8mwEwk/4MDbPhZ0 + # zizSg7+Yn6Rac/F0QlvUPa8CAwEAAQ== + # -----END PUBLIC KEY----- + + + +.. code-block:: + + # SHA256 (OPNsense-19.1-OpenSSL-dvd-amd64.iso.bz2) = 0a9e02954da1ddd1f0b7673394bbf81cfa74a1d5378600a87d3a9e6a26d3104d + # SHA256 (OPNsense-19.1-OpenSSL-nano-amd64.img.bz2) = 2c4b0056ca26053c8d5e4efe196e512af618bad4fa136ba0e2528083a6263528 + # SHA256 (OPNsense-19.1-OpenSSL-serial-amd64.img.bz2) = c71274cea2b910cd4b3454b4ad29f7f70503fcb52ffa5b7f65ea96a27ac9e10d + # SHA256 (OPNsense-19.1-OpenSSL-vga-amd64.img.bz2) = 37164481a413716d8786676d30bb709f8b967e53a47a36d10118214304d14bb9 + +.. 
code-block:: + + # SHA256 (OPNsense-19.1-OpenSSL-dvd-i386.iso.bz2) = 17d0aadf671bc2d99b57f0371e4fadfca0e2e9c8d27d6545674a610fc1f59c7a + # SHA256 (OPNsense-19.1-OpenSSL-nano-i386.img.bz2) = 0c4e7616c93f14f5988df84b9b620543cb23a89c1f91505527b6c999d2dc7889 + # SHA256 (OPNsense-19.1-OpenSSL-serial-i386.img.bz2) = 93306e5349c7448ad3fdc03d9349ebf98e4d7c677201dcbec111f917c72dca24 + # SHA256 (OPNsense-19.1-OpenSSL-vga-i386.img.bz2) = 03d21319a784f93a7940d35168a35d15005e6f4579ac5b1c7a6ff606beb062a6 + +-------------------------------------------------------------------------- +19.1.r2 (January 23, 2019) +-------------------------------------------------------------------------- + + +Small online update issued to fix known and subsequently patched issues. +If you use Insight and flowd_aggregate service refuses to start go to +System: Firmware: Packages and reinstall the "flowd" package. + +These are the changes in detail: + +* firmware: fix invisible error in health check +* intrusion detection: avoid spurious migration error on factor reset +* monit: fix dashboard widget display and general settings save +* plugins: os-telegraf fixes checkbox for CPU time collect (contributed by chaispaquichui) +* ports: flowd Python bindings runtime fix + + +Stay safe, +Your OPNsense team + +-------------------------------------------------------------------------- +19.1.r1 (January 21, 2019) +-------------------------------------------------------------------------- + + +For almost four years now, OPNsense is driving innovation through +modularising and hardening the open source firewall, with simple +and reliable firmware upgrades, multi-language support, HardenedBSD +security, fast adoption of upstream software updates as well as clear +and stable 2-Clause BSD licensing. + +We thank all of you for helping test, shape and contribute to the project! +We know it would not be the same without you. 
+ +Download links, an installation guide `[1] `__ and the checksums for the images +can be found below as well. + +* Europe: https://opnsense.c0urier.net/releases/19.1/ +* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.1/ +* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.1/ +* South America: http://mirror.upb.edu.co/opnsense/releases/19.1/ +* South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.1/ +* Full mirror list: https://opnsense.org/download/ + +Here are the full changes against version 18.7.10: + +* system: console port assignment can now assign OPT without LAN +* system: anti-lockout will use OPT1 if LAN is not present +* system: allow creation of combined client/server SSL certificate +* system: gateway monitoring switches to Dpinger with Apinger removed +* system: detect unassigned gateways in static address setups +* system: more advanced gateway monitoring options for Dpinger (contributed by Team Rebellion) +* system: removal of the old notification system in favour of Monit +* system: only allow syslog remote binding to assigned interfaces +* system: disable IP aliases configured with VHID on temporary disable +* system: remove AHCI MSI disable workaround used in FreeBSD 11.1 +* system: default gateway switching moves back to general settings +* system: beep sound notification setting moves to misc. 
settings +* system: limit log line length in log widget +* interfaces: change 6RD/6to4 interface prefix from internal name to physical device +* interfaces: prohibit tracking on 6RD with /64 upstream prefix +* interfaces: remove unneeded use of potentially clashing fe80::1:1 addresses for IPv6 tracking +* interfaces: clear an apparently faulty system DUID when no manual DUID is set +* interfaces: updated custom dhclient-script used for DHCPv4 +* interfaces: VIP support for GRE devices +* interfaces: simplify find_interface_ip\* functions +* interfaces: remove get_interface_subnet\* functions +* interfaces: remove unused get_possible_listen_ips function +* interfaces: link status indicator on assignments page +* interfaces: unify interface removal code +* firewall: switch GeoIP database download to HTTPS +* firewall: find IP reference tool for aliases +* firewall: improve alias page responsiveness with large number of addresses +* firewall: show system errors when reloading aliases +* firewall: NAT port forward logging option and live view support +* firewall: optionally resolve all host names in live view +* firewall: not all states could be removed in diagnostics page +* firewall: clean up unused NAT rule association code +* reporting: improve handling of empty Insight datasets +* reporting: prepare for Python 3 conversion +* firmware: switch default mirror location to HTTPS +* firmware: health check for base and kernel files including version check +* firmware: support base and kernel file size in packages overview +* firmware: /var MFS compatibility on base installation when reboot is deferred +* firmware: command line core lock feature prevents package upgrades +* firmware: internally remember plugins installed or removed in the GUI +* firmware: show last known update log on page open +* firmware: show untrusted repository error in GUI +* firmware: separate chanelogs tab for clarity +* dhcp: refuse setup of instances that have no associated IP address +* dhcp: 
fix lease time local vs. UTC display in IPv6 leases +* installer: change communication from TCP to named pipes +* installer: fix sporadic segmentation faults in frontend code +* installer: allow config import from ZFS pools +* installer: allow password reset on ZFS pools +* installer: removed a number of unused modules +* ipsec: generate correct config for "Hybrid-RSA + XAuth" (contributed by Max Weller) +* ipsec: reworked strongswan.conf generation +* ipsec: use new interface subnet retrieval code +* monit: support declaring dependencies (contributed by Alexander Werner) +* monit: add Service/Test type relation (contributed by Frank Brendel) +* monit: add CARP status to standard services +* monit: add gateway alerts to standard services +* monit: backend rework to simplify the service +* intrusion detection: support base ruleset overlays and improve logging +* intrusion detection: GeoIP feature in user-defined rules has been removed +* intrusion detection: obey Content-Disposition header +* openvpn: client export rewrite, new export option for The Green Bow +* unbound: reworked slab calculation +* unbound: added statistics page +* unbound: only bind to interfaces or OpenVPN instances, always bind to loopback +* unbound: fix ACL subnet calculation for OpenVPN instances +* unbound: do not generate host entries for OpenVPN instances +* unbound: improve help text wording and general settings layout +* web proxy: parent proxy support (contributed by Michael Muenz) +* wizard: fix checkbox label styling +* mvc: converted reboot, halt and license page to MVC +* mvc: compared-to-field constraint (contributed by Fabian Franz) +* mvc: external clients which set Authorization header now receive raw JSON responses +* mvc: fix empty value check in grid (contributed by Smart-Soft) +* mvc: globally lock config when multiple items are deleted at once +* mvc: volt template JavaScript cleanups +* ui: updated bootstrap-select to version 1.13.3 +* ui: collapsible sidebar support in 
default theme (contributed by Team Rebellion) +* plugins: os-acme-client 1.19 `[2] `__ +* plugins: os-c-icap 1.7 adds template support (contributed by Michael Muenz) +* plugins: os-dmidecode 1.0 hardware information widget (contributed by Smart-Soft) +* plugins: os-dyndns 1.12 changes HE tunnel broker to newer API (contributed by Dusan Dragic) +* plugins: os-frr switches to FRR 5.0.2, please see below +* plugins: os-l2tp 1.8 interface now selects reachable server address +* plugins: os-pptp 1.8 interface now selects reachable server address +* plugins: os-openconnect 1.3.3 `[3] `__ +* plugins: os-quagga removed, please use os-frr instead +* plugins: os-nginx 1.6 `[4] `__ +* plugins: os-rspamd 1.4 allows to set manual spam scores and subject (contributed by Michael Muenz and Fabian Franz) +* plugins: os-snmp removed, please use os-net-snmp instead +* plugins: os-theme-cicada 1.13 +* plugins: os-theme-tukan 1.12 +* plugins: os-wol 2.1 fixes widget link (contributed by Fabian Franz) +* src: HardenedBSD 11.2-RELEASE-p7 `[5] `__ `[6] `__ `[7] `__ +* src: fix missing transmit visibility for BPF-based listeners in native netmap mode +* src: limit the maximum number of fragments per packet in pf +* src: replace rwlock on PF_RULES_LOCK with rmlock in pf +* src: do not discard UDP6 traffic in Hyper-V adaptors +* src: fix state sync during initial bulk update in pfsync +* src: unbreak dhclient(8) option 26 processing +* src: import APU 1-3 LED kernel module +* ports: krb5 1.17 `[8] `__ +* ports: php 7.1.26 `[9] `__ +* ports: sudo 1.8.27 `[10] `__ +* ports: perl 5.28.1 `[11] `__ +* ports: suricata netmap forward-compatibility patch (contributed by Sunny Valley Networks) + +Known issues and limitations: + +* Gateway health graphs may need a manual reset due to the Apinger to Dpinger migration. +* Intrusion detection GeoIP rules are automatically deactivated and need to be manually migrated to firewall alias GeoIP. +* Monit general settings do not save. 
A patch exists `[12] `__ to remedy this problem: opnsense-patch a2899594 +* Issue with IDS migration code creating a spurious crash report. Patch already done for the final 19.1. +* Quagga plugin has been superseded by FRR plugin. A binary quagga package has been conserved for the time being. +* Please read the FRR documentation with regard to the required system tunables `[13] `__ . +* SNMP plugin has been superseded by Net-SNMP plugin. +* ZFS guided installation pending. + +The public key for the 19.1 series is: + +.. code-block:: + + # -----BEGIN PUBLIC KEY----- + # MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4NKHVbdmq9RN085Nfdyc + # ip5IMNwcc4QcvGIbN51+UiHh8+aj+JJSswHg5ZBwKk6bxt8kA1NAJQk5U6Qb/UXi + # QYt0zvN2ABrzBHq6WRE5WPzmQa1Raky4ChfQqorOFi3D96rMvI/Anm4OLllHcMX/ + # GKPA1XcODJTFQOjsAR+87V6Em+W0YX0lGLTmWdmwWfGeGQFJzA2A/Wxn3b0jDS9m + # pyHlj4jzat6032qs7Uxf+qWopj+d76ZyxedQVPswKa9o9qKF2iUoSSG/11kFpLi6 + # Y+gXCXZDL20GXsPuBi1hpPnkhBFI+WFlC1KiA8RRGMpDKGQFw/XYIwKvfdRw82Mx + # NkJYCiRNZxXnDzInTLuyEpS9yzQXdxa6YFR9USeFpjLaVUppT57M5xfdPFRdhImj + # 1crhMjQZWt+054JTadvEu4o1c+45damruqtQntvnF7h5vcNCjExlREKK32rMXbGD + # Fb19G/3x8UASqVslkXeNtTj0fVPN+78yVyqjWCBe2zHiBlnWBmRu6tlrEDl/MVAz + # Yk3rHMYdRpDYolWBD8bAzqohSatbrzWUjjF7GlLR6HfXsCYxPzGJb6Ed4We+ZjvH + # C3/LHyuZD6EmksSraJt8XeVvTQlPnPI+jVbqJERi/p3F9KRVy8mwEwk/4MDbPhZ0 + # zizSg7+Yn6Rac/F0QlvUPa8CAwEAAQ== + # -----END PUBLIC KEY----- + +Please let us know about your experience! + + + +.. code-block:: + + # SHA256 (OPNsense-19.1.r1-OpenSSL-dvd-amd64.iso.bz2) = 7c0c6cf529cb2f8aa9c29b3645b4ec1e218c292f722941ae9880b009c93e6364 + # SHA256 (OPNsense-19.1.r1-OpenSSL-nano-amd64.img.bz2) = b355355fc6d10475af2b1c22daa2fd5f5ab78bb375aaf8100a51f087d2447289 + # SHA256 (OPNsense-19.1.r1-OpenSSL-serial-amd64.img.bz2) = f4d40b1ece162aac97505f8ad1e16271126df11fb1a317a9f431ff4737fe5da8 + # SHA256 (OPNsense-19.1.r1-OpenSSL-vga-amd64.img.bz2) = f8c860a7e3eb9be61d33da92b021a0f337ad50e00a6ffc1cca793277f1890b63 + +.. 
code-block:: + + # SHA256 (OPNsense-19.1.r1-OpenSSL-dvd-i386.iso.bz2) = c7b5ced64623416bd56e5337d5212c9af25292a48eb1bb298321e4bb79056c94 + # SHA256 (OPNsense-19.1.r1-OpenSSL-nano-i386.img.bz2) = 1313645407d810dd7a5dedf4978deaa7c14f4655dee679de572d7a9e853749c0 + # SHA256 (OPNsense-19.1.r1-OpenSSL-serial-i386.img.bz2) = f44203f5bb6e2dbfe5b524b37e9e53baab0665684cbc215bdc3015e11a79c2bd + # SHA256 (OPNsense-19.1.r1-OpenSSL-vga-i386.img.bz2) = a6cfc14b9675563053d6e7733011c381f39e8fb2e10a8a64d60cc7de421ac2db diff --git a/source/releases/CE_19.7.rst b/source/releases/CE_19.7.rst new file mode 100644 index 00000000..94ef5975 --- /dev/null +++ b/source/releases/CE_19.7.rst 
@@ -0,0 +1,813 @@ +=========================================================================================== +19.7 "Jazzy Jaguar" Series +=========================================================================================== + + + +For four and a half years now, OPNsense is driving innovation through +modularising and hardening the open source firewall, with simple +and reliable firmware upgrades, multi-language support, HardenedBSD +security, fast adoption of upstream software updates as well as clear +and stable 2-Clause BSD licensing. + +19.7, nicknamed "Jazzy Jaguar", embodies an iteration of what should be +considered enjoyable user experience for firewalls in general: improved +statistics and visibility of rules, reliable and consistent live logging +and alias utility improvements. Apart from the usual upgrades of third +party software to up-to-date releases, OPNsense now also offers built-in +remote system logging through Syslog-ng, route-based IPsec, updated +translations with Spanish as a brand new and already fully translated +language and newer Netmap code with VirtIO, VLAN child and vmxnet support. + +Last but not least we would like to thank m.a.x. it for their sponsorship +of the default gateway priority switching feature and their continued work +of writing and maintaining plenty of community plugins. This time around, +Maltrail, Netdata and WireGuard VPN have been freshly added to the mix. + +Download links, an installation guide `[1] `__ and the checksums for the images +can be found below as well. 
+ +* Europe: https://opnsense.c0urier.net/releases/19.7/ +* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.7/ +* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.7/ +* South America: http://mirror.upb.edu.co/opnsense/releases/19.7/ +* South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.7/ +* Full mirror list: https://opnsense.org/download/ + + +-------------------------------------------------------------------------- +19.7.10 (January 27, 2020) +-------------------------------------------------------------------------- + + +As Thursday nears the last preparations for 20.1 are underway. As a quick +relief here is the End-Of-Life release of the 19.7 series with a tiny number +of updates. + +Remember that when 20.1 is available it will take up to a day before we +release the hotfix with the major upgrade path enabled. Please be patient +as we simply want to ensure that upgrades will not be bumpy affair. :) + +Here are the full patch notes: + +* firewall: fix a typo in CARP validation +* firmware: revoke 19.1 fingerprint +* ipsec: add configurable dpdaction (contributed by Marcel Menzel) +* mvc: BaseListField ignoring empty selected field +* plugins: os-haproxy 2.20 `[1] `__ +* plugins: os-mail-backup 1.1 `[2] `__ +* plugins: os-nrpe 1.0 (contributed by Michael Muenz) +* plugins: os-theme-rebellion 1.8.3 (contributed by Team Rebellion) +* plugins: os-vnstat 1.2 `[3] `__ +* plugins: zabbix4-proxy 1.2 `[4] `__ +* ports: ca_root_nss 3.49.1 +* ports: curl 7.68.0 `[5] `__ +* ports: isc-dhcp 4.4.2 `[6] `__ +* ports: urllib3 1.27.7 `[7] `__ + +A hotfix release was issued as 19.7.10_1: + +* firmware: enable upgrade path to 20.1 + + + +-------------------------------------------------------------------------- +19.7.9 (January 09, 2020) +-------------------------------------------------------------------------- + + +As 20.1 nears we will be making adjustments to the scope of the release +with an announcement following shortly. 
+ +For now, this update brings you a GeoIP database configuration page for +aliases which is now required due to upstream database policy changes and +a number of prominent third-party software updates we are happy to see +included. + +Here are the full patch notes: + +* system: use 825 days as the default maximum certificate lifetime +* system: hide leaking hostname on SSH password auth (contributed by sooslaca) +* system: remove unused "lifetime" parameter from user manager page +* firewall: new GeoIP settings page to allow continued use of upstream database `[1] `__ +* firewall: log when alias could not resolve a hostname +* firewall: translate pfInfo page tabs (contributed by Smart-Soft) +* firmware: add mirror MARWAN (Moroccan Academic & Research Wide Area Network) +* dhcp: replace killbyname() usage which should not have killed both services +* dhcp: auto-replace windows DUID dashes (contributed by Team Rebellion) +* mvc: PSR12 code style updates +* plugins: os-acme-client 1.29 `[2] `__ +* plugins: os-bind 1.12 `[3] `__ +* plugins: os-dyndns must use dyndns_failover_interface() to translate gateway group +* plugins: os-frr 1.14 `[4] `__ +* plugins: os-maltrail 1.3 `[5] `__ +* plugins: os-nginx 1.17 `[6] `__ +* plugins: os-nut fixes validation and snmp-ups selection (contributed by Michael Muenz) +* plugins: os-theme-cicada 1.24 (contributed by Team Rebellion) +* plugins: os-zabbix4-proxy 1.1 `[7] `__ +* ports: openssh 8.1p1 `[8] `__ +* ports: openssl 1.0.2u `[9] `__ +* ports: php 7.2.26 `[10] `__ +* ports: phpseclib 2.0.23 `[11] `__ +* ports: python 3.7.6 `[12] `__ +* ports: strongswan 5.8.2 `[13] `__ +* ports: sudo 1.8.30 `[14] `__ +* ports: unbound 1.9.6 `[15] `__ + +A hotfix release was issued as 19.7.9_1: + +* firewall: automatic business addition GeoIP feed + + + +-------------------------------------------------------------------------- +19.7.8 (December 18, 2019) +-------------------------------------------------------------------------- + + +A number 
of updates including security and reliability fixes inside. Of +note is the new elliptic curve certificate creation support and better +firmware health check and recovery methods. + +We are almost at the point of a 20.1-BETA release with an isolated images +for early bird testing as a special present at this time of year. Stay +tuned. :) + +Here are the full patch notes: + +* system: "Mark Gateway as Down" also means exclude from default gateway selection +* system: fix PHP warning on gateways list due to wrong variable scope +* system: support elliptic curve TLS certificate creation (contributed by johnaheadley) +* system: remove unused current directory PHP include +* system: fix XSS in backup page and static menu pages +* firewall: use referential integrity check for model data +* reporting: improve NetFlow error handling (contributed by Frank Brendel) +* dhcp: always add dhcp6.domain-search and dhcp6.name-servers (contributed by maurice-w) +* dhcp: fix range check for advanced router advertisement options (contributed by maurice-w) +* dhcp: improve help texts for router advertisement modes (contributed by maurice-w) +* dhcp: replace defunct IPv6 domain name option with domain search list option (contributed by maurice-w) +* dhcp: fix storing advanced IPv6 options +* firmware: add "copy to clipboard" button in update text box +* firmware: use opnsense-revert in GUI reinstall package case +* firmware: when storing installed plugin names remove their development counterparts +* firmware: improved health check scope to include direct core package dependencies +* openvpn: fix Firefox "nowrap" issue in client export page +* backend: improve error handling while configd is either not active or not functional +* mvc: route to default page when controller or action not found +* mvc: field type refactor and unit tests +* mvc: added opt-in referential integrity check for models +* mvc: countless PSR12 style updates +* mvc: add "NetMaskAllowed" option to validate on single 
addresses in NetworkField +* plugins: os-bind 1.11 `[1] `__ +* plugins: os-dyndns 1.18 adds Linode support (contributed by eAndrew Gunnerson) +* plugins: os-freeradius 1.9.5 `[2] `__ +* plugins: os-frr 1.13 `[3] `__ +* plugins: os-ftp-proxy style updates only +* plugins: os-postfix 1.13 `[4] `__ +* plugins: os-rspamd 1.9 `[5] `__ +* plugins: os-theme-cicada 1.23 (contributed by Team Rebellion) +* plugins: os-theme-tukan 1.22 (contributed by Team Rebellion) +* ports: ca_root_nss 3.48 +* ports: krb5 1.17.1 `[6] `__ +* ports: php 7.2.25 `[7] `__ +* ports: suricata 4.1.6 `[8] `__ +* ports: unbound 1.9.5 `[9] `__ + + + +-------------------------------------------------------------------------- +19.7.7 (November 21, 2019) +-------------------------------------------------------------------------- + + +Lots of small improvements. Of note are Eve JSON payload syslog export +now works for 4 kb payload blobs. The outdated Google API PHP client +was replaced. LibreSSL is now at version 3.0.2. Plus another Intel SA +advisory via FreeBSD. 
+ +Here are the full patch notes: + +* system: generate self-signed server certificate for web GUI by default +* system: let net.local.dgram.maxdgram default to 8192 bytes +* system: spawn Dpinger process in background to avoid hangs +* system: switch backup to Google API PHP client v2 +* system: add interface groups to HA sync +* interfaces: remove the "Directly send SOLICIT" option +* firewall: fix issue with label parsing when "tag" keyword was involved +* firewall: skip empty lines in rule statistics parsing +* firmware: add /etc/remote to whitelist, NTP GPS uses it +* reporting: empty NetFlow egress default passes validation +* reporting: show dialog when RRD is disabled +* dhcp: fix for domain-search option in DHCPv6 (contributed by maurice-w) +* dnsmasq: fix storing settings when no settings exist yet +* intrusion detection: lower payload-buffer-size to prevent syslog size limit +* intrusion detection: fix issue with escaped file name during rules download +* unbound: exit wrapper when process not running +* web proxy: added check on SNI field checkbox (contributed by Northguy) +* mvc: fix forceReload() +* plugins: os-acme-client 1.28 `[1] `__ +* plugins: os-bind 1.10 `[2] `__ +* plugins: os-nginx 1.16 `[3] `__ +* plugins: os-nut 1.6 `[4] `__ +* plugins: os-postfix 1.12 `[5] `__ +* src: fix machine check exception on page size change `[6] `__ +* src: bump libc syslog line size to 8k +* src: import tzdata 2019c `[7] `__ +* ports: curl 7.67.0 `[8] `__ +* ports: libressl 3.0.2 `[9] `__ +* ports: openvpn 2.4.8 `[10] `__ +* ports: perl 5.30.1 `[11] `__ +* ports: phalcon 3.4.5 `[12] `__ +* ports: sqlite 3.30.1 `[13] `__ +* ports: squid 4.9 `[14] `__ +* ports: syslog-ng 3.24.1 `[15] `__ + + + +-------------------------------------------------------------------------- +19.7.6 (November 01, 2019) +-------------------------------------------------------------------------- + + +As we are experiencing the Suricata community first hand in Amsterdam +we though to release 
this version a bit earlier than planned. Included +is the latest Suricata 5.0.0 release in the development version. That +means later this November we will releasing version 5 to the production +version as we finish up tweaking the integration and maybe pick up 5.0.1 +as it becomes available. + +LDAP TLS connectivity is now integrated into the system trust store, +which ensures that all required root and intermediate certificates will +be seen by the connection setup when they have been added to the authorities +section. The same is true for trusting self-signed certificates. On top +of this, IPsec now supports public key authentication as contributed by +Pascal Mathis. + +Here are the full patch notes: + +* system: hook LDAP TLS support into system-wide trust file +* system: fix dpinger custom parameters not being honoured +* system: fix PHP core loop fail in tunables overview +* system: only allow P12 export if password confirmation matches +* interfaces: change PCAP download to binary file stream +* firewall: store reference to outbound NAT address instead of literal address +* firewall: add log message for scheduled firewall reload +* firmware: tie pkg dependency to core +* ipsec: allow EC keys for certificate-based secrets (contributed by Martin Strigl) +* ipsec: add support for public key authentication (contributed by Pascal Mathis) +* openvpn: server wizard existing CA use and server cert check (contributed by johnaheadley) +* backend: add run mode to pluginctl using JSON-based output +* ui: fix tokenizer reorder on multiple saves, second try +* plugins: os-acme-client 1.27 `[1] `__ +* plugins: os-bind 1.9 `[2] `__ +* plugins: os-nginx 1.15 `[3] `__ +* plugins: os-relayd 2.4 fixes protocol option migration (contributed by Frank Brendel) +* plugins: os-theme-cicada 1.22 (contributed by Team Rebellion) +* ports: ca_root_nss 3.47 +* ports: php 7.2.24 `[4] `__ +* ports: python 3.7.5 `[5] `__ +* ports: sudo 1.8.29 `[6] `__ + + + 
+-------------------------------------------------------------------------- +19.7.5 (October 11, 2019) +-------------------------------------------------------------------------- + + +Lots of plugin and ports updates this time with a few minor improvements +in all core areas. + +Behind the scenes we are starting to migrate the base system to version +12.1 which is supposed to hit the next 20.1 release. Stay tuned for more +infos in the next month or so. + +Here are the full patch notes: + +* system: show all swap partitions in system information widget +* system: flatten services_get() in preparation for removal +* system: pin Syslog-ng version to specific package name +* system: fix LDAP/StartTLS with user import page +* system: fix a PHP warning on authentication server page +* system: replace most subprocess.call use +* interfaces: fix devd handling of carp devices (contributed by stumbaumr) +* firewall: improve firewall rules inline toggles +* firewall: only allow TCP flags on TCP protocol +* firewall: simplify help text for direction setting +* firewall: make protocol log summary case insensitive +* reporting: ignore malformed flow records +* captive portal: fix type mismatch for timeout read +* dhcp: add note for static lease limitation with lease registration (contributed by Northguy) +* ipsec: add margintime and rekeyfuzz options +* ipsec: clear $dpdline correctly if not set +* ui: fix tokenizer reorder on multiple saves +* plugins: os-acme-client 1.26 `[1] `__ +* plugins: os-bind will reload bind on record change (contributed by blablup) +* plugins: os-etpro-telemetry minor subprocess.call replacement +* plugins: os-freeradius 1.9.4 `[2] `__ +* plugins: os-frr 1.12 `[3] `__ +* plugins: os-haproxy 2.19 `[4] `__ +* plugins: os-mailtrail 1.2 `[5] `__ +* plugins: os-postfix 1.11 `[6] `__ +* plugins: os-rspamd 1.8 `[7] `__ +* plugins: os-sunnyvalley LibreSSL support (contributed by Sunny Valley Networks) +* plugins: os-telegraf 1.7.6 `[8] `__ +* plugins: 
os-theme-cicada 1.21 (contributed by Team Rebellion) +* plugins: os-theme-tukan 1.21 (contributed by Team Rebellion) +* plugins: os-tinc minor subprocess.call replacement +* plugins: os-tor 1.8 adds dormant mode disable option (contributed by Fabian Franz) +* plugins: os-virtualbox 1.0 (contributed by andrewhotlab) +* ports: expat 2.2.8 `[10] `__ +* ports: ca_root_nss 3.46.1 +* ports: curl 7.66.0 `[9] `__ +* ports: openssl 1.0.2t `[11] `__ +* ports: php 7.2.23 `[12] `__ +* ports: pkg 1.12.0 `[13] `__ `[14] `__ `[15] `__ +* ports: strongswan 5.8.1 `[16] `__ +* ports: suricata 4.1.5 `[17] `__ +* ports: syslog-ng 3.23.1 `[18] `__ +* ports: unbound 1.9.4 `[19] `__ + +A hotfix release was issued as 19.7.5_5: + +* ui: revert fix for tokenizer reorder on multiple saves for now +* system: replace services_get() with plugins_services() +* system: verbose print on "pluginctl -s" actions + + + +-------------------------------------------------------------------------- +19.7.4 (September 11, 2019) +-------------------------------------------------------------------------- + + +A wee bit of updates for you... nothing overly exciting. On the other +hand, we have updated the roadmap page to include 20.1 if you want to +take a closer look `[1] `__ . More exciting for sure. 
:) + +Here are the full patch notes: + +* system: fix legacy remote logging with custom port +* system: regenerate CA bundle when modifying trusted authorities +* system: fix translation order of tunables description +* system: fix CARP maintenance mode bootup +* firewall: missing daily refresh on GeoIP type +* firewall: fix fetch of GeoIP alias if its name is same as its country +* reporting: auto-load required kernel modules for NetFlow +* reporting: allow setting NetFlow active/inactive timeout (contributed by Frank Brendel) +* captive portal: optimise ipfw rule parsing +* firmware: Homelab.no has been superseded by TerraHost mirror (contributed by Thomas Jensen) +* unbound: support file-based custom includes +* unbound: set absolute path to root.hints (contributed by h-town) +* plugins: os-bind 1.8 `[2] `__ (contributed by ErikJStaab) +* plugins: os-dnscrypt-proxy 1.6 `[3] `__ (contributed by ErikJStaab) +* plugins: os-etpro-telemetry 1.4 `[4] `__ +* plugins: os-theme-cicada 1.20 (contributed by Team Rebellion) +* plugins: os-theme-tukan 1.20 (contributed by Team Rebellion) +* ports: ca_root_nss 3.46 +* ports: ldns 1.7.1 `[5] `__ +* ports: pcre2 10.33 `[6] `__ +* ports: php 7.2.22 `[7] `__ +* ports: phpseclib 2.0.21 `[8] `__ +* ports: unbound 1.9.3 `[9] `__ + +A hotfix release was issued as 19.7.4_1: + +* captive portal: fix merge conflict in optimisation + + + +-------------------------------------------------------------------------- +19.7.3 (August 28, 2019) +-------------------------------------------------------------------------- + + +Please enjoy this release with improved CARP utility and a number of +smaller fixes and updates for the operating system and third party tools. +You can now also toggle logging directly from the rule overview to make +debugging easier. 
+ +Here is the full list of changes: + +* system: try all backups for automatic revert when config.xml is damaged +* system: do a system reset if all config.xml files are damaged +* system: only show tunables reboot hint when applying tunables (contributed by Northguy) +* system: use FQDN in system log remote messages +* system: add defunct gateways to GUI in disabled state +* interfaces: only allow VLAN parents that will work as VLAN parents +* interfaces: optionally promote/demote CARP on service status +* interfaces: CARP status page report with demotion level to avoid ambiguity +* firewall: revert problematic 19.7.2 change "unhide automatic interface-based output rules" +* firewall: restore automatic outbound NAT pre-19.7 behaviour which excludes gateways not configured and not dynamic +* firewall: add logging toggle to rules overview (contributed by johnaheadley) +* firewall: DHCPv6 relay would generate rules even if not enabled +* firmware: only do single-repository fingerprint verify defaulting to our OPNsense repository +* firmware: fix base and kernel package listing +* intrusion detection: show change message after toggle or save +* intrusion detection: rule download fix +* monit: add parent devices to interface list (contributed by Frank Brendel) +* monit: fix standard configuration migration (contributed by Frank Brendel) +* reporting: skip illegal NetFlow records in flow parser +* opendns: migrate update hook from DynDNS plugin to core to make it fully automatic +* backend: fix exception message string handling in Python 3 +* backend: add help to pluginctl utility +* backend: configctl event handler support +* mvc: log API key when authentication failed +* ui: more consistent HTML (contributed by gisforgirard) +* ui: sidebar bug fix (contributed by Team Rebellion) +* ui: fix initFormAdvancedUI() on initial load +* plugins: os-acme-client 1.25 `[1] `__ +* plugins: os-bind 1.7 `[2] `__ +* plugins: os-dyndns 1.17 removes OpenDNS and fixes DyNS +* plugins: 
os-haproxy 2.18 `[3] `__ +* plugins: os-maltrail 1.1 `[4] `__ +* plugins: os-nginx log rotation fix (contributed by Fabian Franz) +* plugins: os-postfix 1.10 `[5] `__ +* plugins: os-smart 2.1 fixes widget status and adds NVMe disk support (contributed by nhirokinet and ATL) +* plugins: os-theme-cicada 1.19 (contributed by Team Rebellion) +* plugins: os-theme-tukan 1.19 (contributed by Team Rebellion) +* plugins: os-wireguard 1.1 `[6] `__ +* src: fix incorrect exception handling in libunwind `[7] `__ +* src: fix multiple vulnerabilities in bzip2 `[8] `__ +* src: fix ICMPv6 / MLDv2 out-of-bounds memory access `[9] `__ +* src: fix insufficient message length validation in bsnmp library `[10] `__ +* src: fix insufficient validation of guest-supplied data (e1000 device) `[11] `__ +* src: fix IPv6 remote denial of service `[12] `__ +* src: fix kernel memory disclosure from /dev/midistat `[13] `__ +* src: fix reference count overflow in mqueuefs `[14] `__ +* ports: hostapd 2.9 `[15] `__ +* ports: nghttp2 1.39.2 `[16] `__ +* ports: openldap 2.4.48 `[17] `__ +* ports: perl 5.30.0 `[18] `__ +* ports: php 7.2.21 `[19] `__ +* ports: py-openssl 19.0.0 `[20] `__ +* ports: syslog-ng 3.22.1 `[21] `__ +* ports: wpa_supplicant 2.9 `[22] `__ + + + +-------------------------------------------------------------------------- +19.7.2 (August 05, 2019) +-------------------------------------------------------------------------- + + +This update ships the latest FreeBSD security advisories along with several +smaller improvements and fixes. Sunny Valley Networks is the first vendor +to introduce additional software to the plugin framework in the form of the +Sensei plugin. 
+ +Here are the full patch notes: + +* system: missing "" in legacy output via Syslog-ng +* system: fix writing gateway information for DNS servers +* system: allow gateway to work in DHCPv6 WAN when no router solicitation is available +* firewall: unhide automatic interface-based output rules +* firewall: unhide automatic non-interface-based floating rules +* firewall: lift length restriction in NAT rule description +* firewall: avoid newlines in rule descriptions +* firewall: only show usable addresses in NAT outbound rules +* interfaces: fix extended CARP output when parsing interface information +* interfaces: add more outputs to overview page to increase usefulness +* interfaces: use shared DHCP lease reader for ARP list +* captive portal: fix binary read issue in Python 3 +* dhcp: fix DHCPv4 relay interface selection (contributed by jayantsahtoe) +* firmware: handle file signature verify correctly with multiple fingerprint repositories +* firmware: Aivian mirror is no longer active +* firmware: Cloudfence mirror in Brazil added +* plugins: os-acme-client 1.24 `[1] `__ +* plugins: os-bind 1.6 (contributed by crazy-max) +* plugins: os-dnscrypt-proxy 1.5 (contributed by crazy-max) +* plugins: os-grid_example 1.0 `[2] `__ +* plugins: os-helloworld Python 3 compatibility `[3] `__ +* plugins: os-nut 1.5 adds Riello driver (contributed by Michael Muenz) +* plugins: os-sunnyvalley 1.0 `[4] `__ `[5] `__ +* src: fix panic from Intel CPU vulnerability mitigation `[6] `__ +* src: fix multiple telnet client vulnerabilities `[7] `__ +* src: fix pts write-after-free `[8] `__ +* src: fix kernel memory disclosure in freebsd32_ioctl `[9] `__ +* src: fix reference count overflow in mqueuefs `[10] `__ +* src: fix byhve out-of-bounds read in XHCI device `[11] `__ +* src: fix file descriptor reference count leak `[12] `__ +* ports: libevent 2.1.11 `[13] `__ + + + +-------------------------------------------------------------------------- +19.7.1 (July 25, 2019) 
+-------------------------------------------------------------------------- + + +We do not wish to keep you from enjoying your summer time, but this +is a recommended security update enriched with reliability fixes for the +new 19.7 series. Of special note are performance improvements as well +as a fix for a longstanding NAT before IPsec limitation. + +Here are the full patch notes: + +* system: do not create automatic copies of existing gateways +* system: do not translate empty tunables descriptions +* system: remove unwanted form action tags +* system: do not include Syslog-ng in rc.freebsd handler +* system: fix manual system log stop/start/restart +* system: scoped IPv6 "%" could confuse mwexecf(), use plain mwexec() instead +* system: allow curl-based downloads to use both trusted and local authorities +* system: fix group privilege print and correctly redirect after edit +* system: use cached address list in referrer check +* system: fix Syslog-ng search stats +* firewall: HTML-escape dynamic entries to display aliases +* firewall: display correct IP version in automatic rules +* firewall: fix a warning while reading empty outbound rules configuration +* firewall: skip illegal log lines in live log +* interfaces: performance improvements for configurations with hundreds of interfaces +* reporting: performance improvements for Python 3 NetFlow aggregator rewrite +* dhcp: move advanced router advertisement options to correct config section +* ipsec: replace global array access with function to ensure side-effect free boot +* ipsec: change DPD action on start to "dpdaction = restart" +* ipsec: remove already default "dpdaction = none" if not set +* ipsec: use interface IP address in local ID when doing NAT before IPsec +* web proxy: fix database reset for Squid 4 by replacing use of ssl_crtd with security_file_certgen +* plugins: os-acme-client 1.24 `[1] `__ +* plugins: os-bind 1.6 `[2] `__ +* plugins: os-dnscrypt-proxy 1.5 `[3] `__ +* plugins: os-frr now 
restricts characters BGP prefix-list and route-maps `[4] `__ +* plugins: os-google-cloud-sdk 1.0 `[5] `__ +* ports: curl 7.65.3 `[6] `__ +* ports: monit 5.26.0 `[7] `__ +* ports: openssh 8.0p1 `[8] `__ +* ports: php 7.2.20 `[9] `__ +* ports: python 3.7.4 `[10] `__ +* ports: sqlite 3.29.0 `[11] `__ +* ports: squid 4.8 `[12] `__ + + + +-------------------------------------------------------------------------- +19.7 (July 17, 2019) +-------------------------------------------------------------------------- + + +For four and a half years now, OPNsense is driving innovation through +modularising and hardening the open source firewall, with simple +and reliable firmware upgrades, multi-language support, HardenedBSD +security, fast adoption of upstream software updates as well as clear +and stable 2-Clause BSD licensing. + +19.7, nicknamed "Jazzy Jaguar", embodies an iteration of what should be +considered enjoyable user experience for firewalls in general: improved +statistics and visibility of rules, reliable and consistent live logging +and alias utility improvements. Apart from the usual upgrades of third +party software to up-to-date releases, OPNsense now also offers built-in +remote system logging through Syslog-ng, route-based IPsec, updated +translations with Spanish as a brand new and already fully translated +language and newer Netmap code with VirtIO, VLAN child and vmxnet support. + +Last but not least we would like to thank m.a.x. it for their sponsorship +of the default gateway priority switching feature and their continued work +of writing and maintaining plenty of community plugins. This time around, +Maltrail, Netdata and WireGuard VPN have been freshly added to the mix. + +Download links, an installation guide `[1] `__ and the checksums for the images +can be found below as well. 
+ +* Europe: https://opnsense.c0urier.net/releases/19.7/ +* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.7/ +* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.7/ +* South America: http://mirror.upb.edu.co/opnsense/releases/19.7/ +* South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.7/ +* Full mirror list: https://opnsense.org/download/ + +These are the most prominent changes since version 19.1: + +* List automatic firewall rules +* Statistics for all firewall rules +* Alias JSON import / export +* Optional statistics for aliases +* Firewall rule locator for live log and automatic rules +* Rewritten gateway handling and switching +* Remote logging via Syslog-ng +* LDAP group sync support +* Support certificate signing requests +* Route-based IPsec support (VTI) +* XMLRPC sync support for alias, VHID, widgets +* Unbound host overrides alias support +* Web proxy and IPsec authentication using PAM +* Parent web proxy support +* Web proxy login privilege via group +* Improved reliability and utility of opnsense-patch +* Dpinger and DHCP servers ported to plugin framework +* Language updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese +* Spanish as a new language +* Netdata, WireGuard, Maltrail and Mail-Backup (PGP) plugin +* Netmap update for VirtIO, VLAN child and vmxnet support +* Bootstrap 3.4, LibreSSL 2.9, Unbound 1.9, PHP 7.2, Python 3.7, Squid 4 + +And here are the full changes against version 19.7-RC1: + +* system: lower automatic gateway priority for tunnel interfaces +* system: only show enabled interfaces on gateway edit +* system: speed up console banner interface print +* interfaces: typo in default WAN selection for packet capture +* interfaces: support multiple interfaces for packet capture +* interfaces: fix ambiguity in get_parent_interface() +* firewall: restart filterlog with every filter reload +* firmware: add update syshook +* ipsec: phase2 IP type selector using the 
wrong class +* reporting: fix Insight bug not processing top port and address statistics +* ui: window_highlight_table_option() fix for Safari +* wizard: improve logo contrast in welcome message +* plugins: os-frr redistribute configuration fix (contributed by Cedric Vanet) +* plugins: os-intrusion-detection-content-et-pro 1.0.1 now uses suricata-4.0 rulesets +* plugins: os-haproxy 2.17 `[2] `__ `[3] `__ +* plugins: os-mail-backup 1.0 (contributed by Joao Vilaca) +* plugins: os-maltrail 1.0 (contributed by Michael Muenz) +* plugins os-smart 2.0 MVC conversion (contributed by Smart-Soft) +* plugins: os-tinc chroot setup with resolv.conf +* plugins: os-wireguard 1.0 (contributed by Michael Muenz) +* plugins: os-wol 2.2 fixes byte conversion +* src: bump netmap ring size, still too small in FreeBSD +* src: add FCC6_FCCA regulatory domain to ath_hal(4) +* src: restore IPV6_NEXTHOP option support +* src: fix privilege escalation in cd(4) driver `[4] `__ +* src: fix kernel stack disclosure in UFS/FFS `[5] `__ +* src: fix iconv buffer overflow `[6] `__ +* src: import tzdata 2019b +* ports: ca_root_nss 3.45 +* ports: filterlog 0.3 will not print to console and lowercase IPv6 protocol output +* ports: postfix update is now non-interactive to prevent stalls +* ports: rrdtool 1.7.2 `[7] `__ + +Known issues and limitations: + +* Web proxy squid update from version 3 to 4 breaks the cache database. To repair go to "Services: Web Proxy: Administration" tab "Support" and click "Reset". +* Web proxy login privilege is no longer available. Access may be restricted by a group selector instead. +* Nano images require a reinstall using the latest image to avoid inode shortage which makes the system appear to run out of space during recent 19.1.x updates. +* OpenVPN no longer supports listening on gateway groups. Use localhost paired with port forwards instead. + +The public key for the 19.7 series is: + +.. 
code-block:: + + # -----BEGIN PUBLIC KEY----- + # MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAv2syLqN/IMuADI42aTXx + # HRbX3YljURN1dhhjYoqOc/7uZKVc7UJk79q49x8VZmC0edhHiNKfrhj5g3htsPgu + # N/eFsc1MZv+J2rfSF7L5NV3D5dU9nuBc75wb9SRIXm7XiiiuInMNRBlJsiFeiuJm + # oaE/zqgr75m+cc7sdNQnQQk9+APr4LdksX0bllRmxfhLjDKgiSVe+Yq9kje/JHyf + # je5i3MI9WT80o46IZc/oN4q9RG7n6gaIFBVckCwCKsnNZlDCvb1Sr0tdKs58fswj + # fxMvouMBf+Jk/0dOEZnoIFYb436H2CUfabiPX3Vm4r3MU4dr5m41WlCH/984cBKy + # QSM8h4nSAs/naj5c5YDe4qmwUBxwPIvJPVC/vuWLusyg1gYbloj3EIc1uv2YCkKw + # 0ra7Hocln3+7Jf2Yn/yn6yaCNdoJY2Blvo84giuklDqdBIKggDHSxGrLKDBshSR3 + # hapkFRoR7BhnoT14E8DMgD23g9tcwce1AJJ6mZ/DraBx5l11P1ZXLqnyCpvOt5oV + # HmMZ9/Xu0naPUC8IxVSNew8j3liPbc5oKV0kQ/TRQTevOBLJ8QA7Y5YdPu0cS4qw + # Jq3fGnsRt/0+i1Vs7q51KJLNECHyhWm6zYAfST22ohTUgo2ByoM8r0aRslmiG6JS + # +ancHD4lnnHRd+4ybevUft0CAwEAAQ== + # -----END PUBLIC KEY----- + + +.. code-block:: + + # SHA256 (OPNsense-19.7-OpenSSL-dvd-amd64.iso.bz2) = e022217d367abaf4fd1360f83e4664d28b3f37932dfe720974b9d7dc33bf50f7 + # SHA256 (OPNsense-19.7-OpenSSL-nano-amd64.img.bz2) = 6fffefa0b09daea397e83f67bf730392125b720043c455597c05d3d80c2baa29 + # SHA256 (OPNsense-19.7-OpenSSL-serial-amd64.img.bz2) = 98854d5a0a03850273aa2ebdd7e7b095dfec6a1e6b57341817bb5f5ffab2ca7b + # SHA256 (OPNsense-19.7-OpenSSL-vga-amd64.img.bz2) = 523e924586e431ccd421bb85ba1245ce4c8f3a6141b59623f5083d3e36bac592 + +.. 
code-block:: + + # SHA256 (OPNsense-19.7-OpenSSL-dvd-i386.iso.bz2) = 64c4e58966ab373a0aa6a544b020a39c5b86ecb79cb2988ac1f74b382c7d4765 + # SHA256 (OPNsense-19.7-OpenSSL-nano-i386.img.bz2) = 3fa6af965f5996a718982617b5a13199747d237a669867b1ffecc951c3ebe455 + # SHA256 (OPNsense-19.7-OpenSSL-serial-i386.img.bz2) = f0c76142f83b4988defa3fddc7a4cf2d930cbb0aee623d7b064462e25e146297 + # SHA256 (OPNsense-19.7-OpenSSL-vga-i386.img.bz2) = b425882604886a395730abeaa6a26b8805647609712f61c342cee29f58160006 + +-------------------------------------------------------------------------- +19.7.r1 (July 09, 2019) +-------------------------------------------------------------------------- + + +For four and a half years now, OPNsense is driving innovation through +modularising and hardening the open source firewall, with simple +and reliable firmware upgrades, multi-language support, HardenedBSD +security, fast adoption of upstream software updates as well as clear +and stable 2-Clause BSD licensing. + +We thank all of you for helping test, shape and contribute to the project! +We know it would not be the same without you. + +Download links, an installation guide `[1] `__ and the checksums for the images +can be found below as well. + +* Europe: https://opnsense.c0urier.net/releases/19.7/ +* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/19.7/ +* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/19.7/ +* South America: http://mirror.upb.edu.co/opnsense/releases/19.7/ +* South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/19.7/ +* Full mirror list: https://opnsense.org/download/ + +Here are the full changes against version 19.1.10: + +* system: new remote syslog setup via Syslog-ng +* system: gateway handling rewrite +* system: default gateway switching priority control (sponsored by m.a.x. 
it `[2] `__ ) +* system: dpinger ported to plugin framework +* system: bring back PHP warning log level +* system: use authentication factory for user import +* interfaces: VLAN, bridge, LAGG, GRE, GIF setup refactor +* interfaces: improve load sequence to allow DHCPv6 on bridges +* interfaces: GIF, GRE, IPsec and OpenVPN will no longer accept IP configuration +* interfaces: speed up get_real_interface() by assuming interfaces exist +* interfaces: sort interface groups and require rules apply if necessary (contributed by Robin Schneider) +* interfaces: background PPPoE connect and disconnect +* interfaces: only IP-address allowed in PPP gateway (contributed by Smart-Soft) +* interfaces: simplified linking VIPs to interfaces +* interfaces: removed interface_has_gateway() +* interfaces: removed interface_has_gatewayv6() +* interfaces: removed get_failover_interface() +* interfaces: removed rc.kill_states +* firewall: ability to view automatic rules +* firewall: rule origin locator in live log and automatic rules listing +* firewall: show statistics for all active rules including automatic ones +* firewall: optional statistics for alias tables +* firewall: fix translation of shaper mask "none" value +* firewall: add ipv6-icmp type selection +* firewall: rule listing layout update +* reporting: new NetFlow reader in Python 3 +* reporting: validate that NetFlow WAN interfaces are also added to listening interfaces +* dhcp: ported to plugin framework +* dhcp: added failover split to DHCPv4 (contributed by Wolfgang Pedot) +* dhcp: fix ddnsdomainprimary setting validation +* dhcp: added advanced options for router advertisements +* dhcp: removed remove rasend/ranosend checkbox +* dhcp: simplify DHCPv4 interface lookup on lease page +* dhcp: use AdvDefaultLifetime 0 when default route shall not be advertised +* firmware: support reading package repository and origin +* firmware: warn on third party package installation +* firmware: synchronise update checks to avoid "not 
responding" errors +* firmware: fix empty update list on release type change +* images: nano image now supports future-proof number of inodes +* installer: support password reset in opnsense-importer +* intrusion detection: allow rule action bulk changes +* intrusion detection: minor usability improvements +* intrusion detection: support eve system log output +* openvpn: removed gateway group listening support +* openvpn: no longer restart servers on CARP events +* openvpn: reduced complexity in service handling +* web proxy: replace proxy login privilege "user-proxy-auth" with group selector +* backend: ported remaining scripts to Python 3 +* backend: add helpers.glob() to enable template traversal +* backend: new "monitor" hook for rc.syshook +* mvc: do not add "none" in AuthGroupField if multiple select +* mvc: allow sorting JsonKeyValueStoreField by value +* ui: remember previous selected columns and row count on several MVC pages +* ui: apply alert reminders for several MVC pages +* ui: add failed callback to saveFormToEndpoint() +* ui: core theme color update +* ui: fix file size suffix (contributed by Fabian Franz) +* ui: add useRequestHandlerOnGet option +* ui: bootstrap 3.4.1 `[3] `__ +* src: netmap VirtIO, VLAN child and vmxnet support +* src: fix races in tun(4)/tap(4) drivers +* ports: squid 4.7 `[4] `__ +* ports: syslog-ng 3.21.1 `[5] `__ + +Known issues and limitations: + +* Filterlog spamming console due to new Syslog-ng integration. Temporary workaround is stopping filterlog via "pkill filterlog". +* OpenVPN no longer supports listening on gateway groups. Use localhost paired with port forwards instead. +* The web proxy login privilege is no longer available. Access may be restricted by a group selector instead. +* Web proxy squid update from version 3 to 4 breaks the cache database. To repair go to "Services: Web Proxy: Administration" tab "Support" and click "Reset". 
+* Nano images require a reinstall using the latest image to avoid inode shortage which makes the system appear to run out of space during recent 19.1.x updates. + +The public key for the 19.7 series is: + +.. code-block:: + + # -----BEGIN PUBLIC KEY----- + # MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAv2syLqN/IMuADI42aTXx + # HRbX3YljURN1dhhjYoqOc/7uZKVc7UJk79q49x8VZmC0edhHiNKfrhj5g3htsPgu + # N/eFsc1MZv+J2rfSF7L5NV3D5dU9nuBc75wb9SRIXm7XiiiuInMNRBlJsiFeiuJm + # oaE/zqgr75m+cc7sdNQnQQk9+APr4LdksX0bllRmxfhLjDKgiSVe+Yq9kje/JHyf + # je5i3MI9WT80o46IZc/oN4q9RG7n6gaIFBVckCwCKsnNZlDCvb1Sr0tdKs58fswj + # fxMvouMBf+Jk/0dOEZnoIFYb436H2CUfabiPX3Vm4r3MU4dr5m41WlCH/984cBKy + # QSM8h4nSAs/naj5c5YDe4qmwUBxwPIvJPVC/vuWLusyg1gYbloj3EIc1uv2YCkKw + # 0ra7Hocln3+7Jf2Yn/yn6yaCNdoJY2Blvo84giuklDqdBIKggDHSxGrLKDBshSR3 + # hapkFRoR7BhnoT14E8DMgD23g9tcwce1AJJ6mZ/DraBx5l11P1ZXLqnyCpvOt5oV + # HmMZ9/Xu0naPUC8IxVSNew8j3liPbc5oKV0kQ/TRQTevOBLJ8QA7Y5YdPu0cS4qw + # Jq3fGnsRt/0+i1Vs7q51KJLNECHyhWm6zYAfST22ohTUgo2ByoM8r0aRslmiG6JS + # +ancHD4lnnHRd+4ybevUft0CAwEAAQ== + # -----END PUBLIC KEY----- + +Please let us know about your experience! + + + +.. code-block:: + + # SHA256 (OPNsense-19.7.r1-OpenSSL-dvd-amd64.iso.bz2) = 5014dba896a425d15fbedcb44f2deec7fb5aee6a1b7c95833b819f8d352de6a1 + # SHA256 (OPNsense-19.7.r1-OpenSSL-nano-amd64.img.bz2) = b9d6ccbfdcb88f813a6494efb13647d1715500551c7dc51f632766b19189c6bc + # SHA256 (OPNsense-19.7.r1-OpenSSL-serial-amd64.img.bz2) = 86050bffa626247cfe0374d28994a52f9e10490b20a81539f5d2784676280c17 + # SHA256 (OPNsense-19.7.r1-OpenSSL-vga-amd64.img.bz2) = 3a7ae31f6429e519060a717b6248d13620a1e5caba43f44afaf4a7dd4e6634e6 + +.. 
code-block:: + + # SHA256 (OPNsense-19.7.r1-OpenSSL-dvd-i386.iso.bz2) = 4c0e54982d92279e7273c74cac183290e89219f75b4c1f55a42bad0331bdf321 + # SHA256 (OPNsense-19.7.r1-OpenSSL-nano-i386.img.bz2) = 5db5dfc0bfb15a593dae689b58e65d556e935c326741729ad37507a952a51426 + # SHA256 (OPNsense-19.7.r1-OpenSSL-serial-i386.img.bz2) = a20422c81c62c79264aec2cf83cb8734e2e0c954881200e6bc46d372f2432cf9 + # SHA256 (OPNsense-19.7.r1-OpenSSL-vga-i386.img.bz2) = f6ba92f987c024697e6599b72d905ac9a4fdcfe61c71e3f060dccf1efccd6d82 diff --git a/source/releases/CE_20.1.rst b/source/releases/CE_20.1.rst new file mode 100644 index 00000000..cb7c9d92 --- /dev/null +++ b/source/releases/CE_20.1.rst 
@@ -0,0 +1,628 @@ +=========================================================================================== +20.1 "Keen Kingfisher" Series +=========================================================================================== + + + +For over 5 years now, OPNsense is driving innovation through modularising +and hardening the open source firewall, with simple and reliable firmware +upgrades, multi-language support, HardenedBSD security, fast adoption of +upstream software updates as well as clear and stable 2-Clause BSD licensing. + +20.1, nicknamed "Keen Kingfisher", is a subtle improvement on sustainable +firewall experience. This release adds VXLAN and additional loopback device +support, IPsec public key authentication and elliptic curve TLS certificate +creation amongst others. Third party software has been updated to their +latest versions. The logging frontend was rewritten for MVC with seamless +API support. On the far side the documentation increased in quality as well +as quantity and now presents itself in a familiar menu layout. + +Download links, an installation guide `[1] `__ and the checksums for the images +can be found below as well. + +* Europe: https://opnsense.c0urier.net/releases/20.1/ +* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.1/ +* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.1/ +* South America: http://mirror.upb.edu.co/opnsense/releases/20.1/ +* South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/20.1/ +* Full mirror list: https://opnsense.org/download/ + + +-------------------------------------------------------------------------- +20.1.9 (July 23, 2020) +-------------------------------------------------------------------------- + + +20.7-RC1 is already available and the final release of 20.7 is scheduled +for July 30. 
A hotfix release for 20.1.9 will enable the upgrade path +some hours after the initial 20.7 announcement is out, but please note +that updated 32-bit builds (also known as i386) will no longer be available +from this day forward. + +Here are the full patch notes: + +* system: Windows-friendly Nextcloud configuration backup file timestamp (contributed by @Alphakilo) +* firewall: validate if NAT destination contains a port +* firewall: prevent config_read_array() from adding an empty lo0 +* network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by @mikahe) +* network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by @mikahe) +* mvc: LegacyLinkField not allowed to return null in __toString() +* plugins: os-collectd 1.3 `[1] `__ +* plugins: os-dyndns 1.22 `[2] `__ +* plugins: os-telegraf 1.8.1 `[3] `__ +* plugins: os-theme-rebellion 1.8.6 (contributed by Team Rebellion) +* plugins: os-tinc fixes switch mode `[4] `__ +* plugins: os-wireguard 1.2 `[5] `__ +* ports: ca_root_nss 3.54 +* ports: curl 7.71.1 `[6] `__ +* ports: dnsmasq 2.82 `[7] `__ +* ports: monit 5.27.0 `[8] `__ +* ports: php 7.3.20 `[9] `__ +* ports: python 3.7.8 `[10] `__ +* ports: sqlite 3.32.3 `[11] `__ +* ports: syslog-ng 3.27.1 `[12] `__ + +A hotfix release was issued as 20.1.9_1: + +* firmware: enable upgrade path to 20.7 (amd64 only) + + + +-------------------------------------------------------------------------- +20.1.8 (July 02, 2020) +-------------------------------------------------------------------------- + + +Sorry about the delay while we chased a race condition in the updates back +to an issue with the latest FreeBSD package manager updates. For now we +reverted to our current version but all relevant third party packages have +been updated as updates became available over the last weeks, e.g. cURL and +Python, and hostapd / wpa_supplicant amongst others. 
+ +Here are the full patch notes: + +* system: simpler get_interface_ip() usage in IPv4 renewal +* system: allow HA sync of network time settings +* system: download all filtered items in log export +* system: add support for upstream LDAP accounts in Nextcloud backup (contributed by Fabian Franz) +* interfaces: fix stateless DHCPv6 for track6 interfaces (contributed by Maurice Walker) +* firewall: fix missing address filter error by moving NAT targets to runtime resolve +* firewall: prevent gateway protocol mismatch from breaking the ruleset +* firewall: work around categories typeahead issue with recent jQuery libraries +* firewall: improve alias help text (contributed by Team Rebellion) +* firewall: switch from single log filter to one per attribute +* intrusion detection: when enabling rules prefixed with "# " consume the extra space (contributed by Tra5is) +* intrusion detection: less sensitive rule parsing +* intrusion detection: compress stats.log backups +* ipsec: valid IPSec Phase 2 hash config warning raises GUI alert (contributed by Brett Merrick) +* unbound: add DNS64 support (contributed by Maurice Walker) +* web proxy: fix wrong button label for Download ACLs (contributed by 90er) +* mvc: add sort_flags optional parameter support (contributed by NOYB) +* rc: add full PATH to rc.syshook invoke +* plugins: os-acme-client `[1] `__ `[2] `__ +* plugins: os-dnscrypt-proxy 1.8 `[3] `__ +* plugins: os-dyndns 1.21 improves Cloudflare support (contributed by Andreas Rupper) +* plugins: os-freeradius 1.9.7 `[4] `__ +* plugins: os-haproxy 2.23 `[5] `__ +* plugins: os-intrusion-detection-content-snort-vrt 1.1 +* plugins: os-stunnel 1.0 `[6] `__ (sponsored by Incenter Technology) +* plugins: os-tayga 1.1 `[7] `__ +* plugins: os-theme-rebellion 1.8.4 `[8] `__ +* ports: ca_root_nss 3.53 +* ports: curl 7.71.0 `[9] `__ +* ports: hostapd / wpa_supplicant UPnP SUBSCRIBE advisory `[10] `__ +* ports: krb5 1.18.2 `[11] `__ +* ports: ntp 4.2.8p15 `[12] `__ +* ports: pcre 
8.44 `[13] `__ +* ports: perl 5.30.3 `[14] `__ +* ports: php 7.3.19 `[15] `__ +* ports: python CVE-2019-18348 and CVE-2020-8492 +* ports: sqlite 3.32.2 `[16] `__ +* ports: sudo 1.9.1 `[17] `__ +* ports: unbound 1.10.1 `[18] `__ + +A hotfix release was issued as 20.1.8_1: + +* ipsec: fix status page display after third party library update +* plugins: os-dyndns fix for TTL validation (contributed by Andreas Rupper) + + + +-------------------------------------------------------------------------- +20.1.7 (May 20, 2020) +-------------------------------------------------------------------------- + + +Today we move to PHP 7.3 in order to be able to complete testing for the +20.7-BETA online upgrades. Also included is a patch for the packet filter +kernel code which could crash with shared forwarding when interfaces +disappeared due to use after free in the default network stack path. + +Here are the full patch notes: + +* system: default net.inet.icmp.reply_from_interface to 1 +* system: fix static gateway wizard handing +* firewall: allow outbound NAT source and destination port ranges +* interfaces: use interfaces_primary_address6() inside get_interface_ipv6() +* dhcp: add AdvLinkMTU to router advertisements settings (contributed by Ilteris Eroglu) +* unbound: prevent wildcard domains for the local system domain +* backend: suppress inconsequential IDNA warnings for aliases +* backend: add option to return a key value list for TLS ciphers +* mvc: reference constraint pointing validation results to the wrong field +* plugins: os-acme-client 1.32 adds Acmeproxy DNS support (contributed by Maarten den Braber) +* src: added Novatel Wireless MiFi 8800/8000 support (contributed by rootless4real) +* src: fix pf shared forwarding on non-existing interfaces +* src: patch in tty 3wire autologin support +* src: fix insufficient packet length validation in libalias `[1] `__ +* src: fix memory disclosure vulnerability in libalias `[2] `__ +* src: fix improper checking in SCTP-AUTH 
shared key update `[3] `__ +* src: fix use after free in cryptodev module `[4] `__ +* src: update to tzdata 2020a `[5] `__ +* ports: ca_root_nss 3.52 +* ports: curl 7.70.0 `[6] `__ +* ports: dhcp6c v20200512 +* ports: hyperscan 5.2.1 `[7] `__ +* ports: openldap 2.4.50 `[8] `__ +* ports: pcre2 10.35 `[9] `__ +* ports: php 7.3.18 `[10] `__ + + + +-------------------------------------------------------------------------- +20.1.6 (April 30, 2020) +-------------------------------------------------------------------------- + + +Quick update as planned. Here are the full patch notes: + +* system: add data length option to gateway monitor settings +* firewall: avoid greedy matching with live log parsing regression from 20.1.5 +* firmware: detect runtime defaults when using "make upgrade" with core.git +* firmware: clean up packaging code and support ".link" file extension +* firmware: use CORE_FLAVOUR instead of FLAVOUR when using opnsense-bootstrap +* firmware: enable to optionally reach master branch when using opnsense-boostrap +* firmware: allow overriding CORE_ABI when using opnsense-bootstrap +* firmware: copy make.conf instead of linking when using opnsense-code +* firmware: always fetch tools.git when using opnsense-code +* rc: use "onifexists" for VGA TTY instead of "on" +* rc: missing ntpd user on 20.7 / 12.1 +* plugins: os-unbound-plus DoT validation fix (contributed by Michael Muenz) +* src: fix ipfw invalid mbuf handling `[1] `__ +* ports: libyaml 0.2.4 `[2] `__ +* ports: openssl 1.1.1g `[3] `__ +* ports: py-yaml 5.3.1 `[4] `__ +* ports: radvd 2.18 `[5] `__ +* ports: sqlite 3.31.1 `[6] `__ +* ports: squid 4.11 `[7] `__ +* ports: suricata 4.1.8 `[8] `__ + + + +-------------------------------------------------------------------------- +20.1.5 (April 23, 2020) +-------------------------------------------------------------------------- + + +Today ships the first release version of the supplemental firewall rule +API via plugin, a new firewall shaper statistics GUI 
and API and the usual +number of improvements and third party updates. + +Note that this version does not ship OpenSSL 1.1.1g as at this point our +release decision would have been to push 20.1.5 to next week or do a +smaller 20.1.6 next week on top. + +Here are the full patch notes: + +* system: support configuration for SSH HostKeyAlgorithms, KexAlgorithms, Ciphers and MACs +* system: simplify validations in gateway monitor settings +* interfaces: mark VXLAN and loopback devices as configurable +* interfaces: validation typo caused failure to communicate unassignable targets +* interfaces: netstat tree view GUI and API +* interfaces: use libxo to extract ARP data +* firewall: checkbox selection ignores visibility setting +* firewall: add network group type to combine aliases cleanly +* firewall: IPv6 essential icmpv6 allow for :: +* firewall: new shaper statistics GUI and API +* firewall: support filter log messages with PID +* reporting: when flow times are not returned stick to receive timestamp +* openvpn: use multihome when selecting "any" interface with UDP +* unbound: create shared startup script for background task +* mvc: also store "" field value as initial state to prevent empty fields as being marked as changed +* mvc: firewall source NAT ranges support in plugins +* mvc: keep options in static set for PortField +* mvc: support interface targets without addresses +* mvc. 
add "migration_prefix" attribute to model +* mvc: catch ArgumentCountError +* mvc: skip empty gateway artefact +* plugins: os-acme-client 1.31 `[1] `__ +* plugins: os-firewall 1.0 API supplemental package +* plugins: os-haproxy 2.22 `[2] `__ +* plugins: os-unbound-plus 1.1 `[3] `__ +* plugins: os-wol 2.3 adds case insensitive matching in widget (contributed by Gauss23) +* ports: ca_root_nss 3.51.1 +* ports: dnsmasq 2.81 `[4] `__ +* ports: krb5 1.18.1 `[5] `__ +* ports: openvpn 2.4.9 `[6] `__ +* ports: php 7.2.30 `[7] `__ +* ports: py-certifi 2020.4.5.1 +* ports: strongswan 5.8.4 `[8] `__ + + + +-------------------------------------------------------------------------- +20.1.4 (April 08, 2020) +-------------------------------------------------------------------------- + + +It almost looks like business as usual. But we all know it is not. +We will get through this together. + +Here are the full patch notes: + +* system: add missing strtolower() in LDAP sync response +* system: fix /var/run/legacy_log socket creation race with Syslog-ng +* system: add info button to display privilege / ACL endpoints +* system: make IPsec tap tunables overwriteable +* firewall: floating means either all interfaces or more than one selected +* firewall: simplify group maintenance by only applying them on filter reload +* interfaces: use primary IPv6 and support VIP tracking +* interfaces: multiple changes in radvd.conf setup (contributed by maurice-w) +* dhcp: fix DDNS support in DHCPv6 (contributed by Wagner Sartori Junior) +* firmware: mirror opnsense.ieji.de renamed to opn.sense.nz +* openvpn: improve openvpn_port_used() logic +* unbound: minor cleanup in /api/unbound/diagnostics/stats endpoint +* unbound: remove 192.0.0.0/24 from rebinding prevention list (contributed by maurice-w) +* mvc: simplify reload of captive portal, cron, IDS, alias, loopback, VXLAN, web proxy, routes, syslog and shaper +* mvc: limit dropdown size to 10 if not specified +* mvc: support inheritance of the 
ArrayField type +* mvc: synchronize backup timestamps with revisions +* mvc: fixed width for timestamp column in logging +* mvc: init errorMessage to prevent crash reports +* shell: use interfaces_primary_address6() for correct IPv6 display +* shell: append a newline in pluginctl -g mode +* plugins: os-acme-client 1.30 `[1] `__ +* plugins: os-bind 1.13 `[2] `__ +* plugins: os-freeradius 1.9.6 `[3] `__ +* plugins: os-haproxy 2.21 `[4] `__ +* plugins: os-maltrail 1.5 `[5] `__ +* plugins: os-nginx 1.19 `[6] `__ +* plugins: os-nut 1.7 `[7] `__ +* plugins: os-postfix 1.14 `[8] `__ +* plugins: os-tayga 1.0 (contributed by Michael Muenz) +* plugins: os-telegraf 1.7.7 `[9] `__ +* plugins: os-unbound-plus 1.0 (contributed by Michael Muenz and Petr Kejval) +* lang: multiple updates to supported languages +* lang: new Turkish translation (contributed by Aydin Yakar) +* src: work around PCI devices which return all zeros for reads of existing MSI-X table VCTRL registers +* src: fix incorrect checksum calculations with IPv6 extension headers `[10] `__ +* src: fix TCP IPv6 SYN cache kernel information disclosure `[11] `__ +* src: fix insufficient oce(4) ioctl(2) privilege checking `[12] `__ +* src: fix incorrect user-controlled pointer use in epair `[13] `__ +* src: fix kernel memory disclosure with nested jails `[14] `__ +* ports: curl 7.69.1 `[15] `__ +* ports: krb5 1.18 `[16] `__ +* ports: openssh 8.2p1 `[17] `__ +* ports: openssl 1.1.1f `[18] `__ +* ports: perl 5.30.2 `[19] `__ +* ports: php 7.2.29 `[20] `__ +* ports: python 3.7.7 `[21] `__ +* ports: strongswan 5.8.3 `[22] `__ +* ports: sudo 1.8.31p1 `[23] `__ + + + +-------------------------------------------------------------------------- +20.1.3 (March 18, 2020) +-------------------------------------------------------------------------- + + +Quick reliability release for all of you out there doing the impossible +providing VPN for road warriors and what not. Keep it up! 
:) + +Here are the full patch notes: + +* system: match group CN case-insensitive +* system: added pluggable log format parsing facility +* system: update nsComment in OpenSSL config (contributed by vnxme) +* interfaces: fix missing default gateway switch on linkup event +* firewall: properly lock alias_util API (contributed by Cedric Deconinck) +* firewall: flush priority sections to /tmp/rules.debug +* firewall: do not escape internal URLs +* firmware: revoke 19.7 fingerprint +* ipsec: add virtual IPv6 pool for mobile clients (contributed by vnxme) +* ipsec: add MVC service control API +* monit: simplify Monit reload +* openvpn: properly swapped help texts regarding routes +* unbound: multiple fixes in DHCP watcher +* mvc: fix CountryField for static options +* mvc: extend PortField to support multiple items +* mvc: BaseListField plus PortField now use getValidationMessage() to bootstrap defaults +* mvc: add NetworkAliasField, ProtocolField and LegacyLinkField types +* mvc: apply PSR12 style as found on master +* ui: add jQuery plugin to support a simple service reload/action button +* ui: hook bootgrid javascript texts +* plugins: os-munin-node 1.0 (contributed by Michael Muenz) +* plugins: os-sunnyvalley 1.2 (contributed by Sunny Valley +* plugins: os-wol: relax MAC address validation (contributed by Mikael Falkvidd) +* ports: ca_root_nss 3.51 +* ports: ntp 4.2.8p14 `[1] `__ + + +-------------------------------------------------------------------------- +20.1.2 (March 05, 2020) +-------------------------------------------------------------------------- + + +Today we pick up the recent FreeBSD security advisories as well as +the usual noise in bugfixes and third party updates. We are also at +the brink of a first HardenedBSD 12.1 based image so stay tuned. 
+ +Here are the full patch notes: + +* system: fix leap year issue in new log reader +* system: add valid from and to dates to user certs display +* system: drop unused services.inc and diag_logs_template.inc +* interfaces: make sure descriptions are properly cleansed +* interfaces: introduce interfaces_primary_address6() +* interfaces: validate interface input in packet capture +* firewall: immediately download GeoIP if not already found +* firewall: improve performance when working with large number of aliases +* firewall: fix visibility on internal CARP rules +* captive portal: fix expiry and validity for vouchers (contributed by xx4h) +* dhcp: fix DNS registration for DHCPv6 static mappings (contributed by maurice-w) +* dhcp: add icons next to online/offline lease status (contributed by Tyler Ham) +* ipsec: allow configuration of inactivity parameter (contributed by Marcel Menzel) +* unbound: minor changes while scanning ACL subnets +* web proxy: work around to skip passing additional auth properties +* backend: allow pluginctl to return config.xml values +* console: improve type checks in set address function +* rc: join CARP early startup scripts +* plugins: os-dnscrypt-proxy fix for setup.sh on reboot +* plugins: os-dyndns 1.20 fixes verify restrictions, GratisDNS and missing break for Linode (contributed by NOYB, Johan Pramming, Andrew Gunnerson) +* plugins: os-maltrail 1.4 `[1] `__ +* plugins: os-nrpe fix for setup.sh on reboot +* plugins: os-tinc 1.5 fixes bug in IPv6 support (contributed by vnxme) +* src: fix imprecise ordering of SSP canary initialization `[2] `__ +* src: fix nmount invalid pointer dereference `[3] `__ +* src: fix libfetch buffer overflow `[4] `__ +* src: fix kernel stack data disclosure `[5] `__ +* ports: ca_root_nss 3.50 +* ports: php 7.2.28 `[6] `__ +* ports: squid 4.10 `[7] `__ +* ports: suricata 4.1.7 `[8] `__ +* ports: syslog-ng 3.25.1 `[9] `__ +* ports: unbound 1.10.0 `[10] `__ + + + 
+-------------------------------------------------------------------------- +20.1.1 (February 13, 2020) +-------------------------------------------------------------------------- + + +A tiny update to keep everyone happy. :) + +Here are the full patch notes: + +* system: increase size of user SSH key input box +* system: fix faulty PPP log link in the menu +* system: fix a PHP warning on the general settings page +* interfaces: update maximum MTU for 10Gb NICs (contributed by Len White) +* firewall: fix rule statistics display for rules using tagging +* reporting: fix missing separator in NetFlow configuration +* firmware: add Quantum mirror in Hungary +* openvpn: fix ifconfig-ipv6-push format +* plugins: os-dnscrypt-proxy 1.7 `[1] `__ +* plugins: os-net-snmp 1.4 `[2] `__ +* plugins: os-nginx 1.18 `[3] `__ +* plugins: os-theme-vicuna 1.0 (contributed by Team Rebellion) +* ports: lighttpd 1.4.55 `[4] `__ +* ports: openldap 2.4.49 `[5] `__ +* ports: pkg libfetch security fix `[6] `__ +* ports: sudo 1.8.31 `[7] `__ + + + +-------------------------------------------------------------------------- +20.1 (January 30, 2020) +-------------------------------------------------------------------------- + + +For over 5 years now, OPNsense is driving innovation through modularising +and hardening the open source firewall, with simple and reliable firmware +upgrades, multi-language support, HardenedBSD security, fast adoption of +upstream software updates as well as clear and stable 2-Clause BSD licensing. + +20.1, nicknamed "Keen Kingfisher", is a subtle improvement on sustainable +firewall experience. This release adds VXLAN and additional loopback device +support, IPsec public key authentication and elliptic curve TLS certificate +creation amongst others. Third party software has been updated to their +latest versions. The logging frontend was rewritten for MVC with seamless +API support. 
On the far side the documentation increased in quality as well +as quantity and now presents itself in a familiar menu layout. + +Download links, an installation guide `[1] `__ and the checksums for the images +can be found below as well. + +* Europe: https://opnsense.c0urier.net/releases/20.1/ +* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.1/ +* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.1/ +* South America: http://mirror.upb.edu.co/opnsense/releases/20.1/ +* South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/20.1/ +* Full mirror list: https://opnsense.org/download/ + +These are the most prominent changes since version 19.7: + +* Captive portal performance improvements +* IPsec public key authentication support +* Elliptic curve TLS certificate creation +* CARP service demotion hook +* VXLAN device support +* Loopback device support +* Extended firmware health audit checks +* Support direction and non-quick on interface rules +* Logging frontend migrated to MVC / API +* PSR 12 coding style +* Documentation for all core components +* Python 3.7 is now the default Python version +* LibreSSL 3.0 and OpenSSL 1.1.1 +* Google Backup API 2.4 +* jQuery 3.4.1 + +And here are the full patch notes against version 20.1-RC1: + +* installer: welcome users as genuine 20.1 installer +* rc: revert growfs change since Nano does not grow anymore +* plugins: os-mail-backup 1.1 `[2] `__ +* plugins: os-nrpe 1.0 (contributed by Michael Muenz) +* plugins: os-theme-rebellion 1.8.3 (contributed by Team Rebellion) +* plugins: os-vnstat 1.2 `[3] `__ +* plugins: zabbix4-proxy 1.2 `[4] `__ +* ports: ca_root_nss 3.49.2 +* ports: curl 7.68.0 `[5] `__ +* ports: isc-dhcp 4.4.2 `[6] `__ +* ports: php 7.2.27 `[7] `__ +* ports: urllib3 1.27.7 `[8] `__ + +Known issues and limitations: + +* HardenedBSD 12.1 has been postponed to the next major release +* Legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp have been deprecated and will no longer 
receive updates +* To prevent stale configuration files for remote syslog we advise to setup the new targets first `[9] `__ and disable the old ones under System: Settings: Logging +* i386 has not been deprecated for the time being ;) + +The public key for the 20.1 series is: + +.. code-block:: + + # -----BEGIN PUBLIC KEY----- + # MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0oYxXjva1d2TC/jQ/ygT + # GNB2QM2Flhq1CKwYKioT6kuKCelmG/vDRVYGs2VwBeshl53qnnob3rrCVtuS84VG + # C8n0i7bWsVWuOCaPzVCOua7MyxQNDItwA5D18SrmDbs07JE9XD30cX36Lvyq8GvZ + # bjk3AnHHqefR6F7fMGjDNPE3JofyLXEXN7TiH/Wk1MmBm3TXMJ4q63qa/clbY5zT + # jd2k1dtKWy23CcBKfxplu8HycqdQLCRl4o9+qdq7OQ8v9VT5dPIJcJodCvX9hAf7 + # AUAMqsP3e6AyDM7iQcEkJiwAiytFAawyEIVOECxhEA+NpXHykd4G/00f5jGB259X + # /A8ARhjyT3zadjgXTIcEEBe5YTmxZrrKvWud4PguBTQOo9+XpI0H8A+IcoZ9AXQT + # J/IDBZJjsdSLspLPzLiwVQk9JrVylMLeyXCbtGCBZ8FOXyffceNQQl119ubkAZkx + # +NvioMIYQ+8rX0vn0njJfot+GQh0ezadlzuAmBBsGD8EtMCj92l/7zOyGucG+dCW + # kIv1yX0IOKeaNBZR3GDJJoyj5hFnoxkj2aNbuWjetg5MvpjBMl/h44brjL93m8PK + # GUhwcEPqcwu4ngu12O6vEeJW4vAbFlEznvgxmwJhMQf1/R8SUmKmAiprWKnY/w0E + # VHzlx7aRoGcRnnPs71DeloMCAwEAAQ== + # -----END PUBLIC KEY----- + + + +.. code-block:: + + # SHA256 (OPNsense-20.1-OpenSSL-dvd-amd64.iso.bz2) = 4b15e9b3d72732d325c5eaf46ba34575d4de8cdc3e3ac1b10666c7372563be6d + # SHA256 (OPNsense-20.1-OpenSSL-nano-amd64.img.bz2) = 27544a78ae03d480a483cfd2e7cfa703b60e50938a1ed188ec3ccde6c426fefe + # SHA256 (OPNsense-20.1-OpenSSL-serial-amd64.img.bz2) = f93bbcbe92059c5de49f22d485da292952b48658a28d1cdaf83191e8c95c03c2 + # SHA256 (OPNsense-20.1-OpenSSL-vga-amd64.img.bz2) = 019a877c4b4cb96cfda62d041774a91c030c5a8ecd58f8c3fd0067c7ac392982 + +.. 
code-block:: + + # SHA256 (OPNsense-20.1-OpenSSL-dvd-i386.iso.bz2) = 36146d0a066d9d696433599487e2a538ee5575a6b3d631293ad9e14e5fbbc6e0 + # SHA256 (OPNsense-20.1-OpenSSL-nano-i386.img.bz2) = 0980f49d1b3445505fd1db27ab070886a706388d3aa16d7c8d953f279b7e3b11 + # SHA256 (OPNsense-20.1-OpenSSL-serial-i386.img.bz2) = 322adbafe331ef7232c08d839a6f355ee633f5a662009b1801ebad0edab03d73 + # SHA256 (OPNsense-20.1-OpenSSL-vga-i386.img.bz2) = 8bdd109015d7d54d382c7293bdf8fac6397a6c2e37662b73647c276e98c19d64 + +-------------------------------------------------------------------------- +20.1.r1 (January 24, 2020) +-------------------------------------------------------------------------- + + +For over 5 years now, OPNsense is driving innovation through modularising +and hardening the open source firewall, with simple and reliable firmware +upgrades, multi-language support, HardenedBSD security, fast adoption of +upstream software updates as well as clear and stable 2-Clause BSD licensing. + +We thank all of you for helping test, shape and contribute to the project! +We know it would not be the same without you. + +Download links, an installation guide `[1] `__ and the checksums for the images +can be found below as well. 
+ +* Europe: https://opnsense.c0urier.net/releases/20.1/ +* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.1/ +* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.1/ +* South America: http://mirror.upb.edu.co/opnsense/releases/20.1/ +* South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/20.1/ +* Full mirror list: https://opnsense.org/download/ + +Here are the full patch notes against 19.7.9_1: + +* system: support for manually removing static route entries +* system: migrated logging to MVC +* system: regenerate default DH parameters +* system: randomize session ID in test cookie +* system: remove legacy XMLRPC push on changes +* system: deprecate the use of services.inc +* system: opt-out on "Allow DNS server list to be overridden by DHCP/PPP on WAN" for selected interfaces +* system: increase PHP memory limit to 512 MB +* system: opnsense-auth can now respond with extended properties in JSON on successful authentication +* interfaces: loopback device support +* interfaces: VXLAN device support +* interfaces: first steps toward fully pluggable device infrastructure +* interfaces: remove default load of netgraph framework on bootup +* interfaces: interfaces: move description into top block and rename titles +* interfaces: only trigger newwanip event for affected interfaces +* firmware: revoke 19.1, trust 20.1 fingerprint +* firmware: new mirror in Zurich, CH contributed by ServerBase AG +* firmware: add live search to mirror selection +* dhcp: add OMAPI configuration support (contributed by Yuri Moens) +* ipsec: add configurable dpdaction (contributed by Marcel Menzel) +* ipsec: refactor tunnel settings page +* unbound: add options for logging queries and extended statistics (contributed by Flightkick) +* mvc: BaseListField ignoring empty selected field +* ui: jQuery 3.4.1 +* plugins: os-dyndns 1.19 adds dynv6 and Azure DNS support (contributed by Ralf Zerres and martgras) +* plugins: os-haproxy 2.20 `[2] `__ +* 
plugins: os-zabbix-agent 1.7 `[3] `__ `[4] `__ +* ports: ca_root_nss 3.49.1 +* ports: curl 7.68.0 `[5] `__ +* ports: openssl 1.1.1d `[6] `__ + +Known issues and limitations: + +* HardenedBSD 12.1 has been postponed to the next major release +* Nano growfs does not work on this release candidate, but a fix for 20.1 already exists +* Installer still advertises 19.7, but a fix for 20.1 already exists +* Legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp have been deprecated and will no longer receive updates +* i386 has not been deprecated for the time being ;) + +The public key for the 20.1 series is: + +.. code-block:: + + # -----BEGIN PUBLIC KEY----- + # MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0oYxXjva1d2TC/jQ/ygT + # GNB2QM2Flhq1CKwYKioT6kuKCelmG/vDRVYGs2VwBeshl53qnnob3rrCVtuS84VG + # C8n0i7bWsVWuOCaPzVCOua7MyxQNDItwA5D18SrmDbs07JE9XD30cX36Lvyq8GvZ + # bjk3AnHHqefR6F7fMGjDNPE3JofyLXEXN7TiH/Wk1MmBm3TXMJ4q63qa/clbY5zT + # jd2k1dtKWy23CcBKfxplu8HycqdQLCRl4o9+qdq7OQ8v9VT5dPIJcJodCvX9hAf7 + # AUAMqsP3e6AyDM7iQcEkJiwAiytFAawyEIVOECxhEA+NpXHykd4G/00f5jGB259X + # /A8ARhjyT3zadjgXTIcEEBe5YTmxZrrKvWud4PguBTQOo9+XpI0H8A+IcoZ9AXQT + # J/IDBZJjsdSLspLPzLiwVQk9JrVylMLeyXCbtGCBZ8FOXyffceNQQl119ubkAZkx + # +NvioMIYQ+8rX0vn0njJfot+GQh0ezadlzuAmBBsGD8EtMCj92l/7zOyGucG+dCW + # kIv1yX0IOKeaNBZR3GDJJoyj5hFnoxkj2aNbuWjetg5MvpjBMl/h44brjL93m8PK + # GUhwcEPqcwu4ngu12O6vEeJW4vAbFlEznvgxmwJhMQf1/R8SUmKmAiprWKnY/w0E + # VHzlx7aRoGcRnnPs71DeloMCAwEAAQ== + # -----END PUBLIC KEY----- + +Please let us know about your experience! + + + +.. 
code-block:: + + # SHA256 (OPNsense-20.1.r1-OpenSSL-dvd-amd64.iso.bz2) = fed43e5cc5092da5adcfcb2ccdddf51a1cea6a69f06b764fcd9c3d36e0705d4a + # SHA256 (OPNsense-20.1.r1-OpenSSL-nano-amd64.img.bz2) = bf825455cc09e2a410cbe702a0c1c5b454546c476c7e90ae87ab64fc3eee6a78 + # SHA256 (OPNsense-20.1.r1-OpenSSL-serial-amd64.img.bz2) = 906103fb4cc3e573a9e2d560a6365baa7162077b8933a253bb45fd23a154dd87 + # SHA256 (OPNsense-20.1.r1-OpenSSL-vga-amd64.img.bz2) = 3308412597f5b95f9b9e854ddbeb5f49735109d846af553dbe2553dedf73cb9b + +.. code-block:: + + # SHA256 (OPNsense-20.1.r1-OpenSSL-dvd-i386.iso.bz2) = a110e2ed48228d918909daca5d93d8acafccdc4426e3e928d8561f7ad4180289 + # SHA256 (OPNsense-20.1.r1-OpenSSL-nano-i386.img.bz2) = 201b757b0d719e8f3c4aa473b414005a5544a4b1553ca9d79c1743610d67b460 + # SHA256 (OPNsense-20.1.r1-OpenSSL-serial-i386.img.bz2) = 74a8f6bc5cdf885f5ff906ad2dfd05584f8e217212f90cd2e3a3269a5a9b604a + # SHA256 (OPNsense-20.1.r1-OpenSSL-vga-i386.img.bz2) = 1779ca5aeb37d2d97bd7e053421d64206b27189db74711600b93e458d858caff diff --git a/source/releases/CE_20.7.rst b/source/releases/CE_20.7.rst new file mode 100644 index 00000000..3cc78704 --- /dev/null +++ b/source/releases/CE_20.7.rst 
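Review bot: CE_20.1.rst arrives as a brand-new 628-line file (`new file mode 100644`, `@@ -0,0 +1,628 @@`) rather than as a rename, so `git log --follow` and blame for these release notes stop at this commit; if this text previously lived under another path in source/releases, moving it with `git mv` and adding the edition-specific file separately keeps the history intact. While the text is being touched, three small defects in the copied notes are worth fixing: `* mvc. add "migration_prefix" attribute to model` in 20.1.5 uses a period where every other bullet uses the `mvc:` prefix, `* plugins: os-sunnyvalley 1.2 (contributed by Sunny Valley` in 20.1.3 is missing its closing parenthesis, and `* firmware: enable to optionally reach master branch when using opnsense-boostrap` in 20.1.6 misspells opnsense-bootstrap (20.1.7 also has "wizard handing" for "handling"). The 20.1 series public key and the 20.1 intro paragraph are each pasted twice verbatim (top of file and the 20.1 section; the 20.1 and 20.1.r1 sections); pulling the key into one `.. literalinclude::` or a substitution avoids the two copies of key material drifting apart on later edits.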
@@ -0,0 +1,629 @@ +=========================================================================================== +20.7 "Legendary Lion" Series +=========================================================================================== + + + +For five and a half years, OPNsense is driving innovation through modularising +and hardening the open source firewall, with simple and reliable firmware +upgrades, multi-language support, HardenedBSD security, fast adoption of +upstream software updates as well as clear and stable 2-Clause BSD licensing. + +20.7, nicknamed "Legendary Lion", is a major operating system jump forward on +a sustainable firewall experience. This release adds DHCPv6 multi-WAN, custom +error pages for the web proxy, Suricata 5, HardenedBSD 12.1, netstat tree view, +basic firewall API support (via plugin) and extended live log filtering amongst +others. + +Download links, an installation guide `[1] `__ and the checksums for the images +can be found below as well. + +* Europe: https://mirrors.dotsrc.org/opnsense/releases/20.7/ +* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.7/ +* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.7/ +* South America: https://mirror.venturasystems.tech/opnsense/releases/20.7/ +* Australia: http://mirror.as24220.net/opnsense/releases/20.7/ +* Full mirror list: https://opnsense.org/download/ + + +-------------------------------------------------------------------------- +20.7.8 (January 19, 2021) +-------------------------------------------------------------------------- + + +The particular volume of this stable update foreshadows the end of the 20.7 +series in less than two weeks. + +One longstanding issue with radvd on FreeBSD 12.1 has been resolved according +to multiple user feedback. + +The mailing lists have been archived and will no longer be used. + +And before there are questions: yes, consumers of the development version are +now able to upgrade to 21.1-RC1. 
+ +Here are the full patch notes: + +* system: allow to recover from bad TLS certificate and/or bad settings in console interface assign +* system: display destination port number in firewall log widget (contributed by Team Rebellion) +* system: keep compatible TLS 1 defaults for web GUI on 20.7 series +* system: set default certificate lifetime to 397 days +* firewall: add type 128 to outgoing IPv6 RFC4890 requirements +* firewall: add manual refresh button to live log +* firewall: fix typo in ICMPv6 validation +* firewall: fix minor regression in maintaining target alias file +* firewall: fix all state value in pfTop (contributed by Lucas Held) +* firewall: remove duplicated destination field in live log +* firewall: add read-only actions to aliases permission (contributed by Manuel Faux) +* firewall: category selector missing caption +* reporting: add top talkers to revamped traffic graph page +* reporting: fix name resolution filter change in insight +* reporting: persist interface selection on traffic graph page +* captive portal: disable faulty TLS on HTTP since lighttpd 1.4.56 +* dhcp: fix sorting of IPv6 static mappings (contributed by vnxme) +* dhcp: fix incorrect parsing of DUID (contributed by Matt Holgate) +* firmware: opnsense-code now updates the current directory if nothing was specified +* firmware: opnsense-code now uses flexible make.conf target from tools.git +* firmware: opnsense-update now supports snapshot access via -z option +* firmware: opnsense-update now fixes missing dependencies on the fly +* firmware: fix some issues with missing repository on server +* firmware: add version output and date to audit logs +* ipsec: display remote host in status overview (contributed by garlic17) +* opendns: add standalone mode +* openssh: honour MAX_LISTEN_SOCKS +* openvpn: set default certificate lifetime to 397 days in wizard +* unbound: generate all configuration files in service controller +* unbound: fix broken lines in large files (contributed by 
kulikov-a) +* web proxy: lock ACL download to prevent duplicate execution +* mvc: allow underscore in filter string (contributed by kulikov-a) +* plugins: os-haproxy 2.26 `[1] `__ +* plugins: os-hw-probe 1.0 (contributed by Michael Muenz) +* plugins: os-maltrail fixes sensor start without server (contributed by Julio Camargo) +* plugins: os-nginx 1.20 `[2] `__ +* plugins: os-tinc fixes for latest version (contributed by vnxme) +* src: fix OpenSSL NULL pointer de-reference `[3] `__ +* src: fix partial scrub of multicast packages +* src: free full mbuf chains in iflib when draining transmit queues +* src: initialize oifp to avoid bogus results/panics in edge cases +* src: 10Gigabit Ethernet driver for AMD SoC +* ports: libressl 3.2.3 `[4] `__ `[5] `__ +* ports: nss 3.60.1 +* ports: php 7.3.26 `[6] `__ +* ports: pkg fix for shell keyword by opening root file descriptor +* ports: radvd 2.19 `[7] `__ +* ports: sudo 1.9.5p1 `[8] `__ + +A hotfix release was issued as 20.7.8_4: + +* firmware: enable upgrade path to 21.1 +* ports: sudo 1.9.5p2 `[9] `__ + + + +-------------------------------------------------------------------------- +20.7.7 (December 17, 2020) +-------------------------------------------------------------------------- + + +Important security updates inside. Also: happy holidays! 
+ +Here are the full patch notes: + +* reporting: fix traffic graph widget link issue +* system: simplify log format parsing +* interfaces: fix DUID LL description (contributed by Gabriel Mazzocato) +* unbound: fix dnsbl not reloading after update +* plugins: os-acme-client 2.2 `[1] `__ +* plugins: os-freeradius 1.9.9 `[2] `__ +* plugins: os-frr 1.20 `[3] `__ +* plugins: os-tinc 1.6 enables multiple addresses per host (contributed by ElNounch) +* plugins: os-wireguard 1.4 `[4] `__ +* ports: curl 7.74.0 `[5] `__ +* ports: dhcp6c ignores advertise messages with none of requested data and missed status codes +* ports: libressl 3.1.5 `[6] `__ +* ports: lighttpd 1.4.56 `[7] `__ +* ports: nss 3.60 `[8] `__ +* ports: openssl 1.1.1i `[9] `__ +* ports: pcre2 10.36 `[10] `__ +* ports: sudo 1.9.4 `[11] `__ +* ports: sqlite 3.34.0 `[12] `__ +* ports: unbound 1.13.0 `[13] `__ + +A hotfix release was issued as 20.7.7_1: + +* system: disable TLS on plain HTTP redirect for new lighttpd version +* ports: unbound fix for segmentation fault (restart service to activate) +* ports: lighttpd 1.4.58 `[14] `__ + + + +-------------------------------------------------------------------------- +20.7.6 (December 08, 2020) +-------------------------------------------------------------------------- + + +This update brings the usual mix of reliability fixes, plugin and third party +software updates: FreeBSD, HardenedBSD, PHP, OpenSSH, StrongSwan, Suricata and +Syslog-ng amongst others. + +Please note that Let's Encrypt users need to reissue their certificates +manually after upgrading to this version to fix the embedded certificate chain +issue with the current signing CA switch going on. + +The mail backup plugin is currently not available pending a response from +the maintainer. Users are advised to avoid using it for the moment. 
+ +Here are the full patch notes: + +* system: no longer enforce alias names in gateways +* system: add "step into" icon on log lines when filtering +* system: add current CPU load progress bar (contributed by kulikov-a) +* firewall: allow larger selection in live log +* firewall: correctly select current IPv6 field in getInterfaceGateway() +* firewall: add validation for ipv6-icmp combined with inet +* reporting: traffic graph replacement using iftop +* openvpn: calculate first network address as gateway address when only ifconfig_local is given +* web proxy: throw startup error to user +* plugins: os-acme-client 2.1 `[1] `__ +* plugins: os-frr 1.19 `[2] `__ +* plugins: os-mail-backup not available due to unaddressed security concerns +* src: fix parsing of netmap legacy nmr->nr_ringid +* src: fix mutex double unlock bug in netmap +* src: minor misc netmap improvements +* src: improve netmap(4) and vale(4) man pages +* src: IPV6_PKTINFO support for v4-mapped IPv6 sockets +* src: zero-initialize variables in HBSD PaX SEGVGUARD +* src: fix execve/fexecve system call auditing `[3] `__ +* src: fix uninitialized variable in ipfw `[4] `__ +* src: fix race condition in callout CPU migration `[5] `__ +* src: fix ICMPv6 use-after-free in error message handling `[6] `__ +* src: fix multiple vulnerabilities in rtsold `[7] `__ +* src: update timezone database information `[8] `__ +* ports: krb5 1.18.3 `[9] `__ +* ports: nss 3.59 `[10] `__ +* ports: openldap 2.4.56 `[11] `__ +* ports: openssh 8.4p1 `[12] `__ +* ports: php 7.3.25 `[13] `__ +* ports: strongswan 5.9.1 `[14] `__ +* ports: suricata 5.0.5 `[15] `__ +* ports: syslog-ng 3.30.1 `[16] `__ + + + +-------------------------------------------------------------------------- +20.7.5 (November 20, 2020) +-------------------------------------------------------------------------- + + +We return briefly for a small patch set and plan to pin the 20.1 upgrade +path to this particular version to avoid unnecessary stepping stones. 
We +wish you all a healthy Friday. And of course: patch responsibly! + +Here are the full patch notes: + +* system: syslog-ng related fixes during package management based restart +* system: change dpinger syslog message to reflect correct RTT and RTTd unit (contributed by fhloston) +* web proxy: add toggle for pinger service (contributed by nowyouseeit) +* web proxy: add missing X-Forwarded-For header option +* mvc: new Base64Field type +* mvc: new VirtualIPField type +* plugins: os-acme-client 2.0 `[1] `__ +* plugins: os-bind 1.14 `[2] `__ +* plugins: os-chrony 1.1 `[3] `__ +* ports: monit 5.27.1 `[4] `__ +* ports: php 7.3.24 `[5] `__ +* ports: pkg upstream fix for upgrade script hang `[6] `__ +* ports: strongswan 5.9.0 `[7] `__ + + + +-------------------------------------------------------------------------- +20.7.4 (October 22, 2020) +-------------------------------------------------------------------------- + + +This release finally wraps up the recent Netmap kernel changes and tests. +The Realtek vendor driver was updated as well as third party software cURL, +libxml2, OpenSSL, PHP, Suricata, Syslog-ng and Unbound just to name a couple +of them. + +We would like to thank Sunny Valley Networks for their relentless efforts +to bring said Netmap fixes and improvements into FreeBSD. + +If you are having trouble with a stuck update try the command sequence below +from the root shell or simply reboot from the GUI and rerun the update in +case it was not fully carried out yet. + +.. 
code-block:: + + # pkill syslog-ng + # service syslog-ng restart + +Here are the full patch notes: + +* system: switch web GUI address selection to avoid server.bind in IPv6 first case +* system: fix defunct "use default" button on web GUI listen interfaces +* system: signal "auth user changed" when a user is modified via web GUI +* system: replace gateway widget and add proper API endpoint for it +* system: fix reading displayName attribute on LDAP search (contributed by ServiusHack) +* interfaces: change maximum MTU value to 65535 in accordance with RFC 791 +* interfaces: update wireless device detection prefixes +* interfaces: lexical sort interface keys for assignments +* firewall: add support for network exclusions in network alias type +* firewall: add NAT information to pfInfo page (contributed by kulikov-a) +* firewall: associated NAT rules missed state keyword +* firewall: allow "or" conditions in live log +* firewall: use pfctl for alias IP check (contributed by kulikov-a) +* dnsmasq: regenerate resolv.conf on save +* dnsmasq: log queries option +* intrusion detection: ignore pkill exit status when performing update +* ipsec: add description to reconfigure action (contributed by Frank Wall) +* unbound: rebuild unbound blacklist download +* unbound: restructure reconfigure so that we always flush config +* backend: add new "config changed" event using syshook structure (sponsored by Modirum) +* mvc: add a few missing control widgets from log pages +* ui: upgrade moment.js to 2.27.0 +* plugins: os-freeradius 1.9.8 `[1] `__ +* plugins: os-git-backup 1.0 `[2] `__ (sponsored by Modirum) +* plugins: os-haproxy 2.25 `[3] `__ +* plugins: os-stunnel 1.0.2 adds service protocol selector (contributed by fhloston) +* src: extended netmap update and driver fixes +* src: netmap tun and lagg support (contributed by Sunny Valley Networks) +* src: update Realtek re driver to upstream version 1.96.04 (contributed by Laurent Dinclaux) +* ports: curl 7.73.0 `[3] `__ +* 
ports: libxml2 fixes for CVE-2019-20388, CVE-2020-7595 and CVE-2020-24977 +* ports: nss 3.58 `[4] `__ +* ports: openssl 1.1.1h `[5] `__ +* ports: php 7.3.23 `[6] `__ +* ports: pkg 1.15.10 +* ports: radvd patch for dynamic interface shifting index +* ports: sudo 1.9.3p1 `[7] `__ +* ports: suricata 5.0.4 `[8] `__ +* ports: syslog-ng 3.29.1 `[9] `__ +* ports: unbound 1.12.0 `[10] `__ + + + +-------------------------------------------------------------------------- +20.7.3 (September 24, 2020) +-------------------------------------------------------------------------- + + +Today is the day for a number of FreeBSD security advisories and a few +reliability fixes. + +We are still testing a batch of Netmap improvement patches with a separate +kernel. This and the Realtek vendor driver update will likely follow in +the next kernel update. All feedback is welcome. + +Here are the full patch notes: + +* system: use different shell gateway name to appease wizard +* system: simplify CARP hook +* interfaces: phase out netaddr.eui.ieee.OUI_REGISTRY_PATH usage +* firewall: add MAC type to top right filter selection +* firewall: fix two scrub rule parsing bugs +* firewall: omit group type interfaces in filter selection +* intrusion detection: re-create rule cache after rule deployment +* unbound: add "unbound-plus" section to XMLRPC sync +* dhcp: adding DDNS values of each additional pool to the $ddns_zones array (contributed by Mathieu St-Pierre) +* dhcp: add static interface mode to router advertisements +* rc: fix ssh key permissions on MSDOS import +* rc: support service identifier in pluginctl -s mode +* plugins: os-bind download link changes (contributed by gap579137) +* plugins: os-chrony 1.0 (contributed by Michael Muenz) +* plugins: os-dnscrypt-proxy blocklist script fixes (contributed by Mark Keisler) +* plugins: os-frr 1.17 `[1] `__ +* plugins: os-postfix 1.17 `[2] `__ +* plugins: os-rspamd 1.10 `[3] `__ +* plugins: os-theme-cicada 1.25 (contributed by Team Rebellion) 
+* plugins: os-theme-tukan 1.23 (contributed by Team Rebellion) +* plugins: os-theme-vicuna 1.1 (contributed by Team Rebellion) +* plugins: os-wireguard 1.3 `[4] `__ +* plugins: os-zabbix-agent 1.8 `[5] `__ +* src: fix FreeBSD Linux ABI kernel panic `[6] `__ +* src: fix SCTP socket use-after-free `[7] `__ +* src: fix dhclient heap overflow `[8] `__ +* src: fix ure device driver susceptible to packet-in-packet attack `[9] `__ +* src: fix bhyve privilege escalation via VMCS access `[10] `__ +* src: fix bhyve SVM guest escape `[11] `__ +* src: fix ftpd privilege escalation via ftpchroot `[12] `__ +* src: set PAX_HARDENING_NOSHLIBRANDOM in the RTLD by default +* src: fix kernel panic while trying to read multicast stream +* ports: mpd 5.9 `[13] `__ +* ports: nss 3.57 `[14] `__ +* ports: php 7.3.22 `[15] `__ +* ports: pkg 1.15.6 `[16] `__ + + + +-------------------------------------------------------------------------- +20.7.2 (September 02, 2020) +-------------------------------------------------------------------------- + + +While we are still looking closer at netmap/iflib performance on 12.1 we +are rolling out a kernel with Intel em/igb updates that should avoid bad +packet counts in the default installation. Syslog-ng received a workaround +for the diagnosed startup issue and alias now supports MAC address content +similar to how host content works. 
+ +Here are the full patch notes: + +* system: set REQUESTS_CA_BUNDLE in environments +* system: improve parsing for temperature sensors +* system: add "new-password" hint for Chrome on login form +* system: rename syslog services description and hide legacy mode when not enabled +* system: force syslog-ng restart after boot sequence +* system: properly read new style logging directories +* reporting: replace line endings when sending traceback to syslog in flowd_aggregate +* reporting: add traffic graph filter for private IPv4 networks (contributed by kcaj-burr) +* firewall: add MAC address alias type +* firewall: be more verbose when fetching alias remote content +* firewall: prevent pfctl error messages from being suppressed +* firewall: exclude all reserved pf.conf keywords from alias name +* firewall: bogons not loaded on initial load +* firewall: reset damaged bogons files on startup +* interfaces: add listen-queue-sizes in socket diagnostics +* firmware: properly report an unsigned repository +* firmware: revoke 20.1 fingerprint +* intrusion detection: rule cache parse error on invalid metadata +* intrusion detection: allow search for status enabled/disabled +* web proxy: correct template replacement during build time +* web proxy: bugfix in JSON access log +* unbound: updated project block lists links (contributed by gap579137) +* backend: add regex_replace template support +* plugins: os-acme-client 1.36 `[1] `__ +* plugins: os-dyndns 1.23 adds Gandi LiveDNS support (contributed by vizion8-dan) +* plugins: os-haproxy 2.24 `[2] `__ +* plugins: os-stunnel 1.0.1 includes performance tweaks +* plugins: os-telegraf 1.8.2 `[3] `__ +* plugins: os-tinc fixes cipher parsing on 20.7 +* src: remove ACPI workaround for serial console on AMD EPYC +* src: Make pf.conf ":0" ignore link-local v6 addresses too +* src: default "show bad packets" tunable to off in e100 driver +* src: fix unsolicited promisc mode in e1000 driver +* src: add valectl to the system commands +* 
ports: ca_root_nss/nss 3.56 `[4] `__ +* ports: curl 7.72.0 `[5] `__ +* ports: libressl 3.1.4 `[6] `__ +* ports: openldap 2.4.51 `[7] `__ +* ports: php 7.3.21 `[8] `__ +* ports: python 3.7.9 `[9] `__ +* ports: sqlite 3.33.0 `[10] `__ +* ports: squid 4.13 `[11] `__ +* ports: syslog-ng dlsym() workaround +* ports: unbound 1.11.0 `[12] `__ + + + +-------------------------------------------------------------------------- +20.7.1 (August 13, 2020) +-------------------------------------------------------------------------- + + +Small update here with security advisories, multicast fixes and logging +reliability patches amongst others. + +Overall, the jump to HardenedBSD 12.1 is looking promising from our end. +From the reported issues we still have more logging quirks to investigate +and especially Netmap support (used in IPS and Sensei) is lacking in some +areas that were previously working. Patches are being worked on already +so we shall get there soon enough. Stay tuned. + +Here are the full patch notes: + +* system: split log process name into separate column +* system: filter new style log directories accordingly +* system: add delay to improve syslog-ng startup +* system: properly switch login page to latest jQuery 3.5.1 +* firewall: add select boxes for static filters in live log +* firmware: ignore mandoc.db files in health output as the system will regenerate them weekly +* firmware: bring back Chinese Aivian mirror +* firmware: remove defunct opn.sense.nz and RageNetwork mirrors +* web proxy: add JSON output following Elastic Common Schema (sponsored by Incenter Technology) +* backend: cap log messages to 4000 characters to prevent longer messages from vanishing +* plugins: os-acme-client 1.35 `[1] `__ +* plugins: os-frr 1.15 `[2] `__ +* plugins: os-postfix 1.15 `[3] `__ +* plugins: os-udpbroadcastrelay 1.0 (contributed by Team Rebellion) +* src: set the current VNET before calling netisr_dispatch() in ng_iface(4) +* src: assorted multicast group join/leave 
corrections +* src: fix vmx driver packet loss and degraded performance `[4] `__ +* src: fix memory corruption in USB network device driver `[5] `__ +* src: fix multiple vulnerabilities in sqlite3 `[6] `__ +* src: fix sendmsg(2) privilege escalation `[7] `__ +* ports: perl 5.32.0 `[8] `__ +* ports: squid 4.12 `[9] `__ + + + +-------------------------------------------------------------------------- +20.7 (July 30, 2020) +-------------------------------------------------------------------------- + + +For five and a half years, OPNsense is driving innovation through modularising +and hardening the open source firewall, with simple and reliable firmware +upgrades, multi-language support, HardenedBSD security, fast adoption of +upstream software updates as well as clear and stable 2-Clause BSD licensing. + +20.7, nicknamed "Legendary Lion", is a major operating system jump forward on +a sustainable firewall experience. This release adds DHCPv6 multi-WAN, custom +error pages for the web proxy, Suricata 5, HardenedBSD 12.1, netstat tree view, +basic firewall API support (via plugin) and extended live log filtering amongst +others. + +Download links, an installation guide `[1] `__ and the checksums for the images +can be found below as well. 
+ +* Europe: https://mirrors.dotsrc.org/opnsense/releases/20.7/ +* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.7/ +* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.7/ +* South America: https://mirror.venturasystems.tech/opnsense/releases/20.7/ +* Australia: http://mirror.as24220.net/opnsense/releases/20.7/ +* Full mirror list: https://opnsense.org/download/ + +Here are the full patch notes against version 20.7-RC1: + +* system: syslog-ng RFC5424 on FreeBSD 12 needs flags(syslog-protocol) +* installer: welcome users as genuine 20.7 installer +* web proxy: do not try to force cachemanager access to use ICAP +* plugins: os-collectd 1.3 `[2] `__ +* plugins: os-zabbix5-proxy 1.3 `[3] `__ +* src: prevent netgraph page fault for LTE usage +* ports: dnsmasq 2.82 `[4] `__ +* ports: monit 5.27.0 `[5] `__ +* ports: nss 3.55 `[6] `__ +* ports: sudo 1.9.2 `[7] `__ + +Known issues and limitations: + +* legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp are no longer available +* i386 architecture builds are no longer available + +The public key for the 20.7 series is: + +.. 
code-block:: + + # -----BEGIN PUBLIC KEY----- + # MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAngIbBcRin9AmDSOsjpft + # 7aK52TLkOzRc94NqKKnn6ALd6poEuFqYl1tfNT6XumBJDsRL1s56UYfjS8zpvFW3 + # HdzKOv4YtIln6qUuC1w8TXYNprasB/laYoBn2xeCGX5L6carlujQ+h0rsj+kpawr + # E0/d6oRzR69cxQyoDQHD559Wv4nA795M6QGDhhl3dDq/92gzrrq3C5gJ7ldHi13c + # inM2Fw+oPUfEIWUt/sqUTZheEk0Df3LSiJlgjQDhjh5uujTLgvX8IzfYAb8clgY3 + # DplgOh4ReoFnx6XVERSPa91ZJGeCV4dTGD2hU40rzU1lkQaiVUITLsfjrYUsNMEo + # jdG+ndGIPTOrwXH4yGRZuUZZ612ALtO6bd4V1kAOLOS07mo4JB4poEbbB0lvZJSG + # iTmU9od8zutnLkD66Q/qI8e6OcL0yqjwwG9DzCKg23M6cVWfyBTJhKoqQyhNWnzZ + # bzvgOXfhOA8jn8FPChaU5OiIrv+g56pQrWKcQsvgQMqlyR+/AFSIrrqprCjDkfOG + # bxFqTGkPb1n32nbnXJOA5Z43G9/PtBV8lvaEzli6Vehh+Zrcuy8yupbiVWSqTOfp + # E5cYAmrlDkxKyAlZQtH6EhMF1VBQRrlqGhss5XYoE3DQDqWdhUbGv8Qiiv7ROCza + # SIMuSzc6u35MooDRDZF4Ba0CAwEAAQ== + # -----END PUBLIC KEY----- + + + +.. code-block:: + + # SHA256 (OPNsense-20.7-OpenSSL-dvd-amd64.iso.bz2) = 580070a3a0533418d58eaeb78122f804f2df7081c929288e1dccee34c4bf763a + # SHA256 (OPNsense-20.7-OpenSSL-nano-amd64.img.bz2) = 6deb370c2a64fa6c60b7f59a4afb31b2dd28b812f5fcd59eaa6d458938d45630 + # SHA256 (OPNsense-20.7-OpenSSL-serial-amd64.img.bz2) = 1276cddd5f7b89aa54fc4a1517cb0686efe94f672627243c5b34d93340441d60 + # SHA256 (OPNsense-20.7-OpenSSL-vga-amd64.img.bz2) = 72cbffe3bba4884586c8ded8dbca4cf30fb34a094602e5f681efde2deea595c6 + +-------------------------------------------------------------------------- +20.7.r1 (July 21, 2020) +-------------------------------------------------------------------------- + + +For five and a half years, OPNsense is driving innovation through modularising +and hardening the open source firewall, with simple and reliable firmware +upgrades, multi-language support, HardenedBSD security, fast adoption of +upstream software updates as well as clear and stable 2-Clause BSD licensing. + +We thank all of you for helping test, shape and contribute to the project! +We know it would not be the same without you. 
<3 + +Download links, an installation guide `[1] `__ and the checksums for the images +can be found below as well. + +* Europe: https://mirrors.dotsrc.org/opnsense/releases/20.7/ +* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.7/ +* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.7/ +* South America: https://mirror.venturasystems.tech/opnsense/releases/20.7/ +* Australia: http://mirror.as24220.net/opnsense/releases/20.7/ +* Full mirror list: https://opnsense.org/download/ + +Here are the full patch notes against 20.1.8_1: + +* system: allow to optionally disable legacy logging (clog) +* system: do not allow login redirects to visit external pages +* system: add new "auth user changed" config event and hook it into LDAP updatePolicies() +* system: adapt to 3wire serial console setting +* system: figure out which sysctls are writeable before attempting to write them +* system: Windows-friendly Nextcloud configuration backup file timestamp (contributed by @Alphakilo) +* system: disable PCRE JIT in PHP config +* system: clean up start / stop beep handler +* interfaces: improved VLAN handling and defaults for more stable netmap use on 12.1 +* interfaces: support DHCPv6 multi-WAN (contributed by Team Rebellion) +* interfaces: show delegated prefix in overview (contributed by Team Rebellion) +* interfaces: DHCPv4 no-release and debug options moved to global interface settings +* interfaces: automatically register loopback device lo0 +* firewall: handle new net.pf.request_maxcount system limit accordingly +* firewall: properly evaluate and execute gateway monitoring kill states feature +* firewall: add the iplen option to shaper rules (contributed by Maxfield Allison) +* firewall: show partial alias content in tooltip +* firewall: translated static log overview page to MVC +* firewall: aliases now show internal aliases +* firewall: validate if NAT destination contains a port +* firewall: prevent config_read_array() from adding 
an empty lo0 +* firmware: added fingerprint for 20.7 series +* firmware: hint at missing plugins and request to install or dismiss +* intrusion detection: extend rule search with metadata and show results on rule info +* intrusion detection: updated pattern options (contributed by @Xeroxxx) +* intrusion detection: synchronize suricata.yaml with default template +* network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by @mikahe) +* network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by @mikahe) +* unbound: integrate functionality formerly known as "unbound-plus" plugin (contributed by Michael Muenz) +* web proxy: support for custom error pages (sponsored by Incenter Technology) +* web proxy: add connect_timeout (contributed by Michael Muenz) +* web proxy: allow PURGE on cache (contributed by @sazb) +* web proxy: add missing IPv6 listener +* mvc: add "S" option for AllowDynamic in InterfaceField type +* mvc: LegacyLinkField not allowed to return null in __toString() +* backend: add safeguard for illegal configd settings leading to overrides on the same command leaf +* backend: emove undocumented and unused alias support +* mvc: support virtual nodes in model instances +* rc: implement inline variables for skip and defer service start +* ui: unify edit dialog and add onBeforeRenderDialog event deferrable +* ui: use firewall groups to group interfaces menu accordingly +* ui: moved virtual IP menu entry to interfaces +* ui: jQuery 3.5.1 +* plugins: os-dyndns 1.22 `[2] `__ +* plugins: os-intrusion-detection-content-et-pro 1.0.2 switches to Suricata 5 rules +* plugins: os-telegraf 1.8.1 `[3] `__ +* plugins: os-theme-rebellion 1.8.6 (contributed by Team Rebellion) +* plugins: os-tinc fixes switch mode `[4] `__ +* plugins: os-wireguard 1.2 `[5] `__ +* src: HardenedBSD 12.1-p7 +* ports: ca_root_nss 3.54 +* ports: curl 7.71.1 `[6] `__ +* ports: php 7.3.20 `[7] `__ +* ports: python 3.7.8 `[8] `__ +* 
ports: sqlite 3.32.3 `[9] `__ +* ports: suricata 5.0.3 `[10] `__ + +Known issues and limitations: + +* Legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp will no longer be available +* i386 architecture builds will no longer be available +* Installer still advertises 20.1 + +The public key for the 20.7 series is: + +.. code-block:: + + # -----BEGIN PUBLIC KEY----- + # MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAngIbBcRin9AmDSOsjpft + # 7aK52TLkOzRc94NqKKnn6ALd6poEuFqYl1tfNT6XumBJDsRL1s56UYfjS8zpvFW3 + # HdzKOv4YtIln6qUuC1w8TXYNprasB/laYoBn2xeCGX5L6carlujQ+h0rsj+kpawr + # E0/d6oRzR69cxQyoDQHD559Wv4nA795M6QGDhhl3dDq/92gzrrq3C5gJ7ldHi13c + # inM2Fw+oPUfEIWUt/sqUTZheEk0Df3LSiJlgjQDhjh5uujTLgvX8IzfYAb8clgY3 + # DplgOh4ReoFnx6XVERSPa91ZJGeCV4dTGD2hU40rzU1lkQaiVUITLsfjrYUsNMEo + # jdG+ndGIPTOrwXH4yGRZuUZZ612ALtO6bd4V1kAOLOS07mo4JB4poEbbB0lvZJSG + # iTmU9od8zutnLkD66Q/qI8e6OcL0yqjwwG9DzCKg23M6cVWfyBTJhKoqQyhNWnzZ + # bzvgOXfhOA8jn8FPChaU5OiIrv+g56pQrWKcQsvgQMqlyR+/AFSIrrqprCjDkfOG + # bxFqTGkPb1n32nbnXJOA5Z43G9/PtBV8lvaEzli6Vehh+Zrcuy8yupbiVWSqTOfp + # E5cYAmrlDkxKyAlZQtH6EhMF1VBQRrlqGhss5XYoE3DQDqWdhUbGv8Qiiv7ROCza + # SIMuSzc6u35MooDRDZF4Ba0CAwEAAQ== + # -----END PUBLIC KEY----- + +Please let us know about your experience! + + + +.. code-block:: + + # SHA256 (OPNsense-20.7.r1-OpenSSL-dvd-amd64.iso.bz2) = d54dca6390497d45b831f68f352fccf84881aac78a360247965e5c9b36fbfded + # SHA256 (OPNsense-20.7.r1-OpenSSL-nano-amd64.img.bz2) = f78d51d53bf663df2d49a3724812893d8c55234ab8d4a9232663fa581496edbe + # SHA256 (OPNsense-20.7.r1-OpenSSL-serial-amd64.img.bz2) = 984f8c9d63598f061cc8995245dea73703532c1bb688ac87cdb1e510fb53b80e + # SHA256 (OPNsense-20.7.r1-OpenSSL-vga-amd64.img.bz2) = 711811e0a7d37d323a060c52590daa9f024e77c6da627530c6596367a09b412d diff --git a/source/releases/21.1.rst b/source/releases/CE_21.1.rst similarity index 100% rename from source/releases/21.1.rst rename to source/releases/CE_21.1.rst
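Review bot: the 20.7.4 patch notes reuse reference label `[3]` twice (`plugins: os-haproxy 2.25 `[3] `__` and `ports: curl 7.73.0 `[3] `__`), so every label from curl onward in that list is off by one; renumber curl to `[4]` and shift the following labels up. In the 20.7.r1 notes, `backend: emove undocumented and unused alias support` should read `remove`, and the opening sentence shared by the 20.7 and 20.7.r1 sections ("For five and a half years, OPNsense is driving innovation") reads better as "has been driving". Since the anonymous `__` references carry no visible URL anywhere in this hunk, confirm that each one has a matching anonymous target in the file; docutils otherwise reports an anonymous hyperlink mismatch between references and targets and the rendered notes lose their links.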