From 606c0a35b0dd7338cfbc7a2619aeb28f00ddb5d7 Mon Sep 17 00:00:00 2001 From: Ad Schellevis Date: Thu, 8 Apr 2021 09:52:49 +0200 Subject: [PATCH] update changelogs. --- source/CE_releases.rst | 2 +- source/releases/BE_19.1.rst | 2 +- source/releases/BE_19.7.rst | 12 +-- source/releases/BE_20.1.rst | 12 +-- source/releases/BE_20.7.rst | 18 ++--- source/releases/CE_15.7.rst | 2 +- source/releases/CE_16.1.rst | 4 +- source/releases/CE_16.7.rst | 10 ++- source/releases/CE_18.1.rst | 2 +- source/releases/CE_19.1.rst | 2 +- source/releases/CE_19.7.rst | 12 +-- source/releases/CE_20.1.rst | 12 +-- source/releases/CE_20.7.rst | 18 ++--- source/releases/CE_21.1.rst | 147 ++++++++++++++++++++++++++++++++++++ 14 files changed, 202 insertions(+), 53 deletions(-) diff --git a/source/CE_releases.rst b/source/CE_releases.rst index af11977b..01943571 100644 --- a/source/CE_releases.rst +++ b/source/CE_releases.rst @@ -8,7 +8,7 @@ Community Edition :width: 600px :align: center -As of January 2015 there have been *197* releases leading to the latest version *21.1.2* +As of January 2015 there have been *199* releases leading to the latest version *21.1.4* named "Marvelous Meerkat". diff --git a/source/releases/BE_19.1.rst b/source/releases/BE_19.1.rst index 29e6e8b7..02e8978b 100644 --- a/source/releases/BE_19.1.rst +++ b/source/releases/BE_19.1.rst @@ -124,7 +124,7 @@ Here are the full patch notes: * plugins: os-theme-tukan 1.18 (contributed by Team Rebellion) * ports: curl 7.65.0 `[9] `__ * ports: lighttpd 1.4.54 `[10] `__ -* ports: python 3.7.3 `[11] `__ +* ports: python 3.7.3 `[11] `__ * ports: openssl 1.0.2s `[12] `__ * ports: php 7.2.19 `[13] `__ diff --git a/source/releases/BE_19.7.rst b/source/releases/BE_19.7.rst index d831ad54..b877e814 100644 --- a/source/releases/BE_19.7.rst +++ b/source/releases/BE_19.7.rst 
@@ -109,7 +109,7 @@ Here are the full patch notes: * ports: openssl 1.0.2u `[9] `__ * ports: php 7.2.26 `[10] `__ * ports: phpseclib 2.0.23 `[11] `__ -* ports: python 3.7.6 `[12] `__ +* ports: python 3.7.6 `[12] `__ * ports: strongswan 5.8.2 `[13] `__ * ports: sudo 1.8.30 `[14] `__ * ports: unbound 1.9.6 `[15] `__ @@ -259,14 +259,14 @@ Here are the full patch notes: * backend: add run mode to pluginctl using JSON-based output * ui: fix tokenizer reorder on multiple saves, second try * plugins: os-acme-client 1.27 `[1] `__ -* plugins: os-bind 1.9 `[2] `__ -* plugins: os-nginx 1.15 `[3] `__ +* plugins: os-bind 1.9 `[2] `__ +* plugins: os-nginx 1.15 `[3] `__ * plugins: os-relayd 2.4 fixes protocol option migration (contributed by Frank Brendel) * plugins: os-theme-cicada 1.22 (contributed by Team Rebellion) * ports: ca_root_nss 3.47 * ports: php 7.2.24 `[4] `__ -* ports: python 3.7.5 `[5] `__ -* ports: sudo 1.8.29 `[6] `__ +* ports: python 3.7.5 `[5] `__ +* ports: sudo 1.8.29 `[6] `__ @@ -535,7 +535,7 @@ Here are the full patch notes: * ports: monit 5.26.0 `[7] `__ * ports: openssh 8.0p1 `[8] `__ * ports: php 7.2.20 `[9] `__ -* ports: python 3.7.4 `[10] `__ +* ports: python 3.7.4 `[10] `__ * ports: sqlite 3.29.0 `[11] `__ * ports: squid 4.8 `[12] `__ diff --git a/source/releases/BE_20.1.rst b/source/releases/BE_20.1.rst index feeb7964..2549c167 100644 --- a/source/releases/BE_20.1.rst +++ b/source/releases/BE_20.1.rst 
@@ -47,18 +47,18 @@ Here are the full patch notes: * network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by @mikahe) * network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by @mikahe) * mvc: LegacyLinkField not allowed to return null in __toString() -* plugins: os-collectd 1.3 `[1] `__ +* plugins: os-collectd 1.3 `[1] `__ * plugins: os-dyndns 1.22 `[2] `__ -* plugins: os-telegraf 1.8.1 `[3] `__ +* plugins: os-telegraf 1.8.1 `[3] `__ * plugins: os-theme-rebellion 1.8.6 (contributed by Team Rebellion) * plugins: os-tinc fixes switch mode `[4] `__ * plugins: os-wireguard 1.2 `[5] `__ * ports: ca_root_nss 3.54 -* ports: curl 7.71.1 `[6] `__ +* ports: curl 7.71.1 `[6] `__ * ports: dnsmasq 2.82 `[7] `__ * ports: monit 5.27.0 `[8] `__ * ports: php 7.3.20 `[9] `__ -* ports: python 3.7.8 `[10] `__ +* ports: python 3.7.8 `[10] `__ * ports: sqlite 3.32.3 `[11] `__ * ports: syslog-ng 3.27.1 `[12] `__ @@ -299,13 +299,13 @@ Here are the full patch notes: * src: fix insufficient oce(4) ioctl(2) privilege checking `[12] `__ * src: fix incorrect user-controlled pointer use in epair `[13] `__ * src: fix kernel memory disclosure with nested jails `[14] `__ -* ports: curl 7.69.1 `[15] `__ +* ports: curl 7.69.1 `[15] `__ * ports: krb5 1.18 `[16] `__ * ports: openssh 8.2p1 `[17] `__ * ports: openssl 1.1.1f `[18] `__ * ports: perl 5.30.2 `[19] `__ * ports: php 7.2.29 `[20] `__ -* ports: python 3.7.7 `[21] `__ +* ports: python 3.7.7 `[21] `__ * ports: strongswan 5.8.3 `[22] `__ * ports: sudo 1.8.31p1 `[23] `__ diff --git a/source/releases/BE_20.7.rst b/source/releases/BE_20.7.rst index 3c1b0f2c..91db7094 100644 --- a/source/releases/BE_20.7.rst +++ b/source/releases/BE_20.7.rst 
@@ -263,7 +263,7 @@ Here are the full patch notes: * backend: add new "config changed" event using syshook structure (sponsored by Modirum) * mvc: add a few missing control widgets from log pages * ui: upgrade moment.js to 2.27.0 -* plugins: os-freeradius 1.9.8 `[1] `__ +* plugins: os-freeradius 1.9.8 `[1] `__ * plugins: os-git-backup 1.0 `[2] `__ (sponsored by Modirum) * plugins: os-haproxy 2.25 `[3] `__ * plugins: os-stunnel 1.0.2 adds service protocol selector (contributed by fhloston) @@ -273,7 +273,7 @@ Here are the full patch notes: * ports: curl 7.73.0 `[3] `__ * ports: libxml2 fixes for CVE-2019-20388, CVE-2020-7595 and CVE-2020-24977 * ports: nss 3.58 `[4] `__ -* ports: openssl 1.1.1h `[5] `__ +* ports: openssl 1.1.1h `[5] `__ * ports: php 7.3.23 `[6] `__ * ports: pkg 1.15.10 * ports: radvd patch for dynamic interface shifting index @@ -375,9 +375,9 @@ Here are the full patch notes: * backend: add regex_replace template support * plugins: os-acme-client 1.36 `[1] `__ * plugins: os-dyndns 1.23 adds Gandi LiveDNS support (contributed by vizion8-dan) -* plugins: os-haproxy 2.24 `[2] `__ +* plugins: os-haproxy 2.24 `[2] `__ * plugins: os-stunnel 1.0.1 includes performance tweaks -* plugins: os-telegraf 1.8.2 `[3] `__ +* plugins: os-telegraf 1.8.2 `[3] `__ * plugins: os-tinc fixes cipher parsing on 20.7 * src: remove ACPI workaround for serial console on AMD EPYC * src: Make pf.conf ":0" ignore link-local v6 addresses too @@ -385,11 +385,11 @@ Here are the full patch notes: * src: fix unsolicited promisc mode in e1000 driver * src: add valectl to the system commands * ports: ca_root_nss/nss 3.56 `[4] `__ -* ports: curl 7.72.0 `[5] `__ +* ports: curl 7.72.0 `[5] `__ * ports: libressl 3.1.4 `[6] `__ * ports: openldap 2.4.51 `[7] `__ * ports: php 7.3.21 `[8] `__ -* ports: python 3.7.9 `[9] `__ +* ports: python 3.7.9 `[9] `__ * ports: sqlite 3.33.0 `[10] `__ * ports: squid 4.13 `[11] `__ * ports: syslog-ng dlsym() workaround 
@@ -469,8 +469,8 @@ Here are the full patch notes against version 20.7-RC1: * system: syslog-ng RFC5424 on FreeBSD 12 needs flags(syslog-protocol) * installer: welcome users as genuine 20.7 installer * web proxy: do not try to force cachemanager access to use ICAP -* plugins: os-collectd 1.3 `[2] `__ -* plugins: os-zabbix5-proxy 1.3 `[3] `__ +* plugins: os-collectd 1.3 `[2] `__ +* plugins: os-zabbix5-proxy 1.3 `[3] `__ * src: prevent netgraph page fault for LTE usage * ports: dnsmasq 2.82 `[4] `__ * ports: monit 5.27.0 `[5] `__ @@ -588,7 +588,7 @@ Here are the full patch notes against 20.1.8_1: * ports: ca_root_nss 3.54 * ports: curl 7.71.1 `[6] `__ * ports: php 7.3.20 `[7] `__ -* ports: python 3.7.8 `[8] `__ +* ports: python 3.7.8 `[8] `__ * ports: sqlite 3.32.3 `[9] `__ * ports: suricata 5.0.3 `[10] `__ diff --git a/source/releases/CE_15.7.rst b/source/releases/CE_15.7.rst index 829c3852..20bc6501 100644 --- a/source/releases/CE_15.7.rst +++ b/source/releases/CE_15.7.rst @@ -412,7 +412,7 @@ more roadmap items already finished for 16.1. Here are the full patch notes: -* ports: sudo 1.8.15 `[1] `__ , sqlite 3.9.2 `[2] `__ +* ports: sudo 1.8.15 `[1] `__ , sqlite 3.9.2 `[2] `__ * aliases: make url tables useable * interfaces: fix faulty GUI caching issues `[3] `__ * ipsec: obey force nat traversal diff --git a/source/releases/CE_16.1.rst b/source/releases/CE_16.1.rst index d980960b..ba158443 100644 --- a/source/releases/CE_16.1.rst +++ b/source/releases/CE_16.1.rst 
@@ -910,8 +910,8 @@ Enough with the announcing already, here are the full patch notes: * src: hyperv/kvp: wake up the daemon if it is sleeping due to poll() `[1] `__ * src: Use correct src/dst ports when removing states in pf `[2] `__ * src: finish the boot loader branding by adding a shiny logo -* ports: unbound 1.5.7 `[3] `__ , openldap 2.4.44 `[4] `__ , ca_root_nss 3.22, - php 5.7.18 `[5] `__ , phalcon 2.0.10 `[6] `__ , pkg 1.6.4 `[7] `__ `[8] `__ +* ports: unbound 1.5.7 `[3] `__ , openldap 2.4.44 `[4] `__ , ca_root_nss 3.22, + php 5.7.18 `[5] `__ , phalcon 2.0.10 `[6] `__ , pkg 1.6.4 `[7] `__ `[8] `__ * interfaces: collapsible overview for each interface * shaper: fix issue with model when not able to save an old config * health: added pages to ACL for configurable user access diff --git a/source/releases/CE_16.7.rst b/source/releases/CE_16.7.rst index 988f1702..7a690ab1 100644 --- a/source/releases/CE_16.7.rst +++ b/source/releases/CE_16.7.rst @@ -139,8 +139,8 @@ Here are the full patch notes: * plugins: compatibility fix for os-pptp, os-pppoe and os-l2tp * ports: openvpn `[1] `__ (reverted topology subnet fix) * ports: pkg (license viewer upstream fix) -* ports: sudo 1.8.19p1 `[2] `__ -* ports: php 5.6.29 `[3] `__ +* ports: sudo 1.8.19p1 `[2] `__ +* ports: php 5.6.29 `[3] `__ @@ -449,8 +449,10 @@ Here are the full patch notes: * intrusion detection: added syslog support * dns: improve forwarder interface listening generation * rc: silence backup warnings about stripped leading slashes -* ports: libressl 2.3.8 `[2] `__ , bind 9.10.4-P3 `[3] `__ -* ports: ca_root_nss 3.27.1 `[4] `__ , unbound 1.5.10 `[5] `__ +* ports: bind 9.10.4-P3 `[2] `__ +* ports: ca_root_nss 3.27.1 `[3] `__ +* ports: libressl 2.3.8 `[4] `__ +* ports: unbound 1.5.10 `[5] `__ diff --git a/source/releases/CE_18.1.rst b/source/releases/CE_18.1.rst index 07b39971..852c6676 100644 --- a/source/releases/CE_18.1.rst +++ b/source/releases/CE_18.1.rst 
@@ -477,7 +477,7 @@ Here are the full patch notes: * ports: openssh 7.7p1 `[4] `__ * ports: openvpn 2.4.6 `[5] `__ * ports: perl 5.26.2 `[6] `__ -* ports: php 7.1.17 `[7] `__ +* ports: php 7.1.17 `[7] `__ * ports: sqlite 3.23.0 `[8] `__ A hotfix release was issued as 18.1.7_1: diff --git a/source/releases/CE_19.1.rst b/source/releases/CE_19.1.rst index 29e6e8b7..02e8978b 100644 --- a/source/releases/CE_19.1.rst +++ b/source/releases/CE_19.1.rst @@ -124,7 +124,7 @@ Here are the full patch notes: * plugins: os-theme-tukan 1.18 (contributed by Team Rebellion) * ports: curl 7.65.0 `[9] `__ * ports: lighttpd 1.4.54 `[10] `__ -* ports: python 3.7.3 `[11] `__ +* ports: python 3.7.3 `[11] `__ * ports: openssl 1.0.2s `[12] `__ * ports: php 7.2.19 `[13] `__ diff --git a/source/releases/CE_19.7.rst b/source/releases/CE_19.7.rst index d831ad54..b877e814 100644 --- a/source/releases/CE_19.7.rst +++ b/source/releases/CE_19.7.rst @@ -109,7 +109,7 @@ Here are the full patch notes: * ports: openssl 1.0.2u `[9] `__ * ports: php 7.2.26 `[10] `__ * ports: phpseclib 2.0.23 `[11] `__ -* ports: python 3.7.6 `[12] `__ +* ports: python 3.7.6 `[12] `__ * ports: strongswan 5.8.2 `[13] `__ * ports: sudo 1.8.30 `[14] `__ * ports: unbound 1.9.6 `[15] `__ @@ -259,14 +259,14 @@ Here are the full patch notes: * backend: add run mode to pluginctl using JSON-based output * ui: fix tokenizer reorder on multiple saves, second try * plugins: os-acme-client 1.27 `[1] `__ -* plugins: os-bind 1.9 `[2] `__ -* plugins: os-nginx 1.15 `[3] `__ +* plugins: os-bind 1.9 `[2] `__ +* plugins: os-nginx 1.15 `[3] `__ * plugins: os-relayd 2.4 fixes protocol option migration (contributed by Frank Brendel) * plugins: os-theme-cicada 1.22 (contributed by Team Rebellion) * ports: ca_root_nss 3.47 * ports: php 7.2.24 `[4] `__ -* ports: python 3.7.5 `[5] `__ -* ports: sudo 1.8.29 `[6] `__ +* ports: python 3.7.5 `[5] `__ +* ports: sudo 1.8.29 `[6] `__ 
@@ -535,7 +535,7 @@ Here are the full patch notes: * ports: monit 5.26.0 `[7] `__ * ports: openssh 8.0p1 `[8] `__ * ports: php 7.2.20 `[9] `__ -* ports: python 3.7.4 `[10] `__ +* ports: python 3.7.4 `[10] `__ * ports: sqlite 3.29.0 `[11] `__ * ports: squid 4.8 `[12] `__ diff --git a/source/releases/CE_20.1.rst b/source/releases/CE_20.1.rst index feeb7964..2549c167 100644 --- a/source/releases/CE_20.1.rst +++ b/source/releases/CE_20.1.rst @@ -47,18 +47,18 @@ Here are the full patch notes: * network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by @mikahe) * network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by @mikahe) * mvc: LegacyLinkField not allowed to return null in __toString() -* plugins: os-collectd 1.3 `[1] `__ +* plugins: os-collectd 1.3 `[1] `__ * plugins: os-dyndns 1.22 `[2] `__ -* plugins: os-telegraf 1.8.1 `[3] `__ +* plugins: os-telegraf 1.8.1 `[3] `__ * plugins: os-theme-rebellion 1.8.6 (contributed by Team Rebellion) * plugins: os-tinc fixes switch mode `[4] `__ * plugins: os-wireguard 1.2 `[5] `__ * ports: ca_root_nss 3.54 -* ports: curl 7.71.1 `[6] `__ +* ports: curl 7.71.1 `[6] `__ * ports: dnsmasq 2.82 `[7] `__ * ports: monit 5.27.0 `[8] `__ * ports: php 7.3.20 `[9] `__ -* ports: python 3.7.8 `[10] `__ +* ports: python 3.7.8 `[10] `__ * ports: sqlite 3.32.3 `[11] `__ * ports: syslog-ng 3.27.1 `[12] `__ 
@@ -299,13 +299,13 @@ Here are the full patch notes: * src: fix insufficient oce(4) ioctl(2) privilege checking `[12] `__ * src: fix incorrect user-controlled pointer use in epair `[13] `__ * src: fix kernel memory disclosure with nested jails `[14] `__ -* ports: curl 7.69.1 `[15] `__ +* ports: curl 7.69.1 `[15] `__ * ports: krb5 1.18 `[16] `__ * ports: openssh 8.2p1 `[17] `__ * ports: openssl 1.1.1f `[18] `__ * ports: perl 5.30.2 `[19] `__ * ports: php 7.2.29 `[20] `__ -* ports: python 3.7.7 `[21] `__ +* ports: python 3.7.7 `[21] `__ * ports: strongswan 5.8.3 `[22] `__ * ports: sudo 1.8.31p1 `[23] `__ diff --git a/source/releases/CE_20.7.rst b/source/releases/CE_20.7.rst index 3c1b0f2c..91db7094 100644 --- a/source/releases/CE_20.7.rst +++ b/source/releases/CE_20.7.rst @@ -263,7 +263,7 @@ Here are the full patch notes: * backend: add new "config changed" event using syshook structure (sponsored by Modirum) * mvc: add a few missing control widgets from log pages * ui: upgrade moment.js to 2.27.0 -* plugins: os-freeradius 1.9.8 `[1] `__ +* plugins: os-freeradius 1.9.8 `[1] `__ * plugins: os-git-backup 1.0 `[2] `__ (sponsored by Modirum) * plugins: os-haproxy 2.25 `[3] `__ * plugins: os-stunnel 1.0.2 adds service protocol selector (contributed by fhloston) @@ -273,7 +273,7 @@ Here are the full patch notes: * ports: curl 7.73.0 `[3] `__ * ports: libxml2 fixes for CVE-2019-20388, CVE-2020-7595 and CVE-2020-24977 * ports: nss 3.58 `[4] `__ -* ports: openssl 1.1.1h `[5] `__ +* ports: openssl 1.1.1h `[5] `__ * ports: php 7.3.23 `[6] `__ * ports: pkg 1.15.10 * ports: radvd patch for dynamic interface shifting index 
@@ -375,9 +375,9 @@ Here are the full patch notes: * backend: add regex_replace template support * plugins: os-acme-client 1.36 `[1] `__ * plugins: os-dyndns 1.23 adds Gandi LiveDNS support (contributed by vizion8-dan) -* plugins: os-haproxy 2.24 `[2] `__ +* plugins: os-haproxy 2.24 `[2] `__ * plugins: os-stunnel 1.0.1 includes performance tweaks -* plugins: os-telegraf 1.8.2 `[3] `__ +* plugins: os-telegraf 1.8.2 `[3] `__ * plugins: os-tinc fixes cipher parsing on 20.7 * src: remove ACPI workaround for serial console on AMD EPYC * src: Make pf.conf ":0" ignore link-local v6 addresses too @@ -385,11 +385,11 @@ Here are the full patch notes: * src: fix unsolicited promisc mode in e1000 driver * src: add valectl to the system commands * ports: ca_root_nss/nss 3.56 `[4] `__ -* ports: curl 7.72.0 `[5] `__ +* ports: curl 7.72.0 `[5] `__ * ports: libressl 3.1.4 `[6] `__ * ports: openldap 2.4.51 `[7] `__ * ports: php 7.3.21 `[8] `__ -* ports: python 3.7.9 `[9] `__ +* ports: python 3.7.9 `[9] `__ * ports: sqlite 3.33.0 `[10] `__ * ports: squid 4.13 `[11] `__ * ports: syslog-ng dlsym() workaround @@ -469,8 +469,8 @@ Here are the full patch notes against version 20.7-RC1: * system: syslog-ng RFC5424 on FreeBSD 12 needs flags(syslog-protocol) * installer: welcome users as genuine 20.7 installer * web proxy: do not try to force cachemanager access to use ICAP -* plugins: os-collectd 1.3 `[2] `__ -* plugins: os-zabbix5-proxy 1.3 `[3] `__ +* plugins: os-collectd 1.3 `[2] `__ +* plugins: os-zabbix5-proxy 1.3 `[3] `__ * src: prevent netgraph page fault for LTE usage * ports: dnsmasq 2.82 `[4] `__ * ports: monit 5.27.0 `[5] `__ @@ -588,7 +588,7 @@ Here are the full patch notes against 20.1.8_1: * ports: ca_root_nss 3.54 * ports: curl 7.71.1 `[6] `__ * ports: php 7.3.20 `[7] `__ -* ports: python 3.7.8 `[8] `__ +* ports: python 3.7.8 `[8] `__ * ports: sqlite 3.32.3 `[9] `__ * ports: suricata 5.0.3 `[10] `__ 
diff --git a/source/releases/CE_21.1.rst b/source/releases/CE_21.1.rst index f4e1a22b..134cba32 100644 --- a/source/releases/CE_21.1.rst +++ b/source/releases/CE_21.1.rst 
@@ -38,6 +38,153 @@ can be found below as well. * Full mirror list: https://opnsense.org/download/ +-------------------------------------------------------------------------- +21.1.4 (March 30, 2021) +-------------------------------------------------------------------------- + + +The third party crypto libraries need patching so here we go! The number of +user contributions and interaction regarding stability fixes and improvements +from the OPNsense side seems to be picking up as well and that is great to see. + +The development version includes an update of Suricata to version 6.0.2 +in case any of you want to try it out. Also, improvements in the DHCP +static mapping can now deal with IPv6 prefix merge for such deployments +using Unbound and Dnsmasq host registration. + +In the past 3 months we have also been working on a business edition relaunch +and now feel obligated to quickly present the results of these efforts: + +The upcoming release of the business edition will be versioned as 21.4 in +order to decouple it from the community release cycle. To that end--and +to stay true to open source--we have published the release engineering core +branch for said business release `[1] `__ . + +You will see more distinction between "community" and "business" in +communication, but the basic approach of a more conservative release +cycle in volume and timing for the business edition remains the same. +On top of this, the business edition also offers additional plugins, +e.g. for central management tasks. 
+ +Here are the full patch notes: + +* system: add assorted missing configuration sections for high availability sync +* system: restart web GUI with delay from services to prevent session disconnect +* system: improve error reporting in LDAP authentication (contributed by kulikov-a) +* system: changed USB serial option to use "on" instead of problematic "onifconsole" +* system: ignore garbled data in log lines +* system: fix single core activity display +* interfaces: immediately enable SLAAC during IPv6 initiation +* interfaces: fix a typo in the GIF setup code +* firewall: allow to select rules with no category set +* firewall: sort pfTable results before slice (contributed by kulikov-a) +* firewall: make categories work with numbers only (contributed kulikov-a) +* reporting: skip damaged NetFlow records +* dhcp: correct help text for IPv6 ranges (contributed by Team Rebellion) +* dhcp: remove obsolete subnet validation for static entries +* firmware: refine missing/invalid signature message during health check (contributed by Erik Inge Bolso) +* firmware: zap changelog remove description (contributed by Jacek Tomasiak) +* firmware: make status API endpoint synchronous when using POST +* openvpn: remove checks for NTP servers 3 and 4 (contributed by Christian Brueffer) +* unbound: Fix PTR records for DHCP endpoints (contributed by Gareth Owen) +* ui: use HTTPS everywhere (contributed by Robin Schneider) +* ui: bootgrid translation compatibility with Internet Explorer 11 (contributed by kulikov-a) +* plugins: add service annotations to supported plugins +* plugins: os-freeradius 1.9.10 `[2] `__ +* plugins: os-haproxy 3.1 `[3] `__ +* plugins: os-stunnel 1.0.3 adds client mode (contributed by Nicola Bonavita) +* plugins: os-telegraf 1.9.0 `[4] `__ +* plugins: os-theme-cicada 1.28 (contributed by Team Rebellion) +* plugins: os-theme-tukan 1.25 (contributed by Team Rebellion) +* plugins: os-theme-vicuna 1.4 (contributed by Team Rebellion) +* plugins: os-wireguard 1.5 
`[5] `__ +* plugins: os-wol 2.4 fixes dashboard widget (contributed by kulikov-a) +* src: fix multiple OpenSSL vulnerabilities `[6] `__ +* ports: ca_root_nss / nss 3.63 `[7] `__ +* ports: libressl 3.2.5 `[8] `__ +* ports: openldap 2.4.58 `[9] `__ +* ports: openssh fix for double free in ssh-agent `[10] `__ +* ports: openssl 1.1.1k `[11] `__ +* ports: sudo 1.9.6p1 `[12] `__ +* ports: suricata 5.0.6 `[13] `__ +* ports: syslog-ng 3.31.2 `[14] `__ +* ports: wpa_supplicant p2p vulnerability `[15] `__ + + +-------------------------------------------------------------------------- +21.1.3 (March 10, 2021) +-------------------------------------------------------------------------- + + +Today we move ahead with the firmware UI and API rework as we are happy +with the new user experience. You will also notice the new plugin conflict +dialog which will report that plugins have been installed previously but +not registered in the configuration. This can be easily amended by reseting +the local conflicts, which essentially accepts the current plugin +configuration as the new default. This necessary change introduces API +incompatibilities with existing external tools. + +The HAProxy plugin was updated to version 3.0. This release marks the +switch to the HAProxy 2.2 release series, which may result in incompatible +changes for some users. Many new features were also added, including the +possibility to update SSL certificates in runtime. These features should +be considered experimental. We encourage everyone to install this version +in a test environment before using it in production. As usual, please have +a look at the plugin changes `[1] `__ and report bugs on GitHub. 
+ +Here are the full patch notes: + +* system: prevent duplicate dashboard traffic pollers mangling with the graphs +* system: added cron job "HA update and reconfigure backup" +* system: unify HA sync sections and remove legacy blocks +* system: adapt lighttpd ssl.privkey approach +* system: correctly remove routing entries directly connected to an interface +* interfaces: correct dhcp6c configuration issue on PPPoE link down (contributed by Team Rebellion) +* interfaces: better primary IPv6 address detection in diagnostic tools +* interfaces: handle disabled interfaces in overview +* interfaces: drop early return in PPPoE link down +* interfaces: remove unused global definitions +* firewall: typo in outbound alias use (contributed by kulikov-a) +* firewall: rules icon color after toggle fix (contributed by kulikov-a) +* reporting: prevent crash when NetFlow attributes are missing +* reporting: aggregate iftop results for traffic graphs +* firmware: opnsense-bootstrap shellcheck audit (contributed by Michael Adams) +* firmware: revamp the UI and API +* firmware: revoke old business key +* intrusion detection: add new Abuse.ch feed ThreatFox to detect indicators of compromise +* intrusion detection: make manual rule status boolean for policies (contributed by kulikov-a) +* ipsec: calculate netmask for provided tunnel addresses when using VTI +* ipsec: do not pin reqid in case of mobile connections +* openvpn: extend compression options (contributed by vnxme) +* unbound: handle DHCP client expiring and returning (contributed by Gareth Owen) +* ui: refactor bootgrid usage in ARP, NDP, captive portal session, system activity and routes +* ui: align layouts of select_multiple and dropdown types +* plugins: os-haproxy 3.0 `[1] `__ +* plugins: os-nginx 1.21 `[2] `__ +* plugins: os-node_exporter 1.1 `[3] `__ +* src: jail: Handle a possible race between jail_remove(2) and fork(2) `[4] `__ +* src: jail: Change both root and working directories in jail_attach(2) `[5] `__ +* 
src: x86: free microcode memory later `[6] `__ +* src: xen-blkback: fix leak of grant maps on ring setup failure `[7] `__ +* src: rtsold: auto-probe point to point interfaces +* src: growfs: update check-hash when doing large filesystem expansions +* src: axgbe: change default parameters to prevent manual tunable settings +* src: arp: avoid segfaulting due to out-of-bounds memory access +* ports: cpdup 1.22 `[8] `__ +* ports: krb5 1.19.1 `[9] `__ +* ports: nss 3.62 `[10] `__ +* ports: pkg now provides fallback for version mismatch on pkg-add +* ports: python 3.7.10 `[11] `__ +* ports: syslog-ng 3.31.1 `[12] `__ + +A hotfix release was issued as 21.1.3_3: + +* system: fix dashboard traffic widget load behaviour (contributed by kulikov-a) +* system: fix dashboard widget title regression +* firmware: fix compatibility regression with IE 11 + + + -------------------------------------------------------------------------- 21.1.2 (February 23, 2021) --------------------------------------------------------------------------
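
Review bot: The four BE_*.rst files are changed to exactly the same content as their CE counterparts (BE_19.1.rst and CE_19.1.rst both go 29e6e8b7..02e8978b, and the 19.7, 20.1 and 20.7 pairs match in the same way), so every link correction in this patch is made twice by hand. Suggest having one file of each pair include the other, or generating both from one source, so a later fix cannot land in only one edition. The subject "update changelogs." also covers two separate things, link corrections in old release notes and the new 21.1.3 and 21.1.4 notes. Splitting them would make the 147-line addition to CE_21.1.rst easier to review and to revert.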
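
Review bot: In the source/releases/CE_16.1.rst hunk the re-added ports line still reads "php 5.7.18", which looks like a typo since PHP never shipped a 5.7 series. As the line is being rewritten anyway, please check the version against the original 16.1 announcement and correct it here, so readers auditing which PHP build a release carried are not misled.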
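
Review bot: In the second hunk of source/releases/CE_16.7.rst (@@ -449,8 +449,10 @@) the split and re-sort of the ports entries moves the footnote labels: bind 9.10.4-P3 goes from [3] to [2], ca_root_nss 3.27.1 from [4] to [3], and libressl 2.3.8 from [2] to [4]. The link targets are not visible in this view, so please confirm each target moved with its package and not with its number. The combined ports lines in CE_15.7.rst ("sudo 1.8.15 ... , sqlite 3.9.2 ...") and CE_16.1.rst are touched by this patch but left combined. Either split them the same way or keep this one combined, so the older notes stay consistent.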
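
Review bot: In the 21.1.4 list added to source/releases/CE_21.1.rst, the security entries "src: fix multiple OpenSSL vulnerabilities", "ports: openssh fix for double free in ssh-agent" and "ports: wpa_supplicant p2p vulnerability" carry no CVE or advisory identifier in their text, while the 20.7 notes touched by this same patch spell them out ("libxml2 fixes for CVE-2019-20388, CVE-2020-7595 and CVE-2020-24977"). Suggest naming the identifiers in the entry itself so operators can match the release against their vulnerability tracking without following a footnote. The 21.1.3 entry "firmware: revoke old business key" would similarly benefit from a short statement of which key is meant and whether users need to act. Smaller points in the same hunk: "reseting" should be "resetting", "(contributed kulikov-a)" is missing "by", and the 21.1.3 section uses [1] both in the intro ("plugin changes [1]") and for "os-haproxy 3.0 [1]", whereas the 21.1.4 section continues its list at [2] after the intro's [1]. Pick one numbering scheme for both sections.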