@ -13,6 +13,182 @@ the images can be found below as well.
https://downloads.opnsense.com/
--------------------------------------------------------------------------
21.10.2 (January 13, 2022)
--------------------------------------------------------------------------
This business release is based on the OPNsense 21.7.7 community version
with additional reliability improvements.
A new plugin called OPNWAF `[1] <https://docs.opnsense.org/vendor/deciso/opnwaf.html>`__ is being added to this release to offer Apache
web server for simple setup of load balancing and reverse proxy scenarios.
It also offers ACME protocol support for Let's Encrypt with a single click.
Here are the full patch notes:
* system: move logging remnants of Relayd/HAProxy to plugin code
* system: support XMLRPC authentication using API keys
* system: system log widget auto-refresh (contributed by kulikov-a)
* system: fix /etc/ssl/cert.pem permission on backend call
* interfaces: make is_linklocal() properly detect all link-local addresses (contributed by Per von Zweigbergk)
* firewall: properly translate "any" port to upper or lower port bound
* firewall: support any-to-X ranges for rules port input (contributed by kulikov-a)
* firewall: drop policy based routing validation on interface rules
* firewall: typo in direction for session diagnostics (contributed by kulikov-a)
* firewall: fix address direction for states diagnostics (contributed by kulikov-a)
* firmware: added generic configuration support via opnsense-update.conf
* firmware: modify the launcher to support -r and -s options
* firmware: fix upgrade prompt hint
* firmware: simplify repo file flush
* captive portal: missing tooltip in session window
* captive portal: "connected since" malformed due to datetime already being converted
* dhcp: add current IPv4 address to static lease creation (contributed by Taneli Leppa)
* intrusion detection: switch to ET-Open Suricata 5 rulesets
* intrusion detection: support multiple policy property in metadata
* intrusion detection: update severity of ruleset download skipped log message (contributed by kulikov-a)
* intrusion detection: update embedded classification.config
* ipsec: inline only caller of get_configured_vips_list()
* ipsec: avoid VTI device recreation when using hostnames
* backend: add configctl "-d" and "-q" options for future use
* backend: configd profiler call fix
* ui: prevent browser auto-fill for username/password (contributed by NOYB)
* src: axgbe: fix I2C timeouts by reissuing command on errors
* src: axgbe: fix possbile link instabilities
* src: axgbe: log GPIO signals on EEPROM read fails
* plugins: os-OPNWAF 1.0 `[1] <https://docs.opnsense.org/vendor/deciso/opnwaf.html>`__
* plugins: os-acme-client 3.6 `[2] <https://github.com/opnsense/plugins/blob/stable/21.7/security/acme-client/pkg-descr>`__
* plugins: os-dyndns 1.27 `[3] <https://github.com/opnsense/plugins/blob/stable/21.7/dns/dyndns/pkg-descr>`__
* plugins: os-etpro-telemetry 1.6 switches to Suricata 5 rulesets
* plugins: os-fetchmail removed due to licensing restrictions
* plugins: os-firewall 1.1 adds "Do not NAT" option
* plugins: os-frr 1.24 `[4] <https://github.com/opnsense/plugins/blob/stable/21.7/net/frr/pkg-descr>`__
* plugins: os-haproxy 3.8 `[5] <https://github.com/opnsense/plugins/blob/stable/21.7/net/haproxy/pkg-descr>`__
* plugins: os-nginx 1.24 `[6] <https://github.com/opnsense/plugins/blob/stable/21.7/www/nginx/pkg-descr>`__
* plugins: os-telegraf 1.12.3 `[7] <https://github.com/opnsense/plugins/blob/stable/21.7/net-mgmt/telegraf/pkg-descr>`__
* plugins: os-wireguard 1.9 `[8] <https://github.com/opnsense/plugins/blob/stable/21.7/net/wireguard/pkg-descr>`__
* plugins: os-zabbix-agent 1.10 `[9] <https://github.com/opnsense/plugins/blob/stable/21.7/net-mgmt/zabbix-agent/pkg-descr>`__
* plugins: os-zabbix-proxy 1.6 `[10] <https://github.com/opnsense/plugins/blob/stable/21.7/net-mgmt/zabbix-proxy/pkg-descr>`__
* ports: curl 7.80.0 `[11] <https://curl.se/changes.html#7_80_0>`__
* ports: dnsmasq fixes multiple regressions
* ports: nss 3.73 `[12] <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.73_release_notes>`__
* ports: php 7.4.26 `[13] <https://www.php.net/ChangeLog-7.php#7.4.26>`__
* ports: phpseclib 2.0.35 `[14] <https://github.com/phpseclib/phpseclib/releases/tag/2.0.35>`__
* ports: suricata 6.0.4 `[15] <https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942>`__
--------------------------------------------------------------------------
21.10.1 (December 02, 2021)
--------------------------------------------------------------------------
This business release is based on the OPNsense 21.7.5 community version
with additional reliability improvements.
Please note that OpenSSH was updated to version 8.8 which deprecates ssh-rsa
usage which is mainly an issue for client access from the OPNsense system to
the outside and can be amended as per the suggestions in the respective
release notes.
Here are the full patch notes:
* system: prevent expired or intermediate CA certificates from being added to trust store by default
* system: prevent XSS in LDAP attribute return in authentication tester (reported by Orange CERT-CC)
* system: add product title to auth pages
* system: fix log search ignoring first character
* system: add xc0 entry video console entry if node exists
* system: add automatic outbound NAT logging option
* system: remove support for obsolete "local" syslog socket plugin request
* system: prevent setup wizard error in WAN-only configuration
* system: properly extract keyid string (contributed by kulikov-a)
* system: show all threads and correct WCPU in activity (contributed by kulikov-a)
* system: fix display and sorting in activity (contributed by kulikov-a)
* system: escape shell parameters in cron jobs
* interfaces: remove obsolete link_interface_to_vlans() function
* interfaces: inline legacy_interface_rename() function
* interfaces: verbose output on test port (contributed by kulikov-a)
* interfaces: let guess_interface_from_ip() find the best match on overlapping subnets (contributed by Jason Crowley)
* interfaces: improve configurability with LAGG devices
* firewall: fix non-sticky rule association in port forward
* firewall: switch failover peer address acquire away from deprecated function
* firewall: specify overload table on maximum new connections
* firewall: add loaded item count and last update to aliases page
* firewall: refactor getInterfaceGateway() to eliminate edge cases with IPsec route-to behaviour
* firewall: allow alias to skip entry on EmptyLabel (contributed by James Golovich)
* firewall: improve resolve performance by implementing asynchronous DNS lookups
* firewall: add live view templates page to respective ACL (contributed by kulikov-a)
* firewall: replace pfInfo with statistics page
* firewall: add rules to statistics page (contributed by kulikov-a)
* firewall: remove defunct "block carp from self" CARP rule
* dhcp: automatically set AdvRASrcAddress for link-local CARP address
* dhcp: exclude link-local subnet router advertisements
* dhcp: show static leases without IP address assignments in the lease pages
* firmware: do not remove obsolete base files on major upgrades
* firmware: opnsense-code utility fix for "-d" option (contributed by Patrick M. Hausen)
* firmware: opnsense-code utility now supports "-u" mode for automatic upgrade after fetch
* firmware: opnsense-update utility adds separate clean option for obsolete base files
* firmware: opnsense-update utility is now able to bootstrap its own configuration in "-d" mode
* firmware: opnsense-update utility no longer assumes "-bkp" by default
* firmware: opnsense-update utility now supports "-ct package-name" check for type change
* firmware: opnsense-update utility assorted cleanups
* firmware: opnsense-update: replace -A before -M and handle single directory -M independently
* firmware: opnsense-verify: disable verification for repositories without signatures
* firmware: opnsense-verify: let -l option properly discard duplicate repositories
* firmware: opnsense-version: support -x effective ABI probing
* firmware: support ABI hints in the file "firmware-upgrade"
* ipsec: add charon.max_ikev1_exchanges parameter
* ipsec: add closeaction parameter (contributed by Patrick M. Hausen)
* ipsec: add sha256_96 flag (contributed by Patrick M. Hausen)
* ipsec: rewrite netmask calculation for VTI tunnel setup
* monit: add link event to alert settings (contributed by Frank Brendel)
* monit: add polltime to service settings (contributed by Frank Brendel)
* openvpn: remove obsolete remnants of tun-ipv6
* unbound: add Abuse.ch ThreatFox list
* unbound: make so-reuseport conditional upon RSS status
* backend: static parameters ignored when no dynamic ones exist
* mvc: replace __toString() calls with string casts
* ui: prevent event propagation to avoid click() events being forwarded
* plugins: os-acme-client 3.4 `[1] <https://github.com/opnsense/plugins/blob/stable/21.7/security/acme-client/pkg-descr>`__
* plugins: os-bind 1.19 `[2] <https://github.com/opnsense/plugins/blob/stable/21.7/dns/bind/pkg-descr>`__
* plugins: os-c-icap log file fix (contributed by Michael Muenz)
* plugins: os-dnscrypt-proxy 1.10 `[3] <https://github.com/opnsense/plugins/blob/stable/21.7/dns/dnscrypt-proxy/pkg-descr>`__
* plugins: os-dyndns 1.26 `[4] <https://github.com/opnsense/plugins/blob/stable/21.7/dns/dyndns/pkg-descr>`__
* plugins: os-freeradius 1.9.17 `[5] <https://github.com/opnsense/plugins/blob/stable/21.7/net/freeradius/pkg-descr>`__
* plugins: os-frr 1.23 `[6] <https://github.com/opnsense/plugins/blob/stable/21.7/net/frr/pkg-descr>`__
* plugins: os-haproxy 3.7 `[7] <https://github.com/opnsense/plugins/blob/stable/21.7/net/haproxy/pkg-descr>`__
* plugins: os-lldpd will now identify itself as Network Connectivity Device (contributed by Xeroxxx)
* plugins: os-nut 1.8.1 `[8] <https://github.com/opnsense/plugins/blob/stable/21.7/sysutils/nut/pkg-descr>`__
* plugins: os-openconnect 1.4.1 `[9] <https://github.com/opnsense/plugins/blob/stable/21.7/security/openconnect/pkg-descr>`__
* plugins: os-puppet-agent 1.0 `[10] <https://github.com/opnsense/plugins/blob/stable/21.7/sysutils/puppet-agent/pkg-descr>`__
* plugins: os-qemu-guest-agent 1.1 `[11] <https://github.com/opnsense/plugins/blob/stable/21.7/emulators/qemu-guest-agent/pkg-descr>`__
* plugins: os-relayd 2.6 `[12] <https://github.com/opnsense/plugins/pull/2391>`__
* plugins: os-telegraf 1.12.2 `[13] <https://github.com/opnsense/plugins/blob/stable/21.7/net-mgmt/telegraf/pkg-descr>`__
* plugins: os-theme-rebellion 1.8.8 (contributed by Team Rebellion)
* plugins: os-vnstat 1.3 `[14] <https://github.com/opnsense/plugins/blob/stable/21.7/net/vnstat/pkg-descr>`__
* plugins: os-wireguard 1.8 `[15] <https://github.com/opnsense/plugins/blob/stable/21.7/net/wireguard/pkg-descr>`__
* src: include RSS kernel support defaulting to off
* src: axgbe: properly multiplex on reading module signals
* src: libnetmap: reset errno in nmreq_register_decode()
* src: pf: remove side effect from nat logging patch
* src: dummynet: fix mbuf tag allocation failure handling
* src: aesni: avoid a potential out-of-bounds load in aes_encrypt_icm()
* src: axgbe: correctly enable RSS driver support by default
* src: ixgbe: prevent subsequent I2C bus read timeouts
* src: fix kernel panic in vmci driver initialization `[16] <FREEBSD:FreeBSD-EN-21:28.vmci>`__
* src: timezone database information update `[17] <FREEBSD:FreeBSD-EN-21:29.tzdata>`__
* ports: dnspython 2.1.0 `[18] <https://dnspython.readthedocs.io/en/stable/whatsnew.html>`__
* ports: jinja 3.0.1 `[19] <https://jinja.palletsprojects.com/en/3.0.x/changes/#version-3-0-1>`__
* ports: lighttpd 1.4.61 `[20] <https://www.lighttpd.net/2021/10/28/1.4.61/>`__
* ports: nss 3.72 `[21] <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.72_release_notes>`__
* ports: openssh 8.8p1 `[22] <https://www.openssh.com/txt/release-8.8>`__
* ports: openvpn 2.5.4 `[23] <https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25#Changesin2.5.4>`__
* ports: pcre2 10.39 `[24] <https://www.pcre.org/changelog.txt>`__
* ports: php 7.4.25 `[25] <https://www.php.net/ChangeLog-7.php#7.4.25>`__
* ports: phpseclib 2.0.34 `[26] <https://github.com/phpseclib/phpseclib/releases/tag/2.0.34>`__
* ports: strongswan 5.9.4 `[27] <https://github.com/strongswan/strongswan/releases/tag/5.9.4>`__
* ports: sudo 1.9.8p2 `[28] <https://www.sudo.ws/stable.html#1.9.8p2>`__
--------------------------------------------------------------------------
21.10 (October 14, 2021)
--------------------------------------------------------------------------
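Review bot: The two FreeBSD errata references in the 21.10.1 list, "[16] <FREEBSD:FreeBSD-EN-21:28.vmci>" and "[17] <FREEBSD:FreeBSD-EN-21:29.tzdata>", are the only link targets in this hunk that are not full URLs, so unless the documentation build expands the FREEBSD: prefix they will render as dead links; please confirm that, or replace them with full URLs. Two wording slips should be fixed before merge: "possbile" in the 21.10.2 axgbe entry and the doubled "entry" in "add xc0 entry video console entry if node exists". The OpenSSH 8.8 paragraph sends readers to "the respective release notes" without a reference, although the link appears further down as [22]; citing it in the paragraph would save a search. The 21.10.1 entries for the XSS fix in the authentication tester, shell parameter escaping in cron jobs, and "opnsense-verify: disable verification for repositories without signatures" are security-relevant but sit unmarked among routine items; a short call-out in the introduction, as was done for OpenSSH, would help operators prioritise the update and understand the change in verification behaviour.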