From bfa466904d20c866410e9ab42e24b677f663652c Mon Sep 17 00:00:00 2001 From: Ad Schellevis Date: Tue, 23 Nov 2021 17:08:11 +0100 Subject: [PATCH] checkout changelogs --- source/CE_releases.rst | 2 +- source/releases/BE_20.1.rst | 6 +- source/releases/BE_20.7.rst | 10 +-- source/releases/BE_21.4.rst | 2 +- source/releases/CE_15.1.rst | 24 ++--- source/releases/CE_15.7.rst | 17 ++-- source/releases/CE_16.1.rst | 51 ++++------- source/releases/CE_16.7.rst | 8 +- source/releases/CE_17.1.rst | 27 ++---- source/releases/CE_20.1.rst | 6 +- source/releases/CE_20.7.rst | 10 +-- source/releases/CE_21.1.rst | 2 +- source/releases/CE_21.7.rst | 174 ++++++++++++++++++++++++++++++++++++ 13 files changed, 236 insertions(+), 103 deletions(-) diff --git a/source/CE_releases.rst b/source/CE_releases.rst index c0361b81..a33ae0b7 100644 --- a/source/CE_releases.rst +++ b/source/CE_releases.rst @@ -8,7 +8,7 @@ Community Edition :width: 600px :align: center -As of January 2015 there have been *210* releases leading to the latest version *21.7.3* +As of January 2015 there have been *212* releases leading to the latest version *21.7.5* named "Noble Nightingale". diff --git a/source/releases/BE_20.1.rst b/source/releases/BE_20.1.rst index 7be5f8b7..f3f660ce 100644 --- a/source/releases/BE_20.1.rst +++ b/source/releases/BE_20.1.rst 
@@ -41,11 +41,11 @@ from this day forward. Here are the full patch notes: -* system: Windows-friendly Nextcloud configuration backup file timestamp (contributed by @Alphakilo) +* system: Windows-friendly Nextcloud configuration backup file timestamp (contributed by Alphakilo) * firewall: validate if NAT destination contains a port * firewall: prevent config_read_array() from adding an empty lo0 -* network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by @mikahe) -* network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by @mikahe) +* network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by mikahe) +* network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by mikahe) * mvc: LegacyLinkField not allowed to return null in __toString() * plugins: os-collectd 1.3 `[1] `__ * plugins: os-dyndns 1.22 `[2] `__ diff --git a/source/releases/BE_20.7.rst b/source/releases/BE_20.7.rst index 4a668c79..3315029f 100644 --- a/source/releases/BE_20.7.rst +++ b/source/releases/BE_20.7.rst @@ -540,7 +540,7 @@ Here are the full patch notes against 20.1.8_1: * system: add new "auth user changed" config event and hook it into LDAP updatePolicies() * system: adapt to 3wire serial console setting * system: figure out which sysctls are writeable before attempting to write them -* system: Windows-friendly Nextcloud configuration backup file timestamp (contributed by @Alphakilo) +* system: Windows-friendly Nextcloud configuration backup file timestamp (contributed by Alphakilo) * system: disable PCRE JIT in PHP config * system: clean up start / stop beep handler * interfaces: improved VLAN handling and defaults for more stable netmap use on 12.1 
@@ -559,14 +559,14 @@ Here are the full patch notes against 20.1.8_1: * firmware: added fingerprint for 20.7 series * firmware: hint at missing plugins and request to install or dismiss * intrusion detection: extend rule search with metadata and show results on rule info -* intrusion detection: updated pattern options (contributed by @Xeroxxx) +* intrusion detection: updated pattern options (contributed by Xeroxxx) * intrusion detection: synchronize suricata.yaml with default template -* network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by @mikahe) -* network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by @mikahe) +* network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by mikahe) +* network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by mikahe) * unbound: integrate functionality formerly known as "unbound-plus" plugin (contributed by Michael Muenz) * web proxy: support for custom error pages (sponsored by Incenter Technology) * web proxy: add connect_timeout (contributed by Michael Muenz) -* web proxy: allow PURGE on cache (contributed by @sazb) +* web proxy: allow PURGE on cache (contributed by sazb) * web proxy: add missing IPv6 listener * mvc: add "S" option for AllowDynamic in InterfaceField type * mvc: LegacyLinkField not allowed to return null in __toString() diff --git a/source/releases/BE_21.4.rst b/source/releases/BE_21.4.rst index 7423db32..96411813 100644 --- a/source/releases/BE_21.4.rst +++ b/source/releases/BE_21.4.rst @@ -201,7 +201,7 @@ Here are the full patch notes: * ports: filterlog 0.4 adds label support to output if applicable * ports: libxml2 fix for CVE-2021-3541 * ports: nss 3.65 `[16] `__ -* ports: openssh-portable 8.6p1 `[17] `__ +* ports: openssh 8.6p1 `[17] `__ * ports: php 7.3.28 `[18] `__ * ports: py-yaml 5.4.1 * ports: sqlite 3.35.5 `[19] `__ 
diff --git a/source/releases/CE_15.1.rst b/source/releases/CE_15.1.rst index dbff0f3f..700a1626 100644 --- a/source/releases/CE_15.1.rst +++ b/source/releases/CE_15.1.rst @@ -298,15 +298,12 @@ out tomorrow including wary tweaks related to Logjam. Here is the full list of changes for 15.1.11: -* core: removed unused package dependencies b42-fwcutter, bwi-firmware-kmod, - dmidecode, ifstated, pecl-ssh2 -* core: switched back from bind-tools to the latest full bind 9.10 package - due to various requests +* core: removed unused package dependencies b42-fwcutter, bwi-firmware-kmod, dmidecode, ifstated, pecl-ssh2 +* core: switched back from bind-tools to the latest full bind 9.10 package due to various requests * src: fix panic in pf(4) in conjunction with ALTQ `[3] `__ * src: updated to FreeBSD 10.0-RELEASE-p10 `[4] `__ `[5] `__ * src: reverted two more custom patches to align with FreeBSD -* ports: updated to ca_root_nss 3.19, sqlite 3.8.10.1, php 5.6.9 `[6] `__ , - openssh-portable 6.8p1_7 `[7] `__ +* ports: updated to ca_root_nss 3.19, sqlite 3.8.10.1, php 5.6.9 `[6] `__ , openssh 6.8p1_7 `[7] `__ * opnsense-update: exclude /etc/tty from the upgrade * bsdinstaller: reworked the internals to align to modern port standards * captive portal: switched rules generation to new template engine @@ -315,9 +312,7 @@ Here is the full list of changes for 15.1.11: * dashboard: fix disabled widgets dialog * nat: fixed delete of multiple item * nat: fix display of disabled rules -* queues: the legacy ALTQ traffic shaper is now found under - "Firewall: Queues" to make room for the upcoming traffic shaper - reimplementation based on IPFW/dummynet +* queues: the legacy ALTQ traffic shaper is now found under "Firewall: Queues" to make room for the upcoming traffic shaper reimplementation based on IPFW/dummynet * core: fix faulty read of /var/log/dmesg.boot The live upgrades are up for both LibreSSL and OpenSSL. Images will follow 
@@ -667,17 +662,14 @@ Here is the change log for 15.1.9: * tools: install media live images now use the more flexible tmpfs(5) * tools: cxgbe(4) is now compiled into the kernel -* ports: strongswan 5.3.0 `[1] `__ , openssh-portable 6.8p1 `[2] `__ , ntp 4.2.8p2 `[3] `__ -* src: reverted inconsistent carp(4) and pfsync(4) patches to retain - standard FreeBSD behaviour +* ports: strongswan 5.3.0 `[1] `__ , openssh 6.8p1 `[2] `__ , ntp 4.2.8p2 `[3] `__ +* src: reverted inconsistent carp(4) and pfsync(4) patches to retain standard FreeBSD behaviour * src: fix multiple vulnerabilities of ntp `[4] `__ * src: fix denial of service with IPv6 router advertisements `[5] `__ * core: console upgrade now also triggers the unused package removal -* core: fix regression that caused a faulty config.xml when applying limiter - settings +* core: fix regression that caused a faulty config.xml when applying limiter settings * core: refactored the configd command structure for clarity -* core: fix for SMTP notifications that broke due to PHP 5.6's new default - SSL behaviour +* core: fix for SMTP notifications that broke due to PHP 5.6's new default SSL behaviour * core: thorough unused java script purge under the hood * upnp: fix redeclaration error on main page shortcut click * user manager: consolidated the labels of all privileges, especially OpenVPN diff --git a/source/releases/CE_15.7.rst b/source/releases/CE_15.7.rst index 95ecee95..0be38550 100644 --- a/source/releases/CE_15.7.rst +++ b/source/releases/CE_15.7.rst 
@@ -110,15 +110,12 @@ Here are the full patch notes: * src: OpenSSH client information leak `[7] `__ * src: Invalid TCP checksums with pf(4) `[8] `__ * src: YP/NIS client library critical bug `[9] `__ -* ports: sqlite 3.10.0 `[10] `__ , easy-rsa 3.0.1 `[11] `__ , openssh-portable 7.1p2 `[12] `__ +* ports: sqlite 3.10.0 `[10] `__ , easy-rsa 3.0.1 `[11] `__ , openssh 7.1p2 `[12] `__ * traffic graphs: fix truncation of IP address to 14 characters -* firmware: EOL announcement for 15.7 added, ready for upgrading to - 16.1 on January 28 +* firmware: EOL announcement for 15.7 added, ready for upgrading to 16.1 on January 28 * firmware: added mirror provided by RageNetwork (Munich, DE) -* menu: fix navigation after editing IPsec mobile clients (contributed - by Manuel Faux) -* trust: properly reference CA in intermediate CAs (contributed by - Manuel Faux) +* menu: fix navigation after editing IPsec mobile clients (contributed by Manuel Faux) +* trust: properly reference CA in intermediate CAs (contributed by Manuel Faux) @@ -799,12 +796,10 @@ Here are the full patch notes: * src: Multiple integer overflows in expat (libbsdxml) XML parser `[1] `__ * src: bumped tzdata to 2015f `[2] `__ -* ports: curl 7.44.0 `[3] `__ , ca_root_nss 3.20, openssh-portable 7.1p1_1 `[4] `__ , - sqlite 3.8.11.1 `[5] `__ , phalcon 2.0.7 `[6] `__ , pcre 8.37_4 `[7] `__ +* ports: curl 7.44.0 `[3] `__ , ca_root_nss 3.20, openssh 7.1p1_1 `[4] `__ , sqlite 3.8.11.1 `[5] `__ , phalcon 2.0.7 `[6] `__ , pcre 8.37_4 `[7] `__ * crash reporter: create custom reports on demand * certificates: ca generation issues with recent LibreSSL -* dns resolver: switched to ports-based Unbound (1.5.4) as per - FreeBSD handbook +* dns resolver: switched to ports-based Unbound (1.5.4) as per FreeBSD handbook * menu: moved the crash reporter to system category for visibility * menu: added hot-plugging support for upcoming plugins * acl: added hot-plugging support for upcoming plugins 
diff --git a/source/releases/CE_16.1.rst b/source/releases/CE_16.1.rst index ba158443..17c04062 100644 --- a/source/releases/CE_16.1.rst +++ b/source/releases/CE_16.1.rst @@ -727,13 +727,10 @@ for our brave testers. More explanations will follow soon. Here are the full patch notes: -* ports: pecl-radius 1.3.0 `[1] `__ , bind 9.10.3-P4 `[2] `__ , bsnmp-ucd 0.4.2 `[3] `__ , - openssh-portable 7.2p2 `[4] `__ , sqlite 3.11.1 `[5] `__ +* ports: pecl-radius 1.3.0 `[1] `__ , bind 9.10.3-P4 `[2] `__ , bsnmp-ucd 0.4.2 `[3] `__ , openssh 7.2p2 `[4] `__ , sqlite 3.11.1 `[5] `__ * captive portal: add session timeout to status info -* firewall: fix non-report of errors when filter reload errors - could not be parsed -* pppoe server: make service control buttons work with multiple - instances +* firewall: fix non-report of errors when filter reload errors could not be parsed +* pppoe server: make service control buttons work with multiple instances * wake on lan: reworked pages for a polished look and feel * load balancer: reworked pages for a polished look and feel * dashboard: better colouring for widget status bars 
@@ -742,21 +739,16 @@ Here are the full patch notes: * igmp proxy: reworked pages for a polished look and feel * system: routes diagnostics page ported to MVC * proxy: adjust category visibility as not all of them were shown before -* firmware: fix an overzealous upgrade run when the package tool only - changes options -* firmware: fixed the binary upgrade patch from 15.7.x in FreeBSD's - package tool +* firmware: fix an overzealous upgrade run when the package tool only changes options +* firmware: fixed the binary upgrade patch from 15.7.x in FreeBSD's package tool * network time: reworked pages for a polished look and feel * system: removed NTP settings from general settings * snmp: refactored page for a polished look and feel * access: let only root access status.php as it leaks too much info * development: remove the automount features -* development: added in-place package upgrades using the upstream - repository -* development: addition of "opnsense-stable" package on our way to - nightly builds -* development: opnsense-update can now install locally available base - and kernel sets +* development: added in-place package upgrades using the upstream repository +* development: addition of "opnsense-stable" package on our way to nightly builds +* development: opnsense-update can now install locally available base and kernel sets 
@@ -781,33 +773,24 @@ Here are the full patch notes: * src: Fix multiple vulnerabilities of OpenSSL `[1] `__ * src: update tzdata to 2016a `[2] `__ -* ports: openssh-portable 7.2p1 `[3] `__ , isc-dhcp-43 4.3.3P1_1 `[4] `__ , - php 5.6.19 `[5] `__ , curl 7.41.1 `[6] `__ -* firmware: mirror selection has been widened to include kernel/base - upgrades -* firmware: bootstrap utility can now directly install e.g. the - development version +* ports: openssh 7.2p1 `[3] `__ , isc-dhcp-43 4.3.3P1_1 `[4] `__ , php 5.6.19 `[5] `__ , curl 7.41.1 `[6] `__ +* firmware: mirror selection has been widened to include kernel/base upgrades +* firmware: bootstrap utility can now directly install e.g. the development version * dhcp: all GUI pages have been reworked for a polished look and feel -* proxy: added category-based remote file support if compressed file - contains multiple files +* proxy: added category-based remote file support if compressed file contains multiple files * proxy: added ICAP support (contributed by Fabian Franz) * proxy: hook up the transparent FTP proxy * proxy: add intercept on IPv6 for FTP and HTTP proxy options * logging: syslog facilities, like services, are now fully pluggable -* vpn: stripped an invalid PPTP server configuration from the standard - configuration +* vpn: stripped an invalid PPTP server configuration from the standard configuration * vpn: converted to pluggable syslog, menu and ACL * dyndns: all GUI pages have been reworked for a polished look and feel * dyndns: widget now shows IPv6 entries too -* dns forwarder: all GUI pages have been reworked for a polished - look and feel -* dns resolver: all GUI pages have been reworked for a polished - look and feel +* dns forwarder: all GUI pages have been reworked for a polished look and feel +* dns resolver: all GUI pages have been reworked for a polished look and feel * dns resolver: rewrote the dhcp lease registration hooks -* dns resolver: allow parallel operation on non-standard port when dns - 
forwarder is running as well -* firewall: hide outbound nat rule input for "interface address" option - and toggle bitmask correctly +* dns resolver: allow parallel operation on non-standard port when dns forwarder is running as well +* firewall: hide outbound nat rule input for "interface address" option and toggle bitmask correctly * interfaces: fix problem when VLAN tags weren't generated properly * interfaces: improve interface capability reconfigure * ipsec: fix service restart behaviour from GUI diff --git a/source/releases/CE_16.7.rst b/source/releases/CE_16.7.rst index 68af57c5..fbbd8159 100644 --- a/source/releases/CE_16.7.rst +++ b/source/releases/CE_16.7.rst @@ -51,14 +51,12 @@ Until then, here are the full patch notes: * insight: fix downloading files in Chrome * mvc: consistently set locale (contributed by Alexander Shursha) * mvc: do not deliver content twice on API calls -* python: downgraded to 2.7.12 in order to fix segmentation faults - within insight reporting -* libressl: avoid possible side-channel leak of ECDSA private keys - when signing `[1] `__ +* python: downgraded to 2.7.12 in order to fix segmentation faults within insight reporting +* libressl: avoid possible side-channel leak of ECDSA private keys when signing `[1] `__ * ports: bind 9.10.4-P5 `[2] `__ * ports: perl 5.24.1 `[3] `__ * ports: sqlite 3.16.2 `[4] `__ -* ports: openssh-portable 7.4p1 `[5] `__ +* ports: openssh 7.4p1 `[5] `__ * ports: sudo 1.8.19p2 `[6] `__ * ports: lighttpd 1.4.45 `[7] `__ * ports: php 5.6.30 `[8] `__ diff --git a/source/releases/CE_17.1.rst b/source/releases/CE_17.1.rst index 95dc3e45..ead7b45b 100644 --- a/source/releases/CE_17.1.rst +++ b/source/releases/CE_17.1.rst 
@@ -221,39 +221,30 @@ Here are the full patch notes: * system: fix default route display in diagnostics page * system: consistent precision display in gateway monitoring loss and RTT * system: correctly restart cron via backend call -* system: use the internal RC script name instead file name to - load its variables +* system: use the internal RC script name instead file name to load its variables * system: keep WAN DHCPv6 configuration option on console port reassign -* system: unify the console yes/no prompts to indicate - their default behaviour +* system: unify the console yes/no prompts to indicate their default behaviour * system: separate row and unhide button for 2FA OTP QR code display * system: prevent stripping of migrated configuration during factory reset -* firmware: opnsense-bootstrap bare-mode addition for installing - repository metadata only -* firmware: opnsense-bootstrap will never be deleted in case it is - required for recovery +* firmware: opnsense-bootstrap bare-mode addition for installing repository metadata only +* firmware: opnsense-bootstrap will never be deleted in case it is required for recovery * firmware: opnsense-revert now always properly reverts the core package * firmware: fix argument parsing in all update and development utilities * firewall: do not save range when end port is empty * firewall: do not automatically reload filter after alias delete * firewall: skip well-known ports for ranges * firewall: fetching bogon files should not use fetch internal auto-retry -* interfaces: fix bug that prevented creation of IPv6 cache - IP files (contributed by @theq89) +* interfaces: fix bug that prevented creation of IPv6 cache IP files (contributed by theq89) * interfaces: defer reload of the filter on IPv6 renewal and keep it local * interfaces: avoid potential configure loops in IPv4 renewal * interfaces: improve diagnostic messages on boot -* interfaces: correct usage of interface cache files and properly - clear them during boot 
+* interfaces: correct usage of interface cache files and properly clear them during boot * ipsec: enable CA field for hybrid and mutual RSA Xauth * dynamic dns: fix prototype declaration (contributed by Evgeny Bevz) * dynamic dns: add support for STRATO -* mvc: fix iteration over several config nodes to avoid - "Node no longer exists" type warnings -* plugins: quagga 1.1.1 fixes reload of BGPv4 tables and - modal closing (contributed by Fabian Franz) -* plugins: monit 1.1 fixes import sender address and - validation (contributed by Frank Brendel) +* mvc: fix iteration over several config nodes to avoid "Node no longer exists" type warnings +* plugins: quagga 1.1.1 fixes reload of BGPv4 tables and modal closing (contributed by Fabian Franz) +* plugins: monit 1.1 fixes import sender address and validation (contributed by Frank Brendel) * src: removed duplicate unbound from FreeBSD base system * src: added locales to e.g. allow tmux to start up correctly * src: Xen migration enhancements `[1] `__ diff --git a/source/releases/CE_20.1.rst b/source/releases/CE_20.1.rst index 7be5f8b7..f3f660ce 100644 --- a/source/releases/CE_20.1.rst +++ b/source/releases/CE_20.1.rst 
@@ -41,11 +41,11 @@ from this day forward. Here are the full patch notes: -* system: Windows-friendly Nextcloud configuration backup file timestamp (contributed by @Alphakilo) +* system: Windows-friendly Nextcloud configuration backup file timestamp (contributed by Alphakilo) * firewall: validate if NAT destination contains a port * firewall: prevent config_read_array() from adding an empty lo0 -* network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by @mikahe) -* network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by @mikahe) +* network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by mikahe) +* network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by mikahe) * mvc: LegacyLinkField not allowed to return null in __toString() * plugins: os-collectd 1.3 `[1] `__ * plugins: os-dyndns 1.22 `[2] `__ diff --git a/source/releases/CE_20.7.rst b/source/releases/CE_20.7.rst index 4a668c79..3315029f 100644 --- a/source/releases/CE_20.7.rst +++ b/source/releases/CE_20.7.rst @@ -540,7 +540,7 @@ Here are the full patch notes against 20.1.8_1: * system: add new "auth user changed" config event and hook it into LDAP updatePolicies() * system: adapt to 3wire serial console setting * system: figure out which sysctls are writeable before attempting to write them -* system: Windows-friendly Nextcloud configuration backup file timestamp (contributed by @Alphakilo) +* system: Windows-friendly Nextcloud configuration backup file timestamp (contributed by Alphakilo) * system: disable PCRE JIT in PHP config * system: clean up start / stop beep handler * interfaces: improved VLAN handling and defaults for more stable netmap use on 12.1 
@@ -559,14 +559,14 @@ Here are the full patch notes against 20.1.8_1: * firmware: added fingerprint for 20.7 series * firmware: hint at missing plugins and request to install or dismiss * intrusion detection: extend rule search with metadata and show results on rule info -* intrusion detection: updated pattern options (contributed by @Xeroxxx) +* intrusion detection: updated pattern options (contributed by Xeroxxx) * intrusion detection: synchronize suricata.yaml with default template -* network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by @mikahe) -* network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by @mikahe) +* network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by mikahe) +* network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by mikahe) * unbound: integrate functionality formerly known as "unbound-plus" plugin (contributed by Michael Muenz) * web proxy: support for custom error pages (sponsored by Incenter Technology) * web proxy: add connect_timeout (contributed by Michael Muenz) -* web proxy: allow PURGE on cache (contributed by @sazb) +* web proxy: allow PURGE on cache (contributed by sazb) * web proxy: add missing IPv6 listener * mvc: add "S" option for AllowDynamic in InterfaceField type * mvc: LegacyLinkField not allowed to return null in __toString() diff --git a/source/releases/CE_21.1.rst b/source/releases/CE_21.1.rst index e710c1a7..ddbb1681 100644 --- a/source/releases/CE_21.1.rst +++ b/source/releases/CE_21.1.rst @@ -269,7 +269,7 @@ Here are the full patch notes: * ports: libressl 3.3.3 `[12] `__ * ports: libxml2 fix for CVE-2021-3541 * ports: nss 3.65 `[13] `__ -* ports: openssh-portable 8.6p1 `[14] `__ +* ports: openssh 8.6p1 `[14] `__ * ports: openvpn 2.4.11 `[15] `__ * ports: php 7.3.28 `[16] `__ * ports: sqlite 3.35.5 `[17] `__ 
diff --git a/source/releases/CE_21.7.rst b/source/releases/CE_21.7.rst index 3037db91..6771c5fb 100644 --- a/source/releases/CE_21.7.rst +++ b/source/releases/CE_21.7.rst 
@@ -32,6 +32,180 @@ can be found below as well. * Full mirror list: https://opnsense.org/download/ +-------------------------------------------------------------------------- +21.7.5 (November 11, 2021) +-------------------------------------------------------------------------- + + +FreeBSD security advisories and an issue with Intel-based ixgbe driver +with "ifconfig -v" stalls keep this release rolling. Also note that +OpenSSH was updated to version 8.8 which deprecates ssh-rsa usage which +is mainly an issue for client access from the OPNsense system to the +outside and can be amended as per the suggestions in the respective +release notes. + +And as promised the development version includes the upgrade path to +the 22.1-BETA1 release. This will be an online-beta with a few iterations +over the FreeBSD 13 stable branch and eventually move to FreeBSD 13.1 +release as that becomes available. + +Highlights for 22.1 already include: + +* Suricata Netmap v14 support for multi-gigabit speed in IPS mode with RSS enabled +* Separate VLAN MAC spoofing and permanent promiscuous mode setting +* Tunable analytics provide automatic descriptions and type +* IPsec tunnel overview ported to MVC with pagination +* Proofpoint Emerging Threats rules for Suricata 5.0 +* Removed opportunistic interface address read functions +* Console-based LAGG configuration support +* Removed state killing on gateway failure feature +* Improved firmware update capabilities +* No-bind service awareness for virtual IPs +* FreeBSD 13 stable branch +* RFC 5424 and severity support in logs +* Clog support has been removed +* And more... + +Please note that the beta version will always be available for upgrade when +switching to the development version. At this point no stable packages +are provided and this includes plugins. These will become available as +the release candidate is released in early January 2022. 
+ +All feedback is welcome but keep in mind that there are still a number of +moving parts ahead. Upgrade responsibly. + +Here are the full patch notes for version 21.7.5: + +* system: remove support for obsolete "local" syslog socket plugin request +* system: prevent setup wizard error in WAN-only configuration +* system: properly extract keyid string (contributed by kulikov-a) +* system: show all threads and correct WCPU in activity (contributed by kulikov-a) +* system: fix display and sorting in activity (contributed by kulikov-a) +* interfaces: remove obsolete link_interface_to_vlans() function +* interfaces: inline legacy_interface_rename() function +* interfaces: verbose output on test port (contributed by kulikov-a) +* firewall: add live view templates page to respective ACL (contributed by kulikov-a) +* firewall: replace pfInfo with statistics page +* firewall: add rules to statistics page (contributed by kulikov-a) +* firewall: remove defunct "block carp from self" CARP rule +* dhcp: automatically set AdvRASrcAddress for link-local CARP address +* dhcp: exclude link-local subnet router advertisements +* firmware: remove unavailable Hostcentral mirror +* firmware: opnsense-update: replace -A before -M and handle single directory -M independently +* firmware: opnsense-verify: disable verification for repositories without signatures +* firmware: opnsense-verify: let -l option properly discard duplicate repositories +* firmware: opnsense-version: support -x effective ABI probing +* ipsec: add sha256_96 flag (contributed by Patrick M. 
Hausen) +* monit: add polltime to service settings (contributed by Frank Brendel) +* ui: prevent event propagation to avoid click() events being forwarded +* plugins: os-bind 1.19 `[1] `__ +* plugins: os-dnscrypt-proxy 1.10 `[2] `__ +* plugins: os-dyndns 1.26 `[3] `__ +* plugins: os-freeradius 1.9.17 `[4] `__ +* plugins: os-frr 1.23 `[5] `__ +* plugins: os-haproxy 3.7 `[6] `__ +* plugins: os-nut 1.8.1 `[7] `__ +* plugins: os-openconnect 1.4.1 `[8] `__ +* plugins: os-relayd 2.6 `[9] `__ +* plugins: os-telegraf 1.12.2 `[10] `__ +* plugins: os-vnstat 1.3 `[11] `__ +* plugins: os-wireguard 1.8 `[12] `__ +* src: axgbe: correctly enable RSS driver support by default +* src: ixgbe: prevent subsequent I2C bus read timeouts +* src: fix kernel panic in vmci driver initialization `[13] `__ +* src: timezone database information update `[14] `__ +* ports: lighttpd 1.4.61 `[15] `__ +* ports: nss 3.72 `[16] `__ +* ports: openssh 8.8p1 `[17] `__ +* ports: pcre2 10.39 `[18] `__ +* ports: php 7.4.25 `[19] `__ +* ports: phpseclib 2.0.34 `[20] `__ + + +-------------------------------------------------------------------------- +21.7.4 (October 27, 2021) +-------------------------------------------------------------------------- + + +This update features three new major things: optional receive side scaling +(RSS) support in the kernel, asynchronous DNS resolving for aliases and +configuration support for advanced LAGG settings. + +RSS is disabled by default but may be switched on by adding a tunable +"net.inet.rss.enabled" with value "1" and rebooting the system. While +RSS can improve performance for certain hardware it should be used with +care at this point and is not generally recommended yet! The Suricata +version bundled with the development release offers the upcoming API +bindings to take advantage of the RSS-based multithreading. Also please +note that PPPoE cannot take advantage of RSS. 
+ +On the side we are almost ready for our 22.1-BETA preview with rolling +releases for the development release type which is something new to look +forward to also. + +Here are the full patch notes: + +* system: prevent expired or intermediate CA certificates from being added to trust store by default +* system: prevent XSS in LDAP attribute return in authentication tester (reported by Orange CERT-CC) +* system: add product title to auth pages +* system: fix log search ignoring first character +* system: add xc0 entry video console entry if node exists +* system: add automatic outbound NAT logging option +* interfaces: let guess_interface_from_ip() find the best match on overlapping subnets (contributed by Jason Crowley) +* interfaces: improve configurability with LAGG devices +* firewall: fix non-sticky rule association in port forward +* firewall: switch failover peer address acquire away from deprecated function +* firewall: specify overload table on maximum new connections +* firewall: add loaded item count and last update to aliases page +* firewall: refactor getInterfaceGateway() to eliminate edge cases with IPsec route-to behaviour +* firewall: allow alias to skip entry on EmptyLabel (contributed by James Golovich) +* firewall: improve resolve performance by implementing asynchronous DNS lookups +* dhcp: show static leases without IP address assignments in the lease pages +* firmware: do not remove obsolete base files on major upgrades +* firmware: support ABI hints in the file "firmware-upgrade" +* firmware: opnsense-code utility now supports "-u" mode for automatic upgrade after fetch +* firmware: opnsense-code utility fix for "-d" option (contributed by Patrick M. 
Hausen) +* firmware: opnsense-update utility is now able to bootstrap its own configuration in "-d" mode +* firmware: opnsense-update utility now supports "-ct package-name" check for type change +* firmware: opnsense-update utility no longer assumes "-bkp" by default +* firmware: opnsense-update utility adds separate clean option for obsolete base files +* firmware: opnsense-update utility assorted cleanups +* ipsec: add charon.max_ikev1_exchanges parameter +* ipsec: add closeaction parameter (contributed by Patrick M. Hausen) +* ipsec: rewrite netmask calculation for VTI tunnel setup +* monit: add link event to alert settings (contributed by Frank Brendel) +* openvpn: remove obsolete remnants of tun-ipv6 +* unbound: add Abuse.ch ThreatFox list +* unbound: make so-reuseport conditional upon RSS status +* backend: static parameters ignored when no dynamic ones exist +* mvc: replace __toString() calls with string casts +* plugins: os-acme-client 3.4 `[1] `__ +* plugins: os-c-icap log file fix (contributed by Michael Muenz) +* plugins: os-dyndns 1.25 `[2] `__ +* plugins: os-haproxy 3.6 `[3] `__ +* plugins: os-lldpd will now identify itself as Network Connectivity Device (contributed by Xeroxxx) +* plugins: os-puppet-agent 1.0 `[4] `__ +* plugins: os-qemu-guest-agent 1.1 `[5] `__ +* plugins: os-theme-rebellion 1.8.8 (contributed by Team Rebellion) +* src: include RSS kernel support defaulting to off +* src: axgbe: properly multiplex on reading module signals +* src: libnetmap: reset errno in nmreq_register_decode() +* src: pf: remove side effect from nat logging patch +* src: dummynet: fix mbuf tag allocation failure handling +* src: aesni: avoid a potential out-of-bounds load in aes_encrypt_icm() +* ports: curl 7.79.1 `[6] `__ +* ports: dnspython 2.1.0 `[7] `__ +* ports: jinja 3.0.1 `[8] `__ +* ports: libressl 3.3.5 `[9] `__ +* ports: lighttpd 1.4.60 `[10] `__ +* ports: nss 3.71 `[11] `__ +* ports: openvpn 2.5.4 `[12] `__ +* ports: php 7.4.24 `[13] `__ +* ports: 
strongswan 5.9.4 `[14] `__ +* ports: sudo 1.9.8p2 `[15] `__ + + + -------------------------------------------------------------------------- 21.7.3 (September 22, 2021) --------------------------------------------------------------------------
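Review bot: in the CE_releases.rst hunk the hand-maintained counter (210 to 212) and latest version (21.7.3 to 21.7.5) agree with the two sections (21.7.4, 21.7.5) added to CE_21.7.rst; since both numbers have to be bumped by hand on every one of these changelog syncs, a check that the counter advanced by exactly the number of new release headers would be worth adding to the sync routine so the landing page cannot silently fall behind the release files.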
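Review bot: the BE_20.1.rst and CE_20.1.rst hunks are byte-identical (both diff headers show "index 7be5f8b7..f3f660ce"), and so are BE_20.7.rst and CE_20.7.rst ("index 4a668c79..3315029f"), which is why the same "@Alphakilo", "@mikahe", "@Xeroxxx" and "@sazb" handle edits had to be applied twice. Consider having one edition's file pull the shared notes from the other with an ".. include::" directive so that future edits cannot drift between the Business and Community pages.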
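Review bot: the "openssh-portable" to "openssh" rename in the BE_21.4, CE_15.1, CE_15.7, CE_16.1, CE_16.7 and CE_21.1 hunks is consistent with the new "ports: openssh 8.8p1" entry under 21.7.5, but it drops the actual FreeBSD port name (security/openssh-portable), so anyone searching the release notes by port name will no longer find the older entries. If the shorter name is preferred, a single remark that "openssh" refers to the openssh-portable port would keep the notes searchable.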
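Review bot: in the CE_21.7.rst hunk, the 21.7.5 entry "firmware: opnsense-verify: disable verification for repositories without signatures" is the line a security-minded reader will stop on, and as written it can be read as package signature checking being switched off; state its scope in the entry itself (which repositories are affected, and that repositories that do ship a signature are still verified, if that is the case). Two smaller points in the same hunk: the anonymous references "[1] __" to "[20] __" under 21.7.5 and "[1] __" to "[15] __" under 21.7.4 show no URL target as displayed here, and a missing target makes Sphinx fail the build with an anonymous hyperlink mismatch, so confirm each reference carries its URL before merging; and the 21.7.4 intro names only RSS, asynchronous DNS resolving and LAGG, while the list below it carries the security-relevant fixes (XSS in the LDAP attribute return of the authentication tester reported by Orange CERT-CC, expired or intermediate CA certificates no longer added to the trust store by default, the potential out-of-bounds load in aesni aes_encrypt_icm()), which deserve a mention in the intro so administrators can judge upgrade urgency. Finally, the 21.7.5 sentence about OpenSSH 8.8 deprecating ssh-rsa points at "the respective release notes" without saying which numbered reference that is.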