mirror of
https://github.com/opnsense/docs
synced 2024-11-05 06:00:36 +00:00
629 lines
35 KiB
ReStructuredText
629 lines
35 KiB
ReStructuredText
===========================================================================================
|
|
20.1 "Keen Kingfisher" Series
|
|
===========================================================================================
|
|
|
|
|
|
|
|
For over 5 years now, OPNsense is driving innovation through modularising
|
|
and hardening the open source firewall, with simple and reliable firmware
|
|
upgrades, multi-language support, HardenedBSD security, fast adoption of
|
|
upstream software updates as well as clear and stable 2-Clause BSD licensing.
|
|
|
|
20.1, nicknamed "Keen Kingfisher", is a subtle improvement on sustainable
|
|
firewall experience. This release adds VXLAN and additional loopback device
|
|
support, IPsec public key authentication and elliptic curve TLS certificate
|
|
creation amongst others. Third party software has been updated to their
|
|
latest versions. The logging frontend was rewritten for MVC with seamless
|
|
API support. On the far side the documentation increased in quality as well
|
|
as quantity and now presents itself in a familiar menu layout.
|
|
|
|
Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
|
|
can be found below as well.
|
|
|
|
* Europe: https://opnsense.c0urier.net/releases/20.1/
|
|
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.1/
|
|
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.1/
|
|
* South America: http://mirror.upb.edu.co/opnsense/releases/20.1/
|
|
* South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/20.1/
|
|
* Full mirror list: https://opnsense.org/download/
|
|
|
|
|
|
--------------------------------------------------------------------------
|
|
20.1.9 (July 23, 2020)
|
|
--------------------------------------------------------------------------
|
|
|
|
|
|
20.7-RC1 is already available and the final release of 20.7 is scheduled
|
|
for July 30. A hotfix release for 20.1.9 will enable the upgrade path
|
|
some hours after the initial 20.7 announcement is out, but please note
|
|
that updated 32-bit builds (also known as i386) will no longer be available
|
|
from this day forward.
|
|
|
|
Here are the full patch notes:
|
|
|
|
* system: Windows-friendly Nextcloud configuration backup file timestamp (contributed by Alphakilo)
|
|
* firewall: validate if NAT destination contains a port
|
|
* firewall: prevent config_read_array() from adding an empty lo0
|
|
* network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by mikahe)
|
|
* network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by mikahe)
|
|
* mvc: LegacyLinkField not allowed to return null in __toString()
|
|
* plugins: os-collectd 1.3 `[1] <https://github.com/opnsense/plugins/blob/stable/20.1/net-mgmt/collectd/pkg-descr>`__
|
|
* plugins: os-dyndns 1.22 `[2] <https://github.com/opnsense/plugins/pull/1654>`__
|
|
* plugins: os-telegraf 1.8.1 `[3] <https://github.com/opnsense/plugins/blob/stable/20.1/net-mgmt/telegraf/pkg-descr>`__
|
|
* plugins: os-theme-rebellion 1.8.6 (contributed by Team Rebellion)
|
|
* plugins: os-tinc fixes switch mode `[4] <https://github.com/opnsense/plugins/pull/1733>`__
|
|
* plugins: os-wireguard 1.2 `[5] <https://github.com/opnsense/plugins/pull/1865>`__
|
|
* ports: ca_root_nss 3.54
|
|
* ports: curl 7.71.1 `[6] <https://curl.se/changes.html#7_71_1>`__
|
|
* ports: dnsmasq 2.82 `[7] <https://www.thekelleys.org.uk/dnsmasq/CHANGELOG>`__
|
|
* ports: monit 5.27.0 `[8] <https://mmonit.com/monit/changes/>`__
|
|
* ports: php 7.3.20 `[9] <https://www.php.net/ChangeLog-7.php#7.3.20>`__
|
|
* ports: python 3.7.8 `[10] <https://docs.python.org/release/3.7.8/whatsnew/changelog.html>`__
|
|
* ports: sqlite 3.32.3 `[11] <https://sqlite.org/releaselog/3_32_3.html>`__
|
|
* ports: syslog-ng 3.27.1 `[12] <https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.27.1>`__
|
|
|
|
A hotfix release was issued as 20.1.9_1:
|
|
|
|
* firmware: enable upgrade path to 20.7 (amd64 only)
|
|
|
|
|
|
|
|
--------------------------------------------------------------------------
|
|
20.1.8 (July 02, 2020)
|
|
--------------------------------------------------------------------------
|
|
|
|
|
|
Sorry about the delay while we chased a race condition in the updates back
|
|
to an issue with the latest FreeBSD package manager updates. For now we
|
|
reverted to our current version but all relevant third party packages have
|
|
been updated as updates became available over the last weeks, e.g. cURL and
|
|
Python, and hostapd / wpa_supplicant amongst others.
|
|
|
|
Here are the full patch notes:
|
|
|
|
* system: simpler get_interface_ip() usage in IPv4 renewal
|
|
* system: allow HA sync of network time settings
|
|
* system: download all filtered items in log export
|
|
* system: add support for upstream LDAP accounts in Nextcloud backup (contributed by Fabian Franz)
|
|
* interfaces: fix stateless DHCPv6 for track6 interfaces (contributed by Maurice Walker)
|
|
* firewall: fix missing address filter error by moving NAT targets to runtime resolve
|
|
* firewall: prevent gateway protocol mismatch from breaking the ruleset
|
|
* firewall: work around categories typeahead issue with recent jQuery libraries
|
|
* firewall: improve alias help text (contributed by Team Rebellion)
|
|
* firewall: switch from single log filter to one per attribute
|
|
* intrusion detection: when enabling rules prefixed with "# " consume the extra space (contributed by Tra5is)
|
|
* intrusion detection: less sensitive rule parsing
|
|
* intrusion detection: compress stats.log backups
|
|
* ipsec: valid IPSec Phase 2 hash config warning raises GUI alert (contributed by Brett Merrick)
|
|
* unbound: add DNS64 support (contributed by Maurice Walker)
|
|
* web proxy: fix wrong button label for Download ACLs (contributed by 90er)
|
|
* mvc: add sort_flags optional parameter support (contributed by NOYB)
|
|
* rc: add full PATH to rc.syshook invoke
|
|
* plugins: os-acme-client `[1] <https://github.com/opnsense/plugins/pull/1851>`__ `[2] <https://github.com/opnsense/plugins/pull/1880>`__
|
|
* plugins: os-dnscrypt-proxy 1.8 `[3] <https://github.com/opnsense/plugins/blob/stable/20.1/dns/dnscrypt-proxy/pkg-descr>`__
|
|
* plugins: os-dyndns 1.21 improves Cloudflare support (contributed by Andreas Rupper)
|
|
* plugins: os-freeradius 1.9.7 `[4] <https://github.com/opnsense/plugins/pull/1726>`__
|
|
* plugins: os-haproxy 2.23 `[5] <https://github.com/opnsense/plugins/pull/1883>`__
|
|
* plugins: os-intrusion-detection-content-snort-vrt 1.1
|
|
* plugins: os-stunnel 1.0 `[6] <https://docs.opnsense.org/manual/how-tos/stunnel.html>`__ (sponsored by Incenter Technology)
|
|
* plugins: os-tayga 1.1 `[7] <https://github.com/opnsense/plugins/pull/1826>`__
|
|
* plugins: os-theme-rebellion 1.8.4 `[8] <https://github.com/opnsense/plugins/pull/1892>`__
|
|
* ports: ca_root_nss 3.53
|
|
* ports: curl 7.71.0 `[9] <https://curl.se/changes.html#7_71_0>`__
|
|
* ports: hostapd / wpa_supplicant UPnP SUBSCRIBE advisory `[10] <https://w1.fi/security/2020-1/upnp-subscribe-misbehavior-wps-ap.txt>`__
|
|
* ports: krb5 1.18.2 `[11] <https://web.mit.edu/kerberos/krb5-1.18/>`__
|
|
* ports: ntp 4.2.8p15 `[12] <http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities>`__
|
|
* ports: pcre 8.44 `[13] <https://www.pcre.org/original/changelog.txt>`__
|
|
* ports: perl 5.30.3 `[14] <https://perldoc.perl.org/5.30.3/perldelta>`__
|
|
* ports: php 7.3.19 `[15] <https://www.php.net/ChangeLog-7.php#7.3.19>`__
|
|
* ports: python CVE-2019-18348 and CVE-2020-8492
|
|
* ports: sqlite 3.32.2 `[16] <https://sqlite.org/releaselog/3_32_2.html>`__
|
|
* ports: sudo 1.9.1 `[17] <https://www.sudo.ws/stable.html#1.9.1>`__
|
|
* ports: unbound 1.10.1 `[18] <https://nlnetlabs.nl/projects/unbound/download/#unbound-1-10-1>`__
|
|
|
|
A hotfix release was issued as 20.1.8_1:
|
|
|
|
* ipsec: fix status page display after third party library update
|
|
* plugins: os-dyndns fix for TTL validation (contributed by Andreas Rupper)
|
|
|
|
|
|
|
|
--------------------------------------------------------------------------
|
|
20.1.7 (May 20, 2020)
|
|
--------------------------------------------------------------------------
|
|
|
|
|
|
Today we move to PHP 7.3 in order to be able to complete testing for the
|
|
20.7-BETA online upgrades. Also included is a patch for the packet filter
|
|
kernel code which could crash with shared forwarding when interfaces
|
|
disappeared due to use after free in the default network stack path.
|
|
|
|
Here are the full patch notes:
|
|
|
|
* system: default net.inet.icmp.reply_from_interface to 1
|
|
* system: fix static gateway wizard handing
|
|
* firewall: allow outbound NAT source and destination port ranges
|
|
* interfaces: use interfaces_primary_address6() inside get_interface_ipv6()
|
|
* dhcp: add AdvLinkMTU to router advertisements settings (contributed by Ilteris Eroglu)
|
|
* unbound: prevent wildcard domains for the local system domain
|
|
* backend: suppress inconsequential IDNA warnings for aliases
|
|
* backend: add option to return a key value list for TLS ciphers
|
|
* mvc: reference constraint pointing validation results to the wrong field
|
|
* plugins: os-acme-client 1.32 adds Acmeproxy DNS support (contributed by Maarten den Braber)
|
|
* src: added Novatel Wireless MiFi 8800/8000 support (contributed by rootless4real)
|
|
* src: fix pf shared forwarding on non-existing interfaces
|
|
* src: patch in tty 3wire autologin support
|
|
* src: fix insufficient packet length validation in libalias `[1] <FREEBSD:FreeBSD-SA-20:12.libalias>`__
|
|
* src: fix memory disclosure vulnerability in libalias `[2] <FREEBSD:FreeBSD-SA-20:13.libalias>`__
|
|
* src: fix improper checking in SCTP-AUTH shared key update `[3] <FREEBSD:FreeBSD-SA-20:14.sctp>`__
|
|
* src: fix use after free in cryptodev module `[4] <FREEBSD:FreeBSD-SA-20:15.cryptodev>`__
|
|
* src: update to tzdata 2020a `[5] <FREEBSD:FreeBSD-EN-20:08.tzdata>`__
|
|
* ports: ca_root_nss 3.52
|
|
* ports: curl 7.70.0 `[6] <https://curl.se/changes.html#7_70_0>`__
|
|
* ports: dhcp6c v20200512
|
|
* ports: hyperscan 5.2.1 `[7] <https://github.com/intel/hyperscan/releases/tag/v5.2.1>`__
|
|
* ports: openldap 2.4.50 `[8] <https://www.openldap.org/software/release/changes.html>`__
|
|
* ports: pcre2 10.35 `[9] <https://www.pcre.org/changelog.txt>`__
|
|
* ports: php 7.3.18 `[10] <https://www.php.net/ChangeLog-7.php#7.3.18>`__
|
|
|
|
|
|
|
|
--------------------------------------------------------------------------
|
|
20.1.6 (April 30, 2020)
|
|
--------------------------------------------------------------------------
|
|
|
|
|
|
Quick update as planned. Here are the full patch notes:
|
|
|
|
* system: add data length option to gateway monitor settings
|
|
* firewall: avoid greedy matching with live log parsing regression from 20.1.5
|
|
* firmware: detect runtime defaults when using "make upgrade" with core.git
|
|
* firmware: clean up packaging code and support ".link" file extension
|
|
* firmware: use CORE_FLAVOUR instead of FLAVOUR when using opnsense-bootstrap
|
|
* firmware: enable to optionally reach master branch when using opnsense-boostrap
|
|
* firmware: allow overriding CORE_ABI when using opnsense-bootstrap
|
|
* firmware: copy make.conf instead of linking when using opnsense-code
|
|
* firmware: always fetch tools.git when using opnsense-code
|
|
* rc: use "onifexists" for VGA TTY instead of "on"
|
|
* rc: missing ntpd user on 20.7 / 12.1
|
|
* plugins: os-unbound-plus DoT validation fix (contributed by Michael Muenz)
|
|
* src: fix ipfw invalid mbuf handling `[1] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:10.ipfw.asc>`__
|
|
* ports: libyaml 0.2.4 `[2] <https://raw.githubusercontent.com/yaml/libyaml/master/Changes>`__
|
|
* ports: openssl 1.1.1g `[3] <https://www.openssl.org/news/openssl-1.1.1-notes.html>`__
|
|
* ports: py-yaml 5.3.1 `[4] <https://raw.githubusercontent.com/yaml/pyyaml/master/CHANGES>`__
|
|
* ports: radvd 2.18 `[5] <http://www.litech.org/radvd/CHANGES.txt>`__
|
|
* ports: sqlite 3.31.1 `[6] <https://sqlite.org/releaselog/3_31_1.html>`__
|
|
* ports: squid 4.11 `[7] <http://ftp.meisei-u.ac.jp/mirror/squid/squid-4.11-RELEASENOTES.html>`__
|
|
* ports: suricata 4.1.8 `[8] <https://suricata-ids.org/2020/04/28/suricata-4-1-8-released/>`__
|
|
|
|
|
|
|
|
--------------------------------------------------------------------------
|
|
20.1.5 (April 23, 2020)
|
|
--------------------------------------------------------------------------
|
|
|
|
|
|
Today ships the first release version of the supplemental firewall rule
|
|
API via plugin, a new firewall shaper statistics GUI and API and the usual
|
|
number of improvements and third party updates.
|
|
|
|
Note that this version does not ship OpenSSL 1.1.1g as at this point our
|
|
release decision would have been to push 20.1.5 to next week or do a
|
|
smaller 20.1.6 next week on top.
|
|
|
|
Here are the full patch notes:
|
|
|
|
* system: support configuration for SSH HostKeyAlgorithms, KexAlgorithms, Ciphers and MACs
|
|
* system: simplify validations in gateway monitor settings
|
|
* interfaces: mark VXLAN and loopback devices as configurable
|
|
* interfaces: validation typo caused failure to communicate unassignable targets
|
|
* interfaces: netstat tree view GUI and API
|
|
* interfaces: use libxo to extract ARP data
|
|
* firewall: checkbox selection ignores visibility setting
|
|
* firewall: add network group type to combine aliases cleanly
|
|
* firewall: IPv6 essential icmpv6 allow for ::
|
|
* firewall: new shaper statistics GUI and API
|
|
* firewall: support filter log messages with PID
|
|
* reporting: when flow times are not returned stick to receive timestamp
|
|
* openvpn: use multihome when selecting "any" interface with UDP
|
|
* unbound: create shared startup script for background task
|
|
* mvc: also store "" field value as initial state to prevent empty fields as being marked as changed
|
|
* mvc: firewall source NAT ranges support in plugins
|
|
* mvc: keep options in static set for PortField
|
|
* mvc: support interface targets without addresses
|
|
* mvc. add "migration_prefix" attribute to model
|
|
* mvc: catch ArgumentCountError
|
|
* mvc: skip empty gateway artefact
|
|
* plugins: os-acme-client 1.31 `[1] <https://github.com/opnsense/plugins/pull/1784>`__
|
|
* plugins: os-firewall 1.0 API supplemental package
|
|
* plugins: os-haproxy 2.22 `[2] <https://github.com/opnsense/plugins/pull/1783>`__
|
|
* plugins: os-unbound-plus 1.1 `[3] <https://github.com/opnsense/plugins/blob/master/dns/unbound-plus/pkg-descr>`__
|
|
* plugins: os-wol 2.3 adds case insensitive matching in widget (contributed by Gauss23)
|
|
* ports: ca_root_nss 3.51.1
|
|
* ports: dnsmasq 2.81 `[4] <https://www.thekelleys.org.uk/dnsmasq/CHANGELOG>`__
|
|
* ports: krb5 1.18.1 `[5] <https://web.mit.edu/kerberos/krb5-1.18/>`__
|
|
* ports: openvpn 2.4.9 `[6] <https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.9>`__
|
|
* ports: php 7.2.30 `[7] <https://www.php.net/ChangeLog-7.php#7.2.30>`__
|
|
* ports: py-certifi 2020.4.5.1
|
|
* ports: strongswan 5.8.4 `[8] <https://wiki.strongswan.org/versions/77>`__
|
|
|
|
|
|
|
|
--------------------------------------------------------------------------
|
|
20.1.4 (April 08, 2020)
|
|
--------------------------------------------------------------------------
|
|
|
|
|
|
It almost looks like business as usual. But we all know it is not.
|
|
We will get through this together.
|
|
|
|
Here are the full patch notes:
|
|
|
|
* system: add missing strtolower() in LDAP sync response
|
|
* system: fix /var/run/legacy_log socket creation race with Syslog-ng
|
|
* system: add info button to display privilege / ACL endpoints
|
|
* system: make IPsec tap tunables overwriteable
|
|
* firewall: floating means either all interfaces or more than one selected
|
|
* firewall: simplify group maintenance by only applying them on filter reload
|
|
* interfaces: use primary IPv6 and support VIP tracking
|
|
* interfaces: multiple changes in radvd.conf setup (contributed by maurice-w)
|
|
* dhcp: fix DDNS support in DHCPv6 (contributed by Wagner Sartori Junior)
|
|
* firmware: mirror opnsense.ieji.de renamed to opn.sense.nz
|
|
* openvpn: improve openvpn_port_used() logic
|
|
* unbound: minor cleanup in /api/unbound/diagnostics/stats endpoint
|
|
* unbound: remove 192.0.0.0/24 from rebinding prevention list (contributed by maurice-w)
|
|
* mvc: simplify reload of captive portal, cron, IDS, alias, loopback, VXLAN, web proxy, routes, syslog and shaper
|
|
* mvc: limit dropdown size to 10 if not specified
|
|
* mvc: support inheritance of the ArrayField type
|
|
* mvc: synchronize backup timestamps with revisions
|
|
* mvc: fixed width for timestamp column in logging
|
|
* mvc: init errorMessage to prevent crash reports
|
|
* shell: use interfaces_primary_address6() for correct IPv6 display
|
|
* shell: append a newline in pluginctl -g mode
|
|
* plugins: os-acme-client 1.30 `[1] <https://github.com/opnsense/plugins/pull/1753>`__
|
|
* plugins: os-bind 1.13 `[2] <https://github.com/opnsense/plugins/blob/master/dns/bind/pkg-descr>`__
|
|
* plugins: os-freeradius 1.9.6 `[3] <https://github.com/opnsense/plugins/blob/master/net/freeradius/pkg-descr>`__
|
|
* plugins: os-haproxy 2.21 `[4] <https://github.com/opnsense/plugins/pull/1755>`__
|
|
* plugins: os-maltrail 1.5 `[5] <https://github.com/opnsense/plugins/blob/master/security/maltrail/pkg-descr>`__
|
|
* plugins: os-nginx 1.19 `[6] <https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr>`__
|
|
* plugins: os-nut 1.7 `[7] <https://github.com/opnsense/plugins/blob/master/sysutils/nut/pkg-descr>`__
|
|
* plugins: os-postfix 1.14 `[8] <https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr>`__
|
|
* plugins: os-tayga 1.0 (contributed by Michael Muenz)
|
|
* plugins: os-telegraf 1.7.7 `[9] <https://github.com/opnsense/plugins/blob/master/net-mgmt/telegraf/pkg-descr>`__
|
|
* plugins: os-unbound-plus 1.0 (contributed by Michael Muenz and Petr Kejval)
|
|
* lang: multiple updates to supported languages
|
|
* lang: new Turkish translation (contributed by Aydin Yakar)
|
|
* src: work around PCI devices which return all zeros for reads of existing MSI-X table VCTRL registers
|
|
* src: fix incorrect checksum calculations with IPv6 extension headers `[10] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:06.ipv6.asc>`__
|
|
* src: fix TCP IPv6 SYN cache kernel information disclosure `[11] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:04.tcp.asc>`__
|
|
* src: fix insufficient oce(4) ioctl(2) privilege checking `[12] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:05.if_oce_ioctl.asc>`__
|
|
* src: fix incorrect user-controlled pointer use in epair `[13] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:07.epair.asc>`__
|
|
* src: fix kernel memory disclosure with nested jails `[14] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:08.jail.asc>`__
|
|
* ports: curl 7.69.1 `[15] <https://curl.se/changes.html#7_69_1>`__
|
|
* ports: krb5 1.18 `[16] <https://web.mit.edu/kerberos/krb5-1.18/>`__
|
|
* ports: openssh 8.2p1 `[17] <https://www.openssh.com/txt/release-8.2>`__
|
|
* ports: openssl 1.1.1f `[18] <https://www.openssl.org/news/openssl-1.1.1-notes.html>`__
|
|
* ports: perl 5.30.2 `[19] <https://perldoc.perl.org/5.30.2/perldelta>`__
|
|
* ports: php 7.2.29 `[20] <https://www.php.net/ChangeLog-7.php#7.2.29>`__
|
|
* ports: python 3.7.7 `[21] <https://docs.python.org/release/3.7.7/whatsnew/changelog.html>`__
|
|
* ports: strongswan 5.8.3 `[22] <https://wiki.strongswan.org/versions/76>`__
|
|
* ports: sudo 1.8.31p1 `[23] <https://www.sudo.ws/legacy.html#1.8.31p1>`__
|
|
|
|
|
|
|
|
--------------------------------------------------------------------------
|
|
20.1.3 (March 18, 2020)
|
|
--------------------------------------------------------------------------
|
|
|
|
|
|
Quick reliability release for all of you out there doing the impossible
|
|
providing VPN for road warriors and what not. Keep it up! :)
|
|
|
|
Here are the full patch notes:
|
|
|
|
* system: match group CN case-insensitive
|
|
* system: added pluggable log format parsing facility
|
|
* system: update nsComment in OpenSSL config (contributed by vnxme)
|
|
* interfaces: fix missing default gateway switch on linkup event
|
|
* firewall: properly lock alias_util API (contributed by Cedric Deconinck)
|
|
* firewall: flush priority sections to /tmp/rules.debug
|
|
* firewall: do not escape internal URLs
|
|
* firmware: revoke 19.7 fingerprint
|
|
* ipsec: add virtual IPv6 pool for mobile clients (contributed by vnxme)
|
|
* ipsec: add MVC service control API
|
|
* monit: simplify Monit reload
|
|
* openvpn: properly swapped help texts regarding routes
|
|
* unbound: multiple fixes in DHCP watcher
|
|
* mvc: fix CountryField for static options
|
|
* mvc: extend PortField to support multiple items
|
|
* mvc: BaseListField plus PortField now use getValidationMessage() to bootstrap defaults
|
|
* mvc: add NetworkAliasField, ProtocolField and LegacyLinkField types
|
|
* mvc: apply PSR12 style as found on master
|
|
* ui: add jQuery plugin to support a simple service reload/action button
|
|
* ui: hook bootgrid javascript texts
|
|
* plugins: os-munin-node 1.0 (contributed by Michael Muenz)
|
|
* plugins: os-sunnyvalley 1.2 (contributed by Sunny Valley
|
|
* plugins: os-wol: relax MAC address validation (contributed by Mikael Falkvidd)
|
|
* ports: ca_root_nss 3.51
|
|
* ports: ntp 4.2.8p14 `[1] <https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ChangeLog-stable>`__
|
|
|
|
|
|
--------------------------------------------------------------------------
|
|
20.1.2 (March 05, 2020)
|
|
--------------------------------------------------------------------------
|
|
|
|
|
|
Today we pick up the recent FreeBSD security advisories as well as
|
|
the usual noise in bugfixes and third party updates. We are also at
|
|
the brink of a first HardenedBSD 12.1 based image so stay tuned.
|
|
|
|
Here are the full patch notes:
|
|
|
|
* system: fix leap year issue in new log reader
|
|
* system: add valid from and to dates to user certs display
|
|
* system: drop unused services.inc and diag_logs_template.inc
|
|
* interfaces: make sure descriptions are properly cleansed
|
|
* interfaces: introduce interfaces_primary_address6()
|
|
* interfaces: validate interface input in packet capture
|
|
* firewall: immediately download GeoIP if not already found
|
|
* firewall: improve performance when working with large number of aliases
|
|
* firewall: fix visibility on internal CARP rules
|
|
* captive portal: fix expiry and validity for vouchers (contributed by xx4h)
|
|
* dhcp: fix DNS registration for DHCPv6 static mappings (contributed by maurice-w)
|
|
* dhcp: add icons next to online/offline lease status (contributed by Tyler Ham)
|
|
* ipsec: allow configuration of inactivity parameter (contributed by Marcel Menzel)
|
|
* unbound: minor changes while scanning ACL subnets
|
|
* web proxy: work around to skip passing additional auth properties
|
|
* backend: allow pluginctl to return config.xml values
|
|
* console: improve type checks in set address function
|
|
* rc: join CARP early startup scripts
|
|
* plugins: os-dnscrypt-proxy fix for setup.sh on reboot
|
|
* plugins: os-dyndns 1.20 fixes verify restrictions, GratisDNS and missing break for Linode (contributed by NOYB, Johan Pramming, Andrew Gunnerson)
|
|
* plugins: os-maltrail 1.4 `[1] <https://github.com/opnsense/plugins/blob/master/security/maltrail/pkg-descr>`__
|
|
* plugins: os-nrpe fix for setup.sh on reboot
|
|
* plugins: os-tinc 1.5 fixes bug in IPv6 support (contributed by vnxme)
|
|
* src: fix imprecise ordering of SSP canary initialization `[2] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:01.ssp.asc>`__
|
|
* src: fix nmount invalid pointer dereference `[3] <https://www.freebsd.org/security/advisories/FreeBSD-EN-20:02.nmount.asc>`__
|
|
* src: fix libfetch buffer overflow `[4] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:01.libfetch.asc>`__
|
|
* src: fix kernel stack data disclosure `[5] <https://www.freebsd.org/security/advisories/FreeBSD-SA-20:03.thrmisc.asc>`__
|
|
* ports: ca_root_nss 3.50
|
|
* ports: php 7.2.28 `[6] <https://www.php.net/ChangeLog-7.php#7.2.28>`__
|
|
* ports: squid 4.10 `[7] <http://squid.mirror.colo-serv.net/archive/4/squid-4.10-RELEASENOTES.html>`__
|
|
* ports: suricata 4.1.7 `[8] <https://suricata-ids.org/2020/02/13/suricata-4-1-7-released/>`__
|
|
* ports: syslog-ng 3.25.1 `[9] <https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.25.1>`__
|
|
* ports: unbound 1.10.0 `[10] <https://nlnetlabs.nl/projects/unbound/download/>`__
|
|
|
|
|
|
|
|
--------------------------------------------------------------------------
|
|
20.1.1 (February 13, 2020)
|
|
--------------------------------------------------------------------------
|
|
|
|
|
|
A tiny update to keep everyone happy. :)
|
|
|
|
Here are the full patch notes:
|
|
|
|
* system: increase size of user SSH key input box
|
|
* system: fix faulty PPP log link in the menu
|
|
* system: fix a PHP warning on the general settings page
|
|
* interfaces: update maximum MTU for 10Gb NICs (contributed by Len White)
|
|
* firewall: fix rule statistics display for rules using tagging
|
|
* reporting: fix missing separator in NetFlow configuration
|
|
* firmware: add Quantum mirror in Hungary
|
|
* openvpn: fix ifconfig-ipv6-push format
|
|
* plugins: os-dnscrypt-proxy 1.7 `[1] <https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr>`__
|
|
* plugins: os-net-snmp 1.4 `[2] <https://github.com/opnsense/plugins/blob/master/net-mgmt/net-snmp/pkg-descr>`__
|
|
* plugins: os-nginx 1.18 `[3] <https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr>`__
|
|
* plugins: os-theme-vicuna 1.0 (contributed by Team Rebellion)
|
|
* ports: lighttpd 1.4.55 `[4] <https://www.lighttpd.net/2020/1/31/1.4.55/>`__
|
|
* ports: openldap 2.4.49 `[5] <https://www.openldap.org/software/release/changes.html>`__
|
|
* ports: pkg libfetch security fix `[6] <https://github.com/freebsd/freebsd-ports/commit/eec0b5c>`__
|
|
* ports: sudo 1.8.31 `[7] <https://www.sudo.ws/legacy.html#1.8.31>`__
|
|
|
|
|
|
|
|
--------------------------------------------------------------------------
|
|
20.1 (January 30, 2020)
|
|
--------------------------------------------------------------------------
|
|
|
|
|
|
For over 5 years now, OPNsense is driving innovation through modularising
|
|
and hardening the open source firewall, with simple and reliable firmware
|
|
upgrades, multi-language support, HardenedBSD security, fast adoption of
|
|
upstream software updates as well as clear and stable 2-Clause BSD licensing.
|
|
|
|
20.1, nicknamed "Keen Kingfisher", is a subtle improvement on sustainable
|
|
firewall experience. This release adds VXLAN and additional loopback device
|
|
support, IPsec public key authentication and elliptic curve TLS certificate
|
|
creation amongst others. Third party software has been updated to their
|
|
latest versions. The logging frontend was rewritten for MVC with seamless
|
|
API support. On the far side the documentation increased in quality as well
|
|
as quantity and now presents itself in a familiar menu layout.
|
|
|
|
Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
|
|
can be found below as well.
|
|
|
|
* Europe: https://opnsense.c0urier.net/releases/20.1/
|
|
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.1/
|
|
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.1/
|
|
* South America: http://mirror.upb.edu.co/opnsense/releases/20.1/
|
|
* South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/20.1/
|
|
* Full mirror list: https://opnsense.org/download/
|
|
|
|
These are the most prominent changes since version 19.7:
|
|
|
|
* Captive portal performance improvements
|
|
* IPsec public key authentication support
|
|
* Elliptic curve TLS certificate creation
|
|
* CARP service demotion hook
|
|
* VXLAN device support
|
|
* Loopback device support
|
|
* Extended firmware health audit checks
|
|
* Support direction and non-quick on interface rules
|
|
* Logging frontend migrated to MVC / API
|
|
* PSR 12 coding style
|
|
* Documentation for all core components
|
|
* Python 3.7 is now the default Python version
|
|
* LibreSSL 3.0 and OpenSSL 1.1.1
|
|
* Google Backup API 2.4
|
|
* jQuery 3.4.1
|
|
|
|
And here are the full patch notes against version 20.1-RC1:
|
|
|
|
* installer: welcome users as genuine 20.1 installer
|
|
* rc: revert growfs change since Nano does not grow anymore
|
|
* plugins: os-mail-backup 1.1 `[2] <https://github.com/opnsense/plugins/pull/1671>`__
|
|
* plugins: os-nrpe 1.0 (contributed by Michael Muenz)
|
|
* plugins: os-theme-rebellion 1.8.3 (contributed by Team Rebellion)
|
|
* plugins: os-vnstat 1.2 `[3] <https://github.com/opnsense/plugins/blob/stable/20.1/net/vnstat/pkg-descr>`__
|
|
* plugins: zabbix4-proxy 1.2 `[4] <https://github.com/opnsense/plugins/blob/stable/20.1/net-mgmt/zabbix4-proxy/pkg-descr>`__
|
|
* ports: ca_root_nss 3.49.2
|
|
* ports: curl 7.68.0 `[5] <https://curl.se/changes.html#7_68_0>`__
|
|
* ports: isc-dhcp 4.4.2 `[6] <https://downloads.isc.org/isc/dhcp/4.4.2/dhcp-4.4.2-RELNOTES>`__
|
|
* ports: php 7.2.27 `[7] <https://www.php.net/ChangeLog-7.php#7.2.27>`__
|
|
* ports: urllib3 1.27.7 `[8] <https://github.com/urllib3/urllib3/blob/master/CHANGES.rst#1257-2019-11-11>`__
|
|
|
|
Known issues and limitations:
|
|
|
|
* HardenedBSD 12.1 has been postponed to the next major release
|
|
* Legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp have been deprecated and will no longer receive updates
|
|
* To prevent stale configuration files for remote syslog we advise to setup the new targets first `[9] <https://docs.opnsense.org/manual/settingsmenu.html#logging-targets>`__ and disable the old ones under System: Settings: Logging
|
|
* i386 has not been deprecated for the time being ;)
|
|
|
|
The public key for the 20.1 series is:
|
|
|
|
.. code-block::
|
|
|
|
# -----BEGIN PUBLIC KEY-----
|
|
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0oYxXjva1d2TC/jQ/ygT
|
|
# GNB2QM2Flhq1CKwYKioT6kuKCelmG/vDRVYGs2VwBeshl53qnnob3rrCVtuS84VG
|
|
# C8n0i7bWsVWuOCaPzVCOua7MyxQNDItwA5D18SrmDbs07JE9XD30cX36Lvyq8GvZ
|
|
# bjk3AnHHqefR6F7fMGjDNPE3JofyLXEXN7TiH/Wk1MmBm3TXMJ4q63qa/clbY5zT
|
|
# jd2k1dtKWy23CcBKfxplu8HycqdQLCRl4o9+qdq7OQ8v9VT5dPIJcJodCvX9hAf7
|
|
# AUAMqsP3e6AyDM7iQcEkJiwAiytFAawyEIVOECxhEA+NpXHykd4G/00f5jGB259X
|
|
# /A8ARhjyT3zadjgXTIcEEBe5YTmxZrrKvWud4PguBTQOo9+XpI0H8A+IcoZ9AXQT
|
|
# J/IDBZJjsdSLspLPzLiwVQk9JrVylMLeyXCbtGCBZ8FOXyffceNQQl119ubkAZkx
|
|
# +NvioMIYQ+8rX0vn0njJfot+GQh0ezadlzuAmBBsGD8EtMCj92l/7zOyGucG+dCW
|
|
# kIv1yX0IOKeaNBZR3GDJJoyj5hFnoxkj2aNbuWjetg5MvpjBMl/h44brjL93m8PK
|
|
# GUhwcEPqcwu4ngu12O6vEeJW4vAbFlEznvgxmwJhMQf1/R8SUmKmAiprWKnY/w0E
|
|
# VHzlx7aRoGcRnnPs71DeloMCAwEAAQ==
|
|
# -----END PUBLIC KEY-----
|
|
|
|
|
|
|
|
.. code-block::
|
|
|
|
# SHA256 (OPNsense-20.1-OpenSSL-dvd-amd64.iso.bz2) = 4b15e9b3d72732d325c5eaf46ba34575d4de8cdc3e3ac1b10666c7372563be6d
|
|
# SHA256 (OPNsense-20.1-OpenSSL-nano-amd64.img.bz2) = 27544a78ae03d480a483cfd2e7cfa703b60e50938a1ed188ec3ccde6c426fefe
|
|
# SHA256 (OPNsense-20.1-OpenSSL-serial-amd64.img.bz2) = f93bbcbe92059c5de49f22d485da292952b48658a28d1cdaf83191e8c95c03c2
|
|
# SHA256 (OPNsense-20.1-OpenSSL-vga-amd64.img.bz2) = 019a877c4b4cb96cfda62d041774a91c030c5a8ecd58f8c3fd0067c7ac392982
|
|
|
|
.. code-block::
|
|
|
|
# SHA256 (OPNsense-20.1-OpenSSL-dvd-i386.iso.bz2) = 36146d0a066d9d696433599487e2a538ee5575a6b3d631293ad9e14e5fbbc6e0
|
|
# SHA256 (OPNsense-20.1-OpenSSL-nano-i386.img.bz2) = 0980f49d1b3445505fd1db27ab070886a706388d3aa16d7c8d953f279b7e3b11
|
|
# SHA256 (OPNsense-20.1-OpenSSL-serial-i386.img.bz2) = 322adbafe331ef7232c08d839a6f355ee633f5a662009b1801ebad0edab03d73
|
|
# SHA256 (OPNsense-20.1-OpenSSL-vga-i386.img.bz2) = 8bdd109015d7d54d382c7293bdf8fac6397a6c2e37662b73647c276e98c19d64
|
|
|
|
--------------------------------------------------------------------------
|
|
20.1.r1 (January 24, 2020)
|
|
--------------------------------------------------------------------------
|
|
|
|
|
|
For over 5 years now, OPNsense is driving innovation through modularising
|
|
and hardening the open source firewall, with simple and reliable firmware
|
|
upgrades, multi-language support, HardenedBSD security, fast adoption of
|
|
upstream software updates as well as clear and stable 2-Clause BSD licensing.
|
|
|
|
We thank all of you for helping test, shape and contribute to the project!
|
|
We know it would not be the same without you.
|
|
|
|
Download links, an installation guide `[1] <https://docs.opnsense.org/manual/install.html>`__ and the checksums for the images
|
|
can be found below as well.
|
|
|
|
* Europe: https://opnsense.c0urier.net/releases/20.1/
|
|
* US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/20.1/
|
|
* US West Coast: https://mirror.sfo12.us.leaseweb.net/opnsense/releases/20.1/
|
|
* South America: http://mirror.upb.edu.co/opnsense/releases/20.1/
|
|
* South-East Asia: https://ftp.yzu.edu.tw/opnsense/releases/20.1/
|
|
* Full mirror list: https://opnsense.org/download/
|
|
|
|
Here are the full patch notes against 19.7.9_1:
|
|
|
|
* system: support for manually removing static route entries
|
|
* system: migrated logging to MVC
|
|
* system: regenerate default DH parameters
|
|
* system: randomize session ID in test cookie
|
|
* system: remove legacy XMLRPC push on changes
|
|
* system: deprecate the use of services.inc
|
|
* system: opt-out on "Allow DNS server list to be overridden by DHCP/PPP on WAN" for selected interfaces
|
|
* system: increase PHP memory limit to 512 MB
|
|
* system: opnsense-auth can now respond with extended properties in JSON on successful authentication
|
|
* interfaces: loopback device support
|
|
* interfaces: VXLAN device support
|
|
* interfaces: first steps toward fully pluggable device infrastructure
|
|
* interfaces: remove default load of netgraph framework on bootup
|
|
* interfaces: interfaces: move description into top block and rename titles
|
|
* interfaces: only trigger newwanip event for affected interfaces
|
|
* firmware: revoke 19.1, trust 20.1 fingerprint
|
|
* firmware: new mirror in Zurich, CH contributed by ServerBase AG
|
|
* firmware: add live search to mirror selection
|
|
* dhcp: add OMAPI configuration support (contributed by Yuri Moens)
|
|
* ipsec: add configurable dpdaction (contributed by Marcel Menzel)
|
|
* ipsec: refactor tunnel settings page
|
|
* unbound: add options for logging queries and extended statistics (contributed by Flightkick)
|
|
* mvc: BaseListField ignoring empty selected field
|
|
* ui: jQuery 3.4.1
|
|
* plugins: os-dyndns 1.19 adds dynv6 and Azure DNS support (contributed by Ralf Zerres and martgras)
|
|
* plugins: os-haproxy 2.20 `[2] <https://github.com/opnsense/plugins/pull/1646>`__
|
|
* plugins: os-zabbix-agent 1.7 `[3] <https://github.com/opnsense/plugins/pull/1578>`__ `[4] <https://github.com/opnsense/plugins/pull/1618>`__
|
|
* ports: ca_root_nss 3.49.1
|
|
* ports: curl 7.68.0 `[5] <https://curl.se/changes.html#7_68_0>`__
|
|
* ports: openssl 1.1.1d `[6] <https://www.openssl.org/news/openssl-1.1.1-notes.html>`__
|
|
|
|
Known issues and limitations:
|
|
|
|
* HardenedBSD 12.1 has been postponed to the next major release
|
|
* Nano growfs does not work on this release candidate, but a fix for 20.1 already exists
|
|
* Installer still advertises 19.7, but a fix for 20.1 already exists
|
|
* Legacy MPD5 plugins os-l2tp, os-pppoe and os-pptp have been deprecated and will no longer receive updates
|
|
* i386 has not been deprecated for the time being ;)
|
|
|
|
The public key for the 20.1 series is:
|
|
|
|
.. code-block::
|
|
|
|
# -----BEGIN PUBLIC KEY-----
|
|
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0oYxXjva1d2TC/jQ/ygT
|
|
# GNB2QM2Flhq1CKwYKioT6kuKCelmG/vDRVYGs2VwBeshl53qnnob3rrCVtuS84VG
|
|
# C8n0i7bWsVWuOCaPzVCOua7MyxQNDItwA5D18SrmDbs07JE9XD30cX36Lvyq8GvZ
|
|
# bjk3AnHHqefR6F7fMGjDNPE3JofyLXEXN7TiH/Wk1MmBm3TXMJ4q63qa/clbY5zT
|
|
# jd2k1dtKWy23CcBKfxplu8HycqdQLCRl4o9+qdq7OQ8v9VT5dPIJcJodCvX9hAf7
|
|
# AUAMqsP3e6AyDM7iQcEkJiwAiytFAawyEIVOECxhEA+NpXHykd4G/00f5jGB259X
|
|
# /A8ARhjyT3zadjgXTIcEEBe5YTmxZrrKvWud4PguBTQOo9+XpI0H8A+IcoZ9AXQT
|
|
# J/IDBZJjsdSLspLPzLiwVQk9JrVylMLeyXCbtGCBZ8FOXyffceNQQl119ubkAZkx
|
|
# +NvioMIYQ+8rX0vn0njJfot+GQh0ezadlzuAmBBsGD8EtMCj92l/7zOyGucG+dCW
|
|
# kIv1yX0IOKeaNBZR3GDJJoyj5hFnoxkj2aNbuWjetg5MvpjBMl/h44brjL93m8PK
|
|
# GUhwcEPqcwu4ngu12O6vEeJW4vAbFlEznvgxmwJhMQf1/R8SUmKmAiprWKnY/w0E
|
|
# VHzlx7aRoGcRnnPs71DeloMCAwEAAQ==
|
|
# -----END PUBLIC KEY-----
|
|
|
|
Please let us know about your experience!
|
|
|
|
|
|
|
|
.. code-block::
|
|
|
|
# SHA256 (OPNsense-20.1.r1-OpenSSL-dvd-amd64.iso.bz2) = fed43e5cc5092da5adcfcb2ccdddf51a1cea6a69f06b764fcd9c3d36e0705d4a
|
|
# SHA256 (OPNsense-20.1.r1-OpenSSL-nano-amd64.img.bz2) = bf825455cc09e2a410cbe702a0c1c5b454546c476c7e90ae87ab64fc3eee6a78
|
|
# SHA256 (OPNsense-20.1.r1-OpenSSL-serial-amd64.img.bz2) = 906103fb4cc3e573a9e2d560a6365baa7162077b8933a253bb45fd23a154dd87
|
|
# SHA256 (OPNsense-20.1.r1-OpenSSL-vga-amd64.img.bz2) = 3308412597f5b95f9b9e854ddbeb5f49735109d846af553dbe2553dedf73cb9b
|
|
|
|
.. code-block::
|
|
|
|
# SHA256 (OPNsense-20.1.r1-OpenSSL-dvd-i386.iso.bz2) = a110e2ed48228d918909daca5d93d8acafccdc4426e3e928d8561f7ad4180289
|
|
# SHA256 (OPNsense-20.1.r1-OpenSSL-nano-i386.img.bz2) = 201b757b0d719e8f3c4aa473b414005a5544a4b1553ca9d79c1743610d67b460
|
|
# SHA256 (OPNsense-20.1.r1-OpenSSL-serial-i386.img.bz2) = 74a8f6bc5cdf885f5ff906ad2dfd05584f8e217212f90cd2e3a3269a5a9b604a
|
|
# SHA256 (OPNsense-20.1.r1-OpenSSL-vga-i386.img.bz2) = 1779ca5aeb37d2d97bd7e053421d64206b27189db74711600b93e458d858caff
|