2
0
mirror of https://github.com/opnsense/docs synced 2024-11-15 06:12:58 +00:00
opensense-docs/source/releases/CE_15.7.rst
2022-04-26 15:21:15 +02:00

1207 lines
66 KiB
ReStructuredText

===========================================================================================
15.7 "Brave Badger" Series
===========================================================================================
While the summer is hot, we push forward to what now is 15.7 -- nicknamed
'Brave Badger' -- right in front of you. A lot of effort went into this
project during the past 6 months, and we dare say it has been worth all
of it. We would like to thank our followers and friends and feedback
givers and forum lurkers and contributors and doubters and supporters that
helped to make 15.7 what it is. We wouldn't be here without any of you.
Thank you.
In itself, 15.7 is a simple upgrade from 15.1.12 which we recommend to
everyone. What changes is that development will move to a different
branch so that from now on regressions are less likely and therefore
stability will increase further. The provided images may also be the only
ones for the next 6 months as we are confident in their longevity and the
online upgrade path. We have also bumped the LibreSSL flavour to a
production-ready state and encourage everyone to try it out. The installer's
import configuration tool coupled with a quick and easy installation can help
you move from OpenSSL to LibreSSL and back seamlessly.
The biggest addition is the intrusion detection integration (suricata) as
well as new local and remote blacklists options for the proxy server (squid).
Security-wise, it has been rather quiet with only a few CVEs in third-party
tools. Please see the full patch notes for details and references:
* kernel: borrowed a dummynet / ipnat patch from m0n0wall to enable symmetric
traffic shaping when NAT is involved
* kernel: fix recurse lock panic for tmpfs in conjunction with unionfs
* kernel: applied two stable patches that prevent squid from crashing `[1] <https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=195802>`__
* kernel: retired ALTQ support
* base: sendmail TLS/DH Interoperability Improvement `[2] <https://www.freebsd.org/security/advisories/FreeBSD-EN-15:08.sendmail.asc>`__
* base: improved iconv(3) UTF-7 support `[3] <https://www.freebsd.org/security/advisories/FreeBSD-EN-15:10.iconv.asc>`__
* base: inconsistency between locale and rune locale states `[4] <https://www.freebsd.org/security/advisories/FreeBSD-EN-15:09.xlocale.asc>`__
* notable ports updates: phalcon 2.0.3 `[5] <https://github.com/phalcon/cphalcon/releases/tag/phalcon-v2.0.3>`__ , curl 7.43.0_2 `[6] <https://curl.haxx.se/changes.html>`__ ,
openssh 6.8p1_8, python 2.7.10 `[7] <https://hg.python.org/cpython/raw-file/15c95b7d81dc/Misc/NEWS>`__ , perl 5.20.2_5 `[8] <https://perldoc.perl.org/5.20.2/perldelta>`__ , ntp 4.2.8p3 `[9] <http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ChangeLog-stable>`__ ,
libxml 2.9.2_3 `[10] <https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-1819>`__ , openldap24-server 2.4.41 `[11] <https://www.openldap.org/software/release/changes.html>`__
* opnsense-update: will no longer try to reinstall the istalled version
after a fresh installation
* bsdinstaller: bring back cpdup to error out on low memory installation
(you need 1 GB of RAM, or work around installation using the nano image)
* traffic shaper: removed legacy queues support in favour of the new traffic
shaper functionality
* traffic shaper: allow direct enable/disable toggle
* proxy: fix the initial daemon start on bootup
* proxy: added LAN as the default interface configuration
* proxy: local and remote blacklists with regex support
* intrusion detection: initial release of our IDS GUI based on suricata
* gateways: monitoring mode gained IPv6 support
* captive portal: fix idle timeout bug
* captive portal: do not delete the wrong zone when having multiple
configurations
* captive portal: removed include files from exposed web directory
* backend: always regenerate users and groups to avoid corruption after an
unclean shutdown
* backend: wait for configd socket to come up to address a startup race issue
* backend: clean up configd socket on exit
* backend: fixed regression that prevented user scripts from being started
via /etc/rc.conf
* gateways: only show apinger in services when monitoring is enabled for
a gateway
* languages: brought Simplified Chinese to 49% completed, German to
30% completed
* universal plug and play: make page invoke static to remove exploitability
of the legacy packages framework
* crash reporter: finally enabled the send button and provides human-readable
feedback whether the submission was complete
* console: added non-interactive interface assignment for headless deployments
* ssh: disable password authentication on factory reset to align with the
standard configuration
* diagnostics: avoid duplicated calls of gethostbyaddr() in NDP table view
* users: prompt for old password on password change to prevent account
hijacking
* users: stripped the impossible scponly user privileges since said utility
has never been part of our ecosystem
Images can be found on any of our mirrors, but they may take a
few hours to sync. The checksums are attached at the end of
this announcement for convenience.
https://opnsense.org/download/
--------------------------------------------------------------------------
15.7.25 (January 18, 2016)
--------------------------------------------------------------------------
This is good-bye. 6 months have passed and 15.7 has served us well.
In only 10 days 16.1 will be out and it is looking shiny. Please study
the end of life announcement on the firmware page before attempting to
upgrade to the next version.
As such, we have incorporated all of the outstanding security issues
of last week, mostly related to FreeBSD and OpenSSH. Patches for the
GUI are light; all pending improvements go directly into the next major
release.
Here are the full patch notes:
* src: SCTP ICMPv6 error message vulnerability `[1] <https://www.freebsd.org/security/advisories/FreeBSD-SA-16:01.sctp.asc>`__
* src: ntp panic threshold bypass vulnerability `[2] <https://www.freebsd.org/security/advisories/FreeBSD-SA-16:02.ntp.asc>`__
* src: Linux compatibility layer incorrect futex handling `[3] <https://www.freebsd.org/security/advisories/FreeBSD-SA-16:03.linux.asc>`__
* src: Linux compatibility layer setgroups(2) system call vulnerability `[4] <https://www.freebsd.org/security/advisories/FreeBSD-SA-16:04.linux.asc>`__
* src: TCP MD5 signature denial of service `[5] <https://www.freebsd.org/security/advisories/FreeBSD-SA-16:05.tcp.asc>`__
* src: Insecure default snmpd.config permissions `[6] <https://www.freebsd.org/security/advisories/FreeBSD-SA-16:06.bsnmpd.asc>`__
* src: OpenSSH client information leak `[7] <https://www.freebsd.org/security/advisories/FreeBSD-SA-16:07.openssh.asc>`__
* src: Invalid TCP checksums with pf(4) `[8] <https://www.freebsd.org/security/advisories/FreeBSD-EN-16:02.pf.asc>`__
* src: YP/NIS client library critical bug `[9] <https://www.freebsd.org/security/advisories/FreeBSD-EN-16:03.yplib.asc>`__
* ports: sqlite 3.10.0 `[10] <https://sqlite.org/releaselog/3_10_0.html>`__ , easy-rsa 3.0.1 `[11] <https://github.com/OpenVPN/easy-rsa/releases>`__ , openssh 7.1p2 `[12] <http://www.openssh.com/txt/release-7.1p2>`__
* traffic graphs: fix truncation of IP address to 14 characters
* firmware: EOL announcement for 15.7 added, ready for upgrading to 16.1 on January 28
* firmware: added mirror provided by RageNetwork (Munich, DE)
* menu: fix navigation after editing IPsec mobile clients (contributed by Manuel Faux)
* trust: properly reference CA in intermediate CAs (contributed by Manuel Faux)
--------------------------------------------------------------------------
15.7.24 (January 11, 2016)
--------------------------------------------------------------------------
We're back, and we have a lot of neat changes and security updates
for you. Most notably, the firewall pages received a lot of subtle
tweaks to improve user experience. Secondly, the firmware pages
gained the plugins management feature. And last but not least, the
kernel and base upgrade gained better signature support `[1] <https://github.com/opnsense/update#opnsense-sign--opnsense-verify>`__ that ties
right into FreeBSD's pkg verification mechanism, how cool is that!
We'd like to use this opportunity to thank four of our regular
contributors who've helped us to advance further than we could have
dreamed. A big thank you to Manuel Faux, Fabian Franz, Frank Wall
and Andreas Martin! And no, we do not make these up as we go. ;)
Here are the full patch notes:
* ports: suricata 2.0.11 `[2] <http://suricata-ids.org/2015/12/21/suricata-2-0-11-available/>`__ , dhcp6 20080615_5 `[3] <https://github.com/freebsd/freebsd-ports/commit/7f6883d1dd>`__ , lighttpd 1.4.39 `[4] <https://www.lighttpd.net/2016/1/2/1.4.39/>`__
* ports: syslogd 10.2, mpd 5.8 `[5] <http://mpd.sourceforge.net/doc5/mpd4.html#4>`__ , ca_root_nss 3.21, dnsmasq 2.75_1 `[6] <https://reviews.freebsd.org/D4813>`__
* ports: ntp 4.2.8p5 `[7] <http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities>`__ , php 5.6.17 `[8] <https://php.net/ChangeLog-5.php#5.6.17>`__ , python 2.7.11_1 `[9] <https://bugs.python.org/issue20397>`__
* ports: miniupnpd 1.9.20151212, openvpn 2.3.10 `[10] <https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.10>`__
* opnsense-update: add opnsense-verify and opnsense-sign
* opnsense-update: improve verification of signatures of kernel
and base upgrades
* menu: bring back dashboard entry due to popular demand
* menu: fix interface listing error when its description is empty
* menu: moved license file to lobby section for visibility
* menu: order VPN services for icon adjustment (contributed by
Fabian Franz)
* menu: renamed "config manager" to "configuration" and "certificate
manager" to "trust"
* language: multiple translation improvements (contributed by
Fabian Franz and Andreas Martin)
* language: fix behaviour of numerous apply buttons when using a
non-English translation
* dashboard: don't display widget headers when the actual widgets are
no longer installed
* backend: fix issue when configd target pattern cannot be found
* carp: fix support for OpenVPN clients
* system: remove the old FTP proxy implementation (use proxy server
service instead)
* system: pin down listbox size to unhide the search field
* health: tidy up the layout by removing visual blockers and general
bumpiness
* access: fix setting of default values for new users
* access: fix padding on user listing page
* access: adjusted file type of API credentials to fix Chrome's
download blues (contributed by Fabian Franz)
* configuration: fix replay of configuration backups
* interfaces: fix redirect after applying an interface's configuration
* trust: properly set certificate digest algorithm in form after
creation error
* gateways: bring back display of descriptions (contributed by Frank Wall)
* load balancer: bring back display of descriptions (contributed by
Frank Wall)
* ipsec: fix RSA authentication method check
* ipsec: finally brought back lease display in widgets and status page
* proxy: add configurable cache_mem setting
* unbound: honour the "register DHCP leases in DNS" option (contributed
by Manuel Faux)
* unbound: reorder advanced features inclusion
* dynamic dns: allow custom entries to set hostname to be used in e.g.
OpenVPN exports
* dynamic dns: updated cloudflare service binding
* firewall: fix saving of zero values on virtual IP page
* firewall: fix label for option source/invert in rules edit page
(contributed by Frank Wall)
* firewall: show warning banner on related pages when firewall is
globally disabled (contributed by Manuel Faux)
* firewall: add interface groups to firewall rules and port forwarding
* firewall: add matching behaviour indicator for floating rules
(contributed by Fabian Franz)
* firewall: make quick matching behaviour the default for floating rules
* firewall: fix spurious error when migrating alias from one interface
to the next
* firewall: sort alias listing for better overview
* firewall: fix header alignment for schedule repeat section
* firmware: added display of major announcements on the firmware page
* firmware: added reinstall / (un)lock buttons for installed packages
* firmware: added plugin listing to page with install / remove buttons
* firmware: restructured the backend and improved its resilience
* firmware: show the download size of the pending update in the update
check response
* firmware: added update verification signature for the upcoming 16.1
release series
* captive portal (devel): fix text of two help messages (contributed by
Fabian Franz)
--------------------------------------------------------------------------
15.7.23 (December 23, 2015)
--------------------------------------------------------------------------
As the end of the year 2015 is nearing, we push one last update. And
it's been a hell of a year! This is actually the 49th official update
we're releasing, so that gives you the idea of how serious we were about
"once a week". The major upgrade 16.1 is around the corner as well,
although major is a bit of a stretch: the main reason for calling it 16.1
are the all new captive portal and FreeBSD 10.2. But that's not the point.
Here it is...
We would like to thank everyone for their resounding support through good
and bad times, for lively discussions, outside contributions and all the
encouragement we've received. We've set a reasonable pace for progress
within our project and we will certainly keep it up for 2016. That's the
least we can do for you. After all, we do like to think we've built a
little family.
Here are the full patch notes:
* ports: bind 9.10.3-P2 `[1] <https://kb.isc.org/article/AA-01328/0/BIND-9.10.3-P2-Release-Notes.html>`__ , python 2.7.11 `[2] <https://hg.python.org/cpython/raw-file/53d30ab403f1/Misc/NEWS>`__ , openvpn 2.3.9 `[3] <https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.9>`__
* traffic shaper: page is now properly translated (contributed by Fabian Franz)
* system: all remaining pages in this section have been reworked for clarity
* logs: split up the old VPN multi-log page into their respective parts (L2TP, PPTP, PPPoE)
* logs: added filtering option to all logs that previously missed it
* certificates: now supports different extensions (Key Usage, Subject Alternative Name) and usage types
* dhcp: allow commas in advanced DHCP client options (contributed by Simon van der Linden)
* firewall: add direction indication icon to floating rules
* firewall: lock port numbers on protocols that are not TCP/UDP
* firewall: fix apply button on outbound NAT page in translation mode
* traffic shaper: add TCP ACK/non-ACK matching options
* proxy: two fixes for non-local authentication
--------------------------------------------------------------------------
15.7.22 (December 09, 2015)
--------------------------------------------------------------------------
So here are OpenSSL 1.0.2e and LibreSSL 2.2.5, finally! 15.7.22 itself is
only tweaks and minor fixes. We take it as a good sign that there were no
"oh no what did you do to the menu" complaints in the past week. Nobody
missed the RRD graphs either. You guys are really cool.
The root cause for the filter reload timeout reports that some of you
encountered in 15.7.19 has finally been found. The function
filter_generate_optcfg_array() could be called hundreds of times in a single
filter reload while only providing static interface data to the callers that
did not change over the runtime of the reload. At some point it must have
gotten so slow that a caching mechanism was added around the function, which
caused the function's output to get stuck, causing the initial bug report.
Now it's as fast as ever and glitch-free.
Here are the full patch notes:
* dhcp: show lease description in status pages if available (contributed
by Frank Wall)
* firewall: improve and align display of RFC 1918 and IANA rules (contributed
by Manuel Faux)
* firewall: fix hover cursor on the filter log page (contributed by
Manuel Faux)
* firewall: show implicit IPv6 block rule if enabled in system settings
(contributed by Manuel Faux)
* firewall: extend pfInfo to show active rules (contributed by Manuel Faux)
* unbound: fix JS to enable/disable interface selector (contributed by
Manuel Faux)
* unbound: fix starting of unbound via service status page (contributed by
Manuel Faux)
* proxy server: allow authentication against all available authentication
servers
* universal plug and play: fix read/write on the settings page
* interfaces: break device configuration pages out of interface assignment
section
* backend: optimise filter reload to not collect overall interface information
more than once
* backend: reapply the cache removal in light of the filter reload fixing
* backend: trigger config daemon templates on bootup
* backend: throw error when attempting to trigger a nonexistent template
* ports: curl 7.46 `[1] <https://curl.haxx.se/mail/lib-2015-12/0001.html>`__
* ports: openssl 1.0.2e `[2] <http://openssl.org/news/secadv/20151203.txt>`__
* ports: libressl 2.2.5 `[3] <http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.2.5-relnotes.txt>`__
* ports: squid 3.5.12 `[4] <http://ftp.meisei-u.ac.jp/mirror/squid/squid-3.5-ChangeLog.txt>`__
* ports: lighttpd 1.4.38 `[5] <http://www.lighttpd.net/2015/12/5/1.4.38/>`__
--------------------------------------------------------------------------
15.7.21 (December 04, 2015)
--------------------------------------------------------------------------
Back in September we've started out to work on the excessive GUI padding
and dispersed menu structure in order to get to a slick and clean page
layout. We've transformed tab navigation into submenu items, pulling
similar items together into one single category, adding distinctive icons
as a highlight and anchor point. We've come to like it so much that we
can't wait for 16.1 to merge it in so here it is for everyone to enjoy.
Work in this area will continue in tiny pieces as we go along. Send us
feedback, let us know what we can push even further.
15.7.21 brings updates to some of the most important ports and RRD frontend
pages have been completely removed. Unfortunately, we couldn't squeeze in
OpenSSL and LibreSSL at this point, but will follow up as soon as both of
them are available.
Here are the full patch notes:
* ports: phalcon 2.0.9 `[1] <https://github.com/phalcon/cphalcon/releases/tag/phalcon-v2.0.9>`__
* ports: php 5.6.16 `[2] <https://php.net/ChangeLog-5.php#5.6.16>`__
* ports: suricata 2.0.10 `[3] <http://suricata-ids.org/2015/11/25/suricata-2-0-10-available/>`__
* ports: openldap 2.4.43 `[4] <https://www.openldap.org/software/release/changes.html>`__
* ports: strongswan 5.3.5 `[5] <https://www.strongswan.org/blog/2015/11/26/strongswan-5.3.5-released.html>`__
* menu: removed tab navigation in favour of submenu items
* menu: removed the status and diagnostics from the top menu
* menu: made the menu smaller and added distinctive icons
* menu: order interfaces by their descriptive name
* layout: removed several paddings and spurious boarders
* rrd: removed the graphing frontend to complete our switch to System Health
* rrd: moved remaining settings to System: Settings: Logs / Reporting
* logs: can now narrow search using individual keywords separated by whitespace
* logs: added a raw firewall view as a default page instead of having a setting for it
* logs: ppp log messages won't show up in the system messages anymore
* universal plug and play: reworked settings page for clarity
* gateways/routes/users: reworked all pages for clarity
* settings: reworked admin access and general section for clarity
* settings: password authentication and permit root login settings changes did not trigger an immediate sshd restart
* ipsec: remove use of reqid in config
* ipsec: fix ESP/AH options on multiple phase2 entries
* ipsec: fix algorithm selection in phase1 and phase2
* ipsec: properly handle status error when ipsec is not enabled
* ipsec: subnet selection can now extend beyond 24 bits
* ipsec: make NAT type configurable for phase2 (contributed by Frank Wall)
* layout: updated to jQuery Bootgrid v1.3.1
* language: many translations added (contributed by Frederic Lietart and Fabian Franz)
* config: improve the session handling to ensure a responsive GUI
* ntp: gps settings now work with translations and properly reselect the configured device
--------------------------------------------------------------------------
15.7.20 (November 25, 2015)
--------------------------------------------------------------------------
Today we proudly present to you 15.7.20, which includes several improvements
and fixes in all areas. Notable from a development perspective are the
opnsense-bootstrap tool, which can install the latest OPNsense version on a
FreeBSD 10.1. Additionally, the development branch offers a sneak preview of
Suricata in true IPS mode! Instructions on how to test it can be found in
the forum `[9] <https://forum.opnsense.org/index.php?topic=1740>`__ .
Here are the full patch notes:
* src: fix kqueue write events never fired for files greater 2GB `[1] <https://www.freebsd.org/security/advisories/FreeBSD-EN-15:19.kqueue.asc>`__
* src: remove obsolete locking primitives IFA_LOCK() / IFA_UNLOCK()
* src: enable netmap(4) driver support in the kernel
* src: merge stf(4) driver modifications from pfSense `[2] <https://github.com/opnsense/src/commit/19ba0fbfd15ea8ff24ce172dee30e1>`__
* ports: squid 5.3.11 `[3] <http://ftp.meisei-u.ac.jp/mirror/squid/squid-3.5-ChangeLog.txt>`__
* ports: strongswan 5.3.4 `[4] <https://www.strongswan.org/blog/2015/11/16/strongswan-5.3.4-released.html>`__
* ports: choparp 20150613 `[5] <https://github.com/quinot/choparp>`__
* ports: libxml 2.9.3 `[6] <http://www.xmlsoft.org/news.html>`__
* ports: pkg 1.6.2 `[7] <https://github.com/freebsd/freebsd-ports/commit/0466b08981bf9c714>`__
* ports: opnsense-bootstrap, the infamous installer that works on stock FreeBSD `[8] <https://github.com/opnsense/update/commit/e3f63ecdb1149a8cc30e3>`__
* intrusion detection: ignore json parse errors in eve log file
* intrusion prevention (development): added Suricata 2.1beta4 in inline mode `[9] <https://forum.opnsense.org/index.php?topic=1740>`__
* interfaces: reverted cache removal due to multiple speed regressions reports
* backend: send timeouts with proper description to syslog
* openvpn: fix auth server selection for translations
* filter: make the status reload page provide better debug info
* interfaces: fix mobile carrier selection on main interface edit page
* interfaces: unify release/renew/connect/disconnect buttons in status page
* dashboard: show cell mode for ppp if available
--------------------------------------------------------------------------
15.7.19 (November 13, 2015)
--------------------------------------------------------------------------
Time for the weekly update. :)
15.7.19 is a smaller maintenance release with a backend switch for IPsec
reporting and a couple of minor fixes. With the help of the community, we're
also improving the consistency of the GUI translation with more commits
already in the works.
Notable from a development version perspective are the API authentication
and the revived voucher support for our new captive portal. This means two
more roadmap items already finished for 16.1.
Here are the full patch notes:
* ports: sudo 1.8.15 `[1] <https://www.sudo.ws/legacy.html#1.8.15>`__ , sqlite 3.9.2 `[2] <https://sqlite.org/releaselog/3_9_2.html>`__
* aliases: make url tables useable
* interfaces: fix faulty GUI caching issues `[3] <https://github.com/opnsense/core/issues/451>`__
* ipsec: obey force nat traversal
* ipsec: switch status page and widget from deprecated SMP to VICI interface
for reliable output
* ipsec: fixed remote network input validation
* status: show more raw ipfw info in the commands section
* config: don't use notices in early/low level code
* languages: a large number of old and new strings is now being properly
translated (with contributions from Franz Fabian and Frederic Lietart)
* languages: translation strings no longer use obfuscated argument reordering
by default
* languages: updated German and French to a newer version from
translate.opnsense.org
* captive portal (development): added a new voucher implementation
* api (development): added API key authentication mechanism `[4] <https://wiki.opnsense.org/index.php/Howto_use_the_API>`__
--------------------------------------------------------------------------
15.7.18 (November 04, 2015)
--------------------------------------------------------------------------
It took a while to track down a NTP regression with FreeBSD that turned out
to be a flaw in the kernel itself. That's now fixed for all FreeBSD versions.
Thanks everyone for helping out here again. :)
This update brings quite a few fixes, especially with regard to VMware and
Xen virtualisation plugins. If you are in need of such plugins for seamless
guest support the installation is quite painless:
.. code-block::
# pkg install os-vmware
# pkg install os-xen
In case of VMware, the masterplan is that vmx network devices will be
persistent after reboot so that such devices can be embedded into the
config.xml. Let us know how that works for you guys. Needless to say,
we'll keep working on making plugins accessible through the GUI with our
next major version that is 16.1.
We've also been working on ironing out further IPsec hiccups and adding more
features to the captive portal in the development version. Oh, and this:
fresh images based on 15.7.18 will be available a couple of days after this
release.
Here are the full patch notes:
* plugins: updated the VMware plugin to support early boot for persistent
vmx(4) device access
* plugins: added the Xen plugin for automatic guest support
* openvpn: fix server not saving interface without IP
* crash reporter: remember email for continuous feedback
* crash reporter: Suhosin PHP module no longer triggers crash reports
* crash reporter: fixed 10 assorted crash reports
* languages: fix all apply button prompts for non-English translations
* languages: updated German and French via https://translate.opnsense.org
* backend: added simple plugin hooks for boot up, early boot up and shutdown
* GUI: hooked up the authentication backend rewrite
* dhcp: remove illegal ifconfig tag in custom dhclient script
* virtual ips: make subnet selectable on ipalias
* ipsec: flip ipv4/ipv6 subnet options in phase2
* ipsec: fix issue when using both tunnels and roadwarrior
* ipsec: listen to disabled ipsec nat entries
* ipsec: do not overwrite settings for rekey/reauth
* proxy: fix error on saving special URL characters
* aliases: fix missing url table items
* aliases: hide minus when not applicable
* ntp: don't trigger set_gps_default on page load
* captive portal (development): clean rewrite of RADIUS
authentication/accounting
* captive portal (development): added a session overview feature to the new
* captive portal (development): fixed template download file name in Google
Chrome
* src: Implement pubkey support for pkg(7) bootstrap `[1] <https://www.freebsd.org/security/advisories/FreeBSD-EN-15:18.pkg.asc>`__
* src: rpcbind remote denial of service `[2] <https://www.freebsd.org/security/advisories/FreeBSD-SA-15:24.rpcbind.asc>`__
* src: Applications exiting due to segmentation violation on a correct
memory address `[3] <https://www.freebsd.org/security/advisories/FreeBSD-EN-15:20.vm.asc>`__
* src: tzdata updated to 2015g `[4] <http://mm.icann.org/pipermail/tz-announce/2015-October/000034.html>`__
* ports: ntp 4.2.8p4 `[5] <https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ChangeLog-dev>`__
* ports: pkg 1.6.1 `[6] <https://github.com/freebsd/freebsd-ports/commit/233063d86be930>`__ `[7] <https://github.com/freebsd/freebsd-ports/commit/4cee57325035cc6>`__
* ports: sqlite 3.9.1 `[8] <https://sqlite.org/releaselog/3_9_1.html>`__
* ports: suricata 2.0.9 `[9] <http://suricata-ids.org/2015/09/25/suricata-2-0-9-available/>`__
* ports: php 5.6.15 `[10] <https://php.net/ChangeLog-5.php#5.6.15>`__
.. code-block::
# SHA256 (OPNsense-15.7.18-OpenSSL-cdrom-amd64.iso.bz2) = f193e04ce0f0d2b1eab54b246f5b4931cdd50ed0a97015a363e8ece24449825d
# SHA256 (OPNsense-15.7.18-OpenSSL-nano-amd64.img.bz2) = f1cfa7ff9f2fe30361f92773aa6fe416ac5bb3e27bd98c1b470f32ceea9ee4eb
# SHA256 (OPNsense-15.7.18-OpenSSL-serial-amd64.img.bz2) = e95698fac21e8bef7ac8c8e66406fcbece583a32db325da19be810d33a714147
# SHA256 (OPNsense-15.7.18-OpenSSL-vga-amd64.img.bz2) = 3cc366d5e48f74bba5a07466cbaa2808d98fba422814d3cafbbffb5e2847c888
# SHA256 (OPNsense-15.7.18-OpenSSL-cdrom-i386.iso.bz2) = 57229a3873d6020979e8ebb1dff1c97b14166afff7da6d5ca7e5b32a17e40207
# SHA256 (OPNsense-15.7.18-OpenSSL-nano-i386.img.bz2) = e89464b51c52c02a9d1a15d168190f23b7d72030be5b31db4bd5a78cfa0a108f
# SHA256 (OPNsense-15.7.18-OpenSSL-serial-i386.img.bz2) = 0eb92ffcbe6d4152b79e89e71984b5a3d00cf0e2e0946868331fd93a506cf54c
# SHA256 (OPNsense-15.7.18-OpenSSL-vga-i386.img.bz2) = 284157e596dd77551ce6ce4e5b661614273abcfaa590f6d4553903172332f370
.. code-block::
# MD5 (OPNsense-15.7.18-OpenSSL-cdrom-amd64.iso.bz2) = 7718af5a632a426c7e3832e4cf6e7f91
# MD5 (OPNsense-15.7.18-OpenSSL-nano-amd64.img.bz2) = 88018ba7ec8c6e6906054a03106020c6
# MD5 (OPNsense-15.7.18-OpenSSL-serial-amd64.img.bz2) = 50879c1a12ca65b95ebd5a77eea389e5
# MD5 (OPNsense-15.7.18-OpenSSL-vga-amd64.img.bz2) = 764c8a9c42b13cdfc73d1025e9795901
# MD5 (OPNsense-15.7.18-OpenSSL-cdrom-i386.iso.bz2) = ce115445d922883c1e57457503b7d044
# MD5 (OPNsense-15.7.18-OpenSSL-nano-i386.img.bz2) = 947d4955775295f09ef849b8ac7757a6
# MD5 (OPNsense-15.7.18-OpenSSL-serial-i386.img.bz2) = 4b7affd7c051e15171ef2ee4869739b6
# MD5 (OPNsense-15.7.18-OpenSSL-vga-i386.img.bz2) = 59b796e2a2a68cb699bb67b79f08c808
--------------------------------------------------------------------------
15.7.17 (October 20, 2015)
--------------------------------------------------------------------------
So this is 15.7.17 with a couple of neat things under the hood: AES-NI
is now supported by both LibreSSL and OpenSSL. Other than that only
minor fixes went in along with the latest version bumps for cURL, Squid,
Unbound and (of course) LibreSSL.
The development version has more things happening: we've reorganised the
menu to get rid of the "Status" and "Diagnostics" section, updating
layouts and minimising padding of the bootstrap theme. And that's not
all, because we're also replacing the old captive portal! The new captive
portal can already be tested and will receive more features as we near
version 16.1. Let us know what you think.
Here are the full patch notes:
* ports: both LibreSSL and OpenSSL now support AES-NI acceleration
* ports: curl 7.45 `[1] <https://curl.haxx.se/changes.html>`__ , squid 3.5.10 `[2] <http://ftp.meisei-u.ac.jp/mirror/squid/squid-3.5-ChangeLog.txt>`__ , unbound 1.5.5 `[3] <https://nlnetlabs.nl/projects/unbound/download/>`__ , libressl 2.2.4 `[4] <http://ftp.openbsd.org/pub/OpenBSD/patches/5.8/common/007_obj2txt.patch.sig>`__
* layout: bumped font awesome to 4.4
* dhcp: dhcpd leases did not always reload dhcpleases daemon
* openvpn: fix Strict User/CN matching checkbox behaviour
* ipsec: fix tunnel identification when using NAT
* dns filter: add OpenDNS IPv6 servers
* dns resolver: fix apply glitch that would blank the settings temporarily
* log files: search is now case-insensitive
* firmware: improved reboot detection feedback
* crash reporter: improved wording as reports without contact info may be
hard to fix
* virtual ip: fix possible apply glitch with new VIP
* synchronisation: do not error on target down, log it instead
* languages: French is at 35% and German is at 65% complete now
* development: the captive portal has been replaced with a newly implemented
variant based on our MVC standards -- if you still want to use the old one
please use the release package instead (although any feedback for the new
captive portal is greatly appreciated)
--------------------------------------------------------------------------
15.7.16 (October 10, 2015)
--------------------------------------------------------------------------
We've spent three great days in Nuremberg at it-sa, thanks for everybody
who dropped by.
Originally we wanted to push out 15.7.16 earlier, but faced an interesting
challenge with the latest FreeBSD package manager version update. To that
end, we are probably going to release new images for 15.7.17 with the new
package manager included just to make sure we can retain a clean and flat
upgrade process even for the images. But fear not, online upgrades are still
working as expected.
Speaking of releases and images, we've had recent feedback about what we
call releases that do not necessarily offer images. We do this because in
a weekly update cycle it is far too complicated to bundle verified images.
The versioning scheme does not reflect this at the moment, but we've had
similar intentions when we moved away from the old 15.1 scheme. Long story
short, we will try to make this more clear in the future. The preferred
method of installation is via the latest available image that should be
upgraded immediately after installation.
Since the build tools are open, it's not a particular problem to build a
newer version yourself or if you require one that comes directly from us
just let us know so we can help your specific use case. Last but not least,
here are the full patch notes:
* ports: phalcon 2.0.8 `[1] <https://github.com/phalcon/cphalcon/releases/tag/phalcon-v2.0.8>`__ , php 5.6.14[3]
* unbound: improved DNS rebind protection
* traffic shaper: improved description field validation
* wizard: bring back missing files
* captive portal: redirect after successful RADIUS login
* health: fix reading of ntpd RRD data
* config manager: fix revert and delete in translations
* config daemon: don't pass stderr on script output call
* languages: German now 64% complete
--------------------------------------------------------------------------
15.7.15 (September 30, 2015)
--------------------------------------------------------------------------
We hope you guys are having a good week? Because if not we have a treat for
you: the wait for System Health `[1] <https://opnsense.org/system-health-whats-next/>`__ is finally over and the best part is that
it'll just work with your previously collected RRD data. :) We kindly ask
you to provide feedback via the usual channels in order to make it even
better. There's still a lot of time till 16.1 hits the shelves, so to speak.
This is a rather small maintenance release with a handful of fixes. The
things that pop out are StrongSwan 5.3.3 `[2] <https://wiki.strongswan.org/projects/strongswan/wiki/Changelog53>`__ as well as the menu now being
correctly translated when selecting a different language. And, BTW, behind
the scenes we're just now opening up our translation server that'll make it
even easier to contribute to language translations in the future.
Here are the full patch notes:
* health: added feature to browse RRD data in a modern way
* notable ports updates: strongswan 5.3.3
* logs: added proxy server access log and updated the layout
* users: fixed ldap import warning when no users could be found
* dhcp6: fix IPv6 grabbing with PPPoE
* openvpn: fix TLS auth enable behaviour in client settings
* firewall: fix missing log option in save form
* firewall: fix missing interface address in NAT page
* firmware: sped up package queries and added package size column
* wizard: multiple fixes and security improvements
* menu: now properly translates into the selected language
* traffic shaper: unload ipfw rules on disable
--------------------------------------------------------------------------
15.7.14 (September 22, 2015)
--------------------------------------------------------------------------
originally, we wanted to make 15.7.14 as boring as possible, but now we are
shipping our major firewall section rework on top of intricate configuration
management fixes instead. We should also note that the former improved
configuration imports from older systems. Be sure to let us know when you
find any issues with these changes.
From the third-party and/or security side not much has happened recently.
We are shipping the latest Bind and Squid, for details see the provided links.
Here are the full patch notes:
* config: do not set login auto-complete on factory reset
* config: fix faulty timezone on factory reset
* config: improve config migration path for legacy config imports
* config: new home in system section for the config history and backups
* config: improved the config history differential view
* notable port upgrades: bind 9.10.3 `[1] <https://kb.isc.org/article/AA-01306/0/BIND-9.10.3-Release-Notes.html>`__ , squid 3.5.9 `[2] <http://ftp.meisei-u.ac.jp/mirror/squid/squid-3.5-ChangeLog.txt>`__
* firmware: added Supranet Communications mirror (Middleton, US)
* firewall: reworked rules, schedules, virtual ip, nat and aliases pages
* users: removed special handling of the "all" group
* crash reporter: fixed 9 minor problem reports
* wireless: only advertise supported modes of operation
* system: fix theme selection for user-added themes
* menu: fix expand on all interface edit pages
* ntp: improve service status probing
* diagnostics: fix authentication tester to work in conjunction with translations
* languages: added French translation (33% complete)
* languages: updated German translation (57% complete)
--------------------------------------------------------------------------
15.7.13 (September 15, 2015)
--------------------------------------------------------------------------
15.7.13 is a short GUI-only update since we've seen frequent validation
errors in our crash reports. We've fixed that ahead of schedule and also
push a larger under-the-hood preparation of the coming firewall section
and menu rework while at it. Exciting stuff coming soon. :)
Here are the full patch notes:
* diagnostics: added real backend code leading to upcoming privilege
separation for pfInfo, pfTop, States and Tables pages
* dynamic dns: introduce constant naming away from "DynDNS" or "DDNS"
* gui: fix numerous typos spotted by our relentless translators
* gui: fixed validation errors in new components
* gui: removed partial shadow from active tab
* ipsec: fixed missing redirect after apply
Stay safe,
Your OPNsense team
--------------------------------------------------------------------------
15.7.12 (September 12, 2015)
--------------------------------------------------------------------------
The vacation time is over for most of us, and so we do roll on into
what is going to be a busy autumn. As we haven't had a release in 2
weeks a longer list of changes has accumulated. Most prominently, we
have a security advisory for FreeBSD that may allow privilege
escalation on amd64 architectures. More security-related updates are
available for LibreSSL, Bind and PHP.
We've also been able to iron out the few IPsec configuration problems
left related to the page rewrite thanks to relentless testing by
Frank Wall and others. We appreciate any help in doing the same for
the new Firewall pages we have staged in our development version `[12] <https://forum.opnsense.org/index.php?topic=1305.0>`__ .
Here is the full list of changes:
* src: local privilege escalation in IRET handler `[1] <https://www.freebsd.org/security/advisories/FreeBSD-SA-15:21.amd64.asc>`__
* src: disable ixgbe(4) flow-director support `[2] <https://www.freebsd.org/security/advisories/FreeBSD-EN-15:14.ixgbe.asc>`__
* src: insufficient check of unsupported pkg(7) signature methods `[3] <https://www.freebsd.org/security/advisories/FreeBSD-EN-15:15.pkg.asc>`__
* ports: libressl 2.2.3 `[4] <http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.2.3-relnotes.txt>`__ , bind 9.10.2P4 `[5] <https://kb.isc.org/article/AA-01301/81/BIND-9.10.2-P4-Release-Notes.html>`__ , openldap24-client 2.4.42 `[6] <https://www.openldap.org/software/release/changes.html>`__
* ports: radvd 1.15 `[7] <http://www.litech.org/radvd/CHANGES-1.txt>`__ , lighttpd 1.4.37 `[8] <http://www.lighttpd.net/2015/8/30/1.4.37/>`__ , squid 3.5.8 `[9] <http://ftp.meisei-u.ac.jp/mirror/squid/squid-3.5-ChangeLog.txt>`__
* ports: php 5.6.13 `[10] <https://php.net/ChangeLog-5.php#5.6.13>`__ , php-suhosin 0.9.38 `[11] <https://raw.githubusercontent.com/stefanesser/suhosin/master/Changelog>`__
* dhcp: use reverse mask instead of reverse address in config
* dns resolver: honour log verbosity toggle
* ssh: remove ssh1 key from generating, it is no longer supported in openssh
* filter: remove the unused snort2c table from generated rules
* xmlrpc: properly regenerate /etc/hosts on sync
* openvpn: fix TLS authentication option reset
* ipsec: proper redirect after apply in mobile tab
* ipsec: fix behaviour of enable rekey and enable reauth
* ipsec: only suffix connection number with sequence with multiple entries
* ipsec: fix diagnostics to be able to connect multi phase2 IKEv1 entries
* ipsec: fix Call to undefined function filter_configure()
* dashboard: traffic graph highlights are now branded in orange
* theme: render dropdown boxes a bit better
* theme: partial fix for wrapped tab display
* crash reporter: fix spurious crash report after actual submission
* crash reporter: assorted fixes for warnings and errors in the code
* crash reporter: improve submit/dismiss button layout
--------------------------------------------------------------------------
15.7.11 (August 27, 2015)
--------------------------------------------------------------------------
As we've had a couple of pending issues that needed addressing
before we push out new images, we've wrapped up 15.7.11 just now.
Here are the full patch notes:
* dns resolver: switch unbound to use libevent to address "too many fds"
log message
* firmware: os-update package was renamed to opnsense-update so "os-" can
be our plugin prefix
* firewall: fix alias page not being available due to a dirty config.xml
sample entry
* ipsec: fix pages throwing warnings due to a dirty config.xml sample entry
* ipsec: fix hash algorithm and protocol settings behaviour
* openvpn: honour TLS authentication disable
* themes: fix theme selection fallback not working in new components
* diagnostics: unhide routing table headers
.. code-block::
# SHA256 (OPNsense-15.7.11-OpenSSL-cdrom-amd64.iso.bz2) = 4e6a78e309945f950bb924345d3bb3571f4cc4891227129bbf7a9f462d1a0f6b
# SHA256 (OPNsense-15.7.11-OpenSSL-nano-amd64.img.bz2) = 714d2ab06db2d56b81421182a6315b6b7373defbc4f3d82f795e22371b8ef501
# SHA256 (OPNsense-15.7.11-OpenSSL-serial-amd64.img.bz2) = f644a45a770850aacee824a83992ecbf5f177ea05051f8907470d8d548183521
# SHA256 (OPNsense-15.7.11-OpenSSL-vga-amd64.img.bz2) = 3da0787d7e0d4708230f0d7b95a9617d74f7a3e12b861091b6eefa934d2a5564
# SHA256 (OPNsense-15.7.11-OpenSSL-cdrom-i386.iso.bz2) = 407a83caeaff638b046f8ee7b8fa0823eb8b5cae28458a376c80134f66555eea
# SHA256 (OPNsense-15.7.11-OpenSSL-nano-i386.img.bz2) = 03ab10b56367249d742b824a454891678025db576bca126fb97fa2a9e0297835
# SHA256 (OPNsense-15.7.11-OpenSSL-serial-i386.img.bz2) = cc316a27fee85107d358d6e970db69f9abae5cb67d33073026c9aec14210b9be
# SHA256 (OPNsense-15.7.11-OpenSSL-vga-i386.img.bz2) = b90cbc906324d3b1671302804b5f902eaab2180d0cdde4145e54614d61355e6c
--------------------------------------------------------------------------
15.7.10 (August 25, 2015)
--------------------------------------------------------------------------
15.7.10 is here with a larger number of third party updates as
well as a security advisory for FreeBSD. Otherwise it's relatively
silent as we are still busy reworking the firewall section pages
like we did with OpenVPN and IPSec recently.
We've also bumped the crash reporter into the system section as a
tool to generate custom reports, delivering the shortest possible
path to get in touch with us regarding bugs or other quirks that do
not automatically generate a report. We are totally happy with the
way you guys have already embraced the reporter and wish to see
even more usage of it. It has helped us to identify issues and
ship fixes a lot quicker.
Here are the full patch notes:
* src: Multiple integer overflows in expat (libbsdxml) XML parser `[1] <https://www.freebsd.org/security/advisories/FreeBSD-SA-15:20.expat.asc>`__
* src: bumped tzdata to 2015f `[2] <http://mm.icann.org/pipermail/tz-announce/2015-August/000033.html>`__
* ports: curl 7.44.0 `[3] <https://curl.haxx.se/changes.html>`__ , ca_root_nss 3.20, openssh 7.1p1_1 `[4] <http://www.openssh.com/txt/release-7.1>`__ , sqlite 3.8.11.1 `[5] <https://sqlite.org/releaselog/3_8_11_1.html>`__ , phalcon 2.0.7 `[6] <https://github.com/phalcon/cphalcon/releases/tag/phalcon-v2.0.7>`__ , pcre 8.37_4 `[7] <https://svnweb.freebsd.org/ports/head/devel/pcre/Makefile?revision=395178&view=markup>`__
* crash reporter: create custom reports on demand
* certificates: ca generation issues with recent LibreSSL
* dns resolver: switched to ports-based Unbound (1.5.4) as per FreeBSD handbook
* menu: moved the crash reporter to system category for visibility
* menu: added hot-plugging support for upcoming plugins
* acl: added hot-plugging support for upcoming plugins
* ipsec: fix faulty behaviour on configuration changes
* console: switched halt and reboot numbering
* languages: bring German to 51% completed
* graphs: remove obsolete CPU graph pages
--------------------------------------------------------------------------
15.7.9 (August 19, 2015)
--------------------------------------------------------------------------
What's up! We are about to release new images to put a stake in the ground
following roughly 500 commits since 15.7 was released in early July. FreeBSD
10.2 is around the corner, which makes this all the more important. First
tests look promising, but it'll have to wait a few more weeks to hopefully
get rid of more custom patches and thorough testing. We've also made
progress with nano-style images to improve interoperability between different
media types. Images are scheduled to be released shortly after 15.7.10 for
said release.
With that in mind, 15.7.9 is a maintenance release which only addresses our
code before we make a bigger leap forward. Focus has been to improve firmware
upgrades and crash reporter, all OpenVPN and IPSec configuration pages and a
fix for recent LibreSSL flavours not wanting to generate certificates.
These are the full patch notes:
* firmware: functional rework of update fetch and install, show reboot
needed in alert box
* interfaces: fixed spurious truncated interface names from showing up
in the assignments
* intrusion detection: improved rule select/deselect behaviour and alert
querying
* firewall/rules: fix missing apply button when another language is
being used
* crash reporter: multiple fixes, layout and submission improvements
* firewall/logs: can now filter using IP version
* firewall/nat: add anti-lockout rule for redirection
* certificates: fix generation for LibreSSL flavour
* openvpn: allow advanced settings for all server types
* openvpn: reworked all configuration pages (especially client export)
* ipsec: reworked all configuration pages
Stay safe,
Your OPNsense team
--------------------------------------------------------------------------
15.7.8 (August 12, 2015)
--------------------------------------------------------------------------
While we do hope everyone is enjoying their summer vacation we're rolling
out a larger update due to multiple issues with FreeBSD and third party
programs. We also have a feature that our community has been yearning for:
the transparent proxy!
This time around, we took extra care with our development version and let
features simmer there until they are fully ready to be rolled out. We
already have VPN configuration improvements and firmware upgrade eye candy
staged in the current development package. Join our forum to find out more:
https://forum.opnsense.org/
Here are the full patch notes:
* src: shell injection vulnerability in patch `[1] <https://www.freebsd.org/security/advisories/FreeBSD-SA-15:18.bsdpatch.asc>`__
* src: routed remote denial of service vulnerability `[2] <https://www.freebsd.org/security/advisories/FreeBSD-SA-15:19.routed.asc>`__
* ports: dnsmasq 2.75 `[3] <https://www.thekelleys.org.uk/dnsmasq/CHANGELOG>`__ , squid 3.5.7 `[4] <http://ftp.meisei-u.ac.jp/mirror/squid/squid-3.5-ChangeLog.txt>`__ , openvpn 2.3.8 `[5] <https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.8>`__
* ports: libressl 2.2.2 `[6] <http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.2.2-relnotes.txt>`__ , lighttpd 1.4.36 `[7] <http://www.lighttpd.net/2015/7/26/1.4.36/>`__ , php 5.6.12 `[8] <https://php.net/ChangeLog-5.php#5.6.12>`__
* ports: pcre 8.37_3 `[9] <https://github.com/freebsd/freebsd-ports/commit/1b0e3ce910b727>`__ , pkg 1.5.6 `[10] <https://github.com/freebsd/freebsd-ports/commit/1a100a88a92d4>`__ , expat 2.1.0_3 `[11] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1283>`__
* dns resolver: improve bootstrapping of root directory to ensure
service startup
* firmware: fix handling of sample mirror file
* firmware: added a mirror for China
* firewall: always provide a sample bogons file for IPv6
* firewall: avoid blocking dhcpv6 on WAN via bogons
* menu: added 3 direct links to subpages
* crash reporter: weekly batch of PHP warnings purged from the codebase
* logs: reworked the firewall log summary page (yum, pie charts)
* intrusion detection: fix query for empty result
* intrusion detection: fix validation on new entries
* proxy: added transparent proxy knob
--------------------------------------------------------------------------
15.7.7 (August 05, 2015)
--------------------------------------------------------------------------
This week's 15.7.7 is a subtle maintenance release to wrap up remaining
issues that came in via crash reports since 15.7.6.
Furthermore, we are not aware of any security issues in third party software.
Here are the full patch notes:
* interfaces: VLAN on top of LAGG now correctly overrides flags on the actual
parent interfaces
* system: added firmware crypto flavour and mirror selection to general
settings
* logs: add missing prototype.js to fix pie charts display (contributed by
Chong Cheung)
* languages: updated German (42% complete) and Japanese (80% complete)
* crash reporter: fixed assorted minor coding errors/warnings
* system: improved LDAP bindings and user import (including fixes by
Christian Schonberg)
* proxy: added option to ignore subnets from getting into the access log
* proxy: fixed automatic startup on /var MFS
* intrusion detection: fixed automatic startup on /var MFS
* menu: fix collapse/expand for DHCP (contributed by Chong Cheung)
* menu: added logout option to user menu
Stay safe,
Your OPNsense team
--------------------------------------------------------------------------
15.7.6 (July 31, 2015)
--------------------------------------------------------------------------
This is 15.7.6 due to several security advisories for FreeBSD as well as
OpenSSH and Bind problems. Reference links are provided for external
issues as always. More crash reports came in for issues that date back
to as much as a few years long before we started OPNsense. We are very
happy for the chance to finally flush them out of the code base.
The update requires a reboot. Here are the full patch notes:
* src: shell injection vulnerability in patch(1) `[1] <https://www.freebsd.org/security/advisories/FreeBSD-SA-15:14.bsdpatch.asc>`__
* src: resource exhaustion in TCP reassembly `[2] <https://www.freebsd.org/security/advisories/FreeBSD-SA-15:15.tcp.asc>`__
* src: OpenSSH multiple vulnerabilities `[3] <https://www.freebsd.org/security/advisories/FreeBSD-SA-15:16.openssh.asc>`__
* ports: phalcon 2.0.6 `[4] <https://github.com/phalcon/cphalcon/releases/tag/phalcon-v2.0.6>`__ , openssh 6.9p1 `[5] <http://www.openssh.com/txt/release-6.9>`__ , bind 9.10.2P3 `[6] <https://kb.isc.org/article/AA-01280/81/BIND-9.10.2-P3-Release-Notes.html>`__ , dnsmasq 2.74 `[7] <https://www.thekelleys.org.uk/dnsmasq/CHANGELOG>`__
* opnsense-update: can now replace mirror locations
* crash reporter: fixed numerous remotely-submitted warnings and bugs
* universal plug and play: fixed concurrent enable for UPnP and NAT-PMP (contributed by Chong Cheung)
* intrusion detection: reload general settings after download
* intrusion detection: revised rule and ruleset toggle
* firmware: better upgrade reboot detection
* proxy: fix service start when IPv6 was disabled via system settings
* system: revised the VLAN acceleration disable option to properly unset the interface flags
--------------------------------------------------------------------------
15.7.5 (July 28, 2015)
--------------------------------------------------------------------------
First of all thanks to everyone who has been using the crash reporter in
the last few days. It's helped us tremendously in tracking down faulty
code bits that were invisible prior to 15.7.4. In order to keep the reports
fresh we're hereby pushing out 15.7.5 a bit earlier than usual.
No third-party code will be updated; no reboot necessary. Here are the
full patch notes:
* menu: fixed expand/collapse behaviour on subpages
* ipsec: fix a bug that prevented using a CARP address
* crash reporter: 200 reports helped to identify and fix 23 unique issues
* crash reporter: add dmesg.boot to files to be submitted
Stay safe,
Your OPNsense team
--------------------------------------------------------------------------
15.7.4 (July 24, 2015)
--------------------------------------------------------------------------
Another week it is, this time with a rather exciting TCP state fix in the
FreeBSD kernel. We've also taken the time to work through most of the code
base to eradicate code warnings and now enable them by default in the crash
reporter. We're half-expecting another stable update early next week just
to make sure your infrastructure keeps running as smoothly as possible.
Here are the the full patch notes:
* updated sudo 1.8.14p3 `[1] <http://www.sudo.ws/stable.html#1.8.14p3>`__ , pcre 8.37_2 `[2] <https://bugs.exim.org/show_bug.cgi?id=1651>`__ , and FreeBSD 10.1-RELEASE-p15 `[3] <https://www.freebsd.org/security/advisories/FreeBSD-SA-15:13.tcp.asc>`__
* firmware: fix upgrade when using opnsense-devel package
* proxy: fix config write for multiple interfaces
* crash reporter: raise PHP log level to warnings after an extensive cleanup
* dashboard: made widgets translatable (contributed by Fabian Franz)
* firewall logs: usability improvements (contributed by Fabian Franz)
* languages: Simplified Chinsese 64% complete
* languages: German 40% complete
* menu: fixed navigation for PPPoE edit
--------------------------------------------------------------------------
15.7.3 (July 17, 2015)
--------------------------------------------------------------------------
This is a quick 15.7.3 to address the recently released PHP 5.6.11 as well
as small fixes and further firmware experience improvements. We've also
taken the time to refine our version 16.1 road map items for you to review
and discuss:
https://opnsense.org/about/road-map/
The full list of changes are as follows:
* ports: php 5.6.11 `[1] <https://php.net/ChangeLog-5.php#5.6.11>`__
* ports: pkg 1.5.5 `[2] <https://github.com/freebsd/freebsd-ports/commit/1eb51efa2>`__
* ports: ca_root_nss 3.19.2
* ports: phalcon 2.0.5 `[3] <https://blog.phalconphp.com/post/phalcon-2-0-5-released>`__
* ports: isc-dhcp42-server 4.2.8_1 `[4] <https://github.com/freebsd/freebsd-ports/commit/3de9ed7a87>`__
* backup: fix infinite reboot loop on interface mismatch
* firmware: show locally installed packages
* firmware: reboot dialog now responsively redirects when the system is back up
* dashboard: upgrade link now directly launches into the firmware upgrade
* dashboard: added a system log widget (contributed by Sascha Linke)
* languages: merged German translation progress (contributed by Fabian Franz)
* xmlrpc: fix sync of static routes
* bogons: fix overwrite-on-upgrade bug
That's all for now. Really.
--------------------------------------------------------------------------
15.7.2 (July 10, 2015)
--------------------------------------------------------------------------
It's us. Again. Following the recent OpenSSL announcement of CVE-2015-1793
we are pushing out 15.7.2 earlier than expected. It is notable that FreeBSD
10.1 as well as LibreSSL are not affected. However, if you are running
OPNsense with OpenSSL you should upgrade immediately. Services are not
restarted automatically, so a reboot is advised but not mandatory. Please
take a responsible course of action.
Here are the full patch notes:
* notable ports updates: phalcon 2.0.4 `[1] <https://blog.phalconphp.com/post/phalcon-2-0-4-released>`__ , libressl 2.2.1 `[2] <http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.2.1-relnotes.txt>`__ ,
openssl 1.0.2d `[3] <https://www.openssl.org/news/secadv_20150709.txt>`__
* opnsense-update: can now switch from/to LibreSSL/OpenSSL on the fly
(needs root shell for now)
* ssh: work around a shutdown bug that prevents other users from logging
in (requires a reboot if used)
* console: allow the root menu to run one-shot shell commands too
* console: clean up the version advertisement in the banner
* dashboard: colour hostap wifi as green when up
* backup: do not redirect on interface mismatch, reboot right away instead
* system: migrated /var and /tmp memory disks to tmpfs (requires a reboot
if used)
* proxy: fix the startup when used on a /var memory disk (requires a manual
start after boot)
* intrusion detection: fix the startup when used on a /var memory disk
(requires a manual start after boot)
* intrusion detection: enable the uricontent keyword for the ET ruleset
--------------------------------------------------------------------------
15.7.1 (July 08, 2015)
--------------------------------------------------------------------------
We hope you guys are doing well. We are certainly happy with our first
production release out in the open. :) Now that that's taken care of, we
have the opportunity to introduce stable braches for 15.7.x, with this
week's 15.7.1 as the first of many.
Squid and Bind have CVE-related fixes. Otherwise, only minor fixes and
improvements went into this release. If you are being affected by the
DHCP server startup issue reboots are necessary in order to fix the root
cause. Please follow these steps:
1. Upgrade to 15.7.1 using your preferred method.
2. Disable RAM disks in "System: Settings: Misc." and reboot.
3. Enable RAM disks in "System: Settings: Misc." and reboot.
4. The DHCP server will now startup correctly.
Here is the full list of changes:
* overall: introducing stable updates for 15.7.x
* ports: bind910 9.10.2-P2 `[1] <https://kb.isc.org/article/AA-01269/81/BIND-9.10.2-P2-Release-Notes.html>`__ , freetype2 2.6 `[2] <https://sourceforge.net/projects/freetype/files/freetype2/2.6/>`__ , squid 3.5.6 `[3] <http://ftp.meisei-u.ac.jp/mirror/squid/squid-3.5-ChangeLog.txt>`__
* crash reporter: fixed the upload of additional files
* system: always have a symlink available for /var/db/pkg
* system: protect sshd against OOM kills
* system: can now properly select time zones which have a sub-sub-category
* intrusion detection: switch default interface to WAN
* menu: added awareness for further routing tabs
* login: switch off "autocapitalize" and "autocorrect" for username field
* status: do not scale RRD graphs over 100% of their actual size
* languages: minor tweaks for the German translation
--------------------------------------------------------------------------
15.7 (July 02, 2015)
--------------------------------------------------------------------------
While the summer is hot, we push forward to what now is 15.7 -- nicknamed
'Brave Badger' -- right in front of you. A lot of effort went into this
project during the past 6 months, and we dare say it has been worth all
of it. We would like to thank our followers and friends and feedback
givers and forum lurkers and contributors and doubters and supporters that
helped to make 15.7 what it is. We wouldn't be here without any of you.
Thank you.
In itself, 15.7 is a simple upgrade from 15.1.12 which we recommend to
everyone. What changes is that development will move to a different
branch so that from now on regressions are less likely and therefore
stability will increase further. The provided images may also be the only
ones for the next 6 months as we are confident in their longevity and the
online upgrade path. We have also bumped the LibreSSL flavour to a
production-ready state and encourage everyone to try it out. The installer's
import configuration tool coupled with a quick and easy installation can help
you move from OpenSSL to LibreSSL and back seamlessly.
The biggest addition is the intrusion detection integration (suricata) as
well as new local and remote blacklists options for the proxy server (squid).
Security-wise, it has been rather quiet with only a few CVEs in third-party
tools. Please see the full patch notes for details and references:
* kernel: borrowed a dummynet / ipnat patch from m0n0wall to enable symmetric
traffic shaping when NAT is involved
* kernel: fix recurse lock panic for tmpfs in conjunction with unionfs
* kernel: applied two stable patches that prevent squid from crashing `[1] <https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=195802>`__
* kernel: retired ALTQ support
* base: sendmail TLS/DH Interoperability Improvement `[2] <https://www.freebsd.org/security/advisories/FreeBSD-EN-15:08.sendmail.asc>`__
* base: improved iconv(3) UTF-7 support `[3] <https://www.freebsd.org/security/advisories/FreeBSD-EN-15:10.iconv.asc>`__
* base: inconsistency between locale and rune locale states `[4] <https://www.freebsd.org/security/advisories/FreeBSD-EN-15:09.xlocale.asc>`__
* notable ports updates: phalcon 2.0.3 `[5] <https://github.com/phalcon/cphalcon/releases/tag/phalcon-v2.0.3>`__ , curl 7.43.0_2 `[6] <https://curl.haxx.se/changes.html>`__ ,
openssh 6.8p1_8, python 2.7.10 `[7] <https://hg.python.org/cpython/raw-file/15c95b7d81dc/Misc/NEWS>`__ , perl 5.20.2_5 `[8] <https://perldoc.perl.org/5.20.2/perldelta>`__ , ntp 4.2.8p3 `[9] <http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ChangeLog-stable>`__ ,
libxml 2.9.2_3 `[10] <https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-1819>`__ , openldap24-server 2.4.41 `[11] <https://www.openldap.org/software/release/changes.html>`__
* opnsense-update: will no longer try to reinstall the istalled version
after a fresh installation
* bsdinstaller: bring back cpdup to error out on low memory installation
(you need 1 GB of RAM, or work around installation using the nano image)
* traffic shaper: removed legacy queues support in favour of the new traffic
shaper functionality
* traffic shaper: allow direct enable/disable toggle
* proxy: fix the initial daemon start on bootup
* proxy: added LAN as the default interface configuration
* proxy: local and remote blacklists with regex support
* intrusion detection: initial release of our IDS GUI based on suricata
* gateways: monitoring mode gained IPv6 support
* captive portal: fix idle timeout bug
* captive portal: do not delete the wrong zone when having multiple
configurations
* captive portal: removed include files from exposed web directory
* backend: always regenerate users and groups to avoid corruption after an
unclean shutdown
* backend: wait for configd socket to come up to address a startup race issue
* backend: clean up configd socket on exit
* backend: fixed regression that prevented user scripts from being started
via /etc/rc.conf
* gateways: only show apinger in services when monitoring is enabled for
a gateway
* languages: brought Simplified Chinese to 49% completed, German to
30% completed
* universal plug and play: make page invoke static to remove exploitability
of the legacy packages framework
* crash reporter: finally enabled the send button and provides human-readable
feedback whether the submission was complete
* console: added non-interactive interface assignment for headless deployments
* ssh: disable password authentication on factory reset to align with the
standard configuration
* diagnostics: avoid duplicated calls of gethostbyaddr() in NDP table view
* users: prompt for old password on password change to prevent account
hijacking
* users: stripped the impossible scponly user privileges since said utility
has never been part of our ecosystem
Images can be found on any of our mirrors, but they may take a
few hours to sync. The checksums are attached at the end of
this announcement for convenience.
https://opnsense.org/download/
.. code-block::
# SHA256 (OPNsense-15.7_LibreSSL-cdrom-amd64.iso.bz2) = 2251b042f47c710e3f940f1fca417f46b3f1f437e37973ae0ba11aa396a38501
# SHA256 (OPNsense-15.7_LibreSSL-nano-amd64.img.bz2) = 52a94a8cd9ace6733a6e311445cccbb27360a97a7c8ec5f9c8fe303be59dcf99
# SHA256 (OPNsense-15.7_LibreSSL-serial-amd64.img.bz2) = cc9a9827548984f5fc2b10222207b7088919c2da91bcdd29cdcc0f9890696b94
# SHA256 (OPNsense-15.7_LibreSSL-vga-amd64.img.bz2) = ae5c9882202e859a17074dffe433e7b2e160b3a0317a14f8562287122f4daf03
# SHA256 (OPNsense-15.7_LibreSSL-cdrom-i386.iso.bz2) = cbb6398e841db4d69f33e7a837d64636d87648a98fba3f1adf267cc168591ff7
# SHA256 (OPNsense-15.7_LibreSSL-nano-i386.img.bz2) = cb6cb90811310a2d15100505603fe853bd4c5044704061549a1671e35b7dc3c2
# SHA256 (OPNsense-15.7_LibreSSL-serial-i386.img.bz2) = 7e0fd8138f8b3e416b3cd72d095a2f6821c41175e2e4b69500e4c7088847bd0b
# SHA256 (OPNsense-15.7_LibreSSL-vga-i386.img.bz2) = f0c6cc573e0afec7bc9252e91f9e9164f11eee1298f5ce84ec8ec84f87ae160e
# SHA256 (OPNsense-15.7_OpenSSL-cdrom-amd64.iso.bz2) = 35f2bea1791db432ec625d155852403a6d1bfed468ab35ee3d3c448005bf555e
# SHA256 (OPNsense-15.7_OpenSSL-nano-amd64.img.bz2) = 8352cf10edaaff5bd2fe9f7322e67acb4fbe76238b82d0b60d7222f34a0adf7e
# SHA256 (OPNsense-15.7_OpenSSL-serial-amd64.img.bz2) = c995407085b06b0d1f1a4c00e7962ba89e2a7daefb21a6a24519861d92403b2b
# SHA256 (OPNsense-15.7_OpenSSL-vga-amd64.img.bz2) = 5630a50e2c23ab49ff95f62d61993f3038652f1225baefe1a3cc7d641b70af30
# SHA256 (OPNsense-15.7_OpenSSL-cdrom-i386.iso.bz2) = b27053f6afe979fe4b682538457dd5f3993e02a44f3f30638874d9c58a1f3504
# SHA256 (OPNsense-15.7_OpenSSL-nano-i386.img.bz2) = 410cab97a35660033ab1572cfa7eb0f411e08abf7325261185b645e361e15a19
# SHA256 (OPNsense-15.7_OpenSSL-serial-i386.img.bz2) = 5c0eacd5fd13abd5b575d7cb085ea5c4ad7e08250d8aac1f264965a01554c8e9
# SHA256 (OPNsense-15.7_OpenSSL-vga-i386.img.bz2) = 7a525085fa7140e3561ed3336a11a27c8ceafcab24bf871fd88900a15c5b69b6