Thema: Firewall-Distributionen diverses

[SiLæncer]

Release Notes -> https://blog.ipfire.org/post/ipfire-2-25-core-update-155-released-security-advisory

https://www.ipfire.org/download

[SiLæncer]

Release Notes -> https://blog.ipfire.org/post/ipfire-2-25-core-update-156-released

https://www.ipfire.org/download

[SiLæncer]

Release Notes

After a little break, IPFire 2.25 - Core Update 157 is out! This is the largest release in size we have ever had and updates various parts of the operating system and brings an updated kernel.

Since IPFire is built from source and not based on any distribution, we get to select the best versions of open source software to be a part of it. This release is the second part of our "spring clean" release which updates various software packages and we have also dropped software that we no longer need. The vast amount of this work has been done by Adolf Belka who has been spending many nights in front of a compiler trying to make it all work. If you want to support him and the entire development team, please help us with your donation.
Deprecating Python 2

We have made huge efforts to migrate away from Python 2 which has reached its end of life on January 1st of this year. That includes repackaging third-party modules for Python 3 and migrating our own software to Python 3.

The work will continue over the next couple of weeks and we are hopeful to remove all Python 2 code with the next release. We will keep Python 2 around for a little bit longer to give everyone with custom scripts a little bit of time to migrate them away, too.
Misc.

    The IPFire kernel has been rebased on Linux 4.14.232 which brings various security and stability fixes
    Updated packages: bash 5.1.4, boost 1.76.0, cmake 3.20.2, curl 7.76.1, dejavu-fonts-ttf 2.37, expat 2.3.0, file 5.40, fuse 3.10.3, gdb 10.2, glib 2.68.1, iproute2 5.12.0, less 581.2, libaio 0.3.112, libarchive 3.5.1, libcap-ng 0.8.2, libedit 20210419-3.1, libevent2 2.1.12, libexif 0.6.22, libgcrypt 1.9.3, libgpg-error 1.42, libtiff 4.3.0, libupnp 1.14.6, libxcrypt 4.4.20, libxml2 2.9.10, lm_sensors 3.6.0, lua 5.4.3, meson 0.58.0, OpenSSH 8.6p1, perl-Canary-Stability, perl-Convert-TNET 0.18, perl-Convert-UUlib 1.8, perl-Crypt-PasswdMD5 1.41, perl-Digest 1.19, pixman 0.40.0, poppler 21.05.0 (and poppler-data 0.4.10), pppd 2.4.9, readline 8.1, sqlite 3.35.5, squid 4.15, sudo 1.9.7, wireless-regdb 2020.11.20, xfsprogs 5.11.0
    Some packages that are no longer needed for the build process have been dropped
    Peter Müller has cleaned up the web server configuration for the web user interface and removed various quirks and hacks for old software like Microsoft Internet Explorer 8
    Leo-Andres Hofmann has contributed some cosmetic changes for the live graphs
    A security vulnerability has been reported by Mücahit Saratar (#12619) where it was possible to change a script as an unprivileged user due to a file permission error which could later be executed as root. Thank you for reporting this to us.

Add-ons

    Updated packages: cifs-utils 6.13, cups 2.3.3op2, cups-filters 1.28.8, dnsdist 1.6.0, elfutils 0.184, fetchmail 6.4.19, ffmpeg 4.4, libmicrohttpd 0.9.73, mpd 0.22.6, ncat 7.91, nmap 7.91, samba 4.14.4, Tor 0.4.5.8

[close]

https://www.ipfire.org/

[SiLæncer]

Release Notes

IPFire 2.25 - Core Update 158 is generally available. It comes with one-click VPNs for Apple iOS and Mac OS devices as well as with various fixes across the board including security fixes.

Before we talk about what is new, I would like to ask you for your support for our project. IPFire is a small team of people from a range of backgrounds sharing one goal: make the Internet a safer place for everyone. Like many of our open source friends, we’ve taken a hit this year and would like to ask for your continued support. Please follow the link below where your donation can help fund our continued development: https://www.ipfire.org/donate.

IPsec with Apple iOS & Mac OS

It is now possible to export IPsec road warrior connections for Apple devices so that they can easily be imported into those with only a few clicks. This makes creating secure connections with these devices quick and fool-proof - even when certificates are involved.

Various smaller changes come with these changes: Certificates now have sane expiry times (instead of a hundred years).

Unfortunately time did not allow to provide any detailed documentation for this feature, but this will be added in the near future. If you want to help the team, you can do this with your donation.

Misc.

    IPsec
        Curve448 is now listed above Curve25519 since it provides better security, but is computationally more expensive at the same time
        There will no longer be any safety rules installed for IPsec connections in "on-demand" mode. Leaking packets is not possible in this mode and it makes certain configurations easier when it is not necessary to work around the block rules
    The web proxy removed options to fake the Referrer and User-Agent. This is practically not effective since the majority of connections are encrypted where this feature did not work.
    We have progressed in removing Python 2 from the system by porting fireinfo to Python 3
    Leo-Andres Hofmann fixed the memory usage table which showed inconsistent values
    Updated packages of the core system: apache 2.4.48, bind 9.11.32, cmake 3.20.4, curl 7.77.0, dmidecode 3.3, ethtool 5.12, expat 2.4.1, fuse 3.10.4, glib 2.68.3, gnutls 3.6.16, gzip 1.10, iputils 20210202, knot 3.0.7, libcap 2.50, libedit 20210522-3.1, libnl-3 3.5.0, libpcap 1.10.1, libusb 1.0.24, libxcrypt 4.4.22, linux-firmware 20210511 as preparation for a new kernel, nettle 3.7.3, pcre2 10.37, perl-CGI 4.53, perl-TimeDate 2.33, perl-XML-Parser 2.46, python3-setuptools, python3-pyparsing 2.4.7, qpdf 10.3.2, rng-tools 6.12, smartmontools 7.2, sudo 1.9.7p1, vnstat 2.7, xfsprogs 5.12.0, zd1211-firmware 1.5, zerofree 1.1.1, zstd 1.5.0
    Microcode updates for Intel processors are shipped in this release (20210608) to address these hardware security vulnerabilities:
        INTEL-SA-00442 - 2021.1 IPU - Intel® VT-d Advisory
        INTEL-SA-00464 - 2021.1 IPU - Intel® Processor Advisory
        INTEL-SA-00465 - 2021.1 IPU - Intel Atom® Processor Advisory
    IPFire is also vulnerable where an authenticated third-party could inject and execute shell commands as a non-privileged user (#12616, CVE-2021-33393). This has been fixed by going through over 65000 lines of code to investigate where this is possible. The underlying reason is the Perl function to call shell commands unexpectedly performs shell expansion and might perform more than just the intended command. Functions that no longer allow this behaviour have been written, tested and replaced any vulnerable places. Unfortunately this vulnerability was published without responsible disclosure.
    The root partition of the flash image has been increased to 1600 MiB by default. The minimum required disk size is still 2GB, but it is getting tight...

Add-ons

    dnsdist received an improved initscript which will print any configuration issues before trying to start or restart the daemon
    Updated packages: cups-filter 1.28.9, elfutils 0.185, flac 1.3.3, libogg 1.3.5, nano 5.8, netsnmpd 5.9.1, Postfix 3.6.1, sarg 2.4.0, tcpdump 4.99.1, tmux 3.2a, Tor 0.4.6.5

Some packages have been dropped since they didn't have a maintainer for a long while, the upstream project has been discontinued, or it is unlikely that there are any users left out there. We recommend to install these applications on a different machine than the firewall itself: Asterisk, dpfhack, lcd4linux, miniupnpd, motion, SANE, sendEmail. They will automatically be uninstalled on all systems.

[close]

https://www.ipfire.org/

[SiLæncer]

OPNsense is an open-source, easy-to-use, and easy-to-build HardenedBSD based firewall and routing platform.

License: Open Source

Release Notes -> https://opnsense.org/opnsense-21-7-released/

https://opnsense.org/about/about-opnsense/

[SiLæncer]

Release Notes

This is the release announcement for IPFire 2.27 - Core Update 160. It comes with a large number of bug fixes and package updates and prepares for removing Python 2 which has reached its end of life.

Before we talk about what is new, I would like to ask you for your support. IPFire is a small team of people and like many of our open source friends, we’ve taken a hit this year and would like to ask you to help us out. Please follow the link below where your donation can help fund our continued development: https://www.ipfire.org/donate.

Improving Network Throughput

In recent days and months, the development team has spent a lot of time on finding bottlenecks and removing those. Our goal is to increase throughput on hardware and bringing latency down, for a faster network.

This update brings a first change which will enable network interfaces that support it, to send packets that belong to the same stream to the same processor core. This allows taking advantage of better cache locality and the firewall engine as well as the Intrusion Prevention System benefit from this, especially with a large number of connections and especially on hardware with smaller CPU caches.

This feature is automatically enabled on all hardware that supports it.

Removing Python 2

Python 2 has reached its end-of-life (EOL) at January 1st, 2021. In the past months and years, we have moved our own code to Python 3 which has been completed with this update.

However, Python 2 is still present in the distribution for all users who still have to port any custom scripts. With the next Core Update, we will remove Python 2 which means that you have to act now to port any custom scripts written in Python 2.

Misc.

    In the firewall engine, support for redirecting services as been added and long-standing bug #12265 has been fixed
    Some bugs have been fixed in the IPsec VPN scripts that prevented users to create certificate-based connections
    The web proxy can now be used on systems that do not have a GREEN network
    The firewall log viewer now displays IP protocol names instead of numbers.
    All graphs are now rendered in SVG format which makes any scaling in the browser smoother
    Updated packages: cURL 7.78.0, ddns 014, e2fsprogs 1.46.3, ethtool 5.13, glibc was patched for CVE-2021-33574 and a follow-up issue, iproute2 5.13.0, less 590, libloc 0.9.7, libhtp 5.0.38, libidn 1.38, libssh 0.9.6, OpenSSH 8.7p1, openssl 1.1.1k which fixes CVE-2021-3712 and CVE-2021-3711, pcre 8.45, poppler 21.07.0, sqlite3 3.36, sudo 1.9.7p2, strongswan 5.9.3, suricata 5.0.7, sysstat 12.5.4, sysfsutils 2.1.1

Add-ons

    Updated packages: alsa 1.2.5.1, bird 2.0.8, clamav 0.104.0, faad2 2.10.0, freeradius 3.0.23, frr 8.0.1, Ghostscript 9.54.0, hplip 3.21.6, iperf3 3.10.1, lynis 3.0.6, mc 7.8.27, monit 5.28.1, minidlna 1.3.0, ncat 7.91, ncdu 1.16, taglib 1.12, Tor 0.4.6.7, traceroute 2.1.0, Postfix 3.6.2, spice 0.15.0

[close]

https://www.ipfire.org/