
OPNsense 19.1.3 and 19.1.2 Release


The open-source firewall OPNsense received a stability, bugfix and security update a few days ago. Version 19.1.3 improves the stability of the LDAPS server, the DNS resolver Unbound now also supports host overrides via alias, OpenSSL received the security update 1.0.2r, and the current PAM rework brings better privilege separation.

Kernel crashes during boot have been reported to the OPNsense team and are being analysed. Anyone affected should stay on version 18.7 for the time being.

Update 19.1.2 somewhat passed me by, so below are a few notes on it as well. Among other things it fixes a problem with the IPS Suricata and updates the GUI, LibreSSL and more.

OPNsense 19.1.3 Release Notes

  • system: improve LDAPS mode and related authentication cleanups
  • system: move enable checkbox to the top in remote logging settings
  • system: allow reset of tunables to factory defaults
  • system: new tunables factory default to prevent ICMP redirects being sent (net.inet.icmp.drop_redirect=1)
  • firewall: allow explicitly setting source hash key in outbound NAT (Fredrik Ronnvall)
  • interfaces: probe media before applying new settings
  • interfaces: correctly compare MAC addresses
  • dhcp: added TFTP bootfile-name (contributed by Bjorn Kalkbrenner)
  • firmware: move duty to return the correct set name / ID to opnsense-version
  • firmware: finally revoke 18.7 fingerprint
  • intrusion detection: minor template cleanups using helpers.empty()
  • ipsec: peer identifier can now fall back to remote-gateway in manual SPD entries
  • ipsec: allow easier override of colours in widget (contributed by Fabian Franz)
  • monit: add validation for test type (contributed by Frank Brendel)
  • openvpn: add auth-nocache option in exporter
  • openvpn: validate certificate type for servers
  • unbound: add host overrides alias support
  • web proxy: add auth to parent proxy (contributed by Michael Muenz)
  • backend: add helpers.empty() in configd
  • mvc: simplify save / close / cancel button labels
  • mvc: add sorting for field list types
  • rc: move all template generation to early stage
  • ui: improve escaping of displayed data in static page
  • ui: escape button values in static pages
  • ui: avoid short PHP tags
  • plugins: os-dnscrypt-proxy 1.3[1]
  • plugins: os-frr brings in missing area range code[2]
  • plugins: os-postfix log file ACL and wrapper mode typo fix (contributed by Michael Muenz)
  • plugins: os-theme-cicada IPsec widget colour fix (contributed by Team Rebellion)
  • plugins: os-theme-tukan IPsec widget colour fix (contributed by Team Rebellion)
  • plugins: os-vnstat /var MFS fix[3]
  • plugins: os-zabbix4-proxy 1.0 (contributed by Michael Muenz)
  • ports: openssl 1.0.2r[4]
  • ports: pam_opnsense 19.1.3 uses setuid for privilege separation
  • ports: phalcon 3.4.3[5]

[1] https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr
[2] https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr
[3] https://github.com/opnsense/plugins/blob/master/net/vnstat/pkg-descr
[4] https://www.openssl.org/news/secadv/20190226.txt
[5] https://github.com/phalcon/cphalcon/releases/tag/v3.4.3

Source: https://opnsense.org/opnsense-19-1-3-released/

OPNsense 19.1.2 Release Notes

  • system: move session files into their own directory (forces the current sessions to expire)
  • system: add validation check for time period for Dpinger (contributed by Team Rebellion)
  • system: hide "show certificate info" button of pending CSR (contributed by nhirokinet)
  • system: move opnsense-auth to libexec, but keep a symlink in sbin directory
  • system: escaping issue in gateway edit page
  • system: fix ACL for halt and reboot pages
  • firewall: fix alias entry replacement in utility page
  • firewall: prevent new alias creation when adding an address
  • firewall: capture "nat" traffic like we do for "rdr" in live log
  • firewall: escaping issues in schedule edit page
  • interfaces: push dhclient and dhcp6c log messages to system log
  • interfaces: write all nameservers via dhclient-script in multi WAN scenarios
  • interfaces: check for valid alias IP in dhclient-script
  • interfaces: 6RD interface naming back to 18.7 to sidestep character limits on stacked setups
  • interfaces: avoid reading empty interface configurations
  • firmware: bootstrap rework for HTTPS repository URL
  • firmware: patch cache and assorted improvements
  • firmware: minor update utility cleanups
  • firmware: remove compatibility stubs for pre-19.1 version reads
  • firmware: show revoked package mirror error in GUI if applicable
  • firmware: bump RageNetwork mirror to HTTPS
  • firmware: be more careful about parsing version info
  • dhcp: fix behaviour of determining primary/secondary (contributed by Fredrik Ronnvall)
  • intrusion detection: set stream.inline: true as an IPS workaround for a Suricata 4.1 regression[1]
  • intrusion detection: support required rules/files in metadata package
  • intrusion detection: less extensive logging
  • ipsec: fix escaping issue in mobile page
  • monit: fix address validation
  • openvpn: obey verify-x509-name for remote access (user auth)
  • openvpn: proper daemonize instead of background job
  • openvpn: extract full CA chain for setup
  • openvpn: missing "port" in protocol export
  • mvc: fix port validation on whitespace input
  • mvc: fix compare constraint (contributed by Fabian Franz)
  • mvc: fix read-only access on config.xml during locked runs
  • mvc: prevent UserException from being pushed to PHP error log
  • ui: legacy browsers accommodation (contributed by NOYB)
  • ui: update to Tokenize2 1.3 plus additional escaping patches
  • ui: add support for Tokenize2 sortable tag
  • ui: hardening of gettext() invokes in HTML tags
  • ui: fix setFormData() HTML decode
  • plugins: os-bind safe search google domain updates (contributed by Michael Muenz)
  • plugins: os-dnscrypt-proxy 1.2[2]
  • plugins: os-dyndns 1.13 IPv6 device lookup fix
  • plugins: os-etpro-telemetry 1.2 reduces telemetry data collection
  • plugins: os-frr 1.8 adds route summarization via area range (contributed by Michael Muenz)
  • plugins: os-haproxy 2.15[3][4]
  • plugins: os-nginx 1.8[5]
  • plugins: os-ntopng 1.2[6]
  • src: clear callee-preserved registers on amd64 syscall exit[7]
  • ports: cpdup 1.20
  • ports: curl 7.64.0[8]
  • ports: libressl 2.8.3[9]
  • ports: openvpn 2.4.7[10]
  • ports: pam_opnsense manual page addition
  • ports: sqlite 3.27.1[11]
  • ports: squid forgery check avoidance[12]
  • ports: strongswan 5.7.2[13]
  • ports: unbound 1.9.0[14]

[1] https://redmine.openinfosecfoundation.org/issues/2811
[2] https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr
[3] https://github.com/opnsense/plugins/pull/1167
[4] https://github.com/opnsense/plugins/pull/1209
[5] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[6] https://github.com/opnsense/plugins/blob/master/net/ntopng/pkg-descr
[7] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:01.syscall.asc
[8] https://curl.haxx.se/changes.html
[9] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.8.3-relnotes.txt
[10] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24
[11] https://www.sqlite.org/releaselog/3_27_1.html
[12] https://github.com/opnsense/ports/issues/66
[13] https://wiki.strongswan.org/versions/72
[14] https://nlnetlabs.nl/projects/unbound/download/

Source: https://opnsense.org/opnsense-19-1-2-released/
