The open-source firewall OPNsense has received a security and bugfix update. Alongside the microarchitectural update (ZombieLoad), PHP and SQLite are updated and various bugs are fixed.
OPNsense 19.1.8 Release Notes
- system: address CVE-2019-11816 privilege escalation bugs[1] (reported by Arnaud Cordier)
- system: /etc/hosts generation without interface_has_gateway()
- system: show correct timestamp in config restore save message (contributed by nhirokinet)
- system: list the commands for the pluginctl utility when no argument is given
- system: introduce and use userIsAdmin() helper function instead of checking for 'page-all' privilege directly
- system: use absolute path in widget ACLs (reported by Netgate)
- system: RRD-related cleanups for less code exposure
- interfaces: add EN DUID Generation using OPNsense PEN (contributed by Team Rebellion)
- interfaces: replace legacy_getall_interface_addresses() usage
- firewall: fix port validation in aliases with leading / trailing spaces
- firewall: fix outbound NAT translation display in overview page
- firewall: prevent CARP outgoing packets from using the configured gateway
- firewall: use CARP net.inet.carp.demotion to control current demotion in status page
- firewall: stop live log poller on error result
- dhcpd: change rule priority to 1 to avoid bogon clash
- dnsmasq: only admins may edit custom options field
- firmware: use insecure mode for base and kernel sets when package fingerprints are disabled
- firmware: add optional device support for base and kernel sets
- firmware: add Hostcentral mirror (HTTP, Melbourne, Australia)
- ipsec: always reset rightallowany to default when writing configuration
- lang: say "hola" to Spanish as the newest available GUI language
- lang: updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese
- network time: only admins may edit custom options field
- openvpn: call openvpn_refresh_crls() indirectly via plugin_configure() for less code exposure
- openvpn: only admins may edit custom options field to prevent privilege escalation (reported by Bill Marquette)
- openvpn: remove custom options field from wizard
- unbound: only admins may edit custom options field
- wizard: translate typehint as well
- plugins: os-freeradius 1.9.3 fixes string interpolation in LDAP filters (contributed by theq86)
- plugins: os-nginx 1.12[2]
- plugins: os-theme-cicada 1.17 (contributed by Team Rebellion)
- plugins: os-theme-tukan 1.17 (contributed by Team Rebellion)
- src: timezone database information update[3]
- src: install(1) broken with partially matching relative paths[4]
- src: microarchitectural Data Sampling (MDS) mitigation[5]
- ports: ca_root_nss 3.44
- ports: php 7.2.18[6]
- ports: sqlite 3.28.0[7]
- ports: strongswan custom XAuth generic patch removed
Stay safe,
Your OPNsense team
—
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11816
[2] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[3] https://www.freebsd.org/security/advisories/FreeBSD-EN-19:08.tzdata.asc
[4] https://www.freebsd.org/security/advisories/FreeBSD-EN-19:09.xinstall.asc
[5] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:07.mds.asc
[6] https://www.php.net/ChangeLog-7.php#7.2.18
[7] https://www.sqlite.org/changes.html