OPNsense 19.1.8 Security and Bugfix Release

The open-source firewall OPNsense has received a security and bugfix update. In addition to the microarchitectural update (ZombieLoad), PHP and SQLite are also updated, and various bugs are fixed.

OPNsense 19.1.8 Release Notes

  • system: address CVE-2019-11816 privilege escalation bugs[1] (reported by Arnaud Cordier)
  • system: /etc/hosts generation without interface_has_gateway()
  • system: show correct timestamp in config restore save message (contributed by nhirokinet)
  • system: list the commands for the pluginctl utility when no argument is given
  • system: introduce and use userIsAdmin() helper function instead of checking for ‘page-all’ privilege directly
  • system: use absolute path in widget ACLs (reported by Netgate)
  • system: RRD-related cleanups for less code exposure
  • interfaces: add EN DUID Generation using OPNsense PEN (contributed by Team Rebellion)
  • interfaces: replace legacy_getall_interface_addresses() usage
  • firewall: fix port validation in aliases with leading / trailing spaces
  • firewall: fix outbound NAT translation display in overview page
  • firewall: prevent CARP outgoing packets from using the configured gateway
  • firewall: use CARP net.inet.carp.demotion to control current demotion in status page
  • firewall: stop live log poller on error result
  • dhcpd: change rule priority to 1 to avoid bogon clash
  • dnsmasq: only admins may edit custom options field
  • firmware: use insecure mode for base and kernel sets when package fingerprints are disabled
  • firmware: add optional device support for base and kernel sets
  • firmware: add Hostcentral mirror (HTTP, Melbourne, Australia)
  • ipsec: always reset rightallowany to default when writing configuration
  • lang: say “hola” to Spanish as the newest available GUI language
  • lang: updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese
  • network time: only admins may edit custom options field
  • openvpn: call openvpn_refresh_crls() indirectly via plugin_configure() for less code exposure
  • openvpn: only admins may edit custom options field to prevent privilege escalation (reported by Bill Marquette)
  • openvpn: remove custom options field from wizard
  • unbound: only admins may edit custom options field
  • wizard: translate typehint as well
  • plugins: os-freeradius 1.9.3 fixes string interpolation in LDAP filters (contributed by theq86)
  • plugins: os-nginx 1.12[2]
  • plugins: os-theme-cicada 1.17 (contributed by Team Rebellion)
  • plugins: os-theme-tukan 1.17 (contributed by Team Rebellion)
  • src: timezone database information update[3]
  • src: install(1) broken with partially matching relative paths[4]
  • src: microarchitectural Data Sampling (MDS) mitigation[5]
  • ports: ca_root_nss 3.44
  • ports: php 7.2.18[6]
  • ports: sqlite 3.28.0[7]
  • ports: strongswan custom XAuth generic patch removed

Stay safe,
Your OPNsense team


[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11816
[2] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[3] https://www.freebsd.org/security/advisories/FreeBSD-EN-19:08.tzdata.asc
[4] https://www.freebsd.org/security/advisories/FreeBSD-EN-19:09.xinstall.asc
[5] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:07.mds.asc
[6] https://www.php.net/ChangeLog-7.php#7.2.18
[7] https://www.sqlite.org/changes.html
