OPNsense 19.7.4 Release

Das Release ist 148,8MB groß und startet die Firewall im Anschluss neu. Es wurde 22 Änderungen und Fehler korrigiert. Die Roadmap enthält nun auch das nächste größere Release 20.0 Siehe: https://opnsense.org/about/road-map/ Unten folgen noch die älteren Releases, die ich im Blog nicht erwähnt hatte.

• system: fix legacy remote logging with custom port
• system: regenerate CA bundle when modifying trusted authorities
• system: fix translation order of tunables description
• system: fix CARP maintenance mode bootup
• firewall: missing daily refresh on GeoIP type
• firewall: fix fetch of GeoIP alias if its name is same as its country
• reporting: auto-load required kernel modules for NetFlow
• reporting: allow setting NetFlow active/inactive timeout (contributed by Frank Brendel)
• captive portal: optimise ipfw rule parsing
• firmware: Homelab.no has been superseded by TerraHost mirror (contributed by Thomas Jensen)
• unbound: support file-based custom includes
• unbound: set absolute path to root.hints (contributed by h-town)
• plugins: os-bind 1.8[2] (contributed by ErikJStaab)
• plugins: os-dnscrypt-proxy 1.6[3] (contributed by ErikJStaab)
• plugins: os-etpro-telemetry 1.4[4]
• plugins: os-theme-cicada 1.20 (contributed by Team Rebellion)
• plugins: os-theme-tukan 1.20 (contributed by Team Rebellion)
• ports: ca_root_nss 3.46
• ports: ldns 1.7.1[5]
• ports: pcre2 10.33[6]
• ports: php 7.2.22[7]
• ports: phpseclib 2.0.21[8]
• ports: unbound 1.9.3[9]

A hotfix release was issued as 19.7.4_1:

• captive portal: fix merge conflict in optimisation

OPNsense 19.7.3 Release Notes

• system: try all backups for automatic revert when config.xml is damaged
• system: do a system reset if all config.xml files are damaged
• system: only show tunables reboot hint when applying tunables (contributed by Northguy)
• system: use FQDN in system log remote messages
• system: add defunct gateways to GUI in disabled state
• interfaces: only allow VLAN parents that will work as VLAN parents
• interfaces: optionally promote/demote CARP on service status
• interfaces: CARP status page report with demotion level to avoid ambiguity
• firewall: revert problematic 19.7.2 change “unhide automatic interface-based output rules”
• firewall: restore automatic outbound NAT pre-19.7 behaviour which excludes gateways not configured and not dynamic
• firewall: add logging toggle to rules overview (contributed by johnaheadley)
• firewall: DHCPv6 relay would generate rules even if not enabled
• firmware: only do single-repository fingerprint verify defaulting to our OPNsense repository
• firmware: fix base and kernel package listing
• intrusion detection: show change message after toggle or save
• intrusion detection: rule download fix
• monit: add parent devices to interface list (contributed by Frank Brendel)
• monit: fix standard configuration migration (contributed by Frank Brendel)
• reporting: skip illegal NetFlow records in flow parser
• opendns: migrate update hook from DynDNS plugin to core to make it fully automatic
• backend: fix exception message string handling in Python 3
• backend: add help to pluginctl utility
• backend: configctl event handler support
• mvc: log API key when authentication failed
• ui:  more consistent HTML (contributed by gisforgirard)
• ui: sidebar bug fix (contributed by Team Rebellion)
• ui: fix initFormAdvancedUI() on initial load
• plugins: os-acme-client 1.25[1]
• plugins: os-bind 1.7[2]
• plugins: os-dyndns 1.17 removes OpenDNS and fixes DyNS
• plugins: os-haproxy 2.18[3]
• plugins: os-maltrail 1.1[4]
• plugins: os-nginx log rotation fix (contributed by Fabian Franz)
• plugins: os-postfix 1.10[5]
• plugins: os-smart 2.1 fixes widget status and adds NVMe disk support (contributed by irokinet and ATL)
• plugins: os-theme-cicada 1.19 (contributed by Team Rebellion)
• plugins: os-theme-tukan 1.19 (contributed by Team Rebellion)
• plugins: os-wireguard 1.1[6]
• src: fix incorrect exception handling in libunwind[7]
• src: fix multiple vulnerabilities in bzip2[8]
• src: fix ICMPv6 / MLDv2 out-of-bounds memory access[9]
• src: fix insufficient message length validation in bsnmp library[10]
• src: fix insufficient validation of guest-supplied data (e1000 device)[11]
• src: fix IPv6 remote denial of service[12]
• src: fix kernel memory disclosure from /dev/midistat[13]
• src: fix reference count overflow in mqueuefs[14]
• ports: hostapd 2.9[15]
• ports: nghttp2 1.39.2[16]
• ports: openldap 2.4.48[17]
• ports: perl 5.30.0[18]
• ports: php 7.2.21[19]
• ports: py-openssl 19.0.0[20]
• ports: syslog-ng 3.22.1[21]
• ports: wpa_supplicant 2.9[22]
  

OPNsense 19.7.2 Release Notes

• system: missing “” in legacy output via Syslog-ng
• system: fix writing gateway information for DNS servers
• system: allow gateway to work in DHCPv6 WAN when no router solicitation is available
• firewall: unhide automatic interface-based output rules
• firewall: unhide automatic non-interface-based floating rules
• firewall: lift length restriction in NAT rule description
• firewall: avoid newlines in rule descriptions
• firewall: only show usable addresses in NAT outbound rules
• interfaces: fix extended CARP output when parsing interface information
• interfaces: add more outputs to overview page to increase usefulness
• interfaces: use shared DHCP lease reader for ARP list
• captive portal: fix binary read issue in Python 3
• dhcp: fix DHCPv4 relay interface selection (contributed by jayantsahtoe)
• firmware: handle file signature verify correctly with multiple fingerprint repositories
• firmware: Aivian mirror is no longer active
• firmware: Cloudfence mirror in Brazil added
• plugins: os-acme-client 1.24[1]
• plugins: os-bind 1.6 (contributed by crazy-max)
• plugins: os-dnscrypt-proxy 1.5 (contributed by crazy-max)
• plugins: os-grid_example 1.0[2]
• plugins: os-helloworld Python 3 compatibility[3]
• plugins: os-nut 1.5 adds Riello driver (contributed by Michael Muenz)
• plugins: os-sunnyvalley 1.0[4][5]
• src: fix panic from Intel CPU vulnerability mitigation[6]
• src: fix multiple telnet client vulnerabilities[7]
• src: fix pts write-after-free[8]
• src: fix kernel memory disclosure in freebsd32_ioctl[9]
• src: fix reference count overflow in mqueuefs[10]
• src: fix byhve out-of-bounds read in XHCI device[11]
• src: fix file descriptor reference count leak[12]
• ports: libevent 2.1.11[13]

OPNsense 19.7.1 Release Notes

• system: do not create automatic copies of existing gateways
• system: do not translate empty tunables descriptions
• system: remove unwanted form action tags
• system: do not include Syslog-ng in rc.freebsd handler
• system: fix manual system log stop/start/restart
• system: scoped IPv6 “%” could confuse mwexecf(), use plain mwexec() instead
• system: allow curl-based downloads to use both trusted and local authorities
• system: fix group privilege print and correctly redirect after edit
• system: use cached address list in referrer check
• system: fix Syslog-ng search stats
• firewall: HTML-escape dynamic entries to display aliases
• firewall: display correct IP version in automatic rules
• firewall: fix a warning while reading empty outbound rules configuration
• firewall: skip illegal log lines in live log
• interfaces: performance improvements for configurations with hundreds of interfaces
• reporting: performance improvements for Python 3 NetFlow aggregator rewrite
• dhcp: move advanced router advertisement options to correct config section
• ipsec: replace global array access with function to ensure side-effect free boot
• ipsec: change DPD action on start to “dpdaction = restart”
• ipsec: remove already default “dpdaction = none” if not set
• ipsec: use interface IP address in local ID when doing NAT before IPsec
• web proxy: fix database reset for Squid 4 by replacing use of ssl_crtd with security_file_certgen
• plugins: os-acme-client 1.24[1]
• plugins: os-bind 1.6[2]
• plugins: os-dnscrypt-proxy 1.5[3]
• plugins: os-frr now restricts characters BGP prefix-list and route-maps[4]
• plugins: os-google-cloud-sdk 1.0[5]
• ports: curl 7.65.3[6]
• ports: monit 5.26.0[7]
• ports: openssh 8.0p1[8]
• ports: php 7.2.20[9]
• ports: python 3.7.4[10]
• ports: sqlite 3.29.0[11]
• ports: squid 4.8[12]