Menü Schließen

OPNsense 19.7 “Jazzy Jaguar” und Security Release 19.7.2

OPNsense Logo

Seit letztem Monat gibt es das neue Mainrelease 19.7, der beliebten Open-Source Firewall – OPNsense alias Jazzy Jaguar. Zu den Highlights gehören:

  • built-in remote system logging through Syslog-ng
  • route-based IPsec
  • updated translations with Spanish as a brand new and already fully translated
  • and newer Netmap code with VirtIO, VLAN child and vmxnet support

Vor kurzem gab es die Updates 19.7.1 und 19.7.2 hier die:

OPNsense 19.7.2 Release Notes

  • system: missing “” in legacy output via Syslog-ng
  • system: fix writing gateway information for DNS servers
  • system: allow gateway to work in DHCPv6 WAN when no router solicitation is available
  • firewall: unhide automatic interface-based output rules
  • firewall: unhide automatic non-interface-based floating rules
  • firewall: lift length restriction in NAT rule description
  • firewall: avoid newlines in rule descriptions
  • firewall: only show usable addresses in NAT outbound rules
  • interfaces: fix extended CARP output when parsing interface information
  • interfaces: add more outputs to overview page to increase usefulness
  • interfaces: use shared DHCP lease reader for ARP list
  • captive portal: fix binary read issue in Python 3
  • dhcp: fix DHCPv4 relay interface selection (contributed by jayantsahtoe)
  • firmware: handle file signature verify correctly with multiple fingerprint repositories
  • firmware: Aivian mirror is no longer active
  • firmware: Cloudfence mirror in Brazil added
  • plugins: os-acme-client 1.24[1]
  • plugins: os-bind 1.6 (contributed by crazy-max)
  • plugins: os-dnscrypt-proxy 1.5 (contributed by crazy-max)
  • plugins: os-grid_example 1.0[2]
  • plugins: os-helloworld Python 3 compatibility[3]
  • plugins: os-nut 1.5 adds Riello driver (contributed by Michael Muenz)
  • plugins: os-sunnyvalley 1.0[4][5]
  • src: fix panic from Intel CPU vulnerability mitigation[6]
  • src: fix multiple telnet client vulnerabilities[7]
  • src: fix pts write-after-free[8]
  • src: fix kernel memory disclosure in freebsd32_ioctl[9]
  • src: fix reference count overflow in mqueuefs[10]
  • src: fix byhve out-of-bounds read in XHCI device[11]
  • src: fix file descriptor reference count leak[12]
  • ports: libevent 2.1.11[13]


OPNsense 19.7 Release Notes

  • List automatic firewall rules
  • Statistics for all firewall rules
  • Alias JSON import / export
  • Optional statistics for aliases
  • Firewall rule locator for live log and automatic rules
  • Rewritten gateway handling and switching
  • Remote logging via Syslog-ng
  • LDAP group sync support
  • Support certificate signing requests
  • Route-based IPsec support (VTI)
  • XMLRPC sync support for alias, VHID, widgets
  • Unbound host overrides alias support
  • Web proxy and IPsec authentication using PAM
  • Parent web proxy support
  • Web proxy login privilege via group
  • Improved reliability and utility of opnsense-patch
  • Dpinger and DHCP servers ported to plugin framework
  • Language updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese
  • Spanish as a new language
  • Netdata, WireGuard, Maltrail and Mail-Backup (PGP) plugin
  • Netmap update for VirtIO, VLAN child and vmxnet support
  • Bootstrap 3.4, LibreSSL 2.9, Unbound 1.9, PHP 7.2, Python 3.7, Squid 4

And here are the full changes against version 19.7-RC1:

  • system: lower automatic gateway priority for tunnel interfaces
  • system: only show enabled interfaces on gateway edit
  • system: speed up console banner interface print
  • interfaces: typo in default WAN selection for packet capture
  • interfaces: support multiple interfaces for packet capture
  • interfaces: fix ambiguity in get_parent_interface()
  • firewall: restart filterlog with every filter reload
  • firmware: add update syshook
  • ipsec: phase2 IP type selector using the wrong class
  • reporting: fix Insight bug not processing top port and address statistics
  • ui: window_highlight_table_option() fix for Safari
  • wizard: improve logo contrast in welcome message
  • plugins: os-frr redistribute configuration fix (contributed by Cedric Vanet)
  • plugins: os-intrusion-detection-content-et-pro 1.0.1 now uses suricata-4.0 rulesets
  • plugins: os-haproxy 2.17[2][3]
  • plugins: os-mail-backup 1.0 (contributed by Joao Vilaca)
  • plugins: os-maltrail 1.0 (contributed by Michael Muenz)
  • plugins os-smart 2.0 MVC conversion (contributed by Smart-Soft)
  • plugins: os-tinc chroot setup with resolv.conf
  • plugins: os-wireguard 1.0 (contributed by Michael Muenz)
  • plugins: os-wol 2.2 fixes byte conversion
  • src: bump netmap ring size, still too small in FreeBSD
  • src: add FCC6_FCCA regulatory domain to ath_hal(4)
  • src: restore IPV6_NEXTHOP option support
  • src: fix privilege escalation in cd(4) driver[4]
  • src: fix kernel stack disclosure in UFS/FFS[5]
  • src: fix iconv buffer overflow[6]
  • src: import tzdata 2019b
  • ports: ca_root_nss 3.45
  • ports: filterlog 0.3 will not print to console and lowercase IPv6 protocol output
  • ports: postfix update is now non-interactive to prevent stalls
  • ports: rrdtool 1.7.2[7]

Known issues and limitations:

  • Web proxy squid update from version 3 to 4 breaks the cache database.  To repair go to “Services: Web Proxy: Administration” tab “Support” and click “Reset”.
  • Web proxy login privilege is no longer available.  Access may be restricted by a group selector instead.
  • Nano images require a reinstall using the latest image to avoid inode shortage which makes the system appear to run out of space during recent 19.1.x updates.
  • OpenVPN no longer supports listening on gateway groups.  Use localhost paired with port forwards instead.


Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert