OPNsense 19.7 “Jazzy Jaguar” and Security Release 19.7.2

Since last month, the new main release 19.7 of the popular open-source firewall OPNsense, alias Jazzy Jaguar, has been available. The highlights include:

  • built-in remote system logging through Syslog-ng
  • route-based IPsec
  • updated translations with Spanish as a brand new and already fully translated
    language
  • and newer Netmap code with VirtIO, VLAN child and vmxnet support

Updates 19.7.1 and 19.7.2 were released recently; here are the:

OPNsense 19.7.2 Release Notes

  • system: missing “” in legacy output via Syslog-ng
  • system: fix writing gateway information for DNS servers
  • system: allow gateway to work in DHCPv6 WAN when no router solicitation is available
  • firewall: unhide automatic interface-based output rules
  • firewall: unhide automatic non-interface-based floating rules
  • firewall: lift length restriction in NAT rule description
  • firewall: avoid newlines in rule descriptions
  • firewall: only show usable addresses in NAT outbound rules
  • interfaces: fix extended CARP output when parsing interface information
  • interfaces: add more outputs to overview page to increase usefulness
  • interfaces: use shared DHCP lease reader for ARP list
  • captive portal: fix binary read issue in Python 3
  • dhcp: fix DHCPv4 relay interface selection (contributed by jayantsahtoe)
  • firmware: handle file signature verify correctly with multiple fingerprint repositories
  • firmware: Aivian mirror is no longer active
  • firmware: Cloudfence mirror in Brazil added
  • plugins: os-acme-client 1.24[1]
  • plugins: os-bind 1.6 (contributed by crazy-max)
  • plugins: os-dnscrypt-proxy 1.5 (contributed by crazy-max)
  • plugins: os-grid_example 1.0[2]
  • plugins: os-helloworld Python 3 compatibility[3]
  • plugins: os-nut 1.5 adds Riello driver (contributed by Michael Muenz)
  • plugins: os-sunnyvalley 1.0[4][5]
  • src: fix panic from Intel CPU vulnerability mitigation[6]
  • src: fix multiple telnet client vulnerabilities[7]
  • src: fix pts write-after-free[8]
  • src: fix kernel memory disclosure in freebsd32_ioctl[9]
  • src: fix reference count overflow in mqueuefs[10]
  • src: fix bhyve out-of-bounds read in XHCI device[11]
  • src: fix file descriptor reference count leak[12]
  • ports: libevent 2.1.11[13]

Source: https://opnsense.org/opnsense-19-7-2-released/

OPNsense 19.7 Release Notes

  • List automatic firewall rules
  • Statistics for all firewall rules
  • Alias JSON import / export
  • Optional statistics for aliases
  • Firewall rule locator for live log and automatic rules
  • Rewritten gateway handling and switching
  • Remote logging via Syslog-ng
  • LDAP group sync support
  • Support certificate signing requests
  • Route-based IPsec support (VTI)
  • XMLRPC sync support for alias, VHID, widgets
  • Unbound host overrides alias support
  • Web proxy and IPsec authentication using PAM
  • Parent web proxy support
  • Web proxy login privilege via group
  • Improved reliability and utility of opnsense-patch
  • Dpinger and DHCP servers ported to plugin framework
  • Language updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese
  • Spanish as a new language
  • Netdata, WireGuard, Maltrail and Mail-Backup (PGP) plugin
  • Netmap update for VirtIO, VLAN child and vmxnet support
  • Bootstrap 3.4, LibreSSL 2.9, Unbound 1.9, PHP 7.2, Python 3.7, Squid 4

And here are the full changes against version 19.7-RC1:

  • system: lower automatic gateway priority for tunnel interfaces
  • system: only show enabled interfaces on gateway edit
  • system: speed up console banner interface print
  • interfaces: typo in default WAN selection for packet capture
  • interfaces: support multiple interfaces for packet capture
  • interfaces: fix ambiguity in get_parent_interface()
  • firewall: restart filterlog with every filter reload
  • firmware: add update syshook
  • ipsec: phase2 IP type selector using the wrong class
  • reporting: fix Insight bug not processing top port and address statistics
  • ui: window_highlight_table_option() fix for Safari
  • wizard: improve logo contrast in welcome message
  • plugins: os-frr redistribute configuration fix (contributed by Cedric Vanet)
  • plugins: os-intrusion-detection-content-et-pro 1.0.1 now uses suricata-4.0 rulesets
  • plugins: os-haproxy 2.17[2][3]
  • plugins: os-mail-backup 1.0 (contributed by Joao Vilaca)
  • plugins: os-maltrail 1.0 (contributed by Michael Muenz)
  • plugins: os-smart 2.0 MVC conversion (contributed by Smart-Soft)
  • plugins: os-tinc chroot setup with resolv.conf
  • plugins: os-wireguard 1.0 (contributed by Michael Muenz)
  • plugins: os-wol 2.2 fixes byte conversion
  • src: bump netmap ring size, still too small in FreeBSD
  • src: add FCC6_FCCA regulatory domain to ath_hal(4)
  • src: restore IPV6_NEXTHOP option support
  • src: fix privilege escalation in cd(4) driver[4]
  • src: fix kernel stack disclosure in UFS/FFS[5]
  • src: fix iconv buffer overflow[6]
  • src: import tzdata 2019b
  • ports: ca_root_nss 3.45
  • ports: filterlog 0.3 will not print to console and lowercase IPv6 protocol output
  • ports: postfix update is now non-interactive to prevent stalls
  • ports: rrdtool 1.7.2[7]

Known issues and limitations:

  • Web proxy squid update from version 3 to 4 breaks the cache database.  To repair go to “Services: Web Proxy: Administration” tab “Support” and click “Reset”.
  • Web proxy login privilege is no longer available.  Access may be restricted by a group selector instead.
  • Nano images require a reinstall using the latest image to avoid inode shortage which makes the system appear to run out of space during recent 19.1.x updates.
  • OpenVPN no longer supports listening on gateway groups.  Use localhost paired with port forwards instead.

Source: https://opnsense.org/opnsense-19-7-jazzy-jaguar-released/