OPNsense 21.1.6 Security und Bugfix Release veröffentlicht

Die Open-Source Firewall, OPNsense, erhielt das Security und Bugfix Release 21.1.6.

OPNsense 21.1.6 Release Notes

With a bit of delay we bring to you the usual mix of security and reliability updates. It is of note that the OpenVPN advisory tracked as CVE-2020-15078 does not affect the provided version 2.4.11, but the security audit will falsely flag it as vulnerable because the source of the audit is FreeBSD where OpenVPN was migrated to 2.5 series already.

Plans for upcoming 21.1.x versions include a swift Phalcon 4 migration as well as Python 3.8 and PHP 7.4 updates.

Here are the full patch notes:

• system: add audit log target and move related syslog messages there
• system: set HSTS max-age to 1 year (contributed by Maurice Walker)
• system: fix restore copy in console recovery
• interfaces: revise approach to clear states when WAN address changes
• interfaces: add policy-based routing support for “dynamic” interface gateways
• interfaces: return scoped link-local in get_configured_ip_addresses()
• firewall: NPTv6 configuration clean-up (contributed by Maurice Walker)
• firewall: remove redundant NPTv6 binat rule (contributed by Maurice Walker)
• firewall: live log widget multiple interfaces and inspect feature (contributed by kulikov-a)
• firewall: add live log filter templates feature (contributed by kulikov-a)
• dhcp: compress expanded IPv6 lease addresses for clean match with system
• dhcp: on the GUI pages avoid the use of dhcpd_dhcp_configure()
• dnsmasq: use dhcpd_staticmap() for lease registration
• firmware: opnsense-patch now also invalidates the menu cache
• ipsec: add “keyingtries” phase 1 configuration option
• ipsec: automatic outbound NAT rules missed mobile clients
• ipsec: fix typo in autogenerated rules for virtual IP use
• openvpn: fix wizard regression after certificate changes in 21.1.5
• openvpn: remove now defunct OpenSSL engine support
• unbound: cleanse blacklist domain input
• unbound: match whole entry in blacklists (contributed by kulikov-a)
• unbound: use dhcpd_staticmap() for lease registration
• ui: upgrade chart.js to 2.9.4
• ui: update chartjs-plugin-streaming to 1.9.0
• ui: order interfaces in groups
• ui: sidebar menu fix for long listings (contributed by Team Rebellion)
• plugins: os-acme-client 2.5[1]
• plugins: os-chrony 1.3[2]
• plugins: os-dyndns 1.24[3]
• plugins: os-freeradius 1.9.12[4]
• plugins: os-haproxy 3.3[5]
• plugins: os-intrusion-detection-content-et-open 1.0.1 adds emerging-inappropriate ruleset
• plugins: os-nginx expected MIME type fix (contributed by Kimotu Bates)
• plugins: os-qemu-guest-agent 1.0 (contributed by Frank Wall)
• plugins: os-relayd 2.5[6] (sponsored by Modirum)
• plugins: os-telegraf 1.10.1[7]
• plugins: os-zabbix4-proxy 1.3[8]
• plugins: os-zabbix5-proxy 1.5[9]
• src: axgbe: check for IFCAP_VLAN_HWTAGGING when reading descriptor
• src: axgbe: add 1000BASE-BX SFP support
• src: race condition in aesni(4) encrypt-then-auth operations[10]
• ports: curl 7.76.1[11]
• ports: filterlog 0.4 adds label support to output if applicable
• ports: libressl 3.3.3[12]
• ports: libxml2 fix for CVE-2021-3541
• ports: nss 3.65[13]
• ports: openssh-portable 8.6p1[14]
• ports: openvpn 2.4.11[15]
• ports: php 7.3.28[16]
• ports: sqlite 3.35.5[17]
• ports: sudo 1.9.7[18]
• ports: syslog-ng 3.32.1[19]

Quelle: OPNsense 21.1.6 released – OPNsense® is a true open source firewall and more