OPNsense Bugfix Release 21.7.2 und Hotfix 21.7.2_1

Die Open-Source Firewall, OPNsense, ist in der Version 21.7.2 erschienen. Das Bugfix Release berücksichtigt folgende CVEs: CVE-2021-3711, CVE-2021-3712, CVE-2021-23840 und CVE-2021-23841. Weiterhin ist bereits das Hotfix 21.7.2_1 veröffentlicht worden, da es durch das Bugfix Release unerwartete Fehler gab.

Das Team von OPNsense arbeitet an RSS (receive side scaling), was aktuell schon, mit der libnetmap Library für besseres Scaling in Netmap Mode, enthalten aber noch nicht aktiviert ist. Die Aktivierung ist für eines der später folgenden Stable Releases geplant.

OPNsense Release 21.7.2 Notes

• system: default RSS widget feed to forum announcements
• system: add missing ACL for Syslog targets page
• system: fix unescaped source field used for password in backup plugins
• system: reload FreeBSD services when reloading all services from console
• interfaces: use -M option in rtosold invoke in preparation for 22.1
• interfaces: correct indent in dhclient configuration
• firewall: allow to specify port ranges for outgoing NAT (contributed by Nikolay Denev)
• firewall: fix long comment preventing IPFW reload (contributed by Robin Schneider)
• firewall: fix compare interfaces (contributed by Smart-Soft)
• firmware: opnsense-patch can now patch installer and updater files
• firmware: opnsense-update -c option now honours the -f option
• firmware: opnsense-update improvements for mirror manipulation options
• firmware: undo masking vulnerability URLs in FreeBSD due to UUID use
• firmware: also check plugins sync for up to date core package
• firmware: fix visibility issue on console when syncing plugins
• firmware: replace php version_compare() call with pkg-version shell command
• firmware: correctly announce major upgrade reboot in status return
• firmware: do not fetch GeoIP database from business mirrors without a subscription
• firmware: backend now supports reinstall like opnsense-bootstrap -q
• intrusion detection: skip ruleset empty metadata (contributed by kulikov-a)
• ipsec: fix a regression in rightsubnets for non-mobile phase 2
• ipsec: fix a regression in VTI handling
• ipsec: identity quoting for ASN1DN and FQDN types with “#” characters
• ipsec: add auto type for identities
• openvpn: fix client-config-dir regression
• openvpn: check IPv4 tunnel prefix (contributed by kulikov-a)
• openvpn: simplify CIDR validation and remove trim() usage
• web proxy: adding additional memory cache options (contributed by Xeroxxx)
• plugins: os-acme-client 3.0[1]
• plugins: os-haproxy 3.5[2]
• src: runtime RSS code preparations and assorted related upstream patches
• src: axgbe: remove unneccesary packet length check
• src: iflib: fix partial length accounting error in netmap mode
• src: lib: add libnetmap and related patches
• src: dhclient: skip_to_semi() consumes semicolon already
• src: rtsold: slighty change address read
• src: fix missing error handling in bhyve(8) device models[3]
• src: fix remote code execution in ggatec(8)[4]
• src: fix libfetch out of bounds read[5]
• src: fix multiple OpenSSL vulnerabilities[6][7]
• ports: ifinfo 13.0
• ports: libressl 3.3.4[8]
• ports: nss 3.69[9]
• ports: monit 5.29.0[10]
• ports: mpd5 adds L2TP interoperability fix from upstream
• ports: openssl 1.1.1l[11]
• ports: php 7.4.23[12]
• ports: strongswan 5.9.3[13]
• ports: sudo 1.9.7p2[14]
• ports: unbound 1.13.2[15]

OPNsense hotfix release 21.7.2_1:

• firewall: remove reordering patch due to unintended behavioural changes