OPNsense Security und Bugfix Release 18.7.9

Für die Open-Source Firewall OPNsense ist das Update 18.7.9 erschienen. Neben einigen Bugfixes, wurde das neue Plugin DNSCrypt-Proxy, sowie einige Sicherheitsupdates von FreeBSD und 3.Partie Plugins
veröffentlicht .

OPNsense 18.7.9 Release Notes

• system: allow setting alternative names on CSR
• system: add link-local routes with correct scope
• system: fix LDAP import button for Firefox
• system: assorted cleanups in HTML and PHP code
• interfaces: add note about CGN addresses included in private range
• interfaces: fix checksum disable for IPv6 TX / RX flags
• interfaces: multiple type DUID support (contributed by Team Rebellion)
• interfaces: properly read and write dhcp6c DUID binary file
• interfaces: do not read VLAN capabilities from nonexistent interfaces
• interfaces: removal of PEAR.inc from IPv6 address library
• interfaces: assorted cleanups in HTML and PHP code
• firewall: only suffix subnet alias entry when a network is expected
• firewall: default alias protocol to both IPv4 and IPv6
• firewall: fix validation of outbound NAT destination alias
• firewall: fix performance regression in get_alias_description()
• firewall: repair defunct “no nat proto carp all” rule
• firewall: limit type to CARP when checking for VIP VHID reuse
• firewall: refactor subnet retrieval in VIP deletion
• firewall: display VHID for IP alias in overview
• firewall: DHCPv6 outgoing firewall rule changed to “from (self)” to fix static setups
• firewall: rearranged outbound NAT bottom symbol hints (contributed by Team Rebellion)
• firewall: ignore empty values in alias migration (contributed by Frank Wall)
• firewall: assorted cleanups in HTML and PHP code
• captive portal: work around service boot ordering issue
• captive portal: change “onestop” to “stop” in backend action
• dnsmasq: add DNSSEC option
• dnsmasq: assorted cleanups in HTML and PHP code
• dhcp: show lease count in page heading
• dhcp: refactor IPv6 subnet read
• dhcp: fix DDNS IPv6 algorithm use
• dhcp: assorted cleanups in HTML and PHP code
• firmware: opnsense-version can now handle kernel, base and plugin metadata
• firmware: when pkg needs to be updated do not prompt for base and kernel set
• firmware: use embedded obsolete file list for removal on base set install
• intrusion detection: fix daily cron job, was actually monthly
• ipsec: assorted cleanups in HTML and PHP code
• openvpn: assorted cleanups in HTML and PHP code
• unbound: only use IPv6 when enabled and IPv4 is not preferred
• unbound: restart after VPN is up
• unbound: updated help text for verbosity level (contributed by Northguy)
• unbound: assorted cleanups in HTML and PHP code
• web proxy: move bump_step1 down (contributed by Michael Muenz)
• mvc: missing isset() in routes migration
• mvc: Phalcon 3.4.2 scope compatibility fix
• mvc: assorted fixes in PHPDoc
• mvc: fix advanced field bug in dialogs (contributed by Fabian Franz)
• mvc: SetIfConstraint (contributed by Fabian Franz)
• mvc: hidden input field (contributed by Fabian Franz)
• mvc: json-data access support (contributed by Fabian Franz)
• ui: remove markup from user indicator
• ui: sidebar fixes (contributed by Team Rebellion)
• plugins: os-acme-client 1.18 with GratisDNS and ACME DNS support (contributed by Frank Wall, ricobach, TuEye)
• plugins: os-bind 1.3 adds Google and Yahoo safe search (contributed by Michael Muenz)
• plugins: os-dnscrypt-proxy 1.0 (contributed by Michael Muenz)
• plugins: os-freeradius 1.8.3 makes use of certificates clearer (contributed by Michael Muenz)
• plugins: os-haproxy 2.12 HTTP/2 support, http-request before use_backend (contributed by Frank Wall, Mathias Aerts)
• plugins: os-net-snmp 1.3 mark device as L3 enabled via SysServices (contributed by Michael Muenz)
• plugins: os-nginx 1.5 with lots of new features[1] (contributed by Fabian Franz, Carlos Cesario, Julio Cesar Camargo, fzoske)
• plugins: os-nut 1.4 adds listen directive and more flexible arguments (contributed by Michael Muenz)
• plugins: os-postfix 1.7 adds address rewriting, sender/recipient BCC and domain masquerading (contributed by Michael Muenz)
• plugins: os-theme-cicada 1.11 (contributed by Team Rebellion)
• plugins: os-theme-rebellion 1.8.1 (contributed by Team Rebellion)
• plugins: os-theme-tukan 1.10 (contributed by Team Rebellion)
• src: fix multiple vulnerabilities in NFS server code[2]
• src: fix ICMP buffer underwrite[3]
• src: timezone database information update[4]
• src: fix deferred kernel loading breaks loader password[5]
• src: fix insufficient bounds checking in bhyve(8) device model[6]
• ports: lighttpd 1.4.52[7]
• ports: sqlite 3.26.0[8]
• ports: perl 5.26.3[9]
• ports: php 7.1.25[10]
• ports: hostapd / wpa_supplicant 2.7[11]
• ports: unbound 1.8.2[12]

[1] https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
[2] https://www.freebsd.org/security/advisories/FreeBSD-SA-18:13.nfs.asc
[3] https://www.freebsd.org/security/advisories/FreeBSD-EN-18:13.icmp.asc
[4] https://www.freebsd.org/security/advisories/FreeBSD-EN-18:14.tzdata.asc
[5] https://www.freebsd.org/security/advisories/FreeBSD-EN-18:15.loader.asc
[6] https://www.freebsd.org/security/advisories/FreeBSD-SA-18:14.bhyve.asc
[7] https://www.lighttpd.net/2018/11/28/1.4.52/
[8] https://www.sqlite.org/releaselog/3_26_0.html
[9] https://metacpan.org/pod/release/SHAY/perl-5.26.3/pod/perldelta.pod
[10] http://php.net/ChangeLog-7.php#7.1.25
[11] http://lists.infradead.org/pipermail/hostap/2018-December/039069.html
[12] https://nlnetlabs.nl/news/2018/Dec/04/unbound-1.8.2-released/

Quelle: https://opnsense.org/opnsense-18-7-9-released/