
OPNsense Update 23.1.1 and Hotfix 23.1.1_2


The open-source firewall OPNsense Community Edition received update 23.1.1 and, shortly afterwards, hotfix 23.1.1_2. Besides closing security holes, the updates fix bugs from the previous version 23.1. The IPsec and Unbound components received a large number of improvements. The Unbound DNS server also gained a SafeSearch option, and the new reporting database should now cause lower CPU load and be easier to use.

OPNsense 23.1.1 Release Notes

  • system: replace single exec_command() with new shell_safe() wrapper
  • system: fix assorted PHP 8.1 deprecation notes
  • system: remove overreaching “Reconfigure a plugin facility” cron job and backend command that has no visible users
  • interfaces: fix VLAN rename after protocol addition in 23.1
  • interfaces: fix VLAN missing a config lock on delete
  • interfaces: make description field show for all types of VIP (contributed by FingerlessGloves)
  • interfaces: allow VHID reuse as it was before 23.1
  • firewall: prevent possible infinite loop in alias parsing (contributed by kulikov-a)
  • firewall: do not calculate local port range for alias (contributed by kulikov-a)
  • firewall: update validation of alias names to be slightly more restrictive
  • firewall: safeguard download_geolite() and log errors
  • firewall: do not switch gateway on bootup
  • captive portal: enforce a database repair during operation if necessary
  • firmware: move single-call function reporter page
  • intrusion detection: properly reset metadata response when no metadata is found
  • ipsec: allow “@” character in eap_id fields for new connections
  • ipsec: missing remapping pool UUID to name for new connections
  • ipsec: change status column sizing and hide local/remote auth by default
  • ipsec: fix username parsing in lease status
  • ipsec: refactor widget to use new data format
  • ipsec: migrate duplicated cron job
  • ipsec: faulty unique constraint in pre-shared keys
  • ipsec: fix eap_id placement for eap-mschapv2
  • unbound: simplify logger logic for required queries
  • unbound: add SafeSearch option to blocklists
  • unbound: match white/blocklist action exactly from reporting page
  • unbound: always prioritize whitelists over blocklists
  • unbound: various UX improvements in reporting page
  • unbound: add serve-expired, log-servfail, log-local-actions and val-log-level advanced settings
  • unbound: drop unnecessary index from reporting database and other optimizations to lower CPU usage
  • unbound: add HTTPS record type to reporting
  • unbound: remember reporting page logarithmic setting
  • unbound: missing global so that cache is never flushed when requested
  • mvc: cleanse $record input in searchRecordsetBase() before usage
  • plugins: os-haproxy 4.1[1]
  • plugins: os-openconnect 1.4.4[2]
  • plugins: os-qemu-guest-agent 1.2[3]
  • plugins: os-tayga fixes MVC interface registration
  • plugins: os-wireguard fixes MVC interface registration
  • src: geli: split the initialization of HMAC[4]
  • src: fix ena driver crash after reset in 7th gen AWS instance types[5]
  • src: fix sdhci broken write-protect settings[6]
  • src: import tzdata 2022g[7]
  • src: ipsec: clear pad bytes in PF_KEY messages
  • src: fib_algo: set vnet when destroying algo instance
  • src: if_ipsec: handle situations where there are no policy or SADB entry for if
  • src: if_ipsec: protect against user supplying unknown address family
  • src: if_me: use dedicated network privilege
  • src: vxlan: add support for socket ioctls SIOC[SG]TUNFIB
  • src: introduce and use the NET_EPOCH_DRAIN_CALLBACKS() macro
  • src: iflib: Add null check to iflib_stop()
  • src: x86: ignore stepping for APL30 errata
  • src: pfctl: rule.label is a two-dimensional array
  • src: pf: fix syncookies in conjunction with tcp fast port reuse
  • src: pf: fix panic on deferred packets
  • src: ipfw: Add missing ‘va’ code point name
  • src: netmap: try to count packet drops in emulated mode
  • src: netmap: fix a queue length check in the generic port rx path
  • src: netmap: tell the compiler to avoid reloading ring indices
  • ports: remove GnuTLS workarounds from ports previously required for LibreSSL
  • ports: dnsmasq 2.89[8]
  • ports: dpinger 3.3[9]
  • ports: lighttpd 1.4.68[10]
  • ports: openssh-portable 9.1p1[11]
  • ports: openssl 1.1.1t[12]
  • ports: php 8.1.15[13]

OPNsense Hotfix 23.1.1_2

  • captive portal: remove mod_evasion use which was discontinued by lighttpd
  • unbound: wait for pipe in logger (contributed by kulikov-a)

Rate limiting in the captive portal, which was set to 250 connections from the same IP address, has been removed. This setting can easily be recreated with manual firewall rules using the Advanced Option “Max established” set to 250 for the destination addresses.
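For readers who want to see what such a manual rule looks like underneath the GUI, here is an added example (written for this post, not code from OPNsense or the forum source). It assumes that the “Max established” field corresponds to pf's `max-src-conn` option, that the portal listens on TCP port 8000, and that the LAN interface is called `igc1`; these names and ports are assumptions, not values from the page.

```pf
# Added example, not part of the original post or the OPNsense project.
# Hand-written pf rule with the same effect as a GUI pass rule whose
# Advanced Option "Max established" is set to 250: each source address
# may hold at most 250 established TCP connections to the portal.
# Interface name (igc1) and portal port (8000) are assumed placeholders.
pass in quick on igc1 proto tcp from any to (igc1) port 8000 \
    flags S/SA keep state (max-src-conn 250)
```

The limit is tracked per source host, so one misbehaving client is capped while other clients are unaffected; after applying such a rule, `pfctl -sr` on the firewall shows whether the `max-src-conn 250` option was actually rendered into the active ruleset.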

Source: https://forum.opnsense.org/index.php?topic=32484.0
