Software-update: OPNsense 21.1.4

Het pakket OPNsense is een firewall met uitgebreide mogelijkheden. Het is gebaseerd op het besturingssysteem FreeBSD en is oorspronkelijk een fork van m0n0wall en pfSense. Het pakket kan volledig via een webinterface worden ingesteld en heeft onder andere ondersteuning voor 2fa, openvpn, ipsec, carp en captive portal. Daarnaast kan het packetfiltering toepassen en beschikt het over een traffic shaper. De ontwikkelaars hebben OPNsense 21.1.4 uitgebracht met de volgende aankondiging:

OPNsense 21.1.4 released

The third party crypto libraries need patching so here we go! The number of user contributions and interaction regarding stability fixes and improvements from the OPNsense side seems to be picking up as well and that is great to see. The development version includes an update of Suricata to version 6.0.2 in case any of you want to try it out. Also, improvements in the DHCP static mapping can now deal with IPv6 prefix merge for such deployments using Unbound and Dnsmasq host registration.

In the past 3 months we have also been working on a business edition relaunch and now feel obligated to quickly present the results of these efforts: The upcoming release of the business edition will be versioned as 21.4 in order to decouple it from the community release cycle. To that end--and to stay true to open source--we have published the release engineering core branch for said business release.

You will see more distinction between "community" and "business" in communication, but the basic approach of a more conservative release cycle in volume and timing for the business edition remains the same. On top of this, the business edition also offers additional plugins, e.g. for central management tasks.

Here are the full patch notes:

• system: add assorted missing configuration sections for high availability sync
• system: restart web GUI with delay from services to prevent session disconnect
• system: improve error reporting in LDAP authentication (contributed by kulikov-a)
• system: changed USB serial option to use "on" instead of problematic "onifconsole"
• system: ignore garbled data in log lines
• system: fix single core activity display
• interfaces: immediately enable SLAAC during IPv6 initiation
• interfaces: fix a typo in the GIF setup code
• firewall: allow to select rules with no category set
• firewall: sort pfTable results before slice (contributed by kulikov-a)
• firewall: make categories work with numbers only (contributed kulikov-a)
• reporting: skip damaged NetFlow records
• dhcp: correct help text for IPv6 ranges (contributed by Team Rebellion)
• dhcp: remove obsolete subnet validation for static entries
• firmware: refine missing/invalid signature message during health check (contributed by Erik Inge Bolso)
• firmware: zap changelog remove description (contributed by Jacek Tomasiak)
• firmware: make status API endpoint synchronous when using POST
• openvpn: remove checks for NTP servers 3 and 4 (contributed by Christian Brueffer)
• unbound: Fix PTR records for DHCP endpoints (contributed by Gareth Owen)
• ui: use HTTPS everywhere (contributed by Robin Schneider)
• ui: bootgrid translation compatibility with Internet Explorer 11 (contributed by kulikov-a)
• plugins: add service annotations to supported plugins
• plugins: os-freeradius 1.9.10
• plugins: os-haproxy 3.1
• plugins: os-stunnel 1.0.3 adds client mode (contributed by Nicola Bonavita)
• plugins: os-telegraf 1.9.0
• plugins: os-theme-cicada 1.28 (contributed by Team Rebellion)
• plugins: os-theme-tukan 1.25 (contributed by Team Rebellion)
• plugins: os-theme-vicuna 1.4 (contributed by Team Rebellion)
• plugins: os-wireguard 1.5
• plugins: os-wol 2.4 fixes dashboard widget (contributed by kulikov-a)
• src: fix multiple OpenSSL vulnerabilities
• ports: ca_root_nss / nss 3.63
• ports: libressl 3.2.5
• ports: openldap 2.4.58
• ports: openssh fix for double free in ssh-agent
• ports: openssl 1.1.1k
• ports: sudo 1.9.6p1
• ports: suricata 5.0.6
• ports: syslog-ng 3.31.2
• ports: wpa_supplicant p2p vulnerability