Software-update: OPNsense 21.1.6

Het pakket OPNsense is een firewall met uitgebreide mogelijkheden. Het is gebaseerd op het besturingssysteem FreeBSD en is oorspronkelijk een fork van m0n0wall en pfSense. Het pakket kan volledig via een webinterface worden ingesteld en heeft onder andere ondersteuning voor 2fa, openvpn, ipsec, carp en captive portal. Daarnaast kan het packetfiltering toepassen en beschikt het over een traffic shaper. De ontwikkelaars hebben OPNsense 21.1.6 uitgebracht met de volgende aankondiging:

OPNsense 21.1.6 released

With a bit of delay we bring to you the usual mix of security and reliability updates. It is of note that the OpenVPN advisory tracked as CVE-2020-15078 does not affect the provided version 2.4.11, but the security audit will falsely flag it as vulnerable because the source of the audit is FreeBSD where OpenVPN was migrated to 2.5 series already.

Plans for upcoming 21.1.x versions include a swift Phalcon 4 migration as well as Python 3.8 and PHP 7.4 updates.

Here are the full patch notes:

• system: add audit log target and move related syslog messages there
• system: set HSTS max-age to 1 year (contributed by Maurice Walker)
• system: fix restore copy in console recovery
• interfaces: revise approach to clear states when WAN address changes
• interfaces: add policy-based routing support for "dynamic" interface gateways
• interfaces: return scoped link-local in get_configured_ip_addresses()
• firewall: NPTv6 configuration clean-up (contributed by Maurice Walker)
• firewall: remove redundant NPTv6 binat rule (contributed by Maurice Walker)
• firewall: live log widget multiple interfaces and inspect feature (contributed by kulikov-a)
• firewall: add live log filter templates feature (contributed by kulikov-a)
• dhcp: compress expanded IPv6 lease addresses for clean match with system
• dhcp: on the GUI pages avoid the use of dhcpd_dhcp_configure()
• dnsmasq: use dhcpd_staticmap() for lease registration
• firmware: opnsense-patch now also invalidates the menu cache
• ipsec: add "keyingtries" phase 1 configuration option
• ipsec: automatic outbound NAT rules missed mobile clients
• ipsec: fix typo in autogenerated rules for virtual IP use
• openvpn: fix wizard regression after certificate changes in 21.1.5
• openvpn: remove now defunct OpenSSL engine support
• unbound: cleanse blacklist domain input
• unbound: match whole entry in blacklists (contributed by kulikov-a)
• unbound: use dhcpd_staticmap() for lease registration
• ui: upgrade chart.js to 2.9.4
• ui: update chartjs-plugin-streaming to 1.9.0
• ui: order interfaces in groups
• ui: sidebar menu fix for long listings (contributed by Team Rebellion)
• plugins: os-acme-client 2.5
• plugins: os-chrony 1.3
• plugins: os-dyndns 1.24
• plugins: os-freeradius 1.9.12
• plugins: os-haproxy 3.3
• plugins: os-intrusion-detection-content-et-open 1.0.1 adds emerging-inappropriate ruleset
• plugins: os-nginx expected MIME type fix (contributed by Kimotu Bates)
• plugins: os-qemu-guest-agent 1.0 (contributed by Frank Wall)
• plugins: os-relayd 2.5
• plugins: os-telegraf 1.10.1
• plugins: os-zabbix4-proxy 1.3
• plugins: os-zabbix5-proxy 1.5
• src: axgbe: check for IFCAP_VLAN_HWTAGGING when reading descriptor
• src: axgbe: add 1000BASE-BX SFP support
• src: race condition in aesni(4) encrypt-then-auth operations
• ports: curl 7.76.1
• ports: filterlog 0.4 adds label support to output if applicable
• ports: libressl 3.3.3
• ports: libxml2 fix for CVE-2021-3541
• ports: nss 3.65
• ports: openssh-portable 8.6p1
• ports: openvpn 2.4.11
• ports: php 7.3.28
• ports: sqlite 3.35.5
• ports: sudo 1.9.7
• ports: syslog-ng 3.32.1