Software-update: OPNsense 21.7.2

Het pakket OPNsense is een firewall met uitgebreide mogelijkheden. Het is gebaseerd op het besturingssysteem FreeBSD en is oorspronkelijk een fork van m0n0wall en pfSense. Het pakket kan volledig via een webinterface worden ingesteld en heeft onder andere ondersteuning voor 2fa, openvpn, ipsec, carp en captive portal. Daarnaast kan het packetfiltering toepassen en beschikt het over een traffic shaper. De ontwikkelaars hebben OPNsense 21.7.2 uitgebracht met de volgende aankondiging:

OPNsense 21.7.2 released

Today the following CVEs are being addressed:

CVE-2021-3711, CVE-2021-3712, CVE-2021-23840, CVE-2021-23841

Please note that the Let's Encrypt client plugin is now called ACME client since acme.sh version 3 does support multiple providers.

Apart from the usual batch of fixes the work on RSS (receive side scaling) is progressing and groundwork has already made it to the kernel along with the libnetmap library for allowing better scaling in netmap mode along with it. At this point, however, RSS is not yet enabled and there is no impact on existing setups. That will likely change with one of the next stable versions in this series.

On the other hand, the work for FreeBSD 13 migration in 22.1 is ongoing as well to be able to test this rather sooner than later. In this iteration we will take the time to look at shared forwarding edge cases and have already upstreamed a number of patches that have been accumulated over the last couple of years to keep our code base light and tidy.

Here are the full patch notes:

• system: default RSS widget feed to forum announcements
• system: add missing ACL for Syslog targets page
• system: fix unescaped source field used for password in backup plugins
• system: reload FreeBSD services when reloading all services from console
• interfaces: use -M option in rtosold invoke in preparation for 22.1
• interfaces: correct indent in dhclient configuration
• firewall: allow to specify port ranges for outgoing NAT (contributed by Nikolay Denev)
• firewall: fix long comment preventing IPFW reload (contributed by Robin Schneider)
• firewall: fix compare interfaces (contributed by Smart-Soft)
• firmware: opnsense-patch can now patch installer and updater files
• firmware: opnsense-update -c option now honours the -f option
• firmware: opnsense-update improvements for mirror manipulation options
• firmware: undo masking vulnerability URLs in FreeBSD due to UUID use
• firmware: also check plugins sync for up to date core package
• firmware: fix visibility issue on console when syncing plugins
• firmware: replace php version_compare() call with pkg-version shell command
• firmware: correctly announce major upgrade reboot in status return
• firmware: do not fetch GeoIP database from business mirrors without a subscription
• firmware: backend now supports reinstall like opnsense-bootstrap -q
• intrusion detection: skip ruleset empty metadata (contributed by kulikov-a)
• ipsec: fix a regression in rightsubnets for non-mobile phase 2
• ipsec: fix a regression in VTI handling
• ipsec: identity quoting for ASN1DN and FQDN types with "#" characters
• ipsec: add auto type for identities
• openvpn: fix client-config-dir regression
• openvpn: check IPv4 tunnel prefix (contributed by kulikov-a)
• openvpn: simplify CIDR validation and remove trim() usage
• web proxy: adding additional memory cache options (contributed by Xeroxxx)
• plugins: os-acme-client 3.0
• plugins: os-haproxy 3.5
• src: runtime RSS code preparations and assorted related upstream patches
• src: axgbe: remove unneccesary packet length check
• src: iflib: fix partial length accounting error in netmap mode
• src: lib: add libnetmap and related patches
• src: dhclient: skip_to_semi() consumes semicolon already
• src: rtsold: slighty change address read
• src: fix missing error handling in bhyve(8) device models
• src: fix remote code execution in ggatec(8)
• src: fix libfetch out of bounds read
• src: fix multiple OpenSSL vulnerabilities
• ports: ifinfo 13.0
• ports: libressl 3.3.4
• ports: nss 3.69
• ports: monit 5.29.0
• ports: mpd5 adds L2TP interoperability fix from upstream
• ports: openssl 1.1.1l
• ports: php 7.4.23
• ports: strongswan 5.9.3
• ports: sudo 1.9.7p2
• ports: unbound 1.13.2