IPFire is an open-source firewall for i586, x86_64 and ARM systems. Among other things, it includes an intrusion detection/prevention system, divides the network into zones, performs stateful packet inspection and offers VPN capabilities. For more information, see this page. The developers have released version 2.27 Core Update 172, a stable release for production systems. The accompanying release notes read as follows:
IPFire 2.27 - Core Update 172 released

Shortly after Christmas, we release IPFire 2.27 - Core Update 172. It comes with cryptography improvements for IPsec and OpenVPN, as well as security improvements under the hood, a plethora of package updates and various bugs fixed across the place.
Future-proofing VPN cryptography

This Core Update updates the key lengths of host certificates for both IPsec and OpenVPN clients/peers to 4,096 bit RSA, since the previous default of 2,048 bit is no longer recommended for long-term security purposes.
Both IPsec and OpenVPN root CA length has always been 4,096 bit, as has the key pair generated for IPFire's web interface - no action is required on that front. Unfortunately, existing IPsec/OpenVPN client/peer configurations cannot be migrated automatically, and have to be phased out manually. Thanks to the respective CA certificates not requiring an update, complete disruptions of VPN infrastructure can, however, be avoided.
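Because the existing client/peer certificates are not migrated automatically, an administrator needs a way to find the ones still carrying the old 2,048-bit default. The following POSIX shell audit is an added example, not IPFire's own tooling: it assumes the openssl CLI is installed and takes as its argument a directory of your exported OpenVPN/IPsec client certificates (the path is an assumption you supply).

```sh
#!/bin/sh
# audit_vpn_keys.sh: report the RSA key size of every X.509 certificate in a
# directory and flag those below the new 4,096-bit default.
# Added example, not part of IPFire. The directory is passed on the command
# line (assumption: it holds your exported client/peer certificates as
# *.pem or *.crt). Requires the openssl CLI.

MIN_BITS=4096

# Print the public key size in bits of one PEM/DER certificate, or nothing if
# the file is not a parseable certificate. Matches both the OpenSSL 1.1.1
# ("RSA Public-Key: (2048 bit)") and OpenSSL 3 ("Public-Key: (2048 bit)") text.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^.*Public-Key: (\([0-9][0-9]*\) bit).*$/\1/p' | head -n 1
}

# Classify one bit length: "ok" when it meets MIN_BITS, "weak" otherwise
# (non-numeric input is treated as weak so it is never silently accepted).
classify_bits() {
    if [ "$1" -ge "$MIN_BITS" ] 2>/dev/null; then echo ok; else echo weak; fi
}

# Walk a directory of certificates and list those that must be re-issued.
# Returns non-zero if at least one weak certificate was found (handy for cron).
audit_dir() {
    weak=0
    for f in "$1"/*.pem "$1"/*.crt; do
        [ -f "$f" ] || continue
        bits=$(cert_key_bits "$f")
        if [ -z "$bits" ]; then
            echo "SKIP  $f (not an X.509 certificate)"
            continue
        fi
        case $(classify_bits "$bits") in
            ok)   echo "OK    $f ($bits bit)" ;;
            weak) echo "WEAK  $f ($bits bit) - re-issue with >= $MIN_BITS bit"
                  weak=$((weak + 1)) ;;
        esac
    done
    [ "$weak" -eq 0 ]
}

# Usage: sh audit_vpn_keys.sh /path/to/client/certs
if [ -n "$1" ]; then audit_dir "$1"; fi
```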
OpenVPN is automatically reconfigured to use a secure Diffie-Hellman parameter, both of sufficient length of 4,096 bit and standardized (see RFC 7919, section A.3, bug #12632). All OpenVPN clients and peers will automatically benefit from this cryptography improvement; no manual action is required. This also obsoletes the necessity of generating or uploading Diffie-Hellman parameters while configuring OpenVPN, saving a lot of time, as the generation of such parameters could have taken hours on slower hardware.
For early 2023, we anticipate post-quantum cryptography (PQC) to land in IPFire for IPsec, for which there is a strong (and growing) need, thanks to so-called "capture now, decrypt later" attacks endangering the confidentiality of information with long-term secrecy demand, such as biometric and health data.
Miscellaneous
- IPFire's trust store has been updated to incorporate Mozilla's decision to distrust the root certificates of TrustCor Systems S. DE R.L. (further media coverage)
- Displaying the status and actions of add-ons whose service names differed from their package names is fixed (#12935). The same page has also seen some translation improvements.
- Certificate Revocation Lists (CRLs) of OpenVPN are now properly backed up and reloaded before OpenVPN is (re-)started.
- Adolf Belka submitted a massive patchset for updating Python.
- Roberto Peña updated and improved the Spanish translation of IPFire's web interface.
- Some unnecessary files from linux-firmware are no longer shipped and automatically removed from existing installations to keep the system as lean as possible.
- Various file permissions have been tightened as a defense-in-depth measure.
- The obsolete gnu-netcat add-on has been dropped.
- Updated packages: arm-trusted-firmware 2.7, bash 5.2, bind 9.16.35, conntrack-tools 1.4.7, curl 7.86.0, elinks 0.15.1, ethtool 6.0, expat 2.5.0, iana-etc 20221107, intel-microcode 20221108, iproute2 6.0.0, libedit 20221030-3.1, libhtp 0.5.42, libloc 0.9.15, libnetfilter_conntrack 1.0.9, libpng 1.6.39, libtasn1 4.19.0, libtiff 4.4.0, libuv 1.44.2, libxcrypt 4.4.33, libxml2 2.10.3, linux-firmware 20221109, memtest86+ 6.00, nano 7.0, OpenSSH 9.1p1, OpenSSL 1.1.1s, OpenVPN 2.5.8, poppler 22.11.0, python3 3.10.8, readline 8.2, sed 4.9, sqlite 3400000, strongswan 5.9.8, sudo 1.9.12p1, suricata 6.0.9, sysstat 12.7.1, tzdata 2022e, u-boot 2022.10, unbound 1.17.0, usbutils 015, vnstat 2.10, xz 5.2.8, zlib 1.2.13
- Updated add-ons: cups-filters 1.28.16, ddrescue 1.26, dehydrated 0.7.1, fetchmail 6.4.34, ffmpeg 5.1.2, flac 1.4.2, fmt 9.1.0, git 2.38.1, libassuan 2.5.5, libvirt 8.9.0, mpd 0.23.10, nginx 1.22.1, pcengines-apu-firmware 4.17.0.2, qemu 7.1.0, qemu-ga 7.1.0, rsync 3.2.7, samba 4.17.3, sdl2
