Date: 2024-04-18

IPFire is an open-source firewall for i586, x86_64 and Arm systems. Among other things, it includes an intrusion detection/prevention system, divides the network into zones, performs stateful packet inspection and offers VPN capabilities. For more information, see this page. The developers have released version 2.29 Core Update 185, a stable release for production systems. The accompanying release notes read as follows:

I am happy to announce that we finally have a new release of IPFire: IPFire 2.29 - Core Update 185. It comes with a brand new IPFire IPS based on Suricata 7, a number of bug fixes across the distribution and a good amount of package updates.

Finally, Suricata 7 is here. A new major version of what the IPFire IPS is based on. It finally brings support for HTTP/2, which is no longer considered experimental and now supports deflate compression and byte-ranges. There are new keywords for HTTP header inspection, and support for handling TLS client certificates, support for IKEv1, the PostgreSQL protocol, a BitTorrent parser, and last but not least QUICv1 and GQUIC. Suricata is also locking itself down more using Linux Landlock to prevent any damage in case the process could be exploited; and the developers have spent time making it slightly more memory efficient.

This update fixes a Denial-Of-Service vulnerability where the firewall would accept packets if an attacker was able to crash the Suricata service. We have not observed this being exploited, but found this problem when testing this release.

From abuse.ch, we have added the ThreatFox Indicators Of Compromise Rules. Those rules help to identify any local hosts that might have been compromised by detecting traffic to, for example, botnets. The PT Attack and Secureworks rulesets have been dropped as they are no longer available.

IPFire has been rebased on glibc 2.39, the C standard library, and binutils 2.42. IPFire is also now being compiled with the highest set of source fortification, -D_FORTIFY_SOURCE=3. That means that the compiler is adding compile-time and runtime checks to avoid common errors like buffer overruns and overflows, and so any undetected security vulnerabilities will be harder to exploit. Finally, we are now compiling the system with less debugging information which we don't need, which slightly speeds up the compilation process.

OpenVPN:
- Previously, the UI allowed creating certificates with a common name that was already in use (#13404)
- Imported net-to-net connections did not show correctly whether the certificate was password-protected (#13548)
- The OpenSSL configuration file has been cleaned up (#13595)

The time server configuration page is now showing the current system time

Custom DHCP options of type "integer 8" are now possible to configure (#12395)

Comments have sometimes been incorrectly encoded to ISO-8859-1 which broke Umlauts and other special and non-ASCII characters

Intel has published microcode updates for various of their processors to fix or mitigate the following security vulnerabilities: INTEL-SA-00972, INTEL-SA-00982, INTEL-SA-00898, INTEL-SA-00960, INTEL-SA-01045

The CA certificate bundle has been updated

Some basic functions of the initscripts have been cleaned up and enhanced to write shorter scripts

Updated packages: elfutils 0.191, ethtool 6.7, expat 2.6.2, knot 3.3.5, libffi 3.4.6, libpng 1.6.42, libplist 2.4.0, libgpg-error 1.48, intel-microcode 20240312, iproute2 6.8.0, meson 1.4.0, newt 0.52.24, OpenJPEG 2.5.2, OpenSSH 9.7p1, pango 1.52.0, pciutils 3.11.1, pixman 0.43.4, poppler 24.03.0, qpdf 11.9.0, shadow 4.15.0, SQLite 3.45.2, squid 6.8, Suricata 7.0.3, Tcl 8.6.14, Unbound 1.19.3, util-linux 2.39.3, wget 1.24.5, whois 5.5.21, xz 5.6.1