Software-update: OPNsense 26.1.6

Het pakket OPNsense is een firewall met uitgebreide mogelijkheden. Het is gebaseerd op het besturingssysteem FreeBSD en is oorspronkelijk een fork van m0n0wall en pfSense. Het pakket kan volledig via een webinterface worden ingesteld en heeft onder andere ondersteuning voor mfa, OpenVPN, IPsec, CARP en captive portal. Daarnaast kan het packetfiltering toepassen en beschikt het over een traffic shaper. De ontwikkelaars achter OPNsense hebben de zesde update voor versie 26.1 uitgebrachten de releasenotes voor die uitgave kunnen hieronder worden gevonden.

OPNsense 26.1.6 released

Yes, we are obviously still alive! This update addresses a number of security issues -- first and foremost an injection into LDAP authentication that can bypass group restrictions during login. Also included are Curl and OpenSSL third party updates as well as FreeBSD security advisories. Further UX tweaks reached the new firewall rules GUI, the MVC grid system and surprising movement in the Kea corner. But maybe most importantly: the captive portal finally gained native IPv6 support. Let us know what you think about it!

Here are the full patch notes:

• system: escape LDAP username during search
• system: dashboard gauge improvements
• system: compress height of the log viewer grid
• firewall: fix wrong "pass" on DNAT rule when using register rule
• interfaces: configurable cleanups for automatic neighbor discovery via hostwatch
• interfaces: refactor PPP CARP hook
• firewall: adjust sort order in networks and aliases in new rules GUI
• firewall: change sorting to interface/group name and stop caring about counted rules in new rules GUI
• firewall: change category sorting using names instead of counted rules in new rules GUI
• firewall: remove tokenizer from categories and use selectpicker instead in new rules GUI
• dnsmasq: prevent "*" from being collected as "client_id"
• firmware: repeat the update after pkg reinstall
• kea: add DDNS subnet-specific qualifying suffix and prevent updates if no server is set
• kea: add sockets max-retries and retry-wait-time options
• kea: add delete lease command and use socket for up-to-date lease collection
• kea: move pool-in-subnet validation logic mostly to KeaPoolsField
• kea: remove KeaCtrlAgent dependency on HA configuration
• kea: use SetConstraint for match_data to allow 0 as valid value
• ipsec: add 4 insecure proposals for compatibility
• captive portal: add IPv6 support
• radvd: when adding a manual instance for an automatic "track6" interface do not ignore its settings
• unbound: limit duckdb to a single thread in write mode to reduce logger memory usage
• unbound: add harden below NXDOMAIN option
• unbound: consolidate override aliases into tree view
• mvc: BaseListField: replace empty() check with isSet() for proper selection of value "0"
• mvc: HostnameField: show string that failed validation by default
• mvc: BaseField: add setValues() for generic use
• mvc: add SetConstraint for problematic "0" value constraining
• mvc: ApiMutableModelControllerBase: remove unused error returning in setActionHook()
• ui: set visibility hidden for base_bootgrid_table
• ui: upgrade Tabulator to version 6.4.0
• ui: automatic grid height calculation
• ui: bootgrid: maintain scrolling position for both datatree and command actions
• plugins: os-acme-client 4.15
• plugins: os-turnserver 1.2
• src: remote code execution via RPCSEC_GSS packet validation
• src: tcp: remotely exploitable DoS vector
• src: pf: silently ignores certain rules
• src: vnet: ensure the space allocated by vnet_data_alloc() is sufficent aligned
• src: ifnet: Fix decreasing the vnet interface count
• src: e1000: Increase FC pause/refresh time on PCH2 and newer
• src: net80211: fix VHT160/80P80/80 chanwidth selection in the "40-" case
• ports: curl 8.19.0
• ports: hostwatch 1.0.13
• ports: openssl 3.0.20
• ports: perl 5.42.2