Software-update: OPNsense 26.1.8

Het pakket OPNsense is een firewall met uitgebreide mogelijkheden. Het is gebaseerd op het besturingssysteem FreeBSD en is oorspronkelijk een fork van m0n0wall en pfSense. Het pakket kan volledig via een webinterface worden ingesteld en heeft onder andere ondersteuning voor mfa, OpenVPN, IPsec, CARP en captive portal. Daarnaast kan het packetfiltering toepassen en beschikt het over een traffic shaper. De ontwikkelaars achter OPNsense hebben de achtste update voor versie 26.1 uitgebrachten de releasenotes voor die uitgave kunnen hieronder worden gevonden.

OPNsense 26.1.8 released

This updated fixes two recently reported vulnerabilities in the core code pertaining to WAN DHCPv4 configuration and user management. It also includes third party updates to Dnsmasq, OpenSSH and Unbound amongst others.

Captive portal IPFW accounting rules will regain a performance boost by bringing back hash lookups. Since this update does not issue a reboot by itself either, do so or restart the captive portal instances to activate this change.

Here are the full patch notes:

• system: properly escape username in sync_user.php command invoke
• interfaces: safeguard DHCPv4 settings against arbitrary command injection
• system: fix XMLRPC sync with VIP and "nosync" option
• system: link CA references after all changes
• system: parse certificate "key_type" and "digest"
• system: allow flushing legacy OpenVPN legacy config
• system: audit "staticroute" config access
• system: use safe config iteration in core_user_changed_groups()
• interfaces: add missing config locks in device controllers
• interfaces: use safe iteration in backend code
• interfaces: adjust and annotate interface_dhcpv6_id()
• firewall: use save method from ApiMutableModelControllerBase for log command, move rule command and savepoint action
• firewall: safe config access in list_legacy_rules.php
• firewall: remove duplicated CSV button hook
• firewall: fix NPTv6 validation for empty external subnet
• firewall: make getRealInterface() a static utility function
• firewall: refactor searchRuleAction() to use the same filtering and sorting logic on MVC and legacy data
• firewall: fix inverted source/destination cosmetic issue in SNAT and One-to-One NAT grids
• captive portal: re-introduce hash lookup for accounting purposes
• captive portal: reload IPFW on captive portal reconfigure too
• dnsmasq: ignore DHCP names for "wpad" to fix CERT Vulnerability VU#598349
• firmware: opnsense-bootstrap: add "-B" bare bootstrap mode
• firmware: add repo configuration output to connectivity audit
• kea: plug socket into dynamic PD route installation script
• kea: add prefix to reservations to allow for static PD allocations based on DUID/MAC
• kea: infer IPv6 lease type in delete script via lease lookup so IA_NA/IA_PD can be deleted
• kea: DDNS add ddns-conflict-resolution-mode per subnet (contributed by chaispaquichui)
• kea: allow customizing "mac_sources" and change default to "ipv6-link-local"
• kea: add user-context object to config to emit description
• kea: fix option_data_autocollect mismatch in DHCPv6 page
• kea: enable internalModelSafeDelete due to increased model relation field usage
• kea: build reservation status from control socket output
• kea: add subnet vltime (partially contributed by Brandan Giles)
• kea: add client-id to DHCPv4 reservations
• network time: fix ACL definitions (contributed by Konstantinos Spartalis)
• openvpn: reload configuration for group sync after successful authentication
• openvpn: add tls-crypt-v2 support
• openvpn: allow restart action via cron
• radvd: allow to start a manual configuration without primary IPv6
• unbound: minor style/refactor for safe config access
• unbound: hide unused tree row in form output for overrides
• unbound: restyle statistics page
• wireguard: use getValues() consistently in control script
• mvc: remove unused UIModelGrid imports in IDS, Monit and Syslog controllers
• mvc: remove Util imports where not needed
• mvc: BaseField: add count() helper
• mvc: fix validation to use getValue instead of plain string cast
• mvc: UIModelGrid: remove flatten() method as getFlatNodes() is almost the same
• shell: safe iteration for VLAN/LAGG in port assignment
• shell: use safe config iteration in live mode banner
• ui: add static dialog header support and fix bool/string compare
• ui: add type_formatter keyword to form rendering
• ui: add save/cancel button support to form rendering
• ui: remove "event" use from bootgrid showSaveAlert()
• ui: add support for binary file uploads
• plugins: os-ddclient 1.31
• plugins: os-frr 1.52
• plugins: os-netbird 1.3
• plugins: os-q-feeds-connector 1.6
• plugins: os-turnserver 1.3
• ports: curl 8.20.0
• ports: dnsmasq 2.92rel2
• ports: expat 2.8.1
• ports: kea 3.0.3
• ports: krb5 1.22.2
• ports: libxml 2.15.3
• ports: nss 3.123.1
• ports: openssh 10.3p1
• ports: phalcon 5.12.1
• ports: py-duckdb 1.5.2
• ports: py-requests 2.33.1
• ports: unbound 1.25.0