Software-update: OPNsense 26.1.9

Het pakket OPNsense is een firewall met uitgebreide mogelijkheden. Het is gebaseerd op het besturingssysteem FreeBSD en is oorspronkelijk een fork van m0n0wall en pfSense. Het pakket kan volledig via een webinterface worden ingesteld en heeft onder andere ondersteuning voor mfa, OpenVPN, IPsec, CARP en captive portal. Daarnaast kan het packetfiltering toepassen en beschikt het over een traffic shaper. De ontwikkelaars achter OPNsense hebben de negende update voor versie 26.1 uitgebrachten de releasenotes voor die uitgave kunnen hieronder worden gevonden.

OPNsense 26.1.9 released

As a sign of the times this update ships 3 core security fixes as well as OS and third party updates. Kea dynamic prefix delegation is also included plus more GUI improvements. Time to 26.7 is short. See you soon! :)

Here are the full patch notes:

• system remove unused data-tooltip that is not properly escaped from certificates widget
• system: tighten landing page redirect (contributed by Konstantinos Spartalis)
• system: fix passing null into getRealInterface()
• system: fix regression in selective group delete introduced previously
• system: allow unregistered plugin cron actions to be deleted
• system: disable MAILTO for cron jobs
• reporting: render NaN values as empty values and omit leading empty records from data set for health graphs
• reporting: add max on Y axis for traffic graphs
• interfaces: dhclient.conf does not cope with multi-line request/require
• interfaces: account for multiple UUIDs in VIP deletion
• interfaces: more safe iteration through config_read_array()
• interfaces: fix wrong DUID-UUID format but keep accepting the wrong one
• interfaces: fix regression in selective device delete introduced previously
• interfaces: IAID selection and prefix range reservation for WAN DHCPv6
• firewall: fix for missing HTML escape in description render in legacy rules GUI
• firewall: add an alias formatter to show content fields as "dynamic" when populated by other components
• firewall: fix Tabulator regression with alias batch delete
• firewall: use safe config iteration in interface registration
• firewall: fix unintended change in filtering logic for new rules GUI
• firewall: fix action, ipprotocol and protocol translations for legacy rules in new rules GUI
• firewall: use safe iteration over rules in filter_core_rules_user()
• firewall: add missing exclamation mark for "not" in scrub rules
• firewall: fix interface sorting by value for live log and groups
• captive portal: remove redirection on HTTPS and ditch non-functional pass statement
• dnsmasq: change DHCP tag to DescriptionField
• ipsec: move swanctl.conf download button to the tab
• ipsec: restyle the connections page for clarity
• kea: dynamic prefix delegation support
• kea: always start the prefix watcher when DHCPv6 is enabled
• kea: cleanups for IntegerField using isSet() and no negative numbers allowed
• kea: add decline_probation_period and set lower default to mitigate faulty client implementations to consume the whole pool
• kea: add subnet allocator field (contributed by Marcos Della)
• kea: add DHCPv4 compatibility options (contributed by Marcos Della)
• kea: hook up reservation.next_server (contributed by Ian Munsie)
• kea: fix missing visual cues for manual mode in DDNS and DHCPv4/6
• monit: sanitize monit output before offering it
• network time: cleanse port option before use
• network time: small cleanups in ntpd_configure_gps()
• unbound: blocklists categorization and apply button message update (contributed by Konstantinos Spartalis)
• acl: some missing references and using camelCase pointers instead of snake_case
• mvc: add support for pluggable dynamic menu items and move some existing parts out of the MenuSystem class
• mvc: stricter email address validation
• mvc: OptionsField: use key as value if no value is set
• mvc: unify migration message returns
• mvc: do not translate empty strings
• ui: clean up useRequestHandlerOnGet usage
• ui: use space in apply box for the apply reminder
• ui: improve form validation error append
• ui: tab exclusion for SimpleActionButton
• ui: split form button row render as some forms only use save
• ui: override selectpicker defaults for translations
• ui: hide apply button for specific tabs on multiple pages (contributed by Konstantinos Spartalis)
• ui: bootgrid: align datakey with the rest of the options, but allow top-level placement
• ui: bootgrid: mark state variables as such
• ui: bootgrid: safeguard replace() function
• ui: bootgrid: remove unused getTotalRowCount() method
• ui: bootgrid: prevent NaN pagination values for non-ajax grids when row count is set to all
• ui: bootgrid: clean up converter compatibility code
• ui: bootgrid: replace "append" with "replace" for ajax: false grids
• ui: bootgrid: adjust column persistence behavior to prevent horizontal dead space
• plugins: use safe config iteration in interface registration code
• plugins: os-tinc fixes evaluation of hosts enabled flag (contributed by Konstantinos Spartalis)
• src: dhclient: improve server and filename validation
• src: setcred: fix buffer overflow
• src: kern: make sure to drain selinfo sleepers
• src: fusefs: handle buggy server LISTXATTR response
• src: ptrace: fix validation of PT_SC_REMOTE arguments
• src: libcasper: switch from select(2) to poll(2)
• src: cap_net: do not allow new limits to drop keys from the old ones
• src: ipfw: fix parsing error in nat config port_range
• src: ipfw: fix checksum after NAT
• src: igmp: Avoid leaving dangling pointers in the state-change queue
• src: vxlan: Update *m0 after a pullup
• src: routing: use a better error number in sysctl_fibs()
• src: routing: initialize V_rt_numfibs earlier during boot
• src: pfsync: reject invalid SCTP states
• src: pf: do not reject rules with colliding hashes
• src: rtnetlink: check for allocation failure in nlattr_get_multipath()
• src: rtnetlink: align RTA_MULTIPATH length validation in nlattr_get
• ports: nss 3.124
• ports: openvpn 2.7.4
• ports: php 8.3.31
• ports: py-numpy 2.4.4
• ports: suricata 8.0.5
• ports: unbound 1.25.1