Software-update: OPNsense 26.1.10

Het pakket OPNsense is een firewall met uitgebreide mogelijkheden. Het is gebaseerd op het besturingssysteem FreeBSD en is oorspronkelijk een fork van m0n0wall en pfSense. Het pakket kan volledig via een webinterface worden ingesteld en heeft onder andere ondersteuning voor mfa, OpenVPN, IPsec, CARP en captive portal. Daarnaast kan het packetfiltering toepassen en beschikt het over een traffic shaper. De ontwikkelaars achter OPNsense hebben de tiende update voor versie 26.1 uitgebracht en de releasenotes voor die uitgave kunnen hieronder worden gevonden.

OPNsense 26.1.10 released

This update is the obvious answer to recent reports throughout the ecosystem: There are 3 core security issues fixed, FreeBSD security advisories, third party updates as well as assorted fixes plus improvements in the new rules GUI.

The firmware page had a number of minor regressions that should be sorted out with this release. They did not affect updates, but made the process a bit less smooth than usual. Be assured that each minor update is tested quite extensively, but non-functional issues like these can always slip through a test cycle and will be found in the next one. In the worst case that means two stable releases: the issues appeared with 26.1.8 but were not visible before 26.1.9 was being tested.

Under the hood the preparation for Source NAT migration, MVC/API support for interface assignments and FreeBSD 15.1 support is underway. We expect a 26.7-BETA in the near future once we are satisfied with the overall quality.

Here are the full patch notes:

• system: routing: changed "disable" option to "enable"
• system: dashboard: explicitly compact on layout shift if there is no predefined layout
• system: dashboard: update result on default restore
• interfaces: parse ifconfig output despite exit error in legacy_interfaces_details()
• interfaces: hostwatch: pin warning banner to enabled flag
• firewall: always show automatic and legacy rules in new rules GUI
• firewall: add banner if no rules defined in new rules GUI to match legacy GUI
• firewall: use strnatcasecmp() for interface list in new rules GUI
• firewall: fix typo that prevented queues to be selectable in pf-based traffic shaping
• firewall: escape shaper targets in rule edit
• dnsmasq: change widget link from settings to leases page
• firmware: stop buffering in sed to fix chunked update log output
• firmware: retain ordering in update servers for connectivity check
• firmware: allow "local" business mirror subscription
• firmware: put clickable trailer for community plugins
• firmware: fix return value masking during updates
• firmware: opnsense-update: do not clean obsolete files on manual -r invokes
• intrusion detection: fix drop and alert buttons on rules tab
• ipsec: disable scroll in authentication and children grids
• ipsec: validate the use of refid in CA certificates
• kea: prevent converting the decimal prefix_id using hexdec() for dynamic PD
• openvpn: fix client export not showing common names
• openvpn: require an integer of at least 1 for "vpnid" field
• mvc: add new validators to TextField: AllowSpaces, AllowNewlines, AllowSpecial and introduce new StrictTextField
• mvc: strict alphanumeric-only regex for certificate refid
• mvc: simplify assorted option values to reduce duplication
• mvc: static header support for forms
• rc: move system_powerd_configure() to bootup plugin hook
• ui: bootgrid: allow column selection exclusions
• ui: allow passing of data attributes for select items in setFormData()
• ui: remove banner on inline reload if applicable
• ui: button padding when injecting next to apply button
• ui: fix spurious padding in apply button section
• plugins: os-cloudflared 1.0
• plugins: os-frr 1.53
• plugins: os-rfc2136 1.10
• plugins: os-stunnel fix for missing include in script
• plugins: os-telegraf 1.12.15
• src: missing permission check in thr_kill2
• src: arbitrary file overwrite via the KTLS receive path
• src: multiple vulnerabilities in the sound mmap path
• src: sigqueue missing capability mode restriction
• src: use-after-free bug in the IPV6_MSFILTER socket option handler
• src: flaw in Linuxulator execution of setugid binaries
• src: ASLR bypass for setuid executables via procctl
• src: integer overflow in vt CONS_HISTORY ioctl
• src: openssl: fix multiple vulnerabilities
• src: ldns: fix query response validation
• src: netlink: fix lock leak in nl_find_nhop
• src: pf: avoid taking the pf rules write lock in a couple of ioctls
• src: ipfw: add ability to run ipfw binary with 15.0+ kernel module
• src: ipfw: treat ipv6 address with zero mask as "any"
• ports: dnsmasq 2.93
• ports: filterlog 0.8 changes rule label fetch to libpfctl
• ports: openssl 3.0.21
• ports: phalcon 5.14.2
• ports: phpseclib 3.0.55
• ports: py-duckdb 1.5.3
• ports: py-numpy 2.4.6
• ports: python 3.13.14
• ports: sqlite3 3.53.1
• ports: strongswan 6.0.7