Software-update: OPNsense 26.1.11

OPNsense logo Het pakket OPNsense is een firewall met uitgebreide mogelijkheden. Het is gebaseerd op het besturingssysteem FreeBSD en is oorspronkelijk een fork van m0n0wall en pfSense. Het pakket kan volledig via een webinterface worden ingesteld en heeft onder andere ondersteuning voor mfa, OpenVPN, IPsec, CARP en captive portal. Daarnaast kan het packetfiltering toepassen en beschikt het over een traffic shaper. De ontwikkelaars achter OPNsense hebben de elfde update voor versie 26.1 uitgebracht en de releasenotes voor die uitgave kunnen hieronder worden gevonden.

OPNsense 26.1.11 released

Back already with a bag of security advisories also for FreeBSD which came out just yesterday. We highly appreciate the increased amount of reports we are getting for the core code and we are working through them, but need to improve our process and guidelines somewhat in order to make more sense of the result for all of you. This will probably take additional effort after 26.7 is out.

Note that this update brings the outbound to source NAT migration page, but it is only a formality as outbound NAT will stay in 26.7 although the legacy firewall rules page will move to a plugin during the major upgrade. It is the same process that was employed with ISC-DHCP. Due to this addition, however, the source NAT rules entered in the system will no longer work unless the mode is set to either "manual" or "hybrid".

Here are the full patch notes:
  • system: configuration line injection via multiple GUI text fields
  • system: add missing legacy_html_escape_form_data() for $a_cert on administration settings
  • system: lockout: address newline injection and correct IP parsing
  • system: add "local_uri" type in SanitizeFilter() and use it to avoid hardcoding
  • system: several compatible adjustments for upcoming PHP 8.5
  • system: fix ACL pattern for carp_status action (contributed by Etienne Girault)
  • system: enhance live log widget (contributed by Greelan)
  • firewall: safeguard ISO country codes in alias download
  • firewall: escape user-controlled values in tooltip attributes
  • firewall: add the same new rules GUI design to the MVC NAT pages
  • firewall: add CSV download/upload to MVC NAT pages
  • firewall: add migration for outbound NAT into source NAT page
  • firewall: destination NAT: display effective port when local-port is omitted
  • firewall: source NAT: allow empty target which means the interface address
  • firewall: source NAT: skip rendering rules when mode is not advanced/manual or hybrid
  • firewall: improve performance on MVC pages using virtualDOM
  • firewall: allow WAN as "associated interface" for NPTv6 when prefix ID is set
  • firewall: fix TypeError on alias getItem() with unknown UUID (contributed by haxorton)
  • firewall: unify group names of OpenVPN, WireGuard and IPsec encapsulation
  • firewall: show rule counts that can be exported and hide tab if no rules exist
  • firewall: improve interface filter logic to include floating rules with multiple interfaces when they overlap with at least one interface in the interface filter request
  • firewall: add validations for "No RDR" option to prevent target and local-port being set
  • firewall: skip alias on new rules GUI apply
  • interfaces: prohibit the use of advanced DHCP option settings by non-administrators
  • interfaces: properly format API times to ISO format and convert timezone for display in automatic discovery
  • captive portal: pass in ip_address as a set for accounting
  • firmware: fix small glitch that re-prompts for showing community plugins
  • kea: add widget to show DHCP leases
  • kea: simplify model option values
  • monit: use throwNotFullAdmin() to restrict monit GUI write access to full admins due to intended system wide execution rights
  • network time: fix stored XSS in GPS init string display
  • openvpn: prevent path traversal in "common_name" attribute
  • openvpn: escape client common_name in connection-status views
  • openvpn: simplify model option values
  • mvc: checkAndThrowValueInUse validate input token which may only contain alphanum and dashes
  • mvc: guard BaseField::setNodes() against a list given for a scalar leaf (contributed by haxorton)
  • mvc: DescriptionField: disable special and newline characters
  • mvc: FileObject: fix exception bug (contributed by Greelan)
  • mvc: also do not translate empty labels in grids
  • mvc: give throwReadOnly() a sibling named throwNotFullAdmin()
  • mvc: use camelCase for carp_status action
  • ui: bootgrid: minor optimizations
  • ui: add generic escaping function htmlSafe() for JavaScript
  • plugins: os-cloudflared 1.1
  • plugins: os-freeradius 1.10.2
  • plugins: os-vnstat 1.4
  • src: vm: use-after-free in device pager page list
  • src: execve: local privilege escalation via execve(2) TOCTOU race
  • src: openzfs: multiple vulnerabilities in OpenZFS
  • src: libalias: bffer overflow in libalias RTSP handler
  • src: unlinkat: unlinkat(2) ignores AT_RESOLVE_BENEATH flag
  • src: tcp: use-after-free in TCP RACK stack option handler
  • src: posixshm: multiple vulnerabilities in POSIX largepage objects
  • src: audit: incorrect audit records for ptrace(2) syscall requests
  • src: ktls: remote DOS via uninitialized memory access in KTLS receive
  • src: linux: kernel stack disclosure in Linux compatibility layer
  • src: iconf: multiple vulnerabilities in iconv(3)
  • ports: curl 8.21.0
  • ports: expat 2.8.2
  • ports: ldns 1.9.2
  • ports: lighttpd 1.4.84
  • ports: phalcon 5.16.0
  • ports: py-duckdb 1.5.4
  • ports: syslog-ng 4.12.0

OPNsense

Versienummer 26.1.11
Releasestatus Final
Besturingssystemen BSD
Website OPNsense
Download https://opnsense.org/download
Licentietype Voorwaarden (GNU/BSD/etc.)

Door Bart van Klaveren

Downloads en Best Buy Guide

10-07-2026 • 18:00

0

Submitter: smerik

Bron: OPNsense

Update-historie

Reacties

Sorteer op:

Weergave:

Er zijn nog geen reacties geplaatst


Om te kunnen reageren moet je ingelogd zijn