Home

Software-update: OPNsense 23.7.8

Het pakket OPNsense is een firewall met uitgebreide mogelijkheden. Het is gebaseerd op het besturingssysteem FreeBSD en is oorspronkelijk een fork van m0n0wall en pfSense. Het pakket kan volledig via een webinterface worden ingesteld en heeft onder andere ondersteuning voor 2fa, openvpn, ipsec, carp en captive portal. Daarnaast kan het packetfiltering toepassen en beschikt het over een traffic shaper. De ontwikkelaars hebben OPNsense 23.7.8 uitgebracht en de releasenotes voor die uitgave kunnen hieronder worden gevonden.

OPNsense 23.7.8 released

The configuration restore GUI has been improved in a number of ways due to recent demand and Squid was updated to the new major release version 6. A number of reliability improvements were also added to the WireGuard kernel plugin which from our perspective is now ready for core inclusion. The documentation is being updated accordingly, but will take a bit more time to ensure consistency following up on the GUI changes it received.

This update also includes FreeBSD security advisories and assorted fixes. We are aware of OpenSSL 1.1.1 CVE-2023-5678 and we are already testing builds based on OpenSSL 3 which can be available in 24.1 when it does not negatively impact overall operation. We also expect fixes for version 1 to be available sooner, but without OpenSSL providing such fixes directly the roundtrip time is likely going to increase for them.

Here are the full patch notes:
  • system: minor changes related to recent Gateway class refactoring
  • system: use unified style for "return preg_match" idiom so the caller receives a boolean
  • system: provide mismatching interface logic without reboot on configuration restore
  • system: allow new backup API to download latest configuration directly via /api/core/backup/download/this
  • system: extend restore to be able to migrate older configurations cleanly
  • system: make trust store reload conditional
  • interfaces: assorted bridge handling improvements
  • interfaces: ignore ULAs for primary IPv6 detection
  • interfaces: improve wireless channel parsing
  • firewall: keep filtered items available longer in live log
  • firewall: when migrating aliases make sure that nesting does not fail
  • firewall: port can be zero in automatic rule so render it accordingly
  • firewall: minor update to shaper model
  • firmware: invalidate GUI caches earlier since certctl blocks this longer now
  • firmware: add root file system to health audit
  • monit: minor update to model
  • lang: update Chinese, Czech, Italian, Korean, Polish and Spanish
  • openvpn: host bits must not be set for IPv4 server directive in instances
  • unbound: minor update to model
  • unbound: remove localhost from automatically created ACL
  • web proxy: handle the major update to version 6 and update model
  • mvc: enforce uniqueness and remove validation message in UnqiueIdField
  • mvc: config should be locked before calling checkAndThrowSafeDelete()
  • ui: prevent form submit for MVC pages
  • ui: improve default modal padding
  • plugins: os-bind 1.28
  • plugins: os-openconnect 1.4.5
  • plugins: os-wireguard 2.5
  • src: pfctl: fix incorrect mask on dynamic address
  • src: libpfctl: assorted improvements
  • src: msdosfs: zero partially valid extended cluster
  • src: copy_file_range: require CAP_SEEK capability
  • src: fflush: correct buffer handling in __sflush
  • src: cap_net: correct capability name from addr2name to name2addr
  • src: regcomp: use unsigned char when testing for escapes
  • ports: lighttpd 1.4.73
  • ports: php 8.2.12
  • ports: squid 6.4
  • ports: sudo 1.9.15

    • Source: Tweakers.net

    Previous

    Next