Software update: IPFire 2.29 - Core Update 193
IPFire is an open-source firewall for i586, x86_64 and Arm systems. Among other things it includes an intrusion detection/prevention system, divides the network into zones, performs stateful packet inspection and offers VPN capabilities. For more information we refer to this page. The developers have released version 2.29 Core Update 193, a stable release for production systems. The accompanying release notes read as follows:
Post-Quantum Cryptography for IPsec tunnels

IPsec tunnels now support key exchanges using the post-quantum Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM). This algorithm is believed to be secure against adversaries who possess a quantum computer and therefore hardens the security of those tunnels that use it.
In IPFire, this is now enabled by default for new tunnels together with Curve448, Curve25519, various other NIST-certified elliptic curve algorithms and RSA-4096 and RSA-3072. This choice will ensure that modern cryptography is being used when available, but IPFire will remain compatible with older solutions from other vendors. Of course you may enable this for existing tunnels on the advanced settings page of the tunnel.
Additionally, we have updated the default list of ciphers for new tunnels: we prefer AES-256 in either GCM or CBC mode, or ChaCha20-Poly1305, by default. AES-128 is no longer included in the default cipher list, as it has weaker security, and most hardware has acceleration for AES, so AES-256 should always achieve the same throughput.
This way, the primary way to build VPN networks over the internet has become even more secure and ready for 2025 and onwards. Read more about this on our blog.
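After upgrading, a practitioner will want to check which existing tunnels still negotiate proposals outside the new defaults described above (AES-256 GCM/CBC or ChaCha20-Poly1305, no AES-128, an ML-KEM key exchange in the IKE proposal). The script below is an added example written for this page; it is not IPFire's or strongSwan's code. It assumes strongSwan's proposal notation (algorithms joined by `-`, alternatives separated by `,`, a trailing `!` for strict mode, and the `keN_` prefix for an additional key exchange such as `ke1_mlkem768`), read from ipsec.conf-style `ike=`/`esp=` lines. The configuration text it audits is constructed for the example and is not an IPFire-generated file.

```python
"""Audit strongSwan-style IKE/ESP proposals against the Core Update 193 defaults:
AES-256 (GCM or CBC) or ChaCha20-Poly1305, no AES-128, ML-KEM key exchange for IKE.

Assumptions (not taken from the IPFire page): strongSwan proposal notation with
algorithms joined by '-', alternatives separated by ',', an optional trailing '!'
for strict mode, and additional key exchanges written with a keN_ prefix
(e.g. ke1_mlkem768). SAMPLE_CONF is constructed for this example.
"""
import re
from dataclasses import dataclass

PREFERRED_CIPHERS = {"aes256", "aes256gcm8", "aes256gcm12", "aes256gcm16", "chacha20poly1305"}
AES128_RE = re.compile(r"^aes128(gcm\d+)?$")
MLKEM_RE = re.compile(r"^(ke[1-7]_)?mlkem(512|768|1024)$")

# Constructed sample: one legacy tunnel and one tunnel on the new defaults.
SAMPLE_CONF = """\
conn legacy-partner
    ike=aes128-sha1-modp2048
    esp=aes128-sha1
conn modern
    ike=aes256gcm16-sha384-x25519-ke1_mlkem768,chacha20poly1305-sha256-x448-ke1_mlkem768!
    esp=aes256gcm16-x25519,chacha20poly1305!
"""


@dataclass
class Finding:
    line_no: int
    kind: str
    proposal: str
    problems: list


def parse_conf(text):
    """Yield (line_no, 'ike'|'esp', proposal string) for each ike=/esp= line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        m = re.match(r"^(ike|esp)\s*=\s*(\S+)", line)
        if m:
            yield line_no, m.group(1), m.group(2).rstrip("!")


def audit_proposal(kind, proposal):
    """Return the problems found in one proposal; an empty list means it matches the new defaults."""
    algs = proposal.lower().split("-")
    ciphers = [a for a in algs if a.startswith(("aes", "chacha"))]
    problems = []
    if any(AES128_RE.match(c) for c in ciphers):
        problems.append("uses AES-128, which is no longer in the default cipher list")
    if not any(c in PREFERRED_CIPHERS for c in ciphers):
        problems.append("no AES-256 (GCM/CBC) or ChaCha20-Poly1305 cipher")
    # Only the IKE proposal carries the key exchange; an ESP proposal lists at most a PFS group.
    if kind == "ike" and not any(MLKEM_RE.match(a) for a in algs):
        problems.append("no ML-KEM key exchange (post-quantum) in IKE proposal")
    return problems


def audit_conf(text):
    """Audit every proposal in an ipsec.conf-style text; return findings for non-compliant ones."""
    findings = []
    for line_no, kind, value in parse_conf(text):
        for proposal in value.split(","):
            problems = audit_proposal(kind, proposal)
            if problems:
                findings.append(Finding(line_no, kind, proposal, problems))
    return findings


if __name__ == "__main__":
    for f in audit_conf(SAMPLE_CONF):
        print(f"line {f.line_no}: {f.kind}={f.proposal}")
        for p in f.problems:
            print(f"    - {p}")
```

Run against the constructed sample, the legacy tunnel is reported twice (its IKE line for AES-128, the missing preferred cipher and the missing ML-KEM exchange; its ESP line for the two cipher problems), while the modern tunnel produces no findings. The script checks only the properties the release notes state; it does not judge hash or PRF choices.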
Toolchain Update

IPFire has been updated to use glibc - the C standard library - in version 2.41 and Binutils - the assembler and linker - in version 2.44. They are fundamental building blocks of the OS and we like to keep IPFire as modern as possible so that we generate the most optimal code which takes advantage of the most recent hardware features. And of course, as this is the most crucial code outside of the kernel itself, they are important to keep IPFire hardened.
Misc.

- The discontinued Botnet C2 blocklist from abuse.ch has been removed
- The archive of firmware and microcodes has been updated, including fixes for:
  - Security updates for INTEL-SA-01166
  - Security updates for INTEL-SA-01213
  - Security updates for INTEL-SA-01139
  - Security updates for INTEL-SA-01228
  - Security updates for INTEL-SA-01194
- A bug with an incorrect serial number has been fixed which prevented renewing the IPsec host certificate
- Stephen Cuka has submitted his first patch with some aesthetic improvements for the Firewall Groups page
- lucatrv has added DNS-over-TLS to the list of default services
- It is very important to us to keep IPFire up to date and get any fixes and improvements from upstream, therefore we once again update large parts of the distribution:
  - Apache 2.4.63
  - autoconf 2.72
  - BIND 9.20.6
  - binutils 2.44
  - btrfs-progs 6.13
  - dhcpcd 10.20.1
  - diffutils 3.11
  - expat 2.7.0
    - Fixes CVE-2024-8176
  - fmt 11.1.3
  - fontconfig 2.16.0
  - glibc 2.41
  - harfbuzz 10.2.0
  - Intel Microcode 20250211
  - jQuery 3.7.1
  - kmod 34
  - libexif 0.6.25
  - libffi 3.4.7
  - libloc 0.9.18
  - libxcrypt 4.4.38
  - libyang 3.7.8
  - Linux Firmware 20250211
  - LVM2 2.03.30
  - Pango 1.56.1
  - PCRE2 10.45
  - SQLite 3.49.1
  - squid 6.13
  - strongSwan 6.0.0
  - tcl 9.0.1
  - tzdata 2025a
  - vim 9.1.1153
  - vnstat 2.13
  - which 2.23
  - wpa_supplicant 2.11
  - xfsprogs 6.13.0
  - zstd 1.5.7

Add-ons

Updated packages:

- aws-cli 1.37.4
- ddrescue 1.29
- FLAC 1.4.3
- gdb 16.1
- Git 2.48.1
- HAProxy 3.1.2
- htop 3.4.0
- lynis 3.1.3
- mc 4.8.33
- monit 5.34.4
- mpd 0.23.17
- nfs 2.8.2
- openvmtools 12.5.0
- Postfix 3.10.1
- python3-botocore 1.36.5
- rpcbind 1.2.7
- Samba 4.21.4
- tcpdump 4.99.5
- tmux 3.5a
- traceroute 2.1.6
- tshark 4.4.5
Source:
Tweakers.net