Software update: OPNsense 26.1.9
The OPNsense package is a firewall with extensive capabilities. It is based on the FreeBSD operating system and was originally a fork of m0n0wall and pfSense. The package can be configured entirely through a web interface and supports, among other things, MFA, OpenVPN, IPsec, CARP and captive portal. It can also perform packet filtering and includes a traffic shaper. The developers behind OPNsense have released the ninth update for version 26.1, and the release notes for that release can be found below.
OPNsense 26.1.9 released

As a sign of the times this update ships 3 core security fixes as well as OS and third party updates. Kea dynamic prefix delegation is also included plus more GUI improvements. Time to 26.7 is short. See you soon! :)
Here are the full patch notes:

system: remove unused data-tooltip that is not properly escaped from certificates widget
system: tighten landing page redirect (contributed by Konstantinos Spartalis)
system: fix passing null into getRealInterface()
system: fix regression in selective group delete introduced previously
system: allow unregistered plugin cron actions to be deleted
system: disable MAILTO for cron jobs
reporting: render NaN values as empty values and omit leading empty records from data set for health graphs
reporting: add max on Y axis for traffic graphs
interfaces: dhclient.conf does not cope with multi-line request/require
interfaces: account for multiple UUIDs in VIP deletion
interfaces: more safe iteration through config_read_array()
interfaces: fix wrong DUID-UUID format but keep accepting the wrong one
interfaces: fix regression in selective device delete introduced previously
interfaces: IAID selection and prefix range reservation for WAN DHCPv6
firewall: fix for missing HTML escape in description render in legacy rules GUI
firewall: add an alias formatter to show content fields as "dynamic" when populated by other components
firewall: fix Tabulator regression with alias batch delete
firewall: use safe config iteration in interface registration
firewall: fix unintended change in filtering logic for new rules GUI
firewall: fix action, ipprotocol and protocol translations for legacy rules in new rules GUI
firewall: use safe iteration over rules in filter_core_rules_user()
firewall: add missing exclamation mark for "not" in scrub rules
firewall: fix interface sorting by value for live log and groups
captive portal: remove redirection on HTTPS and ditch non-functional pass statement
dnsmasq: change DHCP tag to DescriptionField
ipsec: move swanctl.conf download button to the tab
ipsec: restyle the connections page for clarity
kea: dynamic prefix delegation support
kea: always start the prefix watcher when DHCPv6 is enabled
kea: cleanups for IntegerField using isSet() and no negative numbers allowed
kea: add decline_probation_period and set lower default to mitigate faulty client implementations to consume the whole pool
kea: add subnet allocator field (contributed by Marcos Della)
kea: add DHCPv4 compatibility options (contributed by Marcos Della)
kea: hook up reservation.next_server (contributed by Ian Munsie)
kea: fix missing visual cues for manual mode in DDNS and DHCPv4/6
monit: sanitize monit output before offering it
network time: cleanse port option before use
network time: small cleanups in ntpd_configure_gps()
unbound: blocklists categorization and apply button message update (contributed by Konstantinos Spartalis)
acl: some missing references and using camelCase pointers instead of snake_case
mvc: add support for pluggable dynamic menu items and move some existing parts out of the MenuSystem class
mvc: stricter email address validation
mvc: OptionsField: use key as value if no value is set
mvc: unify migration message returns
mvc: do not translate empty strings
ui: clean up useRequestHandlerOnGet usage
ui: use space in apply box for the apply reminder
ui: improve form validation error append
ui: tab exclusion for SimpleActionButton
ui: split form button row render as some forms only use save
ui: override selectpicker defaults for translations
ui: hide apply button for specific tabs on multiple pages (contributed by Konstantinos Spartalis)
ui: bootgrid: align datakey with the rest of the options, but allow top-level placement
ui: bootgrid: mark state variables as such
ui: bootgrid: safeguard replace() function
ui: bootgrid: remove unused getTotalRowCount() method
ui: bootgrid: prevent NaN pagination values for non-ajax grids when row count is set to all
ui: bootgrid: clean up converter compatibility code
ui: bootgrid: replace "append" with "replace" for ajax: false grids
ui: bootgrid: adjust column persistence behavior to prevent horizontal dead space
plugins: use safe config iteration in interface registration code
plugins: os-tinc fixes evaluation of hosts enabled flag (contributed by Konstantinos Spartalis)
src: dhclient: improve server and filename validation
src: setcred: fix buffer overflow
src: kern: make sure to drain selinfo sleepers
src: fusefs: handle buggy server LISTXATTR response
src: ptrace: fix validation of PT_SC_REMOTE arguments
src: libcasper: switch from select(2) to poll(2)
src: cap_net: do not allow new limits to drop keys from the old ones
src: ipfw: fix parsing error in nat config port_range
src: ipfw: fix checksum after NAT
src: igmp: Avoid leaving dangling pointers in the state-change queue
src: vxlan: Update *m0 after a pullup
src: routing: use a better error number in sysctl_fibs()
src: routing: initialize V_rt_numfibs earlier during boot
src: pfsync: reject invalid SCTP states
src: pf: do not reject rules with colliding hashes
src: rtnetlink: check for allocation failure in nlattr_get_multipath()
src: rtnetlink: align RTA_MULTIPATH length validation in nlattr_get
ports: nss 3.124
ports: openvpn 2.7.4
ports: php 8.3.31
ports: py-numpy 2.4.4
ports: suricata 8.0.5
ports: unbound 1.25.1
Source:
Tweakers.net