Software update: OPNsense 26.1.10
The OPNsense package is a firewall with extensive capabilities. It is based on the FreeBSD operating system and was originally a fork of m0n0wall and pfSense. The package can be configured entirely through a web interface and supports, among other things, MFA, OpenVPN, IPsec, CARP and captive portal. It can also perform packet filtering and includes a traffic shaper. The developers behind OPNsense have released the tenth update for version 26.1, and the release notes for that release can be found below.
OPNsense 26.1.10 released

This update is the obvious answer to recent reports throughout the ecosystem: There are 3 core security issues fixed, FreeBSD security advisories, third party updates as well as assorted fixes plus improvements in the new rules GUI.
The firmware page had a number of minor regressions that should be sorted out with this release. They did not affect updates, but made the process a bit less smooth than usual. Be assured that each minor update is tested quite extensively, but non-functional issues like these can always slip through a test cycle and will be found in the next one. In the worst case that means two stable releases: the issues appeared with 26.1.8 but were not visible before 26.1.9 was being tested.
Under the hood the preparation for Source NAT migration, MVC/API support for interface assignments and FreeBSD 15.1 support is underway. We expect a 26.7-BETA in the near future once we are satisfied with the overall quality.
Here are the full patch notes:

system: routing: changed "disable" option to "enable"
system: dashboard: explicitly compact on layout shift if there is no predefined layout
system: dashboard: update result on default restore
interfaces: parse ifconfig output despite exit error in legacy_interfaces_details()
interfaces: hostwatch: pin warning banner to enabled flag
firewall: always show automatic and legacy rules in new rules GUI
firewall: add banner if no rules defined in new rules GUI to match legacy GUI
firewall: use strnatcasecmp() for interface list in new rules GUI
firewall: fix typo that prevented queues to be selectable in pf-based traffic shaping
firewall: escape shaper targets in rule edit
dnsmasq: change widget link from settings to leases page
firmware: stop buffering in sed to fix chunked update log output
firmware: retain ordering in update servers for connectivity check
firmware: allow "local" business mirror subscription
firmware: put clickable trailer for community plugins
firmware: fix return value masking during updates
firmware: opnsense-update: do not clean obsolete files on manual -r invokes
intrusion detection: fix drop and alert buttons on rules tab
ipsec: disable scroll in authentication and children grids
ipsec: validate the use of refid in CA certificates
kea: prevent converting the decimal prefix_id using hexdec() for dynamic PD
openvpn: fix client export not showing common names
openvpn: require an integer of at least 1 for "vpnid" field
mvc: add new validators to TextField: AllowSpaces, AllowNewlines, AllowSpecial and introduce new StrictTextField
mvc: strict alphanumeric-only regex for certificate refid
mvc: simplify assorted option values to reduce duplication
mvc: static header support for forms
rc: move system_powerd_configure() to bootup plugin hook
ui: bootgrid: allow column selection exclusions
ui: allow passing of data attributes for select items in setFormData()
ui: remove banner on inline reload if applicable
ui: button padding when injecting next to apply button
ui: fix spurious padding in apply button section
plugins: os-cloudflared 1.0
plugins: os-frr 1.53
plugins: os-rfc2136 1.10
plugins: os-stunnel fix for missing include in script
plugins: os-telegraf 1.12.15
src: missing permission check in thr_kill2
src: arbitrary file overwrite via the KTLS receive path
src: multiple vulnerabilities in the sound mmap path
src: sigqueue missing capability mode restriction
src: use-after-free bug in the IPV6_MSFILTER socket option handler
src: flaw in Linuxulator execution of setugid binaries
src: ASLR bypass for setuid executables via procctl
src: integer overflow in vt CONS_HISTORY ioctl
src: openssl: fix multiple vulnerabilities
src: ldns: fix query response validation
src: netlink: fix lock leak in nl_find_nhop
src: pf: avoid taking the pf rules write lock in a couple of ioctls
src: ipfw: add ability to run ipfw binary with 15.0+ kernel module
src: ipfw: treat ipv6 address with zero mask as "any"
ports: dnsmasq 2.93
ports: filterlog 0.8 changes rule label fetch to libpfctl
ports: openssl 3.0.21
ports: phalcon 5.14.2
ports: phpseclib 3.0.55
ports: py-duckdb 1.5.3
ports: py-numpy 2.4.6
ports: python 3.13.14
ports: sqlite3 3.53.1
ports: strongswan 6.0.7
Source:
Tweakers.net