Security 10769 Published by

IPFire 2.27 - Core Update 175 has been released for testing.  IPFire is a powerful and professional Open Source firewall solution.



IPFire 2.27 - Core Update 175 is available for testing

The forthcoming update, IPFire 2.27 - Core Update 175, is available for testing! Most noteworthy, it updates OpenSSL to the 3.1.0 branch, features a kernel update as well as other package updates and a variety of bug fixes are also included in this update.

OpenSSL 3.1.0

IPFire makes heavy use of this cryptography library, which is why keeping it up to date (without causing any interference to existing installations) is an important task for the development team. Core Update 175 updates OpenSSL to version 3.1.0, for which some work under the hood was necessary, such as ensuring all dependent packages were ready for using OpenSSL's API, which has changed from the 1.1.x series.

To avoid breaking any custom software IPFire users may run on their installations, OpenSSL 1.1.1's files remain untouched on existing installations until the release of Core Update 176. However, please note that  OpenSSL 1.1.1 is scheduled for end of life on September 11, 2023, and ensure any custom changes are made compatible to OpenSSL 3.1.0 as soon as possible.

Linux 6.1.29

This Core Update also features an update of the Linux kernel. Aside from the usual heap of hardware support improvements, bug fixes, and other improvements, this fixes  CVE-2023-32233, a  flaw in Linux' Netfilter subsystem permitting local privilege escalation; IPFire installations properly kept up-to-date are thus not considered to be affected. Nevertheless, IPFire users are advised to install Core Update 175 as soon as possible once released, and reboot their system afterwards.

The kernel now also supports the Armada 38X RTC ( #12856) and Intel's XHCI USB Role Switch feature. In addition, IPFire now supports both the  OrangePi R1 Plus LTS and  NanoPi R2C (plus) SoC.

Miscellaneous

  • The  hostapd add-on now enables QCA vendor extensions to nl80211, improving performance and stability of WiFi networks provided by an IPFire system with Qualcomm and Atheros cards considerably.
  • Legacy firewall rules for PPPoE/PPTP have been dropped, since they are no longer needed, and pose a security risk to IPFire installations with  QMI enabled.
  • In addition, any bogon filtering has been adjusted to no longer interfere with 224.0.0.0/4,  used for multicasting services, such as IPTV.
  • Adolf and Erik have fixed a long-standing bug causing the download of  unencrypted PKCS12 OpenVPN client packages to fail ( #11048).
  • rsnapshot has been contributed by Gerd Hoerst and Jon Murphy as a new add-on.
  • Downloading large  backup files will no longer trigger the OOM killer ( #13096).
  • The size of the boot partition has been extended to 512 MBytes, which is XFS' minimum requirement.
  • Firmware files for APU1 boards are now provided again, to ensure  firmware-update can update even very outdated APU boards properly.
  • The powertop add-on has been removed, since it requires kernel functionalities which have been disabled due to security concerns in  Core Update 171.
  • CUPS' HTTPS websites are no properly accessible again ( #12924).
  • The dbus add-on is now properly terminated after uninstallation ( #13094).
  • Robin Roevens contributed a patch for displaying the logs crated by  Zabbix Agent in IPFire's  web interface.
  • Installation and removal procedure of the alsa add-on have seen notable improvements ( #13087).
  • FUSE mounts in  BorgBackup are now working properly again ( #13076).
  • Updated packages: acpid 2.0.34, apache 2.4.57, apr 1.7.4, aprutil 1.6.3, arping 2.23, automake 1.16.5, bash 5.2 (with patches 1 to 15), bind 9.16.39, grep 3.10, harfbuzz 7.2.0, iproute2 6.3.0, libcap 2.67, libgcrypt 1.10.2, libgpg-error 1.47, libhtp 0.5.43, libpcap 1.10.4, libxml2 2.11.1, linux-firmware 20230404, lvm2 2.03.21, memtest86+ 6.10, newt 0.52.23, OpenSSH 9.3p1, parted 3.6, pciutils 3.9.0, slang 2.3.3, sqlite 3410200, Squid 5.9, Suricata 6.0.11, tzdata 2023b, unbound 1.17.1, xfsprogs 6.2.0, zstd 1.5.5
  • Updated add-ons: 7zip 17.05, amazon-ssm-agent 3.2.582.0, aws-cli 1.27.100, bird 2.0.12, ClamAV 1.1.0, dnsdist 1.8.0, elfutils 0.189, ffmpeg 6.0, freeradius 3.0.26, ghostscript 10.01.1, nfs 2.6.3, opus 1.4, pmacct 1.7.8, Postfix 3.8.0, rng-tools 2.16, samba 4.18.1, sdl2 2.26.5, tcpdump 4.99.4, zabbix_agentd 6.0.16 (LTS)


As always, we thank all people contributing to this release in whatever shape and form. Please help  testing this update, especially if you are using exotic hardware, uncommon network setups, or add-ons, and provide feedback - which is absolutely essential to us.

IPFire 2.27 - Core Update 175 is available for testing