
IPFire 2.29 - Core Update 188 has been released for testing. IPFire is a powerful and professional Open Source firewall solution.



IPFire 2.29 - Core Update 188 is available for testing

We have another HUGE IPFire release available for you. It comes with a large number of important changes for every user out there: a record number of package updates, a refreshed kernel, performance improvements for the Quality of Service, better handling for DHCP leases, an improved build system as well as a new version of OpenSSL and fixes for Intel's latest CPU vulnerabilities.

Please hit the donate button extra hard this time so that we can keep bringing you these kinds of releases with all those exciting changes.

Reducing CPU Usage of the Quality of Service

IPFire employs Quality of Service on all interfaces all of the time. This used to be done with CAKE since Core Update 163, since everything is better with CAKE. And that is a true statement. However, we have found that CAKE has a much higher CPU consumption and could become a bottleneck on devices with a weak processor but fast network interfaces. Therefore we are changing IPFire to use fq_codel by default, which is not the same as CAKE when it comes to saturating a link, but uses significantly less CPU at about 99% of the throughput of CAKE.

When configuring the Quality of Service in the web UI, we will always use CAKE for its advanced features.

A new way to get DHCP leases into DNS

When IPFire hands out an IP address to a device on the local network, it would be nice if that device could be reached by its name, too, and not only by a random IP address. That process used to be done by a bridge which analysed all leases and synchronised them with Unbound, the DNS proxy.

This program has now been rewritten to listen for events from the DHCP server in order to be more flexible and scale better.
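The event-driven approach described above, as an added illustration that is not IPFire's own code: a small handler that reacts to DHCP lease events (assumed event names `commit`, `release`, `expiry`) and keeps A and PTR records in step, using the real `unbound-control` commands `local_data` and `local_data_remove`. It also validates the client-supplied hostname before it reaches the DNS side, since a DHCP client can send an arbitrary string there.

```python
import re
import ipaddress

# A hostname must be one DNS label: letters, digits, hyphens (RFC 1123).
_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


class LeaseDnsSync:
    """Keeps DNS records in step with DHCP lease events (constructed example)."""

    def __init__(self, domain):
        self.domain = domain
        self.records = {}   # ip -> hostname currently published in DNS
        self.commands = []  # unbound-control commands that would be issued

    def _fqdn(self, hostname):
        return f"{hostname}.{self.domain}."

    def _ptr(self, ip):
        return ipaddress.ip_address(ip).reverse_pointer + "."

    def _remove(self, ip, hostname):
        self.commands.append(f"local_data_remove {self._fqdn(hostname)}")
        self.commands.append(f"local_data_remove {self._ptr(ip)}")

    def handle(self, event, ip, hostname=None):
        """Process one lease event; returns True if DNS state changed or is consistent."""
        ipaddress.ip_address(ip)  # raises ValueError on garbage addresses
        if event == "commit":
            # Refuse names that are not a clean label: they would otherwise be
            # passed verbatim into the DNS control channel.
            if not hostname or not _LABEL.match(hostname):
                return False
            old = self.records.get(ip)
            if old == hostname:
                return True  # plain renewal, nothing to republish
            if old is not None:
                self._remove(ip, old)  # same address, new name: drop stale records
            self.records[ip] = hostname
            self.commands.append(f"local_data {self._fqdn(hostname)} A {ip}")
            self.commands.append(f"local_data {self._ptr(ip)} PTR {self._fqdn(hostname)}")
            return True
        if event in ("release", "expiry"):
            old = self.records.pop(ip, None)
            if old is None:
                return False  # nothing published for this address
            self._remove(ip, old)
            return True
        raise ValueError(f"unknown lease event {event!r}")
```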

An Improved Build System

Our custom build system for IPFire has received major improvements across the board. There is now much stronger isolation between the build environment and the host system, in both directions. This enables us to prevent unintended modification of the build source, whether by errors or by compromised third-party source packages. This stronger isolation also allows us to compile IPFire for all architectures on the same machine without any side-effects.

Paired with a lot of code cleanup and robustness improvements, these changes allow the developers to be more efficient and build IPFire faster.

Misc.

  • OpenSSL has been upgraded to 3.3.0. This is the latest production branch which mainly brings support for QUIC.
  • The Intel Microcode has been updated to address a number of security vulnerabilities in their CPUs:
  • Unbound has been updated to version 1.12.0, which solves a problem where the DNS proxy could lock up and become unresponsive for some time
  • Intrusion Prevention System
    • A bug has been fixed where the IPS would not start when the RED interface is a 5G/4G modem using QMI
    • The verbose builtin Suricata rules are no longer enabled by default which will create less noise in the logs
  • This release comes with a fresh kernel based on Linux 6.6.47, a release that includes many bug fixes as well as stability and security fixes
  • A bug was fixed that prevented an interface from starting when it is only used for a VLAN and not as a native interface (#12676)
  • Backups are no longer created with a colon (:) in the filename, which seems to confuse Windows computers (#13734)
  • Updated packages: Apache 2.4.62, bash 5.2.32, btrfs-progs 6.9.2, c-ares 1.32.1, coreutils 9.5, cURL 8.9.1, cyrus-sasl 2.1.28, e2fsprogs 1.47.1, exfatprogs 1.2.5, findutils 4.10.0, fmt 11.0.2, gettext 0.22.5, hwdata, iana-etc 20240701, intel-microcode 20240813, iproute2 6.10.0, knot 3.3.8, less 661, libarchive 3.7.4, libassuan 3.0.1, libcap 2.70, libcap-ng 0.8.5, libgcrypt 1.11.0, libgpg-error 1.50, libinih 58, libjpeg 3.0.3, libnet 1.3, libnl-3 3.10.0, libqmi 1.34.0, libsodium 1.0.20, libtiff 4.6.0, libtirpc 1.3.5, libusb 1.0.27, libuv 1.48.0, libxml2 2.13.3, libxslt 1.1.42, linux-atm 2.5.2, lz4 1.10.0, man-pages 6.9.1, nasm 2.16.03, ncurses 6.5, OpenSSL 3.3.0, pcre2 10.44, poppler 24.08.0, readline 8.2.13, rrdtool 1.9.0, shadow 4.16.0, sqlite 3.46.1, unbound 1.21.0, util-linux 2.40.2
  • The web UI has received a large number of patches, mostly backported from other development branches. They clean up code, remove unused functions and bring in new ones to keep our framework tidy and extensible. There are now some new widgets for service status, a refactored connections list, and many more smaller improvements.

Add-Ons

  • Updated packages: bird 2.15.1, bwm-ng 0.6.3, CUPS 2.4.10, ddrescue 1.28, epson-inkjet-printer-escpr 1.8.5, fetchmail 6.4.39, fping 5.2, Freeradius 3.2.5, FRR 10.1, Ghostscript 10.03.1, Git 2.46.0, haproxy 3.0.3, hostapd 2.11, hplip 3.24.4, iperf 2.2.0, keepalived 2.3.1, nagios-plugins 2.4.11, nano 8.1, ncat 7.95, ncdu 1.20, netatalk 3.2.5, netsnmpd 5.9.3, nginx 1.26.1, nmap 7.95, oci-cli 3.45.2, pmacct 1.7.9, rng-tools 6.17, samba 4.20.4, SDL2 2.30.6, strace 6.10, stunnel 5.72, tshark 4.2.6
  • The Wireless Access Point UI has received major refactoring and now supports SSIDs in UTF-8 format
