Security 10806 Published by

IPFire 2.29 - Core Update 189 is now available for testing. It includes a security fix, a new graph for the Intrusion Prevention System (IPS), and numerous package changes.

The upgrade addresses a security flaw in the IPS that might open the firewall and expose services operating on it to the internet. To address this, changes have been made to the IPS's handling, such as a watcher process that restarts it in the event of an unexpected crash, the ability to skip whitelisted traffic in the iptables ruleset, and IPsec traffic filtering. The update also adds a new graph on the IPS page that divides IPS throughput into three categories: scanned bandwidth, whitelisted traffic, and bypass traffic. Linux Firmware version 20240811 includes updates to various firmware for WLAN and Ethernet interfaces, RAID controllers, and other hardware.





IPFire 2.29 - Core Update 189 is available for testing

IPFire 2.29 - Core Update 189 is ready to be tested. It comes with a security fix and a new graph for the IPS as well as a large number of package updates. It is one of the largest update that we have ever shipped because it brings a large number of new and updated firmware files for a lot of hardware.

Intrusion Prevention System (IPS)

In case of the IPS process crashing, it might open the firewall and expose services that are running on the firewall to the Internet. We did not observe any attackers intentionally crashing Suricata in the real world, but on systems with low memory, the process could be killed to make memory available ( #13764). This is considered a security risk and therefore we recommend to install this update as soon as possible - especially for users of the IPS.

To mitigate this problem, we have made various improvements to the handling of the IPS under the hood. There is now a watcher process active when the IPS is running to restart it in case the IPS crashes unexpectedly. Whitelisted traffic will not be send to the IPS any more to be excluded, but immediately skipped in the iptables ruleset ( #13691). It is now possible to filter IPsec traffic which was excluded before (unless it was coming in or exiting through one of the other scanned interfaces).

There is also a new graph on the IPS page which shows the IPS throughput in three different categories: We show the bandwidth of scanned bandwidth in incoming and outgoing direction, any whitelisted traffic as well as bypassed traffic.

Misc.

  • Linux Firmware has been updated to version 20240811 which brings updates for various firmware of wireless and Ethernet interfaces, RAID controllers and other sorts of hardware. It pushes the download size of this update slightly over 100 MiB.
  • It was fixed that live graphs no longer updated themselves.
  • Updated packages: automake 1.17, bind 9.20.1, cURL 8.10.0, dhcpcd 10.0.10, dtc 1.7.1, expat 2.6.3, gdbm 1.24, GCC 14.2.0, GnuTLS 3.8.7, glibc 2.40, iana-etc 20240813, lua 5.4.7, mcelog 200, meson 1.5.1, OpenSSL 3.3.2, OpenVPN 2.5.10, p11-kit 0.25.5, python3-msgpack 1.0.8, ruby 3.3.4, sudo 1.9.16, sysvinit 3.10, taglib 2.0.2, xfsprogs 6.9.0
  • New packages: autoconf-archive, libxxhash 1.4.0

Add-Ons

  • Updated packages: borgbackup 1.4.0, clamav 1.3.2, ffmpeg 7.0.2, iotop1.26, libvirt 10.7.0, mc 4.8.32, observium-agent 24.4, qemu + qemu-ga 9.0.2, shairport-sync 4.3.4, tshark 4.2.7, zabbix_agentd 6.0.33 (LTS)

IPFire 2.29 - Core Update 189 is available for testing