OPNsense 17.7.2 released

OPNsense 17.1.11 released

The following information has been provided by the OPNsense announce mailing list.

Hi all,

An IPv6 problem has finally been fixed which could prevent reclaiming
address leases during an interface reload, especially when OpenVPN was
running.  Thanks to everyone involved in tracking this down!  Also,
the last bits for the new GUI major upgrade feature are now in place.
The 17.7 upgrade path will be unlocked on July 31, which will require
installing one tiny final update.

Here are the full patch notes:

o firmware: added major GUI upgrade code for upcoming 17.7 release
o firmware: added major GUI cron upgrade parameter “ALLOW_RISKY_MAJOR_UPGRADE”
o interfaces: dhcp6c can now properly reload without leaking its
listening socket to e.g. OpenVPN
o rc: allow to optionally prevent launch of configd via rc.conf variable
o openvpn: normalise line endings of used certificates
o openvpn: fix config handling in GUI pages for PHP 7.1
o plugins: os-quagga 1.3.2 (contributed by Fabian Franz and Michael Muenz)
o ports: perl 5.24.2[1]
o ports: strongswan 5.5.3[2]

Stay safe,
Your OPNsense team


[1] http://search.cpan.org/dist/perl-5.24.2/pod/perldelta.pod
[2] https://wiki.strongswan.org/versions/65
_______________________________________________
announce mailing list
announce@lists.opnsense.org
http://lists.opnsense.org/listinfo/announce

OPNsense 17.7-RC2 released

The following information has been provided by the OPNsense announce mailing list.

Hello, hello!

For more than two and a half years now, OPNsense has been driving innovation
through modularising and hardening the open source firewall, with simple
and reliable firmware upgrades, multi-language support, HardenedBSD
security, fast adoption of upstream software updates as well as clear
and stable 2-Clause BSD licensing.

We are writing to you today to announce the first release candidate for
version 17.7, which, over the course of the last 5 months, includes
highlights such as SafeStack application hardening, the Realtek re(4)
driver for network stability, a Quagga plugin with broad routing protocol
support and the Unbound resolver as the new default.  Additionally,
translations for Czech, Chinese, Japanese, Portuguese and German have
been completed during this iteration.

Focus in OPNsense has shifted to improving and streamlining its various
systems and providing continuous updates, which amounts to over 300
individual changes made in 17.1 so far.  The plugin infrastructure is
growing as well thanks to our awesome contributors Frank Wall, Frank
Brendel, Fabian Franz and Michael Muenz.  And we, last but not least,
have been working more closely than ever with HardenedBSD by unifying
our ports infrastructure.  Although this is only the beginning, let us
not skip ahead.

Here is the full list of changes against version 17.7-RC1:

o system: harden GUI by removing TLS_RSA_WITH_3DES_EDE_CBC_SHA
o system: harden GUI by improving Secure Attribute cookie usage
o system: harden GUI by using DH-4096 parameters
o system: regenerate Diffie-Hellman parameters
o system: allow to reverse password / token order in TOTP authentication
o system: added major GUI firmware upgrade code
o interfaces: fix WLAN device clone creation
o interfaces: improve LAGG MTU handling and reconfigure
o interfaces: Host-Uniq configuration option for PPPoE connections
o ipsec: IKEv2 can handle multiple phase 1 with the same IP
o installer: request password change after installation
o installer: now properly advertises itself as version 17.7
o rc: batch-run bootup command before starting services
o openvpn: normalise line endings like web GUI does
o openvpn: fix config read/write on PHP 7.1
o mvc: squelch a PHP notice on an undefined element in
forms (contributed by Evgeny Bevz)
o lang: update Chinese, Czech, German, Japanese
o plugins: enable stable plugins for 17.7
o plugins: os-dyndns 1.1 fixes menu entry visibility
o plugins: os-quagga 1.3.2 (contributed by Fabian Franz and Michael Muenz)
o ports: php 7.0.21[1]
o ports: perl 5.24.2[2]
o ports: suricata 3.2.3[3]
o ports: unbound 1.6.4[4]

The list of currently known issues with 17.7-RC2:

o LAGG device destroy may cause a kernel panic.  A fix is scheduled
for 17.7.
o IPsec inbound packet filtering does not work under NAT-T.  A fix is
scheduled for 17.7.
o PPPoE Host-Uniq is still in the test phase and may not be fully
operational.
o Configuration handling of static PHP is not always compatible with
PHP 7.1 at this point.  We are downgrading to 7.0 for the release of
17.7 to ensure integrity.

Users of 17.7-RC1 can upgrade to RC2 via the usual online updates.  Images
are not provided with this particular release.  As always with our pre-
releases, only OpenSSL is provided at this point, but can be switched for
LibreSSL as soon as the release is available.  This release candidate does
update directly into the 17.7 stable track and subsequent release candidates.
Please let us know about your experience!

Stay safe,
Your OPNsense team


[1] http://php.net/ChangeLog-7.php#7.0.21
[2] http://search.cpan.org/dist/perl-5.24.2/pod/perldelta.pod
[3] https://suricata-ids.org/2017/07/13/suricata-3-2-3-available/
[4] http://www.unbound.net/download.html