21.4 Series
The OPNsense business edition moves into a new era with this 21.4 release. Note that the version numbers are now diverging from the community edition to make it easier to distinguish between the two. The next major update will be 21.10 in October.
Download link is as follows. An installation guide [1] and the checksums for the images can be found below as well.
https://downloads.opnsense.com/
21.4.3 (August 11, 2021)
This business release is based on the OPNsense 21.1.8 community version with additional reliability improvements.
The OpenVPN advisory tracked as CVE-2020-15078 does not affect the provided version 2.4.11, but the security audit will falsely flag it as vulnerable because the source of the audit is FreeBSD where OpenVPN was migrated to 2.5 series already.
API errors during the update can appear but are a harmless side effect of the MVC framework major version transition to Phalcon 4. The system will reboot as normal. Make sure to clear your browser cache if the check for updates does not seem to work afterwards and/or double-check with a different browser.
Here are the full patch notes:
system: use ifinfo counters instead of pfctl in interface widget
system: prevent excessive config writes on LDAP import
system: do not split XMLRPC password into multiple pieces
system: fix IPv4 /31 assignment address assignment in shell
system: raised PHP memory limit to 1G
system: enable group sync for LDAP servers that do not return memberOf (contributed by rdd2)
system: isvalidpid() is not required for a single killbypid()
system: hide far gateway option for IPv6
system: Norwegian translation (contributed by Stein-Aksel Basma)
system: add HA sync entry for live log templates
system: add shell inactivity timeout feature for csh/tcsh
system: add Syslog-ng TLS transport options
system: remove unrelated service restarts from filter_configure_xmlrpc()
system: rotate interface statistics widget (contributed by FingerlessGloves)
interfaces: clear PPPoE SLAAC addresses on linkdown
interfaces: do not check for existing CARP interfaces midstream
interfaces: refactor IP address removal on configure
interfaces: set tunnel flag for IPv4 tunnel plus cleanups
interfaces: interface_configure() checks for enabled already
firewall: make sure net.pf.request_maxcount and table-entries are always aligned
firewall: add live log support for new filterlog format
firewall: set label for obsolete rule in live log (contributed by kulikov-a)
firewall: let live log use the newly provided rule log label instead of guessing it
firewall: calculate wildcard netmasks in aliases
dhcp: fix processing domain search list on static IPv6
dhcp: support ignore-client-uids in DHCPv4 (contributed by Kacper Why)
firmware: mask subscription in GUI output
firmware: add version/date header into check script as well
firmware: show update pending hint in system widget
firmware: add “-q” option for in-place opnsense-bootstrap run
firmware: fix grep call on FreeBSD 13 (contributed by Mariusz Zaborski)
firmware: correct return code on type change in opnsense-update
firmware: fix opnsense-code pull when ABI configuration is no longer there
firmware: fix upgrade with multiple repositories enabled
installer: assorted wording improvements
openvpn: fix invalid rules generated by wizard (contributed by kulikov-a)
openvpn: return empty list when /api/openvpn/export/accounts/ is called without parameters
console: throw error when opnsense-importer encounters an encrypted config.xml
mvc: catch all errors including syntax and class not found errors
mvc: bring back bind_textdomain_codeset() to fix possible faulty page rendering
mvc: migrated framework to Phalcon 4
mvc: return UUID in ApiMutableModelControllerBase::validateAndSave() if applicable
plugins: added variants support to share plugin code over different third-party software versions
plugins: added NO_ABI marker to themes
plugins: remove the use of $main_buttons in relevant code
plugins: compatibility fixes with Phalcon 4
plugins: os-acme-client 2.6 [1]
plugins: os-etpro-telemetry 1.5 exclude stale data from telemetry upload
plugins: os-freeradius 1.9.15 [2]
plugins: os-haproxy 3.4 [3]
plugins: os-maltrail 1.8 [4]
plugins: os-nut 1.8 [5]
plugins: os-telegraf 1.11.0 [6]
plugins: os-zabbix-agent 1.9 [7]
plugins: os-zabbix4-proxy is now a plugin variant
plugins: os-zabbix5-proxy is now a plugin variant
src: axgbe: make sure driver works on V1000 platform and remove unnecessary reset
src: axgbe: remove unneccesary packet length check
ports: clog 1.0.2 fixes garbage header write on init
ports: curl 7.78.0 [8]
ports: filterlog adds CARP IPv6 support and moves label to previously reserved spot
ports: isc-dhcp 4.4.2-P1 [9]
ports: libxml 2.9.12 [10]
ports: nss 3.67 [11]
ports: openldap 2.4.59 [12]
ports: openssl 1.1.1l [13]
ports: pcre2 10.37 [14]
ports: phalcon 4.1.2 [15]
ports: php 7.4.20 [16]
ports: sudo 1.9.7p1 [17]
ports: suricata 5.0.7 [18]
A hotfix release was issued as 21.4.3_8:
system: prevent expired or intermediate CA certificates from being added to trust store by default
system: fix unescaped source field used for password in backup plugins
firewall: fix long comment preventing IPFW reload (contributed by Robin Schneider)
firmware: enable upgrade path to 21.10
firmware: undo masking vulnerability URLs in FreeBSD due to UUID use
firmware: correctly announce major upgrade reboot in status return
firmware: do not fetch GeoIP database from business mirrors without a subscription
backend: catch broken pipe on event handler (contributed by kulikov-a)
21.4.2 (July 09, 2021)
This business release is based on the OPNsense 21.1.6 community version with additional reliability improvements.
The OpenVPN advisory tracked as CVE-2020-15078 does not affect the provided version 2.4.11, but the security audit will falsely flag it as vulnerable because the source of the audit is FreeBSD where OpenVPN was migrated to 2.5 series already.
Here are the full patch notes:
system: add audit log target and move related syslog messages there
system: allow to edit gateway entries with non-conforming names
system: correctly enforce “Disable writing log files to the local disk” when circular logs are not used
system: delete previous route when changed
system: fix PHP 7.4 deprecated warning in IPv6 library
system: lock config writes during HA merges
system: make web GUI restart action usable in cron jobs (contributed by Frank Wall)
system: set HSTS max-age to 1 year (contributed by Maurice Walker)
interfaces: add policy-based routing support for “dynamic” interface gateways
interfaces: disable legacy CSRF output buffering when downloading a packet capture
interfaces: execute OpenVPN device creation earlier during boot
interfaces: remove non-tunnel restriction from address collection
interfaces: return scoped link-local in get_configured_ip_addresses()
interfaces: revise approach to clear states when WAN address changes
interfaces: system match for primary address only works with compressed IPv6
firewall: NPTv6 configuration clean-up (contributed by Maurice Walker)
firewall: add live log filter templates feature (contributed by kulikov-a)
firewall: change live log address/port group matcher to correctly flip logic
firewall: explicit default for filter rule association in NAT port forwards
firewall: live log widget multiple interfaces and inspect feature (contributed by kulikov-a)
firewall: possibility to filter nat/rdr action in live log
firewall: prevent controls overlap in live log (contributed by kulikov-a)
firewall: remove redundant NPTv6 binat rule (contributed by Maurice Walker)
captive portal: fix GUI drop session issue
dhcp: compress expanded IPv6 lease addresses for clean match with system
dhcp: on the GUI pages avoid the use of dhcpd_dhcp_configure()
dnsmasq: use dhcpd_staticmap() for lease registration
firmware: allow manual development override on business subscription
firmware: push automatic flags to firmware frontend
intrusion detection: add YAML tag to custom.yaml.sample
intrusion detection: fix alert reads from eve.json
ipsec: add “keyingtries” phase 1 configuration option
lang: updated available translations
openvpn: remove now defunct OpenSSL engine support
openvpn: return “result” instead of “status” in export
unbound: cleanse blacklist domain input
unbound: honour space as “domainsearchlist” separator
unbound: match whole entry in blacklists (contributed by kulikov-a)
unbound: use dhcpd_staticmap() for lease registration
rc: unconditionally configure routing on rc.syshook start facility
ui: change service restart icons to fa-repeat
ui: order interfaces in groups
ui: prevent translation line breaks from breaking JS
ui: sidebar menu fix for long listings (contributed by Team Rebellion)
ui: switch firewall category icon for clarity
ui: update chartjs-plugin-streaming to 1.9.0
ui: upgrade chart.js to 2.9.4
plugins: os-acme-client 2.5 [1]
plugins: os-chrony 1.3 [2]
plugins: os-dyndns 1.24 [3]
plugins: os-fetchmail 1.0 (contributed by Michael Muenz)
plugins: os-freeradius 1.9.12 [4]
plugins: os-haproxy 3.3 [5]
plugins: os-intrusion-detection-content-et-open 1.0.1 adds emerging-inappropriate ruleset
plugins: os-OPNcentral 1.1 adds compatibility for new firmware API
plugins: os-qemu-guest-agent 1.0 (contributed by Frank Wall)
plugins: os-relayd 2.5 [6] (sponsored by Modirum)
plugins: os-telegraf 1.10.1 [7]
plugins: os-zabbix4-proxy 1.3 [8]
plugins: os-zabbix5-proxy 1.5 [9]
src: SMAP bypass [10]
src: pms data corruption [13]
src: libcasper: fix descriptors numbers [14]
src: linux: prevent integer overflow in futex_requeue [15]
ports: filterlog 0.4 adds label support to output if applicable
ports: libxml fix for CVE-2021-3541
ports: nss 3.65 [16]
ports: openssh 8.6p1 [17]
ports: php 7.3.28 [18]
ports: py-yaml 5.4.1
ports: sqlite 3.35.5 [19]
ports: squid 4.15 [20]
ports: sudo 1.9.7 [21]
ports: syslog-ng 3.32.1 [22]
21.4.1 (June 02, 2021)
This business release is based on the OPNsense 21.1.5 community version with additional reliability improvements.
The OpenVPN advisory tracked as CVE-2020-15078 does not affect the provided version 2.4.11, but the security audit will falsely flag it as vulnerable because the source of the audit is FreeBSD where OpenVPN was migrated to 2.5 series already.
Here are the full patch notes:
system: lighttpd include directory for configuration (contributed by Greelan)
system: remove /dev/crypto GUI support
system: add route address family return on dynamic gateway
system: allow CPU temperature display in Fahrenheit in widget (contributed by Team Rebellion)
system: performance enhancement for local_sync_accounts()
system: move extensions out of a certificate DN (contributed by kulikov-a)
system: fix restore copy in console recovery
interfaces: treat deprecated addresses as non-primary
interfaces: improve guess_interface_from_ip() (contributed by vnxme)
firewall: resolve IP addresses in kernel for force gateway rule
firewall: use tables in the shaper to avoid breaking ipfw with too many addresses
firewall: clarify help text for firewall rules traffic direction (contributed by Greelan)
firewall: sticky filter-rule-association setting for none/pass on copied items
firewall: copy and paste for alias content (contributed by kulikov-a)
firewall: improve loopack visibility
reporting: format 24 hour timestamps in traffic graphs and widget
dhcp: add dhcpd_staticmap() and fix DHCPv6 leases page with it
dhcp: add “none” option to gateway setting of static mappings
firmware: separate update error for “forbidden”
firmware: update error if upstream core package is missing yet installed
firmware: opnsense-patch now also invalidates the menu cache
installer: migrate to scripted solution using bsdinstall
ipsec: validation to prevent saving of route-based tunnels with “install policy” set
ipsec: automatic outbound NAT rules missed mobile clients
ipsec: fix typo in autogenerated rules for virtual IP use
unbound: prefer domain list over host file format (contributed by Gareth Owen)
rc: attempt to create /tmp if it does not exist
rc: add opensolaris module load for ZFS
rc: reverse list on stop action
ui: prevent autocomplete in the quick navigation
plugins: os-bind 1.17 [1]
plugins: os-chrony 1.2 [2]
plugins: os-debug 1.4 changes debugging profile to new version
plugins: os-freeradius 1.9.11 [3]
plugins: os-haproxy 3.2 [4]
plugins: os-intrusion-detection-content-et-open 1.0
plugins: os-maltrail 1.7 [5]
plugins: os-netdata 1.1 [6]
plugins: os-nginx 1.22 [7]
plugins: os-nginx expected MIME type fix (contributed by Kimotu Bates)
plugins: os-smart 2.2 JSON conversion (contributed by Arnav Singh)
plugins: os-telegraf 1.10.0 [8]
plugins: os-theme-rebellion 1.8.7 (contributed by Team Rebellion)
plugins: os-wireguard 1.6 [9]
plugins: os-zabbix5-proxy 1.4 [10]
src: axgbe: check for IFCAP_VLAN_HWTAGGING when reading descriptor
src: axgbe: add 1000BASE-BX SFP support
src: accept_filter: fix filter parameter handling [11]
src: vm_fault: shoot down multiply mapped COW source page mappings [12]
src: mount: disallow mounting over a jail root [13]
src: em: add support for Intel I219 V10 device
src: em: fix a null de-reference in em_free_pci_resources
src: bsdinstall: switch to OPNsense branding
src: race condition in aesni(4) encrypt-then-auth operations [14]
ports: curl 7.77.0 [15]
ports: dnsmasq 2.85 [16]
ports: expat 2.4.1
ports: hyperscan 5.4.0 [17]
ports: monit 5.28.0 [18]
ports: nettle 3.7.2
ports: phpseclib 2.0.31 [19]
ports: pkg 1.16.3
21.4 (April 08, 2021)
The OPNsense business edition moves into a new era with this 21.4 release. Note that the version numbers are now diverging from the community edition to make it easier to distinguish between the two. The next major update will be 21.10 in October.
Download link is as follows. An installation guide [1] and the checksums for the images can be found below as well.
https://downloads.opnsense.com/
This business release is based on the OPNsense 21.1.4 community version with additional reliability improvements.
Here are the full patch notes:
system: use authentication factory for web GUI login
system: allow case-insensitive matching for LDAP user authentication
system: removed unused gateway API dashboard feed
system: removed spurious comma from certificate subject print and unified underlying code
system: harden web GUI defaults to TLS 1.2 minimum and strong ciphers
system: generate a better self-signed certificate for web GUI default
system: allow self-signed renew for web GUI default (using “configctl webgui restart renew”)
system: allow subdirectories in NextCloud backup (contributed by Lorenzo Milesi)
system: first backup is same as current so ignore it on GUI and console
system: optionally allow TOTP users to regenerate a token from the password page
system: set hw.uart.console appropriately
system: reconfigure routes on bootup
system: relax gateway name validation
system: ignore disabled gateways in dpinger services
system: choose a better bind candidate for IPv4 in dpinger
system: do not trim string fields in upstream XMLRPC library
system: fix export API keys reload issue on Safari
system: retain index after tunables sorting in 21.1.1
system: fix firewall log widget update on small fixed number of entries
system: replace traffic graphs in widget using chart.js
system: make StartTLS work when retrieving LDAP authentication containers (contributed by Christian Brueffer)
system: fix IPv6 route deletion on status page
system: prevent duplicate dashboard traffic pollers mangling with the graphs
system: added cron job “HA update and reconfigure backup”
system: unify HA sync sections and remove legacy blocks
system: adapt lighttpd ssl.privkey approach
system: correctly remove routing entries directly connected to an interface
system: fix dashboard traffic widget load behaviour (contributed by kulikov-a)
system: fix dashboard widget title regression
system: add assorted missing configuration sections for high availability sync
system: restart web GUI with delay from services to prevent session disconnect
system: improve error reporting in LDAP authentication (contributed by kulikov-a)
system: changed USB serial option to use “on” instead of problematic “onifconsole”
system: ignore garbled data in log lines
system: fix single core activity display
system: return authentication errors for RADIUS also
system: better logic for serial console options -h and -D
system: reorder loader.conf settings to let tunables override all
interfaces: defer IPv6 disable in interface code to ensure PPP interfaces do exist
interfaces: no longer assume configuration-less interfaces can reach static setup code
interfaces: fix PPP links not linking to its advanced configuration page
interfaces: read deprecated flag, allow family spec in (-)alias calls
interfaces: fix address removal in IPv6 CARP case
interfaces: pick proper route for 6RD and 6to4 tunnels
interfaces: support 6RD with single /64 prefix (contributed by Marcel Hofer)
interfaces: work around slow manufacturer lookups in py-netaddr 0.8.0
interfaces: unhide primary IPv6 in overview page
interfaces: fix IPv6 misalignment in get_interfaces_info()
interfaces: correct dhcp6c configuration issue on PPPoE link down (contributed by Team Rebellion)
interfaces: better primary IPv6 address detection in diagnostic tools
interfaces: handle disabled interfaces in overview
interfaces: drop early return in PPPoE link down
interfaces: remove unused global definitions
interfaces: immediately enable SLAAC during IPv6 initiation
interfaces: fix a typo in the GIF setup code
firewall: support category filters for firewall and NAT rules [2] (sponsored by Modirum)
firewall: add live log “host”, “port” and “not” filters
firewall: create an appropriate max-mss scrub rule for IPv6
firewall: fix anti-spoof option for separate bridge interfaces
firewall: display zeros and sort columns in pfTables (contributed by kulikov-a)
firewall: relax schedule name validation
firewall: fix off-by-one error in alias utility listing
firewall: fix live log matching with “or” and empty filter (contributed by kulikov-a)
firewall: change order of shaper delay parameter to prevent parser errors
firewall: fix multiple PHP warnings regarding category additions
firewall: fix icon toggle for block and reject (contributed by ElJeffe)
firewall: typo in outbound alias use (contributed by kulikov-a)
firewall: rules icon color after toggle fix (contributed by kulikov-a)
firewall: allow to select rules with no category set
firewall: sort pfTable results before slice (contributed by kulikov-a)
firewall: make categories work with numbers only (contributed kulikov-a)
reporting: prevent calling top talkers when no interfaces are selected
reporting: cleanup deselected interface rows in top talkers
reporting: prevent NetFlow crash when interface number is missing
reporting: fix sidebar menu collapse for NetFlow link (contributed by Maurice Walker)
reporting: prevent crash when NetFlow attributes are missing
reporting: aggregate iftop results for traffic graphs
reporting: skip damaged NetFlow records
captive portal: validate that static IP address exists when writing the configuration
dhcp: hostname validation now includes domain
dhcp: use same logic as menu figuring out if DHCPv6 page is reachable from leases
dhcp: correct DHCPv6 custom options unsigned integer field (contributed by Team Rebellion)
dhcp: added toggle for disabling RDNSS in router advertisements (contributed by Team Rebellion)
dhcp: removed the need for a static IPv4 being outside of the pool (contributed by Gauss23)
dhcp: add min-secs option for each subnet (contributed by vnxme)
dhcp: correct help text for IPv6 ranges (contributed by Team Rebellion)
dhcp: remove obsolete subnet validation for static entries
dnsmasq: remove advanced configuration in favour of plugin directory
dnsmasq: use domain override for static hosts
firmware: disable autoscroll if client position differs
firmware: remove spurious *.pkgsave files and offload post install bits to rc.syshook
firmware: repair display of removed packages during release type transition
firmware: add ability to run audits from the console
firmware: show repository in package and plugin overviews
firmware: opnsense-update -t option executes after -p making it possible to run them at once
firmware: opnsense-update -t option now also uses recovery code introduced recently for -p
firmware: opnsense-update -vR no longer emits “unknown” if no version was found
firmware: opnsense-verify -l option lists enabled package repositories
firmware: add crypto package to health check
firmware: fix two JS tracker bugs
firmware: assorted non-breaking changes for upcoming firmware revamp
firmware: add product status backend for upcoming firmware page redesign
firmware: opnsense-code will now check out the default release branch
firmware: opnsense-update adds “-R” option for major release selection
firmware: opnsense-update will now update repositories if out of sync
firmware: opnsense-update will attempt to recover from fatal pkg behaviour
firmware: opnsense-update now correctly redirects stderr on major upgrades
firmware: opnsense-update now retains vital flag on faulty release type transition
firmware: opnsense-bootstrap shellcheck audit (contributed by Michael Adams)
firmware: revamp the UI and API
firmware: revoke old business key
firmware: fix compatibility regression with IE 11
firmware: refine missing/invalid signature message during health check (contributed by Erik Inge Bolso)
firmware: zap changelog remove description (contributed by Jacek Tomasiak)
firmware: make status API endpoint synchronous when using POST
firmware: migrate subscription to business release package
firmware: fix bug with subscription read from mirror URL
intrusion detection: replace file-based policy changes with detailed filters
intrusion detection: prevent flowbits:noalert from being dropped
intrusion detection: fix policies not matching categories
intrusion detection: clean up rule based additions to prevent collisions with the new policies
intrusion detection: add new Abuse.ch feed ThreatFox to detect indicators of compromise
intrusion detection: make manual rule status boolean for policies (contributed by kulikov-a)
ipsec: NAT with multiple phase 2 [3] (sponsored by m.a.x. it)
ipsec: prevent VTI interface to hit spurious 32768 limit
ipsec: allow mixed IPv4/IPv6 for VTI
ipsec: phase2 local/remote network check does not apply on VTI interfaces
ipsec: calculate netmask for provided tunnel addresses when using VTI
ipsec: do not pin reqid in case of mobile connections
monit: minor bugfixes and UI changes (contributed by Manuel Faux)
openvpn: added toggle for block-outside-dns (contributed by Julio Camargo)
openvpn: hide “openvpn_add_dhcpopts” fields when not parsed via the backend
openvpn: extend compression options (contributed by vnxme)
openvpn: remove checks for NTP servers 3 and 4 (contributed by Christian Brueffer)
unbound: allow /0 in ACL network
unbound: default to SO_REUSEPORT
unbound: update documentation URL (contributed by xorbital)
unbound: handle DHCP client expiring and returning (contributed by Gareth Owen)
unbound: Fix PTR records for DHCP endpoints (contributed by Gareth Owen)
web proxy: add GSuite and YouTube filtering (contributed by Julio Camargo)
web proxy: fix ownership issue on template directory
mvc: do not discard valid application/json content type headers
mvc: make sure isArraySequential() is only true on array input
mvc: speed up processing time when over 2000 users are selected in a group
mvc: add locking in JsonKeyValueStoreField type
mvc: change LOG_LOCAL4 to LOG_LOCAL2 in base model
images: use UFS2 as the default for nano, serial and vga
images: support UEFI boot in serial image
rc: opnsense-beep utility wrapper including manual page
rc: support reading JSON metadata from plugin version files
ui: add tooltips for service control widget
ui: move sidebar stage from session to local storage
ui: upgrade Tokenize2 to v1.3.3
ui: format packet count with toLocaleString() in interface statistics widget (contributed by bleetsheep)
ui: add compatibility for JS replaceAll() function
ui: refactor bootgrid usage in ARP, NDP, captive portal session, system activity and routes
ui: align layouts of select_multiple and dropdown types
ui: use HTTPS everywhere (contributed by Robin Schneider)
ui: bootgrid translation compatibility with Internet Explorer 11 (contributed by kulikov-a)
plugins: increase revision number for all plugins to force installation of metadata added in 21.1.1
plugins: provide JSON metadata in plugin version files
plugins: add service annotations to supported plugins
plugins: os-acme-client 2.4 [4]
plugins: os-bind 1.16 [5]
plugins: os-dyndns GratisDNS apex domain fix (contributed by Fredrik Rambris)
plugins: os-freeradius 1.9.10 [6]
plugins: os-frr 1.21 [7]
plugins: os-haproxy 3.1 [8]
plugins: os-maltrail 1.6 [9] (contributed by jkellerer)
plugins: os-nginx 1.21 [10]
plugins: os-node_exporter 1.1 [11]
plugins: os-postfix 1.18 [12]
plugins: os-rspamd 1.11 [13]
plugins: os-smart adds cron jobs for useful actions (contributed by Jacek Tomasiak)
plugins: os-stunnel 1.0.3 adds client mode (contributed by Nicola Bonavita)
plugins: os-telegraf 1.9.0 [14]
plugins: os-theme-cicada 1.28 (contributed by Team Rebellion)
plugins: os-theme-tukan 1.25 (contributed by Team Rebellion)
plugins: os-theme-vicuna 1.4 (contributed by Team Rebellion)
plugins: os-wireguard 1.5 [15]
plugins: os-wol 2.4 fixes dashboard widget (contributed by kulikov-a)
src: fix AES-CCM requests with an AAD size smaller than a single block
src: introduce HARDEN_KLD to ensure DTrace functionality
src: refine pf_route* behaviour in PF_DUPTO case for shared forwarding
src: assorted upstream fixes for ipfw, iflib, multicast processing and pf
src: netmap tun(4) support adds pseudo addresses to ethernet header emulation (contributed by Sunny Valley Networks)
src: add a manual page for axp(4) / AMD 10G Ethernet driver
src: fix traffic graph not showing bandwidth when IPS is enabled
src: panic when destroying VNET and epair simultaneously [16]
src: uninitialized file system kernel stack leaks [17]
src: Xen guest-triggered out of memory [18]
src: update timezone database information [19]
src: jail: Handle a possible race between jail_remove(2) and fork(2) [20]
src: jail: Change both root and working directories in jail_attach(2) [21]
src: x86: free microcode memory later [22]
src: xen-blkback: fix leak of grant maps on ring setup failure [23]
src: rtsold: auto-probe point to point interfaces
src: growfs: update check-hash when doing large filesystem expansions
src: axgbe: change default parameters to prevent manual tunable settings
src: arp: avoid segfaulting due to out-of-bounds memory access
src: fix multiple OpenSSL vulnerabilities [24]
src: axgbe: enable receive all mode to bypass the MAC filter to avoid dropping CARP MAC addresses
ports: ca_root_nss / nss 3.63 [25]
ports: curl 7.75.0 [26]
ports: dnsmasq 2.84 [27]
ports: igmpproxy 0.3 [28]
ports: krb5 1.19.1 [29]
ports: libressl 3.2.5 [30]
ports: lighttpd 1.4.59 [31]
ports: monit 5.27.2 [32]
ports: openldap 2.4.58 [33]
ports: openssh fix for double free in ssh-agent [34]
ports: openssl 1.1.1k [35]
ports: perl 5.32.1 [36]
ports: php 7.3.27 [37]
ports: pkg now provides fallback for version mismatch on pkg-add
ports: py-netaddr 0.8.0 [38]
ports: python 3.7.10 [39]
ports: sqlite 3.34.1 [40]
ports: squid 4.14 [41]
ports: sudo 1.9.6p1 [42]
ports: suricata 5.0.6 [43]
ports: syslog-ng 3.31.2 [44]
ports: unbound 1.13.1 [45]
ports: wpa_supplicant p2p vulnerability [46]
The public key for the 21.4 series is:
# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAtiv4C8TPBnVAxUS+xW3W
# uYhAOuLCZPA6F22Qatit4PVHI7AzfLbGjCQFZqjO+HRPVCmeiyggQWE4ZBOQrhbq
# Em/NqmnDVos2rdGfEvp5miY4fstebtHI9CPv26QswgO7bsoJuCUoSmtGTbgNXyaF
# ueNYTSXNEpWu35tQS830NCLW5Y6elfK99gxmNChlGdlz0wchaSA+myR6xH+TUw8L
# D+87Tny/R2guC9Q0XnsKpKeOMxkNh0X3H0GsmcWmyV0rGAiMh6GuJXIN/yhNMkaD
# wuHomqxd1OAyGLz9BjDNRKZ+b+y0iVpEx3qsDWlradtf8sUKZHJ96lf0jCRhEPvl
# v1+QkAOzsauWBr3UtFbkKfHONpuwb5XVNgAJzFIRrnGhmWRXD7liiShOP4O+KBP1
# Dzxs/X0plXgX2hOgzMbtgCMj4M1sV5HhKUrwiyqBpoe5nESJVrQ/DxETwEZIFoHy
# hwQxd/DDp7uJmZlCkveuZeUAo7pfTUVchDpe2GB54bHEhIn3OES93PURMQtQxB12
# mubV52vcfvzLnbv5FL5lMK/cgl64ip2bRu1jcB3wsKrKcGyUbtYJQDnHpowWrs5h
# RdMHSfLyaC8ROMKhZmJTe141wr5p8d+NmgjlDblnNmUJ0jHVJeP0+RO/OcY/o3Zt
# 2MxL1Yp2cUu2l1HEmyrCsIcCAwEAAQ==
# -----END PUBLIC KEY-----
# SHA256 (OPNsense-business-21.4-OpenSSL-dvd-amd64.iso.bz2) = c7d5ff7e98af2be042b62b452aa4acfc38c00719bd739eb1e88c036ee612fbfd
# SHA256 (OPNsense-business-21.4-OpenSSL-nano-amd64.img.bz2) = 6201854edbdf8d08a03a85d2ec41dffb1cd19a68da9ee293d7268371d583e0c1
# SHA256 (OPNsense-business-21.4-OpenSSL-serial-amd64.img.bz2) = 6b33e1d9bcc5491286643200f4832040920bbc44fc8af67f895f16ef87c83a9b
# SHA256 (OPNsense-business-21.4-OpenSSL-vga-amd64.img.bz2) = 516eac14099ff10a9b8616780b0fe3418cef6d684cc1a994d77fa930e0989e7e