15.7 “Brave Badger” Series¶
While the summer is hot, we push forward to what now is 15.7 – nicknamed ‘Brave Badger’ – right in front of you. A lot of effort went into this project during the past 6 months, and we dare say it has been worth all of it. We would like to thank our followers and friends and feedback givers and forum lurkers and contributors and doubters and supporters that helped to make 15.7 what it is. We wouldn’t be here without any of you. Thank you.
In itself, 15.7 is a simple upgrade from 15.1.12 which we recommend to everyone. What changes is that development will move to a different branch so that from now on regressions are less likely and therefore stability will increase further. The provided images may also be the only ones for the next 6 months as we are confident in their longevity and the online upgrade path. We have also bumped the LibreSSL flavour to a production-ready state and encourage everyone to try it out. The installer’s import configuration tool coupled with a quick and easy installation can help you move from OpenSSL to LibreSSL and back seamlessly.
The biggest addition is the intrusion detection integration (suricata) as well as new local and remote blacklists options for the proxy server (squid). Security-wise, it has been rather quiet with only a few CVEs in third-party tools. Please see the full patch notes for details and references:
kernel: borrowed a dummynet / ipnat patch from m0n0wall to enable symmetric traffic shaping when NAT is involved
kernel: fix recurse lock panic for tmpfs in conjunction with unionfs
kernel: applied two stable patches that prevent squid from crashing [1]
kernel: retired ALTQ support
base: sendmail TLS/DH Interoperability Improvement [2]
base: improved iconv(3) UTF-7 support [3]
base: inconsistency between locale and rune locale states [4]
notable ports updates: phalcon 2.0.3 [5] , curl 7.43.0_2 [6] , openssh 6.8p1_8, python 2.7.10 [7] , perl 5.20.2_5 [8] , ntp 4.2.8p3 [9] , libxml 2.9.2_3 [10] , openldap 2.4.41 [11]
opnsense-update: will no longer try to reinstall the istalled version after a fresh installation
bsdinstaller: bring back cpdup to error out on low memory installation (you need 1 GB of RAM, or work around installation using the nano image)
traffic shaper: removed legacy queues support in favour of the new traffic shaper functionality
traffic shaper: allow direct enable/disable toggle
proxy: fix the initial daemon start on bootup
proxy: added LAN as the default interface configuration
proxy: local and remote blacklists with regex support
intrusion detection: initial release of our IDS GUI based on suricata
gateways: monitoring mode gained IPv6 support
captive portal: fix idle timeout bug
captive portal: do not delete the wrong zone when having multiple configurations
captive portal: removed include files from exposed web directory
backend: always regenerate users and groups to avoid corruption after an unclean shutdown
backend: wait for configd socket to come up to address a startup race issue
backend: clean up configd socket on exit
backend: fixed regression that prevented user scripts from being started via /etc/rc.conf
gateways: only show apinger in services when monitoring is enabled for a gateway
languages: brought Simplified Chinese to 49% completed, German to 30% completed
universal plug and play: make page invoke static to remove exploitability of the legacy packages framework
crash reporter: finally enabled the send button and provides human-readable feedback whether the submission was complete
console: added non-interactive interface assignment for headless deployments
ssh: disable password authentication on factory reset to align with the standard configuration
diagnostics: avoid duplicated calls of gethostbyaddr() in NDP table view
users: prompt for old password on password change to prevent account hijacking
users: stripped the impossible scponly user privileges since said utility has never been part of our ecosystem
Images can be found on any of our mirrors, but they may take a few hours to sync. The checksums are attached at the end of this announcement for convenience.
https://opnsense.org/download/
15.7.25 (January 18, 2016)¶
This is good-bye. 6 months have passed and 15.7 has served us well. In only 10 days 16.1 will be out and it is looking shiny. Please study the end of life announcement on the firmware page before attempting to upgrade to the next version.
As such, we have incorporated all of the outstanding security issues of last week, mostly related to FreeBSD and OpenSSH. Patches for the GUI are light; all pending improvements go directly into the next major release.
Here are the full patch notes:
src: SCTP ICMPv6 error message vulnerability [1]
src: ntp panic threshold bypass vulnerability [2]
src: Linux compatibility layer incorrect futex handling [3]
src: Linux compatibility layer setgroups(2) system call vulnerability [4]
src: TCP MD5 signature denial of service [5]
src: Insecure default snmpd.config permissions [6]
src: OpenSSH client information leak [7]
src: Invalid TCP checksums with pf(4) [8]
src: YP/NIS client library critical bug [9]
ports: sqlite 3.10.0 [10] , easy-rsa 3.0.1 [11] , openssh 7.1p2 [12]
traffic graphs: fix truncation of IP address to 14 characters
firmware: EOL announcement for 15.7 added, ready for upgrading to 16.1 on January 28
firmware: added mirror provided by RageNetwork (Munich, DE)
menu: fix navigation after editing IPsec mobile clients (contributed by Manuel Faux)
trust: properly reference CA in intermediate CAs (contributed by Manuel Faux)
15.7.24 (January 11, 2016)¶
We’re back, and we have a lot of neat changes and security updates for you. Most notably, the firewall pages received a lot of subtle tweaks to improve user experience. Secondly, the firmware pages gained the plugins management feature. And last but not least, the kernel and base upgrade gained better signature support [1] that ties right into FreeBSD’s pkg verification mechanism, how cool is that!
We’d like to use this opportunity to thank four of our regular contributors who’ve helped us to advance further than we could have dreamed. A big thank you to Manuel Faux, Fabian Franz, Frank Wall and Andreas Martin! And no, we do not make these up as we go. ;)
Here are the full patch notes:
ports: suricata 2.0.11 [2] , dhcp6 20080615_5 [3] , lighttpd 1.4.39 [4]
ports: syslogd 10.2, mpd 5.8 [5] , ca_root_nss 3.21, dnsmasq 2.75_1 [6]
ports: ntp 4.2.8p5 [7] , php 5.6.17 [8] , python 2.7.11_1 [9]
ports: miniupnpd 1.9.20151212, openvpn 2.3.10 [10]
opnsense-update: add opnsense-verify and opnsense-sign
opnsense-update: improve verification of signatures of kernel and base upgrades
menu: bring back dashboard entry due to popular demand
menu: fix interface listing error when its description is empty
menu: moved license file to lobby section for visibility
menu: order VPN services for icon adjustment (contributed by Fabian Franz)
menu: renamed “config manager” to “configuration” and “certificate manager” to “trust”
language: multiple translation improvements (contributed by Fabian Franz and Andreas Martin)
language: fix behaviour of numerous apply buttons when using a non-English translation
dashboard: don’t display widget headers when the actual widgets are no longer installed
backend: fix issue when configd target pattern cannot be found
carp: fix support for OpenVPN clients
system: remove the old FTP proxy implementation (use proxy server service instead)
system: pin down listbox size to unhide the search field
health: tidy up the layout by removing visual blockers and general bumpiness
access: fix setting of default values for new users
access: fix padding on user listing page
access: adjusted file type of API credentials to fix Chrome’s download blues (contributed by Fabian Franz)
configuration: fix replay of configuration backups
interfaces: fix redirect after applying an interface’s configuration
trust: properly set certificate digest algorithm in form after creation error
gateways: bring back display of descriptions (contributed by Frank Wall)
load balancer: bring back display of descriptions (contributed by Frank Wall)
ipsec: fix RSA authentication method check
ipsec: finally brought back lease display in widgets and status page
proxy: add configurable cache_mem setting
unbound: honour the “register DHCP leases in DNS” option (contributed by Manuel Faux)
unbound: reorder advanced features inclusion
dynamic dns: allow custom entries to set hostname to be used in e.g. OpenVPN exports
dynamic dns: updated cloudflare service binding
firewall: fix saving of zero values on virtual IP page
firewall: fix label for option source/invert in rules edit page (contributed by Frank Wall)
firewall: show warning banner on related pages when firewall is globally disabled (contributed by Manuel Faux)
firewall: add interface groups to firewall rules and port forwarding
firewall: add matching behaviour indicator for floating rules (contributed by Fabian Franz)
firewall: make quick matching behaviour the default for floating rules
firewall: fix spurious error when migrating alias from one interface to the next
firewall: sort alias listing for better overview
firewall: fix header alignment for schedule repeat section
firmware: added display of major announcements on the firmware page
firmware: added reinstall / (un)lock buttons for installed packages
firmware: added plugin listing to page with install / remove buttons
firmware: restructured the backend and improved its resilience
firmware: show the download size of the pending update in the update check response
firmware: added update verification signature for the upcoming 16.1 release series
captive portal (devel): fix text of two help messages (contributed by Fabian Franz)
15.7.23 (December 23, 2015)¶
As the end of the year 2015 is nearing, we push one last update. And it’s been a hell of a year! This is actually the 49th official update we’re releasing, so that gives you the idea of how serious we were about “once a week”. The major upgrade 16.1 is around the corner as well, although major is a bit of a stretch: the main reason for calling it 16.1 are the all new captive portal and FreeBSD 10.2. But that’s not the point. Here it is…
We would like to thank everyone for their resounding support through good and bad times, for lively discussions, outside contributions and all the encouragement we’ve received. We’ve set a reasonable pace for progress within our project and we will certainly keep it up for 2016. That’s the least we can do for you. After all, we do like to think we’ve built a little family.
Here are the full patch notes:
ports: bind 9.10.3-P2 [1] , python 2.7.11 [2] , openvpn 2.3.9 [3]
traffic shaper: page is now properly translated (contributed by Fabian Franz)
system: all remaining pages in this section have been reworked for clarity
logs: split up the old VPN multi-log page into their respective parts (L2TP, PPTP, PPPoE)
logs: added filtering option to all logs that previously missed it
certificates: now supports different extensions (Key Usage, Subject Alternative Name) and usage types
dhcp: allow commas in advanced DHCP client options (contributed by Simon van der Linden)
firewall: add direction indication icon to floating rules
firewall: lock port numbers on protocols that are not TCP/UDP
firewall: fix apply button on outbound NAT page in translation mode
traffic shaper: add TCP ACK/non-ACK matching options
proxy: two fixes for non-local authentication
15.7.22 (December 09, 2015)¶
So here are OpenSSL 1.0.2e and LibreSSL 2.2.5, finally! 15.7.22 itself is only tweaks and minor fixes. We take it as a good sign that there were no “oh no what did you do to the menu” complaints in the past week. Nobody missed the RRD graphs either. You guys are really cool.
The root cause for the filter reload timeout reports that some of you encountered in 15.7.19 has finally been found. The function filter_generate_optcfg_array() could be called hundreds of times in a single filter reload while only providing static interface data to the callers that did not change over the runtime of the reload. At some point it must have gotten so slow that a caching mechanism was added around the function, which caused the function’s output to get stuck, causing the initial bug report. Now it’s as fast as ever and glitch-free.
Here are the full patch notes:
dhcp: show lease description in status pages if available (contributed by Frank Wall)
firewall: improve and align display of RFC 1918 and IANA rules (contributed by Manuel Faux)
firewall: fix hover cursor on the filter log page (contributed by Manuel Faux)
firewall: show implicit IPv6 block rule if enabled in system settings (contributed by Manuel Faux)
firewall: extend pfInfo to show active rules (contributed by Manuel Faux)
unbound: fix JS to enable/disable interface selector (contributed by Manuel Faux)
unbound: fix starting of unbound via service status page (contributed by Manuel Faux)
proxy server: allow authentication against all available authentication servers
universal plug and play: fix read/write on the settings page
interfaces: break device configuration pages out of interface assignment section
backend: optimise filter reload to not collect overall interface information more than once
backend: reapply the cache removal in light of the filter reload fixing
backend: trigger config daemon templates on bootup
backend: throw error when attempting to trigger a nonexistent template
ports: curl 7.46 [1]
ports: openssl 1.0.2e [2]
ports: libressl 2.2.5 [3]
ports: squid 3.5.12 [4]
ports: lighttpd 1.4.38 [5]
15.7.21 (December 04, 2015)¶
Back in September we’ve started out to work on the excessive GUI padding and dispersed menu structure in order to get to a slick and clean page layout. We’ve transformed tab navigation into submenu items, pulling similar items together into one single category, adding distinctive icons as a highlight and anchor point. We’ve come to like it so much that we can’t wait for 16.1 to merge it in so here it is for everyone to enjoy. Work in this area will continue in tiny pieces as we go along. Send us feedback, let us know what we can push even further.
15.7.21 brings updates to some of the most important ports and RRD frontend pages have been completely removed. Unfortunately, we couldn’t squeeze in OpenSSL and LibreSSL at this point, but will follow up as soon as both of them are available.
Here are the full patch notes:
ports: phalcon 2.0.9 [1]
ports: php 5.6.16 [2]
ports: suricata 2.0.10 [3]
ports: openldap 2.4.43 [4]
ports: strongswan 5.3.5 [5]
menu: removed tab navigation in favour of submenu items
menu: removed the status and diagnostics from the top menu
menu: made the menu smaller and added distinctive icons
menu: order interfaces by their descriptive name
layout: removed several paddings and spurious boarders
rrd: removed the graphing frontend to complete our switch to System Health
rrd: moved remaining settings to System: Settings: Logs / Reporting
logs: can now narrow search using individual keywords separated by whitespace
logs: added a raw firewall view as a default page instead of having a setting for it
logs: ppp log messages won’t show up in the system messages anymore
universal plug and play: reworked settings page for clarity
gateways/routes/users: reworked all pages for clarity
settings: reworked admin access and general section for clarity
settings: password authentication and permit root login settings changes did not trigger an immediate sshd restart
ipsec: remove use of reqid in config
ipsec: fix ESP/AH options on multiple phase2 entries
ipsec: fix algorithm selection in phase1 and phase2
ipsec: properly handle status error when ipsec is not enabled
ipsec: subnet selection can now extend beyond 24 bits
ipsec: make NAT type configurable for phase2 (contributed by Frank Wall)
layout: updated to jQuery Bootgrid v1.3.1
language: many translations added (contributed by Frederic Lietart and Fabian Franz)
config: improve the session handling to ensure a responsive GUI
ntp: gps settings now work with translations and properly reselect the configured device
15.7.20 (November 25, 2015)¶
Today we proudly present to you 15.7.20, which includes several improvements and fixes in all areas. Notable from a development perspective are the opnsense-bootstrap tool, which can install the latest OPNsense version on a FreeBSD 10.1. Additionally, the development branch offers a sneak preview of Suricata in true IPS mode! Instructions on how to test it can be found in the forum [9] .
Here are the full patch notes:
src: fix kqueue write events never fired for files greater 2GB [1]
src: remove obsolete locking primitives IFA_LOCK() / IFA_UNLOCK()
src: enable netmap(4) driver support in the kernel
src: merge stf(4) driver modifications from pfSense [2]
ports: squid 5.3.11 [3]
ports: strongswan 5.3.4 [4]
ports: choparp 20150613 [5]
ports: libxml 2.9.3 [6]
ports: pkg 1.6.2 [7]
ports: opnsense-bootstrap, the infamous installer that works on stock FreeBSD [8]
intrusion detection: ignore json parse errors in eve log file
intrusion prevention (development): added Suricata 2.1beta4 in inline mode [9]
interfaces: reverted cache removal due to multiple speed regressions reports
backend: send timeouts with proper description to syslog
openvpn: fix auth server selection for translations
filter: make the status reload page provide better debug info
interfaces: fix mobile carrier selection on main interface edit page
interfaces: unify release/renew/connect/disconnect buttons in status page
dashboard: show cell mode for ppp if available
15.7.19 (November 13, 2015)¶
Time for the weekly update. :)
15.7.19 is a smaller maintenance release with a backend switch for IPsec reporting and a couple of minor fixes. With the help of the community, we’re also improving the consistency of the GUI translation with more commits already in the works.
Notable from a development version perspective are the API authentication and the revived voucher support for our new captive portal. This means two more roadmap items already finished for 16.1.
Here are the full patch notes:
aliases: make url tables useable
interfaces: fix faulty GUI caching issues [3]
ipsec: obey force nat traversal
ipsec: switch status page and widget from deprecated SMP to VICI interface for reliable output
ipsec: fixed remote network input validation
status: show more raw ipfw info in the commands section
config: don’t use notices in early/low level code
languages: a large number of old and new strings is now being properly translated (with contributions from Franz Fabian and Frederic Lietart)
languages: translation strings no longer use obfuscated argument reordering by default
languages: updated German and French to a newer version from translate.opnsense.org
captive portal (development): added a new voucher implementation
api (development): added API key authentication mechanism [4]
15.7.18 (November 04, 2015)¶
It took a while to track down a NTP regression with FreeBSD that turned out to be a flaw in the kernel itself. That’s now fixed for all FreeBSD versions. Thanks everyone for helping out here again. :)
This update brings quite a few fixes, especially with regard to VMware and Xen virtualisation plugins. If you are in need of such plugins for seamless guest support the installation is quite painless:
# pkg install os-vmware
# pkg install os-xen
In case of VMware, the masterplan is that vmx network devices will be persistent after reboot so that such devices can be embedded into the config.xml. Let us know how that works for you guys. Needless to say, we’ll keep working on making plugins accessible through the GUI with our next major version that is 16.1.
We’ve also been working on ironing out further IPsec hiccups and adding more features to the captive portal in the development version. Oh, and this: fresh images based on 15.7.18 will be available a couple of days after this release.
Here are the full patch notes:
plugins: updated the VMware plugin to support early boot for persistent vmx(4) device access
plugins: added the Xen plugin for automatic guest support
openvpn: fix server not saving interface without IP
crash reporter: remember email for continuous feedback
crash reporter: Suhosin PHP module no longer triggers crash reports
crash reporter: fixed 10 assorted crash reports
languages: fix all apply button prompts for non-English translations
languages: updated German and French via https://translate.opnsense.org
backend: added simple plugin hooks for boot up, early boot up and shutdown
GUI: hooked up the authentication backend rewrite
dhcp: remove illegal ifconfig tag in custom dhclient script
virtual ips: make subnet selectable on ipalias
ipsec: flip ipv4/ipv6 subnet options in phase2
ipsec: fix issue when using both tunnels and roadwarrior
ipsec: listen to disabled ipsec nat entries
ipsec: do not overwrite settings for rekey/reauth
proxy: fix error on saving special URL characters
aliases: fix missing url table items
aliases: hide minus when not applicable
ntp: don’t trigger set_gps_default on page load
captive portal (development): clean rewrite of RADIUS authentication/accounting
captive portal (development): added a session overview feature to the new
captive portal (development): fixed template download file name in Google Chrome
src: Implement pubkey support for pkg(7) bootstrap [1]
src: rpcbind remote denial of service [2]
src: Applications exiting due to segmentation violation on a correct memory address [3]
src: tzdata updated to 2015g [4]
ports: ntp 4.2.8p4 [5]
ports: sqlite 3.9.1 [8]
ports: suricata 2.0.9 [9]
ports: php 5.6.15 [10]
# SHA256 (OPNsense-15.7.18-OpenSSL-cdrom-amd64.iso.bz2) = f193e04ce0f0d2b1eab54b246f5b4931cdd50ed0a97015a363e8ece24449825d
# SHA256 (OPNsense-15.7.18-OpenSSL-nano-amd64.img.bz2) = f1cfa7ff9f2fe30361f92773aa6fe416ac5bb3e27bd98c1b470f32ceea9ee4eb
# SHA256 (OPNsense-15.7.18-OpenSSL-serial-amd64.img.bz2) = e95698fac21e8bef7ac8c8e66406fcbece583a32db325da19be810d33a714147
# SHA256 (OPNsense-15.7.18-OpenSSL-vga-amd64.img.bz2) = 3cc366d5e48f74bba5a07466cbaa2808d98fba422814d3cafbbffb5e2847c888
# SHA256 (OPNsense-15.7.18-OpenSSL-cdrom-i386.iso.bz2) = 57229a3873d6020979e8ebb1dff1c97b14166afff7da6d5ca7e5b32a17e40207
# SHA256 (OPNsense-15.7.18-OpenSSL-nano-i386.img.bz2) = e89464b51c52c02a9d1a15d168190f23b7d72030be5b31db4bd5a78cfa0a108f
# SHA256 (OPNsense-15.7.18-OpenSSL-serial-i386.img.bz2) = 0eb92ffcbe6d4152b79e89e71984b5a3d00cf0e2e0946868331fd93a506cf54c
# SHA256 (OPNsense-15.7.18-OpenSSL-vga-i386.img.bz2) = 284157e596dd77551ce6ce4e5b661614273abcfaa590f6d4553903172332f370
# MD5 (OPNsense-15.7.18-OpenSSL-cdrom-amd64.iso.bz2) = 7718af5a632a426c7e3832e4cf6e7f91
# MD5 (OPNsense-15.7.18-OpenSSL-nano-amd64.img.bz2) = 88018ba7ec8c6e6906054a03106020c6
# MD5 (OPNsense-15.7.18-OpenSSL-serial-amd64.img.bz2) = 50879c1a12ca65b95ebd5a77eea389e5
# MD5 (OPNsense-15.7.18-OpenSSL-vga-amd64.img.bz2) = 764c8a9c42b13cdfc73d1025e9795901
# MD5 (OPNsense-15.7.18-OpenSSL-cdrom-i386.iso.bz2) = ce115445d922883c1e57457503b7d044
# MD5 (OPNsense-15.7.18-OpenSSL-nano-i386.img.bz2) = 947d4955775295f09ef849b8ac7757a6
# MD5 (OPNsense-15.7.18-OpenSSL-serial-i386.img.bz2) = 4b7affd7c051e15171ef2ee4869739b6
# MD5 (OPNsense-15.7.18-OpenSSL-vga-i386.img.bz2) = 59b796e2a2a68cb699bb67b79f08c808
15.7.17 (October 20, 2015)¶
So this is 15.7.17 with a couple of neat things under the hood: AES-NI is now supported by both LibreSSL and OpenSSL. Other than that only minor fixes went in along with the latest version bumps for cURL, Squid, Unbound and (of course) LibreSSL.
The development version has more things happening: we’ve reorganised the menu to get rid of the “Status” and “Diagnostics” section, updating layouts and minimising padding of the bootstrap theme. And that’s not all, because we’re also replacing the old captive portal! The new captive portal can already be tested and will receive more features as we near version 16.1. Let us know what you think.
Here are the full patch notes:
ports: both LibreSSL and OpenSSL now support AES-NI acceleration
ports: curl 7.45 [1] , squid 3.5.10 [2] , unbound 1.5.5 [3] , libressl 2.2.4 [4]
layout: bumped font awesome to 4.4
dhcp: dhcpd leases did not always reload dhcpleases daemon
openvpn: fix Strict User/CN matching checkbox behaviour
ipsec: fix tunnel identification when using NAT
dns filter: add OpenDNS IPv6 servers
dns resolver: fix apply glitch that would blank the settings temporarily
log files: search is now case-insensitive
firmware: improved reboot detection feedback
crash reporter: improved wording as reports without contact info may be hard to fix
virtual ip: fix possible apply glitch with new VIP
synchronisation: do not error on target down, log it instead
languages: French is at 35% and German is at 65% complete now
development: the captive portal has been replaced with a newly implemented variant based on our MVC standards – if you still want to use the old one please use the release package instead (although any feedback for the new captive portal is greatly appreciated)
15.7.16 (October 10, 2015)¶
We’ve spent three great days in Nuremberg at it-sa, thanks for everybody who dropped by.
Originally we wanted to push out 15.7.16 earlier, but faced an interesting challenge with the latest FreeBSD package manager version update. To that end, we are probably going to release new images for 15.7.17 with the new package manager included just to make sure we can retain a clean and flat upgrade process even for the images. But fear not, online upgrades are still working as expected.
Speaking of releases and images, we’ve had recent feedback about what we call releases that do not necessarily offer images. We do this because in a weekly update cycle it is far too complicated to bundle verified images. The versioning scheme does not reflect this at the moment, but we’ve had similar intentions when we moved away from the old 15.1 scheme. Long story short, we will try to make this more clear in the future. The preferred method of installation is via the latest available image that should be upgraded immediately after installation.
Since the build tools are open, it’s not a particular problem to build a newer version yourself or if you require one that comes directly from us just let us know so we can help your specific use case. Last but not least, here are the full patch notes:
ports: phalcon 2.0.8 [1] , php 5.6.14[3]
unbound: improved DNS rebind protection
traffic shaper: improved description field validation
wizard: bring back missing files
captive portal: redirect after successful RADIUS login
health: fix reading of ntpd RRD data
config manager: fix revert and delete in translations
config daemon: don’t pass stderr on script output call
languages: German now 64% complete
15.7.15 (September 30, 2015)¶
We hope you guys are having a good week? Because if not we have a treat for you: the wait for System Health [1] is finally over and the best part is that it’ll just work with your previously collected RRD data. :) We kindly ask you to provide feedback via the usual channels in order to make it even better. There’s still a lot of time till 16.1 hits the shelves, so to speak.
This is a rather small maintenance release with a handful of fixes. The things that pop out are StrongSwan 5.3.3 [2] as well as the menu now being correctly translated when selecting a different language. And, BTW, behind the scenes we’re just now opening up our translation server that’ll make it even easier to contribute to language translations in the future.
Here are the full patch notes:
health: added feature to browse RRD data in a modern way
notable ports updates: strongswan 5.3.3
logs: added proxy server access log and updated the layout
users: fixed ldap import warning when no users could be found
dhcp6: fix IPv6 grabbing with PPPoE
openvpn: fix TLS auth enable behaviour in client settings
firewall: fix missing log option in save form
firewall: fix missing interface address in NAT page
firmware: sped up package queries and added package size column
wizard: multiple fixes and security improvements
menu: now properly translates into the selected language
traffic shaper: unload ipfw rules on disable
15.7.14 (September 22, 2015)¶
originally, we wanted to make 15.7.14 as boring as possible, but now we are shipping our major firewall section rework on top of intricate configuration management fixes instead. We should also note that the former improved configuration imports from older systems. Be sure to let us know when you find any issues with these changes.
From the third-party and/or security side not much has happened recently. We are shipping the latest Bind and Squid, for details see the provided links. Here are the full patch notes:
config: do not set login auto-complete on factory reset
config: fix faulty timezone on factory reset
config: improve config migration path for legacy config imports
config: new home in system section for the config history and backups
config: improved the config history differential view
firmware: added Supranet Communications mirror (Middleton, US)
firewall: reworked rules, schedules, virtual ip, nat and aliases pages
users: removed special handling of the “all” group
crash reporter: fixed 9 minor problem reports
wireless: only advertise supported modes of operation
system: fix theme selection for user-added themes
menu: fix expand on all interface edit pages
ntp: improve service status probing
diagnostics: fix authentication tester to work in conjunction with translations
languages: added French translation (33% complete)
languages: updated German translation (57% complete)
15.7.13 (September 15, 2015)¶
15.7.13 is a short GUI-only update since we’ve seen frequent validation errors in our crash reports. We’ve fixed that ahead of schedule and also push a larger under-the-hood preparation of the coming firewall section and menu rework while at it. Exciting stuff coming soon. :)
Here are the full patch notes:
diagnostics: added real backend code leading to upcoming privilege separation for pfInfo, pfTop, States and Tables pages
dynamic dns: introduce constant naming away from “DynDNS” or “DDNS”
gui: fix numerous typos spotted by our relentless translators
gui: fixed validation errors in new components
gui: removed partial shadow from active tab
ipsec: fixed missing redirect after apply
Stay safe, Your OPNsense team
15.7.12 (September 12, 2015)¶
The vacation time is over for most of us, and so we do roll on into what is going to be a busy autumn. As we haven’t had a release in 2 weeks a longer list of changes has accumulated. Most prominently, we have a security advisory for FreeBSD that may allow privilege escalation on amd64 architectures. More security-related updates are available for LibreSSL, Bind and PHP.
We’ve also been able to iron out the few IPsec configuration problems left related to the page rewrite thanks to relentless testing by Frank Wall and others. We appreciate any help in doing the same for the new Firewall pages we have staged in our development version [12] . Here is the full list of changes:
src: local privilege escalation in IRET handler [1]
src: disable ixgbe(4) flow-director support [2]
src: insufficient check of unsupported pkg(7) signature methods [3]
ports: libressl 2.2.3 [4] , bind 9.10.2P4 [5] , openldap 2.4.42 [6]
ports: radvd 1.15 [7] , lighttpd 1.4.37 [8] , squid 3.5.8 [9]
dhcp: use reverse mask instead of reverse address in config
dns resolver: honour log verbosity toggle
ssh: remove ssh1 key from generating, it is no longer supported in openssh
filter: remove the unused snort2c table from generated rules
xmlrpc: properly regenerate /etc/hosts on sync
openvpn: fix TLS authentication option reset
ipsec: proper redirect after apply in mobile tab
ipsec: fix behaviour of enable rekey and enable reauth
ipsec: only suffix connection number with sequence with multiple entries
ipsec: fix diagnostics to be able to connect multi phase2 IKEv1 entries
ipsec: fix Call to undefined function filter_configure()
dashboard: traffic graph highlights are now branded in orange
theme: render dropdown boxes a bit better
theme: partial fix for wrapped tab display
crash reporter: fix spurious crash report after actual submission
crash reporter: assorted fixes for warnings and errors in the code
crash reporter: improve submit/dismiss button layout
15.7.11 (August 27, 2015)¶
As we’ve had a couple of pending issues that needed addressing before we push out new images, we’ve wrapped up 15.7.11 just now.
Here are the full patch notes:
dns resolver: switch unbound to use libevent to address “too many fds” log message
firmware: os-update package was renamed to opnsense-update so “os-” can be our plugin prefix
firewall: fix alias page not being available due to a dirty config.xml sample entry
ipsec: fix pages throwing warnings due to a dirty config.xml sample entry
ipsec: fix hash algorithm and protocol settings behaviour
openvpn: honour TLS authentication disable
themes: fix theme selection fallback not working in new components
diagnostics: unhide routing table headers
# SHA256 (OPNsense-15.7.11-OpenSSL-cdrom-amd64.iso.bz2) = 4e6a78e309945f950bb924345d3bb3571f4cc4891227129bbf7a9f462d1a0f6b
# SHA256 (OPNsense-15.7.11-OpenSSL-nano-amd64.img.bz2) = 714d2ab06db2d56b81421182a6315b6b7373defbc4f3d82f795e22371b8ef501
# SHA256 (OPNsense-15.7.11-OpenSSL-serial-amd64.img.bz2) = f644a45a770850aacee824a83992ecbf5f177ea05051f8907470d8d548183521
# SHA256 (OPNsense-15.7.11-OpenSSL-vga-amd64.img.bz2) = 3da0787d7e0d4708230f0d7b95a9617d74f7a3e12b861091b6eefa934d2a5564
# SHA256 (OPNsense-15.7.11-OpenSSL-cdrom-i386.iso.bz2) = 407a83caeaff638b046f8ee7b8fa0823eb8b5cae28458a376c80134f66555eea
# SHA256 (OPNsense-15.7.11-OpenSSL-nano-i386.img.bz2) = 03ab10b56367249d742b824a454891678025db576bca126fb97fa2a9e0297835
# SHA256 (OPNsense-15.7.11-OpenSSL-serial-i386.img.bz2) = cc316a27fee85107d358d6e970db69f9abae5cb67d33073026c9aec14210b9be
# SHA256 (OPNsense-15.7.11-OpenSSL-vga-i386.img.bz2) = b90cbc906324d3b1671302804b5f902eaab2180d0cdde4145e54614d61355e6c
15.7.10 (August 25, 2015)¶
15.7.10 is here with a larger number of third party updates as well as a security advisory for FreeBSD. Otherwise it’s relatively silent as we are still busy reworking the firewall section pages like we did with OpenVPN and IPSec recently.
We’ve also bumped the crash reporter into the system section as a tool to generate custom reports, delivering the shortest possible path to get in touch with us regarding bugs or other quirks that do not automatically generate a report. We are totally happy with the way you guys have already embraced the reporter and wish to see even more usage of it. It has helped us to identify issues and ship fixes a lot quicker.
Here are the full patch notes:
src: Multiple integer overflows in expat (libbsdxml) XML parser [1]
src: bumped tzdata to 2015f [2]
ports: curl 7.44.0 [3] , ca_root_nss 3.20, openssh 7.1p1_1 [4] , sqlite 3.8.11.1 [5] , phalcon 2.0.7 [6] , pcre 8.37_4 [7]
crash reporter: create custom reports on demand
certificates: ca generation issues with recent LibreSSL
dns resolver: switched to ports-based Unbound (1.5.4) as per FreeBSD handbook
menu: moved the crash reporter to system category for visibility
menu: added hot-plugging support for upcoming plugins
acl: added hot-plugging support for upcoming plugins
ipsec: fix faulty behaviour on configuration changes
console: switched halt and reboot numbering
languages: bring German to 51% completed
graphs: remove obsolete CPU graph pages
15.7.9 (August 19, 2015)¶
What’s up! We are about to release new images to put a stake in the ground following roughly 500 commits since 15.7 was released in early July. FreeBSD 10.2 is around the corner, which makes this all the more important. First tests look promising, but it’ll have to wait a few more weeks to hopefully get rid of more custom patches and thorough testing. We’ve also made progress with nano-style images to improve interoperability between different media types. Images are scheduled to be released shortly after 15.7.10 for said release.
With that in mind, 15.7.9 is a maintenance release which only addresses our code before we make a bigger leap forward. Focus has been to improve firmware upgrades and crash reporter, all OpenVPN and IPSec configuration pages and a fix for recent LibreSSL flavours not wanting to generate certificates.
These are the full patch notes:
firmware: functional rework of update fetch and install, show reboot needed in alert box
interfaces: fixed spurious truncated interface names from showing up in the assignments
intrusion detection: improved rule select/deselect behaviour and alert querying
firewall/rules: fix missing apply button when another language is being used
crash reporter: multiple fixes, layout and submission improvements
firewall/logs: can now filter using IP version
firewall/nat: add anti-lockout rule for redirection
certificates: fix generation for LibreSSL flavour
openvpn: allow advanced settings for all server types
openvpn: reworked all configuration pages (especially client export)
ipsec: reworked all configuration pages
Stay safe, Your OPNsense team
15.7.8 (August 12, 2015)¶
While we do hope everyone is enjoying their summer vacation we’re rolling out a larger update due to multiple issues with FreeBSD and third party programs. We also have a feature that our community has been yearning for: the transparent proxy!
This time around, we took extra care with our development version and let features simmer there until they are fully ready to be rolled out. We already have VPN configuration improvements and firmware upgrade eye candy staged in the current development package. Join our forum to find out more:
Here are the full patch notes:
src: shell injection vulnerability in patch [1]
src: routed remote denial of service vulnerability [2]
ports: dnsmasq 2.75 [3] , squid 3.5.7 [4] , openvpn 2.3.8 [5]
ports: libressl 2.2.2 [6] , lighttpd 1.4.36 [7] , php 5.6.12 [8]
ports: pcre 8.37_3 [9] , pkg 1.5.6 [10] , expat 2.1.0_3 [11]
dns resolver: improve bootstrapping of root directory to ensure service startup
firmware: fix handling of sample mirror file
firmware: added a mirror for China
firewall: always provide a sample bogons file for IPv6
firewall: avoid blocking dhcpv6 on WAN via bogons
menu: added 3 direct links to subpages
crash reporter: weekly batch of PHP warnings purged from the codebase
logs: reworked the firewall log summary page (yum, pie charts)
intrusion detection: fix query for empty result
intrusion detection: fix validation on new entries
proxy: added transparent proxy knob
15.7.7 (August 05, 2015)¶
This week’s 15.7.7 is a subtle maintenance release to wrap up remaining issues that came in via crash reports since 15.7.6.
Furthermore, we are not aware of any security issues in third party software.
Here are the full patch notes:
interfaces: VLAN on top of LAGG now correctly overrides flags on the actual parent interfaces
system: added firmware crypto flavour and mirror selection to general settings
logs: add missing prototype.js to fix pie charts display (contributed by Chong Cheung)
languages: updated German (42% complete) and Japanese (80% complete)
crash reporter: fixed assorted minor coding errors/warnings
system: improved LDAP bindings and user import (including fixes by Christian Schonberg)
proxy: added option to ignore subnets from getting into the access log
proxy: fixed automatic startup on /var MFS
intrusion detection: fixed automatic startup on /var MFS
menu: fix collapse/expand for DHCP (contributed by Chong Cheung)
menu: added logout option to user menu
Stay safe, Your OPNsense team
15.7.6 (July 31, 2015)¶
This is 15.7.6 due to several security advisories for FreeBSD as well as OpenSSH and Bind problems. Reference links are provided for external issues as always. More crash reports came in for issues that date back to as much as a few years long before we started OPNsense. We are very happy for the chance to finally flush them out of the code base.
The update requires a reboot. Here are the full patch notes:
src: shell injection vulnerability in patch(1) [1]
src: resource exhaustion in TCP reassembly [2]
src: OpenSSH multiple vulnerabilities [3]
ports: phalcon 2.0.6 [4] , openssh 6.9p1 [5] , bind 9.10.2P3 [6] , dnsmasq 2.74 [7]
opnsense-update: can now replace mirror locations
crash reporter: fixed numerous remotely-submitted warnings and bugs
universal plug and play: fixed concurrent enable for UPnP and NAT-PMP (contributed by Chong Cheung)
intrusion detection: reload general settings after download
intrusion detection: revised rule and ruleset toggle
firmware: better upgrade reboot detection
proxy: fix service start when IPv6 was disabled via system settings
system: revised the VLAN acceleration disable option to properly unset the interface flags
15.7.5 (July 28, 2015)¶
First of all thanks to everyone who has been using the crash reporter in the last few days. It’s helped us tremendously in tracking down faulty code bits that were invisible prior to 15.7.4. In order to keep the reports fresh we’re hereby pushing out 15.7.5 a bit earlier than usual.
No third-party code will be updated; no reboot necessary. Here are the full patch notes:
menu: fixed expand/collapse behaviour on subpages
ipsec: fix a bug that prevented using a CARP address
crash reporter: 200 reports helped to identify and fix 23 unique issues
crash reporter: add dmesg.boot to files to be submitted
Stay safe, Your OPNsense team
15.7.4 (July 24, 2015)¶
Another week it is, this time with a rather exciting TCP state fix in the FreeBSD kernel. We’ve also taken the time to work through most of the code base to eradicate code warnings and now enable them by default in the crash reporter. We’re half-expecting another stable update early next week just to make sure your infrastructure keeps running as smoothly as possible.
Here are the the full patch notes:
updated sudo 1.8.14p3 [1] , pcre 8.37_2 [2] , and FreeBSD 10.1-RELEASE-p15 [3]
firmware: fix upgrade when using opnsense-devel package
proxy: fix config write for multiple interfaces
crash reporter: raise PHP log level to warnings after an extensive cleanup
dashboard: made widgets translatable (contributed by Fabian Franz)
firewall logs: usability improvements (contributed by Fabian Franz)
languages: Simplified Chinsese 64% complete
languages: German 40% complete
menu: fixed navigation for PPPoE edit
15.7.3 (July 17, 2015)¶
This is a quick 15.7.3 to address the recently released PHP 5.6.11 as well as small fixes and further firmware experience improvements. We’ve also taken the time to refine our version 16.1 road map items for you to review and discuss:
https://opnsense.org/about/road-map/
The full list of changes are as follows:
ports: php 5.6.11 [1]
ports: pkg 1.5.5 [2]
ports: ca_root_nss 3.19.2
ports: phalcon 2.0.5 [3]
ports: isc-dhcp42-server 4.2.8_1 [4]
backup: fix infinite reboot loop on interface mismatch
firmware: show locally installed packages
firmware: reboot dialog now responsively redirects when the system is back up
dashboard: upgrade link now directly launches into the firmware upgrade
dashboard: added a system log widget (contributed by Sascha Linke)
languages: merged German translation progress (contributed by Fabian Franz)
xmlrpc: fix sync of static routes
bogons: fix overwrite-on-upgrade bug
That’s all for now. Really.
15.7.2 (July 10, 2015)¶
It’s us. Again. Following the recent OpenSSL announcement of CVE-2015-1793 we are pushing out 15.7.2 earlier than expected. It is notable that FreeBSD 10.1 as well as LibreSSL are not affected. However, if you are running OPNsense with OpenSSL you should upgrade immediately. Services are not restarted automatically, so a reboot is advised but not mandatory. Please take a responsible course of action.
Here are the full patch notes:
notable ports updates: phalcon 2.0.4 [1] , libressl 2.2.1 [2] , openssl 1.0.2d [3]
opnsense-update: can now switch from/to LibreSSL/OpenSSL on the fly (needs root shell for now)
ssh: work around a shutdown bug that prevents other users from logging in (requires a reboot if used)
console: allow the root menu to run one-shot shell commands too
console: clean up the version advertisement in the banner
dashboard: colour hostap wifi as green when up
backup: do not redirect on interface mismatch, reboot right away instead
system: migrated /var and /tmp memory disks to tmpfs (requires a reboot if used)
proxy: fix the startup when used on a /var memory disk (requires a manual start after boot)
intrusion detection: fix the startup when used on a /var memory disk (requires a manual start after boot)
intrusion detection: enable the uricontent keyword for the ET ruleset
15.7.1 (July 08, 2015)¶
We hope you guys are doing well. We are certainly happy with our first production release out in the open. :) Now that that’s taken care of, we have the opportunity to introduce stable braches for 15.7.x, with this week’s 15.7.1 as the first of many.
Squid and Bind have CVE-related fixes. Otherwise, only minor fixes and improvements went into this release. If you are being affected by the DHCP server startup issue reboots are necessary in order to fix the root cause. Please follow these steps:
Upgrade to 15.7.1 using your preferred method.
Disable RAM disks in “System: Settings: Misc.” and reboot.
Enable RAM disks in “System: Settings: Misc.” and reboot.
The DHCP server will now startup correctly.
Here is the full list of changes:
overall: introducing stable updates for 15.7.x
ports: bind910 9.10.2-P2 [1] , freetype2 2.6 [2] , squid 3.5.6 [3]
crash reporter: fixed the upload of additional files
system: always have a symlink available for /var/db/pkg
system: protect sshd against OOM kills
system: can now properly select time zones which have a sub-sub-category
intrusion detection: switch default interface to WAN
menu: added awareness for further routing tabs
login: switch off “autocapitalize” and “autocorrect” for username field
status: do not scale RRD graphs over 100% of their actual size
languages: minor tweaks for the German translation
15.7 (July 02, 2015)¶
While the summer is hot, we push forward to what now is 15.7 – nicknamed ‘Brave Badger’ – right in front of you. A lot of effort went into this project during the past 6 months, and we dare say it has been worth all of it. We would like to thank our followers and friends and feedback givers and forum lurkers and contributors and doubters and supporters that helped to make 15.7 what it is. We wouldn’t be here without any of you. Thank you.
In itself, 15.7 is a simple upgrade from 15.1.12 which we recommend to everyone. What changes is that development will move to a different branch so that from now on regressions are less likely and therefore stability will increase further. The provided images may also be the only ones for the next 6 months as we are confident in their longevity and the online upgrade path. We have also bumped the LibreSSL flavour to a production-ready state and encourage everyone to try it out. The installer’s import configuration tool coupled with a quick and easy installation can help you move from OpenSSL to LibreSSL and back seamlessly.
The biggest addition is the intrusion detection integration (suricata) as well as new local and remote blacklists options for the proxy server (squid). Security-wise, it has been rather quiet with only a few CVEs in third-party tools. Please see the full patch notes for details and references:
kernel: borrowed a dummynet / ipnat patch from m0n0wall to enable symmetric traffic shaping when NAT is involved
kernel: fix recurse lock panic for tmpfs in conjunction with unionfs
kernel: applied two stable patches that prevent squid from crashing [1]
kernel: retired ALTQ support
base: sendmail TLS/DH Interoperability Improvement [2]
base: improved iconv(3) UTF-7 support [3]
base: inconsistency between locale and rune locale states [4]
notable ports updates: phalcon 2.0.3 [5] , curl 7.43.0_2 [6] , openssh 6.8p1_8, python 2.7.10 [7] , perl 5.20.2_5 [8] , ntp 4.2.8p3 [9] , libxml 2.9.2_3 [10] , openldap 2.4.41 [11]
opnsense-update: will no longer try to reinstall the istalled version after a fresh installation
bsdinstaller: bring back cpdup to error out on low memory installation (you need 1 GB of RAM, or work around installation using the nano image)
traffic shaper: removed legacy queues support in favour of the new traffic shaper functionality
traffic shaper: allow direct enable/disable toggle
proxy: fix the initial daemon start on bootup
proxy: added LAN as the default interface configuration
proxy: local and remote blacklists with regex support
intrusion detection: initial release of our IDS GUI based on suricata
gateways: monitoring mode gained IPv6 support
captive portal: fix idle timeout bug
captive portal: do not delete the wrong zone when having multiple configurations
captive portal: removed include files from exposed web directory
backend: always regenerate users and groups to avoid corruption after an unclean shutdown
backend: wait for configd socket to come up to address a startup race issue
backend: clean up configd socket on exit
backend: fixed regression that prevented user scripts from being started via /etc/rc.conf
gateways: only show apinger in services when monitoring is enabled for a gateway
languages: brought Simplified Chinese to 49% completed, German to 30% completed
universal plug and play: make page invoke static to remove exploitability of the legacy packages framework
crash reporter: finally enabled the send button and provides human-readable feedback whether the submission was complete
console: added non-interactive interface assignment for headless deployments
ssh: disable password authentication on factory reset to align with the standard configuration
diagnostics: avoid duplicated calls of gethostbyaddr() in NDP table view
users: prompt for old password on password change to prevent account hijacking
users: stripped the impossible scponly user privileges since said utility has never been part of our ecosystem
Images can be found on any of our mirrors, but they may take a few hours to sync. The checksums are attached at the end of this announcement for convenience.
https://opnsense.org/download/
# SHA256 (OPNsense-15.7_LibreSSL-cdrom-amd64.iso.bz2) = 2251b042f47c710e3f940f1fca417f46b3f1f437e37973ae0ba11aa396a38501
# SHA256 (OPNsense-15.7_LibreSSL-nano-amd64.img.bz2) = 52a94a8cd9ace6733a6e311445cccbb27360a97a7c8ec5f9c8fe303be59dcf99
# SHA256 (OPNsense-15.7_LibreSSL-serial-amd64.img.bz2) = cc9a9827548984f5fc2b10222207b7088919c2da91bcdd29cdcc0f9890696b94
# SHA256 (OPNsense-15.7_LibreSSL-vga-amd64.img.bz2) = ae5c9882202e859a17074dffe433e7b2e160b3a0317a14f8562287122f4daf03
# SHA256 (OPNsense-15.7_LibreSSL-cdrom-i386.iso.bz2) = cbb6398e841db4d69f33e7a837d64636d87648a98fba3f1adf267cc168591ff7
# SHA256 (OPNsense-15.7_LibreSSL-nano-i386.img.bz2) = cb6cb90811310a2d15100505603fe853bd4c5044704061549a1671e35b7dc3c2
# SHA256 (OPNsense-15.7_LibreSSL-serial-i386.img.bz2) = 7e0fd8138f8b3e416b3cd72d095a2f6821c41175e2e4b69500e4c7088847bd0b
# SHA256 (OPNsense-15.7_LibreSSL-vga-i386.img.bz2) = f0c6cc573e0afec7bc9252e91f9e9164f11eee1298f5ce84ec8ec84f87ae160e
# SHA256 (OPNsense-15.7_OpenSSL-cdrom-amd64.iso.bz2) = 35f2bea1791db432ec625d155852403a6d1bfed468ab35ee3d3c448005bf555e
# SHA256 (OPNsense-15.7_OpenSSL-nano-amd64.img.bz2) = 8352cf10edaaff5bd2fe9f7322e67acb4fbe76238b82d0b60d7222f34a0adf7e
# SHA256 (OPNsense-15.7_OpenSSL-serial-amd64.img.bz2) = c995407085b06b0d1f1a4c00e7962ba89e2a7daefb21a6a24519861d92403b2b
# SHA256 (OPNsense-15.7_OpenSSL-vga-amd64.img.bz2) = 5630a50e2c23ab49ff95f62d61993f3038652f1225baefe1a3cc7d641b70af30
# SHA256 (OPNsense-15.7_OpenSSL-cdrom-i386.iso.bz2) = b27053f6afe979fe4b682538457dd5f3993e02a44f3f30638874d9c58a1f3504
# SHA256 (OPNsense-15.7_OpenSSL-nano-i386.img.bz2) = 410cab97a35660033ab1572cfa7eb0f411e08abf7325261185b645e361e15a19
# SHA256 (OPNsense-15.7_OpenSSL-serial-i386.img.bz2) = 5c0eacd5fd13abd5b575d7cb085ea5c4ad7e08250d8aac1f264965a01554c8e9
# SHA256 (OPNsense-15.7_OpenSSL-vga-i386.img.bz2) = 7a525085fa7140e3561ed3336a11a27c8ceafcab24bf871fd88900a15c5b69b6