Hello everyone,

I hope everyone is making their way okay through this pandemic. In case you got bored, we have a brand new Core Update available for you for testing.
It introduces new metrics for OpenVPN and ships the largest number of package updates that we have ever had, fixing various bugs and carrying plenty of security-related fixes.

OpenVPN Metrics

OpenVPN will from now on collect metrics about connected clients. On an extra page, it will be shown which client has connected when and for how long it was connected.

Misc.

  • The random number generator will be launched earlier in the boot process to see the kernel's pseudo-random number generator as soon as possible. On some systems, this could have blocked the boot process for a couple of minutes.
  • Firewall: Connections that are being NATed will now always be logged in the filter chain, too
  • vnstat, the tool behind the net traffic graphs on the IPFire web user interface has been updated to use a new database format and refreshes its graphs more often, for more detailed and accurate data
  • Pakfire correctly uses upstream proxies now
  • A vast amount of system libraries have been updated. They make the system faster, more robust, and more secure: automake 1.16.2, berkeley 5.3.28, bind 9.11.19, cmake 3.17.0, coreutils 8.32, hyperscan 5.2.1, iproute2 5.6.0, ipset 7.6, knot 2.9.4, libevent2 2.1.11-stable, libhtp 0.5.33, libjpeg 2.0.4, libpng 1.6.37, libseccomp 2.4.3, libusb 1.0.23, libwww-perl 6.43, netpbm 10.73.31, openldap 2.4.29, openvpn 2.4.9, suricata 5.0.3, unbound 1.10.1, vnstat 2.6
  • The translations have been improved by adding new phrases, fixing typos and removing unused translation strings.

Add-ons

Updated packages: borgbackup 1.1.11, clamav 0.102.3, faad2 2.8.8,
ffmpeg 4.4.2, fping 4.2, lame 3.100, libogg 1.3.4, libmpeg2 0.4.1, libshout 2.4.3, libtiff 4.1.0, libvorbis 1.3.6, motion 4.3.0, nano 4.9.2, opus 1.3.1, pcengines-apu-firmware 4.11.0.6, postfix 3.5.1, shairport-sync 3.3.6, sox 14.4.2, strace 5.5, taglib 1.11.1, tmux 3.1, tor 0.4.3.5, tshark 3.2.3, xvid 1.3.7

netatalk has been added as a new package. It provides file-sharing services for Apple devices.

WIO has been updated and shows the connection times for IPsec tunnels.


This is the official release announcement for IPFire 2.25 - Core Update 144. This contains a number of security fixes in OpenSSL, the squid web proxy, the DHCP client and more. We recommend to install it as soon as possible and reboot.

OpenSSL 1.1.1g

The OpenSSL team has issued a security advisory for the 1.1.1 release with "high" severity.

Applicants on client or service side that call SSL_check_chain() during a TLSv1.3 handshake may crash the application due to incorrect handling of the signature_algorithms_cert" TLS extension.

CVE-2020-1967 has been assigned to track this vulnerability and an immediate installation of this update is recommended.

The DHCP Client (#12354)

Some users using RED in DHCP mode might have seen various crashes of the client. This happened because of attackers sending forged DHCP replies from cloud-hosted networks across the Internet.

After the daemon crashed, the firewall would lose Internet connectivity until it is manually restarted.

Providers normally filter forged DHCP traffic, but some do not seem to do this correctly. We are in touch with them and try to find a solution.

The Squid Web Proxy

The web proxy is vulnerable to cross-site scripting attacks, cache poisoning and access control bypass when processing HTTP request messages.

These problems are known as SQUID-2020:4, SQUID-2019:12, SQUID-2019:4, CVE-2020-11945, CVE-2019-12519, CVE-2019-12521, CVE-2019-12520, CVE-2019-12524 and #12386.

Misc.

  • Updated packages: apache 2.4.43, bind 9.11.18, dhcpcd 9.0.2, squid 4.11
  • The build system has changed the Go compiler from GCCGO to Golang which seems to be introducing fewer bugs into compiled programs

Less than 48 hours after releasing IPFire 2.25 - Core Update 143, we already have the next update ready for testing. It is full with fixes for security vulnerabilities in OpenSSL, the squid web proxy, the DHCP client and more.

OpenSSL 1.1.1g

The OpenSSL team has issued a security advisory for the 1.1.1 release with "high" severity.

Applicants on client or service side that call SSL_check_chain() during a TLSv1.3 handshake may crash the application due to incorrect handling of the signature_algorithms_cert" TLS extension.

CVE-2020-1967 has been assigned to track this vulnerability and an immediate installation of this update is recommended.

The DHCP Client (#12354)

Some users using RED in DHCP mode might have seen various crashes of the client. This happened because of attackers sending forged DHCP replies from cloud-hosted networks across the Internet.

After the daemon crashed, the firewall would lose Internet connectivity until it is manually restarted.

Providers normally filter forged DHCP traffic, but some do not seem to do this correctly. We are in touch with them and try to find a solution.

The Squid Web Proxy

The web proxy is vulnerable to cross-site scripting attacks, cache poisoning and access control bypass when processing HTTP request messages.

These problems are known as SQUID-2020:4, SQUID-2019:12, SQUID-2019:4, CVE-2020-11945, CVE-2019-12519, CVE-2019-12521, CVE-2019-12520, CVE-2019-12524 and #12386.

Misc.

  • Updated packages: apache 2.4.43, bind 9.11.18, dhcpcd 9.0.2, squid 4.11
  • The build system has changed the Go compiler from GCCGO to Golang which seems to be introducing fewer bugs into compiled programs

Please help us testing this release, so that we can make it available for all users as soon as possible. Report any feedback to our bugtracker and you can of course support the IPFire Project with your donation.