With this week's release of Core Update 146, we have already made the next one available for testing. It contains a large number of package updates and brings some security updates.

Security Updates

The squid web proxy had a number of security vulnerabilities that have been patched in version 4.12. Those are:

There was a third vulnerability in the TLS component of squid which is not activated in IPFire and therefore IPFire is not vulnerable (CVE-2020-14058).

Misc.

  • The Linux firmware package was updated to version 20200519 and brings various improvements to hardware components and adds support for more hardware.
  • A long-standing issue with forwarding GRE connections has been resolved. It was absolutely impossible to get such connections through the firewall, because IPFire's internal connection tracking refused to handle them.
  • Amazon Web Services: The firewall will now configure all zones to use jumbo frames by default. Since Amazon's network allows packets with up to 9001 bytes, this will increase bandwidth in the cloud. The RED interface is exempt, because the Internet still defaults to only 1500 bytes per packet.
  • Updated packages: bind 9.11.20, dhcpcd 9.1.2, GnuTLS 3.6.14, gmp 6.2.0, iproute2 5.7.0, libassuan 2.5.3, libgcrypt 1.8.5, libgpg-error 1.38, OpenSSH 8.3p1, squidguard 1.6.0

Add-ons

Updates

  • Bacula, a backup solution, was updated to version 9.6.5 by Adolf Belka
  • borgbackup 1.1.13
  • haproxy 2.1.7
  • Joe 4.6

Although this update is rather small in number of changes, it is rather large on disk due to the many Linux firmware files that we are shipping. Please help us test this release to make sure it won't introduce any new regressions into IPFire.


The next Core Update for IPFire is available. It updates the IPFire kernel, enhances its hardening and adds mitigations for Intel's latest hardware vulnerabilities.

Linux 4.14.184

Arne has rebased the IPFire kernel on version 4.14.184 from the Linux kernel developers and integrated our custom patches into this release. It brings various stability and security fixes.

This kernel brings mitigations for processor vulnerabilities in Intel's processors and includes updates of Intel's microcode.

Discontinuing support for 32 bit systems with PAE

Since it is becoming more and more difficult to support 32 bit architectures, we have taken the decision to slowly phase them out. This will free development time which currently only very few users benefit from and will help us focus on features that are used by larger groups of the community.

On 32 bit Intel (i.e. i586), we have removed the optional PAE kernel. This kernel allowed addressing more than 4GB of memory even on 32 bit systems and brought some hardening that is not possible on processors that do not support PAE and the NX bit.

Those systems are very few now and we recommend upgrading to 64 bit, since this hardware very often supports 64 bit, too. For those who are still running a pure 32 bit installation, we recommend upgrading your hardware soon.

For now, we will continue to support 32 bit, but it has definitely become a second-class architecture for the Linux kernel developers as well as for plenty of other software. Many major distributions retired their ix86 ports many years ago, so maintaining it falls to fewer and fewer developers who do the work for fewer and fewer users. Fixes for the recent vulnerabilities, predominantly in Intel's processors, have not been fully backported to 32 bit either.

Additionally, we have retired the Xen installer tool for 32 bit paravirtualised systems. This was used on systems that do not support hardware virtualisation and is not used by many people any more.
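
A quick post-upgrade check for the points above, as an added example that is not part of the IPFire announcement or its code: it reads the standard Linux interfaces `/proc/cpuinfo` and `/sys/devices/system/cpu/vulnerabilities` to tell whether a 32 bit machine could run the 64 bit image and which processor issues the running kernel still reports as unmitigated. The function names are made up for this example.

```shell
#!/bin/sh
# Added example: CPU capability and mitigation status after a kernel update.
# Paths default to the live system; pass other paths to run on sample files.

# cpu_has FLAG [CPUINFO]: succeed if the first "flags" line lists FLAG exactly.
cpu_has() {
    awk -v want="$1" '
        /^flags/ { for (i = 3; i <= NF; i++) if ($i == want) found = 1; exit }
        END      { exit !found }
    ' "${2:-/proc/cpuinfo}"
}

# arch_advice [CPUINFO]: classify the CPU for the 32 bit / PAE decision.
#   lm       = long mode, the CPU can run a 64 bit kernel
#   pae + nx = what the removed 32 bit PAE kernel relied on for its hardening
arch_advice() {
    if cpu_has lm "$1"; then
        echo "64bit-capable"
    elif cpu_has pae "$1" && cpu_has nx "$1"; then
        echo "32bit-pae-nx"
    else
        echo "32bit-only"
    fi
}

# unmitigated [DIR]: print the name of every issue whose sysfs status
# contains "Vulnerable" (for the CPU itself or a sub-component such as KVM).
unmitigated() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            *Vulnerable*) basename "$f" ;;
        esac
    done
}

# Report for the machine this runs on.
echo "architecture: $(arch_advice)"
echo "kernel reports unmitigated: $(unmitigated | tr '\n' ' ')"
```

An entry listed by `unmitigated` on a machine that already runs the new kernel usually points at missing microcode or at a 32 bit installation that did not receive the backported fix.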


It is time for another important and exciting update for IPFire. IPFire 2.25 - Core Update 146 is available for testing. It updates the IPFire kernel, enhances its hardening against attacks and improves its performance.

Please support our work

Please support us by helping us test this release, so that we can release it as soon as possible and introduce as few regressions as possible.

You can also donate to the project to fund the developers' work and make IPFire better!