Just after the release of IPFire 2.23 - Core Update 137, we are making the next update available to address and mitigate recently announced vulnerabilities in Intel processors.

Intel Vulnerabilities

Intel has blessed us again with a variety of hardware vulnerabilities which need to be mitigated in software. Unfortunately, these mitigations will further decrease the performance of your IPFire systems due to changes in Intel's microcode, which is also shipped with this Core Update.

If you would like to learn more about these vulnerabilities, please look here, here, here, and here.

We recommend installing this update as quickly as possible to prevent your system from being exploited through these vulnerabilities. A reboot is required to activate the changes.
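To confirm after the reboot that the mitigations are active, the kernel's own status files can be read. The following is an added example, not part of the IPFire release; it assumes the standard Linux sysfs directory `/sys/devices/system/cpu/vulnerabilities`, and the sample directory it can build is constructed.

```shell
#!/bin/sh
# Added example (not IPFire code): report the kernel's view of each CPU
# vulnerability after the update and reboot.
SYSFS_DIR=/sys/devices/system/cpu/vulnerabilities   # standard Linux sysfs path

# check_cpu_mitigations [DIR]
# Prints "STATE name: status" per entry. Returns 0 if nothing is reported
# as vulnerable, 1 if at least one entry is, 2 if DIR does not exist.
check_cpu_mitigations() {
    dir=${1:-$SYSFS_DIR}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        case $status in
            "Not affected"*)               state="OK  " ;;
            # Mitigated on one thread, but not across SMT siblings
            Mitigation:*"SMT vulnerable"*) state="WARN" ;;
            Mitigation:*)                  state="OK  " ;;
            # "Vulnerable..." or any text this script does not recognise
            *)                             state="VULN"; rc=1 ;;
        esac
        printf '%s %s: %s\n' "$state" "${f##*/}" "$status"
    done
    return "$rc"
}

# Constructed sample directory so the function can be tried offline. The
# strings follow the kernel's format but are not taken from a real host.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    echo 'Not affected' > "$d/l1tf"
    echo 'Mitigation: PTI' > "$d/meltdown"
    echo 'Mitigation: Clear CPU buffers; SMT vulnerable' > "$d/mds"
    echo 'Vulnerable: Clear CPU buffers attempted, no microcode' > "$d/sample_unpatched"
    echo "$d"
}
```

Called without an argument, `check_cpu_mitigations` reads the live system; a non-zero return on a rebooted, updated machine means the kernel still reports at least one issue as unmitigated.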

Stored XSS Vulnerability

A stored cross-site scripting vulnerability has been reported to us by Pisher Honda. In the mail.cgi script, an authenticated attacker could have stored a crafted value in the email service configuration.

This low-severity vulnerability has been fixed in this Core Update.


We are happy to announce the release of IPFire 2.23 - Core Update 137. It comes with an updated kernel, a reworked Quality of Service and various bug and security fixes.

Development around the Quality of Service and tackling some of the bugs required an exceptional amount of team effort in a very short time and I am very happy that we are now able to deliver the result to you to improve your networks. Please help us to keep these things coming to you with your donation!

An improved and faster QoS

As explained in detail in a separate blog post from the engine room, we have been working hard on improving our Quality of Service (QoS).

It allows smaller systems to pass a lot more traffic and reduces packet latency on faster ones, creating a more responsive and faster network.

To take full advantage of these changes, we recommend rebooting the system after installing the update.

Linux 4.14.150

The IPFire Kernel has been rebased on Linux 4.14.150 and equipped with our usual hardening and other patches.

The kernel has been tuned to deliver more throughput for IP connections and to reduce latency to a minimum to keep your network as responsive and fast as possible.

An especially nasty bug that caused the system to drop DNS packets when the Intrusion Detection System was enabled has been tracked down by a large group of IPFire developers with additional help from the Suricata team.

Misc.

  • Downloaded GeoIP databases were not always cleaned up from /tmp when a download was unsuccessful. This could cause the script to fill up the root partition. You can reboot your system to free up space if this has happened to you, too. The script has now been cleaned up and catches any errors so that it cleans up afterwards.
  • IPsec now supports Curve 448 with 224 bits of security. It is a lightweight and slightly faster alternative to Curve25519 and enabled by default for new connections.
  • Tim Fitzgeorge contributed a patch that restarts the syslog daemon after a backup has been restored, so that it closes old log files and writes to the restored ones.
  • /var/log/mail is now being rotated
  • Updated packages: bind 9.11.12, iptables 1.8.3, iproute2 5.3.0, knot 2.8.4, libhtp 0.5.30, libnetfilter_queue 1.0.4, libpcap 1.9.1, libssh 0.9.0, Net-SSLeay 1.88, pcre 8.43, strongswan 5.8.1, suricata 4.1.5, tzdata 2019c, unbound 1.9.4, wpa_supplicant 2.9
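The GeoIP download failure described in the first item above is a common pattern: a failed transfer leaves its partial file in /tmp. The following added example, which is not IPFire's updater script, shows one way to stage a download so that the temporary directory is removed on every exit path; `update_database`, the `dbupdate.` prefix and the two fetch functions are hypothetical names, and the fetchers are constructed stand-ins for a real transfer.

```shell
#!/bin/sh
# Added example, not IPFire's updater: stage a download in a private
# directory under /tmp and remove it on every exit path.

# update_database FETCH_CMD DEST
# FETCH_CMD (hypothetical) is called with the path it must write to.
# The body runs in a subshell, so the EXIT trap fires when the function
# finishes, whether the download succeeded or not.
update_database() (
    fetch_cmd=$1
    dest=$2
    workdir=$(mktemp -d "${TMPDIR:-/tmp}/dbupdate.XXXXXX") || exit 1
    trap 'rm -rf "$workdir"' EXIT
    trap 'exit 1' HUP INT TERM          # turn signals into a normal exit

    "$fetch_cmd" "$workdir/download" || exit 1   # transfer failed
    [ -s "$workdir/download" ] || exit 1         # an empty file is not a database
    mv "$workdir/download" "$dest"
)

# Constructed stand-ins for the real transfer, so this runs offline.
fetch_ok()   { printf 'constructed database\n' > "$1"; }
fetch_fail() { printf 'partial' > "$1"; return 1; }   # leaves a partial file

# Number of staging directories left behind under the temporary directory.
leftover_count() {
    n=0
    for p in "${TMPDIR:-/tmp}"/dbupdate.*; do
        if [ -e "$p" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}
```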

Add-ons

New: speedtest-cli

This is a handy tool to perform a regular speedtest on the console. It was packaged to test the QoS but is handy to test throughput of the firewall to and from the Internet on the console.

Updated Packages

  • bird 2.0.6 now supports RPKI validation by connecting to a process that holds the key material either via TCP or using SSH
  • sane has been updated to version 1.0.28 and now supports more hardware
  • A French translation is now available for the Who is Online? add-on
  • Others: clamav 0.102.0, hostapd 2.9, ipset 7.3, mtr 0.93, nano 4.5, ncat 7.80, nmap 7.80, shairport-sync 3.3.2, tcpdump 4.9.3, tor 0.4.1.6, tshark 3.0.5

Finally, the moment is here. We are launching our new Community Portal based on Discourse!

What is New?

Together with this new IPFire Community Portal, we are launching IPFire People - our new account system, which is being integrated here and into our bug tracker Bugzilla, Patchwork and many other things. In order to sign up, you will need to head over to IPFire People and register a new account. That will allow you to log in everywhere - a single sign-on solution.

A new categorisation system will organise topics better and hopefully allow us to keep conversations around a problem more contained in one place, have everyone join in to contribute their knowledge and therefore create a dynamic support community!

To be as inclusive as possible, we will make this portal English only. Having debated this for a long time, and after phasing out translations on the Wiki, we have decided that this way we will reach a maximum number of users and leave nobody excluded.

The project has a large group of users in Germany, but we keep growing and IPFire is becoming more and more popular all around the world. English is the de-facto language in Open Source and allows everyone to take part in our community.

Why Discourse?

Our support forums have been run by some outdated, PHP-based software for a long time. Every upgrade was a struggle. They did not look nice or add any features, but were rather a flashback to the web of the early 2000s.

After looking around for a long time for some better software, we discovered Discourse, which is now widely adopted, feels more modern and engaging, and is very simple to use. We hope that our community, which is large, but sometimes feels very quiet, will develop a different dynamic because of this and I am looking forward to being in touch with you all more!

Since there is no working converter and because of the changes in how the community is working, we are not going to migrate any user accounts or posts.

Retiring the old Forum

The old forum will remain around for a little while. But since it is not being patched any more, it is becoming a security threat for our whole infrastructure.

However, it is a source of vast knowledge around the project. At the same time, it is full of outdated information and many, many spam accounts. For that reason, it will disappear from the Internet in about a year.

The plan is to migrate any information that the community would like to retain into the IPFire Wiki where it should be. In order to do that, we will switch the forum into read-only mode in a couple of weeks. At that time, we will also send an invitation to all forum users to create a new account.

Any new conversation should be started here, on the new portal.

Get Started

If you do not have an account already, please register one now, log in to the new IPFire Community Portal and become a part of our community!