The forthcoming update, IPFire 2.27 - Core Update 175, is available for testing! Most noteworthy, it updates OpenSSL to the 3.1.0 branch, features a kernel update as well as other package updates and a variety of bug fixes are also included in this update.

OpenSSL 3.1.1

IPFire makes heavy use of this cryptography library, which is why keeping it up to date (without causing any interference to existing installations) is an important task for the development team. Core Update 175 updates OpenSSL to version 3.1.1, for which some work under the hood was necessary, such as ensuring all dependent packages were ready for using OpenSSL's API, which has changed from the 1.1.x series.

To avoid breaking any custom software IPFire users may run on their installations, OpenSSL 1.1.1's files remain untouched on existing installations until the release of Core Update 176. However, please note that OpenSSL 1.1.1 is scheduled for end of life on September 11, 2023, and ensure any custom changes are made compatible to OpenSSL 3.1.x as soon as possible.

Linux 6.1.30

This Core Update also features an update of the Linux kernel. Aside from the usual heap of hardware support improvements, bug fixes, and other improvements, this fixes CVE-2023-32233, a flaw in Linux' Netfilter subsystem permitting local privilege escalation; IPFire installations properly kept up-to-date are thus not considered to be affected. Nevertheless, IPFire users are advised to install Core Update 175 as soon as possible once released, and reboot their system afterwards.

The kernel now also supports the Armada 38X RTC (#12856) and Intel's XHCI USB Role Switch feature. In addition, IPFire now supports both the OrangePi R1 Plus LTS and NanoPi R2C (plus) SoC.

Miscellaneous

• The hostapd add-on now enables QCA vendor extensions to nl80211, improving performance and stability of WiFi networks provided by an IPFire system with Qualcomm and Atheros cards considerably.
• Legacy firewall rules for PPPoE/PPTP have been dropped, since they are no longer needed, and pose a security risk to IPFire installations with QMI enabled.
• In addition, any bogon filtering has been adjusted to no longer interfere with 224.0.0.0/4, used for multicasting services, such as IPTV.
• rsnapshot has been contributed by Gerd Hoerst and Jon Murphy as a new add-on.
• Downloading large backup files will no longer trigger the OOM killer (#13096).
• The size of the boot partition has been extended to 512 MBytes, which is XFS' minimum requirement.
• Firmware files for APU1 boards are now provided again, to ensure firmware-update can update even very outdated APU boards properly.
• The powertop add-on has been removed, since it requires kernel functionalities which have been disabled due to security concerns in Core Update 171.
• CUPS' HTTPS websites are now properly accessible again (#12924).
• The dbus add-on is now properly terminated after uninstallation (#13094).
• Robin Roevens contributed a patch for displaying the logs crated by Zabbix Agent in IPFire's web interface.
• Installation and removal procedure of the alsa add-on have seen notable improvements (#13087).
• FUSE mounts in BorgBackup are now working properly again (#13076).
• Updated packages: acpid 2.0.34, apache 2.4.57, apr 1.7.4, aprutil 1.6.3, arping 2.23, automake 1.16.5, bash 5.2 (with patches 1 to 15), bind 9.16.39, grep 3.10, harfbuzz 7.2.0, iproute2 6.3.0, libcap 2.67, libgcrypt 1.10.2, libgpg-error 1.47, libhtp 0.5.43, libpcap 1.10.4, libxml2 2.11.1, linux-firmware 20230404, lvm2 2.03.21, memtest86+ 6.10, newt 0.52.23, OpenSSH 9.3p1, parted 3.6, pciutils 3.9.0, slang 2.3.3, sqlite 3410200, Squid 5.9, Suricata 6.0.12, tzdata 2023b, unbound 1.17.1, xfsprogs 6.2.0, zstd 1.5.5
• Updated add-ons: 7zip 17.05, alsa 1.2.9, amazon-ssm-agent 3.2.582.0, aws-cli 1.27.100, bird 2.0.12, ClamAV 1.1.0, dnsdist 1.8.0, elfutils 0.189, ffmpeg 6.0, freeradius 3.0.26, ghostscript 10.01.1, nfs 2.6.3, opus 1.4, pmacct 1.7.8, Postfix 3.8.0, rng-tools 2.16, samba 4.18.1, sdl2 2.26.5, tcpdump 4.99.4, zabbix_agentd 6.0.16 (LTS)

As always, we thank all people contributing to this release in whatever shape and form. Please help testing this update, especially if you are using exotic hardware, uncommon network setups, or add-ons, and provide feedback - which is absolutely essential to us.

The next Core Update has been released: IPFire 2.27 - Core Update 174. It is a traditional spring clean release which updates major parts of the core system and comes with a large number of bug fixes throughout.

This update also comes with a number of security patches in Apache, cURL and more, but none of them have been assessed as being exploitable on IPFire. Nevertheless, we intend to bring those updates to all of our users as soon as possible, and encourage speedy installation of Core Update 174.

Updated Toolchain

The "toolchain" includes the most basic parts to build software and consists of GCC as the compiler, Binutils as the assembler and linker, and glibc as the C standard library. They have been updated to their latest versions improving performance for all generated code and fixing bugs.

Although they are not as exciting for our users, they are the building blocks IPFire is founded on and make it the modern, fast and secure distribution that it is.

Bug Fixes

• The OpenVPN CGI will now display the expiry date of certificates.
• Duplicate address issuance by the DHCP server in case of overlapping fixed leases has been corrected (#10629).
• Customizing the Snort/VRT GPLv2 Community IPS ruleset has been fixed (#12948).
• The logs of apcupsd are now accessible through the system log viewer (#12950), as are the logs of the HAProxy add-on (#12922).
• Several CGIs have received CSS cleanups, resulting in better appearance (#13024, #13039).
• The Content-Type header of e-mails generated by the core system itself and various add-ons has been changed from multipart/mixed to multipart/alternative to avoid useless attachment icon display in some MUAs (#13040).
• Faulty CGI behaviour after toggling logging of dropped packages by the IP blocklists firewall component has been fixed (#12979).
• An overly permissive regular expression for parsing unbound log data has been corrected.
• The external traffic status page will now always use the correct interface to display traffic data from.
• efivar is now properly instructed to adjust instructions to the target architecture rather than that of the build host.
• The CPU graph has been redesigned for systems with large numbers of processor cores (#12890).
• Reloading IP blocklists after an update has been fixed (#13072).

Miscellaneous

• rng-tools has been moved from the core system to an add-on (#12900).
• Conversely, perl-TimeDate is now part of the core system, since it became a dependency of the OpenVPN CGI.
• Arne has worked a lot on bringing the RISC-V build up to speed.
• IPFire's trust store has been synced against Mozilla's current trusted CA certificate bundle.
• Useless Qualcomm Bluetooth firmware files are no longer shipped (IPFire dropped Bluetooth support a long time ago due to security reasons), saving a couple of megabytes on new and existing IPFire installations alike.
• Updated packages: apache 2.4.56, apr 1.7.2, bind 9.16.38, binutils 2.40, boost 1.81.0, curl 7.88.1, elinks 0.16.0, ethtool 6.2, freetype 2.13.0, gcc 12.2.0, glibc 2.37, gnutls 3.8.0, grep 3.9, harfbuzz 7.0.1, intel-microcode 20230214, iproute2 6.2.0, libtirpc 1.3.3, liburcu 0.14.0, linux-firmware 20230210, lmdb 0.9.30, logwatch 7.8, lsof 4.98.0, pango 1.50.13, poppler 23.03.0, poppler-data 0.4.12, qpdf 11.3.0, rust 1.67.0, squid 5.8, strongswan 5.9.10 (fixes CVE-2023-26463, which is not exploitable on IPFire unless heavily customized IPsec connections have been configured using the CLI rather than the IPsec web interface), sudo 1.9.13p3, tzdata 2022g, wireless-regdb 2023-02-12, zstd 1.5.4
• Updated add-ons: cups 2.4.2, dbus 1.14.6, epson-inkjet-printer-escpr 1.7.23, fetchmail 6.4.36, HAProxy 2.7.4, htop 3.2.2, make 4.4.1, monit 5.33.0, pcengines-apu-firmware 4.19.0.1, python3-setuptools 67.5.1, samba 4.17.5

As always, we thank all people contributing to this release in whatever shape and form. Please note IPFire is backed by volunteers, maintaining and improving this distribution in their spare time - should you like what we are doing, please donate to keep the lights on, an consider becoming engaged in development to distribute the load over more shoulders.

The next Core Update is ready for testing: IPFire 2.27 - Core Update 174. It is a traditional spring clean release which updates major parts of the core system and comes with a large number of bug fixes throughout.

This update also comes with a number of security patches in Apache, cURL and more, but none of them have been assessed as being exploitable on IPFire. Nevertheless, we intend to bring those updates to all of our users as soon as possible, and encourage speedy installation of Core Update 174 after its testing phase has been completed successfully.

Updated Toolchain

The "toolchain" includes the most basic parts to build software and consists of GCC as the compiler, Binutils as the assembler and linker, and glibc as the C standard library. They have been updated to their latest versions improving performance for all generated code and fixing bugs.

Although they are not as exciting for our users, they are the building blocks IPFire is founded on and make it the modern, fast and secure distribution that it is.

Bug Fixes

• The OpenVPN CGI will now display the expiry date of certificates.
• Duplicate address issuance by the DHCP server in case of overlapping fixed leases has been corrected (#10629).
• Customizing the Snort/VRT GPLv2 Community IPS ruleset has been fixed (#12948).
• The logs of apcupsd are now accessible through the system log viewer (#12950), as are the logs of the HAProxy add-on (#12922).
• Several CGIs have received CSS cleanups, resulting in better appearance (#13024, #13039).
• The Content-Type header of e-mails generated by the core system itself and various add-ons has been changed from multipart/mixed to multipart/alternative to avoid useless attachment icon display in some MUAs (#13040).
• Faulty CGI behaviour after toggling logging of dropped packages by the IP blocklists firewall component has been fixed (#12979).
• An overly permissive regular expression for parsing unbound log data has been corrected.
• The external traffic status page will now always use the correct interface to display traffic data from.
• efivar is now properly instructed to adjust instructions to the target architecture rather than that of the build host.
• The CPU graph has been redesigned for systems with large numbers of processor cores (#12890).
• Reloading IP blocklists after an update has been fixed (#13072).

Miscellaneous

• rng-tools has been moved from the core system to an add-on (#12900).
• Conversely, perl-TimeDate is now part of the core system, since it became a dependency of the OpenVPN CGI.
• Arne has worked a lot on bringing the RISC-V build up to speed.
• IPFire's trust store has been synced against Mozilla's current trusted CA certificate bundle.
• Useless Qualcomm Bluetooth firmware files are no longer shipped (IPFire dropped Bluetooth support a long time ago due to security reasons), saving a couple of megabytes on new and existing IPFire installations alike.
• Updated packages: apache 2.4.56, apr 1.7.2, bind 9.16.38, binutils 2.40, boost 1.81.0, curl 7.88.1, elinks 0.16.0, ethtool 6.2, freetype 2.13.0, gcc 12.2.0, glibc 2.37, gnutls 3.8.0, grep 3.9, harfbuzz 7.0.1, intel-microcode 20230214, iproute2 6.2.0, libtirpc 1.3.3, liburcu 0.14.0, linux-firmware 20230210, lmdb 0.9.30, logwatch 7.8, lsof 4.98.0, pango 1.50.13, poppler 23.03.0, poppler-data 0.4.12, qpdf 11.3.0, rust 1.67.0, squid 5.8, strongswan 5.9.10 (fixes CVE-2023-26463, which is not exploitable on IPFire unless heavily customized IPsec connections have been configured using the CLI rather than the IPsec web interface), sudo 1.9.13p3, tzdata 2022g, wireless-regdb 2023-02-12, zstd 1.5.4
• Updated add-ons: cups 2.4.2, dbus 1.14.6, epson-inkjet-printer-escpr 1.7.23, fetchmail 6.4.36, HAProxy 2.7.4, htop 3.2.2, make 4.4.1, monit 5.33.0, pcengines-apu-firmware 4.19.0.1, python3-setuptools 67.5.1, samba 4.17.5

As always, we thank all people contributing to this release in whatever shape and form. Please help testing this update, especially if you are using exotic hardware, uncommon network setups, or add-ons, and provide feedback - which is absolutely essential to us.