Dear IPFire Community,

this is the official release announcement for IPFire 2.21 – Core Update 124. It brings new features and immensely improves security and performance of the whole system.

Thanks for the people who contributed to this Core Update. Please help us to support everyone’s work with your donation!

IPFire on Amazon Cloud

IPFire is now available on AWS EC2. This is sponsored by Lightning Wire Labs and provides a virtual cloud appliance that is set up within minutes and provides the full set of features of IPFire.

IPFire is ideal to securely connect your infrastructure to the cloud by using IPsec VPNs and provides throughput of multiple tens of gigabits per second! But IPFire can also be used as a small instance that protects your web, mail and other servers in the cloud with the IPFire Intrusion Detection and Prevention Systen, load balance web traffic and many things more.

Try it now!

Kernel Hardening

We have updated the Linux kernel to version 4.14.72 which comes with a large number of bug fixes, especially for network adapters. It has also been hardened against various attack vectors by enabling and testing built-in kernel security features that prohibit access to privileged memory by unprivileged users and similar mechanisms.

Due to this, the update requires a reboot after it has been installed.

OpenSSH Hardening

Peter has contributed a number of patches that improve security of the SSH daemon running inside IPFire. For those, who have SSH access enabled, it will now require latest ciphers and key exchange algorithms that make the key handshake and connection not only more secure, but also faster when transferring data.

For those admins who use the console: The SSH client has also been enabled to show a graphic representation of the SSH key presented by the server so that comparing those is easier and man-in-the-middle attacks can be spotted quickly and easily.

Unbound Hardening

The settings of the IPFire DNS proxy unbound have been hardened to avoid and DNS cache poisoning and use aggressive NSEC by default. The latter will reduce the load on DNS servers on the internet through more aggressive caching and will make DNS resolution of DNSSEC-enabled domains faster.

EFI

IPFire now supports booting in EFI mode on BIOSes that support it. Some newer hardware only supports EFI mode and booting IPFire on it was impossible before this update. EFI is only supported on x86_64.

Existing installations won’t be upgraded to use EFI. However, the flash image and systems installed with one of the installation images of this update are compatible to be booted in both, BIOS and EFI mode.

Although this change does not improve performance and potentially increases the attack vector on the whole firewall system because of software running underneath the IPFire operating system, we are bringing this change to you to support more hardware. It might be considered to disable EFI in the BIOS if your hardware allows for it.

Misc.

  • CVE-2018-16232: Remote shell command injection in backup.cgi: It has been brought to our attention that it was possible for an authenticated attacker to inject shell commands through the backup.cgi script of the web user interface. Those commands would have been executed as a non-priviledged user. Thanks to Reginald Dodd to spot this vulnerability and informing us through responsible disclosure.
  • The hostname of the system was set incorrectly in the kernel before and is now being set correctly
  • Firewall: Creating rules with the same network as source and destination is now possible and renaming a network/host group is now correctly updating all firewall rules
  • Cryptography: ChaCha20-Poly1305 is now working on ARM, too
  • IPsec: The status of connections in waiting state is now shown correctly at all times; before, they always showed up as enabled although they were disabled.
  • pakfire: Some old and unused code has been cleaned out and the mirror health check has been removed, because a download will fail-over to another available mirror anyways
  • Intrusion Detection: Emerging Threats rules are now being downloaded over HTTPS rather than HTTP
  • Updated packages: bind 9.11.4-P1, iproute2 4.18.0, ntp 4.2.8p12, openssh 7.8p1, parted 3.2, pciutils 3.5.6, rng-tools 6.4, syslinux 6.04-pre1, unbound 1.8.0

Add-Ons

  • Updated packages: nano 3.1, postfix 3.3.1

Dear IPFire Community,

finally, our latest Core Update is available for testing. It is an update full of new features and immensely improves security and performance of the whole system.

Thanks for the people who contributed to this Core Update by submitting their patches and please help us to support everyone’s work with your donation!

Kernel Hardening

We have updated the Linux kernel to version 4.14.72 which comes with a large number of bug fixes, especially for network adapters. It has also been hardened against various attack vectors by enabling and testing built-in kernel security features that prohibit access to privileged memory by unprivileged users and similar mechanisms.

Due to this, the update requires a reboot after it has been installed.

OpenSSH Hardening

Peter has contributed a number of patches that improve security of the SSH daemon running inside IPFire. For those, who have SSH access enabled, it will now require latest ciphers and key exchange algorithms that make the key handshake and connection not only more secure, but also faster when transferring data.

For those admins who use the console: The SSH client has also been enabled to show a graphic representation of the SSH key presented by the server so that comparing those is easier and man-in-the-middle attacks can be spotted quickly and easily.

Unbound Hardening

The settings of the IPFire DNS proxy unbound have been hardened to avoid and DNS cache poisoning and use aggressive NSEC by default. The latter will reduce the load on DNS servers on the internet through more aggressive caching and will make DNS resolution of DNSSEC-enabled domains faster.

EFI

IPFire now supports booting in EFI mode on BIOSes that support it. Some newer hardware only supports EFI mode and booting IPFire on it was impossible before this update. EFI is only supported on x86_64.

Existing installations won’t be upgraded to use EFI. However, the flash image and systems installed with one of the installation images of this update are compatible to be booted in both, BIOS and EFI mode.

Although this change does not improve performance and potentially increases the attack vector on the whole firewall system because of software running underneath the IPFire operating system, we are bringing this change to you to support more hardware. It might be considered to disable EFI in the BIOS if your hardware allows for it.

Misc.

  • CVE-2018-16232: Remote shell command injection in backup.cgi: It has been brought to our attention that it was possible for an authenticated attacker to inject shell commands through the backup.cgi script of the web user interface. Those commands would have been executed as a non-priviledged user. Thanks to Reginald Dodd to spot this vulnerability and informing us through responsible disclosure.
  • The hostname of the system was set incorrectly in the kernel before and is now being set correctly
  • Firewall: Creating rules with the same network as source and destination is now possible and renaming a network/host group is now correctly updating all firewall rules
  • Cryptography: ChaCha20-Poly1305 is now working on ARM, too
  • IPsec: The status of connections in waiting state is now shown correctly at all times; before, they always showed up as enabled although they were disabled.
  • pakfire: Some old and unused code has been cleaned out and the mirror health check has been removed, because a download will fail-over to another available mirror anyways
  • Intrusion Detection: Emerging Threats rules are now being downloaded over HTTPS rather than HTTP
  • Updated packages: bind 9.11.4-P1, iproute2 4.18.0, ntp 4.2.8p12, openssh 7.8p1, parted 3.2, pciutils 3.5.6, rng-tools 6.4, syslinux 6.04-pre1, unbound 1.8.0

Add-Ons

  • Updated packages: nano 3.1, postfix 3.3.1

This is the release announcement for IPFire 2.21 – Core Update 123 – a house-keeping release with a large number of fixes and some fixes for security vulnerabilities.

Thanks for the people who contributed to this Core Update by submitting their patches and please help us to support everyone’s work with your donation!


This release ships a large number of microcode updates for various processors (linux-firmware 30.7.2018, intel-microcode 20180807). Most notable, vulnerabilities in Intel processors might have been fixed or mitigations applied. Microcodes are now also being loaded into the processor earlier to avoid any attacks on the system at boot time.

This update also comes with a large number of smaller changes that improve security and fix bugs:

  • OpenSSL has been updated to versions 1.1.0i and for legacy applications version 1.0.2p (CVE-2018-0732 and CVE-2018-0737)
  • IPsec
    • IPsec now supports ChaCha20/Poly1305 for encryption
    • It also allows to configure a connection to passively wait until a peer initiates it. This is helpful in some environments where one peer is behind NAT.
  • OpenVPN
    • Creating Diffie-Hellman keys with length of 1024 bits is no longer possible because they are considered insecure and not being supported by OpenVPN any more
    • There is better warnings about this and other cryptographic issues on the web user interface
  • Intrusion Detection
    • Links in the log files have been fixed to open the correct page with details about a certain attack
    • Downloads of rulesets properly validate any TLS certificates
  • The /proc filesystem has been hardened so that no kernel pointers are being exposed any more
  • nss-myhostname is now being used to dynamically determine the hostname of the IPFire system. Before /etc/hosts was changed which is no longer required.
  • collectd: The cpufreq plugin has been fixed
  • Generating a backup ISO file has been fixed
  • Updated packages: apache 2.4.34, conntrack-tools 1.4.5, coreutils 8.29, fireinfo, gnupg 1.4.23, iana-etc 2.30, iptables 1.6.2, libgcrypt 1.8.3, libnetfilter_conntrack 1.0.7, libstatgrab 0.91, multipath-tools 0.7.7, openvpn 2.4.6, postfix 3.2.6, rng-tools 6.3.1, smartmontools 6.6, squid 3.5.28, strongswan 5.6.3, tzdata 2018e, unbound 1.7.3

Add-ons

  • Support for owncloud has been removed from guardian (version 2.0.2)
  • Updates: clamav 0.100.1, fping 4.0, hplip 3.18.6, ipset 6.38, lynis 2.6.4, mtr 0.92, nginx 1.15.1, tmux 2.7, tor 0.3.3.9
  • avahi has been brought back in version 0.7 as it is required as a dependency by cups which has been fixed to automatically find any printers on the local network automatically
  • asterisk is now compiled with any optimisation for the build system which was accidentally enabled by the asterisk build system