This is the official release announcement for IPFire 2.23 - Core Update 136. A new update packed with loads of security fixes, bug fixes and a couple of important new features.
Please donate to help our developers and keep bringing you new features. Thank you, it means a lot.
This update ships the latest update of the OpenSSL library which has received some important fixes in its latest release:
- CVE-2019-1547: With custom elliptic curves, timing attacks were made possible again. This is of very low risk in IPFire, since we are not using any custom curves.
- CVE-2019-1549: Forked processes could have shared the same seed for their random number generator which is being fixed in this one by mixing in a high precision timer.
- CVE-2019-1563: Another padding oracle for large PKCS7 messages
All of these are classified as "low severity". However, we recommend to install this update as soon as possible.
Arne has been busy and been working on replacing Perl with the latest stable version. This requires that loads of applications that use Perl - like our own web user interface - have to be shipped again as well as many add-ons. Hence this update is rather large.
Since Maxmind is no longer publishing their GeoIP database in the original format, but unfortunately not providing any good bindings for the new release, we have only had an outdated version of the database that we made available in IPFire.
There is now a script that converts the current data into the old format which allows us to provide a recent database again.
This database is however only being used for showing the country flags on the web UI. GeoIP blocking uses a database in a different format and therefore always has recent data to only block the right things.
- The firewall has a limit for log messages so that flooding the firewall with packets won't cause a Denial-of-Service by filling up the hard drive with gigabytes of logs and also to not starve on write operations. This limit was however very low for modern standards and has therefore been increased to 10 logged packets per second. That will ensure that we won't drop a packet without logging it.
- Updated packages:
logrotate could conflict when running at the same time. This has been changed so only one of them is running at the same time.
- Log messages for DMA, the IPFire mailer, and Postfix are now shown on the web UI
- The toolchain now ships a compiler for Go
- Updated packages:
dnsdist has had its limit of open connections increased to work better in bigger environments
tor: A permission problem has been fixed so that the web UI can save settings again
wio: The RRD files will now be included in the backup as well as various UI improvements have been done
This update needs a reboot of your IPFire system.