Dear community,

the summer has been a quiet time for us, with a little relaxation but also a shift of focus to our infrastructure and other things. Now we are back with a large update that is packed with important new features and fixes.

OpenSSL 1.1.1d

This update ships the latest update of the OpenSSL library which has received some important fixes in its latest release:

  • CVE-2019-1547: With custom elliptic curves, timing attacks were made possible again. This is of very low risk in IPFire, since we are not using any custom curves.
  • CVE-2019-1549: Forked processes could have shared the same seed for their random number generator; this is fixed in this release by mixing in a high-precision timer.
  • CVE-2019-1563: Another padding oracle for large PKCS7 messages.

All of these are classified as "low severity". However, we recommend installing this update as soon as possible.
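The CVE-2019-1549 item describes a general hazard: a process seeds its generator once, then forks, and every child inherits a byte-for-byte copy of the generator state, so all of them produce the same "random" output. The following is an added illustration, not OpenSSL's or IPFire's code: a Python `random.Random` instance (a constructed stand-in for any user-space PRNG that is not reseeded on fork) is handed to two forked children, which return the value they drew. Without a fork hook the children collide; with a hook that reseeds the child from the OS entropy pool plus a high-resolution timer they diverge. The fixed seed and the hook installation are assumptions of the demo.

```python
import os
import random
import struct
import time


def fresh_rng(seed=20190910):
    """Constructed stand-in for a PRNG seeded once at process start-up
    (the fixed seed only makes the demonstration reproducible)."""
    return random.Random(seed)


def reseed_from_entropy(rng):
    """Reseed `rng` from the OS entropy pool mixed with a high-resolution
    timer, so children forked from the same parent diverge from each other."""
    rng.seed(os.urandom(32) + struct.pack("!Q", time.perf_counter_ns()))


def install_fork_reseed(rng):
    """Mitigation: reseed automatically in the child right after fork().
    os.register_at_fork (Python 3.7+) plays the role of a pthread_atfork
    handler; once registered it stays active for the life of the process."""
    os.register_at_fork(after_in_child=lambda: reseed_from_entropy(rng))


def draw_in_children(rng, count=2):
    """Fork `count` children; each draws one 64-bit value from the inherited
    `rng` and sends it back over a pipe. The parent never advances `rng`, so
    every child starts from the same copied state unless something reseeds
    it after fork()."""
    values = []
    for _ in range(count):
        read_end, write_end = os.pipe()
        pid = os.fork()
        if pid == 0:  # child: draw, report, exit without running any cleanup
            os.close(read_end)
            os.write(write_end, struct.pack("!Q", rng.getrandbits(64)))
            os._exit(0)
        os.close(write_end)
        data = os.read(read_end, 8)  # an 8-byte pipe write is delivered whole
        os.close(read_end)
        os.waitpid(pid, 0)
        values.append(struct.unpack("!Q", data)[0])
    return values


def children_agree(rng, count=2):
    """True when every child produced the identical value, i.e. the
    generator state was shared across the fork."""
    return len(set(draw_in_children(rng, count))) == 1


if __name__ == "__main__":
    rng = fresh_rng()
    print("children collide without reseed:", children_agree(rng))
    install_fork_reseed(rng)
    print("children collide with reseed after fork:", children_agree(rng))
```

The check worth keeping from this is `children_agree`: run it against any generator your service hands to forked workers, and a `True` answer means session identifiers, nonces or keys derived in those workers are predictable from each other.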

Perl 5.30

Arne has been busy working on updating Perl to the latest stable version. This requires that the many applications that use Perl, like our own web user interface, as well as many add-ons, have to be shipped again. Hence this update is rather large.

GeoIP

Since MaxMind is no longer publishing their GeoIP database in the original format, and unfortunately does not provide any good bindings for the new format, we have only been able to make an outdated version of the database available in IPFire.

There is now a script that converts the current data into the old format which allows us to ship a recent database again.

This database is, however, only used for showing the country flags on the web UI. GeoIP blocking uses a database in a different format and therefore always has recent data, so that only the intended traffic is blocked.

Misc.

  • The firewall has a limit for log messages so that flooding the firewall with packets cannot cause a Denial-of-Service by filling up the hard drive with gigabytes of logs, or starve the system with write operations. This limit was however very low by modern standards and has therefore been increased to 10 logged packets per second. That will ensure that we won't drop a packet without logging it.
  • Updated packages: apache 2.4.41, bind 9.11.10, clamav 0.101.4, dhcpcd 8.0.3, knot 2.8.3, logrotate 3.5.1, openssh 8.0p1, patch 2.7.6, texinfo 6.6, unbound 1.9.3, usb_modeswitch 1.5.2
  • logwatch and logrotate could conflict when running at the same time. This has been changed so that only one of them runs at a time.
  • Log messages for DMA, the IPFire mailer, and Postfix are now shown on the web UI
  • The toolchain now ships a compiler for Go
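The log limit item above is a token bucket: a sustained rate of log lines per second, plus a small burst, and any packet arriving once the bucket is empty is still accepted or dropped by the firewall but produces no log line. The simulation below is an added example written for this post, not IPFire's rule set; it mimics the shape of netfilter's `limit` match with the 10 per second figure from the announcement. The burst of 10 and the constructed packet timings are assumptions, and timestamps and tokens are kept as integers (milliseconds, thousandths of a token) so the counts are exact.

```python
class LogLimiter:
    """Token bucket for log events: `rate_per_sec` sustained, `burst` back to
    back. Integer millitokens avoid float drift in the bookkeeping.
    Illustrative; not IPFire's or netfilter's implementation."""

    def __init__(self, rate_per_sec=10, burst=10):
        # rate tokens per 1000 ms == rate millitokens per ms
        self.refill_per_ms = rate_per_sec
        self.capacity = burst * 1000
        self.tokens = self.capacity
        self.last_ms = None

    def allow(self, ts_ms):
        """Return True if a packet seen at `ts_ms` earns a log line."""
        if self.last_ms is not None:
            gained = (ts_ms - self.last_ms) * self.refill_per_ms
            self.tokens = min(self.capacity, self.tokens + gained)
        self.last_ms = ts_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def run(packet_times_ms, rate_per_sec=10, burst=10):
    """Feed packet arrival times (ms) through the limiter.
    Returns (logged, suppressed): packets that got a log line and packets
    the firewall handled without writing one."""
    limiter = LogLimiter(rate_per_sec, burst)
    logged = suppressed = 0
    for ts in sorted(packet_times_ms):
        if limiter.allow(ts):
            logged += 1
        else:
            suppressed += 1
    return logged, suppressed


def trickle(count=30, per_second=5):
    """Constructed sample: a steady 5 packets/s, below the limit."""
    return [i * (1000 // per_second) for i in range(count)]


def flood(count=1000):
    """Constructed sample: 1000 packets inside one second, one per ms."""
    return list(range(count))


if __name__ == "__main__":
    print("trickle (30 pkt over 6 s):", run(trickle()))   # everything logged
    print("flood (1000 pkt in 1 s):  ", run(flood()))     # burst + ~rate logged
```

Under the trickle every packet is logged; under the flood the disk receives the burst plus roughly the sustained rate and nothing more, which is the bound the limit exists to enforce. When tuning such a limit, size the burst so that a legitimate scan of a few ports is fully logged while a sustained flood is not.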

Add-ons

  • Updated packages: freeradius 3.0.19, haproxy 2.0.5, postfix 3.4.6, spamassassin 3.4.2, zabbix_agent 4.2.6
  • dnsdist has had its limit of open connections increased to work better in bigger environments
  • tor: A permission problem has been fixed so that the web UI can save settings again
  • wio: The RRD files are now included in the backup, and various UI improvements have been made

Please reboot!

This update needs a reboot of your IPFire system.

Please join in to help us test and make this another successful and bug-free release of IPFire. Please report any bugs to Bugzilla, and if you cannot spare any of your time, you can of course help us out with a donation.


Infrastructure Updates

by Michael Tremer, September 12, Updated September 12

This is a post to the developers and other people who contribute to the IPFire project and have an account on our infrastructure.

Since we have rolled out loads of changes recently, some changes to your client configuration are required. This was announced on the development mailing list, but for those who have missed it, here is a little blog post.

Step 1: Change your password

We have introduced Kerberos to all of our internal services. This will help us to make authentication more secure and at the same time more convenient through single sign-on. To create all necessary attributes in your user profile and generate a Kerberos key, you will need to log in to people.ipfire.org and change your password, as Kerberos keys are derived from your password. Please make sure to use a very strong password.

Step 2: Update your email client

If you are using an email client on your desktop or mobile, please update the settings as shown on the wiki.

That is it! You are now set up to use our new email server with all the new features like TLSv1.3. More on that in an extra blog post soon...


This is the official release announcement for IPFire 2.23 - Core Update 135, which is packed with a new kernel and various bug fixes. We recommend installing it as soon as possible.

Kernel Update

The IPFire Linux kernel has been rebased on 4.14.138 and various improvements have been added. Most notably, this kernel - once again - fixes CPU vulnerabilities.

Misc.

  • On x86_64, the effectiveness of KASLR has been improved, which prevents attackers from executing exploits or injecting code
  • DNS: unbound has been improved so that it takes much less time to start up when a DNS server is unavailable.
  • The scripts that boot IPFire have been rewritten and cleaned up for a faster boot, and they now handle some error cases better
  • Updated packages: dhcpcd 7.2.3, nettle 3.5.1, squid 4.8, tzdata 2019b

Add-ons

Updated Packages

  • bird 2.0.4
  • clamav 0.101.3
  • iperf 2.0.13
  • iperf3 3.7
  • mc 4.8.23
  • pcengines-firmware 4.9.0.7