Happy Thanksgiving! Today, we are releasing the latest update for IPFire as our special Black Friday gift for you. It comes with a large number of security updates in OpenSSL, Suricata, Apache & Samba as well as a number of kernel fixes.

If you haven't spent all your money on all the great Black Friday offers, maybe consider making a donation to IPFire today. It helps us to bring you these updates more frequently and allows us to pack more exciting things into them. If you would like to support us, please donate today!

Under The Hood

This update features yet another kernel update based on Linux 6.1.61. It brings various security & stability fixes as well as improving IOMMU handling on ARM. To improve security, we have followed Google and disabled io_uring for the time being as it seems to have a lot of security issues.

We have also switched from eudev to the upstream udev which is now part of systemd as eudev is no longer maintained and was lagging behind upstream.

Security Updates

• OpenSSL 3.1.4: The OpenSSL project announced a security vulnerability (CVE-2023-5363)
• suricata 6.0.15: This update patches a potential denial-of-service vulnerability in the MIME decoder
• Apache 2.4.58 patches a number of security issues in the HTTP/2.0 engine (CVE-2023-45802, CVE-2023-43622 & CVE-2023-31122)
• Samba 4.19.2: Various security issues have been fixed which could be exploited to cause data loss and elevate privileges (CVE-2023-3961, CVE-2023-4091, CVE-2023-4154, CVE-2023-42669 & CVE-2023-42670)

Misc.

• A long standing issue in OpenVPN has been fixed where the web UI offered to download a configuration package in an incorrect format when no password was configured (#11048)
• Other package updates: lynis 3.0.9, Postfix 3.8.2, sysvinit 3.08, Tor 0.4.8.7, Zabbix Agent 6.0.22

It is time to test the latest version of IPFire: It comes with a large number of security updates in OpenSSL, Suricata, Apache & Samba as well as a number of kernel fixes.

Under The Hood

This update features yet another kernel update based on Linux 6.1.61. It brings various security & stability fixes as well as improving IOMMU handling on ARM. To improve security, we have followed Google and disabled io_uring for the time being as it seems to have a lot of security issues.

We have also switched from eudev to the upstream udev which is now part of systemd as eudev is no longer maintained and was lagging behind upstream.

Security Updates

• OpenSSL 3.1.4: The OpenSSL project announced a security vulnerability (CVE-2023-5363)
• suricata 6.0.15: This update patches a potential denial-of-service vulnerability in the MIME decoder
• Apache 2.4.58 patches a number of security issues in the HTTP/2.0 engine (CVE-2023-45802, CVE-2023-43622 & CVE-2023-31122)
• Samba 4.19.2: Various security issues have been fixed which could be exploited to cause data loss and elevate privileges (CVE-2023-3961, CVE-2023-4091, CVE-2023-4154, CVE-2023-42669 & CVE-2023-42670)

Misc.

• A long standing issue in OpenVPN has been fixed where the web UI offered to download a configuration package in an incorrect format when no password was configured (#11048)
• Other package updates: lynis 3.0.9, Postfix 3.8.2, sysvinit 3.08, Tor 0.4.8.7, Zabbix Agent 6.0.22

Please help us test this update and report and feedback back to us. If you like what we do, please support our developers with your donation.

It is time for another update for your most favourite firewall: IPFire 2.27 - Core Update 180 is out - coming with an updated toolchain, a large number of package updates, deprecation for ReiserFS as well as a number of bug and security fixes.

Toolchain Update

IPFire has been rebased on the latest version of the GNU toolchain comprising of glibc 2.38, GCC 13.2.0 & binutils 2.41. This allows us to keep IPFire modern, taking advantage of the latest advances in hardware support and acceleration, but most importantly use the latest hardening technologies available to us.

ReiserFS Deprecation

The Linux kernel maintainers have deprecated support for ReiserFS.

This filesystem has been available for installation in IPFire in the past, but we have removed the option to create new systems in Core Update 167. Therefore we do not expect many people to be using this on IPFire. If you do, you will see a warning on the web console that will warn you about using ReiserFS. Unfortunately, you will need to backup your system and perform a reinstall with a different filesystem, and finally restore the backup.

If you don't use see the warning, you ware using a different filesystem and no action is required.

Misc.

• cURL has been patched against a heap buffer overflow (CVE-2023-38545)
• Package updates: bind 9.16.44, Boost 1.83.0, dhcpcd 10.0.2, freetype 2.13.2, gzip 1.3, hwdata, iana-etc 20230810, json-c 0.17, krb5 1.21.2, libedit 20230828-3.1, libgudev 238, libtiff 4.5.1, libnl-3 3.8.0, mpfr 4.2.1, OpenSSH 9.4p1, procps 4.0.4, sqlite 3.43.0, squid 6.3, tcl 8.6.13, tzdata 2023c, unbound 1.18.0, util-linux 2.39.2, wireless-regdb 2023-05-03, vnstat 2.11, wget 1.21.4, whois 5.5.18, zlib 1.3
• Updated add-ons: bacula 11.0.6, clamav 1.2.0, foomatic 4.0.13, Git 2.42.0, mc 4.8.30, ncdu 1.18.1, samba 4.19.0, SDL 2.28.3, Tor 0.4.8.5, traceroute 2.1.2, transmission 4.0.4, xinetd 2.3.15.4, zabbix-agent 6.0.21
• Jonatan Schlag cleaned up some no longer used functionality from the network scripts
• wtmp files are now rotated monthly, keeping them for one year

Although this change log does not read very long, the update is a large step and moves IPFire forward to become an even better firewall. If you would like to support us, please donate!