This is the official release announcement for IPFire 2.17 – Core Update 92. This update comes with various security fixes for the OpenSSL library and the squid web proxy server.
The openssl package has been updated to version 1.0.2d because of a high severity security fix filed under CVE-2015-1793.
During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate.
More information can be found in the security advisory.
Squid Advisory SQUID-2015:2
This update comes with a patched version of squid to fix SQUID-2015:2.
conntrack-tools 1.4.2, curl 7.43.0, dnsmasq 2.73, libgcrypt 1.63, libgpg-error 1.18, libnfnetlink 1.0.1, libnetfilter_conntrack 1.0.4, libnetfilter_queue 1.0.2, libnetfilter_cthelper (new package), libpcap 1.7.3, libusb 1.0.19 (replaces libusbx), python 2.7.10, rrdtool 1.5.3
7zip 9.38.1, asterisk 11.18.0, git 2.4.4 (and perl modules for
git send-email: perl-Net-SMTP-SSL, perl-MIME-Base64, perl-Authen-SASL), keepalived 1.2.17, libassuan 2.2.0, nano 2.4.1, powertop 2.7, tcpdump 4.7.4, tor 0.2.6.9
- ipsec: Allow selection of ESP group type (#10860)
- webaccess.cgi: Fix loading language
- connections.cgi: Fix broken NAT rules when there is an empty destination IP address
- url-filter: Use upstream proxy when downloading blacklists