just a few days after the release of IPFire 2.19 – Core Update 100, we uploaded the upcoming Core Update to the testing tree and would like to ask all of you to take part in testing it.
This update contains various security fixes, bug fixes and we would like to release it as soon as possible. These are the changes in detail:
Cross-Site-Scripting Vulnerability and Remote Code Execution in the IPFire Web User Interface
Yann Cam, an independent security researcher, discovered to vulnerabilities in the IPFire Web User interface that could be used in some circumstances. In the
ipinfo.cgi file, a cross-site scripting attack could be executed on logged in users and in two more CGI files (
chpasswd.cgi), a remote code execution vulnerability was found which allowed attackers to use the aforementioned cross-site scripting attack to execute shell commands as an unprivileged user on the IPFire system.
These attacks are only possible to perform on an admin’s computer and only in that instance when the administrator is logged in to the web user interface. Of course we recommend to install this update as soon as possible to close these vulnerabilities.
We would like to thank Yann to look closely at the IPFire code and help us to improve it and we would like to invite everyone who wants to do so as well and report any bugs or security vulnerabilities that they may find.
Security Fixes in other packages
The web proxy
squid was patched against a vulnerability filed under CVE-2016-3947 that cannot be exploited in IPFire.
Connection Tracking Issues
On many systems, some protocols that require special care by the connection tracking implementation failed to traverse NAT. These include FTP, SIP and PPTP and where unfortunately not discovered in the testing phase of Core Update 100 before.
Those connection tracking helpers are now enabled by default on all migrated systems.
- installer: A bug on x86_64 systems let the EXT4 filesystem creation fail if a previous XFS filesystem was installed on the target partition before.
dmidecodewas added on x86. A tool to read information from the BIOS.
- Fix 40 MHz channel bandwidth usage in some Atheros WiFi modules (
- Fix miscompiled 802.11 stack in the Raspberry Pi kernel.
- Updated packages:
As always, we would like to ask all users to participate in testing which will highly improve the quality of this update. Please report any bugs to our bug tracker and provide any feedback on our development mailing list.