Just one day after we have released IPFire 2.23 - Core Update 133, we are testing the next one which contains fixes for the famous SACK vulnerability.

SACK Panic (CVE-2019-11477 & CVE-2019-11478)

The Linux kernel was vulnerable for two DoS attacks against its TCP stack. The first one made it possible for a remote attacker to panic the kernel and a second one could trick the system into transmitting very small packets so that a data transfer would have used the whole bandwidth but filled mainly with packet overhead.

The IPFire kernel is now based on Linux 4.14.129, which fixes this vulnerability and fixes various other bugs.

The microcode for some Intel processors has also been updated and includes fixes for some vulnerabilities of the Spectre/Meltdown class for some Intel Xeon processors.

Misc.

  • Package updates: bind 9.11.8, unbound 1.9.2, vim 8.1
  • The French translation has been updated by St├ęphane Pautrel and translates various strings as well as improving some others
  • We now prefer other cipher modes over CBC when IPFire itself opens a TLS connection. CBC is now considered to be substantially weaker than GCM.
  • Email addresses entered in the web UI can now contain underscores.
  • The Captive Portal now comes up properly after IPFire is being rebooted.