the summer has been a quiet time for us with a little relaxation, but also some shifted focus on our infrastructure and other things. But now we are back with a large update which is packed with important new features and fixes.
This update ships the latest update of the OpenSSL library which has received some important fixes in its latest release:
- CVE-2019-1547: With custom elliptic curves, timing attacks were made possible again. This is of very low risk in IPFire, since we are not using any custom curves.
- CVE-2019-1549: Forked processes could have shared the same seed for their random number generator which is being fixed in this one by mixing in a high precision timer.
- CVE-2019-1563: Another padding oracle for large PKCS7 messages
All of these are classified as "low severity". However, we recommend to install this update as soon as possible.
Arne has been busy and been working on replacing Perl with the latest stable version. This requires that loads of applications that use Perl - like our own web user interface - have to be shipped again as well as many add-ons. Hence this update is rather large.
Since Maxmind is no longer publishing their GeoIP database in the original format, but unfortunately not providing any good bindings for the new release, we have only had an outdated version of the database that we made available in IPFire.
There is now a script that converts the current data into the old format which allows us to ship a recent database again.
This database is however only being used for showing the country flags on the web UI. GeoIP blocking uses a database in a different format and therefore always has recent data to only block the right things.
- The firewall has a limit for log messages so that flooding the firewall with packets won't cause a Denial-of-Service by filling up the hard drive with gigabytes of logs and also to not starve on write operations. This limit was however very low for modern standards and has therefore been increased to 10 logged packets per second. That will ensure that we won't drop a packet without logging it.
- Updated packages:
logrotatecould conflict when running at the same time. This has been changed so only one of them is running at the same time.
- Log messages for DMA, the IPFire mailer, and Postfix are now shown on the web UI
- The toolchain now ships a compiler for Go
- Updated packages:
dnsdisthas had its limit of open connections increased to work better in bigger environments
tor: A permission problem has been fixed so that the web UI can save settings again
wio: The RRD files will now be included in the backup as well as various UI improvements have been done
This update needs a reboot of your IPFire system.
Please join in to help us testing and make this another successful and bug-free release of IPFire. Please report any bugs to Bugzilla and if you cannot spare any of your time, you can of course help us out with your donation.