IPFire 2.25 - Core Update 142 is available for testing

by Michael Tremer, February 27, 2020, Updated March 2, 2020

Do you like what you are reading? Subscribe to our newsletter and don't miss out on the latest...   Join Now

Only days after finally releasing our new DNS stack in IPFire 2.25 - Core Update 141, we are ready to publish the next update for testing: IPFire 2.25 - Core Update 142.

This update comes with many features that massively improve the security and hardening of the IPFire operating system. We have also removed some more components of the systems that are no longer needed to shrink the size of the operating system on disk.

We have a huge backlog of changes that are ready for testing in a wider audience. Hopefully we will be able to deliver those to you in a swift series of Core Updates. Please help us testing, or if you prefer, send us a donation so that we can keep working on these things.

Kernel Hardening

This update brings a new kernel which is based on Linux 4.14.171.

For the first time, we have enabled kernel module signing which cryptographically prevents foreign modules from being loaded into the IPFire kernel. An attacker who is trying to load and install a rootkit will have no chance to activate it on the system any more.

This is a huge improvement to the system when attackers have gained control of it through any other security vulnerabilities. More on this in a later blog post.

Support for Marvel's Kirkwood ARM architecture has been removed in this release, since it is unmaintained upstream and there are no users in fireinfo using this any more.

Suricata 5 - Our Intrusion Prevention System

suricata, the Intrusion Prevention System working inside of IPFire has been updated to version 5.0.2.

This release fixes a number of bugs in our IPS, increases performance and brings three new protocol parsers for RDP, SNMP and SIP. The protocol detection engine has been extended to provide better accuracy.

This release also introduces using Rust, which has recently been added to IPFire. Protocol parsers written in Rust can - by design of the language - not have any stack buffer overflows or other memory corruption problems like some C programs do. Therefore, this release makes it easier for the maintainers to extend the IPS at the same time as making it more robust and secure.

Making Testing Easier

This release introduces a new configuration option for Pakfire. Users can now choose between the stable, and two testing branches to easier install unreleased builds.

We hope that this helping you to help us testing IPFire better and therefore be able to give us more valuable feedback on releases.

Misc.

  • pppd, the Point-to-Point protocol daemon which is used for DSL and LTE connections has a severe vulnerability which allowed Remote Code execution on the client and server side. It has also been updated to version 2.4.8 which fixes some more bugs.
  • Password for proxy users were limited to eight characters due to an old hash algorithm being used. This has now been upgraded and passwords of unlimited length can be used.
  • The squid web proxy has been updated to version 4.10 which closes a number of security vulnerabilities
  • ddns, our suite for dynamic DNS updates, has been updated to version 013. This release ports the software to Python 3 since support for Python 2 is deprecated now.
  • Wireless Access Point devices are now properly added to a network bridge at boot time
  • Some smaller aesthetic fixes for the new DNS Configuration page

Add-Ons

Updates

  • clamav has been updated 0.102.2 which closes a number of security vulnerabilities
  • dehydrated has been fixed to properly conduct a backup and restore when it is being updated
  • guardian has received fixes for its HTTP log parser
  • haproxy has been updated to 2.1.3 and support for Lua has been enabled
  • libpciaccess has been updated to 0.16. This library is used to pass PCI devices through to a virtual machine.
  • The qemu package has been stripped from any firmware blobs for architectures that cannot be used on IPFire in order to save disk space on the root partition.
  • Further package updates: dnsdist 1.4.0, mc 4.8.24, tmux 3.0a, tor 0.4.2.6, vdr 2.4.1, vdradmin 3.6.10, w_scan 20170107

Cleaned-up Packages

We have removed a number of packages that have been abandoned by the people who maintain them. We believe that it is better to not offer them instead of exposing your systems to any security risks:

  • arm a CLI monitoring tool for tor
  • batctl, to configure B.A.T.M.A.N., which unfortunately was never finished in IPFire
  • cyrus-imapd - An IMAP/POP daemon
  • multicat & bitstream: Two tools to capture and decode multimedia streams over a network. Has been submitted to IPFire but was sadly never updated by the maintainer.
  • check_mk_agent - A monitoring tool
  • DirectFB - Graphics drivers
  • ez-ipupdate - A tool for dynamic DNS updates, which is unused, because we have ddns
  • icecast, icecastgenerator & streamripper - A media relay for radio streams
  • setserial - A tool to manage serial connections on console
  • rtpproxy - A relay for RTP streams

We currently have very limited development resources and would prefer investing those on things where more people benefit from. Please donate to support us!