Only days after finally releasing our new DNS stack in IPFire 2.25 - Core Update 141, we are ready to publish the next update for testing: IPFire 2.25 - Core Update 142.
This update comes with many features that massively improve the security and hardening of the IPFire operating system. We have also removed some more components of the system that are no longer needed, to shrink the size of the operating system on disk.
We have a huge backlog of changes that are ready for testing by a wider audience. Hopefully we will be able to deliver those to you in a swift series of Core Updates. Please help us test, or if you prefer, send us a donation so that we can keep working on these things.
This update brings a new kernel which is based on Linux 4.14.171.
For the first time, we have enabled kernel module signing, which cryptographically prevents foreign modules from being loaded into the IPFire kernel. An attacker who is trying to load and install a rootkit will no longer have any chance to activate it on the system.
This is a huge improvement to the system's resilience in case attackers have gained control of it through some other security vulnerability. More on this in a later blog post.
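As an added illustration of what module signing looks like on disk (this is example code written for this post, not part of IPFire or the kernel), the parser below reads the signature trailer that the Linux build appends to a signed .ko file: a PKCS#7 blob, a 12-byte module_signature header and the fixed magic string. It reports whether a module carries a structurally valid signature, which is handy for auditing that every module on a system is signed. The sample module bytes are constructed and not a real module. It does not verify the signature itself; that is the kernel's job against its built-in keyring.

```python
import struct

# Linux appends this fixed 28-byte magic string after the signature of a signed .ko file.
MODULE_SIG_MAGIC = b"~Module signature appended~\n"
# id_type value the kernel uses for PKCS#7 signatures (PKEY_ID_PKCS7).
PKEY_ID_PKCS7 = 2
# struct module_signature: algo, hash, id_type, signer_len, key_id_len (one byte each),
# three padding bytes, then a big-endian u32 sig_len.
SIG_HEADER = struct.Struct(">BBBBB3xI")


def parse_module_signature(data):
    """Return a dict describing the appended signature, or None if the module is unsigned.

    Layout of a signed module, front to back:
      [module ELF] [signer name] [key id] [signature] [module_signature header] [magic]
    """
    if not data.endswith(MODULE_SIG_MAGIC):
        return None
    body = data[:-len(MODULE_SIG_MAGIC)]
    if len(body) < SIG_HEADER.size:
        raise ValueError("truncated module_signature header")
    algo, hash_alg, id_type, signer_len, key_id_len, sig_len = SIG_HEADER.unpack(
        body[-SIG_HEADER.size:])
    payload = body[:-SIG_HEADER.size]
    total = signer_len + key_id_len + sig_len
    if total > len(payload):
        raise ValueError("declared signature lengths exceed module size")
    sig_start = len(payload) - sig_len
    key_start = sig_start - key_id_len
    signer_start = key_start - signer_len
    signature = payload[sig_start:]
    return {
        "id_type": id_type,
        "algo": algo,
        "hash": hash_alg,
        "signer": payload[signer_start:key_start],
        "key_id": payload[key_start:sig_start],
        "sig_len": sig_len,
        # A PKCS#7 blob is DER-encoded and therefore starts with a SEQUENCE tag (0x30).
        "looks_like_pkcs7": id_type == PKEY_ID_PKCS7 and signature[:1] == b"\x30",
        # Size of the module proper, i.e. everything before the signature data.
        "module_size": signer_start,
    }


def is_signed(data):
    """True when the module carries a structurally valid appended signature."""
    try:
        return parse_module_signature(data) is not None
    except ValueError:
        return False


def build_signed_sample():
    """Constructed sample: a fake ELF body with a fake PKCS#7 blob appended, signed-module style."""
    module_body = b"\x7fELF" + b"\x00" * 60               # stand-in for a real module
    fake_pkcs7 = b"\x30\x82\x01\x00" + bytes(range(20))   # DER SEQUENCE tag + dummy bytes
    header = SIG_HEADER.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(fake_pkcs7))
    return module_body + fake_pkcs7 + header + MODULE_SIG_MAGIC


SAMPLE_SIGNED = build_signed_sample()
SAMPLE_UNSIGNED = b"\x7fELF" + b"\x00" * 60   # constructed: no trailer at all

if __name__ == "__main__":
    print("signed sample:", parse_module_signature(SAMPLE_SIGNED))
    print("unsigned sample:", parse_module_signature(SAMPLE_UNSIGNED))
```

To run it against real files, read each .ko under /lib/modules with `open(path, "rb").read()`; on a kernel built with CONFIG_MODULE_SIG, `modinfo` shows the same information in its signer and sig_key fields, and /sys/module/module/parameters/sig_enforce tells you whether the running kernel actually refuses unsigned modules.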
Support for Marvell's Kirkwood ARM architecture has been removed in this release, since it is unmaintained upstream and there are no users in fireinfo using it any more.
Suricata 5 - Our Intrusion Prevention System
suricata, the Intrusion Prevention System working inside of IPFire, has been updated to version 5.0.2.
This release fixes a number of bugs in our IPS, increases performance and brings three new protocol parsers for RDP, SNMP and SIP. The protocol detection engine has been extended to provide better accuracy.
This release also starts using Rust, which has recently been added to IPFire. Protocol parsers written in Rust cannot, by design of the language, have stack buffer overflows or other memory corruption problems of the kind that affect C programs. Therefore, this release makes it easier for the maintainers to extend the IPS while at the same time making it more robust and secure.
Making Testing Easier
This release introduces a new configuration option for Pakfire. Users can now choose between the stable branch and two testing branches, which makes it easier to install unreleased builds.
We hope that this helps you test IPFire more easily and give us more valuable feedback on releases.
- pppd, the Point-to-Point Protocol daemon used for DSL and LTE connections, has been patched against a severe vulnerability which allowed remote code execution on both the client and server side. It has also been updated to version 2.4.8, which fixes some more bugs.
- Passwords for proxy users were limited to eight characters because of the old hash algorithm that was used. This has now been upgraded, and passwords of unlimited length can be used.
- squid, the web proxy, has been updated to version 4.10, which closes a number of security vulnerabilities.
- ddns, our suite for dynamic DNS updates, has been updated to version 013. This release ports the software to Python 3, since Python 2 is now deprecated.
- Wireless Access Point devices are now properly added to a network bridge at boot time.
- Some smaller aesthetic fixes for the new DNS Configuration page.
- Further package updates:
  - clamav has been updated to 0.102.2, which closes a number of security vulnerabilities.
  - dehydrated has been fixed to properly conduct a backup and restore when it is being updated.
  - guardian has received fixes for its HTTP log parser.
  - haproxy has been updated to 2.1.3, and support for Lua has been enabled.
  - libpciaccess has been updated to 0.16. This library is used to pass PCI devices through to a virtual machine.
  - The qemu package has been stripped of firmware blobs for architectures that cannot be used on IPFire, in order to save disk space on the root partition.
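The proxy password item above says the old hash algorithm limited passwords to eight characters. The most common cause of exactly that limit is traditional DES-based crypt(3), which silently uses only the first eight characters of a password and produces a bare 13-character hash; the post does not name the algorithm, so treating it as DES crypt is an assumption here. The audit script below, an added example and not IPFire's own code, scans a constructed user:hash file (htpasswd-style, not IPFire's real file format) and flags entries whose hash scheme truncates the password or is unrecognised, which is the check an administrator would want before and after such an upgrade.

```python
import re

# Traditional DES crypt has no scheme prefix: 2 salt characters plus 11 hash
# characters, all from [./0-9A-Za-z], and only the first 8 password characters count.
_DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

# (prefix pattern, scheme name, password length at which the scheme truncates, or None)
_SCHEMES = [
    (re.compile(r"^\$6\$"), "sha512-crypt", None),
    (re.compile(r"^\$5\$"), "sha256-crypt", None),
    (re.compile(r"^\$2[abxy]\$"), "bcrypt", None),
    (re.compile(r"^\$1\$"), "md5-crypt", None),
    (re.compile(r"^\$apr1\$"), "apr1-md5", None),
    (re.compile(r"^\{SHA\}"), "ldap-sha1", None),
]


def classify_hash(h):
    """Return (scheme name, truncation length or None) for one stored hash string."""
    for pattern, name, limit in _SCHEMES:
        if pattern.match(h):
            return name, limit
    if _DES_CRYPT.match(h):
        return "des-crypt", 8
    return "unknown", None


def audit_password_file(text):
    """Parse 'user:hash' lines and return (line number, user, scheme, limit) for every
    entry that truncates the password, uses an unrecognised scheme, or is malformed."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, h = line.partition(":")
        if not sep or not h:
            findings.append((lineno, user, "malformed", None))
            continue
        scheme, limit = classify_hash(h)
        if limit is not None or scheme == "unknown":
            findings.append((lineno, user, scheme, limit))
    return findings


# Constructed sample file; none of these hashes belong to a real account.
SAMPLE_PASSWD = """\
# constructed example of a proxy user file
alice:abJnggxhB/yWI
bob:$6$saltsalt$notarealhashvalue
carol:$apr1$x1y2z3$constructedhashvalue
dave:plaintextpassword
eve
"""

if __name__ == "__main__":
    for lineno, user, scheme, limit in audit_password_file(SAMPLE_PASSWD):
        detail = f"truncates at {limit} characters" if limit else scheme
        print(f"line {lineno}: {user}: {detail}")
```

Entries flagged as des-crypt should simply be re-set after the upgrade: the stored hash cannot be converted, because the characters beyond the eighth were never hashed in the first place.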
We have removed a number of packages that have been abandoned by the people who maintain them. We believe it is better not to offer them at all than to expose your systems to any security risks:
- arm - A CLI monitoring tool for
- batctl - A tool to configure B.A.T.M.A.N., which unfortunately was never finished in IPFire
- cyrus-imapd - An IMAP/POP daemon
- bitstream - Two tools to capture and decode multimedia streams over a network. It was submitted to IPFire but sadly never updated by its maintainer.
- check_mk_agent - A monitoring tool
- DirectFB - Graphics drivers
- ez-ipupdate - A tool for dynamic DNS updates, which is unused, because we have
- streamripper - A media relay for radio streams
- setserial - A tool to manage serial connections on the console
- rtpproxy - A relay for RTP streams
We currently have very limited development resources and would prefer to invest them in things that more people benefit from. Please donate to support us!