The next update is ready for testing. It contains a large number of updated packages in the build system and updates many important system libraries. Among all those updates are many bug fixes and some security fixes.

Toolchain

The toolchain (all tools used to build the distribution, such as compilers, linkers and essential system libraries) has been updated and is now based on glibc 2.31, GCC 9.3.0 and binutils 2.34.

The build system has also been optimised to take advantage of machines that have a lot of memory, and it uses fewer I/O resources by no longer writing large temporary files to disk when this can be avoided.

Intrusion Prevention System

The Intrusion Prevention System has received many smaller fixes to make it run faster, generate fewer false positives and, of course, be more secure.

  • The DNS flood trigger has been disabled, since it was causing loads of false positives. This will lead to more solid DNS resolution on busy systems when the IPS is enabled with rules matching DNS flooding events.
  • All HTTP traffic from and to the web proxy is now being processed by the HTTP preprocessor, too.
  • Additional firewall rules have been added to work around a Linux kernel bug where packets that were destined to go through an IPsec VPN tunnel could break out unencrypted on the RED interface when the IPS has crashed unexpectedly.

Misc.

  • IPsec: The IKE lifetime can now be set to up to 24 hours again
  • OpenVPN: Net-to-Net connections will now be properly stopped when they are being deleted, and all RRD files will be deleted, too
  • DNS: Some hostnames configured on the "Edit Hosts" page might not have been made public in unbound. This has now been fixed and unbound will search any local entries before using the global DNS.
  • The kernel has been hardened against unauthorised access to files that were symlinked or hardlinked.
  • The boot process could lock up for several minutes on some systems when searching for sensors. This scan is now being done in the background so it will no longer affect the boot process.
  • The IPFire-internal mail agent now has support for implicit TLS.
  • The Net Traffic page did not show any recent data on some systems. This has now been fixed.
  • Many strings in the German translation have been improved and unified for better clarity.
  • Updated packages: bind 9.11.17, cairo 1.16.0, coreutils 8.31, dhcp 4.4.2, dma 0.12, libtool 2.4.6, logwatch 7.5.3, ncurses 6.2, ntp 4.2.8p14, openssh 8.2p1, openssl 1.1.1f, smartmontools 7.1, strongswan 5.8.4, unbound 1.10.0, xz 5.2.5

Add-ons

Bluetooth

The Bluetooth add-on has been dropped because there is no application for it in IPFire. Wireless modems could be used before, but since this is not widely used, we have decided to drop the add-on.

Updates

  • amazon-ssm-agent 2.3.930.0, keepalived 2.0.20, libssh 0.9.3, nano 4.9, nginx 1.17.8, postfix 3.5.0, pcengines-apu-firmware 4.11.0.5, spectre-meltdown-checker 0.43, tor 0.4.2.7, tshark 3.2.2