Less than 48 hours after releasing IPFire 2.25 - Core Update 143, we already have the next update ready for testing. It is full with fixes for security vulnerabilities in OpenSSL, the squid web proxy, the DHCP client and more.
OpenSSL 1.1.1g
The OpenSSL team has issued a security advisory for the 1.1.1 release with "high" severity.
Applicants on client or service side that call SSL_check_chain() during a TLSv1.3 handshake may crash the application due to incorrect handling of the signature_algorithms_cert" TLS extension.
CVE-2020-1967 has been assigned to track this vulnerability and an immediate installation of this update is recommended.
The DHCP Client (#12354)
Some users using RED in DHCP mode might have seen various crashes of the client. This happened because of attackers sending forged DHCP replies from cloud-hosted networks across the Internet.
After the daemon crashed, the firewall would lose Internet connectivity until it is manually restarted.
Providers normally filter forged DHCP traffic, but some do not seem to do this correctly. We are in touch with them and try to find a solution.
The Squid Web Proxy
The web proxy is vulnerable to cross-site scripting attacks, cache poisoning and access control bypass when processing HTTP request messages.
These problems are known as SQUID-2020:4, SQUID-2019:12, SQUID-2019:4, CVE-2020-11945, CVE-2019-12519, CVE-2019-12521, CVE-2019-12520, CVE-2019-12524 and #12386.
Misc.
- Updated packages:
apache2.4.43,bind9.11.18,dhcpcd9.0.2,squid4.11 - The build system has changed the Go compiler from GCCGO to Golang which seems to be introducing fewer bugs into compiled programs
Please help us testing this release, so that we can make it available for all users as soon as possible. Report any feedback to our bugtracker and you can of course support the IPFire Project with your donation.