The first update of the year will be an enormous one. We have been working hard in the lab to update the underlying operating system to harden and improve IPFire and we have added WPA3 client support and made DNS faster and more resilient against broken Internet connections.
This is probably the release with the largest number of package updates. This is necessary for us to keep the system modern and adopt any fixes from upstream projects. Thank you to everyone who has contributed by sending in patches.
Before we talk about what is new, I would like to ask you for your support for our project. IPFire is a small team of people from a range of backgrounds sharing one goal: make the Internet a safer place for everyone. Like many of our open source friends, we’ve taken a hit this year and would like to ask for your continued support. Please follow the link below where your donation can help fund our continued development: https://www.ipfire.org/donate.
DNS Resolution Improvements
The DNS proxy working inside IPFire will now reuse any TLS and TCP connections for DNS resolution making it substantially faster. Before, a TCP or TLS connection had to be opened and closed after a response was received causing a lot of overhead.
Please consider if your setup can run DNS-over-TLS to protect your privcacy.
If you had a brief outage of your Internet connection, or if any or all of the upstream name servers did not respond, it could become possible that the DNS proxy no longer retried accessing them. This was due to some DoS protection being overly ambitious which has been changed to constantly try to reach any servers that are down.
WPA3 Client Support
The previous Core Update added WPA3 support for access points. This is now being complimented by adding it for the client side, too.
If you are running your RED interface as a client to another wireless, it can now use WPA3 to authenticate to the network and to encrypt packets. WPA2 has also been improved by optionally using SHA256 over SHA1 if the access point supports it.
There is a number of various changes in this release:
- Various command injections and privilege escalations where reported by Albert Schwarzkopf in the security layer between the web user-interface and the operating system. With those, an authenticated unprivileged user could gain root access to the operating system.
- DDNS: The UI has been improved for providers that support "token authentication"
- SSH sometimes failed to end itself when the system was shut down which caused an unnecessary delay
- IPsec: XFRM policy lookup has been disabled for VTI interfaces
- Keyboard support on virtualised systems on Microsoft Hyper-V was sometimes not working and has now been fixed.
- Various cosmetic fixes for the web user interface and various code cleanup has been conducted by Matthias and Leo.
- Updated packages:
newt0.52.21, OpenSSL 1.1.1j, PAM 1.5.1,
- Updated packages:
tshark3.4.2, QEMU 5.2.0,