IPFire 2.25 - Core Update 155 released [SECURITY ADVISORY]

by Michael Tremer, March 27, 2021, Updated July 20, 2021


Today, we are releasing IPFire 2.25 - Core Update 155, which comes with various security fixes to mitigate NAT Slipstreaming attacks, and with important fixes in the OpenSSL library, which previously allowed attackers to crash services that use TLS on the firewall.

Before we talk about what is new, I would like to ask you for your support for our project. IPFire is a small team of people from a range of backgrounds sharing one goal: make the Internet a safer place for everyone. Like many of our open source friends, we’ve taken a hit this year and would like to ask for your continued support. Please follow the link below where your donation can help fund our continued development: https://www.ipfire.org/donate.

We recommend installing this update as soon as possible and rebooting the system.

Mitigating NAT Slipstreaming

Peter has recently announced our measures against NAT Slipstreaming. Through feedback from the community, we have seen that most people are not affected by these changes.

With this update we are disabling and removing support for all Application Layer Gateways (ALGs). This includes SIP, FTP, H.323, IRC, PPTP and TFTP. They are automatically disabled on systems that install this update and will no longer be available.

This change might require some attention if you are using any software that relies on an ALG. This is most likely the case for VoIP solutions that use SIP. From feedback during the testing period of this update, we can confirm that only a very small fraction of users is affected.
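A quick way to verify on a running system that none of the removed ALGs is still active is to look for the corresponding netfilter helper modules. The script below is an added example, not part of this release or of IPFire's own code; it assumes the ALGs correspond to the standard Linux nf_conntrack_*/nf_nat_* helper modules, which is an assumption about the implementation rather than something stated above. The function reads /proc/modules by default but accepts another file so it can be exercised on constructed input.

```shell
#!/bin/sh
# Added example (not IPFire's own code): list the netfilter conntrack/NAT
# helper modules that implement the ALGs this update disables.
# Assumption: the ALGs for SIP, FTP, H.323, IRC, PPTP and TFTP are the
# standard Linux nf_conntrack_*/nf_nat_* helper modules.

ALG_MODULES="nf_conntrack_sip nf_nat_sip nf_conntrack_ftp nf_nat_ftp \
nf_conntrack_h323 nf_nat_h323 nf_conntrack_irc nf_nat_irc \
nf_conntrack_pptp nf_nat_pptp nf_conntrack_tftp nf_nat_tftp"

# loaded_alg_helpers [MODULES_FILE]
# Prints the names of loaded ALG helper modules, one per line.
# Reads /proc/modules by default; a different file may be passed for testing.
# Returns 1 if the modules file cannot be read.
loaded_alg_helpers() {
    modules_file="${1:-/proc/modules}"
    [ -r "$modules_file" ] || return 1
    for mod in $ALG_MODULES; do
        # /proc/modules lists the module name as the first field of each line
        if awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }' "$modules_file"; then
            echo "$mod"
        fi
    done
}

# alg_helpers_disabled [MODULES_FILE]
# Returns 0 if none of the ALG helper modules is loaded, 1 otherwise.
alg_helpers_disabled() {
    [ -z "$(loaded_alg_helpers "$1")" ]
}

# Example run against the running kernel.
if loaded="$(loaded_alg_helpers)"; then
    if [ -z "$loaded" ]; then
        echo "No ALG helper modules loaded"
    else
        echo "Loaded ALG helper modules:"
        echo "$loaded"
    fi
else
    echo "Cannot read /proc/modules" >&2
fi
```

An empty result only proves that no helper is loaded as a module; a kernel that has the helpers built in would not show them in /proc/modules, so on such a kernel the firewall rules themselves have to be inspected.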

Spanning Tree Protocol support in Zone Configuration

The zone configuration allows configuring Spanning Tree Protocol (STP) for bridges. Since it is possible to add multiple interfaces to the same bridge, there is a risk that loops are created on the network. STP avoids those by disabling bridge ports when a loop is detected.

Zone Configuration with STP
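To confirm from the shell that STP is actually enabled on a zone bridge, and to see which ports STP has put into the blocking state, the kernel's bridge attributes in sysfs can be read directly. The script below is an added example, not part of this release or of IPFire's own code; it assumes the zone bridge is a standard Linux bridge exposing bridge/stp_state and the per-port brport state under /sys/class/net. The sysfs root is a parameter so the functions can be exercised on a constructed directory tree.

```shell
#!/bin/sh
# Added example (not IPFire's own code): report whether STP is enabled on a
# bridge and show the STP state of each of its ports, read from sysfs.
# Assumption: the zone bridge is a standard Linux bridge; the numeric port
# states are the ones used by the Linux bridge code.

# Map the numeric brport state values of the Linux bridge to names.
port_state_name() {
    case "$1" in
        0) echo disabled ;;
        1) echo listening ;;
        2) echo learning ;;
        3) echo forwarding ;;
        4) echo blocking ;;
        *) echo "unknown($1)" ;;
    esac
}

# bridge_stp_enabled BRIDGE [SYSFS_ROOT]
# Returns 0 if STP is enabled on BRIDGE, 1 otherwise.
# SYSFS_ROOT defaults to /sys; another root may be passed for testing.
bridge_stp_enabled() {
    sysfs="${2:-/sys}"
    state_file="$sysfs/class/net/$1/bridge/stp_state"
    [ -r "$state_file" ] && [ "$(cat "$state_file")" = "1" ]
}

# bridge_port_states BRIDGE [SYSFS_ROOT]
# Prints "port state" for each port attached to BRIDGE. On a real system
# brif/<port> is a symlink to the port's brport directory.
bridge_port_states() {
    sysfs="${2:-/sys}"
    for port_dir in "$sysfs/class/net/$1/brif"/*; do
        [ -e "$port_dir/state" ] || continue
        echo "$(basename "$port_dir") $(port_state_name "$(cat "$port_dir/state")")"
    done
}

# Example run over every bridge on the running system.
for bridge_dir in /sys/class/net/*/bridge; do
    [ -d "$bridge_dir" ] || continue
    name="$(basename "$(dirname "$bridge_dir")")"
    if bridge_stp_enabled "$name"; then
        echo "$name: STP enabled"
    else
        echo "$name: STP disabled"
    fi
    bridge_port_states "$name"
done
```

A port reported as blocking while STP is enabled is the expected outcome when a loop exists between two bridge members; a bridge with several members and STP disabled is the configuration the zone setting above is meant to avoid.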

OpenSSL Security Vulnerabilities

The OpenSSL team released version 1.1.1k which fixes two rather severe security issues:

  • CVE-2021-3449: TLS servers could have been crashed with a maliciously crafted renegotiation message. In IPFire this could be used to deny service of the web user interface or some add-ons like haproxy
  • CVE-2021-3450: Enabling strict certificate checking had the opposite effect: some certificates were evaluated as valid when they were actually not

We are also shipping fixes from an earlier OpenSSL release (1.1.1j) which were of lower severity: CVE-2021-23841, CVE-2021-23839 & CVE-2021-23840

Miscellaneous

  • The wireless client configuration is now processing priorities correctly. Before, wireless networks were prioritised in the opposite order
  • The QoS graphs will now have consistent colours in the downstream and upstream direction
  • The Update Accelerator "Passive Mode" option has been clarified
  • New packages: PCRE2, which is an improved version of PCRE, implementing Perl-compatible Regular Expressions
  • Updated packages: attr 2.4.48, autoconf 2.71, bind 9.11.28, freetype 2.10.4, iproute2 5.11.0, ipset 7.11, lcms2 2.12, libgcrypt 1.9.2, libhtp 0.5.37, libffi 3.3, libxcrypt 4.4.17 (which replaces the libcrypt that came bundled with glibc), lz4 1.9.3, lzo 2.10, mpage 2.5.7, net-tools 2.10, nettle 3.7.1, openssh 8.5p1, Python 3.8.7, qpdf 10.3.0, rust 1.50, sqlite3 3.34.1, squid 4.14, suricata 5.0.6, sysvinit 2.98, tar 1.34, tcl 8.6.11, unbound 1.13.1, wget 1.21.1
  • IPFire can experimentally be compiled for 64-bit RISC-V
  • Various older versions of operating system libraries have been removed. They were needed to keep older programs compatible without recompiling them. Those were: Berkeley DB, GMP, libjpeg, PCRE, readline
  • On i586, SSE2-optimised versions of performance-critical libraries have been dropped. This affects GMP and OpenSSL, which might result in lower VPN throughput with OpenVPN on affected systems. Support for this will be removed with the next release of glibc.
  • The unattended installer started in regular mode on serial consoles
  • Roberto Peña has contributed a Spanish translation for the Captive Portal

Add-ons

  • Updated packages: elfutils 0.183, hplip 3.21.2, fireperf 0.2.0, krb5 1.19.1, mc 4.8.26, monit 5.27.2, nano 5.6, nagios_nrpe 4.0.3, nagios-plugins 2.3.3, stunnel 5.58, tor 0.4.5.6, tshark 3.4.3