Another update is available for testing and it is packed a one-click VPNs for Apple iOS and Mac OS devices as well as with various fixes across the board including security fixes.
IPsec with Apple iOS & Mac OS
It is now possible to export IPsec road warrior connections for Apple devices so that they can easily be imported into those with only a few clicks. This makes creating secure connections with these devices quick and fool-proof - even when certificates are involved.
Various smaller changes come with these changes: Certificates now have sane expiry times (instead of a hundred years).
Detailed documentation for this feature is not available yet, but will be added before the release.
- Curve448 is now listed above Curve25519 since it provides better security, but is computationally more expensive at the same time
- There will no longer be any safety rules installed for IPsec connections in "on-demand" mode. Leaking packets is not possible in this mode and it makes certain configurations easier when it is not necessary to work around the block rules
- The web proxy removed options to fake the Referrer and User-Agent. This is practically not effective since the majority of connections are encrypted where this feature did not work.
- We have progressed in removing Python 2 from the system by porting fireinfo to Python 3
- Leo-Andres Hofmann fixed the memory usage table which showed inconsistent values
- Updated packages of the core system:
linux-firmware20210511 as preparation for a new kernel,
- Microcode updates for Intel processors are shipped in this release (20210608) to address these hardware security vulnerabilities:
- IPFire is also vulnerable where an authenticated third-party could inject and execute shell commands as a non-privileged user (#12616, CVE-2021-33393). This has been fixed by going through over 65000 lines of code to investigate where this is possible. The underlying reason is the Perl function to call shell commands unexpectedly performs shell expansion and might perform more than just the intended command. Functions that no longer allow this behaviour have been written, tested and replaced any vulnerable places. Unfortunately this vulnerability was published without responsible disclosure.
- The root partition of the flash image has been increased to 1600 MiB by default. The minimum required disk size is still 2GB, but it is getting tight...
- dnsdist received an improved initscript which will print any configuration issues before trying to start or restart the daemon
- Updated packages:
netsnmpd5.9.1, Postfix 3.6.1,
tmux3.2a, Tor 0.4.6.5
Some packages have been dropped since they didn't have a maintainer for a long while, the upstream project has been discontinued, or it is unlikely that there are any users left out there. We recommend to install these applications on a different machine than the firewall itself: Asterisk,
motion, SANE, sendEmail. They will automatically be uninstalled on all systems.
This is another very large update (in both, size and number of changes) and we would like you to help us testing it. If you find any problems, please report them to our bugtracker or search help on our Community Portal.