IPFire 2.25 - Core Update 158 released

by Michael Tremer, July 19, 2021, Updated August 2, 2021

Do you like what you are reading? Subscribe to our newsletter and don't miss out on the latest...   Join Now

IPFire 2.25 - Core Update 158 is generally available. It comes with one-click VPNs for Apple iOS and Mac OS devices as well as with various fixes across the board including security fixes.

Before we talk about what is new, I would like to ask you for your support for our project. IPFire is a small team of people from a range of backgrounds sharing one goal: make the Internet a safer place for everyone. Like many of our open source friends, we’ve taken a hit this year and would like to ask for your continued support. Please follow the link below where your donation can help fund our continued development: https://www.ipfire.org/donate.

IPsec with Apple iOS & Mac OS

It is now possible to export IPsec road warrior connections for Apple devices so that they can easily be imported into those with only a few clicks. This makes creating secure connections with these devices quick and fool-proof - even when certificates are involved.

Various smaller changes come with these changes: Certificates now have sane expiry times (instead of a hundred years).

Unfortunately time did not allow to provide any detailed documentation for this feature, but this will be added in the near future. If you want to help the team, you can do this with your donation.

Misc.

  • IPsec
    • Curve448 is now listed above Curve25519 since it provides better security, but is computationally more expensive at the same time
    • There will no longer be any safety rules installed for IPsec connections in "on-demand" mode. Leaking packets is not possible in this mode and it makes certain configurations easier when it is not necessary to work around the block rules
  • The web proxy removed options to fake the Referrer and User-Agent. This is practically not effective since the majority of connections are encrypted where this feature did not work.
  • We have progressed in removing Python 2 from the system by porting fireinfo to Python 3
  • Leo-Andres Hofmann fixed the memory usage table which showed inconsistent values
  • Updated packages of the core system: apache 2.4.48, bind 9.11.32, cmake 3.20.4, curl 7.77.0, dmidecode 3.3, ethtool 5.12, expat 2.4.1, fuse 3.10.4, glib 2.68.3, gnutls 3.6.16, gzip 1.10, iputils 20210202, knot 3.0.7, libcap 2.50, libedit 20210522-3.1, libnl-3 3.5.0, libpcap 1.10.1, libusb 1.0.23, libxcrypt 4.4.22, linux-firmware 20210511 as preparation for a new kernel, nettle 3.7.3, pcre2 10.37, perl-CGI 4.53, perl-TimeDate 2.33, perl-XML-Parser 2.46, python3-setuptools, python3-pyparsing 2.4.7, qpdf 10.3.2, rng-tools 6.12, smartmontools 7.2, sudo 1.9.7p1, vnstat 2.7, xfsprogs 5.12.0, zd1211-firmware 1.5, zerofree 1.1.1, zstd 1.5.0
  • Microcode updates for Intel processors are shipped in this release (20210608) to address these hardware security vulnerabilities:
  • IPFire is also vulnerable where an authenticated third-party could inject and execute shell commands as a non-privileged user (#12616, CVE-2021-33393). This has been fixed by going through over 65000 lines of code to investigate where this is possible. The underlying reason is the Perl function to call shell commands unexpectedly performs shell expansion and might perform more than just the intended command. Functions that no longer allow this behaviour have been written, tested and replaced any vulnerable places. Unfortunately this vulnerability was published without responsible disclosure.
  • The root partition of the flash image has been increased to 1600 MiB by default. The minimum required disk size is still 2GB, but it is getting tight...

Add-ons

  • dnsdist received an improved initscript which will print any configuration issues before trying to start or restart the daemon
  • Updated packages: cups-filter 1.28.9, elfutils 0.185, flac 1.3.3, libogg 1.3.5, nano 5.8, netsnmpd 5.9.1, Postfix 3.6.1, sarg 2.4.0, tcpdump 4.99.1, tmux 3.2a, Tor 0.4.6.5

Some packages have been dropped since they didn't have a maintainer for a long while, the upstream project has been discontinued, or it is unlikely that there are any users left out there. We recommend to install these applications on a different machine than the firewall itself: Asterisk, dpfhack, lcd4linux, miniupnpd, motion, SANE, sendEmail. They will automatically be uninstalled on all systems.