Security 10816 Published by

IPFire 2.27 - Core Update 165 has been released for testing.



IPFire 2.27 - Core Update 165 is available for testing

Another update is ready for testing: IPFire 2.27 - Core Update 165. It comes with various updates for the firewall engine that improve its performance and increase its flexibility, as well as with an updated toolchain, Python 3.10 and various more bug and security fixes.

Firewall Updates

The firewall engine has received various improvements for better performance, faster ruleset reloads, and easier code for developers:

  • The backend for the Location Filter, dropping traffic from hostile network, and more is now using ipset which is built into the Linux kernel instead the formerly used external kernel module called xt_geoip. This is important work which will allow us integrating new firewall features easier.
  • The Location Filter has been tuned so that it will load its rulesets faster and will consume less memory; this will improve any lookups and use less CPU resources and cause less level 2 cache congestion.
  • The P2P filter has been removed because it is outdated technology. Most of the P2P networks that were supported don't exist for a long time and those which do can easily work around this type of filtering. We recommend using the IPS for filtering this if you still need to.

Updated Toolchain

The toolchain - all programs that are required to build IPFire and the most basic system libraries - has been updated and is based on glibc 2.35, binutils 2.37 and GCC 11.1.0.

On x86, we now support Intel Control-flow Enforcement Technology (CET) which protects the C standard library with indirect branch tracking (IBT) and shadow stack (SHSTK). On aarch64,  memory tagging has been enabled on processors that support it (ARMv8.5 and higher).

IPFire has been rebased to Python 3.10.1. All packages that provide or use any Python modules are being updated and shipped again.

It is now possible to completely cross-compile IPFire on any architecture for any other architecture. This is done by compiling a native toolchain with a different target architecture which will then be emulated using QEMU in userland. This is slow, but helpful to build IPFire for new architectures; currently  we are conducting experiments with RISC-V without having any hardware.

Misc.

  • A long-standing bug with broken cable modems has been fixed: Some providers have cable modems which return an unusually small MTU of only 576 bytes which will cause that IPFire will fragment every packet larger than this before it can be sent out on the RED interface. This can now properly changed in the setup tool and IPFire will accept any custom value. This used to break video conferences over UDP which could not re-assemble the fragmented video stream and which did not automatically fall back to TCP ( #12563).
  • Because of the growth of the operating system, the root partition of the flash image has been increased to 1800 MiB. This is the minimum to install the system and will be grown to the full size of the storage device on first boot.
  • IPsec: Due to a typo, Curve 25519 wasn't selected as default
  • OpenVPN: Due to an error in timezone handling, the usage charts could be incorrect which has been fixed now.
  • Wireless Client: Support for WEP has been removed which didn't work for a longer time.
  • More updated packages: bash 5.1.16, bind 9.16.26, cURL 7.81.0, ethtool 5.16, expat 2.4.6, findutils 4.9.0, gdbm 1.23, glib 2.71.1, harfbuzz 3.3.2, iproute2 5.16.0, lcms2 2.13.1, libarchive 3.6.0, libcap 2.63, libgpg-error 1.44, libloc 0.9.10, libusb 1.0.25, libwww-perl 6.61, libxcrypt 4.428, lua 5.4.4, mdadm 4.2, OpenSSL 1.1.1m, p11-kit 0.24.1, pango 1.50.3, poppler 22.02.0, SDL2 2.0.20, SQLite 3.37.2, squid 5.4.1, sudo 1.9.9, wpa_supplicant 2.10, Zstandard 1.5.2

Add-ons

  • New packages:
    • gptfdisk - A CLI tool to partition harddrives with GPT
    • oci-cli - Command line tools for Oracle Cloud
  • Updated packages: borgbackup 1.1.17, CUPS 2.4.1, Git 2.35.1, hostapd 2.10, monit 5.31.0, nano 6.1, samba 4.15.5, stunnel 5.62, Tor 0.4.6.10
  • Proxy Accounting
    • This package has been renamed to proxy-accounting from squid-accounting
    • Alphanumerical post codes are now accepted as being used in the UK, Australia, Canada, etc.


IPFire 2.27 - Core Update 165 is available for testing