
Michael Tremer has announced the release of IPFire 2.27 - Core Update 165. IPFire is a powerful and professional Open Source firewall solution.



IPFire 2.27 - Core Update 165 released

Shortly after the last one, the next release of IPFire is ready: IPFire 2.27 - Core Update 165. It comes with various updates for the firewall engine that improve its performance and increase its flexibility, as well as an updated toolchain, Python 3.10 and various other bug and security fixes.

Before we talk in detail about what is new, I would like to ask you for your support. IPFire is a small team of people and like many of our open source friends, we’ve taken a hit this year and would like to ask you to help us out. Please follow the link below where your donation can help fund our continued development:  https://www.ipfire.org/donate.

Firewall Updates

The firewall engine has received various improvements for better performance, faster ruleset reloads, and easier code for developers:

  • The backend for the Location Filter, for dropping traffic from hostile networks, and more now uses ipset, which is built into the Linux kernel, instead of the formerly used external kernel module xt_geoip. This is important work which will allow us to integrate new firewall features more easily.
  • The Location Filter has been tuned so that it loads its rulesets faster and consumes less memory; this speeds up lookups, uses less CPU time and causes less level 2 cache congestion.
  • The P2P filter has been removed because it is outdated technology. Most of the P2P networks that were supported have not existed for a long time, and those which still do can easily work around this type of filtering. We recommend using the IPS for filtering this if you still need to.

Updated Toolchain

The toolchain - all programs that are required to build IPFire and the most basic system libraries - has been updated and is based on glibc 2.35, binutils 2.37 and GCC 11.1.0.

On x86, we now support Intel Control-flow Enforcement Technology (CET) which protects the C standard library with indirect branch tracking (IBT) and shadow stack (SHSTK). On aarch64, memory tagging has been enabled on processors that support it (ARMv8.5 and higher).

IPFire has been rebased to Python 3.10.1. All packages that provide or use any Python modules are being updated and shipped again.

It is now possible to completely cross-compile IPFire on any architecture for any other architecture. This is done by compiling a native toolchain with a different target architecture, which is then emulated in userland using QEMU. This is slow, but helpful for building IPFire for new architectures; currently we are conducting experiments with RISC-V without having any hardware.

Misc.

  • A long-standing bug with broken cable modems has been fixed: Some providers have cable modems which return an unusually small MTU of only 576 bytes, which causes IPFire to fragment every packet larger than this before it can be sent out on the RED interface. This can now be properly changed in the setup tool, and IPFire will accept any custom value. This used to break video conferences over UDP which could not re-assemble the fragmented video stream and which did not automatically fall back to TCP (#12563).
  • Because of the growth of the operating system, the root partition of the flash image has been increased to 1800 MiB. This is the minimum to install the system and will be grown to the full size of the storage device on first boot.
  • IPsec: Due to a typo, Curve 25519 was not selected as the default; this has been fixed.
  • OpenVPN: Due to an error in timezone handling, the usage charts could be incorrect; this has been fixed.
  • Wireless Client: Support for WEP, which had not been working for a long time, has been removed.
  • OpenSSL has been updated to version 1.1.1n, which fixes a denial-of-service vulnerability filed as CVE-2022-0778.
  • More updated packages: bash 5.1.16, bind 9.16.26, cURL 7.81.0, ethtool 5.16, expat 2.4.6, findutils 4.9.0, gdbm 1.23, glib 2.71.1, harfbuzz 3.3.2, iproute2 5.16.0, lcms2 2.13.1, libarchive 3.6.0, libcap 2.63, libgpg-error 1.44, libloc 0.9.10, libusb 1.0.25, libwww-perl 6.61, libxcrypt 4.428, lua 5.4.4, mdadm 4.2, OpenSSL 1.1.1n, p11-kit 0.24.1, pango 1.50.3, poppler 22.02.0, SDL2 2.0.20, SQLite 3.37.2, sudo 1.9.9, wpa_supplicant 2.10, Zstandard 1.5.2

Add-ons

  • New packages:
    • gptfdisk - A CLI tool to partition hard drives with GPT
    • oci-cli - Command line tools for Oracle Cloud
  • Updated packages: borgbackup 1.1.17, CUPS 2.4.1, Git 2.35.1, hostapd 2.10, monit 5.31.0, nano 6.1, samba 4.15.5, stunnel 5.62, Tor 0.4.6.10
  • Proxy Accounting
    • This package has been renamed to proxy-accounting from squid-accounting
    • Alphanumeric post codes, as used in the UK, Australia, Canada, etc., are now accepted
