Security 10816 Published by

IPFire 2.27 - Core Update 168 has been released.  IPFire is a powerful and professional Open Source firewall solution.



IPFire 2.27 - Core Update 168 released - The IPFire Blog

Another update of IPFire is ready: IPFire 2.27 - Core Update 168. It comes with significant improvements to the Intrusion Prevention System (IPS), various security improvements, an updated version of Linux' firmware bundle, as well as a heap of updated packages and bug fixes.

Heads up! IPFire running on software RAIDs will need to rebuild their RAIDs. It is possible, that the RAID was damaged since the last update due to failure to initialise it correctly at boot time ( #12862). Systems affected by this problem, would have run just fine, but without the RAID. During the installation of this update, the RAID will be fixed. For that, a reboot is required after installing the update, and it might be necessary to be able to boot from the secondary RAID device.

Intrusion Prevention System improvements

Stefan contributed a patch series for notably improving the  IPS, particularly when it comes to handling of ruleset providers. While many of the changes are done under the hood, the following are visible to the web interface:

  • Monitoring mode can now be enabled for each ruleset provider individually. This makes  baselining and testing much less of a hassle, since newly introduced IPS ruleset providers can now first be used for logging only, without risking disruptions or unintended side-effects.
  • Parsing and restructuring changed or updated rulesets has been improved and is now faster by orders of magnitude.
  • The downloader will now automatically check whether a ruleset has been updated on its providers' server by checking the ETag HTTP header. This allows us to drop the update interval selection; every IPS ruleset will now updated automatically on the appropriate interval.

3rd party firmware updates

linux-firmware, the conglomerate of 3rd party firmware required for all sorts of hardware has been updated. Similar to a kernel update, this brings support for new devices requiring proprietary firmware, fixes bugs and plugs some security holes.

Firmware for APU borards has been updated as well, finally enabling their hardware-based random number generator to work properly. On APU-based IPFire installations, this will speed up cryptography operations (such as VPN traffic handling) a lot.

Security improvements

  • IPFire now drops any packet that is received on a different interface than it would have been routed back to. This thwarts entire classes of network spoofing attacks, particularly originating from or targeting internal networks.
  • OpenSSH has been updated to 9.0p1, introducing (among other changes)  quantum-resistant cryptography. IPFire's custom OpenSSH configuration has been updated to make use of it. Also, spoofable TCP-based keep-alive messages are no longer sent, preventing MITM attackers to force-keep an established SSH connection opened.
  • As a defense-in-depth measure, various file permissions have been tightened to prevent any unprivileged attacker from reading potentially sensitive configuration on an IPFire installation.

Miscellaneous

  • CUPS configuration is now properly processed while creating backups and restoring them.
  • Various CGIs received fixes for HTML syntax validity and solving bugs, most notably the Pakfire CGI.
  • Unnecessary vnstat calls have been removed from initscripts.
  • Updated packages: bind 9.16.28, curl 7.83.0, efibootmgr 17, expat 2.4.8, freetype 2.12.1, fribidi 1.0.12, harfbuzz 4.2.0, iana-etc 20220414, intel-microcode 20220510, ipset 7.15, knot 3.1.7, libaio 0.3.113, libcap 2.64, libcap-ng 0.8.3, libgcrypt 1.10.1, libhtp 0.5.40, libinih r55, libmnl 1.0.5, libnfnetlink 1.0.2, linux-firmware 20220411, logwatch 7.6, man 2.10.2, man-pages 5.13, meson 0.62.1, mpfr 4.1.0 (plus additional upstream patches), multipath-tools 0.8.9, nano 6.3, nasm 2.15.05, openjpeg 2.4.0, openldap 2.6.1, OpenSSH 9.0p1, OpenSSL 1.1.1o, OpenVPN 2.5.6, pango 1.50.6, pciutils 3.0.8, pcre2 10.40, perl-libwww 6.62, poppler 22.04.0, procps 4.0.0, strongswan 5.9.6, sqlite 3380300, Squid 5.5, Suricata 5.0.9, vnstat 2.9, whois 5.5.13
  • Updated add-ons: bird 2.0.9, borgbackup 1.2.0, dbus 1.14.0, git 2.36.0, haproxy 2.5.5, hplip 3.22.4, ipvsadm 1.31, keepalived 2.2.7, lcdproc 0.5.9, libseccomp 2.5.4, lynis 3.0.7, mc 4.8.28, mcelog 181, mpc 0.34, mpd 0.23.6, mtr 0.95, ncdu 1.17, nfs 2.6.1, nginx 1.20.2, nut 2.8.0, oci-cli 3.7.3, oci-python-sdk 2.64.0, openvmtools 12.0.0, parted 3.5, pcengines-apu-firmware 4.16.0.3, Postfix 3.7.1, powertop 2.14, python3-botocore 1.24.37,python3-charset-vomailzer 2.0.12, python3-click 8.1.2, python3-flit 3.7.1, python3-jmespath 1.0.0, python3-pyparsing 3.0.7, python3-pytz 2022.1, python3-s3transfer 0.5.2, python3-semantic-version 2.9.0, python3-setuptools-rust 1.2.0, python3-setuptools-scm 6.4.2, python3-tomli 2.0.1, python3-typing-extensions 4.1.1, python3-urllib3 1.26.9, rsync 3.2.4, samba 4.16.0, sdl2 2.0.22, spectre-meltdown-checker 0.45, strace 5.17, stress 1.0.5, stunnel 5.63, Tor 0.4.7.7, tshark 3.6.3
  • Any changes to the system cron table will be lost during this update, but any custom scripts in /etc/fcron.* will remain in place.

As always, we thank all people contributing to this release in whatever shape and form. Please note IPFire is backed by volunteers, maintaining and improving this distribution in their spare time - should you like what we are doing, please  donate to keep the lights on, an consider  becoming engaged in development to distribute the load over more shoulders.



IPFire 2.27 - Core Update 168 released - The IPFire Blog