Security 10808 Published by

IPFire 2.27 - Core Update 169 has been released.  IPFire is a powerful and professional Open Source firewall solution.



IPFire 2.27 - Core Update 169 released

The next Core Update - one of the biggest in size we have ever put together - is released: IPFire 2.27 - Core Update 169. It introduces the support of two-factor authentication (2FA) for OpenVPN clients, updates several core parts of the system, provides mitigations for another two types of CPU side-channel attacks, as well as package updates, bug fixes and other security improvements.

Before we talk in detail about what is new, I would like to ask you for your support. IPFire is a small team of people and like many of our open source friends, we’ve taken a hit this year and would like to ask you to help us out. Please follow the link below where your donation can help fund our continued development:  https://www.ipfire.org/donate.

OpenVPN Two-Factor Authentication

For  OpenVPN clients, the setup of two-factor authentication based on  time-based one-time password (TOTP) is now supported. It can be enforced on a per-client basis, preserving the flexibility of mixing end-user devices with machine clients, where no manual interaction is feasible during OpenVPN connection establishment.

Further documentation on this feature can be retrieved  here and  here.

Updated Kernel, Updated linux-firmware, Updated Toolchain - All in one go

This Core Update updates the Linux kernel to 5.15.49, thus providing our users with the usual bunch of bug fixes, plugged security vulnerabilities, and hardware support improvements. Particularly noteworthy are mitigations against another CPU side-channel attack,  MMIO Stale Data, which can led to the exposure of sensitive memory data. Further upstream documentation can be obtained  here; IPFire systems not serving as a  hypervisor for VMs (which we recommend against for production due to security reasons anyway) are most likely unaffected. The precise status of all known CPU vulnerabilities is displayed  in the web interface.

The following kernel hardening improvements have been made in addition:

  • On x86_64 systems, kernel mitigations for  straight-line speculation, another CPU side-channel vulnerability, have been enabled.
  • Support for RPC dprintk debugging has been removed to cut potential attack surface.
  • The  YAMA Linux security module is now enabled to provide further control on ptrace operations, for which there is no legitimate use-case on an IPFire machine.

Due to an  upstream change, the kernel will now always report to have 256 bits of entropy available. Therefore, the entropy graph has been removed, as it does not provide any useful information anymore.

linux-firmware, the conglomerate of proprietary third party firmware, has been updated. That improves the hardware support, particularly for newer devices and components, and fixes bugs as well as security vulnerabilities in these binary blobs.

GCC, the GNU Compiler Collection, has been updated to 11.3.0, bringing fixes to bugs and regressions (some of them serious ones) from upstream to our users.

Miscellaneous

  • For applications running on IPFire itself, the availability of Extension Mechanisms for DNS (EDNS0), as specified in  RFC 2671, is now properly announced. This has already been the case for DNS clients querying the resolver of an IPFire installation.
  • Mount options of /boot have been hardened on flash images. Existing installations remain unchanged for the time being, but we plan to apply this change to them as well soon.
  • IPFire's NTP daemon will now use itself as a preferred time source, rather than any hardware RTC. As the latter can be quite unreliably, particularly if CMOS battery power is low, this will result in more accurate time synchronization.
  • A bug in misc-progs, the safety net between the web interface and the operating system, has been fixed, which sometimes led to the swallowing of a commands' first argument.
  • The Hardware Detection Tool (HDT) has been dropped from the CDROM menu, as it does not run on EFI and better tools are nowadays available for hardware detection.
  • Plain OpenVPN PKCS12 files are now properly downloadable again ( #12883).
  • A missing dependency for  BorgBackup has been added, making this add-on usable again ( #12884).
  • Spaces are now allowed again in OpenVPN static IP pool names ( #12865).
  • On IPFire instances  running in various clouds, user-data scripts are now executed at the end of initialization, ensuring that such systems are fully initialized before conducting user-defined actions.
  • The download URL for Talos IPS rulesets has been updated.
  • Updated packages: Apache 2.4.54, bind 9.16.30, curl 7.81.1, fuse 3.11.0, gdb 12.1, iptables 1.8.8, libnetfilter_cthelper 1.0.1, libnetfilter_cttimeout 1.0.1, libxml2 2.9.14, libxslt 1.1.35, libyang 2.0.194, lmdb 0.9.29, logrotate 3.20.1, lzip 1.23, OpenSSL 1.1.1p, sqlite 3380500, Squid 5.6, tzdata 2022a, unbound 1.16.0, xfsprogs 5.16.0
  • Updated add-ons: aws-cli 1.23.12, clamav 0.105.0, dnsdist 1.7.2, git 2.36.1, libvorbis 1.3.7, lynis 3.0.8, Postfix 3.7.2, python3-botocore 1.25.12, tmux 3.3, Tor 0.4.7.8

As always, we thank all people contributing to this release in whatever shape and form. Please note IPFire is backed by volunteers, maintaining and improving this distribution in their spare time - should you like what we are doing, please  donate to keep the lights on, an consider  becoming engaged in development to distribute the load over more shoulders.



IPFire 2.27 - Core Update 169 released