Security 10816 Published by

IPFire 2.27 - Core Update 172 is now available for testing.  IPFire is a powerful and professional Open Source firewall solution.





IPFire 2.27 - Core Update 172 is available for testing

Despite being currently busy with an IPFire 3 hackathon, we found the time to release the next Core Update for testing: IPFire 2.27 - Core Update 172. It comes with cryptography improvement for IPsec and OpenVPN, as well as security improvements under the hood, a plethora of package updates and various bugs fixed across the place.

Future-proofing VPN cryptography

This Core Update updates the key lengths of host certificates for both  IPsec and  OpenVPN clients/peers to 4,096 bit RSA, since the previous default of 2,048 bit  is no longer recommended for long-term security purposes.

Both IPsec and OpenVPN root CA length has always been 4,096 bit, as has the key pair generated for IPFire's web interface - no action is required on that front. Unfortunately, existing IPsec/OpenVPN client/peer configurations cannot be migrated automatically, and have to be phased-out manually. Thanks to the respective CA certificates not requiring an update, complete disruptions of VPN infrastructure can, however, be avoided.

OpenVPN is automatically reconfigured to use a secure Diffie-Hellman parameter, both of sufficient length of 4,096 bit and standardized (see  RFC 7919, section A.3, bug  #12632). All OpenVPN clients and peers will automatically benefit from this cryptography improvement; no manual action is required. This also obsoletes the necessity of generating or uploading Diffie-Hellman parameters while configuring OpenVPN, saving a lot of time, as the generation of such parameters could have taken hours on slower hardware.

For early 2023, we anticipate post-quantum cryptography (PQC) to land in IPFire for IPsec, for which there is a strong (and growing) need, thanks to so-called "capture now, decrypt later" attacks endangering the confidentiality of information with long-term secrecy demand, such as biometric and health data.

Miscellaneous

  • IPFire's trust store has been updated to incorporate  Mozilla's decision to distrust the root certificates of TrustCor Systems S. DE R.L.
  • Displaying the status and actions of add-ons whose service names differed from their package names is fixed ( #12935). The same page has also seen some translation improvements.
  • Certificate Revocation Lists (CRLs) of OpenVPN are now properly backed up and reloaded before OpenVPN is (re-)started.
  • Adolf Belka submitted a massive patchset for updating Python.
  • Roberto Peña updated and improved the Spanish translation of IPFire's web interface.
  • Some unnecessary files from linux-firmware are no longer shipped and automatically removed from existing installations to keep the system as lean as possible.
  • Various file permissions have been tightened as a defense in-depth measure.
  • Obsolete gnu-netcat and powertop add-ons have been dropped.
  • Updated packages: arm-trusted-firmware 2.7, bash 5.2, bind 9.16.35, conntrack-tools 1.4.7, curl 7.86.0, elinks 0.15.1, ethtool 6.0, expat 2.5.0, iana-etc 20221107, intel-microcode 20221108, iproute2 6.0.0, libedit 20221030-3.1, libhtp 0.5.42, libloc 0.9.15, libnetfilter_conntrack 1.0.9, libpng , 1.6.39, libtasn1 4.19.0, libtiff 4.4.0, libuv 1.44.2, libxcrypt 4.4.33, libxml2 2.10.3, linux-firmware 20221109, lsof 4.96.4, memtest86+ 6.00, nano 7.0, OpenSSH 9.1p1, OpenSSL 1.1.1s, OpenVPN 2.5.8, poppler 22.11.0, python3 3.10.8, readline 8.2, sed 4.9, sqlite 3400000, strongswan 5.9.8, sudo 1.9.12p1, suricata 6.0.9, sysstat 12.7.1, tzdata 2022e, u-boot 2022.10, unbound 1.17.0, usbutils 015, vnstat 2.10, xz 5.2.8, zlib 1.2.13
  • Updated add-ons: cups-filters 1.28.16, ddrescue 1.26, dehydrated 0.7.1, fetchmail 6.4.34, ffmpeg 5.1.2, flac1.4.2, fmt 9.1.0, git 2.38.1, libassuan 2.5.5, libvirt 8.9.0, mpd 0.23.10, nginx 1.22.1, pcengines-apu-firmware 4.17.0.2, qemu 7.1.0, qemu-ga 7.1.0, rsync 3.2.7, samba 4.17.3, sdl2 2.26.0, Tor 0.4.7.11

As always, we thank all people contributing to this release in whatever shape and form. Please help  testing this update, especially if you are using exotic hardware, uncommon network setups, or add-ons, and provide feedback - which is absolutely essential to us.



IPFire 2.27 - Core Update 172 is available for testing