Security 10809 Published by

IPFire 2.27 - Core Update 173 is now available for testing.  IPFire is a powerful and professional Open Source firewall solution.





IPFire 2.27 - Core Update 173 is available for testing

The first Core Update in 2023 is ready for testing: IPFire 2.27 - Core Update 173. It introduces support for Qualcomm's MSM Interface (QMI), features a kernel fresh from the latest 6.1 stable series, as well as the usual plethora of package updates, security improvements and bug fixes.

IPFire users running 32-bit ARM devices should note that support for this architecture will sunset on February 28, 2023,  as announced previously, and are advised to migrate their installations to a hardware architecture  supported by IPFire now.

Introducing QMI support

The Qualcomm MSM Interface is a proprietary interface increasingly used by 4G and 5G  cellular modems. Commencing with this Core Update, IPFire supports interacting with such modems through libqmi, thus significantly expanding its hardware compatibility to QMI-only cellular modems, and providing a faster and more modern interface to cellular modems providing both a QMI interface and its legacy counterpart.

Thanks to Michael for implementing this feature. On that occasion, he also refactored related networking code.

Linux Kernel 6.1.9

Arne has updated the Linux kernel to the most recent stable series, 6.1.x, which is expected to become a new long-term series. Aside from the usual improvements such a major kernel update brings - bug fixes, hardware support (which is accompanied by an update of linux-firmware in this Core Update) and security improvements, and so on -, we took the occasion to bring several new hardening changes to IPFire users:

  • System calls permitting processes to read or write other processes' memory are no longer provided by the kernel.
  • On EFI systems supporting it, the firmware is now instructed to wipe all memory when rebooting, to hamper cold boot attacks.
  • Landlock support has been enabled.
  • GCC's "latent entropy" plugin has been disabled, since it does not generate cryptographically secure entropy.
  • To cut attack surface, support for both the ACPI configuration file system and obsolete PCMCIA/CardBus subsystem has been removed.
  • On 64-bit ARM installations, direct memory access via malicious PCI devices are no longer possible.

Miscellaneous

  • The  OpenVPN 2FA authenticator will no longer enter an infinite loop if the socket connection to OpenVPN is lost ( #12963).
  • A user group necessary for interaction between D-Bus and Avahi is now properly created while installing the latter add-on ( #13017).
  • The  OpenVPN GUI has seen minor improvements and cleanups ( #13030).
  • A bug in the firewall engine permitting the creation of rules with invalid sources has been resolved.
  • Input like *.example.com is now properly treated as a wildcard domain by the web interface ( #12937).
  • libtirpc is now part of the core system, since it is needed as a dependency by lsof ( #13015).
  • The obsolete spandsp add-on has been dropped.
  • Updated packages: Apache 2.4.55, bind 9.16.37, curl 7.87.0, ethtool 6.1, file 5.44, fontconfig 2.14.1, fuse 3.13.0, grep 3.8, harfbuzz 6.0.0, iana-etc 20221226, iproute2 6.1.0, ipset 7.17, iptables 1.8.9, iputils 20221126, iw 5.19, jquery 3.6.3, json-c 0.16, keyutils 1.6.3, knot 3.2.4, krb5 1.20.1, lcms2 2.14, less 608, libarchive 3.6.2, libcap 2.66, libconfig 1.7.3, libffi 3.4.4, libgpg-error 1.46, libidn 1.41, libinih r56, libjpeg 2.1.4, libloc 0.9.16, libmpc 1.3.1, libpcap 1.10.3, libssh 0.10.4, libstatgrab 0.92.1, libtiff 4.5.0, libtool 2.4.7, libusb 1.0.26, libxslt 1.1.37, libyang 2.1.4, linux-firmware 20221214, logrotate 3.21.0, lz4 1.9.4, memtest86+ 6.01, mpfr 4.2.0, nano 7.2, ncurses 6.4, OpenSSH 9.2p1, pcre2 10.42, perl-HTML-Parser 3.78, pixman 0.42.2, poppler 23.01.0, psmisc 23.6, rust 1.65, sdl2 2.26.2, shadow 4.13, sqlite 3400100, squid-asnbl 0.2.4 (resolving  #13023), strongswan 5.9.9, sudo 1.9.12p2, xfsprogs 6.1.1, xz 5.4.1
  • Updated add-ons: alsa 1.2.8, bird 2.0.11, borgbackup 1.2.3 (resolving  #13032), ClamAV 1.0.0, dbus 1.14.4, dnsdist 1.7.3, ghostscript 10.0.0, haproxy 2.7.1, igmpproxy 0.4, iotop 1.22, iperf 2.1.8, iperf3 3.12, libcdada 0.4.0, libexif 0.6.24, libpciaccess 0.17, libshout 2.4.6, libtalloc 2.3.4, libusbredir 0.13.0, libvirt 8.10.0, mc 4.8.29, nfs 2.6.2, nqptp ad384f9, pcengines-apu-firmware 4.17.0.3, python3-packaging 23.0, samba 4.17.4, shairport-sync 4.1.1, strace 6.1, tcpdump 4.99.3, Tor 0.4.7.13

As always, we thank all people contributing to this release in whatever shape and form. Please help  testing this update, especially if you are using exotic hardware, uncommon network setups, or add-ons, and provide feedback - which is absolutely essential to us.



IPFire 2.27 - Core Update 173 is available for testing