Security 10816 Published by

The final version of IPFire 2.27 - Core Update 173 is now available.  IPFire is a powerful and professional Open Source firewall solution.



IPFire 2.27 - Core Update 173 released

he first Core Update in 2023 has been released: IPFire 2.27 - Core Update 173. It introduces support for 4G and 5G modems that use the QMI interface, features a kernel fresh from the latest 6.1 stable series, as well as the usual plethora of package updates, security improvements and bug fixes.

IPFire users running 32-bit ARM devices should note that support for this architecture will sunset  at the end of this month, and are advised to migrate their installations to a hardware architecture  supported by IPFire now. Consequently, this will be the last update released for this architecture.

Introducing QMI support

The Qualcomm MSM Interface is a proprietary interface increasingly used by 4G and 5G  cellular modems. Commencing with this Core Update, IPFire supports interacting with such modems, thus significantly expanding its hardware compatibility to QMI-only cellular modems, and providing a faster and more modern interface.

Thanks to Michael for implementing this feature. On that occasion, he also refactored related networking code.

Linux Kernel 6.1.11

Arne has updated the Linux kernel to the most recent stable series, 6.1.11, which has become the new long-term series. Aside from the usual improvements such major kernel updates bring like bug fixes, improved hardware support and security improvements, we took the occasion to bring several new hardening changes to IPFire users:

  • System calls permitting processes to read or write other processes' memory are no longer provided by the kernel.
  • On EFI systems supporting it, the firmware is now instructed to wipe all memory when rebooting, to hamper cold boot attacks.
  • Landlock support has been enabled.
  • GCC's "latent entropy" plugin has been disabled, since it does not generate cryptographically secure entropy.
  • To cut attack surface, support for both the ACPI configuration file system and obsolete PCMCIA/CardBus subsystem has been removed.
  • On 64-bit ARM installations, direct memory access via malicious PCI devices is no longer possible.

Miscellaneous

  • The  OpenVPN 2FA authenticator will no longer enter an infinite loop if the socket connection to OpenVPN is lost ( #12963).
  • A user group necessary for interaction between D-Bus and Avahi is now properly created while installing the latter add-on ( #13017).
  • The  OpenVPN GUI has seen minor improvements and cleanups ( #13030).
  • A bug in the firewall engine permitting the creation of rules with invalid sources has been resolved.
  • Input like *.example.com is now properly treated as a wildcard domain by the web interface ( #12937).
  • libtirpc is now part of the core system, since it is needed as a dependency by lsof ( #13015).
  • The obsolete spandsp add-on has been dropped.
  • Updated packages: Apache 2.4.55, bind 9.16.37, curl 7.87.0, ethtool 6.1, file 5.44, fontconfig 2.14.1, fuse 3.13.0, grep 3.8, harfbuzz 6.0.0, iana-etc 20221226, iproute2 6.1.0, ipset 7.17, iptables 1.8.9, iputils 20221126, iw 5.19, jquery 3.6.3, json-c 0.16, keyutils 1.6.3, knot 3.2.4, krb5 1.20.1, lcms2 2.14, less 608, libarchive 3.6.2, libcap 2.66, libconfig 1.7.3, libffi 3.4.4, libgpg-error 1.46, libidn 1.41, libinih r56, libjpeg 2.1.4, libloc 0.9.16, libmpc 1.3.1, libpcap 1.10.3, libssh 0.10.4, libstatgrab 0.92.1, libtiff 4.5.0, libtool 2.4.7, libusb 1.0.26, libxslt 1.1.37, libyang 2.1.4, linux-firmware 20221214, logrotate 3.21.0, lz4 1.9.4, memtest86+ 6.01, mpfr 4.2.0, nano 7.2, ncurses 6.4, OpenSSH 9.2p1, OpenSSL 1.1.1t, pcre2 10.42, perl-HTML-Parser 3.78, pixman 0.42.2, poppler 23.01.0, psmisc 23.6, rust 1.65, sdl2 2.26.2, shadow 4.13, sqlite 3400100, squid-asnbl 0.2.4 (resolving  #13023), strongswan 5.9.9, sudo 1.9.12p2, suricata 6.0.10, xfsprogs 6.1.1, xz 5.4.1
  • Updated add-ons: alsa 1.2.8, bird 2.0.11, borgbackup 1.2.3 (resolving  #13032), ClamAV 1.0.1, dbus 1.14.4, dnsdist 1.7.3, ghostscript 10.0.0, haproxy 2.7.1, igmpproxy 0.4, iotop 1.22, iperf 2.1.8, iperf3 3.12, libcdada 0.4.0, libexif 0.6.24, libpciaccess 0.17, libshout 2.4.6, libtalloc 2.3.4, libusbredir 0.13.0, libvirt 8.10.0, mc 4.8.29, nfs 2.6.2, nqptp ad384f9, pcengines-apu-firmware 4.17.0.3, python3-packaging 23.0, samba 4.17.4, shairport-sync 4.1.1, strace 6.1, tcpdump 4.99.3, Tor 0.4.7.13


As always, we thank all people contributing to this release in whatever shape and form. Please note IPFire is backed by volunteers, maintaining and improving this distribution in their spare time - should you like what we are doing, please  donate to keep the lights on, an consider  becoming engaged in development to distribute the load over more shoulders.

IPFire 2.27 - Core Update 173 released