
Core Update 185 of IPFire 2.29 has been made available for testing. Besides bug fixes and package updates across the system, it ships Suricata 7, a new major version of the engine behind the IPFire intrusion prevention system (IPS). Suricata 7 adds support for HTTP/2 (including deflate compression and byte ranges), TLS client certificates, IKEv1, the PostgreSQL protocol, a BitTorrent parser, and QUICv1 and GQUIC. As an additional line of defence, Suricata now sandboxes itself with Linux Landlock so that an exploited process can do less damage, and it is slightly more memory efficient.



IPFire 2.29 - Core Update 185 is available for testing

This update is another testing version for IPFire: it comes with a brand-new release of the IPFire IPS, a number of bug fixes across the entire system and a good amount of package updates. Test it while it's still hot!

Suricata 7 - Intrusion Prevention System

Finally, Suricata 7 is here: a new major version of the engine the IPFire IPS is based on. It brings HTTP/2 support that is no longer considered experimental and now handles deflate compression and byte ranges. There are new keywords for HTTP header inspection, support for handling TLS client certificates, support for IKEv1 and the PostgreSQL protocol, a BitTorrent parser, and last but not least QUICv1 and GQUIC. Suricata also locks itself down further using Linux Landlock, so that an attacker who manages to exploit the process can do less damage; and the developers have spent time making it slightly more memory efficient.

From abuse.ch, we have added the ThreatFox Indicators of Compromise rules. These rules help to identify local hosts that might have been compromised, for example by detecting traffic to botnet command-and-control servers. The PT Attack and Secureworks rulesets have been dropped as they are no longer available.

Toolchain Update

IPFire has been rebased on glibc 2.39, the C standard library, and binutils 2.42. IPFire is also now compiled with the highest level of source fortification, -D_FORTIFY_SOURCE=3. This makes the toolchain add compile-time and run-time bounds checks to common libc calls such as memcpy, strcpy and sprintf, so that buffer overruns and overflows are caught instead of silently corrupting memory, and any as yet undetected security vulnerabilities become harder to exploit. Finally, the system is now built with less debugging information, which we do not need and which slightly speeds up compilation.
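As an added example (not IPFire's code) of what the higher fortification level buys: level 2 can only check destination buffers whose size is a compile-time constant, whereas level 3 uses __builtin_dynamic_object_size and also covers buffers whose size is known only at run time, such as the malloc(n) below. The function names and the 32-byte pattern are assumptions made for illustration; the hardened variant shows the explicit check that level 3 would otherwise insert for you.

```c
/*
 * fortify_demo.c: added example (not IPFire's code) showing the class of
 * bug that -D_FORTIFY_SOURCE=3 turns from silent heap corruption into a
 * clean abort. Build with optimisation, since fortification is inactive
 * at -O0:
 *
 *   gcc -O2 -D_FORTIFY_SOURCE=2 fortify_demo.c -o demo2 && ./demo2 16
 *   gcc -O2 -D_FORTIFY_SOURCE=3 fortify_demo.c -o demo3 && ./demo3 16
 *
 * Level 2 only checks destinations whose size is a compile-time constant;
 * malloc(n) is not, so demo2 overflows the heap silently (or crashes later
 * in free()). Level 3 tracks the n passed to malloc via
 * __builtin_dynamic_object_size, so demo3 aborts in __memcpy_chk with
 * "*** buffer overflow detected ***" before any memory is corrupted.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATTERN_LEN 32
/* Constructed 32-byte payload (plus terminating NUL). */
static const char PATTERN[PATTERN_LEN + 1] = "0123456789abcdef0123456789abcdef";

/* Vulnerable: copies the fixed 32-byte pattern into a heap buffer whose
 * size the caller chooses. Nothing in the source checks n >= PATTERN_LEN,
 * so n < 32 is a heap buffer overflow. Returns the byte sum of the copied
 * pattern (2244 for PATTERN) so callers can see the copy took place. */
unsigned fill_pattern_unchecked(size_t n)
{
    char *buf = malloc(n);
    if (buf == NULL)
        return 0;
    memcpy(buf, PATTERN, PATTERN_LEN);          /* the fortified call */
    unsigned sum = 0;
    for (size_t i = 0; i < PATTERN_LEN; i++)
        sum += (unsigned char)buf[i];
    free(buf);
    return sum;
}

/* Hardened: the explicit bound check the programmer should have written.
 * Returns 0 when the destination is too small instead of overflowing. */
unsigned fill_pattern_checked(size_t n)
{
    if (n < PATTERN_LEN)
        return 0;
    return fill_pattern_unchecked(n);
}

int main(int argc, char **argv)
{
    /* Buffer size comes from the command line, so it is unknown at
     * compile time and only level 3 can check the memcpy above. */
    size_t n = argc > 1 ? strtoul(argv[1], NULL, 10) : 64;
    printf("checked  : %u\n", fill_pattern_checked(n));
    printf("unchecked: %u\n", fill_pattern_unchecked(n));
    return 0;
}
```

Running the two binaries with an argument of 16 shows the difference: demo2 prints a checksum from memory it should never have touched, while demo3 aborts before the copy completes. With 64 both behave identically, which is the point of the feature: correct programs pay only for the comparison.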

Misc.

  • OpenVPN
    • Previously, the UI allowed creating certificates with a common name that was already in use (#13404)
    • Imported net-to-net connections did not show correctly whether the certificate was password-protected (#13548)
    • The OpenSSL configuration file has been cleaned up (#13595)
  • The time server configuration page now shows the current system time
  • Custom DHCP options of type "integer 8" can now be configured (#12395)
  • Comments were sometimes incorrectly encoded as ISO-8859-1, which broke umlauts and other special and non-ASCII characters
  • Intel has published microcode updates for various processors to fix or mitigate the following security vulnerabilities:
  • The CA certificate bundle has been updated
  • Some basic functions of the initscripts have been cleaned up and enhanced so that scripts can be written more concisely
  • Updated packages: elfutils 0.191, ethtool 6.7, expat 2.6.2, knot 3.3.5, libffi 3.4.6, libpng 1.6.42, libplist 2.4.0, libgpg-error 1.48, intel-microcode 20240312, iproute2 6.8.0, meson 1.4.0, newt 0.52.24, OpenJPEG 2.5.2, OpenSSH 9.7p1, pango 1.52.0, pciutils 3.11.1, pixman 0.43.4, poppler 24.03.0, qpdf 11.9.0, shadow 4.15.0, SQLite 3.45.2, squid 6.8, Suricata 7.0.3, Tcl 8.6.14, Unbound 1.19.3, util-linux 2.39.3, wget 1.24.5, whois 5.5.21, xz 5.6.1

Add-Ons

  • wsdd is a service that implements the Web Service Discovery protocol for Windows. This enables clients running Windows 10 or newer to discover file shares exported by the Samba service. It will be automatically installed on all machines that run Samba. (#13445)
  • Updated packages: ClamAV 1.3.0, dnsdist 1.9.1, GDB 14.2, Ghostscript 10.03.0, Git 2.44.0, gptfdisk 1.0.10, libmpdclient 2.22, mpc 0.35, mpd 0.23.15, mympd 14.1.0, opus 1.5.1, Samba 4.19.5, SDL 2.30.1, Zabbix Agent 6.0.24 (LTS)
  • Entries in the IPFire web UI menu have been added for VDR and Transmission, if installed

Support Us!

We are very happy to bring you all these exciting changes for IPFire that we have put so much effort into. Please help us to keep them coming by supporting our team with your donation.
