
Core Update 185 of IPFire 2.29 has been released. It includes a new IPFire intrusion prevention system (IPS) based on Suricata 7, as well as bug fixes and package updates. Suricata 7 brings support for HTTP/2 (now including deflate compression and byte-ranges), TLS client certificates, IKEv1, the PostgreSQL protocol, a BitTorrent parser, and QUICv1 and GQUIC, and it sandboxes itself with Linux Landlock to limit the damage should the process be exploited. The update also adds the ThreatFox Indicators of Compromise rules from abuse.ch, fixes a denial-of-service vulnerability in how the firewall handled packets when the Suricata service was crashed, and removes the PT Attack and Secureworks rule sets, which are no longer available.



IPFire 2.29 - Core Update 185 released

I am happy to announce that we finally have a new release of IPFire: IPFire 2.29 - Core Update 185. It comes with a brand new IPFire IPS based on Suricata 7, a number of bug fixes across the distribution and a good amount of package updates.

But before we start talking about the changes in detail, we would like to take a moment and ask for your support. We put a lot of effort into building and testing this update and could not do any of this without your donations. Please donate to the project so that we can put more resources into bringing you more and better updates. It is very much appreciated by all of us here!

Suricata 7 - Intrusion Prevention System

Finally, Suricata 7 is here: a new major version of the engine the IPFire IPS is built on. HTTP/2 support is no longer considered experimental and now handles deflate compression and byte-ranges. There are new keywords for HTTP header inspection, support for inspecting TLS client certificates, support for IKEv1 and the PostgreSQL protocol, a BitTorrent parser, and, last but not least, QUICv1 and GQUIC. Suricata also locks itself down further using Linux Landlock, restricting the filesystem access of its own process so that an exploit of the process can do less damage; and the developers have spent time making it slightly more memory efficient.

This update fixes a denial-of-service vulnerability where the firewall would accept packets if an attacker was able to crash the Suricata service. We have not observed this being exploited, but found this problem when testing this release.
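The page does not say what caused the behaviour above, so the following is not IPFire's fix and not a description of its bug. It is an added example of the check a practitioner would want after a fault like this: an audit of what an inline IPS built on iptables NFQUEUE does when its engine is not listening. An NFQUEUE rule carrying `--queue-bypass` tells the kernel to ACCEPT packets when no userspace process is bound to the queue (fail-open: traffic passes uninspected); without it, queued packets are dropped (fail-closed: a self-inflicted denial of service until the engine is restarted). Either can be the intended policy, but you should know which one you have. The `iptables-save` text, the chain name `INSPECT` and the script name in the usage note are constructed for this example.

```python
"""Audit iptables NFQUEUE rules for fail-open (--queue-bypass) behaviour.

Added example; not IPFire's own code. Parses iptables-save output (constructed
below, or read from stdin on a live system) and reports, per NFQUEUE rule, which
queue(s) it uses and whether the kernel will bypass the queue when nobody listens.
"""
import re
import sys

# Constructed iptables-save output: a forwarding chain that hands traffic to an
# inline engine on queues 0-3 and bypasses the queue if the engine is down.
SAMPLE_FAIL_OPEN = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:INSPECT - [0:0]
-A FORWARD -j INSPECT
-A INSPECT -m conntrack --ctstate ESTABLISHED,RELATED -j NFQUEUE --queue-balance 0:3 --queue-bypass
-A INSPECT -j NFQUEUE --queue-num 0 --queue-bypass
COMMIT
"""

# Same layout without --queue-bypass: packets are dropped while the engine is down.
SAMPLE_FAIL_CLOSED = SAMPLE_FAIL_OPEN.replace(" --queue-bypass", "")

# "-A <chain> <matches> -j NFQUEUE <options>"; matches are optional.
NFQUEUE_RE = re.compile(r"^-A\s+(?P<chain>\S+)\s+(?P<match>.*?)-j\s+NFQUEUE(?P<opts>.*)$")


def audit_nfqueue(rules_text):
    """Return one dict per NFQUEUE rule: chain, queue spec, fail_open flag, raw rule."""
    findings = []
    for line in rules_text.splitlines():
        line = line.strip()
        m = NFQUEUE_RE.match(line)
        if not m:
            continue
        opts = m.group("opts")
        q = re.search(r"--queue-(?:num|balance)\s+(\S+)", opts)
        findings.append({
            "chain": m.group("chain"),
            "queues": q.group(1) if q else "0",  # NFQUEUE defaults to queue 0
            "fail_open": "--queue-bypass" in opts,
            "rule": line,
        })
    return findings


def fails_open(rules_text):
    """True if any NFQUEUE rule lets traffic through when no engine is attached."""
    return any(f["fail_open"] for f in audit_nfqueue(rules_text))


if __name__ == "__main__":
    # On a firewall: iptables-save | python3 nfqueue_audit.py (script name assumed)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_FAIL_OPEN
    for f in audit_nfqueue(text):
        state = "FAIL-OPEN (--queue-bypass)" if f["fail_open"] else "fail-closed"
        print(f"{f['chain']:<12} queue {f['queues']:<6} {state}")
```

Whichever behaviour you choose, pair it with a liveness check on the engine process: a fail-open rule set that silently bypasses inspection for hours is the worse outcome, and a fail-closed one needs the engine restarted promptly.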

From abuse.ch, we have added the ThreatFox Indicators of Compromise rules. These rules help to identify local hosts that might have been compromised, by detecting traffic to known malicious infrastructure such as botnets. The PT Attack and Secureworks rule sets have been dropped as they are no longer available.
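The rules flag the traffic; turning that into a list of local hosts to investigate is the next step. The following is an added example, not IPFire, Suricata or abuse.ch code. It reads Suricata's EVE JSON log (one event per line), keeps only alerts whose signature message starts with "ThreatFox" (the prefix abuse.ch uses for these rules), works out which side of the flow is the local host, and groups the hits per host. The local network ranges, signature IDs and log lines are constructed for this example; the last log line is deliberately torn to show that a partially written line is skipped rather than aborting the run.

```python
"""Group Suricata EVE JSON alerts from ThreatFox IOC rules by local host.

Added example; not part of IPFire or Suricata. Assumes EVE JSON output with
event_type "alert" records carrying src_ip/dest_ip and alert.signature.
"""
import ipaddress
import json
from collections import defaultdict

# Assumption: the networks behind this firewall (adjust to your own ranges).
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.0.0.0/8")]

# Constructed EVE lines: two outbound ThreatFox hits and one inbound hit for one
# host, one unrelated ET alert for another host, one flow record, one torn line.
SAMPLE_EVE = """\
{"timestamp":"2024-04-10T09:12:01.000000+0000","event_type":"alert","src_ip":"192.168.1.23","src_port":51234,"dest_ip":"203.0.113.45","dest_port":8443,"proto":"TCP","alert":{"action":"blocked","signature_id":9000001,"signature":"ThreatFox botnet C2 traffic (ip:port - confidence level: 100%)","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2024-04-10T09:12:05.000000+0000","event_type":"flow","src_ip":"192.168.1.23","dest_ip":"203.0.113.45","proto":"TCP"}
{"timestamp":"2024-04-10T09:12:06.000000+0000","event_type":"alert","src_ip":"203.0.113.45","src_port":8443,"dest_ip":"192.168.1.23","dest_port":51234,"proto":"TCP","alert":{"action":"blocked","signature_id":9000001,"signature":"ThreatFox botnet C2 traffic (ip:port - confidence level: 100%)","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2024-04-10T09:13:44.000000+0000","event_type":"alert","src_ip":"192.168.1.23","src_port":51300,"dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","alert":{"action":"blocked","signature_id":9000002,"signature":"ThreatFox payload delivery (ip:port - confidence level: 75%)","category":"Malware Command and Control Activity Detected","severity":1}}
{"timestamp":"2024-04-10T09:15:00.000000+0000","event_type":"alert","src_ip":"192.168.1.50","src_port":40000,"dest_ip":"192.0.2.9","dest_port":22,"proto":"TCP","alert":{"action":"allowed","signature_id":9000003,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-04-10T09:16
"""


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def threatfox_hits(eve_text):
    """Return {local_host: [hit, ...]} for alerts raised by ThreatFox rules."""
    hits = defaultdict(list)
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # torn or partially written line; skip it
        if ev.get("event_type") != "alert":
            continue
        alert = ev.get("alert", {})
        sig = alert.get("signature", "")
        if not sig.startswith("ThreatFox"):
            continue
        src, dst = ev["src_ip"], ev["dest_ip"]
        # The compromised machine is the local end, whichever direction the flow runs.
        if is_local(src) and not is_local(dst):
            local, remote = src, f"{dst}:{ev.get('dest_port')}"
        elif is_local(dst) and not is_local(src):
            local, remote = dst, f"{src}:{ev.get('src_port')}"
        else:
            continue  # local-to-local or pure transit: no single local host to blame
        hits[local].append({
            "time": ev.get("timestamp"),
            "signature": sig,
            "remote": remote,
            "action": alert.get("action"),  # "blocked" or "allowed" in IPS mode
        })
    return dict(hits)


def report(hits):
    """Plain-text summary, one block per local host."""
    out = []
    for host in sorted(hits):
        out.append(f"{host}: {len(hits[host])} ThreatFox hit(s)")
        for h in hits[host]:
            out.append(f"  {h['time']} {h['action']:>7} -> {h['remote']}  {h['signature']}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(threatfox_hits(SAMPLE_EVE)))
```

Note that an "allowed" action on a ThreatFox alert means the rule fired in alert-only mode and the connection went through; a host with such hits needs the same follow-up as one whose traffic was blocked.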

Toolchain Update

IPFire has been rebased on glibc 2.39, the C standard library, and binutils 2.42. IPFire is now also compiled with the highest level of source fortification, -D_FORTIFY_SOURCE=3. This makes the compiler add compile-time and run-time bounds checks to calls of common memory and string functions, catching errors such as buffer overruns and overflows, so that any security vulnerability that has gone undetected becomes harder to exploit. Finally, we now compile the system with less debugging information, which we do not need and which slightly speeds up the build.
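A practitioner will want to verify that a shipped binary actually carries the fortified calls rather than take the build flag on trust. The following is an added example, not part of IPFire's build system. With -D_FORTIFY_SOURCE enabled, the compiler routes bounded calls such as memcpy, strcpy and sprintf to glibc's __memcpy_chk, __strcpy_chk and __sprintf_chk, which abort the process on overflow, so a fortified binary imports those _chk symbols; a binary built without fortification imports only the plain names. The script applies the same heuristic that tools like checksec use to `nm -D --undefined-only` output. The nm output below is constructed for this example. One caveat, which the code handles: a fortified binary also imports the plain names wherever the compiler could not determine a destination size, so the signal is the absence of any _chk import, not the presence of plain ones.

```python
"""Check whether an ELF binary imports fortified (__*_chk) libc calls.

Added example; not IPFire's own tooling. Parses `nm -D --undefined-only` output
(constructed below, or the real thing on a live system) and compares the plain
fortifiable libc names against their __<name>_chk variants.
"""
import re
import subprocess

# Subset of the libc functions glibc provides __<name>_chk variants for.
FORTIFIABLE = {
    "memcpy", "memmove", "memset", "strcpy", "strncpy", "strcat", "strncat",
    "sprintf", "snprintf", "vsprintf", "vsnprintf", "read", "pread", "recv",
    "recvfrom", "fgets", "getcwd", "readlink", "realpath",
}

# "<optional address> <type letter> <symbol>"; undefined symbols have no address.
SYM_RE = re.compile(r"^\s*(?:[0-9a-fA-F]+\s+)?([A-Za-z])\s+(\S+)")

# Constructed nm output for a binary built with fortification: memcpy appears
# both fortified and plain, which is normal (see the lead-in caveat).
SAMPLE_FORTIFIED = """\
                 U __memcpy_chk@GLIBC_2.3.4
                 U __sprintf_chk@GLIBC_2.3.4
                 U __stack_chk_fail@GLIBC_2.4
                 U memcpy@GLIBC_2.14
                 U malloc@GLIBC_2.2.5
                 U strlen@GLIBC_2.2.5
"""

# Constructed nm output for the same program built without -D_FORTIFY_SOURCE.
SAMPLE_PLAIN = """\
                 U memcpy@GLIBC_2.14
                 U sprintf@GLIBC_2.2.5
                 U strcpy@GLIBC_2.2.5
                 U malloc@GLIBC_2.2.5
"""


def imported_names(nm_output):
    """Symbol names from nm output with any @GLIBC_x.y version suffix removed."""
    names = set()
    for line in nm_output.splitlines():
        m = SYM_RE.match(line)
        if m:
            names.add(m.group(2).split("@")[0])
    return names


def fortify_status(nm_output):
    """Split fortifiable imports into fortified, unfortified, and both-present sets."""
    names = imported_names(nm_output)
    fortified = {n[2:-4] for n in names
                 if n.startswith("__") and n.endswith("_chk") and n[2:-4] in FORTIFIABLE}
    plain = {n for n in names if n in FORTIFIABLE}
    return {
        "fortified": sorted(fortified),
        "unfortified": sorted(plain - fortified),  # plain call with no _chk sibling
        "both": sorted(plain & fortified),         # expected for a fortified build
    }


def is_fortified(nm_output):
    """True if the binary imports at least one __*_chk variant of a fortifiable call."""
    return bool(fortify_status(nm_output)["fortified"])


def nm_undefined(path):
    """Run nm on a real binary (live-system use only; not exercised by the sample)."""
    return subprocess.run(["nm", "-D", "--undefined-only", path],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for label, text in (("fortified build", SAMPLE_FORTIFIED), ("plain build", SAMPLE_PLAIN)):
        print(label, "->", "fortified" if is_fortified(text) else "NOT fortified", fortify_status(text))
```

To check a binary on the firewall itself, call `fortify_status(nm_undefined("/path/to/binary"))`. A binary that imports no fortifiable function at all (a small daemon using only custom code) will also report "not fortified"; read the result alongside the list of plain imports before drawing a conclusion.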

Misc.

  • OpenVPN
    • Previously, the UI allowed creating certificates with a common name that was already in use (#13404)
    • Imported net-to-net connections did not correctly show whether the certificate was password-protected (#13548)
    • The OpenSSL configuration file has been cleaned up (#13595)
  • The time server configuration page is now showing the current system time
  • Custom DHCP options of type "integer 8" can now be configured (#12395)
  • Comments were sometimes incorrectly encoded as ISO-8859-1, which broke umlauts and other non-ASCII characters
  • Intel has published microcode updates for several of their processors to fix or mitigate the following security vulnerabilities:
  • The CA certificate bundle has been updated
  • Some basic functions of the initscripts have been cleaned up and enhanced to write shorter scripts
  • Updated packages: elfutils 0.191, ethtool 6.7, expat 2.6.2, knot 3.3.5, libffi 3.4.6, libpng 1.6.42, libplist 2.4.0, libgpg-error 1.48, intel-microcode 20240312, iproute2 6.8.0, meson 1.4.0, newt 0.52.24, OpenJPEG 2.5.2, OpenSSH 9.7p1, pango 1.52.0, pciutils 3.11.1, pixman 0.43.4, poppler 24.03.0, qpdf 11.9.0, shadow 4.15.0, SQLite 3.45.2, squid 6.8, Suricata 7.0.3, Tcl 8.6.14, Unbound 1.19.3, util-linux 2.39.3, wget 1.24.5, whois 5.5.21, xz 5.6.1

Add-Ons

  • wsdd is a service that implements the Web Service Discovery protocol used by Windows. It enables clients running Windows 10 or later to discover the file shares exported by the Samba service. It is installed automatically on all machines that run Samba. (#13445)
  • Updated packages: ClamAV 1.3.0, dnsdist 1.9.1, GDB 14.2, Ghostscript 10.03.0, Git 2.44.0, gptfdisk 1.0.10, libmpdclient 2.22, mpc 0.35, mpd 0.23.15, mympd 14.1.0, opus 1.5.1, Samba 4.19.5, SDL 2.30.1, Zabbix Agent 6.0.24 (LTS)
  • Entries to the IPFire web UI menu have been added for VDR and transmission if installed
