
IPFire 2.29 - Core Update 187 has been released.

IPFire 2.29 - Core Update 187 released

Finally, it is time for another release of IPFire: IPFire 2.29 Core Update 187! It protects your network better against (Distributed) Denial-of-Service attacks and uses SIMD instructions for the Intrusion Prevention System on ARM for more throughput. It also comes with a number of security fixes in OpenSSH, Suricata and Apache2, as well as the usual package of bug fixes and software updates.

Advanced (Distributed) Denial-of-Service Protection

Since IPFire is very commonly deployed in data centres, where denial-of-service attacks happen on a regular basis, we have now added better protection against those kinds of attacks. Formerly, the system protected itself rather well against (D)DoS attacks, but that protection was limited to TCP connections terminating at the firewall itself, for example for reverse proxies.

Now, IPFire can also use TCP SYN cookies to protect the infrastructure behind it against SYN flood attacks. This is especially useful in high-bandwidth scenarios and cloud deployments, and it can be activated with a single checkbox, separately for each firewall rule.
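To show why SYN cookies let a firewall absorb a SYN flood without keeping per-connection state, here is an added, simplified model of the classic SYN cookie scheme. It is example code written for this page, not IPFire's or the Linux kernel's implementation: the 64-second counter period, the 4-entry MSS table, the 4-tick maximum age, the `Listener` class and all addresses and the secret are constructed assumptions. The cookie layout follows the textbook scheme (5 bits of a slow counter, 3 bits of MSS class, 24 bits of keyed hash over the 4-tuple), so the server stores nothing until the client's final ACK proves it saw the SYN-ACK.

```python
import hashlib
import hmac
import struct

COUNTER_PERIOD = 64                  # seconds per counter tick (assumption for this model)
MAX_AGE_TICKS = 4                    # cookies older than this many ticks are rejected (assumption)
MSS_TABLE = (536, 1300, 1440, 1460)  # MSS classes encodable in the 3-bit field (simplified table)


def _mss_index(client_mss: int) -> int:
    """Largest table entry not exceeding the client's advertised MSS (class 0 as fallback)."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i
    return idx


def _hash24(secret, saddr, daddr, sport, dport, count, mss_idx):
    """24-bit keyed hash binding the cookie to the 4-tuple, the counter tick and the MSS class."""
    msg = struct.pack("!4s4sHHIB", saddr, daddr, sport, dport, count, mss_idx)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, saddr, daddr, sport, dport, client_mss, now):
    """Initial sequence number for the SYN-ACK. Nothing is stored; the cookie carries the state."""
    count = int(now) // COUNTER_PERIOD
    mss_idx = _mss_index(client_mss)
    h = _hash24(secret, saddr, daddr, sport, dport, count, mss_idx)
    return ((count & 0x1F) << 27) | (mss_idx << 24) | h


def check_cookie(secret, saddr, daddr, sport, dport, cookie, now):
    """Validate the cookie echoed in the final ACK (ack_seq - 1).
    Returns the negotiated MSS, or None if the cookie is forged, stale or for another 4-tuple."""
    t = (cookie >> 27) & 0x1F
    mss_idx = (cookie >> 24) & 0x7
    h = cookie & 0xFFFFFF
    if mss_idx >= len(MSS_TABLE):
        return None
    current = int(now) // COUNTER_PERIOD
    for age in range(MAX_AGE_TICKS + 1):
        count = current - age
        if count < 0 or (count & 0x1F) != t:
            continue
        expected = _hash24(secret, saddr, daddr, sport, dport, count, mss_idx)
        if hmac.compare_digest(expected.to_bytes(3, "big"), h.to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
        return None   # the counter tick matched but the hash did not: forged
    return None       # no recent tick produces this counter value: stale


class Listener:
    """Toy listening socket. Without cookies it keeps one half-open entry per SYN (the table a
    SYN flood exhausts); with cookies it keeps nothing until the handshake completes."""

    def __init__(self, secret, addr, port, syn_cookies):
        self.secret, self.addr, self.port, self.syn_cookies = secret, addr, port, syn_cookies
        self.half_open = {}     # (saddr, sport) -> (isn, mss); only used without cookies
        self.established = {}   # (saddr, sport) -> mss

    def on_syn(self, saddr, sport, mss, now):
        if self.syn_cookies:
            return make_cookie(self.secret, saddr, self.addr, sport, self.port, mss, now)
        isn = len(self.half_open) + 1   # any server ISN will do for the toy
        self.half_open[(saddr, sport)] = (isn, mss)
        return isn

    def on_ack(self, saddr, sport, ack_seq, now):
        if self.syn_cookies:
            mss = check_cookie(self.secret, saddr, self.addr, sport, self.port, ack_seq - 1, now)
            if mss is None:
                return False
        else:
            entry = self.half_open.pop((saddr, sport), None)
            if entry is None or entry[0] + 1 != ack_seq:
                return False
            mss = entry[1]
        self.established[(saddr, sport)] = mss
        return True


def flood_demo(n_spoofed: int):
    """Constructed scenario: n_spoofed SYNs from spoofed sources that never ACK, then one genuine
    client. Returns {syn_cookies: (half_open entries left behind, genuine handshake succeeded)}."""
    secret = b"constructed-secret"   # a real implementation uses a random, regularly rotated secret
    results = {}
    for cookies in (False, True):
        srv = Listener(secret, b"\xc0\xa8\x01\x01", 443, cookies)
        for i in range(n_spoofed):
            srv.on_syn(b"\x0a" + i.to_bytes(3, "big"), 40000 + (i % 20000), 1460, 100.0)
        isn = srv.on_syn(b"\x0a\x00\x00\x05", 50000, 1460, 101.0)
        ok = srv.on_ack(b"\x0a\x00\x00\x05", 50000, isn + 1, 101.2)
        results[cookies] = (len(srv.half_open), ok)
    return results


if __name__ == "__main__":
    print(flood_demo(1000))
```

The design point is that every field the server needs to rebuild the connection (MSS class, rough age) travels inside the sequence number, and the keyed hash stops a flood source from fabricating a valid ACK for an address it does not control. The cost is a loss of options that do not fit in 32 bits, which is why production implementations only switch to cookies once the backlog is under pressure.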

Misc.

  • The IP Blocklist feature now supports two more lists: 3CORESec and Abuse.ch Botnet C2
  • Since Intel's Hyperscan library is no longer available as free software, we have switched to Vectorscan, a fork of the original Hyperscan. On top of supporting the x86_64 architecture, Vectorscan supports ARM64 as well, which should bring performance improvements for the Intrusion Prevention System.
  • The firewall will now create more rules when configured in the most restrictive mode to allow IPsec traffic to flow for any local connections.
  • It is now possible to create IPsec connections using an FQDN as Local/Remote ID instead of the usual email-address-like format by using the @@ prefix. With the @# prefix it is now also possible to match a connection by the ID of a key.
  • Unprivileged programs can no longer use the bpf() syscall. This is a precautionary measure: currently no program requires it, but it could be exploited by an attacker who manages to inject and execute code.
  • OpenSSH has been updated to version 9.8p1 to address the recently discovered privilege escalation attack commonly known as regreSSHion.
  • Updated packages: Apache 2.4.61 (addressing CVE-2024-39573, CVE-2024-38477, CVE-2024-38476, CVE-2024-38475, CVE-2024-38474, CVE-2024-38473, CVE-2024-38472, CVE-2024-36387 and CVE-2024-39884), BIND 9.16.50, cpio 2.15, cURL 8.8.0, dhcpcd 10.0.8, e2fsprogs 1.47.0, ed 1.20.2, ethtool 6.9, GCC 13.3.0, GnuTLS 3.8.5, iana-etc 20240502, Intel Microcode 20240531, iw 6.9, jq 1.7.1, kbd 2.6.4, libedit 20240517-3.1, zip 1.24.1, man-pages 6.8, mdadm 4.3, ntp 4.2.8p18, oath-toolkit 2.6.11, PAM 1.6.1, PCRE2 10.43, psmisc 23.7, screen 4.9.1, shadow 4.15.1, SQLite 3.46.0, squid 6.10, Suricata 7.0.6 (addressing various security and stability fixes), Unbound 1.20.0, util-linux 2.40.1, vim 9.1, whois 5.5.23, xfsprogs 6.8.0, Zstd 1.5.6