
IPFire 2.29 - Core Update 188 is a big release that includes several changes for users. It features package updates, a new kernel, performance improvements for Quality of Service, better handling of DHCP leases, an enhanced build system, a new version of OpenSSL, and solutions for Intel's most recent CPU vulnerabilities. The version also includes a new method for getting DHCP leases into DNS, allowing devices to be reached by their names rather than a random IP address.

The IPFire build system has been upgraded, resulting in stronger protection from the build system to the host system and vice versa. This increased isolation allows IPFire to be compiled for all architectures on the same machine without causing any negative effects. The version also includes bug fixes, stability and security improvements, as well as a new kernel based on Linux 6.6.47.

IPFire 2.29 - Core Update 188 has been released

Today, we have a huge release fresh out of the kitchen. It comes with a large number of important changes for every user out there: a record number of package updates, a refreshed kernel, performance improvements for the Quality of Service, better handling for DHCP leases, an improved build system as well as a new version of OpenSSL and fixes for Intel's latest CPU vulnerabilities.

We would like to ask for your support by sending us a donation. It helps us to keep bringing you more updates and keeping IPFire the modern and secure distribution that it is today. This would not be possible without our amazing community funding the developers' work. Thank you for donating. It is much appreciated by all of us!

Reducing CPU Usage of the Quality of Service

IPFire applies Quality of Service on all interfaces all of the time. Since Core Update 163 this has been done with CAKE, because everything is better with CAKE. That is still a true statement. However, we have found that CAKE has a much higher CPU consumption and could become a bottleneck on devices with a weak processor but fast network interfaces. Therefore we are changing IPFire to use fq_codel by default, which does not behave quite like CAKE when it comes to saturating a link, but reaches about 99% of CAKE's throughput while using significantly less CPU.

When configuring the Quality of Service in the web UI, we will always use CAKE for its advanced features.

A new way to get DHCP leases into DNS

When IPFire hands out an IP address to a device on the local network, it would be nice if that device could be reached by its name, too, and not only by a random IP address. This used to be done by a bridge program which analysed all leases and synchronised them with Unbound, the DNS proxy.

This program has now been rewritten to listen for events from the DHCP server in order to be more flexible and scale better.
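To illustrate the lease-to-DNS synchronisation described above, here is an added example (not IPFire's code, and not the rewritten program mentioned in the announcement). It parses records in the ISC dhcpd.leases text format, keeps only leases whose final binding state is active, and computes the `unbound-control local_data` / `local_data_remove` calls needed to bring Unbound's local data in line. The lease text, the `lan` domain and the `apply_commands` helper are constructed for the example. Client hostnames are attacker-controlled input, so they are validated as plain DNS labels before they ever reach `unbound-control`; with an event-driven design such a script would be triggered per lease change (for example from a dhcpd `on commit` hook) instead of rescanning the whole file.

```python
"""Sync active ISC dhcpd leases into Unbound local-data (added example).

Assumes the ISC dhcpd.leases text format and unbound-control's
local_data / local_data_remove commands. DOMAIN and LEASES are constructed.
"""
import re
import subprocess
from typing import Dict, List, Optional

DOMAIN = "lan"  # constructed local zone suffix; IPFire would use its configured domain

# Accept only RFC 1123 style host labels: the hostname is supplied by the
# DHCP client and must never reach a shell or unbound-control unvalidated.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)

# Constructed dhcpd.leases excerpt: one valid host, one hostile hostname,
# and one lease that is superseded by a later "free" record.
LEASES = """\
lease 192.168.1.10 {
  starts 4 2024/08/29 10:00:00;
  ends 4 2024/08/29 22:00:00;
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:01;
  client-hostname "laptop";
}
lease 192.168.1.11 {
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:02;
  client-hostname "bad host; rm -rf /";
}
lease 192.168.1.12 {
  binding state active;
  client-hostname "printer";
}
lease 192.168.1.12 {
  binding state free;
  client-hostname "printer";
}
"""


def parse_leases(text: str) -> Dict[str, str]:
    """Return {hostname: ip} for leases whose final binding state is active.

    dhcpd appends records, so a later block for the same IP supersedes an
    earlier one; iterating in file order lets the last entry win.
    """
    by_ip: Dict[str, Optional[str]] = {}
    for ip, body in LEASE_RE.findall(text):
        state = re.search(r"binding state\s+(\w+);", body)
        name = re.search(r'client-hostname\s+"([^"]*)";', body)
        if state and state.group(1) == "active" and name and IPV4_RE.match(ip):
            by_ip[ip] = name.group(1).strip().rstrip(".")
        else:
            by_ip[ip] = None  # released, expired or malformed: drop the name
    result: Dict[str, str] = {}
    for ip, host in by_ip.items():
        if host and LABEL_RE.match(host):  # reject anything that is not a clean label
            result[host.lower()] = ip
    return result


def ptr_name(ip: str) -> str:
    """Reverse-zone owner name for an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def sync_commands(current: Dict[str, str], desired: Dict[str, str]) -> List[List[str]]:
    """Argument lists for unbound-control that move Unbound from current to desired.

    Stale records are removed before new ones are added, so a name that was
    reassigned never answers with two addresses at once.
    """
    cmds: List[List[str]] = []
    for host, ip in sorted(current.items()):
        if desired.get(host) != ip:
            cmds.append(["unbound-control", "local_data_remove", f"{host}.{DOMAIN}."])
            cmds.append(["unbound-control", "local_data_remove", ptr_name(ip)])
    for host, ip in sorted(desired.items()):
        if current.get(host) != ip:
            fqdn = f"{host}.{DOMAIN}."
            cmds.append(["unbound-control", "local_data", f"{fqdn} IN A {ip}"])
            cmds.append(["unbound-control", "local_data", f"{ptr_name(ip)} IN PTR {fqdn}"])
    return cmds


def apply_commands(cmds: List[List[str]]) -> None:
    """Run the computed commands; argument lists avoid any shell interpretation."""
    for cmd in cmds:
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    # Pretend Unbound currently knows only the now-released printer lease.
    for cmd in sync_commands({"printer": "192.168.1.12"}, parse_leases(LEASES)):
        print(" ".join(cmd))
```

Only `laptop` survives parsing: the hostile hostname fails the label check and the printer lease was superseded by a `free` record, so the computed commands remove the stale printer records and add A and PTR data for the laptop.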

An Improved Build System

Our custom build system for IPFire has received major improvements across the board. We now have much better protection from the build system to the host system and vice versa. This enables us to prevent unintended modification of the build source, whether by errors or by compromised third-party source packages. This stronger isolation allows us to compile IPFire for all architectures on the same machine without any side-effects.

Paired with a lot of code cleanup and improving its robustness, these changes allow the developers to be more efficient and build IPFire faster.

Misc.

  • OpenSSL has been upgraded to 3.3.0. This is the latest production branch, which mainly brings support for QUIC.
  • The Intel Microcode has been updated to address a number of security vulnerabilities in their CPUs:
  • Unbound has been updated to version 1.12.0, which fixes a problem where the DNS proxy could lock up and become unresponsive for some time
  • Intrusion Prevention System
    • A bug has been fixed where the IPS would not start when the RED interface is a 5G/4G modem using QMI
    • The verbose built-in Suricata rules are no longer enabled by default, which creates less noise in the logs
  • This release comes with a fresh kernel based on Linux 6.6.47 which is a release that includes many bug, stability and security fixes
  • A bug was fixed that prevented an interface from starting when it is only used for a VLAN and not as a native interface (#12676)
  • Backups are no longer created with a colon (:) in the filename, which seems to confuse Windows computers (#13734)
  • Updated packages: Apache 2.4.62, bash 5.2.32, btrfs-progs 6.9.2, c-ares 1.32.1, coreutils 9.5, cURL 8.9.1, cyrus-sasl 2.1.28, e2fsprogs 1.47.1, exfatprogs 1.2.5, findutils 4.10.0, fmt 11.0.2, gettext 0.22.5, hwdata, iana-etc 20240701, intel-microcode 20240813, iproute2 6.10.0, knot 3.3.8, less 661, libarchive 3.7.4, libassuan 3.0.1, libcap 2.70, libcap-ng 0.8.5, libgcrypt 1.11.0, libgpg-error 1.50, libinih 58, libjpeg 3.0.3, libnet 1.3, libnl-3 3.10.0, libqmi 1.34.0, libsodium 1.0.20, libtiff 4.6.0, libtirpc 1.3.5, libusb 1.0.27, libuv 1.48.0, libxml2 2.13.3, libxslt 1.1.42, linux-atm 2.5.2, lz4 1.10.0, man-pages 6.9.1, nasm 2.16.03, ncurses 6.5, OpenSSL 3.3.0, pcre2 10.44, poppler 24.08.0, readline 8.2.13, rrdtool 1.9.0, shadow 4.16.0, sqlite 3.46.1, unbound 1.21.0, util-linux 2.40.2
  • The web UI has received a large number of patches, most of which have been backported from other development branches. They clean up code, remove unused functions and bring in new ones to keep our framework tidy and extensible. There are now new widgets for service status, a refactored connections list, and many more smaller improvements.

Add-Ons

  • Updated packages: bird 2.15.1, bwm-ng 0.6.3, CUPS 2.4.10, ddrescue 1.28, epson-inkjet-printer-escpr 1.8.5, fetchmail 6.4.39, fping 5.2, Freeradius 3.2.5, FRR 10.1, Ghostscript 10.03.1, Git 2.46.0, haproxy 3.0.3, hostapd 2.11, hplip 3.24.4, iperf 2.2.0, keepalived 2.3.1, nagios-plugins 2.4.11, nano 8.1, ncat 7.95, ncdu 1.20, netatalk 3.2.5, netsnmpd 5.9.3, nginx 1.26.1, nmap 7.95, oci-cli 3.45.2, pmacct 1.7.9, rng-tools 6.17, samba 4.20.4, SDL2 2.30.6, strace 6.10, stunnel 5.72, tshark 4.2.6
  • The Wireless Access Point UI has received major refactoring and now supports SSIDs in UTF-8 format
