
IPFire 2.29 Core Update 189 brings a security fix, a new throughput graph for the IPS, and a large number of package updates. It is one of the largest releases to date, as it ships many new and updated firmware files for a wide range of hardware.

The security fix addresses the risk that a crash of the IPS process leaves services running on the firewall exposed to the Internet. Handling of the IPS has been improved in several ways: a watcher process restarts the IPS after an unexpected crash, whitelisted traffic is skipped directly in the iptables ruleset instead of being passed to the IPS, and IPsec traffic can now be filtered. The IPS page now shows throughput in three categories: scanned bandwidth, whitelisted traffic, and bypassed traffic. The Linux firmware has been updated to version 20240811, which pushes the download size of the update slightly over 100 MiB.

IPFire 2.29 - Core Update 189 released

Get ready for a new release of IPFire: Version 2.29 - Core Update 189. It comes with a security fix and a new graph for the IPS as well as a large number of package updates. It is one of the largest updates that we have ever shipped, because it brings a large number of new and updated firmware files for a lot of hardware.

Before we talk about the changes in detail, we would like to ask for your support by sending us a donation. Without them, it is not possible for us to bring you these updates and keep IPFire the modern, versatile and secure distribution it is today. We are currently looking to fund development of a WireGuard implementation for IPFire.

Intrusion Prevention System (IPS)

In case the IPS process crashes, it might open the firewall and expose services that are running on the firewall to the Internet. We did not observe any attackers intentionally crashing Suricata in the real world, but on systems with low memory, the process could be killed to make memory available (#13764). This is considered a security risk and therefore we recommend installing this update as soon as possible - especially for users of the IPS.

To mitigate this problem, we have made various improvements to the handling of the IPS under the hood. There is now a watcher process active whenever the IPS is running, which restarts it in case the IPS crashes unexpectedly. Whitelisted traffic is no longer sent to the IPS only to be excluded there; it is skipped immediately in the iptables ruleset (#13691). It is now possible to filter IPsec traffic, which was excluded before (unless it was entering or exiting through one of the other scanned interfaces).
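The two mechanisms described above, a watcher that restarts the IPS after an unexpected exit and a ruleset that skips whitelisted traffic before it is queued to the IPS, can be sketched in a few lines of POSIX shell. The following is an added example and not IPFire's own code: the function names, the `IPS` chain name, the queue number and the `IPS_RESTART_DELAY` variable are assumptions made for illustration, and the "crashing" command used in the usage note is constructed.

```sh
#!/bin/sh
# Added example, not IPFire's own code: a minimal watcher loop that restarts an
# IPS process after an unexpected exit, and a generator for an iptables chain
# in which whitelisted sources are skipped before packets reach the IPS queue.
# Function names, the IPS chain name, the queue number and IPS_RESTART_DELAY
# are assumptions made for this illustration.

# ips_watchdog CMD [MAX_RESTARTS]
# Runs CMD through "sh -c" (in production this would be the IPS started in
# foreground mode). A non-zero exit is treated as a crash and CMD is started
# again, at most MAX_RESTARTS times (default 5). Prints the number of restarts
# performed; returns 0 if CMD eventually exited cleanly, 1 if the budget ran out.
ips_watchdog() {
    cmd=$1
    max_restarts=${2:-5}
    restarts=0
    while :; do
        status=0
        sh -c "$cmd" || status=$?
        if [ "$status" -eq 0 ]; then
            echo "$restarts"
            return 0
        fi
        if [ "$restarts" -ge "$max_restarts" ]; then
            echo "ips watchdog: giving up after $restarts restarts (last exit status $status)" >&2
            echo "$restarts"
            return 1
        fi
        restarts=$((restarts + 1))
        echo "ips watchdog: process exited with status $status, restarting (#$restarts)" >&2
        sleep "${IPS_RESTART_DELAY:-1}"
    done
}

# ips_chain_rules "NET1 NET2 ..." [bypass]
# Emits the rules of an IPS chain in iptables-save syntax. Whitelisted source
# networks hit a RETURN rule first, so they are never queued to the IPS and
# cost no IPS bandwidth; only the remaining traffic reaches the NFQUEUE rule.
# Passing "bypass" adds --queue-bypass: while no process is attached to the
# queue, queued packets are then accepted instead of dropped. That fail-open
# window is exactly what a watchdog keeps short.
ips_chain_rules() {
    for net in $1; do
        echo "-A IPS -s $net -j RETURN"
    done
    if [ "${2:-}" = "bypass" ]; then
        echo "-A IPS -j NFQUEUE --queue-num ${IPS_QUEUE:-0} --queue-bypass"
    else
        echo "-A IPS -j NFQUEUE --queue-num ${IPS_QUEUE:-0}"
    fi
}
```

To try the watchdog without an IPS, source the file and hand it a constructed command that fails a couple of times before succeeding, for example `IPS_RESTART_DELAY=0 ips_watchdog 'exit 1' 2`, which prints `2` and returns 1 once the restart budget is used up; `ips_chain_rules "10.0.0.0/8" bypass` prints the two rules in the order that matters, the whitelist RETURN before the NFQUEUE rule.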

There is also a new graph on the IPS page which shows the IPS throughput in three categories: the scanned bandwidth in incoming and outgoing direction, any whitelisted traffic, and bypassed traffic.

Misc.

  • Linux Firmware has been updated to version 20240811 which brings updates for various firmware of wireless and Ethernet interfaces, RAID controllers and other sorts of hardware. It pushes the download size of this update slightly over 100 MiB.
  • Fixed a bug that caused live graphs to stop updating themselves.
  • Updated packages: automake 1.17, bind 9.20.1, cURL 8.10.0, dhcpcd 10.0.10, dtc 1.7.1, expat 2.6.3, gdbm 1.24, GCC 14.2.0, GnuTLS 3.8.7, glibc 2.40, iana-etc 20240813, lua 5.4.7, mcelog 200, meson 1.5.1, OpenSSL 3.3.2, OpenVPN 2.5.10, p11-kit 0.25.5, python3-msgpack 1.0.8, ruby 3.3.4, sudo 1.9.16, sysvinit 3.10, taglib 2.0.2, xfsprogs 6.9.0
  • New packages: autoconf-archive, libxxhash 1.4.0

Add-Ons

  • Updated packages: borgbackup 1.4.0, clamav 1.3.2, ffmpeg 7.0.2, iotop 1.26, libvirt 10.7.0, mc 4.8.32, observium-agent 24.4, qemu + qemu-ga 9.0.2, shairport-sync 4.3.4, tshark 4.2.7, zabbix_agentd 6.0.33 (LTS)

www.ipfire.org - IPFire 2.29 - Core Update 189 released