This is the official release announcement for IPFire 2.17 – Core Update 96. This update comes with many smaller changes and security fixes.

Ramdisk usage change

IPFire uses round-robin databases to collect system data and generate beautiful graphs. The databases have usually been kept in memory. This change was made in early versions of IPFire to keep the amount of writes to the block device to a minimum. However, the number of the databases has been growing and many systems don’t have enough capacity in memory. The objective was also that ordinary flash storage is quite slow. These systems are now however less commonly used which makes this change unnecessary.

To give an example, many of the ALIX boards use very slow compact flash storage and do only have 256 or even 128 MB of memory. So neither is really an option. Systems you will purchase today usually come with fast SSD storage and a few gigabytes of memory. So both is a viable option to store these databases.

New installed IPFire systems will now only use the persistent storage to store these database files. All updates systems will stick with the old behaviour if they have about 512 MB of RAM or more. Otherwise upgraded systems will also fall back to the persistent storage.


  • openssl has been updated to version 1.0.2e which fixes various security vulnerabilities: CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196
  • The NTP service was unable to communicate with the local clock and therefore not able to provide time to the network.
  • strongswan is updated to version 5.3.5 which fixes various security issues
    • The connection list in the web user interface when IPsec subnets with multiple local or remote subnets are used.
  • The firewall engine handles SNAT rules more restrictive and avoids overmatching of packages that are sent over an IPsec network
  • Various patches to improve dnsmasq have been imported from upstream
  • curl wasn’t able to validate publicly signed SSL certificates because it could not find the certificate store. This is now fixed.
  • dma, the internal mail agent, now handles authentication against remote mail servers better due to a patch sent to the project by the IPFire developers
  • Support for cryptodev has been dropped
  • mdadm has been updated to version 3.3.4, arping has been updated to version 2.15, rrdtool has been updated to version 1.5.5, libnet 1.1.6 is now shipped with the core distribution
  • On x86-based systems, GRUB, the bootloader, has been patched against an integer overflow vulnerability filed under CVE-2015-8370 which allowed users to bypass authentication after pressing backspace for 28 times
  • Snort now also monitors alias address on red if any have been configured
  • The Turkish translation has been updated

Updated add-ons

  • nano has been updated to 2.5.0
  • Midnight Commander has been updated to 4.8.15
  • clamav has been updated to version 0.99
  • openvmtools have been updated to version 10.0.5
  • squid-accounting has received minor bug fixes
  • tripwire has been dropped

Published by Michael Tremer, January 20, 2016 at 9:00 pm