This is the release announcement for IPFire 2.21 – Core Update 123 – a house-keeping release with a large number of fixes and some fixes for security vulnerabilities.
Thanks for the people who contributed to this Core Update by submitting their patches and please help us to support everyone’s work with your donation!
This release ships a large number of microcode updates for various processors (
intel-microcode 20180807). Most notable, vulnerabilities in Intel processors might have been fixed or mitigations applied. Microcodes are now also being loaded into the processor earlier to avoid any attacks on the system at boot time.
This update also comes with a large number of smaller changes that improve security and fix bugs:
- OpenSSL has been updated to versions 1.1.0i and for legacy applications version 1.0.2p (CVE-2018-0732 and CVE-2018-0737)
- IPsec now supports ChaCha20/Poly1305 for encryption
- It also allows to configure a connection to passively wait until a peer initiates it. This is helpful in some environments where one peer is behind NAT.
- Creating Diffie-Hellman keys with length of 1024 bits is no longer possible because they are considered insecure and not being supported by OpenVPN any more
- There is better warnings about this and other cryptographic issues on the web user interface
- Intrusion Detection
- Links in the log files have been fixed to open the correct page with details about a certain attack
- Downloads of rulesets properly validate any TLS certificates
/procfilesystem has been hardened so that no kernel pointers are being exposed any more
nss-myhostnameis now being used to dynamically determine the hostname of the IPFire system. Before /etc/hosts was changed which is no longer required.
- collectd: The cpufreq plugin has been fixed
- Generating a backup ISO file has been fixed
- Updated packages:
- Support for
owncloudhas been removed from
avahihas been brought back in version 0.7 as it is required as a dependency by
cupswhich has been fixed to automatically find any printers on the local network automatically
asteriskis now compiled with any optimisation for the build system which was accidentally enabled by the asterisk build system