The next Core Update - one of the biggest in size we have ever put together - is available for testing. It introduces the support of two-factor authentication (2FA) for OpenVPN clients, updates several core parts of the system, provides mitigations for another two types of CPU side-channel attacks, as well as package updates, bug fixes and other security improvements.
OpenVPN Two-Factor Authentication
For OpenVPN clients, the setup of two-factor authentication based on time-based one-time password (TOTP) is now supported. It can be enforced on a per-client basis, preserving the flexibility of mixing end-user devices with machine clients, where no manual interaction is feasible during OpenVPN connection establishment.
Updated Kernel, Updated
linux-firmware, Updated Toolchain - All in one go
This Core Update updates the Linux kernel to 5.15.49, thus providing our users with the usual bunch of bug fixes, plugged security vulnerabilities, and hardware support improvements. Particularly noteworthy are mitigations against another CPU side-channel attack, MMIO Stale Data, which can led to the exposure of sensitive memory data. Further upstream documentation can be obtained here; IPFire systems not serving as a hypervisor for VMs (which we recommend against for production due to security reasons anyway) are most likely unaffected. The precise status of all known CPU vulnerabilities is displayed in the web interface.
The following kernel hardening improvements have been made in addition:
x86_64systems, kernel mitigations for straight-line speculation, another CPU side-channel vulnerability, have been enabled.
- Support for RPC
dprintkdebugging has been removed to cut potential attack surface.
- The YAMA Linux security module is now enabled to provide further control on
ptraceoperations, for which there is no legitimate use-case on an IPFire machine.
linux-firmware, the conglomerate of proprietary third party firmware, has been updated. That improves the hardware support, particularly for newer devices and components, and fixes bugs as well as security vulnerabilities in these binary blobs.
GCC, the GNU Compiler Collection, has been updated to 11.3.0, bringing fixes to bugs and regressions (some of them serious ones) from upstream to our users.
- For applications running on IPFire itself, the availability of Extension Mechanisms for DNS (EDNS0), as specified in RFC 2671, is now properly announced. This has already been the case for DNS clients querying the resolver of an IPFire installation.
- Mount options of
/boothave been hardened on flash images. Existing installations remain unchanged for the time being, but we plan to apply this change to them as well soon.
- IPFire's NTP daemon will now use itself as a preferred time source, rather than any hardware RTC. As the latter can be quite unreliably, particularly if CMOS battery power is low, this will result in more accurate time synchronization.
- A bug in
misc-progs, the safety net between the web interface and the operating system, has been fixed, which sometimes led to the swallowing of a commands' first argument.
- The Hardware Detection Tool (HDT) has been dropped from the CDROM menu, as it does not run on EFI and better tools are nowadays available for hardware detection.
- Plain OpenVPN PKCS12 files are now properly downloadable again (#12883).
- A missing dependency for BorgBackup has been added, making this add-on usable again (#12884).
- Spaces are now allowed again in OpenVPN static IP pool names (#12865).
- On IPFire instances running in various clouds, user-data scripts are now executed at the end of initialization, ensuring that such systems are fully initialized before conducting user-defined actions.
- The download URL for Talos IPS rulesets has been updated.
- Updated packages: Apache 2.4.54,
lzip1.23, OpenSSL 1.1.1p,
sqlite3380500, Squid 5.6,
- Updated add-ons:
lynis3.0.8, Postfix 3.7.2,
tmux3.3, Tor 0.4.7.8
As always, we thank all people contributing to this release in whatever shape and form. Please test this update, especially if you are using exotic hardware, uncommon network setups, or add-ons, and provide feedback. IPFire is backed by volunteers - should you like what we are doing, please donate to keep the lights on.