This is the official release announcement for IPFire 2.25 - Core Update 144. This contains a number of security fixes in OpenSSL, the squid web proxy, the DHCP client and more. We recommend to install it as soon as possible and reboot.
OpenSSL 1.1.1g
The OpenSSL team has issued a security advisory for the 1.1.1 release with "high" severity.
Applicants on client or service side that call SSL_check_chain() during a TLSv1.3 handshake may crash the application due to incorrect handling of the signature_algorithms_cert" TLS extension.
CVE-2020-1967 has been assigned to track this vulnerability and an immediate installation of this update is recommended.
The DHCP Client (#12354)
Some users using RED in DHCP mode might have seen various crashes of the client. This happened because of attackers sending forged DHCP replies from cloud-hosted networks across the Internet.
After the daemon crashed, the firewall would lose Internet connectivity until it is manually restarted.
Providers normally filter forged DHCP traffic, but some do not seem to do this correctly. We are in touch with them and try to find a solution.
The Squid Web Proxy
The web proxy is vulnerable to cross-site scripting attacks, cache poisoning and access control bypass when processing HTTP request messages.
These problems are known as SQUID-2020:4, SQUID-2019:12, SQUID-2019:4, CVE-2020-11945, CVE-2019-12519, CVE-2019-12521, CVE-2019-12520, CVE-2019-12524 and #12386.
Misc.
- Updated packages:
apache2.4.43,bind9.11.18,dhcpcd9.0.2,squid4.11 - The build system has changed the Go compiler from GCCGO to Golang which seems to be introducing fewer bugs into compiled programs