From: Michael Tremer
To: development@lists.ipfire.org
Subject: IPFire 2.23 - Core Update 132 released
Date: Fri, 07 Jun 2019 11:36:50 +0100
Message-ID: <22D23F90-C7A8-4F74-9516-CB675A1ED14D@ipfire.org>

https://blog.ipfire.org/post/ipfire-2-23-core-update-132-released

The next version of IPFire is ready: IPFire 2.23 - Core Update 132. This update contains various security fixes and improvements to secure systems that are vulnerable to recently published problems in Intel processors.

Intel Vulnerabilities: RIDL, Fallout & ZombieLoad

Two new types of vulnerabilities [1] have been found in Intel processors. They cannot be fixed unless the hardware is changed, but they can be somewhat mitigated through some changes in the Linux kernel (4.14.120) and a microcode update (version 20190514). Both are shipped in this release.

Additionally, to mitigate this bug, which cannot be fixed at all, SMT is disabled by default [2] on all affected processors, which has significant performance impacts.

Please note that Intel unfortunately is not releasing microcode for all processors any more, so you might still be vulnerable.

To apply the fixes, please reboot your system.

There is a new GUI which will show you which attacks your hardware is vulnerable to and whether mitigations are in place: https://nopaste.ipfire.org/raw/gLhF11dD

VLAN Configuration

Florian Bührle has contributed a UI to configure VLAN interfaces for zones. This way, it can be done graphically, and the system needs to be rebooted to apply the changes.

The GUI also allows setting up a zone in bridge mode, which is helpful for advanced users who need some custom configuration.

https://nopaste.ipfire.org/raw/PmFWLMCH

Misc.

This update also contains a number of bug fixes:

• The new IPS now starts on systems with more than 16 CPU cores
• For improved security of the web UI, the web service now prefers ciphers in GCM mode over CBC. This is because CBC seems to be weakened by new attack vectors.
• OpenVPN has received some changes to the UI and improvements to its security.
• Alexander Koch sent in some changes around the wpad.dat handling: it is now possible to define a list of exceptions to this file on the web UI, and all VPN networks are included by default.
• Captive Portal: A stored cross-site scripting vulnerability has been fixed in the argument handling of the title; an uploaded logo file can now be deleted
• The same type of stored cross-site scripting attack was resolved in the static routing UI
• Log entries for Suricata now properly show up in the system log section
• Updated packages (all from Matthias Fischer): bind 9.11.6-P1, dhcpcd 7.2.2, knot 2.8.1, libedit 20190324-3.1

Add-ons

Wireless AP

The wireless AP add-on has received some new features:

• For hardware that supports it, Automatic Channel Selection can be enabled, which scans the environment and automatically selects the best channel for the wireless access point. When it is activated, 80 MHz channel bandwidth will be enabled for 802.11ac networks, doubling throughput.
• DFS is supported (on hardware that supports it, too), which is needed to use higher channels in the 5 GHz spectrum
• Management Frame Protection can optionally be enabled to encrypt messages between the station and the access point. This prevents a rogue attacker from deauthenticating stations from the wireless LAN and other denial-of-service attacks.

Updates

• igmpproxy 0.2.1, tor 0.4.0.5, zabbix_agentd 4.2.1
• Qemu is now being hardened with libseccomp, which is a "syscall firewall". It limits what actions a virtual machine can perform and is enabled by default

Please support our project with your donation: https://www.ipfire.org/donate

[1] https://mdsattacks.com/
[2] https://blog.ipfire.org/post/security-announcement-disabling-smt-by-default-on-affected-intel-processors
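The MDS status shown in the new GUI comes from the kernel's sysfs reporting; the script below is an added example (not part of the announcement or of IPFire's own code) that reads those same files to decide whether the kernel mitigation, the microcode and the SMT setting together leave a system covered. It assumes a Linux kernel that exposes /sys/devices/system/cpu/vulnerabilities/mds and /sys/devices/system/cpu/smt/control; the directory argument only exists so it can be run against a constructed copy.

```shell
#!/bin/sh
# Added example: report the MDS (RIDL/Fallout/ZombieLoad) mitigation state
# from the kernel's sysfs interface, as a status page would.
#   <cpu_dir>/vulnerabilities/mds  -- e.g. "Mitigation: Clear CPU buffers; SMT disabled"
#   <cpu_dir>/smt/control          -- "on", "off", "forceoff", "notsupported", ...
# cpu_dir defaults to /sys/devices/system/cpu.

# Usage: mds_status [CPU_SYSFS_DIR]
# Returns 0 only when the kernel mitigation is active AND SMT is off or
# unavailable; 1 otherwise.
mds_status() {
    cpu_dir="${1:-/sys/devices/system/cpu}"
    mds_file="$cpu_dir/vulnerabilities/mds"
    smt_file="$cpu_dir/smt/control"
    rc=0

    if [ ! -r "$mds_file" ]; then
        echo "mds: unknown (kernel does not report MDS status)"
        return 1
    fi
    mds=$(cat "$mds_file")
    echo "mds: $mds"
    case "$mds" in
        "Not affected") return 0 ;;      # nothing further to check
        Mitigation:*) ;;                 # kernel fix with microcode in place
        *) rc=1 ;;                       # "Vulnerable: ... no microcode; ..." --
                                         # the case where Intel ships no update
    esac

    smt=$(cat "$smt_file" 2>/dev/null || echo "unknown")
    echo "smt: $smt"
    case "$smt" in
        off|forceoff|notsupported|notimplemented) ;;
        *) rc=1 ;;                       # sibling thread can still leak data
    esac

    # The mds line also records how the kernel judges the SMT state.
    case "$mds" in
        *"SMT vulnerable"*|*"SMT Host state unknown"*) rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "result: mitigated" || echo "result: NOT fully mitigated"
    return "$rc"
}

case "${1:-}" in
    --check) mds_status "$2" ;;          # e.g.: sh mds_status.sh --check
esac
```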