https://blog.ipfire.org/post/ipfire-2-23-core-update-133-has-been-released
It is time for the next Core Update. Number 133! Another bug-fix release with many changes under the hood. As always, we recommend to install this update as soon as possible to benefit from the fixes and to help us keeping those coming and to support our developers, please donate now!
Toolchain Updates
This update brings many updates on the core libraries of the system. Various changes to our build systemare also helping us to build a more modern distribution, faster. The toolchain is now based on GCC 8.3.0, binutils 2.32 and glibc 2.29 which bring various bugfixes, performance improvements and some new features.
Although these might not be the most exciting changes, we recommend upgrading as soon as possible since this is essential hardening for backbone components of the user-space.
Disabling SMT - Intel's Security Issues
Disabling SMT has also been fine-tuned. It is now also being disabled on systems that are vulnerable to "Foreshadow". Probably all processors that are vulnerable to MDS are vulnerable to Foreshadow, too, so this won't affect many systems, but it is more correct to do so.
Increasing throughput of the new Intrusion Prevention System
As announced before, we were working on increasing the throughput of the IPS. This is being shipped now with this update and integrates a library from Intel which is optimised to perform pattern matching very fast on huge data sets. Its name is hyperscan.
This library comes in multiple versions which are all shipped at the same time and is being compiled with support for various CPU instructions which are enabled when the hardware supports them. Those are for example AVX2, AVX and of course all of the SSE series.
By utilising those optimised instructions, the processor can process more data by executing only one instruction which is a lot faster. We are soon going to release benchmarks, but first tests have shown that larger systems are benefitting hugely from this and even some smaller embedded processors gain slightly.
This feature is automatically configured and will always be enabled when supported.
Another change on the IPS is coming from Tim Fitzgeorge who investigated that the IPS was occasionally dropping some packets which it was not meant to without logging. The rule generation was patched accordingly so that won't happen any more and rules will automatically updated when installing this Core Update.
Misc. • A long-standing bug in adding fixed DHCP leases has been fixed. Those are now saved right away on the first click, but it is possible to edit the entry. • An incorrect list of cipher suites was generated for IPsec connections when PFS was disabled. This updates fixes that and updates all connections with the correct settings. • ddns: Some new provides have been added • Package updates: bind 9.11.7, jansson 2.12, knot 2.8.2, linux-pam 1.3.1, monit 5.25.3, openssl1.1.1.c, rrdtool 1.7.2, squid 4.7, strongswan 5.8.0, wpa_supplicant 2.8
Add-ons
New Packages • tshark A CLI version of Wireshark which is like tcpdump, but has better support for decoding captured packets.
Updated Packages • hostapd has been updated to version 2.8 which fixes various security vulnerabilities and other bugs • tor: some bugs that didn't allow the service to start after the last update have been fixed • wio: A problem which caused the IPFire system to unexpectedly shut down has been solved • miau, an IRC bouncer, which was unmaintained since 2010 has been dropped