Hello all,
after testing too little in the past months, I am hereby trying to catch up for announced Core Update 132.
Most services are running as expected: - IPsec - OpenVPN (tested with RW connections only) - DDNS - Squid (non-transparent, including upstream proxy) - Suricata (IPS mode, activated on all interfaces)
Tor suffers from missing libseccomp dependency and a permission bug (see #12088), but starts correctly after installing the library and fixing /var/lib/tor permissions manually.
I can confirm IDS rulesets download works in combination with an upstream proxy now (tested with Emerging Threats).
Suricata seems to drop some packets (as internal connections sometimes take ages to establish), but does not log anything. This requires some further investigation, and it is kind of an evident-missing blame at the moment.
Talking about the <sarcasm>all-new-and-improved Intel CPU vulnerabilities</sarcasm>, disabling SMT automatically seems to work:
[root@maverick ~]# grep . /sys/devices/system/cpu/vulnerabilities/* /sys/devices/system/cpu/vulnerabilities/l1tf:Not affected /sys/devices/system/cpu/vulnerabilities/mds:Mitigation: Clear CPU buffers; SMT disabled /sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI /sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Not affected /sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization /sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling
(CPU is an Intel Celeron N3150 4x 1.60 GHz .)
However, the new WebUI CGI is partly missing German translations, and claims "Simultaneous Multi-Threading (SMT) is not supported". The latter is confusing, as the system states the opposite.
Talking about aesthetics, the CGI is a bit messy, but that is not a functionality problem and might be fixed in an upcoming update.
Thanks, and best regards, Peter Müller