https://blog.ipfire.org/post/ipfire-2-23-core-update-133-has-been-released
It is time for the next Core Update: number 133! Another bug-fix release with many changes under the hood. As always, we recommend installing this update as soon as possible to benefit from the fixes. To help us keep those coming and to support our developers, please donate now!
Toolchain Updates
This update brings many updates to the core libraries of the system. Various changes to our build system are also helping us to build a more modern distribution, faster. The toolchain is now based on GCC 8.3.0, binutils 2.32 and glibc 2.29, which bring various bug fixes, performance improvements and some new features.
Although these might not be the most exciting changes, we recommend upgrading as soon as possible since this is essential hardening for backbone components of the user-space.
Disabling SMT - Intel's Security Issues
Disabling SMT has also been fine-tuned: it is now also disabled on systems that are vulnerable to "Foreshadow". Probably all processors that are vulnerable to MDS are vulnerable to Foreshadow too, so this won't affect many systems, but it is more correct to do so.
Increasing throughput of the new Intrusion Prevention System
As announced before, we have been working on increasing the throughput of the IPS. This work is shipped with this update and integrates a library from Intel, called hyperscan, which is optimised to perform pattern matching very fast on huge data sets.
This library is shipped in multiple builds at the same time, each compiled with support for a different set of CPU instruction-set extensions, and the build whose extensions the hardware supports is the one used. Those are for example AVX2, AVX and of course all of the SSE series.
By utilising those optimised (SIMD) instructions, the processor can process more data with a single instruction, which is a lot faster. We are soon going to release benchmarks, but first tests have shown that larger systems benefit hugely from this and even some smaller embedded processors gain slightly.
This feature is automatically configured and will always be enabled when supported.
Another change to the IPS comes from Tim Fitzgeorge, who found that the IPS was occasionally dropping packets it was not meant to drop, without logging them. The rule generation was patched accordingly so that this won't happen any more, and the rules will automatically be updated when installing this Core Update.
Misc.
• A long-standing bug in adding fixed DHCP leases has been fixed. Those are now saved right away on the first click, and it is still possible to edit the entry afterwards.
• An incorrect list of cipher suites was generated for IPsec connections when PFS was disabled. This update fixes that and updates all connections with the correct settings.
• ddns: Some new providers have been added
• Package updates: bind 9.11.7, jansson 2.12, knot 2.8.2, linux-pam 1.3.1, monit 5.25.3, openssl 1.1.1c, rrdtool 1.7.2, squid 4.7, strongswan 5.8.0, wpa_supplicant 2.8
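The PFS setting maps directly onto strongSwan's proposal syntax: a DH group appended to the esp= proposal enables PFS, and leaving the group out disables it. As an added illustration (not IPFire's own cipher-suite generator), the Python builder below produces the esp= value from a chosen set of algorithms and refuses inconsistent selections; the algorithm names are strongSwan keywords and the conn section is a constructed minimal sample.

```python
# Added example, not IPFire's own code: build strongSwan ESP proposal strings.
# In strongSwan's proposal syntax, PFS is enabled by appending a DH group to
# the esp= proposal and disabled by leaving the group out. Names are
# strongSwan algorithm keywords.

# AEAD ciphers carry their own integrity, so they are kept in a proposal
# separate from the classic cipher + integrity combinations.
AEAD = {"aes128gcm16", "aes256gcm16", "chacha20poly1305"}

def esp_proposal(ciphers, integrity, dh_groups, pfs):
    """Return the value of ipsec.conf's esp= line (strict, hence the trailing '!')."""
    if not ciphers:
        raise ValueError("at least one cipher is required")
    if pfs and not dh_groups:
        raise ValueError("PFS enabled but no DH group selected")
    groups = list(dh_groups) if pfs else []   # no group in the proposal => no PFS
    aead = [c for c in ciphers if c in AEAD]
    classic = [c for c in ciphers if c not in AEAD]
    if classic and not integrity:
        raise ValueError("classic ciphers need an integrity algorithm")
    proposals = []
    if aead:
        proposals.append("-".join(aead + groups))
    if classic:
        proposals.append("-".join(classic + list(integrity) + groups))
    return ",".join(proposals) + "!"

def render_conn(name, ciphers, integrity, dh_groups, pfs):
    """A minimal (constructed) ipsec.conf conn section using the generated proposal."""
    return "\n".join([
        f"conn {name}",
        "    keyexchange=ikev2",
        f"    esp={esp_proposal(ciphers, integrity, dh_groups, pfs)}",
    ])

if __name__ == "__main__":
    print(render_conn("site-a", ["aes256gcm16", "aes256"], ["sha256"], ["modp2048"], pfs=True))
    print(render_conn("site-b", ["aes256"], ["sha256"], ["modp2048"], pfs=False))
```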
Add-ons
New Packages
• tshark: a CLI version of Wireshark which is like tcpdump, but has better support for decoding captured packets.
Updated Packages
• hostapd has been updated to version 2.8 which fixes various security vulnerabilities and other bugs
• tor: some bugs that didn't allow the service to start after the last update have been fixed
• wio: A problem which caused the IPFire system to unexpectedly shut down has been solved
• miau, an IRC bouncer which has been unmaintained since 2010, has been dropped
https://blog.ipfire.org/post/ipfire-2-23-core-update-132-released
The next version of IPFire is ready: IPFire 2.23 - Core Update 132. This update contains various security fixes and improvements to secure systems that are vulnerable to recently-published problems in Intel processors.
Intel Vulnerabilities: RIDL, Fallout & ZombieLoad
Two new types of vulnerabilities [1] have been found in Intel processors. They cannot be fixed unless the hardware is changed, but can be somewhat mitigated through changes in the Linux kernel (4.14.120) and updated microcode (version 20190514). Both are shipped in this release.
Additionally, to mitigate this bug which cannot be fixed at all, SMT is disabled by default [2] on all affected processors, which has significant performance impacts.
Please note that Intel unfortunately is no longer releasing microcode for all processors, so you might still be vulnerable.
To apply the fixes, please reboot your system.
There is a new GUI which will show you for which attacks your hardware is vulnerable and if mitigations are in place:
https://nopaste.ipfire.org/raw/gLhF11dD
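The kernel exposes the same information the new GUI shows through /sys/devices/system/cpu/vulnerabilities/ and, where the kernel provides it, /sys/devices/system/cpu/smt/control. As an added example (not IPFire's code), the Python snippet below reads those files, falls back to a constructed sample in the kernel's status format where sysfs is not available, and flags entries that are still vulnerable or whose mitigation leaves SMT exposed.

```python
# Added example (not IPFire's code): read the kernel's per-vulnerability status
# files and its SMT control switch, the interfaces a page like this builds on.
from pathlib import Path

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
SMT_CONTROL = Path("/sys/devices/system/cpu/smt/control")

def classify(status: str) -> str:
    """Map one status line (kernel format) to a coarse category."""
    s = status.strip()
    if s == "Not affected":
        return "not-affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def needs_attention(entries: dict) -> list:
    """Entries still vulnerable, or mitigated but with SMT left exposed."""
    return sorted(name for name, text in entries.items()
                  if classify(text) == "vulnerable" or "SMT vulnerable" in text)

def read_sysfs(vuln_dir: Path = VULN_DIR) -> dict:
    """{name: status} from a live system; empty where sysfs is not exposed."""
    if not vuln_dir.is_dir():
        return {}
    return {p.name: p.read_text() for p in sorted(vuln_dir.iterdir())}

def smt_state(path: Path = SMT_CONTROL) -> str:
    """'on', 'off', 'forceoff' or 'notsupported'; 'unknown' if absent."""
    try:
        return path.read_text().strip()
    except OSError:
        return "unknown"

# Constructed sample in the kernel's own format (not captured from a real host).
SAMPLE = {
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable\n",
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled\n",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling\n",
    "meltdown": "Not affected\n",
}

if __name__ == "__main__":
    live = read_sysfs() or SAMPLE
    for name, text in live.items():
        print(f"{name:12} {classify(text):13} {text.strip()}")
    print("smt:", smt_state(), "| needs attention:", needs_attention(live))
```

The "no microcode" wording in the sample mds line is what you will see on processors for which Intel ships no microcode update, the case the paragraph above warns about.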
VLAN Configuration
Florian Bührle has contributed a UI to configure VLAN interfaces for zones. This way, it can be done graphically; the system still needs to be rebooted to apply the changes.
The GUI also allows setting up a zone in bridge mode, which is helpful for advanced users who need some custom configuration.
https://nopaste.ipfire.org/raw/PmFWLMCH
Misc.
This update also contains a number of various bug fixes:
• The new IPS now starts on systems with more than 16 CPU cores
• For improved security of the web UI, the web service now prefers ciphers in GCM mode over CBC mode, because CBC seems to be weakened by new attack vectors.
• OpenVPN has received some changes to the UI and improvements of its security.
• Alexander Koch sent in some changes around the wpad.dat handling: It is now possible to define a list of exceptions to this file on the web UI and all VPN networks are included by default.
• Captive Portal: A stored cross-site scripting vulnerability has been fixed in the argument handling of the title; an uploaded logo file can now be deleted
• The same type of stored cross-site scripting attack was resolved in the static routing UI
• Log entries for Suricata now properly show up in the system log section
• Updated packages (all from Matthias Fischer): bind 9.11.6-P1, dhcpcd 7.2.2, knot 2.8.1, libedit 20190324-3.1
Add-ons
Wireless AP
The wireless AP add-on has received some new features:
• For hardware that supports it, Automatic Channel Selection can be enabled, which scans the environment and automatically selects the best channel for the wireless access point. When it is activated, 80 MHz channel bandwidth will be enabled for 802.11ac networks, doubling throughput.
• DFS is supported (on hardware that supports it, too), which is needed to use higher channels in the 5 GHz spectrum
• Management Frame Protection can optionally be enabled to encrypt management messages between the station and the access point. This prevents a rogue attacker from deauthenticating stations from the wireless LAN and other denial-of-service attacks.
Updates
• igmpproxy 0.2.1, tor 0.4.0.5, zabbix_agentd 4.2.1
• Qemu is now being hardened with libseccomp, which is a "syscall firewall". It limits what actions a virtual machine can perform and is enabled by default
Please support our project with your donation: https://www.ipfire.org/donate
[1] https://mdsattacks.com/
[2] https://blog.ipfire.org/post/security-announcement-disabling-smt-by-default…
Hello editors,
this is a pre-announcement email to all editors out there who write about
IPFire. We would like to let you know that we are planning to release the next
IPFire release, IPFire 2.23 Core Update 132, this Friday, June 7th, between
10:00 and 14:00 UTC.
We are sending you this announcement to give you some time to prepare a news
article about this new release of IPFire to help us make IPFire better-known and
of course to make our existing users aware of this exciting new update being
ready to be installed. We are very grateful for your support for our project!
The changelog can be found here:
https://blog.ipfire.org/post/ipfire-2-23-core-update-132-is-available-for-t…
This release is a security update that comes with a new Linux kernel and
will automatically disable SMT (aka Intel Hyper-Threading) by default on
vulnerable systems:
https://blog.ipfire.org/post/security-announcement-disabling-smt-by-default…
In this release, we also introduced some new features for the Wireless
Access Point add-on as well as fixing a variety of other bugs.
Please get in touch if you have any further questions.
We will send you the final announcement when the update is officially released.
Thank you very much for supporting our project!
Best regards,
-Michael