https://blog.ipfire.org/post/the-new-ipfire-community-portal
Finally, the moment is here. We are launching our new Community Portal based on Discourse!
What is New?
Together with this new IPFire Community Portal, we are launching IPFire People [1] - our new account system, which is being integrated here, in our bugtracker Bugzilla [2], in Patchwork [3] and in many other places. In order to sign up for this, you will need to head over to IPFire People and register [4] a new account. That will allow you to log in everywhere - a single sign-on solution.
A new categorisation system will organise topics better and hopefully allow us to keep conversations around a problem more contained in one place, have everyone join in to contribute their knowledge and therefore create a dynamic support community!
To be as inclusive as possible, we will make this portal English only. Having debated this for a long time, and after phasing out translations on the Wiki, we have decided that this is how we will reach the maximum number of users and leave nobody excluded.
The project has a large group of users in Germany, but we keep growing and IPFire is becoming more and more popular all around the world. English is the de-facto language in Open Source and allows everyone to take part in our community.
Why Discourse?
Our support forums have been run by some outdated, PHP-based software for a long time. Every upgrade was a struggle. They did not look nice or add any features, but were rather a flashback to the web of the early 2000s.
After looking around for a long time for some better software, we discovered Discourse, which is now widely adopted, feels more modern and engaging, and is very simple to use. We hope that our community, which is large but sometimes feels very quiet, will develop a different dynamic because of this, and I am looking forward to being in touch with you all more!
Since there is no working converter and because of the changes in how the community is working, we are not going to migrate any user accounts or posts.
Retiring the old Forum
The old forum will remain around for a little while. But since it is not being patched any more, it is becoming a security threat for our whole infrastructure.
However, it is a source of vast knowledge around the project. At the same time, it is full of outdated information and many, many spam accounts. For that reason, it will disappear from the Internet in about a year.
The plan is to migrate any information that the community would like to retain into the IPFire Wiki [5] where it should be. In order to do that, we will switch the forum into read-only mode in a couple of weeks. At that time, we will also send an invitation to all forum users to create a new account.
Any new conversation should be started here, on the new portal.
Get Started
If you do not have an account already, please register [4] one now, log in to the new IPFire Community Portal [6] and become a part of our community!
[1] https://people.ipfire.org/
[2] https://bugzilla.ipfire.org/
[3] https://patchwork.ipfire.org/
[4] https://people.ipfire.org/register
[5] https://wiki.ipfire.org/
[6] https://community.ipfire.org/
https://blog.ipfire.org/post/ipfire-2-23-core-update-136-released
This is the official release announcement for IPFire 2.23 - Core Update 136. A new update packed with loads of security fixes, bug fixes and a couple of important new features.
Please donate [1] to help our developers and keep bringing you new features. Thank you, it means a lot.
OpenSSL 1.1.1d
This update ships the latest update of the OpenSSL library which has received some important fixes [2] in its latest release:
* CVE-2019-1547: With custom elliptic curves, timing attacks were made possible again. This is of very low risk in IPFire, since we are not using any custom curves.
* CVE-2019-1549: Forked processes could have shared the same seed for their random number generator. This is fixed in this release by mixing in a high-precision timer.
* CVE-2019-1563: Another padding oracle for large PKCS7 messages.
All of these are classified as "low severity". However, we recommend installing this update as soon as possible.
Perl 5.30
Arne has been busy working on replacing Perl with the latest stable version. This requires that loads of applications that use Perl - like our own web user interface - have to be shipped again, as well as many add-ons. Hence this update is rather large.
GeoIP
Since Maxmind is no longer publishing their GeoIP database in the original format, and unfortunately does not provide any good bindings for the new format, we have only been able to make an outdated version of the database available in IPFire.
There is now a script that converts the current data into the old format which allows us to ship a recent database again.
This database is however only being used for showing the country flags on the web UI. GeoIP blocking uses a database in a different format and therefore always has recent data to only block the right things.
Misc.
* The firewall has a limit for log messages so that flooding the firewall with packets won't cause a Denial-of-Service by filling up the hard drive with gigabytes of logs, and so that the system does not starve on write operations. This limit was however very low by modern standards and has therefore been increased to 10 logged packets per second. That will ensure that we won't drop a packet without logging it.
* Updated packages: apache 2.4.41, bind 9.11.10, clamav 0.101.4, dhcpcd 8.0.3, knot 2.8.3, logrotate 3.5.1, openssh 8.0p1, patch 2.7.6, texinfo 6.6, unbound 1.9.3, usb_modeswitch 1.5.2
* logwatch and logrotate could conflict when running at the same time. This has been changed so that only one of them runs at a time.
* Log messages for DMA, the IPFire mailer, and Postfix are now shown on the web UI.
* The toolchain now ships a compiler for Go.
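As an added illustration of the log limit described above (not IPFire's own code): the block below models the token-bucket semantics of the iptables limit match, assumed here to be the mechanism behind the per-second log limit, and runs a constructed one-second flood of 1000 packets through it, with and without the limit.

```python
"""Simulate a firewall's per-second log limit on a packet flood.

Added illustration, not IPFire code: it models the semantics of the iptables
'limit' match (a sustained --limit rate plus a --limit-burst credit) that a
firewall typically places in front of its LOG target, and shows why a flood
cannot fill the disk with log lines once the limit is in place.
"""
from fractions import Fraction


class LogLimiter:
    """Token bucket: `rate` log credits per second, at most `burst` banked."""

    def __init__(self, rate, burst):
        self.rate = Fraction(rate)      # sustained rate, e.g. 10 per second
        self.burst = Fraction(burst)    # maximum banked credit (--limit-burst)
        self.tokens = self.burst        # bucket starts full, like xt_limit
        self.last_ts = None

    def allow(self, ts):
        """Return True if a packet seen at time `ts` (seconds) may be logged."""
        if self.last_ts is not None:
            refill = (ts - self.last_ts) * self.rate
            self.tokens = min(self.burst, self.tokens + refill)
        self.last_ts = ts
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def run_flood(timestamps, limiter=None):
    """Count how many packets of a flood would produce a log line.

    With no limiter every packet is logged; with one, only as many as the
    banked and refilled credits allow. Returns (logged, unlogged).
    """
    logged = 0
    for ts in timestamps:
        if limiter is None or limiter.allow(ts):
            logged += 1
    return logged, len(timestamps) - logged


def one_second_flood(packets=1000):
    """Constructed sample: `packets` packets spread evenly over one second."""
    return [Fraction(i, packets) for i in range(packets)]


if __name__ == "__main__":
    flood = one_second_flood()
    # Unlimited: every packet of the flood becomes a log line.
    print("no limit      :", run_flood(flood))                     # (1000, 0)
    # 10/s with a burst of 10: the burst plus the refill during the second.
    print("10/s, burst 10:", run_flood(flood, LogLimiter(10, 10)))  # (19, 981)
```

Exact fractions are used for the timestamps so the refill arithmetic has no floating-point drift at the credit boundaries.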
Add-ons
* Updated packages: freeradius 3.0.19, haproxy 2.0.5, postfix 3.4.6, spamassassin 3.4.2, zabbix_agent 4.2.6
* dnsdist has had its limit of open connections increased to work better in bigger environments
* tor: A permission problem has been fixed so that the web UI can save settings again
* wio: The RRD files are now included in the backup as well, and various UI improvements have been made
Please reboot!
This update needs a reboot of your IPFire system.
[1] https://www.ipfire.org/donate
[2] https://www.openssl.org/news/secadv/20190910.txt
https://blog.ipfire.org/post/ipfire-2-23-core-update-135-released
This is the official release announcement for IPFire 2.23 - Core Update 135, which is packed with a new kernel and various bug fixes. We recommend installing it as soon as possible.
Kernel Update
The IPFire Linux kernel has been rebased on 4.14.138 and various improvements have been added. Most notably, this kernel - once again - fixes CPU vulnerabilities.
Misc.
• On x86_64, the effectiveness of KASLR has been improved which prevents attackers from executing exploits or injecting code
• DNS: unbound has been improved so that it will take much less time to start up in case a DNS server is unavailable.
• Scripts that boot up IPFire have been improved, rewritten and cleaned up for a faster boot and they now handle some error cases better
• Updated packages: dhcpcd 7.2.3, nettle 3.5.1, squid 4.8, tzdata 2019b
Add-ons
Updated Packages
• bird 2.0.4
• clamav 0.101.3
• iperf 2.0.13
• iperf3 3.7
• mc 4.8.23
• pcengines-firmware 4.9.0.7
https://blog.ipfire.org/post/ipfire-2-23-core-update-134-released
This is the official release announcement for IPFire 2.23 - Core Update 134. This update ships security fixes in the Linux kernel for the "SACK Panic" attack as well as some other smaller fixes.
SACK Panic (CVE-2019-11477 & CVE-2019-11478)
The Linux kernel was vulnerable to two DoS attacks against its TCP stack. The first one made it possible for a remote attacker to panic the kernel, and the second one could trick the system into transmitting very small packets, so that a data transfer would consume the whole bandwidth while consisting mainly of packet overhead.
The IPFire kernel is now based on Linux 4.14.129, which fixes these vulnerabilities and various other bugs.
The microcode for some Intel processors has also been updated and includes fixes for some vulnerabilities of the Spectre/Meltdown class for some Intel Xeon processors.
Misc.
• Package updates: bind 9.11.8, unbound 1.9.2, vim 8.1
• The French translation has been updated by Stéphane Pautrel and translates various strings as well as improving some others
• We now prefer other cipher modes over CBC when IPFire itself opens a TLS connection. CBC is now considered to be substantially weaker than GCM.
• Email addresses entered in the web UI can now contain underscores.
• The Captive Portal now comes up properly after IPFire is being rebooted.
https://blog.ipfire.org/post/ipfire-2-23-core-update-133-has-been-released
It is time for the next Core Update. Number 133! Another bug-fix release with many changes under the hood. As always, we recommend installing this update as soon as possible to benefit from the fixes. To help us keep those coming and to support our developers, please donate now!
Toolchain Updates
This update brings many updates to the core libraries of the system. Various changes to our build system are also helping us to build a more modern distribution, faster. The toolchain is now based on GCC 8.3.0, binutils 2.32 and glibc 2.29, which bring various bug fixes, performance improvements and some new features.
Although these might not be the most exciting changes, we recommend upgrading as soon as possible since this is essential hardening for backbone components of the user-space.
Disabling SMT - Intel's Security Issues
Disabling SMT has also been fine-tuned. It is now also being disabled on systems that are vulnerable to "Foreshadow". Probably all processors that are vulnerable to MDS are vulnerable to Foreshadow, too, so this won't affect many systems, but it is more correct to do so.
Increasing throughput of the new Intrusion Prevention System
As announced before, we were working on increasing the throughput of the IPS. This is being shipped now with this update and integrates a library from Intel which is optimised to perform pattern matching very fast on huge data sets. Its name is hyperscan.
This library comes in multiple versions, which are all shipped at the same time; each is compiled with support for various CPU instruction set extensions that are enabled when the hardware supports them. Those are for example AVX2, AVX and of course all of the SSE series.
By utilising those optimised instructions, the processor can process more data with a single instruction, which is a lot faster. We are soon going to release benchmarks, but first tests have shown that larger systems benefit hugely from this and even some smaller embedded processors gain slightly.
This feature is automatically configured and will always be enabled when supported.
Another change to the IPS comes from Tim Fitzgeorge, who found that the IPS was occasionally dropping packets it was not meant to drop, without logging them. The rule generation was patched accordingly so that this won't happen any more, and rules will automatically be updated when installing this Core Update.
Misc.
• A long-standing bug in adding fixed DHCP leases has been fixed. Those are now saved right away on the first click, but it is still possible to edit the entry afterwards.
• An incorrect list of cipher suites was generated for IPsec connections when PFS was disabled. This update fixes that and updates all connections with the correct settings.
• ddns: Some new providers have been added
• Package updates: bind 9.11.7, jansson 2.12, knot 2.8.2, linux-pam 1.3.1, monit 5.25.3, openssl 1.1.1c, rrdtool 1.7.2, squid 4.7, strongswan 5.8.0, wpa_supplicant 2.8
Add-ons
New Packages
• tshark: A CLI version of Wireshark which is like tcpdump, but has better support for decoding captured packets.
Updated Packages
• hostapd has been updated to version 2.8 which fixes various security vulnerabilities and other bugs
• tor: some bugs that didn't allow the service to start after the last update have been fixed
• wio: A problem which caused the IPFire system to unexpectedly shut down has been solved
• miau, an IRC bouncer which has been unmaintained since 2010, has been dropped
https://blog.ipfire.org/post/ipfire-2-23-core-update-132-released
The next version of IPFire is ready: IPFire 2.23 - Core Update 132. This update contains various security fixes and improvements to secure systems that are vulnerable to recently-published problems in Intel processors.
Intel Vulnerabilities: RIDL, Fallout & ZombieLoad
Two new types of vulnerabilities [1] have been found in Intel processors. They cannot be fixed unless the hardware is changed, but can be somewhat mitigated through some changes in the Linux kernel (4.14.120) and an updated microcode (version 20190514). Both are shipped in this release.
Additionally, to mitigate this bug which cannot be fixed at all, SMT is disabled by default [2] on all affected processors, which has significant performance impacts.
Please note that Intel unfortunately is not releasing microcode for all processors any more, and so you might still be vulnerable.
To apply the fixes, please reboot your system.
There is a new GUI which will show you for which attacks your hardware is vulnerable and if mitigations are in place:
https://nopaste.ipfire.org/raw/gLhF11dD
VLAN Configuration
Florian Bührle has contributed a UI to configure VLAN interfaces for zones. This way, it can be done graphically; the system needs to be rebooted to apply the changes.
The GUI also allows setting up a zone in bridge mode, which is helpful for advanced users who need some custom configuration.
https://nopaste.ipfire.org/raw/PmFWLMCH
Misc.
This update also contains a number of various bug fixes:
• The new IPS now starts on systems with more than 16 CPU cores
• For improved security of the web UI, the web service now prefers ciphers in GCM mode over CBC. This is because CBC seems to be weakened by new attack vectors.
• OpenVPN has received some changes to the UI and improvements of its security.
• Alexander Koch sent in some changes around the wpad.dat handling: It is now possible to define a list of exceptions to this file on the web UI and all VPN networks are included by default.
• Captive Portal: A stored cross-site scripting vulnerability has been fixed in the argument handling of the title; an uploaded logo file can now be deleted
• The same type of stored cross-site scripting attack was resolved in the static routing UI
• Log entries for Suricata now properly show up in the system log section
• Updated packages (all from Matthias Fischer): bind 9.11.6-P1, dhcpcd 7.2.2, knot 2.8.1, libedit 20190324-3.1
Add-ons
Wireless AP
The wireless AP add-on has received some new features:
• For hardware that supports it, Automatic Channel Selection can be enabled, which scans the environment and automatically selects the best channel for the wireless access point. When it is activated, 80 MHz channel bandwidth will be enabled for 802.11ac networks doubling throughput.
• DFS is supported (on hardware that supports it, too) which is needed to use higher channels in the 5 GHz spectrum
• Management Frame Protection can optionally be enabled to encrypt messages between the station and the access point. This prevents a rogue attacker from deauthenticating stations from the wireless LAN and other denial-of-service attacks.
Updates
• igmpproxy 0.2.1, tor 0.4.0.5, zabbix_agentd 4.2.1
• Qemu is now being hardened with libseccomp which is a "syscall firewall". It limits what actions a virtual machine can perform and is enabled by default
Please support our project with your donation: https://www.ipfire.org/donate
[1] https://mdsattacks.com/
[2] https://blog.ipfire.org/post/security-announcement-disabling-smt-by-default…
Hello editors,
this is a pre-announcement email to all editors out there who write about
IPFire. We would like to let you know that we are planning to release the next
IPFire release, IPFire 2.23 Core Update 132, this Friday, June 7th, between
10:00 and 14:00 UTC.
We are sending you this announcement to give you some time to prepare a news
article about this new release of IPFire to help us make IPFire better-known and
of course to make our existing users aware of this exciting new update being
ready to be installed. We are very grateful for your support for our project!
The changelog can be found here:
https://blog.ipfire.org/post/ipfire-2-23-core-update-132-is-available-for-t…
This release is a security update that comes with a new Linux kernel and
will automatically disable SMT (aka Intel Hyper-Threading) by default on
vulnerable systems:
https://blog.ipfire.org/post/security-announcement-disabling-smt-by-default…
In this release, we also introduced some new features for the Wireless
Access Point add-on as well as fixing a variety of other bugs.
Please get in touch if you have any further questions.
We will send you the final announcement when the update is officially released.
Thank you very much for supporting our project!
Best regards,
-Michael
https://blog.ipfire.org/post/ipfire-2-23-core-update-131-released
Finally, we are releasing another big release of IPFire. In IPFire 2.23 - Core Update 131, we are rolling out our new Intrusion Prevention System. On top of that, this update also contains a number of other bug fixes and enhancements.
Thank you very much to everyone who has contributed to this release. If you want to contribute, too, and if you want to support our team to have more new features in IPFire, please donate [1] today!
A New Intrusion Prevention System
We are finally shipping our recently announced IPS [2] - making all of your networks more secure by deeply inspecting packets and trying to identify threats.
This new system has many advantages over the old one in terms of performance and security, and it is, simply put, more modern. We would like to thank the team at Suricata [3], on which it is based, for their hard work and for creating such an important tool that is now working inside of IPFire.
We have put together some documentation on how to set up the IPS [4], what rulesets are supported [5] and what hardware resources [6] you will need.
Migration from the older Intrusion Detection System
Your settings will automatically be converted if you are using the existing IDS and replicated in the new IPS. However, you will need to select the ruleset and rules that you want to use again, since those cannot be migrated. Please note that the automatic migration will enable the new IPS, but in monitoring mode only. This is so that we won't break any existing configurations. Please disable the monitoring mode if you want the IPS to filter packets, too.
If you restore an old backup, the IDS settings won't be converted.
The guardian add-on is no longer required for the IDS to work, but it still provides protection against SSH brute-force attacks and brute-force attacks against the IPFire Web UI.
OS Updates
This release rebases the IPFire kernel on 4.14.113 which brings various bug and security fixes. We have disabled some debugging functionality that we no longer need which will give all IPFire systems a small performance boost.
Updated packages: gnutls 3.6.7.1, lua 5.3.5, nettle 3.4.1, ntp 4.2.8p13, rrdtool 1.7.1, unbound 1.9.1. The wireless regulatory database has also been updated.
Misc.
• SSH Agent Forwarding: This can now be enabled on the IPFire SSH service which allows administrators to connect to the firewall and use SSH Agent authentication when using the IPFire as a bastion host and connecting onwards to an internal server.
• When multiple hosts are created to override the local DNS zone, a PTR record was automatically created for each. Sometimes hosts might have multiple names, which makes it desirable to not create a PTR record for an alias; this can now be done with an additional checkbox.
• A bug in the firewall UI has been fixed which prevented the rule configuration page from rendering when the GeoIP database had not been downloaded yet. This was an issue when a system was configured but had never connected to the internet before.
• On systems with a vast number of DHCP leases, the script that imports them into the DNS system has been optimised to make sure that they are imported faster and that at no time a half-written file is available on disk, which led unbound to crash under certain circumstances.
• Some minor UI issues on the IPsec VPN pages have been fixed: On editing existing connections, the MTU field is now filled with the default.
• We are no longer trying to search for any temperature sensors on AWS. This caused a large number of error messages in the system log.
Add-ons
• Package updates: borgbackup 1.1.9, dnsdist 1.3.3, freeradius 4.0.18, nginx 1.15.9, postfix 3.4.5, zabbix_agentd 4.2.0
• tor has received an extra firewall chain for custom rules to control outgoing traffic (TOR_OUTPUT). This allows creating rules for traffic that originates from the local tor relay. The service is also running as its own user now.
• Wireless Access Point: It is now possible to enable client isolation so that wireless clients won't be able to communicate with each other through the access point.
New Packages
• flashrom - A tool to update firmware
[1] https://www.ipfire.org/donate
[2] https://blog.ipfire.org/post/introducing-ipfire-s-new-intrusion-prevention-…
[3] https://www.suricata-ids.org/
[4] https://wiki.ipfire.org/configuration/firewall/ips/start
[5] https://wiki.ipfire.org/configuration/firewall/ips/rulesets
[6] https://wiki.ipfire.org/configuration/firewall/ips/performance-consideratio…
Hello editors,
this is a pre-announcement email to all editors out there who write about
IPFire. We would like to let you know that we are planning to release the next
IPFire release, IPFire 2.23 Core Update 131, next Thursday, May 16th, between
10:00 and 14:00 UTC.
We are sending you this announcement to give you some time to prepare a news
article about this new release of IPFire to help us make IPFire better-known and
of course to make our existing users aware of this exciting new update being
ready to be installed. We are very grateful for your support for our project!
The changelog can be found here:
https://blog.ipfire.org/post/ipfire-2-23-core-update-131-is-available-for-t…
This release is a *major* release of IPFire. The newly introduced Intrusion Prevention
System is bringing the distribution to another level because of its enhanced capabilities
compared to its predecessor snort in combination with Guardian.
The new IPS is a lot faster, more accurate and therefore more secure and we think
that many users who have not been using the old IDS will now use the new IPS.
Here is some documentation:
https://wiki.ipfire.org/configuration/firewall/ips/start
In this release, we also updated our Linux kernel for better stability, hardware
support and security. We have also updated various software of the core distribution
to keep our users safe.
We are very excited about this release.
Please get in touch if you have any further questions.
We will send you the final announcement when the update is officially released.
Thank you very much for supporting our project!
Best regards,
-Michael
https://blog.ipfire.org/post/ipfire-2-21-core-update-130-released
Just a couple of days after the release of IPFire 2.21 - Core Update 130, the next release is available. This is an emergency update with various bug fixes and a large number of security fixes.
Security
IPFire 2.21 - Core Update 130 contains security updates for the following packages:
• Apache 2.4.39: The Apache Web Server, which runs the IPFire Web User Interface, was vulnerable to various privilege escalations (CVE-2019-0211), access control bypasses (CVE-2019-0215, CVE-2019-0217), DoS attacks (CVE-2019-0197), a buffer overflow (CVE-2019-0196) and a URL normalisation inconsistency (CVE-2019-0220). They are all regarded as being of "low" severity.
• wget 1.20.3: wget has had multiple vulnerabilities that allowed an attacker to execute arbitrary code (CVE-2019-5953).
• clamav 0.101.2: ClamAV, the virus scanner, has had multiple vulnerabilities that allowed DoS and a buffer overflow in a bundled third-party library.
Although some of these vulnerabilities are only of low severity, we recommend installing this update as soon as possible!
IPsec Regression
The last update introduced a regression in the IPsec stack which meant that the firewall could no longer access any hosts on the remote side when the tunnel was run in tunnel mode without any VTI/GRE interfaces. This update fixes that.