From: The IPFire Project
To: ipfire-announce@lists.ipfire.org
Subject: IPFire 2.23 - Core Update 136 released
Date: Thu, 10 Oct 2019 19:30:18 +0100

https://blog.ipfire.org/post/ipfire-2-23-core-update-136-released

This is the official release announcement for IPFire 2.23 - Core Update 136. A new update packed with loads of security fixes, bug fixes and a couple of important new features.

Please donate [1] to help our developers and keep bringing you new features. Thank you, it means a lot.

OpenSSL 1.1.1d

This update ships the latest update of the OpenSSL library which has received some important fixes [2] in its latest release:

* CVE-2019-1547: With custom elliptic curves, timing attacks were made possible again. This is of very low risk in IPFire, since we are not using any custom curves.
* CVE-2019-1549: Forked processes could have shared the same seed for their random number generator, which is fixed in this release by mixing in a high precision timer.
* CVE-2019-1563: Another padding oracle for large PKCS7 messages

All of these are classified as "low severity". However, we recommend installing this update as soon as possible.

Perl 5.30

Arne has been busy working on replacing Perl with the latest stable version. This requires that loads of applications that use Perl - like our own web user interface - have to be shipped again as well as many add-ons. Hence this update is rather large.

GeoIP

Since Maxmind is no longer publishing their GeoIP database in the original format, but unfortunately not providing any good bindings for the new release, we have only had an outdated version of the database that we made available in IPFire.

There is now a script that converts the current data into the old format which allows us to ship a recent database again.

This database is however only being used for showing the country flags on the web UI. GeoIP blocking uses a database in a different format and therefore always has recent data to only block the right things.

Misc.

* The firewall has a limit for log messages so that flooding the firewall with packets won't cause a Denial-of-Service by filling up the hard drive with gigabytes of logs and also to not starve on write operations. This limit was however very low for modern standards and has therefore been increased to 10 logged packets per second. That will ensure that we won't drop a packet without logging it.
* Updated packages: apache 2.4.41, bind 9.11.10, clamav 0.101.4, dhcpcd 8.0.3, knot 2.8.3, logrotate 3.5.1, openssh 8.0p1, patch 2.7.6, texinfo 6.6, unbound 1.9.3, usb_modeswitch 1.5.2
* logwatch and logrotate could conflict when running at the same time. This has been changed so only one of them is running at the same time.
* Log messages for DMA, the IPFire mailer, and Postfix are now shown on the web UI
* The toolchain now ships a compiler for Go

Add-ons

* Updated packages: freeradius 3.0.19, haproxy 2.0.5, postfix 3.4.6, spamassassin 3.4.2, zabbix_agent 4.2.6
* dnsdist has had its limit of open connections increased to work better in bigger environments
* tor: A permission problem has been fixed so that the web UI can save settings again
* wio: The RRD files will now be included in the backup, and various UI improvements have been made

Please reboot!

This update needs a reboot of your IPFire system.

[1] https://www.ipfire.org/donate
[2] https://www.openssl.org/news/secadv/20190910.txt
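The fork problem behind CVE-2019-1549 listed above, shown as an added example that is not part of the announcement and is not OpenSSL's code. Python's non-cryptographic random.Random stands in for the library's generator, and the seed value and function names are constructed for illustration.

```python
import os
import random
import struct
import time


def child_output(rng, mix_timer):
    """Fork once and return the first 64-bit value the child draws from rng."""
    read_fd, write_fd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: holds an exact copy of the parent's generator state
        status = 1
        try:
            os.close(read_fd)
            if mix_timer:
                # Mitigation as described in the announcement: mix a
                # high-precision timer into the inherited state before use.
                rng.seed(rng.getrandbits(64) ^ time.perf_counter_ns())
            os.write(write_fd, struct.pack("<Q", rng.getrandbits(64)))
            status = 0
        finally:
            os._exit(status)  # never fall back into the parent's code path
    os.close(write_fd)
    data = os.read(read_fd, 8)
    os.close(read_fd)
    os.waitpid(pid, 0)  # child has exited before the next fork happens
    return struct.unpack("<Q", data)[0]


def fork_twice(mix_timer, seed=0x1D1D1D):
    """Fork two children from one seeded generator; return both outputs."""
    rng = random.Random(seed)  # constructed seed, stand-in for the real state
    return child_output(rng, mix_timer), child_output(rng, mix_timer)


if __name__ == "__main__":
    a, b = fork_twice(mix_timer=False)
    print(f"inherited state only: {a:016x} {b:016x} same={a == b}")
    a, b = fork_twice(mix_timer=True)
    print(f"timer mixed in      : {a:016x} {b:016x} same={a == b}")
```

Without the timer both children emit the same value, which is what makes keys or nonces generated after a fork predictable across processes; with it their streams diverge.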