From: The IPFire Project
To: ipfire-announce@lists.ipfire.org
Subject: IPFire 2.25 - Core Update 144 released
Date: Fri, 24 Apr 2020 16:31:27 +0100

https://blog.ipfire.org/post/ipfire-2-25-core-update-144-released

This is the official release announcement for IPFire 2.25 - Core Update 144. This update contains a number of security fixes in OpenSSL, the Squid web proxy, the DHCP client and more. We recommend installing it as soon as possible and rebooting.

OpenSSL 1.1.1g

The OpenSSL team has issued a security advisory for the 1.1.1 release with "high" severity.

Applications on the client or server side that call SSL_check_chain() during a TLSv1.3 handshake may crash due to incorrect handling of the "signature_algorithms_cert" TLS extension.

CVE-2020-1967 has been assigned to track this vulnerability and an immediate installation of this update is recommended.

The DHCP Client (#12354)

Some users using RED in DHCP mode might have seen various crashes of the client. This happened because of attackers sending forged DHCP replies from cloud-hosted networks across the Internet.

After the daemon crashed, the firewall would lose Internet connectivity until it was manually restarted.

Providers normally filter forged DHCP traffic, but some do not seem to do this correctly. We are in touch with them and are trying to find a solution.

The Squid Web Proxy

The web proxy is vulnerable to cross-site scripting attacks, cache poisoning and access control bypass when processing HTTP request messages.

These problems are known as SQUID-2020:4, SQUID-2019:12, SQUID-2019:4, CVE-2020-11945, CVE-2019-12519, CVE-2019-12521, CVE-2019-12520, CVE-2019-12524 and #12386.

Misc.

* Updated packages: apache 2.4.43, bind 9.11.18, dhcpcd 9.0.2, squid 4.11
* The build system has changed the Go compiler from GCCGO to Golang, which seems to be introducing fewer bugs into compiled programs