From: The IPFire Project
To: ipfire-announce@lists.ipfire.org
Subject: IPFire 2.21 - Core Update 127 released
Date: Wed, 06 Feb 2019 12:25:37 +0000

https://blog.ipfire.org/post/ipfire-2-21-core-update-127-released

The first update of the year is packed with new features, many performance improvements and some security fixes. This is quite a long change log, but please read through it. It is worth it!

To support our project and keep us bringing these updates to you, please donate [1]!

Squid 4.5 - Making the web proxy faster and more secure

We have finally updated to squid 4.5, the latest version of the web proxy working inside IPFire. It has various improvements in speed because major parts have been rewritten in C++.

We have also changed some things in the user interface to make configuration easier and to avoid configuration mistakes.

One of the major changes is that we have removed the control that allowed configuring the number of child processes for each redirector (e.g. URL filter, Update Accelerator, etc.). This is now statically set to the number of processors. That way we only use as many processes as the system has memory for, but can still use the maximum CPU power by saturating all cores at the same time. This makes the URL filter and other redirectors faster and more efficient in their resource consumption. They are now also launched when the web proxy starts, so there is no longer a wait when the first request is handled or when the proxy comes under higher load.
We expect these improvements to make proxies that serve hundreds or even thousands of users at the same time faster by being more efficient.

We have dropped some features that no longer make sense in 2019: the web browser check and download throttling by file extension. Since the web is migrating more and more towards HTTPS, these neither work for all of the traffic, nor are they reliable or commonly used.

We have also removed authentication against Microsoft Windows NT 4.0 domains. The authentication protocols used back then have been unsafe for years and nobody should be using them any more. Please consider this when updating to this release.

We have also mitigated a security issue in the proxy authentication against Microsoft Windows Active Directory domains. Due to squid's default configuration, an authenticated user was remembered by their IP address for up to one second. That means that once a browser had authenticated, any other software coming from the same system was, for that one second, allowed to send requests to the web proxy as if it were properly authenticated. This could have been exploited by malware, or by other software running inside a virtual machine or similar setup behind the same address, to get access to the internet without valid credentials. This is now resolved and (re-)authorisation is always required.

New installations will now be recommended to set up a proxy with slightly more cache in memory and no cache on disk. Ultimately, this is something that should be considered for each installation individually, but it is a better default than the previous values.

Furthermore, some minor usability improvements of the web proxy configuration page have been implemented.

DNS Forwarding

The DNS forwarding feature has been extended to make it more flexible. It now accepts hostnames as well as IP addresses, so that requests can be forwarded to multiple servers found by resolving the hostname.
It is also possible to add multiple servers as a comma-separated list, so that several servers can be queried for one domain. Before, only a single IP address was supported, which rendered the domain unresolvable if that specific server became unreachable.

These changes allow, for example, redirecting requests for DNS blacklists directly to the right name servers without worrying about changes of the IP addresses at the provider. There is also load-balancing between multiple servers, and the fastest server is preferred, so DNS resolution for all domains is faster and more resilient, too.

Misc.

• Kernel modules that initialise the framebuffer are no longer loaded again. This caused crashes on various hardware with processors from VIA and was a regression introduced by compressing kernel modules in the last Core Update.
• Creating certificates for IPsec and OpenVPN threw an error before. This has now been fixed by ensuring that the internal certificate database is initialised correctly.
• We have enabled the Just-In-Time compiler for the Perl Compatible Regular Expressions (PCRE) engine. This increases the speed of the components that use it: the Intrusion Detection System may gain significantly more throughput, and the URL filter and various other components on the system become faster as well.
• fireinfo now supports authentication against any upstream web proxies.
• Installing IPFire from ISO on i586-based systems failed because of a bug in the EFI code of the installer. This has now been fixed.
• Installing IPFire on XFS filesystems is working again. Before, the installed system was not able to boot because GRUB did not support some modern file system features.
• The description of which SSH port IPFire is listening on has been fixed.
• Connection Tracking support is now enabled by default for Linux Virtual Servers, i.e. layer-4 load-balancers.
• GeoIP: Scripts have been updated to use the new format of the GeoIP database.
• Updated packages: bind 9.11.5-P1, ipvsadm 1.29, Python 2.7.15, snort 2.9.12, sqlite 3.26.0 (which fixes a couple of security vulnerabilities), squid 4.5, tar 1.31 (which fixes a couple of security vulnerabilities), unbound 1.8.3, wget 1.20.1

Add-ons

• Updated packages: clamav 0.101.1, libvirt 4.10 (which fixes some problems with stopping and resuming virtual machines), mc 4.8.22, transmission 2.94
• The haproxy package now correctly handles its backup

[1] https://www.ipfire.org/donate
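Worked example for the proxy authentication issue described in the Squid 4.5 section above. This is an added illustration, not IPFire's or squid's code: it models the "before" behaviour (a successful login remembered per source IP for one second) and the "after" behaviour (credentials checked on every request) in plain Python, so the window in which an unauthenticated process on the same host is waved through can be observed. The user, the address 10.0.0.5, the fake clock and the timings are all constructed for the example.

```python
"""Added example, not IPFire or squid code: models the one-second IP-keyed
authentication grant beside the per-request check that replaces it.
Users, addresses and timings are constructed for the illustration."""

import hmac
from typing import Dict, List, Optional, Tuple

# Constructed credential store: username -> password.
USERS: Dict[str, str] = {"alice": "correct horse battery staple"}


class FakeClock:
    """Deterministic stand-in for time.monotonic() so the scenario is repeatable."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class Request:
    """A proxy request: its source IP and the (user, password) taken from the
    Proxy-Authorization header, or None when no such header was sent."""

    def __init__(self, src_ip: str, credentials: Optional[Tuple[str, str]]) -> None:
        self.src_ip = src_ip
        self.credentials = credentials


def credentials_valid(credentials: Optional[Tuple[str, str]]) -> bool:
    """Check a (user, password) pair against the store, comparing in constant time."""
    if credentials is None:
        return False
    user, password = credentials
    expected = USERS.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


class IpCachingProxy:
    """'Before' behaviour: a successful authentication is remembered per
    source IP for `ttl` seconds, and later requests from that IP are admitted
    without their credentials being looked at."""

    def __init__(self, clock: FakeClock, ttl: float = 1.0) -> None:
        self.clock = clock
        self.ttl = ttl
        self._expiry: Dict[str, float] = {}  # src_ip -> time the grant lapses

    def handle(self, req: Request) -> int:
        now = self.clock()
        if self._expiry.get(req.src_ip, 0.0) > now:
            return 200  # admitted on the strength of someone else's login
        if credentials_valid(req.credentials):
            self._expiry[req.src_ip] = now + self.ttl
            return 200
        return 407  # Proxy Authentication Required


class PerRequestAuthProxy:
    """'After' behaviour: every request must carry valid credentials; nothing
    is keyed on the source address."""

    def __init__(self, clock: FakeClock) -> None:
        self.clock = clock  # unused; keeps the constructor shape of the other proxy

    def handle(self, req: Request) -> int:
        return 200 if credentials_valid(req.credentials) else 407


def run_scenario(proxy_cls) -> List[int]:
    """The browser authenticates at t=0; an unrelated process on the same host
    (malware, or a NATed virtual machine) sends credential-less requests at
    t=0.2 s and again at t=1.5 s. Returns the three status codes in order."""
    clock = FakeClock()
    proxy = proxy_cls(clock)
    browser = Request("10.0.0.5", ("alice", "correct horse battery staple"))
    freeloader = Request("10.0.0.5", None)

    codes = [proxy.handle(browser)]
    clock.now = 0.2
    codes.append(proxy.handle(freeloader))
    clock.now = 1.5
    codes.append(proxy.handle(freeloader))
    return codes


if __name__ == "__main__":
    print("IP-cached auth, 1 s TTL:", run_scenario(IpCachingProxy))      # [200, 200, 407]
    print("per-request auth:       ", run_scenario(PerRequestAuthProxy))  # [200, 407, 407]
```

The second status code is the whole issue: with the IP-keyed grant the credential-less request inside the window gets 200, with per-request checking it gets 407. On a real deployment the equivalent check is to authenticate once from a host and, from the same host within the same second, send a request without a Proxy-Authorization header; the proxy should answer 407.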
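Worked example for the DNS Forwarding section above: turning one forwarding rule of the kind described there (a domain, and a comma-separated list of forwarders that may be hostnames or IP addresses) into unbound forward-zone stanzas with one forward-addr per resolved address. This is an added example and not IPFire's own script; the lookup table stands in for a real resolver so it runs offline, the stanza layout is plain unbound syntax rather than necessarily what IPFire writes, and the refusal of a forwarder hostname that lies inside the zone it is meant to serve is a caveat added here, not something the announcement states.

```python
"""Added example, not IPFire code: render an unbound forward-zone from a
domain plus a comma-separated list of forwarders (hostnames or IPs).
FAKE_DNS is a constructed stand-in for the system resolver."""

import ipaddress
from typing import Dict, List

# Constructed answers for the forwarder hostnames used in this example.
FAKE_DNS: Dict[str, List[str]] = {
    "dns.blocklist-provider.example": ["192.0.2.10", "192.0.2.11", "2001:db8::10"],
}


def is_ip(value: str) -> bool:
    """True for an IPv4 or IPv6 literal, False for anything else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def resolve(server: str, lookup: Dict[str, List[str]] = FAKE_DNS) -> List[str]:
    """Addresses for one forwarder: an IP literal maps to itself, a hostname
    is looked up and may yield several addresses (v4 and v6)."""
    if is_ip(server):
        return [str(ipaddress.ip_address(server))]
    addrs = lookup.get(server.lower().rstrip("."))
    if not addrs:
        raise ValueError(f"forwarder {server!r} does not resolve")
    return addrs


def parse_servers(field: str) -> List[str]:
    """Split the comma-separated server field, dropping blanks."""
    return [s.strip() for s in field.split(",") if s.strip()]


def forward_zone(domain: str, servers: str, lookup: Dict[str, List[str]] = FAKE_DNS) -> str:
    """Render one unbound forward-zone for `domain` listing every address of
    every forwarder, de-duplicated and in the order the servers were given."""
    zone = domain.strip().rstrip(".").lower()
    if not zone:
        raise ValueError("empty domain")
    addrs: List[str] = []
    for server in parse_servers(servers):
        name = server.lower().rstrip(".")
        # Caveat (added here): a forwarder hostname inside the zone being
        # forwarded could only be resolved through that same forward, so the
        # rule cannot bootstrap itself. Refuse it instead of writing a loop.
        if not is_ip(name) and (name == zone or name.endswith("." + zone)):
            raise ValueError(f"forwarder {server!r} lies inside zone {zone!r}")
        for addr in resolve(name, lookup):
            if addr not in addrs:
                addrs.append(addr)
    if not addrs:
        raise ValueError(f"no forwarders given for {zone!r}")
    lines = ["forward-zone:", f'    name: "{zone}."']
    lines += [f"    forward-addr: {a}" for a in addrs]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(forward_zone("blocklist.example", "dns.blocklist-provider.example, 198.51.100.5"))
```

With the constructed table above the rule for blocklist.example expands to four forward-addr lines (three from the hostname, one literal), which is the point of accepting hostnames: when the provider renumbers, regenerating the stanza picks up the new addresses without touching the rule. Unbound then spreads queries over those addresses and prefers the one answering fastest, matching the load-balancing described in the announcement.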