From: The IPFire Project
To: ipfire-announce@lists.ipfire.org
Subject: IPFire 2.19 - Core Update 111 released
Date: Wed, 14 Jun 2017 20:16:38 +0100

http://www.ipfire.org/news/ipfire-2-19-core-update-111-released

This is the official release announcement of IPFire 2.19 – Core Update 111. It
comes with various packages from all areas and some new features.

WPA Enterprise Authentication in Client Mode

The firewall can now authenticate itself with a wireless network that uses
Extensible Authentication Protocol (EAP, [1]). These are commonly used in
enterprises and require a username and password in order to connect to the
network.

IPFire supports PEAP and TTLS which are the two most common ones. They can be
configured on the “WiFi Client” page which only shows up when the RED
interface is a wireless device. This page also shows the status and protocols
used to establish the connection.

The index page also shows various information about the status, bandwidth and
quality of the connection to a wireless network. That also works for wireless
networks that use WPA/WPA2-PSK or WEP.

QoS Multi-Queueing

The Quality of Service is now using all CPU cores to balance traffic. Before,
only one processor core was used which caused a slower connection on systems
with weaker processors like the Intel Atom series, etc. but fast Ethernet
adapters. This has now been changed so that one processor is no longer a
bottleneck.

New crypto defaults

In many parts of IPFire cryptographic algorithms play a huge role. However, they
age.
Hence we changed the defaults on new systems and for new VPN connections to
something that is newer and considered to be more robust.

IPsec

* The latest version of strongSwan supports Curve 25519 for the IKE and ESP
  proposals which is also available in IPFire now and enabled by default.
* The default proposal for new connections now only allows the explicitly
  selected algorithms which maximises security but might have a compatibility
  impact on older peers: SHA1 is dropped, SHA2 256 or higher must be used; the
  group type must use a key with length of 2048 bit or larger
* Since some people use IPFire in association with ancient equipment, it is now
  allowed to select MODP-768 in the IKE and ESP proposals. This is considered
  broken and marked so.

OpenVPN

* OpenVPN used SHA1 for integrity by default which has now been changed to
  SHA512 for new installations. Unfortunately OpenVPN cannot negotiate this over
  the connection. So if you want to use SHA512 on an existing system, you will
  have to re-download all client connections as well.

Various markers have been added to highlight that certain algorithms (e.g. MD5
and SHA1) are considered broken or cryptographically weak.

Misc.

* IPsec VPNs will be shown as “Connecting” when they are not established, but
  the system is trying to
* A shutdown bug has been fixed that delayed the system shutting down when the
  RED interface was configured as static
* The DNSSEC status is now shown correctly on all systems
* The following packages have been updated: acpid 2.0.28, bind 9.11.1,
  coreutils 8.27, cpio 2.12, dbus 1.11.12, file 5.30, gcc 4.9.4, gdbm 1.13,
  gmp 6.1.2, gzip 1.8, logrotate 3.12.1, logwatch 7.4.3, m4 1.4.18, mpfr 3.1.5,
  openssl 1.0.2l (only bug fixes), openvpn 2.3.16 which fixes CVE-2017-7479 and
  CVE-2017-7478, pcre 8.40, pkg-config 0.29.1, rrdtool 1.6.0, strongswan 5.5.2,
  unbound 1.6.2, unzip 60, vnstat 1.17
* Matthias Fischer contributed some cosmetic changes for the firewall log
  section
* Gabriel Rolland improved the Italian translation
* Various parts of the build system have been cleaned up

Add-ons

New Add-ons

* ltrace: A tool to trace library calls of a binary

Updated Add-ons

The samba addon has been patched for a security vulnerability (CVE-2017-7494)
which allowed remote code execution on writable shares.

* libvirt 3.1.0 + python3-libvirt 3.6.1
* git 2.12.1
* nano 2.8.1
* netsnmpd which now supports reading temperature sensors with help of
  lm_sensors
* nmap 7.40
* tor 0.3.0.7

We are currently crowdfunding a Captive Portal [2] for IPFire and would like to
ask you to check it out and support us!

Please help us to support the work on IPFire Project with your donation [3].

[1] https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol
[2] http://wishlist.ipfire.org/wish/the-ipfire-captive-portal
[3] http://www.ipfire.org/donate
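
The IPsec defaults described in the announcement can be checked against existing connections. The following is an added example, not code from the IPFire project: it audits strongSwan ipsec.conf-style `ike=`/`esp=` values for SHA1/MD5, MODP groups below 2048 bit and a missing strict flag. Assumptions: strongSwan's proposal keyword spelling, a trailing `!` as the marker for "only the explicitly selected algorithms", the 2048-bit floor applied to MODP groups only, and a constructed sample configuration.

```python
import re

WEAK_HASH = re.compile(r"(?:prf)?(md5|sha1)(?:_\d+)?")  # marked weak/broken in the announcement
MODP = re.compile(r"modp(\d+)(?:s\d+)?")
MIN_MODP_BITS = 2048  # floor stated for the new default proposals


def audit_proposal(value):
    """Return findings for one ike=/esp= value; an empty list means it passes."""
    value = value.strip()
    # Assumption: a trailing "!" is the strict flag (no algorithms beyond the list).
    findings = [] if value.endswith("!") else ["not-strict"]
    for proposal in value.rstrip("!").split(","):
        for token in proposal.strip().lower().split("-"):
            if WEAK_HASH.fullmatch(token):
                findings.append("weak-hash:" + token)
            m = MODP.fullmatch(token)
            # Elliptic-curve groups (ecp*, curve25519) are not judged by this check.
            if m and int(m.group(1)) < MIN_MODP_BITS:
                findings.append("small-dh:" + token)
    return findings


def audit_config(text):
    """Map (conn name, keyword) -> findings for every failing ike=/esp= line."""
    report, conn = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            conn = m.group(1)
            continue
        m = re.match(r"\s+(ike|esp)\s*=\s*(\S+)", line)
        if m and conn:
            findings = audit_proposal(m.group(2))
            if findings:
                report[(conn, m.group(1))] = findings
    return report


# Constructed sample, not taken from a real IPFire system.
SAMPLE = """\
conn legacy-branch
    ike=aes256-sha1-modp1024
    esp=aes128-md5-modp768!   # MODP-768 is selectable but marked broken
conn new-default
    ike=aes256-sha512-curve25519,aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
"""

if __name__ == "__main__":
    for (conn, key), findings in audit_config(SAMPLE).items():
        print(f"{conn} {key}: {', '.join(findings)}")
```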