From: The IPFire Project
To: ipfire-announce@lists.ipfire.org
Subject: IPFire 2.19 - Core Update 115 released
Date: Thu, 02 Nov 2017 20:21:14 +0000

https://www.ipfire.org/news/ipfire-2-19-core-update-115-released

Hello Community,

finally, we are releasing the long-awaited IPFire 2.19 – Core Update 115
which brings the shiny new Captive Portal and various security and
performance improvements as well as fixing security vulnerabilities.

This is a large Core Update with a huge number of changes and to support our
efforts to develop new features and maintain the existing system as well as
constantly improving it, we would like to ask you to donate [1]!

Captive Portal

The new IPFire Captive Portal comes pre-installed on every IPFire system and
allows easy access control for wireless and even wired networks. It is simple
and very easy to set up with only a few configuration options. That makes it
versatile for many administrators and also very simple for all users.

It comes with two configuration modes: The default mode asks the user to
accept terms and conditions. After doing so, access to the network is granted
for a configurable time. After the time has expired, Internet access is
blocked again immediately.

Optionally you can generate coupons that allow access for one device for a
set time. Those coupons can also be exported as a PDF document and printed so
that they can be handed out easily at a hotel reception for example.

Although Germany has just abolished the controversial law that made the
subscriber of an Internet connection liable for everything anyone does over
that connection (Störerhaftung), this is still a great feature for 2017 where
WiFi networks in hotels, cafes and everywhere else are a must. It allows you
to give access only to the people who booked a room in your hotel, or bought
a cup of coffee in your cafe. That will keep the WiFi from being overloaded
and it will be fast for everyone.

The full documentation can be found on our wiki [2].

Thanks go to all the people of our community who have worked on this for a
very long time.

Security Improvements

The web user interface has been hardened by a series of patches from Peter
Müller:

* When establishing a new TLS connection, ECDSA is now preferred over RSA,
  which makes the TLS handshake much faster and uses fewer resources on the
  client and server. It is also considered to be more resistant to brute
  force.
* An additional ECDSA key is now generated in addition to the existing RSA
  key, which improves security of any TLS connections to the web user
  interface.
* Previously, some attacks could make the web browser submit login
  credentials via HTTP without encryption. The Apache configuration has been
  changed to never ask for a login without first establishing a TLS
  connection.
* A smaller information leak has also been fixed where anyone could access
  the credits.cgi page, which revealed the version information of the
  installed system.

These changes require a restart of the web server that runs the web user
interface. This happens automatically during the installation of this Core
Update but might render the web user interface unavailable for a short
moment.

OpenVPN Configuration Updates

The OpenVPN project has deprecated some configuration options. This has been
updated in IPFire as well, which will now generate new configuration files
whenever a new certificate has been issued.
The old configuration files and certificates will remain but won’t be
compatible with OpenVPN 2.5 anymore. There is no need for action right now,
but old connections might not work with clients that run a newer version of
OpenVPN in the future. New connections will work fine with any recent and
future version of OpenVPN.

Thanks to Erik for sending in a patch for this.

Misc

* The WiFi access point add-on has already been patched against the KRACK
  attacks on the day those were announced. The wpa_supplicant package which
  implements the WiFi client feature of IPFire has been patched in this
  release against those attacks.
* IPsec VPNs that use Curve25519 would not come up after installing the
  previous Core Update. This has been fixed now.
* Updated packages: logrotate 3.13.0, openvpn 2.3.18, unbound 1.6.7
* Some files that have been unused for a very long time have been cleaned up.
* All downloads of the project’s ISO files are now done over HTTPS.

Updated Add-Ons

* tor 3.1.7

[1] https://www.ipfire.org/donate
[2] https://wiki.ipfire.org/en/configuration/network/captive