From: The IPFire Project
To: ipfire-announce@lists.ipfire.org
Subject: IPFire 2.21 - Core Update 128 released
Date: Wed, 13 Mar 2019 11:04:36 +0000

https://blog.ipfire.org/post/ipfire-2-21-core-update-128-released

This is the official release announcement for IPFire 2.21 - Core Update 128; another maintenance update with a brand new kernel, introducing TLS 1.3 throughout the whole system and of course a whole package of bug fixes and other improvements.

Thanks to everyone who has contributed to this Core Update by sending in patches, testing, reporting bugs and many many other things. I am quite happy to see the team grow! Thank you very much as well to all of you who have supported our Donations Challenge [1] so far. We have received a lot of nice words and support from you, but we are not there, yet! Please support our project and donate!

Kernel Update

The Linux kernel, the core of the IPFire operating system, has been updated to the latest release of the 4.14 branch. We have added some extra patches to improve hardware support and fix some security vulnerabilities. LEDs of PCengines' APU boards are now supported on newer versions of the mainboard and on those boards, the serial console is always enabled. On x86-based systems, we now support up to 64 processors.

OpenSSL 1.1.1 & TLS 1.3

We have also updated the main TLS/SSL library to OpenSSL in version 1.1.1. This adds support for TLS 1.3 and of course brings various other improvements with it. On browsers that support it, the IPFire web user interface is now available over TLS 1.3 and any outgoing SSL connection from the firewall supports it, too. We ensure that those connections only use secure and performant ciphers to make connections as fast as they can be.

We have also updated the list of trusted Certificate Authorities (CAs).

We have removed any previous versions of OpenSSL from the system which will soon be end-of-life. If you have anything custom that you have compiled yourself on your system, please be aware of that and note that you might have to rebuild your custom software.

Add-ons provided by the IPFire Project now support TLS 1.3 as well. If you are running a custom configuration for postfix or haproxy, make sure that TLS 1.3 is not excluded from the supported TLS protocols.

Performance Tuning

The system is now configured to be able to route more packets. During some benchmarks and testing we have discovered that IPFire does not always use the full performance of the hardware underneath it. While most systems probably won't benefit much from these improvements, some systems with very fast processor cores will see a 5-10% increase in bandwidth from and to the firewall as well as routed through it. That comes at the cost of a very slight increase in power consumption, but we figured that that is a price worth paying to provide you not only a secure firewall, but also a fast one.

Misc.

• A change of the firewall policy might potentially be backwards-incompatible, but we saw no other way to improve the security of the system: Previously, systems on the ORANGE network were always allowed to connect to the Internet on RED. This was carried over from the very beginning of IPFire when the firewall user interface was way more basic and rules to change this behaviour could not be configured at all. Now, it makes a lot more sense to not have this default, which was also not well-known, and allow users to create rules to either allow or deny traffic like this.
• The kdig utility is now available on the command line and supports DNS lookups via TLS
• Updated packages: apache 2.4.38, apr 1.6.5, curl 7.64.0, dhcpcd 7.1.1, ghostscript 9.26, logrotate 3.15, openssl 7.9p1, postfix 3.3.2, strongswan 5.7.2, tzdata 2018i

Add-ons

• powertop has been updated to version 2.10
• tor has been updated to version 0.3.5.7
• sendEmail has been fixed by Rob. The script had a wrong file ownership.

[1] https://blog.ipfire.org/post/donations-challenge
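
The postfix/haproxy advice in the OpenSSL 1.1.1 & TLS 1.3 section, as an added example (not part of the original announcement and not IPFire's own code): a small checker that flags settings in a custom configuration which keep TLS 1.3 from being negotiated. It assumes Postfix's "!proto" / explicit-list syntax and HAProxy's no-tlsv13, force-* and ssl-max-ver keywords; the sample configurations and the certificate path are constructed.

```python
import re
# Postfix main.cf parameters that carry a TLS protocol list.
POSTFIX_PARAMS = re.compile(r"^(smtpd?|lmtp)_tls_(mandatory_)?protocols$")
# HAProxy keywords that disable TLS 1.3, pin an older version or cap below it.
HAPROXY_EXCLUDE = re.compile(
    r"\b(no-tlsv13|force-(sslv3|tlsv1[012])|ssl-max-ver\s+(SSLv3|TLSv1\.[012]))\b",
    re.IGNORECASE)

def postfix_findings(text):
    """Return (parameter, value) pairs that shut out TLSv1.3, either through
    "!TLSv1.3" or through an explicit protocol list that omits it."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:   # continuation of the previous line
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    findings = []
    for line in logical:
        name, sep, value = (part.strip() for part in line.partition("="))
        if not sep or not POSTFIX_PARAMS.match(name):
            continue
        tokens = [t.lower() for t in re.split(r"[\s,:]+", value) if t]
        denied = {t[1:] for t in tokens if t.startswith("!")}
        allowed = {t for t in tokens if not t.startswith("!")}
        if "tlsv1.3" in denied or (allowed and "tlsv1.3" not in allowed):
            findings.append((name, value))
    return findings

def haproxy_findings(text):
    """Return (line number, directive) pairs that keep TLS 1.3 from being offered."""
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    return [(n, l) for n, l in enumerate(lines, 1) if HAPROXY_EXCLUDE.search(l)]

# Constructed sample configurations (not taken from a real system).
SAMPLE_MAIN_CF = """\
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = TLSv1.2
smtp_tls_protocols = !SSLv2, !SSLv3,
    !TLSv1.3
"""
SAMPLE_HAPROXY_CFG = """\
global
    ssl-default-bind-options no-sslv3 no-tlsv13
frontend www
    bind :8443 ssl crt /etc/haproxy/site.pem ssl-max-ver TLSv1.2  # capped
"""

print(postfix_findings(SAMPLE_MAIN_CF), haproxy_findings(SAMPLE_HAPROXY_CFG), sep="\n")
```

To check a live system, pass the contents of your own main.cf or haproxy.cfg to the matching function; an empty list means nothing in the file rules out TLS 1.3.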