IPFire 2.13 - Core Update 72 released

The IPFire Project ipfire-announce at lists.ipfire.org
Tue Aug 27 15:24:20 CEST 2013

Today, IPFire 2.13 Core Update 72 and the crowd-funded Tor add-on [1]
have been released.

The Core Update comes with a lot of feature enhancements for IPsec,
smaller fixes for OpenVPN and fixed two denial-of-service attacks in the
Squid web proxy.

strongswan 5.1.0

strongswan, the software package responsible for IPsec VPN
connections, has been updated to version 5.1.0. This is a major version
which fixes various kinds of bugs and also fixes a denial-of-service bug
[2], which is of very little priority for IPFire users (CVE-2013-5018 [3]).

Elliptic Curve Cryptography

It is now possible to use Elliptic Curve Cryptography (ECC) groups in
the Internet Key Exchange (IKE) protocols in addition to the previously
defined Diffie-Hellman groups. Advantages of using these include better
efficiency, because the underlying integer arithmetic is much faster than
the binary field arithmetic MODP uses. ECC also requires much smaller
keys to achieve the same level of security as the Diffie-Hellman
algorithm does, so less entropy is consumed.

Smaller default keys

As has often been pointed out, it is a problem to gather enough
entropy on some computers. This makes it hard to do a proper key
exchange, because the keys generated for it have to consist of a
certain length of random data. The default settings for the key length
have been very high since IPFire 2.13 and are now lowered for the
reasons above. Instead of 8192 bits, the highest selected MODP group
now uses 4096-bit keys.

More technical reasons are to be found in the comments of #10396 [4].

squid Web Proxy server

The squid web proxy server had two denial-of-service issues that are
fixed in this Core Update. It was possible to crash the cache manager
during authentication, and to crash the entire proxy server with
requests containing over-long domain names (more information about this [5]).

OpenVPN fixes

The OpenVPN GUI now performs more precise validation of the subnet that
is used as a transfer network for OpenVPN N2N connections. Previously,
incorrect data caused the openvpnctrl binary to crash when a new
connection was started, so no firewall rules were added.
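As an added illustration (not IPFire's own ovpnmain.cgi code), this is the kind of strict check a GUI should perform on a transfer-network string before handing it to openvpnctrl: the accepted prefix range, the address-class rejections and the overlap test against existing networks are assumptions made for the example.

```python
import ipaddress
import re

# Prefix range accepted for an N2N transfer network (assumption for this
# example: an OpenVPN N2N link needs at least a /30, and anything shorter
# than /16 is almost certainly a typo).
MIN_PREFIX = 16
MAX_PREFIX = 30

# ADDRESS/PREFIX or ADDRESS/NETMASK, surrounding whitespace tolerated
_CIDR_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*/\s*(\S+)\s*$")


def validate_transfer_network(text, local_networks=()):
    """Return (normalized_cidr, None) if `text` is an acceptable transfer
    network, otherwise (None, reason). `local_networks` is an optional
    list of CIDR strings (e.g. GREEN/BLUE) the transfer net must not overlap."""
    m = _CIDR_RE.match(text or "")
    if not m:
        return None, "expected ADDRESS/PREFIX or ADDRESS/NETMASK"
    addr, suffix = m.groups()
    try:
        # strict=True rejects host bits set, e.g. 10.8.0.1/30, and the
        # IPv4Network constructor rejects octets > 255 and bad masks.
        net = ipaddress.IPv4Network(f"{addr}/{suffix}", strict=True)
    except ValueError as exc:
        return None, f"not a valid IPv4 network: {exc}"
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        return None, f"prefix /{net.prefixlen} outside /{MIN_PREFIX}-/{MAX_PREFIX}"
    if net.is_loopback or net.is_multicast or net.is_link_local or net.is_reserved:
        return None, "loopback, multicast, link-local or reserved range"
    for other in local_networks:
        if net.overlaps(ipaddress.IPv4Network(other, strict=False)):
            return None, f"overlaps existing network {other}"
    return str(net), None


if __name__ == "__main__":
    # Constructed sample inputs: one good, the rest of the kind that used
    # to reach openvpnctrl unchecked.
    for sample in ("10.8.0.0/30", "10.8.0.1/30", "10.8.0.0", "10.8.0.0/31",
                   "192.168.1.0/30", "10.8.0.0/255.255.255.252"):
        print(f"{sample!r:32} -> {validate_transfer_network(sample, ['192.168.1.0/24'])}")
```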

It is now permitted to leave the “remote” field empty on the N2N server
side, which makes creating connections with clients on dynamic IP
addresses easier.

OpenVPN client connections with more than one space character in their
names work again.

Misc Changes

 * snort has been enabled to decode packets from non-Ethernet devices again.
 * Dynamic DNS supports all-inkl.com now.
 * This update comes with all the requirements you need for Tor.

Tor – Protecting Online Anonymity

The Tor add-on is finally released together with Core Update 72, which
you need to install first if you want to use Tor. Please make sure to
reboot your IPFire system after the Tor add-on has been installed.

Documentation about this add-on can be found on our wiki: Tor
documentation [6]

We would like to thank all the people who contributed to this wish on
the IPFire wishlist. If you want to, there are other things you can
support [7], so those get implemented soon, too!

Please note a deprecation warning for Xen 3.x users [8]!


[1] http://wishlist.ipfire.org/wish/tor-protecting-online-anonymity
[2] http://www.strongswan.org/blog/2013/08/01/strongswan-denial-of-service-vulnerability-(cve-2013-5018).html
[3] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-5018
[4] https://bugzilla.ipfire.org/show_bug.cgi?id=10396
[5] http://www.squid-cache.org/Versions/v3/3.1/changesets/
[6] http://wiki.ipfire.org/en/addons/tor/start
[7] http://wishlist.ipfire.org/
[8] http://planet.ipfire.org/post/dropping-support-for-xen-3-x-deprecation-warning
