IPFire 2.15 - Core Update 80 released

The IPFire Project ipfire-announce at lists.ipfire.org
Sun Aug 3 21:19:15 CEST 2014


This is the official release announcement for IPFire 2.15 – Core Update
80. It comes with lots of new features, some bugfixes and some minor
security fixes.


There has been a crowdfunding campaign on the IPFire wishlist which
raised money for implementing a DNSSEC validating DNS proxy. The DNS proxy service
that is running inside of IPFire has been forked and some features that
were dropped in the upstream version have been backported.

IPFire now validates every DNS response of zones that are signed. If the
DNSSEC signatures do not validate, a DNS error is raised and therefore
spoofing attacks are no longer possible. However, it is not sufficient
for the internal DNS proxy to have DNSSEC enabled. Client systems should
validate DNSSEC records, too, but we think that these changes block most
spoofing attacks from the Internet and only DNS spoofing attacks from
the local network are possible. The cache pool size has been increased
so that dnsmasq is able to cache many DNS keys and signatures and that
the verification does not harm the user experience.

It is required that the DNS servers from the Internet service providers
validate DNSSEC as well. If not, you may change to one of the public
DNS servers in this list. There is more information about DNS and IPFire
on our wiki.
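
One way to check the requirement above, that the upstream DNS servers validate DNSSEC, shown as an added example that is not code from the IPFire project. The function names, the transaction ID and the header-only sample replies are constructed for illustration, and the caller has to supply one correctly signed name and one with deliberately broken signatures.

```python
import socket
import struct

# Header flag bits (RFC 1035, RFC 4035); names are this example's own.
QR, AD, RCODE_MASK, SERVFAIL = 0x8000, 0x0020, 0x000F, 2

def build_query(name, qtype=1, txid=0x1234):
    """DNS query with RD set and an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    # OPT RR: root name, TYPE 41, CLASS = UDP size, TTL carries DO (0x8000), RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def classify(response, txid=0x1234):
    """Return 'validated', 'servfail' or 'unvalidated' from the reply header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not (flags & QR):
        raise ValueError("not a response to our query")
    if (flags & RCODE_MASK) == SERVFAIL:
        return "servfail"
    if (flags & RCODE_MASK) == 0 and (flags & AD):
        return "validated"
    return "unvalidated"

def ask(resolver_ip, name, timeout=3.0):
    """Send one query over UDP to resolver_ip:53 and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        return s.recvfrom(4096)[0]

def resolver_validates(signed_reply, broken_reply):
    """Validating resolver: AD on a signed name, SERVFAIL on a broken one."""
    return (classify(signed_reply) == "validated"
            and classify(broken_reply) == "servfail")

# Constructed 12-byte replies (header only) standing in for captured answers.
REPLY_AD = struct.pack("!6H", 0x1234, 0x81A0, 0, 0, 0, 0)        # NOERROR, AD set
REPLY_PLAIN = struct.pack("!6H", 0x1234, 0x8180, 0, 0, 0, 0)     # NOERROR, AD clear
REPLY_SERVFAIL = struct.pack("!6H", 0x1234, 0x8182, 0, 0, 0, 0)  # SERVFAIL

if __name__ == "__main__":
    print(resolver_validates(REPLY_AD, REPLY_SERVFAIL))   # validating upstream
    print(resolver_validates(REPLY_PLAIN, REPLY_PLAIN))   # non-validating upstream
```

Against a live resolver, pass the output of `ask()` for both names to `resolver_validates()`; an upstream that answers the broken name normally is not validating.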

New dynamic DNS updater

A new tool to update dynamic DNS records has been written. It replaces
the old, faulty and hard-to-maintain Perl script setddns.pl. The new
client is written in Python and portable to other distributions as well.
It is easily extensible and avoids duplicating code. The sources can be
found on our own git server or on GitHub and we are happy to receive
improvements and patches that add support for new providers.

The user interface has been simplified and obsolete and deprecated
features like wildcard support have been dropped.

There is support for all DNS providers that have been formerly
supported. Providers that don’t exist any more have been removed and
some new ones have been added: all-inkl.com, dhs.org,
dns.lightningwirelabs.com, dnspark.com, dtdns.com, dyndns.org, dynu.com,
easydns.com, enom.com, entrydns.net, freedns.afraid.org, namecheap.com,
no-ip.com, nsupdate.info, opendns.com, ovh.com, regfish.com, selfhost.de,
spdns.org, strato.com, twodns.de, udmedia.de, variomedia.de,


* The lzo library has been updated to version 2.08 because of a
potential, but very unlikely security issue filed under CVE-2014-4607.
* wpa_supplicant has been updated to version 2.2.
* strongswan has been updated to version 5.2.0.
* Ersan Yildirim submitted updates for the Turkish translation.
* The dhcrelay binary and an initscript are shipped.
* The bind tools have been updated to version 9.9.5 to support DNSSEC.
* rng-tools have been updated to version 5 to support Intel processors
that come with the RDRAND instruction, but without AES-NI.
* squid web proxy: The minimum and maximum object size of objects that
are put into the cache is no longer ignored.
* Firewall hits by country: Fix chart for dial-up connections.
* Static routes cannot be added twice into the configuration and must
not be a part of any of the local networks.


  New arrivals
    ownCloud – The private cloud – Documentation

    clamav 0.98.4
    hostapd 2.2
    sane 1.0.24
    transmission 2.84

Thanks to all the people who contributed in any way to this version of
IPFire. If you want to support us too, we appreciate your donation.