IPFire 2.19 - Core Update 111 released
The IPFire Project
ipfire-announce at lists.ipfire.org
Wed Jun 14 21:16:38 CEST 2017
This is the official release announcement of IPFire 2.19 – Core Update 111. It
comes with various packages from all areas and some new features.
WPA Enterprise Authentication in Client Mode
The firewall can now authenticate itself with a wireless network that uses
Extensible Authentication Protocol (EAP). These are commonly used in
enterprises and require a username and password in order to connect to the
IPFire supports PEAP and TTLS which are the two most common ones. They can be
configured on the “WiFi Client” page, which only shows up when the
RED interface is a wireless device. This page also shows the status and
protocols used to establish the connection.
The index page also shows various information about the status, bandwidth and
quality of the connection to a wireless network. That also works for
wireless networks that use WPA/WPA2-PSK or WEP.
The Quality of Service is now using all CPU cores to balance traffic. Before,
only one processor core was used, which caused a slower connection on systems
with weaker processors (like the Intel Atom series) but fast Ethernet
adapters. This has now been changed so that one processor is no longer a
bottleneck.
New crypto defaults
In many parts of IPFire cryptographic algorithms play a huge role. However, they
age. Hence we changed the defaults on new systems and for new VPN connections to
something that is newer and considered to be more robust.
* The latest version of strongSwan supports Curve 25519 for the IKE and ESP
proposals which is also available in IPFire now and enabled by default.
* The default proposal for new connections now only allows the explicitly
selected algorithms, which maximises security but might have a compatibility
impact on older peers: SHA1 is dropped, SHA2 256 or higher must be used; the
group type must use a key with a length of 2048 bit or larger.
* Since some people use IPFire in association with ancient equipment, it is now
allowed to select MODP-768 in the IKE and ESP proposals. This is considered
broken and is marked as such.
* OpenVPN used SHA1 for integrity by default which has now been changed to
SHA512 for new installations. Unfortunately OpenVPN cannot negotiate this over
the connection. So if you want to use SHA512 on an existing system, you will
have to re-download all client connections as well.
Various markers have been added to highlight that certain algorithms (e.g. MD5
and SHA1) are considered broken or cryptographically weak.
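One way to check existing tunnels against the new defaults listed above, as an added example that is not IPFire's own code: it audits `ike=`/`esp=` lines in strongSwan `ipsec.conf` syntax for MD5/SHA1, MODP groups below 2048 bit and a missing strict flag (`!`). The sample configuration is constructed, and reading "only allows the explicitly selected algorithms" as the strict flag is an assumption.

```python
import re

WEAK_HASHES = {"md5", "sha1"}   # marked broken/weak in the announcement
MIN_MODP_BITS = 2048            # minimum group size for the new default
MODP = re.compile(r"modp(\d+)$")

# Constructed sample, not taken from a real IPFire system.
SAMPLE_CONF = """\
conn legacy-peer
    ike=aes256-sha1-modp1024
    esp=aes256-sha1
conn new-peer
    ike=aes256-sha512-curve25519,aes256-sha512-modp4096!
    esp=aes256-sha512-curve25519!
"""

def audit_value(value):
    """Return findings for one ike=/esp= value (comma-separated proposals)."""
    findings = []
    # Assumption: a trailing "!" (strongSwan strict flag) restricts the list.
    if not value.endswith("!"):
        findings.append("not strict: algorithms outside this list may be accepted")
    for proposal in value.rstrip("!").split(","):
        for token in proposal.strip().lower().split("-"):
            match = MODP.match(token)
            if token in WEAK_HASHES:
                findings.append(f"{proposal.strip()}: weak hash {token}")
            elif match and int(match.group(1)) < MIN_MODP_BITS:
                findings.append(f"{proposal.strip()}: {token} is below {MIN_MODP_BITS} bit")
    return findings

def audit_conf(text):
    """Map each conn name to its findings; clean connections are omitted."""
    results, conn = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if line.startswith("conn "):
            conn = line.split()[1]
        elif conn and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in ("ike", "esp"):
                for finding in audit_value(value):
                    results.setdefault(conn, []).append(f"{key}: {finding}")
    return results

if __name__ == "__main__":
    for name, findings in audit_conf(SAMPLE_CONF).items():
        for finding in findings:
            print(f"{name}: {finding}")
```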
* IPsec VPNs will be shown as “Connecting” when they are not established, but
the system is trying to
* A shutdown bug has been fixed that delayed the system shutting down when the
RED interface was configured as static
* The DNSSEC status is now shown correctly on all systems
* The following packages have been updated: acpid 2.0.28, bind 9.11.1, coreutils
8.27, cpio 2.12, dbus 1.11.12, file 5.30, gcc 4.9.4, gdbm 1.13, gmp 6.1.2,
gzip 1.8, logrotate 3.12.1, logwatch 7.4.3, m4 1.4.18, mpfr 3.1.5, openssl
1.0.2l (only bug fixes), openvpn 2.3.16 which fixes CVE-2017-7479 and
CVE-2017-7478, pcre 8.40, pkg-config 0.29.1, rrdtool 1.6.0, strongswan 5.5.2,
unbound 1.6.2, unzip 60, vnstat 1.17
* Matthias Fischer contributed some cosmetic changes for the firewall log
* Gabriel Rolland improved the Italian translation
* Various parts of the build system have been cleaned up
* ltrace: A tool to trace library calls of a binary
The samba addon has been patched for a security vulnerability (CVE-2017-7494)
which allowed remote code execution on writable shares.
* libvirt 3.1.0 + python3-libvirt 3.6.1
* git 2.12.1
* nano 2.8.1
* netsnmpd which now supports reading temperature sensors with help of
* nmap 7.40
* tor 0.3.0.7
We are currently crowdfunding a Captive Portal for IPFire and would like to
ask you to check it out and support us!
Please help us to support the work on the IPFire Project with your donation.