IPFire 2.19 - Core Update 111 released

The IPFire Project ipfire-announce at lists.ipfire.org
Wed Jun 14 21:16:38 CEST 2017


This is the official release announcement of IPFire 2.19 – Core Update 111. It
comes with various packages from all areas and some new features.

WPA Enterprise Authentication in Client Mode

The firewall can now authenticate itself with a wireless network that uses
Extensible Authentication Protocol (EAP, [1]). These are commonly used in
enterprises and require a username and password in order to connect to the

IPFire supports PEAP and TTLS, which are the two most common ones. They can be
configured on the “WiFi Client” page, which only shows up when the RED
interface is a wireless device. This page also shows the status and
protocols used to establish the connection.

The index page also shows various information about the status, bandwidth and
quality of the connection to a wireless network. That also works for
wireless networks that use WPA/WPA2-PSK or WEP.

QoS Multi-Queueing

The Quality of Service is now using all CPU cores to balance traffic. Before,
only one processor core was used, which caused a slower connection on systems
with weaker processors like the Intel Atom series, etc. but fast Ethernet
adapters. This has now been changed so that one processor is no longer a
bottleneck.

New crypto defaults

In many parts of IPFire cryptographic algorithms play a huge role. However, they
age. Hence we changed the defaults on new systems and for new VPN connections to
something that is newer and considered to be more robust.


* The latest version of strongSwan supports Curve 25519 for the IKE and ESP
  proposals which is also available in IPFire now and enabled by default.
* The default proposal for new connections now only allows the explicitly
  selected algorithms which maximises security but might have a compatibility
  impact on older peers: SHA1 is dropped, SHA2 256 or higher must be used; the
  group type must use a key with length of 2048 bit or larger
* Since some people use IPFire in association with ancient equipment, it is now
  allowed to select MODP-768 in the IKE and ESP proposals. This is considered
  broken and marked so.


* OpenVPN used SHA1 for integrity by default which has now been changed to
  SHA512 for new installations. Unfortunately OpenVPN cannot negotiate this over
  the connection. So if you want to use SHA512 on an existing system, you will
  have to re-download all client connections as well.

Various markers have been added to highlight that certain algorithms (e.g. MD5
and SHA1) are considered broken or cryptographically weak.
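
As an added illustration (not part of the announcement and not IPFire's own code), this Python script checks strongSwan `ike=`/`esp=` proposal strings against the policy described above: no MD5 or SHA1, MODP groups of 2048 bit or larger, and the strict flag `!` so that only the explicitly selected algorithms are allowed. The function names and the sample configuration are constructed for the example.

```python
import re

WEAK_HASHES = {"md5", "sha1"}   # marked broken/weak in the announcement
MIN_MODP_BITS = 2048            # "2048 bit or larger"

def audit_proposal(value):
    """Return findings for one strongSwan ike=/esp= proposal string."""
    findings = []
    # Without the trailing '!', strongSwan appends its built-in default
    # proposals, so algorithms outside the configured list can still be chosen.
    if not value.endswith("!"):
        findings.append("no strict flag '!': default proposals are also accepted")
    for suite in value.rstrip("!").split(","):
        suite = suite.strip()
        for token in suite.lower().split("-"):
            modp = re.fullmatch(r"modp(\d+)", token)
            if token in WEAK_HASHES:
                findings.append(f"{suite}: {token} is weak, use sha256 or higher")
            elif modp and int(modp.group(1)) < MIN_MODP_BITS:
                findings.append(f"{suite}: {token} is below {MIN_MODP_BITS} bit")
    return findings

def audit_ipsec_conf(text):
    """Map 'conn/key' to findings for every ike= and esp= line with issues."""
    report, conn = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line.startswith("conn "):
            conn = line.split(None, 1)[1]
        m = re.fullmatch(r"(ike|esp)\s*=\s*(\S+)", line)
        if m and conn:
            found = audit_proposal(m.group(2))
            if found:
                report[f"{conn}/{m.group(1)}"] = found
    return report

# Constructed sample configuration (not taken from an IPFire system).
SAMPLE_CONF = """
conn legacy-branch
    ike=aes128-sha1-modp768,aes256-sha256-modp1024
    esp=aes128-md5
conn new-default
    ike=aes256-sha512-curve25519,aes256-sha256-modp2048!
    esp=aes256gcm128-curve25519!
"""

if __name__ == "__main__":
    for where, found in audit_ipsec_conf(SAMPLE_CONF).items():
        for finding in found:
            print(f"{where}: {finding}")
```
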


* IPsec VPNs will be shown as “Connecting” when they are not established, but
  the system is trying to
* A shutdown bug has been fixed that delayed the system shutting down when the
  RED interface was configured as static
* The DNSSEC status is now shown correctly on all systems
* The following packages have been updated: acpid 2.0.28, bind 9.11.1, coreutils
  8.27, cpio 2.12, dbus 1.11.12, file 5.30, gcc 4.9.4, gdbm 1.13, gmp 6.1.2,
  gzip 1.8, logrotate 3.12.1, logwatch 7.4.3, m4 1.4.18, mpfr 3.1.5, openssl
  1.0.2l (only bug fixes), openvpn 2.3.16 which fixes CVE-2017-7479 and
  CVE-2017-7478, pcre 8.40, pkg-config 0.29.1, rrdtool 1.6.0, strongswan 5.5.2,
  unbound 1.6.2, unzip 60, vnstat 1.17
* Matthias Fischer contributed some cosmetic changes for the firewall log
* Gabriel Rolland improved the Italian translation
* Various parts of the build system have been cleaned up


New Add-ons

* ltrace: A tool to trace library calls of a binary

Updated Add-ons

The samba addon has been patched for a security vulnerability (CVE-2017-7494)
which allowed remote code execution on writable shares.

* libvirt 3.1.0 + python3-libvirt 3.6.1
* git 2.12.1
* nano 2.8.1
* netsnmpd which now supports reading temperature sensors with help of
* nmap 7.40
* tor

We are currently crowdfunding a Captive Portal [2] for IPFire and would like to
ask you to check it out and support us!

Please help us support the work on the IPFire Project with your donation [3].

[1] https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol
[2] http://wishlist.ipfire.org/wish/the-ipfire-captive-portal
[3] http://www.ipfire.org/donate