IPFire 2.19 - Core Update 118 released

The IPFire Project ipfire-announce at lists.ipfire.org
Wed Feb 14 20:34:37 GMT 2018


https://www.ipfire.org/news/ipfire-2-19-core-update-118-released

Hello community,

this is the official release announcement for IPFire 2.19 – Core Update 118. It
comes with a number of security and bug fixes as well as some new features.
Please note that we are dropping support for some add-ons.

Thanks to the people who contributed to this Core Update by submitting their
patches, and please help us to support everyone’s work with your donation:

  https://www.ipfire.org/donate


Spring Clean

It is the time of the year when we have reviewed large parts of the distribution
and decided to drop support for various packages and add-ons that cannot be
maintained any more:

Most importantly, this Core Update drops support for PHP and therefore various
add-ons that rely on it. We took that decision some time ago without any
objections and first dropped all add-ons that are not supported and updated by
their respective authors and maintainers. That left us with only one package
that needed PHP but can also be installed anywhere else.

PHP is a huge problem to maintain and does not really have a place on a firewall
in 2018. Our web user interface is entirely independent and since we value
security more than anything else, we have decided to drop support for PHP with
this Core Update.

If you have anything installed manually that requires PHP, please move it to
another web server before installing this Core Update.

Add-ons that have also been dropped: cacti, openmailadmin, phpSANE, nagios
(because icinga is available), nagiosql, mediatomb, owncloud


Meltdown/Spectre

This Core Update originally contained the microcode updates that Intel has now
pulled from public release. Since they make the system very unstable and cause
random reboots and reportedly can render some systems unbootable, we decided to
remove them from the update again.

So far, due to the hardening, Meltdown exploits do not work on IPFire, although
this is still a hardware bug and software can only be modified to mitigate this
massive problem. Over the coming days and weeks we will continue to work on
providing a solution that mitigates all problems, but so far we are not in a
position to have patches for Linux that fix them all and are at the same time
complete and stable enough to be released.


Security Improvements

* The list of Certificate Authorities has been updated and various CAs have been
  removed
* Users are now warned that 3DES and 1024 bit long RSA keys are considered
  “weak” cryptography
* Content Security Policy headers have been added to the web user interface and
  Captive portal pages so that browsers are prevented from loading any resources
  from external sites


Update Accelerator Improvements

Justin Luth has contributed fixes and improvements for the Update Accelerator
which has sometimes re-downloaded files with special characters in the URL
(#10504).

He has also improved caching of Microsoft updates which is now based on a
checksum of the update file (#11558,
https://bugzilla.ipfire.org/show_bug.cgi?id=10504).


Misc

* squid, the web proxy, has been patched against a security vulnerability in its
  HTTP parser (SA 2018:2)
* GeoIP information has been added to some pages on the web user interface
* Updated packages: bind 9.11.2-P1, dmidecode 3.1, glib2 2.54.3, gzip 1.9,
  hdparm 9.53, openssh 7.6p1, sed 4.4, snort 2.9.11.1, unbound 1.6.8, wget 1.9.4
* fireinfo is now submitting all profiles over HTTPS
* The LZ4 compression library is now shipped


Add-Ons

New Add-ons

* mdns-repeater is now being packaged which is a tool that relays mDNS messages
  from one network segment to another one. That helps devices like printers and
  other IoT devices to be auto-discovered from the GREEN network when they are
  connected to the BLUE one and vice-versa.

Updates

* tor 0.3.2.9
* nano 2.9.2
* clamav 0.99.3 which fixes various severe security vulnerabilities
* libvirt has been updated to version 4.0
* qemu 2.11
* Smaller packages updated for qemu & libvirt: opus 1.2.1, spice 0.14

