IPFire 2.21 - Core Update 123 released

Michael Tremer michael.tremer at ipfire.org
Wed Sep 5 17:10:03 BST 2018


IPFire 2.21 - Core Update 123 released

This is the release announcement for IPFire 2.21 – Core Update 123 – a 
house-keeping release
with a large number of fixes and some fixes for security 

Thanks for the people who contributed to this Core Update by submitting 
their patches and
please help us to support everyone’s work with your donation [1]!

This release ships a large number of microcode updates for various 
processors (linux-firmware
30.7.2018, intel-microcode 20180807). Most notable, vulnerabilities in 
Intel processors might
have been fixed or mitigations applied. Microcodes are now also being 
loaded into the processor
earlier to avoid any attacks on the system at boot time.

This update also comes with a large number of smaller changes that 
improve security and fix bugs:

   * OpenSSL has been updated to versions 1.1.0i and for legacy 
applications version 1.0.2p
     (CVE-2018-0732 and CVE-2018-0737)
   * IPsec
     * IPsec now supports ChaCha20/Poly1305 for encryption
     * It also allows to configure a connection to passively wait until a 
peer initiates it. This
       is helpful in some environments where one peer is behind NAT.
   * OpenVPN
      * Creating Diffie-Hellman keys with length of 1024 bits is no 
longer possible because they
        are considered insecure and not being supported by OpenVPN any 
      * There is better warnings about this and other cryptographic 
issues on the web user interface
   * Intrusion Detection
       * Links in the log files have been fixed to open the correct page 
with details about
         a certain attack
       * Downloads of rulesets properly validate any TLS certificates
   * The /proc filesystem has been hardened so that no kernel pointers 
are being exposed any more
   * nss-myhostname is now being used to dynamically determine the 
hostname of the IPFire
     system. Before /etc/hosts was changed which is no longer required.
   * collectd: The cpufreq plugin has been fixed
   * Generating a backup ISO file has been fixed
   * Updated packages: apache 2.4.34, conntrack-tools 1.4.5, coreutils 
8.29, fireinfo,
     gnupg 1.4.23, iana-etc 2.30, iptables 1.6.2, libgcrypt 1.8.3, 
libnetfilter_conntrack 1.0.7,
     libstatgrab 0.91, multipath-tools 0.7.7, openvpn 2.4.6, postfix 
3.2.6, rng-tools 6.3.1,
     smartmontools 6.6, squid 3.5.28, strongswan 5.6.3, tzdata 2018e, 
unbound 1.7.3


   * Support for owncloud has been removed from guardian (version 2.0.2)
   * Updates: clamav 0.100.1, fping 4.0, hplip 3.18.6, ipset 6.38, lynis 
2.6.4, mtr 0.92,
     nginx 1.15.1, tmux 2.7, tor
   * avahi has been brought back in version 0.7 as it is required as a 
dependency by cups
     which has been fixed to automatically find any printers on the local 
network automatically
   * asterisk is now compiled with any optimisation for the build system 
which was accidentally
     enabled by the asterisk build system

[1] https://www.ipfire.org/donate

More information about the Press mailing list