IPFire Changelog

New in version 2.15 Core 84 (October 17th, 2014)

GNU bash fixes:
  • As you may have already seen on the news, the Shellshock issues made more people look into the code of the default shell of many *nix systems. Those people found many more programming errors and provided fixes for them which have been applied in this release. IPFire is now shipping GNU bash 4.3.30 and the companion library readline in version 6.3.
squid web proxy:
  • There have been some Denial-of-Service issues in the squid web proxy which have been fixed in release 3.4.8. Those are of minor severity only and quite possibly cannot be exploited to inject code.
Firewall changes:
  • The firewall got a couple of new features which I explained in detail in a post on the IPFire planet. Both enhance the firewall to better protect hosted services from Denial-of-Service attacks and similar things by limiting the number of new connections that can be opened within a certain span of time or by limiting the overall number of open connections by a host on the Internet.
  • Using NAT for rules where the source and destination are in the same subnet is now possible. Some code has been cleaned up and made more robust. The firewall.local script is now also reloaded when firewall settings are changed in the web user interface.
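The two limits described above (new connections per time span, and total open connections per remote host) can be modelled as a small per-source limiter. The following is an added, constructed example and not IPFire's own code; the real firewall applies these limits with iptables match modules, and the event trace, the thresholds and the verdict strings are assumptions made for the illustration.

```python
"""Worked model of two per-host limits: a cap on new connections per
sliding time window and a cap on concurrently open connections.
Constructed example, not IPFire's firewall code; the iptables connlimit
and hashlimit modules implement the same policy in the kernel."""
from collections import defaultdict, deque


class ConnectionLimiter:
    """Tracks, per source address, accepted new connections inside a
    sliding window and the number of connections currently open."""

    def __init__(self, max_new_per_window, window_seconds, max_open):
        self.max_new = max_new_per_window
        self.window = window_seconds
        self.max_open = max_open
        self.new_times = defaultdict(deque)  # src -> timestamps of accepted SYNs
        self.open_count = defaultdict(int)   # src -> connections currently open

    def on_new_connection(self, src, now):
        """Return the verdict for a new connection attempt from src at time now."""
        recent = self.new_times[src]
        # Expire accepted connections that fall outside the sliding window.
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.max_new:
            return "DROP:rate"       # too many new connections in the window
        if self.open_count[src] >= self.max_open:
            return "DROP:connlimit"  # too many connections currently open
        recent.append(now)
        self.open_count[src] += 1
        return "ACCEPT"

    def on_close(self, src):
        """A tracked connection from src was closed; free its slot."""
        if self.open_count[src] > 0:
            self.open_count[src] -= 1


def simulate(events, limiter):
    """Feed (time, source, kind) events through the limiter. kind is 'SYN'
    for a new connection or 'FIN' for a close. Returns one verdict per SYN."""
    verdicts = []
    for t, src, kind in events:
        if kind == "SYN":
            verdicts.append(limiter.on_new_connection(src, t))
        else:
            limiter.on_close(src)
    return verdicts


# Constructed event trace: host A hammers the service, host B connects once.
EVENTS = [
    (0, "A", "SYN"), (1, "A", "SYN"), (2, "A", "SYN"), (3, "A", "FIN"),
    (4, "A", "SYN"), (5, "B", "SYN"), (5, "A", "SYN"), (6, "A", "FIN"),
    (7, "A", "FIN"), (11, "A", "SYN"),
]


def run_demo():
    """Policy: at most 3 new connections per 10 s and 2 open connections per host."""
    return simulate(EVENTS, ConnectionLimiter(3, 10, 2))


if __name__ == "__main__":
    syns = [e for e in EVENTS if e[2] == "SYN"]
    for (t, src, _), verdict in zip(syns, run_demo()):
        print(f"t={t:2d} {src}: {verdict}")
```

Host A's third attempt is dropped by the open-connection cap while two connections are still open, and its attempt at t=5 is dropped by the rate cap even though a slot is free; host B is unaffected because both counters are kept per source address.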
P2P block:
  • The P2P block feature of the firewall has not been very effective for many protocols. The detection has now been improved; blocking unwanted P2P protocols from your network now works much better, but results in a bit more load.
DNS Proxy:
  • dnsmasq, the DNS proxy working inside of IPFire, has been updated to version 2.72 which includes some stability fixes and fixes some of the crashes some IPFire users have been experiencing especially in conjunction with (faulty) DNSSEC-enabled DNS recursors on the Internet.
Misc:
  • Applying static routes at boot has been improved, as sometimes not all routes were correctly applied.
URL-Filter:
  • The “safe search” feature has been fixed for Google News and been introduced for Bing Search as well.
  • Blocking downloads of files by extension has been improved, too.
  • Some spelling fixes for the English language throughout the whole web interface.
  • parted has been updated to version 3.1.

New in version 2.15 Core 83 (September 29th, 2014)

  • This is the official release announcement for IPFire 2.15 Core Update 83. It mainly provides a fix for several security issues in the GNU bash package also known as “ShellShock” and filed under CVE-2014-6271 and CVE-2014-7169.
ShellShock:
  • It was possible to inject shell commands through the process environment, which bash then executed. IPFire uses CGI scripts for its web user interface, so authenticated users could execute shell commands with non-root privileges (as, of course, could users who already had access to the shell on the command line). Other services that execute shell scripts, such as the DHCP client, were vulnerable as well.
  • We regard this as a serious security issue and recommend updating as soon as possible. Please do not forget to reboot your machine afterwards, and check for updates for your other *nix distributions as well, because they are probably vulnerable, too.
  • It appears that there might be more problems in GNU bash for which there is no working fix available right now. So please stay tuned for more updates.
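A local self-check for the bash behaviour behind CVE-2014-6271: an exported variable whose value starts with "() {" is imported as a function, and an unpatched bash also executes whatever follows the closing brace. CGI hands request headers to scripts as environment variables, which is why the web interface was affected. The check below is an added example, not IPFire's code; it only runs an echo of a marker string and reports whether the installed bash ignored or executed it. The variable name and marker are made up.

```python
"""Self-check for the CVE-2014-6271 bash behaviour: does this bash run
code placed after an imported function definition? Constructed example."""
import shutil
import subprocess


def bash_runs_trailing_env_code(bash=None):
    """Return True if bash executes code after an environment-imported
    function body (vulnerable), False if it ignores or rejects it
    (patched), or None if no bash binary is installed."""
    bash = bash or shutil.which("bash")
    if bash is None:
        return None
    # PROBE is a constructed variable; the marker is echoed only if bash
    # executes the trailing command while importing the environment.
    env = {
        "PATH": "/usr/local/bin:/usr/bin:/bin",
        "PROBE": "() { :; }; echo SHELLSHOCK_MARKER",
    }
    proc = subprocess.run(
        [bash, "-c", "true"], env=env,
        capture_output=True, text=True, timeout=10,
    )
    return "SHELLSHOCK_MARKER" in proc.stdout


def status_message():
    """Human-readable summary suitable for a monitoring check."""
    result = bash_runs_trailing_env_code()
    if result is None:
        return "bash not installed"
    return "VULNERABLE: bash executes trailing environment code" if result \
        else "patched: bash ignores trailing environment code"


if __name__ == "__main__":
    print(status_message())
```

A patched bash typically logs "ignoring function definition attempt" on stderr for such a variable; the check above looks only at stdout, so the warning does not influence the verdict.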
Misc:
  • squid – the Web Proxy – has been updated to version 3.4.7 due to various security and stability fixes.
  • Several security and stability fixes have been added to glibc
  • The URL to detailed descriptions of the snort alerts has been updated
  • Various minor bug fixes.

New in version 2.15 Core 81 (August 8th, 2014)

  • This is the official release announcement for IPFire 2.15 Core Update 81. It comes with fixes for nine security vulnerabilities in the OpenSSL library and some other smaller bug fixes. We recommend installing this update as soon as possible and rebooting your systems.
OpenSSL 1.0.1i:
  • These OpenSSL security fixes are filed under CVE-2014-3508, CVE-2014-5139, CVE-2014-3509, CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3510, CVE-2014-3511, and CVE-2014-3512. They affect various protocols and parts of the library, but all are of moderate severity.
Misc:
  • The firewall has been extended to detect more types of port scans over the TCP protocol, and connections that are marked as invalid by the connection tracking are dropped from now on. Some broken TCP/IP stacks (as found in Android) caused packets to get from the internal networks to RED without being masqueraded.
ddns – The new dynamic DNS updater:
  • Logging when no update has been performed has been silenced and is only visible in debugging mode. This was requested by users who run IPFire from flash drives and would like to preserve their lifetime.
  • Special characters like “%” can now be used in passwords.
  • Support for regfish.com has been fixed.
  • lzo has been downgraded to version 2.06 because it did not work on ARM any more. However, the security fix from the last core update has been backported.
  • OpenVPN: When creating a new roadwarrior connection, a required field of the certificate form was not validated correctly if no input was given.
Add-ons:
  • The tor add-on has been updated to version 0.2.4.23, with a fix so that users of the network cannot be de-anonymized as easily.
  • check_mk_agent has been added.

New in version 2.15 Core 80 (August 3rd, 2014)

DNSSEC:
  • There has been a crowdfunding on the IPFire wishlist which raised money for implementing a DNSSEC validating DNS proxy. The DNS proxy service that is running inside of IPFire has been forked and some features that were dropped in the upstream version have been backported.
  • IPFire now validates every DNS response from zones that are signed. If the DNSSEC signatures do not validate, a DNS error is raised and spoofing attacks are therefore no longer possible. However, it is not sufficient for only the internal DNS proxy to validate DNSSEC. Client systems should validate DNSSEC records too, but we think that these changes block most spoofing attacks from the Internet, leaving only DNS spoofing attacks from the local network possible. The cache pool size has been increased so that dnsmasq is able to cache many DNS keys and signatures and the verification does not harm the user experience.
  • It is required that the DNS servers from the Internet service providers validate DNSSEC as well. If not, you may change to one of those public DNS servers in this list. There is more information about DNS and IPFire on our wiki.
New dynamic DNS updater:
  • A new tool to update dynamic DNS records has been written. It replaces the old, faulty and hard to maintain perl script setddns.pl. The new client is written in Python and portable to other distributions as well. It is easily extensible and avoids duplicating code. The sources can be found on our own git server or on GitHub and we are happy to receive improvements and patches that add support for new providers.
  • The user interface has been simplified and obsolete and deprecated features like wildcard support have been dropped.
  • There is support for all DNS providers that were formerly supported. Providers that don’t exist any more have been removed and some new ones have been added: all-inkl.com, dhs.org, dns.lightningwirelabs.com, dnspark.com, dtdns.com, dyndns.org, dynu.com, easydns.com, enom.com, entrydns.net, freedns.afraid.org, namecheap.com, no-ip.com, nsupdate.info, opendns.com, ovh.com, regfish.com, selfhost.de, spdns.org, strato.com, twodns.de, udmedia.de, variomedia.de, zoneedit.com.
Misc:
  • The lzo library has been updated to version 2.08 because of a potential, but very unlikely, security issue filed under CVE-2014-4607.
  • wpa_supplicant has been updated to version 2.2.
  • strongswan has been updated to version 5.2.0.
  • Ersan Yildirim submitted updates for the Turkish translation.
  • The dhcrelay binary and an initscript are shipped.
  • The bind tools have been updated to version 9.9.5 to support DNSSEC, too.
  • rng-tools have been updated to version 5 to support Intel processors that come with the RDRAND instruction, but without AES-NI.
  • squid web proxy: The minimum and maximum object size of objects that are put into the cache is no longer ignored.
  • Firewall hits by country: Fix chart for dial-up connections.
  • Static routes cannot be added twice into the configuration and must not be a part of any of the local networks.
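The static-route rule in the Misc item above (no duplicate destinations, no destination inside a local network) as a small validation routine. This is an added, constructed example and not IPFire's own code; the local networks and existing routes are made up, and the additional requirement that the gateway must sit in a local network is an assumption of this example, not a statement from the release notes.

```python
"""Validation for new static routes: reject duplicates and destinations
that overlap any local network. Constructed example, not IPFire code."""
import ipaddress

# Constructed configuration: networks attached to the firewall and the
# static routes that already exist (destination -> gateway).
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "10.0.10.0/24")]
EXISTING_ROUTES = {
    ipaddress.ip_network("172.16.0.0/16"): ipaddress.ip_address("192.168.0.254"),
}


def validate_static_route(destination, gateway,
                          local_networks=LOCAL_NETWORKS,
                          existing_routes=EXISTING_ROUTES):
    """Return (ok, reason); ok is True only if the route may be added."""
    try:
        # strict=True rejects prefixes with host bits set (e.g. 10.20.1.0/16)
        dest = ipaddress.ip_network(destination, strict=True)
        gw = ipaddress.ip_address(gateway)
    except ValueError as exc:
        return False, f"invalid input: {exc}"
    if dest in existing_routes:
        return False, "route already exists"
    for net in local_networks:
        # overlaps() catches both a destination inside a local network and
        # a destination large enough to swallow one.
        if dest.overlaps(net):
            return False, f"destination overlaps local network {net}"
    # Assumed extra check: the next hop must be directly reachable.
    if not any(gw in net for net in local_networks):
        return False, "gateway is not in a local network"
    return True, "ok"


if __name__ == "__main__":
    for dest, gw in [("10.20.0.0/16", "10.0.10.1"), ("192.168.0.0/28", "192.168.0.1"),
                     ("172.16.0.0/16", "192.168.0.254"), ("10.20.1.0/16", "10.0.10.1")]:
        print(dest, "via", gw, "->", validate_static_route(dest, gw))
```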
Add-ons:
  • ownCloud – The private cloud – Documentation
Updates:
  • clamav 0.98.4
  • hostapd 2.2
  • sane 1.0.24
  • tor 0.2.4.22
  • transmission 2.84

New in version 2.15 Core 79 (July 8th, 2014)

OpenVPN:
  • The OpenVPN capabilities have been massively extended by Erik Kapfer...
Certificate Authorities:
  • The certificate authority that can be created on the OpenVPN page now uses much stronger hashes to protect its own integrity. The CA root certificate uses a SHA512 hash and an RSA key with a length of 4096 bits. All newly created host certificates use an RSA key with a length of 2048 bits and a SHA256 hash.
  • Additionally, a set of Diffie-Hellman parameters can be generated for better protection of the session keys. The length of the pregenerated DH parameters can be chosen in the web interface.
Ciphers:
  • The cipher that is used for each net-to-net connection can now be changed, for example to take advantage of hardware crypto processors. SEED has been added to the list of supported ciphers.
  • ATTENTION: Some other ciphers that are evidently broken have been removed for use with the roadwarrior server. Those are: DES-CBC, RC2-CBC, RC2-64-CBC and RC2-40-CBC. If you are using one of these, please replace all your roadwarrior connections.
HMAC/Hashing:
  • To ensure that the transmitted data has not been altered on the way from sender to receiver, a hash function is used. This hash is now configurable with a couple of options: SHA2 (512, 384 and 256 bit), Whirlpool (512 bit) and SHA1 (160 bit).
  • To mitigate DoS attacks against the OpenVPN server, the tls-auth option can be enabled. It uses an HMAC function that lets the server decide very quickly whether a packet is coming from a legitimate sender and needs to be decrypted (which is a very costly operation) or whether it is just some spoofed data sent to slow down the server. In the latter case the HMAC does not match and the packet can be discarded right away.
  • All this may sound a bit complicated, but in the end the OpenVPN feature is usable just in the same and easy way as you know it in IPFire. Everything described here works under the hood and gives you better protection for your data.
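The tls-auth idea described above, as an added model that is not OpenVPN's or IPFire's code: every packet carries an HMAC keyed with a pre-shared static key, and the server checks that tag in constant time before doing anything expensive. The key, the packet layout (opcode, packet id, tag, payload), the replay rule and the "expensive operation" counter are assumptions of this example.

```python
"""Model of an HMAC pre-check in front of a costly handshake. Constructed
example; the static key, packet format and cost model are assumptions."""
import hashlib
import hmac
import os
import struct

# Pre-shared static key, generated once and installed on server and clients.
TLS_AUTH_KEY = bytes.fromhex("00" * 8 + "ff" * 8) * 2  # 32 bytes, constructed
TAG_LEN = hashlib.sha256().digest_size
HEADER = struct.Struct("!BI")  # opcode, packet id (replay counter)


def wrap(opcode, packet_id, payload, key=TLS_AUTH_KEY):
    """Client side: header || HMAC(header || payload) || payload."""
    header = HEADER.pack(opcode, packet_id)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + tag + payload


class Server:
    def __init__(self, key=TLS_AUTH_KEY):
        self.key = key
        self.last_id = -1
        self.expensive_ops = 0  # packets that reached the costly stage

    def handle(self, packet):
        """Return 'processed' or 'dropped:<reason>' for one packet."""
        if len(packet) < HEADER.size + TAG_LEN:
            return "dropped:short"
        header = packet[:HEADER.size]
        tag = packet[HEADER.size:HEADER.size + TAG_LEN]
        payload = packet[HEADER.size + TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        # Cheap, constant-time check; spoofed or tampered packets stop here.
        if not hmac.compare_digest(tag, expected):
            return "dropped:bad-hmac"
        opcode, packet_id = HEADER.unpack(header)
        if packet_id <= self.last_id:
            return "dropped:replay"
        self.last_id = packet_id
        self.expensive_ops += 1  # decryption / handshake work happens here
        return "processed"


def run_demo():
    """Feed one genuine packet and several bogus ones through a server."""
    server = Server()
    good = wrap(opcode=7, packet_id=1, payload=b"ClientHello")
    forged = wrap(7, 2, b"ClientHello", key=os.urandom(32))  # wrong key
    tampered = bytearray(good)
    tampered[-1] ^= 1  # one flipped payload bit
    results = [
        server.handle(good),
        server.handle(forged),
        server.handle(bytes(tampered)),
        server.handle(good),   # replay of the genuine packet
        server.handle(b"\x07"),
    ]
    return results, server.expensive_ops


if __name__ == "__main__":
    verdicts, costly = run_demo()
    print(verdicts, "expensive operations:", costly)
```

Only the genuine packet reaches the costly stage; the forged, tampered, replayed and truncated packets are rejected by a single HMAC computation and compare each, which is the property that makes tls-auth an effective DoS mitigation.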
Kernel Update:
  • The Linux kernel running inside IPFire has been updated to version 3.10.44 which adds better support for some hardware, comes with lots of stability fixes and closes some security issues. The vendor drivers for Intel network adapters have been updated, too.
  • One of the most significant changes is that the system now uses the PCIe ASPM configuration from the BIOS. The former option was to save as much power as possible which may lead to instabilities with some PCIe periphery. It is now possible to easily configure the desired operation mode in the BIOS of the system.
  • Various changes have been applied to the Xen image so installing IPFire on para-virtualized systems runs much more smoothly now.
PPP dial-in:
  • pppd, the Point-to-Point Protocol daemon, has been updated to version 2.4.6, which comes with some stability and security fixes. For PPPoE sessions, the system will now try to connect to the Internet for a longer time before giving up. This helps to establish a connection even if there are some really weird modems around that need some time to initialize when the network link goes up (seen with radio link antennas).
LTE/3G Modem Status:
  • The IPFire web interface got a new status page for modems. This includes all serial modems, from 56k analogue modems up to LTE and 3G modems. The page shows various information about the connected network, the signal quality and the SIM card if one is available.
Squid Web Proxy Update:
  • The Squid web proxy server has been updated to version 3.4.5. As this is a major version update, several deprecated things and incompatibilities had to be resolved. The redirect wrapper process has been rewritten and all the redirect helpers (URL-Filter, Update Accelerator and squidclamav) have been patched to be able to communicate with the proxy process again.
  • When using proxy.pac for automatic client configuration, please note that access to the web proxy is now only granted for the actual subnets of the firewall and no longer for the entire private RFC1918 address space. In addition to that, accessing resources in the same subdomain as the clients (i.e. internal network access) bypasses the proxy as well.
  • Support for the internal Quality of Service has been compiled in.
Intrusion Detection System:
  • snort, the Intrusion Detection System, has been updated to version 2.9.6.1. Downloading rules will remain possible for some time.
Misc:
  • Alf Høgemark contributed an updated version of vnstat which is a tool to measure the consumed traffic on each network interface and generates beautiful graphs out of it.
  • He also contributed a new log page on the IPFire web interface that shows from which countries the most firewall hits originate.
  • The new firewall GUI now supports blocking access to the GREEN firewall interface from the GREEN network.
  • The PIE packet scheduler has been added for experienced users to experiment.
  • Lots of cleanup of the generated HTML output of the CGI web interface scripts has been done.
  • The Turkish translation has been updated by Ersan Yildirim.
  • The net-utils package, which provided basic tools like ping, has been removed; now only the version of ping that comes with the iputils package is used. The hostname command has been replaced by a version that is maintained by Debian.
  • Updated packages: daq 2.0.2, libpcap 1.4.0, openvpn 2.3.4, sudo 1.8.10p3
  • The build system is now able to use qemu and compile for ARM on x86 machines.
  • Enabling the front LEDs on an ALIX system has been fixed when a RED device has been assigned but the system actually uses a dial-in connection.
Installer:
  • Installation on systems that only have a serial console is now possible from the ISO image. The baud rate is set to 115200 throughout the entire process; formerly this was broken and the baud rate had to be changed a couple of times.
  • The default size of the root partition has been increased.
  • The backup ISO that can be generated on the backup page of the IPFire web interface is now a hybrid image as well, so that it can be put on a USB key instead of being burnt to a disc.
Dynamic DNS providers:
  • Some new dynamic DNS providers have been added: spdns.de (Bernhard Bitsch), twodns.de, variomedia.de (Stefan Ernst)
Add-ons:
New Arrivals:
  • icinga 1.11.4 (The nagios package may be dropped in the near future)
  • sslscan 1.10.2 – A simple tool to scan which SSL features and ciphers a remote host supports
Updates:
  • cacti 0.8.8b
  • clamav 0.98.4
  • nut 2.7.2 (Dirk Wagner)
  • samba 3.6.24
  • transmission 2.83
Dropped add-ons:
  • icecc

New in version 2.15 Core 78 (June 9th, 2014)

  • This update comes with important openssl security fixes and we recommend installing it as soon as possible.
OpenSSL 1.0.1h:
  • There have been several vulnerabilities discovered in the openssl library which is responsible for implementing the SSL/TLS protocol and other cryptographic tasks. All details about these can be found in the original openssl security advisory.

New in version 2.15 Core 77 (June 9th, 2014)

  • New firewall GUI
  • The Linux kernel – now grsecurity-enabled
  • ARM support
  • New Web User Interface style
  • Stronger Ciphers for the Web User Interface
  • beep has been updated to version 1.3 and supports more beepers.
  • fireinfo did not properly read harddisk serial numbers if those were shorter than 10 characters. This may cause some systems to change their fireinfo ID.
  • The boot process has been improved so that the system should boot up slightly faster.
  • OpenVPN net-to-net connections sometimes stuck in WAIT state. The user interface now shows reliably if a connection is established or not.
  • Insertion of thousands of hosts on the wireless access page has been improved.
  • Command line parsing of the setuid binaries has been improved, as it was possible to crash those commands with a stack buffer overflow.
  • Statistics of the Solus PCI DSL modems are shown in the web user interface.
  • The update accelerator supports Archlinux packages now and does not stumble upon files with a colon (:) in the URL.
  • New packages: iotop, stunnel
  • mysql has been updated to version 5.0.96.
  • cups has been updated to version 1.7.0 and uses libusb to communicate with USB printers.
  • gutenprint has been updated to version 5.2.9 and comes with support for many new printers.
  • foomatic has been updated to version 4.09/4.0.17 (20131023) and provides even more drivers for printers.
  • miniupnpd has been updated to version 1.8.
  • fetchmail has been updated to version 6.3.26.
  • git has been updated to version 1.8.5.2.
  • nginx has been updated to version 1.4.4.
  • clamav has been updated to version 0.98.1.
  • rsync has been updated to version 3.1.0.
  • samba has been updated to version 3.6.19.
  • vdr has been updated to version 2.0.5.
  • w_scan has been updated to version 20130331.

New in version 2.13 Core 76 (April 23rd, 2014)

  • This release comes with a security fix for the strongswan package, which is responsible for IPsec VPN connections. The vulnerability has been assigned the number CVE-2014-2338. It was possible to bypass the authentication and therefore take over a VPN connection while the original peers are rekeying. IKEv1 connections are not vulnerable, but IKEv2 connections are.

New in version 2.13 Core 75 (January 13th, 2014)

OpenVPN TLS certificate validation:
  • Due to a change in OpenVPN 2.3, the common name of the connecting user's certificate was formatted differently than before. As a result, the certificate could not be validated properly because it was looked up under a different name.
  • This update ships a fixed version of the verify script that can work with both formats of the common name.
OpenVPN connection configuration:
  • Because of a related cause, the route configuration was not pushed to some clients when they connected. This issue is filed under bug id #10323 and has been addressed in this update.
Pakfire locking up:
  • When pakfire receives an empty mirror list, the process stalls while it is checking for a working mirror server. A fix for this problem has been introduced that will download packages from the main server, when none of the mirror servers is available.