IPFire 2.23 – Core Update 136 releases

IPFire

IPFire is a Linux distribution, which focuses on ease of equipment, easy operation and high level of security. It is an intuitive web-based interface for operational management, the interface for the novice and experienced system administrator to provide a lot of intuitive configuration options. IPFire is maintained by a group of developers who are concerned about security and frequently update the product to keep it safe. IPFire comes with a custom package manager called Pakfire, which can also be extended with a variety of attachments.

IPfire 2.23 – Core Update 136 has been released.

Changelog

OpenSSL 1.1.1d

This update ships the latest update of the OpenSSL library which has received some important fixes in its latest release:

  • CVE-2019-1547: With custom elliptic curves, timing attacks were made possible again. This is of very low risk in IPFire, since we are not using any custom curves.
  • CVE-2019-1549: Forked processes could have shared the same seed for their random number generator which is being fixed in this one by mixing in a high precision timer.
  • CVE-2019-1563: Another padding oracle for large PKCS7 messages

All of these are classified as “low severity”. However, we recommend to install this update as soon as possible.

Perl 5.30

Arne has been busy and been working on replacing Perl with the latest stable version. This requires that loads of applications that use Perl – like our own web user interface – have to be shipped again as well as many add-ons. Hence this update is rather large.

GeoIP

Since Maxmind is no longer publishing their GeoIP database in the original format, but unfortunately not providing any good bindings for the new release, we have only had an outdated version of the database that we made available in IPFire.

There is now a script that converts the current data into the old format which allows us to ship a recent database again.

This database is however only being used for showing the country flags on the web UI. GeoIP blocking uses a database in a different format and therefore always has recent data to only block the right things.

Misc.

  • The firewall has a limit for log messages so that flooding the firewall with packets won’t cause a Denial-of-Service by filling up the hard drive with gigabytes of logs and also to not starve on write operations. This limit was however very low for modern standards and has therefore been increased to 10 logged packets per second. That will ensure that we won’t drop a packet without logging it.
  • Updated packages: apache 2.4.41, bind 9.11.10, clamav 0.101.4, dhcpcd 8.0.3, knot 2.8.3, logrotate 3.5.1, openssh 8.0p1, patch 2.7.6, texinfo 6.6, unbound 1.9.3, usb_modeswitch 1.5.2
  • logwatch and logrotate could conflict when running at the same time. This has been changed so only one of them is running at the same time.
  • Log messages for DMA, the IPFire mailer, and Postfix are now shown on the web UI
  • The toolchain now ships a compiler for Go

Add-ons

  • Updated packages: freeradius 3.0.19, haproxy 2.0.5, postfix 3.4.6, spamassassin 3.4.2, zabbix_agent 4.2.6
  • dnsdist has had its limit of open connections increased to work better in bigger environments
  • tor: A permission problem has been fixed so that the web UI can save settings again
  • wio: The RRD files will now be included in the backup as well as various UI improvements have been done

Download