IPFire 2.23 – Core Update 134 releases: fix SACK Panic vulnerability

IPFire

IPFire is a Linux distribution, which focuses on ease of equipment, easy operation and high level of security. It is an intuitive web-based interface for operational management, the interface for the novice and experienced system administrator to provide a lot of intuitive configuration options. IPFire is maintained by a group of developers who are concerned about security and frequently update the product to keep it safe. IPFire comes with a custom package manager called Pakfire, which can also be extended with a variety of attachments.

IPfire 2.23 – Core Update 134 has been released.

Changelog

SACK Panic (CVE-2019-11477 & CVE-2019-11478)

The Linux kernel was vulnerable for two DoS attacks against its TCP stack. The first one made it possible for a remote attacker to panic the kernel and a second one could trick the system into transmitting very small packets so that a data transfer would have used the whole bandwidth but filled mainly with packet overhead.

The IPFire kernel is now based on Linux 4.14.129, which fixes this vulnerability and fixes various other bugs.

The microcode for some Intel processors has also been updated and includes fixes for some vulnerabilities of the Spectre/Meltdown class for some Intel Xeon processors.

Misc

  • Package updates: bind 9.11.8, unbound 1.9.2, vim 8.1
  • The French translation has been updated by Stéphane Pautrel and translates various strings as well as improving some others
  • We now prefer other cipher modes over CBC when IPFire itself opens a TLS connection. CBC is now considered to be substantially weaker than GCM.
  • Email addresses entered in the web UI can now contain underscores.
  • The Captive Portal now comes up properly after IPFire is being rebooted.

Download