Hi all,

Quite the list of changes after a few weeks of a turbulent summer. This update addresses the Stack Clash, OpenVPN, Bind and cURL security issues; see the reference links below.

17.7 is almost here, which means we have skipped the Alpha and Beta phases because the base system is staying on FreeBSD 11.0. What you can expect is a Release Candidate within a week and a smooth transition.

Here are the full patch notes:

o firewall: move gateway switching from system to firewall advanced settings

o firewall: keep category selection when changing tabs

o firewall: do not skip gateway switch parsing too early (contributed by Stephane Lesimple)

o interfaces: show VLAN description during edit

o firmware: opnsense-revert can now handle multiple packages at once

o firmware: opnsense-patch can now handle permission changes from patches

o dnsmasq: use canned --bogus-priv for no_private_reverse

o dnsmasq: separate log file, ACL and menu entries

o dynamic dns: fix update for IPv6 (contributed by Alexander Leisentritt)

o dynamic dns: remove usage of CURLAUTH_ANY (contributed by Alexander Leisentritt)

o intrusion detection: suppress “fast mode available” boot warning in PCAP mode

o openvpn: plugin framework adaptation

o unbound: add local-zone typetransparent for PTR zone (contributed by Davide Gerhard)

o unbound: separate log file, ACL and menu entries

o wizard: remove HTML from description strings

o mvc: group relation to something other than uuid if needed

o mvc: rework “item in” for our Volt templates

o lang: Czech to 100% translated (contributed by Pavel Borecki)

o plugins: zabbix-agent 1.1 (contributed by Frank Wall)

o plugins: haproxy 1.16 (contributed by Frank Wall)

o plugins: acme-client 1.8 (contributed by Frank Wall)

o plugins: tinc fix for switch mode (contributed by Johan Grip)

o plugins: monit 1.3 (contributed by Frank Brendel)

o src: support dhclient supersede statement for option 54 (contributed by Fabian Kurtz)

o src: add Intel Atom Cherryview SOC HSUART support

o src: add the ID for the Huawei ME909S LTE modem

o src: HardenedBSD Stack Clash mitigations[1]

o ports: sqlite 3.19.3[2]

o ports: openvpn 2.4.3[3]

o ports: sudo 1.8.20p2[4]

o ports: dnsmasq 2.77[5]

o ports: openldap 2.4.45[6]

o ports: php 7.0.20[7]

o ports: suricata 3.2.2[8]

o ports: squid 3.5.26[9]

o ports: ca_root_nss 3.31

o ports: bind 9.11.1-P2[10]

o ports: unbound 1.6.3[11]

o ports: curl 7.54.1[12]

Stay safe,

Your OPNsense team

—

[1] https://hardenedbsd.org/article/shawn-webb/2017-06-25/stack-clash-mitigations

[2] https://www.sqlite.org/releaselog/3_19_3.html

[3] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24

[4] https://www.sudo.ws/stable.html#1.8.20p2

[5] https://github.com/imp/dnsmasq/blob/master/CHANGELOG

[6] https://www.openldap.org/software/release/changes.html

[7] http://php.net/ChangeLog-7.php#7.0.20

[8] https://suricata-ids.org/2017/06/07/suricata-3-2-2-available/

[9] http://lists.squid-cache.org/pipermail/squid-announce/2017-June/000076.html

[10] https://kb.isc.org/article/AA-01507

[11] http://www.unbound.net/download.html

[12] https://curl.haxx.se/changes.html