Hi all,This is a smaller stable update consisting of LDAPS authentication server improvements, Unbound host overrides alias support, OpenSSL 1.0.2r security update and the recent PAM rework for better privilege separation.We are currently focusing on IPsec VTI, third-party service PAM integration and investigating kernel boot crashes. In the latter case we are aware of the update issues some people are having and recommend running 18.7 until this is taken care of. Above all, please be patient. New images and seamless upgrade paths will be provided as soon as the problems have been pinned down.Here are the full patch notes:o system: improve LDAPS mode and related authentication cleanupso system: move enable checkbox to the top in remote logging settingso system: allow reset of tunables to to factory defaultso system: new tunables factory default to prevent ICMP redirects being sent (net.inet.icmp.drop_redirect=1)o firewall: allow explicitly setting source hash key in outbound NAT (Fredrik Ronnvall)o interfaces: probe media before applying new settingso interfaces: correctly compare MAC addresseso dhcp: added TFTP bootfile-name (contributed by Bjorn Kalkbrenner)o firmware: move duty to return the correct set name / ID to opnsense-versiono firmware: finally revoke 18.7 fingerprinto intrusion detection: minor template cleanups using helpers.empty()o ipsec: peer identifier can now fall back to remote-gateway in manual SPD entrieso ipsec: allow easier override of colours in widget (contributed by Fabian Franz)o monit: add validation for test type (contributed by Frank Brendel)o openvpn: add auth-nocache option in exportero openvpn: validate certificate type for serverso unbound: add host overrides alias supporto web proxy: add auth to parent proxy (contributed by Michael Muenz)o backend: add helpers.empty() in configdo mvc: simplify save / close / cancel button labelso mvc: add sorting for field list typeso rc: move all template generation to early stageo ui: improve escaping of displayed data in static pageso ui: escape button values in static pageso ui: avoid short PHP tagso plugins: os-dnscrypt-proxy 1.3[1]o plugins: os-frr brings in missing area range code[2]o plugins: os-postfix log file ACL and wrapper mode typo fix (contributed by Michael Muenz)o plugins: os-theme-cicada IPsec widget colour fix (contributed by Team Rebellion)o plugins: os-theme-tukan IPsec widget colour fix (contributed by Team Rebellion)o plugins: os-vnstat /var MFS fix[3]o plugins: os-zabbix4-proxy 1.0 (contributed by Michael Muenz)o ports: openssl 1.0.2r[4]o ports: pam_opnsense 19.1.3 uses setuid for privilege separationo ports: phalcon 3.4.3[5]Stay safe,Your OPNsense team--[1] https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr [2] https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr [3] https://github.com/opnsense/plugins/blob/master/net/vnstat/pkg-descr [4] https://www.openssl.org/news/secadv/20190226.txt [5] https://github.com/phalcon/cphalcon/releases/tag/v3.4.3