Howdy partners,

With Meltdown and Spectre just behind us, here comes another round of security advisories and assorted changes.

Three changes are worth mentioning: we are switching back to single-source NAT on the primary IP instead of using all additional VIPs on the interface. The hardware-assisted VLAN capability check was removed from the system, which enables e.g. XEN users to create VLANs. And the multi-WAN traffic shaping behaviour has been corrected for non-default interfaces within the scope of shared forwarding.

An image release based on this version is expected some time within the next week for completeness.

Here are the full patch notes:

system: reverse reload order for gateway switching on OpenVPN

system: implement password policies for local accounts

system: separate web GUI and configd log files

system: add syslog and login service visibility

system: show root as disabled in user manager if disabled

interfaces: no longer restrict VLAN driver capability

firewall: switch back to old NAT auto-outbound behaviour

firewall: reload schedules 1 minute later

firewall: filter descriptions option no longer exists

firewall: updated anti-lockout link (contributed by Michael Muenz)

firewall: fix help text in shaper masks (contributed by Michael Muenz)

firewall: add delay option to pipe in shaper (contributed by Michael Muenz)

reporting: add insight aggregator to service list

dashboard: large CPU usage widget (contributed by Team Rebellion)

dhcp: fix display of DUID in IPv6 leases

firmware: let opnsense-patch apply chmod even in partially failed patches

firmware: let opnsense-code fetch all remotes as well as prune them

intrusion detection: provide custom.yaml for user edits

web proxy: fix pid file pointer for service status probe

ui: help data-for attribute (contributed by NOYB)

ui: reversed zebra redraw on static page mobile forms

ui: cleanup for unused classes in static pages

mvc: add constraint type for dependent fields

plugins: merge rc.plugins_configure code into pluginctl

plugins: os-c-icap 1.5_1 service controller fix (contributed by Fabian Franz)

plugins: os-frr 1.3 adds BGP for IPv6 (contributed by Michael Muenz)

plugins: os-lcdproc-sdeclcd 1.0 release adds LCD usage to Lanner/Watchguard Firebox

plugins: os-monit 1.7 fixes compatibility with UI rework

plugins: os-rspamd 1.2 allows specifying bad file extensions (contributed by Fabian Franz and Michael Muenz)

plugins: os-shadowsocks 1.0 release (contributed by Michael Muenz)

plugins: os-theme-rebellion 1.0 release (contributed by Team Rebellion)

plugins: os-web-proxy-sso 2.2 adds XMLRPC sync (contributed by Smart-Soft)

plugins: os-web-proxy-useracl 1.1 adds XMLRPC sync (contributed by Smart-Soft)

plugins: os-zabbix-agent 1.2_1 fixes service controls

src: fix multi-WAN traffic shaper on non-default gateway interfaces

src: ipsec crash or denial of service[1]

src: vt console memory disclosure[2]

src: multiple small kernel memory disclosures[3]

src: timezone database information update[4]

ports: dnsmasq 2.79[5]

ports: openssl 1.0.2o[6]

ports: perl 5.26.1[7]

ports: php 7.1.16[8]

ports: squid 3.5.27 adds LDAP authentication

Stay safe,

Your OPNsense team

--

[1] https://security.freebsd.org/advisories/FreeBSD-SA-18:05.ipsec.asc

[2] https://security.freebsd.org/advisories/FreeBSD-SA-18:04.vt.asc

[3] https://security.freebsd.org/advisories/FreeBSD-EN-18:04.mem.asc

[4] https://security.freebsd.org/advisories/FreeBSD-EN-18:03.tzdata.asc

[5] http://www.thekelleys.org.uk/dnsmasq/CHANGELOG

[6] https://www.openssl.org/news/secadv/20180327.txt

[7] https://metacpan.org/pod/release/SHAY/perl-5.26.1/pod/perldelta.pod

[8] http://php.net/ChangeLog-7.php#7.1.16