IPFire is an open source firewall for i586, x86_64 and ARM systems. It includes an intrusion detection/prevention system, divides the network into zones, does stateful packet inspection and offers VPN options. For more information, we refer to this page. The developers have released version 2.27 Core Update 169 for production systems. The corresponding announcements look like this:
IPFire 2.27 – Core Update 169 released
The next Core Update – one of the biggest in size we have ever put together – is released: IPFire 2.27 – Core Update 169. It introduces the support of two-factor authentication (2FA) for OpenVPN clients, updates several core parts of the system, provides mitigations for another two types of CPU side-channel attacks, as well as package updates, bug fixes and other security improvements.
Before we talk in detail about what is new, I would like to ask you for your support. IPFire is a small team of people and like many of our open source friends, we’ve taken a hit this year and would like to ask you to help us out. Please follow the link below where your donation can help fund our continued development: https://www.ipfire.org/donate.
OpenVPN Two Factor Authentication
For OpenVPN clients, the setup of two-factor authentication based on time-based one-time passwords (TOTP) is now supported. It can be enforced on a per-client basis, preserving the flexibility of mixing end-user devices with machine clients, where no manual interaction is feasible during OpenVPN connection establishment. Further documentation on this feature can be retrieved here and here.
Updated Kernel, Updated linux firmware, Updated Toolchain – All in one go
This Core Update updates the Linux kernel to 5.15.49, thus providing our users with the usual bunch of bug fixes, plugged security vulnerabilities, and hardware support improvements. Particularly noteworthy are mitigations against another CPU side-channel attack, MMIO Stale Data, which can lead to the exposure of sensitive memory data. Further upstream documentation can be obtained here; IPFire systems not serving as a hypervisor for VMs (which we recommend against for production due to security reasons anyway) are most likely unaffected. The precise status of all known CPU vulnerabilities is displayed in the web interface. The following kernel hardening improvements have been made in addition:
- On x86_64 systems, kernel mitigations for straight-line speculation, another CPU side-channel vulnerability, have been enabled.
- Support for RPC dprintk debugging has been removed to cut potential attack surface.
- The YAMA Linux security module is now enabled to provide further control on ptrace operations, for which there is no legitimate use-case on an IPFire machine.
Due to an upstream change, the kernel will now always report to have 256 bits of entropy available. Therefore, the entropy graph has been removed, as it does not provide any useful information anymore.
linux firmware, the conglomerate of proprietary third party firmware, has been updated. That improves the hardware support, particularly for newer devices and components, and fixes bugs as well as security vulnerabilities in these binary blobs.
GCC, the GNU Compiler Collection, has been updated to 11.3.0, bringing fixes to bugs and regressions (some of them serious ones) from upstream to our users.
- For applications running on IPFire itself, the availability of Extension Mechanisms for DNS (EDNS0), as specified in RFC 2671, has now been properly announced. This has already been the case for DNS clients querying the resolver of an IPFire installation.
- Mount options of /boot have been hardened on flash images. Existing installations remain unchanged for the time being, but we plan to apply this change to them as well soon.
- IPFire’s NTP daemon will now use itself as a preferred time source, rather than any hardware RTC. As the latter can be quite unreliable, particularly if CMOS battery power is low, this will result in more accurate time synchronization.
- A bug in misc-progs, the safety net between the web interface and the operating system, has been fixed, which sometimes led to the swallowing of a command’s first argument.
- The Hardware Detection Tool (HDT) has been dropped from the CDROM menu, as it does not run on EFI and better tools are nowadays available for hardware detection.
- Plain OpenVPN PKCS12 files are now properly downloadable again (#12883).
- A missing dependency for DepositBackup has been added, making this add-on usable again (#12884).
- Spaces are now allowed again in OpenVPN static IP pool names (#12865).
- On IPFire instances running in various clouds, user-data scripts are now executed at the end of initialization, ensuring that such systems are fully initialized before conducting user-defined actions.
- The download URL for Talos IPS rulesets has been updated.
- Updated packages: Apache 2.4.54, bind 9.16.30, curl 7.81.1, fuse 3.11.0, gdb 12.1, iptables 1.8.8, libnetfilter_cthelper 1.0.1, libnetfilter_cttimeout 1.0.1, libxml2 2.9.14, libxslt 1.1.35, libyang 2.0.194, lmdb 0.9.29, logrotate 3.20.1, lzip 1.23, OpenSSL 1.1.1p, sqlite 3380500, Squid 5.6, tzdata 2022a, unbound 1.16.0, xfsprogs 5.16.0
- Updated add-ons: aws-cli 1.23.12, clamav 0.105.0, dnsdist 1.7.2, git 2.36.1, libvorbis 1.3.7, lynis 3.0.8, Postfix 3.7.2, python3-botocore 1.25.12, tmux 3.3, Tor 0.4.7.8
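The announcement above describes per-client TOTP enforcement for OpenVPN without showing the mechanics. The following is an added example written for this page; it is not IPFire's own code and does not reproduce how IPFire wires TOTP into OpenVPN. It implements RFC 4226/6238 code generation (HMAC-SHA1, dynamic truncation, 30-second step), a verifier that accepts one step of clock drift on either side, refuses to accept an already-consumed counter (so a captured code cannot be replayed within the window), and a per-client flag that exempts machine clients which cannot type a code, which is the mixed-fleet case the announcement is about. The client names, the `TotpGate` class, the skew window and the replay store are assumptions made here for illustration; the base32 secret is the RFC 6238 reference test secret.

```python
import base64
import hashlib
import hmac
import struct
from typing import Dict, Iterable, Optional

TIME_STEP = 30    # seconds per TOTP step (RFC 6238 default)
DIGITS = 6        # code length used by common authenticator apps
SKEW_STEPS = 1    # accept one step of clock drift on either side (assumption)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step)


class Client:
    """One OpenVPN client entry (hypothetical model). require_totp=False
    represents a machine client that cannot type a code; it is then
    authenticated by its certificate alone and carries no TOTP secret."""

    def __init__(self, name: str, require_totp: bool,
                 secret_b32: Optional[str] = None) -> None:
        self.name = name
        self.require_totp = require_totp
        self.secret = (base64.b32decode(secret_b32, casefold=True)
                       if secret_b32 else None)


class TotpGate:
    """Second-factor check, run after the certificate has already been
    validated. Remembers the last accepted counter per client so that a
    code observed once cannot be replayed inside the skew window."""

    def __init__(self, clients: Iterable[Client]) -> None:
        self._clients: Dict[str, Client] = {c.name: c for c in clients}
        self._last_counter: Dict[str, int] = {}

    def authenticate(self, name: str, code: Optional[str], unix_time: int) -> bool:
        client = self._clients.get(name)
        if client is None:
            return False
        if not client.require_totp:
            return True                      # machine client: certificate only
        if code is None or not code.isdigit() or len(code) != DIGITS:
            return False
        now_counter = unix_time // TIME_STEP
        last = self._last_counter.get(name, -1)
        for delta in range(-SKEW_STEPS, SKEW_STEPS + 1):
            counter = now_counter + delta
            if counter <= last:
                continue                     # already consumed: block replay
            # constant-time compare so the rejection path leaks nothing
            if hmac.compare_digest(hotp(client.secret, counter), code):
                self._last_counter[name] = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed fleet: one interactive user, one unattended backup host.
    gate = TotpGate([
        Client("alice-laptop", True, "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"),
        Client("backup-host", False),
    ])
    secret = base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = 59
    print("code for alice at t=59:", totp(secret, now))
    print("alice, correct code  :", gate.authenticate("alice-laptop", totp(secret, now), now))
    print("alice, same code again:", gate.authenticate("alice-laptop", totp(secret, now), now))
    print("backup-host, no code :", gate.authenticate("backup-host", None, now))
```

The two design points worth carrying into any real deployment are the replay store and the exemption flag: without the former, a one-time code is reusable for up to (2 * SKEW_STEPS + 1) * 30 seconds, and without the latter an unattended client either needs a human at every reconnect or ends up with its TOTP secret pasted into a script, which defeats the second factor. Real deployments also need the replay store to survive a restart and the secret to be stored only on the server side, neither of which this in-memory sketch does.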
| Version number | 2.27 – Core Update 169 |
| License type | Prerequisites (GNU/BSD/etc.) |