Software update: IPFire 2.27 – Core Update 174

IPFire is an open source firewall for i586, x86_64 and ARM systems. It includes an intrusion detection/prevention system, divides the network into zones, performs stateful packet inspection and offers VPN options. For more information please refer to this page. The developers have released version 2.27 Core Update 174, a stable release for production systems. The accompanying notes look like this:

IPFire 2.27 – Core Update 174 released

The next Core Update has been released: IPFire 2.27 – Core Update 174. It is a traditional spring clean release which updates major parts of the core system and comes with a large number of bug fixes throughout.

This update also comes with a number of security patches in Apache, cURL and more, but none of them have been assessed as being exploitable on IPFire. Nevertheless, we intend to bring those updates to all of our users as soon as possible, and encourage speedy installation of Core Update 174.

Updated Toolchain

The “toolchain” includes the most basic parts to build software and consists of GCC as the compiler, Binutils as the assembler and linker, and glibc as the C standard library. They have been updated to their latest versions improving performance for all generated code and fixing bugs. Although they are not as exciting for our users, they are the building blocks IPFire is founded on and make it the modern, fast and secure distribution that it is.

Bug fixes

• The OpenVPN CGI will now display the expiry date of certificates.
• Duplicate address issuance by the DHCP server in case of overlapping fixed leases has been corrected (#10629).
• Customizing the Snort/VRT GPLv2 Community IPS ruleset has been fixed (#12948).
• The logs of apcupsd are now accessible through the system log viewer (#12950), as are the logs of the HAProxy add-on (#12922).
• Several CGIs have received CSS cleanups, resulting in better appearance (#13024, #13039).
• The Content-Type header of emails generated by the core system itself and various add-ons has been changed from multipart/mixed to multipart/alternative to avoid useless attachment icon display in some MUAs (#13040).
• Faulty CGI behavior after toggling logging of dropped packages by the IP blocklists firewall component has been fixed (#12979).
• An overly permissive regular expression for parsing unbound log data has been corrected.
• The external traffic status page will now always use the correct interface to display traffic data from.
• efivar is now properly instructed to adjust instructions to the target architecture rather than that of the build host.
• The CPU graph has been redesigned for systems with large numbers of processor cores (#12890).
• Reloading IP block lists after an update has been fixed (#13072).

Miscellaneous

• rng-tools has been moved from the core system to an add-on (#12900).
• Conversely, perl-TimeDate is now part of the core system, since it became a dependency of the OpenVPN C.G.I.
• Arne has worked a lot on bringing the RISC-V build up to speed.
• IPFire’s trust store has been synced against Mozilla’s current trusted CA certificate bundle.
• Useless Qualcomm Bluetooth firmware files are no longer shipped (IPFire dropped Bluetooth support a long time ago due to security reasons), saving a couple of megabytes on new and existing IPFire installations alike.
• Updated packages: apache 2.4.56, apr 1.7.2, bind 9.16.38, binutils 2.40, boost 1.81.0, curl 7.88.1, elinks 0.16.0, ethtool 6.2, freetype 2.13.0, gcc 12.2.0, glibc 2.37, gnutls 3.8.0, grep 3.9, harfbuzz 7.0.1, intel microcode 20230214, iproute2 6.2.0, libtirpc 1.3.3, liburcu 0.14.0, linux firmware 20230210, lmdb 0.9.30, logwatch 7.8, lsof 4.98 .0, pango 1.50.13, poppler 23.03.0, poppler-data 0.4.12, qpdf 11.3.0, rest 1.67.0, squid 5.8, strongswan 5.9.10 (fixes CVE-2023-26463which is not exploitable on IPFire unless heavily customized IPsec connections have been configured using the CLI rather than the IPsec web interface), sudo 1.9.13p3, tzdata 2022g, wireless-regdb 2023-02-12, zstd 1.5.4
• Updated add-ons: cups 2.4.2, dbus 1.14.6, epson-inkjet-printer-escpr 1.7.23, fetchmail 6.4.36, HAProxy 2.7.4, htop 3.2.2, make 4.4.1, monit 5.33.0 , pcengines-apu-firmware 4.19.0.1, python3-setuptools 67.5.1, samba 4.17.5