Software Update: OPNsense 19.1.8


OPNsense is a firewall package with an extensive feature set. It is based on the FreeBSD operating system and began as a fork of m0n0wall and pfSense. It can be configured entirely through a web interface and supports 2FA, OpenVPN, IPsec, CARP and captive portal, among others. It also provides packet filtering and a traffic shaper. The developers have released OPNsense 19.1.8 with the following announcement:

OPNsense 19.1.8 released

Good day to you all,

This update addresses several privilege escalation issues in the access control implementation and new memory disclosure issues in Intel CPUs. We would like to thank Arnaud Cordier and Bill Marquette for the top-notch reports and coordination.

Here are the full patch notes:

  • system: address CVE-2019-11816 privilege escalation bugs[1] (reported by Arnaud Cordier)
  • system: /etc/hosts generation without interface_has_gateway()
  • system: show correct timestamp in config restore save message (contributed by nhirokinet)
  • system: list the commands for the pluginctl utility when no argument is given
  • system: introduce and use userIsAdmin() helper function instead of checking for ‘page-all’ privilege directly
  • system: use absolute path in widget ACLs (reported by Netgate)
  • system: RRD-related cleanups for less code exposure
  • interfaces: add EN DUID Generation using OPNsense PEN (contributed by Team Rebellion)
  • interfaces: replace legacy_getall_interface_addresses() usage
  • firewall: fix port validation in aliases with leading / trailing spaces
  • firewall: fix outbound NAT translation display in overview page
  • firewall: prevent CARP outgoing packets from using the configured gateway
  • firewall: use CARP net.inet.carp.demotion to control current demotion in status page
  • firewall: stop live log poller on error result
  • dhcpd: change rule priority to 1 to avoid bogon clash
  • dnsmasq: only admins may edit custom options field
  • firmware: use insecure mode for base and kernel sets when package fingerprints are disabled
  • firmware: add optional device support for base and kernel sets
  • firmware: add Hostcentral mirror (HTTP, Melbourne, Australia)
  • ipsec: always reset rightallowany to default when writing configuration
  • lang: say “hola” to Spanish as the newest available GUI language
  • lang: updates for Chinese, Czech, Japanese, German, French, Russian and Portuguese
  • network time: only admins may edit custom options field
  • openvpn: call openvpn_refresh_crls() indirectly via plugin_configure() for less code exposure
  • openvpn: only admins may edit custom options field to prevent privilege escalation (reported by Bill Marquette)
  • openvpn: remove custom options field from wizard
  • unbound: only admins may edit custom options field
  • wizard: translate type hint as well
  • plugins: os-freeradius 1.9.3 fixes string interpolation in LDAP filters (contributed by theq86)
  • plugins: os-nginx 1.12[2]
  • plugins: os-theme-cicada 1.17 (contributed by Team Rebellion)
  • plugins: os-theme-tukan 1.17 (contributed by Team Rebellion)
  • src: timezone database information update[3]
  • src: install(1) broken with partially matching relative paths[4]
  • src: Microarchitectural Data Sampling (MDS) mitigation[5]
  • ports: ca_root_nss 3.44
  • ports: php 7.2.18[6]
  • ports: sqlite 3.28.0[7]
  • ports: strongswan custom XAuth generic patch removed

Stay safe,
Your OPNsense team

Version number: 19.1.8
Release status: Final
Operating systems: BSD
Website: OPNsense
License type: Conditions (GNU/BSD/etc.)