Software Update: OPNsense 21.7.2

The package OPNsense is a firewall with extensive possibilities. It is based on the FreeBSD operating system and is originally a fork of m0n0wall and pfSense. The package can be set up completely via a web interface and has support for 2fa, openvpn, ipsec, carp and captive portal, among others. In addition, it can apply packet filtering and has a traffic shaper. The developers have released OPNsense 21.7.2 with the following announcement:

OPNsense 21.7.2 released

Today the following CVEs are being addressed:

CVE-2021-3711, CVE-2021-3712, CVE-2021-23840, CVE-2021-23841

Please note that the Let’s Encrypt client plugin is now called ACME client since acme.sh version 3 does support multiple providers.

Apart from the usual batch of fixes the work on RSS (receive side scaling) is progressing and groundwork has already made it to the kernel along with the libnetmap library for allowing better scaling in netmap mode along with it. At this point, however, RSS is not yet enabled and there is no impact on existing setups. That will likely change with one of the next stable versions in this series.

On the other hand, the work for FreeBSD 13 migration in 22.1 is ongoing as well to be able to test this rather sooner than later. In this iteration we will take the time to look at shared forwarding edge cases and have already upstreamed a number of patches that have been accumulated over the last couple of years to keep our code base light and tidy.

Here are the full patch notes:

• system: default RSS widget feed to forum announcements
• system: add missing ACL for Syslog targets page
• system: fix unescaped source field used for password in backup plugins
• system: reload FreeBSD services when reloading all services from console
• interfaces: use -M option in rtosold invoke in preparation for 22.1
• interfaces: correctly indent in dhclient configuration
• firewall: allow to specify port ranges for outgoing NAT (contributed by Nikolay Denev)
• firewall: fix long comment preventing IPFW reload (contributed by Robin Schneider)
• firewall: fix compare interfaces (contributed by Smart-Soft)
• firmware: opnsense-patch can now patch installer and updater files
• firmware: opnsense-update -c option now honors the -f option
• firmware: opnsense-update improvements for mirror manipulation options
• firmware: undo masking vulnerability URLs in FreeBSD due to UUID use
• firmware: also check plugins sync for up to date core package
• firmware: fix visibility issue on console when syncing plugins
• firmware: replace php version_compare() call with pkg-version shell command
• firmware: correctly announce major upgrade reboot in status return
• firmware: do not fetch GeoIP database from business mirrors without a subscription
• firmware: backend now supports reinstall like opnsense-bootstrap -q
• intrusion detection: skip ruleset empty metadata (contributed by kulikov-a)
• ipsec: fix a regression in rightsubnets for non-mobile phase 2
• ipsec: fix a regression in VTI handling
• ipsec: identity quoting for ASN1DN and FQDN types with “#” characters
• ipsec: add auto type for identities
• openvpn: fix client-config-dir regression
• openvpn: check IPv4 tunnel prefix (contributed by kulikov-a)
• openvpn: simplify CIDR validation and remove trim() usage
• web proxy: adding additional memory cache options (contributed by Xeroxxx)
• plugins: os-acme-client 3.0
• plugins: os-haproxy 3.5
• src: runtime RSS code preparations and assorted related upstream patches
• src: axgbe: remove unneccesary packet length check
• src: iflib: fix partial length accounting error in netmap mode
• src: lib: add libnetmap and related patches
• src: dhclient: skip_to_semi() consumes semicolon already
• src: rtsold: slighty change address read
• src: fix missing error handling in bhyve(8) device models
• src: fix remote code execution in ggatec(8)
• src: fix libfetch out of bounds read
• src: fix multiple OpenSSL vulnerabilities
• ports: ifinfo 13.0
• ports: lipressl 3.3.4
• ports: nss 3.69
• ports: monitor 5.29.0
• ports: mpd5 adds L2TP interoperability fix from upstream
• ports: openssl 1.1.1l
• ports: php 7.4.23
• ports: strongswan 5.9.3
• ports: sudo 1.9.7p2
• ports: unbound 1.13.2