<p>Hello,</p><p>Apart from security updates for the operating system and third-party software, this release mainly fixes issues with the initial 23.1 release. IPsec and Unbound, the more prominent areas of work for this series, receive a number of improvements. Unbound also gained a SafeSearch option, and the new reporting database should use much less CPU and be easier to use.</p><p>Overall we are happy with how the major release turned out and look forward to further fixes, e.g. in the Netmap framework, including the Suricata changes for multi-threading support which have been in the works for a long time. The OpenVPN 2.6 update and related changes are also pending at the moment.</p><p>The roadmap for 23.7 will be published soon and will again include a number of MVC/API conversions for static components. Statistics indicate that we are over 60% done converting the code base to a modern framework compared to early 2015, which is now already over 8 years ago!</p><p>Here are the full patch notes:</p><p><ul><li>system: replace single exec_command() with new shell_safe() wrapper</li><li>system: fix assorted PHP 8.1 deprecation notes</li><li>system: remove overreaching "Reconfigure a plugin facility" cron job and backend command that has no visible users</li><li>interfaces: fix VLAN rename after protocol addition in 23.1</li><li>interfaces: fix VLAN missing a config lock on delete</li><li>interfaces: make description field show for all types of VIP (contributed by FingerlessGloves)</li><li>interfaces: allow VHID reuse as it was before 23.1</li><li>firewall: prevent possible infinite loop in alias parsing (contributed by kulikov-a)</li><li>firewall: do not calculate local port range for alias (contributed by kulikov-a)</li><li>firewall: update validation of alias names to be slightly more restrictive</li><li>firewall: safeguard download_geolite() and log errors</li><li>firewall: do not switch gateway on bootup</li><li>captive portal: enforce a database 
repair during operation if necessary</li><li>firmware: move single-call function to reporter page</li><li>intrusion detection: properly reset metadata response when no metadata is found</li><li>ipsec: allow "@" character in eap_id fields for new connections</li><li>ipsec: missing remapping pool UUID to name for new connections</li><li>ipsec: change status column sizing and hide local/remote auth by default</li><li>ipsec: fix username parsing in lease status</li><li>ipsec: refactor widget to use new data format</li><li>ipsec: migrate duplicated cron job</li><li>ipsec: faulty unique constraint in pre-shared keys</li><li>ipsec: fix eap_id placement for eap-mschapv2</li><li>unbound: simplify logger logic for required queries</li><li>unbound: add SafeSearch option to blocklists</li><li>unbound: match white/blocklist action exactly from reporting page</li><li>unbound: always prioritize whitelists over blocklists</li><li>unbound: various UX improvements in reporting page</li><li>unbound: add serve-expired, log-servfail, log-local-actions and val-log-level advanced settings</li><li>unbound: drop unnecessary index from reporting database and other optimizations to lower CPU usage</li><li>unbound: add HTTPS record type to reporting</li><li>unbound: remember reporting page logarithmic setting</li><li>unbound: missing global so that cache is never flushed when requested</li><li>mvc: cleanse $record input in searchRecordsetBase() before usage</li><li>plugins: os-haproxy 4.1[<a target="_blank" href="https://github.com/opnsense/plugins/blob/stable/23.1/net/haproxy/pkg-descr">1</a>]</li><li>plugins: os-openconnect 1.4.4[<a target="_blank" href="https://github.com/opnsense/plugins/blob/stable/23.1/security/openconnect/pkg-descr">2</a>]</li><li>plugins: os-qemu-guest-agent 1.2[<a target="_blank" href="https://github.com/opnsense/plugins/blob/stable/23.1/emulators/qemu-guest-agent/pkg-descr">3</a>]</li><li>plugins: os-tayga fixes MVC interface registration</li><li>plugins: 
os-wireguard fixes MVC interface registration</li><li>src: geli: split the initialization of HMAC[<a target="_blank" href="https://www.freebsd.org/security/advisories/FreeBSD-SA-23:01.geli.asc">4</a>]</li><li>src: fix ena driver crash after reset in 7th gen AWS instance types[<a target="_blank" href="https://www.freebsd.org/security/advisories/FreeBSD-EN-23:03.ena.asc">5</a>]</li><li>src: fix sdhci broken write-protect settings[<a target="_blank" href="https://www.freebsd.org/security/advisories/FreeBSD-EN-23:02.sdhci.asc">6</a>]</li><li>src: import tzdata 2022g[<a target="_blank" href="https://www.freebsd.org/security/advisories/FreeBSD-EN-23:01.tzdata.asc">7</a>]</li><li>src: ipsec: clear pad bytes in PF_KEY messages</li><li>src: fib_algo: set vnet when destroying algo instance</li><li>src: if_ipsec: handle situations where there are no policy or SADB entry for if</li><li>src: if_ipsec: protect against user supplying unknown address family</li><li>src: if_me: use dedicated network privilege</li><li>src: vxlan: add support for socket ioctls SIOC[SG]TUNFIB</li><li>src: introduce and use the NET_EPOCH_DRAIN_CALLBACKS() macro</li><li>src: iflib: add null check to iflib_stop()</li><li>src: x86: ignore stepping for APL30 errata</li><li>src: pfctl: rule.label is a two-dimensional array</li><li>src: pf: fix syncookies in conjunction with tcp fast port reuse</li><li>src: pf: fix panic on deferred packets</li><li>src: ipfw: add missing 'va' code point name</li><li>src: netmap: try to count packet drops in emulated mode</li><li>src: netmap: fix a queue length check in the generic port rx path</li><li>src: netmap: tell the compiler to avoid reloading ring indices</li><li>ports: remove GnuTLS workarounds from ports previously required for LibreSSL</li><li>ports: dnsmasq 2.89[<a target="_blank" href="https://www.thekelleys.org.uk/dnsmasq/CHANGELOG">8</a>]</li><li>ports: dpinger 3.3[<a target="_blank" 
href="https://github.com/dennypage/dpinger/releases/tag/v3.3">9</a>]</li><li>ports: lighttpd 1.4.68[<a target="_blank" href="https://www.lighttpd.net/2023/1/3/1.4.68/">10</a>]</li><li>ports: openssh 9.1p1[<a target="_blank" href="https://www.openssh.com/txt/release-9.1">11</a>]</li><li>ports: openssl 1.1.1t[<a target="_blank" href="https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md">12</a>]</li><li>ports: php 8.1.15[<a target="_blank" href="https://www.php.net/ChangeLog-8.php#8.1.15">13</a>]</li></ul></p><p>A hotfix release was issued as 23.1.1_2:</p><p><ul><li>captive portal: remove mod_evasion use which was discontinued by lighttpd</li><li>unbound: wait for pipe in logger (contributed by kulikov-a)</li></ul></p><p>The captive portal's built-in rate limiting, which capped connections from the same IP to the portal itself at 250, was removed. It can easily be replaced by a manual firewall rule with advanced options set, e.g. "Max established" set to 250 and destination "This Firewall".</p><p><br>Stay safe,<br> Your OPNsense team</p>
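As an added illustration (not a rule generated by OPNsense or taken from the changelog) of what the replacement firewall rule for the removed captive portal limit amounts to in pf.conf terms, assuming the GUI's "Max established" option maps to pf's max-src-conn state option and "This Firewall" to (self), and using constructed placeholders for the portal interface and listen ports:

```pf
# Added example; interface name and ports are constructed placeholders, not OPNsense defaults.
cp_if = "igc1"
cp_ports = "{ 8000, 8001 }"

# Replacement for the removed per-IP limit: at most 250 established TCP connections
# from any single source address to the firewall's own addresses on the portal ports.
# "Max established" in the GUI is assumed to correspond to max-src-conn here.
pass in quick on $cp_if proto tcp from any to (self) port $cp_ports \
    flags S/SA keep state (max-src-conn 250)
```

After saving the GUI rule, `pfctl -sr` shows the loaded ruleset, where the rule should carry the `max-src-conn 250` state option; if it does not, the advanced option was not applied.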