Current File : //backups/router/usr/local/opnsense/changelog/24.1.2.htm
<p>Hello world,</p><p>It is time to move back to Suricata version 7 after identifying the relevant default option changes in order to keep IPS/Netmap happy when running it. Kea also received a number of tweaks and updates as well as our VPN service integrations.</p><p>Last but not least this includes FreeBSD 13.2-p10 and the recent DNS denial of service attack mitigation.</p><p>Here are the full patch notes:</p><p><ul><li>system: accept colon character in log queries</li><li>system: add issuer and logo to OTP link</li><li>system: fix gateway migration issue causing individual items to be skipped</li><li>reporting: update traffic graph colors to be contrast and consistent (contributed by brotherla)</li><li>interfaces: fix strpos() deprecation null haystack</li><li>interfaces: add missing ACL entries for ARP/NDP tables</li><li>interfaces: fix VXLAN validation</li><li>firewall: change default traffic normalization behavior and choose "in" as standard direction for manual rules</li><li>firewall: make select width more consistent on alias diagnostics table selection</li><li>dhcp: set RemoveAdvOnExit to off in CARP mode for router advertisements</li><li>dhcp: make sure the register DNS leases options reflect that this is only supported for ISC DHCP</li><li>dhcp: make option_data_autocollect option more explicit in Kea</li><li>dhcp: gather missing Kea leases another way since the logs are unreliable</li><li>dhcp: add address constraint to Kea reservations</li><li>dhcp: add unique constraint for MAC address + subnet in Kea</li><li>dhcp: add domain-name to client configuration in Kea</li><li>dhcp: loosen constraints for TFTP boot in Kea</li><li>intrusion detection: adjust for default behaviour changes in Suricata 7</li><li>ipsec: improve enable button placement on connections page</li><li>ipsec: show EAP-RADIUS settings only when legacy tunnels are being used</li><li>ipsec: allow % to support %any in ID for connections</li><li>openvpn: when "cert_depth" is left empty it should ignore the value</li><li>openvpn: data-ciphers-fallback should be a single option</li><li>openvpn: fix support for /30 p2p/net30 instances</li><li>openvpn: add "various_push_flags" field for simple boolean server push options in connections</li><li>unbound: prevent os.write() on None when another thread closed the pipe in Python module</li><li>wireguard: key constraints should only apply on peers and not instances</li><li>wireguard: peer uniqueness should depend on pubkey + endpoint</li><li>wireguard: skip attached instance address routes</li><li>wireguard: remove duplicate ID columns</li><li>mvc: fix Phalcon 5.4 and up</li><li>src: jail: fix information leak[<a target="_blank" href="https://www.freebsd.org/security/advisories/FreeBSD-SA-24:02.tty.asc">1</a>]</li><li>src: bhyveload: use a dirfd to support -h[<a target="_blank" href="https://www.freebsd.org/security/advisories/FreeBSD-SA-24:01.bhyveload.asc">2</a>]</li><li>src: EVFILT_SIGNAL: do not use target process pointer on detach[<a target="_blank" href="https://www.freebsd.org/security/advisories/FreeBSD-EN-24:03.kqueue.asc">3</a>]</li><li>src: setusercontext(): apply personal settings only on matching effective UID[<a target="_blank" href="https://www.freebsd.org/security/advisories/FreeBSD-EN-24:02.libutil.asc">4</a>]</li><li>src: re: generate an address if there is none in the EEPROM</li><li>src: wg: detect loops in netmap mode</li><li>src: wg: detach bpf upon destroy as well</li><li>src: wg: fix access to noise_local->l_has_identity and l_private</li><li>src: wg: fix erroneous calculation in calculate_padding() for p_mtu == 0</li><li>plugins: os-acme-client 4.1[<a target="_blank" href="https://github.com/opnsense/plugins/blob/stable/24.1/security/acme-client/pkg-descr">5</a>]</li><li>plugins: os-ddclient 1.21[<a target="_blank" href="https://github.com/opnsense/plugins/blob/stable/24.1/dns/ddclient/pkg-descr">6</a>]</li><li>plugins: os-dnscrypt-proxy 1.15[<a target="_blank" href="https://github.com/opnsense/plugins/blob/stable/24.1/dns/dnscrypt-proxy/pkg-descr">7</a>]</li><li>ports: dnsmasq 2.90[<a target="_blank" href="https://www.thekelleys.org.uk/dnsmasq/CHANGELOG">8</a>]</li><li>ports: openvpn 2.6.9[<a target="_blank" href="https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26#Changesin2.6.9">9</a>]</li><li>ports: phalcon 5.6.1[<a target="_blank" href="https://github.com/phalcon/cphalcon/releases/tag/v5.6.1">10</a>]</li><li>ports: radvd adds upstream patch for RemoveAdvOnExit option</li><li>ports: suricata 7.0.3[<a target="_blank" href="https://suricata.io/2024/02/08/suricata-7-0-3-and-6-0-16-released/">11</a>]</li><li>ports: unbound 1.19.1[<a target="_blank" href="https://nlnetlabs.nl/projects/unbound/download/#unbound-1-19-1">12</a>]</li></ul></p><p>A hotfix release was issued as 24.1.2_1:</p><p><ul><li>system: fix dynamic gateway persisting its address</li></ul></p><p><br>Stay safe,<br> Your OPNsense team</p>
Mini Shell