siosios
05-13-2023, 03:08 AM
The first Core Update in 2023 is ready for testing: IPFire 2.27 - Core Update 173. It introduces support for Qualcomm's MSM Interface (QMI), features a kernel fresh from the latest 6.1 stable series, as well as the usual plethora of package updates, security improvements and bug fixes.
IPFire users running 32-bit ARM devices should note that support for this architecture will sunset on February 28, 2023, as announced previously (https://blog.ipfire.org/post/ipfire-2-27-core-update-171-released-security-advisory), and are advised to migrate their installations to a hardware architecture supported (https://wiki.ipfire.org/hardware) by IPFire now.
Introducing QMI support
The Qualcomm MSM Interface is a proprietary interface increasingly used by 4G and 5G cellular modems (https://wiki.ipfire.org/installation/red/mobile). Commencing with this Core Update, IPFire supports interacting with such modems through libqmi, thus significantly expanding its hardware compatibility to QMI-only cellular modems, and providing a faster and more modern interface to cellular modems providing both a QMI interface and its legacy counterpart.
Thanks to Michael for implementing this feature. On that occasion, he also refactored related networking code.
Linux Kernel 6.1.11
Arne has updated the Linux kernel to the most recent stable series, 6.1.x, which is expected to become a new long-term series. Aside from the usual improvements such major kernel updates bring - bug fixes, hardware support (which is accompanied by an update of linux-firmware in this Core Update) and security improvements, and so on - we took the occasion to bring several new hardening changes to IPFire users:
System calls permitting processes to read or write other processes' memory are no longer provided by the kernel.
On EFI systems supporting it, the firmware is now instructed to wipe all memory when rebooting, to hamper cold boot attacks.
Landlock support has been enabled.
GCC's "latent entropy" plugin has been disabled, since it does not generate cryptographically secure entropy.
To cut attack surface, support for both the ACPI configuration file system and obsolete PCMCIA/CardBus subsystem has been removed.
On 64-bit ARM installations, direct memory access via malicious PCI devices is no longer possible.
Miscellaneous
The OpenVPN 2FA (https://blog.ipfire.org/post/openvpn-otp-2fa) authenticator will no longer enter an infinite loop if the socket connection to OpenVPN is lost (#12963 (https://bugzilla.ipfire.org/show_bug.cgi?id=12963)).
A user group necessary for interaction between D-Bus and Avahi is now properly created while installing the latter add-on (#13017 (https://bugzilla.ipfire.org/show_bug.cgi?id=13017)).
The OpenVPN GUI (https://wiki.ipfire.org/configuration/services/openvpn) has seen minor improvements and cleanups (#13030 (https://bugzilla.ipfire.org/show_bug.cgi?id=13030)).
A bug in the firewall engine permitting the creation of rules with invalid sources has been resolved.
Input like *.example.com is now properly treated as a wildcard domain by the web interface (#12937 (https://bugzilla.ipfire.org/show_bug.cgi?id=12937)).
libtirpc is now part of the core system, since it is needed as a dependency by lsof (#13015 (https://bugzilla.ipfire.org/show_bug.cgi?id=13015)).
The obsolete spandsp add-on has been dropped.
Updated packages: Apache 2.4.55, bind 9.16.37, curl 7.87.0, ethtool 6.1, file 5.44, fontconfig 2.14.1, fuse 3.13.0, grep 3.8, harfbuzz 6.0.0, iana-etc 20221226, iproute2 6.1.0, ipset 7.17, iptables 1.8.9, iputils 20221126, iw 5.19, jquery 3.6.3, json-c 0.16, keyutils 1.6.3, knot 3.2.4, krb5 1.20.1, lcms2 2.14, less 608, libarchive 3.6.2, libcap 2.66, libconfig 1.7.3, libffi 3.4.4, libgpg-error 1.46, libidn 1.41, libinih r56, libjpeg 2.1.4, libloc 0.9.16, libmpc 1.3.1, libpcap 1.10.3, libssh 0.10.4, libstatgrab 0.92.1, libtiff 4.5.0, libtool 2.4.7, libusb 1.0.26, libxslt 1.1.37, libyang 2.1.4, linux-firmware 20221214, logrotate 3.21.0, lz4 1.9.4, memtest86+ 6.01, mpfr 4.2.0, nano 7.2, ncurses 6.4, OpenSSH 9.2p1, OpenSSL 1.1.1t, pcre2 10.42, perl-HTML-Parser 3.78, pixman 0.42.2, poppler 23.01.0, psmisc 23.6, rust 1.65, sdl2 2.26.2, shadow 4.13, sqlite 3400100, squid-asnbl 0.2.4 (resolving #13023 (https://bugzilla.ipfire.org/show_bug.cgi?id=13023)), strongswan 5.9.9, sudo 1.9.12p2, suricata 6.0.10, xfsprogs 6.1.1, xz 5.4.1
Updated add-ons: alsa 1.2.8, bird 2.0.11, borgbackup 1.2.3 (resolving #13032 (https://bugzilla.ipfire.org/show_bug.cgi?id=13032)), ClamAV 1.0.1, dbus 1.14.4, dnsdist 1.7.3, ghostscript 10.0.0, haproxy 2.7.1, igmpproxy 0.4, iotop 1.22, iperf 2.1.8, iperf3 3.12, libcdada 0.4.0, libexif 0.6.24, libpciaccess 0.17, libshout 2.4.6, libtalloc 2.3.4, libusbredir 0.13.0, libvirt 8.10.0, mc 4.8.29, nfs 2.6.2, nqptp ad384f9, pcengines-apu-firmware 4.17.0.3, python3-packaging 23.0, samba 4.17.4, shairport-sync 4.1.1, strace 6.1, tcpdump 4.99.3, Tor 0.4.7.13
As always, we thank all people contributing to this release in whatever shape and form. Please help testing this update (https://wiki.ipfire.org/configuration/ipfire/pakfire/testing), especially if you are using exotic hardware, uncommon network setups, or add-ons, and provide feedback - which is absolutely essential to us.
More... (https://blog.ipfire.org/post/ipfire-2-27-core-update-173-is-available-for-testing)
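Added example, not part of the original post and not IPFire code: a small C probe an administrator can run after updating to check two of the kernel hardening changes listed above from user space. It assumes the removed cross-process memory system calls are process_vm_readv/process_vm_writev (the post does not name them); the fallback syscall number 444 and all function and enum names are illustrative.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <unistd.h>

#ifndef SYS_landlock_create_ruleset
#define SYS_landlock_create_ruleset 444  /* assumed fallback for old libc headers */
#endif
#define LL_VERSION_FLAG 1UL  /* LANDLOCK_CREATE_RULESET_VERSION in <linux/landlock.h> */

enum probe { PROBE_PRESENT, PROBE_ABSENT, PROBE_DISABLED, PROBE_UNKNOWN };

/* ENOSYS: syscall not built into the kernel. EOPNOTSUPP: Landlock built in but
   disabled at boot. Anything else (e.g. EPERM from seccomp) is inconclusive. */
enum probe classify(long ret, int err) {
    if (ret >= 0) return PROBE_PRESENT;
    if (err == ENOSYS) return PROBE_ABSENT;
    if (err == EOPNOTSUPP) return PROBE_DISABLED;
    return PROBE_UNKNOWN;
}

/* Read 4 bytes of our own memory through process_vm_readv (harmless self-probe). */
enum probe probe_cross_memory(void) {
    int src = 0x173, dst = 0;
    struct iovec l = { &dst, sizeof dst }, r = { &src, sizeof src };
    long ret = syscall(SYS_process_vm_readv, (long)getpid(), &l, 1UL, &r, 1UL, 0UL);
    return classify(ret, errno);
}

/* Ask the kernel for its Landlock ABI version; *abi receives it (or -1). */
enum probe probe_landlock(long *abi) {
    long ret = syscall(SYS_landlock_create_ruleset, NULL, 0UL, LL_VERSION_FLAG);
    int err = errno;
    if (abi) *abi = ret;
    return classify(ret, err);
}

int main(void) {
    static const char *name[] = { "present", "absent (ENOSYS)", "disabled", "unknown" };
    long abi = -1;
    enum probe cm = probe_cross_memory(), ll = probe_landlock(&abi);
    printf("process_vm_readv: %s (expected after update: absent)\n", name[cm]);
    printf("landlock: %s, ABI %ld (expected after update: present)\n", name[ll], abi);
    return (cm == PROBE_ABSENT && ll == PROBE_PRESENT) ? 0 : 1;
}
```

An "unknown" result usually means a sandbox or seccomp filter answered instead of the kernel configuration, so run the probe directly on the firewall host rather than inside a container.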