siosios
08-13-2024, 06:56 PM
Finally it is time for another release of IPFire: IPFire 2.29 Core Update 187! It protects your network better against (Distributed) Denial-of-Service attacks and uses SIMD instructions for the Intrusion Prevention System on ARM for more throughput. It also comes with a number of security fixes in OpenSSH, Suricata and Apache2 as well as the usual package of bug fixes and software updates.
But before we start talking about the changes in detail, we would like to take a moment and ask for your support. We put a lot of effort into building and testing this update and could not do any of this without your donation. Please, donate today (https://www.ipfire.org/donate) helping us to put more resources to bring you more and better updates. It is very much appreciated by all of us here!
Advanced (Distributed) Denial-of-Service Protection
Since IPFire is very commonly deployed in data centres where denial-of-service attacks happen on a regular basis, we now have added better protection against those kinds of attacks. Formerly, the system protected itself rather well against (D)DoS attacks, but this was only limited if TCP connections terminated at the firewall itself like for reverse proxies, etc.
Now, IPFire can use TCP SYN cookies to protect infrastructure behind it better against SYN flood attacks. This is especially useful in high-bandwidth scenarios and cloud deployments and can be activated with only one checkbox separately for each firewall rule.
Read an in-depth explanation on how this works on the IPFire Blog. (https://www.ipfire.org/blog/ipfire-against-the-bad-guys-denial-of-service-protection-of-up-to-hundreds-of-gigabit-s)
Misc.
The IP Blocklist feature now supports two more lists: 3CORESec and Abuse.ch Botnet C2.
Since Intel's Hyperscan (https://www.hyperscan.io) library is no longer available as free software, we have changed to Vectorscan (https://github.com/VectorCamp/vectorscan), which is a fork of the original Hyperscan. On top of supporting the x86_64 architecture, Vectorscan supports ARM64 as well, which should bring performance improvements for the Intrusion Prevention System.
The firewall will now create more rules when configured in the most restrictive mode to allow IPsec traffic to flow for any local connections.
It is now possible to create IPsec connections using an FQDN as Local/Remote ID instead of the usual email address-like format using the @@ prefix. With the @# prefix it is now also possible to match a connection by the ID of a key.
Unprivileged programs can no longer use the bpf() syscall. This is a precautionary measure as currently no program requires this, but it might be exploited by any attacker who manages to inject and execute code.
OpenSSH has been updated to version 9.8p1 to address the recently discovered privilege escalation attack commonly known as regreSSHion (https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server).
Updated packages: Apache 2.4.61 (Addressing CVE-2024-39573 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-39573), CVE-2024-38477 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-38477), CVE-2024-38476 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-38476), CVE-2024-38475 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-38475), CVE-2024-38474 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-38474), CVE-2024-38473 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-38473), CVE-2024-38472 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-38472), CVE-2024-36387 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-36387) and CVE-2024-39884 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-39884)), BIND 9.16.50, cpio 2.15, cURL 8.8.0, dhcpcd 10.0.8, e2fsprogs 1.47.0, ed 1.20.2, ethtool 6.9, GCC 13.3.0, GnuTLS 3.8.5, iana-etc 20240502, Intel Microcode 20240531, iw 6.9, jq 1.7.1, kbd 2.6.4, libedit 20240517-3.1, zip 1.24.1, man-pages 6.8, mdadm 4.3, ntp 4.2.8p18, oath-toolkit 2.6.11, PAM 1.6.1, PCRE2 10.43, psmisc 23.7, screen 4.9.1, shadow 4.15.1, SQLite 3.46.0, squid 6.10, Suricata 7.0.6 addressing various security and stability fixes, Unbound 1.20.0, util-linux 2.40.1, vim 9.1, whois 5.5.23, xfsprogs 6.8.0, Zstd 1.5.6
Add-ons
apcupsd now sends email if power was lost and recovered.
Updated packages: dnsdist 1.9.4, fetchmail 6.4.38, Git 2.45.2, hplip 3.23.12, monit 5.34.0, nano 8.0, nut 2.8.2, Postfix 3.9.0, rsync 3.3.0, Samba 4.20.2, taglib 2.0.1, tmux 3.4, Tor 0.4.8.12, traceroute 2.1.5, tshark 4.2.5, wsdd 0.8, Zabbix Agent 6.0.30 (LTS)
After installing this update, please reboot your IPFire appliance.
More... (https://www.ipfire.org/blog/ipfire-2-29-core-update-187-released)
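As an added illustration of the mechanism behind the per-rule SYN cookie feature announced above (example code written for this post, not IPFire's or the Linux kernel's code): a stateless firewall answers every SYN with a SYN-ACK whose sequence number is a keyed hash of the connection 4-tuple plus a coarse time counter, with the client's MSS folded into the low bits. Nothing is stored until the client's final ACK returns that number plus one, so a flood of SYNs from spoofed sources costs the firewall no memory. The layout (hash + counter + MSS index) is modelled on the scheme used by the Linux kernel's syncookies code; the secret, addresses, ports, ISN, MSS table and counter granularity are all constructed values for the example.

```python
"""Simplified SYN cookie generator and validator, constructed for illustration."""
import hashlib
import hmac
import struct

# Constructed secret; a real implementation derives a per-boot random secret.
SECRET = b"constructed-example-secret-do-not-reuse"

COOKIE_BITS = 24                     # low bits carry the encoded MSS index
COOKIE_MASK = (1 << COOKIE_BITS) - 1
MAX_COOKIE_AGE = 2                   # counter ticks (minutes) a cookie stays valid
MSS_TABLE = [536, 1300, 1440, 1460]  # the only MSS values a cookie can encode


def counter(now):
    """Coarse clock: one tick per minute, kept to 8 bits so it sits above the mask."""
    return int(now // 60) & 0xFF


def _h(saddr, daddr, sport, dport, count, which):
    """Keyed hash over the 4-tuple, a counter and a domain-separation byte."""
    msg = struct.pack("!4s4sHHIB", saddr, daddr, sport, dport, count, which)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def encode_mss(mss):
    """Index of the largest table entry not exceeding the client's advertised MSS."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i
    return idx


def make_cookie(saddr, daddr, sport, dport, client_isn, mss, now):
    """SYN-ACK sequence number that encodes the connection instead of storing it."""
    count = counter(now)
    data = encode_mss(mss)
    cookie = (_h(saddr, daddr, sport, dport, 0, 0) + client_isn
              + (count << COOKIE_BITS)
              + ((_h(saddr, daddr, sport, dport, count, 1) + data) & COOKIE_MASK))
    return cookie & 0xFFFFFFFF


def check_cookie(saddr, daddr, sport, dport, client_isn, cookie, now):
    """Return the MSS encoded in a genuine, fresh cookie; None if forged or stale."""
    count = counter(now)
    cookie = (cookie - _h(saddr, daddr, sport, dport, 0, 0) - client_isn) & 0xFFFFFFFF
    diff = (count - (cookie >> COOKIE_BITS)) & 0xFF
    if diff >= MAX_COOKIE_AGE:
        return None                  # too old: the counter has moved on
    then = (count - diff) & 0xFF     # counter value at the time the cookie was issued
    data = (cookie - _h(saddr, daddr, sport, dport, then, 1)) & COOKIE_MASK
    if data >= len(MSS_TABLE):
        return None                  # hash mismatch: not a cookie we issued
    return MSS_TABLE[data]


def simulate_handshake(now, ack_delay=5, tamper=False):
    """Three-way handshake as the firewall sees it; no state until the ACK checks out."""
    saddr, daddr = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])  # constructed
    sport, dport, client_isn = 40000, 443, 0x12345678                  # constructed
    # 1. SYN arrives: reply with a SYN-ACK whose seq is the cookie, store nothing.
    synack_seq = make_cookie(saddr, daddr, sport, dport, client_isn, 1460, now)
    # 2. A real client acknowledges synack_seq + 1; a spoofed source never sees it.
    ack = (synack_seq + 1) & 0xFFFFFFFF
    if tamper:
        ack ^= 0x8000                # an ACK number that was not derived from our SYN-ACK
    # 3. Validate the ACK; only a valid cookie leads to a forwarded connection.
    return check_cookie(saddr, daddr, sport, dport, client_isn,
                        (ack - 1) & 0xFFFFFFFF, now + ack_delay)


if __name__ == "__main__":
    print("genuine ACK ->", simulate_handshake(1_000_000))
    print("forged ACK  ->", simulate_handshake(1_000_000, tamper=True))
    print("late ACK    ->", simulate_handshake(1_000_000, ack_delay=600))
```

The design trade-offs visible here are the same ones the firewall faces: because nothing is stored between SYN and ACK, everything the connection needs later (in this model only the MSS) has to fit into 32 bits, which is why the MSS is reduced to a small table index; the counter bounds how long a captured SYN-ACK stays replayable; and the keyed hash over the 4-tuple is what makes a valid ACK unguessable for a sender that never saw the SYN-ACK.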