Today we are proud to present the next challenger stepping into the ring: IPFire 2.29 Core Update 202! In this corner, a brand-new Linux 6.18 kernel. In the other corner, OpenVPN 2.7 with kernel-accelerated Data Channel Offload, delivering up to 10 Gigabit per second per tunnel. Add to that a long list of important security fixes, package updates, and bug fixes - and you have a release that is ready for testing. So power up your test systems, and let's get readyyyy to upgraaaade!
Linux Kernel Security Vulnerabilities
In this release, the IPFire kernel has been rebased on Linux 6.18.28, which most notably fixes two widely publicised security vulnerabilities:
- Dirty Frag (CVE-2026-43284): a local privilege escalation flaw in the kernel module that implements ESP, the encrypting protocol of IPsec, disclosed on May 7, 2026. An unprivileged local user can use it to escalate to root.
- Copy Fail (CVE-2026-31431): a logic flaw in the kernel's cryptographic subsystem, specifically in the algif_aead module behind the AF_ALG user-space interface, disclosed on April 29, 2026. Any unprivileged local user can gain root with a very small exploit, and essentially every distribution shipping kernels built since 2017 is affected.
While these vulnerabilities are serious for Linux systems in general, IPFire is by design not exposed to the most common attack path. Both flaws require an unprivileged local user who can already run code on the system, and IPFire does not provide unprivileged shell accounts on the firewall: only the administrator has access to the console, and no other users are logged in. That said, defence in depth matters, and we always recommend keeping systems up to date regardless of whether a known attack path applies, because the next vulnerability may well take a different shape.
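The two assumptions above (the patched kernel is actually running, and there is no local account from which either flaw could be triggered) are cheap to verify after the update. The script below is an added example written for this article, not code from IPFire: it compares the running kernel version against 6.18.28 and lists every account in /etc/passwd with an interactive login shell, which on IPFire should be root alone. The version comparison only means something on IPFire, where the kernel is rebased rather than patched in place; the sample passwd file is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (editor's code, not from IPFire): post-update checks for the
# kernel fixes in Core Update 202. Only /etc/passwd and the kernel version
# string are inspected; nothing here relies on IPFire internals.

# kver_ge HAVE WANT : exit 0 when HAVE >= WANT, comparing dot-separated numeric
# fields. A suffix such as "-ipfire" is ignored ("28-ipfire" compares as 28).
# Caveat: meaningful only where the kernel is rebased (IPFire), not on distros
# that backport fixes without bumping the version.
kver_ge() {
    awk -v have="$1" -v want="$2" 'BEGIN {
        n = split(have, h, "."); m = split(want, w, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            hi = (i <= n) ? h[i] + 0 : 0
            wi = (i <= m) ? w[i] + 0 : 0
            if (hi > wi) exit 0
            if (hi < wi) exit 1
        }
        exit 0
    }'
}

# interactive_accounts [PASSWD] : print "user:shell" for every account whose
# login shell is neither nologin nor false. An empty shell field means /bin/sh,
# so it counts as interactive too. Anything besides root is the kind of local
# foothold both kernel flaws need and deserves an explanation.
interactive_accounts() {
    awk -F: '$7 !~ /\/(nologin|false)$/ { print $1 ":" $7 }' "${1:-/etc/passwd}"
}

# write_sample_passwd FILE : constructed passwd file used to demonstrate the
# check (not taken from any real system).
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:nobody:/:/bin/false
sshd:x:74:74:sshd:/var/empty:/sbin/nologin
backup:x:1001:1001:Backup job:/home/backup:/bin/sh
EOF
}

want=6.18.28
have=$(uname -r)
if kver_ge "$have" "$want"; then
    echo "kernel $have: fixed (>= $want)"
else
    echo "kernel $have: older than $want, update still pending"
fi

echo "accounts with an interactive shell on this host:"
interactive_accounts

sample=$(mktemp)
write_sample_passwd "$sample"
echo "same check on the constructed sample (expect root and the stray 'backup' user):"
interactive_accounts "$sample"
rm -f "$sample"
```

Run it as root after the reboot; a second line in the account list is the finding, not the kernel version.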
OpenVPN 2.7
IPFire is now shipping OpenVPN 2.7, which was released earlier this year. Over the last couple of updates, we have already rolled out the changes needed for a smooth transition. The highlight of this release is support for Data Channel Offloading (DCO) to the kernel. Instead of handing every packet to the OpenVPN daemon in user space for encryption and decryption, the kernel encrypts and decrypts the data channel itself, which avoids a copy and a context switch per packet and massively boosts throughput. We have observed throughput jump from 1 GBit/s to 10 GBit/s per tunnel, with reduced jitter and lower CPU utilisation because the kernel makes better use of the hardware's crypto acceleration.
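DCO only delivers those numbers if OpenVPN actually uses it, and OpenVPN falls back to user-space encryption with nothing more than a note in the log when the configuration contains something the kernel path cannot handle. The script below is an added example written for this article, not code from IPFire or the OpenVPN project: it scans an OpenVPN configuration for the directives that, to the editor's knowledge, disable DCO in OpenVPN 2.6/2.7 (TAP mode, static keys, fragment, compression, HTTP/SOCKS proxies, non-AEAD ciphers and disable-dco itself) and offers a live check of the interface. The directive list and the assumption that iproute2 reports an in-kernel tunnel with the link kind "ovpn" are the editor's, not statements made on this page; the sample configuration is constructed.

```shell
#!/bin/sh
# Added example (editor's code, not from IPFire or OpenVPN): find directives
# that make OpenVPN 2.7 silently fall back from DCO to user-space crypto.
# The list reflects the DCO limitations as the editor understands them and is
# deliberately conservative; treat a hit as "check the log", not as gospel.

# dco_blockers FILE : print one line per offending directive; exit 1 if any.
dco_blockers() {
    # strip '#' and ';' comments, then classify each remaining directive
    sed 's/[#;].*//' "$1" | awk '
        NF == 0 { next }
        $1 == "disable-dco"                       { hit("disable-dco turns DCO off explicitly") }
        $1 == "dev-type" && $2 == "tap"           { hit("TAP mode is not supported by DCO") }
        $1 == "dev" && $2 ~ /^tap/                { hit("TAP mode is not supported by DCO") }
        $1 == "secret"                            { hit("static-key mode (--secret) cannot use DCO") }
        $1 == "fragment"                          { hit("--fragment is incompatible with DCO") }
        $1 == "compress" || $1 == "comp-lzo"      { hit("compression is incompatible with DCO") }
        $1 == "http-proxy" || $1 == "socks-proxy" { hit("proxy transports are incompatible with DCO") }
        $1 == "data-ciphers" || $1 == "cipher"    { check_ciphers($2) }
        function hit(msg) { printf "line %d: %s  (%s)\n", NR, $0, msg; hits++ }
        # DCO handles AEAD ciphers only; a CBC entry kept "for old clients" is
        # the classic reason a tunnel quietly runs without offload.
        function check_ciphers(list,    i, cnt, parts, c) {
            cnt = split(list, parts, ":")
            for (i = 1; i <= cnt; i++) {
                c = toupper(parts[i])
                if (c != "AES-128-GCM" && c != "AES-192-GCM" && c != "AES-256-GCM" && c != "CHACHA20-POLY1305")
                    hit("cipher " parts[i] " is not AEAD; DCO supports AES-GCM and ChaCha20-Poly1305 only")
            }
        }
        END { exit (hits > 0) }'
}

# dco_active IFACE : exit 0 if the tunnel interface is an in-kernel ovpn device.
# Assumption (editor's, not from the page): with the in-tree ovpn module of
# Linux 6.18, "ip -d link" prints the link kind "ovpn" for such devices.
dco_active() {
    ip -d link show dev "$1" 2>/dev/null | grep -qw ovpn
}

# write_sample_config FILE : constructed server config in the rough shape of a
# generated server.conf, with three deliberate DCO blockers.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample, not a real IPFire configuration
dev tun
proto udp
port 1194
topology subnet
server 10.8.0.0 255.255.255.0
data-ciphers AES-256-GCM:AES-256-CBC   ; CBC kept for an old client
auth SHA512
compress lz4-v2
fragment 1300
EOF
}

cfg=${1:-}
if [ -z "$cfg" ]; then
    cfg=$(mktemp)
    write_sample_config "$cfg"
    echo "no file given, scanning the constructed sample $cfg"
fi
if dco_blockers "$cfg"; then
    echo "no DCO blockers found in $cfg"
else
    echo "DCO would be disabled for $cfg; fix the directives listed above"
fi
```

Pass the path of the configuration as the first argument; without one the script scans its own constructed sample and reports the three blockers. On a running firewall, `dco_active tun0` (or whatever the tunnel interface is called) confirms the kernel path is in use after the daemon has started.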
Misc.
- Firewall: Multiple ports in a comma-separated list are now being applied properly (#13959)
- Intrusion Prevention System: The IPS no longer writes statistics logs, which consumed a lot of disk space on some systems. The updater removes the existing statistics log files automatically, freeing that space. The remaining log files are now rotated daily instead of weekly.
- The IPFire DNS Proxy is now permitted outbound access without any additional firewall rules
- IPsec: Due to a typo in a script, some automatically generated firewall rules were not removed after a tunnel was shut down. This had no consequence other than a growing table of redundant rules.
- glibc has been patched against GLIBC-SA-2026-0005: a crafted DNS response can trick gethostbyaddr/gethostbyaddr_r into treating a record outside the answer section as a valid answer, in violation of the DNS specification. The result is an out-of-bounds read and bogus hostnames returned to callers, which is risky for anything that uses reverse DNS in logging or access decisions.
- Updated packages: abseil-cpp 20260107.1, Apache2 2.4.67, autoconf 2.73, BIND 9.20.22, btrfs-progs 6.19.1, cURL 8.20.0, ethtool 7.0, expat 2.8.0, freetype 2.14.3, glib 2.88.1, GnuTLS 3.8.13, groff 1.24.1, harfbuzz 14.2.0, hwdata 0.406, iana-etc 20260409, intel-microcode 20260227, inotify-tools 4.25.9.0, iproute2 7.0.0, ipset 7.24, Knot 3.5.4, libarchive 3.8.7, libcap 2.78, libcap-ng 0.9.3, libedit 20251016-3.1, libgcrypt 1.12.2, libinih 62, libjpeg 3.1.4.1, libpng 1.6.58, libsodium 1.0.22, liburcu 0.15.6, libxml2 2.15.3, lmdb 0.9.35, LVM2 2.03.40, man-pages 6.18, mdadm 4.6, oath-toolkit 2.6.14, OpenSSH 10.3p1, OpenSSL 3.6.2, OpenVPN 2.7.3, pango 1.57.1, parted 3.7, pciutils 3.15.0, python3-yaml 6.0.3, sed 4.10, SQLite 3.53.0, strongSwan 6.0.6, Suricata 8.0.4, systemd 260.1, texinfo 7.3, tzdata 2026b, Unbound 1.25.0, usb-modeswitch-data 20251207, wireguard-tools 1.0.20260223, XZ 5.8.3
- IP Blocklist: Links to the BOGON and BOGON_FULL lists have been updated
Add-Ons
- Updated packages: arpwatch 3.9, dnsdist 2.0.5, ffmpeg 8.1, FRR 10.6.0, htop 3.5.1, iperf3 3.21, Git 2.54.0, HAProxy 3.2.15, keepalived 2.3.4, libid3tag 0.16.4, libmicrohttpd 1.0.5, libmpc 1.4.1, libpciaccess 0.19, libvirt 12.3.0, lldpd 1.0.21, mympd 25.0.1, nano 9.0, ncat 7.99, nfs 2.9.1, nmap 7.99, Postfix 3.11.1, rsync 3.4.2, Samba 4.24.1, Tor 0.4.9.7, transmission 4.1.1, tshark 4.6.5, Zabbix Agent 7.0.24 (LTS) + Monitoring for D-Bus & LLDP
As always, this update would not be possible without the hard work of the IPFire developers, the wider open-source community whose projects we ship, and everyone who tests, reports bugs, and contributes patches. If you would like to support the continued development of IPFire, please donate - every contribution helps us keep the project independent and moving forward.
Happy testing!