In this release, IPFire 2.29 - Core Update 202, we are fixing the most prominent kernel vulnerabilities of the last few weeks. OpenVPN has been updated to version 2.7, which brings support for Data Channel Offloading and massively increases throughput for your OpenVPN tunnels. As usual, this release contains a large number of package updates with various further security fixes.
We would like to encourage you to install this update as soon as possible to be protected against the unusually large number of vulnerabilities that have been discovered recently in the Linux kernel as well as in many other software components. Make sure to reboot your IPFire system afterwards.
Linux Kernel Security Vulnerabilities
In this release, the IPFire kernel has been rebased on Linux 6.18.32 which most notably fixes a couple of prominent security vulnerabilities:
- Dirty Frag — ESP/IPsec (CVE-2026-43284) — A local privilege escalation flaw disclosed on May 7, 2026 in the kernel module providing support for ESP, one of the protocols used for IPsec, allowing an unprivileged local user to escalate to root.
- Copy Fail (CVE-2026-31431) — A logic flaw in the Linux kernel's cryptographic subsystem, specifically within the algif_aead module of the AF_ALG interface, disclosed April 29, 2026, that lets any unprivileged local user gain root via a tiny exploit on essentially every distribution shipping kernels built since 2017.
While these vulnerabilities are serious for Linux systems in general, IPFire is by design not exposed to the most common attack paths. Both flaws require an unprivileged local user with shell access to the system, and IPFire does not provide unprivileged shell accounts on the firewall - only the administrator has access to the console, and there are no other users logged in. That said, defence in depth matters, and we always recommend keeping systems up to date regardless of whether a known attack path applies, because the next vulnerability may well take a different shape.
OpenVPN 2.7
IPFire now ships OpenVPN 2.7, which was released earlier this year. Over the last couple of updates, we have already rolled out changes that allow a smooth transition. The highlight of this release is support for Data Channel Offloading (DCO) to the kernel. Instead of passing every packet to the OpenVPN daemon for encryption and decryption, the kernel can encrypt or decrypt packets itself, which massively boosts throughput. We have observed throughput jump from 1 GBit/s to 10 GBit/s per tunnel, with reduced jitter and lower CPU utilisation due to the kernel's better use of the hardware's crypto acceleration.
Misc.
- Firewall: Multiple ports in a comma-separated list are now being applied properly (#13959)
- Intrusion Prevention System: The IPS no longer logs statistics, which had used a lot of disk space on some systems. The updater automatically removes these log files, freeing the disk space. The remaining log files are now rotated daily instead of weekly.
- The IPFire DNS Proxy is now permitted outbound access without requiring any additional firewall rules
- IPsec: Due to a typo in a script, some automatically generated firewall rules were not removed after a tunnel was shut down. This had no other consequence than a growing table of redundant rules.
- In glibc, a crafted DNS response can trick gethostbyaddr/gethostbyaddr_r into treating a non-answer section as a valid answer, violating the DNS spec. The result is an out-of-bounds read and bogus hostnames returned to callers — risky for anything that uses reverse DNS in logging or access decisions (GLIBC-SA-2026-0005).
- Updated packages: abseil-cpp 20260107.1, Apache2 2.4.67, autoconf 2.73, BIND 9.20.22, btrfs-progs 6.19.1, cURL 8.20.0, ethtool 7.0, expat 2.8.0, freetype 2.14.3, glib 2.88.1, GnuTLS 3.8.13, groff 1.24.1, harfbuzz 14.2.0, hwdata 0.406, iana-etc 20260409, intel-microcode 20260227, inotify-tools 4.25.9.0, iproute2 7.0.0, ipset 7.24, Knot 3.5.4, libarchive 3.8.7, libcap 2.78, libcap-ng 0.9.3, libedit 20251016-3.1, libgcrypt 1.12.2, libinih 62, libjpeg 3.1.4.1, libpng 1.6.58, libsodium 1.0.22, liburcu 0.15.6, libxml2 2.15.3, lmdb 0.9.35, LVM2 2.03.40, man-pages 6.18, mdadm 4.6, oath-toolkit 2.6.14, OpenSSH 10.3p1, OpenSSL 3.6.2, OpenVPN 2.7.3, pango 1.57.1, parted 3.7, pciutils 3.15.0, python3-yaml 6.0.3, sed 4.10, SQLite 3.53.0, strongSwan 6.0.6, Suricata 8.0.5, systemd 260.1, texinfo 7.3, tzdata 2026b, Unbound 1.25.1, usb-modeswitch-data 20251207, wireguard-tools 1.0.20260223, XZ 5.8.3
- IP Blocklist: Links to the BOGON and BOGON_FULL lists have been updated
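The firewall fix above concerns comma-separated port lists. As an added illustration (not IPFire's own code) of the validation a rule editor needs before such a list becomes an iptables multiport match, the following Python parses and checks every entry; the accepted syntax (single ports and lo-hi ranges, limit of 15 ports per match as documented for the iptables multiport extension) is an assumption for this example:

```python
"""Parse and validate a comma-separated port specification.

Added example, not IPFire's own code: it shows the kind of validation a
firewall rule editor needs before it turns a list such as
"22,80,443,8000-8080" into an iptables multiport match.  The accepted
syntax (single ports and lo-hi ranges) is an assumption for this example.
"""
import re

PORT_RE = re.compile(r"^\d{1,5}$")
RANGE_RE = re.compile(r"^(\d{1,5})-(\d{1,5})$")
# iptables multiport accepts at most 15 ports; a range counts as two
MULTIPORT_LIMIT = 15


class PortListError(ValueError):
    """Raised for any token that is not a valid port or port range."""


def parse_port_list(spec: str) -> list[tuple[int, int]]:
    """Return inclusive (low, high) tuples; single ports become (p, p).

    Every token is checked individually, so the list is rejected as a
    whole if any entry is empty, non-numeric, out of range or descending.
    """
    ranges: list[tuple[int, int]] = []
    for raw in spec.split(","):
        token = raw.strip()
        if not token:
            raise PortListError(f"empty entry in {spec!r}")
        if PORT_RE.match(token):
            lo = hi = int(token)
        else:
            match = RANGE_RE.match(token)
            if match is None:
                raise PortListError(f"invalid port entry {token!r}")
            lo, hi = int(match.group(1)), int(match.group(2))
        if not (1 <= lo <= 65535 and 1 <= hi <= 65535):
            raise PortListError(f"port out of range in {token!r}")
        if lo > hi:
            raise PortListError(f"descending range {token!r}")
        ranges.append((lo, hi))
    # count ports the way the multiport match does before building a rule
    if sum(1 if lo == hi else 2 for lo, hi in ranges) > MULTIPORT_LIMIT:
        raise PortListError("too many ports for a single multiport match")
    return ranges


def is_valid_port_list(spec: str) -> bool:
    """Convenience wrapper for form validation: True if spec parses."""
    try:
        parse_port_list(spec)
    except PortListError:
        return False
    return True


def to_multiport(ranges: list[tuple[int, int]]) -> str:
    """Render ranges in the lo:hi form used by `-m multiport --dports`."""
    return ",".join(str(lo) if lo == hi else f"{lo}:{hi}" for lo, hi in ranges)


if __name__ == "__main__":
    spec = "22, 80,443,8000-8080"
    print(to_multiport(parse_port_list(spec)))  # 22,80,443,8000:8080
```

Rejecting the whole list on the first bad token, rather than silently dropping it, is the safer choice for a firewall: a rule that quietly opens fewer or different ports than the administrator typed is exactly the class of bug the changelog entry describes.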
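The glibc entry above warns against trusting reverse DNS in logging or access decisions. As an added example (not IPFire or glibc code), the following Python shows the standard mitigation, forward-confirmed reverse DNS: a PTR name is accepted only if it is syntactically sane and its forward lookup returns the original address. The resolver functions are injected, and the sample PTR/A records are constructed for the demonstration so it runs offline; `socket.gethostbyaddr` and `socket.gethostbyname_ex` are wrapped for real lookups.

```python
"""Forward-confirmed reverse DNS (FCrDNS) before a hostname is trusted.

Added example, not IPFire code.  A PTR answer, whether produced by a buggy
resolver or a hostile DNS server, must not drive logging or access
decisions on its own: the name is first checked syntactically, then its
forward (A/AAAA) records must include the original address.  Resolver
functions are injected so the example runs offline against constructed
records; system_ptr / system_addrs can be passed in for real lookups.
"""
import ipaddress
import socket
from typing import Callable, Iterable, Optional

PtrLookup = Callable[[str], Optional[str]]
AddrLookup = Callable[[str], Iterable[str]]

# Constructed sample records (203.0.113.0/24, 198.51.100.0/24 and
# 192.0.2.0/24 are documentation prefixes, not real hosts).
SAMPLE_PTR = {
    "203.0.113.10": "mail.example.net",      # honest PTR, forward agrees
    "203.0.113.11": "trusted.example.org",   # PTR claims a name it does not own
    "198.51.100.5": "not a hostname!",       # garbage such as a broken answer could yield
}
SAMPLE_A = {
    "mail.example.net": ["203.0.113.10"],
    "trusted.example.org": ["192.0.2.7"],
}


def valid_hostname(name: str) -> bool:
    """RFC 1123 style syntax check: labels of 1-63 alphanumerics or
    hyphens, no leading/trailing hyphen, at most 253 characters overall."""
    if not name or len(name) > 253:
        return False
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            return False
        if label[0] == "-" or label[-1] == "-":
            return False
        if not all(c.isascii() and (c.isalnum() or c == "-") for c in label):
            return False
    return True


def confirmed_hostname(ip: str, ptr_lookup: PtrLookup,
                       addr_lookup: AddrLookup) -> Optional[str]:
    """Return the PTR name only if it is well-formed and forward-confirmed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    name = ptr_lookup(str(addr))
    if not name or not valid_hostname(name):
        return None
    forward = set()
    for a in addr_lookup(name) or ():
        try:
            forward.add(ipaddress.ip_address(a))
        except ValueError:
            continue  # ignore malformed forward records
    return name if addr in forward else None


def client_label(ip: str, ptr_lookup: PtrLookup, addr_lookup: AddrLookup) -> str:
    """Label for a log line: the confirmed name, otherwise the bare address."""
    name = confirmed_hostname(ip, ptr_lookup, addr_lookup)
    return f"{ip} ({name})" if name else f"{ip} (unverified)"


def system_ptr(ip: str) -> Optional[str]:
    """Real PTR lookup through the C library resolver; None on failure."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def system_addrs(name: str) -> list[str]:
    """Real forward lookup through the C library resolver; empty on failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror, OSError, UnicodeError):
        return []


if __name__ == "__main__":
    for ip in SAMPLE_PTR:
        print(client_label(ip, SAMPLE_PTR.get, lambda n: SAMPLE_A.get(n, [])))
```

For an access decision, use the address itself as the key and treat the confirmed name as a display hint only; for logging, the `unverified` marker keeps an unconfirmed PTR out of the log entirely rather than letting a bogus name sit next to the address.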
Add-Ons
- Samba: A security researcher working under the pseudonym valent1 has reported two security vulnerabilities in this add-on, which are patched in this release:
  - Missing input validation during the join operation allowed authenticated attackers to run arbitrary shell commands as a non-privileged user (CVE pending)
  - Inappropriate shell command escaping allowed attackers to gain root privileges from a shell using the sambactrl helper binary (CVE pending)
- Who Is Online?: valent1 reported an XSS vulnerability affecting authenticated users, which is now fixed (CVE pending)
- Updated packages: arpwatch 3.9, dnsdist 2.0.5, ffmpeg 8.1, FRR 10.6.0, htop 3.5.1, iperf3 3.21, Git 2.54.0, HAProxy 3.2.15, keepalived 2.3.4, libid3tag 0.16.4, libmicrohttpd 1.0.5, libmpc 1.4.1, libpciaccess 0.19, libvirt 12.3.0, lldpd 1.0.21, mympd 25.0.1, nano 9.0, ncat 7.99, nfs 2.9.1, nmap 7.99, Postfix 3.11.1, rsync 3.4.2, Samba 4.24.1, Tor 0.4.9.7, transmission 4.1.1, tshark 4.6.5, Zabbix Agent 7.0.24 (LTS) + Monitoring for D-Bus & LLDP
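The two Samba issues listed above are instances of one pattern: untrusted input reaching a shell, once through missing validation and once through escaping that was not good enough. As an added example (not IPFire's, Samba's or sambactrl's code), the following Python puts the vulnerable pattern beside the hardened form that a privileged helper should use: a strict allow-list on each value, and an argv list passed with `shell=False` so that no escaping is needed at all. The `net ads join -U <user> -S <server>` invocation is a stand-in; the real helper's commands are not shown on the page.

```python
"""Building a privileged command from user input: shell string vs. argv.

Added example, not IPFire's or Samba's code.  join_command_unsafe shows
the pattern behind both Samba issues (input interpolated into a string a
shell will interpret); join_argv_safe shows the fix: allow-list the input
and hand the program an argv list with no shell in between.  The net
command line used here is a stand-in, not the real helper's.
"""
import re
import subprocess
from typing import Callable, Optional, Sequence

# Allow-lists: a DNS-style server/realm name, and a user name that cannot
# start with "-" so the called program can never parse it as an option.
SERVER_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")
USER_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def join_command_unsafe(server: str, user: str) -> str:
    """Vulnerable pattern: interpolate input into one string that is later
    handed to a shell (e.g. subprocess.run(..., shell=True) or system()).
    Any shell metacharacter in server or user is obeyed by that shell, and
    quoting the values by hand is exactly the fragile escaping that the
    second Samba advisory describes."""
    return f"net ads join -U {user} -S {server}"


def join_argv_safe(server: str, user: str) -> list[str]:
    """Hardened form: validate against the allow-lists, then return an argv
    list.  Each value becomes exactly one argument however it is spelled,
    so there is nothing to escape."""
    if not SERVER_RE.fullmatch(server):
        raise ValueError(f"rejected server name {server!r}")
    if not USER_RE.fullmatch(user):
        raise ValueError(f"rejected user name {user!r}")
    return ["net", "ads", "join", "-U", user, "-S", server]


def accepts_join_input(server: str, user: str) -> bool:
    """True if both values pass the allow-lists (useful at the web UI layer
    so bad input is refused before the privileged helper ever runs)."""
    try:
        join_argv_safe(server, user)
    except ValueError:
        return False
    return True


def run_join(server: str, user: str,
             runner: Optional[Callable[[Sequence[str]], object]] = None):
    """Execute the hardened command.  `runner` is injectable so the example
    can be exercised without actually invoking net."""
    argv = join_argv_safe(server, user)
    if runner is None:
        # shell=False: argv goes straight to execve, no shell parses it
        return subprocess.run(argv, shell=False, check=False)
    return runner(argv)


if __name__ == "__main__":
    print(join_argv_safe("ad.example.org", "alice"))
    for server, user in [("ad.example.org", "alice;ls"), ("ad.example.org", "-S")]:
        print(server, user, "accepted" if accepts_join_input(server, user) else "rejected")
```

The validation and the argv list are independent defences: the allow-list stops option-looking and metacharacter-laden values at the boundary, and the argv list means that even a value the allow-list wrongly admits can only ever be one argument to `net`, never a second command. A setuid or root-run helper like the one named above should apply both and should additionally ignore the caller's environment (PATH in particular) when locating the program it executes.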
We want to urge you to upgrade your systems so that you are not vulnerable to the Dirty Frag, Copy Fail and Fragnesia vulnerabilities. Thanks to everyone who gave feedback on the testing release and reported problems to Bugzilla.
If you would like to thank the developers & support their work, please donate, to keep the project moving fast!