Software update: OPNsense 26.1.7
The OPNsense package is a firewall with extensive capabilities. It is based on the FreeBSD operating system and was originally a fork of m0n0wall and pfSense. It can be configured entirely through a web interface and supports, among other things, MFA, OpenVPN, IPsec, CARP and captive portal. It can also perform packet filtering and includes a traffic shaper. The developers behind OPNsense have released the sixth update for version 26.1, and the release notes for that release can be found below.
OPNsense 26.1.7 released

This includes all very recent FreeBSD SA/EN patches, a number of system improvements (how are you doing, Kea!) and third party updates for OpenVPN and StrongSwan. It also includes one high and one medium advisory for our code. GitHub has not issued a CVE for this yet, unfortunately, but this announcement will be updated as soon as that happens. See below for details.
Here are the full patch notes:

system: protect popen() with exec_safe()
system: lockout bypass fix
system: refactor dashboard to use User model instead of direct config access
system: throw UserException when dashboard size limit was reached on save
system: add notes dashboard widget (contributed by Konstantinos Spartalis)
system: allow gateway load balance weights from 1 to 10 for more flexibility (contributed by Matthew Hall)
system: fix traffic dashboard widget initialization race condition (contributed by Greelan)
system: avoid side effect rendering sysctl item in config.xml during console assignment
system: improve cron command and parameter escaping
system: add "nosync" option to gateway configuration
system: support RADIUS NAS-IP-Address attribute for authentication
system: add compatibility layer to future route disable/enable migration
system: only split first colon when reading sysctls
system: revisit snapshot name validation (partially contributed by Konstantinos Spartalis)
interfaces: refactor bridge reconfigure script
firewall: live view: decode HTML where necessary to aid filtering
firewall: fix typo in alias update error log and make parser a bit more resilient
firmware: opnsense-update: handle FreeBSD.conf disable internally
kea: fix "Delegated length must be longer than or equal to prefix length" validation
kea: add ddns-override-no-update, ddns-override-client-update and ddns-update-on-renew per subnet
kea: DDNS DNS server port can now be specified
kea: add explicit reverse DDNS zones support (contributed by XtraLarge)
kea: add DDNS manual config override
kea: remove depend constraint of ddns_reverse_zone
radvd: allow user controlled hop limit (contributed by BPplays)
unbound: improve hostname/domain override validation
backend: configctl: properly quote parameters to avoid skipping empty ones (contributed by Majx)
lang: numerous updates and fixes in existing languages
mvc: introduce JSON field type and refactor dashboard to use it
mvc: fixed a number of class import statements
shell: config access refactor in password and setaddr scripts
ui: generalize placeholders between controllers and JS
ui: simplify and clean up debounce() usage
ui: trap generic error popup for specific API URLs such as /api/core/firmware/upgradestatus when it adds no value and known to be unstable
plugins: os-acme-client 4.16
plugins: os-zabbix-agent 1.9
plugins: os-zabbix-proxy 1.7
src: vm_fault: reset m_needs_zeroing properly
src: timerfd: Fix interval callout scheduling
src: tty: avoid leaving dangling pointers in tty_drop_ctty()
src: pkru: fix handling of 1GB largepage mappings
src: contrib/tzdata: import tzdata 2025c, 2026a and 2026b
src: amd64: fix INVLPGB range invalidation
src: pf: improve SCTP validation
src: execve: fix an operator precedence bug
src: dhclient: check for unexpected characters in some DHCP server options
src: dhclient: fix reallocation of dhclient script environments
src: libnv: switch fd_wait() from select(2) to poll(2)
src: libnv: fix heap overflow in nvlist_recv()
src: libpcap: update to 1.10.6
src: ipfw_nptv6: fix handling the ifaddr removal event
src: if_tuntap: make SIOCIFDESTROY interruptible
src: pfctl: parser must not ignore error from pfctl_optimize_ruleset()
src: pf: fix duplicate rule detection for automatic tables
src: openssl: update from 3.0.16 to 3.0.20
src: routing: fix use-after-free in finalize_nhop
src: ixgbe: fix MRQC register value
src: in_mcast: Fix a lock leak in inp_set_source_filters()
src: linuxkpi: fix an off-by-one error in the kfifo implementation
src: sctp: fix so_proto when peeling off a socket
ports: expat 2.8.0
ports: openvpn 2.6.20
ports: phpseclib 3.0.52
ports: strongswan 6.0.6
Source:
Tweakers.net