siosios
07-27-2023, 02:18 PM
The next update for IPFire is available for testing! It contains more hardening features for modern processors and a large number of security fixes in third-party packages.
Indirect Branch Tracking by DefaultThis update comes with extended hardening for the kernel by using Indirect Branch Tracking (https://lwn.net/Articles/889475/) wherever possible. This will prevent hackers to hijack functions calls and jump into injected code. This feature is currently only supported on Intel processors.
In the near future, we will extend this feature to the user-space and more processor types.
Security UpdatesThis update features a large number of package updates that patch security vulnerabilities:
Kernel Update: The IPFire kernel has been rebased to Linux 6.1.41 which amongst the usual improvements fixes the StackRot (https://github.com/lrh2000/StackRot#stackrot-cve-2023-3269-linux-kernel-privilege-escalation-vulnerability) vulnerability (CVE-2023-3269 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-3269)).
OpenSSH (CVE-2023-38408 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-38408)) contains a vulnerability in the SSH agent component.
Zenbleed (https://lock.cmpxchg8b.com/zenbleed.html) - An issue where vector registers leak their content.
Ghostscript contained a code execution vulnerability filed under CVE-2023-36664 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-36664).
Misc.
Legacy OpenSSL version removed: OpenSSL 1.1.1 library files have been removed as previously announced (https://blog.ipfire.org/post/ipfire-2-27-core-update-175-released)
Package updates: Ghostscript 10.01.2, iproute2 6.4.0, Linux Firmware 20230625, memtest 6.20, ntp 4.2.8p17, OpenSSH 9.3p2, samba 4.18.5, Squid 6.1, sudo 1.9.14p2, util-linux 2.39.1
The Unbound/DHCP Leases bridge loads any leases into Unbound more efficiently than before due to Unbound recently adding the ability to reload its configuration.
dehydrated will try harder to update any remaining certificates if the update of one fails.
Fireinfo used to crash if the hypervisor IPFire is running on could not be detected (#13155 (https://bugzilla.ipfire.org/show_bug.cgi?id=13155))
Proxy ASN Blacklist: A crash that caused the proxy to restart has been fixed (#13023 (https://bugzilla.ipfire.org/show_bug.cgi?id=13023))
pmacct: #13159 (https://bugzilla.ipfire.org/show_bug.cgi?id=13159) has been fixed which fixes some invalid directives in the default configuration.
The SquidClamAV add-on has been removed: This used to be able to scan any plaintext content that passed through the web proxy. With Internet traffic being predominantly HTTPS and therefore not scannable, this feature does not serve any useful purpose and has therefore been removed.
We would like to thank all people contributing to this release. Please help testing this update, especially if you are using exotic hardware, uncommon network setups, or add-ons, and provide feedback - which is absolutely essential to us. And if you like to support our team, please donate (https://www.ipfire.org/donate).
More... (https://blog.ipfire.org/post/ipfire-2-27-core-update-177-is-available-for-testing)
Indirect Branch Tracking by DefaultThis update comes with extended hardening for the kernel by using Indirect Branch Tracking (https://lwn.net/Articles/889475/) wherever possible. This will prevent hackers to hijack functions calls and jump into injected code. This feature is currently only supported on Intel processors.
In the near future, we will extend this feature to the user-space and more processor types.
Security UpdatesThis update features a large number of package updates that patch security vulnerabilities:
Kernel Update: The IPFire kernel has been rebased to Linux 6.1.41 which amongst the usual improvements fixes the StackRot (https://github.com/lrh2000/StackRot#stackrot-cve-2023-3269-linux-kernel-privilege-escalation-vulnerability) vulnerability (CVE-2023-3269 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-3269)).
OpenSSH (CVE-2023-38408 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-38408)) contains a vulnerability in the SSH agent component.
Zenbleed (https://lock.cmpxchg8b.com/zenbleed.html) - An issue where vector registers leak their content.
Ghostscript contained a code execution vulnerability filed under CVE-2023-36664 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-36664).
Misc.
Legacy OpenSSL version removed: OpenSSL 1.1.1 library files have been removed as previously announced (https://blog.ipfire.org/post/ipfire-2-27-core-update-175-released)
Package updates: Ghostscript 10.01.2, iproute2 6.4.0, Linux Firmware 20230625, memtest 6.20, ntp 4.2.8p17, OpenSSH 9.3p2, samba 4.18.5, Squid 6.1, sudo 1.9.14p2, util-linux 2.39.1
The Unbound/DHCP Leases bridge loads any leases into Unbound more efficiently than before due to Unbound recently adding the ability to reload its configuration.
dehydrated will try harder to update any remaining certificates if the update of one fails.
Fireinfo used to crash if the hypervisor IPFire is running on could not be detected (#13155 (https://bugzilla.ipfire.org/show_bug.cgi?id=13155))
Proxy ASN Blacklist: A crash that caused the proxy to restart has been fixed (#13023 (https://bugzilla.ipfire.org/show_bug.cgi?id=13023))
pmacct: #13159 (https://bugzilla.ipfire.org/show_bug.cgi?id=13159) has been fixed which fixes some invalid directives in the default configuration.
The SquidClamAV add-on has been removed: This used to be able to scan any plaintext content that passed through the web proxy. With Internet traffic being predominantly HTTPS and therefore not scannable, this feature does not serve any useful purpose and has therefore been removed.
We would like to thank all people contributing to this release. Please help testing this update, especially if you are using exotic hardware, uncommon network setups, or add-ons, and provide feedback - which is absolutely essential to us. And if you like to support our team, please donate (https://www.ipfire.org/donate).
More... (https://blog.ipfire.org/post/ipfire-2-27-core-update-177-is-available-for-testing)