IPFire 2.27 - Core Update 181 is available for testing



siosios
11-05-2023, 12:03 PM
It is time to test the latest version of IPFire: It comes with a large number of security updates in OpenSSL, Suricata, Apache & Samba as well as a number of kernel fixes.
Under The Hood

This update features yet another kernel update based on Linux 6.1.61. It brings various security & stability fixes as well as improving IOMMU handling on ARM. To improve security, we have followed Google (https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html) and disabled io_uring for the time being as it seems to have a lot of security issues.
We have also switched from eudev to the upstream udev which is now part of systemd as eudev is no longer maintained and was lagging behind upstream.
Security Updates

OpenSSL 3.1.4: The OpenSSL project announced a security vulnerability (https://www.openssl.org/news/secadv/20231024.txt) (CVE-2023-5363 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-5363))
Suricata 6.0.15: This update patches a potential denial-of-service vulnerability in the MIME decoder
Apache 2.4.58 patches a number of security issues in the HTTP/2.0 engine (CVE-2023-45802 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-45802), CVE-2023-43622 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-43622) & CVE-2023-31122 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-31122))
Samba 4.19.2: Various security issues have been fixed which could be exploited to cause data loss and elevate privileges (CVE-2023-3961 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-3961), CVE-2023-4091 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4091), CVE-2023-4154 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4154), CVE-2023-42669 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-42669) & CVE-2023-42670 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-42670))

Misc.

A long-standing issue in OpenVPN has been fixed where the web UI offered to download a configuration package in an incorrect format when no password was configured (#11048 (https://bugzilla.ipfire.org/show_bug.cgi?id=11048))
Other package updates: lynis 3.0.9, Postfix 3.8.2, sysvinit 3.08, Tor 0.4.8.7, Zabbix Agent 6.0.22

Please help us test this update and report any feedback back to us. If you like what we do, please support our developers with your donation (https://www.ipfire.org/donate).


More... (https://blog.ipfire.org/post/ipfire-2-27-core-update-181-is-available-for-testing)