siosios
11-23-2023, 12:15 PM
Happy Thanksgiving! Today, we are releasing the latest update for IPFire as our special Black Friday gift for you. It comes with a large number of security updates in OpenSSL, Suricata, Apache & Samba as well as a number of kernel fixes.
If you haven't spent all your money on all the great Black Friday offers, maybe consider making a donation to IPFire today. It helps us to bring you these updates more frequently and allows us to pack more exciting things into them. If you would like to support us, please donate today (https://www.ipfire.org/donate)!
Under The HoodThis update features yet another kernel update based on Linux 6.1.61. It brings various security & stability fixes as well as improving IOMMU handling on ARM. To improve security, we have followed Google (https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html) and disabled io_uring for the time being as it seems to have a lot of security issues.
We have also switched from eudev to the upstream udev which is now part of systemd as eudev is no longer maintained and was lagging behind upstream.
Security Updates
OpenSSL 3.1.4: The OpenSSL project announced a security vulnerability (https://www.openssl.org/news/secadv/20231024.txt) (CVE-2023-5363 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-5363))
suricata 6.0.15: This update patches a potential denial-of-service vulnerability in the MIME decoder
Apache 2.4.58 patches a number of security issues in the HTTP/2.0 engine (CVE-2023-45802 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-45802), CVE-2023-43622 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-43622) & CVE-2023-31122 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-31122))
Samba 4.19.2: Various security issues have been fixed which could be exploited to cause data loss and elevate privileges (CVE-2023-3961 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-3961), CVE-2023-4091 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4091), CVE-2023-4154 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4154), CVE-2023-42669 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-42669) & CVE-2023-42670 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-42670))
Misc.
A long standing issue in OpenVPN has been fixed where the web UI offered to download a configuration package in an incorrect format when no password was configured (#11048 (https://bugzilla.ipfire.org/show_bug.cgi?id=11048))
Other package updates: lynis 3.0.9, Postfix 3.8.2, sysvinit 3.08, Tor 0.4.8.7, Zabbix Agent 6.0.22
More... (https://blog.ipfire.org/post/ipfire-2-27-core-update-181-released)
If you haven't spent all your money on all the great Black Friday offers, maybe consider making a donation to IPFire today. It helps us to bring you these updates more frequently and allows us to pack more exciting things into them. If you would like to support us, please donate today (https://www.ipfire.org/donate)!
Under The HoodThis update features yet another kernel update based on Linux 6.1.61. It brings various security & stability fixes as well as improving IOMMU handling on ARM. To improve security, we have followed Google (https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html) and disabled io_uring for the time being as it seems to have a lot of security issues.
We have also switched from eudev to the upstream udev which is now part of systemd as eudev is no longer maintained and was lagging behind upstream.
Security Updates
OpenSSL 3.1.4: The OpenSSL project announced a security vulnerability (https://www.openssl.org/news/secadv/20231024.txt) (CVE-2023-5363 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-5363))
suricata 6.0.15: This update patches a potential denial-of-service vulnerability in the MIME decoder
Apache 2.4.58 patches a number of security issues in the HTTP/2.0 engine (CVE-2023-45802 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-45802), CVE-2023-43622 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-43622) & CVE-2023-31122 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-31122))
Samba 4.19.2: Various security issues have been fixed which could be exploited to cause data loss and elevate privileges (CVE-2023-3961 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-3961), CVE-2023-4091 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4091), CVE-2023-4154 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-4154), CVE-2023-42669 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-42669) & CVE-2023-42670 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-42670))
Misc.
A long standing issue in OpenVPN has been fixed where the web UI offered to download a configuration package in an incorrect format when no password was configured (#11048 (https://bugzilla.ipfire.org/show_bug.cgi?id=11048))
Other package updates: lynis 3.0.9, Postfix 3.8.2, sysvinit 3.08, Tor 0.4.8.7, Zabbix Agent 6.0.22
More... (https://blog.ipfire.org/post/ipfire-2-27-core-update-181-released)