View Full Version : IPFire 2.29 - Core Update 193 is available for testing



siosios
03-19-2025, 05:27 AM
Hello Community!
Only a few days after releasing the latest update, we are excited to begin testing the next one. It comes with support for Post-Quantum Cryptography in IPsec as well as a new toolchain and a lot of bug and security updates.
Post-Quantum Cryptography for IPsec tunnels
IPsec tunnels now support key exchanges using the post-quantum Module-Lattice-Based Key-Encapsulation Mechanism (https://csrc.nist.gov/pubs/fips/203/final) (ML-KEM). This algorithm is believed to be secure against adversaries who possess a quantum computer and is therefore hardening the security of those tunnels that use it.
In IPFire, this is now enabled by default for new tunnels together with Curve448, Curve25519, various other NIST-certified elliptic curve algorithms and RSA-4096 and RSA-3072. This choice will ensure that modern cryptography is being used when available, but IPFire will remain compatible with older solutions from other vendors. Of course you may enable this for existing tunnels on the advanced settings page of the tunnel.
Additionally, we have updated the default list of ciphers for new tunnels: We prefer using AES-256 in either GCM or CBC mode, or ChaCha20-Poly1305 by default. AES-128 is no longer included in the default cipher list as it has weaker security and most hardware has acceleration for AES where AES-256 should always achieve the same throughput.
This way, the primary way to build VPN networks over the internet has become even more secure and ready for 2025 and onwards.
Toolchain Update
IPFire has been updated to use glibc - the C standard library - in version 2.41 and Binutils - the assembler and linker - in version 2.44. They are fundamental building blocks of the OS and we like to keep IPFire as modern as possible so that we generate the most optimal code which takes advantage of most recent hardware features. And of course, as this is the most crucial code outside of the kernel itself, they are important to keep IPFire hardened.
Misc.

The discontinued Botnet C2 blocklist from abuse.ch has been removed
The archive of firmware and microcodes has been updated including fixes for

Security updates for INTEL-SA-01166 (https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01166.html)
Security updates for INTEL-SA-01213 (https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01213.html)
Security updates for INTEL-SA-01139 (https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01139.html)
Security updates for INTEL-SA-01228 (https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01228.html)
Security updates for INTEL-SA-01194 (https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01194.html)


A bug with an incorrect serial number has been fixed which prevented renewing the IPsec host certificate
Stephen Cuka (http://n00bunlimited.net//users/stephen) has submitted his first patch with some aesthetic improvements for the Firewall Groups page
lucatrv (http://n00bunlimited.net//users/lucatrv) has added DNS-over-TLS to the list of default services
It is very important to us to keep IPFire up to date and get any fixes and improvements from upstream, therefore we once again update large parts of the distribution:

Apache 2.4.63
autoconf 2.72
BIND 9.20.6
binutils 2.44
btrfs-progs 6.13
dhcpcd 10.20.1
diffutils 3.11
expat 2.7.0

Fixes CVE-2024-8176 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-8176)


fmt 11.1.3
fontconfig 2.16.0
glibc 2.41
harfbuzz 10.2.0
Intel Microcode 20250211
jQuery 3.7.1
kmod 34
libexif 0.6.25
libffi 3.4.7
libloc 0.9.18 (https://lists.ipfire.org/location/5635E989-C74F-4FCF-BB17-91E6615E279C@ipfire.org/T/#u)
libxcrypt 4.4.38
libyang 3.7.8
Linux Firmware 20250211
LVM2 2.03.30
Pango 1.56.1
PCRE2 10.45
SQLite 3.49.1
squid 6.13
strongSwan 6.0.0
tcl 9.0.1
tzdata 2025a
vim 9.1.1153
vnstat 2.13
which 2.23
wpa_supplicant 2.11
xfsprogs 6.13.0
zstd 1.5.7


Add-ons

Updated packages:

aws-cli 1.37.4
ddrescue 1.29
FLAC 1.4.3
gdb 16.1
Git 2.48.1
HAProxy 3.1.2
htop 3.4.0
lynis 3.1.3
mc 4.8.33
monit 5.34.4
mpd 0.23.17
nfs 2.8.2
openvmtools 12.5.0
Postfix 3.10.1
python3-botocore 1.36.5
rpcbind 1.2.7
Samba 4.21.4
tcpdump 4.99.5
tmux 3.5a
traceroute 2.1.6
tshark 4.4.5




More... (https://www.ipfire.org/blog/ipfire-2-29-core-update-193-is-available-for-testing)