View Full Version : IPFire 2.29 - Core Update 193 released



siosios
04-09-2025, 06:01 AM
We are happy to announce the release of IPFire 2.29 - Core Update 193. This is an important update that brings a number of significant improvements, including support for post-quantum cryptography in IPsec and a major update to the core toolchain. These changes are part of our ongoing work to keep IPFire secure, modern, and efficient. As always, we recommend installing this update as soon as possible to benefit from the latest enhancements and fixes.
Post-Quantum Cryptography for IPsec tunnels
IPsec tunnels now support key exchanges using the post-quantum Module-Lattice-Based Key-Encapsulation Mechanism (https://csrc.nist.gov/pubs/fips/203/final) (ML-KEM). This algorithm is believed to be secure against adversaries who possess a quantum computer and is therefore hardening the security of those tunnels that use it.
In IPFire, this is now enabled by default for new tunnels together with Curve448, Curve25519, various other NIST-certified elliptic curve algorithms and RSA-4096 and RSA-3072. This choice will ensure that modern cryptography is being used when available, but IPFire will remain compatible with older solutions from other vendors. Of course you may enable this for existing tunnels on the advanced settings page of the tunnel.
Additionally, we have updated the default list of ciphers for new tunnels: We prefer using AES-256 in either GCM or CBC mode, or ChaCha20-Poly1305 by default. AES-128 is no longer included in the default cipher list as it has weaker security and most hardware has acceleration for AES where AES-256 should always achieve the same throughput.
This way, the primary way to build VPN networks over the internet has become even more secure and ready for 2025 and onwards.
Read more about this on our blog (https://www.ipfire.org/blog/introducing-post-quantum-cryptography-for-ipsec-in-ipfire).
Toolchain Update
IPFire has been updated to use glibc - the C standard library - in version 2.41 and Binutils - the assembler and linker - in version 2.44. They are fundamental building blocks of the OS and we like to keep IPFire as modern as possible so that we generate the most optimal code which takes advantage of most recent hardware features. And of course, as this is the most crucial code outside of the kernel itself, they are important to keep IPFire hardened.
Misc.

The discontinued Botnet C2 blocklist from abuse.ch has been removed
The archive of firmware and microcodes has been updated including fixes for

Security updates for INTEL-SA-01166 (https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01166.html)
Security updates for INTEL-SA-01213 (https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01213.html)
Security updates for INTEL-SA-01139 (https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01139.html)
Security updates for INTEL-SA-01228 (https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01228.html)
Security updates for INTEL-SA-01194 (https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01194.html)


A bug with an incorrect serial number has been fixed which prevented the IPsec host certificate from being renewed
Stephen Cuka (http://n00bunlimited.net//users/stephen) has submitted his first patch with some aesthetic improvements for the Firewall Groups page
lucatrv (http://n00bunlimited.net//users/lucatrv) has added DNS-over-TLS to the list of default services
It is very important to us to keep IPFire up to date and get any fixes and improvements from upstream, therefore we once again update large parts of the distribution:

Apache 2.4.63
autoconf 2.72
BIND 9.20.6
binutils 2.44
btrfs-progs 6.13
dhcpcd 10.20.1
diffutils 3.11
expat 2.7.0

Fixes CVE-2024-8176 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-8176)


fmt 11.1.3
fontconfig 2.16.0
glibc 2.41
harfbuzz 10.2.0
Intel Microcode 20250211
jQuery 3.7.1
kmod 34
libexif 0.6.25
libffi 3.4.7
libloc 0.9.18 (https://lists.ipfire.org/location/5635E989-C74F-4FCF-BB17-91E6615E279C@ipfire.org/T/#u)
libxcrypt 4.4.38
libyang 3.7.8
Linux Firmware 20250211
LVM2 2.03.30
Pango 1.56.1
PCRE2 10.45
SQLite 3.49.1
squid 6.13
strongSwan 6.0.0
tcl 9.0.1
tzdata 2025a
vim 9.1.1153
vnstat 2.13
which 2.23
wpa_supplicant 2.11
xfsprogs 6.13.0
zstd 1.5.7


Add-ons

Updated packages:

aws-cli 1.37.4
ddrescue 1.29
FLAC 1.4.3
gdb 16.1
Git 2.48.1
HAProxy 3.1.2
htop 3.4.0
lynis 3.1.3
mc 4.8.33
monit 5.34.4
mpd 0.23.17
nfs 2.8.2
openvmtools 12.5.0
Postfix 3.10.1
python3-botocore 1.36.5
rpcbind 1.2.7
Samba 4.21.4
tcpdump 4.99.5
tmux 3.5a
traceroute 2.1.6
tshark 4.4.5


As always, we would like to thank everyone who supports the IPFire project — whether by contributing code, reporting bugs, or helping others in the community. If you enjoy using IPFire and want to see it continue to grow and improve, please consider supporting us with a donation (https://www.ipfire.org/donate) or by becoming a sponsor. Every contribution helps us keep development going strong and ensures that IPFire remains free and open for everyone.


More... (https://www.ipfire.org/blog/ipfire-2-29-core-update-193-released)
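
A check of existing tunnels against the IPsec defaults described in the announcement above, as an added example that is not part of the original post or IPFire's own code. It assumes strongSwan-style proposal strings; `audit_tunnel` is a hypothetical helper and the proposals are constructed samples, since the page does not show the configuration IPFire generates.

```python
import re

# Policy from the announcement: AES-256 (GCM or CBC) or ChaCha20-Poly1305,
# no AES-128, and ML-KEM offered alongside classical key exchanges.
# Token spellings are strongSwan proposal keywords (assumption: that syntax is in use).
ENC = re.compile(r"^(aes\d+|chacha20poly1305|3des|camellia\d+)")
PREFERRED = re.compile(r"^(aes256|aes256gcm\d+|chacha20poly1305)$")
MLKEM = re.compile(r"^(ke\d_)?mlkem(512|768|1024)$")


def audit_tunnel(proposals):
    """Return a list of findings for one tunnel's proposal strings."""
    findings = []
    pq_offered = False
    for proposal in proposals:
        tokens = proposal.strip().lower().split("-")
        enc = [t for t in tokens if ENC.match(t)]
        if not enc:
            findings.append(f"{proposal}: no encryption algorithm recognised")
        for token in enc:
            if not PREFERRED.match(token):
                findings.append(f"{proposal}: {token} is outside the new defaults")
        if any(MLKEM.match(t) for t in tokens):
            pq_offered = True
    # Older peers may still need a classical-only proposal, so ML-KEM is
    # checked per tunnel rather than per proposal.
    if not pq_offered:
        findings.append("tunnel: no proposal offers an ML-KEM key exchange")
    return findings


# Constructed sample tunnels, not taken from a real IPFire system.
SAMPLE_TUNNELS = {
    "new-default": ["aes256gcm16-prfsha384-x25519-ke1_mlkem768",
                    "chacha20poly1305-prfsha512-curve448"],
    "legacy": ["aes128-sha256-modp2048", "aes256-sha256-curve25519"],
}

if __name__ == "__main__":
    for name, proposals in SAMPLE_TUNNELS.items():
        for finding in audit_tunnel(proposals) or ["ok"]:
            print(f"{name}: {finding}")
```
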