Good day everyone,
This release picks up the new FreeBSD security advisories while also introducing assorted reliability improvements. CRL handling for elliptic curve keys works again with the adoption of phpseclib version 3. Wireless handling was improved in response to PHP 8 errors and coding style issues, and it remains the subject of further work for 23.1.
Here are the full patch notes:
- system: migrate CRL handling to phpseclib 3
- system: run monitor reload inside system_routing_configure()
- system: fix IPv6 link-local HTTP_REFERER check (contributed by Maurice Walker)
- system: fix assorted PHP 8 warnings in the codebase
- system: extend nameservers script return for debugging purposes, i.e. "configctl system list nameservers debug"
- system: lighttpd obsoletion of server listing directive, disabled by default
- system: decode stored CRL data before display (contributed by kulikov-a)
- interfaces: update link-local matching pattern
- interfaces: PPP is an exception, only created after interface configuration
- interfaces: only remove known primary addresses in interface_bring_down()
- interfaces: improve shell banner address return in prefix-only IPv6 case
- interfaces: improve problematic <wireless/> node handling
- interfaces: DHCP does not signal RELEASE
- interfaces: web GUI locale sorts files differently when invoking ifctl
- interfaces: improve legacy_interface_listget()
- interfaces: only parse actual options in legacy_interfaces_details(), not nd6 options
- firewall: implement a router file read fallback for new ifctl :slaac suffix
- firewall: sticky-address only in effect with pool option and multiple routers
- firewall: remove dead pptpd server code
- captive portal: lighttpd deprecation of legacy SSL options, disabled by default
- dhcp: allow rapid-commit message exchange in IPv6 server (contributed by Maurice Walker)
- firmware: major upgrade "pkgs" set was still unknown to plugin sync
- intrusion detection: fix enable rule button and present active detail overwrite if present
- ipsec: fixed widget link (contributed by Patrik Kernstock)
- unbound: improve FQDN handling when address is moving in DHCP watcher
- unbound: prevent DNS rebinding check and DNSSEC validation on explicit forwarded domains
- unbound: restrict creation of PTR records for both the system domain and host overrides
- unbound: add AAAA-only mode (contributed by Maurice Walker)
- lang: fix syntax errors in French translation (contributed by kulikov-a)
- ui: fix type cast issue in Bootgrid
- plugins: os-ddclient relaxes validation of description field
- plugins: os-frr 1.30[1]
- plugins: os-nginx now uses simplified NAME_setup service handling
- plugins: os-wireguard 1.12[2]
- plugins: os-zabbix-agent 1.13[3]
- plugins: os-zabbix-proxy 1.9[4]
- src: rc: improve NAME_setup integration
- src: zlib: fix a bug when getting a gzip header extra field with inflate()[5]
- src: tzdata: import tzdata 2022b and 2022c[6]
- ports: ldns 1.8.3[7]
- ports: liblz4 1.9.4
- ports: libxml 2.10.1[8]
- ports: nss 3.82[9]
- ports: phpseclib 3.0.14[10]
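As an added illustration of the unbound item above ("prevent DNS rebinding check and DNSSEC validation on explicit forwarded domains"), and not the configuration OPNsense itself generates, the unbound.conf fragment below shows the two stock unbound directives that achieve this for a constructed forwarded domain `corp.example` with a constructed upstream resolver at `192.0.2.53`. Without `private-domain`, an internal resolver returning RFC 1918 or ULA addresses for that domain would have its answers discarded by the rebinding protection configured through `private-address`; without `domain-insecure`, unbound would attempt DNSSEC validation against a zone the internal upstream cannot sign and return SERVFAIL. Both directives relax protections for exactly that domain and no other, so they belong only next to forward-zones whose upstream is under the operator's control.

```conf
server:
    # Rebinding protection: answers containing these ranges are dropped
    # unless the queried name is covered by a private-domain entry.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10

    # Constructed example domain. Allow private addresses in its answers,
    # i.e. skip the rebinding check for this domain only ...
    private-domain: "corp.example"
    # ... and do not attempt DNSSEC validation for it, since the internal
    # authoritative server behind the forward does not sign the zone.
    domain-insecure: "corp.example"

forward-zone:
    name: "corp.example"
    forward-addr: 192.0.2.53   # constructed upstream (TEST-NET-1, not a real resolver)
```

After reloading, a query such as `drill host.corp.example @127.0.0.1` should return the internal address rather than an empty answer, while queries for any other domain keep both the rebinding check and DNSSEC validation.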
A hotfix release was issued as 22.7.3_2:
- system: work around phpseclib 3 flagging RSA-PSS as an invalid key algorithm
- system: check for existing X509 class before doing CRL update
Stay safe,
Your OPNsense team