OPNsense 15.7 released

Franco Fichtner franco at opnsense.org
Thu Jul 2 21:22:54 CEST 2015

A good evening to you all,

while the summer is hot, we push forward to what now is
15.7 -- nicknamed 'Brave Badger' -- right in front of you.
A lot of effort went into this project during the past 6
months, and we dare say it has been worth all of it.  We
would like to thank our followers and friends and feedback
givers and forum lurkers and contributors and doubters and
supporters that helped to make 15.7 what it is.  We wouldn’t
be here without any of you.  Thank you.

In itself, 15.7 is a simple upgrade from 15.1.12 which we
recommend to everyone.  What changes is that development
will move to a different branch so that from now on
regressions are less likely and therefore stability will
increase further.  The provided images may also be the only
ones for the next 6 months as we are confident in their
longevity and the online upgrade path.  We have also bumped
the LibreSSL flavour to a production-ready state and encourage
everyone to try it out.  The installer’s import configuration
tool coupled with a quick and easy installation can help you
move from OpenSSL to LibreSSL and back seamlessly.

The biggest addition is the intrusion detection integration
(suricata) as well as new local and remote blacklist options
for the proxy server (squid).  Security-wise, it has been
rather quiet with only a few CVEs in third-party tools.
Please see the full patch notes for details and references:

o kernel: borrowed a dummynet / ipnat patch from m0n0wall to
	enable symmetric traffic shaping when NAT is involved
o kernel: fix recurse lock panic for tmpfs in conjunction
	with unionfs
o kernel: applied two stable patches that prevent squid from
	crashing [1]
o kernel: retired ALTQ support
o base: sendmail TLS/DH Interoperability Improvement [2]
o base: improved iconv(3) UTF-7 support [3]
o base: inconsistency between locale and rune locale states [4]
o notable ports updates: phalcon 2.0.3 [5], curl 7.43.0_2 [6],
	openssh 6.8p1_8, python 2.7.10 [7], perl 5.20.2_5 [8],
	ntp 4.2.8p3 [9], libxml2 2.9.2_3 [10],
	openldap24-server 2.4.41 [11]
o opnsense-update: will no longer try to reinstall the
	installed version after a fresh installation
o bsdinstaller: bring back cpdup to error out on low memory
	installation (you need 1 GB of RAM, or work around
	installation using the nano image)
o traffic shaper: removed legacy queues support in favour of
	the new traffic shaper functionality
o traffic shaper: allow direct enable/disable toggle
o proxy: fix the initial daemon start on bootup
o proxy: added LAN as the default interface configuration
o proxy: local and remote blacklists with regex support
o intrusion detection: initial release of our IDS GUI based
	on suricata
o gateways: monitoring mode gained IPv6 support
o captive portal: fix idle timeout bug
o captive portal: do not delete the wrong zone when having
	multiple configurations
o captive portal: removed include files from exposed web directory
o backend: always regenerate users and groups to avoid corruption
	after an unclean shutdown
o backend: wait for configd socket to come up to address a
	startup race issue
o backend: clean up configd socket on exit
o backend: fixed regression that prevented user scripts from
	being started via /etc/rc.conf
o gateways: only show apinger in services when monitoring is
	enabled for a gateway
o languages: brought Simplified Chinese to 49% completed,
	German to 30% completed
o universal plug and play: make page invoke static to remove
	exploitability of the legacy packages framework
o crash reporter: finally enabled the send button and provides
	human-readable feedback whether the submission was
o console: added non-interactive interface assignment for
	headless deployments
o ssh: disable password authentication on factory reset to align
	with the standard configuration
o diagnostics: avoid duplicated calls of gethostbyaddr() in
	NDP table view
o users: prompt for old password on password change to prevent
	account hijacking
o users: stripped the impossible scponly user privileges since
	said utility has never been part of our ecosystem

Images can be found on any of our mirrors, but they may take a
few hours to sync.  The checksums are attached at the end of
this announcement for convenience.


Stay safe,
Your OPNsense team

[1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=195802
[2] https://www.freebsd.org/security/advisories/FreeBSD-EN-15:08.sendmail.asc
[3] https://www.freebsd.org/security/advisories/FreeBSD-EN-15:10.iconv.asc
[4] https://www.freebsd.org/security/advisories/FreeBSD-EN-15:09.xlocale.asc
[5] https://github.com/phalcon/cphalcon/releases/tag/phalcon-v2.0.3
[6] http://curl.haxx.se/changes.html
[7] https://hg.python.org/cpython/raw-file/15c95b7d81dc/Misc/NEWS
[8] http://perldoc.perl.org/perl5202delta.html
[9] http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ChangeLog-stable
[10] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-1819
[11] http://www.openldap.org/software/release/readme.html


