OPNsense 17.7.9 released

Franco Fichtner franco at opnsense.org
Thu Dec 7 13:46:00 UTC 2017

Hi all,

Today a XSS vulnerability in the certificate manager is being fixed
that is based on a crafted certificate being imported into the system.
PHP was finally updated from 7.0 to 7.1 which should make things a bit
faster.  Last but not least, the HAProxy plugin by Frank Wall receives
a major update for improved usability, several new features and two
bug fixes.

Here are the full patch notes:

o system: fix XSS with crafted certificates in certificate manager[1]
o system: removed duplicated firmware privileges
o system: fix resolving routes in diagnostics page
o system: regenerated DH parameters
o dhcp: support stateless DHCPv6
o firmware: kernel and base set visibility and better API session handling
o intrusion detection: improve download and install speed of et-open rules
o intrusion detection: add TLS and HTTP logging in eve and alert log viewer
o openvpn: allow remote network in peer to peer modes
o web proxy: better service and API session handling
o router advertisements: advertise on VIPs belonging to the same interface
o configd: allow template overrides via optional target directory
o mvc: prepare for use-based language setting (contributed
  by Alexander Shursha)
o mvc: prepare for auto-generated page titles
o mvc: tighten against frame-based attacks
o mvc: correctly hide advanced option headers in forms (contributed
  by Evgeny Bevz)
o ui: fix for deactivated storage in sticky "help all"
  toggle (contributed by Fabian Franz)
o ui: make "advanced mode" sticky too
o plugins: os-acme-client 1.12[2] (contributed by Frank Wall)
o plugins: os-arp-scan (contributed by Giuseppe De Marco)
o plugins: os-clamav 1.3 (contributed by Alexander Shursha)
o plugins: os-dyndns 1.4 adds Route53 IPv6 support (contributed
  by Kuo-Cheng Yeu)
o plugins: os-freeradius 1.3.1 (contributed by Michael Muenz)
o plugins: os-haproxy 2.0[3] (contributed by Frank Wall)
o plugins: os-relayd 1.2 fixes "check send" directive
o plugins: os-tor 1.3 (contributed by Fabian Franz)
o plugins: os-zabbix-agent 1.2 fixes service status indicator
o plugins: os-zabbix-proxy 1.0 (contributed by Michael Muenz)
o ports: ca_root_nss 3.34.1
o ports: curl 7.57.0[4]
o ports: lighttpd 1.4.48[5]
o ports: php 7.1.12[6]
o ports: pkg 1.10.3[7]
o ports: py-Jinja2 2.10[8]
o ports: syslogd 11.1

Stay safe,
Your OPNsense team

[1] https://github.com/opnsense/core/issues/1964
[2] https://github.com/opnsense/plugins/pull/336
[3] https://github.com/opnsense/plugins/pull/330
[4] https://curl.haxx.se/changes.html
[5] https://www.lighttpd.net/2017/11/11/1.4.48/
[6] http://de2.php.net/ChangeLog-7.php#7.1.12
[7] https://github.com/freebsd/freebsd-ports/commit/c6da09c68
[8] http://jinja.pocoo.org/docs/2.10/changelog/#version-2-10

More information about the announce mailing list