OPNsense 17.1.7 released

Franco Fichtner franco at opnsense.org
Thu May 18 15:39:33 CEST 2017

Hi there,

OpenVPN released version 2.4.2 and also 2.3.15 which come with two high
profile fixes addressing CVE-2017-7479 and CVE-2017-7478.  While we still
aim for OpenVPN 2.4 adoption during the 17.1 series, we have deferred
updating the release version from 2.3 to 2.4 at this point to be able
to respond more quickly.

Here are the full patch notes:

o system: fix gateway failover edge cases missed in 17.1.6
o system: fix default route display in diagnostics page
o system: consistent precision display in gateway monitoring loss and RTT
o system: correctly restart cron via backend call
o system: use the internal RC script name instead of file name to
  load its variables
o system: keep WAN DHCPv6 configuration option on console port reassign
o system: unify the console yes/no prompts to indicate
  their default behaviour
o system: separate row and unhide button for 2FA OTP QR code display
o system: prevent stripping of migrated configuration during factory reset
o firmware: opnsense-bootstrap bare-mode addition for installing
  repository metadata only
o firmware: opnsense-bootstrap will never be deleted in case it is
  required for recovery
o firmware: opnsense-revert now always properly reverts the core package
o firmware: fix argument parsing in all update and development utilities
o firewall: do not save range when end port is empty
o firewall: do not automatically reload filter after alias delete
o firewall: skip well-known ports for ranges
o firewall: fetching bogon files should not use fetch internal auto-retry
o interfaces: fix bug that prevented creation of IPv6 cache
  IP files (contributed by @theq89)
o interfaces: defer reload of the filter on IPv6 renewal and keep it local
o interfaces: avoid potential configure loops in IPv4 renewal
o interfaces: improve diagnostic messages on boot
o interfaces: correct usage of interface cache files and properly
  clear them during boot
o ipsec: enable CA field for hybrid and mutual RSA Xauth
o dynamic dns: fix prototype declaration (contributed by Evgeny Bevz)
o dynamic dns: add support for STRATO
o mvc: fix iteration over several config nodes to avoid
  "Node no longer exists" type warnings
o plugins: quagga 1.1.1 fixes reload of BGPv4 tables and
  modal closing (contributed by Fabian Franz)
o plugins: monit 1.1 fixes import sender address and
  validation (contributed by Frank Brendel)
o src: removed duplicate unbound from FreeBSD base system
o src: added locales to e.g. allow tmux to start up correctly
o src: Xen migration enhancements[1]
o src: allow TOS value zero and add extended DSCP support
o ports: openvpn 2.3.15[2]
o ports: php 7.0.19[3]
o ports: squid 3.5.25[4]
o ports: sudo 1.8.20[5]

Stay safe,
Your OPNsense team

[1] https://www.freebsd.org/security/advisories/FreeBSD-EN-17:05.xen.asc
[2] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23
[3] http://php.net/ChangeLog-7.php#7.0.19
[4] http://ftp.meisei-u.ac.jp/mirror/squid/squid-3.5.25-RELEASENOTES.html
[5] https://www.sudo.ws/stable.html
