Download OPNsense 18.7.7


OPNsense is a firewall package with extensive capabilities. It is based on the FreeBSD operating system and originated as a fork of m0n0wall and pfSense. It can be set up completely via a web interface and supports 2FA, OpenVPN, IPsec, CARP and captive portal, among others. In addition, it can apply packet filtering and has a traffic shaper. The developers have released OPNsense 18.7.7 with the following announcement:

OPNsense 18.7.7 released

Dear all,

Today we are addressing CVE-2018-18958 regarding an unenforced “deny config write” privilege. The issue was reported by brainrecursion this Monday and subsequently fixed along with several related issues. The “deny config write” privilege coupled with admin or user and group manager rights are affected combinations. It is an uncommon way to configure access as the “deny config write” privilege is commonly used for role-based access to non-system services, e.g. captive portals.

As we cannot be sure that no further issues of this sort exist, please refrain from using the “deny config write” privilege or at least stop giving access to system services or full admin rights to these users or groups. In the midterm we will be looking for replacements of the current privilege for something that is more generic and robust in enforcement.

Additionally, the update to Suricata 4.0.6 addresses the SMTP crash vulnerability CVE-2018-18956. Since the update does not reboot without an operating system update, please manually restart the intrusion detection service.

Here are the full patch notes:

  • system: CVE-2018-18958 prevent restore of configuration of read-only user (reported by brainrecursion)
  • system: prevent related read-only user configuration manipulation for history and defaults pages
  • system: prevent several creative ways to strip read-only privileges in the user and group manager
  • system: allow wildcards in certificate subject alternative name
  • system: avoid direct $global access in routing setup
  • system: do not offer root-only opnsense-shell to non-root users
  • system: remove FreeBSD 10 password workaround
  • interfaces: use pure jquery to avoid browser-specific behavior
  • interfaces: nonfunctional cleanups in backend and interface GUI configuration
  • interfaces: clear the correct files IPv6 state files on interface down
  • interfaces: wait for PPPoE to fully exit on interface down
  • firewall: fix port alias conversion under new API
  • firewall: missing filter reload for port alias types
  • firewall: missing “other” type in VIP network expand
  • firewall: disabled alias should leave us with an empty one
  • firewall: category for “United States” moves from Pacific to America
  • firewall: resolve outbound NAT interface address in kernel
  • dhcp: only map enabled interfaces in IPv4 leases
  • dhcp: interface iteration code cleanups
  • dhcp: do not hand out IPv6 system DNS servers when Unbound or Dnsmasq are used
  • dhcp: IPv6 PD in manual DHCPv6 case (contributed by Team Rebellion)
  • dhcp: correctly merge prefix for IPv6 static leases in manual DHCPv6 case (contributed by Raimar Sandner)
  • firmware: add log file for package manager output
  • monit: use theme override for widget CSS (contributed by Fabian Franz)
  • ntp: internal cleanup of function argument order
  • rc: improvements in service startup scripting
  • rc: print date and time after successful boot
  • unbound: disable redirect type until fixed
  • web proxy: fix typo in description or upload caps (contributed by Juan Manuel Carrillo Moreno)
  • shell: stop router advertisement daemon too on console port reassign
  • mvc: remove errors in cron and monit API
  • plugins: os-freeradius 1.8.2 (contributed by Michael Muenz and Reza Ebrahimi)
  • plugins: os-nut 1.3 apcsmart and blazer_usb driver, reworked UI (contributed by Michael Muenz)
  • plugins: os-telegraf 1.7.1 adds ZFS input (contributed by Michael Muenz)
  • plugins: os-tinc now sets all defined subnets (contributed by QDaniel)
  • plugins: os-theme-cicada 1.8 (contributed by Team Rebellion)
  • plugins: os-theme-tukan 1.8 (contributed by Team Rebellion)
  • plugins: os-smart 1.5 standard widget coloring (contributed by Fabian Franz)
  • plugins: os-rspamd now uses scan_mime_parts (contributed by Michael Muenz)
  • ports: curl 7.62.0
  • ports: krb5 1.16.2
  • ports: strongswan 5.7.1
  • ports: suricata 4.0.6

stay safe,
Your OPNsense team
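
The announcement above advises against combining the “deny config write” privilege with admin or user and group manager rights. The following Python script is an added example, not part of the announcement or of OPNsense's own code; it audits the `<system>` section of a configuration export for users whose own and group-inherited privileges form that combination. The privilege identifiers and the XML layout of the sample are assumptions and should be checked against your own config.xml.

```python
import xml.etree.ElementTree as ET

# Assumed privilege identifiers (not given in the announcement); adjust to your config.xml.
DENY_WRITE = "user-config-readonly"
RISKY = {"page-all", "page-system-usermanager", "page-system-groupmanager"}

# Constructed sample of the <system> section, not taken from a real firewall.
SAMPLE = """<opnsense><system>
  <group><name>admins</name><gid>1999</gid><member>0</member><member>2001</member>
    <priv>page-all</priv></group>
  <group><name>portal-ops</name><gid>2000</gid><member>2002</member>
    <priv>user-config-readonly</priv><priv>page-services-captiveportal</priv></group>
  <user><name>root</name><uid>0</uid></user>
  <user><name>auditor</name><uid>2001</uid><priv>user-config-readonly</priv></user>
  <user><name>frontdesk</name><uid>2002</uid></user>
</system></opnsense>"""

def privs(node):
    # Accept both one <priv> element per right and a comma-separated list.
    out = set()
    for p in node.findall("priv"):
        out.update(x.strip() for x in (p.text or "").split(",") if x.strip())
    return out

def audit(xml_text):
    """Return {user: sorted risky rights} for users whose effective rights combine
    the deny-config-write privilege with admin or user/group manager access."""
    system = ET.fromstring(xml_text).find("system")
    groups = system.findall("group")
    findings = {}
    for user in system.findall("user"):
        uid = user.findtext("uid")
        effective = privs(user)
        for g in groups:
            # Group privileges apply to every uid listed as a <member>.
            if uid in [m.text for m in g.findall("member")]:
                effective |= privs(g)
        if DENY_WRITE in effective and effective & RISKY:
            findings[user.findtext("name")] = sorted(effective & RISKY)
    return findings

if __name__ == "__main__":
    for name, rights in audit(SAMPLE).items():
        print(f"{name}: deny config write combined with {', '.join(rights)}")
```

In the constructed sample only `auditor` is reported: the account holds the read-only privilege directly and inherits full admin rights from the `admins` group, while `frontdesk` is read-only with access to a non-system service only.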

Version number: 18.7.7
Release status: Final
Operating systems: BSD
Website: OPNsense
License type: Conditions (GNU/BSD/etc.)