Download IPFire 2.27 – Core Update 185

IPFire is an open source firewall for i586, x86_64 and Arm systems. It includes an intrusion detection/prevention system, divides the network into zones, performs stateful packet inspection and offers VPN options. For more information please refer to this page. The developers have released version 2.27 Core Update 185, a stable release for production systems. The accompanying notes look like this:

IPFire 2.27 – Core Update 185 released

I am happy to announce that we finally have a new release of IPFire: IPFire 2.29 – Core Update 185. It comes with a brand new IPFire IPS based on Suricata 7, a number of bug fixes across the distribution and a good amount of package updates.

Suricata 7 – Intrusion Prevention System

Finally, Suricata 7 is here. A new major version of what the IPFire IPS is based on. It finally brings support for HTTP/2 which is no longer considered experimental and now supports deflate compression and byte-ranges. There are new keywords for HTTP header inspection, and support for handling TLS client certificates, support for IKEv1, the PostgreSQL protocol, a BitTorrent parser, and last but not least QUICv1 and GQUIC. Suricata is also locking itself down more using Linux Landlock to prevent any damage in case the process could be exploited; and the developers have spent time to make it slightly more memory efficient.

This update fixes a Denial-Of-Service vulnerability where the firewall would accept packets if an attacker was able to crash the Suricata service. We have not observed this being exploited, but found this problem when testing this release.

From abuse.ch, we have added the ThreatFox Indicators Of Compromise Rules. Those rules help to identify any local hosts that might have been compromised by detecting traffic to, for example, botnets. The PT Attack and Secureworks rulesets have been dropped as they are no longer available.

Toolchain Update

IPFire has been rebased on glibc 2.39 (the C standard library) and binutils 2.42. IPFire is also now being compiled with the highest set of source fortification, -D_FORTIFY_SOURCE=3. That means that the compiler is adding compile time and runtime checks to avoid common errors like buffer overruns and overflows, and so any undetected security vulnerabilities will be harder to exploit. Finally, we are now compiling the system with less debugging information, which we don't need, which slightly speeds up the compilation process.

Misc.

  • OpenVPN
    • Previously, the UI allowed creating certificates with a common name that was already in use (#13404)
    • Imported net-to-net connections did not show correctly whether the certificate was password-protected (#13548)
    • The OpenSSL configuration file has been cleaned up (#13595)
  • The time server configuration page is now showing the current system time
  • Custom DHCP options of type “integer 8” are now possible to configure (#12395)
  • Comments have sometimes been incorrectly encoded to ISO-8859-1 which broke Umlauts and other special and non-ASCII characters
  • Intel has published microcode updates for various of their processors to fix or mitigate the following security vulnerabilities:
  • The CA certificate bundle has been updated
  • Some basic functions of the initscripts have been cleaned up and enhanced to write shorter scripts
  • Updated packages: elfutils 0.191, ethtool 6.7, expat 2.6.2, knot 3.3.5, libffi 3.4.6, libpng 1.6.42, libplist 2.4.0, libgpg-error 1.48, intel-microcode 20240312, iproute2 6.8.0, meson 1.4.0, newt 0.52.24, OpenJPEG 2.5.2, OpenSSH 9.7p1, pango 1.52.0, pciutils 3.11.1, pixman 0.43.4, poppler 24.03.0, qpdf 11.9.0, shadow 4.15.0, SQLite 3.45.2, squid 6.8, Suricata 7.0.3, Tcl 8.6.14, Unbound 1.19.3, util-linux 2.39.3, wget 1.24.5, whois 5.5.21, xz 5.6.1

Add-Ons

  • wsdd is a service that implements the Web Service Discovery protocol for Windows. This enables clients from Windows 10 or older to discover any file shares exported by the Samba service. It will be automatically installed on all machines that run Samba. (#13445)
  • Updated packages: ClamAV 1.3.0, dnsdist 1.9.1, GDB 14.2, Ghostscript 10.03.0, Git 2.44.0, gptfdisk 1.0.10, libmpdclient 2.22, mpc 0.35, mpd 0.23.15, mympd 14.1.0, opus 1.5.1, Samba 4.19.5, SDL 2.30.1, Zabbix Agent 6.0.24 (LTS)
  • Entries to the IPFire web UI menu have been added for VDR and transmission if installed
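
The toolchain section above mentions building with -D_FORTIFY_SOURCE=3. As an added example (not part of the IPFire release notes or code base), this C program shows the size lookup that separates level 3 from level 2: level 2 checks rely on __builtin_object_size, which only knows sizes that are compile-time constants, while level 3 uses __builtin_dynamic_object_size, which can also follow a size computed at run time. The helper fortified_copy, the verdict enum and the sample payload are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Level 3 uses __builtin_dynamic_object_size (GCC 12+, Clang 9+); older
   compilers fall back to the constant-only builtin that level 2 uses. */
#if defined(__has_builtin)
#  if __has_builtin(__builtin_dynamic_object_size)
#    define BOS_DYNAMIC(p) __builtin_dynamic_object_size((p), 0)
#  endif
#endif
#ifndef BOS_DYNAMIC
#  define BOS_DYNAMIC(p) __builtin_object_size((p), 0)
#endif
#define BOS_STATIC(p) __builtin_object_size((p), 0)
#define BOS_UNKNOWN ((size_t)-1)

enum verdict { COPY_OK, COPY_REFUSED, COPY_UNCHECKED };

/* Hypothetical helper: what would a fortified memcpy decide for `len` bytes
   copied into a heap buffer whose size `cap` is only known at run time? */
enum verdict fortified_copy(size_t cap, const char *src, size_t len, int level)
{
    char *dst = malloc(cap);
    if (dst == NULL)
        return COPY_REFUSED;
    size_t bound = (level >= 3) ? BOS_DYNAMIC(dst) : BOS_STATIC(dst);
    enum verdict v = COPY_OK;
    if (bound != BOS_UNKNOWN && len > bound)
        v = COPY_REFUSED;      /* a fortified memcpy would abort here */
    else if (len > cap)
        v = COPY_UNCHECKED;    /* overflow not seen; the demo skips the copy */
    else
        memcpy(dst, src, len); /* fits: copy for real */
    free(dst);
    return v;
}

int main(int argc, char **argv)
{
    /* Constructed input: 32 bytes aimed at a buffer sized at run time. */
    static const char src[32] = "constructed-sample-payload-0123";
    static const char *names[] = { "ok", "refused", "unchecked" };
    size_t cap = (argc > 1) ? strtoul(argv[1], NULL, 10) : 16;
    printf("level 2: %s\n", names[fortified_copy(cap, src, sizeof src, 2)]);
    printf("level 3: %s\n", names[fortified_copy(cap, src, sizeof src, 3)]);
    return 0;
}
```

Built with GCC 12 or newer at -O2, the default 16-byte buffer typically reports level 2 as unchecked and level 3 as refused; without optimisation both builtins report the size as unknown.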

Version number: 2.27 – Core Update 185
Release status: Final
Operating systems: Linux
Website: IPFire
Download: https://www.ipfire.org/download/ipfire-2.27-core185
License type: GPL