IPFire 2.15 – Core Update 81 comes with nine security vulnerability fixes in the OpenSSL package and some other minor bugfixes. This update is going to be released very soon, and we would therefore like your help in verifying that everything is working fine.
OpenSSL 1.0.1i
These OpenSSL security fixes are filed under CVE-2014-3508, CVE-2014-5139, CVE-2014-3509, CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3510, CVE-2014-3511, and CVE-2014-3512. They affect various protocols and parts of the library, but all are of moderate severity. We still recommend installing the update as soon as possible.
Misc
- The firewall has been extended to detect more types of port scans over the TCP protocol, and connections that are marked as invalid by the connection tracking system are now dropped. Some broken TCP/IP stacks, such as the ones we find in the Android OS, caused packets to get from the internal networks to RED without being masqueraded.
- ddns – The new dynamic DNS updater
  - The log message written when no update has been performed has been silenced and is only visible in debugging mode. This was a request by users of flash drives.
  - Using special characters like “%” in passwords is now possible.
  - Support for regfish.com has been fixed.
- lzo has been downgraded to version 2.06 because it did not work on ARM anymore. However, the security fix from the last core update has been backported.
- OpenVPN: When creating a new roadwarrior connection, a required field of the certificate form was not validated correctly if no input was given.
Add-ons
- The tor addon has been updated to version 0.2.4.23, which includes a fix so that users of the network cannot be de-anonymized easily.
- check_mk_agent has been added.
As we are going to release this Core Update very soon, we would like you to help us with testing. You can find the update in the testing tree. After you have installed and tested it, please send us your feedback right away!