IPFire 2.17 – Core Update 94 has been pushed to the testing tree. It contains smaller security fixes and is a maintenance release in general. Please test!
OpenSSH
OpenSSH was updated to version 7.1p1. With that, we added support for elliptic curves (ECDSA and ED25519) and removed support for DSA, which is considered broken. RSA keys that are too small are removed as well and regenerated. This may require you to import the keys of the IPFire system on your admin computer again.
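To find which entries in an admin computer's known_hosts file will stop matching after this change, the stored key blobs can be parsed directly. The following is an added example, not code from IPFire or OpenSSH. The 2048-bit RSA threshold is an assumption (this announcement does not state the size), and the host names and key blobs are constructed sample data.

```python
import base64
import struct

def _read_string(buf, off):
    """Read one SSH wire 'string': uint32 big-endian length, then the bytes."""
    end = off + 4 + struct.unpack(">I", buf[off:off + 4])[0]
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:end], end

def stale_reason(b64_blob, min_rsa_bits):
    """Return why a host key would be gone after the update, or None."""
    blob = base64.b64decode(b64_blob, validate=True)
    name, off = _read_string(blob, 0)
    if name == b"ssh-dss":
        return "DSA host key"
    if name == b"ssh-rsa":  # blob layout: type name, exponent e, modulus n
        _exponent, off = _read_string(blob, off)
        bits = int.from_bytes(_read_string(blob, off)[0], "big").bit_length()
        if bits < min_rsa_bits:
            return f"{bits}-bit RSA host key"
    return None

def audit_known_hosts(text, min_rsa_bits=2048):  # threshold is an assumption
    """List (host, reason) for known_hosts entries that need re-importing."""
    flagged = []
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("@"):  # @cert-authority / @revoked
            fields = fields[1:]
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        try:
            reason = stale_reason(fields[2], min_rsa_bits)
        except (ValueError, struct.error):  # bad base64 or truncated blob
            reason = "unparseable key blob"
        if reason:
            flagged.append((fields[0], reason))
    return flagged

def _line(host, ktype, *parts):  # builds constructed sample lines, not real keys
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (ktype.encode(), *parts))
    return f"{host} {ktype} {base64.b64encode(blob).decode()}"

SAMPLE = "\n".join([  # constructed entries; the host names are placeholders
    _line("fw-a.example", "ssh-dss", b"\x01", b"\x02", b"\x03", b"\x04"),
    _line("fw-b.example", "ssh-rsa", b"\x01\x00\x01", b"\x00\xc3" + b"\x01" * 127),
    _line("fw-c.example", "ssh-rsa", b"\x01\x00\x01", b"\x00\xc3" + b"\x01" * 255),
    _line("fw-d.example", "ssh-ed25519", b"\x07" * 32),
])
```

Calling `audit_known_hosts(SAMPLE)` flags the DSA entry and the 1024-bit RSA entry. A flagged entry should be replaced only after the new host key fingerprint has been verified over a trusted channel.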
Internal mail agent
An internal mail agent was added that is used by internal services to send out reports or alerts. So far only a few services use this (like the squid accounting add-on), but we expect to add more things in the future.
This is a very simple and lightweight mail agent that can be configured on the web user interface and will usually require an upstream mail server.
IPsec MOBIKE
A new checkbox has been added to the advanced settings page of an IPsec connection. It allows forcing the use of MOBIKE, a technology that helps IPsec traverse NAT better. Sometimes, behind faulty routers, IPsec connections can be established, but no data can be transferred and the connection breaks very quickly (some routers have difficulties with forwarding DPD packets). MOBIKE circumvents that by using UDP port 4500 for IKE messages.
Misc
- Required fields are now marked with a star. Previously this was the other way round, so that optional fields were marked with a star, which is not seen anywhere on the web any more.
- The monthly forced ddns update has been removed since ddns itself takes care of keeping all records up to date and refreshing them after 30 days if necessary.
- fireinfo: Some crashes were fixed with IDs that only contain 0xff
Updated packages
bind 9.10.2-P4, coreutils 8.24, dnsmasq got the latest changes imported, file 5.24, glibc (security fixes), hdparm 9.48, iproute2 4.2.0, libgcrypt 1.6.4, libgpg-error 1.20, pcre (fixes for more buffer overflows), rrdtool 1.5.4, squid 3.4.14
Please help us test this release. For our very keen testers, we now also have nightly builds.
This update does not require a reboot, though it is recommended.