Just a couple of days after the release of IPFire 2.21 - Core Update 130, the next release is available for testing. This is an emergency update with various bug fixes and a large number of security fixes.
Security
IPFire 2.21 - Core Update 130 contains security updates for the following packages:
Apache
2.4.39: The Apache Web Server, which runs the IPFire Web User Interface, was vulnerable for various privilege escalations (CVE-2019-0211), access control bypasses (CVE-2019-0215, CVE-2019-0217), DoS attacks (CVE-2019-0197), buffer overflow (CVE-2019-0196) and a URL normalisation inconsistency (CVE-2019-0220). They are all regarded to be of "low" severity.wget
1.20.3: wget has had multiple vulnerabilities that allowed an attacker to execute arbitrary code (CVE-2019-5953).clamav
0.101.2: ClamAV, the virus scanner, has had multiple vulnerabilities that allowed DoS and a buffer overflow in a bundled third-party library.
Although some of these vulnerabilities are only of low severity, we recommend to install this update as soon as possible!
IPsec Regression
The last update introduced a regression in the IPsec stack that caused that the firewall could no longer access any hosts on the remote side when the tunnel was run in tunnel mode without any VTI/GRE interfaces. This update fixes that.
This update is available in testing and we are planning to make it generally available early next week.