Hello Community!
Only a few days after releasing the latest update, we are excited to begin testing the next one. It comes with support for Post-Quantum Cryptography in IPsec as well as a new toolchain and a lot of bug and security updates.
Post-Quantum Cryptography for IPsec tunnels
IPsec tunnels now support key exchanges using the post-quantum Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM). This algorithm is believed to be secure against adversaries who possess a quantum computer and is therefore hardening the security of those tunnels that use it.
In IPFire, this is now enabled by default for new tunnels together with Curve448, Curve25519, various other NIST-certified elliptic curve algorithms and RSA-4096 and RSA-3072. This choice will ensure that modern cryptography is being used when available, but IPFire will remain compatible with older solutions from other vendors. Of course you may enable this for existing tunnels on the advanced settings page of the tunnel.
Additionally, we have updated the default list of ciphers for new tunnels: We prefer using AES-256 in either GCM or CBC mode, or ChaCha20-Poly1305 by default. AES-128 is no longer included in the default cipher list as it has weaker security and most hardware has acceleration for AES where AES-256 should always achieve the same throughput.
This way, the primary way to build VPN networks over the internet has become even more secure and ready for 2025 and onwards.
Toolchain Update
IPFire has been updated to use glibc - the C standard library - in version 2.41 and Binutils - the assembler and linker - in version 2.44. They are fundamental building blocks of the OS and we like to keep IPFire as modern as possible so that we generate the most optimal code which takes advantage of most recent hardware features. And of course, as this is the must crucial code outside of the kernel itself, they are important to keep IPFire hardened.
Misc.
- The discontinued Botnet C2 blocklist from abuse.ch has been removed
- The archive of firmware and microcodes has been updated including fixes for
- Security updates for INTEL-SA-01166
- Security updates for INTEL-SA-01213
- Security updates for INTEL-SA-01139
- Security updates for INTEL-SA-01228
- Security updates for INTEL-SA-01194
- A bug with an incorrect serial number has been fixed which prevented to renew the IPsec host certificate
- Stephen Cuka has submitted his first patch with some aesthetic improvements for the Firewall Groups page
- lucatrv has added DNS-over-TLS to the list of default services
- It is very important to us to keep IPFire up to date and get any fixes and improvements from upstream, therefore we once again update large parts of the distribution:
- Apache 2.4.63
- autoconf 2.72
- BIND 9.20.6
- binutils 2.44
- btrfs-progs 6.13
- dhcpcd 10.20.1
- diffutils 3.11
- expat 2.7.0
- Fixes CVE-2024-8176
- fmt 11.1.3
- fontconfig 2.16.0
- glibc 2.41
- harfbuzz 10.2.0
- Intel Microcode 20250211
- jQuery 3.7.1
- kmod 34
- libexif 0.6.25
- libffi 3.4.7
- libloc 0.9.18
- libxcrypt 4.4.38
- libyang 3.7.8
- Linux Firmware 20250211
- LVM2 2.03.30
- Pango 1.56.1
- PCRE2 10.45
- SQLite 3.49.1
- squid 6.13
- strongSwan 6.0.0
- tcl 9.0.1
- tzdata 2025a
- vim 9.1.1153
- vnstat 2.13
- which 2.23
- wpa_supplicant 2.11
- xfsprogs 6.13.0
- zstd 1.5.7
Add-ons
- Updated packages:
- aws-cli 1.37.4
- ddrescue 1.29
- FLAC 1.4.3
- gdb 16.1
- Git 2.48.1
- HAProxy 3.1.2
- htop 3.4.0
- lynis 3.1.3
- mc 4.8.33
- monit 5.34.4
- mpd 0.23.17
- nfs 2.8.2
- openvmtools 12.5.0
- Postfix 3.10.1
- python3-botocore 1.36.5
- rpcbind 1.2.7
- Samba 4.21.4
- tcpdump 4.99.5
- tmux 3.5a
- traceroute 2.1.6
- tshark 4.4.5