We have been busy baking another large update for you which is full of oozy goodness. It includes an updated toolchain based on GCC 10 and glibc 2.32 and we have added a lot of tuning which makes IPFire 33% faster on some systems.
Toolchain Update
IPFire is based on glibc 2.32, the standard library for all C programs, and GCC 10.2, the GNU Compiler Collection. Both bring various bug fixes and improvements.
The most notable change is that we have decided to remove a mitigation for Spectre 2 which caused user space programs in IPFire to run about 50% slower because it used a microcode feature called "retpoline". Those "return trampolines" disable the branch prediction engine in out-of-order processors, which was considered to help mitigate leaking information from inaccessible kernel space.
This is however not as effective as thought and massively decreases performance in the user land which mainly affects features like our Intrusion Prevention System, Web Proxy and URL filter. We still use this mechanism to avoid leaking any kernel memory into the user space.
On top of that, we have updated various tools used for building IPFire as well as core libraries.
We have also enabled a new GCC feature called "stack clash protection" on x86_64 and aarch64, which adds additional checks to mitigate exploits, and we have enabled "CF protection", which hardens all software against attackers gaining control over a program's flow and circumventing security checks like password or signature validation.
BootHole, aka GRUB 2.04
As reported in the media, there were various security vulnerabilities in the GRUB boot loader which is used in IPFire on x86_64, i586 and aarch64. These have now been patched in IPFire and the new boot loader is installed automatically.
Intel Security Vulnerabilities & Virtual Machines
In May 2019, we announced that we would disable SMT on all machines. This mitigation is now disabled for virtual machines, since it has to be activated on the host system.
Emulated processors might run on multiple physical processors which IPFire in a virtual machine has no control over. However, we still recommend against running IPFire in a virtual environment.
Deprecating i586
This release also officially demotes the i586 architecture to a secondary architecture. On the download page, you will already find downloads for that architecture at the bottom of the page.
This is because various security mitigations are not available for i586 and development work on the Linux kernel and other software that IPFire relies on is mainly done for x86_64 or other modern 64 bit architectures. This is a development that we saw coming for a while now, and despite that, we will try to keep IPFire available on this architecture.
We urge everyone whose hardware supports it to update their systems to x86_64. You will see a notification on the web user interface if you are affected.
Misc.
- OpenSSL: We have removed all ciphers that do not support Perfect Forward Secrecy from the default cipher list. That means that all programs in IPFire that initiate TLS connections will no longer accept any "weak" ciphers without PFS.
- OpenVPN
  - In order to make IPFire compliant with PCI DSS, OpenVPN requires all clients to use TLS 1.2 or newer. This change is automatically enabled on all systems and very old clients might need to be updated. Please check if you are using any outdated clients before updating.
  - The maximum number of simultaneous OpenVPN connections can now be set to up to 1024 and was limited to 255 before.
- New packages: zstd, a modern and fast compression algorithm, is now part of IPFire.
- Updated packages: apache 2.4.46, bind 9.11.21, bison 3.7.1, curl 7.71.1, GRUB 2.04, intel-microcode 20200616, hyperscan 5.3.0, iproute2 5.8.0, kbd 2.2.0, logrotate 3.17.0, lsof 4.91, mpfr 4.1.0, popt 1.18, unbound 1.11.0, xfsprogs 5.7.0
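To see what the OpenSSL change above means for a given cipher list, the following added example (not code from IPFire) sorts suites by whether their key exchange provides forward secrecy. It assumes the `Kx=` labels of OpenSSL 1.1.0 or newer; the function names and the sample lines are constructed for illustration.

```python
import re
import ssl

# Key-exchange labels from `openssl ciphers -v` that give forward secrecy.
# Assumption: OpenSSL 1.1.0 or newer, where Kx=DH and Kx=ECDH are always
# ephemeral and Kx=any marks TLS 1.3 suites (which are always ephemeral).
PFS_KX = {"ECDH", "DH", "any", "ECDHEPSK", "DHEPSK"}
KX_FIELD = re.compile(r"\bKx=(\S+)")


def split_by_pfs(descriptions):
    """Return (pfs, non_pfs) cipher names from `openssl ciphers -v` style lines."""
    pfs, non_pfs = [], []
    for line in descriptions:
        fields = line.split()
        match = KX_FIELD.search(line)
        if not fields or match is None:
            continue  # blank or unparseable line
        bucket = pfs if match.group(1) in PFS_KX else non_pfs
        bucket.append(fields[0])
    return pfs, non_pfs


def audit_context(ctx=None):
    """Classify the suites an ssl.SSLContext on this host would offer."""
    if ctx is None:
        ctx = ssl.create_default_context()
    # Each entry's "description" is the same text `openssl ciphers -v` prints.
    return split_by_pfs(c["description"] for c in ctx.get_ciphers())


# Constructed sample in `openssl ciphers -v` format (not from an IPFire system).
SAMPLE = """\
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
PSK-AES128-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA1
""".splitlines()

if __name__ == "__main__":
    print("sample suites without PFS:", split_by_pfs(SAMPLE)[1])
    print("local default context, suites without PFS:", audit_context()[1] or "none")
```

Any name in the second list is a suite that a peer would have to drop or replace before it can negotiate with a PFS-only endpoint.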
Add-ons
- Updated: clamav 0.102.4, dnsdist 1.5.0, haproxy 2.2.2, fping 5.0, libvirt 6.5.0, minicom 2.7.1, nfs 2.5.1, postfix 3.5.6, qemu 5.0.0, rsync 3.2.3, spandsp 0.0.6, tor 0.4.3.6, tshark 3.2.6, usbredir 0.8.0, watchdog 5.16, WIO
- Marcel Follert has contributed a new package: socat, a CLI tool which can be used to communicate with UNIX sockets.