Software update: OPNsense 25.7.8
OPNsense is a firewall with extensive capabilities. It is based on the FreeBSD operating system and was originally a fork of m0n0wall and pfSense. It can be configured entirely through a web interface and supports, among other things, MFA, OpenVPN, IPsec, CARP and a captive portal. It can also perform packet filtering and includes a traffic shaper. The developers behind OPNsense have released the eighth update for version 25.7; the release notes for this release can be found below.
OPNsense 25.7.8 released
So we are making way for safer command execution since a comment was added to the certification of the business version about a possible injection into interfaces_pfsync_configure() -- note that it was a comment and not a security issue since the exploit requires editing the config.xml and/or doing a configuration import.
The issue in interfaces_pfsync_configure() has now been fixed, but as mentioned the idea was to get rid of these problems once and for all, so the Shell class was rewritten and every call was audited. You will see more movement on our way to 26.1 in this area as we do not want to push all changes into the 25.7 series immediately, so that they can be properly verified first. Suffice it to say most of the code we worked on over the years was already much safer due to the introduction of exec_safe() very early in the project history.
The Unbound blocklists feature formerly known as a business feature is now a community feature. Since this required merging the existing community one with the business one, you need to make sure to reapply the blocklist settings after the reboot since it will not generate a new and possibly incompatible format. Make sure to check your automatically migrated settings while at it.
What does all of this mean? It means security matters. It also means that community matters. We will continue to improve the community version because it is the base for the business version and that is exactly how it should be so that everybody can benefit from these changes!
Note this release includes a new kernel with a lot of improvements in the vtnet(4) driver department. It is stable code according to release engineering procedure but if you are seeing specific issues let us know.
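As an added illustration of the exec_safe()-style pattern the announcement refers to (example code written for this page, not OPNsense's own implementation): the command format is fixed and every argument is escaped before substitution, so a value imported from config.xml stays a single shell word. The ifconfig command line, the constructed configuration values and the interface-name check are assumptions for the illustration; the command strings are only built and printed, never executed.

```php
<?php
// Pre-fix pattern: the configuration value is spliced into the command as-is.
function build_unsafe(string $format, array $args): string
{
    return vsprintf($format, $args);
}

// exec_safe()-style pattern: each argument is passed through escapeshellarg(),
// which wraps it in single quotes and neutralises any embedded quote, so the
// value can only ever occupy the argument position reserved for it.
function build_safe(string $format, array $args): string
{
    return vsprintf($format, array_map('escapeshellarg', $args));
}

// Defence in depth: validate the shape of a FreeBSD interface name
// (letters followed by digits, e.g. vtnet0, igb1, pfsync0) before it is
// allowed anywhere near a command. Assumed pattern, not from the page.
function is_device_name(string $name): bool
{
    return preg_match('/^[a-z]+[0-9]+$/', $name) === 1;
}

// Constructed config.xml-style values: one well-formed, one carrying a shell
// metacharacter as an imported or hand-edited configuration could.
$good = 'vtnet0';
$bad  = 'vtnet0; echo injected';

// Assumed command shape for the illustration.
$fmt = '/sbin/ifconfig pfsync0 syncdev %s';

// The unsafe string leaves the ';' bare, so a shell would treat what follows as
// a second command; the safe string keeps the whole value inside one quoted word.
echo 'unsafe: ', build_unsafe($fmt, [$bad]), PHP_EOL;
echo 'safe:   ', build_safe($fmt, [$bad]), PHP_EOL;

// Rejecting malformed names up front means the escaped fallback is rarely needed.
foreach ([$good, $bad] as $name) {
    echo $name, ' -> ', is_device_name($name) ? 'accepted' : 'rejected', PHP_EOL;
}
```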
Here are the full patch notes:
o system: defaults: properly delete empty model containers in the configuration
o system: switch int/bool to string in gateway properties
o system: ignore TypeErrors when parsing log lines in the backend
o system: replace various raw exec(), system(), passthru() and shell_exec() calls with safer variants
o system: add host route deletion support to system_host_route()
o system: move the general page host route removal to system_host_route()
o system: add CA chain to PKCS12 export
o interfaces: support link-local IPv6 mode
o interfaces: also stop PPPoE connections when CARP is temporarily disabled (contributed by René Mayrhofer)
o interfaces: fix packet capture and ping buttons not working since 25.7.7
o interfaces: limit execution of sysctl scope in PPP device edit code
o interfaces: safer interfaces_pfsync_configure() handling
o firewall: live log: make this grid static and slightly adjust info column width
o firewall: live log: backwards compatibility for old 'interface_name' field type
o firewall: live view: fix wrong variable scope
o firewall: automation: split search logic and normalize legacy output
o firewall: aliases: add a few GeoIP related logging messages
o firewall: mute pfctl-based table entry expire to avoid cron noise due to stderr use
o firewall: aliases: missing placeholder for username in basic auth type selection
o firewall: support "0" as valid rule ID in rule lookup redirect
o firewall: automation: add per-rule state timeouts for "udp.first", "udp.multiple" and "udp.single"
o captive portal: fix selectpicker #voucher-groups not being re-rendered after change event
o captive portal: move grid init to tab show event
o dnsmasq: switch to file_safe() use in backend
o dnsmasq: minor safe execution changes in backend
o kea-dhcp: automatic route support for PD leases
o kea-dhcp: case insensitive MAC address comparison
o isc-dhcp: adjust backend for safe execution
o ipsec: disable model caching on SPD page
o ipsec: add AES256GCM16 to the child ESP proposals list
o ipsec: hide phase 2 output based on phase 1 status instead of the row count for phase 2
o ipsec: add "reqid_base" setting to advanced settings
o openssh: minor safe execution change in backend
o openvpn: swap description and mode in "tls_key" and require a description for static keys
o openvpn: one safe execution change
o openvpn: add fast-io option (contributed by mdten)
o radvd: safe execution changes
o unbound: improve CNAME handling of whitelisted domains
o unbound: safe command execution changes
o unbound: merge extended blocklists into community version
o unbound: duplicate pointer records due to not casting the field types
o wireguard: fix wrong maximum value for "PersistentKeepalive"
o backend: rename "realif" variables to "device" in a number of spots
o backend: avoid the use of get_real_interface() when it does not matter and remove dead code associated with that
o backend: extend shell_safe() to emulate exec() $output argument magic
o backend: reimplement existing command execution functions with Shell class implementation
o backend: replace mwexecf_bg() with mwexecfb() for clarity
o mvc: move translation to menu system and add "FixedName" property
o mvc: extend ModelRelationField so it can optionally disable caching
o mvc: rewrite the old Shell class according to our current standards for safe command execution (exec_safe() wrapper)
o mvc: make "data_change_message_content" configurable
o shell: assorted cleanups in console menu related scripts
o ui: fix tokenizer event trigger loop
o plugins: os-freeradius 1.9.28
o plugins: os-frr 1.49
o plugins: os-ndp-proxy-go 1.0 is a hot-off-the-press userspace IPv6 Neighbor Discovery Proxy
o plugins: os-q-feeds-connector 1.3
o plugins: os-theme-flexcolor 1.0 is a new 3-in-one theme
o src: vtnet: assorted stable branch improvements
o src: ifconfig: assorted stable branch improvements
o src: SO_REUSEPORT_LB breaks connect(2) for UDP sockets
o src: sctp, tcp, udp: improve deferred computation of checksums
o src: dhclient: improve UDP checksum handling
o src: ipfw: check for errors from sooptcopyin() and sooptcopyout()
o src: ipfw: pmod: avoid further rule processing after tcp-mod failures
o src: dummynet: move excessive logging messages under debug output
o src: net: validate interface group names in ioctl handlers
o src: pf: improve DIOCRCLRTABLES validation
o src: pf: improve add state validation
o src: pf: SCTP abort messages fully close the connection
o src: if_vxlan: fix byteorder of source port
o src: ixl: fix multicast promiscuous mode state tracking and filter management
o src: ix/ixv: add support for new Intel Ethernet E610 family devices
o src: ice: add PCI IDs for E835 devices
o src: ice: add support for E835-XXV-4 adapter
o src: igb: fix out-of-bounds register access on VFs
o src: netlink: in snl_init_writer() do not overwrite error in case of failure
o ports: curl 8.17.0
o ports: nss 3.118.1
o ports: openvpn 2.6.16
o ports: pcre2 10.47
o ports: php 8.3.28
Source: Tweakers.net