Hello,

Please do enjoy this round of timely crypto library updates and
other reliability fixes.

Work has so far been focused on the firmware update process to ensure
its safety around edge cases and recovery methods for the worst case.
To that end 21.1.3 will likely receive the full revamp including API and
GUI changes for a swift transition after thorough testing of the changes
now available in the development package of this release.

Here are the full patch notes:

o system: do not trim string fields in upstream XMLRPC library
o system: fix export API keys reload issue on Safari
o system: retain index after tunables sorting in 21.1.1
o system: fix firewall log widget update on small fixed number of entries
o system: replace traffic graphs in widget using chart.js
o system: make StartTLS work when retrieving LDAP authentication containers (contributed by Christian Brueffer)
o system: fix IPv6 route deletion on status page
o interfaces: work around slow manufacturer lookups in py-netaddr 0.8.0
o firewall: fix off-by-one error in alias utility listing
o firewall: fix live log matching with ‘or’ and empty filter (contributed by kulikov-a)
o reporting: prevent NetFlow crash when interface number is missing
o firmware: opnsense-update -t option executes after -p making it possible to run them at once
o firmware: opnsense-update -t option now also uses recovery code introduced recently for -p
o firmware: opnsense-update -vR no longer emits “unknown” if no version was found
o firmware: opnsense-verify -l option lists enabled package repositories
o firmware: add crypto package to health check
o firmware: fix two JS tracker bugs
o firmware: assorted non-breaking changes for upcoming firmware revamp
o intrusion detection: prevent flowbits:noalert from being dropped
o intrusion detection: fix policies not matching categories
o ipsec: phase2 local/remote network check does not apply on VTI interfaces
o web proxy: fix ownership issue on template directory
o rc: opnsense-beep utility wrapper including manual page
o plugins: increase revision number for all plugins to force installation of metadata added in 21.1.1
o plugins: os-acme-client 2.4[1]
o plugins: os-postfix 1.18[2]
o plugins: os-rspamd 1.11[3]
o plugins: os-theme-cicada 1.27 (contributed by Team Rebellion)
o plugins: os-theme-tukan 1.24 (contributed by Team Rebellion)
o plugins: os-theme-vicuna 1.3 (contributed by Team Rebellion)
o ports: curl 7.75.0
o ports: libressl 3.2.4
o ports: openssl 1.1.1j
o ports: php 7.3.27
o ports: squid 4.14
o ports: unbound 1.13.1

Stay safe,
Your OPNsense team

—
[1] https://github.com/opnsense/plugins/blob/stable/21.1/security/acme-client/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/21.1/mail/postfix/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/21.1/mail/rspamd/pkg-descr
[4] https://curl.se/changes.html#7_75_0
[5] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.2.4-relnotes.txt
[6] https://www.openssl.org/news/openssl-1.1.1-notes.html
[7] https://www.php.net/ChangeLog-7.php#7.3.27
[8] http://www.squid-cache.org/Versions/v4/squid-4.14-RELEASENOTES.html
[9] https://nlnetlabs.nl/projects/unbound/download/#unbound-1-13-1