Hi there,

With a bit of delay we bring to you the usual mix of security and
reliablilty updates.  It is of note that the OpenVPN advisory tracked
as CVE-2020-15078 does not affect the provided version 2.4.11, but the
security audit will falsely flag it as vulnerable because the source
of the audit is FreeBSD where OpenVPN was migrated to 2.5 series already.

Plans for upcoming 21.1.x versions include a swift Phalcon 4 migration as
well as Python 3.8 and PHP 7.4 updates.

Here are the full patch notes:

o system: add audit log target and move related syslog messages there
o system: set HSTS max-age to 1 year (contributed by Maurice Walker)
o system: fix restore copy in console recovery
o interfaces: revise approach to clear states when WAN address changes
o interfaces: add policy-based routing support for “dynamic” interface gateways
o interfaces: return scoped link-local in get_configured_ip_addresses()
o firewall: NPTv6 configuration clean-up (contributed by Maurice Walker)
o firewall: remove redundant NPTv6 binat rule (contributed by Maurice Walker)
o firewall: live log widget multiple interfaces and inspect feature (contributed by kulikov-a)
o firewall: add live log filter templates feature (contributed by kulikov-a)
o dhcp: compress expanded IPv6 lease addresses for clean match with system
o dhcp: on the GUI pages avoid the use of dhcpd_dhcp_configure()
o dnsmasq: use dhcpd_staticmap() for lease registration
o firmware: opnsense-patch now also invaldates the menu cache
o ipsec: add “keyingtries” phase 1 configuration option
o ipsec: automatic outbound NAT rules missed mobile clients
o ipsec: fix typo in autogenerated rules for virtual IP use
o openvpn: fix wizard regression after certificate changes in 21.1.5
o openvpn: remove now defunct OpenSSL engine support
o unbound: cleanse blacklist domain input
o unbound: match whole entry in blacklists (contributed by kulikov-a)
o unbound: use dhcpd_staticmap() for lease registration
o ui: upgrade chart.js to 2.9.4
o ui: update chartjs-plugin-streaming to 1.9.0
o ui: order interfaces in groups
o ui: sidebar menu fix for long listings (contributed by Team Rebellion)
o plugins: os-acme-client 2.5[1]
o plugins: os-chrony 1.3[2]
o plugins: os-dyndns 1.24[3]
o plugins: os-freeradius 1.9.12[4]
o plugins: os-haproxy 3.3[5]
o plugins: os-intrusion-detection-content-et-open 1.0.1 adds emerging-inappropriate ruleset
o plugins: os-nginx expected MIME type fix (contributed by Kimotu Bates)
o plugins: os-qemu-guest-agent 1.0 (contributed by Frank Wall)
o plugins: os-relayd 2.5[6] (sponsored by Modirum)
o plugins: os-telegraf 1.10.1[7]
o plugins: os-zabbix4-proxy 1.3[8]
o plugins: os-zabbix5-proxy 1.5[9]
o src: axgbe: check for IFCAP_VLAN_HWTAGGING when reading descriptor
o src: axgbe: add 1000BASE-BX SFP support
o src: race condition in aesni(4) encrypt-then-auth operations[10]
o ports: curl 7.76.1[11]
o ports: filterlog 0.4 adds label support to output if applicable
o ports: libressl 3.3.3[12]
o ports: libxml2 fix for CVE-2021-3541
o ports: nss 3.65[13]
o ports: openssh-portable 8.6p1[14]
o ports: openvpn 2.4.11[15]
o ports: php 7.3.28[16]
o ports: sqlite 3.35.5[17]
o ports: sudo 1.9.7[18]
o ports: syslog-ng 3.32.1[19]

Stay safe,
Your OPNsense team

—
[1] https://github.com/opnsense/plugins/blob/stable/21.1/security/acme-client/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/21.1/net/chrony/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/21.1/dns/dyndns/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/21.1/net/freeradius/pkg-descr
[5] https://github.com/opnsense/plugins/blob/stable/21.1/net/haproxy/pkg-descr
[6] https://github.com/opnsense/plugins/issues/2232
[7] https://github.com/opnsense/plugins/blob/stable/21.1/net-mgmt/telegraf/pkg-descr
[8] https://github.com/opnsense/plugins/blob/stable/21.1/net-mgmt/zabbix4-proxy/pkg-descr
[9] https://github.com/opnsense/plugins/blob/stable/21.1/net-mgmt/zabbix5-proxy/pkg-descr
[10] https://www.freebsd.org/security/advisories/FreeBSD-EN-21:11.aesni.asc
[11] https://curl.se/changes.html#7_76_1
[12] https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.3.3-relnotes.txt
[13] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.65_release_notes
[14] https://www.openssh.com/txt/release-8.6
[15] https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.11
[16] https://www.php.net/ChangeLog-7.php#7.3.28
[17] https://sqlite.org/releaselog/3_35_5.html
[18] https://www.sudo.ws/stable.html#1.9.7
[19] https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-3.32.1