:: c0urier.net

Good day everyone,

Pick up the new FreeBSD security advisories while also introducing assorted
reliability improvements. CRL now works again for elliptic curve with the
adoption of version 3 of phpseclib. Wireless handling was improved due to
PHP 8 errors and coding style issues. It is also the subject of further work
for 23.1.

Here are the full patch notes:

o system: migrate CRL handling to phpseclib version 3
o system: run monitor reload inside system_routing_configure()
o system: fix IPv6 link-local HTTP_REFERER check (contributed by Maurice Walker)
o system: fix assorted PHP 8 warnings in the codebase
o system: extend nameservers script return for debugging purposes, i.e. “configctl system list nameservers debug”
o system: lighttpd obsoletion of server listing directive, disabled by default
o system: decode stored CRL data before display (contributed by kulikov-a)
o interfaces: update link-local matching pattern
o interfaces: PPP is an exception, only created after interface configuration
o interfaces: only remove known primary addresses in interface_bring_down()
o interfaces: improve shell banner address return in prefix-only IPv6 case
o interfaces: improve problematic <wireless/> node handling
o interfaces: DHCP does not signal RELEASE
o interfaces: web GUI locale sorts files differently when invoking ifctl
o interfaces: improve legacy_interface_listget()
o interfaces: only parse actual options in legacy_interfaces_details(), not nd6 options
o firewall: implement a router file read fallback for new ifctl :slaac suffix
o firewall: stick-address only in effect with pool option and multiple routers
o firewall: remove dead pptpd server code
o captive portal: lighttpd deprecation of legacy SSL options, disabled by default
o dhcp: allow rapid-commit message exchange in IPv6 server (contributed by Maurice Walker)
o firmware: major upgrade “pkgs” set was still unknown to plugin sync
o intrusion detection: fix enable rule button and present active detail overwrite if present
o ipsec: fixed widget link (contributed by Patrik Kernstock)
o unbound: improve FQDN handling when address is moving in DHCP watcher
o unbound: prevent DNS rebinding check and DNSSEC validation on explicit forwarded domains
o unbound: restrict creation of PTR records for both the system domain and host overrides
o unbound: add AAAA-only mode (contributed by Maurice Walker)
o lang: fix syntax errors in French translation (contributed by kulikov-a)
o ui: fix type cast issue in Bootgrid
o plugins: os-ddclient relaxes validation of description field
o plugins: os-frr 1.30[1]
o plugins: os-nginx now uses simplified NAME_setup service handling
o plugins: os-wireguard 1.12[2]
o plugins: os-zabbix-agent 1.13[3]
o plugins: os-zabbix-proxy 1.9[4]
o src: rc: improve NAME_setup integration
o src: zlib: fix a bug when getting a gzip header extra field with inflate()[5]
o src: tzdata: import tzdata 2022b and 2022c[6]
o ports: ldns 1.8.3[7]
o ports: liblz4 1.9.4
o ports: libxml 2.10.1[8]
o ports: nss 3.82[9]
o ports: phpseclib 3.0.14[10]

Stay safe,
Your OPNsense team

—
[1] https://github.com/opnsense/plugins/blob/stable/22.7/net/frr/pkg-descr
[2] https://github.com/opnsense/plugins/blob/stable/22.7/net/wireguard/pkg-descr
[3] https://github.com/opnsense/plugins/blob/stable/22.7/net-mgmt/zabbix-agent/pkg-descr
[4] https://github.com/opnsense/plugins/blob/stable/22.7/net-mgmt/zabbix-proxy/pkg-descr
[5] https://www.freebsd.org/security/advisories/FreeBSD-SA-22:13.zlib.asc
[6] https://www.freebsd.org/security/advisories/FreeBSD-EN-22:20.tzdata.asc
[7] https://raw.githubusercontent.com/NLnetLabs/ldns/1.8.3/Changelog
[8] http://www.xmlsoft.org/news.html
[9] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.82_release_notes
[10] https://github.com/phpseclib/phpseclib/releases/tag/3.0.14