Howdy partners,

With Meltdown and Spectre just behind us here comes another round of security advisories and assorted changes.

Three mentionable changes are included: We are switching back to single-source NAT on the primary IP instead of using all additional VIPs on the interface.  The hardware-assisted VLAN capability check was removed from the system enabling e.g. XEN users to create VLANs. And the multi-WAN traffic shaping experience has been corrected for non-default interfaces within the scope of shared forwarding.

Expected is an image release based on this version some time within the next week for completeness.

Here are the full patch notes:

• system: reverse reload order for gateway switching on OpenVPN
• system: implement password policies for local accounts
• system: separate web GUI and configd log files
• system: add syslog and login service visibility
• system: show root as disabled in user manager if disabled
• interfaces: no longer restrict VLAN driver capability
• firewall: switch back to old NAT auto-outbound behaviour
• firewall: reload schedules 1 minute later
• firewall: filter descriptions option does no longer exist
• firewall: updated anti-lockout link (contributed by Michael Muenz)
• firewall: fix help text in shaper masks (contributed by Michael Muenz)
• firewall: add delay option to pipe in shaper (contributed by Michael Muenz)
• reporting: add insight aggregator to service list
• dashboard: large CPU usage widget (contributed by Team Rebellion)
• dhcp: fix display of DUID in IPv6 leases
• firmware: let opnsense-patch apply chmod even in partially failed patches
• firmware: let opnsense-code fetch all remotes as well as prune them
• intrusion detection: provide custom.yaml for user edits
• web proxy: fix pid file pointer for service status probe
• ui: help data-for attribute (contributed by NOYB)
• ui: reversed zebra redraw on static page mobile forms
• ui: cleanup for unused classes in static pages
• mvc: add constraint type for dependent fields
• plugins: merge rc.plugins_configure code into pluginctl
• plugins: os-c-icap 1.5_1 service controller fix (contributed by Fabian Franz)
• plugins: os-frr 1.3 adds BGP for IPv6 (contributed by Michael Muenz)
• plugins: os-lcdproc-sdeclcd 1.0 release adds LCD usage to Lanner/Watchguard Firebox
• plugins: os-monit 1.7 fixes compatibility with UI rework
• plugins: os-rspamd 1.2 allows to specify bad file extensions (contributed by Fabian Franz and Michael Muenz)
• plugins: os-shadowsocks 1.0 release (contributed by Michael Muenz)
• plugins: os-theme-rebellion 1.0 release (contributed by Team Rebellion)
• plugins: os-web-proxy-sso 2.2 adds XMLRPC sync (contributed by Smart-Soft)
• plugins: os-web-proxy-useracl 1.1 adds XMLRPC sync (contributed by Smart-Soft)
• plugins: os-zabbix-agent 1.2_1 fixes service controls
• src: fix mutli-wan traffic shaper on non-default gateway interfaces
• src:  ipsec crash or denial of service[1]
• src: vt console memory disclosure[2]
• src: multiple small kernel memory disclosures[3]
• src: timezone database information update[4]
• ports: dnsmasq 2.79[5]
• ports: openssl 1.0.2o[6]
• ports: perl 5.26.1[7]
• ports: php 7.1.16[8]
• ports: squid 3.5.27 adds LDAP authentication

Stay safe,

Your OPNsense team

—

[1] https://security.freebsd.org/advisories/FreeBSD-SA-18:05.ipsec.asc

[2] https://security.freebsd.org/advisories/FreeBSD-SA-18:04.vt.asc

[3] https://security.freebsd.org/advisories/FreeBSD-EN-18:04.mem.asc

[4] https://security.freebsd.org/advisories/FreeBSD-EN-18:03.tzdata.asc

[5] http://www.thekelleys.org.uk/dnsmasq/CHANGELOG

[6] https://www.openssl.org/news/secadv/20180327.txt

[7] https://metacpan.org/pod/release/SHAY/perl-5.26.1/pod/perldelta.pod

[8] http://php.net/ChangeLog-7.php#7.1.16