This is a smaller stable update consisting of LDAPS authentication server improvements, Unbound host overrides alias support, OpenSSL 1.0.2r security update and the recent PAM rework for better privilege separation.

We are currently focusing on IPsec VTI, third-party service PAM integration and investigating kernel boot crashes. In the latter case we are aware of the update issues some people are having and recommend running 18.7 until this is taken care of. Above all, please be patient. New images and seamless upgrade paths will be provided as soon as the problems have been pinned down.

Here are the full patch notes:

o system: improve LDAPS mode and related authentication cleanups
o system: move enable checkbox to the top in remote logging settings
o system: allow reset of tunables to to factory defaults
o system: new tunables factory default to prevent ICMP redirects being sent (net.inet.icmp.drop_redirect=1)
o firewall: allow explicitly setting source hash key in outbound NAT (Fredrik Ronnvall)
o interfaces: probe media before applying new settings
o interfaces: correctly compare MAC addresses
o dhcp: added TFTP bootfile-name (contributed by Bjorn Kalkbrenner)
o firmware: move duty to return the correct set name / ID to opnsense-version
o firmware: finally revoke 18.7 fingerprint
o intrusion detection: minor template cleanups using helpers.empty()
o ipsec: peer identifier can now fall back to remote-gateway in manual SPD entries
o ipsec: allow easier override of colours in widget (contributed by Fabian Franz)
o monit: add validation for test type (contributed by Frank Brendel)
o openvpn: add auth-nocache option in exporter
o openvpn: validate certificate type for servers
o unbound: add host overrides alias support
o web proxy: add auth to parent proxy (contributed by Michael Muenz)
o backend: add helpers.empty() in configd
o mvc: simplify save / close / cancel button labels
o mvc: add sorting for field list types
o rc: move all template generation to early stage
o ui: improve escaping of displayed data in static pages
o ui: escape button values in static pages
o ui: avoid short PHP tags
o plugins: os-dnscrypt-proxy 1.3[1]
o plugins: os-frr brings in missing area range code[2]
o plugins: os-postfix log file ACL and wrapper mode typo fix (contributed by Michael Muenz)
o plugins: os-theme-cicada IPsec widget colour fix (contributed by Team Rebellion)
o plugins: os-theme-tukan IPsec widget colour fix (contributed by Team Rebellion)
o plugins: os-vnstat /var MFS fix[3]
o plugins: os-zabbix4-proxy 1.0 (contributed by Michael Muenz)
o ports: openssl 1.0.2r[4]
o ports: pam_opnsense 19.1.3 uses setuid for privilege separation
o ports: phalcon 3.4.3[5]

Stay safe,
Your OPNsense team

—
[1] https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/pkg-descr
[2] https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr
[3] https://github.com/opnsense/plugins/blob/master/net/vnstat/pkg-descr
[4] https://www.openssl.org/news/secadv/20190226.txt
[5] https://github.com/phalcon/cphalcon/releases/tag/v3.4.3