Results 1 to 1 of 1

Thread: IPFire 2.27 - Core Update 172 released

Hybrid View

Previous Post Previous Post   Next Post Next Post
  1. #1
    g0d! Contributing Member siosios's Avatar
    Join Date
    Oct 2006
    Location
    In a cardboard box
    Age
    51
    HlStats

    HLStatsX Ranking for STEAM_0:1:13488560
    Posts
    13.567
    Blog Entries
    12
    Rep Power
    10

    Default IPFire 2.27 - Core Update 172 released

    Shortly after Christmas, we release IPFire 2.27 - Core Update 172. It comes with cryptography improvements for IPsec and OpenVPN, as well as security improvements under the hood, a plethora of package updates and various bugs fixed across the place.
    Future-proofing VPN cryptography

    This Core Update updates the key lengths of host certificates for both IPsec and OpenVPN clients/peers to 4,096 bit RSA, since the previous default of 2,048 bit is no longer recommended for long-term security purposes.
    Both IPsec and OpenVPN root CA length has always been 4,096 bit, as has the key pair generated for IPFire's web interface - no action is required on that front. Unfortunately, existing IPsec/OpenVPN client/peer configurations cannot be migrated automatically, and have to be phased-out manually. Thanks to the respective CA certificates not requiring an update, complete disruptions of VPN infrastructure can, however, be avoided.
    OpenVPN is automatically reconfigured to use a secure Diffie-Hellman parameter, both of sufficient length of 4,096 bit and standardized (see RFC 7919, section A.3, bug #12632). All OpenVPN clients and peers will automatically benefit from this cryptography improvement; no manual action is required. This also obsoletes the necessity of generating or uploading Diffie-Hellman parameters while configuring OpenVPN, saving a lot of time, as the generation of such parameters could have taken hours on slower hardware.
    For early 2023, we anticipate post-quantum cryptography (PQC) to land in IPFire for IPsec, for which there is a strong (and growing) need, thanks to so-called "capture now, decrypt later" attacks endangering the confidentiality of information with long-term secrecy demand, such as biometric and health data.
    Miscellaneous


    • IPFire's trust store has been updated to incorporate Mozilla's decision to distrust the root certificates of TrustCor Systems S. DE R.L. (further media coverage)1
    • Displaying the status and actions of add-ons whose service names differed from their package names is fixed (#12935). The same page has also seen some translation improvements.
    • Certificate Revocation Lists (CRLs) of OpenVPN are now properly backed up and reloaded before OpenVPN is (re-)started.
    • Adolf Belka submitted a massive patchset for updating Python.
    • Roberto Peņa updated and improved the Spanish translation of IPFire's web interface.
    • Some unnecessary files from linux-firmware are no longer shipped and automatically removed from existing installations to keep the system as lean as possible.
    • Various file permissions have been tightened as a defense in-depth measure.
    • The obsolete gnu-netcat add-on has been dropped.
    • Updated packages: arm-trusted-firmware 2.7, bash 5.2, bind 9.16.35, conntrack-tools 1.4.7, curl 7.86.0, elinks 0.15.1, ethtool 6.0, expat 2.5.0, iana-etc 20221107, intel-microcode 20221108, iproute2 6.0.0, libedit 20221030-3.1, libhtp 0.5.42, libloc 0.9.15, libnetfilter_conntrack 1.0.9, libpng , 1.6.39, libtasn1 4.19.0, libtiff 4.4.0, libuv 1.44.2, libxcrypt 4.4.33, libxml2 2.10.3, linux-firmware 20221109, memtest86+ 6.00, nano 7.0, OpenSSH 9.1p1, OpenSSL 1.1.1s, OpenVPN 2.5.8, poppler 22.11.0, python3 3.10.8, readline 8.2, sed 4.9, sqlite 3400000, strongswan 5.9.8, sudo 1.9.12p1, suricata 6.0.9, sysstat 12.7.1, tzdata 2022e, u-boot 2022.10, unbound 1.17.0, usbutils 015, vnstat 2.10, xz 5.2.8, zlib 1.2.13
    • Updated add-ons: cups-filters 1.28.16, ddrescue 1.26, dehydrated 0.7.1, fetchmail 6.4.34, ffmpeg 5.1.2, flac1.4.2, fmt 9.1.0, git 2.38.1, libassuan 2.5.5, libvirt 8.9.0, mpd 0.23.10, nginx 1.22.1, pcengines-apu-firmware 4.17.0.2, qemu 7.1.0, qemu-ga 7.1.0, rsync 3.2.7, samba 4.17.3, sdl2 2.26.0, Tor 0.4.7.12

    As always, we thank all people contributing to this release in whatever shape and form. Please note IPFire is backed by volunteers, maintaining and improving this distribution in their spare time - should you like what we are doing, please donate to keep the lights on, an consider becoming engaged in development to distribute the load over more shoulders.


    1. See also: Global PKI considered harmful: A plaidoyer for using DANE*




    More...
    Last edited by siosios; 05-13-2023 at 03:12 AM.

Thread Information

Users Browsing this Thread

There are currently 3 users browsing this thread. (0 members and 3 guests)

Similar Threads

  1. IPFire 2.27 - Core Update 174 released
    By siosios in forum Ipfire
    Replies: 0
    Last Post: 05-13-2023, 03:08 AM
  2. Replies: 0
    Last Post: 05-13-2023, 03:08 AM
  3. Enabling IPFire for 5G
    By siosios in forum Ipfire
    Replies: 0
    Last Post: 05-13-2023, 03:08 AM
  4. IPFire 2.27 - Core Update 173 released
    By siosios in forum Ipfire
    Replies: 0
    Last Post: 05-13-2023, 03:08 AM
  5. Replies: 0
    Last Post: 05-13-2023, 03:08 AM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •