It is time for another release of IPFire: IPFire 2.27 - Core Update 177. A brand-new update which brings enhanced hardening for the IPFire OS on modern processors, a large number of package updates and fixes various security vulnerabilities in the Linux kernel, AMD processors, OpenSSH and more.
Before we start talking about the changes in detail, we would like to ask for your support. We put a lot of effort into building and testing this update and could not do any of this without you. Please, if you can, donate to the project helping us to put more resources to bring you more and better updates. It is very much appreciated by all of us here!
Indirect Branch Tracking by Default

This update comes with extended hardening for the kernel by using Indirect Branch Tracking wherever possible. This will prevent hackers to hijack functions calls and jump into injected code. This feature is currently only supported on Intel processors.
In the near future, we will extend this feature to the user-space and more processor types.
Security Updates

This update features a large number of package updates that patch security vulnerabilities:

  • Kernel Update: The IPFire kernel has been rebased to Linux 6.1.42 which amongst the usual improvements fixes the StackRot vulnerability (CVE-2023-3269).
  • OpenSSH (CVE-2023-38408) contains a vulnerability in the SSH agent component.
  • Zenbleed - An issue where vector registers leak their content.
  • Ghostscript contained a code execution vulnerability filed under CVE-2023-36664.

Misc.

  • Legacy OpenSSL version removed: OpenSSL 1.1.1 library files have been removed as previously announced
  • Package updates: Ghostscript 10.01.2, iproute2 6.4.0, Linux Firmware 20230625, memtest 6.20, ntp 4.2.8p17, OpenSSH 9.3p2, samba 4.18.5, Squid 6.1, sudo 1.9.14p2, util-linux 2.39.1
  • The Unbound/DHCP Leases bridge loads any leases into Unbound more efficiently than before due to Unbound recently adding the ability to reload its configuration.
  • dehydrated will try harder to update any remaining certificates if the update of one fails.
  • Fireinfo used to crash if the hypervisor IPFire is running on could not be detected (#13155)
  • Proxy ASN Blacklist: A crash that caused the proxy to restart has been fixed (#13023)
  • pmacct: #13159 has been fixed which fixes some invalid directives in the default configuration.
  • The SquidClamAV add-on has been removed: This used to be able to scan any plaintext content that passed through the web proxy. With Internet traffic being predominantly HTTPS and therefore not scannable, this feature does not serve any useful purpose and has therefore been removed.

Please reboot your system after installing this update.


More...