Hello hello, Today is the day for a number of FreeBSD security advisories and a few reliability fixes.
We are still testing a batch of Netmap improvement patches with a separate kernel. This and the Realtek vendor driver update will likely follow in the next kernel update. All feedback is welcome. Here are the full patch notes: o system: use different shell gateway name to appease wizard o system: simplify CARP hook o interfaces: phase out netaddr.eui.ieee.OUI_REGISTRY_PATH usage o firewall: add MAC type to top right filter selection o firewall: fix two scrub rule parsing bugs o firewall: omit group type interfaces in filter selection o intrusion detection: re-create rule cache after rule deployment o unbound: add "unbound-plus" section to XMLRPC sync o dhcp: adding DDNS values of each additional pool to the $ddns_zones array (contributed by Mathieu St-Pierre) o dhcp: add static interface mode to router advertisements o rc: fix ssh key permissions on MSDOS import o rc: support service identifier in pluginctl -s mode o plugins: os-bind download link changes (contributed by gap579137) o plugins: os-chrony 1.0 (contributed by Michael Muenz) o plugins: os-dnscrypt-proxy blocklist script fixes (contributed by Mark Keisler) o plugins: os-frr 1.17[1] o plugins: os-postfix 1.17[2] o plugins: os-rspamd 1.10[3] o plugins: os-theme-cicada 1.25 (contributed by Team Rebellion) o plugins: os-theme-tukan 1.23 (contributed by Team Rebellion) o plugins: os-theme-vicuna 1.1 (contributed by Team Rebellion) o plugins: os-wireguard 1.3[4] o plugins: os-zabbix-agent 1.8[5] o src: fix FreeBSD Linux ABI kernel panic[6] o src: fix SCTP socket use-after-free[7] o src: fix dhclient heap overflow[8] o src: fix ure device driver susceptible to packet-in-packet attack[9] o src: fix bhyve privilege escalation via VMCS access[10] o src: fix bhyve SVM guest escape[11] o src: fix ftpd privilege escalation via ftpchroot[12] o src: set PAX_HARDENING_NOSHLIBRANDOM in the RTLD by default o src: fix kernel panic while trying to read multicast stream o ports: mpd 5.9[13] o ports: nss 3.57[14] o ports: php 7.3.22[15] o ports: pkg 1.15.6[16] Stay safe, Your OPNsense team -- [1] https://github.com/opnsense/plugins/blob/master/net/frr/pkg-descr [2] https://github.com/opnsense/plugins/blob/master/mail/postfix/pkg-descr [3] https://github.com/opnsense/plugins/blob/master/mail/rspamd/pkg-descr [4] https://github.com/opnsense/plugins/blob/master/net/wireguard/pkg-descr [5] https://github.com/opnsense/plugins/blob/master/net-mgmt/zabbix-agent/pkg-descr [6] https://www.freebsd.org/security/advisories/FreeBSD-EN-20:17.linuxthread.asc [7] https://www.freebsd.org/security/advisories/FreeBSD-SA-20:25.sctp.asc [8] https://www.freebsd.org/security/advisories/FreeBSD-SA-20:26.dhclient.asc [9] https://www.freebsd.org/security/advisories/FreeBSD-SA-20:27.ure.asc [10] https://www.freebsd.org/security/advisories/FreeBSD-SA-20:28.bhyve_vmcs.asc [11] https://www.freebsd.org/security/advisories/FreeBSD-SA-20:29.bhyve_svm.asc [12] https://www.freebsd.org/security/advisories/FreeBSD-SA-20:30.ftpd.asc [13] http://mpd.sourceforge.net/doc5/mpd4.html#4 [14] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes [15] https://www.php.net/ChangeLog-7.php#7.3.22 [16] https://github.com/freebsd/freebsd-ports/commit/fd4f5566aea _______________________________________________ announce mailing list announce@lists.opnsense.org http://lists.opnsense.org/listinfo/announce