Hi guys,
Today we are following up on the OpenSSL advisories. LibreSSL was not affected (surprise, surprise), but received a tiny fix to sync up with the deprecation of the high-severity SSL_OP_SINGLE_DH_USE option of its sibling.
In other news, we are shipping a few minor fixes along with all-new SSL-centric rulesets for intrusion prevention, courtesy of abuse.ch[3]. Protect your assets, they are worth it!
Without fuss, here are the full patch notes:
- ports: libressl 2.2.6[1], openssl 1.0.2f[2]
- intrusion prevention: add SSL fingerprint blacklist and other abuse lists (courtesy of abuse.ch[3])
- captive portal: limit the max vouchers per call
- captive portal: change voucher download filename to match group name
- captive portal: strip bad characters from group name
- captive portal: fix multiple voucher generation
- firewall: add rule categorisation tag field
- search: tweak padding to align with right visual border
- console: fix halt script to show product name again
- firmware: revoked the old 15.7 update fingerprint
- interfaces: fix VLAN edit page to show the correct page name
- squid: fix authentication script permission regression
- dashboard: remove non-authoritative hardware crypto probing
- system: do not accept an authentication server with an empty name
- system: added hint that device polling setting needs reboot (contributed by Olivier Paroz)
- system: assorted translation fixes (contributed by Fabian Franz)
- logging: unhide IGMP packets from firewall log view (contributed by Isaac Levy)
Stay safe,
Your OPNsense team