Hi all,
Today a XSS vulnerability in the certificate manager is being fixed that is based on a crafted certificate being imported into the system. PHP was finally updated from 7.0 to 7.1 which should make things a bit faster. Last but not least, the HAProxy plugin by Frank Wall receives a major update for improved usability, several new features and two bug fixes.
Here are the full patch notes:
- system: fix XSS with crafted certificates in certificate manager[1]
- system: removed duplicated firmware privileges
- system: fix resolving routes in diagnostics page
- system: regenerated DH parameters
- dhcp: support stateless DHCPv6
- firmware: kernel and base set visibility and better API session handling
- intrusion detection: improve download and install speed of et-open rules
- intrusion detection: add TLS and HTTP logging in eve and alert log viewer
- openvpn: allow remote network in peer to peer modes
- web proxy: better service and API session handling
- router advertisements: advertise on VIPs belonging to the same interface
- configd: allow template overrides via optional target directory
- mvc: prepare for user-based language setting (contributed by Alexander Shursha)
- mvc: prepare for auto-generated page titles
- mvc: tighten against frame-based attacks
- mvc: correctly hide advanced option headers in forms (contributed by Evgeny Bevz)
- ui: fix for deactivated storage in sticky "help all" toggle (contributed by Fabian Franz)
- ui: make "advanced mode" sticky too
- plugins: os-acme-client 1.12[2] (contributed by Frank Wall)
- plugins: os-arp-scan (contributed by Giuseppe De Marco)
- plugins: os-clamav 1.3 (contributed by Alexander Shursha)
- plugins: os-dyndns 1.4 adds Route53 IPv6 support (contributed by Kuo-Cheng Yeu)
- plugins: os-freeradius 1.3.1 (contributed by Michael Muenz)
- plugins: os-haproxy 2.0[3] (contributed by Frank Wall)
- plugins: os-relayd 1.2 fixes "check send" directive
- plugins: os-tor 1.3 (contributed by Fabian Franz)
- plugins: os-zabbix-agent 1.2 fixes service status indicator
- plugins: os-zabbix-proxy 1.0 (contributed by Michael Muenz)
- ports: ca_root_nss 3.34.1
- ports: curl 7.57.0[4]
- ports: lighttpd 1.4.48[5]
- ports: php 7.1.12[6]
- ports: pkg 1.10.3[7]
- ports: py-Jinja2 2.10[8]
- ports: syslogd 11.1
A hotfix release was issued as 17.7.9_8:
- system: correctly populate logging settings after clearing all logs
- firewall: fix 2 PHP 7.1 warnings
- ipsec: fix 2 PHP 7.1 warnings and one runtime error
- interfaces: fix a PHP 7.1 warning
- intrusion detection: add protocol display to alert dialog
- plugins: os-haproxy 2.1 fixes HSTS usage[9] (contributed by Frank Wall)
Another hotfix release was issued as 17.7.9_9:
- system: fix a PHP 7.1 runtime error in certificate generation
- plugins: os-haproxy 2.2 fixes rules parameters[10] (contributed by Frank Wall)
Stay safe,
Your OPNsense team