Finally, the next Core Update with number 106 is available for testing. It comes with a number of exciting new features, many bug fixes and a few security improvements. Please help us test!
dnsmasq as DNS proxy before which is now replaced by unbound. The latter, in contrast to the former, is software that is specifically designed as a DNS forwarding proxy or DNS recursor and implemented DNSSEC from early on.
Because of our decision to enable DNSSEC by default and various problems in dnsmasq, we have been toying with the idea of replacing it for a very long time. Unfortunately, development resources are tight, and because this is a substantial part of the system and hooked into many other things, this was a very time-consuming project.
Finally, this new solution should now bring various advantages:
unbound is multi-threaded and IPFire will start one thread per CPU core that is available. That will allow execution of multiple queries in parallel which should increase responsiveness and throughput.
The cache size is adjusted based on memory available on the system. Bigger systems will have a significantly bigger DNS cache which will speed up browsing especially in larger environments like universities with a large number of clients.
DNSSEC is enabled by default (as it was before). However, unbound does not rely on the upstream servers being validating resolvers, too. This will bring DNSSEC to many more users. DNS servers are now tested before being passed on for use and any malfunctioning DNS servers won't be used. Status of this can be seen on the user web interface.
Please see this list of various DNS services on the Internet for more details.
If none of the DNS servers configured or received from the provider can be used, unbound will fall back to full recursor mode.
With the next key rollover of the DNS root zone, IPFire will automatically download and validate the new key according to RFC5011.
DHCP leases will be published into the local DNS zone as before. Static leases are imported as well, which is a new feature. Every IP address will resolve to its hostname by publishing PTR records.
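To make the points above concrete, here is an added example (not IPFire's own script) that turns core count, memory size and the list of forwarders that passed testing into an unbound.conf fragment. The sizing policy and the trust anchor path are assumptions for illustration; the option names are standard unbound settings.

```sh
#!/bin/sh
# Added example, not IPFire's code: derive unbound tuning from the hardware.
# The sizing policy and the anchor file path are assumptions.

# Largest power of two <= $1 (slab counts work best as powers of two).
pow2_floor() {
    p=1
    while [ $((p * 2)) -le "$1" ]; do p=$((p * 2)); done
    echo "$p"
}

# unbound_tuning CORES MEM_KB [FORWARDER...]
# FORWARDER arguments are the upstream servers that passed testing.
unbound_tuning() {
    cores=$1; mem_kb=$2; shift 2
    [ "$cores" -ge 1 ] || cores=1
    slabs=$(pow2_floor "$cores")

    # Assumed policy: 1/16 of RAM for the RRset cache, clamped to 8..256 MB;
    # message cache at half of that, the ratio the unbound docs suggest.
    rrset_mb=$((mem_kb / 1024 / 16))
    if [ "$rrset_mb" -lt 8 ]; then rrset_mb=8; fi
    if [ "$rrset_mb" -gt 256 ]; then rrset_mb=256; fi
    msg_mb=$((rrset_mb / 2))

    cat <<EOF
server:
    num-threads: $cores
    msg-cache-slabs: $slabs
    rrset-cache-slabs: $slabs
    msg-cache-size: ${msg_mb}m
    rrset-cache-size: ${rrset_mb}m
    # Validate locally; unbound maintains this anchor file per RFC 5011.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
EOF
    # No usable forwarder: emit no forward-zone, so unbound recurses itself.
    if [ $# -eq 0 ]; then return 0; fi
    echo 'forward-zone:'
    echo '    name: "."'
    for fwd in "$@"; do echo "    forward-addr: $fwd"; done
}

# Stand-alone run on Linux: print a fragment for this machine.
if [ -r /proc/meminfo ] && command -v nproc >/dev/null 2>&1; then
    unbound_tuning "$(nproc)" "$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)"
fi
```

Because validation happens in unbound itself, the forwarders listed here only need to pass DNSSEC records through; they do not have to validate.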
samba add-on enables SMBv2 by default
This update installs a large number of updated packages:
openssl 1.0.2j which fixes some implementation errors and DoS introduced in the 1.0.2i update
strongswan has been updated to version 5.5.0
As always, we would like to ask all users to participate in testing, which will greatly improve the quality of this update.
Please report any bugs to our bug tracker and provide any feedback on our development mailing list.
With the last Core Update just being released a few days ago, it is time for the next one already. IPFire 2.19 – Core Update 105 patches a number of security issues in two cryptographic libraries:
IPFire is now shipping openssl in version 1.0.2i which patches all of the above security vulnerabilities.
Felix Dörre and Vladimir Klebanov from the Karlsruhe Institute of Technology found a bug in the mixing functions of Libgcrypt's random number generator: An attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output. This bug has existed since 1998 in all GnuPG and Libgcrypt versions and is filed under CVE-2016-6316.
As always, we would like to encourage you to help us test this release, and we would like to roll it out to everyone as soon as possible.
Since 2011, we ship qemu as a package which makes it possible to virtualise another system on IPFire. This was very hard to use because there was no really nice way to create a new machine and to administrate them. Until now! After a lot of work and testing, I am happy to announce that libvirt is now available as a package for IPFire.
Libvirt is a library which makes it very easy to administrate and control virtual machines that are virtualised with qemu. It takes care of everything which is needed to control your VM: storage images, the network, the start and stop of the VMs, everything!
owncloud, any other web app, even a Microsoft Windows VM, you name it. But not everything is recommendable. See the security recommendations later in this post.
But there is also one huge issue with virtualization on IPFire:
With every VM and every service inside a VM, the number of possibilities to attack and compromise your server grows. It is not impossible that somebody breaks out of the VM and damages your network, so be careful what you do. This should not make you scared, but you should know the risk.
We did our best to make the use of libvirt as safe as possible, but nothing can substitute for a careful user. Of course this is an add-on as usual, so everyone can decide on their own whether to use it, based on a risk evaluation that depends on the environment the IPFire system is running in. Of course a VM is cheaper to run than a second physical machine and sometimes you need an extra machine for testing and development; so there are good arguments on both sides.
If you now want to try out qemu, there are some things you should pay attention to:
And now, have fun with this great new feature!
We have rebuilt core104 with Linux kernel 3.14.79 because there are some critical network and filesystem fixes.
If you installed core104 before 14 Sep, set /opt/pakfire/db/core/mine back to 103 and reinstall the update.