IPFire 2.13 Core Update 71 was released last week, so it is time to start the testing period for the next one, which is IPFire 2.13 Core Update 72. It comes with minor bug fixes and fixes for denial-of-service attacks in strongswan and squid. Please help us testing.
strongswan, the software package that is responsible for IPsec VPN connections, has been updated to version 5.1.0. This is a major version, which fixes various kinds of bugs and also fixes a denial-of-service bug, which is of very little priority for IPFire users (CVE-2013-5013).
It is now possible to use Elliptic Curve Cryptography (ECC) groups in the Internet Key Exchange (IKE) protocols in addition to the previously defined Diffie-Hellman groups. Advantages of using these include better efficiency because the underlying integer arithmetic is much faster than the binary field arithmetic MODP uses. Also ECC requires much smaller keys in order to achieve the same level of security than the Diffie-Hellman algorithm does. Therefore less entropy is consumed.
As it has often been pointed out, it is a problem to gather enough entropy on some computers. This makes it hard to do a proper key exchange, because you need to generate keys for that which are of a certain length of random data. The default settings for the key length have been very high since IPFire 2.13 and are now lowered, because of the reasons above. Instead of 8192 bits, the highest selected MODP group uses 4096 bits long keys.
More technical reasons are to be found in bug #10396.
The squid web proxy server has got two denial-of-service issues that are fixed in this Core Update. It was able to crash the cache manager when authenticating and it was possible to crash the entire proxy server with requests with over-long domain names (more information about this).
The OpenVPN GUI does now more precise validation of the subnet that is used as a transfer network for OpenVPN N2N connections. Incorrect data let the openvpnctrl binary crash when a new connection was started and no firewall rules were added.
It is now permitted to leave the “remote” field empty on a N2N server site, which makes creating connections with clients from dynamic IP addresses easier.
OpenVPN client connections with more than one space character in their names work again.
As always, please head to the testing branch and install this experimental version of Core Update 72. Please provide us any feedback – positive or negative.
This update is scheduled to be released within the next 14 days.
Posted: August 12, 2013 • 718 views