Michael Tremer

DNSSEC key rollover imminent
by Michael Tremer, September 9

ICANN will roll over the DNSSEC key signing key of the DNS root zone. All resolvers need to be updated so that DNS resolution keeps working after October 11, 2018; otherwise no DNS entries can be resolved any more.

What do I need to do?

We have known about this key rollover for a long time and placed an automatic job that keeps the key up to date. But just to be sure, we are sending you this announcement.

IPFire needs to be on Core Update 106 or newer so that unbound, our new DNS proxy, is installed. No manual action is required.

What does this mean?

DNSSEC is used to verify DNS responses from any name server. With those signatures, anyone can verify that a DNS reply was not forged and is the correct one, so that you reach the web server of your bank and not somebody else's.

Those signatures are generated from keys that are organised in a hierarchy starting at the DNS root zone (.) and going down to, for example, www.ipfire.org. Since nobody can hold the keys for all possible domains, signatures of those keys are placed one level up in the hierarchy and signed again. At the highest level, however, there is no higher authority left. Therefore, every system that uses DNSSEC stores a copy of the root key. It is this key that is now being changed.

To repeat the most important part again: DNS resolution won’t be possible when recent updates have not been installed.

For the nerds

If you want to check if your system has already imported the new key, you can run the following command:

[root@ipfire ~]# dig @localhost trustanchor.unbound -c CH -t TXT

The output should show you two keys with ID 19036 and 20326.

ICANN also provides more information on how to check whether you have the current keys.
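The check described above, as an added example that is not part of the original post: it parses the answer of the dig command on its standard input and confirms that both root KSK key tags, 19036 and 20326, are listed. The sample answer is constructed, and the record layout (". <keytag> <keytag> ...") is an assumption about unbound's output.

```shell
#!/bin/sh
# Added example (not IPFire's code): check the trust anchors unbound reports
# for the two root KSK key tags named in the post, 19036 (old) and 20326 (new).
# Input is the answer text of
#   dig @localhost trustanchor.unbound -c CH -t TXT
# on stdin. The sample at the bottom is constructed so the script runs offline;
# the record format '". <keytag> <keytag> ..."' is assumed.

# Print the key tags listed for the root zone "." in trustanchor.unbound TXT answers.
root_key_tags() {
    grep 'trustanchor\.unbound.*[[:space:]]TXT[[:space:]]' \
      | grep -o '"[^"]*"' \
      | tr -d '"' \
      | awk '$1 == "." { for (i = 2; i <= NF; i++) if ($i ~ /^[0-9]+$/) print $i }'
}

# Return 0 when both tags are present, 1 (with a warning) when the new one is missing.
check_root_anchors() {
    have_old=0
    have_new=0
    for t in $(root_key_tags); do
        case $t in
            19036) have_old=1 ;;
            20326) have_new=1 ;;
        esac
    done
    if [ "$have_old" -eq 1 ] && [ "$have_new" -eq 1 ]; then
        echo "OK: root KSK tags 19036 and 20326 are both present"
        return 0
    fi
    echo "WARNING: new root KSK tag 20326 is missing; update before the rollover" >&2
    return 1
}

# Constructed sample answers in the shape dig prints (whitespace-separated fields).
SAMPLE_OK='trustanchor.unbound.    0    CH    TXT    ". 19036 20326"'
SAMPLE_OLD='trustanchor.unbound.   0    CH    TXT    ". 19036"'

# Run against the constructed sample. On a real IPFire box, with the functions
# above sourced:  dig @localhost trustanchor.unbound -c CH -t TXT | check_root_anchors
printf '%s\n' "$SAMPLE_OK" | check_root_anchors
```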


IPFire 2.21 - Core Update 123 is available for testing
by Michael Tremer, August 16

The next release of IPFire is available for testing. It is a house-keeping release that contains a large number of fixes and also closes some security vulnerabilities.

Thanks to the people who contributed to this Core Update by submitting their patches, and please help us to support everyone's work with your donation!


This release ships a large number of microcode updates for various processors (linux-firmware 30.7.2018, intel-microcode 20180807). Most notably, vulnerabilities in Intel processors might have been fixed or mitigations applied. Microcode is now also loaded into the processor earlier during boot to avoid any attacks on the system at boot time.

This update also comes with a large number of smaller changes that improve security and fix bugs:

Add-ons


Protect yourself better against Meltdown, Spectre and other attacks with IPFire on 64 bit
by Michael Tremer, August 2

With IPFire 2.21, we have rebased the distribution on the latest long-term supported branch of the Linux kernel: Linux 4.14. That allows us to get various bug and security fixes from the upstream kernel maintainers and we will be able to update the kernel quicker and more often.

This is especially important with the latest revelations about hardware vulnerabilities in the latest Intel, AMD and ARM processors. Mainly I am talking about Meltdown and Spectre here, but I guess it is safe to expect many similar vulnerabilities to come. They cannot be fixed in the hardware, because that would require major changes in the architecture, and hardware that has been released obviously cannot be changed any more.

The Linux kernel maintainers have been working on mitigations that prevent those vulnerabilities from being exploited, but those come at a price. There were various articles about how the processors are slowed down excessively for various workloads, and there are more downsides to those mitigations. One of them is that they were mainly developed and tested on x86_64. The port to the 32 bit x86 architecture (i586 for IPFire) lags far behind the 64 bit version, since most systems run on the latter now. There are efforts to port the mitigations, but significantly less man-power is going into that. Therefore, we would urge everyone whose hardware supports it to re-install the 64 bit version of IPFire.

Additionally, we had to drop grsecurity from IPFire with the latest release. From a technical perspective, this hurts us, since we have lost some pro-active measures that prevent vulnerabilities from being exploited. Some of them have been ported into the mainline kernel, which we got to keep in IPFire, too. The kernel developers again pay most attention to the modern 64 bit architectures, which have more hardware features that can be used to reduce the performance penalties of the extra work that has to be done to keep the system secure. Those things never come free of any cost.

Ergo, we would like to give the same advice again and ask you to use the 64 bit version of IPFire, to gain the best security from the features that the kernel developers and we have built, at the lowest possible performance penalty.
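One way to see which of these mitigations the running kernel actually applies, as an added example that is not IPFire's own tooling: kernels of the 4.14 generation expose one file per issue under /sys/devices/system/cpu/vulnerabilities/ reading "Not affected", "Vulnerable" or "Mitigation: ...". The directory is a parameter so the check can run on a constructed sample directory offline; the sample values are assumptions, not captured output.

```shell
#!/bin/sh
# Added example (not part of IPFire): summarise the kernel's own report on
# Meltdown/Spectre mitigations. Each file under the vulnerabilities directory
# holds "Not affected", "Vulnerable" or "Mitigation: <technique>".

# Print "<issue>: <status>" for every file in the directory. Return 1 if any
# issue is still reported as Vulnerable (no mitigation active), else 0.
report_mitigations() {
    dir=$1
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        printf '%s: %s\n' "$(basename "$f")" "$status"
        case $status in
            Vulnerable*) rc=1 ;;
        esac
    done
    return $rc
}

# Count the issues that are reported as Vulnerable.
count_vulnerable() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case $(cat "$f") in
            Vulnerable*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Constructed sample directory with one unmitigated issue (assumed values,
# in the format the kernel uses for these files).
SAMPLE=$(mktemp -d)
printf 'Vulnerable\n' > "$SAMPLE/meltdown"
printf 'Mitigation: __user pointer sanitization\n' > "$SAMPLE/spectre_v1"
printf 'Mitigation: Full generic retpoline\n' > "$SAMPLE/spectre_v2"

# Real use on IPFire: report_mitigations /sys/devices/system/cpu/vulnerabilities
if report_mitigations "$SAMPLE"; then
    echo "all reported issues are mitigated on $(uname -m)"
else
    echo "unmitigated issues present on $(uname -m); consider the 64 bit build" >&2
fi
```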


IPFire 2.21 is available for testing
by Michael Tremer, June 24

Finally, the next major version of IPFire is ready for testing. IPFire 2.21 rebases the distribution on the long-term supported Linux kernel 4.14, and many more improvements and bug fixes have found their way into the distribution.

Thanks to the people who contributed to this Core Update by submitting their patches, and please help us to support everyone's work with your donation!

Highlight: Linux 4.14

The distribution was rebased from our old long-term supported kernel to the new kernel 4.14.50.

Most importantly, this kernel improves the security of the system, increases performance and makes the core of IPFire more up to date and modern again. This update also enables mitigations against Meltdown and Spectre on some architectures. On Intel-based platforms, we update the microcode of the CPUs when the system boots up to avoid any performance penalties caused by the mitigation techniques.

Unfortunately, grsecurity is incompatible with any newer kernels and has been removed. This is connected to the decision of the grsecurity project to no longer open source their patches. Luckily the kernel developers have backported many features so that this kernel is still hardened and secure.

ARM systems won't be able to install this update due to the kernel change, which also requires changes to some bootloaders. For those users, we recommend backing up the system, reinstalling and then restoring the backup. The re-installed system will come with a single ARM kernel instead of the multiple platform-specific kernels we had before. That helps us to keep the distribution smaller and makes development easier.

Misc.

Smaller images due to more efficient compression

We have tried to make the download of the distribution faster and make it use less space on our servers. As a first step, the flash images have been merged, and there is now only one image that boots on systems with a serial console as well as on systems with normal video output. Secondly, we now compress all images with the XZ algorithm so that they download faster and even decompress quicker, too.

New partition layout

This release also changes the partition layout of the distribution. We have dropped the /var partition which was used for log files and data that the system collected. This data is now located on a single partition together with the OS. The size of the /boot partition has been increased to 128MB in the default partition layout.

Add-ons

Updated Packages