Dear all,
We do not wish to keep you from enjoying your summer time, but this is a recommended security update enriched with reliability fixes for the new 19.7 series. Of special note are performance improvements as well as a fix for a longstanding NAT before IPsec limitation.
Here are the full patch notes:
- system: do not create automatic copies of existing gateways
- system: do not translate empty tunables descriptions
- system: remove unwanted form action tags
- system: do not include Syslog-ng in rc.freebsd handler
- system: fix manual system log stop/start/restart
- system: scoped IPv6 "%" could confuse mwexecf(), use plain mwexec() instead
- system: allow curl-based downloads to use both trusted and local authorities
- system: fix group privilege print and correctly redirect after edit
- system: use cached address list in referrer check
- system: fix Syslog-ng search stats
- firewall: HTML-escape dynamic entries to display aliases
- firewall: display correct IP version in automatic rules
- firewall: fix a warning while reading empty outbound rules configuration
- firewall: skip illegal log lines in live log
- interfaces: performance improvements for configurations with hundreds of interfaces
- reporting: performance improvements for Python 3 NetFlow aggregator rewrite
- dhcp: move advanced router advertisement options to correct config section
- ipsec: replace global array access with function to ensure side-effect free boot
- ipsec: change DPD action on start to "dpdaction = restart"
- ipsec: remove already default "dpdaction = none" if not set
- ipsec: use interface IP address in local ID when doing NAT before IPsec
- web proxy: fix database reset for Squid 4 by replacing use of ssl_crtd with security_file_certgen
- plugins: os-acme-client 1.24[1]
- plugins: os-bind 1.6[2]
- plugins: os-dnscrypt-proxy 1.5[3]
- plugins: os-frr now restricts characters in BGP prefix-list and route-maps[4]
- plugins: os-google-cloud-sdk 1.0[5]
- ports: curl 7.65.3[6]
- ports: monit 5.26.0[7]
- ports: openssh 8.0p1[8]
- ports: php 7.2.20[9]
- ports: python 3.7.4[10]
- ports: sqlite 3.29.0[11]
- ports: squid 4.8[12]
Stay safe and hydrated,
Your OPNsense team