Hi all,
After a longer pause we are back with considerable upgrades for IPsec, a new CSR feature for local CAs, the PHP 7.2 migration and a number of other considerable third-party updates.
These are the full patch notes:
- system: improve gateway status return when monitoring is off
- system: warn user about future deprecation of "user-config-readonly" privilege
- system: support certificate signing requests (contributed by nhirokinet)
- system: syslog does not need to do a background startup since it backgrounds itself
- system: invalidate Nextcloud URL with trailing slash (contributed by Fabian Franz)
- system: avoid double encoding cert name (contributed by Indrajit Raychaudhuri)
- interfaces: fix facility for rtsold log about dhcp6c (contributed by Thomas du Boys)
- interfaces: take all unknown arguments as real interfaces in interfaces_addresses()
- interfaces: optionally allow interfaces_addresses() to emit subnets instead of addresses
- interfaces: move mpd.script to new location (may require interface reconfigure)
- firewall: proper locking of aliases before config action on delete
- firewall: correctly set outbound NAT destination as network
- firewall: add support for DSCP in shaper (contributed by Michael Muenz)
- firewall: add support for IDN in aliases (contributed by Smart-Soft)
- captive portal: allow access to this host (contributed by Fredrik Ronnvall)
- firmware: fix parsing of packages in multi-repo env and revoked fingerprint message
- firmware: add University of Kent to the firmware mirrors
- ipsec: only use explicit reqid when using route-based interfaces
- ipsec: correctly set install policy option on newly created phase 1 entries
- ipsec: improve split DNS and INTERNAL_DNS_DOMAIN configuration
- ipsec: added IKEv2 DH group 31 / curve 25519 (contributed by Peter Stehlin)
- ipsec: properly quote UNITY_BANNER for multi-line support
- ipsec: support for dynamic remote gateways
- monit: add migration/validation for service/test type dependency (contributed by Frank Brendel)
- monit: added missing "not on" label
- openvpn: support static-challenge formatted password
- openvpn: properly load custom config field in exporter
- openvpn: cleanups in listening address handling
- web proxy: IP address not available when address set to none
- web proxy: add sortable support for PAC proxy lists (contributed by Fabian Franz)
- web proxy: add dash to allowed characters in description (contributed by Fabian Franz)
- backend: python 2->3 iteritems() conversion in core templates
- mvc: migrate config backup rotation to handle static and MVC pages (contributed by Smart-Soft)
- mvc: controller cleanups in cron, intrusion detection, routes
- mvc: obey "user-config-readonly" privilege in mutable controllers
- mvc: support overlays in setBase() / addBase()
- ui: remove jquery-bootgrid converters which are now included in the library
- plugins: os-acme-client 1.23[1][2][3]
- plugins: os-dyndns 1.14 supports wildcards for Google Domains
- plugins: os-etpro-telemetry 1.3 uses HOME_NET for anonymization
- plugins: os-freeradius 19.1.0[4]
- plugins: os-frr 1.9[5]
- plugins: os-nginx 1.10[6]
- plugins: os-postfix 1.9[7]
- plugins: os-rspamd 1.5[8]
- plugins: os-telegraf 1.7.5[9]
- plugins: os-theme-cicada 1.15 (contributed by Team Rebellion)
- plugins: os-theme-tukan 1.14 (contributed by Team Rebellion)
- plugins: os-zabbix-agent 1.5[10]
- ports: ca_root_nss 3.43
- ports: curl 7.64.1
- ports: libucl 0.8.1
- ports: pcre 8.43
- ports: php 7.2.16
- ports: py-cryptography 2.6.1
- ports: phpseclib 2.0.15
- ports: python 2.7.16
- ports: unbound 1.9.1
A hotfix release was issued as 19.1.5_1:
- mvc: sync missing hasPrivilege()
Stay safe,
Your OPNsense team