▲ 144 r/opnsense
OPNsense 26.1.11 released
26.1.11_5:
- firmware: support for patch release matching
- openvpn: add a specific regex constraint for static keys to fix previous safeguarding
26.1.11_3:
- system: hasPrivilege() not merging user privs correctly (reported by iys8)
- firewall: fix some small issues in menu registration for legacy pages
- monit: re-allow spaces in start, stop and condition
26.1.11:
- system: configuration line injection via multiple GUI text fields (reported by lujiefsi)
- system: add missing legacy_html_escape_form_data() for $a_cert on administration settings (reported by Jonas Ampferl of Hacking Cult)
- system: lockout: address newline injection and correct IP parsing (reported by lujiefsi)
- system: add "local_uri" type in SanitizeFilter() and use it to avoid hardcoding
- system: several compatible adjustments for upcoming PHP 8.5
- system: fix ACL pattern for carp_status action (contributed by Etienne Girault)
- system: enhance live log widget (contributed by Greelan)
- firewall: safeguard ISO country codes in alias download (reported by Jonas Ampferl of Hacking Cult)
- firewall: escape user-controlled values in tooltip attributes (reported by Jonas Ampferl of Hacking Cult)
- firewall: add the same new rules GUI design to the MVC NAT pages
- firewall: add CSV download/upload to MVC NAT pages
- firewall: add migration for outbound NAT into source NAT page
- firewall: destination NAT: display effective port when local-port is omitted
- firewall: source NAT: allow empty target which means the interface address
- firewall: source NAT: skip rendering rules when mode is not advanced/manual or hybrid
- firewall: improve performance on MVC pages using virtualDOM
- firewall: allow WAN as "associated interface" for NPTv6 when prefix ID is set
- firewall: fix TypeError on alias getItem() with unknown UUID (contributed by haxorton)
- firewall: unify group names of OpenVPN, WireGuard and IPsec encapsulation
- firewall: show rule counts that can be exported and hide tab if no rules exist
- firewall: improve interface filter logic to include floating rules with multiple interfaces when they overlap with at least one interface in the interface filter request
- firewall: add validations for "No RDR" option to prevent target and local-port being set
- firewall: skip alias on new rules GUI apply
- interfaces: prohibit the use of advanced DHCP option settings by non-administrators
- interfaces: properly format API times to ISO format and convert timezone for display in automatic discovery
- captive portal: pass in ip_address as a set for accounting
- firmware: fix small glitch that re-prompts for showing community plugins
- kea: add widget to show DHCP leases
- kea: simplify model option values
- monit: use throwNotFullAdmin() to restrict monit GUI write access to full admins due to intended system wide execution rights
- network time: fix stored XSS in GPS init string display (reported by Jonas Ampferl of Hacking Cult)
- openvpn: prevent path traversal in "common_name" attribute (reported by lujiefsi)
- openvpn: escape client common_name in connection-status views (reported by Jan Kahmen of turningpoint and lujiefsi)
- openvpn: simplify model option values
- mvc: checkAndThrowValueInUse validate input token which may only contain alphanum and dashes (reported by Jonas Ampferl of Hacking Cult)
- mvc: guard BaseField::setNodes() against a list given for a scalar leaf (contributed by haxorton)
- mvc: DescriptionField: disable special and newline characters
- mvc: FileObject: fix exception bug (contributed by Greelan)
- mvc: also do not translate empty labels in grids
- mvc: give throwReadOnly() a sibling named throwNotFullAdmin()
- mvc: use camelCase for carp_status action
- ui: bootgrid: minor optimizations
- ui: add generic escaping function htmlSafe() for JavaScript
- plugins: os-cloudflared 1.1
- plugins: os-freeradius 1.10.2
- plugins: os-vnstat 1.4
- src: vm: use-after-free in device pager page list
- src: execve: local privilege escalation via execve(2) TOCTOU race
- src: openzfs: multiple vulnerabilities in OpenZFS
- src: libalias: bffer overflow in libalias RTSP handler
- src: unlinkat: unlinkat(2) ignores AT_RESOLVE_BENEATH flag
- src: tcp: use-after-free in TCP RACK stack option handler
- src: posixshm: multiple vulnerabilities in POSIX largepage objects
- src: audit: incorrect audit records for ptrace(2) syscall requests
- src: ktls: remote DOS via uninitialized memory access in KTLS receive
- src: linux: kernel stack disclosure in Linux compatibility layer
- src: iconf: multiple vulnerabilities in iconv(3)
- ports: curl 8.21.0
- ports: expat 2.8.2
- ports: ldns 1.9.2
- ports: lighttpd 1.4.84
- ports: phalcon 5.16.0
- ports: py-duckdb 1.5.4
- ports: syslog-ng 4.12.0
u/fitch-it-is — 5 days ago