u/fitch-it-is

▲ 144 r/opnsense

OPNsense 26.1.11 released

26.1.11_5:

  • firmware: support for patch release matching
  • openvpn: add a specific regex constraint for static keys to fix previous safeguarding

26.1.11_3:

  • system: hasPrivilege() not merging user privs correctly (reported by iys8)
  • firewall: fix some small issues in menu registration for legacy pages
  • monit: re-allow spaces in start, stop and condition

26.1.11:

  • system: configuration line injection via multiple GUI text fields (reported by lujiefsi)
  • system: add missing legacy_html_escape_form_data() for $a_cert on administration settings (reported by Jonas Ampferl of Hacking Cult)
  • system: lockout: address newline injection and correct IP parsing (reported by lujiefsi)
  • system: add "local_uri" type in SanitizeFilter() and use it to avoid hardcoding
  • system: several compatible adjustments for upcoming PHP 8.5
  • system: fix ACL pattern for carp_status action (contributed by Etienne Girault)
  • system: enhance live log widget (contributed by Greelan)
  • firewall: safeguard ISO country codes in alias download (reported by Jonas Ampferl of Hacking Cult)
  • firewall: escape user-controlled values in tooltip attributes (reported by Jonas Ampferl of Hacking Cult)
  • firewall: add the same new rules GUI design to the MVC NAT pages
  • firewall: add CSV download/upload to MVC NAT pages
  • firewall: add migration for outbound NAT into source NAT page
  • firewall: destination NAT: display effective port when local-port is omitted
  • firewall: source NAT: allow empty target which means the interface address
  • firewall: source NAT: skip rendering rules when mode is not advanced/manual or hybrid
  • firewall: improve performance on MVC pages using virtualDOM
  • firewall: allow WAN as "associated interface" for NPTv6 when prefix ID is set
  • firewall: fix TypeError on alias getItem() with unknown UUID (contributed by haxorton)
  • firewall: unify group names of OpenVPN, WireGuard and IPsec encapsulation
  • firewall: show rule counts that can be exported and hide tab if no rules exist
  • firewall: improve interface filter logic to include floating rules with multiple interfaces when they overlap with at least one interface in the interface filter request
  • firewall: add validations for "No RDR" option to prevent target and local-port being set
  • firewall: skip alias on new rules GUI apply
  • interfaces: prohibit the use of advanced DHCP option settings by non-administrators
  • interfaces: properly format API times to ISO format and convert timezone for display in automatic discovery
  • captive portal: pass in ip_address as a set for accounting
  • firmware: fix small glitch that re-prompts for showing community plugins
  • kea: add widget to show DHCP leases
  • kea: simplify model option values
  • monit: use throwNotFullAdmin() to restrict monit GUI write access to full admins due to intended system wide execution rights
  • network time: fix stored XSS in GPS init string display (reported by Jonas Ampferl of Hacking Cult)
  • openvpn: prevent path traversal in "common_name" attribute (reported by lujiefsi)
  • openvpn: escape client common_name in connection-status views (reported by Jan Kahmen of turningpoint and lujiefsi)
  • openvpn: simplify model option values
  • mvc: checkAndThrowValueInUse validate input token which may only contain alphanum and dashes (reported by Jonas Ampferl of Hacking Cult)
  • mvc: guard BaseField::setNodes() against a list given for a scalar leaf (contributed by haxorton)
  • mvc: DescriptionField: disable special and newline characters
  • mvc: FileObject: fix exception bug (contributed by Greelan)
  • mvc: also do not translate empty labels in grids
  • mvc: give throwReadOnly() a sibling named throwNotFullAdmin()
  • mvc: use camelCase for carp_status action
  • ui: bootgrid: minor optimizations
  • ui: add generic escaping function htmlSafe() for JavaScript
  • plugins: os-cloudflared 1.1
  • plugins: os-freeradius 1.10.2
  • plugins: os-vnstat 1.4
  • src: vm: use-after-free in device pager page list
  • src: execve: local privilege escalation via execve(2) TOCTOU race
  • src: openzfs: multiple vulnerabilities in OpenZFS
  • src: libalias: bffer overflow in libalias RTSP handler
  • src: unlinkat: unlinkat(2) ignores AT_RESOLVE_BENEATH flag
  • src: tcp: use-after-free in TCP RACK stack option handler
  • src: posixshm: multiple vulnerabilities in POSIX largepage objects
  • src: audit: incorrect audit records for ptrace(2) syscall requests
  • src: ktls: remote DOS via uninitialized memory access in KTLS receive
  • src: linux: kernel stack disclosure in Linux compatibility layer
  • src: iconf: multiple vulnerabilities in iconv(3)
  • ports: curl 8.21.0
  • ports: expat 2.8.2
  • ports: ldns 1.9.2
  • ports: lighttpd 1.4.84
  • ports: phalcon 5.16.0
  • ports: py-duckdb 1.5.4
  • ports: syslog-ng 4.12.0
forum.opnsense.org
u/fitch-it-is — 5 days ago

OPNsense 26.7-BETA images

Behind the scenes we were working on providing the first images for the upcoming 26.7 series. We aligned with the FreeBSD 15.1 release schedule and fixed all the installer compatibilities we've found. From early testing FreeBSD 15.1 behaves pretty well. The main difference from current community versions is PHP 8.5, OpenSSL 3.5 and that this image is only containing the development version. Upgrades to future versions are possible.

forum.opnsense.org
u/fitch-it-is — 10 days ago

OPNsense 26.4.1 business edition released

https://forum.opnsense.org/index.php?topic=52149.0

  • system: refactor dashboard to use User model instead of direct config access
  • system: throw UserException when dashboard size limit was reached on save
  • system: add notes dashboard widget (contributed by Konstantinos Spartalis)
  • system: fix traffic dashboard widget initialization race condition (contributed by Greelan)
  • system: avoid side effect rendering sysctl item in config.xml during console assignment
  • system: improve cron command and parameter escaping
  • system: support RADIUS NAS-IP-Address attribute for authentication
  • system: add compatibility layer to future route disable/enable migration
  • system: only split first colon when reading sysctls
  • system: revisit snapshot name validation (partially contributed by Konstantinos Spartalis)
  • system: fix missing newline when generating cron jobs due to a regression
  • system: fix missing base64_decode() in JsonField which prevented user settings from saving
  • system: link CA references after all changes
  • system: parse certificate "key_type" and "digest"
  • system: allow flushing legacy OpenVPN legacy config
  • system: audit "staticroute" config access
  • system: use safe config iteration in core_user_changed_groups()
  • system: tighten landing page redirect (contributed by Konstantinos Spartalis)
  • system: fix passing null into getRealInterface()
  • system: fix regression in selective group delete introduced previously
  • system: allow unregistered plugin cron actions to be deleted
  • system: disable MAILTO for cron jobs
  • system: dashboard: explicitly compact on layout shift if there is no predefined layout
  • system: dashboard: update result on default restore
  • reporting: render NaN values as empty values and omit leading empty records from data set for health graphs
  • reporting: add max on Y axis for traffic graphs
  • interfaces: refactor bridge reconfigure script
  • interfaces: add missing config locks in device controllers
  • interfaces: use safe iteration in backend code
  • interfaces: adjust and annotate interface_dhcpv6_id()
  • interfaces: account for multiple UUIDs in VIP deletion
  • interfaces: more safe iteration through config_read_array()
  • interfaces: fix wrong DUID-UUID format but keep accepting the wrong one
  • interfaces: fix regression in selective device delete introduced previously
  • interfaces: IAID selection and prefix range reservation for WAN DHCPv6
  • interfaces: parse ifconfig output despite exit error in legacy_interfaces_details()
  • interfaces: hostwatch: pin warning banner to enabled flag
  • firewall: live view: decode HTML where necessary to aid filtering
  • firewall: use save method from ApiMutableModelControllerBase for log command, move rule command and savepoint action
  • firewall: safe config access in list_legacy_rules.php
  • firewall: remove duplicated CSV button hook
  • firewall: fix NPTv6 validation for empty external subnet
  • firewall: make getRealInterface() a static utility function
  • firewall: refactor searchRuleAction() to use the same filtering and sorting logic on MVC and legacy data
  • firewall: fix inverted source/destination cosmetic issue in SNAT and One-to-One NAT grids
  • firewall: fix search for floating rules in new rules GUI
  • firewall: add an alias formatter to show content fields as "dynamic" when populated by other components
  • firewall: fix Tabulator regression with alias batch delete
  • firewall: use safe config iteration in interface registration
  • firewall: fix unintended change in filtering logic for new rules GUI
  • firewall: fix action, ipprotocol and protocol translations for legacy rules in new rules GUI
  • firewall: use safe iteration over rules in filter_core_rules_user()
  • firewall: add missing exclamation mark for "not" in scrub rules
  • firewall: fix interface sorting by value for live log and groups
  • firewall: add banner if no rules defined in new rules GUI to match legacy GUI
  • firewall: use strnatcasecmp() for interface list in new rules GUI
  • firewall: fix typo that prevented queues to be selectable in pf-based traffic shaping
  • firewall: escape shaper targets in rule edit (contributed by lujiefsi)
  • captive portal: remove redirection on HTTPS and ditch non-functional pass statement
  • dnsmasq: change DHCP tag to DescriptionField
  • dnsmasq: change widget link from settings to leases page
  • firmware: opnsense-bootstrap: add "-B" bare bootstrap mode
  • firmware: add repo configuration output to connectivity audit
  • firmware: stop buffering in sed to fix chunked update log output
  • firmware: retain ordering in update servers for connectivity check
  • firmware: allow "local" business mirror subscription
  • firmware: put clickable trailer for community plugins
  • firmware: fix return value masking during updates
  • firmware: opnsense-update: do not clean obsolete files on manual -r invokes
  • intrusion detection: fix drop and alert buttons on rules tab
  • ipsec: move swanctl.conf download button to the tab
  • ipsec: restyle the connections page for clarity
  • ipsec: disable scroll in authentication and children grids (contributed by Konstantinos Spartalis)
  • ipsec: validate the use of refid in CA certificates (reported by lujiefsi)
  • kea: fix "Delegated length must be longer than or equal to prefix length" validation
  • kea: add ddns-override-no-update, ddns-override-client-update and ddns-update-on-renew per subnet
  • kea: DDNS DNS server port can now be specified
  • kea: add explicit reverse DDNS zones support (contributed by XtraLarge)
  • kea: add DDNS manual config override
  • kea: remove depend constraint of ddns_reverse_zone
  • kea: plug socket into dynamic PD route installation script
  • kea: add prefix to reservations to allow for static PD allocations based on DUID/MAC
  • kea: infer IPv6 lease type in delete script via lease lookup so IA_NA/IA_PD can be deleted
  • kea: DDNS add ddns-conflict-resolution-mode per subnet (contributed by chaispaquichui)
  • kea: allow customizing "mac_sources" and change default to "ipv6-link-local"
  • kea: add user-context object to config to emit description
  • kea: fix option_data_autocollect mismatch in DHCPv6 page
  • kea: enable internalModelSafeDelete due to increased model relation field usage
  • kea: build reservation status from control socket output
  • kea: add subnet vltime (partially contributed by Brandan Giles)
  • kea: add client-id to DHCPv4 reservations
  • kea: use JSON_UNESCAPED_UNICODE when writing the JSON configuration
  • kea: dynamic prefix delegation support
  • kea: always start the prefix watcher when DHCPv6 is enabled
  • kea: cleanups for IntegerField using isSet() and no negative numbers allowed
  • kea: add decline_probation_period and set lower default to mitigate faulty client implementations to consume the whole pool
  • kea: add subnet allocator field (contributed by Marcos Della)
  • kea: add DHCPv4 compatibility options (contributed by Marcos Della)
  • kea: hook up reservation.next_server (contributed by Ian Munsie)
  • kea: fix missing visual cues for manual mode in DDNS and DHCPv4/6
  • network time: small cleanups in ntpd_configure_gps()
  • openvpn: add tls-crypt-v2 support
  • openvpn: allow restart action via cron
  • openvpn: fix client export not showing common names
  • openvpn: require an integer of at least 1 for "vpnid" field
  • radvd: allow user controlled hop limit (contributed by BPplays)
  • radvd: allow to start a manual configuration without primary IPv6
  • unbound: improve hostname/domain override validation
  • unbound: minor style/refactor for safe config access
  • unbound: hide unused tree row in form output for overrides
  • unbound: restyle statistics page
  • unbound: blocklists categorization and apply button message update (contributed by Konstantinos Spartalis)
  • wireguard: use getValues() consistently in control script
  • acl: some missing references and using camelCase pointers instead of snake_case
  • backend: configctl: properly quote parameters to avoid skipping empty ones (contributed by Majx)
  • backend: configctl: support -f cache flush parameter to fix cache invalidation preamble "!" pass
  • lang: numerous updates and fixes in existing languages
  • mvc: introduce JSON field type and refactor dashboard to use it
  • mvc: fixed a number of class import statements
  • mvc: remove unused UIModelGrid imports in IDS, Monit and Syslog controllers
  • mvc: remove Util imports where not needed
  • mvc: BaseField: add count() helper
  • mvc: fix validation to use getValue instead of plain string cast
  • mvc: UIModelGrid: remove flatten() method as getFlatNodes() is almost the same
  • mvc: add support for pluggable dynamic menu items and move some existing parts out of the MenuSystem class
  • mvc: stricter email address validation
  • mvc: OptionsField: use key as value if no value is set
  • mvc: unify migration message returns
  • mvc: add new validators to TextField: AllowSpaces, AllowNewlines, AllowSpecial and introduce new StrictTextField
  • mvc: strict alphanumeric-only regex for certificate refid (contributed by eev4n)
  • mvc: simplify assorted option values to reduce duplication
  • mvc: static header support for forms
  • rc: move system_powerd_configure() to bootup plugin hook
  • shell: config access refactor in password and setaddr scripts
  • shell: safe iteration for VLAN/LAGG in port assignment
  • shell: use safe config iteration in live mode banner
  • shell: fix syntax error in port assignment
  • ui: generalize placeholders between controllers and JS
  • ui: simplify and clean up debounce() usage
  • ui: trap generic error popup for specific API URLs such as /api/core/firmware/upgradestatus when it adds no value and known to be unstable
  • ui: add static dialog header support and fix bool/string compare
  • ui: add type_formatter keyword to form rendering
  • ui: add save/cancel button support to form rendering
  • ui: remove "event" use from bootgrid showSaveAlert()
  • ui: add support for binary file uploads
  • ui: bootgrid: onRendered executed in wrong spot
  • ui: clean up useRequestHandlerOnGet usage
  • ui: use space in apply box for the apply reminder
  • ui: improve form validation error append
  • ui: tab exclusion for SimpleActionButton
  • ui: split form button row render as some forms only use save
  • ui: override selectpicker defaults for translations
  • ui: hide apply button for specific tabs on multiple pages (contributed by Konstantinos Spartalis)
  • ui: bootgrid: align datakey with the rest of the options, but allow top-level placement
  • ui: bootgrid: mark state variables as such
  • ui: bootgrid: safeguard replace() function
  • ui: bootgrid: remove unused getTotalRowCount() method
  • ui: bootgrid: prevent NaN pagination values for non-ajax grids when row count is set to all
  • ui: bootgrid: clean up converter compatibility code
  • ui: bootgrid: replace "append" with "replace" for ajax: false grids
  • ui: bootgrid: adjust column persistence behavior to prevent horizontal dead space
  • ui: bootgrid: allow column selection exclusions
  • ui: allow passing of data attributes for select items in setFormData()
  • ui: remove banner on inline reload if applicable
  • ui: button padding when injecting next to apply button
  • ui: fix spurious padding in apply button section (contributed by Konstantinos Spartalis)
  • plugins: os-cloudflared 1.0 (contributed by Richard Aspden)
  • plugins: os-ddclient 1.31
  • plugins: os-frr 1.53
  • plugins: os-netbird 1.3
  • plugins: os-q-feeds-connector 1.6
  • plugins: os-rfc2136 1.10
  • plugins: os-stunnel fix for missing include in script
  • plugins: os-telegraf 1.12.15
  • plugins: os-tinc fixes evaluation of hosts enabled flag (contributed by Konstantinos Spartalis)
  • plugins: os-turnserver 1.3
  • plugins: os-zabbix-agent 1.9
  • plugins: os-zabbix-proxy 1.7
  • plugins: use safe config iteration in interface registration code
  • src: missing permission check in thr_kill2
  • src: arbitrary file overwrite via the KTLS receive path
  • src: multiple vulnerabilities in the sound mmap path
  • src: sigqueue missing capability mode restriction
  • src: use-after-free bug in the IPV6_MSFILTER socket option handler
  • src: flaw in Linuxulator execution of setugid binaries
  • src: ASLR bypass for setuid executables via procctl
  • src: integer overflow in vt CONS_HISTORY ioctl
  • src: openssl: fix multiple vulnerabilities
  • src: ldns: fix query response validation
  • src: netlink: fix lock leak in nl_find_nhop
  • src: pf: avoid taking the pf rules write lock in a couple of ioctls
  • src: ipfw: add ability to run ipfw binary with 15.0+ kernel module
  • src: ipfw: treat ipv6 address with zero mask as "any"
  • ports: curl 8.20.0
  • ports: dnsmasq 2.93
  • ports: filterlog 0.8 changes rule label fetch to libpfctl
  • ports: kea 3.0.3
  • ports: krb5 1.22.2
  • ports: libxml 2.15.3
  • ports: nss 3.124
  • ports: openssh 10.3p1
  • ports: openssl 3.0.21
  • ports: openvpn 2.7.4
  • ports: phalcon 5.14.2
  • ports: php 8.3.31
  • ports: phpseclib 3.0.55
  • ports: py-duckdb 1.5.3
  • ports: py-numpy 2.4.6
  • ports: py-requests 2.33.1
  • ports: python 3.13.14
  • ports: sqlite3 3.53.1
  • ports: strongswan 6.0.7
reddit.com
u/fitch-it-is — 20 days ago
▲ 162 r/opnsense

OPNsense 26.1.10 released

https://forum.opnsense.org/index.php?topic=52140.0

  • system: routing: changed "disable" option to "enable"
  • system: dashboard: explicitly compact on layout shift if there is no predefined layout
  • system: dashboard: update result on default restore
  • interfaces: parse ifconfig output despite exit error in legacy_interfaces_details()
  • interfaces: hostwatch: pin warning banner to enabled flag
  • firewall: always show automatic and legacy rules in new rules GUI
  • firewall: add banner if no rules defined in new rules GUI to match legacy GUI
  • firewall: use strnatcasecmp() for interface list in new rules GUI
  • firewall: fix typo that prevented queues to be selectable in pf-based traffic shaping
  • firewall: escape shaper targets in rule edit (contributed by lujiefsi)
  • dnsmasq: change widget link from settings to leases page
  • firmware: stop buffering in sed to fix chunked update log output
  • firmware: retain ordering in update servers for connectivity check
  • firmware: allow "local" business mirror subscription
  • firmware: put clickable trailer for community plugins
  • firmware: fix return value masking during updates
  • firmware: opnsense-update: do not clean obsolete files on manual -r invokes
  • intrusion detection: fix drop and alert buttons on rules tab
  • ipsec: disable scroll in authentication and children grids (contributed by Konstantinos Spartalis)
  • ipsec: validate the use of refid in CA certificates (reported by lujiefsi)
  • kea: prevent converting the decimal prefix_id using hexdec() for dynamic PD
  • openvpn: fix client export not showing common names
  • openvpn: require an integer of at least 1 for "vpnid" field
  • mvc: add new validators to TextField: AllowSpaces, AllowNewlines, AllowSpecial and introduce new StrictTextField
  • mvc: strict alphanumeric-only regex for certificate refid (contributed by eev4n)
  • mvc: simplify assorted option values to reduce duplication
  • mvc: static header support for forms
  • rc: move system_powerd_configure() to bootup plugin hook
  • ui: bootgrid: allow column selection exclusions
  • ui: allow passing of data attributes for select items in setFormData()
  • ui: remove banner on inline reload if applicable
  • ui: button padding when injecting next to apply button
  • ui: fix spurious padding in apply button section (contributed by Konstantinos Spartalis)
  • plugins: os-cloudflared 1.0 (contributed by Richard Aspden)
  • plugins: os-frr 1.53
  • plugins: os-rfc2136 1.10
  • plugins: os-stunnel fix for missing include in script
  • plugins: os-telegraf 1.12.15
  • src: missing permission check in thr_kill2
  • src: arbitrary file overwrite via the KTLS receive path
  • src: multiple vulnerabilities in the sound mmap path
  • src: sigqueue missing capability mode restriction
  • src: use-after-free bug in the IPV6_MSFILTER socket option handler
  • src: flaw in Linuxulator execution of setugid binaries
  • src: ASLR bypass for setuid executables via procctl
  • src: integer overflow in vt CONS_HISTORY ioctl
  • src: openssl: fix multiple vulnerabilities
  • src: ldns: fix query response validation
  • src: netlink: fix lock leak in nl_find_nhop
  • src: pf: avoid taking the pf rules write lock in a couple of ioctls
  • src: ipfw: add ability to run ipfw binary with 15.0+ kernel module
  • src: ipfw: treat ipv6 address with zero mask as "any"
  • ports: dnsmasq 2.93
  • ports: filterlog 0.8 changes rule label fetch to libpfctl
  • ports: openssl 3.0.21
  • ports: phalcon 5.14.2
  • ports: phpseclib 3.0.55
  • ports: py-duckdb 1.5.3
  • ports: py-numpy 2.4.6
  • ports: python 3.13.14
  • ports: sqlite3 3.53.1
  • ports: strongswan 6.0.7
reddit.com
u/fitch-it-is — 21 days ago
▲ 207 r/opnsense

OPNsense 26.1.9 released

  • system remove unused data-tooltip that is not properly escaped from certificates widget
  • system: tighten landing page redirect (contributed by Konstantinos Spartalis)
  • system: fix passing null into getRealInterface()
  • system: fix regression in selective group delete introduced previously
  • system: allow unregistered plugin cron actions to be deleted
  • system: disable MAILTO for cron jobs
  • reporting: render NaN values as empty values and omit leading empty records from data set for health graphs
  • reporting: add max on Y axis for traffic graphs
  • interfaces: dhclient.conf does not cope with multi-line request/require
  • interfaces: account for multiple UUIDs in VIP deletion
  • interfaces: more safe iteration through config_read_array()
  • interfaces: fix wrong DUID-UUID format but keep accepting the wrong one
  • interfaces: fix regression in selective device delete introduced previously
  • interfaces: IAID selection and prefix range reservation for WAN DHCPv6
  • firewall: fix for missing HTML escape in description render in legacy rules GUI
  • firewall: add an alias formatter to show content fields as "dynamic" when populated by other components
  • firewall: fix Tabulator regression with alias batch delete
  • firewall: use safe config iteration in interface registration
  • firewall: fix unintended change in filtering logic for new rules GUI
  • firewall: fix action, ipprotocol and protocol translations for legacy rules in new rules GUI
  • firewall: use safe iteration over rules in filter_core_rules_user()
  • firewall: add missing exclamation mark for "not" in scrub rules
  • firewall: fix interface sorting by value for live log and groups
  • captive portal: remove redirection on HTTPS and ditch non-functional pass statement
  • dnsmasq: change DHCP tag to DescriptionField
  • ipsec: move swanctl.conf download button to the tab
  • ipsec: restyle the connections page for clarity
  • kea: dynamic prefix delegation support
  • kea: always start the prefix watcher when DHCPv6 is enabled
  • kea: cleanups for IntegerField using isSet() and no negative numbers allowed
  • kea: add decline_probation_period and set lower default to mitigate faulty client implementations to consume the whole pool
  • kea: add subnet allocator field (contributed by Marcos Della)
  • kea: add DHCPv4 compatibility options (contributed by Marcos Della)
  • kea: hook up reservation.next_server (contributed by Ian Munsie)
  • kea: fix missing visual cues for manual mode in DDNS and DHCPv4/6
  • monit: sanitize monit output before offering it
  • network time: cleanse port option before use (reported by Konstantinos Spartalis)
  • network time: small cleanups in ntpd_configure_gps()
  • unbound: blocklists categorization and apply button message update (contributed by Konstantinos Spartalis)
  • acl: some missing references and using camelCase pointers instead of snake_case
  • mvc: add support for pluggable dynamic menu items and move some existing parts out of the MenuSystem class
  • mvc: stricter email address validation
  • mvc: OptionsField: use key as value if no value is set
  • mvc: unify migration message returns
  • mvc: do not translate empty strings
  • ui: clean up useRequestHandlerOnGet usage
  • ui: use space in apply box for the apply reminder
  • ui: improve form validation error append
  • ui: tab exclusion for SimpleActionButton
  • ui: split form button row render as some forms only use save
  • ui: override selectpicker defaults for translations
  • ui: hide apply button for specific tabs on multiple pages (contributed by Konstantinos Spartalis)
  • ui: bootgrid: align datakey with the rest of the options, but allow top-level placement
  • ui: bootgrid: mark state variables as such
  • ui: bootgrid: safeguard replace() function
  • ui: bootgrid: remove unused getTotalRowCount() method
  • ui: bootgrid: prevent NaN pagination values for non-ajax grids when row count is set to all
  • ui: bootgrid: clean up converter compatibility code
  • ui: bootgrid: replace "append" with "replace" for ajax: false grids
  • ui: bootgrid: adjust column persistence behavior to prevent horizontal dead space
  • plugins: use safe config iteration in interface registration code
  • plugins: os-tinc fixes evaluation of hosts enabled flag (contributed by Konstantinos Spartalis)
  • src: dhclient: improve server and filename validation
  • src: setcred: fix buffer overflow
  • src: kern: make sure to drain selinfo sleepers
  • src: fusefs: handle buggy server LISTXATTR response
  • src: ptrace: fix validation of PT_SC_REMOTE arguments
  • src: libcasper: switch from select(2) to poll(2)
  • src: cap_net: do not allow new limits to drop keys from the old ones
  • src: ipfw: fix parsing error in nat config port_range
  • src: ipfw: fix checksum after NAT
  • src: igmp: Avoid leaving dangling pointers in the state-change queue
  • src: vxlan: Update *m0 after a pullup
  • src: routing: use a better error number in sysctl_fibs()
  • src: routing: initialize V_rt_numfibs earlier during boot
  • src: pfsync: reject invalid SCTP states
  • src: pf: do not reject rules with colliding hashes
  • src: rtnetlink: check for allocation failure in nlattr_get_multipath()
  • src: rtnetlink: align RTA_MULTIPATH length validation in nlattr_get
  • ports: nss 3.124
  • ports: openvpn 2.7.4
  • ports: php 8.3.31
  • ports: py-numpy 2.4.4
  • ports: suricata 8.0.5
  • ports: unbound 1.25.1
forum.opnsense.org
u/fitch-it-is — 1 month ago
▲ 165 r/opnsense

OPNsense 26.1.8 released

26.1.8_5:

  • interfaces: follow up on DHCPv4 settings sanitization
  • firewall: fix search for floating rules in new rules GUI
  • kea: use JSON_UNESCAPED_UNICODE when writing the JSON configuration
  • shell: fix syntax error in port assignment
  • ui: bootgrid: onRendered executed in wrong spot

26.1.8:

  • system: properly escape username in sync_user.php command invoke (contributed by Konstantinos Spartalis)
  • interfaces: safeguard DHCPv4 settings against arbitrary command injection (reported by Kchigo)
  • system: fix XMLRPC sync with VIP and "nosync" option
  • system: link CA references after all changes
  • system: parse certificate "key_type" and "digest"
  • system: allow flushing legacy OpenVPN legacy config
  • system: audit "staticroute" config access
  • system: use safe config iteration in core_user_changed_groups()
  • interfaces: add missing config locks in device controllers
  • interfaces: use safe iteration in backend code
  • interfaces: adjust and annotate interface_dhcpv6_id()
  • firewall: use save method from ApiMutableModelControllerBase for log command, move rule command and savepoint action
  • firewall: safe config access in list_legacy_rules.php
  • firewall: remove duplicated CSV button hook
  • firewall: fix NPTv6 validation for empty external subnet
  • firewall: make getRealInterface() a static utility function
  • firewall: refactor searchRuleAction() to use the same filtering and sorting logic on MVC and legacy data
  • firewall: fix inverted source/destination cosmetic issue in SNAT and One-to-One NAT grids
  • captive portal: re-introduce hash lookup for accounting purposes
  • captive portal: reload IPFW on captive portal reconfigure too
  • dnsmasq: ignore DHCP names for "wpad" to fix CERT Vulnerability VU#598349
  • firmware: opnsense-bootstrap: add "-B" bare bootstrap mode
  • firmware: add repo configuration output to connectivity audit
  • kea: plug socket into dynamic PD route installation script
  • kea: add prefix to reservations to allow for static PD allocations based on DUID/MAC
  • kea: infer IPv6 lease type in delete script via lease lookup so IA_NA/IA_PD can be deleted
  • kea: DDNS add ddns-conflict-resolution-mode per subnet (contributed by chaispaquichui)
  • kea: allow customizing "mac_sources" and change default to "ipv6-link-local"
  • kea: add user-context object to config to emit description
  • kea: fix option_data_autocollect mismatch in DHCPv6 page
  • kea: enable internalModelSafeDelete due to increased model relation field usage
  • kea: build reservation status from control socket output
  • kea: add subnet vltime (partially contributed by Brandan Giles)
  • kea: add client-id to DHCPv4 reservations
  • network time: fix ACL definitions (contributed by Konstantinos Spartalis)
  • openvpn: reload configuration for group sync after successful authentication
  • openvpn: add tls-crypt-v2 support
  • openvpn: allow restart action via cron
  • radvd: allow to start a manual configuration without primary IPv6
  • unbound: minor style/refactor for safe config access
  • unbound: hide unused tree row in form output for overrides
  • unbound: restyle statistics page
  • wireguard: use getValues() consistently in control script
  • mvc: remove unused UIModelGrid imports in IDS, Monit and Syslog controllers
  • mvc: remove Util imports where not needed
  • mvc: BaseField: add count() helper
  • mvc: fix validation to use getValue instead of plain string cast
  • mvc: UIModelGrid: remove flatten() method as getFlatNodes() is almost the same
  • shell: safe iteration for VLAN/LAGG in port assignment
  • shell: use safe config iteration in live mode banner
  • ui: add static dialog header support and fix bool/string compare
  • ui: add type_formatter keyword to form rendering
  • ui: add save/cancel button support to form rendering
  • ui: remove "event" use from bootgrid showSaveAlert()
  • ui: add support for binary file uploads
  • plugins: os-ddclient 1.31
  • plugins: os-frr 1.52
  • plugins: os-netbird 1.3
  • plugins: os-q-feeds-connector 1.6
  • plugins: os-turnserver 1.3
  • ports: curl 8.20.0
  • ports: dnsmasq 2.92rel2
  • ports: expat 2.8.1
  • ports: kea 3.0.3
  • ports: krb5 1.22.2
  • ports: libxml 2.15.3
  • ports: nss 3.123.1
  • ports: openssh 10.3p1
  • ports: phalcon 5.12.1
  • ports: py-duckdb 1.5.2
  • ports: py-requests 2.33.1
  • ports: unbound 1.25.0
forum.opnsense.org
u/fitch-it-is — 2 months ago
▲ 152 r/opnsense

26.1.7_1:

  • system: fix missing newline when generating cron jobs due to a regression

26.1.7:

  • system: protect popen() with exec_safe()
  • system: lockout bypass fix (contributed by Konstantinos Spartalis)
  • system: refactor dashboard to use User model instead of direct config access
  • system: throw UserException when dashboard size limit was reached on save
  • system: add notes dashboard widget (contributed by Konstantinos Spartalis)
  • system: allow gateway load balance weights from 1 to 10 for more flexibility (contributed by Matthew Hall)
  • system: fix traffic dashboard widget initialization race condition (contributed by Greelan)
  • system: avoid side effect rendering sysctl item in config.xml during console assignment
  • system: improve cron command and parameter escaping
  • system: add "nosync" option to gateway configuration
  • system: support RADIUS NAS-IP-Address attribute for authentication
  • system: add compatibility layer to future route disable/enable migration
  • system: only split first colon when reading sysctls
  • system: revisit snapshot name validation (partially contributed by Konstantinos Spartalis)
  • interfaces: refactor bridge reconfigure script
  • firewall: live view: decode HTML where necessary to aid filtering
  • firewall: fix typo in alias update error log and make parser a bit more resilient
  • firmware: opnsense-update: handle FreeBSD.conf disable internally
  • kea: fix "Delegated length must be longer than or equal to prefix length" validation
  • kea: add ddns-override-no-update, ddns-override-client-update and ddns-update-on-renew per subnet
  • kea: DDNS DNS server port can now be specified
  • kea: add explicit reverse DDNS zones support (contributed by XtraLarge)
  • kea: add DDNS manual config override
  • kea: remove depend constraint of ddns_reverse_zone
  • radvd: allow user controlled hop limit (contributed by BPplays)
  • unbound: improve hostname/domain override validation
  • backend: configctl: properly quote parameters to avoid skipping empty ones (contributed by Majx)
  • lang: numerous updates and fixes in existing languages
  • mvc: introduce JSON field type and refactor dashboard to use it
  • mvc: fixed a number of class import statements
  • shell: config access refactor in password and setaddr scripts
  • ui: generalize placeholders between controllers and JS
  • ui: simplify and clean up debounce() usage
  • ui: trap generic error popup for specific API URLs such as /api/core/firmware/upgradestatus when it adds no value and known to be unstable
  • plugins: os-acme-client 4.16
  • plugins: os-zabbix-agent 1.9
  • plugins: os-zabbix-proxy 1.7
  • src: vm_fault: reset m_needs_zeroing properly
  • src: timerfd: Fix interval callout scheduling
  • src: tty: avoid leaving dangling pointers in tty_drop_ctty()
  • src: pkru: fix handling of 1GB largepage mappings
  • src: contrib/tzdata: import tzdata 2025c, 2026a and 2026b
  • src: amd64: fix INVLPGB range invalidation
  • src: pf: improve SCTP validation
  • src: execve: fix an operator precedence bug
  • src: dhclient: check for unexpected characters in some DHCP server options
  • src: dhclient: fix reallocation of dhclient script environments
  • src: libnv: switch fd_wait() from select(2) to poll(2)
  • src: libnv: fix heap overflow in nvlist_recv()
  • src: libpcap: update to 1.10.6
  • src: ipfw_nptv6: fix handling the ifaddr removal event
  • src: if_tuntap: make SIOCIFDESTROY interruptible
  • src: pfctl: parser must not ignore error from pfctl_optimize_ruleset()
  • src: pf: fix duplicate rule detection for automatic tables
  • src: openssl: update from 3.0.16 to 3.0.20
  • src: routing: fix use-after-free in finalize_nhop
  • src: ixgbe: fix MRQC register value
  • src: in_mcast: Fix a lock leak in inp_set_source_filters()
  • src: linuxkpi: fix an off-by-one error in the kfifo implementation
  • src: sctp: fix so_proto when peeling off a socket
  • ports: expat 2.8.0
  • ports: openvpn 2.6.20
  • ports: phpseclib 3.0.52
  • ports: strongswan 6.0.6
forum.opnsense.org
u/fitch-it-is — 2 months ago