@ July 02, 2015

A good evening to you all,

While the summer is hot, we push forward to what now is 15.7 -- nicknamed
'Brave Badger' -- right in front of you.  A lot of effort went into this
project during the past 6 months, and we dare say it has been worth all
of it.  We would like to thank our followers and friends and feedback
givers and forum lurkers and contributors and doubters and supporters that
helped to make 15.7 what it is.  We wouldn't be here without any of you.
Thank you.

In itself, 15.7 is a simple upgrade from 15.1.12 which we recommend to
everyone.  What changes is that development will move to a different
branch so that from now on regressions are less likely and therefore
stability will increase further.  The provided images may also be the only
ones for the next 6 months as we are confident in their longevity and the
online upgrade path.  We have also bumped the LibreSSL flavour to a
production-ready state and encourage everyone to try it out.  The installer's
import configuration tool coupled with a quick and easy installation can help
you move from OpenSSL to LibreSSL and back seamlessly.

The biggest addition is the intrusion detection integration (suricata) as
well as new local and remote blacklist options for the proxy server (squid).
Security-wise, it has been rather quiet with only a few CVEs in third-party
tools.  Please see the full patch notes for details and references:

o kernel: borrowed a dummynet / ipnat patch from m0n0wall to enable symmetric
  traffic shaping when NAT is involved
o kernel: fix recurse lock panic for tmpfs in conjunction with unionfs
o kernel: applied two stable patches that prevent squid from crashing[1]
o kernel: retired ALTQ support
o base: sendmail TLS/DH Interoperability Improvement[2]
o base: improved iconv(3) UTF-7 support[3]
o base: inconsistency between locale and rune locale states[4]
o notable ports updates: phalcon 2.0.3[5], curl 7.43.0_2[6],
  openssh 6.8p1_8, python 2.7.10[7], perl 5.20.2_5[8], ntp 4.2.8p3[9],
  libxml2 2.9.2_3[10], openldap24-server 2.4.41[11]
o opnsense-update: will no longer try to reinstall the installed version
  after a fresh installation
o bsdinstaller: bring back cpdup to error out on low memory installation
  (you need 1 GB of RAM, or work around installation using the nano image)
o traffic shaper: removed legacy queues support in favour of the new traffic
  shaper functionality
o traffic shaper: allow direct enable/disable toggle
o proxy: fix the initial daemon start on bootup
o proxy: added LAN as the default interface configuration
o proxy: local and remote blacklists with regex support
o intrusion detection: initial release of our IDS GUI based on suricata
o gateways: monitoring mode gained IPv6 support
o captive portal: fix idle timeout bug
o captive portal: do not delete the wrong zone when having multiple
  configurations
o captive portal: removed include files from exposed web directory
o backend: always regenerate users and groups to avoid corruption after an
  unclean shutdown
o backend: wait for configd socket to come up to address a startup race issue
o backend: clean up configd socket on exit
o backend: fixed regression that prevented user scripts from being started
  via /etc/rc.conf
o gateways: only show apinger in services when monitoring is enabled for
  a gateway
o languages: brought Simplified Chinese to 49% completed, German to
  30% completed
o universal plug and play: make page invoke static to remove exploitability
  of the legacy packages framework
o crash reporter: finally enabled the send button and provide human-readable
  feedback on whether the submission was complete
o console: added non-interactive interface assignment for headless deployments
o ssh: disable password authentication on factory reset to align with the
  standard configuration
o diagnostics: avoid duplicated calls of gethostbyaddr() in NDP table view
o users: prompt for old password on password change to prevent account
  hijacking
o users: stripped the impossible scponly user privileges since said utility
  has never been part of our ecosystem

Images can be found on any of our mirrors, but they may take a
few hours to sync.  The checksums are attached at the end of
this announcement for convenience.

https://opnsense.org/download/


Stay safe,
Your OPNsense team

--
[1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=195802
[2] https://www.freebsd.org/security/advisories/FreeBSD-EN-15:08.sendmail.asc
[3] https://www.freebsd.org/security/advisories/FreeBSD-EN-15:10.iconv.asc
[4] https://www.freebsd.org/security/advisories/FreeBSD-EN-15:09.xlocale.asc
[5] https://github.com/phalcon/cphalcon/releases/tag/phalcon-v2.0.3
[6] https://curl.haxx.se/changes.html
[7] https://hg.python.org/cpython/raw-file/15c95b7d81dc/Misc/NEWS
[8] http://perldoc.perl.org/perl5202delta.html
[9] http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ChangeLog-stable
[10] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-1819
[11] http://www.openldap.org/software/release/readme.html

