@ March 29, 2017

Dear friends and followers,

The update finally addresses one of the larger issues with IPsec in
17.1, where traffic was not properly tracked by the packet filter,
which caused spurious connection drops in TCP sessions.  Another
cool addition is the merge of the HardenedBSD SafeStack work to
further harden the application binaries of our base system.

Last but not least, the switch to the new virtual terminal driver
is now fully functional and we intend to release new images based
on 17.1.4 on Monday next week.  Note this does not affect running
installations.

Upgrading from a physical console may abort the firmware update due
to an incompatible switch in the TTY settings.  Simply log in again
and restart the update to continue.  Note this does not affect
upgrades via GUI or SSH.  Should problems arise, force a reinstall
of the core package from the shell with the following command:

# opnsense-revert opnsense

Here are the full patch notes:

o system: early installer switched for simpler config importer
o system: no longer set shell privileges on password reset
o system: avoid misinterpreting obsoleted options use_mfs_tmp_size
  and use_mfs_var_size
o system: do not prompt for password on user edit
o system: modernise console/tty settings
o interfaces: always wait for dhclient exit
o firewall: handle scheduled restarts via new plugin_cron() facility
o traffic shaper: exclude IP address when using 3G/4G modems
o dnsmasq: configure exclusively via plugin calls
o ipsec: remove filtertunnel workaround in light of bundled kernel fix
o ipsec: fix missing CA selection for mutual RSA
o ipsec: require authentication header as first file
o ipsec: include path consolidation
o openvpn: allow tunnel network overrides to contain host addresses
o openvpn: take client IP for topology subnet in CSC
o openvpn: include patch consolidation
o unbound: configure exclusively via plugin calls
o web proxy: harden SSL ciphers (contributed by Fabian Franz)
o mvc: fix multiple scoping issues in base volt templates
o lang: updates for Chinese, Czech, French, German, Portuguese
o plugins: Let's Encrypt 1.4[1][2] (contributed by Felix Kling
  and Frank Wall)
o plugins: HAproxy 1.13[3] (contributed by Frank Wall)
o src: tzdata version 2017b[4]
o src: HardenedBSD SafeStack for base applications[5]
o src: fix IPsec skip parameter handling in IPv4
o src: discard 3072 bytes in arc4_stir() (contributed by Codarren Velvindron)
o ports: ca_root_nss 3.30
o ports: php 7.0.17[6]
o ports: libarchive 3.3.1
o ports: ntp 4.2.8p10[7]

We are also happy to announce the availability of the renewed OPNsense 17.1
images based on this version.  Apart from the numerous improvements since
the initial release, the images have been switched to use the virtual
console driver vt(4) as a default to address boot issues.  They also feature
a new config importer and fix the serial console display of the installer.

For more than two years now, OPNsense has been driving innovation through
modularising and hardening the code base, quick and reliable firmware
upgrades, multi-language support, fast adoption of upstream software
updates, as well as clear and stable 2-Clause BSD licensing.

Download links, an installation guide[8] and the checksums for the images
can be found below.

o Europe: https://opnsense.c0urier.net/releases/17.1.4/
o US East Coast: http://mirrors.nycbug.org/pub/opnsense/releases/17.1.4/
o US West Coast: http://mirror.sfo12.us.leaseweb.net/opnsense/releases/17.1.4/
o Full mirror list: https://opnsense.org/download/


Stay safe,
Your OPNsense team

--
[1] https://github.com/opnsense/plugins/pull/91
[2] https://github.com/opnsense/plugins/pull/103
[3] https://github.com/opnsense/plugins/pull/94
[4] http://mm.icann.org/pipermail/tz-announce/2017-March/000046.html
[5] https://hardenedbsd.org/article/shawn-webb/2016-11-27/introducing-safestack
[6] https://php.net/ChangeLog-7.php#7.0.17
[7] https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ChangeLog-stable
[8] https://docs.opnsense.org/manual/install.html

# SHA256 (OPNsense-17.1.4-OpenSSL-cdrom-amd64.iso.bz2) = 911e4b343b0a7721a8c4f306ab0f84934a40d8829adb2fa808c4656a9a2ef7aa
# SHA256 (OPNsense-17.1.4-OpenSSL-nano-amd64.img.bz2) = ffedac68887b5c0dd619306058471e22c8f7f81c5eb14a566b788feb1d311b16
# SHA256 (OPNsense-17.1.4-OpenSSL-serial-amd64.img.bz2) = 53c270a8078f956dbc923962e82ea4bc9b95b7ed9f09f048fd7ad6c86d38c839
# SHA256 (OPNsense-17.1.4-OpenSSL-vga-amd64.img.bz2) = f9914405f6ca9f0947ccc63d1dac088ec778112ee3a431d4b44d4b400f991106
# SHA256 (OPNsense-17.1.4-OpenSSL-cdrom-i386.iso.bz2) = 23a60c0790848965df1b0596fcdea64fa14a67a8ed8ec9c93ca87b1bc3f6ce03
# SHA256 (OPNsense-17.1.4-OpenSSL-nano-i386.img.bz2) = 4ef91cc2f341dc39e356716f6b6d1e9dd646c9a3a30a7149978c79633639bb8f
# SHA256 (OPNsense-17.1.4-OpenSSL-serial-i386.img.bz2) = ead413845f83d4c112a7c7fbe79047effe78082d1530f1e5502d84d18f41dde0
# SHA256 (OPNsense-17.1.4-OpenSSL-vga-i386.img.bz2) = 8c928797fa21025cbb54df4274ba3d61eb37b3978ab5ae66f843fa8c75d829e8

# MD5 (OPNsense-17.1.4-OpenSSL-cdrom-amd64.iso.bz2) = 26a6110fad91b2b5105bbb1e9de2c299
# MD5 (OPNsense-17.1.4-OpenSSL-nano-amd64.img.bz2) = 7fd648124a6e9b6386174572aab237a8
# MD5 (OPNsense-17.1.4-OpenSSL-serial-amd64.img.bz2) = 34b3152ecde10e3869c4a3f0a0bb201d
# MD5 (OPNsense-17.1.4-OpenSSL-vga-amd64.img.bz2) = 6e1563a155a8715aa73e62be4cf0d542
# MD5 (OPNsense-17.1.4-OpenSSL-cdrom-i386.iso.bz2) = e2870d1b63cbca5aeead2b3148841e45
# MD5 (OPNsense-17.1.4-OpenSSL-nano-i386.img.bz2) = e7942c3af773f7a991d37b1a8391a60b
# MD5 (OPNsense-17.1.4-OpenSSL-serial-i386.img.bz2) = e6c3a6629a8c62d4a07d429f446f077a
# MD5 (OPNsense-17.1.4-OpenSSL-vga-i386.img.bz2) = 70cdb19b808b5b5ac522d02d8db911b9
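The SHA256 lines above are what a downloaded image should be checked against before it is written to a disk or booted.  The following script is an added example and not part of OPNsense's own tooling: it parses the BSD-style "SHA256 (file) = hash" lines as published here, computes the digest of a downloaded image with sha256sum (or shasum on BSD and macOS userlands) and compares the two.  It assumes the checksum lines have been saved verbatim to a text file; the file and image names in the demo at the bottom are constructed and not real images.  The MD5 lines are deliberately ignored, since MD5 is collision-broken and must not decide whether an image is genuine.  Note also that two of the mirrors above are plain http, so take the checksum lines from the https copy of this announcement rather than from the same mirror as the image, otherwise the check only guards against a corrupt download, not a substituted one.

```shell
#!/bin/sh
# Added example (not OPNsense's own code): verify a downloaded image against
# the "# SHA256 (file) = hash" lines published in the release announcement.
# Assumes sha256sum (coreutils) or shasum (perl) is on PATH.

# Compute the SHA-256 of a file, portable across Linux and BSD/macOS userlands.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Extract the expected SHA-256 for one image name from the checksum file.
# A line splits into fields: "#" "SHA256" "(name)" "=" "<64 hex chars>".
# MD5 lines never match $2 == "SHA256" and are skipped on purpose.
expected_sha256() {
    # $1 = checksum file, $2 = image file name (no directory part)
    awk -v name="$2" '
        $1 == "#" && $2 == "SHA256" && $3 == "(" name ")" { print $5; exit }
    ' "$1"
}

# Verify one image.  Returns 0 on match, 1 on mismatch, 2 if the checksum
# file has no SHA256 entry for that image name (never fall back to MD5).
verify_image() {
    # $1 = checksum file, $2 = path to the downloaded image
    name=$(basename "$2")
    want=$(expected_sha256 "$1" "$name")
    if [ -z "$want" ]; then
        echo "no SHA256 entry for $name" >&2
        return 2
    fi
    got=$(sha256_of "$2")
    if [ "$got" = "$want" ]; then
        echo "OK   $name"
        return 0
    fi
    echo "FAIL $name: expected $want, got $got" >&2
    return 1
}

# Self-contained demo on a constructed file, not a real image.  The SHA-256
# of the five bytes "hello" plus a newline is a well-known value, so the
# constructed checksum line matches and verification succeeds.
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/OPNsense-demo.img.bz2"
cat > "$demo_dir/checksums.txt" <<'EOF'
# SHA256 (OPNsense-demo.img.bz2) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
# MD5 (OPNsense-demo.img.bz2) = b1946ac92492d2347c6235b4d2611184
EOF
verify_image "$demo_dir/checksums.txt" "$demo_dir/OPNsense-demo.img.bz2"
rm -rf "$demo_dir"
```

For a real download, save the "# SHA256 ..." lines of this announcement to a file and run `verify_image checksums.txt OPNsense-17.1.4-OpenSSL-vga-amd64.img.bz2` against the file as fetched, before decompressing it, since the published digests are of the .bz2 archives.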
