@ June 01, 2017

Hello again,

It is with pleasure that we announce the availability of SafeStack in
the OPNsense ports tree as our latest addition via our valued HardenedBSD
friendship.  While SafeStack is already deployed for the base operating
system, it had not previously been applied to the ports tree.

SafeStack is an exploit mitigation developed by clang/llvm.  It helps
mitigate stack-based buffer overflows.  SafeStack depends on Address
Space Layout Randomization (ASLR) in order to be effective.  OPNsense
fulfils that dependency by including the HardenedBSD ASLR implementation,
which follows the original PaX design.  Without ASLR, SafeStack is
ineffective as an attacker would know where the SafeStack lies in
memory and could use that information to her advantage.
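For readers who want to verify that a build actually carries SafeStack,
the following small C program is an added example, not code from
OPNsense or HardenedBSD.  It relies on two compiler facilities that exist
in clang (__has_feature(safe_stack) and __builtin_frame_address) and
measures the distance between an address-taken local array, which
SafeStack relocates to the separate "unsafe" stack, and the current frame
address, which stays on the regular (safe) stack.  The 1 MiB threshold is
an assumed heuristic, not a documented constant.

```c
#include <stdint.h>
#include <stdio.h>

/* clang defines __has_feature; other compilers do not, so default it to 0. */
#ifndef __has_feature
#define __has_feature(x) 0
#endif

/* Compile-time view: 1 when this unit was built with -fsanitize=safe-stack. */
int safestack_compiled_in(void)
{
    return __has_feature(safe_stack) ? 1 : 0;
}

/* Runtime view: distance in bytes between a local buffer and the frame
 * address.  Without SafeStack both sit in the same frame, so the distance is
 * a handful of bytes.  With SafeStack the buffer (its address is taken and
 * escapes) lives on the mmap'd unsafe stack, far from the frame address, which
 * is why an attacker who overflows it cannot reach the return address that
 * stays on the safe stack. */
uintptr_t stack_split_distance(void)
{
    char buf[64];                                   /* address-taken local */
    uintptr_t a = (uintptr_t)buf;                   /* candidate unsafe stack */
    uintptr_t b = (uintptr_t)__builtin_frame_address(0); /* safe stack */
    buf[0] = 0;                                     /* keep buf materialised */
    return a > b ? a - b : b - a;
}

/* Assumed heuristic: a separation beyond 1 MiB means the stacks are split. */
int stacks_appear_split(void)
{
    return stack_split_distance() > ((uintptr_t)1 << 20) ? 1 : 0;
}

int main(void)
{
    printf("SafeStack compiled in : %d\n", safestack_compiled_in());
    printf("buffer/frame distance : %lu bytes\n",
           (unsigned long)stack_split_distance());
    printf("stacks appear split   : %d\n", stacks_appear_split());
    return 0;
}
```

Build it twice, once with plain `clang -O1 safestack_check.c` and once
with `clang -O1 -fsanitize=safe-stack safestack_check.c`, and compare the
output: the second build reports the feature as present and a distance
of many megabytes.  The runtime probe only shows that the buffer is
elsewhere; it does not show where, which is exactly the property ASLR
is needed to preserve.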

It is still rather quiet security-wise.  Although OpenSSL is updated,
this release does not contain any security fixes.

Here are the full patch notes:

o system: tweak the HTTP_REFERER error message (contributed by Michael Muenz)
o system: IPv6 SSL cipher selection fix (contributed by Alexander Graf)
o system: only probe gateway monitor when it is running
o system: move web GUI to plugin framework
o system: improve ssh key newline write
o system: allow up to 8 name servers
o firewall: add CARP option "Disable preempt"
o firewall: move CARP preempt to later boot stage
o firewall: allow port ranges in the form of "80-100" in addition to "80:100"
o interfaces: track6 edge case requires HUP for either reload or linkup
o ipsec: fix widget count after strongSwan 5.5.2 update
o intrusion detection: add advanced feature default-packet-size
o firmware: new mirror for Dept. of CSE, Yuan Ze University, Taiwan[1]
o rc: advertise live mode just above the login prompt
o rc: improve the set IP menu option with far gateway selection,
  DHCP, DNS, track6, etc.
o mvc: send forms as type-safe JSON data
o mvc: correct multi-value sort in template helper
o mvc: fix validation issue when storing a value for the first time
o lang: minor updates for Chinese (contributed by Tianmo)
o lang: Japanese 100% completed (contributed by Chie and Takeshi Taguchi)
o plugins: quagga 1.2 with initial BGP support (contributed by
  Fabian Franz and Michael Muenz)
o plugins: zabbix-agent 1.0 (contributed by Frank Wall)
o plugins: haproxy 1.15 (contributed by Fabian Franz and Frank Wall)
o ports: enabled SafeStack for applicable amd64 packages, ported
  over by HardenedBSD
o ports: openssl 1.0.2l[2]


Stay safe,
Your OPNsense team

--
[1] https://www.cse.yzu.edu.tw
[2] https://www.openssl.org/news/cl102.txt
