IPFire 2.15 Core 80 发布

jopen 10年前

IPFire是一份Linux发行,它注重轻松的装备、方便的操作和高级别的安全。它通过一份直观的基于网页的界面来进行操作管理,该界面为新手级及老练 的系统管理员提供很多直观的配置选项。IPFire由一群关注安全及经常更新该产品以保持其安全的开发者来维护。IPFire带有一份定制的叫做 Pakfire的包管理器,系统也可以通过各种附件来进行扩展。

This is the official release announcement for IPFire 2.15 – Core Update 80. It comes with lots of new features, some bugfixes and some minor security fixes.

DNSSEC

There has been a crowdfunding on the IPFire wishlist which raised money for implementing a DNSSEC validating DNS proxy. The DNS proxy service that is running inside of IPFire has been forked and some features that were dropped in the upstream version have been backported.

IPFire now validates every DNS response of zones that are signed. If the DNSSEC signatures do not validate a DNS error is raised and therefore spoofing attacks are not longer possible. However, it is not sufficient for the internal DNS proxy to have DNSSEC enabled. Client systems should validate DNSSEC records, too, but we think that these changes block most spoofing attacks from the Internet and only DNS spoofing attacks from the local network are possible. The cache pool size has been increased so that dnsmasq is able to cache many DNS keys and signatures and that the verification does not harm the user experience.

It is required that the DNS servers from the Internet service providers validate DNSSEC as well. If not, you may change to one of those public DNS servers in this list. There is more information about DNS and IPFire on our wiki.

New dynamic DNS updater

A new tool to update dynamic DNS records has been written. It replaces the old, faulty and hard to maintain perl script setddns.pl. The new client is written in Python and portable to other distributions as well. It is easily extensible and avoids duplicating code. The sources can be found on our own git server or on GitHub and we are happy to receive improvements and patches that add support for new providers.

The user interface has been simplified and obsolete and deprecated features like wildcard support have been dropped.

There is support for all DNS providers that have been formerly supported. Providers that don’t exist any more have been removed and some new ones have been added: all-inkl.com, dhs.org, dns.lightningwirelabs.com, dnspark.com, dtdns.com, dyndns.org, dynu.com, easydns.com, enom.com, entrydns.net, freedns.afraid.org, namecheap.com, no-ip.com, nsupdate.info, opendns.com ovh.com, regfish.com, selfhost.de, spdns.org, strato.com, twodns.de, udmedia.de, variomedia.de, zoneedit.com.

Misc

  • The lzo libary has been updated to version 2.08 because of a potential, but very unlikely security issue filed under CVE-2014-4607.
  • wpa_supplicant has been updated to version 2.2.
  • strongswan has been updated to version 5.2.0
  • Ersan Yildirim submitted updates for the Turkish translation.
  • The dhcrelay binary and an initscript are shipped.
  • The bind tools have been updated to version 9.9.5 to support DNSSEC, too.
  • rng-tools have been updated to version 5 to support Intel processors that come with the RDRAND instruction, but without AES-NI.
  • squid web proxy: The minimum and maximum object size of objects that are put into the cache is no longer ignored.
  • Firewall hits by country: Fix chart for dial-up connections.
  • Static routes cannot be added twice into the configuration and must not be a part of any of the local networks.

Add-ons

New arrivals

Updates

  • clamav 0.98.4
  • hostapd 2.2
  • sane 1.0.24
  • tor 0.2.4.22
  • transmission 2.84