Howdy,

This update is released mainly due to the fact that FreeBSD-SA-25:12.rtsold[2] has impact on WAN-facing DHCPv6 connectivity being used, but also offers a mid-size batch of improvements like CARP VHID awareness for DHCRelay and a thorough cleanup and improvement pass over the Suricata integration we have been discussing during Suricon in November.

Of special note is that the captive portal accounting moves back to ipfw(4) from pf(4) because in larger deployments accounting rules are much faster this way and the use case of Ethernet-less captive portals such as on top of WireGuard now work properly again. The hook for pluggable pf(4) "ether" rules remains for now but will be removed in 26.1 as we do not intend to advocate its use.

Also, Python has reported security issues of which a DoS in http.client could potentially affect existing installations given that an HTTP server sends a malicious response which "can consume a large amount of memory and CPU time and cause swapping". Python has not released an update for version 3.11 at this point in time.

Here are the full patch notes:

• system: clean up and normalise the sample config.xml
• system: replace "realif" variables with "device" in gateway code
• system: replace exec() in live banner SSH probe
• interfaces: scan pltime/vltime in "ifconfig -L" mode
• firewall: live log: allow column modifications and combine hostname columns
• firewall: live log: add bigger table size options and simplify table update
• firewall: minor simplification in filter sync script
• reporting: health: add CPU temperature y-axis label (contributed by NOYB)
• dhcrelay: add CARP VHID tracking option to relays
• dhcrelay: use the new mwexecf() $format support
• firmware: opnsense-update: remove architecture pinning for -X option
• captive portal: re-introduce ipfw for accounting purposes only
• dnsmasq: add DHCP logging flags to influence log verbosity
• intrusion detection: refactor query scripts and deprecate params.py
• intrusion detection: increase maintainability of suricata.yaml file
• intrusion detection: add support for /usr/local/etc/suricata/conf.d directory
• intrusion detection: clean up views and controllers
• openvpn: openvpn: add AES-256-CBC cipher for legacy compat (contributed by Fabian Franz)
• openvpn: add support for verify-x509-name option (contributed by laozhoubuluo)
• openvpn: replace exec() in MVC code
• unbound: deprecate Blocklist.site blocklists (contributed by Drumba08)
• unbound: clean up blocklists update marker and size file handling
• mvc: ApiMutableModelControllerBase: add invalidateModel() method
• mvc: Config: use is_int()/array_key_first() in toArray() and fromArray()
• mvc: Config: mvc: use LIBXML_NOBLANKS when loading config files
• mvc: FilterBaseController: move shared automation rule logic here
• mvc: get translated services description from API (contributed by Tobias Degen)
• mvc: BaseField: provide asInt() method
• rc: bootstrap /var/lib/php/tests for upcoming test case use
• plugins: os-ndp-proxy-go 1.2[1]
• plugins: os-theme-rebellion 1.9.4 (contributed by Team Rebellion)
• src: e1000: do not enable ASPM L1 without L0s
• src: e1000: bump 82574/82583 PBA to 32K
• src: if_ovpn: use IFT_TUNNEL
• src: ifconfig: bring back -L for netlink
• src: igb: fix VLAN support on VFs
• src: irdma: fix potential memory leak on qhash cqp operation
• src: ix: add support for debug dump for E610 adapters
• src: netmap: fix error handling in nm_os_extmem_create()
• src: pf: reading rules with a read lock on ioctl
• src: pf: relax sctp v_tag verification
• src: pf: handle divert packets
• src: pfsync: fix incorrect unlock during destroy
• src: rtsold: remote code execution via ND6 router advertisements[2]
• ports: dpinger 3.4[3]
• ports: libucl 0.9.3
• ports: nss 3.119.1[4]
• ports: phpseclib 3.0.48

Stay safe,
Your OPNsense team