That was quick!

This includes all very recent FreeBSD SA/EN patches, a number of system improvements (how are you doing, Kea!) and third party updates for OpenVPN and StrongSwan.

It also includes one high and one medium advisory for our code. GitHub has not issued a CVE for this yet, unfortunately, but this announcement will be updated as soon as that happens. See below for details.

Here are the full patch notes:

• system: protect popen() with exec_safe()[1]
• system: lockout bypass fix[2] (contributed by Konstantinos Spartalis)
• system: refactor dashboard to use User model instead of direct config access
• system: throw UserException when dashboard size limit was reached on save
• system: add notes dashboard widget (contributed by Konstantinos Spartalis)
• system: allow gateway load balance weights from 1 to 10 for more flexibility (contributed by Matthew Hall)
• system: fix traffic dashboard widget initialization race condition (contributed by Greelan)
• system: avoid side effect rendering sysctl item in config.xml during console assignment
• system: improve cron command and parameter escaping
• system: add "nosync" option to gateway configuration
• system: support RADIUS NAS-IP-Address attribute for authentication
• system: add compatibility layer to future route disable/enable migration
• system: only split first colon when reading sysctls
• system: revisit snapshot name validation (partially contributed by Konstantinos Spartalis)
• interfaces: refactor bridge reconfigure script
• firewall: live view: decode HTML where necessary to aid filtering
• firewall: fix typo in alias update error log and make parser a bit more resilient
• firmware: opnsense-update: handle FreeBSD.conf disable internally
• kea: fix "Delegated length must be longer than or equal to prefix length" validation
• kea: add ddns-override-no-update, ddns-override-client-update and ddns-update-on-renew per subnet
• kea: DDNS DNS server port can now be specified
• kea: add explicit reverse DDNS zones support (contributed by XtraLarge)
• kea: add DDNS manual config override
• kea: remove depend constraint of ddns_reverse_zone
• radvd: allow user controlled hop limit (contributed by BPplays)
• unbound: improve hostname/domain override validation
• backend: configctl: properly quote parameters to avoid skipping empty ones (contributed by Majx)
• lang: numerous updates and fixes in existing languages
• mvc: introduce JSON field type and refactor dashboard to use it
• mvc: fixed a number of class import statements
• shell: config access refactor in password and setaddr scripts
• ui: generalize placeholders between controllers and JS
• ui: simplify and clean up debounce() usage
• ui: trap generic error popup for specific API URLs such as /api/core/firmware/upgradestatus when it adds no value and known to be unstable
• plugins: os-acme-client 4.16[3]
• plugins: os-zabbix-agent 1.9[4]
• plugins: os-zabbix-proxy 1.7[5]
• src: vm_fault: reset m_needs_zeroing properly[6]
• src: timerfd: Fix interval callout scheduling[7]
• src: tty: avoid leaving dangling pointers in tty_drop_ctty()[8]
• src: pkru: fix handling of 1GB largepage mappings[9]
• src: contrib/tzdata: import tzdata 2025c, 2026a and 2026b[10]
• src: amd64: fix INVLPGB range invalidation[11]
• src: pf: improve SCTP validation[12]
• src: execve: fix an operator precedence bug[13]
• src: dhclient: check for unexpected characters in some DHCP server options[14]
• src: dhclient: fix reallocation of dhclient script environments[15]
• src: libnv: switch fd_wait() from select(2) to poll(2)[16]
• src: libnv: fix heap overflow in nvlist_recv()[17]
• src: libpcap: update to 1.10.6
• src: ipfw_nptv6: fix handling the ifaddr removal event
• src: if_tuntap: make SIOCIFDESTROY interruptible
• src: pfctl: parser must not ignore error from pfctl_optimize_ruleset()
• src: pf: fix duplicate rule detection for automatic tables
• src: openssl: update from 3.0.16 to 3.0.20
• src: routing: fix use-after-free in finalize_nhop
• src: ixgbe: fix MRQC register value
• src: in_mcast: Fix a lock leak in inp_set_source_filters()
• src: linuxkpi: fix an off-by-one error in the kfifo implementation
• src: sctp: fix so_proto when peeling off a socket
• ports: expat 2.8.0[18]
• ports: openvpn 2.6.20[19]
• ports: phpseclib 3.0.52[20]
• ports: strongswan 6.0.6[21]

Stay safe,
Your OPNsense team