changelogs

Ad Schellevis 2026-01-22 09:28:37 +01:00
parent 98e5ca34cf
commit 057de89ae7
22 changed files with 151 additions and 38 deletions

View file

@ -8,7 +8,7 @@ Community Edition
:width: 600px
:align: center
As of January 2015 there have been *329* releases leading to the latest version *25.7.10*
As of January 2015 there have been *330* releases leading to the latest version *25.7.11*
named "Visionary Viper".
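
Review bot: the changed sentence still reads "As of January 2015" while the release count goes to 330 and the latest version to 25.7.11, so the date was not bumped along with the other two values. The release section added elsewhere in this commit is dated January 15, 2026; update the month and year here in the same change, or reword the sentence so it carries no date that can go stale.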

View file

@ -106,7 +106,7 @@ Here are the full patch notes:
* openvpn: add live-search to longer lists in server page
* openvpn: support --cryptoapicert export `[1] <https://www.max-it.de/>`__ (sponsored by m.a.x. it)
* opnevpn: correctly check for translation in get_carp_interface_status()
* openvpn: use waitforpid() to properly wait for instanes to come up
* openvpn: use waitforpid() to properly wait for instances to come up
* openvpn: translate GUI error values when returning them
* openvpn: revamp status page
* unbound: leases watcher file rotation issue
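
Review bot: the context line two above the fix still has the misspelled prefix in "opnevpn: correctly check for translation in get_carp_interface_status()", so a search for "openvpn:" entries will miss it. Correct it to "openvpn:" in this hunk while "instanes" is being fixed; the identical hunk further down in this commit carries the same line and needs the same correction.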

View file

@ -91,7 +91,7 @@ Here are the full patch notes:
* plugins: os-zabbix4-proxy is now a plugin variant
* plugins: os-zabbix5-proxy is now a plugin variant
* src: axgbe: make sure driver works on V1000 platform and remove unnecessary reset
* src: axgbe: remove unneccesary packet length check
* src: axgbe: remove unnecessary packet length check
* ports: clog 1.0.2 fixes garbage header write on init
* ports: curl 7.78.0 `[8] <https://curl.se/changes.html#7_78_0>`__
* ports: filterlog adds CARP IPv6 support and moves label to previously reserved spot

View file

@ -31,7 +31,7 @@ Here are the full patch notes:
* unbound: missing global so that cache is never flushed when requested
* mvc: cleanse $record input in searchRecordsetBase() before usage
* src: fix multiple OpenSSL vulnerabilities `[1] <https://www.freebsd.org/security/advisories/FreeBSD-SA-23:03.openssl.asc>`__
* src: geli: split the initalization of HMAC `[2] <https://www.freebsd.org/security/advisories/FreeBSD-SA-23:01.geli.asc>`__
* src: geli: split the initialization of HMAC `[2] <https://www.freebsd.org/security/advisories/FreeBSD-SA-23:01.geli.asc>`__
* src: fix ena driver crash after reset in 7th gen AWS instance types `[3] <https://www.freebsd.org/security/advisories/FreeBSD-EN-23:03.ena.asc>`__
* src: fix sdhci broken write-protect settings `[4] <https://www.freebsd.org/security/advisories/FreeBSD-EN-23:02.sdhci.asc>`__
* src: import tzdata 2022g `[5] <https://www.freebsd.org/security/advisories/FreeBSD-EN-23:01.tzdata.asc>`__
@ -92,7 +92,7 @@ Here are the full patch notes:
* firewall: remove extended VIP expansion from NAT rules
* firewall: fix live view hostname lookup may result in HTTP 431 error
* firewall: add category selection to aliases
* firewall: sates page performance improvements and better address parsing in search
* firewall: states page performance improvements and better address parsing in search
* firewall: reuse "hostid" on filter reload events
* firewall: show automated "port 0" rule as actual port "0" on PHP 8
* reporting: fix incompatible regex syntax in FreeBSD 13.1 for firewall state health statistics
@ -226,7 +226,7 @@ Here are the full patch notes:
* system: extend nameservers script return for debugging purposes, i.e. "configctl system list nameservers debug"
* system: lighttpd obsoletion of server listing directive, disabled by default
* system: decode stored CRL data before display (contributed by kulikov-a)
* system: work around phpseclib 3 flagging RSA-PSS as an invalid key alogrithm
* system: work around phpseclib 3 flagging RSA-PSS as an invalid key algorithm
* system: check for existing X509 class before doing CRL update
* system: enforce RFC 8446 by requiring TLS_AES_128_GCM_SHA256 for TLS 1.3
* system: consider CRL end dates after 2050 as "lifetime" in GeneralizedTime format

View file

@ -609,7 +609,7 @@ A hotfix release was issued as 23.10_2:
* system: detect a on/off password shift when syncing user accounts
* firewall: when migrating aliases make sure that nesting does not fail
* plugins: os-OPNWAF now requires a descrption for virtual servers
* plugins: os-OPNWAF now requires a description for virtual servers
* plugins: os-radsecproxy fixes for stale rc script / pidfile issues
Migration notes, known issues and limitations:

View file

@ -469,7 +469,7 @@ A hotfix release was issued as 24.4_8:
Migration notes, known issues and limitations:
* Audits and certifications are requiring us to restrict system accounts for non-administrators (without wheel group in particular). It will no longer be possible to use non-adminstrator accounts with shell access and permissions for sensitive files have been tightened to not be world-readable. This may cause custom tooling to stop working, but can easily be fixed by giving these required accounts the full administration rights.
* ISC DHCP functionality is slowly being deprecated with the introduction of Kea as an alternative. The work to replace the tooling of ISC DHCP is ongoing, but feature sets will likely differ for a long time therefore. ISC DHCP Relay has been replaced with an OpenBSD-based code alternative and is now found unter "DHCRelay".
* ISC DHCP functionality is slowly being deprecated with the introduction of Kea as an alternative. The work to replace the tooling of ISC DHCP is ongoing, but feature sets will likely differ for a long time therefore. ISC DHCP Relay has been replaced with an OpenBSD-based code alternative and is now found under "DHCRelay".
* The move to the FreeBSD ports version of OpenSSL 3.0 is included and may disrupt third party repository use until those have been fixed and rebuilt accordingly. Please note that we do not vet third party repositories and do not have control over them so their response time may vary.
* The Squid web proxy functionality moves to a plugin and will no longer be installed by default for new installations. However, if you have Squid enabled the plugin will automatically be installed during the upgrade. There is no code difference in the implementation and integration of the plugin compared to the core version. The OPNProxy plugin is still available, but also moved to the community plugins due to this.
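
Review bot: the first migration note in this hunk still says "non-adminstrator accounts with shell access", one line above the "unter" fix. That note describes the tightened account and file-permission policy, so it is worth getting right; change it to "non-administrator" in the same edit.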

View file

@ -295,7 +295,7 @@ Here are the full patch notes:
* src: ovpn: fix use-after-free of mbuf
* src: pf: improve pf_state_key_attach() error handling
* src: pfkey2: use correct value for a key length
* src: routing: do not allow PINNED routes to be overriden
* src: routing: do not allow PINNED routes to be overridden
* src: sctp: fix double unlock in case adding a remote address fails
* src: tcp: clear sendfile logging struct
* src: udp: do not recursively enter net epoch

View file

@ -977,7 +977,7 @@ This is the official change log:
* Fixed several OpenSSL invokes to use the latest port version as opposed to the base version.
* Improved memory/disc/swap usage on the dashboard.
* Properly set DNS Resolver Advanced defaults.
* Fixed append of custom Unbound scrips.
* Fixed append of custom Unbound scripts.
* Modified the root menu shell to pass through to a real shell when arguments are given.
* Zapped the spurious "Array" prefix in user-defined aliases.
* Moved the bogons files fetch location to a local mirror.

View file

@ -35,7 +35,7 @@ tools. Please see the full patch notes for details and references:
* base: improved iconv(3) UTF-7 support `[3] <https://www.freebsd.org/security/advisories/FreeBSD-EN-15:10.iconv.asc>`__
* base: inconsistency between locale and rune locale states `[4] <https://www.freebsd.org/security/advisories/FreeBSD-EN-15:09.xlocale.asc>`__
* notable ports updates: phalcon 2.0.3 `[5] <https://github.com/phalcon/cphalcon/releases/tag/phalcon-v2.0.3>`__ , curl 7.43.0_2 `[6] <https://curl.haxx.se/changes.html>`__ , openssh 6.8p1_8, python 2.7.10 `[7] <https://hg.python.org/cpython/raw-file/15c95b7d81dc/Misc/NEWS>`__ , perl 5.20.2_5 `[8] <https://perldoc.perl.org/5.20.2/perldelta>`__ , ntp 4.2.8p3 `[9] <http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ChangeLog-stable>`__ , libxml 2.9.2_3 `[10] <https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-1819>`__ , openldap 2.4.41 `[11] <https://www.openldap.org/software/release/changes.html>`__
* opnsense-update: will no longer try to reinstall the istalled version after a fresh installation
* opnsense-update: will no longer try to reinstall the installed version after a fresh installation
* bsdinstaller: bring back cpdup to error out on low memory installation (you need 1 GB of RAM, or work around installation using the nano image)
* traffic shaper: removed legacy queues support in favour of the new traffic shaper functionality
* traffic shaper: allow direct enable/disable toggle
@ -363,7 +363,7 @@ more roadmap items already finished for 16.1.
Here are the full patch notes:
* ports: sudo 1.8.15 `[1] <https://www.sudo.ws/releases/legacy/#1.8.15>`__ , sqlite 3.9.2 `[2] <https://sqlite.org/releaselog/3_9_2.html>`__
* aliases: make url tables useable
* aliases: make url tables usable
* interfaces: fix faulty GUI caching issues `[3] <https://github.com/opnsense/core/issues/451>`__
* ipsec: obey force nat traversal
* ipsec: switch status page and widget from deprecated SMP to VICI interface for reliable output
@ -1060,7 +1060,7 @@ tools. Please see the full patch notes for details and references:
* base: improved iconv(3) UTF-7 support `[3] <https://www.freebsd.org/security/advisories/FreeBSD-EN-15:10.iconv.asc>`__
* base: inconsistency between locale and rune locale states `[4] <https://www.freebsd.org/security/advisories/FreeBSD-EN-15:09.xlocale.asc>`__
* notable ports updates: phalcon 2.0.3 `[5] <https://github.com/phalcon/cphalcon/releases/tag/phalcon-v2.0.3>`__ , curl 7.43.0_2 `[6] <https://curl.haxx.se/changes.html>`__ , openssh 6.8p1_8, python 2.7.10 `[7] <https://hg.python.org/cpython/raw-file/15c95b7d81dc/Misc/NEWS>`__ , perl 5.20.2_5 `[8] <https://perldoc.perl.org/5.20.2/perldelta>`__ , ntp 4.2.8p3 `[9] <http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ChangeLog-stable>`__ , libxml 2.9.2_3 `[10] <https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-1819>`__ , openldap 2.4.41 `[11] <https://www.openldap.org/software/release/changes.html>`__
* opnsense-update: will no longer try to reinstall the istalled version after a fresh installation
* opnsense-update: will no longer try to reinstall the installed version after a fresh installation
* bsdinstaller: bring back cpdup to error out on low memory installation (you need 1 GB of RAM, or work around installation using the nano image)
* traffic shaper: removed legacy queues support in favour of the new traffic shaper functionality
* traffic shaper: allow direct enable/disable toggle

View file

@ -138,7 +138,7 @@ Here are the full patch notes:
* dhcp: fixed and improved writing of dynamic DNS configuration
* ports: python 2.7.11_3 `[2] <http://bugs.python.org/issue26171>`__ , unbound 1.5.9 `[3] <https://nlnetlabs.nl/projects/unbound/download/>`__ , curl 7.49.1 `[4] <https://curl.haxx.se/changes.html>`__ , openssl 1.0.2_14 `[5] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2177>`__ , sudo 1.8.17p1 `[6] <https://www.sudo.ws/releases/legacy/#1.8.17p1>`__ , php 5.6.23 `[7] <https://www.php.net/ChangeLog-5.php#5.6.23>`__ , pcre 8.39 `[8] <http://www.pcre.org/original/changelog.txt>`__ , haproxy 1.6.6 `[9] <http://www.haproxy.org/download/1.6/src/CHANGELOG>`__
* src: tzdata updated to 2016e `[10] <http://mm.icann.org/pipermail/tz-announce/2016-June/000039.html>`__
* src: fix pf fragement timeout `[11] <https://lists.freebsd.org/pipermail/freebsd-pf/2016-May/008044.html>`__
* src: fix pf fragment timeout `[11] <https://lists.freebsd.org/pipermail/freebsd-pf/2016-May/008044.html>`__

View file

@ -888,7 +888,7 @@ Here is our list of major features that were worked on since 16.1:
* Added RFC 4638 support (MTU > 1492 in PPPoE)
* NTP can now be disabled if required
* New category-based remote ACL support in proxy server
* ICAP configuration aded to proxy server
* ICAP configuration added to proxy server
* Pluggable service infrastructure
* Pluggable syslog infrastructure
* Finished a full sweep of visible GUI pages for improved look and feel

View file

@ -340,7 +340,7 @@ Here are the full patch notes:
* web proxy: add extended file logging option
* openssh: migrated to plugin framework code
* openvpn: correctly export renegotiate time of zero
* openvpn: reenable the XOR patch support
* openvpn: re-enable the XOR patch support
* dynamic dns: multiple fixes and migrated to plugin framework code
* rfc2136: multiple fixes and migrated to plugin framework code
* rfc2136: separated code from dynamic DNS
@ -561,7 +561,7 @@ for Chinese. Xie xie!
Furthermore, the shared forwarding between both packet filters introduced
in OPNsense 17.1 has now been disabled by default and can be manually
reenabled from the GUI on Firewall: Settings: Advanced.
re-enabled from the GUI on Firewall: Settings: Advanced.
Here are the full patch notes:

View file

@ -29,7 +29,7 @@ These are the most prominent changes since version 18.1:
* Monit core integration to eventually replace the legacy notifications
* OpenSSH access via group and shell selection instead of privilege
* pluggable backup framework with new Nextcloud option
* sytem tunables are now also used as loader tunables
* system tunables are now also used as loader tunables
* unrestricted VLAN usage for e.g. Xen
* QinQ interface removal
* firmware GUI speedup, improved error parsing and console reboot hint
@ -791,7 +791,7 @@ These are the most prominent changes since version 18.1:
* Monit core integration to eventually replace the legacy notifications
* OpenSSH access via group and shell selection instead of privilege
* pluggable backup framework with new Nextcloud option
* sytem tunables are now also used as loader tunables
* system tunables are now also used as loader tunables
* unrestricted VLAN usage for e.g. Xen
* QinQ interface removal
* firmware GUI speedup, improved error parsing and console reboot hint

View file

@ -106,7 +106,7 @@ Here are the full patch notes:
* openvpn: add live-search to longer lists in server page
* openvpn: support --cryptoapicert export `[1] <https://www.max-it.de/>`__ (sponsored by m.a.x. it)
* opnevpn: correctly check for translation in get_carp_interface_status()
* openvpn: use waitforpid() to properly wait for instanes to come up
* openvpn: use waitforpid() to properly wait for instances to come up
* openvpn: translate GUI error values when returning them
* openvpn: revamp status page
* unbound: leases watcher file rotation issue

View file

@ -21,7 +21,7 @@ now supports UEFI as well.
For those wondering, the WireGuard plugin has been available since 2019 and
receives continuous improvements by its maintainer and various users alike.
And that is unlikey to change in the future. ;)
And that is unlikely to change in the future. ;)
As we continue to deprecate custom configuration inputs for a number of
reasons, Dnsmasq has been switched to a pluggable file-based approach `[1] <https://docs.opnsense.org/manual/dnsmasq.html>`__
@ -439,7 +439,7 @@ Here are the full patch notes:
Today we move ahead with the firmware UI and API rework as we are happy
with the new user experience. You will also notice the new plugin conflict
dialog which will report that plugins have been installed previously but
not registered in the configuration. This can be easily amended by reseting
not registered in the configuration. This can be easily amended by resetting
the local conflicts, which essentially accepts the current plugin
configuration as the new default. This necessary change introduces API
incompatibilities with existing external tools.
@ -636,7 +636,7 @@ now supports UEFI as well.
For those wondering, the WireGuard plugin has been available since 2019 and
receives continuous improvements by its maintainer and various users alike.
And that is unlikey to change in the future. ;)
And that is unlikely to change in the future. ;)
As we continue to deprecate custom configuration inputs for a number of
reasons, Dnsmasq has been switched to a pluggable file-based approach `[1] <https://docs.opnsense.org/manual/dnsmasq.html>`__

View file

@ -397,7 +397,7 @@ Here are the full patch notes:
A hotfix release was issued as 21.7.3_1:
* openvpn: properly save new tls-crypt configuation
* openvpn: properly save new tls-crypt configuration
A hotfix release was issued as 21.7.3_3:
@ -466,7 +466,7 @@ Here are the full patch notes:
* plugins: os-acme-client 3.0 `[1] <https://github.com/opnsense/plugins/blob/stable/21.7/security/acme-client/pkg-descr>`__
* plugins: os-haproxy 3.5 `[2] <https://github.com/opnsense/plugins/blob/stable/21.7/net/haproxy/pkg-descr>`__
* src: runtime RSS code preparations and assorted related upstream patches
* src: axgbe: remove unneccesary packet length check
* src: axgbe: remove unnecessary packet length check
* src: iflib: fix partial length accounting error in netmap mode
* src: lib: add libnetmap and related patches
* src: dhclient: skip_to_semi() consumes semicolon already

View file

@ -49,7 +49,7 @@ it from the development version or reinstall from the provided images.
A hotfix will be issued on the 28th to enable the upgrade path, but depending
on testing and mirror availability this might be up to 24 hours after the
intial image release of 22.7.
initial image release of 22.7.
Here are the full patch notes:
@ -156,7 +156,7 @@ A hotfix release was issued as 22.1.9_1:
Small reliability update which also includes a rework for firewall alias
handling and preformance.
handling and performance.
Later today we will also publish a call for testing for the upcoming 22.7
operating system base using FreeBSD 13.1. It is going to be compatible
@ -292,7 +292,7 @@ Here are the full patch notes:
Due to popular demand the user experience for the revamped VLAN handling
was improved in several areas. Also incuded are a larger Unbound MVC
was improved in several areas. Also included are a larger Unbound MVC
rework and DNS system route apply changes from one single spot. Last but
not least the zlib vulnerability was fixed in FreeBSD amongst others.
@ -1020,7 +1020,7 @@ Known issues and limitations:
* MAC spoofing now only pertains to the configured interface and not the VLAN siblings or parent interface. This can introduces unwanted configuration due to previous side effects in the code. Make sure to assign and set the spoofed MAC for all interfaces that require a spoofed MAC.
* Media settings are no longer shown for non-parent interfaces and need to be set individually to take effect. This can introduce unwanted configuration due to previous side effects in the code. If the parent interface was not previously assigned please assign it to reapply the required media settings.
* Router advertisement static mode option is still subject to change in this release candidate series.
* IPsec hash and cipher removals in FreeBSD 13 can affect existing setups as insecure cryptographic options have been removed upstream. For more information see the FreeBSD commit in question `[21] <https://github.com/opnsense/src/commit/16aabb761c0a>`__ . We will be adding an explict configuration check to 21.7 before its end of life.
* IPsec hash and cipher removals in FreeBSD 13 can affect existing setups as insecure cryptographic options have been removed upstream. For more information see the FreeBSD commit in question `[21] <https://github.com/opnsense/src/commit/16aabb761c0a>`__ . We will be adding an explicit configuration check to 21.7 before its end of life.
* Circular logging support has been removed. No user interaction is required.
* The migration notes are subject to change and will be extended as needed in the upcoming weeks.
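
Review bot: the MAC spoofing item at the top of this hunk still reads "This can introduces unwanted configuration", while the media settings item right below it has the correct "This can introduce". Fix the verb there together with the "explict" correction so the two notes match.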

View file

@ -90,7 +90,7 @@ Here are the full patch notes:
* system: show and search ACL endpoints in privilege selector
* system: replace a number of log_error() calls with log_msg() equivalent
* system: improve SSH lockout behaviour
* firewall: sates page performance improvements and better address parsing in search
* firewall: states page performance improvements and better address parsing in search
* firewall: reuse "hostid" on filter reload events
* ipsec: allow to search all phase 2 entries via API call
* openvpn: remove unused "pool_enable" attribute
@ -528,7 +528,7 @@ Here are the full patch notes:
A hotfix release was issued as 22.7.3_2:
* system: work around phpseclib 3 flagging RSA-PSS as an invalid key alogrithm
* system: work around phpseclib 3 flagging RSA-PSS as an invalid key algorithm
* system: check for existing X509 class before doing CRL update

View file

@ -637,7 +637,7 @@ Here are the full patch notes:
* plugins: os-qemu-guest-agent 1.2 `[3] <https://github.com/opnsense/plugins/blob/stable/23.1/emulators/qemu-guest-agent/pkg-descr>`__
* plugins: os-tayga fixes MVC interface registration
* plugins: os-wireguard fixes MVC interface registration
* src: geli: split the initalization of HMAC `[4] <https://www.freebsd.org/security/advisories/FreeBSD-SA-23:01.geli.asc>`__
* src: geli: split the initialization of HMAC `[4] <https://www.freebsd.org/security/advisories/FreeBSD-SA-23:01.geli.asc>`__
* src: fix ena driver crash after reset in 7th gen AWS instance types `[5] <https://www.freebsd.org/security/advisories/FreeBSD-EN-23:03.ena.asc>`__
* src: fix sdhci broken write-protect settings `[6] <https://www.freebsd.org/security/advisories/FreeBSD-EN-23:02.sdhci.asc>`__
* src: import tzdata 2022g `[7] <https://www.freebsd.org/security/advisories/FreeBSD-EN-23:01.tzdata.asc>`__

View file

@ -83,7 +83,7 @@ A hotfix release was issued as 23.7.12_5:
The final test phase for 24.1 is starting just as 23.7 strechtes towards
its inevitable end of life. At the moment it is unlcear if this release
its inevitable end of life. At the moment it is unclear if this release
will be the last one or not so we shall refrain from stating something that
may not be true in the coming weeks. ;)
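
Review bot: the first line of this hunk still contains "strechtes" in "just as 23.7 strechtes towards", directly above the "unlcear" fix. Change it to "stretches" in the same pass.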

View file

@ -197,7 +197,7 @@ current implementation and what the software can still offer beyond that.
Thank you for all the good feedback on this front!
The FreeBSD kernel was updated with a number of upstream stable commits
while we get closer to evaulating the jump to a newer FreeBSD release for
while we get closer to evaluating the jump to a newer FreeBSD release for
25.7.
Lastly, we are preparing for a historic moment: offering privilege separation
@ -509,7 +509,7 @@ Here are the full patch notes:
* src: pf: improve pf_state_key_attach() error handling
* src: pf: only force state failure logging if logging was requested
* src: pfkey2: use correct value for a key length
* src: routing: do not allow PINNED routes to be overriden
* src: routing: do not allow PINNED routes to be overridden
* src: sctp: fix double unlock in case adding a remote address fails
* src: tcp: clear sendfile logging struct
* src: udp: do not recursively enter net epoch
@ -1117,7 +1117,7 @@ will follow in early January.
Highlights over version 24.7 include:
* system: restructure PPP to accomodate IPv6-only deployments
* system: restructure PPP to accommodate IPv6-only deployments
* system: implement persistent notifications banner
* system: dashboard widget for certificate expiry and renew
* system: high availablilty status MVC/API conversion
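
Review bot: the last context line of this hunk, "system: high availablilty status MVC/API conversion", is still misspelled while "accomodate" three lines up is corrected. Change it to "availability" here as well.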

View file

@ -28,6 +28,119 @@ can be found below as well.
* Full mirror list: https://opnsense.org/download/
--------------------------------------------------------------------------
25.7.11 (January 15, 2026)
--------------------------------------------------------------------------
25.7.11 comes at a strange point in time but we will try to offer a bit of
familiarity and common sense as we probably all need more of this. <3
This release brings the new host discovery service which resolves and remembers
MAC addresses for IPv4 and IPv6 hosts in your connected networks and provides
this data for the firewall MAC aliases and captive portal clients. It is now
enabled by default, but you can choose to opt out by disabling the automatic
discovery option.
Note to people who were already on 25.7.11 and 27.7.11_1: a modified hostwatch
version was published disabling two excessive log messages. Applying the
hotfix 25.7.11_2 will not restart hostwatch. Please do so under Interfaces:
Neighbors: Automatic Discovery by either using "apply" or the restart button
in the service widget. Other reported issues will be addressed shortly.
A lot of work went into IPv6 improvements over the holidays as is tradition
with the help of users debugging their networks during that time. A number
of kernel fixes have been supplied and dhcp6c will also receive a larger update
in 26.1 soon.
The changes are otherwise clustered around preparation for the major upgrade
which brings an number of fundamental changes with the ongoing removal of
ISC-DHCP from core. A plugin is already available through the development
version and should auto-install. If not make sure you install it before
attempting a reboot there. For the stable version everything is as it was.
That being said, 26.1-RC1 will be out early next week and RC2 likely follows
quickly. We are still set for a final release date of January 28. See you on
the other side!
Here are the full patch notes:
* system: add tooltip explaining active status in snapshots
* system: add "lazy loading" model support on Trust\Cert
* system: properly fill DNS SAN from existing certificates (contributed by Klaas Demter)
* system: rename sudoers file to make it more sortable (contributed by David Jack Wange Olrik)
* system: numerous safe execution changes
* system: sort to retain order in syslog-ng source definitions
* interfaces: fix comparison in PPP check code during assignment
* interfaces: prefer longer lifetimes if multiple exist
* interfaces: defer manual rtsold script execution
* interfaces: use mwexecfb() in two instances
* interfaces: move configure_interface_hardware() to main file
* interfaces: migrate "sharednet" setting to its respective sysctls
* interfaces: add and enable new host discovery feature for neighbours via hostwatch
* firewall: automation: only show ICMP type when protocol is ICMP
* firewall: automation: add multi-select ICMP6 options
* firewall: use new host discovery in MAC type aliases
* firewall: simplify port alias check
* captive portal: assign empty array when "interface list arp json" returns invalid JSON
* captive portal: use new host discovery service by default
* dhcrelay: reload table to update relay status
* intrusion detection: datakey hint was missing for rules edit
* intrusion detection: replace "all" alert selection with explicit maximum choices
* ipsec: most safe execution transformations done
* isc-dhcp: interalize interfaces_staticarp_configure()
* isc-dhcp: safeguard access to DHCPv6 "enable" property
* kea: refactor daemon(8) call to mwexecfb()
* network time: fix GPS coordinate display in status page (contributed by brotherla)
* openvpn: add simple search functionality for accounts table in client export
* openvpn: skip dynamic content when loading the model in client export
* openvpn: convert two more exec() calls
* openvpn: fix archive client export
* unbound: remove delete selected button for single select overrides grid
* unbound: add per-policy quick actions in reporting overview
* unbound: add overrides reference counter for aliases
* unbound: info section was larger than table width
* backend: exec() removal in get_sysctl()/set_sysctl()
* backend: exec() removal in auth scripts
* mvc: reduce some call overheaad in BaseField/IntegerField
* mvc: introduce defaultConfig property for AppConfig
* mvc: uppercase all form labels
* mvc: use asInt() in GidField and UidField
* mvc: BaseField: add isSet()
* tests: revamped config and base model tests
* ui: bootgrid: allow conditional command rendering through a filter function
* plugins: os-frr 1.50 `[1] <https://github.com/opnsense/plugins/blob/stable/25.7/net/frr/pkg-descr>`__
* plugins: os-ndp-proxy-go 1.3 `[2] <https://github.com/opnsense/plugins/blob/stable/25.7/net/ndp-proxy-go/pkg-descr>`__
* plugins: os-telegraf 1.12.14 `[3] <https://github.com/opnsense/plugins/blob/stable/25.7/net-mgmt/telegraf/pkg-descr>`__
* src: in6: modify address prefix lifetimes when updating address lifetimes
* src: ipv6: fix off-by-one in pltime and vltime expiration checks
* src: ipv6: do not complain when deleting an address with prefix length of 128
* src: ifconfig: fix the -L flag when using netlink
* src: netlink: do not directly access ifnet members
* src: netlink: do not overwrite existing data in a linear buffer in snl_writer
* src: netmap: Let memory allocator parameters be settable via loader.conf
* src: pfsync: avoid zeroing the state export union
* src: divert: fix removal of divert sockets from a group
* src: divert: use a jenkins hash to select the target socket
* src: divert: define semantics for SO_REUSEPORT_LB on divert sockets
* src: divert: use CK_SLISTs for the divcb hash table
* src: pf: rationalize the ip_divert_ptr test
* src: pf: fix handling of IPv6 divert packets
* src: rtsold: check RA lifetime before triggering the one-shot always script
* ports: hostwatch 1.0.4
* ports: suricata 8.0.3 `[4] <https://suricata.io/2026/01/13/suricata-8-0-3-and-7-0-14-released/>`__
A hotfix release was issued as 25.7.11_1:
* system: fix vsprintf() error on stray % invoke
A hotfix release was issued as 25.7.11_2:
* system: fix edge case in tunable reset with one single tunable in the default config
* ports: hostwatch 1.0.5 disables two excessive log messages
--------------------------------------------------------------------------
25.7.10 (December 18, 2025)
--------------------------------------------------------------------------
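
Review bot: the added note to existing users names "25.7.11 and 27.7.11_1", but the hotfixes listed at the end of this same section are 25.7.11_1 and 25.7.11_2, so "27.7.11_1" looks like a typo for 25.7.11_1 and will confuse anyone checking whether the hostwatch restart applies to them. The new section also introduces fresh misspellings in a commit that otherwise removes them: "brings an number of fundamental changes", "isc-dhcp: interalize interfaces_staticarp_configure()" and "mvc: reduce some call overheaad in BaseField/IntegerField". Fix these before merging.
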
@ -129,7 +242,7 @@ Here are the full patch notes:
* system: safe execution tweaks in rc.routing_configure
* system: fix log keyword search regression introduced in 25.7.7
* reporting: unbound: fix quick allow/blocklist actions by applying them to all blocklists
* firewall: run filterlog directly after rules apply and remove promiscous mode
* firewall: run filterlog directly after rules apply and remove promiscuous mode
* firewall: allow setting a custom authentication HTTP header for alias URL fetch (contributed by nox-404)
* firewall: for better IPv6 PMTU let "timex" and "paramprob" ICMP types through
* firewall: do not allow nesting in GeoIP aliases
@ -153,7 +266,7 @@ Here are the full patch notes:
* backend: use mwexecf(m) where possible
* backend: extend mwexecfb() with PID and log file support
* mvc: fix default sort order being ignored in fetchBindRequest()
* shell: rewite timeout() using safe execution functions
* shell: rewrite timeout() using safe execution functions
* ui: refresh notification status after default apply button is done
* ui: remove obsolete jQuery bootgrid files
* plugins: os-acme-client 4.11 `[1] <https://github.com/opnsense/plugins/blob/stable/25.7/security/acme-client/pkg-descr>`__