changelogs

source/CE_releases.rst

@@ -8,7 +8,7 @@ Community Edition
     :width: 600px
     :align: center
 
-As of January 2015 there have been *338* releases leading to the latest version *26.1.5*
+As of January 2015 there have been *339* releases leading to the latest version *26.1.6*
 named "Witty Woodpecker".
 
 

source/releases/BE_25.10.rst

@@ -174,6 +174,20 @@ A hotfix release was issued as 25.10.2_4:
 
 * unbound: fix blocklist add in reporting page following POST-only fix
 
+A hotfix release was issued as 25.10.2_8:
+
+* interfaces: fix static neighbor apply button (contributed by Konstantinos Spartalis)
+* firewall: one-to-one NAT rendered rule missed "log" statement
+* ipsec: fix delete selected for SPD and SAD
+* mvc: ConfigMaintenance: when constructing class names use a safer way to strip .php extension
+* src: remote code execution via RPCSEC_GSS packet validation `[24] <https://www.freebsd.org/security/advisories/FreeBSD-SA-26:08.rpcsec_gss.asc>`__ 
+* src: tcp: remotely exploitable DoS vector `[25] <https://www.freebsd.org/security/advisories/FreeBSD-SA-26:06.tcp.asc>`__ 
+
+A hotfix release was issued as 25.10.2_10:
+
+* system: escape LDAP username during search `[26] <https://www.cve.org/cverecord?id=CVE-2026-34578>`__  (reported by Matt Andreko)
+* unbound: limit duckdb to a single thread in write mode to reduce logger memory usage
+
 
 
 --------------------------------------------------------------------------
@@ -531,7 +545,7 @@ Here are the full patch notes against version 25.4.3:
 * kea-dhcp: honour IPv4 client specific reservation domain name option (contributed by NOYB)
 * kea-dhcp: expose lease expiration settings to the GUI (contributed by Konstantinos Spartalis)
 * kea-dhcp: support DHCP option 121 (classless static routes)
-* lang: add Greek as a new language (contributed by sopex)
+* lang: add Greek as a new language (contributed by Konstantinos Spartalis)
 * lang: make more strings translate-able (contributed by Tobias Degen)
 * lang: updates for Chinese, Czech, German and Greek
 * lang: new Ukrainian language and assorted updates
@@ -541,7 +555,7 @@ Here are the full patch notes against version 25.4.3:
 * radvd: refine checks that ignored 6rd and 6to4
 * wireguard: move backend scripts to proper location
 * unbound: fix error in edge case of initial model migration
-* unbound: configurable top domain list length in reporting view (contributed by sopex)
+* unbound: configurable top domain list length in reporting view (contributed by Konstantinos Spartalis)
 * unbound: remove unknown model reference and protect/simplify remaining one
 * unbound: add support for TXT records in host overrides
 * backend: trigger boot template reload without using configd
@@ -585,12 +599,12 @@ Here are the full patch notes against version 25.4.3:
 * ui: use snake_case for all API URLs and adjust ACLs accordingly
 * ui: move tooltip load event to single-fire mode
 * ui: add checkmark to SimpleActionButton as additional indicator
-* ui: improve menu icons/text spacing (contributed by sopex)
+* ui: improve menu icons/text spacing (contributed by Konstantinos Spartalis)
 * ui: bootgrid: clean up leftover compatibility bits
 * ui: bootgrid: add missing sortable option
 * ui: bootgrid: provide more styling possibilities from formatters
-* ui: fix language selection for low vertical resolution screens (contributed by sopex)
-* ui: hide header of the picture widget on the dashboard (contributed by sopex)
+* ui: fix language selection for low vertical resolution screens (contributed by Konstantinos Spartalis)
+* ui: hide header of the picture widget on the dashboard (contributed by Konstantinos Spartalis)
 * ui: bootgrid: add tabulatorOptions to translateCompatOptions()
 * ui: bootgrid: raise rowCount default to 50 and adjust selections accordingly for most pages
 * ui: bootgrid: simplify custom grid command additions

source/releases/CE_25.7.rst

@@ -785,7 +785,7 @@ Here are the full patch notes:
 * ipsec: deprecate legacy stroke and implement swanctl for overview
 * isc-dhcp: allow static mapping export for disabled entries
 * openvpn: add nopool directive
-* unbound: configurable top domain list length in reporting view (contributed by sopex)
+* unbound: configurable top domain list length in reporting view (contributed by Konstantinos Spartalis)
 * unbound: remove unknown model reference and protect/simplify remaining one
 * wireguard: move backend scripts to proper location
 * backend: added IPv6 bracket helper for templates (contributed by BPplays)
@@ -795,8 +795,8 @@ Here are the full patch notes:
 * mvc: modify existing and add missing descriptions in models
 * mvc: set default validation message for CertificateField
 * rc: make changes to php,var,tmp bootstrap
-* ui: fix language selection for low vertical resolution screens (contributed by sopex)
-* ui: hide header of the picture widget on the dashboard (contributed by sopex)
+* ui: fix language selection for low vertical resolution screens (contributed by Konstantinos Spartalis)
+* ui: hide header of the picture widget on the dashboard (contributed by Konstantinos Spartalis)
 * plugins: os-clamav 1.8.1 `[1] <https://github.com/opnsense/plugins/blob/stable/25.7/security/clamav/pkg-descr>`__ 
 * plugins: os-crowdsec 1.0.12 `[2] <https://github.com/opnsense/plugins/blob/stable/25.7/security/crowdsec/pkg-descr>`__ 
 * plugins: os-frr 1.46 `[3] <https://github.com/opnsense/plugins/blob/stable/25.7/net/frr/pkg-descr>`__ 
@@ -938,7 +938,7 @@ Here are the full patch notes:
 * isc-dhcp: hide IPv4 menu items when Dnsmasq DHCP is enabled to improve out of the box experience
 * isc-dhcp: add static mapping CSV export
 * kea-dhcp: add DNS field to Kea DHCP4 reservations (contributed by Gtt1229)
-* lang: add Greek as a new language (contributed by sopex)
+* lang: add Greek as a new language (contributed by Konstantinos Spartalis)
 * lang: make more strings translate-able (contributed by Tobias Degen)
 * openvpn: the server wizard functionality has been permanently removed as it required the old wizard implementation
 * openvpn: "keepalive_timeout" must be at least twice the interval value validation
@@ -959,7 +959,7 @@ Here are the full patch notes:
 * ui: add standard HTML color input support
 * ui: move tooltip load event to single-fire mode
 * ui: add checkmark to SimpleActionButton as additional indicator
-* ui: improve menu icons/text spacing (contributed by sopex)
+* ui: improve menu icons/text spacing (contributed by Konstantinos Spartalis)
 * plugins: replace variables in package scripts by default
 * plugins: os-acme-client 4.10 `[2] <https://github.com/opnsense/plugins/blob/stable/25.7/security/acme-client/pkg-descr>`__ 
 * plugins: os-bind 1.34 `[3] <https://github.com/opnsense/plugins/blob/stable/25.7/dns/bind/pkg-descr>`__ 

source/releases/CE_26.1.rst

@@ -34,6 +34,72 @@ can be found below as well.
 * Full mirror list: https://opnsense.org/download/
 
 
+--------------------------------------------------------------------------
+26.1.6 (April 09, 2026)
+--------------------------------------------------------------------------
+
+
+Yes, we are obviously still alive!  This update addresses a number of security
+issues -- first and foremost an injection into LDAP authentication that can
+bypass group restrictions during login.  Also included are Curl and OpenSSL
+third party updates as well as FreeBSD security advisories.
+
+Further UX tweaks reached the new firewall rules GUI, the MVC grid system and
+surprising movement in the Kea corner.  But maybe most importantly: the captive
+portal finally gained native IPv6 support.  Let us know what you think about
+it!
+
+Here are the full patch notes:
+
+* system: escape LDAP username during search `[1] <https://www.cve.org/cverecord?id=CVE-2026-34578>`__  (reported by Matt Andreko)
+* system: dashboard gauge improvements (contributed by Konstantinos Spartalis)
+* system: compress height of the log viewer grid
+* firewall: fix wrong "pass" on DNAT rule when using register rule
+* interfaces: configurable cleanups for automatic neighbor discovery via hostwatch
+* interfaces: refactor PPP CARP hook
+* firewall: adjust sort order in networks and aliases in new rules GUI
+* firewall: change sorting to interface/group name and stop caring about counted rules in new rules GUI
+* firewall: change category sorting using names instead of counted rules in new rules GUI
+* firewall: remove tokenizer from categories and use selectpicker instead in new rules GUI
+* dnsmasq: prevent "\*" from being collected as "client_id"
+* firmware: repeat the update after pkg reinstall
+* kea: add DDNS subnet-specific qualifying suffix and prevent updates if no server is set
+* kea: add sockets max-retries and retry-wait-time options
+* kea: add delete lease command and use socket for up-to-date lease collection
+* kea: move pool-in-subnet validation logic mostly to KeaPoolsField
+* kea: remove KeaCtrlAgent dependency on HA configuration
+* kea: use SetConstraint for match_data to allow 0 as valid value
+* ipsec: add 4 insecure proposals for compatibility (contributed by Bjoern Jakobsen)
+* captive portal: add IPv6 support (partially contributed by Alex Goodkind)
+* radvd: when adding a manual instance for an automatic "track6" interface do not ignore its settings
+* unbound: limit duckdb to a single thread in write mode to reduce logger memory usage
+* unbound: add harden below NXDOMAIN option (contributed by Konstantinos Spartalis)
+* unbound: consolidate override aliases into tree view
+* mvc: BaseListField: replace empty() check with isSet() for proper selection of value "0"
+* mvc: HostnameField: show string that failed validation by default
+* mvc: BaseField: add setValues() for generic use
+* mvc: add SetConstraint for problematic "0" value constraining
+* mvc: ApiMutableModelControllerBase: remove unused error returning in setActionHook()
+* ui: set visibility hidden for base_bootgrid_table
+* ui: upgrade Tabulator to version 6.4.0
+* ui: automatic grid height calculation
+* ui: bootgrid: maintain scrolling position for both datatree and command actions
+* plugins: os-acme-client 4.15 `[2] <https://github.com/opnsense/plugins/blob/stable/26.1/security/acme-client/pkg-descr>`__ 
+* plugins: os-turnserver 1.2 `[3] <https://github.com/opnsense/plugins/blob/stable/26.1/net/turnserver/pkg-descr>`__ 
+* src: remote code execution via RPCSEC_GSS packet validation `[4] <https://www.freebsd.org/security/advisories/FreeBSD-SA-26:08.rpcsec_gss.asc>`__ 
+* src: tcp: remotely exploitable DoS vector `[5] <https://www.freebsd.org/security/advisories/FreeBSD-SA-26:06.tcp.asc>`__ 
+* src: pf: silently ignores certain rules `[6] <https://www.freebsd.org/security/advisories/FreeBSD-SA-26:09.pf.asc>`__ 
+* src: vnet: ensure the space allocated by vnet_data_alloc() is sufficent aligned
+* src: ifnet: Fix decreasing the vnet interface count
+* src: e1000: Increase FC pause/refresh time on PCH2 and newer
+* src: net80211: fix VHT160/80P80/80 chanwidth selection in the "40-" case
+* ports: curl 8.19.0 `[4] <https://www.freebsd.org/security/advisories/FreeBSD-SA-26:08.rpcsec_gss.asc>`__ 
+* ports: hostwatch 1.0.13
+* ports: openssl 3.0.20 `[5] <https://www.freebsd.org/security/advisories/FreeBSD-SA-26:06.tcp.asc>`__ 
+* ports: perl 5.42.2 `[6] <https://www.freebsd.org/security/advisories/FreeBSD-SA-26:09.pf.asc>`__ 
+
+
+
 --------------------------------------------------------------------------
 26.1.5 (March 24, 2026)
 --------------------------------------------------------------------------