diff --git a/source/CE_releases.rst b/source/CE_releases.rst index 7f3dd685..4fcf3fe1 100644 --- a/source/CE_releases.rst +++ b/source/CE_releases.rst @@ -8,7 +8,7 @@ Community Edition :width: 600px :align: center -As of January 2015 there have been *338* releases leading to the latest version *26.1.5* +As of January 2015 there have been *339* releases leading to the latest version *26.1.6* named "Witty Woodpecker". diff --git a/source/releases/BE_25.10.rst b/source/releases/BE_25.10.rst index 4698eec7..80052acb 100644 --- a/source/releases/BE_25.10.rst +++ b/source/releases/BE_25.10.rst @@ -174,6 +174,20 @@ A hotfix release was issued as 25.10.2_4: * unbound: fix blocklist add in reporting page following POST-only fix +A hotfix release was issued as 25.10.2_8: + +* interfaces: fix static neighbor apply button (contributed by Konstantinos Spartalis) +* firewall: one-to-one NAT rendered rule missed "log" statement +* ipsec: fix delete selected for SPD and SAD +* mvc: ConfigMaintenance: when constructing class names use a safer way to strip .php extension +* src: remote code execution via RPCSEC_GSS packet validation `[24] `__ +* src: tcp: remotely exploitable DoS vector `[25] `__ + +A hotfix release was issued as 25.10.2_10: + +* system: escape LDAP username during search `[26] `__ (reported by Matt Andreko) +* unbound: limit duckdb to a single thread in write mode to reduce logger memory usage + -------------------------------------------------------------------------- 
@@ -531,7 +545,7 @@ Here are the full patch notes against version 25.4.3: * kea-dhcp: honour IPv4 client specific reservation domain name option (contributed by NOYB) * kea-dhcp: expose lease expiration settings to the GUI (contributed by Konstantinos Spartalis) * kea-dhcp: support DHCP option 121 (classless static routes) -* lang: add Greek as a new language (contributed by sopex) +* lang: add Greek as a new language (contributed by Konstantinos Spartalis) * lang: make more strings translate-able (contributed by Tobias Degen) * lang: updates for Chinese, Czech, German and Greek * lang: new Ukrainian language and assorted updates @@ -541,7 +555,7 @@ Here are the full patch notes against version 25.4.3: * radvd: refine checks that ignored 6rd and 6to4 * wireguard: move backend scripts to proper location * unbound: fix error in edge case of initial model migration -* unbound: configurable top domain list length in reporting view (contributed by sopex) +* unbound: configurable top domain list length in reporting view (contributed by Konstantinos Spartalis) * unbound: remove unknown model reference and protect/simplify remaining one * unbound: add support for TXT records in host overrides * backend: trigger boot template reload without using configd 
@@ -585,12 +599,12 @@ Here are the full patch notes against version 25.4.3: * ui: use snake_case for all API URLs and adjust ACLs accordingly * ui: move tooltip load event to single-fire mode * ui: add checkmark to SimpleActionButton as additional indicator -* ui: improve menu icons/text spacing (contributed by sopex) +* ui: improve menu icons/text spacing (contributed by Konstantinos Spartalis) * ui: bootgrid: clean up leftover compatibility bits * ui: bootgrid: add missing sortable option * ui: bootgrid: provide more styling possibilities from formatters -* ui: fix language selection for low vertical resolution screens (contributed by sopex) -* ui: hide header of the picture widget on the dashboard (contributed by sopex) +* ui: fix language selection for low vertical resolution screens (contributed by Konstantinos Spartalis) +* ui: hide header of the picture widget on the dashboard (contributed by Konstantinos Spartalis) * ui: bootgrid: add tabulatorOptions to translateCompatOptions() * ui: bootgrid: raise rowCount default to 50 and adjust selections accordingly for most pages * ui: bootgrid: simplify custom grid command additions diff --git a/source/releases/CE_25.7.rst b/source/releases/CE_25.7.rst index c1c642d7..dda2a694 100644 --- a/source/releases/CE_25.7.rst +++ b/source/releases/CE_25.7.rst @@ -785,7 +785,7 @@ Here are the full patch notes: * ipsec: deprecate legacy stroke and implement swanctl for overview * isc-dhcp: allow static mapping export for disabled entries * openvpn: add nopool directive -* unbound: configurable top domain list length in reporting view (contributed by sopex) +* unbound: configurable top domain list length in reporting view (contributed by Konstantinos Spartalis) * unbound: remove unknown model reference and protect/simplify remaining one * wireguard: move backend scripts to proper location * backend: added IPv6 bracket helper for templates (contributed by BPplays) 
@@ -795,8 +795,8 @@ Here are the full patch notes: * mvc: modify existing and add missing descriptions in models * mvc: set default validation message for CertificateField * rc: make changes to php,var,tmp bootstrap -* ui: fix language selection for low vertical resolution screens (contributed by sopex) -* ui: hide header of the picture widget on the dashboard (contributed by sopex) +* ui: fix language selection for low vertical resolution screens (contributed by Konstantinos Spartalis) +* ui: hide header of the picture widget on the dashboard (contributed by Konstantinos Spartalis) * plugins: os-clamav 1.8.1 `[1] `__ * plugins: os-crowdsec 1.0.12 `[2] `__ * plugins: os-frr 1.46 `[3] `__ @@ -938,7 +938,7 @@ Here are the full patch notes: * isc-dhcp: hide IPv4 menu items when Dnsmasq DHCP is enabled to improve out of the box experience * isc-dhcp: add static mapping CSV export * kea-dhcp: add DNS field to Kea DHCP4 reservations (contributed by Gtt1229) -* lang: add Greek as a new language (contributed by sopex) +* lang: add Greek as a new language (contributed by Konstantinos Spartalis) * lang: make more strings translate-able (contributed by Tobias Degen) * openvpn: the server wizard functionality has been permanently removed as it required the old wizard implementation * openvpn: "keepalive_timeout" must be at least twice the interval value validation @@ -959,7 +959,7 @@ Here are the full patch notes: * ui: add standard HTML color input support * ui: move tooltip load event to single-fire mode * ui: add checkmark to SimpleActionButton as additional indicator -* ui: improve menu icons/text spacing (contributed by sopex) +* ui: improve menu icons/text spacing (contributed by Konstantinos Spartalis) * plugins: replace variables in package scripts by default * plugins: os-acme-client 4.10 `[2] `__ * plugins: os-bind 1.34 `[3] `__ diff --git a/source/releases/CE_26.1.rst b/source/releases/CE_26.1.rst index 0e5565b2..4f1567c3 100644 --- a/source/releases/CE_26.1.rst 
+++ b/source/releases/CE_26.1.rst 
@@ -34,6 +34,72 @@ can be found below as well. * Full mirror list: https://opnsense.org/download/ +-------------------------------------------------------------------------- +26.1.6 (April 09, 2026) +-------------------------------------------------------------------------- + + +Yes, we are obviously still alive! This update addresses a number of security +issues -- first and foremost an injection into LDAP authentication that can +bypass group restrictions during login. Also included are Curl and OpenSSL +third party updates as well as FreeBSD security advisories. + +Further UX tweaks reached the new firewall rules GUI, the MVC grid system and +surprising movement in the Kea corner. But maybe most importantly: the captive +portal finally gained native IPv6 support. Let us know what you think about +it! + +Here are the full patch notes: + +* system: escape LDAP username during search `[1] `__ (reported by Matt Andreko) +* system: dashboard gauge improvements (contributed by Konstantinos Spartalis) +* system: compress height of the log viewer grid +* firewall: fix wrong "pass" on DNAT rule when using register rule +* interfaces: configurable cleanups for automatic neighbor discovery via hostwatch +* interfaces: refactor PPP CARP hook +* firewall: adjust sort order in networks and aliases in new rules GUI +* firewall: change sorting to interface/group name and stop caring about counted rules in new rules GUI +* firewall: change category sorting using names instead of counted rules in new rules GUI +* firewall: remove tokenizer from categories and use selectpicker instead in new rules GUI +* dnsmasq: prevent "\*" from being collected as "client_id" +* firmware: repeat the update after pkg reinstall +* kea: add DDNS subnet-specific qualifying suffix and prevent updates if no server is set +* kea: add sockets max-retries and retry-wait-time options +* kea: add delete lease command and use socket for up-to-date lease collection +* kea: move pool-in-subnet validation 
logic mostly to KeaPoolsField +* kea: remove KeaCtrlAgent dependency on HA configuration +* kea: use SetConstraint for match_data to allow 0 as valid value +* ipsec: add 4 insecure proposals for compatibility (contributed by Bjoern Jakobsen) +* captive portal: add IPv6 support (partially contributed by Alex Goodkind) +* radvd: when adding a manual instance for an automatic "track6" interface do not ignore its settings +* unbound: limit duckdb to a single thread in write mode to reduce logger memory usage +* unbound: add harden below NXDOMAIN option (contributed by Konstantinos Spartalis) +* unbound: consolidate override aliases into tree view +* mvc: BaseListField: replace empty() check with isSet() for proper selection of value "0" +* mvc: HostnameField: show string that failed validation by default +* mvc: BaseField: add setValues() for generic use +* mvc: add SetConstraint for problematic "0" value constraining +* mvc: ApiMutableModelControllerBase: remove unused error returning in setActionHook() +* ui: set visibility hidden for base_bootgrid_table +* ui: upgrade Tabulator to version 6.4.0 +* ui: automatic grid height calculation +* ui: bootgrid: maintain scrolling position for both datatree and command actions +* plugins: os-acme-client 4.15 `[2] `__ +* plugins: os-turnserver 1.2 `[3] `__ +* src: remote code execution via RPCSEC_GSS packet validation `[4] `__ +* src: tcp: remotely exploitable DoS vector `[5] `__ +* src: pf: silently ignores certain rules `[6] `__ +* src: vnet: ensure the space allocated by vnet_data_alloc() is sufficent aligned +* src: ifnet: Fix decreasing the vnet interface count +* src: e1000: Increase FC pause/refresh time on PCH2 and newer +* src: net80211: fix VHT160/80P80/80 chanwidth selection in the "40-" case +* ports: curl 8.19.0 `[4] `__ +* ports: hostwatch 1.0.13 +* ports: openssl 3.0.20 `[5] `__ +* ports: perl 5.42.2 `[6] `__ + + + -------------------------------------------------------------------------- 26.1.5 (March 24, 2026) 
--------------------------------------------------------------------------
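
Review bot: In source/CE_releases.rst the updated sentence still opens with "As of January 2015" while counting *339* releases up to *26.1.6*, which CE_26.1.rst in this same patch dates April 09, 2026. If the date marks the start of the count, "Since January 2015" reads unambiguously. If it is meant as the date of the snapshot, it needs updating together with the two counters.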
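
Review bot: In the BE_25.10.rst hotfix hunk (@@ -174), the 25.10.2_10 entry "system: escape LDAP username during search" reads like a routine fix, while the 26.1.6 notes added by this same patch describe it as an injection into LDAP authentication that can bypass group restrictions during login. The 25.10.2_8 list has the same gap for the RPCSEC_GSS remote code execution and TCP DoS entries. Suggest a one-line lead-in on both hotfix blocks stating that they carry security fixes, so business edition operators can prioritise them from this page alone.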
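
Review bot: The "contributed by sopex" to "contributed by Konstantinos Spartalis" replacements in BE_25.10.rst (hunks @@ -531, -541 and -585) and CE_25.7.rst (hunks @@ -785, -795, -938 and -959) rewrite already published notes and are unrelated to the 26.1.6 and hotfix additions. Suggest moving them to their own commit with a message that states the reason for the attribution change, so it can be found in history without reading a release commit.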
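
Review bot: In the new 26.1.6 list in CE_26.1.rst (@@ -34), the reference numbers `[4]`, `[5]` and `[6]` are used twice: once for the three "src:" advisories (RPCSEC_GSS, tcp, pf) and again for "ports: curl 8.19.0", "ports: openssl 3.0.20" and "ports: perl 5.42.2". The anonymous `__` links will still build, but readers see two different links under the same number. Suggest renumbering the ports entries to `[7]`, `[8]` and `[9]` and confirming each target. Separately, "sufficent aligned" in the vnet_data_alloc() entry should read "sufficiently aligned" unless the upstream commit subject is being quoted verbatim.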