checkout changelogs

2026-05-28 04:02:12 -04:00 · 2021-11-23 17:08:11 +01:00 · 2021-11-23 17:08:11 +01:00 · bfa466904d
commit bfa466904d
parent 15be11c750
13 changed files with 236 additions and 103 deletions
--- a/source/CE_releases.rst
+++ b/source/CE_releases.rst
@ -8,7 +8,7 @@ Community Edition
    :width: 600px
    :align: center

-As of January 2015 there have been *210* releases leading to the latest version *21.7.3*
+As of January 2015 there have been *212* releases leading to the latest version *21.7.5*
 named "Noble Nightingale".


--- a/source/releases/BE_20.1.rst
+++ b/source/releases/BE_20.1.rst
@ -41,11 +41,11 @@ from this day forward.

 Here are the full patch notes:

-* system: Windows-friendly Nextcloud configuration backup file timestamp (contributed by @Alphakilo)
+* system: Windows-friendly Nextcloud configuration backup file timestamp (contributed by Alphakilo)
 * firewall: validate if NAT destination contains a port
 * firewall: prevent config_read_array() from adding an empty lo0
-* network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by @mikahe)
-* network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by @mikahe)
+* network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by mikahe)
+* network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by mikahe)
 * mvc: LegacyLinkField not allowed to return null in __toString()
 * plugins: os-collectd 1.3 `[1] <https://github.com/opnsense/plugins/blob/stable/20.1/net-mgmt/collectd/pkg-descr>`__ 
 * plugins: os-dyndns 1.22 `[2] <https://github.com/opnsense/plugins/pull/1654>`__ 
--- a/source/releases/BE_20.7.rst
+++ b/source/releases/BE_20.7.rst
@ -540,7 +540,7 @@ Here are the full patch notes against 20.1.8_1:
 * system: add new "auth user changed" config event and hook it into LDAP updatePolicies()
 * system: adapt to 3wire serial console setting
 * system: figure out which sysctls are writeable before attempting to write them
-* system: Windows-friendly Nextcloud configuration backup file timestamp (contributed by @Alphakilo)
+* system: Windows-friendly Nextcloud configuration backup file timestamp (contributed by Alphakilo)
 * system: disable PCRE JIT in PHP config
 * system: clean up start / stop beep handler
 * interfaces: improved VLAN handling and defaults for more stable netmap use on 12.1
@ -559,14 +559,14 @@ Here are the full patch notes against 20.1.8_1:
 * firmware: added fingerprint for 20.7 series
 * firmware: hint at missing plugins and request to install or dismiss
 * intrusion detection: extend rule search with metadata and show results on rule info
-* intrusion detection: updated pattern options (contributed by @Xeroxxx)
+* intrusion detection: updated pattern options (contributed by Xeroxxx)
 * intrusion detection: synchronize suricata.yaml with default template
-* network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by @mikahe)
-* network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by @mikahe)
+* network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by mikahe)
+* network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by mikahe)
 * unbound: integrate functionality formerly known as "unbound-plus" plugin (contributed by Michael Muenz)
 * web proxy: support for custom error pages (sponsored by Incenter Technology)
 * web proxy: add connect_timeout (contributed by Michael Muenz)
-* web proxy: allow PURGE on cache (contributed by @sazb)
+* web proxy: allow PURGE on cache (contributed by sazb)
 * web proxy: add missing IPv6 listener
 * mvc: add "S" option for AllowDynamic in InterfaceField type
 * mvc: LegacyLinkField not allowed to return null in __toString()
--- a/source/releases/BE_21.4.rst
+++ b/source/releases/BE_21.4.rst
@ -201,7 +201,7 @@ Here are the full patch notes:
 * ports: filterlog 0.4 adds label support to output if applicable
 * ports: libxml2 fix for CVE-2021-3541
 * ports: nss 3.65 `[16] <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.65_release_notes>`__ 
-* ports: openssh-portable 8.6p1 `[17] <https://www.openssh.com/txt/release-8.6>`__ 
+* ports: openssh 8.6p1 `[17] <https://www.openssh.com/txt/release-8.6>`__ 
 * ports: php 7.3.28 `[18] <https://www.php.net/ChangeLog-7.php#7.3.28>`__ 
 * ports: py-yaml 5.4.1
 * ports: sqlite 3.35.5 `[19] <https://sqlite.org/releaselog/3_35_5.html>`__ 
--- a/source/releases/CE_15.1.rst
+++ b/source/releases/CE_15.1.rst
@ -298,15 +298,12 @@ out tomorrow including wary tweaks related to Logjam.

 Here is the full list of changes for 15.1.11:

-* core: removed unused package dependencies b42-fwcutter, bwi-firmware-kmod,
-  dmidecode, ifstated, pecl-ssh2
-* core: switched back from bind-tools to the latest full bind 9.10 package
-  due to various requests
+* core: removed unused package dependencies b42-fwcutter, bwi-firmware-kmod, dmidecode, ifstated, pecl-ssh2
+* core: switched back from bind-tools to the latest full bind 9.10 package due to various requests
 * src: fix panic in pf(4) in conjunction with ALTQ `[3] <https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200222>`__ 
 * src: updated to FreeBSD 10.0-RELEASE-p10 `[4] <https://www.freebsd.org/security/advisories/FreeBSD-EN-15:04.freebsd-update.asc>`__  `[5] <https://www.freebsd.org/security/advisories/FreeBSD-EN-15:05.ufs.asc>`__ 
 * src: reverted two more custom patches to align with FreeBSD
-* ports: updated to ca_root_nss 3.19, sqlite 3.8.10.1, php 5.6.9 `[6] <https://php.net/ChangeLog-5.php#5.6.9>`__ ,
-  openssh-portable 6.8p1_7 `[7] <http://www.openwall.com/lists/oss-security/2015/05/16/3>`__ 
+* ports: updated to ca_root_nss 3.19, sqlite 3.8.10.1, php 5.6.9 `[6] <https://php.net/ChangeLog-5.php#5.6.9>`__ , openssh 6.8p1_7 `[7] <http://www.openwall.com/lists/oss-security/2015/05/16/3>`__ 
 * opnsense-update: exclude /etc/tty from the upgrade
 * bsdinstaller: reworked the internals to align to modern port standards
 * captive portal: switched rules generation to new template engine
@ -315,9 +312,7 @@ Here is the full list of changes for 15.1.11:
 * dashboard: fix disabled widgets dialog
 * nat: fixed delete of multiple item
 * nat: fix display of disabled rules
-* queues: the legacy ALTQ traffic shaper is now found under
-  "Firewall: Queues" to make room for the upcoming traffic shaper
-  reimplementation based on IPFW/dummynet
+* queues: the legacy ALTQ traffic shaper is now found under "Firewall: Queues" to make room for the upcoming traffic shaper reimplementation based on IPFW/dummynet
 * core: fix faulty read of /var/log/dmesg.boot

 The live upgrades are up for both LibreSSL and OpenSSL.  Images will follow
@ -667,17 +662,14 @@ Here is the change log for 15.1.9:

 * tools: install media live images now use the more flexible tmpfs(5)
 * tools: cxgbe(4) is now compiled into the kernel
-* ports: strongswan 5.3.0 `[1] <https://www.strongswan.org/blog/2015/03/30/strongswan-5.3.0-released.html>`__ , openssh-portable 6.8p1 `[2] <http://www.openssh.com/txt/release-6.8>`__ , ntp 4.2.8p2 `[3] <http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities>`__ 
-* src: reverted inconsistent carp(4) and pfsync(4) patches to retain
-  standard FreeBSD behaviour
+* ports: strongswan 5.3.0 `[1] <https://www.strongswan.org/blog/2015/03/30/strongswan-5.3.0-released.html>`__ , openssh 6.8p1 `[2] <http://www.openssh.com/txt/release-6.8>`__ , ntp 4.2.8p2 `[3] <http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities>`__ 
+* src: reverted inconsistent carp(4) and pfsync(4) patches to retain standard FreeBSD behaviour
 * src: fix multiple vulnerabilities of ntp `[4] <https://www.freebsd.org/security/advisories/FreeBSD-SA-15:07.ntp.asc>`__ 
 * src: fix denial of service with IPv6 router advertisements `[5] <https://www.freebsd.org/security/advisories/FreeBSD-SA-15:09.ipv6.asc>`__ 
 * core: console upgrade now also triggers the unused package removal
-* core: fix regression that caused a faulty config.xml when applying limiter
-  settings
+* core: fix regression that caused a faulty config.xml when applying limiter settings
 * core: refactored the configd command structure for clarity
-* core: fix for SMTP notifications that broke due to PHP 5.6's new default
-  SSL behaviour
+* core: fix for SMTP notifications that broke due to PHP 5.6's new default SSL behaviour
 * core: thorough unused java script purge under the hood
 * upnp: fix redeclaration error on main page shortcut click
 * user manager: consolidated the labels of all privileges, especially OpenVPN
--- a/source/releases/CE_15.7.rst
+++ b/source/releases/CE_15.7.rst
@ -110,15 +110,12 @@ Here are the full patch notes:
 * src: OpenSSH client information leak `[7] <https://www.freebsd.org/security/advisories/FreeBSD-SA-16:07.openssh.asc>`__ 
 * src: Invalid TCP checksums with pf(4) `[8] <https://www.freebsd.org/security/advisories/FreeBSD-EN-16:02.pf.asc>`__ 
 * src: YP/NIS client library critical bug `[9] <https://www.freebsd.org/security/advisories/FreeBSD-EN-16:03.yplib.asc>`__ 
-* ports: sqlite 3.10.0 `[10] <https://sqlite.org/releaselog/3_10_0.html>`__ , easy-rsa 3.0.1 `[11] <https://github.com/OpenVPN/easy-rsa/releases>`__ , openssh-portable 7.1p2 `[12] <http://www.openssh.com/txt/release-7.1p2>`__ 
+* ports: sqlite 3.10.0 `[10] <https://sqlite.org/releaselog/3_10_0.html>`__ , easy-rsa 3.0.1 `[11] <https://github.com/OpenVPN/easy-rsa/releases>`__ , openssh 7.1p2 `[12] <http://www.openssh.com/txt/release-7.1p2>`__ 
 * traffic graphs: fix truncation of IP address to 14 characters
-* firmware: EOL announcement for 15.7 added, ready for upgrading to
-  16.1 on January 28
+* firmware: EOL announcement for 15.7 added, ready for upgrading to 16.1 on January 28
 * firmware: added mirror provided by RageNetwork (Munich, DE)
-* menu: fix navigation after editing IPsec mobile clients (contributed
-  by Manuel Faux)
-* trust: properly reference CA in intermediate CAs (contributed by
-  Manuel Faux)
+* menu: fix navigation after editing IPsec mobile clients (contributed by Manuel Faux)
+* trust: properly reference CA in intermediate CAs (contributed by Manuel Faux)



@ -799,12 +796,10 @@ Here are the full patch notes:

 * src: Multiple integer overflows in expat (libbsdxml) XML parser `[1] <https://www.freebsd.org/security/advisories/FreeBSD-SA-15:20.expat.asc>`__ 
 * src: bumped tzdata to 2015f `[2] <http://mm.icann.org/pipermail/tz-announce/2015-August/000033.html>`__ 
-* ports: curl 7.44.0 `[3] <https://curl.haxx.se/changes.html>`__ , ca_root_nss 3.20, openssh-portable 7.1p1_1 `[4] <http://www.openssh.com/txt/release-7.1>`__ ,
-  sqlite 3.8.11.1 `[5] <https://sqlite.org/releaselog/3_8_11_1.html>`__ , phalcon 2.0.7 `[6] <https://github.com/phalcon/cphalcon/releases/tag/phalcon-v2.0.7>`__ , pcre 8.37_4 `[7] <https://svnweb.freebsd.org/ports/head/devel/pcre/Makefile?revision=395178&view=markup>`__ 
+* ports: curl 7.44.0 `[3] <https://curl.haxx.se/changes.html>`__ , ca_root_nss 3.20, openssh 7.1p1_1 `[4] <http://www.openssh.com/txt/release-7.1>`__ , sqlite 3.8.11.1 `[5] <https://sqlite.org/releaselog/3_8_11_1.html>`__ , phalcon 2.0.7 `[6] <https://github.com/phalcon/cphalcon/releases/tag/phalcon-v2.0.7>`__ , pcre 8.37_4 `[7] <https://svnweb.freebsd.org/ports/head/devel/pcre/Makefile?revision=395178&view=markup>`__ 
 * crash reporter: create custom reports on demand
 * certificates: ca generation issues with recent LibreSSL
-* dns resolver: switched to ports-based Unbound (1.5.4) as per
-  FreeBSD handbook
+* dns resolver: switched to ports-based Unbound (1.5.4) as per FreeBSD handbook
 * menu: moved the crash reporter to system category for visibility
 * menu: added hot-plugging support for upcoming plugins
 * acl: added hot-plugging support for upcoming plugins
--- a/source/releases/CE_16.1.rst
+++ b/source/releases/CE_16.1.rst
@ -727,13 +727,10 @@ for our brave testers.  More explanations will follow soon.

 Here are the full patch notes:

-* ports: pecl-radius 1.3.0 `[1] <https://pecl.php.net/package-changelog.php?package=radius>`__ , bind 9.10.3-P4 `[2] <https://kb.isc.org/article/AA-01363/81/BIND-9.10.3-P4-Release-Notes.html>`__ , bsnmp-ucd 0.4.2 `[3] <https://github.com/trociny/bsnmp-ucd/blob/master/CHANGELOG>`__ ,
-  openssh-portable 7.2p2 `[4] <http://www.openssh.com/txt/release-7.2p2>`__ , sqlite 3.11.1 `[5] <https://sqlite.org/releaselog/3_11_1.html>`__ 
+* ports: pecl-radius 1.3.0 `[1] <https://pecl.php.net/package-changelog.php?package=radius>`__ , bind 9.10.3-P4 `[2] <https://kb.isc.org/article/AA-01363/81/BIND-9.10.3-P4-Release-Notes.html>`__ , bsnmp-ucd 0.4.2 `[3] <https://github.com/trociny/bsnmp-ucd/blob/master/CHANGELOG>`__ , openssh 7.2p2 `[4] <http://www.openssh.com/txt/release-7.2p2>`__ , sqlite 3.11.1 `[5] <https://sqlite.org/releaselog/3_11_1.html>`__ 
 * captive portal: add session timeout to status info
-* firewall: fix non-report of errors when filter reload errors
-  could not be parsed
-* pppoe server: make service control buttons work with multiple
-  instances
+* firewall: fix non-report of errors when filter reload errors could not be parsed
+* pppoe server: make service control buttons work with multiple instances
 * wake on lan: reworked pages for a polished look and feel
 * load balancer: reworked pages for a polished look and feel
 * dashboard: better colouring for widget status bars
@ -742,21 +739,16 @@ Here are the full patch notes:
 * igmp proxy: reworked pages for a polished look and feel
 * system: routes diagnostics page ported to MVC
 * proxy: adjust category visibility as not all of them were shown before
-* firmware: fix an overzealous upgrade run when the package tool only
-  changes options
-* firmware: fixed the binary upgrade patch from 15.7.x in FreeBSD's
-  package tool
+* firmware: fix an overzealous upgrade run when the package tool only changes options
+* firmware: fixed the binary upgrade patch from 15.7.x in FreeBSD's package tool
 * network time: reworked pages for a polished look and feel
 * system: removed NTP settings from general settings
 * snmp: refactored page for a polished look and feel
 * access: let only root access status.php as it leaks too much info
 * development: remove the automount features
-* development: added in-place package upgrades using the upstream
-  repository
-* development: addition of "opnsense-stable" package on our way to
-  nightly builds
-* development: opnsense-update can now install locally available base
-  and kernel sets
+* development: added in-place package upgrades using the upstream repository
+* development: addition of "opnsense-stable" package on our way to nightly builds
+* development: opnsense-update can now install locally available base and kernel sets



@ -781,33 +773,24 @@ Here are the full patch notes:

 * src: Fix multiple vulnerabilities of OpenSSL `[1] <https://github.com/freebsd/freebsd/commit/7d8d4cb5>`__ 
 * src: update tzdata to 2016a `[2] <http://mm.icann.org/pipermail/tz-announce/2016-January/000035.html>`__ 
-* ports: openssh-portable 7.2p1 `[3] <http://www.openssh.com/txt/release-7.2>`__ , isc-dhcp-43 4.3.3P1_1 `[4] <https://www.isc.org/blogs/isc-dhcp-4-3-0-is-live/>`__ ,
-  php 5.6.19 `[5] <https://php.net/ChangeLog-5.php#5.6.19>`__ , curl 7.41.1 `[6] <https://curl.haxx.se/changes.html>`__ 
-* firmware: mirror selection has been widened to include kernel/base
-  upgrades
-* firmware: bootstrap utility can now directly install e.g. the
-  development version
+* ports: openssh 7.2p1 `[3] <http://www.openssh.com/txt/release-7.2>`__ , isc-dhcp-43 4.3.3P1_1 `[4] <https://www.isc.org/blogs/isc-dhcp-4-3-0-is-live/>`__ , php 5.6.19 `[5] <https://php.net/ChangeLog-5.php#5.6.19>`__ , curl 7.41.1 `[6] <https://curl.haxx.se/changes.html>`__ 
+* firmware: mirror selection has been widened to include kernel/base upgrades
+* firmware: bootstrap utility can now directly install e.g. the development version
 * dhcp: all GUI pages have been reworked for a polished look and feel
-* proxy: added category-based remote file support if compressed file
-  contains multiple files
+* proxy: added category-based remote file support if compressed file contains multiple files
 * proxy: added ICAP support (contributed by Fabian Franz)
 * proxy: hook up the transparent FTP proxy
 * proxy: add intercept on IPv6 for FTP and HTTP proxy options
 * logging: syslog facilities, like services, are now fully pluggable
-* vpn: stripped an invalid PPTP server configuration from the standard
-  configuration
+* vpn: stripped an invalid PPTP server configuration from the standard configuration
 * vpn: converted to pluggable syslog, menu and ACL
 * dyndns: all GUI pages have been reworked for a polished look and feel
 * dyndns: widget now shows IPv6 entries too
-* dns forwarder: all GUI pages have been reworked for a polished
-  look and feel
-* dns resolver: all GUI pages have been reworked for a polished
-  look and feel
+* dns forwarder: all GUI pages have been reworked for a polished look and feel
+* dns resolver: all GUI pages have been reworked for a polished look and feel
 * dns resolver: rewrote the dhcp lease registration hooks
-* dns resolver: allow parallel operation on non-standard port when dns
-  forwarder is running as well
-* firewall: hide outbound nat rule input for "interface address" option
-  and toggle bitmask correctly
+* dns resolver: allow parallel operation on non-standard port when dns forwarder is running as well
+* firewall: hide outbound nat rule input for "interface address" option and toggle bitmask correctly
 * interfaces: fix problem when VLAN tags weren't generated properly
 * interfaces: improve interface capability reconfigure
 * ipsec: fix service restart behaviour from GUI
--- a/source/releases/CE_16.7.rst
+++ b/source/releases/CE_16.7.rst
@ -51,14 +51,12 @@ Until then, here are the full patch notes:
 * insight: fix downloading files in Chrome
 * mvc: consistently set locale (contributed by Alexander Shursha)
 * mvc: do not deliver content twice on API calls
-* python: downgraded to 2.7.12 in order to fix segmentation faults
-  within insight reporting
-* libressl: avoid possible side-channel leak of ECDSA private keys
-  when signing `[1] <https://ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/016_libcrypto.patch.sig>`__ 
+* python: downgraded to 2.7.12 in order to fix segmentation faults within insight reporting
+* libressl: avoid possible side-channel leak of ECDSA private keys when signing `[1] <https://ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/016_libcrypto.patch.sig>`__ 
 * ports: bind 9.10.4-P5 `[2] <https://deepthought.isc.org/article/AA-01447/0/BIND-9.10.4-P5-Release-Notes.html>`__ 
 * ports: perl 5.24.1 `[3] <https://perldoc.perl.org/5.24.1/perldelta>`__ 
 * ports: sqlite 3.16.2 `[4] <https://sqlite.org/releaselog/3_16_2.html>`__ 
-* ports: openssh-portable 7.4p1 `[5] <https://www.openssh.com/txt/release-7.4>`__ 
+* ports: openssh 7.4p1 `[5] <https://www.openssh.com/txt/release-7.4>`__ 
 * ports: sudo 1.8.19p2 `[6] <https://www.sudo.ws/stable.html#1.8.19p2>`__ 
 * ports: lighttpd 1.4.45 `[7] <https://www.lighttpd.net/2017/1/14/1.4.45/>`__ 
 * ports: php 5.6.30 `[8] <https://php.net/ChangeLog-5.php#5.6.30>`__ 
--- a/source/releases/CE_17.1.rst
+++ b/source/releases/CE_17.1.rst
@ -221,39 +221,30 @@ Here are the full patch notes:
 * system: fix default route display in diagnostics page
 * system: consistent precision display in gateway monitoring loss and RTT
 * system: correctly restart cron via backend call
-* system: use the internal RC script name instead file name to
-  load its variables
+* system: use the internal RC script name instead file name to load its variables
 * system: keep WAN DHCPv6 configuration option on console port reassign
-* system: unify the console yes/no prompts to indicate
-  their default behaviour
+* system: unify the console yes/no prompts to indicate their default behaviour
 * system: separate row and unhide button for 2FA OTP QR code display
 * system: prevent stripping of migrated configuration during factory reset
-* firmware: opnsense-bootstrap bare-mode addition for installing
-  repository metadata only
-* firmware: opnsense-bootstrap will never be deleted in case it is
-  required for recovery
+* firmware: opnsense-bootstrap bare-mode addition for installing repository metadata only
+* firmware: opnsense-bootstrap will never be deleted in case it is required for recovery
 * firmware: opnsense-revert now always properly reverts the core package
 * firmware: fix argument parsing in all update and development utilities
 * firewall: do not save range when end port is empty
 * firewall: do not automatically reload filter after alias delete
 * firewall: skip well-known ports for ranges
 * firewall: fetching bogon files should not use fetch internal auto-retry
-* interfaces: fix bug that prevented creation of IPv6 cache
-  IP files (contributed by @theq89)
+* interfaces: fix bug that prevented creation of IPv6 cache IP files (contributed by theq89)
 * interfaces: defer reload of the filter on IPv6 renewal and keep it local
 * interfaces: avoid potential configure loops in IPv4 renewal
 * interfaces: improve diagnostic messages on boot
-* interfaces: correct usage of interface cache files and properly
-  clear them during boot
+* interfaces: correct usage of interface cache files and properly clear them during boot
 * ipsec: enable CA field for hybrid and mutual RSA Xauth
 * dynamic dns: fix prototype declaration (contributed by Evgeny Bevz)
 * dynamic dns: add support for STRATO
-* mvc: fix iteration over several config nodes to avoid
-  "Node no longer exists" type warnings
-* plugins: quagga 1.1.1 fixes reload of BGPv4 tables and
-  modal closing (contributed by Fabian Franz)
-* plugins: monit 1.1 fixes import sender address and
-  validation (contributed by Frank Brendel)
+* mvc: fix iteration over several config nodes to avoid "Node no longer exists" type warnings
+* plugins: quagga 1.1.1 fixes reload of BGPv4 tables and modal closing (contributed by Fabian Franz)
+* plugins: monit 1.1 fixes import sender address and validation (contributed by Frank Brendel)
 * src: removed duplicate unbound from FreeBSD base system
 * src: added locales to e.g. allow tmux to start up correctly
 * src: Xen migration enhancements `[1] <https://www.freebsd.org/security/advisories/FreeBSD-EN-17:05.xen.asc>`__ 
--- a/source/releases/CE_20.1.rst
+++ b/source/releases/CE_20.1.rst
@ -41,11 +41,11 @@ from this day forward.

 Here are the full patch notes:

-* system: Windows-friendly Nextcloud configuration backup file timestamp (contributed by @Alphakilo)
+* system: Windows-friendly Nextcloud configuration backup file timestamp (contributed by Alphakilo)
 * firewall: validate if NAT destination contains a port
 * firewall: prevent config_read_array() from adding an empty lo0
-* network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by @mikahe)
-* network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by @mikahe)
+* network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by mikahe)
+* network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by mikahe)
 * mvc: LegacyLinkField not allowed to return null in __toString()
 * plugins: os-collectd 1.3 `[1] <https://github.com/opnsense/plugins/blob/stable/20.1/net-mgmt/collectd/pkg-descr>`__ 
 * plugins: os-dyndns 1.22 `[2] <https://github.com/opnsense/plugins/pull/1654>`__ 
--- a/source/releases/CE_20.7.rst
+++ b/source/releases/CE_20.7.rst
@ -540,7 +540,7 @@ Here are the full patch notes against 20.1.8_1:
 * system: add new "auth user changed" config event and hook it into LDAP updatePolicies()
 * system: adapt to 3wire serial console setting
 * system: figure out which sysctls are writeable before attempting to write them
-* system: Windows-friendly Nextcloud configuration backup file timestamp (contributed by @Alphakilo)
+* system: Windows-friendly Nextcloud configuration backup file timestamp (contributed by Alphakilo)
 * system: disable PCRE JIT in PHP config
 * system: clean up start / stop beep handler
 * interfaces: improved VLAN handling and defaults for more stable netmap use on 12.1
@ -559,14 +559,14 @@ Here are the full patch notes against 20.1.8_1:
 * firmware: added fingerprint for 20.7 series
 * firmware: hint at missing plugins and request to install or dismiss
 * intrusion detection: extend rule search with metadata and show results on rule info
-* intrusion detection: updated pattern options (contributed by @Xeroxxx)
+* intrusion detection: updated pattern options (contributed by Xeroxxx)
 * intrusion detection: synchronize suricata.yaml with default template
-* network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by @mikahe)
-* network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by @mikahe)
+* network time: NMEA GPS clock messages latitude and longitude parsing fix (contributed by mikahe)
+* network time: prevent widget PHP warnings if no GPS fix was returned in NMEA message (contributed by mikahe)
 * unbound: integrate functionality formerly known as "unbound-plus" plugin (contributed by Michael Muenz)
 * web proxy: support for custom error pages (sponsored by Incenter Technology)
 * web proxy: add connect_timeout (contributed by Michael Muenz)
-* web proxy: allow PURGE on cache (contributed by @sazb)
+* web proxy: allow PURGE on cache (contributed by sazb)
 * web proxy: add missing IPv6 listener
 * mvc: add "S" option for AllowDynamic in InterfaceField type
 * mvc: LegacyLinkField not allowed to return null in __toString()
--- a/source/releases/CE_21.1.rst
+++ b/source/releases/CE_21.1.rst
@ -269,7 +269,7 @@ Here are the full patch notes:
 * ports: libressl 3.3.3 `[12] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.3.3-relnotes.txt>`__ 
 * ports: libxml2 fix for CVE-2021-3541
 * ports: nss 3.65 `[13] <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.65_release_notes>`__ 
-* ports: openssh-portable 8.6p1 `[14] <https://www.openssh.com/txt/release-8.6>`__ 
+* ports: openssh 8.6p1 `[14] <https://www.openssh.com/txt/release-8.6>`__ 
 * ports: openvpn 2.4.11 `[15] <https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.11>`__ 
 * ports: php 7.3.28 `[16] <https://www.php.net/ChangeLog-7.php#7.3.28>`__ 
 * ports: sqlite 3.35.5 `[17] <https://sqlite.org/releaselog/3_35_5.html>`__ 
--- a/source/releases/CE_21.7.rst
+++ b/source/releases/CE_21.7.rst
@ -32,6 +32,180 @@ can be found below as well.
 * Full mirror list: https://opnsense.org/download/


+--------------------------------------------------------------------------
+21.7.5 (November 11, 2021)
+--------------------------------------------------------------------------
+
+
+FreeBSD security advisories and an issue with Intel-based ixgbe driver
+with "ifconfig -v" stalls keep this release rolling.  Also note that
+OpenSSH was updated to version 8.8 which deprecates ssh-rsa usage which
+is mainly an issue for client access from the OPNsense system to the
+outside and can be amended as per the suggestions in the respective
+release notes.
+
+And as promised the development version includes the upgrade path to
+the 22.1-BETA1 release.  This will be an online-beta with a few iterations
+over the FreeBSD 13 stable branch and eventually move to FreeBSD 13.1
+release as that becomes available.
+
+Highlights for 22.1 already include:
+
+* Suricata Netmap v14 support for multi-gigabit speed in IPS mode with RSS enabled
+* Separate VLAN MAC spoofing and permanent promiscuous mode setting
+* Tunable analytics provide automatic descriptions and type
+* IPsec tunnel overview ported to MVC with pagination
+* Proofpoint Emerging Threats rules for Suricata 5.0
+* Removed opportunistic interface address read functions
+* Console-based LAGG configuration support
+* Removed state killing on gateway failure feature
+* Improved firmware update capabilities
+* No-bind service awareness for virtual IPs
+* FreeBSD 13 stable branch
+* RFC 5424 and severity support in logs
+* Clog support has been removed
+* And more...
+
+Please note that the beta version will always be available for upgrade when
+switching to the development version.  At this point no stable packages
+are provided and this includes plugins.  These will become available as
+the release candidate is released in early January 2022.
+
+All feedback is welcome but keep in mind that there are still a number of
+moving parts ahead.  Upgrade responsibly.
+
+Here are the full patch notes for version 21.7.5:
+
+* system: remove support for obsolete "local" syslog socket plugin request
+* system: prevent setup wizard error in WAN-only configuration
+* system: properly extract keyid string (contributed by kulikov-a)
+* system: show all threads and correct WCPU in activity (contributed by kulikov-a)
+* system: fix display and sorting in activity (contributed by kulikov-a)
+* interfaces: remove obsolete link_interface_to_vlans() function
+* interfaces: inline legacy_interface_rename() function
+* interfaces: verbose output on test port (contributed by kulikov-a)
+* firewall: add live view templates page to respective ACL (contributed by kulikov-a)
+* firewall: replace pfInfo with statistics page
+* firewall: add rules to statistics page (contributed by kulikov-a)
+* firewall: remove defunct "block carp from self" CARP rule
+* dhcp: automatically set AdvRASrcAddress for link-local CARP address
+* dhcp: exclude link-local subnet router advertisements
+* firmware: remove unavailable Hostcentral mirror
+* firmware: opnsense-update: replace -A before -M and handle single directory -M independently
+* firmware: opnsense-verify: disable verification for repositories without signatures
+* firmware: opnsense-verify: let -l option properly discard duplicate repositories
+* firmware: opnsense-version: support -x effective ABI probing
+* ipsec: add sha256_96 flag (contributed by Patrick M. Hausen)
+* monit: add polltime to service settings (contributed by Frank Brendel)
+* ui: prevent event propagation to avoid click() events being forwarded
+* plugins: os-bind 1.19 `[1] <https://github.com/opnsense/plugins/blob/stable/21.7/dns/bind/pkg-descr>`__ 
+* plugins: os-dnscrypt-proxy 1.10 `[2] <https://github.com/opnsense/plugins/blob/stable/21.7/dns/dnscrypt-proxy/pkg-descr>`__ 
+* plugins: os-dyndns 1.26 `[3] <https://github.com/opnsense/plugins/blob/stable/21.7/dns/dyndns/pkg-descr>`__ 
+* plugins: os-freeradius 1.9.17 `[4] <https://github.com/opnsense/plugins/blob/stable/21.7/net/freeradius/pkg-descr>`__ 
+* plugins: os-frr 1.23 `[5] <https://github.com/opnsense/plugins/blob/stable/21.7/net/frr/pkg-descr>`__ 
+* plugins: os-haproxy 3.7 `[6] <https://github.com/opnsense/plugins/blob/stable/21.7/net/haproxy/pkg-descr>`__ 
+* plugins: os-nut 1.8.1 `[7] <https://github.com/opnsense/plugins/blob/stable/21.7/sysutils/nut/pkg-descr>`__ 
+* plugins: os-openconnect 1.4.1 `[8] <https://github.com/opnsense/plugins/blob/stable/21.7/security/openconnect/pkg-descr>`__ 
+* plugins: os-relayd 2.6 `[9] <https://github.com/opnsense/plugins/pull/2391>`__ 
+* plugins: os-telegraf 1.12.2 `[10] <https://github.com/opnsense/plugins/blob/stable/21.7/net-mgmt/telegraf/pkg-descr>`__ 
+* plugins: os-vnstat 1.3 `[11] <https://github.com/opnsense/plugins/blob/stable/21.7/net/vnstat/pkg-descr>`__ 
+* plugins: os-wireguard 1.8 `[12] <https://github.com/opnsense/plugins/blob/stable/21.7/net/wireguard/pkg-descr>`__ 
+* src: axgbe: correctly enable RSS driver support by default
+* src: ixgbe: prevent subsequent I2C bus read timeouts
+* src: fix kernel panic in vmci driver initialization `[13] <FREEBSD:FreeBSD-EN-21:28.vmci>`__ 
+* src: timezone database information update `[14] <FREEBSD:FreeBSD-EN-21:29.tzdata>`__ 
+* ports: lighttpd 1.4.61 `[15] <https://www.lighttpd.net/2021/10/28/1.4.61/>`__ 
+* ports: nss 3.72 `[16] <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.72_release_notes>`__ 
+* ports: openssh 8.8p1 `[17] <https://www.openssh.com/txt/release-8.8>`__ 
+* ports: pcre2 10.39 `[18] <https://www.pcre.org/changelog.txt>`__ 
+* ports: php 7.4.25 `[19] <https://www.php.net/ChangeLog-7.php#7.4.25>`__ 
+* ports: phpseclib 2.0.34 `[20] <https://github.com/phpseclib/phpseclib/releases/tag/2.0.34>`__ 
+
+
+--------------------------------------------------------------------------
+21.7.4 (October 27, 2021)
+--------------------------------------------------------------------------
+
+
+This update features three new major things: optional receive side scaling
+(RSS) support in the kernel, asynchronous DNS resolving for aliases and
+configuration support for advanced LAGG settings.
+
+RSS is disabled by default but may be switched on by adding a tunable
+"net.inet.rss.enabled" with value "1" and rebooting the system.  While
+RSS can improve performance for certain hardware it should be used with
+care at this point and is not generally recommended yet!  The Suricata
+version bundled with the development release offers the upcoming API
+bindings to take advantage of the RSS-based multithreading.  Also please
+note that PPPoE cannot take advantage of RSS.
+
+On the side we are almost ready for our 22.1-BETA preview with rolling
+releases for the development release type which is something new to look
+forward to also.
+
+Here are the full patch notes:
+
+* system: prevent expired or intermediate CA certificates from being added to trust store by default
+* system: prevent XSS in LDAP attribute return in authentication tester (reported by Orange CERT-CC)
+* system: add product title to auth pages
+* system: fix log search ignoring first character
+* system: add xc0 entry video console entry if node exists
+* system: add automatic outbound NAT logging option
+* interfaces: let guess_interface_from_ip() find the best match on overlapping subnets (contributed by Jason Crowley)
+* interfaces: improve configurability with LAGG devices
+* firewall: fix non-sticky rule association in port forward
+* firewall: switch failover peer address acquire away from deprecated function
+* firewall: specify overload table on maximum new connections
+* firewall: add loaded item count and last update to aliases page
+* firewall: refactor getInterfaceGateway() to eliminate edge cases with IPsec route-to behaviour
+* firewall: allow alias to skip entry on EmptyLabel (contributed by James Golovich)
+* firewall: improve resolve performance by implementing asynchronous DNS lookups
+* dhcp: show static leases without IP address assignments in the lease pages
+* firmware: do not remove obsolete base files on major upgrades
+* firmware: support ABI hints in the file "firmware-upgrade"
+* firmware: opnsense-code utility now supports "-u" mode for automatic upgrade after fetch
+* firmware: opnsense-code utility fix for "-d" option (contributed by Patrick M. Hausen)
+* firmware: opnsense-update utility is now able to bootstrap its own configuration in "-d" mode
+* firmware: opnsense-update utility now supports "-ct package-name" check for type change
+* firmware: opnsense-update utility no longer assumes "-bkp" by default
+* firmware: opnsense-update utility adds separate clean option for obsolete base files
+* firmware: opnsense-update utility assorted cleanups
+* ipsec: add charon.max_ikev1_exchanges parameter
+* ipsec: add closeaction parameter (contributed by Patrick M. Hausen)
+* ipsec: rewrite netmask calculation for VTI tunnel setup
+* monit: add link event to alert settings (contributed by Frank Brendel)
+* openvpn: remove obsolete remnants of tun-ipv6
+* unbound: add Abuse.ch ThreatFox list
+* unbound: make so-reuseport conditional upon RSS status
+* backend: static parameters ignored when no dynamic ones exist
+* mvc: replace __toString() calls with string casts
+* plugins: os-acme-client 3.4 `[1] <https://github.com/opnsense/plugins/blob/stable/21.7/security/acme-client/pkg-descr>`__ 
+* plugins: os-c-icap log file fix (contributed by Michael Muenz)
+* plugins: os-dyndns 1.25 `[2] <https://github.com/opnsense/plugins/blob/stable/21.7/dns/dyndns/pkg-descr>`__ 
+* plugins: os-haproxy 3.6 `[3] <https://github.com/opnsense/plugins/blob/stable/21.7/net/haproxy/pkg-descr>`__ 
+* plugins: os-lldpd will now identify itself as Network Connectivity Device (contributed by Xeroxxx)
+* plugins: os-puppet-agent 1.0 `[4] <https://github.com/opnsense/plugins/blob/stable/21.7/sysutils/puppet-agent/pkg-descr>`__ 
+* plugins: os-qemu-guest-agent 1.1 `[5] <https://github.com/opnsense/plugins/blob/stable/21.7/emulators/qemu-guest-agent/pkg-descr>`__ 
+* plugins: os-theme-rebellion 1.8.8 (contributed by Team Rebellion)
+* src: include RSS kernel support defaulting to off
+* src: axgbe: properly multiplex on reading module signals
+* src: libnetmap: reset errno in nmreq_register_decode()
+* src: pf: remove side effect from nat logging patch
+* src: dummynet: fix mbuf tag allocation failure handling
+* src: aesni: avoid a potential out-of-bounds load in aes_encrypt_icm()
+* ports: curl 7.79.1 `[6] <https://curl.se/changes.html#7_79_1>`__ 
+* ports: dnspython 2.1.0 `[7] <https://dnspython.readthedocs.io/en/stable/whatsnew.html>`__ 
+* ports: jinja 3.0.1 `[8] <https://jinja.palletsprojects.com/en/3.0.x/changes/#version-3-0-1>`__ 
+* ports: libressl 3.3.5 `[9] <https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.3.5-relnotes.txt>`__ 
+* ports: lighttpd 1.4.60 `[10] <https://www.lighttpd.net/2021/10/3/1.4.60/>`__ 
+* ports: nss 3.71 `[11] <https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.71_release_notes>`__ 
+* ports: openvpn 2.5.4 `[12] <https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn25#Changesin2.5.4>`__ 
+* ports: php 7.4.24 `[13] <https://www.php.net/ChangeLog-7.php#7.4.24>`__ 
+* ports: strongswan 5.9.4 `[14] <https://github.com/strongswan/strongswan/releases/tag/5.9.4>`__ 
+* ports: sudo 1.9.8p2 `[15] <https://www.sudo.ws/stable.html#1.9.8p2>`__ 
+
+
+
 --------------------------------------------------------------------------
 21.7.3 (September 22, 2021)
 --------------------------------------------------------------------------