It also resolves a remote code execution issue in the Web UI

May 3, 2016 08:45 GMT

The development team behind the IPFire software has announced the general availability of Core Update 101 for IPFire 2.19, a Linux kernel-based firewall distribution.

IPFire 2.19 Core Update 101 is here to patch a cross-site scripting vulnerability, as well as a remote code execution issue in the web-based user interface, both of which were discovered recently by Yann Cam, an independent security researcher. These security vulnerabilities could be used by an attacker under certain circumstances.

"These attacks are only possible to perform on an admin’s computer and only in that instance when the administrator is logged in to the web user interface. Of course, we recommend to install this update as soon as possible to close these vulnerabilities," said Michael Tremer in the release announcement.

IPFire 2.19 Core Update 101 also patches a security vulnerability discovered recently in the Squid open-source web proxy, which apparently can't be exploited in IPFire. Today's update to IPFire 2.19 also enables the connection tracking helpers by default on all migrated systems.

Updated packages and add-ons

Besides the security fixes mentioned above, IPFire 2.19 Core Update 101 brings new versions of some of the most important packages, such as BIND 9.10.3-P4, e2fsprogs 1.42.13, dma 0.11, pkg-config 0.29, gmp 6.0.1, texinfo 5.2, grep 2.23, pciutils 3.4.1, libxml2 2.9.3, nettle 3.2, mpfr 3.1.3, PCRE 8.38, patch 2.7.5, and paxctl 0.9.

Lastly, there are now two new add-on packages, iperf3 and mcelog, and several others have been updated, such as Asterisk 11.21.1 (also includes libsrtp 1.5.4), bwm-ng 0.6.1, ClamAV 0.99.1, Git 2.7.4, Htop 2.0.1, lcdproc 0.5.7, and nano 2.5.3. All existing users are urged to update their installations as soon as possible. New users can also download IPFire 2.19 Core Update 101 right now via our website.