IPFire 200th Core Update: Enhanced Security with New Domain Blocklist and Kernel Upgrade
The IPFire project has announced the release of Core Update 200, marking the 200th incremental update to the 2.29 branch. This update bundles a kernel upgrade, a beta domain blocklist service, security patches for OpenSSL and glibc, and various component updates.
Kernel Upgrade
The kernel has been rebased on Linux 6.18.7 LTS, which brings updated hardware security mitigations and improvements in network throughput and latency. However, users running IPFire on the ReiserFS filesystem will need to reinstall on a supported filesystem before applying the update, as Linux developers have deprecated ReiserFS support in this kernel line.
Introducing IPFire DBL: A New Domain Blocklist
The release introduces IPFire DBL, a domain blocklist designed to replace the retired Shalla list. IPFire DBL is available in two forms: as a URL filter for proxy-based blocking and as a Suricata rules source. When used with Suricata, the blocklist enables deep packet inspection across DNS, TLS, HTTP, and QUIC connections. The project is soliciting community feedback on this early beta release.
Suricata and IPS Enhancements
A cache management fix addresses a bug introduced in the previous update, where Suricata’s pre-compiled signature cache grew without limit and consumed disk space. A backported patch now causes Suricata to clean up unused signatures automatically. Additionally, the Suricata reporter has been updated to surface hostname information and additional protocol metadata for alerts involving DNS, HTTP, TLS, and QUIC connections.
OpenVPN Configuration Updates
Several OpenVPN client configuration behaviors have changed. MTU values will now be pushed from the server rather than baked into client configs, giving administrators flexibility to adjust the value after deployment. The OTP authentication token will also be pushed server-side when OTP is enabled. Furthermore, the CA certificate has been removed from client configuration files, as it is already contained in the PKCS12 container.
DNS Proxy Performance Enhancement
Unbound, the DNS proxy component, will now launch one thread per CPU core, reducing response times under load.
Security Patches and Component Updates
OpenSSL has been updated to version 3.6.1, patching twelve CVEs: CVE-2025-11187, CVE-2025-15467, CVE-2025-15468, CVE-2025-15469, CVE-2025-66199, CVE-2025-68160, CVE-2025-69418, CVE-2025-69419, CVE-2025-69420, CVE-2025-69421, CVE-2026-22795, and CVE-2026-22796. The glibc library received patches for CVE-2026-0861, CVE-2026-0915, and CVE-2025-15281. Notable component versions in this release include Apache 2.4.66, BIND 9.20.18, cURL 8.18.0, OpenVPN 2.6.17, strongSwan 6.0.4, Suricata 8.0.3, Unbound 1.24.2, ClamAV 1.5.1, Samba 4.23.4, and Tor 0.4.8.21.
