A fine day to you all,

This update is the obvious answer to recent reports throughout the ecosystem: There are 3 core security issues fixed, FreeBSD security advisories, third party updates as well as assorted fixes plus improvements in the new rules GUI.

The firmware page had a number of minor regressions that should be sorted out with this release. They did not affect updates, but made the process a bit less smooth than usual. Be assured that each minor update is tested quite extensively, but non-functional issues like these can always slip through a test cycle and will be found in the next one. In the worst case that means two stable releases: the issues appeared with 26.1.8 but were not visible before 26.1.9 was being tested.

Under the hood the preparation for Source NAT migration, MVC/API support for interface assignments and FreeBSD 15.1 support is underway. We expect a 26.7-BETA in the near future once we are satisfied with the overall quality.

Here are the full patch notes:

• system: routing: changed "disable" option to "enable"
• system: dashboard: explicitly compact on layout shift if there is no predefined layout
• system: dashboard: update result on default restore
• interfaces: parse ifconfig output despite exit error in legacy_interfaces_details()
• interfaces: hostwatch: pin warning banner to enabled flag
• firewall: always show automatic and legacy rules in new rules GUI
• firewall: add banner if no rules defined in new rules GUI to match legacy GUI
• firewall: use strnatcasecmp() for interface list in new rules GUI
• firewall: fix typo that prevented queues to be selectable in pf-based traffic shaping
• firewall: escape shaper targets in rule edit[1] (contributed by lujiefsi)
• dnsmasq: change widget link from settings to leases page
• firmware: stop buffering in sed to fix chunked update log output
• firmware: retain ordering in update servers for connectivity check
• firmware: allow "local" business mirror subscription
• firmware: put clickable trailer for community plugins
• firmware: fix return value masking during updates
• firmware: opnsense-update: do not clean obsolete files on manual -r invokes
• intrusion detection: fix drop and alert buttons on rules tab
• ipsec: disable scroll in authentication and children grids (contributed by Konstantinos Spartalis)
• ipsec: validate the use of refid in CA certificates[2] (reported by lujiefsi)
• kea: prevent converting the decimal prefix_id using hexdec() for dynamic PD
• openvpn: fix client export not showing common names
• openvpn: require an integer of at least 1 for "vpnid" field
• mvc: add new validators to TextField: AllowSpaces, AllowNewlines, AllowSpecial and introduce new StrictTextField
• mvc: strict alphanumeric-only regex for certificate refid[3] (contributed by eev4n)
• mvc: simplify assorted option values to reduce duplication
• mvc: static header support for forms
• rc: move system_powerd_configure() to bootup plugin hook
• ui: bootgrid: allow column selection exclusions
• ui: allow passing of data attributes for select items in setFormData()
• ui: remove banner on inline reload if applicable
• ui: button padding when injecting next to apply button
• ui: fix spurious padding in apply button section (contributed by Konstantinos Spartalis)
• plugins: os-cloudflared 1.0 (contributed by Richard Aspden)
• plugins: os-frr 1.53[4]
• plugins: os-rfc2136 1.10[5]
• plugins: os-stunnel fix for missing include in script
• plugins: os-telegraf 1.12.15[6]
• src: missing permission check in thr_kill2[7]
• src: arbitrary file overwrite via the KTLS receive path[8]
• src: multiple vulnerabilities in the sound mmap path[9]
• src: sigqueue missing capability mode restriction[10]
• src: use-after-free bug in the IPV6_MSFILTER socket option handler[11]
• src: flaw in Linuxulator execution of setugid binaries[12]
• src: ASLR bypass for setuid executables via procctl[13]
• src: integer overflow in vt CONS_HISTORY ioctl[14]
• src: openssl: fix multiple vulnerabilities[15]
• src: ldns: fix query response validation[16]
• src: netlink: fix lock leak in nl_find_nhop
• src: pf: avoid taking the pf rules write lock in a couple of ioctls
• src: ipfw: add ability to run ipfw binary with 15.0+ kernel module
• src: ipfw: treat ipv6 address with zero mask as "any"
• ports: dnsmasq 2.93[17]
• ports: filterlog 0.8 changes rule label fetch to libpfctl
• ports: openssl 3.0.21[18]
• ports: phalcon 5.14.2[19]
• ports: phpseclib 3.0.55[20]
• ports: py-duckdb 1.5.3[21]
• ports: py-numpy 2.4.6
• ports: python 3.13.14[22]
• ports: sqlite3 3.53.1[23]
• ports: strongswan 6.0.7[24]

Stay safe,
Your OPNsense team