22.10 Series
The OPNsense business edition transitions to this 22.10 release including the upgrade to FreeBSD 13.1, PHP 8.0, Phalcon 5, MVC/API conversions for IPsec, Unbound and notifications, firewall alias support for BGP ASN, new APCUPSD and CrowdSec plugins plus much more.
Please make sure to read the migration notes before upgrading.
Download link is as follows. An installation guide [1] and the checksums for the images can be found below as well.
https://downloads.opnsense.com/
22.10.2 (February 20, 2023)
This business release is based on the OPNsense 22.7.11 community version with additional reliability improvements.
Here are the full patch notes:
interfaces: fix VLAN missing a config lock on delete
firewall: do not switch gateway on bootup
intrusion detection: properly reset metadata response when no metadata is found
unbound: missing global so that cache is never flushed when requested
mvc: cleanse $record input in searchRecordsetBase() before usage
src: fix multiple OpenSSL vulnerabilities [1]
src: geli: split the initalization of HMAC [2]
src: fix ena driver crash after reset in 7th gen AWS instance types [3]
src: fix sdhci broken write-protect settings [4]
src: import tzdata 2022g [5]
src: x86: ignore stepping for APL30 errata
ports: openssl 1.1.1t [6]
A hotfix release was issued as 22.10.2_1:
firmware: added 23.4 series fingerprint
22.10.1 (February 01, 2023)
This business release is based on the OPNsense 22.7.11 community version with additional reliability improvements.
Here are the full patch notes:
system: fix getOID() call for phpseclib 3 while processing CSR
system: avoid error on installer user creation
system: show booting banner on dashboard
system: add statistics tree view containing vmstat memory characteristics
system: explicitly reopen main log file in case another log file was used and closed
system: tweak log_msg() to prepare log level adjustments migration away from log_error()
system: enforce config reload to fetch group membership in authentication tester
system: separate interface type icon from name column in interface widget
system: change system log default to “Notice”
system: UX tweaks on activity page
system: revised backend daemon startup delay
system: drop empty plugins_run() result
system: fix internal CRL check (contributed by kulikov-a)
system: add group (class) sync and user creation for RADIUS authentication
system: show and search ACL endpoints in privilege selector
system: replace a number of log_error() calls with log_msg() equivalent
system: improve SSH lockout behaviour
system: fix a few minor Coverity Scan reports in PHP and Python [1]
interfaces: show attached interface for VLAN device in overview
interfaces: packet capture MVC/API replacement
interfaces: fix ARP table name resolve backend issue (contributed by soif)
interfaces: migrate main clearing of interface data to ifctl
interfaces: fix display of special HTML characters in packet capture
interfaces: retain existing PPP settings on saving interface settings
interfaces: delete the correct lock of PPP device
interfaces: fix variable use in interface_proxyarp_configure()
interfaces: use get_interface_list() to identify hardware devices
interfaces: fix single ACL use for MVC/API interface pages
firewall: off-by-one in regex for target port range parse
firewall: support Maxmind unclassified “EU” as selectable country
firewall: fix possible race condition when changing limit in live log
firewall: fix sorting bug in aliases list
firewall: allow the use of “dynamic” interface types in shaper, e.g. IPsec devices
firewall: wrap user rule registration in new function filter_core_rules_user()
firewall: simplify rule lookup by using filter_core_rules_user()
firewall: allow external dynamic address in NPT
firewall: remove extended VIP expansion from NAT rules
firewall: fix live view hostname lookup may result in HTTP 431 error
firewall: add category selection to aliases
firewall: sates page performance improvements and better address parsing in search
firewall: reuse “hostid” on filter reload events
firewall: show automated “port 0” rule as actual port “0” on PHP 8
reporting: fix incompatible regex syntax in FreeBSD 13.1 for firewall state health statistics
reporting: bail DNS resolve in traffic graphs when resolver is not configured
captive portal: for static MAC assignments make sure that the IP address actually changed before updating it
dnsmasq: remove expired root trust anchor (contributed by Johnny S. Lee)
firmware: always fetch the signature file to avoid signature issues after upgrades
firmware: use effective ABI in changelog fetch
firmware: ignore automatic business plugin and license hint
ipsec: missing return in controller
ipsec: remove side effect host route removal from Phase 1 page
ipsec: allow to search all phase 2 entries via API call
ipsec: default log should be set to “basic” but PHP 8 disagreed
openvpn: use ifctl in link up/down scripts
openvpn: remove unused “pool_enable” attribute
unbound: move the removal of pluggable files above the configuration check
unbound: remove 127/8 from private-address block when rebind protection is enabled
unbound: make the default private-address items configurable via the advanced page
unbound: fix possible error while opening DoT page
unbound: do not stop on potential errors in start script
unbound: rework DNSBL implementation to Python module
unbound: fix blocklist use with DNS64 mode (contributed by kulikov-a)
unbound: change working directory before checking configuration
unbound: introduce blocklist module changes for upcoming 23.1
unbound: fix log message blocklist item count (contributed by kulikov-a)
unbound: also change working dir for unbound-checkconf in start script (contributed by kulikov-a)
unbound: fix missing query_reply property leading to an AttributeError
unbound: safeguard retrieval of blocklist shortcode
web proxy: fix broken “Google GSuite restricted” option
backend: wait 1 second for configd socket to become available
backend: clean up scripts/systemheath location
backend: moved log format definitions to new location for core and several plugins
mvc: when multiple validation messages are returned wrap each message in a div tag
mvc: translate a base field error
mvc: change default sorting to case-insensitive
mvc: move JavaScript and CSS imports to base controller
mvc: make sure HostnameField with ZoneRootAllowed accepts “@.” prefix
mvc: fix IntegerField minimum value (contributed by xbb)
rc: remove obsolete NAME_var_script and NAME_var_mfs support
ui: unicode content for tokenizer (contributed by kulikov-a)
plugins: migrate all plugins to NAME_setup script use
plugins: $verbose argument in plugins_run() is spurious
plugins: os-acme-client 3.15 [2]
plugins: os-apcupsd 1.1 [3]
plugins: os-clamav 1.8 [4]
plugins: os-ddclient IPv6 parsing fix [5]
plugins: os-freeradius is no longer available for LibreSSL to allow updates of FreeRADIUS software
plugins: os-frr 1.31 [6]
plugins: os-haproxy 3.12 [7]
plugins: os-maltrail 1.10 [8]
plugins: os-nginx 1.31 [9]
plugins: os-openconnect 1.4.3 [10]
plugins: os-rfc2136 1.7 fixes key format issue with latest bind-tools update
plugins: os-stunnel fixes missing include in certificate script
plugins: os-telegraf 1.12.7 [11]
plugins: os-theme-cicada 1.31 (contributed by Team Rebellion)
plugins: os-theme-vicuna 1.43 (contributed by Team Rebellion)
plugins: os-tor 1.9 enables hardware acceleration (contributed by haarp)
plugins: os-wireguard 1.13 [12]
ports: curl 7.87.0 [13]
ports: dnsmasq 2.88 [14]
ports: expat 2.5.0 [15]
ports: krb5 1.20.1 [16]
ports: libxml 2.10.3 [17]
ports: nss 3.87 [18]
ports: openssl 1.1.1s [19]
ports: openvpn 2.5.8 [20]
ports: pcre 10.42 [21]
ports: phalcon 5.1.4 [22]
ports: php 8.0.27 [23]
ports: phpseclib 3.0.18 [24]
ports: python 3.9.16 [25]
ports: sqlite 3.40.1 [26]
ports: strongswan 5.9.9 [27]
ports: suricata 6.0.9 [28]
ports: unbound 1.17.1 [29]
22.10 (October 26, 2022)
The OPNsense business edition transitions to this 22.10 release including the upgrade to FreeBSD 13.1, PHP 8.0, Phalcon 5, MVC/API conversions for IPsec, Unbound and notifications, firewall alias support for BGP ASN, new APCUPSD and CrowdSec plugins plus much more.
Please make sure to read the migration notes before upgrading.
Download link is as follows. An installation guide [1] and the checksums for the images can be found below as well.
https://downloads.opnsense.com/
This business release is based on the OPNsense 22.7.6 community version with additional reliability improvements.
Here are the full patch notes:
system: changed certificate revocation to use the phpseclib library
system: performance improvement for set_single_sysctl()
system: restart syslog fully and only once after all services have been started
system: new setting for deployment mode to control PHP error flow
system: /tmp MFS now uses a maximum of 50% of RAM by default and can be adjusted
system: /var MFS becomes /var/log MFS and uses a maximum of 50% of RAM by default and can be adjusted
system: previous special /var MFS content is now permanently stored under /var to ensure full operability
system: protect syslog-ng against out of memory kills
system: add filter to system log widget (contributed by kulikov-a)
system: disable RRD and NetFlow shutdown backups by default
system: render interfaces in convert_config()
system: move remote backup script to proper file system location
system: Net_IPv6::compress() should not compress “::” to “”
system: remove last bits of circular logging (CLOG) support
system: removed legacy Diffie-Hellman parameter handling
system: IXR_Library using incorrect constructor format for PHP 8
system: fix regression in config backup due to timestamp key rename
system: fix assorted warnings generated by PHP 8
system: do not reload Unbound/Dnsmasq hosts configuration by default
system: use proper CRL id-ce-cRLReasons extension keyword ‘unspecified’
system: remove dead code from login form
system: replace static notices system with a shared one based on MVC/API code
system: use new _setup script feature where setup.sh exists
system: PHP 8 issue when ldap_get_entries() returns false
system: wrong variable in scope addition on manual DNS server via link-local gateway
system: “passwordarea” support for sensitive backup values
system: migrate CRL handling to phpseclib 3
system: run monitor reload inside system_routing_configure()
system: fix IPv6 link-local HTTP_REFERER check (contributed by Maurice Walker)
system: fix assorted PHP 8 warnings in the codebase
system: extend nameservers script return for debugging purposes, i.e. “configctl system list nameservers debug”
system: lighttpd obsoletion of server listing directive, disabled by default
system: decode stored CRL data before display (contributed by kulikov-a)
system: work around phpseclib 3 flagging RSA-PSS as an invalid key alogrithm
system: check for existing X509 class before doing CRL update
system: enforce RFC 8446 by requiring TLS_AES_128_GCM_SHA256 for TLS 1.3
system: consider CRL end dates after 2050 as “lifetime” in GeneralizedTime format
system: revert the default CRL hashing back to what it was in phpseclib 2
system: match TLS cipher suites and commands in web GUI settings (contributed by kulikov-a)
system: improve error message of CRL validation failure (contributed by kulikov-a)
system: fix phpseclib 3 use for CSR parsing on certificates page
system: add the default “-c” option to backend pluginctl invokes for consistency
system: rework console port assignment regarding wireless handling
system: remove stray installer account from fresh 22.7 installations
system: only use withPadding() for RSA based public keys in CRL code
system: remove unnecessary crl_update() calls in CRL code
system: extend pool options support in gateway groups
system: move get_searchdomains() to ifctl use and allow FQDN
system: add replacement hook for rc.resolv_conf_generate script
system: replace “dns reload” backend call with portable alternative
system: remove obsolete rc.resolv_conf_generate script
system: bring back the buttons action in OpenVPN dashboard widget (contributed by kulikov-a)
system: assorted cleanups for IXR library used for XMLRPC
system: catch errors in RSS dashboard widget
system: stop reading product info from global $g variable in system information dashboard widget
system: structurally improve boot sequence with regard to hosts/resolv.conf generation
system: add keyUsage extension and follow RFC on basicConstraints in CA config (contributed by kulikov-a)
system: fix inconsistent is_crl_internal() implementation
system: make sure we always generate a CRL when saved
system: sandbox code handling CRL manipulation in the CRL manager page
system: wrap global product information handling into a singleton
system: move get_nameservers() to ifctl use
reporting: traffic graph polling interval selection and UX tweaks
interfaces: refactored LAGG, wireless and static ARP handling
interfaces: provide automatic startup of Loopback, IPsec, OpenVPN, VXLAN devices
interfaces: removed the side effect reliance on /var/run/booting file
interfaces: add dynamic reload of required devices
interfaces: add WPA enterprise configuration for infrastructure mode (contributed by Manuel Faux)
interfaces: auto-detect far gateway requirement for default route
interfaces: switch to MVC/API variant for DNS lookup page
interfaces: refactor DHCP and PPPoE scripts to use ifctl exclusively
interfaces: prevent the removal of default routes in dhclient-script
interfaces: fix inconsistencies in wireless handling
interfaces: fix unable to bring up multiple loopback (contributed Johnny S. Lee)
interfaces: fix unable to bring up multiple VXLAN
interfaces: check if int before passing to convert_seconds_to_hms()
interfaces: disable IPv6 inside 4in6 and 4in4 GIF tunnels (contributed by Maurice Walker)
interfaces: ping diagnostics tool must explicitly set IP version (contributed by Maurice Walker)
interfaces: remove other inconsistencies regarding ping utility changes in FreeBSD 13
interfaces: correct regex validation for dhcp6c expire statement (contributed by Josh Soref)
interfaces: fix issues with PPP uptime display in PHP 8
interfaces: add iwlwiwi(4) to wireless devices
interfaces: hide nonexistent MAC info on wireless edit page
interfaces: stop DHCP from calling rc.newwanip when no changes are being done
interfaces: bring routes back unconditionally after reconfiguring 6to4/6rd IPv6 connectivity
interfaces: GIF/GRE IPv6 default remote network size selection is now “128” instead of “64”
interfaces: fix wireless clone assignment regression in 22.7.1
interfaces: update ifctl utility to latest version
interfaces: update link-local matching pattern
interfaces: PPP is an exception, only created after interface configuration
interfaces: only remove known primary addresses in interface_bring_down()
interfaces: improve shell banner address return in prefix-only IPv6 case
interfaces: improve problematic <wireless/> node handling
interfaces: DHCP does not signal RELEASE
interfaces: web GUI locale sorts files differently when invoking ifctl
interfaces: improve legacy_interface_listget()
interfaces: only parse actual options in legacy_interfaces_details(), not nd6 options
interfaces: configure all hardware features for present devices
interfaces: bring up IPv6 device manually since SLAAC will not do that automatically
interfaces: merge DHCPv4 / DHCPv6 buttons on overview page (contributed by Maurice Walker)
interfaces: add support for requesting DNS info via stateless DHCPv6 (contributed by Maurice Walker)
interfaces: migrate wireless creation to legacy_interface_listget()
interfaces: port 6RD/6to4 to ifctl use
interfaces: optionally use reverse DNS resolution for ARP table hostnames (contributed by soif)
interfaces: allow user-configurable VLAN device names with certain restrictions [2]
interfaces: small cleanup on get_real_interface()
firewall: improved port alias performance
firewall: obsoleted notices inside the synchronization code
firewall: support logging in NPT rules
firewall: append missing link-local to inet6 :network selector
firewall: move inspect action into its own async API action to prevent long page loads
firewall: performance improvement for reading live log
firewall: add general firewall log for alias and filter system log messages
firewall: do not emit link-local address on IPv6 network outbound NAT
firewall: add BGP ASN type to aliases [3]
firewall: implement a router file read fallback for new ifctl :slaac suffix
firewall: stick-address only in effect with pool option and multiple routers
firewall: remove dead pptpd server code
firewall: support TOS/DSCP matching in firewall rules
firewall: add os-firewall alias paths in getAliasSource() to prevent removal when being used
firewall: get lockout interface from get_primary_interface_from_list()
firewall: fix PHP 8 error in port forwarding page
firewall: fix PHP 8 error in aliases (contributed by kulikov-a)
firewall: parse pftop internal data conversion (contributed by kulikov-a)
firewall: simplify port forward rule logic for delete and toggle and make sure to toggle firewall rule as well
firewall: various performance and usability improvements in live log
firewall: extend all firewall rules with a UUID to align with MVC code upon edit
captive portal: lighttpd deprecation of legacy SSL options, disabled by default
dhcp: no longer automatically add a link-local address to bridges if IPv6 service is running on it
dhcp: allow running relay service on bridges
dhcp: clean up IPv6 prefixes script
dhcp: include ddns-hostname and other cleanups (contributed by Sascha Buxhofer)
dhcp: remove duplicated ddnsupdate static mapping switch
dhcp: remove print_content_box() use
dhcp: switch to shell-based DHCPv6 lease watcher
dhcp: rewrite prefix merge for dynamic IPv6 tracking to support bitwise selection
dhcp: do not advertise DNS domain when DNS router advertisements are disabled (contributed by Patrick M. Hausen)
dhcp: extend search list pull from DHCPv6 in router advertisements DNS option
dhcp: improve UI for disabling DNS part of router advertisements (contributed by Patrick M. Hausen)
dhcp: pushed wrong server to zone definition on local DNS selection
dhcp: allow rapid-commit message exchange in IPv6 server (contributed by Maurice Walker)
dnsmasq: switch to a Python-based DHCP lease watcher
dnsmasq: restart during “newwanip” event
firmware: console script can now show changelog using “less” before update
firmware: disable crash reporter in development deployment mode
firmware: limit changelog-based update check on dashboard to release version
firmware: provide an upgrade log audit
firmware: opnsense-patch: only remove “.sh” suffix for installer and update repos
firmware: opnsense-update: only set packages marker after successful upgrade
firmware: opnsense-bootstrap: set correct packages marker
firmware: revoke 22.1 fingerprint
firmware: major upgrade “pkgs” set was still unknown to plugin sync
firmware: opnsense-update: return subscription key via -K if it exists
firmware: display license validity when applicable in business edition
firmware: remove faulty changelog to force a clean refetch
intrusion detection: fix enable rule button and present active detail overwrite if present
intrusion detection: missing OPNsense categories
ipsec: add “IPv4+6” protocol for mobile phase 1 entries (contributed by vnxme)
ipsec: mobile property boolean duplication in phase 2
ipsec: remember phase 1 setting for next action
ipsec: switch to MVC/API variants of SPD, SAD and connection pages
ipsec: small UX tweaks in status page
ipsec: fixed widget link (contributed by Patrik Kernstock)
ipsec: allow to set rightca in mobile phase 1 with EAP-TLS
ipsec: fix multiple phase 2 IP addresses on the same interface (contributed by Wagner Sartori Junior)
ipsec: ACL fix for sessions users
openvpn: pinned Diffie-Hellman parameter to RFC 7919 4096 bit key
unbound: do not start DHCP watcher immediately after daemonizing Unbound itself
unbound: improve FQDN handling when address is moving in DHCP watcher
unbound: prevent DNS rebinding check and DNSSEC validation on explicit forwarded domains
unbound: restrict creation of PTR records for both the system domain and host overrides
unbound: add AAAA-only mode (contributed by Maurice Walker)
unbound: account for hostname during PTR creation
unbound: maintain a consistent dnsbl cache state
unbound: reduce blocklist read timeout (contributed by kulikov-a)
unbound: support setting type value for DNS over TLS/Query Forwarding API (contributed by kulikov-a)
unbound: convert advanced settings to MVC/API
web proxy: update pattern to zst for the Arch packages (contributed by gacekjk)
console: store UUID for VLAN device
lang: bring back Italian and update all languages to latest available translations
lang: fix reported issues with Italian and French translations
lang: fix syntax errors in French translation (contributed by kulikov-a)
mvc: bugfix search and sort issues for searchRecordsetBase()
mvc: add support for non-persistent (memory) models
mvc: throw when no mount found in model (contributed by agh1467)
mvc: store configuration changes only when actual changes exist
mvc: remove stray error_reporting(E_ALL) calls
mvc: remove “clear all”, “copy” and “paste” options when only a single entry is allowed
mvc: fix typo in searchRecordsetBase()
mvc: prevent UserExceptions to end up in the crash reporter
ui: removed Internet Explorer support
ui: boostrap-select ignored header height
ui: merge option objects instead of replacing them in bootgrid (contributed by agh1467)
ui: correct required API for command-info in bootgrid (contributed by agh1467)
ui: add catch undefined TypeError in SimpleActionButton (contributed by agh1467)
ui: fix assorted typos in the code base (contributed by Josh Soref)
ui: handle HTTP 500 error gracefully in MVC pages
ui: fix type cast issue in Bootgrid
plugins: os-acme-client 3.13 [4]
plugins: os-apcupsd 1.0 [5] (contributed by David Berry, Dan Lundqvist and Nicola Pellegrini)
plugins: os-bind 1.24 [6]
plugins: os-boot-delay is no longer available [7]
plugins: os-crowdsec 1.0.1 [8]
plugins: os-ddclient 1.9 [9]
plugins: os-freeradius 1.9.21 [10]
plugins: os-frr 1.30 [11]
plugins: os-git-backup fixes git binary variable use and hides SSH keys by default
plugins: os-haproxy fixes deprecation notes in PHP 8 (contributed by Gavin Chappell)
plugins: os-haproxy 3.11 [12]
plugins: os-maltrail 1.9 [13]
plugins: os-munin-node 1.1 [14]
plugins: os-netdata 1.2 [15]
plugins: os-nginx 1.30 [16]
plugins: os-postfix disables GSSAPI for the time being [17]
plugins: os-tayga 1.2 [18]
plugins: os-web-proxy-useracl is no longer available, no updates since 2017
plugins: os-wireguard 1.12 [19]
plugins: os-zabbix-agent 1.13 [20]
plugins: os-zabbix-proxy 1.9 [21]
src: axgbe: also validate configuration register in GPIO expander
src: pf: ensure that pfiio_name is always nul terminated
src: pf: make sure that pfi_update_status() always zeros counters
src: igc: change default duplex setting
src: lib9p: remove potential buffer overwrite in l9p_puqids() [22]
src: vm_fault: shoot down shared mappings in vm_fault_copy_entry() [23]
src: elf_note_prpsinfo: handle more failures from proc_getargv() [24]
src: pam_exec: fix segfault when authtok is null [25]
src: kevent: fix an off-by-one in filt_timerexpire_l() [26]
src: cam: leep periph_links when restoring CCB in camperiphdone() [27]
src: pfctl: fix FOM_ICMP/POM_STICKYADDRESS clash
src: restrict default /root permissions to 750
src: rc: add ${name}_setup script support
src: zlib: fix a bug when getting a gzip header extra field with inflate() [28]
src: tzdata: import tzdata 2022b and 2022c [29]
src: FreeBSD 13.1-RELEASE [30]
src: ifconfig: print interface name on SIOCIFCREATE2 error
src: igc: do not start in promiscuous mode by default
src: tcp: correctly compute the retransmit length for all 64-bit platforms
src: tcp: fix cwnd restricted SACK retransmission loop
src: tcp: fix computation of offset
src: tcp: send ACKs when requested
ports: curl 7.85.0 [31]
ports: dnsmasq 2.87 [32]
ports: expat 2.4.9 [33]
ports: isc-dhcp 4.4.3P1 [34]
ports: ldns 1.8.3 [35]
ports: liblz4 1.9.4
ports: libxml 2.10.2 [36]
ports: lighttpd 1.4.67 [37]
ports: nss 3.83 [38]
ports: phalcon 5.0.3 [39]
ports: php 8.0.24 [40]
ports: phpseclib 3.0.16 [41]
ports: python 3.9.15 [42]
ports: rrdtool 1.8.0 [43]
ports: sqlite 3.39.3 [44]
ports: squid 5.7 [45]
ports: strongswan 5.9.8 [46]
ports: sudo 1.9.12p1 [47]
ports: suricata 6.0.8 [48]
ports: syslog-ng 3.38.1 [49]
ports: unbound 1.16.3 [50]
The following operating system hotfix was issued:
src: vxlan: check the size of data available in mbuf before using them
src: vm_page: fix a logic error in the handling of PQ_ACTIVE operations [51]
src: cam: provide compatibility for CAMGETPASSTHRU for periph drivers [52]
src: loader: fix elf lookup_symbol type filtering [53]
src: zfs: fix a pair of bugs in zfs_fhtovp() [54]
src: zfs: fix use-after-free in btree code [55]
src: tcp: finish SACK loss recovery on sudden lack of SACK blocks [56]
src: igc: remove unnecessary PHY ID checks
src: ixl: add support for I710 devices and remove non-inclusive language
src: ixl: fix SR-IOV panics
src: u3g: add more USB IDs
src: ixgbe: workaround errata about UDP frames with zero checksum
src: hpet: Allow a MMIO window smaller than 1K
src: ping: fix handling of IP packet sizes [57]
Known issues and limitations:
The DH parameter is no longer available in OpenVPN server configuration and now fixed to the RFC 7919 4096 bit key. The only downside may be lower performance on older machines.
The infamous /var MFS feature was reduced to the /var/log scope in order to avoid future issues with plugins requiring persistent storage under /var. In practice people who used /var MFS had no benefit over it with software that required persistent storage under /var to operate in the first place. Periodic configuration file writes to /var are negligible on SSD-based systems.
The os-dyndns plugin is still available due to the fact that ddclient did not release a non-development release so far since we started os-ddclient. Availability thereof might change later in 22.7.x.
The console firmware update will now display text-based changelogs for the update to be installed if available. Use the arrow keys to scroll the changelog and type “q” to resume the update process.
The manual DHCPv6 tracking mode now requires a proper prefix range given like its counterpart with a static address. If a previous prefix ID type input is detected only setting the lower 64 bits of an IPv6 address, a warning is emitted and the ID is treated as the upper 64 bits of an IPv6 address instead. If your DHCPv6 server does not start please properly fix the given range.
Empty CRLs (System: Trust: Revocation) created prior to this version were not stored correctly. This leads to non-working OpenVPN servers when these CLRs are used starting with this version. To fix this prior to upgrading remove the empty CRL from OpenVPN, or add a dummy certificate to it to populate the CRL properly, or add and remove a random existing certificate to correct the empty CRL.
The public key for the 22.10 series is:
# -----BEGIN PUBLIC KEY-----
# MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAs9U1NFG2420gDDQO97iU
# S72sRdCaYCMoY2K8PpjrPGOkgDFN79YB+BYyUDZiO6aHJvy07yuDwhJcTiMWzuyF
# Ub6BqdB2ehjP0+/Sh2z9eOWecI6s7rDxJVwaZRSagA3f5pDYj2LKtAqIPnv3Avs1
# GTSHUZPR+V09UzUq/j0gRCNA+5hJrRwbyebaUGcp8QetUirmewAU5ArfXIBXvhn9
# L9i8+r0/M/QbueSA7mOA4v2BDZVMAo1X72O6GZmpt+SY6A2fA9uvgYU/19hlCJQY
# 6eL16U4TG2Z1tyR6TIsjGZ973UDAFdZqDO4nqPeW/Dm20fnY/X6ZJcU1McbeDftZ
# 10lquuZBrFgxVDB6zBYX5319p1ASeYnSdhvFlK02P8a6OJS6JWmCx5j1VRAU8Zh1
# W5xZRJJi6HmbX2b1ef2cy3ijtT/jviSNXEPR9V2otz9B+lc0g8P/hPwd7hpmdYj0
# +KYcPaa1kmR4/xf++hb5XbOLt2Wc4mbyBph4VPeXiLYUfYlpYNwfvuP56zdylk+p
# Mzw3XM1M36vA9oMXM9hLrrG67/UH6s4td//w4zdFPQ+A/rlVeF8EHsHICi6Salki
# Z+R9FCNM61wU9HdAPOSpDn1aPQdW3HPNVmeI0iHPg42jIT1n1T0720XgHRTfntyh
# E2+jioeukrqqEg1fzmszseMCAwEAAQ==
# -----END PUBLIC KEY-----
# SHA256 (OPNsense-business-22.10-OpenSSL-dvd-amd64.iso.bz2) = e1e3fb3186f599cb967bc957467e7c932ed9758c38ad443f10246dd63b36940b
# SHA256 (OPNsense-business-22.10-OpenSSL-nano-amd64.img.bz2) = 03a73277dbea8a1befb955dae39342aac6793ba4edca9418e5bfe0cb1e075f1c
# SHA256 (OPNsense-business-22.10-OpenSSL-serial-amd64.img.bz2) = 2774f6783d8a8cf944bcd5928899fb8c2fbe4659a7d18c9ca44df46b47a79c5d
# SHA256 (OPNsense-business-22.10-OpenSSL-vga-amd64.img.bz2) = de9527abb2831f09baf476b2c1db5ba8d4f39655cef37447b72fb2a34b341915