pfSense® software version 2.2.4 release is now available, bringing a number of bug fixes and some security updates.
Security Fixes and Errata
- pfSense-SA-15_07.webgui: Multiple Stored XSS Vulnerabilities in the pfSense WebGUI
- The complete list of affected pages and fields is listed in the linked SA.
- FreeBSD-SA-15:13.tcp: Resource exhaustion due to sessions stuck in LAST_ACK state. Note this only applies to scenarios where ports listening on pfSense itself (not things passed through via NAT, routing or bridging) are opened to untrusted networks. This doesn’t apply to the default configuration.
- Note: FreeBSD-SA-15:13.openssl does not apply to pfSense. pfSense did not include a vulnerable version of OpenSSL, and thus was not vulnerable.
- Further fixes for file corruption in various cases during an unclean shut down (crash, power loss, etc.). #4523
- Fixed pw in FreeBSD to address passwd/group corruption
- Fixed config.xml writing to use fsync properly to avoid cases when it could end up empty. #4803
- Removed the ‘sync’ option from filesystems for new full installs and full upgrades now that the real fix is in place.
- Removed softupdates and journaling (AKA SU+J) from NanoBSD, they remain on full installs. #4822
- The forcesync patch for #2401 is still considered harmful to the filesystem and has been kept out. As such, there may be some noticeable slowness with NanoBSD on certain slower disks, especially CF cards and to a lesser extent, SD cards. If this is a problem, the filesystem may be kept read-write on a permanent basis using the option on Diagnostics > NanoBSD. With the other above changes, risk is minimal. We advise replacing the affected CF/SD media by a new, faster card as soon as possible. #4822
- Upgraded PHP to 5.5.27 to address CVE-2015-3152 #4832
- Lowered SSH LoginGraceTime from 2 minutes to 30 seconds to mitigate the impact of MaxAuthTries bypass bug. Note Sshlockout will lock out offending IPs in all past, current and future versions. #4875
Bug Fixes and Change List
As always, you can upgrade from any previous version straight to 2.2.4. For those already running any 2.2x version, this is a low risk upgrade. This is a high priority upgrade for those using IPsec on 2.2x versions. For those on 2.1.x or earlier versions, there are a number of significant changes which may impact you. Pay close attention to the 2.2 Upgrade Notes for the details.
pfSense software is Open Source
For those who wish to review the source code in full detail, the changes are all publicly available in three repositories on GitHub:
- Main repository - the web GUI, back end configuration code, and build tools.
- FreeBSD source - the source code, with patches of the FreeBSD base.
- FreeBSD ports - the FreeBSD ports used.
Downloads are available on the mirrors as usual.
Downloads for New Installs and Upgrades to Existing Firewalls – note that it is typically easier to use the auto-update functionality, then there is no need to download anything manually. Check the Firmware Updates page for details.
Supporting the Project
Our efforts are made possible by the support of our customers and the community. You can support our efforts via one or more of the following.
- Official appliances direct from the source. Our appliances are the fast, easy way to get up and running with a fully-optimized firewall.
- Gold subscription – Immediate access to past hang out recordings as well as the latest version of the book after logging in to the members’ area.
- Commercial Support – Purchasing support from us provides you with direct access to Netgate Global Support.
- Professional Services – For more involved and complex projects outside the scope of support, our most senior engineers are available under professional services.