We are excited to announce the release of pfSense® software versions 2.4.2-p1 and 2.3.5-p1, now available for upgrades!
pfSense software versions 2.4.2-p1 and 2.3.5-p1 are maintenance releases bringing security patches and stability fixes for issues present in the pfSense 2.4.2 and 2.3.5 releases.
This release includes several important security patches:
- Updated OpenSSL for CVE-2017-3737 and CVE-2017-3738 / FreeBSD-SA-17:12.openssl (2.4.x and 2.3.x)
- Fixed a potential authenticated command execution issue in certificate data handling #8153 / pfSense-SA-17_10.webgui.asc (2.4.x and 2.3.x)
- Fixed a potential XSS issue in status_filter_reload.php #8143 / pfSense-SA-17_11.webgui.asc (2.4.x and 2.3.x)
- Fixed a potential clickjacking issue in the CSRF error page (2.3.x only, this fix was included in 2.4.2-RELEASE)
Aside from security updates, the new versions include a handful of beneficial bug fixes for various minor issues.
For a complete list of changes, see the 2.4.2-p1 Release Notes and 2.3.5-p1 Release Notes.
Important Package Updates
The AutoConfigBackup package has recently had several improvements. Many of these are on the server side but on the client side there is a new feature to ignore backups generated by Captive Portal voucher updates. These writes happen frequently and push updates to the ACB server with such high volume that more significant backups for that host may be pushed off the server. By setting the option to ignore updates from vouchers, the online backups are able to contain more useful history of manual changes.
The ACME package was recently updated to address issues with Standalone mode validation and the new multi-VA method used by Let’s Encrypt.
At this time, pfSense 2.3.x is a Security and Errata maintenance branch only. pfSense 2.4.x is the primary stable supported branch. If the firewall hardware is capable of running pfSense 2.4.x, consider upgrading to that release instead.
If you have not yet upgraded to pfSense version 2.4.0 or later, read the information in the 2.4.0 Release Announcement before updating for important information that may impact the ability of a firewall to upgrade to pfSense version 2.4.x.
If either by choice or by hardware limitations a firewall cannot be upgraded to pfSense 2.4.x, see the pfSense 2.3.5-RELEASE announcement for information on obtaining the latest 2.3.x release.
Upgrading to pfSense 2.4.2-RELEASE-p1
Updating from an earlier pfSense 2.4.x release to 2.4.2-RELEASE-p1 is possible via the usual methods:
From the GUI:
- Navigate to System > Update, Update Settings tab
- Set Branch to Latest stable version (2.4.x)
- Navigate back to the Update tab to see the pfSense 2.4.x update
From the console or ssh:
- Select option 13 OR select option 8 and run
Upgrading to pfSense 2.3.5-RELEASE-p1
Updating from an earlier pfSense 2.3.x release to pfSense 2.3.5-p1 on an amd64 installation that could otherwise use pfSense 2.4.x requires configuring the firewall to stay on pfSense 2.3.x releases as follows:
- Navigate to System > Update, Update Settings tab
- Set Branch to Legacy stable version (Security / Errata Only 2.3.x)
- Navigate back to the Update tab to see the latest pfSense 2.3.x update
The same change is required to see pfSense 2.3.x packages for users staying on pfSense 2.3.x.
Firewalls running 32-bit (i386) installations of pfSense software do not need to take any special actions to remain on 2.3.x as they are unable to run later versions.
If the update system offers an upgrade to pfSense but the upgrade will not proceed, ensure that the firewall is set to the correct update branch as mentioned above. If the firewall is on the correct branch, refresh the repository configuration and upgrade script by running the following commands from the console or shell:
pkg-static clean -ay; pkg-static install -fy pkg pfSense-repo pfSense-upgrade
In some cases, the repository information may need to be rewritten, this can be accomplished by switching to a development branch, checking for updates, and then switching back to the appropriate branch and checking for updates again.
This release is ready for a production use. Should any issues come up with pfSense 2.4.2-RELEASE-p1 or 2.3.5-RELEASE-p1, please post about them on the the forum, or on the /r/pfSense subreddit.
pfSense CE software is Open Source
For those who wish to review the source code in full detail, the changes are all publicly available in three repositories on GitHub:
- Main repository - the web GUI, back end configuration code, and build tools.
- FreeBSD source - the source code, with patches of the FreeBSD base.
- FreeBSD ports - the FreeBSD ports used.
Using the automatic update process is typically easier than reinstalling to upgrade. See the Upgrade Guide page for details.
Supporting the Project
Our efforts are made possible by the support of our customers and the community. You can support our efforts via one or more of the following.
- Official appliances direct from Netgate. Our appliances are the fast, easy way to get up and running with a fully-optimized firewall.
- Commercial Support – Purchasing support from us provides you with direct access to Netgate Global Support.
- Professional Services – For more involved and complex projects outside the scope of support, our most senior engineers are available under professional services.