Netgate Blog

pfSense 2.4.4-RELEASE-p1 now available

We are excited to announce the release of pfSense® software version 2.4.4-p1, now available for upgrades!

pfSense software version 2.4.4-p1 is a maintenance release, bringing security patches and stability fixes for issues present in the 2.4.4 release.

Highlights

The following lists are a brief summary of changes in pfSense 2.4.4. To see a complete list of changes and find more detail, see the Release Notes.

Security / Errata

This release includes several important security patches:

  • FreeBSD Errata Notice FreeBSD-EN-18:09.ip: IP fragment remediation causes IPv6 fragment reassembly failure #8934
  • FreeBSD Errata Notice FreeBSD-EN-18:10.syscall NULL pointer dereference in freebsd4_getfsstat system call (CVE-2018-17154)
  • FreeBSD Errata Notice FreeBSD-EN-18:11.listen Denial of service in listen syscall over IPv6 socket (CVE-2018-6925)
  • FreeBSD Errata Notice FreeBSD-EN-18:12.mem Small kernel memory disclosures in two system calls (CVE-2018-17155)
  • Fixed a potential authenticated command injection issue with PowerD settings. pfSense-SA-18_09.webgui #9061
  • Fixed handling of privileges on the All group that were previously ignored.

    Warning: Check the privileges on the All group before upgrading to avoid unintended privileges for accounts being respected that were not honored before.

Notable Bug Fixes

  • Fixed various sources of PHP 7.2 errors throughout the code base.
  • Updated Unbound to 1.8.1 to address issues with memory leaks, especially in DNS over TLS support.
  • Updated strongSwan to 5.7.1.
  • Improved IPsec VTI compatibility with third-party vendor implementations.
  • The filterdns daemon has been completely rewritten to address a number of issues.
  • Fixed issues with package reinstallation after restoring a configuration backup.
  • Fixed issues with Hyper-V hn(4) network interfaces and IPv6 as well as issues with ALTQ.

Notable New Features

  • Added GUI options to control sshguard sensitivity and whitelisting to allow users to fine-tune the behavior of the brute force login protection.
  • Added support for LDAP client certificates on authentication servers. (Factory only)
  • Added schedule (cron) support to AutoConfigBackup.

Upgrade Notes

Due to the significant nature of the changes in 2.4.4 and later, warnings and error messages, particularly from PHP and package updates, are likely to occur during the upgrade process. In nearly all cases these errors are a harmless side effect of the changes between FreeBSD 11.1 and 11.2 and between PHP 5.6 and PHP 7.2.

Always take a backup of the firewall configuration prior to any major change to the firewall, such as an upgrade.

Do not upgrade packages before upgrading pfSense! Either remove all packages or leave the packages alone before running the update.

The upgrade will take several minutes to complete. The exact time varies based on download speed, hardware speed, and other factors such installed packages. Be patient during the upgrade and allow the firewall enough time to complete the entire process. After the update packages finish downloading it could take 10-20 minutes or more until the upgrade process ends. The firewall may reboot several times during the upgrade process. Monitor the upgrade from the firewall console for the most accurate view.

Consult the Upgrade Guide for additional information about performing upgrades to pfSense software.

Important Information about Upgrading and Installing pfSense software version 2.4.0 and later

If you have not yet upgraded to pfSense version 2.4.0 or later, read the information in the 2.4.0 Release Announcement before updating for important information that may impact the ability of a firewall to upgrade to pfSense version 2.4.x.

Free pfSense Gold Content

As a reminder, as of the previous release of pfSense 2.4.4, all former pfSense Gold content is now free for all!

Upgrading to pfSense 2.4.4-RELEASE-p1

Updating from an earlier pfSense 2.4.x release to 2.4.4-RELEASE-p1 is possible via the usual methods:

From the GUI:

  • Navigate to System > Update
  • Set Branch to Latest stable version (2.4.x)
  • Click Confirm to start the upgrade process

From the console or ssh:

  • Select option 13 OR select option 8 and run pfSense-upgrade

Update Troubleshooting

See Upgrade Troubleshooting for the most up-to-date information on working around upgrade issues.

If the update system does not offer an upgrade to 2.4.4-p1, or the upgrade will not proceed, take the following steps:

  • Navigate to System > Updates
  • Set Branch to Latest stable version
  • Refresh the repository configuration and upgrade script by running the following commands from the console or shell:

    pkg-static clean -ay; pkg-static install -fy pkg pfSense-repo pfSense-upgrade
    

In some cases the repository information may need to be rewritten:

  • Navigate to System > Updates
  • Set the Branch to Latest Development Snapshots
  • Wait for the page to refresh
  • Set the Branch to Latest stable version

If the update still does not appear, run the commands above from the console or shell.

2.3.x EOL Reminder

The 2.3.x branch has passed its end of life (EOL) date and is no longer supported.

Upgrade to 2.4.x on compatible hardware as soon as possible. See pfSense® Release 2.3.x EOL Reminder for more information.

Reporting Issues

This release is ready for a production use. Should any issues come up with pfSense 2.4.4-RELEASE-p1, please post about them on the the forum or on the /r/pfSense subreddit.

Thanks!

pfSense software is Open Source

For those who wish to review the source code in full detail, the changes are all publicly available in three repositories on GitHub:

Download

Downloads for New Installs

Using the automatic update process is typically easier than reinstalling to upgrade. See the Upgrade Guide page for details.

Supporting the Project

Our efforts are made possible by the support of our customers and the community. You can support our efforts via one or more of the following.

  • Official appliances direct from the source. Our appliances are the fast, easy way to get up and running with a fully-optimized firewall.
  • Commercial Support – Purchasing support from us provides you with direct access to Netgate Global Support.
  • Professional Services – For more involved and complex projects outside the scope of support, our most senior engineers are available under professional services.