We are pleased to announce the release of pfSense® software version 2.4.4-p3, now available for new installations and upgrades!

pfSense software version 2.4.4-p3 is a maintenance release, bringing a number of security enhancements as well as a handful of fixes for issues present in the 2.4.4-p2 release.

pfSense 2.4.4-RELEASE-p3 updates and installation images are available now!

To see a complete list of changes and find more detail, see the Release Notes.

We had hoped to bring you this release a few days earlier, but given the announcement last Tuesday of the Intel Microarchitectural Data Sampling (MDS) issue, we did not have sufficient time to fully incorporate those corrections and properly test for release on Thursday. We felt that it was worth delaying for a few days, rather than making multiple releases within a week.

Highlights

Security / Errata

pfSense software release version 2.4.4-p3 addresses several critical security issues:

  • A privilege escalation issue where an authenticated user could have used a technique similar to directory traversal to gain access to pages for which they otherwise would not have privileges
  • A privilege escalation issue where an authenticated user granted access to the Dashboard or widgets could have gained access to pages for which they otherwise would not have privileges
  • A privilege escalation issue where an authenticated user granted access to edit OpenVPN servers, clients, or client-specific overrides could have executed shell scripts via OpenVPN advanced options to gain higher privileges

    A new set of privileges has been created to delegate access to edit the advanced options fields on these pages. Existing users who are not administrators, but only have access to the stated pages, can no longer edit advanced option fields until the new privileges have been granted.

  • Potential cross-site scripting (XSS) vectors in 10 GUI pages
  • The sshguard daemon which protects the GUI and ssh against brute force attacks was changed to use a single table to block offenders from reaching the GUI and SSH, which corrects previous unexpected inconsistencies in behavior.

  • Several FreeBSD security advisories:

  • DNS over TLS host verification has been added, thanks to support from a recent Unbound version that made it possible on systems without OpenSSL 1.1.x.

For complete details about these issues, see the see the Release Notes.

Upgrade Notes

Due to the significant nature of the changes in 2.4.4 and later, warnings and error messages, particularly from PHP and package updates, are likely to occur during the upgrade process. In nearly all cases these errors are a harmless side effect of the changes between FreeBSD 11.1 and 11.2 and between PHP 5.6 and PHP 7.2.

Always take a backup of the firewall configuration prior to any major change to the firewall, such as an upgrade.

Do not update packages before upgrading pfSense! Either remove all packages or do not update packages before running the upgrade.

The upgrade will take several minutes to complete. The exact time varies based on download speed, hardware speed, and other factors such installed packages. Be patient during the upgrade and allow the firewall enough time to complete the entire process. After the update packages finish downloading it could take 10-20 minutes or more until the upgrade process ends. The firewall may reboot several times during the upgrade process. Monitor the upgrade from the firewall console for the most accurate view.

Consult the Upgrade Guide for additional information about performing upgrades to pfSense software.

Important Information about Upgrading and Installing pfSense software version 2.4.0 and later

If you have not yet upgraded to pfSense version 2.4.0 or later, read the information in the 2.4.0 Release Announcement before updating for important information that may impact the ability of a firewall to upgrade to pfSense version 2.4.x.

Free pfSense Gold Content

As a reminder, as of the previous release of pfSense 2.4.4, all former pfSense Gold content is now free for all!

Upgrading to pfSense 2.4.4-RELEASE-p3

Updating from an earlier pfSense 2.4.x release to 2.4.4-RELEASE-p3 is possible via the usual methods:

From the GUI:

  • Navigate to System > Update
  • Set Branch to Latest stable version (2.4.x)
  • Click Confirm to start the upgrade process

From the console or ssh:

  • Select option 13 OR select option 8 and run pfSense-upgrade

Update Troubleshooting

See Upgrade Troubleshooting for the most up-to-date information on working around upgrade issues.

If the update system does not offer an upgrade to 2.4.4-p3 or the upgrade will not proceed, take the following steps:

  • Navigate to System > Updates
  • Set Branch to Latest stable version
  • Refresh the repository configuration and upgrade script by running the following commands from the console or shell:

    pkg-static clean -ay; pkg-static install -fy pkg pfSense-repo pfSense-upgrade
    

In some cases the repository information may need to be rewritten:

  • Navigate to System > Updates
  • Set the Branch to Latest Development Snapshots
  • Wait for the page to refresh
  • Set the Branch to Latest stable version

If the update still does not appear, run the commands above from the console or shell.

2.3.x EOL Reminder

The 2.3.x branch has passed its end of life (EOL) date and is no longer supported.

Upgrade to 2.4.x on compatible hardware as soon as possible. See pfSense® Release 2.3.x EOL Reminder for more information.

Planning for the upcoming 2.5.0 release

We are hard at work on the upcoming pfSense 2.5.0 release. Keep an eye on the draft copy of the 2.5.0 Release Notes for information about upcoming changes. 2.5.0 will bring a base OS upgrade to FreeBSD 12 as well as upgrades to OpenSSL 1.1.1, PHP 7.3, and Python 3.6.

The built-in load balancer has been deprecated from pfSense 2.5.0, and all related code has been removed, as it is not compatible with FreeBSD 12. Plan migrations to alternate solutions such as the HAProxy package now.

Please note that pfSense version 2.5.0 WILL NOT require AES-NI. The original plan was to include a RESTCONF API in pfSense version 2.5.0, which for security reasons would have required hardware AES-NI or equivalent support. Plans have since changed, and pfSense 2.5.0 does not contain the planned RESTCONF API, thus the removal of the AES-NI requirement.

Reporting Issues

This release is ready for a production use. Should any issues come up with pfSense 2.4.4-RELEASE-p3, please post about them on the the forum or on the /r/pfSense subreddit.

Thanks!

pfSense CE software is Open Source

For those who wish to review the source code in full detail, the changes are all publicly available in three repositories on GitHub:

Download

Downloads for New Installs

Using the automatic update process is typically easier than reinstalling to upgrade. See the Upgrade Guide page for details.

Supporting the Project

Our efforts are made possible by the support of our customers and the community. You can support our efforts via one or more of the following.

  • Official appliances direct from Netgate. Our appliances are the fast, easy way to get up and running with a fully-optimized firewall.
  • Commercial Support – Purchasing support from us provides you with direct access to Netgate Global Support.
  • Professional Services – For more involved and complex projects outside the scope of support, our most senior engineers are available under professional services.