Netgate Blog

Update pfSense packages to protect against NGINX, libzmq4, and curl vulnerabilities

We have incorporated fixes for some recently identified vulnerabilities, specifically:

NGINX: CVE-2018-16843, CVE-2018-16844, and CVE-2018-16845

libzmq4: CVE-2019-6250

curl: CVE-2018-16890, CVE-2019-3822, and CVE-2019-3823

As always, take a backup of the firewall configuration prior to any major change to the firewall.

To incorporate these security fixes you will need access to the operating system shell. You can do that by using either SSH or a local console. This procedure may NOT be performed via the pfSense web interface. From the pfSense command line interface (CLI). Choose option 8 “Shell”.

From the “/root:” prompt, type pkg update; pkg upgrade as shown in the screenshot below.

pkg-update

When prompted, choose y to proceed. (A reboot is not required.)

Warning: If you are running a version of pfSense prior to 2.4.4-p2 simply update to that version to benefit from these changes. Be sure to review the blog post and Release Notes prior to upgrading. Updating the packages from the command line of an earlier version will update your firewall to 2.4.4-p2. We do not recommend that option.

If you have chosen to install a version later than 2.4.4-p2 by following the “Latest development snapshots (Experimental 2.4.x DEVEL)” update channel, this procedure will NOT install the updated packages.

We encourage you to update your pfSense packages immediately. This is a small upgrade, but a major security update!