2.1.1 New Features and Changes¶
FreeBSD-SA-14:01.bsnmpd / CVE-2014-1452
FreeBSD-SA-14:02.ntpd / CVE-2013-5211
FreeBSD-SA-14:03.openssl / CVE-2013-4353, CVE-2013-6449, CVE-2013-6450
Note: This FreeBSD SA is only for the FreeBSD 10.x base, but we include that version of OpenSSL from ports.
The following FreeBSD Security Advisories were not relevant to pfSense:
Use HTTPS to get updates. #2952
Escape necessary chars to avoid XSS injection. #2952
Add escapeshellarg() calls on more exec parameters.
Replace some exec() calls by php functions like symlink, copy, unlink, etc.
Use HTTPS for pfsense.org URLs.
Protect output to browser by using htmlspecialchars. #3461
Improve checks for params ‘id’, ‘dup’ and other similar ones to make sure they are numeric integer, also, pass them through htmlspecialchars before printing.
Remove special characters that can lead to shell/XSS compromises from submitted input when installing packages. #3461
Ask for validation when real package operation will be done and ask for the operation with POST to get protection from CSRF. #3460
Use HTTPS for fetching packages.
- Updated em/igb/ixgb/ixgbe drivers that add support for i210 and i354
NICs and fix issues with
- Prevent assigned vlans from having their tag changed.
- Fix ifconfig error on gif in certain cases.
- If rc.newwanip is run on an interface that should not have an IP address, do not take any action. This could lead to certain interfaces bouncing link if they had no IP address.
- In rc.newwanip, if the interface is configured and not enabled, bail. We do not need to change settings for disabled interfaces. #3313
- Skip processing in rc.newwanip if the interface has no IP address.
- Fix pkg_edit.php to show interface description instead of interface name
- Make sure vlan interface exist when they are configured #3270
- Limit CIDR choices for IPv4 on GRE interface. #3277
- Do not destroy an interface when it’s being disabled #3350
- Prevent network or broadcast address to be set on interface (console, GUI and wizard). #3196
- Reduce unnecessary operations and other fixes to MTU code. This fixes slow boot times and proper handling of mtu for VLANs.
- Provide a dynamic gateway for GIF and GRE v6 tunnels so it can be used on firewall rules etc. #3484
- Bring up appropriate interface for GRE/GIF. #3281
- Prevent removing the IP from the underlying GRE interface in the OS when assigning GRE interface and configuring an IP address. #3280
- When an interface goes down try to shut the RAs and dhcpd6 service on that interface. #2627
- Sync up ALTQ-capable interfaces list
- Trigger rc.newwaipv6 from pppoe when it gets an inet6 configuration
- Update list of mobile service providers.
- Correct check to enable ieee8021x.
- Respect default gateway option when adding a gateway from interfaces page. #3230
- Use a more accurate error message when attempting to add/edit a gateway that does not have an appropriate IP address for the type. #3282
- Make return_gateways_array() return all disabled gateways when $disabled is true. #3291
- Don’t flush interface cache on each call of the function when looping through all gateways.
- Fix an issue that changes wrong gateway entry when items are hidden
- Delete static route when monitor IP is removed, also save monitor IP even when it’s disabled
- Return Gateway Group IP protocol version even when no gateway IP can be located.
- Remove broken ‘dynamic6’ gateway, we already have ipprotocol to tell us the IP version, leave it more simple using only ‘dynamic’
- Reload filter rules when activate or deactivate dhcpdv6 #3218
- Make sure no extra spaces end up in the parsed IP in the filter logs as it can lead to issues in other places (Easy Rule, etc)
- Use (self) rather than any as the destination for the lockout rules
- Use (self) instead of any for web lockout
- Avoid pf table names conflict. #3268
- Fix display of full URL in URL table listing as seen in an Alias popup. #3242
- Make it more explicit that ‘update freq.’ for URL table aliases unit is days
- Fix situation where removing an alias entry and then adding a new one resulted in an entry box with broken formatting. #3283
- Make sure pf rule labels never have more than 63 chars. #3208
- Rewrite the display_host_results() function to use spaces instead of tabs. It does a much better job of aligning the fields in each column and works in all the browsers, particularly chrome which doesn’t support the tab character.
- Handle comma-separated list of remote networks when making vpn_networks table
- Fix rules that pass out traffic for Proxy ARP VIP entries which had incorrect destination #3331
- Load only the options rather than clearing the whole ruleset.
- Validate IP address ranges correctly on Alias Bulk Import
- Fix display of CIDR/Update Freq in Alias Edit
- In the filter log, the protocol might also say “icmpv6” so account for that when making a rule using Easy Rule.
- Move ‘allow dhcpv6 client’ rules above block bogonsv6 ones. #3395
- Only add dhcpv6 client allow rules if ipv6allow is set
- Add all advanced options to rule table hover text.
- Open up Firewall Rules Advanced Options section if any values have been set.
- Validate rule Advanced Options numeric entries properly
- Disable default allow incoming rules for 6to4 and 6rd interfaces. This rule unintentionally allows all services on the interface.
- Skip OpenVPN interfaces when creating the first set of manual rules to be consistent with the behavior of Automatic Outbound NAT. #3528
- Try to restore last working ruleset rather than staying without configuration at all if an invalid ruleset is encountered.
- Fix days and weeks selection on schedules
- Prevent prevent putting an subnet in the IPv6 address field since it then breaks the filter generation process.
- Put a timeout of 30 seconds on the bogon update download. #3412
- Before downloading file to process urltable, there is a random wait time between 5 and 60 seconds. Because of this, the difference between file mtime and current time can be less than $freq * 86400 and it’ll be skipped. Add 90 seconds (60 of max random wait + 30 just to be sure) to avoid skipping a file that should be updated. #3469
- Validate if src OR dst have IP address set when protocol is IPv4+v6. #3499
- Fixed typo in CoDel wiki link
- Fix codel not being applied on non-priq queue types
- Fix saving and range checking of ‘Packet loss rate’ and ‘Bucket Size’ in limiters.
- Add previously missing DSCP VA.
- Clarify note on limiter queue weight to state that higher values get a larger share.
Dashboard & General GUI¶
- Convert mac address to lowercase when saving to avoid duplicates. It fixes #3195
- Include the CP zone in the form parameters if one is defined. Fixes access to concurrent graph on zones other than the first/default.
- Miscellaneous HTML cleanup
- Fix interface names shown in the traffic graphs widget. #3245
- Send the help links to HTTPS destinations on web servers that support HTTPS.
- Specify favicon in pages directly
- Add some missing privileges to the list. #3279
- Many fixes on privileges. #3216
- Allow setting a default scale type preference for the traffic graphs widget
- Account for a widget being null/not defined, and not just closed/open when deciding if a widget function should be called. This allows the system information dashboard widgets to update properly.
- Avoid dashboard divide by zero errors
- Detect Zones and Cores for thermal sensors using regex. #3337
- Do not sort users when adding privileges. It’s unnecessary and lead to unintentional edits to the wrong account.
- Add specific privilege for easyrule.
- Return all stats when all or remote is selected on Traffic Graph and make the default query return “Local” traffic.
- Update year, links for 2.1.1.
- Fix CP stats generation for concurrent users. #3225
- Remove redundant copies of getNasIP() #3234
- Set default captive portal RADIUS authentication value to radius_protocol during upgrade #3226
- Add Captive Portal Zones privileges definition. #3216
- Prevent a possible division by zero in Captive Portal. #3212
- Fix saving of voucher sync settings
- Reduce the total minutes by the remote minutes used, do not use the value directly. Otherwise the voucher will be cut short or listed invalid when it otherwise should have time left over.
- Make sure to give the Captive Portal zone a name during the upgrade, or else it comes through with a blank/null name.
- Properly set zone dedicated rules in the rules/pipes DBs to properly release when a zone is deactivated
- Don’t generate rules for disabled captive portal instances
- Do some more error checking and put secondary radius attributes only if configured on a Captive Portal instance.
- If set use the default bandwidth setting on the Captive Portal even for MAC passthrough.
- Fix various problems with Captive Portal voucher synchronization introduced during conversion to zones.
- Properly compile the Captive Portal database query to insert the values.
- Fix deletion of IPFW rules and pipes for passthru MAC. #3538
- Use the 11th column for the radius context rather than overriding the interim interval field with it. #3447
- Use descr as the field name for voucher description so it gets CDATA protection. #3441
- Consider setting of noconcurrent login for passthrough expiration of users. #3340
- Use the default bandwidth specification if configured even for allowed IP address and hostname.
- Properly detect when there are issues with communicating with syncip and to use the local DB for this. Otherwise detect if the remote says the voucher is not valid say its not valid.
- Fix find_service_by_openvpn_vpnid() on OpenVPN Status
- Allow special characters to be used on IPsec mobile login banner. #3247
- Fix cisco-avpair processing for IPsec and OpenVPN, and route processing from avpair replies.
- Fix logic in detecting if OpenVPN resync needed
- Fix vpn_pppoe_get_id and stop duplicating pppoeid for multiple servers. #2286
- Use env var provided by openvpn to determine if it’s tun or tap. #3475
- Add an option to verify IPsec peers_identifier when it’s ASN.1 distinguished name. #2904
- Certificate Manager, for ‘Create an internal Certificate’ use the correct ‘Digest Algorithm’
- OpenSSL does not like country codes longer than two letters, so remove entries that are not actually country codes.
- Perform a much more accurate comparison between two certificates to determine if they are identical when checking their revocation status. #3237
- Allow an “empty” CRL to be exported, since this is still a valid action.
- Fixes for “Alternative Names” on certificates.
- Fix issue with CSR generation. #2820
- Increase default openssl to bits 2048.
- Optimize DHCPv4 lease display online status for static leases. Do not re-parse complete ARP table for each lease, as it can be slow with large ARP tables.
- Add upgrade code to change the DHCP next-server value to nextserver since it was renamed sometime in 2.1 but upgrade code didn’t follow.
- Give clients the IPV6 address of the DNS server via DHCPv6 Server
- Check if dhcp start and end addresses are inside interface subnet. #3196
- Remove ‘deny unknown clients’ option from DHCPv6 since it’s not supported. #3364
- Fix DHCP lease time display, strftime already convert it to local timezone, so we no need to calc offset
- Use correct parameter (bootfile-url) to configure netboot on DHCPdv6. #3421
- Only use IPv4 DNS servers in IPv4 DHCP configuration. #3483
- Fix PHP error when saving DHCP settings if no manually configured DNS servers exist.
- Send a HUP to dhcp6 to signal a reload. #3514
- Prevent a Fall Back Pool from being selected when the DNS protocol is in use. If one is present in the config, ignore it. #3300
- Fix display of pools in the LB status widget and on the LB Virtual Server status.
- Allow multiple valid time servers to be entered in the wizard, as they are allowed under System > General
- Update time zone data to 2013i
- Teach system_timezone_configure() to deal with symlinks to avoid having timezone misconfigured. #3293
- Add ‘limited’ to ntpd restrict list to workaround FreeBSD-SA-14:02.ntpd/CVE-2013-5211. #3384
- Use “disable monitor” in NTP config to mitigate FreeBSD-SA-14:02.ntpd/CVE-2013-5211.
- Update ntp to ntp-devel for FreeBSD-SA-14:02.ntpd/CVE-2013-5211.
- Avoid placing an empty “interface listen” directive in ntpd.conf.
- Fix ALIX upgrade crash during RRD processing
- Fix “Could not open shared memory for read 1000” issue on Diagnostics > NanoBSD. #3235
- Fix ufslabels.sh logic to avoid trying to convert slices which are already using appropriate labels. Fixes #3207
- Fix removal of the first cron job entry in the list.
- We do not use nor include newsyslog, so remove the cron job from the default configuration and on upgrade.
- Split SSL/TLS into separate checkboxes so that plaintext connections can be made secured by using STARTTLS. Support for SMTPS connections should probably be done away with in future. #3180
- Add source address selection to syslog settings, so it can work more effectively over a VPN. #355
- Rework the usage of the shell i/o during stop_packages(), fixes the “Syntax error: bad fd number” for the remaining people who still saw it on shutdown
- Switch to rw mode before file operations on RFC2136 cache. Fixes #3201
- Make the RADIUS settings respect the description of the timeout field. If the timeout value is left blank, use 5 seconds, don’t print an error.
- Call conf_mount_rw before deleting a user. #3294
- Handle the reinstallall case with confirmation. #3548
- Do not list the same CARP ip as an option for its own Interface.
- Accept adding an IP Aliases on top of CARP VIP when the parent interface does have a valid IP address in the alias subnet.
- Simplify log filtering logic calling grep less times, as done on mail_reports.inc on 2c6efc9.
- Fix console recent config restore, allow restoration of the last backup listed. #3438
- Enhanced validation of general DNS servers and gateways
- Add a mechanism by which the serial port can be forced on always regardless of the config setting. (useful for nano+vga setups)
- Add a knob to let the user select which console (video or serial) is preferred in cases where there are multiple consoles present.
- Skip input validation when choosing an existing certificate in the User Manager. #3505
- pfSense_interface_deladdress() only knows how to delete an ip address, not a subnet. #3513
- Make is_linklocal case-insensitive. #3433
- Errors in in RRD graph calculations
- Delete /var/crash content when the user clicks ‘No’. #3486
- Make sure filesystem is read-write when operating on groups. #3492
- Fix OpenVPN XML section name for selective configuration backup.
- Remove TRIM_set and TRIM_unset support. This method isn’t very elegant and isn’t necessary in the long run. It’s better handled during the install process or while booted off other media (e.g. CD or Memstick).