2.2.5 New Features and Changes
Updated to FreeBSD 10.1-RELEASE-p24
Multiple vulnerabilities in NTP [REVISED]
Due to insufficient sanitization of the input patch stream, it is
possible for a patch file to cause patch(1) to run commands in
addition to the desired SCCS or RCS commands.
OpenSSH client does not correctly verify DNS SSHFP records when a
server offers a certificate.
OpenSSH servers which are configured to allow password
authentication using PAM (default) would allow many password
Due to insufficient sanitization of the input patch stream, it is
possible for a patch file to cause patch(1) to pass certain ed(1)
scripts to the ed(1) editor, which would run commands.
Multiple integer overflows have been discovered in the
XML_GetBuffer() function in the expat library.
If the kernel-mode IRET instruction generates an #SS or #NP
exception, but the exception handler does not properly ensure that
the right GS register base for kernel is reloaded, the userland GS
segment may be used in the context of the kernel exception
A programming error in the privileged monitor process of the
sshd(8) service may allow the username of an already-authenticated
user to be overwritten by the unprivileged child process. A
use-after-free error in the privileged monitor process of the
sshd(8) service may be deterministically triggered by the actions
of a compromised unprivileged child process. A use-after-free
error in the session multiplexing code in the sshd(8) service may
result in unintended termination of the connection.
Multiple Stored XSS Vulnerabilities in the pfSense WebGUI
The complete list of affected pages and fields is listed in the
Updated strongSwan to 5.3.3
Updated PHP to 5.5.30
Updated miniupnpd to 1.9.20150721 to address a potential
Added support for GUI auth from RADIUS to obtain group names from the
RADIUS reply attribute “Class” as a string (local groups must exist,
similar to LDAP).
#935 Added an LDAP server timeout field to address GUI access issues when
the LDAP server is down/unreachable.
#3383 Added support for LDAP RFC 2307 style group membership.
#4923 Worked around a chicken-and-egg problem in user syncing which was
preventing users from using ssh the first time the account was saved.
#5152 Prevent deletion of system users and groups by authenticated,
authorized users using manually crafted POSTs.
Fixed an incorrect netmask being sent to OpenVPN clients with static
IP addresses set in RADIUS.
#5129 Changed the calculation of the OpenVPN point-to-point server IP
address obtained from RADIUS to be consistent with CSC/Overrides
(Server should be one IP address below the Client)
strongSwan upgraded to 5.3.3.
Fixed missing DH group 22-24.
#4918 Fixed handling of IPv4 IPsec Phase 1 endpoints that resolve to an
(Fixed by strongSwan update to 5.3.3)
Brought back “auto” IKE version and fixed problems with its previous
Pre-shared keys configured as “any” under VPN>IPsec, Pre-Shared Keys
tab are added as %any to ipsec.secrets now, as described in the note
on the page.
#5246 Resolved memory leak by switching printf hooks to vstr.
#5149 The change to vstr to fix the memory leak broke the SMP status plugin.
Switched to vici for status output.
ID selectors omitted from ipsec.secrets for mobile PSK+XAuth
configurations. Fixes pre-shared key mismatches with Apple iOS Cisco
IPsec and other mobile clients.
#5245 Fixed logging default settings and ability to set logging to silent.
#5340 Logging settings applied correctly on clean start and stop/start of
#5242 Remove deleted CAs, certificates and CRLs from strongswan
#5238 Prevent over-matching of auto-added firewall rules for mobile IPsec
#5211 Added IPv6 virtual address pool support for mobile.
#5284 Allow both IPv4 and IPv6 in phase 2 entries on a single phase 1 when
#5305 Omit NAT rules for disabled phase 1 and 2 configurations.
#5320 Only display certificate authority field for methods where it’s
#5323 Only write out CA certificates for those specified in a Phase 1
#5243 Fixed Hybrid RSA + xauth.
#5207 Fixed configuration of split tunnel attribute.
#5327 Specify rightca in ipsec.conf where relevant.
#5241 Specify leftsendcert=always in ipsec.conf for mobile profiles using
IKEv2 to better accommodate iOS and OS X manual configurations.
#5353 Fix IKEv2 mobile client pool status display with small number of
Fixed handling of url_port alias types when processing items that
should be handled by filterdns.
#4888 Fixed handling of line endings when parsing a URL table ports file.
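As an added illustration of the line-ending problem behind #4888 (example code written here, not pfSense's own URL table parser): a port list parser that splits on CRLF, bare CR and LF, strips comments, and validates each entry as a port or a low:high range. The input file is constructed.

```python
import re

# Constructed sample of a URL table ports file with mixed line endings
# (CRLF, bare CR, LF), a comment, a blank line and some invalid entries.
SAMPLE_PORTS_FILE = (
    b"# constructed sample, not a real feed\r\n"
    b"80\r\n"
    b"443\r"
    b"8000:8080\n"
    b"  22 # ssh\n"
    b"\n"
    b"70000\n"
    b"9000:8000\n"
    b"not-a-port\r\n"
)

# A single port or a low:high range; numeric range checks happen afterwards.
PORT_RE = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")

def parse_ports_file(data: bytes):
    """Return (accepted, rejected) entries for a URL table ports file.

    Lines are split on \\r\\n, \\r and \\n so a CRLF-terminated file does not
    leave a stray '\\r' on every entry; comments and whitespace are removed;
    each entry must be a port in 1-65535 or a range with low <= high.
    """
    accepted, rejected = [], []
    text = data.decode("utf-8", errors="replace")
    for raw in re.split(r"\r\n|\r|\n", text):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue  # blank or comment-only line
        m = PORT_RE.match(line)
        if not m:
            rejected.append(line)
            continue
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if not (1 <= low <= 65535 and 1 <= high <= 65535 and low <= high):
            rejected.append(line)
            continue
        accepted.append(line)
    return accepted, rejected

if __name__ == "__main__":
    ok, bad = parse_ports_file(SAMPLE_PORTS_FILE)
    print("accepted:", ok)
    print("rejected:", bad)
```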
Fixed handling of empty bogon lists on NanoBSD.
Fixed handling of 6rd rules so they are only added when there is an
IPv4 IP defined for the gateway, otherwise the ruleset ends up
#4935 Added support for port ranges on Outbound NAT.
#5156 Added a check to prevent renaming an alias to an existing name.
#5162 Improved the fix for increasing the “self” table size in pf.
Imported fixes from FreeBSD for a situation that could result in a
panic/crash due to source address limits in pf rules (“pf_hashsrc:
unknown address family 0”).
Implemented an alternate method to find VIP targets that should be
allowed for Captive Portal.
#4903 Improved handling of the captive portal database files for zones in
cases when the database files may be corrupt or unreadable.
#4904 Improved handling of vouchers that are too short. In certain cases
they were not being properly rejected.
#4985 Fixed handling of voucher database files, initializing the database
properly when necessary.
#5113 Fixed loading of allowed hostnames at boot time.
Fixed handling of package install errors and connect timeouts during
the install process.
#4884 Improved package version comparison.
#4924 Fixed an issue with package editing where the default value was not
being populated for new fields.
Fixed removal of syslog.conf entries during package uninstall
Fixed handling of DHCP pools that are out of range, preventing them
from creating an invalid dhcpd configuration.
#4878 Added support for UEFI network booting with arch 00:09.
#5046 Fixed a situation where dhcpleases could miss updates for hostnames
in the leases file, delaying functional hostname resolution of new
and updated DHCP leases.
#4931 Automatically add firewall rules to permit DHCP traffic when DHCP
Relay is enabled, matching the behavior for DHCP Server.
Fixed identification of IPv6 interfaces with PPP-type interfaces and
#3670 Removed “Could not find gateway for interface…” log messages as
they were largely useless.
#4102 Added OpenVPN interfaces to the list of available interfaces when
reassignment is necessary during config.xml restoration.
Fixed interface assignment menus running off VGA screen.
Fixed preservation of MLPPP settings when saving interface settings.
#4568 Correct handling of SLAAC, DHCP6 and DHCP-PD with PPP interfaces.
Fixed Cloudflare support for Dynamic DNS updates.
Fixed GratisDNS support for hosts without subdomains.
Disabled DHS provider. It had never worked.
Fixed IPv4 dynamic DNS registrations on dual stack hosts to providers
with AAAA records.
#3858 Update Dynamic DNS using gateway groups upon enable and disable of
#5214 Fixed Dynamic DNS using gateway groups specifying a CARP IP.
Fixed the configuration version comparison in XMLRPC sync to prevent
more invalid synchronization cases.
#4902 Cleaned up old unused platforms referenced in a few areas of the code
that were no longer relevant.
Fixed killing of individual states in cases when the source and
destination were reversed.
#4907 Fixed killing of individual states for IPv6.
#4906 Changed the “enableallowallwan” script to also allow bogons, which
makes the use of RFC 5735 / RFC 6890 test networks easier in lab
Fixed handling of VIPs in source address selection for Diagnostics >
#4986 Updated status.php to include more information.
#5304 Fixed handling of the description in Traffic Shaping.
Fixed pfSense base version comparison.
#4925 Fixed handling of multiple notices in the same second.
#4879 Removed the routed service as it is being handled by the package.
Set MIME type for SVG in lighttpd configuration.
Improved handling of the cron service reconfiguration process.
Added option to display monitor IP on Gateways widget
#4782 Added “Description” as a display option on Traffic Graphs.
#4783 Fixed handling of L2TP server interface selection.
#4830 Added /usr/bin/dc back into the build.
#5111 Fixed a crash/panic “Sleeping thread owns a non-sleepable lock” in
ARP code when using Proxy ARP type VIPs.
#4685 Added support for Sierra Wireless 7355.
#4863 Updated time zones.
#5254 Added fsync of Unbound’s root.key to ensure the file isn’t corrupted
if power is lost shortly after writing of the file. Code added to
detect corrupt root.key and delete and recreate it.
#5334 Fix changing outbound NAT modes and uploading/downloading files on
exec.php with non-English languages.
#5343 Associate intermediate internal CA certificates with the signing CA.