pfSense 2.4.1 Security und Bugfix Update veröffentlicht

Kurz nach dem großen Update auf 2.4.0 der Open-Source Firewall, pfSense, wurde nun das Security und Bugfix Release 2.4.1 mit vielen Änderungen und Fehlerkorrekturen veröffentlicht.

pfSense 2.4.1 Release Notes

Security / Errata

• Fixes for the set of WPA2 Key Reinstallation Attack issues commonly known as KRACK #7951
• Changed upgrade handling to use the pkg-static binary to prevent errors when moving to new major FreeBSD version
• Fixed a VT console race condition panic at boot on VMware platforms (especially ESXi 6.5.0U1) #7925
• Fixed a bsnmpd problem that causes it to use all available CPU and RAM with the hostres module in cases where disk drives are present without media inserted #6882
• Fixed an upgrade problem due to FreeBSD 11 removing legacy ada aliases, which caused some older installs to fail when mounting root post-upgrade #7937
• Changed the boot-time fsck process the ensure the disk is mounted read-only before running fsck in the preen mode.

Known Issues

• The VLAN changes mentioned in the Interfaces section may prevent PPP sessions from working on VLANs in some cases, see #7981

Interfaces

• Changed the VLAN interface names to use the ‚dotted‘ format of FreeBSD, which is shorter and helps to keep the interface name smaller than the limit (16) This fixes the 4 digit VLAN issues when the NIC name is 6 bytes long.
• Improved the ‚Assign Interfaces‘ console process to automatically stop when there are no more interfaces to assign
• Improved the ‚Set interface IP address‘ console process to accept ‚IP/mask‘ notation
• Fixed wireless client interfaces so they do not reconfigure wireless on a link up event, or else they can get stuck in a loop #7960
• Fixed setting VLAN Priority in VLAN interface configuration #7748

Dashboard

• Fixed a problem with the Picture Dashboard widget when it does not have a picture defined #7896
• Fixed time display for UTC in the NTP Dashboard Widget #7714
• Fixed an IPsec widget error when it would get back null data after a session ended #6318
• Improved error checking to prevent dashboard widget parsing errors

DNS

• Added an option for the DNS Resolver (Unbound) to serve expired records from the cache after their TTL expires which can improve speed in some cases #7814
• Fixed the DNS Resolver (Unbound) to allow snoop from localhost by default, otherwise „dig +trace“ or „drill -T“ queries from the firewall itself fail #7884

XMLRPC

• Fixed XMLRPC Sync to prevent a lock that would never be unlocked
• Fixed XMLRPC sync to ensure a proper empty array is returned instead of NULL, so that the last item of a section can be removed without error #7953

Misc

• Fixed Captive Portal voucher test and expire pages #7939
• Added UEFI 32 and UEFI 64 filenames defined inside a pool to dhcpd.conf #7949
• Fixed operation of the „Reset All States on WAN IP Change“ GUI setting #7921
• Changed OpenVPN to retry client auth when it fails by default (auth-retry nointeract) #7506
• Changed the Cryptographic Accelerator module options to allow both the AES-NI and Crypto modules to be loaded at the same time #7810
• Added URL fingerprinting to the login page CSS
• Added the device serial/id to the console and SSH menu banner #7968
• Fixed „Unknown Step Values“ in certain RRD graph cases #6860

JARVIS

Interessiert in verschiedenste IT Themen, schreibe ich in diesem Blog über Software, Hardware, Smart Home, Games und vieles mehr. Ich berichte z.B. über die Installation und Konfiguration von Software als auch von Problemen mit dieser. News sind ebenso spannend, sodass ich auch über Updates, Releases und Neuigkeiten aus der IT berichte. Letztendlich nutze ich Taste-of-IT als eigene Dokumentation und Anlaufstelle bei wiederkehrenden Themen. Ich hoffe ich kann dich ebenso informieren und bei Problemen eine schnelle Lösung anbieten. Wer meinen Aufwand unterstützen möchte, kann gerne eine Tasse oder Pod Kaffe per PayPal spenden – vielen Dank.