Netgate has released version 2.4.3 of the open-source firewall pfSense. The update fixes security issues and contains a large number of bug fixes; in total, 83 tickets listed in the bug tracker were closed. Among the security fixes are the FreeBSD kernel mitigations for Meltdown (PTI) and Spectre V2 (IBRS), together with a mechanism for installing the CPU microcode updates that the IBRS mitigation requires.
Bugtracker: https://redmine.pfsense.org/versions/42
pfSense 2.4.3 Release Notes
Security / Errata
- FreeBSD-SA-18:01.ipsec
- Kernel PTI mitigations for Meltdown (optional tunable) FreeBSD-SA-18:03.speculative_execution.asc
- IBRS mitigation for Spectre V2 (requires updated CPU microcode) FreeBSD-SA-18:03.speculative_execution.asc
- Added a CPU Microcode update mechanism (cpuctl module, sysutils/devcpu-data port)
- Imported a FreeBSD patch to fix boot issues when running as a hypervisor guest on AMD Family 15h processors (FreeBSD PR #213155)
- Added validation for RRD parameters to ensure passed filenames are valid #8269
- Fixed a potential XSS vector in RRD error output encoding #8269 pfSense-SA-18_01.packages
- Fixed a potential XSS vector in diag_system_activity.php output encoding #8300 pfSense-SA-18_02.webgui
- Fixed a potential XSS vector in traffic_graphs.widget.php settings #8302 pfSense-SA-18_03.webgui
- Fixed a potential CSRF issue in service control request processing #8296
- Enabled CSRF protection for all dashboard widgets #8301
- Added encoding for firewall schedule range descriptions #8259
- Changed sshd to use delayed compression #8245
- Increased PHP-FPM resources on systems with over 1GB RAM to improve performance #8125
- Imported a netstat fix for ARM platforms to improve performance and reduce CPU usage, especially on the Dashboard #8237
- Fixed a memory leak in the pfSense_getall_interface_addresses() function in the pfSense PHP module #8249
- Hardware support for the XG-7100, including:
- C3000 NIC support (factory installations only)
- C3000 SoC support (factory installations only)
- Marvell 88E6190 switch support (factory installations only)
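The PTI and IBRS entries above are only effective if the kernel tunable is on and the CPU microcode actually supports IBRS. The following script is an added example, not code from pfSense or from the release notes; it reads the FreeBSD sysctls `vm.pmap.pti`, `hw.ibrs_disable` and `hw.ibrs_active` and prints a verdict per mitigation. The sample sysctl output embedded in it is constructed for offline testing, not captured from a real firewall; the `--live` switch runs `sysctl` on the box itself.

```sh
#!/bin/sh
# Added example (not pfSense code): report whether the Meltdown (PTI) and
# Spectre V2 (IBRS) mitigations shipped with pfSense 2.4.3 are active.
# The sysctl names are FreeBSD's:
#   vm.pmap.pti      1 = kernel page-table isolation on (Meltdown); loader tunable
#   hw.ibrs_disable  1 = IBRS administratively switched off
#   hw.ibrs_active   1 = IBRS actually engaged (needs microcode with IBRS support)
# Usage on the firewall (Diagnostics > Command Prompt or SSH):  sh check_mitig.sh --live

# sysval NAME TEXT: pull one value out of "name: value" sysctl output.
# Prints "?" when the sysctl is absent, i.e. the kernel predates the patch set.
sysval() {
    printf '%s\n' "$2" | awk -F': *' -v k="$1" '$1==k {print $2; f=1} END {if (!f) print "?"}'
}

# verdict TEXT: prints "meltdown=<state> spectre_v2=<state>"
verdict() {
    pti=$(sysval vm.pmap.pti "$1")
    dis=$(sysval hw.ibrs_disable "$1")
    act=$(sysval hw.ibrs_active "$1")

    case "$pti" in
        1) m=mitigated ;;
        0) m=disabled ;;      # tunable set to 0 in /boot/loader.conf.local
        *) m=unknown ;;       # sysctl missing: kernel without the PTI patch
    esac

    if [ "$act" = 1 ]; then
        s=mitigated
    elif [ "$dis" = 1 ]; then
        s=disabled            # operator turned IBRS off
    elif [ "$act" = 0 ]; then
        s=no_microcode        # IBRS allowed but the CPU microcode lacks it: install the update
    else
        s=unknown             # sysctl missing: kernel without the IBRS patch
    fi
    printf 'meltdown=%s spectre_v2=%s\n' "$m" "$s"
}

# Constructed sample output (not captured from a real box) for an offline run.
SAMPLE_OK='vm.pmap.pti: 1
hw.ibrs_disable: 0
hw.ibrs_active: 1'

SAMPLE_OLD_UCODE='vm.pmap.pti: 1
hw.ibrs_disable: 0
hw.ibrs_active: 0'

if [ "${1:-}" = "--live" ]; then
    # Missing sysctls only produce stderr noise; sysval turns them into "?".
    verdict "$(sysctl vm.pmap.pti hw.ibrs_disable hw.ibrs_active 2>/dev/null)"
else
    verdict "$SAMPLE_OK"
    verdict "$SAMPLE_OLD_UCODE"
fi
```

A result of `spectre_v2=no_microcode` after the 2.4.3 upgrade means the kernel side is in place but the microcode update mechanism from the list above has not yet supplied a microcode revision with IBRS support for that CPU.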
Traffic Shaping / Limiters
- Fixed hangs due to Limiters and pfsync in HA #4310
- Added the Chelsio cxl driver to the list of ALTQ capable interfaces #7607
- Fixed an issue with limiters that had fractional bandwidth values #8091
- Changed status_queues.php to provide 'realtime' statistics #8185
IPsec
- Changed IPsec Phase 1 to allow selecting both IPv4 and IPv6 so the local side can allow inbound connections to either address family #6886
- Changed IPsec Phase 1 to allow configuration of multiple IKE encryption algorithms, key lengths, hashes, and DH groups #8186
- Fixed a problem when IPsec bypasslan was enabled while the LAN interface is disabled or doesn’t have an IP address #8239
- Added IPv6 LAN Network to the IPsec LAN bypass list #8321
OpenVPN
- Fixed an error message encountered by a few users when manually killing OpenVPN connections #8266
- Added an OpenVPN tap bridge configuration option to push the bridged interface address to clients as a route-gateway for routes/redirects #8267
- Added an option to the DNS Resolver which allows registering the CN of OpenVPN clients as hostnames #6847
- Added an option to OpenVPN clients and servers to suppress creation of IPv4 or IPv6 gateway addresses for an interface #6848
- Fixed issues with OpenVPN when using a /31 IPv4 Tunnel Network #8261
- Updated the OpenVPN wizard with the current UDP and TCP protocol selections #8298
- Added the interface for a VPN to the OpenVPN client and server list screens
Notifications
- Changed SMTP notifications handling so they are batched, to avoid sending multiple e-mail messages in a short amount of time #4031
- Added a notification when the firewall boot sequence is complete #7643
Dashboard
- Fixed issues where the IPsec dashboard widget caused GUI failures #6318
- Changed the Dynamic DNS Widget so it shows the description of custom entries to identify them #7843
- Fixed a reference to deprecated updateGatewayDisplays() function in the Gateways dashboard widget #8303
- Added a setting to the temperature widget to display readings in Fahrenheit #8205
- Changed the picture widget so the picture is stored on the firewall filesystem and not in config.xml to reduce the size of backup data #8371
- On upgrade, pictures are moved out of config.xml and are therefore no longer part of configuration backups, so back up the picture file separately if it is important
DHCP
- Added an option to the DHCP Server Dynamic DNS configuration to set the server key algorithm #6621
- Added DDNS Client Updates option to DHCPv4 #7131
- Fixed handling of the DHCPv6 DDNS reverse zone key #6319
- Fixed DHCPv4 static mappings so that multiple MAC addresses are allowed for the same DHCP address or hostname #8220
- Fixed a potential issue in detecting primary/secondary node in a failover configuration
- Improved DHCP relay destination interface discovery
- Fixed DHCPv6 lease display for entries that were not parsed properly from the lease database #7413
Dynamic DNS
- Added an option for RFC 2136 Dynamic DNS server key algorithm #8244
- Added an option for RFC 2136 source address used to send updates #8278
- Fixed issues with Dynamic DNS updates using a gateway group when the primary route is down #8333
- Added GoDaddy Dynamic DNS provider
Interfaces / VIPs
- Fixed issues on assign_interfaces.php with large numbers of interfaces #6400
- Fixed handling of CARP VIPs on disabled interfaces at boot time #6677
- Fixed issues with radvd being enabled on a disconnected interface #6974
- Fixed issues with rtsold on VLAN interfaces #7412
- Fixed issues with dhcp6c lock files after an unclean shutdown when using "Do not wait for an RA" on an IPv6 WAN interface #8106
- Added a feature to allow pppoe on a CARP VIP so it will only be active on whichever node is master #8184
- Fixed an error when editing PPP interfaces on a system with no VIPs #8322
- Added VLAN priority tagging for DHCPv6 client requests #8200
- Added support for configuring the DUID type for IPv6 interfaces #8191
- Allowed a custom INIT string in the PPP modem SIM PIN and APN settings
- Added an indicator for disabled interfaces on status_interfaces.php
- Fixed an issue with the PPP linkup and linkdown scripts and cellular modems
- Fixed an issue where the combination of CARP with bridging could lead to a deadlock #8056
Packages
- Fixed reinstall process for missing packages #8183
Captive Portal
- Fixed Pass-through MAC automatic additions so it does not add duplicate entries #8226
- Fixed a missing global definition in Captive Portal pass-through MAC removal #8238
- Fixed Captive Portal voucher sync errors when vouchers are expired or disconnected while the secondary node is master #8317
- Fixed Captive Portal voucher synchronization between HA nodes #7972
Certificates
- Fixed automatic SAN handling when the CN of a certificate contains a space #8252
- Fixed input validation for Certificate SAN values to disallow IP addresses for FQDN/Hostname entries #8275
Gateways/Routing
- Fixed handling of the Router Lifetime value on services_router_advertisements.php so it allows a value of 0 #7502
- Added ospf6d to the routing log
- Allow recursive aliases to be used with static routes
Rules/NAT
- Fixed various pf "busy" errors when the ruleset is reloaded
- Fixed issues with editing firewall rules in non-English languages that contain single quotes in translated strings #8219
- Added an option to disable drag-and-drop of firewall and NAT rules
- Added a check to prevent 1:1 NAT rules with missing information from being added to the ruleset
- Added firewall rule tracking ID to rule list (in counter tooltip) and firewall rule edit page #8348
- Fixed cases where automatic or scripted rules were not getting tracking IDs #8353
- Added a check to prevent automatic outbound firewall rules with missing information from being added to the ruleset #8360
Users/Authentication
- Fixed issues with XMLRPC user account synchronization causing GUI inaccessibility on secondary HA nodes #7469
- Fixed an issue where a user with no privileges could not logout #8297
- Increased maximum username length from 16 to 32 characters to catch up to the current allowed length in FreeBSD
- Fixed required field markings on LDAP authentication server configuration fields #8337
- Fixed display of the LDAP host when testing the GUI authentication source #8338
Misc
- Fixed NTP Status server time for zones with minute offsets (fractions of an hour) #8129
- Added support for custom shutdown scripts in /usr/local/etc/rc.d #8182
- Fixed a reference to an undefined function while restoring a config.xml file from an older version #8231
- Added support to diag_packet_capture.php to capture traffic on the loopback interface #8257
- Fixed an issue with the RAM disk warning pop-up appearing when no changes were made #8268
- Fixed an issue with the address family selection for remote syslog servers using IPv6 #8323
- Silenced warnings from sysctl that otherwise went to stderr
- Added a disk size check to ZFS to prevent it from being used on disks that are too small to contain the OS and swap space #7308
- Added a check to prevent pfSense-upgrade from running as a non-root user #7762
- Added an option to disable the IGMP Proxy service #8356
- Fixed an issue with package handling when restoring a configuration that contains a branch configuration that is not valid for the target system version #8208
Being interested in all kinds of IT topics, I write in this blog about software, hardware, smart home, games and much more. For example, I report on the installation and configuration of software as well as on problems with it. News is just as interesting, so I also cover updates, releases and other news from the IT world. Ultimately, I use Taste-of-IT as my own documentation and as a reference for recurring topics. I hope I can inform you just as well and offer a quick solution when problems arise. Anyone who would like to support my effort is welcome to donate a cup or pod of coffee via PayPal. Many thanks.