The developers of the open-source firewall pfSense released update 2.3.4-p1 yesterday. This is a regular minor update that fixes several bugs and closes 3 security vulnerabilities. In total, it contains 38 changes.
Because of the three XSS (cross-site scripting) vulnerabilities in "diag_edit.php", "diag_table.php" and "firewall_nat_edit.php", updating the firewall immediately is recommended.
pfSense Release Notes Version 2.3.4-p1
Security / Errata
- pfSense Advisories
- pfSense-SA-17_05.webgui:
- pfSense-SA-17_06.webgui:
- Added a warning screen to the GUI and prevent access if the client IP address is currently in the lockout table, and also remove the client’s connection states #7693
Bug Fixes
Captive Portal
- Fixed Captive Portal RADIUS Authentication to only cache credentials when required to perform reauthentication #7528
- Restored the captive portal feature to view the captive portal page directly from the portal web server as an additional button #7646
Dynamic DNS
- Fixed issues with wildcard CNAME records disappearing from Loopia when doing a DNS update
- Fixed issues with CloudFlare Dynamic DNS
- Fixed Hover Dynamic DNS updates so they Verify the SSL Peer
Logging
- Added syslogd service definition to enable status display and control #4382
- Fixed issues with syslogd stopping when installing or uninstalling some packages #7256
Virtual IP Addresses
- Fixed issues with CARP status display overmatching some VIP numbers #7638
- Fixed pid file handling for choparp (Proxy ARP Daemon)
- Added the ability to sort the Virtual IP address list
DNS
- Fixed diag_dns.php so it will not create an empty alias if name does not resolve
- Fixed diag_dns.php to not show Add Alias if the user does not have privileges to add an alias
- Fixed diag_dns.php to change the update alias button text after adding an alias
- Fixed diag_dns.php to disable the Add Alias button when the host field is changed
- Fixed calls to unbound-control to have the full configuration path specified so they do not fail #7667
- Fixed handling of "redirect" zone entries in the DNS Resolver so they do not produce invalid zones #7690
- Changed the way the DNS Resolver code writes out host entries, so the zones are more well-formed #7690
- Changed the way the DNS Resolver process (unbound) is stopped, to allow it to exit cleanly. #7326
Interfaces
- Fixed DHCPv6 to request a prefix delegation even if no interfaces are set to track6 #4544
- Updated handling of original MAC address retention for interfaces with spoofed MACs
- Fixed an array handling problem when working with gateway entries on the Interface configuration page #7659
- Fixed handling of MSS clamping values for PPPoE/L2TP/PPTP WANs #7675
DHCP
- Fixed an issue where some DHCP Lease information was encoded twice with htmlentities/htmlspecialchars
- Fixed an issue where in some edge cases, a variable was not properly set in a loop, leading to a previous value being reused
Misc
- Removed "/usr/local/share/examples" from obsolete files list, some packages rely on the files being there
- Added a few more items to status.php for support purposes, such as a download button, socket buffer info, and the netgate ID
- Fixed status.php to redact BGP MD5 password/key in output #7642
- Fixed OpenVPN to use is_numeric() to make sure $prefix is not 0
- Changed the "Rule Information" section so it is consistent between firewall and NAT rule pages
- Fixed APU2 detection for devices running coreboot v4.x
- Fixed the tunable description for net.inet.ip.random_id #6087
- Fixed some outdated links for help and support
- Fixed some issues with empty config tags in packages #7624
- Fixed issues with entry IDs after deleting Authentication Server instances #7682
Source: https://www.netgate.com/blog/pfsense-2-3-4-p1-release-now-available.html