
11 Years of pfSense with Release Update 2.2.5


The developers of the open-source firewall pfSense are celebrating 11 years of the project and have published release update 2.2.5. The project began in the summer of 2004 with the registration of the domain. On 5 November 2004 pfSense was presented to the public and launched.

The now-released version 2.2.5 fixes a number of bugs and closes several security holes. Among them are various cross-site scripting (XSS) vulnerabilities in the WebGUI; FreeBSD was updated to 10.1-RELEASE-p24, and NTP, OpenSSH, the kernel and other components received fixes.

Release 2.2.5 Notes:

Complete list of changes and features in version 2.2.5

<h2><span id="Security.2FErrata_Notices" class="mw-headline">Security/Errata Notices</span></h2>
	<li>Updated to FreeBSD 10.1-RELEASE-p24</li>
	<li><a class="external text" href="" rel="nofollow">FreeBSD-SA-15:25.ntp</a> Multiple vulnerabilities in NTP [REVISED]</li>
	<li><a class="external text" href="" rel="nofollow">FreeBSD-SA-15:14.bsdpatch</a>: Due to insufficient sanitization of the input patch stream, it is possible for a patch file to cause patch(1) to run commands in addition to the desired SCCS or RCS commands.</li>
	<li><a class="external text" href="" rel="nofollow">FreeBSD-SA-15:16.openssh</a>: OpenSSH client does not correctly verify DNS SSHFP records when a server offers a certificate (<a class="external text" href="" rel="nofollow">CVE-2014-2653</a>). OpenSSH servers which are configured to allow password authentication using PAM (default) would allow many password attempts.</li>
	<li><a class="external text" href="" rel="nofollow">FreeBSD-SA-15:18.bsdpatch</a>: Due to insufficient sanitization of the input patch stream, it is possible for a patch file to cause patch(1) to pass certain ed(1) scripts to the ed(1) editor, which would run commands.</li>
	<li><a class="external text" href="" rel="nofollow">FreeBSD-SA-15:20.expat</a>: Multiple integer overflows have been discovered in the XML_GetBuffer() function in the expat library.</li>
	<li><a class="external text" href="" rel="nofollow">FreeBSD-SA-15:21.amd64</a>: If the kernel-mode IRET instruction generates an #SS or #NP exception, but the exception handler does not properly ensure that the right GS register base for kernel is reloaded, the userland GS segment may be used in the context of the kernel exception handler.</li>
	<li><a class="external text" href="" rel="nofollow">FreeBSD-SA-15:22.openssh</a>: A programming error in the privileged monitor process of the sshd(8) service may allow the username of an already-authenticated user to be overwritten by the unprivileged child process. A use-after-free error in the privileged monitor process of the sshd(8) service may be deterministically triggered by the actions of a compromised unprivileged child process. A use-after-free error in the session multiplexing code in the sshd(8) service may result in unintended termination of the connection.</li>
	<li><a class="external text" href="" rel="nofollow">pfSense-SA-15_08.webgui</a>: Multiple Stored XSS Vulnerabilities in the pfSense WebGUI</li>
	<li>The complete list of affected pages and fields is given in the linked SA.</li>
	<li>Updated strongSwan to 5.3.3</li>
	<li>Updated PHP to 5.5.30</li>
	<li>Updated miniupnpd to 1.9.20150721 to address a potential <a class="external text" href="" rel="nofollow">vulnerability in miniupnpd</a>.</li>
<h2><span id="User_Management.2FAuthentication" class="mw-headline">User Management/Authentication</span></h2>
	<li>Added support for GUI auth from RADIUS to obtain group names from the RADIUS reply attribute "Class" as a string (local groups must exist, similar to LDAP). <a class="external text" href="" rel="nofollow">#935</a></li>
	<li>Added an LDAP server timeout field to address GUI access issues when the LDAP server is down/unreachable. <a class="external text" href="" rel="nofollow">#3383</a></li>
	<li>Added support for LDAP <a class="external mw-magiclink-rfc" href="" rel="nofollow">RFC 2307</a> style group membership. <a class="external text" href="" rel="nofollow">#4923</a></li>
	<li>Worked around a chicken-and-egg problem in user syncing which was preventing users from using ssh the first time the account was saved. <a class="external text" href="" rel="nofollow">#5152</a></li>
	<li>Prevent deletion of system users and groups by authenticated, authorized users using manually crafted POSTs. <a class="external text" href="" rel="nofollow">#5294</a></li>
<h2><span id="OpenVPN" class="mw-headline">OpenVPN</span></h2>
	<li>Fixed an incorrect netmask being sent to OpenVPN clients with static IP addresses set in RADIUS. <a class="external text" href="" rel="nofollow">#5129</a></li>
	<li>Changed the calculation of the OpenVPN point-to-point server IP address obtained from RADIUS to be consistent with CSC/Overrides (Server should be one IP address below the Client)</li>
<h2><span id="IPsec" class="mw-headline">IPsec</span></h2>
	<li>strongSwan upgraded to 5.3.3. <a class="external text" href="" rel="nofollow">strongSwan's change log</a></li>
	<li>Fixed missing DH group 22-24. <a class="external text" href="" rel="nofollow">#4918</a></li>
	<li>Fixed handling of IPv4 IPsec Phase 1 endpoints that resolve to an IPv6 address. <a class="external text" href="" rel="nofollow">#4147</a> (Fixed by strongSwan update to 5.3.3)</li>
	<li>Brought back "auto" IKE version and fixed problems with its previous implementation.</li>
	<li>Pre-shared keys configured as "any" under VPN>IPsec, Pre-Shared Keys tab are added as %any to ipsec.secrets now, as described in the note on the page. <a class="external text" href="" rel="nofollow">#5246</a></li>
	<li>Resolved memory leak by switching printf hooks to vstr. <a class="external text" href="" rel="nofollow">#5149</a></li>
	<li>The change to vstr that fixed the memory leak broke the SMP status plugin. Switched to vici for status output.</li>
	<li>ID selectors are now omitted from ipsec.secrets for mobile PSK+XAuth configurations. This fixes pre-shared key mismatches with Apple iOS Cisco IPsec and other mobile clients. <a class="external text" href="" rel="nofollow">#5245</a></li>
	<li>Fixed logging default settings and ability to set logging to silent. <a class="external text" href="" rel="nofollow">#5340</a></li>
	<li>Logging settings applied correctly on clean start and stop/start of service. <a class="external text" href="" rel="nofollow">#5242</a></li>
	<li>Remove deleted CAs, certificates and CRLs from strongswan configuration. <a class="external text" href="" rel="nofollow">#5238</a></li>
	<li>Prevent over-matching of auto-added firewall rules for mobile IPsec configurations. <a class="external text" href="" rel="nofollow">#5211</a></li>
	<li>Added IPv6 virtual address pool support for mobile. <a class="external text" href="" rel="nofollow">#5284</a></li>
	<li>Allow both IPv4 and IPv6 in phase 2 entries on a single phase 1 when using IKEv2. <a class="external text" href="" rel="nofollow">#5305</a></li>
	<li>Omit NAT rules for disabled phase 1 and 2 configurations. <a class="external text" href="" rel="nofollow">#5320</a></li>
	<li>Only display certificate authority field for methods where it's relevant. <a class="external text" href="" rel="nofollow">#5323</a></li>
	<li>Only write out CA certificates for those specified in a Phase 1 configuration. <a class="external text" href="" rel="nofollow">#5243</a></li>
	<li>Fixed Hybrid RSA + xauth. <a class="external text" href="" rel="nofollow">#5207</a></li>
	<li>Fixed configuration of split tunnel attribute. <a class="external text" href="" rel="nofollow">#5327</a></li>
	<li>Specify rightca in ipsec.conf where relevant. <a class="external text" href="" rel="nofollow">#5241</a></li>
	<li>Specify leftsendcert=always in ipsec.conf for mobile profiles using IKEv2 to better accommodate iOS and OS X manual configurations. <a class="external text" href="" rel="nofollow">#5353</a></li>
	<li>Fixed IKEv2 mobile client pool status display with a small number of active leases.</li>
<h2><span id="Rules.2FNAT" class="mw-headline">Rules/NAT</span></h2>
	<li>Fixed handling of url_port alias types when processing items that should be handled by filterdns. <a class="external text" href="" rel="nofollow">#4888</a></li>
	<li>Fixed handling of line endings when parsing a URL table ports file.</li>
	<li>Fixed handling of empty bogon lists on NanoBSD.</li>
	<li>Fixed handling of 6rd rules so they are only added when there is an IPv4 IP defined for the gateway, otherwise the ruleset ends up invalid. <a class="external text" href="" rel="nofollow">#4935</a></li>
	<li>Added support for port ranges on Outbound NAT. <a class="external text" href="" rel="nofollow">#5156</a></li>
	<li>Added a check to prevent renaming an alias to an existing name. <a class="external text" href="" rel="nofollow">#5162</a></li>
	<li>Improved the fix for increasing the "self" table size in pf.</li>
	<li>Imported fixes from FreeBSD for a situation that could result in a panic/crash due to source address limits in pf rules ("pf_hashsrc: unknown address family 0"). <a class="external text" href="" rel="nofollow">#4874</a></li>
<h2><span id="Captive_Portal" class="mw-headline">Captive Portal</span></h2>
	<li>Implemented an alternate method to find VIP targets that should be allowed for Captive Portal. <a class="external text" href="" rel="nofollow">#4903</a></li>
	<li>Improved handling of the captive portal database files for zones in cases when the database files may be corrupt or unreadable. <a class="external text" href="" rel="nofollow">#4904</a></li>
	<li>Improved handling of vouchers that are too short. In certain cases they were not being properly rejected. <a class="external text" href="" rel="nofollow">#4985</a></li>
	<li>Fixed handling of voucher database files, initializing the database properly when necessary. <a class="external text" href="" rel="nofollow">#5113</a></li>
	<li>Fixed loading of allowed hostnames at boot time. <a class="external text" href="" rel="nofollow">#4746</a>, <a class="external text" href="" rel="nofollow">#5345</a></li>
<h2><span id="Packages" class="mw-headline">Packages</span></h2>
	<li>Fixed handling of package install errors and connect timeouts during the install process. <a class="external text" href="" rel="nofollow">#4884</a></li>
	<li>Improved package version comparison. <a class="external text" href="" rel="nofollow">#4924</a></li>
	<li>Fixed an issue with package editing where the default value was not being populated for new fields.</li>
	<li>Fixed removal of syslog.conf entries during package uninstall. <a class="external text" href="" rel="nofollow">#5210</a></li>
<h2><span id="DHCP" class="mw-headline">DHCP</span></h2>
	<li>Fixed handling of DHCP pools that are out of range, preventing them from creating an invalid dhcpd configuration. <a class="external text" href="" rel="nofollow">#4878</a></li>
	<li>Added support for UEFI network booting with arch 00:09. <a class="external text" href="" rel="nofollow">#5046</a></li>
	<li>Fixed a situation where dhcpleases could miss updates for hostnames in the leases file, delaying functional hostname resolution of new and updated DHCP leases. <a class="external text" href="" rel="nofollow">#4931</a></li>
	<li>Automatically add firewall rules to permit DHCP traffic when DHCP Relay is enabled, matching the behavior for DHCP Server. <a class="external text" href="" rel="nofollow">#4558</a></li>
<h2><span id="Interfaces" class="mw-headline">Interfaces</span></h2>
	<li>Fixed identification of IPv6 interfaces with PPP-type interfaces and DHCP6. <a class="external text" href="" rel="nofollow">#3670</a></li>
	<li>Removed "Could not find gateway for interface..." log messages as they were largely useless. <a class="external text" href="" rel="nofollow">#4102</a></li>
	<li>Added OpenVPN interfaces to the list of available interfaces when reassignment is necessary during config.xml restoration.</li>
	<li>Fixed interface assignment menus running off VGA screen.</li>
	<li>Fixed preservation of MLPPP settings when saving interface settings. <a class="external text" href="" rel="nofollow">#4568</a></li>
	<li>Correct handling of SLAAC, DHCP6 and DHCP-PD with PPP interfaces. <a class="external text" href="" rel="nofollow">#5297</a></li>
<h2><span id="Dynamic_DNS" class="mw-headline">Dynamic DNS</span></h2>
	<li>Fixed Cloudflare support for Dynamic DNS updates.</li>
	<li>Fixed GratisDNS support for hosts without subdomains.</li>
	<li>Disabled DHS provider. It had never worked.</li>
	<li>Fixed IPv4 dynamic DNS registrations on dual stack hosts to providers with AAAA records. <a class="external text" href="" rel="nofollow">#3858</a></li>
	<li>Update Dynamic DNS using gateway groups upon enable and disable of gateways. <a class="external text" href="" rel="nofollow">#5214</a></li>
	<li>Fixed Dynamic DNS using gateway groups specifying a CARP IP. <a class="external text" href="" rel="nofollow">#4990</a></li>
<h2><span id="Misc" class="mw-headline">Misc</span></h2>
	<li>Fixed the configuration version comparison in XMLRPC sync to prevent more invalid synchronization cases. <a class="external text" href="" rel="nofollow">#4902</a></li>
	<li>Cleaned up old unused platforms referenced in a few areas of the code that were no longer relevant.</li>
	<li>Fixed killing of individual states in cases when the source and destination were reversed. <a class="external text" href="" rel="nofollow">#4907</a></li>
	<li>Fixed killing of individual states for IPv6. <a class="external text" href="" rel="nofollow">#4906</a></li>
	<li>Changed the "enableallowallwan" script to also allow bogons, which makes the use of <a class="external mw-magiclink-rfc" href="" rel="nofollow">RFC 5735</a> / <a class="external mw-magiclink-rfc" href="" rel="nofollow">RFC 6890</a> test networks easier in lab environments.</li>
	<li>Fixed handling of VIPs in source address selection for Diagnostics > Test Port. <a class="external text" href="" rel="nofollow">#4986</a></li>
	<li>Updated status.php to include more information. <a class="external text" href="" rel="nofollow">#5304</a></li>
	<li>Fixed handling of the description in Traffic Shaping.</li>
	<li>Fixed pfSense base version comparison. <a class="external text" href="" rel="nofollow">#4925</a></li>
	<li>Fixed handling of multiple notices in the same second. <a class="external text" href="" rel="nofollow">#4879</a></li>
	<li>Removed the routed service as it is being handled by the package.</li>
	<li>Set MIME type for SVG in lighttpd configuration.</li>
	<li>Improved handling of the cron service reconfiguration process.</li>
	<li>Added an option to display the monitor IP on the Gateways widget. <a class="external text" href="" rel="nofollow">#4782</a></li>
	<li>Added "Description" as a display option on Traffic Graphs. <a class="external text" href="" rel="nofollow">#4783</a></li>
	<li>Fixed handling of L2TP server interface selection. <a class="external text" href="" rel="nofollow">#4830</a></li>
	<li>Added /usr/bin/dc back into the build. <a class="external text" href="" rel="nofollow">#5111</a></li>
	<li>Fixed a crash/panic "Sleeping thread owns a non-sleepable lock" in ARP code when using Proxy ARP type VIPs. <a class="external text" href="" rel="nofollow">#4685</a></li>
	<li>Added support for Sierra Wireless 7355. <a class="external text" href="" rel="nofollow">#4863</a></li>
	<li>Updated time zones. <a class="external text" href="" rel="nofollow">#5254</a></li>
	<li>Added fsync of Unbound's root.key to ensure the file isn't corrupted if power is lost shortly after writing of the file. Code added to detect corrupt root.key and delete and recreate it. <a class="external text" href="" rel="nofollow">#5334</a></li>
	<li>Fixed changing outbound NAT modes and uploading/downloading files on exec.php with non-English languages. <a class="external text" href="" rel="nofollow">#5342</a>, <a class="external text" href="" rel="nofollow">#5343</a></li>
	<li>Associate intermediate internal CA certificates with the signing CA. <a class="external text" href="" rel="nofollow">#5313</a></li>
