pfSense Open-Source Firewall – Bugfix Future und Security Release 2.3.4-p1

Die Entwickler der Open-Source Firewall, pfSense, haben gestern das Update 2.3.4-p1, veröffentlicht. Dies ist ein reguläres kleineres Update das einige Fehler behebt und 3 Sicherheitslücken schließt. Insgesamt werden 38 Änderungen durchgeführt.

Auf Grund der drei XSS (Cross-Site-Scripting) Sicherheitslücken in der “diag_edit.php”, der “diag_table.php” und der “fireall_nat_edit.php”, ist ein Update der Firewall umgehend zu empfehlen.

pfSense Release Notes Version 2.3.4-p1

Security / Errata

• pfSense Advisories
  • pfSense-SA-17_05.webgui:
    • Fixed a potential XSS issue in the diag_edit.php file browser #7650
    • Fixed a potential XSS in handling of the ‘type’ parameter on diag_table.php #7652
    • Fixed validation and a potential XSS in interface names on firewall_nat_edit.php #7651
  • pfSense-SA-17_06.webgui:
    • Added a warning screen to the GUI and prevent access if the client IP address is currently in the lockout table, and also remove the client’s connection states #7693

Bug Fixes

Captive Portal

• Fixed Captive Portal RADIUS Authentication to only cache credentials when required to perform reauthentication #7528
• Restored the captive portal feature to view the captive portal page directly from the portal web server as an additional button #7646

Dynamic DNS

• Fixed issues with wildcard CNAME records disappearing from Loopia when doing a DNS update
• Fixed issues with CloudFlare Dynamic DNS
• Fixed Hover Dynamic DNS updates so they Verify the SSL Peer

Logging

• Added syslogd service definition to enable status display and control #4382
• Fixed issues with syslogd stopping when installing or uninstalling some packages #7256

Virtual IP Addresses

• Fixed issues with CARP status display overmatching some VIP numbers #7638
• Fixed pid file handling for choparp (Proxy ARP Daemon)
• Added the ability to sort the Virtual IP address list

DNS

• Fixed diag_dns.php so it will not create an empty alias if name does not resolve
• Fixed diag_dns.php to not show Add Alias if the user does not have privileges to add an alais
• Fixed diag_dns.php to change the update alias button text after adding an alias
• Fixed diag_dns.php to disable the Add Alias button when the host field is changed
• Fixed calls to unbound-control to have the full configuration path specified so they do not fail #7667
• Fixed handling of “redirect” zone entries in the DNS Resolver so they do not produce invalid zones #7690
• Changed the way the DNS Resolver code writes out host entries, so the zones are more well-formed #7690
• Changed the way the DNS Resolver process (unbound) is stopped, to allow it to exit cleanly. #7326

Interfaces

• Fixed DHCPv6 to request a prefix delegation even if no interfaces are set to track6 #4544
• Updated handling of original MAC address retention for interfaces with spoofed MACs
• Fixed an array handling problem when working with gateway entries on the Interface configuration page #7659
• Fixed handling of MSS clamping values for PPPoE/L2TP/PPTP WANs #7675

DHCP

• Fixed an issue where some DHCP Lease information was encoded twice with htmlentities/htmlspecialchars
• Fixed an issue where in some edge cases, a variable was not properly set in a loop, leading to a previous value being reused

Misc

• Removed “/usr/local/share/examples” from obsolete files list, some packages rely on the files being there
• Added a few more items to status.php for support purposes, such as a download button, socket buffer info, and the netgate ID
• Fixed status.php to redact BGP MD5 password/key in output #7642
• Fixed OpenVPN to use is_numeric() to make sure $prefix is not 0
• Changed the “Rule Information” section so it is consistent between firewall and NAT rule pages
• Fixed APU2 detection for devices running coreboot v4.x
• Fixed the tunable description for net.inet.ip.random_id #6087
• Fixed some outdated links for help and support
• Fixed some issues with empty config tags in packages #7624
• Fixed issues with entry IDs after deleting Authentication Server instances #7682

Quelle: https://www.netgate.com/blog/pfsense-2-3-4-p1-release-now-available.html