Netgate Discussion Forum

    CE Update Frequency

    General pfSense Questions

      neiltiffin

      So I was looking at my pfSense box today and it says I have 2.6 built on Jan 31 2022. The new 2.7 release has just recently happened, say 6/29/2023 with no bug fix releases in-between. That is about 1.5 years between releases for security software? That seems NOT right.

      So I guess I can assume a bug fix update sometime towards the end of 2024?

      I looked at the CE GitHub repository and there are no releases and no recent tags, although there is obviously activity.

      I looked at the download page https://www.pfsense.org/download/ and there are no historical CE downloads. Are they all gone?

      I think this means that pfSense CE is essentially dead? Why would anyone continue to use this software? I know, I know, switch over to the 23.x.x versions which have proprietary code. I use pfSense because there was not any proprietary code.

      Is Netgate just brain dead? There does not seem to be any reason to support pfSense CE. Please correct me if I am wrong!

        michmoor LAYER 8 Rebel Alliance @neiltiffin

        @neiltiffin said in CE Update Frequency:

        Is Netgate just brain dead? There does not seem to be any reason to support pfSense CE. Please correct me if I am wrong!

        TBH, I don't think being insulting would get that many responses, especially from the mods here who would be best in answering questions about the development lifecycle of pfSense.

        Although 1.5 years between major updates may appear long, there were package updates if there were flaws found.
        What specific flaw/vulnerability was found in 2.6 that wasn't addressed over the course of a year prior to the 2.7 release? If the answer is nothing then what update are you looking for in the security software?

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise

          SteveITS Galactic Empire @neiltiffin

          @neiltiffin install the System Patches package and watch for updates to the package.

          Download old versions by making no selections on the page and submit the form. Recent versions are listed on the mirror.

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

            neiltiffin @michmoor

            @michmoor said in CE Update Frequency:

            @neiltiffin said in CE Update Frequency:

            Is Netgate just brain dead? There does not seem to be any reason to support pfSense CE. Please correct me if I am wrong!

            TBH, I don't think being insulting would get that many responses, especially from the mods here who would be best in answering questions about the development lifecycle of pfSense.

            Although 1.5 years between major updates may appear long, there were package updates if there were flaws found.
            What specific flaw/vulnerability was found in 2.6 that wasn't addressed over the course of a year prior to the 2.7 release? If the answer is nothing then what update are you looking for in the security software?

            TBH insulting the company for its decisions, strategy and allocation of resources has nothing to do with the non-senior-management people that work there. Nowhere did I insult any mods because I doubt the mods have anything to do with company direction, strategy and resource assignment. They are usually hard workers doing the best that they can.

            FreeBSD had 13 security notices during the time frame of pfSense 2.6 to 2.7 and none were applicable to pfSense? How about OpenSSL, netmap, ioctl, elf, ping security notices? How about the 14 kernel changes? How about the 26 device driver updates? How about the 3 ipfilter updates?

            Now I admit that not all of these may have been applicable to pfSense, but you have to have a really thick skull not to believe that some of them or at the very least one of them should have been ported to pfSense 2.6 CE.

            If one is relying on pfSense CE I hope you're not trying to protect anything valuable?

            Companies that do not listen to honest and true feedback fail. If my feedback is too honest for you, feel free to block me.

              neiltiffin @SteveITS

              @SteveITS said in CE Update Frequency:

              @neiltiffin install the System Patches package and watch for updates to the package.

              Download old versions by making no selections on the page and submit the form. Recent versions are listed on the mirror.

              Thanks, did not know that.

              I tried it and only goes back 1 version to 2.6.0, no older versions.

                SteveITS Galactic Empire @neiltiffin

                @neiltiffin System Patches is version specific, and they issue a package update for new patches. Or they are usually posted in forum or from Redmine entries. Typically used for PHP code or non binary files.

                https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

                  SteveITS Galactic Empire @neiltiffin

                  @neiltiffin oh you meant the download. They had 2.5 a week or two ago, probably pulled it. I believe it’s usually been the one prior version.

                    ahking19 @neiltiffin

                    @neiltiffin you can't have it both ways. First you complain that there were no releases between 2.6 and 2.7. (* as mentioned see System Patches). Then you question why you can't download a version older than 2.6. Pick a lane.

                      SteveITS Galactic Empire @neiltiffin

                      @neiltiffin FWIW there was no intermediate version to be a 2.6.1. 22.09 then 22.11 was skipped due to the OS change, 23.01 still had a lot of bugs/patches due to the PHP version change, and they fixed a few things in/with 23.05.1 when they released 2.7.

                        planedrop @neiltiffin

                        @neiltiffin I agree with everyone here, being insulting isn't the way to go in general and what you said was pretty rude regardless of who it was directed at.

                        But secondly, do some looking around at pfSense vulnerabilities, there aren't many, not all products need updates the way Microsoft does them because not all are Swiss cheese. Smaller issues are also usually addressed via System Patches or package updates depending on what the issue applies to.

                        If you do some googling about it though there aren't really a lot of known security issues or POC exploits for it even historically speaking.

                          neiltiffin @SteveITS

                          @SteveITS said in CE Update Frequency:

                          @neiltiffin System Patches is version specific, and they issue a package update for new patches. Or they are usually posted in forum or from Redmine entries. Typically used for PHP code or non binary files.

                          https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

                          Thanks, that was non-obvious. I manage a number of Linux systems; security updates are applied by doing a system update/upgrade. It seems rather annoying that there is no notification that I should be applying a System Patch. I can't even tell if there are any that are applicable. I sure hope the experience is better with the pfSense Plus.

                          So I went to see if there are any System Patches on 2.6 CE and guess what? It does not work.

                          pfSense-pkg-System_Patches installation failed!

                          WARNING: Current pkg repository has a new PHP major
                          version. pfSense should be upgraded before
                          installing any new package.

                          Look, it does not seem like anything posted here is changing my opinion. Version-specific updates are a system problem that was solved decades ago, but it seems like the pfSense developers just don't get it and everyone here seems ok with that.

                          2.7 is too new and my experience with new major upgrades is that an upgrade will take me a day to get things working again, there are multiple forum entries with problems and no responses. Did I mention that my hardware is a Netgate appliance.

                            bingo600 @neiltiffin

                            @neiltiffin said in CE Update Frequency:
                            If you would read the forum or doc, instead of "whining & nagging", you would discover that pfSense is automatically switching update source to latest Branch, when it becomes available (here 2.7). As it is expecting you to upgrade to latest.

                            There are a kazillion posts about: DON'T upgrade packets before upgrading pfSense, when an upgrade is available.

                            If you want to stay on "previous" update branch, you have to "manually" switch back to previous.
                            [screenshot]

                            Then your system would also stop showing there is an update, and that you are on latest.
                            [screenshot]

                            And if you didn't FSCK up your packages/system already, by trying (succeeding) to install 2.7 packets on a 2.6 system
                            You should be able to install 2.6 (Previous) packets now.

                            Did I mention that my hardware is a Netgate appliance.

                            So you could even have gotten Netgate to help out, instead of bashing them ...

                            SIGH ....

                            /Bingo

                            If you find my answer useful - Please give the post a 👍 - "thumbs up"

                            pfSense+ 23.05.1 (ZFS)

                            QOTOM-Q355G4 Quad Lan.
                            CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                            LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

                              neiltiffin @planedrop

                              @planedrop said in CE Update Frequency:

                              @neiltiffin I agree with everyone here, being insulting isn't the way to go in general and what you said was pretty rude regardless of who it was directed at.

                              But secondly, do some looking around at pfSense vulnerabilities, there aren't many, not all products need updates the way Microsoft does them because not all are Swiss cheese. Smaller issues are also usually addressed via System Patches or package updates depending on what the issue applies to.

                              If you do some googling about it though there aren't really a lot of known security issues or POC exploits for it even historically speaking.

                              Yep did that and found 2 major ones that apply to pfSense 2.6: CVE-2023-27100 (related to SSH) rated 9.8 out of 10, and CVE-2022-23993 rated 6.1. Now CVE-2022-23993 does not apply to me. CVE-2023-27100 does apply and not issuing a .x update is in my opinion not very responsible although the report is very new and I assume that Netgate's solution is to update to 2.7.

                              Secondly, most of the time security vulnerabilities are not published until after a fix has been issued. So yes, there is at least one major vulnerability that went un-resolved in pfSense 2.6.

                              FreeBSD lists 13 security vulnerability acknowledgments that were fixed in FreeBSD 12.4 that pfSense skipped. Not sure how many apply to pfSense.

                              However there are at least 8 reported CVE vulnerabilities in FreeBSD 13.0. I wonder how many have been fixed on pfSense 2.7? Maybe we have to wait another 1.5 years for these fixes? Are they fixed in pfSense Plus in a more timely manner?

                              None of this gives me the feeling that Netgate is supporting pfSense CE in a way that I expect, which is issuing security updates in a reasonable time. Functionality is a different story, but firewall software needs to be secure and especially today when vulnerabilities are found daily.

                                neiltiffin @bingo600

                                @bingo600 said in CE Update Frequency:

                                @neiltiffin said in CE Update Frequency:
                                If you would read the forum or doc, instead of "whining & nagging", you would discover that pfSense is automatically switching update source to latest Branch, when it becomes available (here 2.7). As it is expecting you to upgrade to latest.

                                SIGH ....

                                /Bingo

                                [screenshot]

                                The reason to use a UI is so that it does not allow one to "shoot yourself in the foot". Guess that does not work either?

                                  bingo600 @neiltiffin

                                  @neiltiffin
                                  Refresh Main Page a few times ???

                                  Should show this
                                  [screenshot]

                                  And the Unable to check for update should go away

                                  Edit: Don't bother answering ... You are now "Officially" on my Forum Block List

                                  /Bingo

                                    michmoor LAYER 8 Rebel Alliance

                                    You seem very hostile to folks trying to help. You insulted a company from the very beginning, complained about the lack of security updates, whined about how you can’t get older versions of code with security vulnerabilities, admitted that you have a Netgate device so you continue to fund the company that you think is “brain dead”.
                                    I don’t get you. You’re a contradiction.
                                    I guess that’s what trolls do on the internet - cause controversy but don’t you think your time would be better utilized doing something else? You’re that bored you’d rather be a forum troll? Why?

                                      SteveITS Galactic Empire @neiltiffin

                                      @neiltiffin if you have a Netgate unit and want faster updates just run Plus. 3x per year is the target there.

                                      Don’t install packages for the wrong version; see my sig.
                                      https://redmine.pfsense.org/issues/10464
                                      https://docs.netgate.com/pfsense/en/latest/troubleshooting/upgrades.html#upgrade-not-offered-library-errors

                                      System Patches is relatively new, the last year or two. Might have been after 2.6.

                                      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                                      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                                      Upvote 👍 helpful posts!

                                        neiltiffin @SteveITS

                                        @SteveITS said in CE Update Frequency:

                                        @neiltiffin if you have a Netgate unit and want faster updates just run Plus. 3x per year is the target there.

                                        Nah, I'll switch first. I originally used Netgate and pfSense because it was open source. I understand the need for support. I originally bought a Netgate appliance and paid yearly for the "gold" whatever it was. I would not mind paying $100 to $200 per year for security. But I no longer support proprietary code running on my key edge devices. If I wanted that I would just as easily go purchase a Juniper or Cisco firewall.

                                        Don’t install packages for the wrong version; see my sig.
                                        https://redmine.pfsense.org/issues/10464
                                        https://docs.netgate.com/pfsense/en/latest/troubleshooting/upgrades.html#upgrade-not-offered-library-errors

                                        System Patches is relatively new, the last year or two. Might have been after 2.6.

                                        Yeah, thanks for the help.

                                        My problem with System Patches, now that I am aware of them, is that I cannot find any source of notifications about them being published. I looked at GitHub and read the documentation at https://docs.netgate.com/pfsense/en/latest/development/system-patches.html.

                                        Did I miss something? Or is the only way to know to go into the firewall's patches UI and see if there is anything not applied?

                                          SteveITS Galactic Empire @neiltiffin

                                          @neiltiffin There will be a package update when new patches are added. Often they come from patches from Redmine reports or linked in forum posts.

                                          Jim has posted pinned threads in https://forum.netgate.com/category/16/pfsense-packages for updates.

                                            neiltiffin @michmoor

                                            @michmoor said in CE Update Frequency:

                                            You seem very hostile to folks trying to help. You insulted a company from the very beginning, complained about the lack of security updates, whined about how you can’t get older versions of code with security vulnerabilities, admitted that you have a Netgate device so you continue to fund the company that you think is “brain dead”.

                                            No, I have a hostile opinion about a company that is not performing the way I think they should. I've not insulted any individuals or anyone that was willing to help.

                                            My Netgate device is old, make that probably 2014. I need to replace it and it looks like I am going a different direction. Until pfSense Plus I was generally happy with pfSense except for the fact that the UI upgrades easily blew up.

                                            Not happy any more, but I guess you and others that attack the form of the message are not interested in that and the facts.

                                            I don’t get you. You’re a contradiction.

                                            If you don't want to hear my opinions then block me. Won't hurt my feelings.

                                            I guess that’s what trolls do on the internet - cause controversy but don’t you think your time would be better utilized doing something else? You’re that bored you’d rather be a forum troll? Why?

                                            Nope, I am a frustrated user that is wondering why Netgate has chosen to move in a direction that will lose me as a customer.

                                            If you're not going to help, why respond at all? Oh I get it, can't refute the facts so attack the messenger.

                                            The fact remains that any edge security device that has not received any security updates in 1.5 years in today's environment is a problem (which I just realized regarding pfSense 2.6 to 2.7 without any intervening updates).

                                            The fact that updates are hidden away in patches is a problem. Normal people do not consider patches something that is done on a regular basis unless one is having problems.

                                            Not saying there are not valid reasons for each, but as a user that is not a full time firewall monitoring person these reasons are not so important for my use case.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.