No Update 2.8.0 available
-
Hi all,
There was a security issue reported with pfSense on a German IT platform (Cross-Site Scripting: Security vulnerabilities in pfSense allow admin cookie theft). See:
https://www.heise.de/news/Cross-Site-Scripting-Sicherheitsluecken-in-pfSense-ermoeglichen-Admin-Cookieklau-9696756.html
Furthermore, it's mentioned here that there are already updates available to fix the problem. For the CE version, this would be version 2.8.0. However, this version is not offered in the web UI.
with best
pixel24
-
The Patches package doesn't have a solution ready?
-
@pixel24 there is no update to 2.8.0 yet, the pfSense Plus just came out and I assume it will take a while for CE to be updated.
But: the System_Patches package probably contains fixes for it:
Fix potential stored XSS via services_acb_settings.php "frequency" parameter (pfSense-SA-24_02.webgui, Redmine #15224)
Fix potential XSS due to PHP error display formatting issues (After applying, reboot or use console/ssh menu options 11/16 to restart PHP and the GUI, pfSense-SA-24_03.webgui, Redmine #15263, Redmine #15264)
Fix Potential XSS from jquery-treegrid unit testing files (Once applied, this patch may not offer a revert option, pfSense-SA-24_04.webgui, Redmine #15265)
-
See https://forum.netgate.com/topic/187622/system-patches-package-v2-2-10_1 for 2.7.2/23.09.1.
-
@Gertjan I've never worked with the Patches package before. I've always installed updates exclusively through the web UI.
-
@pixel24
You can apply the patches via the GUI.
Install the System_Patches package and go to System / Patches and apply them all.
-
@pixel24 said in No Update 2.8.0 available:
@Gertjan I've never worked with the Patches package before. I've always installed updates exclusively through the web UI.
That is for program updates. Netgate releases fixes in between version updates. They are normally included in the next version. They often backport security fixes.