Now Available: pfSense® CE 2.8.0-RELEASE
-
Add on to the update policy of pfSense CE:
I understand that maintaining CE software needs time and effort, and I am very fine with the update policy of pfSense itself (now two years since the last bigger release) because I have loved pfSense and its stability for many years and do not consider switching products like others do, and I don't want to argue about update policy here.
The only thing I find a bit inconsequent in the upgrade policy is my following example in respect of security issues of pfSense product / packages.
I use SQUID package since years because of caching and ClamAV scanning (with MITM interception). I didn't notice that Netgate deprecated the package 1,5 years ago: [link Deprecation message](https://www.netgate.com/blog/deprecation-of-squid-add-on-package-for-pfsense-software) because I wasn't aware of and therefore proceeded using SQUID without awareness of security flaws.
The issues with SQUID were obviously some security flaws in the SQUID software, but they were fixed with version 6.10. Despite these circumstances, the package on pfSense (which could still be installed by users) stayed on version 6.8.
I am happy that pfSense 2.8.0 now uses SQUID version 6.12 and I can proceed using pfSense with the SQUID package. What I want to say is that it is a bit inconsequent to stop developing because of security issues (but still provide the package) and not fix it when the security issues have been resolved.
I know pfSense offers patches during lifetime for pfSense itself. But maybe you consider at least to offer also package updates during lifetime when security issues arise.
Otherwise great job, and I hope pfSense 2.8.0 keeps on fulfilling my firewall needs with stability in the upcoming years!
-
Updated this morning. Using pfBlockerNG as an add-on. Its service needed to be manually restarted and CPU was running at 52%. A restart of pfSense and CPU usage went down to 1%. All good so far.
RAM drive usage went up from 8% to 13%.
-
Further update on SQUID package. I just noticed that updating to 2.8.0 breaks SQUID package from running:
-
Received PHP error after update from LightSquid described above
-
System logs:
May 29 10:20:45 php-fpm 409 /rc.start_packages: The command '/usr/local/sbin/squid -f /usr/local/etc/squid/squid.conf' returned exit code '1', the output was 'ld-elf.so.1: /usr/local/sbin/squid: Undefined symbol "_ZTVNSt3__117bad_function_callE"'
May 29 10:20:44 php-fpm 409 /rc.start_packages: The command '/usr/local/libexec/squid/security_file_certgen -c -s /var/squid/lib/ssl_db -M 4MB' returned exit code '1', the output was 'ld-elf.so.1: /usr/local/libexec/squid/security_file_certgen: Undefined symbol "_ZTTNSt3__119basic_ostringstreamIcNS_11char_traitsIcEENS_9allocatorIcEEEE"'
- Reinstalling SQUID package and Lightsquid package does not fix the issue.
-
-
@ramup said in Now Available: pfSense® CE 2.8.0-RELEASE:
I use SQUID package since years because of caching and ClamAV scanning (with MITM interception). I didn't notice that Netgate deprecated the package 1,5 years ago: [link Deprecation message](https://www.netgate.com/blog/deprecation-of-squid-add-on-package-for-pfsense-software) because I wasn't aware of and therefore proceeded using SQUID without awareness of security flaws.
The issues with SQUID were obviously some security flaws in the SQUID software, but they were fixed with version 6.10. Despite these circumstances, the package on pfSense (which could still be installed by users) stayed on version 6.8.
The Squid security issues have been patched as of December 2024... I think the documentation needs to be updated.
-
-
@b3rt I am not 100% sure but I believe pfSense CE 2.7.2 users did not receive a package update.
-
@ramup said in Now Available: pfSense® CE 2.8.0-RELEASE:
@b3rt I am not 100% sure but I believe pfSense CE 2.7.2 users did not receive a package update.
I think there is no difference between CE / pfsense + package, it's all based on this package, no?
https://github.com/pfsense/FreeBSD-ports/commits/devel/www/pfSense-pkg-squid
And that by itself is behind the more up-to-date FreeBSD version.
-
Hi,
the GUI update is offering me, when choosing 2.8.0 stable branch, the version 2.8.0.1500029 - is this correct?
Regards,
fireodo
-
Great news and thank you. Two years is a looong time in this industry mind you but the mob will indeed be pleased (if not reassured!).
-
@b3rt
Yes there were differences between CE / plus users in respect of squid package.
CE users package stayed at 0.4.somewhat version while up-to-date-package was 0.5.3
-
@b3rt
pfsense 2.7.2 users stayed at "Config Rev 23.3"
pfSense Versions
while pfSense Plus users changed to "Config Rev 23.6" on 2024-11-25 and higher since then.
pfSense 2.8.0 now uses "Config Rev 24.0" equally to pfSense Plus
-
@ramup said in Now Available: pfSense® CE 2.8.0-RELEASE:
@b3rt
pfsense 2.7.2 users stayed at "Config Rev 23.3"
pfSense Versions
while pfSense Plus users changed to "Config Rev 23.6" on 2024-11-25 and higher since then.
pfSense 2.8.0 now uses "Config Rev 24.0" equally to pfSense Plus
Right, that's all ok (:
Are you sure this impacts the list of available packages? Given these packages are by default not part of any pfSense version?
-
@fireodo said in Now Available: pfSense® CE 2.8.0-RELEASE:
the version 2.8.0.1500029 - is this correct?
Yes, that's correct. The appended kernel version is the result of build system changes. The display code is fixed in 2.8.0 but 2.7.2 will still show that until you upgrade.
-
@stephenw10 said in Now Available: pfSense® CE 2.8.0-RELEASE:
@fireodo said in Now Available: pfSense® CE 2.8.0-RELEASE:
the version 2.8.0.1500029 - is this correct?
Yes, that's correct. The appended kernel version is the result of build system changes. The display code is fixed in 2.8.0 but 2.7.2 will still show that until you upgrade.
Thanks!
-
Is there going to be an offline installation image? I don't see it here:
https://atxfiles.netgate.com/mirror/downloads/
-
Not currently. New installs of 2.8.0 are via the Net Installer only.
-
I just performed a dirty update and it all worked without any issues. Good work guys and keep it up.
-
@stephenw10 Did you guys at least manage to include the other kernel drivers in the default kernels, like iscsi or rs232? Or do we need to compile it ourselves again?
-
For any specific driver? It's pretty much the same included drivers as 2.7.2.
-
@stephenw10
I performed today a fresh install on new SSD from 2.7.2 to 2.8.0 with restore configuration from media during install. All went smooth. Perfect !!!