Netgate Discussion Forum

    Curl and ntp updates on pfSense 2.3.3-RELEASE-p1?

    Problems Installing or Upgrading pfSense Software
    • phil.davis

      From the webGUI it says "The system is on the latest version."
      But yes, from console menu item 13 it offers:

      Installed packages to be UPGRADED:
              pfSense-upgrade: 0.20 -> 0.21 [pfSense]
              ntp: 4.2.8p9_1 -> 4.2.8p10_2 [pfSense]
              curl: 7.53.0 -> 7.53.1_1 [pfSense]
      
      

      I guess that recent updates to these have come through to the "master" update server and so are being offered.
      pfSense is no longer a "monolithic release" so there are various underlying packages that are "core" but could have "asynchronous" releases happen. If that is intended to happen (not just unintentional offering of these package updates), then it gets us in a situation where saying "I am running pfSense 2.3.3-p1" is not a complete well-defined way for others to know exactly what is running. It makes debugging a little more complex, because then, for example, if the issue is NTP-related, someone then has to check "and which version of ntp is it running?"

      A bit of guidance about the intended policy and update workflow from those designing it would be useful…

      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

      • kpa

        Yep. The update process should be split into two parts where one offers a "firmware" update and another one that handles the micro-updates and shows the update status of individual packages that may have updates available.

        • dread

          Hi,

          "ntpd --version" :

          ntpd 4.2.8p10@1.3728-o Wed Apr 12 17:38:38 UTC 2017 (1)

          "pkg info ntp" :

          Name          : ntp
          Version        : 4.2.8p10_2

          ntpd.log :

          ...
          Apr 13 02:09:51 gateway ntpd[35839]: ntpd 4.2.8p10@1.3728-o Wed Apr 12 17:38:38 UTC 2017 (1): Starting
          …

          I did get the announcement/security note (FreeBSD-SA-17:03.ntp) for FreeBSD but I did not find any for pfSense.

          And the webgui vs command line did not provide the same information.

          I guess everything else is ok but we are missing announcements? Would be great to get security updates and security announcements for pfSense quickly after they have been released for FreeBSD.

          I'm running pfSense SG-4860. 1-year support period is over.

          Thanks a lot,

          • johnpoz LAYER 8 Global Moderator

            So you want pfsense to announce every update for all the packages in the repository?  Going to be a lot of announcements ;)

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • phil.davis

              @johnpoz:

              So you want pfsense to announce every update for all the packages in the repository?  Going to be a lot of announcements ;)

              pfSense is a "turnkey" firewall-router solution for which end-users do not even need to know that there is FreeBSD underneath, and do not need to know what other pieces (FreeBSD packages) make up the "core". So, IMO, there should be some way to announce parts of the pfSense "core" that have updates (tested and) released (with links to relevant FreeBSD or other security and release notes). Those maintaining the pfSense list of what FreeBSD packages/versions are offered for pfSense do need to do some level of testing to verify that a new/patch release of some "core" FreeBSD package does not cause regression/bugs in the pfSense software's use of that package.

              Actually I would be inclined to bump the pfSense patch release number whenever a (set of) underlying core FreeBSD package(s) are made available - e.g. 2.3.3-p2 to 2.3.3-p3. Then that will show up on the webGUI as a pfSense "patch" release, and that patch release will be associated with a well-defined set of underlying "core" FreeBSD package+versions.

              • johnpoz LAYER 8 Global Moderator

                You could say the same thing about ubuntu or any other linux or bsd distro.. The overall system is "turn key" solution and the end user does not need to know what is underneath.. Same goes for windows or any other OS ;)

                They don't bump their release number every time a package or patch gets released/updated.

                So we are going to be getting very high P numbers…  Oh you're on p21, you need to make sure you're on p23 ;)

                You make a valid point of testing the packages as they pull them into the official pfsense repository, you have to assume they are being tested??  But are they?

                • dread

                  @johnpoz:

                  So you want pfsense to announce every update for all the packages in the repository?  Going to be a lot of announcements ;)

                  Thank you both for your reply.

                  I basically want an announcement of every security related package update if the package is included in the pfSense "base" or "core" (like ntpd). The update system should work both from Web GUI and command line as well, just if it's possible.

                  • jimp Rebel Alliance Developer Netgate

                    We haven't rolled a formal patch release for those since that would involve a lot more work, but we wanted to get the fixes out there for people to use if they were worried.

                    None of the vulnerabilities that I saw in NTP or cURL were critical in the way they are used on pfSense. The NTP issues were config parsing (irrelevant), a local crash from someone who can create a device (would have to already be root, so again irrelevant), and a remote DOS where someone would have to be able to spoof every configured time server (weird and maybe relevant but still just a DOS and difficult to exploit). cURL's was in command line parsing, which again, isn't relevant in how it's used on pfSense.

                    If we change our minds and make a patch release we'll put a note in the release announcement and whatnot, but for now, people concerned about those can get the pkg update.

                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    • johnpoz LAYER 8 Global Moderator

                      "We haven't rolled a formal patch release for those since that would involve a lot more work"

                      lot more work I think is an understatement ;)

                      Sounds like they want pfsense to announce every time there is a release of a new package that is put into the pfsense repository..  You prob get hit from both sides.. If you don't include it in the pf repository then you will get people complaining that hey there was a new release of package xyz why was it not included.  And you're getting hey I see you updated package xyz why was it not announced..

                      With some of the sub packages it's even difficult to find the release notes of what was changed, etc. or why.. Let's use a popular linux distro as an example.  Is there one place I can go and look for every package update of say ubuntu?  If I am curious when I run apt-get update, and then apt-get upgrade and see packages that are updated I have to go track down the specific package on some place dedicated to that package to find out what was changed and or why etc..

                      If someone is aware of a list somewhere the popular distros list the details of every package in chron order of update and details I would love to see that ;) And they sure don't update their release build number to include an incremental number every time a package is updated.  It very well could be a bug fix the package maintainer released that has no security implications or might even be a simple typo fix or something, etc.

                      • coxhaus

                        I run NTP on pfsense.  Do I need to track and perform separate updates to NTP?  I don't need every update just the critical ones.

                        • dread

                          @jimp:

                          We haven't rolled a formal patch release for those since that would involve a lot more work, but we wanted to get the fixes out there for people to use if they were worried.

                          Thank you for your explanation. For me personally, it’s ok to get smaller updates and minor security fixes just by running pkg from command line. Thanks a lot for the patches. Good to know how this is going on.

                          For those concerned, please just check (my guess this is the issue here):

                          FreeBSD-SA-17:03.ntp

                          https://www.freebsd.org/security/advisories/FreeBSD-SA-17:03.ntp.asc

                          I really appreciate the availability of the patches anyway and the hard work you are doing for pfSense.

                          :)

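As an added example (not code from the thread or from the pfSense project): a small sh/awk filter that parses a pkg upgrade listing in the layout quoted in the first post and reports pending upgrades for a watch list of core packages such as ntp and curl. The function names and the watch list are hypothetical, the sample input is copied from the quoted listing, and it assumes live `pkg upgrade -n` output uses the same layout.

```sh
#!/bin/sh
# Added example, not pfSense code. Function names are hypothetical.

# Constructed sample: the upgrade listing quoted in the first post.
SAMPLE='Installed packages to be UPGRADED:
        pfSense-upgrade: 0.20 -> 0.21 [pfSense]
        ntp: 4.2.8p9_1 -> 4.2.8p10_2 [pfSense]
        curl: 7.53.0 -> 7.53.1_1 [pfSense]
'

# Read a pkg upgrade listing on stdin; print "name old new repo" per entry.
pending_upgrades() {
    awk '
        /^Installed packages to be UPGRADED:/ { in_list = 1; next }
        in_list && /^[^ \t]/ { in_list = 0 }   # next unindented line ends the list
        in_list && $3 == "->" {
            name = $1; sub(/:$/, "", name)
            repo = $5; gsub(/\[|\]/, "", repo)
            print name, $2, $4, repo
        }'
}

# Same, restricted to the space-separated package names given in $1.
watched_pending() {
    pending_upgrades | awk -v watch="$1" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        ($1 in want) { print }'
}

# Offline run on the sample. On a firewall shell the input would instead be:
#   pkg upgrade -n | watched_pending "ntp curl"
printf '%s' "$SAMPLE" | watched_pending "ntp curl"
```

Each output line can be checked against the matching advisory (for ntp, the FreeBSD-SA-17:03.ntp notice linked in the thread) to decide whether the pending upgrade matters for the way the package is used on the firewall.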
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.