Update pfSense packages to protect against NGINX, libzmq4, and curl vulnerabilities

redtech116 · Feb 20, 2019, 1:07 AM

noob questions ...
Will the 'reinstall packages' button under the Diagnostics>backup&restore....do that same thing?

Steve_B · Feb 20, 2019, 1:36 PM

The "Reinstall packages" button reinstalls user-selected/installed packages E.g.: Snort or pfBlockerNG. The packages that are the subject of this notice are required, built-in packages so the command line way is the only way for now.

MarekAndreansky · Feb 20, 2019, 6:27 PM

@redtech116 said in Update pfSense packages to protect against NGINX, libzmq4, and curl vulnerabilities:

einstall packages' button under the Diagnosti

You can enable SSH via System -> Advanced - Secure Shell Server - tick enable then click save.

You will then be able to connect to your Firewall via putty. I disabled ssh after doing what needs to be done as I prefer to use the web gui instead and don't need another open path to my device.

Gertjan · Feb 21, 2019, 4:05 PM

@marekandreansky said in Update pfSense packages to protect against NGINX, libzmq4, and curl vulnerabilities:

I prefer to use the web gui instead and don't need another open path to my device

Well ...
This time

(the RSS feed in the GUI)
and this :

(part of the Newsletter mail received today, Feb 21, 2019)

talks about using the console access.

Upgrading NGINX - as you might know, this is the web server of the GUI - shouldn't be done using the same GUI.
It might work of course - but if anything goes wrong, you're locked out.

The SSH (console access) is using worlds best protected access method (paired with some public/private keys) - the GUI is only and will always be next-best.
In this case, it's just a question of login using Putty - go option 8 and pasting the commands

pkg update; pkg upgrade

let it do its job, and
exit [enter]
and
0 [enter]

(test you GUI ^^)

inqq · Feb 23, 2019, 12:25 AM

It's a little problematic that the last 2.4.5 DEVEL version broke the backup functionality, and won't be updated until 2.5.0 snapshots come out -- but the instructions here are to backup the full config before the pkg update/upgrade.

https://redmine.pfsense.org/projects/pfsense/repository/revisions/e0b32eb9e6b040fd14025b5c32644959ba67250e

callen · Feb 24, 2019, 1:43 PM

Noob question: I'm currently on 2.4.4-RELEASE-p1. Does the warning message mean that by upgrading to 2.4.4-p2 these security related packages are updated as well?

Grimson · Feb 24, 2019, 1:49 PM

@callen said in Update pfSense packages to protect against NGINX, libzmq4, and curl vulnerabilities:

Noob question: I'm currently on 2.4.4-RELEASE-p1. Does the warning message mean that by upgrading to 2.4.4-p2 these security related packages are updated as well?

@dennis_s said in Update pfSense packages to protect against NGINX, libzmq4, and curl vulnerabilities:

Warning: If you are running a version of pfSense prior to 2.4.4-p2 simply update to that version to benefit from these changes.

It's even written in red, so improve your reading skills.

callen · Feb 24, 2019, 1:55 PM

@grimson thanks for not being a jerk about my message. Makes me want to continue to ask questions when I'm not sure.

JeGr · Feb 25, 2019, 12:08 PM

@callen If unsure ask away. Maybe it's clear but asking for clarification never hurts. Not everyone got up on the wrong side of bed ;)

Gil · Mar 4, 2019, 1:41 AM

I updated using the Diagnostics / Command Prompt as a lazy mans way around SSH or console access.

Execute Shell Command: pkg update; pkg upgrade -y

bcruze · Mar 9, 2019, 10:23 AM

Glad I saw this posted somewhere on the forum my box is updated, a little different as this time i upgraded from a Mac