2.4.5 date?
-
@jimp 2.4.4 was released in May, i.e. over half a year ago. That's a very long time to not have any security updates. FreeBSD itself, nginx, PHP, etc. have all had security updates since then. Hopefully none of them are exploitable in pfsense's usage, but it would be nice to have more frequent security updates.
In fact, running 'pkg audit -F' outputs a whole bunch of stuff:
expat-2.2.5 is vulnerable:
expat2 -- Fix extraction of namespace prefixes from XML names
WWW: https://vuxml.FreeBSD.org/freebsd/c5bd8a25-99a6-11e9-a598-f079596b62f9.htmlexpat-2.2.5 is vulnerable:
expat2 -- Fix extraction of namespace prefixes from XML names
WWW: https://vuxml.FreeBSD.org/freebsd/6856d798-d950-11e9-aae4-f079596b62f9.htmlcurl-7.64.0 is vulnerable:
curl -- multiple vulnerabilities
CVE: CVE-2019-5482
CVE: CVE-2019-5481
WWW: https://vuxml.FreeBSD.org/freebsd/9fb4e57b-d65a-11e9-8a5f-e5c82b486287.htmlcurl-7.64.0 is vulnerable:
curl -- multiple vulnerabilities
CVE: CVE-2019-5436
CVE: CVE-2019-5435
WWW: https://vuxml.FreeBSD.org/freebsd/dd343a2b-7ee7-11e9-a290-8ddc52868fa9.htmlphp72-7.2.10 is vulnerable:
php -- env_path_info underflow in fpm_main.c can lead to RCE
CVE: CVE-2019-11043
WWW: https://vuxml.FreeBSD.org/freebsd/6a7c2ab0-00dd-11ea-83ce-705a0f828759.htmllibnghttp2-1.32.0 is vulnerable:
nghttp2 -- multiple vulnerabilities
CVE: CVE-2019-9513
CVE: CVE-2019-9511
WWW: https://vuxml.FreeBSD.org/freebsd/121fec01-c042-11e9-a73f-b36f5969f162.htmlunbound-1.9.1 is vulnerable:
unbound -- parsing vulnerability
CVE: CVE-2019-16866
WWW: https://vuxml.FreeBSD.org/freebsd/108a4be3-e612-11e9-9963-5f1753e0aca0.htmlunbound-1.9.1 is vulnerable:
unbound -- parsing vulnerability
CVE: CVE-2019-18934
WWW: https://vuxml.FreeBSD.org/freebsd/ffc80e58-0dcb-11ea-9673-4c72b94353b5.htmlnginx-1.14.1,2 is vulnerable:
NGINX -- Multiple vulnerabilities
CVE: CVE-2019-9516
CVE: CVE-2019-9513
CVE: CVE-2019-9511
WWW: https://vuxml.FreeBSD.org/freebsd/87679fcb-be60-11e9-9051-4c72b94353b5.htmllibidn2-2.0.5 is vulnerable:
libidn2 -- roundtrip check vulnerability
CVE: CVE-2019-12290
WWW: https://vuxml.FreeBSD.org/freebsd/f04f840d-0840-11ea-8d66-75d3253ef913.htmloniguruma-6.8.1 is vulnerable:
oniguruma -- multiple vulnerabilities
CVE: CVE-2019-13225
CVE: CVE-2019-13224
WWW: https://vuxml.FreeBSD.org/freebsd/a8d87c7a-d1b1-11e9-a616-0992a4564e7c.htmlIt would be nice to have more frequent minor releases to address issues like there.
-
We are well aware of everything in that regard. We don't need convincing. They're coming, and we're working on them, but we aren't going to rush things.
-
Thanks for the fast reply. I didn't think you needed convincing on the what, but maybe on the when. :)
For sure there is a balance between: releasing too often, with too little testing; and cramming too much into a release and waiting too long.
pfsense 2.4.4 is 7 months old on Monday. That's a very long time. I've bought 3 appliances from netgate, but it's to the point now that I'm researching alternatives.
I can't help but contrast with OPNsense (which I've never used), which seems to act on security updates very quickly.
-
The 2.4.5 development snapshots is up, for the ones who haven't noticed :)
-
Now that the fixes are in for the sg-3100 and we are down to 15 issues, I am wondering if there is a better idea of a release date. Thanks
-
@techpro2004 said in 2.4.5 date?:
Now that the fixes are in for the sg-3100 and we are down to 15 issues, I am wondering if there is a better idea of a release date. Thanks
@MORGiON said in 2.4.5 date?:
@techpro2004 when itโs ready
Nothing changed. Why is this so hard to understand?
-
Jimp, anything
-
Soon.
-
Soon is a relative term. For example silicondust announced their prime 6 many years ago saying it would be out soon but it is still not available. Can you give us a better idea then that? thanks.
-
@techpro2004 follow the redmine
-
The redmine does not have an idea of a release date, only what is left. Also it went up not down since I last looked.
-
Possible solution? I suggest an "Ignore Thread" button for the forum...
-
@techpro2004 Correct, that's as close as your going to get to a date.
-
"I'm getting closer to my boat" The question is how close? There are more tickets open now then when I started this thread.
https://www.youtube.com/watch?v=fyF5J7au1jE
-
@techpro2004 said in 2.4.5 date?:
There are more tickets open now then when I started this thread.
Actually.. There were more than 15 open when you started and now only 13 open as you post this. So..
-
Can't understand people here. Are any of you thinking hitting F5 every 5 minutes and spamming "release when!?" and complaining about even more tickets will get you the release any sooner? They could release right this moment. And everyone would bitch back how they could do such ab shitty job releasing such a buggy release etc. etc. It's completely normal that when working on burning down the last tickets new issues arise and bugs pop up. Better now in testing then in production.
What do you really want? A stable and safe to upgrade 2.4.5 release or a rush-job so you get your new shiny version number on your dashboard? If it's the last one - just install the 2.4.5 snapshots. You'll even get a new release number every few hours when new releases were built -
Counting issues is a poor metric for how close we are to a release, especially when the count is this low.
A little trivia:
Of the 12 issues remaining open on 2.4.5:
- 6 are in feedback state in need of testing (And one of those is an issue in a package which is not a blocker)
- 4 are release-related tasks (write release notes, SAs, blog post, update docs) and are not bugs
- 2 are actual bugs that remain to be solved
As with any release, if you want to see it released faster, test the snapshots and report any issues you find.
Nothing short of confirming things work properly will speed up the release process.
-
Would love to test.
On a live system, with captive portal users ...
I'm waiting for Luiz .... -
And then there were only 5 issues left. Are we looking at this week or next? Thanks.
-
Still no ETA. There are some issues yet to work out for captive portal and our various hardware platforms. I would hope to at least see an RC sometime next week but don't quote me on that. We don't know how long it will take to iron out the remaining issues for certain.