Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    pfSense 2.5.0 release date?

    Scheduled Pinned Locked Moved
    General pfSense Questions
    5
    9
    2.9k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      romor
      last edited by

      HI,

      do you know someone, when will be release date of new pfSense?
      Because of in current pfSense are 10 packages with vulnerabilities, which are updated only with pfSense Update and last pfSense release was in Juni 2020.

      Thx

      johnpozJ 1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator @romor
        last edited by

        And what packages are these specifically?

        The latest info I am aware of, is that 2.5 and the new + version hoping to be released in feb.. But as always pfsense is released when its ready..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.03 | Lab VMs 2.7.2, 24.03

        1 Reply Last reply Reply Quote 1
        • R
          romor
          last edited by

          libxml2-2.9.10 is vulnerable:
          libxml -- multiple vulnerabilities
          WWW: https://vuxml.FreeBSD.org/freebsd/f5abafc0-fcf6-11ea-8758-e0d55e2a8bf9.html

          curl-7.67.0 is vulnerable:
          curl -- multiple vulnerabilities
          CVE: CVE-2020-8177
          CVE: CVE-2020-8169
          WWW: https://vuxml.FreeBSD.org/freebsd/6bff5ca6-b61a-11ea-aef4-08002728f74c.html

          curl-7.67.0 is vulnerable:
          curl -- expired pointer dereference vulnerability
          CVE: CVE-2020-8231
          WWW: https://vuxml.FreeBSD.org/freebsd/b905dff4-e227-11ea-b0ea-08002728f74c.html

          curl-7.67.0 is vulnerable:
          cURL -- Multiple vulnerabilities
          CVE: CVE-2020-8286
          CVE: CVE-2020-8285
          CVE: CVE-2020-8284
          WWW: https://vuxml.FreeBSD.org/freebsd/3c77f139-3a09-11eb-929d-d4c9ef517024.html

          mpd5-5.8_10 is vulnerable:
          Multi-link PPP protocol daemon MPD5 remotely exploitable crash
          CVE: CVE-2020-7466
          CVE: CVE-2020-7465
          WWW: https://vuxml.FreeBSD.org/freebsd/cd97c7ca-f079-11ea-9c31-001b216d295b.html

          python37-3.7.7 is vulnerable:
          Python -- CRLF injection via the host part of the url passed to urlopen()
          CVE: CVE-2019-18348
          WWW: https://vuxml.FreeBSD.org/freebsd/ca595a25-91d8-11ea-b470-080027846a02.html

          python37-3.7.7 is vulnerable:
          Python -- multiple vulnerabilities
          CVE: CVE-2020-8492
          CVE: CVE-2019-18348
          WWW: https://vuxml.FreeBSD.org/freebsd/33c05d57-bf6e-11ea-ba1e-0800273f78d3.html

          python37-3.7.7 is vulnerable:
          Python -- multiple vulnerabilities
          CVE: CVE-2020-15523
          CVE: CVE-2020-14422
          WWW: https://vuxml.FreeBSD.org/freebsd/3fcb70a4-e22d-11ea-98b2-080027846a02.html

          python37-3.7.7 is vulnerable:
          Python -- Regular Expression DoS attack against client
          CVE: CVE-2020-8492
          WWW: https://vuxml.FreeBSD.org/freebsd/a27b0bb6-84fc-11ea-b5b4-641c67a117d8.html

          php72-7.2.29 is vulnerable:
          php72 -- use of freed hash key
          CVE: CVE-2020-7068
          WWW: https://vuxml.FreeBSD.org/freebsd/ee261034-b95e-4479-b947-08b0877e029f.html

          libnghttp2-1.40.0 is vulnerable:
          nghttp2 -- DoS vulnerability
          CVE: CVE-2020-11080
          WWW: https://vuxml.FreeBSD.org/freebsd/4bb56d2f-a5b0-11ea-a860-08002728f74c.html

          sudo-1.8.31 is vulnerable:
          sudo -- Multiple vulnerabilities
          CVE: CVE-2021-3156
          WWW: https://vuxml.FreeBSD.org/freebsd/f3cf4b33-6013-11eb-9a0e-206a8a720317.html

          sudo-1.8.31 is vulnerable:
          sudo -- Potential information leak in sudoedit
          CVE: CVE-2021-23239
          WWW: https://vuxml.FreeBSD.org/freebsd/6193b3f6-548c-11eb-ba01-206a8a720317.html

          unbound-1.10.1 is vulnerable:
          Unbound/NSD -- Denial of service vulnerability
          CVE: CVE-2020-28935
          WWW: https://vuxml.FreeBSD.org/freebsd/388ebb5b-3c95-11eb-929d-d4c9ef517024.html

          sqlite3-3.30.1 is vulnerable:
          several security issues in sqlite3
          CVE: CVE-2020-13632
          CVE: CVE-2020-13631
          CVE: CVE-2020-13630
          CVE: CVE-2020-13435
          CVE: CVE-2020-13434
          CVE: CVE-2020-11655
          WWW: https://vuxml.FreeBSD.org/freebsd/c4ac9c79-ab37-11ea-8b5e-b42e99a1b9c3.html

          devcpu-data-1.28 is vulnerable:
          Intel CPU issues
          CVE: CVE-2020-0543
          WWW: https://vuxml.FreeBSD.org/freebsd/fbcba194-ac7d-11ea-8b5e-b42e99a1b9c3.html

          johnpozJ 1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator @romor
            last edited by johnpoz

            Thanks.. Ok I thought you were talking about packages, like pfblocker or arpwatch, etc. sort of packages.

            The one that jumped out at me was the unbound one.. While your concern is valid.. I wouldn't think that unbound one is much of a risk
            "This could allow for a local symlink \ attack if an attacker has access to the user Unbound/NSD runs as."

            Who would have access to firewall to run such an attack?

            But those packages can and sometimes are updated without a full version update. You could install the 2.5 snapshot to see what versions of those packages are being used currently.. You could also look here https://docs.netgate.com/pfsense/en/latest/releases/2-5-0.html for security fixes, etc. That included with the upgrade.

            Depending on what "package" uses specific "packages" ;) When the package is updated, those can be update. As well I do recall them posting that you could run pkg update to update some packages that had some vuln..

            Here is one time came up that I recall.
            https://www.netgate.com/blog/update-pfsense-packages-to-protect-against-vulnerabilities.html

            I would think if there was any vuln, that was of concern they would make sure it got updated prior to normal release, etc.

            edit: scanning through some of these.. Are you running L2TP for example
            " Installations not using L2TP clients nor L2TP server configuration were not affected."
            the mdp5 ones..

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.03 | Lab VMs 2.7.2, 24.03

            1 Reply Last reply Reply Quote 0
            • R
              romor
              last edited by

              Hi,
              i did upgrade one of test pfSense to 2.5.0 and then i tried pkg audit to check vulnerabilities.
              All was ok without vulnerabilities.
              That mean, release of 2.5.0 is important for us :-)

              pkg update/upgrade on version 2.4.5.p1 i tested, but there is only a few updates, not all security updates.
              After install upgrades is count of vulnerabilities same (16 in 10 packages).

              H 1 Reply Last reply Reply Quote 0
              • H
                Harvy66 @romor
                last edited by

                Recent commit Welcome 2.5.0-RC

                It's time to move to 2.6.0-DEVELOPMENT

                1 Reply Last reply Reply Quote 3
                • P
                  peter-fyri
                  last edited by

                  2.5.0 released :)

                  R 1 Reply Last reply Reply Quote 2
                  • R
                    romor @peter-fyri
                    last edited by

                    @peter-fyri
                    Super :-)
                    I tried to upgrade it on our ST FW and all without problem.
                    Then i did upgrade of our second test FW (HA solution) and secondary node was upgraded successfully, but primary node after upgrade and reboot didn't start with error of unexisting KERNEL. :-/

                    Seondary node was in that time CARP MASTER, but OpenVPN connection was in terrible state (VPN was connect and disconnect unexptected.
                    I have to wait for first patch, of version 2.5.0 because it looks like, when we are using lot of components on pfSense, upgrade of PROD firewalls isn't so good idea :-)

                    GertjanG 1 Reply Last reply Reply Quote 0
                    • GertjanG
                      Gertjan @romor
                      last edited by

                      @romor said in pfSense 2.5.0 release date?:

                      but primary node after upgrade and reboot didn't start with error of unexisting KERNEL. :-/

                      The file - the kernel, wasn't there.
                      That's most probably a file system error, a situation that can happens when the power fails.
                      A preventive reboot just before upgrading will repair such a situation, as a 'fsck' is done before booting of the disk, repairing this issue (and DO check the boot log results before upgrading).
                      Bringing hidden issues into the upgrade process is a bad idea.
                      Not knowing what the state of a system is before upgrading is also not advisable.

                      ( also : prepare a backup config - prepar an USB 'B' key with 2.4.5-p1 to be ready to get back in case of doubts )

                      @romor said in pfSense 2.5.0 release date?:

                      upgrade of PROD firewalls isn't so good idea

                      Wasn't that the reason why you use a master slave set up ? ;)
                      It's actually a good idea to test the backup system.

                      Btw : I do not have a master slave set up, so for me, it's will be the preparation as mentioned and the upgrade will be done tomorrow or Sunday, when the company's activity is less critical.
                      @home, yesterday, things were way more easier, as I'm using a VM version.
                      It was a matter of "click on upgrade" and yelling go-go-go-go because I didn't want to miss the Youtube feeds about the Perseverance touchdown. It was done within 10 minutes (I guess, didn't actual watch the upgrade process, I'll analyse the upgrade log this evening for events).

                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??

                      1 Reply Last reply Reply Quote 0
                      • First post
                        Last post