Netgate Discussion Forum

Update pfSense packages to protect against NGINX, libzmq4, and curl vulnerabilities

Messages from the pfSense Team
    dennis_s
    last edited by Feb 15, 2019, 9:34 PM

    We have incorporated fixes for some recently identified vulnerabilities, specifically:

    NGINX: CVE-2018-16843, CVE-2018-16844, and CVE-2018-16845

    libzmq4: CVE-2019-6250

    curl: CVE-2018-16890, CVE-2019-3822, and CVE-2019-3823

    As always, take a backup of the firewall configuration prior to any major change to the firewall.

    To incorporate these security fixes you will need access to the operating system shell. You can do that by using either SSH or a local console. This procedure may NOT be performed via the pfSense web interface. From the pfSense command line interface (CLI), choose option 8 “Shell”.

    From the “/root:” prompt, type pkg update; pkg upgrade as shown in the screenshot below.


    When prompted, choose y to proceed. (A reboot is not required.)

    Warning: If you are running a version of pfSense prior to 2.4.4-p2 simply update to that version to benefit from these changes. Be sure to review the blog post and Release Notes prior to upgrading. Updating the packages from the command line of an earlier version will update your firewall to 2.4.4-p2. We do not recommend that option.

    If you have chosen to install a version later than 2.4.4-p2 by following the “Latest development snapshots (Experimental 2.4.x DEVEL)” update channel, this procedure will NOT install the updated packages.

    We encourage you to update your pfSense packages immediately. This is a small upgrade, but a major security update!

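A post-upgrade check for the procedure in the announcement above, as an added example that is not part of the original post and is not Netgate's own tooling: it reads the dry-run output of `pkg upgrade -n` and reports whether nginx, libzmq4 or curl are still waiting to be upgraded. The function names are hypothetical, the sample output and its version numbers are constructed placeholders, and the `name: old -> new` line layout is an assumption about pkg's dry-run output.

```shell
#!/bin/sh
# Packages named in the announcement.
WATCHED="nginx libzmq4 curl"

# Read `pkg upgrade -n` (dry run) output on stdin and print each watched
# package still listed as "name: old -> new", one name per line.
pending_security_pkgs() {
    awk -v watched="$WATCHED" '
        BEGIN { n = split(watched, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        / -> / { name = $1; sub(/:$/, "", name); if (name in want) print name }'
}

# Return 0 when no watched package is pending, 1 (with a message) otherwise.
security_pkgs_current() {
    pending=$(pending_security_pkgs)
    [ -z "$pending" ] && return 0
    echo "still pending:" $pending >&2
    return 1
}

# Constructed sample: dry-run output before the upgrade (placeholder versions).
sample_before() {
    cat <<'EOF'
The following 4 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
        curl: 0.0.1 -> 0.0.2 [pfSense]
        libzmq4: 0.0.1 -> 0.0.2 [pfSense]
        nginx: 0.0.1 -> 0.0.2 [pfSense]
        examplepkg: 0.0.1 -> 0.0.2 [pfSense]

Number of packages to be upgraded: 4
EOF
}

# Constructed sample: dry-run output once everything has been upgraded.
sample_after() {
    cat <<'EOF'
Checking for upgrades (0 candidates): 100%
Your packages are up to date.
EOF
}

# On the firewall shell: sh check.sh --live   (otherwise runs on the samples)
if [ "${1:-}" = "--live" ]; then
    pkg upgrade -n | security_pkgs_current && echo "watched packages are current"
else
    sample_before | security_pkgs_current || true
fi
```

The dry run changes nothing on the system, so it can also be run before the upgrade to see what `pkg upgrade` would touch.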
      keen
      last edited by Feb 16, 2019, 1:54 AM

      done without any problem
      thanks

        MarekAndreansky
        last edited by Feb 17, 2019, 9:49 PM

        What is the point of new releases if we have to update manually?

        Should these updates not be released as a new version?

          TDGrant @MarekAndreansky
          last edited by Feb 17, 2019, 11:55 PM

          @marekandreansky These are security related. You would not want to wait for a new version of PFSense to get these.

            keen
            last edited by Feb 18, 2019, 12:02 AM

            @MarekAndreansky a new pfsense version requires a reboot with a minimum downtime, this upgrade does not...

              Stepinsky
              last edited by Feb 18, 2019, 4:02 PM

              Is there any newsletter we can subscribe to for getting security alerts like this one? It seems the Netgate newsletter didn't cover this issue. And there was no warning when logging into the backend.

                MarekAndreansky @Stepinsky
                last edited by Feb 18, 2019, 6:52 PM

                @stepinsky I am curious as well. Believe there was such a newsletter a few years ago but that no longer seems to be the case.

                @TDGrant @keen I understand, but that brings up the issue with how are those users that do not check or are subscribed to the newsletter supposed to know if this security update does not show on their admin pages when checking for updates.

                PfSense is primarily a firewall and security is its most critical feature. New security patch = core feature update for a firewall.

                Bump up the version update by 0.0.1 if a new patch is up. I don't see a reason why not to.

                  Grimson Banned @MarekAndreansky
                  last edited by Feb 18, 2019, 7:02 PM

                  @marekandreansky said in Update pfSense packages to protect against NGINX, libzmq4, and curl vulnerabilities:

                  @TDGrant @keen I understand, but that brings up the issue with how are those users that do not check or are subscribed to the newsletter supposed to know if this security update does not show on their admin pages when checking for updates.

                  By following the forum or NetgateUSA on Twitter for example. It's up to the user to stay informed.

                    Steve_B Netgate
                    last edited by Feb 19, 2019, 12:37 AM

                    Enable the RSS widget on the dashboard and configure it to follow https://www.netgate.com/blog - That way you will see announcements such as this on the dashboard.

                    If we were to "Bump the version number" it would mean running a new build of the entire software suite which would then require a complete QC run before it could be released. This is at minimum a two week process. By releasing package updates we can get the changes out much more quickly.

                    If you consider the cost of a two week QC run involving about ten paid staff and the facilities they require, then divide that by the price you pay for each copy of pfSense you use, you will understand why there is a certain inertia involved in publishing a new release, no matter how small the change.

                    Als ik kan

                      dennis_s @Stepinsky
                      last edited by Feb 19, 2019, 3:23 PM

                      @stepinsky We do have a newsletter that you can subscribe to, however, it is published once a month and not just when there are updates. When we have updates like this one it will be published on the forum, pfSense and Netgate Reddit, our blog, and on the Netgate/pfSense Twitter.

                        MarekAndreansky @Steve_B
                        last edited by Feb 19, 2019, 7:50 PM

                        @steve_b Thanks for the explanation, that makes sense. And did not know about the RSS widget, thanks again!

                          redtech116
                          last edited by Feb 20, 2019, 1:07 AM

                          noob questions ...
                          Will the 'reinstall packages' button under the Diagnostics>backup&restore....do that same thing?

                            Steve_B Netgate
                            last edited by Steve_B Feb 20, 2019, 1:36 PM Feb 20, 2019, 1:35 PM

                            The "Reinstall packages" button reinstalls user-selected/installed packages E.g.: Snort or pfBlockerNG. The packages that are the subject of this notice are required, built-in packages so the command line way is the only way for now.

                            Als ik kan

                              MarekAndreansky @redtech116
                              last edited by Feb 20, 2019, 6:27 PM

                              @redtech116 said in Update pfSense packages to protect against NGINX, libzmq4, and curl vulnerabilities:

                              einstall packages' button under the Diagnosti

                              You can enable SSH via System -> Advanced - Secure Shell Server - tick enable then click save.

                              You will then be able to connect to your Firewall via putty. I disabled ssh after doing what needs to be done as I prefer to use the web gui instead and don't need another open path to my device.

                                Gertjan @MarekAndreansky
                                last edited by Feb 21, 2019, 4:05 PM

                                @marekandreansky said in Update pfSense packages to protect against NGINX, libzmq4, and curl vulnerabilities:

                                I prefer to use the web gui instead and don't need another open path to my device

                                Well ...
                                This time
                                (the RSS feed in the GUI)
                                and this :
                                (part of the Newsletter mail received today, Feb 21, 2019)

                                talks about using the console access.

                                Upgrading NGINX - as you might know, this is the web server of the GUI - shouldn't be done using the same GUI.
                                It might work of course - but if anything goes wrong, you're locked out.

                                The SSH (console access) is using the world's best protected access method (paired with some public/private keys) - the GUI is only and will always be next-best.
                                In this case, it's just a question of logging in using Putty - go to option 8 and paste the commands

                                pkg update; pkg upgrade
                                

                                let it do its job, and
                                exit [enter]
                                and
                                0 [enter]

                                (test your GUI ^^)

                                No "help me" PM's please. Use the forum, the community will thank you.
                                Edit : and where are the logs ??

                                  inqq
                                  last edited by Feb 23, 2019, 12:25 AM

                                  It's a little problematic that the last 2.4.5 DEVEL version broke the backup functionality, and won't be updated until 2.5.0 snapshots come out -- but the instructions here are to backup the full config before the pkg update/upgrade.

                                  https://redmine.pfsense.org/projects/pfsense/repository/revisions/e0b32eb9e6b040fd14025b5c32644959ba67250e

                                    callen
                                    last edited by Feb 24, 2019, 1:43 PM

                                    Noob question: I'm currently on 2.4.4-RELEASE-p1. Does the warning message mean that by upgrading to 2.4.4-p2 these security related packages are updated as well?

                                      Grimson Banned @callen
                                      last edited by Feb 24, 2019, 1:49 PM

                                      @callen said in Update pfSense packages to protect against NGINX, libzmq4, and curl vulnerabilities:

                                      Noob question: I'm currently on 2.4.4-RELEASE-p1. Does the warning message mean that by upgrading to 2.4.4-p2 these security related packages are updated as well?

                                      @dennis_s said in Update pfSense packages to protect against NGINX, libzmq4, and curl vulnerabilities:

                                      Warning: If you are running a version of pfSense prior to 2.4.4-p2 simply update to that version to benefit from these changes.

                                      It's even written in red, so improve your reading skills.

                                        callen @Grimson
                                        last edited by Feb 24, 2019, 1:55 PM

                                        @grimson thanks for not being a jerk about my message. Makes me want to continue to ask questions when I'm not sure.

                                          JeGr LAYER 8 Moderator @callen
                                          last edited by Feb 25, 2019, 12:08 PM

                                          @callen If unsure ask away. Maybe it's clear but asking for clarification never hurts. Not everyone got up on the wrong side of bed ;)

                                          Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                                          If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.