Update pfSense packages to protect against NGINX, libzmq4, and curl vulnerabilities
-
What is the point of new releases if we have to update manually?
Should these updates not be released as a new version?
-
@marekandreansky These are security related. You would not want to wait for a new version of PFSense to get these.
-
@MarekAndreansky a new pfsense versione required a reboot with a minimun downtime, this upgrade not...
-
Is there any newsletter we can subscribe to for getting security alerts like this one? It seems the Netgate newsletter didn't cover this issue. And there was no warning when logging into the backend.
-
@stepinsky I am curious as well. Believe there was such a newsletter a few years ago but that no longer seems to be the case.
@TDGrant @keen I understand, but that brings up the issue with how are those users that do not check or are subscribed to the newsletter supposed to know if this security update does not show on their admin pages when checking for updates.
PfSense is primarily a firewall and security is it's most critical feature. New security patch = core feature update for a firewall.
Bump up the version update by 0.0.1 if a new patch is up. I don't see a reason why not to.
-
@marekandreansky said in Update pfSense packages to protect against NGINX, libzmq4, and curl vulnerabilities:
@TDGrant @keen I understand, but that brings up the issue with how are those users that do not check or are subscribed to the newsletter supposed to know if this security update does not show on their admin pages when checking for updates.
By following the forum or NetgateUSA on Twitter for example. It's up to the user to stay informed.
-
Enable the RSS widget on the dashboard and configure it to follow https://www.netgate.com/blog - That way you will see announcements such as this on the dashboard.
If we were to "Bump the version number" it would mean running a new build of the entire software suite which would then require a complete QC run before it could be released. This is at minimum a two week process. By releasing package updates we can get the changes out much more quickly.
If you consider the cost of a two week QC run involving about ten paid staff and the facilities they require, then divide that by the price you pay for each copy of pfSense you use, you will understand why there is a certain inertia involved in publishing a new release, no matter how small the change.
-
@stepinsky We do have a newsletter that you can subscribe to, however, it is published once a month and not just when there are updates. When we have updates like this one it will be published on the forum, pfSense and Netgate Reddit, our blog, and on the Netgate/pfSenseTwitter.
-
@steve_b Thanks for the explanation, that makes sense. And did not know about the RSS widget, thanks again!
-
noob questions ...
Will the 'reinstall packages' button under the Diagnostics>backup&restore....do that same thing? -
The "Reinstall packages" button reinstalls user-selected/installed packages E.g.: Snort or pfBlockerNG. The packages that are the subject of this notice are required, built-in packages so the command line way is the only way for now.
-
@redtech116 said in Update pfSense packages to protect against NGINX, libzmq4, and curl vulnerabilities:
einstall packages' button under the Diagnosti
You can enable SSH via System -> Advanced - Secure Shell Server - tick enable then click save.
You will then be able to connect to your Firewall via putty. I disabled ssh after doing what needs to be done as I prefer to use the web gui instead and don't need another open path to my device.
-
@marekandreansky said in Update pfSense packages to protect against NGINX, libzmq4, and curl vulnerabilities:
I prefer to use the web gui instead and don't need another open path to my device
Well ...
This time
(the RSS feed in the GUI)
and this :
(part of the Newsletter mail received today, Feb 21, 2019)talks about using the console access.
Upgrading NGINX - as you might know, this is the web server of the GUI - shouldn't be done using the same GUI.
It might work of course - but if anything goes wrong, you're locked out.The SSH (console access) is using worlds best protected access method (paired with some public/private keys) - the GUI is only and will always be next-best.
In this case, it's just a question of login using Putty - go option 8 and pasting the commandspkg update; pkg upgradelet it do its job, and
exit [enter]
and
0 [enter](test you GUI ^^)
-
It's a little problematic that the last 2.4.5 DEVEL version broke the backup functionality, and won't be updated until 2.5.0 snapshots come out -- but the instructions here are to backup the full config before the pkg update/upgrade.
https://redmine.pfsense.org/projects/pfsense/repository/revisions/e0b32eb9e6b040fd14025b5c32644959ba67250e
-
Noob question: I'm currently on 2.4.4-RELEASE-p1. Does the warning message mean that by upgrading to 2.4.4-p2 these security related packages are updated as well?
-
@callen said in Update pfSense packages to protect against NGINX, libzmq4, and curl vulnerabilities:
Noob question: I'm currently on 2.4.4-RELEASE-p1. Does the warning message mean that by upgrading to 2.4.4-p2 these security related packages are updated as well?
@dennis_s said in Update pfSense packages to protect against NGINX, libzmq4, and curl vulnerabilities:
Warning: If you are running a version of pfSense prior to 2.4.4-p2 simply update to that version to benefit from these changes.
It's even written in red, so improve your reading skills.
-
@grimson thanks for not being a jerk about my message. Makes me want to continue to ask questions when I'm not sure.
-
@callen If unsure ask away. Maybe it's clear but asking for clarification never hurts. Not everyone got up on the wrong side of bed ;)
-
I updated using the Diagnostics / Command Prompt as a lazy mans way around SSH or console access.
Execute Shell Command: pkg update; pkg upgrade -y
-
Glad I saw this posted somewhere on the forum my box is updated, a little different as this time i upgraded from a Mac
