2.4.5 date?

techpro2004

I was wondering seeing as how we cant get a release date for 2.5, maybe we can get a rough idea for 2.4.5. Thanks

MORGiON

@techpro2004 when it’s ready

provels

@techpro2004 Are you having a ton of problems with 2.4.4-p3? Actually, if you want to offer some real value, run the 2.5 dev beta and report issues. Or just wait for your free software...

jimp

Soon-ish. Before 2.5.0. :-)

We're doing internal testing, then will have some time for public testing.

We never give specific release dates, and rarely estimate. We don't know what will turn up in testing and potentially cause delays.

Most of the testing on 2.4.5 will likely need to focus on OS changes since it was bumped up to 11-STABLE. There are a number of bug fixes we have pending on it but most of those are minor and have already been tested on 2.5.0 and only need confirmation that they work on 2.4.5.

Once public snapshots are up, everyone will need to attack the 2.4.5 Feedback Issues list and test whatever they can to speed things up.

techpro2004

Is there any chance that soon-ish means next week. I will have some free time then.

Gertjan

Nooo. Next week is Christmas shopping.

jimp

@techpro2004 said in 2.4.5 date?:

Is there any chance that soon-ish means next week. I will have some free time then.

No

seanmcb

@jimp 2.4.4 was released in May, i.e. over half a year ago. That's a very long time to not have any security updates. FreeBSD itself, nginx, PHP, etc. have all had security updates since then. Hopefully none of them are exploitable in pfsense's usage, but it would be nice to have more frequent security updates.

In fact, running 'pkg audit -F' outputs a whole bunch of stuff:

expat-2.2.5 is vulnerable:
expat2 -- Fix extraction of namespace prefixes from XML names
WWW: https://vuxml.FreeBSD.org/freebsd/c5bd8a25-99a6-11e9-a598-f079596b62f9.html

expat-2.2.5 is vulnerable:
expat2 -- Fix extraction of namespace prefixes from XML names
WWW: https://vuxml.FreeBSD.org/freebsd/6856d798-d950-11e9-aae4-f079596b62f9.html

curl-7.64.0 is vulnerable:
curl -- multiple vulnerabilities
CVE: CVE-2019-5482
CVE: CVE-2019-5481
WWW: https://vuxml.FreeBSD.org/freebsd/9fb4e57b-d65a-11e9-8a5f-e5c82b486287.html

curl-7.64.0 is vulnerable:
curl -- multiple vulnerabilities
CVE: CVE-2019-5436
CVE: CVE-2019-5435
WWW: https://vuxml.FreeBSD.org/freebsd/dd343a2b-7ee7-11e9-a290-8ddc52868fa9.html

php72-7.2.10 is vulnerable:
php -- env_path_info underflow in fpm_main.c can lead to RCE
CVE: CVE-2019-11043
WWW: https://vuxml.FreeBSD.org/freebsd/6a7c2ab0-00dd-11ea-83ce-705a0f828759.html

libnghttp2-1.32.0 is vulnerable:
nghttp2 -- multiple vulnerabilities
CVE: CVE-2019-9513
CVE: CVE-2019-9511
WWW: https://vuxml.FreeBSD.org/freebsd/121fec01-c042-11e9-a73f-b36f5969f162.html

unbound-1.9.1 is vulnerable:
unbound -- parsing vulnerability
CVE: CVE-2019-16866
WWW: https://vuxml.FreeBSD.org/freebsd/108a4be3-e612-11e9-9963-5f1753e0aca0.html

unbound-1.9.1 is vulnerable:
unbound -- parsing vulnerability
CVE: CVE-2019-18934
WWW: https://vuxml.FreeBSD.org/freebsd/ffc80e58-0dcb-11ea-9673-4c72b94353b5.html

nginx-1.14.1,2 is vulnerable:
NGINX -- Multiple vulnerabilities
CVE: CVE-2019-9516
CVE: CVE-2019-9513
CVE: CVE-2019-9511
WWW: https://vuxml.FreeBSD.org/freebsd/87679fcb-be60-11e9-9051-4c72b94353b5.html

libidn2-2.0.5 is vulnerable:
libidn2 -- roundtrip check vulnerability
CVE: CVE-2019-12290
WWW: https://vuxml.FreeBSD.org/freebsd/f04f840d-0840-11ea-8d66-75d3253ef913.html

oniguruma-6.8.1 is vulnerable:
oniguruma -- multiple vulnerabilities
CVE: CVE-2019-13225
CVE: CVE-2019-13224
WWW: https://vuxml.FreeBSD.org/freebsd/a8d87c7a-d1b1-11e9-a616-0992a4564e7c.html

It would be nice to have more frequent minor releases to address issues like there.

jimp

We are well aware of everything in that regard. We don't need convincing. They're coming, and we're working on them, but we aren't going to rush things.

seanmcb

Thanks for the fast reply. I didn't think you needed convincing on the what, but maybe on the when. :)

For sure there is a balance between: releasing too often, with too little testing; and cramming too much into a release and waiting too long.

pfsense 2.4.4 is 7 months old on Monday. That's a very long time. I've bought 3 appliances from netgate, but it's to the point now that I'm researching alternatives.

I can't help but contrast with OPNsense (which I've never used), which seems to act on security updates very quickly.

bobbenheim

The 2.4.5 development snapshots is up, for the ones who haven't noticed :)

techpro2004

Now that the fixes are in for the sg-3100 and we are down to 15 issues, I am wondering if there is a better idea of a release date. Thanks

jahonix

@techpro2004 said in 2.4.5 date?:

Now that the fixes are in for the sg-3100 and we are down to 15 issues, I am wondering if there is a better idea of a release date. Thanks

@MORGiON said in 2.4.5 date?:

@techpro2004 when it’s ready

Nothing changed. Why is this so hard to understand?

techpro2004

Jimp, anything

jimp

Soon.

techpro2004

Soon is a relative term. For example silicondust announced their prime 6 many years ago saying it would be out soon but it is still not available. Can you give us a better idea then that? thanks.

MORGiON

@techpro2004 follow the redmine

techpro2004

The redmine does not have an idea of a release date, only what is left. Also it went up not down since I last looked.

provels

Possible solution? I suggest an "Ignore Thread" button for the forum...

MORGiON

@techpro2004 Correct, that's as close as your going to get to a date.