Extremely long time between updates
-
Is there a reason for the lack of updates to pfSense? I tried to look into it and found posts like this:
https://www.reddit.com/r/PFSENSE/comments/epjsg8/lack_of_updates_to_pfsense/
that pretty much just say it's more stable this way. That isn't very convincing. The most recent version is based on FreeBSD 12.2-STABLE. Two major releases of FreeBSD have come out since 12.2. I skimmed the release notes for FreeBSD 12.3 and, among other things, they fixed a kernel panic issue and a RADIUS DoS issue. Both seem pretty relevant to pfSense. This leads to several questions:
-
Is there a good reason to not worry about this?
-
Does Netgate review vulnerabilities as they come out and decide if a minor release is needed, or are minor releases just not going to happen?
-
Is it possible for me to patch pfSense with updates made to FreeBSD, or to run pfSense on an updated version of FreeBSD?
-
Is pfSense+ Netgate's real focus, and are updates to pfSense just not a concern anymore?
-
@sand7000 The next version of pfSense is on FreeBSD 12.3 and should drop really soon: 2.6 or 22.01.
It's out in RC now if you want to update, etc.
12.3 just came out in December 2021, did it not?
-
12.3 just came out in December 2021, did it not?
That's almost 2 months ago, a pretty long time to not be patched against known vulnerabilities. The last release of pfSense was in July. Hard to believe there hasn't been a single vulnerability since then that merited a timely patch.
-
pfSense is extremely cut-down compared to a standard FreeBSD install; it has a much smaller attack surface. Many (most?) of the vulnerabilities you see reported against FreeBSD are either not applicable or not exploitable in pfSense. If there was a critical vulnerability we would have a point release to address it, as has happened in the past.
Steve
-
^ Exactly. Let's take 2 major vulnerabilities of late, the log4j and PwnKit problems: they are just not a concern on pfSense.
Or at least they shouldn't be, unless users took it upon themselves to side-load stuff that should never be on a firewall.
-
I look at it differently from the outside. Careful addition of features and improvements, coupled with solid testing, can result in release delays and can also reduce hurried patches, which can lead to a patch loop.
Plus, I prefer to upgrade as little as possible; there is always risk in an upgrade.
-
@sand7000 If you look back at the blog post about Plus, it said, "pfSense Plus customers will be able to reliably manage their IT infrastructure changes around three releases per year - planned for January, May, and September." They had 21.2 and 21.5, and 21.9 was planned but eventually skipped, with multiple minor updates to the first two.
-
Thanks for this info. Is there any kind of documentation or periodic news release on vulnerabilities that were investigated and deemed not a threat?
Our company is audited regularly. If a network vulnerability scan reports that pfSense runs on an old version of FreeBSD, we would need documentation that it is not susceptible to the same vulnerabilities.
-
@sand7000 In my case, I always test and try to exploit every one of the published vulnerabilities to confirm for myself that they are not applicable.
Until now, it has been shown to be very, very reliable.