Advantages of upgrading to latest CE version
-
I am using the last 2.6.0-RELEASE (amd64) vesion of psSense without any problems.
The packages I am running without problems also are;
squid proxy
pfblockerNG
acme certificate manager.Of course the is no updates to these packages anymore.
My question is then:
Should I upgrade/follow the latest CE version?
I just don't see why.Thank you for your opinion.
-
@marchand-guy so your still running windows 95, because you don't see why you should upgrade?
Forgetting any new features, which there are many from 2.6 to 2.7.2 - your not going to get much help from anyone if you do run into problems because you are no longer on a supported version.
Here is the stuff that changed and is new in just 2.7
https://docs.netgate.com/pfsense/en/latest/releases/2-7-0.html
Not only is that version of pfsense no longer supported, neither is the freebsd 12.3 it runs on.
edit: this isn't well my printer or tv works, never had any issues with it no reason to upgrade its firmware.. This is your firewall.. There are quite a few CVEs address with updates. And I know php and openssl were major updates from 2.6..
-
To make it easier for you ...
General
- PHP has been upgraded from 7.4.x to 8.2.6
- The base operating system has been upgraded to FreeBSD 14-CURRENT
Security
pfSense CE 2.7.0-RELEASE includes fixes for the following potential vulnerabilities:
- pfSense-SA-22_05.webgui: A potential XSS vulnerability in firewall_aliases.php from URL table alias URLs.
- pfSense-SA-23_01.webgui: A potential XSS vulnerability in diag_edit.php from browsing directories containing specially crafted filenames on the filesystem.
- pfSense-SA-23_02.webgui: A potential XSS vulnerability in system_camanager.php and system_certmanager.php from specially crafted descriptions when editing entries.
- pfSense-SA-23_03.webgui: A potential authenticated arbitrary file creation vulnerability from the name parameter when creating or editing URL table aliases.
- pfSense-SA-23_04.webgui: A potential authenticated arbitrary command execution vulnerability in status.php from specially crafted filenames on the filesystem.
- pfSense-SA-23_05.sshguard: Anti-brute force protection bypass for GUI authentication requests containing certain proxy headers.
- pfSense-SA-23_06.webgui A potential Authenticated Command Execution vulnerability from the bridgeif parameter on interfaces_bridge_edit.php in the GUI.
General
- Kea DHCP Server has been added as an opt-in feature preview for IPv4 and IPv6 DHCP service. Kea will eventually replace the ISC DHCPD daemon which is EOL.
- OpenSSL has been upgraded to 3.0.12 from 1.1.1 in FreeBSD. This change was necessary as OpenSSL 1.1.1 reached its End of Life (EOL) on September 11, 2023. This means there will be no security patches for vulnerabilities affecting OpenSSL 1.1.1.
Security
In addition to OpenSSL and other concerns in the base OS and packages, this release addresses the following vulnerabilities in pfSense software:
- pfSense-SA-23_08.webgui (XSS in getserviceproviders.php, #14547)
- pfSense-SA-23_09.webgui (XSS in status_logs_filter_dynamic.php, #14548)
- pfSense-SA-23_10.webgui (Authenticated Command Execution in interfaces_gif_edit.php and interfaces_gre_edit.php, #14549)
- pfSense-SA-23_11.webgui (Authenticated Command Execution in packet_capture.php, #14809)
Security / Errata
This release includes corrections for several FreeBSD Errata Notices and Security Advisories, including:
- FreeBSD-SA-23:17.pf - TCP spoofing vulnerability in pf(4)
- FreeBSD-EN-23:16.openzfs - Potential ZFS Data Corruption
- For more information about ZFS data corruption, see ZFS Data Corruption Details later in this document.
- FreeBSD-EN-23:18.openzfs - High CPU usage by ZFS kernel threads
- FreeBSD-EN-23:17.ossl - ossl(4)’s AES-GCM implementation may give incorrect results
- FreeBSD-EN-23:20.vm - Incorrect results from the kernel physical memory allocator
- Performance issues in OpenSSL have also been identified and corrected, notably with acceleration such as AES-NI.
-
Yes, that list of security issues should convince you.
-
"so your still running windows 95, because you don't see why you should upgrade?"
What is wrong with you? Bad day?
Who the f*** was talking about windows 95? Why not windows 3.0 if you get some kicks outta your "argument"?Thanks to all the others who raised the security concerns for me to look at.
-
@marchand-guy it was an attempt at some fun, and to make a point.. Your running a version that is quite old, 2 years.. It is EOL, why would you think you should not update it?
"I just don't see why."
Why should someone need to point out to you to keep your security stuff updated?
-
@johnpoz No joke. I started using pfSense when 2.6 was current, pretty soon after its release, and I was getting concerned that no updates came out for like a year. It was a relief when 2.7 arrived and the two point releases that followed.
