Several security vulnerabilities have been patched

Jul 28, 2015 00:07 GMT

Electric Sheep Fencing LLC., through Chris Buechler, has announced the immediate availability for download of the fourth maintenance release of the pfSense 2.2 FreeBSD-based firewall software.

According to the release notes, pfSense 2.2.4 is an important release that patches multiple stored XSS vulnerabilities in the software's web-based interface. It also fixes various TCP issues, mostly related to a resource exhaustion that occurred when sessions got stuck in the LAST_ACK state; this affected only pfSense systems whose listening ports were open to untrusted networks.

Users are being informed by the pfSense developers that, while the upstream OpenSSL packages were updated, the pre-installed OpenSSL packages in pfSense were not affected, so they have not been updated in this release. Moreover, the PHP packages have been updated to version 5.5.27 in order to patch known vulnerabilities, and the SSH LoginGraceTime has been lowered from 2 minutes to 30 seconds in order to decrease the impact of the known MaxAuthTries bypass bug.

"pfSense software version 2.2.4 release is now available, bringing a number of bug fixes and some security updates," says Chris Buechler. "As always, you can upgrade from any previous version straight to 2.2.4. For those already running any 2.2.x version, this is a low risk upgrade. This is a high priority upgrade for those using IPsec on 2.2.x versions. For those on 2.1.x or earlier versions, there are a number of significant changes which may impact you."

Multiple issues have been fixed

Furthermore, pfSense 2.2.4 fixes multiple file corruption issues that occurred after an unclean shutdown of the firewall, such as a power loss or a system crash. It addresses issues with the pw utility in FreeBSD related to group/passwd corruption, removes the 'sync' option from file systems on both new installs and full upgrades, fixes the way config.xml is written so that it takes advantage of fsync properly, and removes the journaling and softupdates options from NanoBSD.
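The config.xml change above is about keeping the file consistent across a power loss. As an added illustration (not pfSense code), the Python below contrasts a plain in-place rewrite with the write-temp, fsync, rename, fsync-directory pattern and simulates an interruption mid-write; the function names, file name and XML contents are constructed for the example.

```python
import os
import tempfile

# Constructed sample contents; not real pfSense config.xml data.
OLD_CONFIG = b'<?xml version="1.0"?>\n<pfsense><version>old</version></pfsense>\n'
NEW_CONFIG = b'<?xml version="1.0"?>\n<pfsense><version>new</version></pfsense>\n'


def write_in_place(path, chunks):
    """Fragile pattern: truncate the live file, then write into it.
    An interruption before the last write leaves an empty or partial config."""
    with open(path, "wb") as f:
        for chunk in chunks:
            f.write(chunk)


def write_durably(path, chunks):
    """Write a temp file in the same directory, fsync it, atomically rename it
    over the old file, then fsync the directory so the rename itself is durable.
    A crash at any point leaves either the complete old or complete new file."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".config.", dir=directory)
    try:
        with os.fdopen(fd, "wb") as f:
            for chunk in chunks:
                f.write(chunk)
            f.flush()
            os.fsync(f.fileno())   # file data and metadata on stable storage
        os.replace(tmp, path)      # atomic on POSIX; the old name never dangles
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)         # never leave a half-written temp file behind
        raise
    dir_fd = os.open(directory, os.O_RDONLY)
    try:
        os.fsync(dir_fd)           # make the directory entry change durable
    finally:
        os.close(dir_fd)


def chunked(data, stop_after=None):
    """Yield data in 8-byte chunks; raise after stop_after bytes to simulate a power loss."""
    for i in range(0, len(data), 8):
        if stop_after is not None and i >= stop_after:
            raise OSError("simulated power loss mid-write")
        yield data[i:i + 8]


def simulate(writer, stop_after=None):
    """Seed config.xml with OLD_CONFIG, rewrite it with NEW_CONFIG using `writer`,
    optionally interrupting the write, and return what the file holds afterwards."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "config.xml")
        with open(path, "wb") as f:
            f.write(OLD_CONFIG)
        try:
            writer(path, chunked(NEW_CONFIG, stop_after))
        except OSError:
            pass
        with open(path, "rb") as f:
            return f.read()
```

With the write interrupted after 16 bytes, `simulate(write_in_place, 16)` returns a truncated file while `simulate(write_durably, 16)` still returns the complete old config.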

Last but not least, the pfSense developers inform all users that the forcesync patch for bug #2401 has been removed because it is still considered harmful to file systems. As a consequence, NanoBSD users will see noticeable slowness on slow media such as SD or CF cards. Users are being urged to replace such removable media with newer and faster cards as soon as possible. Download pfSense 2.2.4 right now from Softpedia.