2.2.5 New Features and Changes¶
Updated to FreeBSD 10.1-RELEASE-p24
FreeBSD-SA-15:25.ntp Multiple vulnerabilities in NTP [REVISED]
FreeBSD-SA-15:14.bsdpatch: Due to insufficient sanitization of the input patch stream, it is possible for a patch file to cause patch(1) to run commands in addition to the desired SCCS or RCS commands.
FreeBSD-SA-15:16.openssh: OpenSSH client does not correctly verify DNS SSHFP records when a server offers a certificate. CVE-2014-2653 OpenSSH servers which are configured to allow password authentication using PAM (default) would allow many password attempts.
FreeBSD-SA-15:18.bsdpatch: Due to insufficient sanitization of the input patch stream, it is possible for a patch file to cause patch(1) to pass certain ed(1) scripts to the ed(1) editor, which would run commands.
FreeBSD-SA-15:20.expat: Multiple integer overflows have been discovered in the XML_GetBuffer() function in the expat library.
FreeBSD-SA-15:21.amd64: If the kernel-mode IRET instruction generates an #SS or #NP exception, but the exception handler does not properly ensure that the right GS register base for kernel is reloaded, the userland GS segment may be used in the context of the kernel exception handler.
FreeBSD-SA-15:22.openssh: A programming error in the privileged monitor process of the sshd(8) service may allow the username of an already-authenticated user to be overwritten by the unprivileged child process. A use-after-free error in the privileged monitor process of the sshd(8) service may be deterministically triggered by the actions of a compromised unprivileged child process. A use-after-free error in the session multiplexing code in the sshd(8) service may result in unintended termination of the connection.
pfSense-SA-15_08.webgui: Multiple Stored XSS Vulnerabilities in the pfSense® WebGUI
The complete list of affected pages and fields is listed in the linked SA.
Updated strongSwan to 5.3.3
Updated PHP to 5.5.30
Updated miniupnpd to 1.9.20150721 to address a potential vulnerability in miniupnpd.
Added support for GUI auth from RADIUS to obtain group names from the RADIUS reply attribute “Class” as a string (local groups must exist, similar to LDAP). #935
Added an LDAP server timeout field to address GUI access issues when the LDAP server is down/unreachable. #3383
Added support for LDAP RFC 2307 style group membership. #4923
Worked around a chicken-and-egg problem in user syncing which was preventing users from using ssh the first time the account was saved. #5152
Prevent deletion of system users and groups by authenticated, authorized users using manually crafted POSTs. #5294
Fixed an incorrect netmask being sent to OpenVPN clients with static IP addresses set in RADIUS. #5129
Changed the calculation of the OpenVPN point-to-point server IP address obtained from RADIUS to be consistent with CSC/Overrides (Server should be one IP address below the Client)
strongSwan upgraded to 5.3.3. strongSwan’s change log
Fixed missing DH group 22-24. #4918
Fixed handling of IPv4 IPsec Phase 1 endpoints that resolve to an IPv6 address. #4147 (Fixed by strongSwan update to 5.3.3)
Brought back “auto” IKE version and fixed problems with its previous implementation.
Pre-shared keys configured as “any” under VPN>IPsec, Pre-Shared Keys tab are added as %any to ipsec.secrets now, as described in the note on the page. #5246
Resolved memory leak by switching printf hooks to vstr. #5149
Change to vstr to fix memory leak broke SMP status plugin. Switched to vici for status output.
ID selectors omitted from ipsec.secrets for mobile PSK+XAuth configurations. Fixes pre-shared key mismatches with Apple iOS Cisco IPsec and other mobile clients. #5245
Fixed logging default settings and ability to set logging to silent. #5340
Logging settings applied correctly on clean start and stop/start of service. #5242
Remove deleted CAs, certificates and CRLs from strongswan configuration. #5238
Prevent over-matching of auto-added firewall rules for mobile IPsec configurations. #5211
Added IPv6 virtual address pool support for mobile. #5284
Allow both IPv4 and IPv6 in phase 2 entries on a single phase 1 when using IKEv2. #5305
Omit NAT rules for disabled phase 1 and 2 configurations. #5320
Only display certificate authority field for methods where it’s relevant. #5323
Only write out CA certificates for those specified in a Phase 1 configuration. #5243
Fixed Hybrid RSA + xauth. #5207
Fixed configuration of split tunnel attribute. #5327
Specify rightca in ipsec.conf where relevant. #5241
Specify leftsendcert=always in ipsec.conf for mobile profiles using IKEv2 to better accommodate iOS and OS X manual configurations. #5353
Fix IKEv2 mobile client pool status display with small number of active leases
Fixed handling of url_port alias types when processing items that should be handled by filterdns. #4888
Fixed handling of line endings when parsing a URL table ports file.
Fixed handling of empty bogon lists on NanoBSD.
Fixed handling of 6rd rules so they are only added when there is an IPv4 IP defined for the gateway, otherwise the ruleset ends up invalid. #4935
Added support for port ranges on Outbound NAT. #5156
Added a check to prevent renaming an alias to an existing name. #5162
Improved the fix for increasing the “self” table size in pf.
Imported fixes from FreeBSD for a situation that could result in a panic/crash due to source address limits in pf rules (“pf_hashsrc: unknown address family 0”). #4874
Implemented an alternate method to find VIP targets that should be allowed for Captive Portal. #4903
Improved handling of the captive portal database files for zones in cases when the database files may be corrupt or unreadable. #4904
Improved handling of vouchers that are too short. In certain cases they were not being properly rejected. #4985
Fixed handling of voucher database files, initializing the database properly when necessary. #5113
Fixed handling of package install errors and connect timeouts during the install process. #4884
Improved package version comparison. #4924
Fixed an issue with package editing where the default value was not being populated for new fields.
Fixed removal of syslog.conf entries during package uninstall #5210
Fixed handling of DHCP pools that are out of range, preventing them from creating an invalid dhcpd configuration. #4878
Added support for UEFI network booting with arch 00:09. #5046
Fixed a situation where dhcpleases could miss updates for hostnames in the leases file, delaying functional hostname resolution of new and updated DHCP leases. #4931
Automatically add firewall rules to permit DHCP traffic when DHCP Relay is enabled, matching the behavior for DHCP Server. #4558
Fixed identification of IPv6 interfaces with PPP-type interfaces and DHCP6 #3670
Removed “Could not find gateway for interface…” log messages as they were largely useless. #4102
Added OpenVPN interfaces to the list of available interfaces when reassignment is necessary during config.xml restoration.
Fixed interface assignment menus running off VGA screen.
Fixed preservation of MLPPP settings when saving interface settings. #4568
Correct handling of SLAAC, DHCP6 and DHCP-PD with PPP interfaces. #5297
Fixed Cloudflare support for Dynamic DNS updates.
Fixed GratisDNS support for hosts without subdomains.
Disabled DHS provider. It had never worked.
Fixed IPv4 dynamic DNS registrations on dual stack hosts to providers with AAAA records. #3858
Update Dynamic DNS using gateway groups upon enable and disable of gateways. #5214
Fixed Dynamic DNS using gateway groups specifying a CARP IP. #4990
Fixed the configuration version comparison in XMLRPC sync to prevent more invalid synchronization cases. #4902
Cleaned up old unused platforms referenced in a few areas of the code that were no longer relevant.
Fixed killing of individual states in cases when the source and destination were reversed. #4907
Fixed killing of individual states for IPv6. #4906
Changed the “enableallowallwan” script to also allow bogons, which makes the use of RFC 5735 / RFC 6890 test networks easier in lab environments.
Fixed handling of VIPs in source address selection for Diagnostics > Test Port. #4986
Updated status.php to include more information. #5304
Fixed handling of the description in Traffic Shaping.
Fixed pfSense base version comparison. #4925
Fixed handling of multiple notices in the same second. #4879
Removed the routed service as it is being handled by the package.
Set MIME type for SVG in lighttpd configuration.
Improved handling of the cron service reconfiguration process.
Added option to display monitor IP on Gateways widget #4782
Added “Description” as a display option on Traffic Graphs. #4783
Fixed handling of L2TP server interface selection. #4830
Added /usr/bin/dc back into the build. #5111
Fixed a crash/panic “Sleeping thread owns a non-sleepable lock” in ARP code when using Proxy ARP type VIPs. #4685
Added support for Sierra Wireless 7355. #4863
Updated time zones. #5254
Added fsync of Unbound’s root.key to ensure the file isn’t corrupted if power is lost shortly after writing of the file. Code added to detect corrupt root.key and delete and recreate it. #5334
Associate intermediate internal CA certificates with the signing CA. #5313