The complete list of affected pages and fields is listed in the
Resource exhaustion due to sessions stuck in LAST_ACK state. Note
that this only applies to scenarios where ports listening on pfSense
itself (not ports passed through via NAT, routing or bridging) are
opened to untrusted networks. This doesn’t apply to the default
does not apply to pfSense. pfSense did not include a vulnerable
version of OpenSSL, and thus was not vulnerable.
Further fixes for file corruption in various cases during an unclean
shutdown (crash, power loss, etc.).
Fixed pw in FreeBSD to address passwd/group corruption
Fixed config.xml writing to use fsync properly to avoid cases when
it could end up empty.
Removed the ‘sync’ option from filesystems for new full installs
and full upgrades now that the real fix is in place.
Removed softupdates and journaling (AKA SU+J) from NanoBSD; they
remain on full installs.
The forcesync patch for
#2401 is still
considered harmful to the filesystem and has been kept out. As such,
there may be some noticeable slowness with NanoBSD on certain slower
disks, especially CF cards and to a lesser extent, SD cards. If this
is a problem, the filesystem may be kept read-write on a permanent
basis using the option on Diagnostics > NanoBSD. With the other
changes above, the risk is minimal. We advise replacing the affected
CF/SD media with a new, faster card as soon as possible.
Upgraded PHP to 5.5.27 to address CVE-2015-3152
Lowered SSH LoginGraceTime from 2 minutes to 30 seconds to mitigate
the impact of the OpenSSH MaxAuthTries bypass bug. Note that
sshlockout locks out offending IPs in all past, current and future
versions.
Changed the built-in certificate manager to specify keyUsage and
extendedKeyUsage in certificates. Windows will now correctly function
with IKEv2 using certificates from the built-in certificate manager
without disabling EKU.
Note: This change applies only to new certificates created on
2.2.4 or newer, and the CN of the certificate must match the
hostname or IP address to which clients connect.
Added authorityKeyIdentifier to CRLs generated by the built-in
certificate manager. (strongSwan requires it to match.)
Fixed non-GCM AES modes with AES-NI enabled.
Fixed issues with keyid and some mobile IPsec identifiers.
Fixed includes so PHP shell session restartipsec script works.
Fixed dashboard hardware crypto display when AES-NI is enabled.
Fixed issues with IPsec with certificates/ASN1.DN.
Added code to write out CRLs from the built-in certificate manager
for use by strongSwan.
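As an added example, not code from pfSense or strongSwan: the POSIX shell script below builds a small PKI of the shape the certificate-manager items above describe, a server certificate carrying keyUsage, extendedKeyUsage and a SAN that matches the hostname clients connect to, and a CRL from the same CA carrying authorityKeyIdentifier, then checks both with the openssl command-line tool. It assumes openssl is installed; every name, path and the hostname are made up, and the IKE Intermediate EKU (OID 1.3.6.1.5.5.8.2.2) is an assumption of the example, not something the release notes specify.

```shell
#!/bin/sh
# Added example (not pfSense or strongSwan code): build an IKEv2 server
# certificate carrying keyUsage, extendedKeyUsage and a SAN that matches the
# hostname clients connect to, plus a CRL from the same CA carrying
# authorityKeyIdentifier, then verify the extensions with openssl.
# Assumes the openssl CLI is installed. All names, paths and the hostname are
# made up for the demo; the IKE Intermediate EKU (1.3.6.1.5.5.8.2.2) is an
# assumption of this example, not something the release notes specify.
set -eu

# Create CA, server certificate and CRL under directory $1 for hostname $2.
build_ikev2_pki() {
    dir=$1 host=$2
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    echo 01 > "$dir/crlnumber"

    # Minimal openssl.cnf. [ikev2_ca] is what 'openssl ca -gencrl' needs;
    # crl_ext adds the authorityKeyIdentifier that strongSwan matches against
    # the CA's subjectKeyIdentifier, so the CA itself must carry an SKI.
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, 1.3.6.1.5.5.8.2.2
subjectAltName = DNS:$host
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ ca ]
default_ca = ikev2_ca
[ ikev2_ca ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_crl_days = 30
crl_extensions = crl_ext
[ crl_ext ]
authorityKeyIdentifier = keyid:always
EOF

    # Self-signed CA with the ca_ext extensions.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
        -config "$dir/openssl.cnf" -subj "/CN=Example IKEv2 CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # Server key and CSR; the CN is the name clients will connect to.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/openssl.cnf" -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # Sign the CSR with the server_ext extensions (keyUsage, EKU, SAN).
    openssl x509 -req -days 365 -sha256 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions server_ext \
        -out "$dir/server.crt" 2>/dev/null
    # Empty CRL signed by the CA; crl_ext adds the authorityKeyIdentifier.
    openssl ca -gencrl -config "$dir/openssl.cnf" -out "$dir/ca.crl" 2>/dev/null
}

# Print "ok" when certificate $1 carries serverAuth, the IKE Intermediate EKU
# (shown by name or as its OID, depending on the openssl build) and a DNS SAN
# for hostname $2; print "missing" otherwise.
check_server_cert() {
    text=$(openssl x509 -in "$1" -noout -text)
    if printf '%s' "$text" | grep -q 'TLS Web Server Authentication' &&
       printf '%s' "$text" | grep -qiE '1\.3\.6\.1\.5\.5\.8\.2\.2|IKE Intermediate' &&
       printf '%s' "$text" | grep -q "DNS:$2"; then
        echo ok
    else
        echo missing
    fi
}

# Print "ok" when CRL $1 carries an authorityKeyIdentifier, "missing" otherwise.
check_crl() {
    if openssl crl -in "$1" -noout -text | grep -q 'Authority Key Identifier'; then
        echo ok
    else
        echo missing
    fi
}

# Constructed demo run.
demo_dir=$(mktemp -d)
build_ikev2_pki "$demo_dir" vpn.example.com
echo "server cert: $(check_server_cert "$demo_dir/server.crt" vpn.example.com)"
echo "crl: $(check_crl "$demo_dir/ca.crl")"
```

The two check functions are the useful part outside the demo: running check_server_cert against a certificate exported from the certificate manager shows at a glance whether it predates the keyUsage/extendedKeyUsage change, and check_crl against an exported CRL shows whether strongSwan will find the authorityKeyIdentifier it requires.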
Added option for enabling Strict CRL Checking (strictcrlpolicy in
Fixed saving Advanced IPsec options before IPsec is enabled.
Changed LAN bypass to be from “LAN subnet” to “LAN subnet” rather
than from “LAN subnet” to “LAN address” to allow it to work for VIPs
on the interface.
Removed the “Auto” key exchange option, and changed upgraded
configurations to IKEv2. #4873
Specified rightid for mobile IPsec non-PSK configurations. Added the peer
ID option “any” for excluding peer identifier checks in mobile IPsec
scenarios where peer ID matching is impossible or undesirable.