2.7.2 New Features and Changes¶
This is a maintenance software release including new features and bug fixes.
Consult the Upgrade Guide before proceeding with any upgrade.
Security / Errata¶
This release includes corrections for several FreeBSD Errata Notices and Security Advisories, including:
FreeBSD-SA-23:17.pf - TCP spoofing vulnerability in pf(4)
FreeBSD-EN-23:16.openzfs - Potential ZFS Data Corruption
For more information about ZFS data corruption, see ZFS Data Corruption Details later in this document.
FreeBSD-EN-23:18.openzfs - High CPU usage by ZFS kernel threads
FreeBSD-EN-23:17.ossl - ossl(4)’s AES-GCM implementation may give incorrect results
FreeBSD-EN-23:20.vm - Incorrect results from the kernel physical memory allocator
Performance issues in OpenSSL have also been identified and corrected, notably with acceleration such as AES-NI.
EFI Issue on Proxmox® VE¶
Some users of pfSense® software running under Proxmox VE 7.4 have had issues booting Virtual Machines via EFI. This may also affect other versions of Proxmox VE and pfSense software as well as FreeBSD.
Adding a serial port to the VM hardware appears to work around the issue for the time being. A fix for the root cause is under investigation and development for future versions.
At this time the best practice to avoid potential problems is to add a serial port to the VM, then shutdown the VM and start it back up before beginning the pfSense software upgrade process.
See EFI Boot Issues for additional recommendations.
ZFS Data Corruption Details¶
Two data corruption bugs were recently reported against ZFS, including the version of ZFS in recent releases of pfSense software. These bugs have been corrected upstream in FreeBSD and the fixes have been imported into this release.
One bug was in block cloning, which is disabled by default on pfSense software, and thus is unlikely to be a significant concern on this platform. The other bug has been present in ZFS for years and was difficult to trigger.
Given the history of data corruption problems due to hole reporting in files, the corrections for this issue include a preventive measure to disable hole reporting. The downside of disabling hole reporting is the possibly increased disk space usage.
Users on previous releases of pfSense software can reduce the likelihood of
encountering the data corruption issue by creating a System Tunable for
vfs.zfs.dmu_offset_next_sync with a
Changes in this version of pfSense CE software.
Fixed: PHP error on
services_dhcpv6.phpif the configuration contains an empty
Added: Add an appropriately named file to install images to indicate what they are #14887