Software-update: pfSense 2.4.3

Versie 2.4.3 van pfSense is uitgekomen. Dit pakket is gebaseerd op het besturingssysteem FreeBSD en richt zich op router- en firewalltaken. Het is in 2004 begonnen als een afsplitsing van m0n0wall vanwege verschillende visies bij de ontwikkelaars en in de loop van de jaren uitgegroeid tot een router- en firewallpakket dat in zowel kleine als zeer grote omgevingen kan worden ingezet. Voor meer informatie verwijzen we naar deze pagina. De hoogtepunten voor deze uitgave zien er als volgt uit:

Highlights

This release includes several important security patches:

• Kernel PTI mitigations for Meltdown (optional tunable) FreeBSD-SA-18:03.speculative_execution.asc
• IBRS mitigation for Spectre V2 (requires updated CPU microcode) FreeBSD-SA-18:03.speculative_execution.asc
• Fixes for FreeBSD-SA-18:01.ipsec
• Fixed three potential XSS vectors, and two potential CSRF issues
• CSRF protection for all dashboard widgets
• Updated several base system packages to address CVEs

In addition to security fixes, pfSense software version 2.4.3 also includes important bug fixes.

Notable bug fixes in 2.4.3 include:

• Fixed hangs due to Limiters and pfsync in High Availability configurations
• Imported a netstat fix to improve performance and reduce CPU usage, especially on the Dashboard and ARM platforms
• Fixed a memory leak in the pfSense PHP module
• Fixed DHCPv6 lease display for entries that were not parsed properly from the lease database
• Fixed issues on assign_interfaces.php with large numbers of interfaces
• Fixed multiple issues that could result in an invalid ruleset being generated
• Fixed multiple Captive Portal voucher synchronization issues with HA
• Fixed issues with XMLRPC user account synchronization causing GUI inaccessibility on secondary HA nodes
• … and many more!

There are several new features in 2.4.3, some of the more important ones are:

• Changed IPsec Phase 1 to allow selecting both IPv4 and IPv6 so the local side can allow inbound connections to either address family
• Changed IPsec Phase 1 to allow configuration of multiple IKE encryption algorithms, key lengths, hashes, and DH groups
• Changed SMTP notifications handling so they are batched, to avoid sending multiple e-mail messages in a short amount of time
• Added options to RFC 2136 Dynamic DNS for server key algorithm and to change the source address used to send updates
• Added VLAN priority tagging for DHCPv6 client requests
• Hardware support for the new XG-7100 including C3000 SoC support, C3000 NIC support, and Marvell 88E6190 switch support (Factory installations only)
• … and more!

To see the rest of the changes, and find more detail, see the Release Notes.