Software-update: pfSense 2.4.4-p3

Het pfSense-project is in 2004 begonnen als een afsplitsing van m0n0wall vanwege verschillende visies bij de ontwikkelaars, en in de loop van de jaren uitgegroeid tot een router- en firewallpakket dat in zowel kleine als zeer grote omgevingen kan worden ingezet. Voor meer informatie verwijzen we naar deze pagina. Het ontwikkelteam heeft pfSense 2.4.4-p3 uitgebracht met de volgende veranderingen:

pfSense 2.4.4-RELEASE-p3 now available

We are pleased to announce the release of pfSense® software version 2.4.4-p3, now available for new installations and upgrades!

pfSense software version 2.4.4-p3 is a maintenance release, bringing a number of security enhancements as well as a handful of fixes for issues present in the 2.4.4-p2 release.

pfSense 2.4.4-RELEASE-p3 updates and installation images are available now!

To see a complete list of changes and find more detail, see the Release Notes.

We had hoped to bring you this release a few days earlier, but given the announcement last Tuesday of the Intel Microarchitectural Data Sampling (MDS) issue, we did not have sufficient time to fully incorporate those corrections and properly test for release on Thursday. We felt that it was worth delaying for a few days, rather than making multiple releases within a week.

Highlights

SECURITY / ERRATA
pfSense software release version 2.4.4-p3 addresses several critical security issues:

• A privilege escalation issue where an authenticated user could have used a technique similar to directory traversal to gain access to pages for which they otherwise would not have privileges
• A privilege escalation issue where an authenticated user granted access to the Dashboard or widgets could have gained access to pages for which they otherwise would not have privileges
• A privilege escalation issue where an authenticated user granted access to edit OpenVPN servers, clients, or client-specific overrides could have executed shell scripts via OpenVPN advanced options to gain higher privileges
  A new set of privileges has been created to delegate access to edit the advanced options fields on these pages. Existing users who are not administrators, but only have access to the stated pages, can no longer edit advanced option fields until the new privileges have been granted.
• Potential cross-site scripting (XSS) vectors in 10 GUI pages
• The sshguard daemon which protects the GUI and ssh against brute force attacks was changed to use a single table to block offenders from reaching the GUI and SSH, which corrects previous unexpected inconsistencies in behavior.
• Several FreeBSD security advisories:
  • FreeBSD-SA-19:03.wpa
  • FreeBSD-SA-19:04.ntp
  • FreeBSD-SA-19:05.pf
  • FreeBSD-SA-19:06.pf
  • FreeBSD-SA-19:07.mds
  • FreeBSD-EN-19:08.tzdata
• DNS over TLS host verification has been added, thanks to support from a recent Unbound version that made it possible on systems without OpenSSL 1.1.x.

For complete details about these issues, see the see the Release Notes.