Software update: pfSense 2.3.4-p1

The pfSense project started in 2004 as a fork of m0n0wall due to differing views among the developers and over the years has evolved into a router and firewall package that can be deployed in both small and very large environments. For more information, we refer you to this page. The development team has released pfSense 2.3.4-p1 with the following changes:

2.3.4-p1 New Features and Changes

The 2.3.4-p1 errata release is a minor release after 2.3.4 and contains beneficial security and bug fixes.

Security / Errata

• pfSense-SA-17_05.webgui:
  • Fixed a potential XSS issue in the diag_edit.php file browser
  • Fixed a potential XSS in handling of the ‘type’ parameter on diag_table.php
  • Fixed validation and a potential XSS in interface names on firewall_nat_edit.php
• pfSense-SA-17_06.webgui:
  • Added a warning screen to the GUI and prevent access if the client IP address is currently in the lockout table, and also remove the client’s connection states

Bug Fixes

Captive Portal

• Fixed Captive Portal RADIUS Authentication to only cache credentials when required to perform reauthentication
• Restored the captive portal feature to view the captive portal page directly from the portal web server as an additional button

Dynamic DNS

• Fixed issues with wildcard CNAME records disappearing from Loopia when doing a DNS update
• Fixed issues with CloudFlare Dynamic DNS
• Fixed Hover Dynamic DNS updates so they Verify the SSL Peer

Logging

• Added syslogd service definition to enable status display and control
• Fixed issues with syslogd stopping when installing or uninstalling some packages

Virtual IP Addresses

• Fixed issues with CARP status display overmatching some VIP numbers
• Fixed pid file handling for choparp (Proxy ARP Daemon)
• Added the ability to sort the Virtual IP address list

DNS

• Fixed diag_dns.php so it will not create an empty alias if name does not resolve
• Fixed diag_dns.php to not show Add Alias ​​if the user does not have privileges to add an alais
• Fixed diag_dns.php to change the update alias button text after adding an alias
• Fixed diag_dns.php to disable the Add Alias ​​button when the host field is changed
• Fixed calls to unbound-control to have the full configuration path specified so they do not fail
• Fixed handling of “redirect” zone entries in the DNS Resolver so they do not produce invalid zones
• Changed the way the DNS Resolver code writes out host entries, so the zones are more well-formed
• Changed the way the DNS Resolver process (unbound) is stopped, to allow it to exit cleanly.

Interfaces

• Fixed DHCPv6 to request a prefix delegation even if no interfaces are set to track6
• Updated handling of original MAC address retention for interfaces with spoofed MACs
• Fixed an array handling problem when working with gateway entries on the Interface configuration page
• Fixed handling of MSS clamping values ​​for PPPoE/L2TP/PPTP WANs

DHCP

• Fixed an issue where some DHCP Lease information was encoded twice with htmlentities/htmlspecialchars
• Fixed an issue where in some edge cases, a variable was not properly set in a loop, leading to a previous value being reused

misc

• Removed “/usr/local/share/examples” from obsolete files list, some packages rely on the files being there
• Added a few more items to status.php for support purposes, such as a download button, socket buffer info, and the netgate ID
• Fixed status.php to redact BGP MD5 password/key in output
• Fixed OpenVPN to use is_numeric() to make sure $prefix is ​​not 0
• Changed the “Rule Information” section so it is consistent between firewall and NAT rule pages
• Fixed APU2 detection for devices running coreboot v4.x
• Fixed the tunable description for net.inet.ip.random_id
• Fixed some outdated links for help and support
• Fixed some issues with empty config tags in packages
• Fixed issues with entry IDs after deleting Authentication Server instances