Linux News Today: pfSense 2.3.1 FreeBSD Firewall Update Patches Web GUI Security Issue, Seven Bugs
Released a week ago as the first maintenance build in the 2.3 stable series, pfSense 2.3.1 has received its first update, bringing a patch for a major security issue in the Web GUI, as well as seven other bug fixes.
pfSense 2.3.1 was a point release of the FreeBSD-based network firewall distribution that introduced over 100 changes. Because pfSense 2.3 moved the distribution to a pkg-based packaging system, the project’s maintainers can now update individual parts of the system rather than the whole image.
Thus, they can patch single security issues without having to roll a new release of the BSD firewall. pfSense 2.3.1 Update 1 (2.3.1_1) is now live, and all users of pfSense 2.3.1-RELEASE are urged to apply it, as it patches a major security issue.
The issue, tracked as pfSense-SA-16_05.webgui, was discovered by Patrick Ungeheuer: command-injection vulnerabilities in the diag_smart.php and diag_routes.php files of pfSense’s Web GUI (Graphical User Interface).
Either vulnerability could allow an authenticated Web GUI user with elevated privileges to execute arbitrary commands as root. Note that exploitation requires an existing Web GUI login with access to those diagnostics pages, so this is post-authentication root command execution rather than an unauthenticated remote attack; it still matters wherever GUI accounts are handed out to people who are not meant to have a root shell. A detailed report is available in the advisory, and the issue is fixed by applying the pfSense 2.3.1_1 update.
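To make the bug class concrete, here is an added PHP illustration of a diagnostics page that builds a shell command from a user-supplied value. It is not the code from diag_smart.php or diag_routes.php and is not pfSense project code; the smartctl command line, the device-name parameter and the allowlist pattern are assumptions chosen for the example. The commands are only built and printed, never executed.

```php
<?php
// Added example: the command-injection class fixed in pfSense 2.3.1_1.
// NOT the code from diag_smart.php / diag_routes.php; the smartctl
// command, the "device" parameter and the allowlist are assumptions.

// Hypothetical unsafe handler: the user-supplied device name is
// concatenated straight into the command line. With $device set to
// "ada0; id" the shell runs "id" as a second command, with whatever
// privileges the Web GUI process has (on pfSense, root).
function build_smart_command_unsafe(string $device): string
{
    return "/usr/local/sbin/smartctl -a /dev/" . $device;
}

// Hardened version: reject anything that is not a plausible FreeBSD
// disk device name (e.g. ada0, da1p2), then quote the argument anyway
// with escapeshellarg() so the shell sees one literal word even if the
// allowlist is later relaxed.
function build_smart_command_safe(string $device): string
{
    if (!preg_match('/^[a-z]+[0-9]+(p[0-9]+)?$/', $device)) {
        throw new InvalidArgumentException("refusing device name: " . $device);
    }
    return "/usr/local/sbin/smartctl -a /dev/" . escapeshellarg($device);
}

// Demonstration on a benign and a constructed malicious input.
foreach (["ada0", "ada0; id"] as $input) {
    echo "input: " . var_export($input, true) . "\n";
    echo "  unsafe: " . build_smart_command_unsafe($input) . "\n";
    try {
        echo "  safe:   " . build_smart_command_safe($input) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "  safe:   rejected (" . $e->getMessage() . ")\n";
    }
}
```

Run it with `php` on the command line. The unsafe builder happily emits `smartctl -a /dev/ada0; id`, which a shell would execute as two commands; the hardened builder rejects the second input outright and, for the benign one, produces `/dev/'ada0'`, which the shell still resolves to `/dev/ada0`. Validating against an allowlist and quoting with escapeshellarg() are independent defences, and a diagnostics page that runs as root should do both.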
Save of “IPv6 over IPv4 Tunneling” address now works
As mentioned, this first update to pfSense 2.3.1 also resolves several other bugs reported by users over the past week, such as a failure when saving an “IPv6 over IPv4 Tunneling” address and problems with using URL IP type aliases in firewall rules.
Last but not least, the LDAP timeout has been lowered from 25 seconds to 5, so that a slow or unreachable Lightweight Directory Access Protocol (LDAP) server no longer holds up the Web GUI long enough to trigger “504 gateway error” responses. Apply pfSense 2.3.1 Update 1 as soon as possible to fix the issues mentioned above, and plan for the fact that the update reboots the system.