March 26, 2020
pfSense software version 2.4.5 is now available.
This update includes security fixes, several new features and stability fixes.
In this article, we take a look at the highlights of this update.
The major new features are as follows:
- Operating system upgraded to FreeBSD 11.3 ;
- Added the ability to search and filter across multiple pages, including the Certificate Management page (System > Cert. Manager), the DHCP Leases view page (Status > DHCP Leases), the ARP Table view page (Diagnostics > ARP Table) ;
- Added IPsec DH and PFS groups 25, 26, 27 and 31 ;
- Changed the default configuration of the UFS file system to
noatimefor new installations (this setting is not applied if you upgrade your pfSense). This reduces unnecessary writes to the disk ;
- Set the parameter
autocomplete=new-passwordon web interface forms containing authentication fields. This avoids auto-completion by the browser ;
- Added Gandi and Linode in the list of available Dynamic DNS providers (Services > Dynamic DNS)
The major security updates are as follows:
- Reinforcement against cross-site scripting (XSS) attacks on several pages of the web interface ;
- Solved a privilege escalation problem: an authenticated user, who was authorized to access the image widget, could execute arbitrary PHP code or access pages for which he normally had no rights ;
- Fixed the format of XMLRPC authentication failure messages (used for replication on a pfSense cluster installation). These messages can now be processed by sshguard ;
- Updated the Cross-site request forgery (CSRF) error page
Several important bugs have also been fixed.
- The default lifetime of the web interface certificate has been reduced to 398 days. This is much more in line with current standards. A certificate with a too long lifetime resulted in errors on a number of platforms (mainly iOS 13 and macOS 10.15). If you are on an upgrade and not on a new installation, you can generate a new certificate from the console or SSH with the command:
pfSsh.php playback generateguicert;
- Fixed several bugs on IPsec VTI (routed IPsec) ;
- Fixed several display bugs with custom views on the monitoring page (Status > Monitoring) ;
- Fixed redirection bug for users (other than admin account) who were redirected to the wrong page when they wanted to access the user management page (System > User Manager) ;
- Fixed a problem when resolving FQDN entries in aliases where some entries could be missing.
Due to the important nature of the changes in this upgrade, alerts or error messages may be displayed during the upgrade process. These should not be specially taken into account. Especially if you see errors concerning PHP or package updates.
Therefore, only errors which persist after the upgrade are significant.
In any case, remember to make a backup before launching the upgrade, and follow our complete tutorial: [pfSense] Upgrading pfSense (how-to).
Finally, you can consult the complete list of changes by visiting the following page: 2.4.5 New Features and Changes