Security / Errata
pfSense software release version 2.4.4-p3 addresses several critical security issues:
A privilege escalation issue where an authenticated user could have used a technique similar to directory traversal to gain access to pages for which they otherwise would not have privileges
A privilege escalation issue where an authenticated user granted access to the Dashboard or widgets could have gained access to pages for which they otherwise would not have privileges
A privilege escalation issue where an authenticated user granted access to edit OpenVPN servers, clients, or client-specific overrides could have executed shell scripts via OpenVPN advanced options to gain higher privileges
A new set of privileges has been created to delegate access to edit the advanced options fields on these pages. Existing users who are not administrators, but only have access to the stated pages, can no longer edit advanced option fields until the new privileges have been granted.
Potential cross-site scripting (XSS) vectors in 10 GUI pages
The sshguard daemon which protects the GUI and ssh against brute force attacks was changed to use a single table to block offenders from reaching the GUI and SSH, which corrects previous unexpected inconsistencies in behavior.
Several FreeBSD security advisories:
DNS over TLS host verification has been added, thanks to support from a recent Unbound version that made it possible on systems without OpenSSL 1.1.x.
For complete details about these issues, see the see the Release Notes.
Due to the significant nature of the changes in 2.4.4 and later, warnings and error messages, particularly from PHP and package updates, are likely to occur during the upgrade process. In nearly all cases these errors are a harmless side effect of the changes between FreeBSD 11.1 and 11.2 and between PHP 5.6 and PHP 7.2.
Always take a backup of the firewall configuration prior to any major change to the firewall, such as an upgrade.
Do not update packages before upgrading pfSense! Either remove all packages or do not update packages before running the upgrade.
The upgrade will take several minutes to complete. The exact time varies based on download speed, hardware speed, and other factors such installed packages. Be patient during the upgrade and allow the firewall enough time to complete the entire process. After the update packages finish downloading it could take 10-20 minutes or more until the upgrade process ends. The firewall may reboot several times during the upgrade process. Monitor the upgrade from the firewall console for the most accurate view.