pfSense® software 2.2.1 release is now available, bringing a number of bug fixes and some security fixes.

Security Fixes

pfSense-SA-15_02.igmp: Integer overflow in IGMP protocol (FreeBSD-SA-15:04.igmp)

pfSense-SA-15_03.webgui: Multiple XSS Vulnerabilities in the pfSense WebGUI

pfSense-SA-15_04.webgui: Arbitrary file deletion vulnerability in the pfSense WebGUI

FreeBSD-EN-15:01.vt: vt(4) crash with improper ioctl parameters

FreeBSD-EN-15:02.openssl: Update to include reliability fixes from OpenSSL

A note on the OpenSSL “FREAK” vulnerability:

Does not affect the web server configuration on the firewall as it does not have export ciphers enabled.

pfSense 2.2 already included OpenSSL 1.0.1k which addressed the client-side vulnerability.

If packages include a web server or similar component, such as a proxy, an improper user configuration may be affected. Consult the package documentation or forum for details.

Bug Fixes

Upgrade Guidance

As always, you can upgrade from any previous version straight to 2.2.1. For those already running any 2.2 version, this is a low risk upgrade. For those on 2.1.x or earlier versions, there are a number of significant changes which may impact you. Pay close attention to the 2.2 Upgrade Notes for the details.

pfSense software is Open Source

For those who wish to review the source code in full detail, the changes are all publicly available in three repositories on GitHub:

Main repository - the web GUI, back end configuration code, and build tools.

FreeBSD source - the source code, with patches of the FreeBSD base.

FreeBSD ports - the FreeBSD ports used.

Download

Downloads for New Installs

Using the automatic update process is typically easier than reinstalling to upgrade. See the Upgrade Guide page for details.

Supporting the Project

Our efforts are made possible by the support of our customers and the community. You can support our efforts via one or more of the following.