I’m happy to announce the release of pfSense 2.0.3. This is a maintenance release with some bug and security fixes since the 2.0.2 release. You can upgrade from any previous release to 2.0.3.

Security Fixes

Updated to OpenSSL 0.9.8y to address FreeBSD-SA-13:03.

Fix the XSS in the IPsec log described below, which could be triggered by users possessing a shared key or a valid certificate

The S.M.A.R.T. input validation fix below isn’t security relevant in the vast majority of use cases, but it could lead to privilege escalation for an administrative user with limited rights who can access the S.M.A.R.T. pages but cannot access any of the pages that allow command execution by design.

PPP

Fix obtaining DNS servers from PPP type WANs (PPP, PPPoE, PPTP, L2TP)

Captive Portal

Fix Captive Portal Redirect URL trimming

Voucher sync fixes

Captive portal pruning/locking fixes

Fix problem with fastcgi crashing which caused CP issues on 2.0.2

OpenVPN

Clear the route for an OpenVPN endpoint IP when restarting the VPN, to avoid a situation where a learned route from OSPF or elsewhere could prevent an instance from restarting properly

Always clear the OpenVPN route when using shared key, no matter how the tunnel network “CIDR” is set

Use the actual OpenVPN restart routine when starting/stopping from services rather than killing/restarting manually

Allow editing an imported CRL, and refresh OpenVPN CRLs when saving. [#2652]

Fix interface assignment descriptions when using > 10 OpenVPN instances

Logging

Put syslogd into secure mode so it refuses remote syslog messages

If syslog messages are in the log, and the hostname does not match the firewall, display the supplied hostname

Fix PPP log display to use the correct log handling method

Run IPsec logs through htmlspecialchars before display to avoid a potential persistent XSS from racoon log output (e.g. a username)
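As an added illustration of the change above (this is not pfSense code), a log viewer that prints daemon output straight into the page lets a value the daemon merely logged, such as a username a peer supplied, become live markup, while passing each line through htmlspecialchars keeps it as text. The racoon-style log lines and the username are constructed for the demonstration.

```php
<?php
// Added example, not pfSense code. Shows why racoon log output must be
// escaped before being rendered in an HTML log viewer.

// Constructed sample log lines; the second carries a peer-supplied username
// that racoon has written verbatim into the log.
$constructedLogLines = [
    'racoon: INFO: ISAKMP-SA established 203.0.113.1[500]-198.51.100.7[500]',
    'racoon: ERROR: xauth login failed for user "<script>alert(1)</script>"',
];

// Unsafe rendering: the daemon's text is emitted as-is, so anything that
// looks like HTML in the log line is interpreted by the browser.
function render_log_unsafe(array $lines): string {
    $out = '';
    foreach ($lines as $line) {
        $out .= '<tr><td>' . $line . "</td></tr>\n";
    }
    return $out;
}

// Hardened rendering: every line passes through htmlspecialchars first.
// ENT_QUOTES also escapes single quotes, so the value stays inert even if a
// theme ever places it inside an attribute.
function render_log_safe(array $lines): string {
    $out = '';
    foreach ($lines as $line) {
        $out .= '<tr><td>' . htmlspecialchars($line, ENT_QUOTES, 'UTF-8') . "</td></tr>\n";
    }
    return $out;
}

// Review check: a cell is inert when strip_tags() finds nothing to remove,
// i.e. the browser would see the log line purely as text.
function is_inert(string $cell): bool {
    return strip_tags($cell) === $cell;
}

foreach ($constructedLogLines as $line) {
    $escaped = htmlspecialchars($line, ENT_QUOTES, 'UTF-8');
    printf("raw:     %s\n", is_inert($line) ? 'inert' : 'LIVE MARKUP');
    printf("escaped: %s  %s\n", is_inert($escaped) ? 'inert' : 'LIVE MARKUP', $escaped);
}
```

Run it with the PHP CLI; the second constructed line reports LIVE MARKUP raw and inert once escaped.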

Traffic Shaper

Fix editing of traffic shaper default queues. [#1995]

Fix wording for the VoIP address option in the shaper. Add a rule going the other direction to catch connections initiated both ways

Dashboard & General GUI

Use some tweaks to PHP session management to prevent the GUI from blocking additional requests while others are active

Remove cmd_chain.inc and preload.php to fix some issues with lighttpd, fastcgi, and resource usage

Firmware settings manifest (Site list) now bolds and denotes entries that match the current architecture, to help avoid accidental cross-architecture upgrades

Add header to DHCP static mappings table

When performing a factory reset in the GUI, change output style to follow halt.php and reboot.php so the shutdown output appears in the correct location on the page

Better validation of parameters passed during S.M.A.R.T. operations for testing HDDs

Fixed SNMP interface binding glitch (Setting was active but not reflected when viewed in GUI)

Add a new class called addgatewaybox to make it easier to respect custom themes [#2900]

Console Menu Changes

Correct accidental interface assignment changes when changing settings on the console menu

Console menu option 11 now kills all active PHP processes, kills lighttpd, and then restarts the GUI. This is a more effective way to restart the GUI since if a PHP process is hung, restarting lighttpd alone will not recover from that

Fix port display after LAN IP reset

Misc Changes

Change how the listening address is passed to miniupnpd; the old method was resulting in errors for some users

Fix “out” packet count reporting

Be a little smarter about the default kernel in rare cases where we cannot determine what was in use

Pass -S to tcpdump to avoid an increase in memory consumption over time in certain cases

Minimise rewriting of /etc/gettytab (forum reference)

Make is_pid_running function return more consistent results by using isvalidpid

Fix ataidle error on systems that have no ATA HDD. [#2739]

Update Time Zone database zoneinfo to 2012.j to pick up on recent zone/DST/etc changes

Fix handling of LDAP certificates; the library no longer properly handles files with spaces in the CA certificate filename

Bring in the RCFILEPREFIX-as-constant fixes from HEAD, since otherwise rc.stop_packages was globbing in the wrong directory and executing the wrong scripts. This also seems to have fixed the “bad fd” error

NTP restart fixes

Gitsync now pulls in git package from pfSense package repository rather than FreeBSD

Fixed handling of RRD data in config.xml backups when exporting an encrypted config [#2836]

Moved apinger status to /var/run instead of /tmp

Fixes for FTP proxy on non-default gateway WANs

Fixes for OVA images

Use new pfSense repository location (http://github.com/pfsense/pfsense/)

Add patch to compensate apinger calculation for down gateways by time taken from other tasks like rrd/status file/etc

lighttpd changes

Improve tuning of lighttpd and php processes

Use separate paths for GUI and Captive Portal fastcgi sockets

Always make sure php has its own process manager to make lighttpd happy

Make mod_fastcgi last to have url.rewrite work properly

Enable mod_evasive if needed for Captive Portal

Simplify lighttpd config

Send all lighttpd logs to syslog

Binary changes

dnsmasq to 2.65

rsync to 3.0.9

links to 2.7

rrdtool to 1.2.30

PHP to 5.2.17_13

OpenVPN 2.2 stock again (Removed IPv6 patches since those are only needed on 2.1 now)

Fix missing “beep” binary on amd64

Fix potential issue with IPsec routing of client traffic

Remove lighttpd spawnfcgi dependency

Add splash device to wrap_vga kernels (It’s in GENERIC so full installs already have it). [#2723]

filterdns

Correct an issue with an unallocated structure

Avoid issues with pidfiles being overwritten, lock the file during modifications

Make filterdns restartable and properly cleanup its tables upon exit or during a reconfiguration

dhcpleases

Correct a use-after-free and also support hostnames with other DNS suffixes

Reinit on any error rather than just forgetting. Also, the difftime checks are done after having a complete view; there is no need to do them every time

Typo fixes

Log that a HUP signal is being sent to the pid file submitted as an argument

Prevent bad parsing of empty hostnames in the lease file. Add an f option to run dhcpleases in the foreground. The only option needed while in the foreground is the h parameter, and it is the only usable one as well

Upgrade Information

As always, upgrade information can be found in the Upgrade Guide.

Download

Downloads for new installs and upgrades can be found on the mirrors here.

Note that some of the mirrors are still syncing; it will be several hours before they’re all up to date.