2.1.4 New Features and Changes
pfSense® software version 2.1.4 follows very shortly after 2.1.3 and is primarily a security release. Refer to the 2.1.1 release notes, 2.1.2 release notes, and 2.1.3 release notes for other recent changes.
Security Fixes
Packages also had their own independent fixes and need updating. During the firmware update process the packages will be reinstalled properly. Otherwise, uninstall and then reinstall packages to ensure that the latest version of the binaries is in use.
Other Fixes
Patch for Captive Portal pipeno leaking issue which leads to the ‘Maximum login reached’ on Captive Portal. #3062
Remove text not relevant to Allowed IPs on the Captive Portal. #3594
Remove units from burst as it is always specified in bytes. (Per ipfw(8)).
Add column for internal port on UPnP status page.
Make listening on interface rather than IP optional for UPnP.
Fix highlighting of selected rules. #3646
Add guiconfig to widgets not including it. #3498
/etc/version_kernel and /etc/version_base no longer exist; use php_uname to get the version for the XMLRPC check instead.
Fix variable typo. #3669
Delete all IP Aliases when an interface is disabled. #3650
Properly handle RRD archive rename during upgrade and squelch errors if it fails.
Convert protocol ssl:// to https:// when creating HTTP headers for XMLRPC.
Show disabled interfaces when they were already part of an interface group. This avoids showing a random interface instead and letting the user add it by mistake. #3680
The client-config-dir directive for OpenVPN is also useful when using OpenVPN’s internal DHCP while bridging, so add it in that case also.
Use curl instead of fetch to download update files. #3691
Escape variable before passing to shell from stop_service().
Add some protection to parameters that come through _GET in service management.
Escape argument on call to is_process_running, also remove some unnecessary mwexec() calls.
Do not allow interface group name to be bigger than 15 chars. #3208
Be more precise when matching members of a bridge interface; this should fix #3637
Do not expire already-disabled users; fixes #3644
Validate starttime and stoptime format on firewall_schedule_edit.php
Be more careful with the host parameter on diag_dns.php and make sure it is escaped when calling shell functions
Escape parameters passed to shell_exec() in diag_smart.php and elsewhere
Make sure variables are escaped/sanitized on status_rrd_graph_img.php
Replace exec calls to run rm by unlink_if_exists() on status_rrd_graph_img.php
Replace all `hostname` calls by php_uname('n') on status_rrd_graph_img.php
Replace all `date` calls by strftime() on status_rrd_graph_img.php
Add $_gb to collect possible garbage from exec return values on status_rrd_graph_img.php
Avoid directory traversal in pkg_edit.php when reading package xml files; also check that the file exists before trying to read it
Remove id=0 from miniupnpd menu and shortcut
Remove . and / from pkg name to avoid directory traversal in pkg_mgr_install.php
Fix core dump on viewing invalid package log
Avoid directory traversal on system_firmware_restorefullbackup.php
Re-generate session ID on a successful login to avoid session fixation
Protect rssfeed parameters with htmlspecialchars() in rss.widget.php
Protect servicestatusfilter parameter with htmlspecialchars() in services_status.widget.php
Always set httponly attribute on cookies
Set 'Disable webConfigurator login autocomplete' as on by default for new installs
Simplify logic, add some protection to user input parameters on log.widget.php
Make sure single quotes are encoded and avoid javascript injection on exec.php
Add missing NAT protocols on firewall_nat_edit.php
Remove extra data after space in DSCP and fix pf rule syntax. #3688
Only include a scheduled rule if it is strictly before the end time. #3558
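The hardening patterns behind several of the items above (shell-argument escaping, traversal checks on package names, session ID regeneration on login, HttpOnly cookies, htmlspecialchars() on widget parameters) are illustrated below as an added example. This is not pfSense code; the function names, the package directory and the sample inputs are assumptions constructed for the illustration.

```php
<?php
// Added illustration, not pfSense's own code. Assumed package XML directory:
const PKG_DIR = '/usr/local/pkg';

// Reject package names containing "." or "/" so the path cannot leave PKG_DIR,
// and confirm the file exists before any read (pkg_edit.php / pkg_mgr_install.php items).
function safe_pkg_path(string $name): ?string {
    if ($name === '' || strpbrk($name, "./\\\0") !== false) {
        return null;
    }
    $path = PKG_DIR . '/' . $name . '.xml';
    return file_exists($path) ? $path : null;
}

// User-controlled values reach the shell only through escapeshellarg()
// (stop_service() / diag_dns.php / diag_smart.php items).
function lookup_host_cmd(string $host): string {
    return 'host ' . escapeshellarg($host);
}

// Always set HttpOnly on the session cookie so page scripts cannot read it.
function start_hardened_session(): void {
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
}

// Session fixation: discard the pre-login session ID once credentials are accepted.
function on_successful_login(string $user): void {
    session_regenerate_id(true);
    $_SESSION['Username'] = $user;
}

// Widget parameters echoed back into HTML are encoded with htmlspecialchars()
// (rss.widget.php / services_status.widget.php items).
function render_filter(string $filter): string {
    return '<input name="servicestatusfilter" value="'
        . htmlspecialchars($filter, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed inputs exercising each check (not real requests):
var_dump(safe_pkg_path('../../etc/passwd'));      // NULL: traversal refused
var_dump(safe_pkg_path('squid'));                 // path only if the file exists
echo lookup_host_cmd("example.com; id"), "\n";     // host 'example.com; id'
echo render_filter('"><b>x</b>'), "\n";            // quotes and brackets encoded
```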