2.3.1 New Features and Changes

Security/Errata

• FreeBSD Security Advisories

  • FreeBSD-SA-16:17 OpenSSL

  • FreeBSD-SA-16:18 atkbd

  • FreeBSD-SA-16:19 sendmsg

• OpenVPN upgraded from 2.3.10 to 2.3.11. Fixes two potential security issues.

  • OpenVPN 2.3.11 Change Log

• pfSense® Software Advisories

  • pfSense-SA-16_03.webgui

  • pfSense-SA-16_04.filterlog

  • 2.3.1 update 1 patches pfSense-SA-16_05.webgui.

Config Upgrade

• Fixed config upgrade for CARP VIPs on gateway groups, GRE and gif for uniqid format. #6222

• Fixed config upgrade for IP aliases with CARP IP parent. #6164

• Correct OpenVPN topology config upgrade to retain 2.2.x and prior net30 topology. #6140

• Correct and adjust apinger parameters to dpinger parameters automatically on upgrade. #6142

Gateways

• Fix static route for IPv6 monitor IP with link-local gateway. #6353

• Fix default gateway switching with IPv6 and link-local gateways. #6258

OS / Backend

• NanoBSD is now permanent read-write, to avoid issues with slow rw->ro mount times and systems getting stuck read-only mounted. #6184

• Systems using a RAM disk for /var/ have their alias tables backed up and restored during bootup. #6189

• Set console settings (serial configuration, password protection, etc.) post-upgrade. #6120

• Ensure package repo is updated with latest metadata when checking for latest version. #6115

• Display consistent firmware version on dashboard and in update checker. #6320

• Correct description of update branch options. #6136

• Prevent update checking failures from killing webGUI. #6177

• Make pkg use configured proxy server settings where they exist. #6149

Web GUI

• Fix row delete button on unsaved aliases, NTP, UPnP and other screens. #6101

• Captive portal MAC passthrough credits waiting period box restored. #6290

• Outbound NAT edit screen destination field alias auto-completion restored. #6287

• Captive portal allowed IPs direction selection on edit fixed. #6267

• Restored input validation on port forwards to prohibit IPv6. #6265

• Restored input validation on firewall rules to prohibit IPv6 IPs in IPv4 rules and vice versa. #6211

• Fixed PHP error on edit of PPP interfaces. #6264

• Fixed radio button placement on gateways dashboard widget settings. #6259

• Fixed display post-refresh of system information dashboard widget. #6251

• Restored in/out bytes counters on Status>Interfaces. #6244

• Correctly show and hide OpenVPN topology field as applicable. #6236 #6214

• Correct voucher character set input validation. #6231

• Disable background update checking on dashboard update check is disabled. #6212

• Restore input validation of IP address family and rule type, verifying IPv6 IPs with IPv6 rules, and IPv4 for IPv4 rules. #6218

• Add validation of address family and protocol combinations on packet capture page. #6219

• Add validation of IP aliases with CARP parent interfaces to ensure matching address family. #6218

• Restore GET parameters on status_graph.php. #6192

• Fixed PHP error on input validation failure with floating rules in some cases. #6175

• Use CDATA for firewall rule separator descriptions so non-English characters work. #6174

• Fix port forward edit destination field filling when virtual IPs configured. #6173

• Fix load balancer monitor edit. #6171

• Restore “none” in load balancer fall-back pool. #6170

• Restore use of aliases in load balancer. #6169

• Fix duplicate for load balancer pools and virtual servers. #6168

• Restore description field on lagg edit page. #6163

• Fix saving of bogons update frequency. #6162

• Restore description field on captive portal IP passthrough. #6161

• Fix saving of sticky connections timeout field. #6146

• Show all restore areas in backup/restore screen. #6144

• Fix moving of rule separator before saving. #6128

• Use consistent up and down arrow formats on dashboard widgets. #6123

• Fix typo on OpenVPN server description. #6102

• Fix missing string on notification “mark as read” button. #6104

• Fix firewall rule separator positioning with easy rule addition. #6105

• Prevent closing of info box on monitoring page. #6106

• Add custom date range option to monitoring page.

• Use infoblock on IPsec PSK screen. #6107

• Fixed loss of “Do not NAT” enable on edit on outbound NAT. #6112

• Correct label of 1:1 NAT edit screen. #6114

• Add AJAX updates to NTP status page. #6117

• Fix button spacing on Edit File and Command pages. #5995

• Fix specification of port in DNS Resolver domain overrides. #6091

• Fix moving of multiple items to bottom of list on firewall, NAT and IPsec screens. #6092

• Fix setup wizard with only WAN assigned and using static IP. #6093

• Remove logo from wizard since it’s now redundant. #6095

• Fix gateway widget cut-off with 3 column dashboard. #6096

• Fixed force update on RFC 2136 DDNS. https://redmine.pfsense.org/issues/6359

• Fix reboot prompt when changing RAM disk setting and encountering an input error. #6349

• Fix highlighted tab when editing IPsec mobile P1. #6341

• Fix selection of configured speed and duplex on interface page. #6331

• Fix division by zero in status_queues.php. #6329

• Fix alignment issues in forms. #6327

• Fix entry of CIDR range in host aliases for conversion to IPs. #6322

• Allow use of # and ! again in DNS Forwarder domain overrides. #6310

• Restored hostname infobox in menu bar. #6306

• Fixed editing and deleting of additional DHCP pools. #6303

• Fixed requests to diag_system_activity.php piling up on slow systems. #6166

Interfaces

• Unset LAN DHCPv6/RA configuration if LAN interface is removed. #6152

IPsec

• Fix starting of strongswan twice. #6160

DNS Resolver

• Switched domain overrides from stub-zone to forward-zone so domain overrides don’t require the target server provide recursion. #6065

• Allow adding 0.0.0.0/0 to access lists. #6073

• Added 100,000 and 200,000 options for Unbound cache limit. #6230

• Fix Unbound startup where both DNS Forwarder and Resolver are enabled. #6354

DHCP Server

• Hostnames now allowed for NTP servers. #6239

IPsec

• Fixed LAN interfaces stopping functioning when IPsec is in use. #6296

• Mobile PSK matching issue with multiple PSKs fixed. #6286

• leftsendcert=always specified for all RSA types. #6082

• rc.newipsecdns fixed to check correct enabled status. #6351

Notifications

• Fixed growl notifications to unresolvable hostname generating crash report. #6187

• Fixed growl notification test with no password. #6221

Captive Portal

• Fixed error handling captive portal username with single quote. #6203

• Fixed issues with mixed-case zone names. #6278

OpenVPN

• Prevent leading space in tunnel network configuration causing invalid configuration. #6198

User Manager

• Fix RADIUS login with attribute class (25) when the server returns multiple attribute entries with different data. #6086

• Honor deny config write for RADIUS users. #6088

Package System

• Uninstall all packages pre-upgrade from <= 2.2.x to 2.3 to avoid problems from old packages. Reinstall them post-upgrade. #6137

• Fix reinstall of renamed packages post-upgrade to 2.3. #6118

• Fix package reinstallation getting stuck in loop when there is no Internet connectivity post-upgrade. #6180

Other

• Removed lua support from nginx to not deprecate old CPUs lacking CMOV support. #6185

• Added validation to console menu interface assignment to prevent creating duplicate VLANs. #6183

• Blacklisted S.M.A.R.T. options with Hyper-V to prevent crash. #6147

• Silence SSH host key log spam. #6143

• Fix order of gateway and gateway group name in gateway down log message. #6134

• Allow use of @ in hostname field for Namecheap DDNS. #6122

• Fix console error where $nat_if_list isn’t an array. #6307

• Include patch number in version display. #6309

• Fix pw groupdel error in log during boot. #6352

• Fixed stale xmlrpc.lock preventing config sync from functioning. #6328

• Fixed failed chown on startup with /var as a RAM disk. #6131

• Crash reporter now ignores warnings in release versions. #6178

• Fixed crash reporter to show full PHP warnings in development versions. #6097

Update 1

2.3.1 update 1 (2.3.1_1) was released on May 25, 2016 with the following fixes/changes since 2.3.1-RELEASE.

• Security issue pfSense-SA-16_05.webgui patched.

• Lowered default LDAP timeout from 25 seconds to 5 seconds. #6367

• Fixed handling of IPsec negotiation mode with IKE version set to auto. #6360

• Increase PHP’s memory limit to 512 MB on 64 bit versions to better accommodate systems with a large number of active states. #6364

• Set request_terminate_timeout the same as max_execution_time to prevent many possible circumstances of “504 gateway error” from occurring. #6396

• Fix use of URL IP type aliases in firewall rules. #6403

• Fix show/hide fields Javascript in Chrome on Mac OS X. #6401

• Fixed save of “IPv6 over IPv4 Tunneling” address on System>Advanced, Networking. #6381

Update 2 through 4

These were internal-only versions that weren’t publicly-released.

Update 5

2.3.1 update 5 (2.3.1_5) was released on June 16, 2016 with the following fixes/changes since 2.3.1_1.

• Fixed command injection vulnerability in auth.inc via User Manager. #6475

• Fixed command injection vulnerability in pkg_mgr_install.php id parameter. #6474

• Upgraded PHP to 5.6.22

• Fixed Captive Portal redirect hangs caused by longer keepalive_timeout in nginx. #6421

• Fixed DDNS PTR zone in dhcpd.conf with third octet of 0. #6413

• Fixed save and reset buttons on load balancer status page. #6254

• Fixed schedule editing on firewall rules page. #6428

• Allow “-” character in TFTP server field on DHCP Server page. #6433

• Allow “-” and “_” characters in system tunables. #6438

• Fixed changing of link type on PPPs edit screen. #6439

• Fixed setting of “RADIUS issued IPs” on L2TP page. #6440

• Restored apply changes button for interface mismatch post-config restore. #6460

• Fixed display of Outbound NAT port aliases. #6463

• Fixed schedule edit allowing invalid time range. #6468