CVE-2020-19203: Releases — 2.4.4-p3 New Features and Changes
An authenticated Cross-Site Scripting (XSS) vulnerability was found in widgets/widgets/wake_on_lan_widget.php, a component of the pfSense software WebGUI, on version 2.4.4-p2 and earlier. The widget did not encode the descr (description) parameter of wake-on-LAN entries in its output, leading to a possible stored XSS.
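To make the defect concrete, the following is an added illustration written for this page, not code from pfSense or its WOL widget: a minimal table-row renderer for wake-on-LAN entries in the unencoded form the advisory describes, beside the encoded form that prevents stored XSS. The entry array, the helper `h()` and the two `render_wol_row_*` functions are assumed names for the example; the real widget reads its entries from config.xml.

```php
<?php
// Added example (not pfSense's own code). Demonstrates why an unencoded
// "descr" field in a wake-on-LAN widget is a stored XSS, and the fix.

// Constructed sample entry. The descr value comes from the configuration,
// so the widget must treat it as untrusted text, not as markup.
$wol_entries = [
    [
        'interface' => 'lan',
        'mac'       => '00:11:22:33:44:55',
        'descr'     => 'Workstation <script>alert(1)</script>',
    ],
];

// Vulnerable form: configuration values are concatenated straight into HTML,
// so any markup stored in descr is parsed and executed by the browser of
// every administrator who views the dashboard.
function render_wol_row_unencoded(array $entry): string
{
    return '<tr><td>' . $entry['interface'] . '</td>'
         . '<td>' . $entry['mac'] . '</td>'
         . '<td>' . $entry['descr'] . '</td></tr>';
}

// Output-encoding helper: converts <, >, &, " and ' to HTML entities so a
// value can only ever appear as text inside an element or attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened form: every configuration-derived value passes through h() at the
// point where it is written into HTML.
function render_wol_row_encoded(array $entry): string
{
    return '<tr><td>' . h($entry['interface']) . '</td>'
         . '<td>' . h($entry['mac']) . '</td>'
         . '<td>' . h($entry['descr']) . '</td></tr>';
}

// Simple regression check a reviewer can apply to a rendered row: none of the
// raw (unencoded) configuration strings may survive into the HTML verbatim.
function row_is_encoded(string $html, array $entry): bool
{
    foreach ($entry as $value) {
        if ($value !== h($value) && strpos($html, $value) !== false) {
            return false;
        }
    }
    return true;
}

foreach ($wol_entries as $entry) {
    $bad  = render_wol_row_unencoded($entry);
    $good = render_wol_row_encoded($entry);
    echo "Unencoded: $bad\n";      // <script> tag reaches the browser intact
    echo "Encoded:   $good\n";     // &lt;script&gt; is rendered as literal text
    echo 'Unencoded row passes check: ' . (row_is_encoded($bad, $entry) ? 'yes' : 'no') . "\n";
    echo 'Encoded row passes check:   ' . (row_is_encoded($good, $entry) ? 'yes' : 'no') . "\n";
}
```

The check in `row_is_encoded()` is deliberately crude; in practice the fix is to encode at every sink, as the advisory's patches do across the listed pages, rather than to validate descriptions on input, since a description legitimately may contain characters such as `&` or `<`.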
pfSense® software version 2.4.4-p3 addresses security and other issues found in 2.4.4-p2.
Warning
The upcoming pfSense release version 2.5.0 deprecates the built-in load balancer, and all related code has been removed as it is not compatible with FreeBSD 12. Plan migrations to alternate solutions such as the HAProxy package now.
See the 2.5.0 release notes for more information.
Security / Errata
- Changed sshguard to block both ssh and the GUI using a single table, and removed the unnecessary manual scheduled table expiration (pfSense-SA-19_02.sshguard) #9223
- Fixed potential XSS vectors
  - pfSense-SA-19_01.webgui: Fixed potential XSS vectors in system_advanced_admin.php, interfaces_assign.php, firewall_rules_edit.php, firewall_shaper.php, services_igmpproxy_edit.php, services_ntpd_gps.php and diag_traceroute.php #9294
  - pfSense-SA-19_03.webgui: Fixed potential XSS vector in status_filter_reload.php #9499
  - pfSense-SA-19_04.webgui: Fixed potential XSS vector in the WOL widget #9507
  - pfSense-SA-19_05.webgui: Fixed potential XSS vector in services_acb.php #9508
- Fixed privilege issues
  - pfSense-SA-19_06.webgui: Restrict edit access to OpenVPN-related advanced settings, and added a new privilege to delegate edit permissions #9511
  - pfSense-SA-19_07.webgui: Strengthen widget privilege matching to avoid a potential privilege bypass for users granted access to widgets #9512
  - pfSense-SA-19_08.webgui: Strengthen path privilege check to avoid a potential directory-traversal-like bypass method #9513
- Added privileges for Auto Config Backup pages #9519
- Updated privileges: Added misc missing pages, removed obsolete pages
- Addressed FreeBSD Security Advisories:
  - FreeBSD-SA-19:03.wpa
  - FreeBSD-SA-19:04.ntp
  - FreeBSD-SA-19:05.pf
  - FreeBSD-SA-19:06.pf
  - FreeBSD-SA-19:07.mds
  - FreeBSD-EN-19:08.tzdata
- Added DNS over TLS host verification #8602
  - Configure hostnames for DNS over TLS servers under System > General
- sqlite updates #9205
Backup / Restore
- Fixed issues with output buffering causing configuration backup download failures #9390
- Fixed automatic package reinstallation after restoring config.xml from the installer #9214
- Force <enableserial> when restoring a backup on a device with a serial-only console
Certificates
- Added missing countries to the CA list on certificate pages #9308
- Fixed an error when adding a new user and choosing to generate a certificate #9317
DNS
- Fixed input validation on diag_dns.php to allow a trailing dot on hostnames #9276
- Removed non-functional tools links from diag_dns.php #9275
- Fixed rewriting of the DNS Resolver file remotecontrol.conf if it is present but empty #9470
Firewall Rules / NAT / Aliases
- Fixed intermittent pf errors when NAT reflection is enabled #9446
- Fixed reserved pf keyword matching when creating and editing aliases #9231
- Fixed duplicate entries showing on diag_tables.php from lockout tables #9359
- Fixed a PHP error deleting an imported NAT rule with no firewall rules present #9193
- Do not show the scheduler icon when the scheduler tag is empty
Gateways / Routing
- Fixed issues with the default IPv4 gateway set to a group failing after restart #9004
Interfaces
- Fixed a PHP error from interface groups when editing QinQ entries
IPsec
- Fixed IPsec Phase 1 entries on upgrade to have their protocol field populated properly #9207
Operating System
- Fixed support for ZFS encrypted+mirrored swap #9281
- Fixed problems saving crash dumps when /var is a RAM disk #9409
Traffic Shaping
- Fixed a PHP error when loading a limiter that does not exist #9313
- Fixed limiter selection validation
- Fixed Queues menu items ending with “:” in certain languages #8970
WebGUI
- Numerous optimizations and improvements for status.php diagnostics output #9290
- Fixed a PHP error on system_advanced_network.php when disabling “IPv6 over IPv4 Tunneling” #9264
- Improved handling of large captures on diag_packet_capture.php and disabled viewing of captures larger than 50 MiB #9239
- Added hostname to the login page title if the user has enabled Show hostname on login banner #9096
- Centralized the list of country codes used by multiple areas #9308
- Updated translation files
XMLRPC
- Clarified conditions for synchronizing certificates in HA Sync options #9283