2.1.4 RELEASE Now Available

2.1.4 follows very shortly after 2.1.3 and is primarily a security release. Refer to the 2.1.1 release notes, 2.1.2 release notes, and 2.1.3 release notes for other recent changes.

Security Fixes

Packages also had their own independent fixes and need updating. During the firmware update process the packages will be reinstalled properly. Otherwise, uninstall and then reinstall packages to ensure that the latest version of the binaries is in use.

Other Fixes

  • Patch for Captive Portal pipeno leaking issue which leads to the ‘Maximum login reached’ on Captive Portal. #3062
  • Remove text not relevant to Allowed IPs on the Captive Portal. #3594
  • Remove units from burst as it is always specified in bytes. (Per ipfw(8)).
  • Add column for internal port on UPnP status page.
  • Make listening on interface rather than IP optional for UPnP.
  • Fix highlighting of selected rules. #3646
  • Add guiconfig to widgets not including it. #3498
  • /etc/version_kernel and /etc/version_base no longer exist, use php_uname to get the version for XMLRPC check instead.
  • Fix variable typo. #3669
  • Delete all IP Aliases when an interface is disabled. #3650
  • Properly handle RRD archive rename during upgrade and squelch errors if it fails.
  • Convert protocol ssl:// to https:// when creating HTTP headers for XMLRPC.
  • Show disabled interfaces when they were already part of an interface group. This avoids showing a random interface instead and letting the user add it by mistake. #3680
  • The client-config-dir directive for OpenVPN is also useful when using OpenVPN’s internal DHCP while bridging, so add it in that case also.
  • Use curl instead of fetch to download update files. #3691
  • Escape variable before passing to shell from stop_service().
  • Add some protection to parameters that come through _GET in service management.
  • Escape argument on call to is_process_running, also remove some unnecessary mwexec() calls.
  • Do not allow interface group name to be bigger than 15 chars. #3208
  • Be more precise when matching members of a bridge interface; it should fix #3637
  • Do not expire already disabled users; it fixes #3644
  • Validate starttime and stoptime format on firewall_schedule_edit.php
  • Be more careful with the host parameter on diag_dns.php and make sure it’s escaped when calling shell functions
  • Escape parameters passed to shell_exec() in diag_smart.php and elsewhere
  • Make sure variables are escaped/sanitized on status_rrd_graph_img.php
  • Replace exec calls to run rm by unlink_if_exists() on status_rrd_graph_img.php
  • Replace all `hostname` calls by php_uname('n') on status_rrd_graph_img.php
  • Replace all `date` calls by strftime() on status_rrd_graph_img.php
  • Add $_gb to collect possible garbage from exec return on status_rrd_graph_img.php
  • Avoid directory traversal in pkg_edit.php when reading package xml files, also check if the file exists before trying to read it
  • Remove id=0 from miniupnpd menu and shortcut
  • Remove . and / from pkg name to avoid directory traversal in pkg_mgr_install.php
  • Fix core dump on viewing invalid package log
  • Avoid directory traversal on system_firmware_restorefullbackup.php
  • Re-generate session ID on a successful login to avoid session fixation
  • Protect rssfeed parameters with htmlspecialchars() in rss.widget.php
  • Protect servicestatusfilter parameter with htmlspecialchars() in services_status.widget.php
  • Always set httponly attribute on cookies
  • Set ‘Disable webConfigurator login autocomplete’ as on by default for new installs
  • Simplify logic, add some protection to user input parameters on log.widget.php
  • Make sure single quotes are encoded and avoid javascript injection on exec.php
  • Add missing NAT protocols on firewall_nat_edit.php
  • Remove extra data after space in DSCP and fix pf rule syntax. #3688
  • Only include a scheduled rule if it is strictly before the end time. #3558
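
Several entries above (escaping values passed to the shell, removing `.` and `/` from package names, encoding single quotes) are standard PHP hardening patterns. The following is an added example of those patterns, not pfSense code; the function names, the `/usr/bin/host` path and the sample inputs are assumptions.

```php
<?php
// Added illustration, not pfSense source. Function names, the /usr/bin/host
// path and all sample inputs are hypothetical.

// Shell arguments: validate the value first, then quote it for the shell.
function build_lookup_command($host) {
    $is_ip = filter_var($host, FILTER_VALIDATE_IP) !== false;
    // \A and \z anchor the whole string, so a trailing newline cannot slip through.
    $is_name = preg_match('/\A[a-z0-9]([a-z0-9.-]{0,251}[a-z0-9])?\z/i', $host) === 1;
    if (!$is_ip && !$is_name) {
        return null; // reject rather than try to repair the input
    }
    return '/usr/bin/host ' . escapeshellarg($host);
}

// Package files: strip "." and "/" from the name, then confirm the resolved
// path exists and is still inside the package directory.
function package_xml_path($base_dir, $pkg_name) {
    $clean = str_replace(array('.', '/'), '', $pkg_name);
    $base = realpath($base_dir);
    if ($clean === '' || $base === false) {
        return null;
    }
    $path = realpath($base . '/' . $clean . '.xml'); // false if the file is missing
    if ($path === false || strpos($path, $base . '/') !== 0) {
        return null;
    }
    return $path;
}

// HTML output: ENT_QUOTES encodes single quotes as well as double quotes.
function html_attr($value) {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: a temporary package directory holding one file.
$dir = sys_get_temp_dir() . '/pkg_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/example.xml', '<packagegui/>');

var_dump(build_lookup_command('example.com'));
var_dump(build_lookup_command('example.com; uptime'));
var_dump(package_xml_path($dir, 'example'));
var_dump(package_xml_path($dir, '../../etc/passwd'));
var_dump(html_attr("x' onclick='y"));

unlink($dir . '/example.xml');
rmdir($dir);
```

Before PHP 8.1 the default `htmlspecialchars()` flags left single quotes unencoded, which is why `ENT_QUOTES` is passed explicitly.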


8 Responses to “2.1.4 RELEASE Now Available”

  1. nimamhd Says:

    Well Done team.

  2. Bipin Says:

    did this update break the console, 2 things seem broken, first when u boot the alix the message that says u got 5 seconds to hit any key for shell and second when it says bootup complete, the rest of the part that shows console commands and interface ips never show

  3. andrea Says:

    Great Works! thanks

  4. Vocatus Says:

    What is the order of upgrade for a CARP cluster? Secondary first? Primary first?

    Thanks for the great work!

  5. Jim Says:

    Seems to work so far. Updated my HA Cluster by doing the secondary first then the primary and all is well. Seeing some odd things with Snort but will report them once confirmed.

  6. Bobby Says:

    Cool Beans!

  7. Balong @PH Says:

    Many thanks to all…. Keep up the Good Works!!!

  8. Havary Says:

    I'm having some trouble with ifconfig-pool-persist, which is not working for my configuration setup. I export the pfsense 2.0.1 backup file, restored in the 2.1.4. with conf is the only thing that is not working right now!
