2.0.1 release now available!

December 20th, 2011 by Chris Buechler

pfSense 2.0.1 release is now available. This is a maintenance release with bug and security fixes since the 2.0 release, and it is the recommended release for all installations. As always, you can upgrade from any previous release to 2.0.1, so if you haven’t upgraded to 2.0 yet, upgrade straight to 2.0.1. If you use the built-in certificate manager, pay close attention to the notes below on a potential security issue with those certificates.

Change list

The following changes were made since the 2.0 release.

  • Improved accuracy of automated state killing in various cases (#1421)
  • Various fixes and improvements to relayd
    • Added to Status > Services and widget
    • Added ability to kill relayd when restarting (#1913)
    • Added DNS load balancing
    • Moved relayd logs to their own tab
    • Fixed default SMTP monitor syntax and other send/expect syntax
  • Fixed path to FreeBSD packages repo for 8.1
  • Various fixes to syslog:
    • Fixed syslogd killing/restarting to improve handling on some systems that were seeing GUI hangs resetting logs
    • Added more options for remote syslog server areas
    • Fixed handling of ‘everything’ checkbox
    • Moved wireless to its own log file and tab
  • Removed/silenced some irrelevant log entries
  • Fixed various typos
  • Fixes for RRD upgrade/migration and backup (#1758)
  • Prevent users from applying NAT to CARP which would break CARP in various ways (#1954)
  • Fixed policy route negation for VPN networks (#1950)
  • Fixed “Bypass firewall rules for traffic on the same interface” (#1950)
  • Fixed VoIP rules produced by the traffic shaper wizard (#1948)
  • Fixed uname display in System Info widget (#1960)
  • Fixed LDAP custom port handling
  • Fixed Status > Gateways to show RTT and loss like the widget
  • Improved certificate handling in OpenVPN to restrict certificate chaining to a specified depth – CVE-2011-4197
  • Improved certificate generation to specify/enforce type of certificate (CA, Server, Client) – CVE-2011-4197
  • Clarified text of serial field when importing a CA (#2031)
  • Fixed MTU setting on upgrade from 1.2.3, now upgrades properly as MSS adjustment (#1886)
  • Fixed Captive Portal MAC passthrough rules (#1976)
  • Added tab under Diagnostics > States to view/clear the source tracking table if sticky is enabled
  • Fixed CARP status widget to properly show “disabled” status.
  • Fixed end time of custom timespan RRD graphs (#1990)
  • Fixed situation where certain NICs would constantly cycle link with MAC spoofing and DHCP (#1572)
  • Fixed OpenVPN ordering of client/server IPs in Client-Specific Override entries (#2004)
  • Fixed handling of OpenVPN client bandwidth limit option
  • Fixed handling of LDAP certificates (#2018, #1052, #1927)
  • Enforce validity of RRD graph style
  • Fixed crash/panic handling so it will do textdumps and reboot for all, and not drop to a db> prompt.
  • Fixed handling of hostnames in DHCP that start with a number (#2020)
  • Fixed saving of multiple dynamic gateways (#1993)
  • Fixed handling of routing with unmonitored gateways
  • Fixed Firewall > Shaper, By Queues view
  • Fixed handling of spd.conf with no phase 2s defined
  • Fixed synchronization of various sections that were leaving the last item on the slave (IPsec phase 1, Aliases, VIPs, etc)
  • Fixed use of quick on internal DHCP rules so DHCP traffic is allowed properly (#2041)
  • Updated ISC DHCP server to 4.2.3 (#1888) – this fixes a denial of service vulnerability in dhcpd.
  • Added patch to mpd to allow multiple PPPoE connections with the same remote gateway
  • Lowered size of CF images to again fit on newer and ever-shrinking CF cards.
  • Clarified text for media selection (#1910)

Notes for certificate generation vulnerability

Certificates generated with the built-in certificate manager in all 2.0 versions prior to 2.0.1 are excessively permissive for non-CA certificates. These certificates can be used as a certificate authority, meaning the holder of such a certificate can use it to sign further chained certificates. We have defaulted OpenVPN on 2.0.1 and newer versions to not accept chained certificates, which mitigates this. However, if untrusted users hold certificates generated on the 2.0 release, we suggest re-generating all your certificates and issuing new ones. Certificates generated by easy-rsa and imported into 2.0 are not affected.
If you use certificates generated on pfSense for other purposes, you should revoke those and issue new certificates generated on 2.0.1. You must use a CRL in that case. To be on the safe side, you may want to start from scratch with a new CA and certificates after deleting all your existing ones, if this applies to you.
Thanks to Florent Daigniere for bringing this issue to our attention and helping confirm our resolution.
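One way to audit certificates already issued from a 2.0 system, as an added example that is not pfSense’s own code: it assumes the permissiveness described above is visible in the X.509 basicConstraints extension (the field that governs whether a certificate may act as a CA, RFC 5280 section 4.2.1.9) and decodes that extension from a certificate’s DER extension list with a small hand-written parser; the sample extension lists are constructed, not real pfSense output.

```python
# Added example, not pfSense code: does an X.509 extension list assert the CA flag?
# X.509 carries that in basicConstraints (OID 2.5.29.19); this assumes the 2.0
# permissiveness shows up in that extension.  Minimal DER walker, no signature checks.

BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # 2.5.29.19 as encoded in DER

def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV inside a constructed value."""
    while start < end:
        tag, vs, ve = _read_tlv(buf, start)
        yield tag, vs, ve
        start = ve

def basic_constraints_is_ca(extensions_der):
    """True/False for the cA flag, None if basicConstraints is absent.
    Input: DER of Extensions ::= SEQUENCE OF SEQUENCE { OID, [critical BOOL], OCTET STRING }."""
    tag, start, end = _read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    for _, es, ee in _children(extensions_der, start, end):
        fields = list(_children(extensions_der, es, ee))
        oid_tag, os_, oe = fields[0]
        if oid_tag != 0x06 or extensions_der[os_:oe] != BASIC_CONSTRAINTS_OID:
            continue
        _, vs, _ = fields[-1]                        # extnValue OCTET STRING
        _, bs, be = _read_tlv(extensions_der, vs)    # BasicConstraints SEQUENCE inside it
        for t, fs, _ in _children(extensions_der, bs, be):
            if t == 0x01:                            # cA BOOLEAN
                return extensions_der[fs] != 0
        return False                                 # cA omitted means DEFAULT FALSE
    return None

def needs_regeneration(extensions_der):
    """Conservative verdict for a server/client cert: reissue unless explicitly CA:FALSE."""
    return basic_constraints_is_ca(extensions_der) is not False

# Constructed sample extension lists (hand-encoded DER, not real pfSense output):
CLIENT_CA_TRUE = bytes.fromhex("3011300f0603551d130101ff040530030101ff")  # critical, CA:TRUE
CLIENT_CA_FALSE = bytes.fromhex("300e300c0603551d130101ff04023000")      # critical, CA:FALSE
CLIENT_NO_BC = bytes.fromhex("3010300e0603551d0f0101ff0404030205a0")     # keyUsage only
```

To run it against a real certificate, feed it the DER bytes of the TBSCertificate's [3] extensions field; a certificate that reports True for a server or client role is one the notes above say to revoke and reissue.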

Upgrade considerations

For those still on 1.2.x versions, it is very important to read the upgrade guide before performing an upgrade.

Download

Files for new installs are available here on the mirrors.

NOTE: With 2.0 release and newer versions, we’re now also building the oft-requested nanobsd embedded version with VGA! You’ll find alternate builds with VGA in the filename, which are the VGA-enabled versions. Only use these on hardware with VGA video. The regular serial version must be used on all hardware that has only a serial port, like the popular PC Engines and Soekris models amongst others, as they will not boot or function correctly otherwise.

Update files for upgrades are available here on the mirrors.

Questions

Please take questions to the forum or mailing list only, where far more people will see them.


49 Responses to “2.0.1 release now available!”

  1. Fernando Says:

    Awesome guys!
    Good Job pfsense team!

  2. Bart Grefte Says:

    “Fixed situation where certain NICs would constantly cycle link with MAC spoofing and DHCP (#1572)”

    Was that bug already present in v1.2.3? Since that would probably explain why pfSense (both v1.2.3 and v2) suddenly started sending out so many DHCP requests in a certain amount of time that my ISP pulled the plug temporarily…

    Something weird, if the above bug was indeed the cause: a clean install of v2(.0) did not solve it; I switched to IPFire because of this problem.

  4. sirWest Says:

    Is it possible to upgrade the NanoBSD console version from 2.0 to 2.0.1 using gitsync? I have customized it a bit and don’t want to lose all changes when upgrading, as it overwrites the whole slice. Also, re-configuring snort from scratch (again) is a nuisance ;)

  5. Andrea Says:

    Very good job, as always!

  6. Tommao Says:

    This is a great news!

  9. Chris Buechler Says:

    sirWest: no, you have to do an upgrade to get the binary changes. Most of the listed items would be fixed by only gitsyncing, but not nearly all.

  10. Chris Buechler Says:

    Bart: that one was not present in 1.2.3. I didn’t see it generate a large volume of DHCP requests as it effectively took down the NIC entirely under that circumstance, but that’s somewhat dependent on NIC driver, it potentially could.

  11. Joshua Says:

    Great job guys!

  13. phil Says:

    anywhere we can get more info regarding the Certificate Generation Vulnerability?

    thanks for the great work.

  14. Chris Buechler Says:

    phil: what is described here is the extent of it, not sure what info you’re looking for?

  15. Fabio Says:

    Chris, do you know if Bug #1629 is already fixed on this version?

  16. Bart Grefte Says:

    Chris: Not in 1.2.3? Hmm, then the cause is still unknown… Here’s the topic I made with some log-info: http://forum.pfsense.org/index.php/topic,42837.0.html
    The NICs are from Intel, 82574L, not sure if that matters.

  17. Quan Says:

    Thanks for the hard work.

    I tested pfSense version 2.0.1 and tried the haproxy package, but it has a capacity problem: as a layer 7 (HTTP) load balancer it cannot add the cookie feature (example: cookie SERVERID insert indirect…).

    Regards

  18. Jeff Says:

    Does this fix the issue with the WebUI? The dashboard causes the slowdown when going back to the main System page with the dashboards, even the default dashboards with no customizations.

  19. Zeeshan Hashmi Says:

    Well done pfSense Team, excellent job.

  20. Mark Says:

    Thanks a lot. My first christmas gift ;)

  21. Ryan Says:

    The 2.0.1 update not only blew up our current 2.0 pfSense system, totally corrupting pfSense (not to mention the loss/corruption of all packages), but it won’t run after a clean install from the i386 iso. Looks like it needs more work. And where did the install option for a single core cpu go?

  22. Chris Buechler Says:

    Jeff: there are no such known issues, definitely something we would have encountered long ago if it were a general problem. Please post details to the forum or list.

    Ryan: none of the 2.0.1 changes would do anything remotely close to something along those lines, but I’m sure what’s happening is you have a mess of unstable packages on there that caused havoc for you. There are no major changes in 2.0.1 vs. 2.0, definitely not anything that would cause that kind of issue. There is no longer a uniprocessor kernel because it’s unnecessary.

    Good time to again remind people – watch VERY closely what packages you install. If they aren’t labeled as “stable”, they can very easily regress your entire system to beta or alpha or completely destroy it. The bulk of them are not developed by us, they’re from outside contributors who generally don’t have anywhere near the level of QA and review we have on the base system.

  23. John Adam Says:

    We run the pfSense firewall utilizing PFSYNC Master and Slave nodes for redundancy, with redundant WAN links to boot.
    Both instances are VMWare 5.0 virtual machines.
    To test the new version, I created two new Virtual Machines with 2.0.1 and then Restored the last saved configurations from 2.0.
    As usual, this takes some time and does seem to cause installed packages to be uninstalled and reinstalled.
    However, no problems were encountered.
    I would always encourage testing, with a backup and recovery strategy ready to go before applying any patch or upgrade to anything.

  24. nima Says:

    Well done team.

  25. Mariusz Says:

    Just upgraded from 2.0 to 2.0.1. All went as expected. Many thanks to pfSense team!

  26. Fredrik Says:

    Brilliant! I have been affected by issue 1993 and now I can’t wait to get home to try the update! Thank you all!

  27. Acoustiq / eXiGe Says:

    Just updated 2.0 to 2.0.1 x86 – smooth, everything’s running as it should.
    Excellent job, thanks a lot! Have a brilliant new year!

  28. chs Says:

    Updated from 2.0 to 2.0.1 (nanobsd).

    Everything fine. Thanks for the good work guys.

  29. Ryan Says:

    No unstable packages. All were release and stable. While the auto-downloaded update was botched for whatever reason, we did partially find the cause of not being able to install: a bad IDE cable or drive. We replaced both and it installed and restored fine. That might have caused the botched upgrade too. Hate it when hardware failure happens right when you update/upgrade something.

  30. Chris Buechler Says:

    Thanks for the follow up, Ryan. Drive failure would definitely cause a failed upgrade, actually it isn’t too uncommon when you have a drive failure to not discover it until you try to upgrade. Depending on what packages you have installed, the disk may almost never get touched short of boot time and upgrades. And a good lesson for all – don’t be so quick to assume the software is to blame. ;)

  31. Glenn Says:

    Update went smoothly.
    You folks are fantastic.
    Thanks very much and a Happy New Year to all.

  32. Gabriel Zellmer Says:

    Excellent job everyone involved, just updated from 2.0 to 2.0.1 with zero problems including packages!!

  33. Aydın Says:

    Nice work guys. Thank you..

  34. Roy Says:

    Update was easily done and running as expected.

    Just a question: Is there any plan to be able to do traffic shaping while having transparent proxy?
    Thanks so much and happy new year!

  35. Thomas Says:

    I upgraded recently to 2.0.1 from 2.0 using the auto-upgrade feature and ran into a big problem.

    I have installed the amd64 version, but the auto-install installed the i386 version over top. I had to run a console upgrade of amd64 twice to get the system working properly again.

    I have disabled auto-update on my pfsense servers since this is a major problem. It happened with my 1.2.x upgrade to 2.0 as well.

  36. Chris Buechler Says:

    Thomas: auto-update pulls from where you tell it to pull from, you picked the i386 update URL manually if you upgraded amd64 and it went to i386. The default auto-update URL keeps you on the same architecture. 1.2.3 is i386-only, so not sure how you’re thinking it changed architectures, its auto-update will keep you on the same architecture as well (i386 only in that case).

  37. Krezalis Says:

    Great Job!

  38. Morrison Says:

    I upgraded recently to 2.0.1 from 1.2.3 by using the auto-upgrade feature in the WebUI. It was smooth and perfect. No issue was encountered at all.
    Great job. Congratulations. You never disappoint us, guys.

  39. Lo Zio Says:

    Upgraded several 1.2.3 and 2.0 to 2.0.1, both nano and standard.
    No one single problem.
    Great, great job. Thanks

  40. Paul M Says:

    Hello,
    I changed jobs recently and am unfortunately managing some Cisco PIX.

    When we move offices I would like to build new firewalls using pfSense, but we need some level of PCI-DSS compliance. As far as I can see pfSense ticks the right boxes, but I would like some confirmation that there is no reason not to use it.

  41. Chris Buechler Says:

    Paul: Yes, pfSense does serve as the firewalls in numerous PCI compliant environments, including some very high transaction level ones that get the highest levels of auditor scrutiny, so it’s definitely a suitable platform. PCI is about a lot more than what firewall you use though. Post to the forum or list to get into more detailed discussion, and maybe get some feedback from users who have PCI compliant networks.

  42. Ernest Says:

    I still love it, great job pfSense Team! ;-)

  43. mahmut ay Says:

    Good job, thanks to everybody.

  44. Arcel de Ocampo Says:

    Once again, great work! The biggest question for me is: when will IPv6 be officially included?

    thanks!!!

  45. Chris Buechler Says:

    Arcel: http://doc.pfsense.org/index.php/Is_there_IPv6_support_available

  46. Rexhepi Says:

    Great job, thanks.

  47. james bruce Says:

    are there simple basic downloads for the uninformed?

  48. Pieter Jordaan Says:

    Brilliant!

    I love seeing pfSense kick Cisco butt.

    I just configured Site-to-Site VPN with compression, linked into a gateway group for fail-over. It is awesome!

    Keep up the good work guys.

  49. George Mathieson Says:

    I can confirm that the Traffic Graph does not save its refresh interval.
