2.0.3 Release Now Available!

I’m happy to announce the release of pfSense 2.0.3. This is a maintenance release with some bug and security fixes since the 2.0.2 release. You can upgrade from any previous release to 2.0.3.

Change List

Security Fixes

  • Updated to OpenSSL 0.9.8y to address FreeBSD-SA-13:03.
  • Fix for the XSS in the IPsec log listed below, which was possible from users possessing a shared key or valid certificate
  • The S.M.A.R.T. input validation fix listed below isn’t security relevant in the vast majority of use cases, but the underlying issue could lead to privilege escalation for an administrative user with limited rights who can access the S.M.A.R.T. pages but cannot access any of the pages that allow command execution by design.


  • Fix obtaining DNS servers from PPP type WANs (PPP, PPPoE, PPTP, L2TP)

Captive Portal

  • Fix Captive Portal Redirect URL trimming
  • Voucher sync fixes
  • Captive portal pruning/locking fixes
  • Fix problem with fastcgi crashing which caused CP issues on 2.0.2


  • Clear the route for an OpenVPN endpoint IP when restarting the VPN, to avoid a situation where a learned route from OSPF or elsewhere could prevent an instance from restarting properly
  • Always clear the OpenVPN route when using shared key, no matter how the tunnel network “CIDR” is set
  • Use the actual OpenVPN restart routine when starting/stopping from services rather than killing/restarting manually
  • Allow editing an imported CRL, and refresh OpenVPN CRLs when saving. [#2652]
  • Fix interface assignment descriptions when using > 10 OpenVPN instances


  • Put syslogd into secure mode so it refuses remote syslog messages
  • If syslog messages are in the log, and the hostname does not match the firewall, display the supplied hostname
  • Fix PPP log display to use the correct log handling method
  • Run IPsec logs through htmlspecialchars before display to avoid a potential persistent XSS from racoon log output (e.g. username)
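The htmlspecialchars fix in the last item above, as an added example (not pfSense's own code): a log viewer that escapes every log-derived value before it is placed in the page. The function name, table markup and sample log lines are constructed for illustration.

```php
<?php
// Added example, not pfSense source. render_log_rows() and the sample
// log lines are constructed; only htmlspecialchars() comes from the page.

/**
 * Turn raw syslog lines into HTML table rows. Every value that comes from
 * the log is escaped at output time, so markup a remote peer manages to
 * get logged (e.g. as a username) is shown as text, not parsed as HTML.
 */
function render_log_rows(array $lines): string
{
    $rows = '';
    foreach ($lines as $line) {
        // "Mon DD HH:MM:SS host message" -> timestamp and message.
        if (preg_match('/^(\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+(.*)$/', $line, $m)) {
            $when = $m[1];
            $msg  = $m[2];
        } else {
            $when = '';
            $msg  = $line; // unparsable line: show it whole, still escaped
        }
        $rows .= sprintf(
            "<tr><td>%s</td><td>%s</td></tr>\n",
            htmlspecialchars($when, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($msg, ENT_QUOTES, 'UTF-8')
        );
    }
    return $rows;
}

// Constructed sample input; the second username carries markup.
$sample = [
    'Apr 15 10:02:11 fw racoon: INFO: login succeeded for user "alice"',
    'Apr 15 10:02:40 fw racoon: ERROR: login failed for user "<script>alert(1)</script>"',
];

$html = render_log_rows($sample);
if (stripos($html, '<script') !== false) {
    throw new RuntimeException('unescaped markup reached the page');
}
echo $html;
```

Escaping at the point of display, rather than when the line is written, keeps the stored log intact for forensics while making the viewer safe for whatever the daemon records.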

Traffic Shaper

  • Fix editing of traffic shaper default queues. [#1995]
  • Fix wording for VoIP address option in the shaper. Add rule going the other direction to catch connections initiated both ways

Dashboard & General GUI

  • Use some tweaks to PHP session management to prevent the GUI from blocking additional requests while others are active
  • Remove cmd_chain.inc and preload.php to fix some issues with lighttpd, fastcgi, and resource usage
  • Firmware settings manifest (Site list) now bolds and denotes entries that match the current architecture, to help avoid accidental cross-architecture upgrades
  • Add header to DHCP static mappings table
  • When performing a factory reset in the GUI, change output style to follow halt.php and reboot.php so the shutdown output appears in the correct location on the page
  • Better validation of parameters passed during S.M.A.R.T. operations for testing HDDs
  • Fixed SNMP interface binding glitch (Setting was active but not reflected when viewed in GUI)
  • Add a new class called addgatewaybox to make it easier to respect custom themes [#2900]
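The S.M.A.R.T. parameter validation item in the list above, as an added example (not pfSense's own code): allowlisting request values before they reach a command line. It assumes the parameters are used to build a smartctl invocation; the function name, device-name pattern and binary path are hypothetical.

```php
<?php
// Added example, not pfSense source. All names and the smartctl path are
// assumptions made for illustration.

const SMART_TEST_TYPES = ['offline', 'short', 'long', 'conveyance'];

/**
 * Build a smartctl self-test command from request parameters.
 * Returns null when either value is not on the allowlist.
 */
function build_smart_test_cmd($device, $type)
{
    // Assumed disk naming: driver letters plus unit number (ad0, da1, ada2).
    // \A and \z anchor the whole string, so a trailing newline cannot slip by.
    if (!is_string($device) || !preg_match('/\A[a-z]{2,4}[0-9]{1,3}\z/', $device)) {
        return null;
    }
    // Strict comparison: only exact, known test names pass.
    if (!is_string($type) || !in_array($type, SMART_TEST_TYPES, true)) {
        return null;
    }
    // Values are already constrained; escapeshellarg() is defence in depth.
    return sprintf(
        '/usr/local/sbin/smartctl -t %s %s',
        escapeshellarg($type),
        escapeshellarg('/dev/' . $device)
    );
}

// Constructed request values.
$requests = [
    ['ad0', 'short'],           // accepted
    ['ad0; id', 'short'],       // rejected: shell metacharacters in device
    ['../etc/passwd', 'long'],  // rejected: not a device name
    ['da1', 'short -X'],        // rejected: not an allowed test type
    [['ad0'], 'short'],         // rejected: array instead of string
];

foreach ($requests as $r) {
    $cmd = build_smart_test_cmd($r[0], $r[1]);
    printf("%-28s => %s\n", json_encode($r), $cmd ?? 'REJECTED');
}
```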

Console Menu Changes

  • Correct accidental interface assignment changes when changing settings on the console menu
  • Console menu option 11 now kills all active PHP processes, kills lighttpd, and then restarts the GUI. This is a more effective way to restart the GUI since if a PHP process is hung, restarting lighttpd alone will not recover from that
  • Fix port display after LAN IP reset

Misc Changes

  • Change how the listening address is passed to miniupnpd, the old method was resulting in errors for some users
  • Fix “out” packet count reporting
  • Be a little smarter about the default kernel in rare cases where we cannot determine what was in use
  • Pass -S to tcpdump to avoid an increase in memory consumption over time in certain cases
  • Minimise rewriting of /etc/gettytab (forum reference)
  • Make is_pid_running function return more consistent results by using isvalidpid
  • Fix ataidle error on systems that have no ATA HDD. [#2739]
  • Update Time Zone database zoneinfo to 2012.j to pick up on recent zone/DST/etc changes
  • Fix handling of LDAP certificates, the library no longer properly handles files with spaces in the CA certificate filename
  • Bring in the RCFILEPREFIX as constant fixes from HEAD, since otherwise rc.stop_packages was globbing in the wrong dir and executing the wrong scripts. Also seems to have fixed the “bad fd” error
  • NTP restart fixes
  • Gitsync now pulls in git package from pfSense package repository rather than FreeBSD
  • Fixed handling of RRD data in config.xml backups when exporting an encrypted config [#2836]
  • Moved apinger status to /var/run instead of /tmp
  • Fixes for FTP proxy on non-default gateway WANs
  • Fixes for OVA images
  • Use new pfSense repository location (http://github.com/pfsense/pfsense/)
  • Add patch to compensate apinger calculation for down gateways by time taken from other tasks like rrd/status file/etc

lighttpd changes

  • Improve tuning of lighttpd and php processes
  • Use separate paths for GUI and Captive Portal fastcgi sockets
  • Always make sure php has its own process manager to make lighttpd happy
  • Make mod_fastcgi last to have url.rewrite work properly
  • Enable mod_evasive if needed for Captive Portal
  • Simplify lighttpd config
  • Send all lighttpd logs to syslog

Binary changes

  • dnsmasq to 2.65
  • rsync to 3.0.9
  • links 2.7
  • rrdtool to 1.2.30
  • PHP to 5.2.17_13
  • OpenVPN 2.2 stock again (Removed IPv6 patches since those are only needed on 2.1 now)
  • Fix missing “beep” binary on amd64
  • Fix potential issue with IPsec routing of client traffic
  • Remove lighttpd spawnfcgi dependency
  • Add splash device to wrap_vga kernels (It’s in GENERIC so full installs already have it). [#2723]


  • Correct an issue with unallocated structure
  • Avoid issues with pidfiles being overwritten, lock the file during modifications
  • Make filterdns restartable and properly cleanup its tables upon exit or during a reconfiguration


  • Correct use after free and also support hostnames with other DNS suffix
  • Reinit on any error rather than just forgetting. Also the difftime checks are done after having complete view, no need to do them every time
  • Typo fixes
  • Log that a HUP signal is being sent to the pid file submitted by argument
  • Prevent bad parsing of empty hostnames in lease file. Add an f option to run dhcplease in foreground. The only option needed while in foreground is h parameter and the only usable one as well

Upgrade Information

As always, upgrade information can be found in the Upgrade Guide.


Downloads for new installs and upgrades can be found on the mirrors here.

Note that some of the mirrors are still syncing; it will be several hours before they’re all up to date.


79 Responses to “2.0.3 Release Now Available!”

  1. QuebecOS » pfSense 2.0.3 Says:

    […] DNS servers from PPP type WANs (PPP, PPPoE, PPTP, L2TP);…. » See the detailed release announcement for a complete list of security updates and bug fixes. […]

  2. Darryl Mackay Says:

    Thanks for the hard work. Have been using since v2.0 to protect the forum I am running locally. Rock solid and stable (excluding my mistakes I made in the setup and upgrade processes). I have modified dyndns.class, services_dyndns.php and services_dyndns_edit.php files, for inclusion in a newer release that has ActiveDNS (www.activedns.co.za) as a DynDNS provider included for South African users who wish to use pfSense.

    Keep up the good work.


  3. Jansson Says:

    Thanks! Keep up the excellent work!

  4. Jelmer de Reus Says:

    Nice to see a firm bugfix release. Thanks and keep up the good work!


  5. Gordon Says:

    I also would like to say thanks for all the work. One thing that I did not see in the fixes was one for the problem with restoring from backup. Has that been fixed in this release?

    Thanks Gord

  6. Marco Says:

    Help: I started automatic firmware upgrade from 2.0.3 prerelease to 2.0.3. But the update process has been running for hours……. What can I do?
    Thank you in advance: any help will be appreciated.

  7. Chris Buechler Says:

    Gord: the only restore issue I’m aware of is the “Fixed handling of RRD data in config.xml backups when exporting an encrypted config”, which is fixed in this release. There haven’t been any other restore problems in many years that I can recall.

  8. Jan Says:

    Thanks! Love it.

  9. notyet Says:

    thanks !

  10. Goliator Says:

    Thanks team PfSense !!!!

    Eight machines updates, zero problems !!!!

  11. rashedix Says:

    Thanks for the hard work.

  12. Lynn Says:

    Excellent product – great work…

  13. Klaws Says:

    Thank you (again) for the (again) excellent work!

    One question: what happens to System Patches (added via the System Patches package) when doing a firmware upgrade? I see the PPP patch still in the list of active patches. The documentation of the System Patches package is no help…

  14. Robert Says:

    As said before, we do appreciate a real bug-fix release. Working on the next major revision is nice, but you have to have something solid for production work.

  15. Fabrizio Says:

    Excellent product, I used it for CP – Thanks for all the work

  16. Raspail Says:

    Thanks from Belgium.

  17. Stig Henning Says:

    Great work! I use pfsense with an ALIX board. Works great and have not had any downtime other than when power (lights goes off) or I reboot it 🙂

  18. TLDUGUE Says:

    I will give it a try. Thank you very much for your great effort, your time and all

  19. Yonas Yanfa Says:

    Great job guys! pfSense is #1.

  20. DigitalJer Says:

    Been looking forward to the new release – many thanks!

    -proud supporter

  21. Andrew Rimmer Says:

    Many thanks, another upgrade to the most flexible and adaptable firewall platform I have used. Ease and stability of upgrades (and migrations to different platforms) put the so called professional grade distros to shame.

  22. Dwight Raymond Baylon Says:

    It seems all issues and bugs have been corrected. Thank you so much development team! Two Thumbs up!

  23. Fgarcia Says:

    Well done! Thank you to all Pfsense Team.

  24. Jordan Says:


    Did you guys change developers for 2.x for IPSEC portion? It seems quite error prone compared to 1.2.3 in every sense. As a heavy user of IPSEC, it is very obvious there are issues with stability and performance on 2.x. This includes 2.1 RC latest snapshots.

  25. Chris Buechler Says:

    Jordan: there are no known IPsec issues in 2.x. Our code is much better in 2.x than 1.x. The underlying ipsec-tools version has changed, but it’s very widely used and we haven’t seen any regressions. We manage a lot of systems with heavy use of IPsec with 0 problems, and have hundreds of support customers in the same scenario. Things like DPD that didn’t work right in 1.x work fine in 2.x, it’s without question better. It’s possible something that was fixed broke a specific setup, like if it was relying on the fact DPD was broken to function and it now works. You should post info on your scenario to the forum or mailing list.

  26. edi Says:

    very very good product
    use it 2 years with 0 problems

  27. Chaminda Says:

    Thanks for the entire team. Great job has made great product !!!

  28. NIGZ Says:

    thnxs 🙂

  29. Evier Says:

    Rock Solid! thanks for all the hard work!
