2.0.3 Release Now Available!

April 15th, 2013 by Chris Buechler

I’m happy to announce the release of pfSense 2.0.3. This is a maintenance release with some bug and security fixes since the 2.0.2 release. You can upgrade from any previous release to 2.0.3.

Change List

Security Fixes

  • Updated to OpenSSL 0.9.8y to address FreeBSD-SA-13:03.
  • Fixed the XSS in the IPsec log (listed below under Logging), which was possible from users possessing the shared key or a valid certificate
  • The S.M.A.R.T. input validation fix listed below isn’t security relevant in the vast majority of use cases, but the issue it addresses could lead to privilege escalation for an administrative user with limited rights who can access the S.M.A.R.T. pages but cannot access any of the pages that allow command execution by design.
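
The kind of server-side check the S.M.A.R.T. item refers to, as an added example (not pfSense's own code): page parameters are matched against an allowlist before they can reach a command line, so access to the page alone does not grant arbitrary command execution. The function name, the device-name pattern, the list of test types and the smartctl path are assumptions made for this illustration.

```php
<?php
// Added illustration; names and the smartctl path are assumptions, not pfSense code.

// Returns the command string for a self-test, or null if either parameter
// falls outside what the page is meant to allow.
function build_smart_test_command($device, $test_type)
{
    // Self-test types this hypothetical page offers (all valid for smartctl -t).
    $allowed_tests = array('offline', 'short', 'long', 'conveyance');

    // Device must be a bare disk name such as ad0 or da1: lowercase letters
    // followed by digits and nothing else. The D modifier stops "$" from
    // matching before a trailing newline.
    if (!is_string($device) || !preg_match('/^[a-z]+[0-9]+$/D', $device)) {
        return null;
    }

    // Strict comparison: only the exact strings in the list pass.
    if (!in_array($test_type, $allowed_tests, true)) {
        return null;
    }

    // Quoting stays as a second layer even though both values are constrained.
    return '/usr/local/sbin/smartctl -t ' . escapeshellarg($test_type)
        . ' ' . escapeshellarg('/dev/' . $device);
}

// Constructed request parameters: two legitimate, four that must be refused.
$requests = array(
    array('ad0', 'short'),
    array('da1', 'long'),
    array('ad0;id', 'short'),
    array('../tmp/x', 'short'),
    array('ad0', 'short -d test'),
    array("ad0\n", 'short'),
);

// The command is only printed here, never executed.
foreach ($requests as $request) {
    list($device, $test_type) = $request;
    $command = build_smart_test_command($device, $test_type);
    echo json_encode($request), ' => ',
        ($command === null ? 'rejected' : $command), "\n";
}
```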

PPP

  • Fix obtaining DNS servers from PPP type WANs (PPP, PPPoE, PPTP, L2TP)

Captive Portal

  • Fix Captive Portal Redirect URL trimming
  • Voucher sync fixes
  • Captive portal pruning/locking fixes
  • Fix problem with fastcgi crashing which caused CP issues on 2.0.2

OpenVPN

  • Clear the route for an OpenVPN endpoint IP when restarting the VPN, to avoid a situation where a learned route from OSPF or elsewhere could prevent an instance from restarting properly
  • Always clear the OpenVPN route when using shared key, no matter how the tunnel network “CIDR” is set
  • Use the actual OpenVPN restart routine when starting/stopping from services rather than killing/restarting manually
  • Allow editing an imported CRL, and refresh OpenVPN CRLs when saving. [#2652]
  • Fix interface assignment descriptions when using > 10 OpenVPN instances

Logging

  • Put syslogd into secure mode so it refuses remote syslog messages
  • If syslog messages are in the log, and the hostname does not match the firewall, display the supplied hostname
  • Fix PPP log display to use the correct log handling method
  • Run IPsec logs through htmlspecialchars before display to avoid a potential persistent XSS from racoon log output (e.g. username)
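
The htmlspecialchars change above, as an added before/after example (not pfSense's own code): a log viewer that prints log text unchanged next to one that encodes it at output time. The function names and the two log lines are constructed for this illustration.

```php
<?php
// Added illustration; the function names are hypothetical, not pfSense code.

// Constructed sample lines in the style of racoon log output. The second
// line carries markup in a field the remote peer chooses (the username).
$sample_log = array(
    'Apr 12 10:22:01 racoon: INFO: login succeeded for user "alice"',
    'Apr 12 10:22:07 racoon: INFO: login succeeded for user "<script>alert(1)</script>"',
);

// Before: log text is concatenated into the page unchanged, so the browser
// of whoever opens the log view parses any markup it contains.
function render_log_row_raw($line)
{
    return '<tr><td>' . $line . "</td></tr>\n";
}

// After: every line goes through htmlspecialchars() at output time.
function render_log_row_escaped($line)
{
    // ENT_QUOTES encodes both quote styles. ENT_SUBSTITUTE (PHP 5.4+) replaces
    // invalid byte sequences instead of returning an empty string.
    $safe = htmlspecialchars($line, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<tr><td>' . $safe . "</td></tr>\n";
}

// True when the rendered row still contains a "<" that came from the log
// text, that is, anything other than the row wrapper itself.
function contains_injected_tag($html)
{
    $wrapper = array('<tr>', '<td>', '</td>', '</tr>');
    return strpos(str_replace($wrapper, '', $html), '<') !== false;
}

foreach ($sample_log as $line) {
    $raw = render_log_row_raw($line);
    $escaped = render_log_row_escaped($line);
    echo 'raw:     ', $raw;
    echo 'escaped: ', $escaped;
    echo 'markup survives: raw=', var_export(contains_injected_tag($raw), true),
        ' escaped=', var_export(contains_injected_tag($escaped), true), "\n\n";
}
```

Encoding is applied when the line is written into the page, not when it is logged, so the stored log keeps the original text for forensics.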

Traffic Shaper

  • Fix editing of traffic shaper default queues. [#1995]
  • Fix wording for VoIP address option in the shaper. Add rule going the other direction to catch connections initiated both ways

Dashboard & General GUI

  • Use some tweaks to PHP session management to prevent the GUI from blocking additional requests while others are active
  • Remove cmd_chain.inc and preload.php to fix some issues with lighttpd, fastcgi, and resource usage
  • Firmware settings manifest (Site list) now bolds and denotes entries that match the current architecture, to help avoid accidental cross-architecture upgrades
  • Add header to DHCP static mappings table
  • When performing a factory reset in the GUI, change output style to follow halt.php and reboot.php so the shutdown output appears in the correct location on the page
  • Better validation of parameters passed during S.M.A.R.T. operations for testing HDDs
  • Fixed SNMP interface binding glitch (Setting was active but not reflected when viewed in GUI)
  • Add a new class called addgatewaybox to make it easier to respect custom themes [#2900]

Console Menu Changes

  • Correct accidental interface assignment changes when changing settings on the console menu
  • Console menu option 11 now kills all active PHP processes, kills lighttpd, and then restarts the GUI. This is a more effective way to restart the GUI since if a PHP process is hung, restarting lighttpd alone will not recover from that
  • Fix port display after LAN IP reset

Misc Changes

  • Change how the listening address is passed to miniupnpd; the old method was resulting in errors for some users
  • Fix “out” packet count reporting
  • Be a little smarter about the default kernel in rare cases where we cannot determine what was in use
  • Pass -S to tcpdump to avoid an increase in memory consumption over time in certain cases
  • Minimise rewriting of /etc/gettytab (forum reference)
  • Make is_pid_running function return more consistent results by using isvalidpid
  • Fix ataidle error on systems that have no ATA HDD. [#2739]
  • Update Time Zone database zoneinfo to 2012.j to pick up on recent zone/DST/etc changes
  • Fix handling of LDAP certificates; the library no longer properly handles files with spaces in the CA certificate filename
  • Bring in the RCFILEPREFIX as constant fixes from HEAD, since otherwise rc.stop_packages was globbing in the wrong dir and executing the wrong scripts. Also seems to have fixed the “bad fd” error
  • NTP restart fixes
  • Gitsync now pulls in git package from pfSense package repository rather than FreeBSD
  • Fixed handling of RRD data in config.xml backups when exporting an encrypted config [#2836]
  • Moved apinger status to /var/run instead of /tmp
  • Fixes for FTP proxy on non-default gateway WANs
  • Fixes for OVA images
  • Use new pfSense repository location (http://github.com/pfsense/pfsense/)
  • Add patch to compensate apinger calculation for down gateways by time taken from other tasks like rrd/status file/etc

lighttpd changes

  • Improve tuning of lighttpd and php processes
  • Use separate paths for GUI and Captive Portal fastcgi sockets
  • Always make sure php has its own process manager to make lighttpd happy
  • Make mod_fastcgi last to have url.rewrite work properly
  • Enable mod_evasive if needed for Captive Portal
  • Simplify lighttpd config
  • Send all lighttpd logs to syslog

Binary changes

  • dnsmasq to 2.65
  • rsync to 3.0.9
  • links 2.7
  • rrdtool to 1.2.30
  • PHP to 5.2.17_13
  • OpenVPN 2.2 stock again (Removed IPv6 patches since those are only needed on 2.1 now)
  • Fix missing “beep” binary on amd64
  • Fix potential issue with IPsec routing of client traffic
  • Remove lighttpd spawnfcgi dependency
  • Add splash device to wrap_vga kernels (It’s in GENERIC so full installs already have it). [#2723]

filterdns

  • Correct an issue with unallocated structure
  • Avoid issues with pidfiles being overwritten, lock the file during modifications
  • Make filterdns restartable and properly cleanup its tables upon exit or during a reconfiguration

dhcpleases

  • Correct use after free and also support hostnames with other DNS suffix
  • Reinit on any error rather than just forgetting. Also the difftime checks are done after having complete view, no need to do them every time
  • Typo fixes
  • Log that a HUP signal is being sent to the pid file submitted by argument
  • Prevent bad parsing of empty hostnames in lease file. Add an f option to run dhcplease in foreground. The only option needed while in foreground is h parameter and the only usable one as well

Upgrade Information

As always, upgrade information can be found in the Upgrade Guide.

Download

Downloads for new installs can be found on the mirrors here.

Upgrades can be found here.

Note that some of the mirrors are still syncing; it will be several hours before they’re all up to date.

79 Responses to “2.0.3 Release Now Available!”

  1. srk3461 Says:

    Thanks, for your hard work cmb & crew!
    Thanks guys!

  2. Bayu Krisnawan Says:

    Aha… Finally..
    After downgrade back to 2.0.1,
    I think this release will fix various CP problems.

    Thanks Pfsense

  3. Dennis Says:

    Sooo.. where is IPv6?

  4. JayD Says:

    Awesome, well done! :)

  5. DeSastro Says:

    Incredible.
    Thanks.. very much for the team,
    who have bothered to tune pfsense.

    Desastro – Indonesia

  6. Nimamhd Says:

    This is awesome. thanx

  7. NETGUIDES Says:

    Hope they fixed the problem with traffic graphs on the dashboard not saving.

  8. pfSense Firewall Version 2.0.3 als Update erhältlich - Seraphyn Blog Says:

    [...] The complete changelog can be found in the pfSense Digest article 2.0.3 Release Now Available! [...]

  9. Thomas Moser Says:

    Built On: Fri Dec 7 16:30:51 EST 2012

    Errrr. Whahhhh?

  10. stephenw10 Says:

    Only once you’ve read through the change log do you really start to appreciate the amount of work going on behind the scenes. Keep it up!

  11. Caapsoft Says:

    Nice one!
    Congrats to all pfsense team!

  12. Daniel Moraes Says:

    Thank you Guys, for your energy invested in this awesome project!!!

  13. pfSense 2.0.3 | Gustavo Pimentel's GNU/Linux Blog Says:

    [...] The development team has announced the release of version 2.0.3, which is a maintenance release that incorporates some patc…. [...]

  14. adhi Says:

    thanksssssssssssss !!!

  15. BSD Release: pfSense 2.0.3 - JTN Gadget-Tech Says:

    [...] or elsewhere could prevent an instance from restarting properly….” See the detailed release announcement for a complete list of security and bug [...]

  16. pfSense 2.0.3 dostępny « Network & Security Blog Says:

    [...] The full post with the list of changes is here. [...]

  17. Chris Buechler Says:

    Thomas: that’s the built-on date of 2.0.2, 2.0.3’s built on date is Friday April 12, 2013.

  18. Chris Buechler Says:

    Dennis: in 2.1, which is coming to RC1 soon.

  19. Stone T. Overholt Says:

    I appreciate the work you guys do!

    Thanks much for the update and fixes!

  20. ArcticLab.org Says:

    Out of our test networks that run pfSense, systems have been upgraded from 2.0.2 to 2.0.3. We will soon update production segments. The upgrade went smoothly on our Soekris 5501s and our custom build servers with Dual Xeon Quads with Intel Server NICs. All our pfSense based systems use the NanoBSD “embedded” images and boot from CF.

    Thanks to all for everyone’s contributions.

    Note: Our other similar systems run OpenBSD and we use flashrd & NSH ( from http://www.nmedia.net/flashrd & http://www.nmedia.net/nsh ) for similar embedded systems on Soekris and other Servers for other large installs.

  21. Robin Says:

    Thank you for this upgrade!!
    This is the best router PC factor that i ever had!!!

    Keep up the good WORK!!!

    Thanks again to all pfsense team!

  22. Andreas Says:

    Thanks a lot, pfSense really rocks!

  23. Hollander Says:

    I am extremely grateful for all you are doing for us, thank you very, very, very, much(!) I will donate some money for you to have a nice beer on my behalf :-)

  24. netsysadmin Says:

    Are all the updates and bug fixes also in the latest snapshots of version 2.1?

  25. Chris Buechler Says:

    All the same fixes went into 2.1 the same time they went in the 2_0 branch, if you’re running a recent 2.1 snapshot you already have all the fixes listed here.

  26. Chris Buechler Says:

    The traffic graph saving issue isn’t one we’re going to fix in 2.0.x, it was an involved, potentially risky fix that’s only in 2.1.

  27. J Gavin Says:

    Just slightly off topic, have the Hyper-V virtual network interface drivers been integrated into any of the currently available builds?

  28. McDuck Mallard Says:

    Thank you guys, for your hard work !

  29. Xavier Says:

    Thank you for this good job

  30. traxxus Says:

    Thank you guys for the excellent work!

  31. Simon Says:

    Just a minor issue:

    The “pfSense-2.0.3-RELEASE-i386-20130412-1022.ova” does NOT have a corresponding MD5 file, whereas all the others do…

  32. Vince Says:

    Staying put at the most stable release of 1.2.3 until next 2.1x stable is available; IPV6.

  33. Frank Schneider Says:

    Thanks a lot, pfSense is the best!

  34. pfSense 2.0.3 available | FreeBSD News Says:

    [...] Check the announcement for a long list with improvements and updates: pfSense 2.0.3 Release Now Available! [...]

  35. ubu_fan Says:

    Thnx for this security/bugfix update release..
    Appreciate the effort you guys put into this Project
    Keep up the good work!

  36. Links 16/4/2013: Xen in Linux Foundation, Fuduntu Overhaul | Techrights Says:

    [...] [pfSense] 2.0.3 Release Now Available! [...]

  37. Waqar Nadeem Says:

    Pfsense simply the best.

  38. Noah Darby Says:

    Great work guys!! Just very surprised amount of fixes that are present in this release. Made my night :)

  39. Webtyro Says:

    Been busy. Did not see this one coming. Pleasant surprise at the GUI. Your labors are appreciated. You’re welcome at our campfire anytime. hmm. that’s when the snow finally disappears here. :(

  40. Andrea Says:

    Very good job! thanks!

  41. Alden Says:

    Glad to see another release, hope it will solve my problems with CP.
    Just a consideration regarding distribution: I suppose the various 1g/2g/4g nano images only differ for a bunch of bytes in the disk image.
    This makes me think: why not distribute (in addition to existing) some diff files and a “base 1/g” image? Depending on the connection/cf 150mb X 4 sizes will make a difference!
    Bye

  42. lareosing Says:

    thanks for hard work pfsense team..
    awesome good job

  43. Pierre Wieder Says:

    Great work!

  44. Chris Buechler Says:

    Vince: why? Every release post-1.2.3 has less bugs than 1.2.3, especially the 2.0.1/2.0.2/2.0.3 releases. The only time that’s not true is the very rare cases where you have hardware that works well with FreeBSD 7.x and doesn’t with 8.x for some reason. Unless it’s a box you never touch or change anything on at all, you’re *far* more likely to have problems running 1.2.3 than 2.0.3 at this point.

  45. Chris Buechler Says:

    Alden: that’s just because of the way nanobsd works, there has to be a diff image just for the extra empty bytes. May be something we can change at some point in the future, but definitely not a priority.

  46. John Pelletreau Says:

    Excellent work, just upgraded my production site supporting 40+ VLans for an office environment. Changed over without a hitch. Thanks much guys.

  47. MC Says:

    I have worked in the industry for a while now. Have been using pretty much any major firewall out there. PF is one of the best, hands down.
    Keep up the good work.
    MC

  48. Paul Borowicz Says:

    Thanks for the hard work. The 2.0.x family is way better than the old 1.2.3 version. I am running it on everything from a tiny alix box, to old computers, to VM instances. It rocks!

  49. Tom Allen Says:

    Keep up the good work. Love the product!

  50. Jannik Ebbe Brich Says:

    Been dealing with several types of firewall in my career, and one flaw I often find is that complexity tends to be the “key” factor.

    If a firewall is complex – and expensive – It must be good.

    That assumption is very far from the truth imo, and it actually introduces a higher risk for misconfigurations through human error.

    Pfsense is the ideal solution for SOHO and SMB size companies. Easy to implement, and since it’s opensource – there is no “secret setting” in order to get it up and running.

    On top of this obvious and fundamental feature – the firewall is packed with cool features. There is one very cool feature which I have used many times in private homes and that is the ability to limit “teens” access to gaming and streaming services. This is easily done via scheduled blocks on certain ports (close WOW after 22:00h) and/or limit bandwidth – (Kids can still do homework at 512k – but Netflix is rather uncool at that speed).

    All that is free of charge – and fairly easy to configure.

    So – please keep up the good work of giving the world an alternative to vendor dictated security appliances.

    I have nothing but praises for Pfsense.

    Jannik Ebbe Brich
    GSNA, GCWN

  51. QuebecOS » pfSense 2.0.3 Says:

    [...] to DNS servers from PPP-type WANs (PPP, PPPoE, PPTP, L2TP);….” See the detailed release announcement for a complete list of security updates and bug fixes. [...]

  52. Darryl Mackay Says:

    Thanks for the hard work. Have been using since v2.0 to protect the forum I am running locally. Rock solid and stable (excluding my mistakes I made in the setup and upgrade processes). I have modified dyndns.class, services_dyndns.php and services_dyndns_edit.php files, for inclusion in a newer release that has ActiveDNS (www.activedns.co.za) as a DynDNS provider included for South African users who wish to use pfSense.

    Keep up the good work.

    Darryl

  53. Jansson Says:

    Thanks! Keep up the excellent work!

  54. Jelmer de Reus Says:

    Nice to see a firm bugfix release. Thanks and keep up the good work!

    Jelmer

  55. Gordon Says:

    I also would like to say thanks for all the work. One thing that I did not see in the fixes was one for the problem with restoring from backup. Has that been fixed in this release?

    Thanks Gord

  56. Marco Says:

    Help: I started automatic firmware upgrade from 2.0.3 prerelease to 2.0.3. But the update process has been running for hours……. What can I do?
    Thank you in advance: any help will be appreciated.

  57. Chris Buechler Says:

    Gord: the only restore issue I’m aware of is the “Fixed handling of RRD data in config.xml backups when exporting an encrypted config”, which is fixed in this release. There haven’t been any other restore problems in many years that I can recall.

  58. Jan Says:

    Thanks! Love it.

  59. notyet Says:

    thanks !

  60. Goliator Says:

    Thanks team PfSense !!!!

    Eight machines updates, zero problems !!!!

  61. rashedix Says:

    Thanks for the hard work.

  62. Lynn Says:

    Excellent product – great work…

  63. Klaws Says:

    Thank you (again) for the (again) excellent work!

    One question: what happens to System Patches (added via the System Patches package) when doing a firmware upgrade? I see the PPP patch still in the list of active patches. The documentation of the System Patches package is no help…

  64. Robert Says:

    As said before, we do appreciate a real bug-fix release. Working on the next major revision is nice, but you have to have something solid for production work.

  65. Fabrizio Says:

    Excellent product, I used it for CP – Thanks for all the work

  66. Raspail Says:

    Thanks from Belgium.

  67. Stig Henning Says:

    Great work! I use pfsense with ALIX board. Works great and have not had any downtime other than when power (lights) goes off or I reboot it :-)

  68. TLDUGUE Says:

    I will give it a try. Thank you very much for your great effort, your time and all

  69. Yonas Yanfa Says:

    Great job guys! pfSense is #1.

  70. DigitalJer Says:

    Been looking forward to the new release – many thanks!

    -proud supporter

  71. Andrew Rimmer Says:

    Many thanks, another upgrade to the most flexible and adaptable firewall platform I have used. Ease and stability of upgrades (and migrations to different platforms) put the so called professional grade distros to shame.

  72. Dwight Raymond Baylon Says:

    It seems all issues and bugs have been corrected. Thank you so much development team! Two Thumbs up!

  73. Fgarcia Says:

    Well done! Thank you to all Pfsense Team.

  74. Jordan Says:

    Chris,

    Did you guys change developers for 2.x for IPSEC portion? It seems quite error prone compared to 1.2.3 in every sense. As a heavy user of IPSEC, it is very obvious there are issues with stability and performance on 2.x. This includes 2.1 RC latest snapshots.

  75. Chris Buechler Says:

    Jordan: there are no known IPsec issues in 2.x. Our code is much better in 2.x than 1.x. The underlying ipsec-tools version has changed, but it’s very widely used and we haven’t seen any regressions. We manage a lot of systems with heavy use of IPsec with 0 problems, and have hundreds of support customers in the same scenario. Things like DPD that didn’t work right in 1.x work fine in 2.x, it’s without question better. It’s possible something that was fixed broke a specific setup, like if it was relying on the fact DPD was broken to function and it now works. You should post info on your scenario to the forum or mailing list.

  76. edi Says:

    thanks
    very very good product
    use it 2 years with 0 problems

  77. Chaminda Says:

    Thanks for the entire team. Great job has made great product !!!

  78. NIGZ Says:

    thnxs :)

  79. Evier Says:

    Rock Solid! thanks for all the hard work!
