pfSense Update Cycle

Netgate, the vendor of pfSense, received reports about the three flaws on July 3, 2023, and released security updates that addressed them on November 6 (pfSense Plus 23.09) and November 16 (pfSense CE 2.7.1).

Does Netgate typically just wait for the next update cycle to patch privately disclosed bugs/vulnerabilities? I am guessing so. I imagine this also includes publicly disclosed bugs/vulnerabilities found in one of the many packages & libraries they rely on?

This slow update cadence has some drawbacks that are often brushed over.

Not a slow update: the CVE notice dates were 11/13/2023 & 11/14/2023, and they had patches available via their patch system plugin. It’s fully fixed in the latest version update.

Also worth noting that this requires both an exposed web interface and a valid user as prerequisites for the exploit.

They have a forum post on this as well.

@LTS_Tom that’s interesting; while I have the patch package installed, I never noticed there was an update. While I do inspect it from time to time, is there a way to set up some kind of notification for this?

But they were notified of this four months earlier, right? Seems like they are sitting on fixes to ship with the update cycle. Which only makes sense; they have a ton of libraries and packages that are being patched a lot faster than their update cycle.

I am just saying this is a drawback. Most likely a minor one if you hide away the GUI properly.

I’ve noticed with a couple firewalls that were on 23.05.1 that said no updates were available. I had to go to the update options, change the update train from 23.09.1 to 23.05.1 and then back to 23.09.1 before I could get the 23.09.1 update.

They were notified on July 3rd 2023 and had the patches done and available on July 5th 2023, per the security researchers’ web site: pfSense Security: Sensing Code Vulnerabilities with SonarCloud

I also did a video to cover this and explain what BleepingComputer got wrong.

Well, that is good to know. Good on Netgate. I didn’t think to challenge the dates they provide - of course, I am not challenging your dates either. Life is too short.

My cynicism for the news is reaching new lows.