Netgate, the vendor of pfSense, received reports about the three flaws on July 3, 2023, and released security updates that addressed them on November 6 (pfSense Plus 23.09) and November 16 (pfSense CE 2.7.1).
Does Netgate typically just wait for the next update cycle to patch privately disclosed bugs/vulnerabilities? I am guessing so. I imagine this also includes publicly disclosed bugs/vulnerabilities found in one of the many packages & libraries they rely on?
This slow update cadence has some drawbacks that are often brushed over.
Not a slow update: the CVE notice dates were 11/13/2023 and 11/14/2023, and they had patches available via their patch system plugin. It's fully fixed in the latest version update.
Also worth noting that this requires both an exposed web interface and valid user as pre-requisites for the exploit.
@LTS_Tom that's interesting. While I have the patch package installed, I never noticed there was an update. While I do inspect it from time to time, is there a way to set up some kind of notification for this?
But they were notified of this four months earlier, right? Seems like they are sitting on fixes to ship with the update cycle. Which only makes sense; they have a ton of libraries and packages that are being patched a lot faster than their update cycle.
I am just saying this is a drawback. Most likely a minor one if you hide away the GUI properly.
I’ve noticed with a couple firewalls that were on 23.05.1 that said no updates were available. I had to go to the update options, change the update train from 23.09.1 to 23.05.1 and then back to 23.09.1 before I could get the 23.09.1 update.
Well, that is good to know. Good on Netgate. I didn't think to challenge the dates they provide - of course, I am not challenging your dates either. Life is too short.