Security Fixes and Errata
pfSense-SA-15_07.webgui: Multiple Stored XSS Vulnerabilities in the pfSense WebGUI
The complete list of affected pages and fields is listed in the linked SA.
FreeBSD-SA-15:13.tcp: Resource exhaustion due to sessions stuck in LAST_ACK state. Note this only applies to scenarios where ports listening on pfSense itself (not things passed through via NAT, routing or bridging) are opened to untrusted networks. This doesn’t apply to the default configuration.
Note: FreeBSD-SA-15:13.openssl does not apply to pfSense. pfSense did not include a vulnerable version of OpenSSL, and thus was not vulnerable.
Further fixes for file corruption in various cases during an unclean shut down (crash, power loss, etc.). #4523
Fixed pw in FreeBSD to address passwd/group corruption
Fixed config.xml writing to use fsync properly to avoid cases when it could end up empty. #4803
Removed the ‘sync’ option from filesystems for new full installs and full upgrades now that the real fix is in place.
Removed softupdates and journaling (AKA SU+J) from NanoBSD, they remain on full installs. #4822
The forcesync patch for #2401 is still considered harmful to the filesystem and has been kept out. As such, there may be some noticeable slowness with NanoBSD on certain slower disks, especially CF cards and to a lesser extent, SD cards. If this is a problem, the filesystem may be kept read-write on a permanent basis using the option on Diagnostics > NanoBSD. With the other above changes, risk is minimal. We advise replacing the affected CF/SD media by a new, faster card as soon as possible. #4822
Upgraded PHP to 5.5.27 to address CVE-2015-3152 #4832
Lowered SSH LoginGraceTime from 2 minutes to 30 seconds to mitigate the impact of MaxAuthTries bypass bug. Note Sshlockout will lock out offending IPs in all past, current and future versions. #4875
Πηγή : https://blog.pfsense.org