pfSense is a project we work with quite a bit, and we just got word that pfSense 2.2.6 was released. This new version has several security and bug fixes. If you are already on a 2.2.x release (e.g. 2.2.5), the pfSense team considers it a low-risk upgrade. We already have some firewalls running pfSense 2.2.6, including the SG-4860 and 1U version.
From your dashboard you should see updates available. From there, you can use the auto-upgrade mechanism to install. After confirmation, this will download the necessary files and update the system.
The firewall has to reboot after the update, which is a consideration for many users: upgrades need to be planned, especially in a single-firewall setup. While the firewall reboots, network services that pfSense is supplying will go down.
After the reboot, the dashboard should be updated with the new 2.2.6-RELEASE version. One can see this on a test machine we have.
Security Fixes and Errata
- pfSense-SA-15_09.webgui: Local File Inclusion Vulnerability in the pfSense WebGUI
- pfSense-SA-15_10.captiveportal: SQL Injection Vulnerability in the pfSense captive portal logout
- pfSense-SA-15_11.webgui: Multiple XSS and CSRF Vulnerabilities in the pfSense WebGUI
- Updated to FreeBSD 10.1-RELEASE-p25
  - FreeBSD-SA-15:26.openssl: Multiple vulnerabilities in OpenSSL
- Updated strongSwan to 5.3.5_2
  - Includes fix for CVE-2015-8023 authentication bypass vulnerability in the eap-mschapv2 plugin.
That is certainly quite a few fixes for a minor revision. We are getting excited for the next version of pfSense, version 2.3, which should have an updated UI among other improvements.