pfSense updates

I’ve noticed that pfSense hasn’t come with any updates to its stable release since May of last year. The 2.4.5 release is 99% done, so we will probably see that soon, but I’m wondering if the less frequent releases should be a security concern?

There are a few CVEs for the current release; they mostly appear to apply to already authenticated users and privilege escalation, so perhaps not an immediate problem for most, but something worth addressing nevertheless. What are your thoughts?

https://docs.netgate.com/pfsense/en/latest/releases/versions-of-pfsense-and-freebsd.html

https://redmine.pfsense.org/projects/pfsense/roadmap

3 Likes

Pretty common with router appliances in general. For the most part, they have one admin user, so privilege escalation isn’t that relevant or is less of a concern than the stability that comes with infrequent updates.

2 Likes

Sadly.

Even the services they run usually run as root.

Then again, the issues are very noobish (same is true for other routers). I wouldn’t be surprised if someone could craft a network packet with some JavaScript payload, or a VPN config, or a DNS name that would allow someone to take over the pfSense box the first time an admin looks at the web UI.

I’d expect a more frequent release cycle for pfSense.

1 Like

FWIW, OPNsense has much more frequent updates.

1 Like

The one or two times a year that I need to take a look at my router, I might do an update if I feel like it, but overall I only want updates if there is a real security issue. I really don’t care about features in my router.

“Keep shit out and don’t bother me.” :stuck_out_tongue:

I’m on IPFire, btw.

2 Likes