pfSense Plus RELEASE 26.03.1

This is a software maintenance release focused on security fixes, stability improvements, and targeted usability enhancements for pfSense Plus 26.03:

• Security and WebGUI hardening: Addresses multiple potential XSS vulnerabilities across the WebGUI, including diag_arp.php when using ISC DHCP, RSS Widget feed content post titles, and the Captive Portal widget. These fixes strengthen administrative interface security and reduce exposure to stored or reflected script injection risks.
• FreeBSD and base system security updates: Includes several security and errata fixes merged from FreeBSD, including DHCP client vulnerability fixes, along with updated base system packages to address upstream security issues.
• Authentication and user management fixes: Corrects LDAP shell authentication so configured group DN restrictions are properly enforced, and fixes an issue where creating a new user could ignore the certificate checkbox value when certificate fields were populated.
• Captive Portal reliability improvements: Restores logging of Captive Portal authentication messages and includes security fixes for the Captive Portal dashboard widget, improving both visibility and safety for environments using portal-based access control.
• Firewall, NAT, and alias enhancements: Improves alias list visibility by increasing the amount of system alias content displayed. Adds MAP-E port set (PSID) support to manual outbound NAT rules and fixes duplication behavior for floating rules using the “This Firewall (self)” source option.
• VPN stability and usability fixes: Fixes an IPsec daemon crash that could occur if a peer initiated two rekeys for the same child SA. OpenVPN behavior is also improved by restoring missing OpenVPN networks in the automatically generated vpn_networks table and preventing all OpenVPN instances from restarting when applying changes to a single assigned interface.
• System stability improvements: Resolves a kernel panic caused by a race condition on a bpf device, improving overall platform reliability under affected network capture or filtering conditions.
• Dynamic DNS, PHP, console, and Wake on LAN fixes: Adds improved RFC2136 Dynamic DNS error logging, fixes PHP errors caused by NULL bytes in IP addresses, prevents repeated Ctrl-C actions from entering the password change flow in the console menu, and improves consistency when sending Wake on LAN packets.

 

These updates reinforce pfSense Plus 26.03.1 as a security-focused maintenance release, improving platform stability, VPN reliability, firewall rule handling, and administrative interface protection.