UTM Up2Date 9.503 Released

Hi Everyone,

Today we've released UTM 9.503. The release will be rolled out in phases. In phase 1 you can download the update package from our FTP server, in phase 2 we will spread it via our Up2Date servers.

Update 2017-08-25: Unfortunately the update package has an issue with a missing config file for Samba and we needed to pull the update package down from the FTP server. We are working on a replacement urgently.

Update 2017-08-31: New update files with the fix for the missing Samba config (NUTM-8702) are available on our FTP server. There are two update files available now:

Update 2017-09-07: Update is available for all via Up2Date servers.


Up2Date Information


  • Maintenance Release
  • Configuration will be upgraded
  • Connected REDs will perform firmware upgrade
  • Connected Wifi APs will perform firmware upgrade


  • System will be rebooted


  • NUTM-7891 [AWS] awslogsd.log is beeing flooded with logmessages
  • NUTM-3196 [Access & Identity] Overlapping backend user prefetches may not be executed
  • NUTM-7943 [Basesystem] Ntpd permanently restarting on slave node
  • NUTM-8130 [Basesystem] Linux vulnerability ‘The Stack Clash’
  • NUTM-8442 [Basesystem] Network Monitor heavily logs “Writing static route to” in fallback log
  • NUTM-8431 [Configuration Management] Privilege escalation via insecure directory permissions
  • NUTM-8167 [Configuration Management] Stored XSS in UTM
  • NUTM-8229 [Configuration Management] Expiring certificate check still send notifications even after CA is regenerated
  • NUTM-8300 [Configuration Management] Expiring certificate check error fails for incomplete date in certificate
  • NUTM-8160 [Email] \N in Password of bind request causes account log out
  • NUTM-8173 [Email] UTM fails to apply DKIM signature to outbound mail with reason RC -102
  • NUTM-8339 [Email] Avira scanner in single or dual scan still results in SMTP proxy AV scanner unreachable errors on 9.414/9.501
  • NUTM-8364 [Email] S/MIME encryption - automatic certificate extraction causing high load
  • NUTM-8464 [Email] worker_do_get_file req content parsing error or missing parameters when mime header “From” in blank  
  • NUTM-8455 [Hardware] Fix hardware detection for SG230nc
  • NUTM-6981 [Network] No multicast packets visible on bridge with 10 Gbit interfaces
  • NUTM-7187 [Network] Prefix Delegation does not work correctly during a PPPoE reconnect
  • NUTM-7502 [Network] Wireless client hostname not displayed/updated
  • NUTM-7749 [Network] Filter list with hosts didn’t work in BGP and should not be possible to configure
  • NUTM-7754 [Network] WAF permanently restarts on slave node
  • NUTM-8556 [Network] SNMP - Error allocating more space for arpcache
  • NUTM-8017 [REST API] REST API not returning expected objects from API Explorer
  • NUTM-8137 [WAF] URL hardening prevents login to succeed as side effect of “Redirect to requested URL” feature
  • NUTM-8174 [WAF] Increase LimitRequestLine
  • NUTM-8169 [WebAdmin] Certain WebAdmin search fields not usable after upgrade to 9.414/9.5
  • NUTM-5797 [Web] Winbindd: Exceeding 16000 client connections
  • NUTM-7070 [Web] In Advanced Protection statistics, email count number for “Awaiting result” displayed in web field
  • NUTM-8102 [Web] Standard SSO AD issue after updating to 9.5 - IE/Chrome failing/slow to load sites
  • NUTM-8191 [Web] SSL exception matched for a specific website but didn’t work
  • NUTM-8352 [Web] Add patch for CVE-2017-11103 “Orpheus’ Lyre”
  • NUTM-8353 [Web] HTTP proxy AD-SSO authentication failing on 9.502 with more than 5,000 users or groups in AD
  • NUTM-8387 [Web] UTM registering all of it’s IPs in DNS when joining a domain
  • NUTM-8702 [Web] After 9.503-3 Update: net: error while loading shared libraries
  • NUTM-8105 [Wireless] Wireless network connected issue with Bridge to AP LAN
  • Can't rejoin to domain, after this update.

  • Seems that the IPv6 ICMP issue is back...

    This is where the " Allow ICMP through Gateway from external networks" is unticked, destination machines are still visible by ICMP.

    I have the results from "ip6tables -vnL AUTO_FORWARD" and " cc get icmp" and will drop them directly to you now.


  • The libraries for Kerberos and Samba are missing in the shared libraries. Sophos seems to have missed something there. After manually copying those libraries from /opt/samba/usr/lib/samba and /opt/samba/usr/lib/samba/private to /usr/lib works quite well, but this should not be the solving of this issue. As it won't sync throughout a HA Cluster.

    Please make a Revision of this update.

  • Hey .

    We had the same issue with the update like you. According to the sophos support the better workaround is to create a file with the needed library paths in /etc/ld.so.conf.d/

    Workaround command:

    echo -e "/opt/samba/usr/lib/samba\n/opt/samba/usr/lib/samba/private" > /etc/ld.so.conf.d/samba.conf && ldconfig -f /etc/ld.so.conf -C /etc/ld.so.cache

  • Is there a small possibility that theupdates run through a complete quality check before throwing them "on the market"?

    All of the last 3 or 4 updates since 9.413 were broken in some functionality...

  • Aaaaaaand it's gone, pulled ......

  • Talex was it buggy since it's been removed?

  • When can we expect a fixed release of the update package?

  • Hello,

    has anyone these pulled Update downloaded and can send me this via Mail or FTP?

    We need a quick solution for our Sophos.


  • Hi, there are new updates available. Please see the updated post above.

  • Has anyone already tested the new Updates?

  • Hi,

    we are currently on 9.413-4. Will this update force us to rejoin the device into the active directory again as mentioned in the KB article community.sophos.com/.../126819 ?

    All these buggy updates lateley are not much encouraging to just go and do it "quickly"...

  • @MarcelLiechti

    We installed the update 2 days ago and it is working well so far. We had several issues with locked active directory users when there applications were using our proxy and this is history now. I think NUTM-8353 was the issue for that. Authentication was failing and locking the users in active directory.

  • Still haven't fixed the long boot times with entry level UTMs. Case ID: [#7432293] - Please fix!

  • After patching, the clients in LAN aren't able to ping our ISPs Default Gateway.

    Running a traceroute shows it listed.

    ICMP settings are enabled. External I can ping the GW, also with support tools in the UTM I can ping directly from the UTMs External interface to the GW.

    But with selecting a client on internal interface it's not possible.

    Before patching we had 9.501 no issuses there, same config.

    Any ideas?

    Btw we use the ping to default gateway with our monitoring software ....