PLEASE READ Advisory: Kernel memory issue affecting multiple OS (aka F**CKWIT, KAISER, KPTI, Meltdown & Spectre) for the latest updates.
Today we've released UTM 9.506. The release will be rolled out in phases. In phase 1 you can download the update package from our FTP server, in phase 2 we will spread it via our Up2Date servers.
NUTM-8651 [AWS] AWS Permission for "Import Via Amazon Credentials"
NUTM-7678 [Access & Identity] Pluto dies with coredump at L2TP connections
NUTM-8211 [Access & Identity] SSL VPN connection issue with prefetched AD groups
NUTM-8756 [Access & Identity] AUA debug log contains plain text passwords
NUTM-8889 [Access & Identity] ESPdump with algorithm GCM does not work
NUTM-8912 [Access & Identity] HTML5 VPN: keyboard input not working on Android devices
NUTM-7670 [Basesystem] Update to BIND 9.10.6
NUTM-8427 [Basesystem] postgres[xxxxx]: [x-x] FATAL: could not create shared memory segment: No space left on device
NUTM-8769 [Basesystem] Small models of SG105 / SG115 / SG125 / SG135 take over 5 minutes to accept network connection
NUTM-9063 [Configuration Management] Regenerating the Web Proxy CA breaks all SSL VPN clients
NUTM-8313 [Email] POP3 Proxy generate core dumps in versions v9.414 and v9.501
NUTM-8509 [Email] Remove 3DES and SHA1 from SMIME
NUTM-8645 [Email] MIME Type Detection 9.5
NUTM-9061 [Email] User cannot open the SMTP Routing tab
NUTM-8419 [Logging] "Search Log Files" has different search result in spite of same time frame
NUTM-8783 [Logging] SMBv1 still required for remote logging to a smb share
NUTM-8341 [Network] Network monitor core dump
NUTM-8685 [Network] Some clients display an "Unknown" vendor on the wireless client list
NUTM-8738 [Network] Error messages in fallback log about damaged static routes
NUTM-8838 [Network] Watchdog consumes constantly 100% CPU
NUTM-7396 [RED] UTM RED kernel log shows "seq invalid" messages
NUTM-6968 [REST API] Insert REFs of new objects into single REF node
NUTM-7981 [Reporting] WAF-reporter logs irrelevant information
NUTM-8359 [Reporting] SMTP log on Mail Manager is empty after upgrading postgres to 64bit
NUTM-7802 [Sandboxd] If using a ' character in the email address, postgres is not able to insert this to the TransactionLog (Sandbox)
NUTM-8715 [UI Framework] Unable to access "Manage Computers" page
NUTM-8061 [WAF] WAF still reporting virus found when AV engine on the UTM is updating
NUTM-8751 [WAF] Newly created web server listens on the slave node instead of the master node
NUTM-8806 [WAF] Issue with TLS settings for virtual webserver
NUTM-8861 [WAF] Leftover of shm files cause a WAF restart loop
NUTM-5964 [WebAdmin] Support Access: WebAdmin not properly displayed after login via APU
NUTM-8512 [WebAdmin] Can't use string ("0") as a HASH ref while "strict refs" in use at /wfe/asg/modules/asg_ca.pmline 1105
NUTM-8571 [WebAdmin] User with only "Report Auditor" rights receives strict refs error after login into WebAdmin
NUTM-8807 [WebAdmin] External link to Sophos UTM Knowledge Base is not correct
NUTM-8871 [WebAdmin] Year of Single Time Events cannot be later than 2019
NUTM-7994 [Web] Customized templates do not allow to accept quota and access site
NUTM-8037 [Web] HA: Low disk space alert from slave
NUTM-8107 [Web] CONFD.PLX is taking high CPU load
NUTM-8502 [Web] HTTP Proxy coredumps with CentralFreeList in v9.413
NUTM-8687 [Web] Segfault and coredump from HTTP proxy
NUTM-8691 [Web] Certificate error on accessing sites with https scanning enabled
NUTM-8752 [Web] NTLM Issue with AD SSO in Transparent Mode
NUTM-8771 [Web] Wrong country showing up in Web proxy requests
NUTM-8826 [Web] Teamviewer via Standard Mode with AD-SSO not possible since v9.502
NUTM-8834 [Web] iOS11 user agent string is not detected as iOS
NUTM-8849 [Web] Can't download Traveler_90119_Win.zip with HTTP proxy in Transparent Mode
NUTM-3129 [Wireless] SG125w failed to create interface wifi0: -23 (Too many open files in system)
NUTM-4720 [Wireless] Issues with 2.4 GHz channel 12 and 13 / inconsistent channel availibility / AWE_DEVICE_CHANNEL_INVALID
NUTM-8288 [Wireless] Roaming issues with iPhone7 and RADIUS authentication
NUTM-8391 [Wireless] AP55C/AP100X disconnecting from UTM repeatedly
and again no waf support for exchange 2016 with more than one real server -.-
is this the Up2Date to end all those AD SSO problems?
So far so good, everything updated on our Test UTM. I have noticed the web interfaces is snappy/faster than before. Also it appears the internet browsing through the web proxy appears faster (but this could be due to the fact after a fresh reboot). However, there is definitely speed improved for the web interface. Loading menu items is almost instant.
I can confirm that the slow boot up bug for the lower end SG models is now fixed. My test 105w booted up in 2 minutes 30 seconds, whereas before it would take 6 minutes.
Where can I download this update? On the FTP it cannot be found (Status: 27-11-2017 - 12:25 CET)
have a look at this location: ftp.astaro.com/.../u2d-sys-9.505004-506002.tgz.gpg
Also no IPv6 fixes.
I am not sure if this is a bug (it could be the update reacting to a misconfiguration) but it just occurred right after the above update, so I thought I'd better note it, just in case it is a genuine problem and someone wishes to investigate it:
I've been using Sophos UTM with a Draytek V120 [PPPoE to PPPoA] modem to connect to ADSL. After the 9.506 update (just yesterday) I discovered that a DNAT rule wasn't working, and after quite some time investigating things, I noted that when looking at the interfaces, the WAN one was showing a different public IP address to the IP that had been assigned by my ISP. I tried a few enable/disable of the WAN interface (and reboots of the UTM) and it the IP shown in the WAN interface seemed to toggle between two different ones (neither were the one issued by the ISP, so perhaps previous ones, cached somewhere by Sophos UTM).
I tried numerous things including setting up the WAN interface again (changing to Ethernet, then back to PPPoE and re-entering the ISP credentials), reverting to previous configurations, reverting to previous configurations and rebooting, but nothing fixed it (the shown address was different to the one issued) so to get around the problem, I have just swapped the V120 modem for an old router (with Sophos UTM in its DMZ) and changed the WAN interface back to a plain old Ethernet interface, so with the WAN now having a fixed address [internal range, but not from the ranges that I use LAN side] that has sorted the DNAT rule.
Hope that is of some use or interest, but I will just leave it double-NATted for now and re-test after the next firmware update.
Just before reverting to a double-NAT arrangement, I SSH'd into the unit and running ifconfig showed that no IP address against the WAN interface (whereas I am sure it used to show the ISP issued one).
The DNAT rule is to permit public access to a R Pi running DarkIce and IceCast to stream audio from a microwave radio beacon receiver.
NB Further to the above notes, I should add that:
-The ISP assigned IP address changes at every re-connection (I do not have a static public IP address).
-I am a home user running Sophos UTM on a J1900 based fanless PC (Alibaba sourced 'industrial router')
-It worked after the initial post-update reboot (and the stream was publicly accessible) but I had to again reboot (due to mains power re-arrangement requirement) and that's when the above issues started to occur.
I wonder if this could be vaguely related to KIL issue NUTML-11909 (Cable Modem: every renew of the ip address adds a new ip address to the dhcp interface) but I didn't see any evidence of multiple WAN addresses (or anything in the additional addresses list)?
is the AD SSO Issue sorted? Its like Russian roulette every time you do an update!
Thanks for the time events after 2019
Does this mean you took away the ability to select the TLS level?
SSO problem was solved in my case by adding "local" to the domain name in the SSO activation window. I've done that when updating from 9.501 to 9.505. Up2date from 9.505 to 9.506 no more problems with SSO.