Sophos UTM update 9.411-3 released

complete Changelog:

Up2Date 9.411003 package description:

Remarks:
System will be rebooted
Configuration will be upgraded
Connected REDs will perform firmware upgrade
Connected Wifi APs will perform firmware upgrade

News:
Maintenance Release

Bugfixes:
Fix [NUTM-534]: [AWS] Template update notification
Fix [NUTM-6178]: [AWS] pg_xlog directory filling up on AWS deployments
Fix [NUTM-6186]: [AWS] Make all UTM logs available in AWS CloudWatch
Fix [NUTM-6224]: [AWS] awslogs daemon init script: restart broken
Fix [NUTM-6296]: [AWS] REST API doesn't work in cluster mode
Fix [NUTM-6402]: [AWS] [RESTD] Session is not closed after token is deleted
Fix [NUTM-6804]: [AWS] Update breaks HVM standalone installations
Fix [NUTM-5846]: [Access & Identity] IPsec Remote Access use the IP address instead of the username in the log
Fix [NUTM-6174]: [Access & Identity] [RED] mobile_network config part not pushed to prov
Fix [NUTM-6218]: [Access & Identity] HTML5 VPN: Comma not working on Portuguese (Brazil) keyboard
Fix [NUTM-6374]: [Access & Identity] REDs with static WAN config are offline after update to v9.409
Fix [NUTM-6375]: [Access & Identity] Cisco VPN with iOS doesn't work after update to 9.409
Fix [NUTM-6647]: [Access & Identity] [IPsec] Pluto dies in UTM 9.4 MR-7 (9.4xx) HA with Remote Access PSK w/o Xauth
Fix [NUTM-3152]: [Basesystem] libxml2 security update (CVE-2013-2877)
Fix [NUTM-5158]: [Basesystem] glibc security update
Fix [NUTM-5726]: [Basesystem] Follow up NUTM-5403 - Sometimes slave stuck in syncing indefinitely after failover
Fix [NUTM-5800]: [Basesystem] curl security update
Fix [NUTM-6127]: [Confd] Expired license loaded after reboot even if the valid license was imported already
Fix [NUTM-6396]: [Confd] Character ">" or "<" for password will change to "&lt;"
Fix [NUTM-5447]: [Documentation] Japanese description has the wrong vocabulary of black list at "Sender Blacklist" in user portal
Fix [NUTM-3515]: [Email] [SPX] Using 'ß' and ',' as windows-1252 in form breaks utf-8 conversion
Fix [NUTM-4932]: [Email] Password protected file passes SMTP proxy
Fix [NUTM-6196]: [Email] E-Mail with Sandstorm supported and unsupported files will be moved into quarantine
Fix [NUTM-6256]: [Email] SPX inserts Backslashes into nicename of receipient address
Fix [NUTM-6747]: [Email] SAVI scanner coredumps permanently in MailProxy after update to 9.410
Fix [NUTM-5656]: [Endpoint, Web] Sandstorm feature does not work if SEC managed endpoints with Full Web Control are used
Fix [NUTM-5756]: [Network] Remove empty log lines coming from the firewall subsystem
Fix [NUTM-6202]: [SUM] After update to v9.358 the "guid" was recreated
Fix [NUTM-5717]: [Sandboxd] Respect "file OK" error responses from get/score for SB Proxy API 1.2
Fix [NUTM-6165]: [WAF] Additional cookie from WAF is added without HttpOnly detail
Fix [NUTM-6356]: [WebAdmin] AD User Test fails after first creation of an authentication server
Fix [NUTM-4118]: [Web] Still coredumps from httpproxy since installation of rpms from NUTM-3119
Fix [NUTM-5399]: [Web] httpproxy[xxxx]: segfault at 4 ip 00000000080c2113 sp 00000000ea8aee90 error 6 in httpproxy
Fix [NUTM-5561]: [Web] URL category name "Potiental Unwanted Programs" spelling mistake
Fix [NUTM-5663]: [Web] HTTP proxy restarted with core dumps in 9.407
Fix [NUTM-5834]: [Web] 'Force caching for Sophos Endpoint updates' doesn't seem to force caching
Fix [NUTM-5956]: [Web] UTM breaks auto-update on SAV for Mac
Fix [NUTM-6310]: [Web] Corrected ownership and permission of sandboxd db files
Fix [NUTM-6802]: [Web] New coredumps from httpproxy after update to v9.410
Fix [NUTM-5366]: [WiFi] Wireless Protection Manager doesn't have sufficient rights to edit time definitions
Fix [NUTM-5567]: [WiFi] APs remain inactive after being accepted on UTM
Fix [NUTM-6125]: [WiFi] Customized login page displays invalid characters

Update of a active-passive SW-Cluster 9.408-4 -> 9.411003:

It ended up in a split brain cluster,  master on 9.411, slave on 9.408. After manually updating slave to 9.411  HA is still not working and I have to downgrade to 9.408-4

Any other beta-testers with cluster-update experiences?

Update of a active-passive SW-Cluster 9.408-4 -> 9.411003:

It ended up in a split brain cluster,  master on 9.411, slave on 9.408. After manually updating slave to 9.411  HA is still not working and I have to downgrade to 9.408-4

Any other beta-testers with cluster-update experiences?

Worked fine here, 9.409 to 9.411, HA Active/Passive Cluster.  I think what you ran across was one of the bugs that is now fixed (the fix wouldn't have helped you avoid the situation -- it's for future HA upgrades I believe:

Fix [NUTM-5726]: [Basesystem] Follow up NUTM-5403 - Sometimes slave stuck in syncing indefinitely after failover

I've seen this at a customer site.  Fix was to kill the slave that was stuck, manually re-add it to the HA.

Hi Bruce

Thank you for your information. I will do a factory reset to the slave and then try to reconstruct the cluster with 9.411

Regards, Peter

Hi all,

I had scheduled an update for our UTMs for 9.30 pm today (via SUM). We can't do that earlier because many of our employees work remote via Citrix for one of our customers.
After reading the comments about 9.411-3 I've cancelled the update.

What about Sophos? What do you say? We need a functionally fix for 9.410 ASAP. Sorry, but I don't want to play "beta-tester" for the bugs in 9.410...

Greets,

Manu

Pebo, I've had this happen at random in the past, but rarely.  In addition to re-imaging the Slave and Up2Dating it to the correct level, I disabled HA and then started it anew.  It worked both times that I remember.  Did you do that?

Cheers - Bob

.

I've updated our HA-systems today to 9.411-3. Sunday is the only day we can do so things when we are afraid something went wrong. Everything seems to work. Let's see tomorrow...

Hi Bob

Yes, after factory reset of the slave it could re-join the cluster and until now everything works fine.

Regards, Peter