Up2Date 9.414002 package description:

Remarks:
- System will be rebooted
- Configuration will be upgraded
- Connected REDs will perform firmware upgrade
- Connected Wifi APs will perform firmware upgrade

News:
- Maintenance Release

Bugfixes:
- Fix [NUTM-6646]: [AWS, REST API] REST API panic when unlocking unlocked mutex
- Fix [NUTM-6868]: [AWS, REST API] Missing trailing slash in Swagger URLs
- Fix [NUTM-6887]: [AWS, REST API] REST API panic when inserting into node which is not of type array
- Fix [NUTM-7173]: [AWS, REST API] [RESTD] Selfmon cannot (re)start restd
- Fix [NUTM-6503]: [AWS] Migrate to new iaas_* functions
- Fix [NUTM-6708]: [AWS] Cloud update not working with conversion deployments
- Fix [NUTM-6727]: [AWS] AWS_CONVERSION_PRE_CHECK_FAILED (Pre-check failed: 127.)
- Fix [NUTM-6814]: [AWS] Rest API is accessible with default password if basic setup has not completed
- Fix [NUTM-7032]: [AWS] SignalException not handled for SecurityGroupsManagement#update
- Fix [NUTM-7055]: [AWS] queen_configuration_management / aws_resource_management SIGUSR1 handling
- Fix [NUTM-7056]: [AWS] LocalJumpError
- Fix [NUTM-7057]: [AWS] aws_set_sd_check AWS::EC2::Errors::RequestLimitExceeded
- Fix [NUTM-7061]: [AWS] Connection refused - connect(2) for "localhost" port 4472
- Fix [NUTM-7374]: [AWS] Link to RESTful API documentation
- Fix [NUTM-7442]: [Access & Identity, RED] [RED] 3G Failback with RED15(w) not working if DHCP server is shutting down
- Fix [NUTM-3240]: [Access & Identity] Update RED10, RED15, RED50 OpenSSL to most current version
- Fix [NUTM-4852]: [Access & Identity] [RED] flock() on closed filehandle $fhi at /</var/confd/confd.plx>Object/itfhw/red_server.pm line 563.
- Fix [NUTM-5925]: [Access & Identity] [RED] prevent configuration for VLAN for Split modes
- Fix [NUTM-6387]: [Access & Identity] HTML5 VNC connection not disconnecting
- Fix [NUTM-6504]: [Access & Identity] OpenVPN 2.4.0 deprecated option "tls-remote"
- Fix [NUTM-6606]: [Access & Identity] Re-occuring issues with the Sophos UTM Support access
- Fix [NUTM-6668]: [Access & Identity] [IPsec] L2TP/Cisco policy changes do not update ipsec.conf
- Fix [NUTM-6749]: [Access & Identity] RED15w does not send split DNS traffic over RED tunnel
- Fix [NUTM-7111]: [Access & Identity] Multiple open vulnerabilities in libvncserver
- Fix [NUTM-7157]: [Access & Identity] VPN users not being created when backend AD group is used
- Fix [NUTM-7295]: [Access & Identity] HTML5 VPN: Comma not working on Portuguese (Brazil) keyboard
- Fix [NUTM-7350]: [Access & Identity] [RED] USB stick E3372 does not work with RED 15
- Fix [NUTM-7377]: [Access & Identity] Remote Access tab won't load after selecting the OTP Token tab in the User Portal
- Fix [NUTM-7774]: [Access & Identity] HTML5 - Mouse not working on Touch Devices
- Fix [NUTM-7874]: [Access & Identity] Openvpn: DoS due to Exhaustion of Packet-ID counter (CVE-2017-7479)
- Fix [NUTM-5965]: [Basesystem] Sensors command on SG125w doesn't show hardware fan RPM
- Fix [NUTM-6468]: [Basesystem] BIND Security update (CVE-2016-9131, CVE-2016-9147, CVE-2016-9444)
- Fix [NUTM-6718]: [Basesystem] Update NTP to 4.2.8p9
- Fix [NUTM-6847]: [Basesystem] BIND Security update (CVE-2017-3135)
- Fix [NUTM-6956]: [Basesystem] Hardware LCD screen: IP address of ports other than eth0 cannot be changed through LCD
- Fix [NUTM-7626]: [Basesystem] BIND Security update (CVE-2017-3136, CVE-2017-3137)
- Fix [NUTM-7646]: [Basesystem] NTP Security update (CVE-2017-6458, CVE-2017-6460)
- Fix [NUTM-7742]: [Basesystem] Update Appctrl (184.108.40.206)
- Fix [NUTM-5658]: [Confd] Stripped restore unaccessable if default internal interface is removed
- Fix [NUTM-6976]: [Confd] Privilege escalation though LOGAUDITOR and REPORTAUDITOR
- Fix [NUTM-7160]: [Confd] "&" sign in RADIUS secret will be converted into "&"
- Fix [NUTM-7636]: [Confd] If changing name in REF_DefaultSuperAdmin 'Admin reset password' page is not presented
- Fix [NUTM-7976]: [Confd] [TA] - If changing name in REF_DefaultSuperAdmin 'Admin reset password' page is not presented
- Fix [NUTM-3062]: [Email] Mails from mail spool get quarantined because of "500 Max connection limit reached" in cssd
- Fix [NUTM-3513]: [Email] MIME type filter doesn't detect real mime type
- Fix [NUTM-3516]: [Email] POP3 prefetch sometimes stops working
- Fix [NUTM-3669]: [Email] SMTP Proxy vulnerable by TLS renegotiation (CVE-2011-1473)
- Fix [NUTM-3671]: [Email] SPX encrypted messages are vulnerable to access without proper authentication
- Fix [NUTM-3677]: [Email] Maildrop locked for account_id
- Fix [NUTM-4324]: [Email] Changing Email Protection settings fails with Sandstorm enabled and trial expired
- Fix [NUTM-5350]: [Email] Per user blacklist does not apply until smtp service restarts
- Fix [NUTM-5545]: [Email] Quarantine report can't be enabled under some circumstances
- Fix [NUTM-5823]: [Email] Scanner timeout or deadlock for all mails with a .scn attachment
- Fix [NUTM-5892]: [Email] SMTP Exception doesn't allow '&' sign within the email address
- Fix [NUTM-6135]: [Email] DLP custom expression doesn't get triggered if the email body contains certain strings
- Fix [NUTM-6355]: [Email] Email not blocked with expression list
- Fix [NUTM-6379]: [Email] Frequent cssd coredumps
- Fix [NUTM-6986]: [Email] Sender blacklist doesn't allow '&' sign within the email address
- Fix [NUTM-7220]: [Email] WAF reporting virus found when AV engine on the UTM is updating
- Fix [NUTM-7625]: [Email] SMTP DLP expressions do not trigger under specific condition
- Fix [NUTM-7722]: [Email] mailbox_size_limit is smaller than message_size_limit in notifier log
- Fix [NUTM-4474]: [Kernel] Kernel panic - not syncing: Fatal exception in interrupt
- Fix [NUTM-6358]: [Kernel] Kernel: unable to handle kernel NULL pointer dereference at 0000000000000018
- Fix [NUTM-3170]: [Network] Time-base access for wireless is dropping ipsec-routes and not creating them again
- Fix [NUTM-4969]: [Network] Uplink does not recover from error state
- Fix [NUTM-5314]: [Network] 10gb SFP+ flexi module interface fails when under load
- Fix [NUTM-6077]: [Network] Static route on bridge interface disappears after rebooting the UTM
- Fix [NUTM-6807]: [Network] SSL VPN not being redistributed into OSPF
- Fix [NUTM-6901]: [Network] Eth0 is removed while configuring bridge interface
- Fix [NUTM-6992]: [Network] OSPF re-announcing static routes
- Fix [NUTM-7044]: [Network] Disable a VLAN associated with the WAN interface breaks the complete communication
- Fix [NUTM-7439]: [Network] nf_ct_dns: dropping packet: DNS packet of insuffient length: 25
- Fix [NUTM-7395]: [RED] [RED] Split networks/domains fields not shown when editing RED10/15
- Fix [NUTM-7491]: [RED] WARNING: CPU: 0 PID: x at net/core/dst.c:293 dst_release+0x30/0x51()
- Fix [NUTM-7060]: [Reporting] Search in reports doesn't work if the username contains only numbers
- Fix [NUTM-6651]: [Sandboxd] All sandstorm tagged mails get stuck in "Sandstorm scan pending"
- Fix [NUTM-6930]: [WAF] WAF not responding after reboot of the AWS UTM
- Fix [NUTM-6522]: [WebAdmin] SMC Test failed after Settings are applied
- Fix [NUTM-6617]: [WebAdmin] Search for Network Definitions breaks in Chrome with over 1000 objects
- Fix [NUTM-7203]: [WebAdmin] Issue with password field UTM - SMC WebAdmin configuration
- Fix [NUTM-7652]: [WebAdmin] Not possible to download different SSL VPN User Profiles in one Firefox Session
- Fix [NUTM-7870]: [WebAdmin] Comment not displayed for Time Period definition
- Fix [NUTM-5794]: [Web] IPv6 fallback to IPv4 doesn't work
- Fix [NUTM-6467]: [Web] FTP connection fails when using transparent FTP Proxy
- Fix [NUTM-6502]: [Web] HTTP Proxy coredumping with EC CA certificate
- Fix [NUTM-6532]: [Web] AD Users are prefetched in lowercase letters
- Fix [NUTM-6809]: [Web] URL category name "Potiental Unwanted Programs" spelling mistake on sophostest.com
- Fix [NUTM-6848]: [Web] HTTPS warn behaviour when "Block all content, except..." is selected
- Fix [NUTM-6867]: [Web] New httpproxy coredumps after update to v9.411 - ReleaseToCentralCache
- Fix [NUTM-7076]: [Web] UTM not updating AD group definition
- Fix [NUTM-7167]: [Web] OTP Using AD Backend Membership - duplicates user when capital letters are used in the username
- Fix [NUTM-7321]: [Web] Non existent or non proxy users are able to create SSL webfilter exceptions
- Fix [NUTM-7367]: [Web] Difference between web_filter templates and default templates in web filter
- Fix [NUTM-5612]: [WiFi] Manual channel selection not possible in both bands for SG W appliances
- Fix [NUTM-5638]: [WiFi] RED15w - integrated AP isn't shown as pending in transparent / split mode
- Fix [NUTM-5786]: [WiFi] RED15w - if more then one SSID is configured only one is working correctly
- Fix [NUTM-6215]: [WiFi] Issue when roaming between wireless with some clients
- Fix [NUTM-6335]: [WiFi] VLAN fallback not working for integrated AP from RED15w
- Fix [NUTM-6448]: [WiFi] AP55 stuck as inactive
- Fix [NUTM-6511]: [WiFi] AP does not get IP address on 100 Mbit ethernet link

RPM packages contained:
- libsensors4-3.3.0-220.127.116.110.ga281026.rb11.i686.rpm
- libudev0-147-0.84.1.1676.gf3268b9.rb4.i686.rpm
- libvncserver-0.9.11-0.g483b9a9.rb12.i686.rpm
- awslogs-agent-1.3.9-0.250867252.g4df7c06.rb5.noarch.rpm
- client-openvpn-9.40-15.g34ad98f.rb4.noarch.rpm
- firmwares-bamboo-9400-0.253109868.ge2f1a38.rb9.i586.rpm
- freerdp-1.0.2-9.gae4b426.rb2.i686.rpm
- gtk2-libs-2.18.9-0.23.1.1463.ga6e6ff9.rb5.i686.rpm
- jq-1.5-0.233418733.gd9cd757.rb7.i686.rpm
- perf-tools-3.12.58-78.g225d710.rb5.i686.rpm
- perl-Date-Calc-5.4-1.1246.gb797af7.rb9.i686.rpm
- perl-File-LibMagic-0.96-1.952.ga51b3e8.rb9.i686.rpm
- perl-Net-SSLeay-1.49-1.761.gd1bee20.rb13.i686.rpm
- postfix-2.11.0-16.gbdc4d92.rb3.i686.rpm
- red-firmware2-5043-0.256377517.g0623fa8.rb1.noarch.rpm
- red15-firmware-5043-0.256393916.g3aedd09.rb5.noarch.rpm
- rubygem-addressable-2.5.0-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-airbrake-5.7.1-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-airbrake-ruby-1.7.1-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-aws-sdk-1.66.0-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-aws-sdk-v1-1.66.0-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-celluloid-0.17.3-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-celluloid-essentials-0.20.5-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-celluloid-extras-0.20.5-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-celluloid-fsm-0.20.5-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-celluloid-pool-0.20.5-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-celluloid-supervision-0.20.6-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-crack-0.4.3-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-diff-lcs-1.2.5-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-docile-1.1.5-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-hashdiff-0.3.2-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-hitimes-1.2.4-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-json-1.8.3-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-little-plugger-1.1.4-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-logging-2.1.0-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-mini_portile2-2.0.0-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-multi_json-1.12.1-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-nokogiri-18.104.22.168-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-pg-0.19.0-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-pidfile-0.3.0-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-public_suffix-2.0.5-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-retries-0.0.5-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-rspec-3.5.0-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-rspec-core-3.5.4-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-rspec-expectations-3.5.0-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-rspec-mocks-3.5.0-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-rspec-support-3.5.0-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-safe_yaml-1.0.4-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-sequel-4.42.0-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-simplecov-0.12.0-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-simplecov-html-0.10.0-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-sophos-iaas-1.0.0-0.255611249.g062b817.rb3.i686.rpm
- rubygem-thor-0.19.4-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-timers-4.1.2-0.253186261.g62d8cf9.rb6.i686.rpm
- rubygem-webmock-2.3.2-0.253186261.g62d8cf9.rb6.i686.rpm
- sensors-3.3.0-22.214.171.1240.ga281026.rb11.i686.rpm
- udev-147-0.84.1.1676.gf3268b9.rb4.i686.rpm
- uma-9.40-20.gcfb3eac.rb7.i686.rpm
- ep-reporting-9.40-34.gca719d9.rb11.i686.rpm
- ep-reporting-c-9.40-33.g6f3bc54.rb8.i686.rpm
- ep-reporting-resources-9.40-34.gca719d9.rb11.i686.rpm
- ep-aua-9.40-46.gb28c908.rb4.i686.rpm
- ep-awed-9.40-57.g38b1e1e.rb6.i686.rpm
- ep-confd-9.40-1047.g10e7f95.rb9.i686.rpm
- ep-cssd-9.40-31.g6d49dc9.rb3.i686.rpm
- ep-ha-aws-9.40-452.g062b817.rb3.noarch.rpm
- ep-init-9.40-18.g8f5b664.rb5.noarch.rpm
- ep-libs-9.40-32.gec3964b.rb4.i686.rpm
- ep-logging-9.40-10.g53bc615.rb3.i686.rpm
- ep-mdw-9.40-629.g5e9ce4f.rb9.i686.rpm
- ep-notifier-9.40-12.gbdc4d92.rb3.i686.rpm
- ep-postgresql92-9.40-72.gb9e9e79.rb4.i686.rpm
- ep-restd-9.40-0.258123434.g77e71da.i686.rpm
- ep-sandboxd-9.40-0.255720458.g1651d76.rb2.i686.rpm
- ep-screenmgr-9.40-3.g07035cc.rb12.i686.rpm
- ep-service-monitor-1.0-47.gba07d2e.rb5.i686.rpm
- ep-up2date-9.40-22.ga2267a9.rb4.i686.rpm
- ep-up2date-downloader-9.40-22.ga2267a9.rb4.i686.rpm
- ep-up2date-pattern-install-9.40-22.ga2267a9.rb4.i686.rpm
- ep-up2date-system-install-9.40-22.ga2267a9.rb4.i686.rpm
- ep-utm-watchdog-9.40-59.g5545460.rb5.i686.rpm
- ep-webadmin-9.40-889.g32b7a44.rb9.i686.rpm
- ep-webadmin-contentmanager-9.40-53.g1feba9f.rb2.i686.rpm
- ep-webadmin-spx-9.40-3.g459bf94.rb6.i686.rpm
- u2d-ipsbundle2-9-70.i686.rpm
- ep-cloud-ec2-9.40-70.g4015b27.rb6.i686.rpm
- ep-chroot-httpd-9.40-25.g5858fbe.rb5.noarch.rpm
- ep-chroot-ipsec-9.40-6.gd4695e2.rb6.noarch.rpm
- ep-chroot-smtp-9.40-150.gacdc2a1.rb2.i686.rpm
- chroot-bind-9.10.4_P8-0.258574549.g00918f3.rb3.i686.rpm
- chroot-clientlessvpn-9.40-1.g975c7e9.rb3.i686.rpm
- chroot-ftp-9.40-6.g6cca7ba.rb8.i686.rpm
- chroot-ntp-4.2.8p10-0.ge44e0f0.rb2.i686.rpm
- chroot-openvpn-9.40-28.g67a99ed.rb2.i686.rpm
- chroot-reverseproxy-2.4.10-257.g75cd21d.rb2.i686.rpm
- chroot-smtp-9.40-17.g30651a7.rb2.i686.rpm
- ep-chroot-pop3-9.40-18.gda2541b.rb2.i686.rpm
- ep-httpproxy-9.40-426.gf7cedd9.rb5.i686.rpm
- kernel-smp-3.12.58-78.g225d710.rb5.i686.rpm
- kernel-smp64-3.12.58-78.g225d710.rb5.x86_64.rpm
- ep-release-9.414-2.noarch.rpm
Any feedback on this one before I schedule an upgrade?
In reply to rrosson:
would also like to know before rolling the dice
Don't upgrade! We have 6 UTMs and after upgrading, Web Filtering authentication stopped working. No one could get to the Internet. I had to create a Web Filtering exception for everyone, to bypass Authentication and URL filtering.
In reply to SteveLindley:
We are in the same situation with our 2 UTMs. Could you tell me more about the exception you created because I have just disabled it completely for the time being.
Thanks for the info. Sad that this keeps happening after having this product for several years. Can never trust updates.
In reply to ChrisP Chicken:
Under Web Protection > Filtering Options, we created a rule called All Out (but call it what you want) and checked Authentication, URL Filtering and Content Removal (Authentication may be the only thing necessary, but we selected all 3, just in case). We then selected "Coming from these networks" and added subnet for all of our internal networks.
Hopefully Sophos will release a fix soon!
Normally, I wait until they release 2 or 3 fixes before upgrading, but we've been having some weird issues with our phone system since the last set of upgrades (mostly around SMTP, even though our firewall rules allow for all internal traffic to/from each other). After exhausting all other options, I'm thinking the Sophos is the source of the problem, so I rolled the dice. We use these as internal routers, as well as a firewall, proxy and URL filtering, but I'm now going to add a second internal router for internal WAN communication, and just use these as firewalls/proxy servers.
I would use a separate broadband line for VoIP altogether, that's what I do myself and treat main leased line as a failover only.
We have 2 UTMs and I upgraded last night and the only issue I had was the Single Sign-on for Active Directory was broken. I had to re-enter my credentials and the error message I was receiving went away ([WARN-531] Directory Services synchronization).
In reply to Eric Cowen:
I'll give it a shot after hours. Thanks, Eric!
I have the same problem with my 2 UTMs.
Thanks to your solution...
Just an FYI, per Eric's comments, I did the following:
- Re-Joined the Sophos to the domain under SSO
- Re-Entered the passwords for both DCs under Authentication Services (after the upgrade, I performed a Test of the servers, but didn't update the password and Save the settings...after reading Eric's comments, I updated the password, clicked Test and then Saved the settings)
Doing one or both of the above seemed to solve the problem last night, but this morning, we're having the same issues again. I went back and did the same thing and it worked again, but a number of employees also had to restart their PCs for it to work (some, but not all).
It seems that updating the password under authentication services and/or re-joining the Sophos to the domain provides a temporary fix (about 12 hours), but then it stops working again.
I have a ticket open with Sophos, so I'll repost once I talk with them.
We have an SG330 and an SG210. Same issue outlined by others: after updating to 9.414-2, SSO for HTTP proxy fails. Rejoining the devices to the domain works temporarily, but the issue returns. There is another thread talking about this for both 9.414-2 and 9.501-5:
In reply to Blake Hensley:
Hi, Blake, and welcome to the UTM Community!
A recent post reported success by simply rejoining with valid credentials - neither deleting the Account in AD nor un-joining in the UTM was needed. Also, note the command line trick.
Cheers - Bob
Several SW-Versions from 9.411 -> 9.414: IPSec-VPN, SSL-VPN, Wireless Prot., WAF, SUM, IPS/ATP, no SSO/AD -> No issues
SG310-Cluster from 9.411 -> 9.414: IPSec-VPN, SSL-VPN, Wireless Prot., RED, SUM, WAF, IPS/ATP, no SSO/AD -> No issues
Also no cores
In reply to pebo:
I've just one SG115 at 9.414: Web Protection without SSO: OK, adirectory Auth-Server with AD-Users on WebAdmin, UserPortal, SSL-VPN: OK.
keep on watchin.