UTM Up2Date 9.414 Released

Up2Date 9.414002 package description:

Remarks:
 System will be rebooted
 Configuration will be upgraded
 Connected REDs will perform firmware upgrade
 Connected Wifi APs will perform firmware upgrade

News:
 Maintenance Release

Bugfixes:
 Fix [NUTM-6646]: [AWS, REST API] REST API panic when unlocking unlocked mutex
 Fix [NUTM-6868]: [AWS, REST API] Missing trailing slash in Swagger URLs
 Fix [NUTM-6887]: [AWS, REST API] REST API panic when inserting into node which is not of type array
 Fix [NUTM-7173]: [AWS, REST API] [RESTD] Selfmon cannot (re)start restd
 Fix [NUTM-6503]: [AWS] Migrate to new iaas_* functions
 Fix [NUTM-6708]: [AWS] Cloud update not working with conversion deployments
 Fix [NUTM-6727]: [AWS] AWS_CONVERSION_PRE_CHECK_FAILED (Pre-check failed: 127.)
 Fix [NUTM-6814]: [AWS] Rest API is accessible with default password if basic setup has not completed
 Fix [NUTM-7032]: [AWS] SignalException not handled for SecurityGroupsManagement#update
 Fix [NUTM-7055]: [AWS] queen_configuration_management / aws_resource_management SIGUSR1 handling
 Fix [NUTM-7056]: [AWS] LocalJumpError
 Fix [NUTM-7057]: [AWS] aws_set_sd_check AWS::EC2::Errors::RequestLimitExceeded
 Fix [NUTM-7061]: [AWS] Connection refused - connect(2) for "localhost" port 4472
 Fix [NUTM-7374]: [AWS] Link to RESTful API documentation
 Fix [NUTM-7442]: [Access & Identity, RED] [RED] 3G Failback with RED15(w) not working if DHCP server is shutting down
 Fix [NUTM-3240]: [Access & Identity] Update RED10, RED15, RED50 OpenSSL to most current version
 Fix [NUTM-4852]: [Access & Identity] [RED] flock() on closed filehandle $fhi at /</var/confd/confd.plx>Object/itfhw/red_server.pm line 563.
 Fix [NUTM-5925]: [Access & Identity] [RED] prevent configuration for VLAN for Split modes
 Fix [NUTM-6387]: [Access & Identity] HTML5 VNC connection not disconnecting
 Fix [NUTM-6504]: [Access & Identity] OpenVPN 2.4.0 deprecated option "tls-remote"
 Fix [NUTM-6606]: [Access & Identity] Re-occurring issues with the Sophos UTM Support access
 Fix [NUTM-6668]: [Access & Identity] [IPsec] L2TP/Cisco policy changes do not update ipsec.conf
 Fix [NUTM-6749]: [Access & Identity] RED15w does not send split DNS traffic over RED tunnel
 Fix [NUTM-7111]: [Access & Identity] Multiple open vulnerabilities in libvncserver
 Fix [NUTM-7157]: [Access & Identity] VPN users not being created when backend AD group is used
 Fix [NUTM-7295]: [Access & Identity] HTML5 VPN: Comma not working on Portuguese (Brazil) keyboard
 Fix [NUTM-7350]: [Access & Identity] [RED] USB stick E3372 does not work with RED 15
 Fix [NUTM-7377]: [Access & Identity] Remote Access tab won't load after selecting the OTP Token tab in the User Portal
 Fix [NUTM-7774]: [Access & Identity] HTML5 - Mouse not working on Touch Devices
 Fix [NUTM-7874]: [Access & Identity] Openvpn: DoS due to Exhaustion of Packet-ID counter (CVE-2017-7479)
 Fix [NUTM-5965]: [Basesystem] Sensors command on SG125w doesn't show hardware fan RPM
 Fix [NUTM-6468]: [Basesystem] BIND Security update (CVE-2016-9131, CVE-2016-9147, CVE-2016-9444)
 Fix [NUTM-6718]: [Basesystem] Update NTP to 4.2.8p9
 Fix [NUTM-6847]: [Basesystem] BIND Security update (CVE-2017-3135)
 Fix [NUTM-6956]: [Basesystem] Hardware LCD screen: IP address of ports other than eth0 cannot be changed through LCD
 Fix [NUTM-7626]: [Basesystem] BIND Security update (CVE-2017-3136, CVE-2017-3137)
 Fix [NUTM-7646]: [Basesystem] NTP Security update (CVE-2017-6458, CVE-2017-6460)
 Fix [NUTM-7742]: [Basesystem] Update Appctrl (4.4.1.21)
 Fix [NUTM-5658]: [Confd] Stripped restore inaccessible if default internal interface is removed
 Fix [NUTM-6976]: [Confd] Privilege escalation through LOGAUDITOR and REPORTAUDITOR
 Fix [NUTM-7160]: [Confd] "&" sign in RADIUS secret will be converted into "&amp;"
 Fix [NUTM-7636]: [Confd] If changing name in REF_DefaultSuperAdmin 'Admin reset password' page is not presented
 Fix [NUTM-7976]: [Confd] [TA] - If changing name in REF_DefaultSuperAdmin 'Admin reset password' page is not presented
 Fix [NUTM-3062]: [Email] Mails from mail spool get quarantined because of "500 Max connection limit reached" in cssd
 Fix [NUTM-3513]: [Email] MIME type filter doesn't detect real mime type
 Fix [NUTM-3516]: [Email] POP3 prefetch sometimes stops working
 Fix [NUTM-3669]: [Email] SMTP Proxy vulnerable by TLS renegotiation (CVE-2011-1473)
 Fix [NUTM-3671]: [Email] SPX encrypted messages are vulnerable to access without proper authentication
 Fix [NUTM-3677]: [Email] Maildrop locked for account_id
 Fix [NUTM-4324]: [Email] Changing Email Protection settings fails with Sandstorm enabled and trial expired
 Fix [NUTM-5350]: [Email] Per user blacklist does not apply until smtp service restarts
 Fix [NUTM-5545]: [Email] Quarantine report can't be enabled under some circumstances
 Fix [NUTM-5823]: [Email] Scanner timeout or deadlock for all mails with a .scn attachment
 Fix [NUTM-5892]: [Email] SMTP Exception doesn't allow '&' sign within the email address
 Fix [NUTM-6135]: [Email] DLP custom expression doesn't get triggered if the email body contains certain strings
 Fix [NUTM-6355]: [Email] Email not blocked with expression list
 Fix [NUTM-6379]: [Email] Frequent cssd coredumps
 Fix [NUTM-6986]: [Email] Sender blacklist doesn't allow '&' sign within the email address
 Fix [NUTM-7220]: [Email] WAF reporting virus found when AV engine on the UTM is updating
 Fix [NUTM-7625]: [Email] SMTP DLP expressions do not trigger under specific condition
 Fix [NUTM-7722]: [Email] mailbox_size_limit is smaller than message_size_limit in notifier log
 Fix [NUTM-4474]: [Kernel] Kernel panic - not syncing: Fatal exception in interrupt
 Fix [NUTM-6358]: [Kernel] Kernel: unable to handle kernel NULL pointer dereference at 0000000000000018
 Fix [NUTM-3170]: [Network] Time-base access for wireless is dropping ipsec-routes and not creating them again
 Fix [NUTM-4969]: [Network] Uplink does not recover from error state
 Fix [NUTM-5314]: [Network] 10gb SFP+ flexi module interface fails when under load
 Fix [NUTM-6077]: [Network] Static route on bridge interface disappears after rebooting the UTM
 Fix [NUTM-6807]: [Network] SSL VPN not being redistributed into OSPF
 Fix [NUTM-6901]: [Network] Eth0 is removed while configuring bridge interface
 Fix [NUTM-6992]: [Network] OSPF re-announcing static routes
 Fix [NUTM-7044]: [Network] Disable a VLAN associated with the WAN interface breaks the complete communication
 Fix [NUTM-7439]: [Network] nf_ct_dns: dropping packet: DNS packet of insuffient length: 25
 Fix [NUTM-7395]: [RED] [RED] Split networks/domains fields not shown when editing RED10/15
 Fix [NUTM-7491]: [RED] WARNING: CPU: 0 PID: x at net/core/dst.c:293 dst_release+0x30/0x51()
 Fix [NUTM-7060]: [Reporting] Search in reports doesn't work if the username contains only numbers
 Fix [NUTM-6651]: [Sandboxd] All sandstorm tagged mails get stuck in "Sandstorm scan pending"
 Fix [NUTM-6930]: [WAF] WAF not responding after reboot of the AWS UTM
 Fix [NUTM-6522]: [WebAdmin] SMC Test failed after Settings are applied
 Fix [NUTM-6617]: [WebAdmin] Search for Network Definitions breaks in Chrome with over 1000 objects
 Fix [NUTM-7203]: [WebAdmin] Issue with password field UTM - SMC WebAdmin configuration
 Fix [NUTM-7652]: [WebAdmin] Not possible to download different SSL VPN User Profiles in one Firefox Session
 Fix [NUTM-7870]: [WebAdmin] Comment not displayed for Time Period definition
 Fix [NUTM-5794]: [Web] IPv6 fallback to IPv4 doesn't work
 Fix [NUTM-6467]: [Web] FTP connection fails when using transparent FTP Proxy
 Fix [NUTM-6502]: [Web] HTTP Proxy coredumping with EC CA certificate
 Fix [NUTM-6532]: [Web] AD Users are prefetched in lowercase letters
 Fix [NUTM-6809]: [Web] URL category name "Potiental Unwanted Programs" spelling mistake on sophostest.com
 Fix [NUTM-6848]: [Web] HTTPS warn behaviour when "Block all content, except..." is selected
 Fix [NUTM-6867]: [Web] New httpproxy coredumps after update to v9.411 - ReleaseToCentralCache
 Fix [NUTM-7076]: [Web] UTM not updating AD group definition
 Fix [NUTM-7167]: [Web] OTP Using AD Backend Membership - duplicates user when capital letters are used in the username
 Fix [NUTM-7321]: [Web] Non existent or non proxy users are able to create SSL webfilter exceptions
 Fix [NUTM-7367]: [Web] Difference between web_filter templates and default templates in web filter
 Fix [NUTM-5612]: [WiFi] Manual channel selection not possible in both bands for SG W appliances
 Fix [NUTM-5638]: [WiFi] RED15w - integrated AP isn't shown as pending in transparent / split mode
 Fix [NUTM-5786]: [WiFi] RED15w - if more than one SSID is configured only one is working correctly
 Fix [NUTM-6215]: [WiFi] Issue when roaming between wireless with some clients
 Fix [NUTM-6335]: [WiFi] VLAN fallback not working for integrated AP from RED15w
 Fix [NUTM-6448]: [WiFi] AP55 stuck as inactive
 Fix [NUTM-6511]: [WiFi] AP does not get IP address on 100 Mbit ethernet link

RPM packages contained:
 libsensors4-3.3.0-2.7.13.1880.ga281026.rb11.i686.rpm
 libudev0-147-0.84.1.1676.gf3268b9.rb4.i686.rpm    
 libvncserver-0.9.11-0.g483b9a9.rb12.i686.rpm      
 awslogs-agent-1.3.9-0.250867252.g4df7c06.rb5.noarch.rpm
 client-openvpn-9.40-15.g34ad98f.rb4.noarch.rpm    
 firmwares-bamboo-9400-0.253109868.ge2f1a38.rb9.i586.rpm
 freerdp-1.0.2-9.gae4b426.rb2.i686.rpm             
 gtk2-libs-2.18.9-0.23.1.1463.ga6e6ff9.rb5.i686.rpm
 jq-1.5-0.233418733.gd9cd757.rb7.i686.rpm          
 perf-tools-3.12.58-78.g225d710.rb5.i686.rpm       
 perl-Date-Calc-5.4-1.1246.gb797af7.rb9.i686.rpm   
 perl-File-LibMagic-0.96-1.952.ga51b3e8.rb9.i686.rpm
 perl-Net-SSLeay-1.49-1.761.gd1bee20.rb13.i686.rpm
 postfix-2.11.0-16.gbdc4d92.rb3.i686.rpm           
 red-firmware2-5043-0.256377517.g0623fa8.rb1.noarch.rpm
 red15-firmware-5043-0.256393916.g3aedd09.rb5.noarch.rpm
 rubygem-addressable-2.5.0-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-airbrake-5.7.1-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-airbrake-ruby-1.7.1-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-aws-sdk-1.66.0-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-aws-sdk-v1-1.66.0-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-celluloid-0.17.3-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-celluloid-essentials-0.20.5-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-celluloid-extras-0.20.5-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-celluloid-fsm-0.20.5-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-celluloid-pool-0.20.5-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-celluloid-supervision-0.20.6-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-crack-0.4.3-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-diff-lcs-1.2.5-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-docile-1.1.5-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-hashdiff-0.3.2-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-hitimes-1.2.4-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-json-1.8.3-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-little-plugger-1.1.4-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-logging-2.1.0-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-mini_portile2-2.0.0-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-multi_json-1.12.1-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-nokogiri-1.6.7.2-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-pg-0.19.0-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-pidfile-0.3.0-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-public_suffix-2.0.5-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-retries-0.0.5-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-rspec-3.5.0-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-rspec-core-3.5.4-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-rspec-expectations-3.5.0-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-rspec-mocks-3.5.0-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-rspec-support-3.5.0-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-safe_yaml-1.0.4-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-sequel-4.42.0-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-simplecov-0.12.0-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-simplecov-html-0.10.0-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-sophos-iaas-1.0.0-0.255611249.g062b817.rb3.i686.rpm
 rubygem-thor-0.19.4-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-timers-4.1.2-0.253186261.g62d8cf9.rb6.i686.rpm
 rubygem-webmock-2.3.2-0.253186261.g62d8cf9.rb6.i686.rpm
 sensors-3.3.0-2.7.13.1880.ga281026.rb11.i686.rpm  
 udev-147-0.84.1.1676.gf3268b9.rb4.i686.rpm        
 uma-9.40-20.gcfb3eac.rb7.i686.rpm                 
 ep-reporting-9.40-34.gca719d9.rb11.i686.rpm       
 ep-reporting-c-9.40-33.g6f3bc54.rb8.i686.rpm      
 ep-reporting-resources-9.40-34.gca719d9.rb11.i686.rpm
 ep-aua-9.40-46.gb28c908.rb4.i686.rpm              
 ep-awed-9.40-57.g38b1e1e.rb6.i686.rpm             
 ep-confd-9.40-1047.g10e7f95.rb9.i686.rpm          
 ep-cssd-9.40-31.g6d49dc9.rb3.i686.rpm             
 ep-ha-aws-9.40-452.g062b817.rb3.noarch.rpm        
 ep-init-9.40-18.g8f5b664.rb5.noarch.rpm           
 ep-libs-9.40-32.gec3964b.rb4.i686.rpm             
 ep-logging-9.40-10.g53bc615.rb3.i686.rpm          
 ep-mdw-9.40-629.g5e9ce4f.rb9.i686.rpm             
 ep-notifier-9.40-12.gbdc4d92.rb3.i686.rpm         
 ep-postgresql92-9.40-72.gb9e9e79.rb4.i686.rpm     
 ep-restd-9.40-0.258123434.g77e71da.i686.rpm       
 ep-sandboxd-9.40-0.255720458.g1651d76.rb2.i686.rpm
 ep-screenmgr-9.40-3.g07035cc.rb12.i686.rpm        
 ep-service-monitor-1.0-47.gba07d2e.rb5.i686.rpm   
 ep-up2date-9.40-22.ga2267a9.rb4.i686.rpm          
 ep-up2date-downloader-9.40-22.ga2267a9.rb4.i686.rpm
 ep-up2date-pattern-install-9.40-22.ga2267a9.rb4.i686.rpm
 ep-up2date-system-install-9.40-22.ga2267a9.rb4.i686.rpm
 ep-utm-watchdog-9.40-59.g5545460.rb5.i686.rpm     
 ep-webadmin-9.40-889.g32b7a44.rb9.i686.rpm        
 ep-webadmin-contentmanager-9.40-53.g1feba9f.rb2.i686.rpm
 ep-webadmin-spx-9.40-3.g459bf94.rb6.i686.rpm      
 u2d-ipsbundle2-9-70.i686.rpm                      
 ep-cloud-ec2-9.40-70.g4015b27.rb6.i686.rpm        
 ep-chroot-httpd-9.40-25.g5858fbe.rb5.noarch.rpm   
 ep-chroot-ipsec-9.40-6.gd4695e2.rb6.noarch.rpm    
 ep-chroot-smtp-9.40-150.gacdc2a1.rb2.i686.rpm     
 chroot-bind-9.10.4_P8-0.258574549.g00918f3.rb3.i686.rpm
 chroot-clientlessvpn-9.40-1.g975c7e9.rb3.i686.rpm
 chroot-ftp-9.40-6.g6cca7ba.rb8.i686.rpm           
 chroot-ntp-4.2.8p10-0.ge44e0f0.rb2.i686.rpm       
 chroot-openvpn-9.40-28.g67a99ed.rb2.i686.rpm      
 chroot-reverseproxy-2.4.10-257.g75cd21d.rb2.i686.rpm
 chroot-smtp-9.40-17.g30651a7.rb2.i686.rpm         
 ep-chroot-pop3-9.40-18.gda2541b.rb2.i686.rpm      
 ep-httpproxy-9.40-426.gf7cedd9.rb5.i686.rpm       
 kernel-smp-3.12.58-78.g225d710.rb5.i686.rpm       
 kernel-smp64-3.12.58-78.g225d710.rb5.x86_64.rpm   
 ep-release-9.414-2.noarch.rpm                    

  • In reply to BAlfson:

    Rejoining to the domain does work, but only temporarily. This morning, both devices had stopped working again and had to be re-rejoined.

    I'm not sure that adding a cron job is the best solution for this. For one thing, Sophos specifically says this in their shell access help file:

    "Any modifications done by root will void your support"

    Sophos needs to fix this problem. Unfortunately, at this point they completely stopped responding to my support ticket. I guess, if you think about it, that makes the idea of voiding your support a moot point.

  • In reply to Blake Hensley:

    Blake, in the USA, if your reseller is a Sophos Gold/Platinum Solution Partner, they should be helping you to get Support to respond.

    In any case, adding a line to /etc/crontab-static will not void your support.  Once you've done that, cause the system to rebuild /etc/crontab by going to 'Management >> Up2Date' and changing the 'System Download Interval', [Apply], change it back and [Apply].

    Cheers - Bob

  • In reply to Blake Hensley:

    I talked to support today and they are working on a fix, but there is no ETA.

    As a workaround, he suggested the following, although #3 is the way to go.  It seems like updating the password (one of my previous posts) does work, but only for about 8-12 hours, then you have to do it again.  The tech also forwarded some instructions on adjusting the krb5.conf files for Kerberos, but that solution also only works for about 8-12 hours, so I won't post it (only referencing it in case they suggest it to anyone else... it's not worth doing).  You could also try disabling web filtering and just open up the ports on the firewall, but if you have browsers configured with proxy settings, then this may be a pain.

    My recommendation is to do #3, but here is what they suggested:

    1. Downgrade Firmware (which is complicated and not worth doing)
    2. Disable Transport Mode and use only Standard Mode (you must set browser proxy settings and point them to the UTM, which most of us probably do, but I've had issues with Outlook and other programs that cannot have proxy settings manually added)
    3. Create an Exception to bypass Authentication (my recommendation)
    4. Use Mozilla Firefox (issue impacts IE/Chrome only)

  • In reply to BAlfson:

    Use this KnowledgeBase article with my suggestion in my previous post above: https://community.sophos.com/kb/en-us/126819.

    Cheers - Bob