Advisory: Support Portal Maintenance. Login is currently unavailable, more info available here.

Hi Everyone,

Today we've released UTM 9.508. The release will be rolled out in phases. In phase 1 you can download the update package from our FTP server, in phase 2 we will spread it via our Up2Date servers.

Note:

  • When installing the update packages manually, please make sure to upload both update packages 9.507 and 9.508.
  • S/MIME Encryption updates: This release brings changes to the S/MIME feature to fully conform with new GDPR regulatory requirements for encryption. Core to these changes are new algorithms to perform encryption and signatures within S/MIME. Due to the changes in the signature algorithms, older implementations of S/MIME - including previous Sophos UTM releases - can no longer verify signatures produced with the new algorithms. Encryption and decryption of emails is not affected by this change. For details, please read the following KBA at https://community.sophos.com/kb/en-us/131727.

Up2Date Information

News

  • Maintenance Release

Remarks

  • System will be rebooted
  • Configuration will be upgraded
  • Connected APs will perform firmware upgrade

Bugfixes

  • NUTM-8739 [Access & Identity] Argos segfault and coredump after update to v9.502
  • NUTM-9164 [Access & Identity] SSLVPN installation packages fail to copy user profile during installation
  • NUTM-9344 [Access & Identity] All users are locked when a lockout policy via GPO was set
  • NUTM-9047 [Basesystem] VLAN interface on the bridge doesn't come up when slave becomes the master
  • NUTM-9296 [Configuration Management] Report Auditor is unable to open the dashboard in UTM
  • NUTM-9397 [Configuration Management] Log Remote Archiving via SCP fails when used with OpenSSH >= 7.0
  • NUTM-9497 [Documentation] ATP - Invalid status display on Webadmin for Japanese,Russian,Spanish language
  • NUTM-4174 [Email] POP3 spool cleanup does not work
  • NUTM-8794 [Email] Wrong MIME Type detection
  • NUTM-8937 [Email] Upgrade SMIME
  • NUTM-9046 [Email] SPX binary error with Office365
  • NUTM-9098 [Email] Mail stuck in work queue
  • NUTM-9252 [Email] Patch Exim for CVE-2014-2972 and CVE-2016-9963
  • NUTM-9259 [Email] POP3 Proxy coredump in "libc_start_main"
  • NUTM-9337 [Email] Selecting an AD Server for AD Recipient Verification in SMTP isn't possible after update to v9.506
  • NUTM-9382 [Email] WebAdmin user not able to disable the "Recipient Verification" in SMTP Routing
  • NUTM-9303 [HA/Cluster] HA "max_nodes" option set to 3 causes named to fail to start
  • NUTM-9405 [HA/Cluster] Interface MAC addresses shouldn't get replicated on slave node if virtual_mac is set to 0
  • NUTM-3497 [Network] BGP soft-reconfiguration not working
  • NUTM-8118 [Network] After upgrading to 9.500 "Service Monitor not running - restarted" notifications being received
  • NUTM-8432 [Network] Local Privilege Escalation via confd Service
  • NUTM-8604 [Network] Changing a bridge IP address causes bridge to go down when using vlans
  • NUTM-8887 [Network] DNS group objects doesn't delete old IP addresses
  • NUTM-9064 [Network] Network monitoring daemon constantly restarts since upgrade to 9.503
  • NUTM-9177 [Network] Disabled static routes are being put into the routing table
  • NUTM-9465 [Network] Wrong/Old IPv6 Tunnel Broker URLs in Webadmin
  • NUTM-8759 [Sandboxd] Add support for Sandstorm's Asia data centre
  • NUTM-9006 [UI Framework] Not possible to download different SSLVPN User Profiles in one Firefox session
  • NUTM-6955 [WebAdmin] Error text appears in dialog when trying to view user object usage
  • NUTM-8567 [WebAdmin] Update to ImageMagick-7.0.7-11
  • NUTM-9116 [WebAdmin] Object information can't be displayed for specific objects
  • NUTM-9128 [WebAdmin] PCI Scan failing on UserPortal due to missing HSTS and CSP
  • NUTM-9430 [WebAdmin] Issue with X-Content-Type-Options header presented by UTM
  • NUTM-7201 [Web] HTTP Proxy connections hang in CLOSE_WAIT state
  • NUTM-8638 [Web] Add group visibility in log with unlimited AD groups
  • NUTM-8746 [Web] After changing group membership, old one is still available from winbind
  • NUTM-8886 [Web] TLS Input/output error when connecting to web site
  • NUTM-9113 [Web] HTTP Proxy coredump on 9.505
  • NUTM-9166 [Web] HTTP Proxy coredump on function deny_ntlm_auth
  • NUTM-9332 [Web] DNSExpire coredump causes slow browsing
  • NUTM-9416 [Web] HTTP Proxy coredump on 9.506 with signal SIGFPE Arithmetic Exception
  • NUTM-3127 [Wireless] AP55/100 connection issues - disconnected due to excessive missing ACKs
  • NUTM-6640 [Wireless] Fix visibility of Fast Transition option in different security modes
  • NUTM-7013 [Wireless] Frequent disconnects on guest wifi network after >1 week
  • NUTM-8243 [Wireless] Update dropbear SSH Server to fix CVE-2016-7409, CVE-2016-7408, CVE-2016-7407, CVE-2016-7406
  • NUTM-8299 [Wireless] UTM stops broadcasting SSIDs for the built-in wireless after upgrade to 9.5
  • NUTM-8781 [Wireless] W-appliance - wireless network connection issue with Bridge to AP LAN
  • NUTM-8827 [Wireless] Internal wireless not broadcasting SSID after updating to 9.503
  • NUTM-8832 [Wireless] Integrated wireless adapter can be deleted
  • NUTM-8930 [Wireless] Unable to see the SSID and connect to local wifi on 2.4 Ghz band
  • NUTM-8940 [Wireless] kernel: [ xxxx.xxxxx] CPU: 0 PID: 13902 Comm: iw Tainted: G W O 3.12.74-0.265397234.g263c982.rb6-smp64 #1
  • NUTM-8945 [Wireless] SG115w SSID not broadcasted since updated to 9.503

 

Up2Date Information for Wireless Firmware 11.0.003

As part of UTM 9.508, the wireless firmware is updated to 11.0.003.

Bugfixes

  • NUTM-9338 [Wireless] Client is not getting disconnected if MAC address is removed from whitelist
  • This breaks AWS VPC. By all accounts it’s a known issue and sophos have a patch but not realeased yet. They really should have pulled the update. So angry.

  • After update to UTM 9.508, AWS VPN tunnels failed.

    After the update, I have site to site vpn connection issue. The vpn connection status is up, but i cant reach our amazon vpc server. I have tried to delete the connection and setup again. But still cant access.

    No roll back issue, only restore from backed up AMI solve the issue.

  • Updated from 9.506 to 9.508, MTU auto discovery previously disabled on WAN interface. After applying up2date's, MTU auto discovery is still disabled on WAN interface.

    TLDR -> Interface MTU settings retained after applying this update.

  • Hi all,

    Researching the upgrade path from 9.506-2 to 9.508-10 to see what problems to expect and would love a fill in on the MTU issue described here. You can change the MTU setting in interfaces, so not sure what you are referring to. If there is an issue with MTU directly impacting web browsing then I could very well be suffering from the same issue.

    I have noticed that our UTM performs better for browsing sites after a reboot, so much so that I scheduled a reboot to occur every night. Even had users compliment how fast the internet was when they were not aware that I had implemented the workaround. A single HTTP file download such as speed test will be fine, however browsing is sluggish and times out - gets worse over time. There is definitely an issue with an underlying service somewhere, and it has existed for a long time.

    I will be remote upgrading our UTM so want to avoid having to reimage the system as much as possible.

  •  Thanks for the feedback, we will look into adding a UI option for disabling auto_mtu_discovery feature.

    Re-imaging your system enables auto_mtu_discovery feature which was previously disabled.

    The question I have is, prior to re-imaging your UTM did you update to 9.508 and run into this issue or did you run into this after re-imaging your UTM and then updating to 9.508? What was the original reason for re-imaging your UTM to 9.5?