Hi Everyone,

Today we've released UTM 9.508. The release will be rolled out in phases. In phase 1 you can download the update package from our FTP server, in phase 2 we will spread it via our Up2Date servers.

Note:

  • When installing the update packages manually, please make sure to upload both update packages 9.507 and 9.508.
  • S/MIME Encryption updates: This release brings changes to the S/MIME feature to fully conform with new GDPR regulatory requirements for encryption. Core to these changes are new algorithms to perform encryption and signatures within S/MIME. Due to the changes in the signature algorithms, older implementations of S/MIME - including previous Sophos UTM releases - can no longer verify signatures produced with the new algorithms. Encryption and decryption of emails is not affected by this change. For details, please read the following KBA at https://community.sophos.com/kb/en-us/131727.

Up2Date Information

News

  • Maintenance Release

Remarks

  • System will be rebooted
  • Configuration will be upgraded
  • Connected APs will perform firmware upgrade

Bugfixes

  • NUTM-8739 [Access & Identity] Argos segfault and coredump after update to v9.502
  • NUTM-9164 [Access & Identity] SSLVPN installation packages fail to copy user profile during installation
  • NUTM-9344 [Access & Identity] All users are locked when a lockout policy via GPO was set
  • NUTM-9047 [Basesystem] VLAN interface on the bridge doesn't come up when slave becomes the master
  • NUTM-9296 [Configuration Management] Report Auditor is unable to open the dashboard in UTM
  • NUTM-9397 [Configuration Management] Log Remote Archiving via SCP fails when used with OpenSSH >= 7.0
  • NUTM-9497 [Documentation] ATP - Invalid status display on Webadmin for Japanese,Russian,Spanish language
  • NUTM-4174 [Email] POP3 spool cleanup does not work
  • NUTM-8794 [Email] Wrong MIME Type detection
  • NUTM-8937 [Email] Upgrade SMIME
  • NUTM-9046 [Email] SPX binary error with Office365
  • NUTM-9098 [Email] Mail stuck in work queue
  • NUTM-9252 [Email] Patch Exim for CVE-2014-2972 and CVE-2016-9963
  • NUTM-9259 [Email] POP3 Proxy coredump in "libc_start_main"
  • NUTM-9337 [Email] Selecting an AD Server for AD Recipient Verification in SMTP isn't possible after update to v9.506
  • NUTM-9382 [Email] WebAdmin user not able to disable the "Recipient Verification" in SMTP Routing
  • NUTM-9303 [HA/Cluster] HA "max_nodes" option set to 3 causes named to fail to start
  • NUTM-9405 [HA/Cluster] Interface MAC addresses shouldn't get replicated on slave node if virtual_mac is set to 0
  • NUTM-3497 [Network] BGP soft-reconfiguration not working
  • NUTM-8118 [Network] After upgrading to 9.500 "Service Monitor not running - restarted" notifications being received
  • NUTM-8432 [Network] Local Privilege Escalation via confd Service
  • NUTM-8604 [Network] Changing a bridge IP address causes bridge to go down when using vlans
  • NUTM-8887 [Network] DNS group objects doesn't delete old IP addresses
  • NUTM-9064 [Network] Network monitoring daemon constantly restarts since upgrade to 9.503
  • NUTM-9177 [Network] Disabled static routes are being put into the routing table
  • NUTM-9465 [Network] Wrong/Old IPv6 Tunnel Broker URLs in Webadmin
  • NUTM-8759 [Sandboxd] Add support for Sandstorm's Asia data centre
  • NUTM-9006 [UI Framework] Not possible to download different SSLVPN User Profiles in one Firefox session
  • NUTM-6955 [WebAdmin] Error text appears in dialog when trying to view user object usage
  • NUTM-8567 [WebAdmin] Update to ImageMagick-7.0.7-11
  • NUTM-9116 [WebAdmin] Object information can't be displayed for specific objects
  • NUTM-9128 [WebAdmin] PCI Scan failing on UserPortal due to missing HSTS and CSP
  • NUTM-9430 [WebAdmin] Issue with X-Content-Type-Options header presented by UTM
  • NUTM-7201 [Web] HTTP Proxy connections hang in CLOSE_WAIT state
  • NUTM-8638 [Web] Add group visibility in log with unlimited AD groups
  • NUTM-8746 [Web] After changing group membership, old one is still available from winbind
  • NUTM-8886 [Web] TLS Input/output error when connecting to web site
  • NUTM-9113 [Web] HTTP Proxy coredump on 9.505
  • NUTM-9166 [Web] HTTP Proxy coredump on function deny_ntlm_auth
  • NUTM-9332 [Web] DNSExpire coredump causes slow browsing
  • NUTM-9416 [Web] HTTP Proxy coredump on 9.506 with signal SIGFPE Arithmetic Exception
  • NUTM-3127 [Wireless] AP55/100 connection issues - disconnected due to excessive missing ACKs
  • NUTM-6640 [Wireless] Fix visibility of Fast Transition option in different security modes
  • NUTM-7013 [Wireless] Frequent disconnects on guest wifi network after >1 week
  • NUTM-8243 [Wireless] Update dropbear SSH Server to fix CVE-2016-7409, CVE-2016-7408, CVE-2016-7407, CVE-2016-7406
  • NUTM-8299 [Wireless] UTM stops broadcasting SSIDs for the built-in wireless after upgrade to 9.5
  • NUTM-8781 [Wireless] W-appliance - wireless network connection issue with Bridge to AP LAN
  • NUTM-8827 [Wireless] Internal wireless not broadcasting SSID after updating to 9.503
  • NUTM-8832 [Wireless] Integrated wireless adapter can be deleted
  • NUTM-8930 [Wireless] Unable to see the SSID and connect to local wifi on 2.4 Ghz band
  • NUTM-8940 [Wireless] kernel: [ xxxx.xxxxx] CPU: 0 PID: 13902 Comm: iw Tainted: G W O 3.12.74-0.265397234.g263c982.rb6-smp64 #1
  • NUTM-8945 [Wireless] SG115w SSID not broadcasted since updated to 9.503

 

Up2Date Information for Wireless Firmware 11.0.003

As part of UTM 9.508, the wireless firmware is updated to 11.0.003.

Bugfixes

  • NUTM-9338 [Wireless] Client is not getting disconnected if MAC address is removed from whitelist
  • "The issue you described may not be related to updating to 9.508. It could be due to re-imaging your UTM."

    As I stated in my original comment:

    "So yesterday I factory imaged 2 Sophos units to 9.5 and the bug was gone."

    I was advised by Sophos Support that re-imaging using the ISO 9.5 was the best way to remove this bug.

    They were right, re-imaging gets rid of this bug, I was very happy.

    What made me very unhappy was updating from 9.502 to 9.508-10 re-introduced this bug.

    What really upsets me is that this bug took me months to find as Sophos Support had no idea what was causing all my problems.

    Until one clever person finally realised it was the MTU problem.

    This was fixed in the 9.5 ISO, Sophos have now brought it back.

    Please, for the sake of all our sanity, enable the MTU setting in the GUI!

  •  I sent you a private message regarding your issue.

    The issue you described may not be related to updating to 9.508. It could be due to re-imaging your UTM.

    By default MTU auto discovery feature is enabled and if your ISP DHCP server broadcast a small MTU size you may run into the issue you described. Please see my message for further details on the issue,

  • The UTM 576 Bug is back :(

    My first Sophos was plagued with problems, slow or non-existent loading of sites like the BBC, Google Maps or Reddit. It took months of emails, research and support tickets before we found the problem was an MTU setting.

    The 9.4 series firmware introduced a bug where it would only allow whatever MTU your ISP sent. In many cases this was 576, however this caused the browsing problems described above.

    I’ve been speaking with Sophos Support and they said this problem can be worked around in CLI or do a factory image of 9.5.

    The first fix was to modify the backend via CLI to ignore the ISP MTU, this worked.

    Once the WAN MTU was set to 1500 all the problems went away.

    But I was advised re-imaging to 9.5 would fix the problem for good.

    So yesterday I factory imaged 2 Sophos units to 9.5 and the bug was gone

    Today I updated my test SG 135 to 9.508-10 and the bug has returned!

    So now I have to refuse all future updates from the Factory ISO of 9.5, or presumably hack a workaround in CLI again?

    What should I do?

  • Markus,

    Article  community.sophos.com/.../131727  captured the information on how to deal with (optional) certificate regeneration.

  • Will all the s/mime certificates for email encryption automatically be regenerated?

    If not- how to export a list with email encryption users and comments? And then how to import this list for automatically regenerate smime certificates?