This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Up2Date 9.405005 available

Got an Up2Date Msg on our SG 230 just an hour ago:

Remarks:
System will be rebooted
Configuration will be upgraded
Connected REDs will perform firmware upgrade
Connected Wifi APs will perform firmware upgrade

News:
Maintenance Release

Bugfixes:
Fix [NUTM-2840]: [AWS] UTM ignores MTU sent by DHCP server
Fix [NUTM-3064]: [AWS] Confd info shows wrong instance_role for ha warm&as
Fix [NUTM-4426]: [AWS] Allow root login with SSH per default on AWS
Fix [NUTM-4516]: [AWS] factory reset doesn't clean up completly on AWS
Fix [NUTM-1775]: [Access & Identity] 35668: DHCP Broadcast over all RED LAN ports causing wrong IP address assignment
Fix [NUTM-4129]: [Access & Identity] Update OpenSSL in SSLVPN client
Fix [NUTM-4216]: [Access & Identity] STAS related argos coredumps in v9.403
Fix [NUTM-4258]: [Access & Identity] RED15/RED50 standard / split doesn't work if the RED initiates the connection over 3G
Fix [NUTM-4263]: [Access & Identity] [RED] DNS resolution stopped working for RED15 in transparent / split mode after updated to v9.4
Fix [NUTM-4332]: [Access & Identity] Vulnerabilities after deploying RED
Fix [NUTM-4336]: [Access & Identity] RED50 split DNS does not work properly in transparent split mode and static uplink
Fix [NUTM-4342]: [Access & Identity] Since update to 9.4 SSL VPN remote access not working with client with more than one TAP adapter
Fix [NUTM-4387]: [Access & Identity] WARN-070 notfication won't be send if "Drop packets from blocked hosts" is not used
Fix [NUTM-4390]: [Access & Identity] STAS: User network objects are not working as expected in several conditions due to AUA cache bug
Fix [NUTM-4424]: [Access & Identity] red_client fails to reconnect after HA takeover on server UTM
Fix [NUTM-4494]: [Access & Identity] red15: logread debug output on usb stick is circular
Fix [NUTM-4499]: [Access & Identity] [RED Provisioning] Disable RED if its not bound to UTM anymore to avoid push_config
Fix [NUTM-4527]: [Access & Identity] Disable TLS compression in IO::Socket::SSL
Fix [NUTM-4612]: [Access & Identity] Failover back from 3g fallback to WAN is not working
Fix [NUTM-4668]: [Access & Identity] IPv6 AUTO_INPUT table empty after update to 9.404
Fix [NUTM-3174]: [Basesystem, Network] It is not possible to start the webadmin GUI anymore
Fix [NUTM-1746]: [Basesystem] "Allowed networks for SNMP queries are missing" pop up after first time enabling SNMP
Fix [NUTM-3580]: [Basesystem] SNMPv2c traps contain wrong snmpTrapOID.0
Fix [NUTM-4576]: [Basesystem] SNMP MIB: change descriptors to be standard conformant, add NOTIFICATION-GROUPs
Fix [NUTM-4645]: [Confd, Email] character ">" or "<" for smarthost password will change to "&lt;"
Fix [NUTM-4159]: [Confd] name="FUNCTION_DENY (Zugriff verweigert beim Aufruf der Confd-Funktion 'trigger'.)
Fix [NUTM-3519]: [Email] S/MIME AES256 encrypted mails cannot be decrypted
Fix [NUTM-3856]: [Email] Update Sophos Outlook Add-in to 1.3.1
Fix [NUTM-3132]: [HA/Cluster] Additional address - Assigned to Node feature not working like expected
Fix [NUTM-4661]: [HA/Cluster] postgres database rebuild needs to trigger mdw and repctl
Fix [NUTM-1957]: [Network] 28457: Name resolution not working on HA Slave if BGP is configured
Fix [NUTM-1959]: [Network] 35541: IPFIX not working with SolarWinds
Fix [NUTM-3168]: [Network] IRQd not running - restarted (Value too large for defined data type)
Fix [NUTM-3169]: [Network] changing a bridge with enabled VLAN interface causes bridge to become disabled indefinitely
Fix [NUTM-3761]: [Network] Software UTM fails to complete booting process after updating to version 9.4
Fix [NUTM-4026]: [Network] MTU change on a VLAN interface leads to MTU change of the real interface
Fix [NUTM-3304]: [Release Management] nic-naming: Provide a fix for delayed 210r2 software support
Fix [NUTM-4660]: [Release Management] HyperV u2d hook for NUTM-3028 was not included in 9.404
Fix [NUTM-2059]: [WAF] Multi-threading race condition causes "AH01842: decrypt session failed, wrong passphrase?" errors
Fix [NUTM-4122]: [WAF] Issue with URL hardening
Fix [NUTM-4362]: [WAF] Creating AUTO_OUTPUT rules for all real webserver IPs in autoscaling group fails
Fix [NUTM-4385]: [WAF] Webserver Protection reporting doesn't work / no entries for WAF in reporting database
Fix [NUTM-4582]: [WebAdmin] Unable to select the WAN interface with the initial setup wizard of v9.4xx
Fix [NUTM-2418]: [Web] HTTP proxy core dump on confd
Fix [NUTM-3110]: [Web] Proceed button not working when authentication is set to browser for warn pages
Fix [NUTM-3404]: [Web] Unable to load YouTube when YouTube for schools is enabled
Fix [NUTM-3485]: [Web] HTTP Proxy profile matching doesn't work for DNS groups which contain IPv6 addresses
Fix [NUTM-3920]: [Web] Sandbox: cleaning up old data in TransactionLog on slave nodes raises postgres errors
Fix [NUTM-4053]: [Web] Unknown repeatingly log line: 2016:05:09-08:46:47 utm-1 [user:notice] "
Fix [NUTM-4141]: [Web] sandboxd should use upstream proxy
Fix [NUTM-4163]: [Web] Httpproxy EpollWorker segfault in strncmp () from /lib/libc.so.6
Fix [NUTM-4295]: [Web] STAS is not working as expected together with httproxy
Fix [NUTM-4381]: [Web] Malicious file with patience page does not give -3 message in http.log
Fix [NUTM-4412]: [Web] Policies tab under Web Procetion -> Web Filtering won't be displayed correctly
Fix [NUTM-4152]: [WiFi] RED15w not broadcasting TKIP networks
Fix [NUTM-4190]: [WiFi] SMC MAC filters aren't applied by local wifi
Fix [NUTM-4425]: [WiFi] awed unable to process connections timely
Fix [NUTM-4596]: [WiFi] Awed leak sockets leads to no more AP's are accepted

RPM packages contained:
client-openvpn-9.40-14.gada5e18.rb2.noarch.rpm
firmware-wifi-9400-0.230200226.g80f1105.rb8.i586.rpm
firmware-wifi-stable-9400-0.234966053.ge8e6d3b.rb4.i586.rpm
irqd-0.7.0-1.0.228416290.g7ef8e7e.rb4.i686.rpm
modauthnzaua-9.40-79.ge1b2593.rb2.i686.rpm
modsecurity2-2.7.4-277.gb6f5bdf.rb5.i686.rpm
perf-tools-3.12.48-0.233766410.gba768e5.rb4.i686.rpm
perl-IO-Socket-SSL-1.953-1.659.g2559319.rb8.noarch.rpm
red-firmware2-5031-0.235131781.g7987f42.rb1.noarch.rpm
red15-firmware-5031-0.235131857.g877fd69.rb3.noarch.rpm
sophos-wifi-0.1-1.0.230200323.gb9ecf2f.rb1.i686.rpm
ulogd-2.1.0-132.g5c62b7f.rb8.i686.rpm
ep-aua-9.40-28.gbdc3665.rb5.i686.rpm
ep-awed-9.40-51.g7997621.rb2.i686.rpm
ep-branding-ASG-afg-9.40-40.g8d42bae.rb4.noarch.rpm
ep-branding-ASG-ang-9.40-40.g8d42bae.rb4.noarch.rpm
ep-branding-ASG-asg-9.40-40.g8d42bae.rb4.noarch.rpm
ep-branding-ASG-atg-9.40-40.g8d42bae.rb4.noarch.rpm
ep-branding-ASG-aug-9.40-40.g8d42bae.rb4.noarch.rpm
ep-confd-9.40-693.g02eb320.i686.rpm
ep-confd-tools-9.40-651.g9244f52.rb11.i686.rpm
ep-endpoint-0.5-0.231441348.g608e799.rb4.i686.rpm
ep-ha-9.40-11.g2b0cc80.rb4.i686.rpm
ep-mdw-9.40-430.g6c953e6.rb9.i686.rpm
ep-notifier-9.40-11.ga2aa9a0.rb2.i686.rpm
ep-postgresql92-9.40-39.g8fd6d3f.rb2.i686.rpm
ep-red-9.40-14.gcc09a45.rb2.i686.rpm
ep-repctl-0.1-0.234283635.g8de5bc3.rb2.i686.rpm
ep-sandboxd-9.40-0.230949944.g3f3aef2.rb4.i686.rpm
ep-tools-9.40-1.gde2fb4c.rb2.i686.rpm
ep-utm-watchdog-9.40-5.g8e7d9f6.rb1.i686.rpm
ep-webadmin-9.40-632.g5c65d26.rb9.i686.rpm
ep-webadmin-contentmanager-9.40-39.gf509182.rb4.i686.rpm
ep-cloud-ec2-9.40-14.g764066d.rb2.i686.rpm
ep-chroot-dhcpc-9.40-2.gbc69780.rb7.noarch.rpm
ep-chroot-quagga-9.40-0.200137106.g6b2c195.rb9.noarch.rpm
ep-chroot-smtp-9.40-94.gd009606.rb2.i686.rpm
chroot-httpd-2.4.18-0.gaf88f5f.rb6.i686.rpm
chroot-reverseproxy-2.4.10-229.g9a46f65.rb2.i686.rpm
ep-httpproxy-9.40-343.g821fcb5.rb7.i686.rpm
quagga-chroot-0.99.23-336.gaff9cd8.rb9.i686.rpm
kernel-smp-3.12.48-0.233766410.gba768e5.rb6.i686.rpm
kernel-smp64-3.12.48-0.233766410.gba768e5.rb6.x86_64.rpm
ep-release-9.405-5.noarch.rpm



This thread was automatically locked due to age.
Parents
  • I've been a home user for many years, since ASG 4-5 i think?, and as home user, I know my limitation as far as support is concerned. However, even if only home user(s), we are a valuable pool of resources for information when things go south. Astaro didn't come this far by all paid support; there were/are many home users who put in tons of hours helping with troubleshooting, debugging, and doing RCAs.

    Yes, we're home users, we're free, we're cheap but we help out, too, and we should not be readily discounted or treated less when we have concerns or issues, even if sometimes we look like we're spoiled.

    This particular issue hasn't been too painful for me since I was able to restore from backup and got me back to a current version without that MTU problem. I like that about Sophos; the simplicity to revert back using a backup and get me up and running in short time.

    I'll continue to use Sophos fw and help where I can...besides, every FW appliance/software out there have their own problems too. : )

  • Home users have done a great job for Sophos, and is still doing it - that's also why my company started selling it - UTM was free to test out! :-)

    Sashing Gurung has just responded here, so fix is underway:

    https://community.sophos.com/products/unified-threat-management/f/52/t/79288

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician

  • Sashing Gurung responded - community.sophos.com/.../79208

    "To all, the workaround on this issue is to disable "Pharming" in the Web Protection > Filtering options > Misc >  Pharming."

    Is anyone tried if this MTU issue is related with above setting?

  • Rok said:

    Sashing Gurung responded - community.sophos.com/.../79208

    "To all, the workaround on this issue is to disable "Pharming" in the Web Protection > Filtering options > Misc >  Pharming."

    Is anyone tried if this MTU issue is related with above setting?

    Pharming disabled does not help the MTU DHCP challenge. There is no reason for it to help, but I tested non the less.
    The DHCP MTU challenge comes from the DHCP client accepting a valid, but badly configured, MTU value from the DHCP server.
    A MTU of 576, as most have been getting, is a very bad combination with VPN's.
    I'm having a hard time seeing how Pharming protection can provide challenges for a VPN establishment, except if the implementation is very bad.
Reply
  • Rok said:

    Sashing Gurung responded - community.sophos.com/.../79208

    "To all, the workaround on this issue is to disable "Pharming" in the Web Protection > Filtering options > Misc >  Pharming."

    Is anyone tried if this MTU issue is related with above setting?

    Pharming disabled does not help the MTU DHCP challenge. There is no reason for it to help, but I tested non the less.
    The DHCP MTU challenge comes from the DHCP client accepting a valid, but badly configured, MTU value from the DHCP server.
    A MTU of 576, as most have been getting, is a very bad combination with VPN's.
    I'm having a hard time seeing how Pharming protection can provide challenges for a VPN establishment, except if the implementation is very bad.
Children
No Data