
Sophos UTM 9.408-4 released


Up2Date 9.408004 package description:

Remarks:
System will be rebooted
Configuration will be upgraded
Connected REDs will perform firmware upgrade

News:
Maintenance Release

Bugfixes:
Fix [NUTM-5349]: [AWS] Restore fails if UTM is created with backup file in user data
Fix [NUTM-5466]: [AWS] ssh disabled - No connection to stack instances
Fix [NUTM-5546]: [AWS] UTM Cloud Update does not work in GovCloud
Fix [NUTM-5654]: [AWS] Conversion should not be visible for HA and AS
Fix [NUTM-3203]: [Access & Identity] [RED] If creation of RED device fails, certificates are not deleted
Fix [NUTM-4948]: [Access & Identity] [RED] Enabling wireless on RED15w causes 'link down'
Fix [NUTM-5068]: [Access & Identity] [RED] TCP Vulnerability (CVE-2016-5696)
Fix [NUTM-5173]: [Basesystem] Memory (swap) leak in RAID monitor
Fix [NUTM-5407]: [Basesystem] OpenSSL security update (1.0.1u)
Fix [NUTM-5461]: [Basesystem] BIND Security update (CVE-2016-2776)
Fix [NUTM-5714]: [Basesystem] CVE-2016-5195 - Linux Kernel - Dirty Cow
Fix [NUTM-3042]: [Configuration Management] Advanced Threat Protection page error when login as Network Protection Auditor
Fix [NUTM-4215]: [Documentation, Email] POP3 Proxy reporting source IP of 0.0.0.0
Fix [NUTM-4840]: [Email] Email is automatically released after timeout from Sandstorm
Fix [NUTM-5285]: [Email] SMTP file extension filter is case sensitive
Fix [NUTM-5599]: [Email] Mails with the same recipient set twice lead to corrupt mail queue
Fix [NUTM-4938]: [Endpoint] Customers who expand their EP license do not get EP Protection enabled
Fix [NUTM-5049]: [Endpoint] Liveconnect Connectivity Issue
Fix [NUTM-4400]: [HA/Cluster] pg_ctl: PID file "/var/storage/pgsql92/data/postmaster.pid" does not exist
Fix [NUTM-3158]: [Kernel] Kernel freeze when running Web Proxy in full transparent mode
Fix [NUTM-3490]: [Network] Ethernet Bridge with dynamic IP loses connectivity after IP renewal
Fix [NUTM-4592]: [Network] OSPF: SSL VPN route injection still not working in 9.404
Fix [NUTM-5147]: [Network] Kernel panic on several SG135 - Kernel Fixes
Fix [NUTM-5542]: [SUM] Availability Group is unresolved after it was re-deployed without a real change
Fix [NUTM-5207]: [Sandboxd] Sandbox error when downloading a file with an umlaut in file name
Fix [NUTM-5209]: [Sandboxd] sandboxd is unable to open database file due to wrong ownership
Fix [NUTM-4816]: [Up2Date] Up2Date downloader logs errors in uplink balancing setups
Fix [NUTM-488]: [Virtualization] Fix unstable NIC ordering on VMware
Fix [NUTM-5334]: [WebAdmin] Authenticated users might gain access to stored passwords (CVE-2016-7397, CVE-2016-7442)
Fix [NUTM-4167]: [Web] Web Protection Reporting filtered by departments doesn't provide all data
Fix [NUTM-4806]: [Web] sandboxd is unable to insert into TransactionLog on HA setup
Fix [NUTM-4876]: [Web] URL request to parent proxy seems to be sent as http request instead of https
Fix [NUTM-5136]: [Web] Web proxy in transparent mode removes authentication header
Fix [NUTM-5082]: [WiFi] IPSec traffic is not routed properly if the client is connected over Hotspot
Fix [NUTM-5303]: [WiFi] Characters in Hotspot terms of use not encoded correctly

RPM packages contained:
libopenssl1_0_0-1.0.1k-377.g141d7d0.rb6.i686.rpm
libopenssl1_0_0_httpproxy-1.0.1k-377.g141d7d0.rb6.i686.rpm
libudev0-147-0.84.1.1627.ge0459ac.rb3.i686.rpm
awslogs-agent-1.3-0.239376395.g5d4adea.rb3.noarch.rpm
cm-nextgen-agent-9.40-12.gb09699e.rb2.i686.rpm
openssl-1.0.1k-377.g141d7d0.rb6.i686.rpm
perf-tools-3.12.58-0.242991202.g6d80412.i686.rpm
red-firmware2-5035-0.239114881.gbf961ff.rb1.noarch.rpm
red15-firmware-5035-0.242907480.g0c31ce4.noarch.rpm
udev-147-0.84.1.1627.ge0459ac.rb3.i686.rpm
vmware-tools-10.0.5.3227872-4.ga4d6c51.rb4.i686.rpm
ep-aua-9.40-37.g1ed9537.rb4.i686.rpm
ep-branding-ASG-afg-9.40-48.g7e7ac40.rb4.noarch.rpm
ep-branding-ASG-ang-9.40-48.g7e7ac40.rb4.noarch.rpm
ep-branding-ASG-asg-9.40-48.g7e7ac40.rb4.noarch.rpm
ep-branding-ASG-atg-9.40-48.g7e7ac40.rb4.noarch.rpm
ep-branding-ASG-aug-9.40-48.g7e7ac40.rb4.noarch.rpm
ep-confd-9.40-813.g1f7ad66.rb1.i686.rpm
ep-confd-tools-9.40-759.g324aec8.rb10.i686.rpm
ep-ha-aws-9.40-217.g381995a.rb2.noarch.rpm
ep-logging-9.40-3.gc1acc31.rb2.i686.rpm
ep-mdw-9.40-504.g56eb6d4.i686.rpm
ep-raidtools-9.40-1.gc070d91.rb3.i686.rpm
ep-repctl-0.1-0.239828293.gcd71515.rb3.i686.rpm
ep-restd-9.40-0.243093672.gaf004a9.rb1.i686.rpm
ep-sandboxd-9.40-0.239754530.g04924b1.rb2.i686.rpm
ep-up2date-9.40-15.gacd1c39.rb5.i686.rpm
ep-up2date-downloader-9.40-15.gacd1c39.rb5.i686.rpm
ep-up2date-pattern-install-9.40-15.gacd1c39.rb5.i686.rpm
ep-up2date-system-install-9.40-15.gacd1c39.rb5.i686.rpm
ep-webadmin-9.40-674.gc39ecfa.rb6.i686.rpm
ep-cloud-ec2-9.40-35.ga95c9eb.rb2.i686.rpm
ep-chroot-httpd-9.40-20.g92cce9f.rb4.noarch.rpm
ep-chroot-smtp-9.40-116.g9971304.rb2.i686.rpm
chroot-bind-9.10.4_P3-0.240528799.g5a47ed3.rb5.i686.rpm
chroot-httpd-2.4.18-1.g2b998a8.rb6.i686.rpm
chroot-openvpn-9.40-27.g2d31a41.rb3.i686.rpm
ep-chroot-pop3-9.40-11.g1291cd5.rb2.i686.rpm
ep-httpproxy-9.40-357.g7e74ab8.rb5.i686.rpm
kernel-smp-3.12.58-0.242991202.g6d80412.i686.rpm
kernel-smp64-3.12.58-0.242991202.g6d80412.x86_64.rpm
ep-release-9.408-4.noarch.rpm



  • Yes, MTU issue was addressed in 407. Check its thread for how to implement the fix.

  • I would say it was patched more than fixed. I think a better question would be: do we still need to manually edit files rather than just ticking the box in the GUI? If I apply this update, will I need to edit the network config again?

  • Think you need to fix it with SSH as described... no GUI option to do it for you atm...

    greets

    zaphod
    ___________________________________________

    Home: Zotac CI321 (8GB RAM / 120GB SSD)  with latest Sophos UTM
    Work: 2 SG430 Cluster / many other models like SG105/SG115/SG135/SG135w/...

  • Sophos cannot control what your ISP is delivering in the DHCP options. In every case I have helped on, the ISP was sending the DHCP option to set MTU to 576. The UTM was simply honoring that setting rather than overriding it. If the ISP was not sending it (it is a default setting, they should disable it), it would not need a workaround. I agree, though, it would be nice if you could just set it in the GUI and not have to SSH into the box to address the issue.

  • No one is disputing that the ISP should not be sending the MTU option; however, I would say that this firewall never had issues for years, going back to Astaro days, until someone thought it was needed to start honoring the MTU option from the DHCP servers. I can understand that there may have been a driver to do this, but really, would it have killed them to add an option to disable it if needed through the GUI? It can't be that hard. These ISPs have tons of devices on their network that are not having these issues. The issue is that no ISP is going to turn it off just because Sophos started using it and all their other customers are not and not having issues. They should just add an option in the GUI to enable or disable it so there is no need to go to the console or SSH into the firewall and run some commands to change the object.

    I did upgrade to this latest version and DID NOT have to redo the MTU setting, so it would seem that the upgrade does not overwrite that setting in the object.

  • @MarkMurphy - Isn't that a rather long-worded reply that could have simply been summed up as "we agree"? I am not sure what you read into my response, but we basically said the same thing. Nothing I said was disputed in your post. Nothing I said contradicts anything you said in your post. Amirite? :)

  • No, we agree. Sorry if I misread.