Up2Date 9.408004 package description:
Remarks: System will be rebooted Configuration will be upgraded Connected REDs will perform firmware upgrade
News: Maintenance Release
Bugfixes: Fix [NUTM-5349]: [AWS] Restore fails if UTM is created with backup file in user data Fix [NUTM-5466]: [AWS] ssh disabled - No connection to stack instances Fix [NUTM-5546]: [AWS] UTM Cloud Update does not work in GovCloud Fix [NUTM-5654]: [AWS] Conversion should not be visible for HA and AS Fix [NUTM-3203]: [Access & Identity] [RED] If creation of RED device fails, certificates are not deleted Fix [NUTM-4948]: [Access & Identity] [RED] Enabling wireless on RED15w causes 'link down' Fix [NUTM-5068]: [Access & Identity] [RED] TCP Vulnerability (CVE-2016-5696) Fix [NUTM-5173]: [Basesystem] Memory (swap) leak in RAID monitor Fix [NUTM-5407]: [Basesystem] OpenSSL security update (1.0.1u) Fix [NUTM-5461]: [Basesystem] BIND Security update (CVE-2016-2776) Fix [NUTM-5714]: [Basesystem] CVE-2016-5195 - Linux Kernel - Dirty Cow Fix [NUTM-3042]: [Configuration Management] Advanced Threat Protection page error when login as Network Protection Auditor Fix [NUTM-4215]: [Documentation, Email] POP3 Proxy reporting source IP of 0.0.0.0 Fix [NUTM-4840]: [Email] Email is automatically released after timeout from Sandstorm Fix [NUTM-5285]: [Email] SMTP file extension filter is case sensitive Fix [NUTM-5599]: [Email] Mails with the same recipient set twice lead to corrupt mail queue Fix [NUTM-4938]: [Endpoint] Customers who expand their EP license do not get EP Protection enabled Fix [NUTM-5049]: [Endpoint] Liveconnect Connectivity Issue Fix [NUTM-4400]: [HA/Cluster] pg_ctl: PID file "/var/storage/pgsql92/data/postmaster.pid" does not exist Fix [NUTM-3158]: [Kernel] Kernel freeze when running Web Proxy in full transparent mode Fix [NUTM-3490]: [Network] Ethernet Bridge with dynamic IP looses connectivity after IP renewal Fix [NUTM-4592]: [Network] OSPF: SSL VPN route injection still not working in 9.404 Fix [NUTM-5147]: [Network] Kernel panic on several SG135 - Kernel Fixes Fix [NUTM-5542]: [SUM] Availability Group is unresolved after it was re-deployed without a real change Fix [NUTM-5207]: [Sandboxd] Sandbox error when downloading a file with an umlaut in file name Fix [NUTM-5209]: [Sandboxd] sandboxd is unable to open database file due to wrong ownership Fix [NUTM-4816]: [Up2Date] Up2Date downloader logs errors in uplink balancing setups Fix [NUTM-488]: [Virtualization] Fix unstable NIC ordering on VMWare Fix [NUTM-5334]: [WebAdmin] Authenticated users might gain access to stored passwords (CVE-2016-7397, CVE-2016-7442) Fix [NUTM-4167]: [Web] Web Protection Reporting filtered by departments doesn't provide all data Fix [NUTM-4806]: [Web] sandboxd is unable to insert into TransactionLog on HA setup Fix [NUTM-4876]: [Web] URL request to parent proxy seems to be send as http request instead of https Fix [NUTM-5136]: [Web] Web proxy in transparent mode removes authentication header Fix [NUTM-5082]: [WiFi] IPSec traffic is not routed properly if the client is connected over Hotspot Fix [NUTM-5303]: [WiFi] Characters in Hotspot terms of use not encoded correctly
RPM packages contained: libopenssl1_0_0-1.0.1k-377.g141d7d0.rb6.i686.rpm libopenssl1_0_0_httpproxy-1.0.1k-377.g141d7d0.rb6.i686.rpm libudev0-147-0.84.1.1627.ge0459ac.rb3.i686.rpm awslogs-agent-1.3-0.239376395.g5d4adea.rb3.noarch.rpm cm-nextgen-agent-9.40-12.gb09699e.rb2.i686.rpm openssl-1.0.1k-377.g141d7d0.rb6.i686.rpm perf-tools-3.12.58-0.242991202.g6d80412.i686.rpm red-firmware2-5035-0.239114881.gbf961ff.rb1.noarch.rpm red15-firmware-5035-0.242907480.g0c31ce4.noarch.rpm udev-147-0.84.1.1627.ge0459ac.rb3.i686.rpm vmware-tools-10.0.5.3227872-4.ga4d6c51.rb4.i686.rpm ep-aua-9.40-37.g1ed9537.rb4.i686.rpm ep-branding-ASG-afg-9.40-48.g7e7ac40.rb4.noarch.rpm ep-branding-ASG-ang-9.40-48.g7e7ac40.rb4.noarch.rpm ep-branding-ASG-asg-9.40-48.g7e7ac40.rb4.noarch.rpm ep-branding-ASG-atg-9.40-48.g7e7ac40.rb4.noarch.rpm ep-branding-ASG-aug-9.40-48.g7e7ac40.rb4.noarch.rpm ep-confd-9.40-813.g1f7ad66.rb1.i686.rpm ep-confd-tools-9.40-759.g324aec8.rb10.i686.rpm ep-ha-aws-9.40-217.g381995a.rb2.noarch.rpm ep-logging-9.40-3.gc1acc31.rb2.i686.rpm ep-mdw-9.40-504.g56eb6d4.i686.rpm ep-raidtools-9.40-1.gc070d91.rb3.i686.rpm ep-repctl-0.1-0.239828293.gcd71515.rb3.i686.rpm ep-restd-9.40-0.243093672.gaf004a9.rb1.i686.rpm ep-sandboxd-9.40-0.239754530.g04924b1.rb2.i686.rpm ep-up2date-9.40-15.gacd1c39.rb5.i686.rpm ep-up2date-downloader-9.40-15.gacd1c39.rb5.i686.rpm ep-up2date-pattern-install-9.40-15.gacd1c39.rb5.i686.rpm ep-up2date-system-install-9.40-15.gacd1c39.rb5.i686.rpm ep-webadmin-9.40-674.gc39ecfa.rb6.i686.rpm ep-cloud-ec2-9.40-35.ga95c9eb.rb2.i686.rpm ep-chroot-httpd-9.40-20.g92cce9f.rb4.noarch.rpm ep-chroot-smtp-9.40-116.g9971304.rb2.i686.rpm chroot-bind-9.10.4_P3-0.240528799.g5a47ed3.rb5.i686.rpm chroot-httpd-2.4.18-1.g2b998a8.rb6.i686.rpm chroot-openvpn-9.40-27.g2d31a41.rb3.i686.rpm ep-chroot-pop3-9.40-11.g1291cd5.rb2.i686.rpm ep-httpproxy-9.40-357.g7e74ab8.rb5.i686.rpm kernel-smp-3.12.58-0.242991202.g6d80412.i686.rpm kernel-smp64-3.12.58-0.242991202.g6d80412.x86_64.rpm ep-release-9.408-4.noarch.rpm
Has the MTU issues been fixed yet?????
Yes, MTU issue was addressed in 407. Check it's thread for how to implement the fix.
I would say it was patched more than fixed. I think a better question would be, do we still need to manually edit files rather than just ticking the box in the GUI. If I apply this update will I need to edit the network config again?
think you need to fix it with ssh as described.. no gui option do it for you atm...
greets
zaphod___________________________________________
Home: Zotac CI321 (8GB RAM / 120GB SSD) with latest Sophos UTMWork: 2 SG430 Cluster / many other models like SG105/SG115/SG135/SG135w/...
Sophos cannot control what your ISP is delivering in the DHCP options. I every case I have helped on, the ISP was sending the DHCP option to set MTU to 576. The UTM was simply honoring that setting rather than overriding it. If the ISP was not sending it (it is a default setting, they should disable it), it would not need a workaround. I agree, though, it would be nice if you could just set it in the GUI and not have to SSH into the box to address the issue.
No one is disputing that the ISP should not be sending the MTU option, however I would say that this firewall never had issues for years going back to Astaro days until someone thought it was needed to start honoring the MTU option from the DHCP servers. I can understand that there may have been a driver to do this but really would it have killed them to add an option to disable it if needed through the GUI? It can't be that hard. These ISP's have tones of devices on there network that are not having these issues. The issue is that no ISP is going to turn it off just because Sophos started using it and all there other customers are not and not having issues. They should just add an option in the GUI to enable or disable so there is no need to go to the console of SSH into the firewall and run some commands to change the object.
I did upgrade to this latest version and DID NOT have to re due the MTUI setting so it would seem that upgrade does not over write that setting in the object.
@MarkMurphy - Isn't that a rather long worded reply that could have simply been summed up as "we agree"? I am not sure what you read into my response, but we basically said the same thing. Nothing I said was disputed in your post. Nothing I said contradicts anything you said in your post. Amirite? :)
No we agree. Sorry if I miss read..