Release Notes CSG 7.0.20
Collax Security Gateway
08.02.2018
Installation Notes
Update Instructions
To install this update please follow the following steps:
Procedure
- It is highly recommended to backup of all server data with the Collax backup system before proceeding. Check that the backup was successful before proceeding with the update (this can be done within the backup information email).
- In the administration interface go to System → System Operation → Software → System Update and press Get Package List. This will download the listed update packages. If successful the message Done! will be displayed on the screen.
- Click Get Packages to download the update packages.
- Click Install. This installs the update. The end of this process is indicated by the message Done!.
- A new kernel will now be installed. The system will reboot automatically after installing the update. An appropriate note will be shown if the update process is completed.
New in this Version
GUI: Updatehistory
In the dialog “History” in the menu “Software -> System update” from this release on the date can be seen when which version was installed. The function is available from the update and not retrospectively.
Net: Quality of Service (QoS)
“Quality of Service” (QoS) refers to procedures used to guarantee a specific connection quality for individual services. The increasing use of real-time data connections makes such procedures ever more important. The Collax Server enables the realization of QoS. The implementation is unidirectional, i.e. support by the remote party is not necessary or not possible. QoS is only applied to outgoing data (egress); the receipt of data (ingress) can only be limited. The new function replaces the previous bandwidth management and can be found under “Network -> Links -> QoS”. to be activated.
Issues Fixed in this Version
Security: ClamAV
In the source code of the virus scanner ClamAV security holes have been discovered. These holes will be closed within this software update to the version 0.99.3.
Security: Meltdown and Spectre - Serious processor security hole
Security researchers have discovered massive security holes in processors that were developed by security experts These holes were published under the name Meltdown or Spectre. Meltdown is the vulnerability, that allowed unprivileged processes the reading of kernel memory. Spectre is the security hole that exploits that CPUs execute many commands speculatively in advance, resulting in memory areas, that can be tapped. This update installs a feature against Spectre Variant 2 called Retpoline “Return Trampoline” Support. Information about Retpoline can be found here .
More information on Meltdown and Spectre here .
Security: Internet Domain Name Server Bind
In the source code of the internet domain name server BIND security holes have been discovered. These holes will be closed within this Collax software update to bind 9.9.11-P1
Assigned Common Vulnerabilities and Exposures (CVE) number: CVE-2017-3145
Security: Improved Protection for Cross-site scripting Attacks
Within this Update the Apache directive TraceEnable has been disabled. The TRACE command could be used in XSS attacks and should be disabled. Assigned Common Vulnerabilities and Exposures (CVE) number: CVE-2004-2320
GUI: Event adminpage logout
In the dialog in the menu “Logging / Monitoring -> Event Log”, for certain events, the system can generate an e-mail to the administrator. Due to an error in the program code In the adminpage logout email, no username appeared, as opposed to logging into the system. This update will correct the error.
Notes
E-Mail: Collax Virus Protection powered by Kaspersky prior Version 7
Version 7 of the Collax C servers has updated the anti-virus engine and the format of the patterns. This was done to respond to new threats with the best possible protection. Patterns for versions prior to 7.0.0 will be available until December 31, 2017. From 01.01.2018 Kaspersky will not update the patterns for Collax version 5 and older. All installations using the Collax Virus Protection module should therefore, be brought up to date.