Release Notes CSG 7.0.8

Collax Security Gateway
28.06.2017

Installation Notes

Update Instructions

To install this update, please follow these steps:

Procedure

  1. It is highly recommended to back up all server data with the Collax backup system before proceeding. Check that the backup was successful before proceeding with the update (this can be done within the backup information email).
  2. In the administration interface go to System → System Operation → Software → System Update and press Get Package List. This will download the listed update packages. If successful, the message Done! will be displayed on the screen.
  3. Click Get Packages to download the update packages.
  4. Click Install. This installs the update. The end of this process is indicated by the message Done!.
  5. A new kernel will now be installed. The system will reboot automatically after installing the update. An appropriate note will be shown when the update process is completed.

New in this Version

VPN: Integration of OpenVPN

With this Collax software update, support for OpenVPN is implemented through the Collax administration interface. If OpenVPN has already been installed before, the update to OpenVPN 2.4.3 will be installed through the system update. When installing from version 5.8.100 through version 7, OpenVPN has to be removed first. Then you can install the new Collax acn. Please remember to activate the whole configuration.

System Management: expiry date of CRL

A CRL (Certificate Revocation List) is a blacklist of certificates that were signed by a CA but revoked before their expiry date. The dialog Usage Policy -> Certificates -> X.509 Certificates can be used to generate a CRL for a CA administered on the system. The CRL is then automatically used by all local services. Within this service, the expiry date is set to 3650 days for newly generated CRLs.
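To confirm the validity window of a generated CRL, the following added example (not part of the original release notes or of Collax software) parses the output of `openssl crl -noout -lastupdate -nextupdate` and reports the CRL lifetime and remaining days. The file name `crl.pem` and the sample dates are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample of the output of:
#   openssl crl -in crl.pem -noout -lastupdate -nextupdate
# (crl.pem is a placeholder name; the dates are made up, 3650 days apart)
SAMPLE = "lastUpdate=Jun 28 09:00:00 2017 GMT\nnextUpdate=Jun 26 09:00:00 2027 GMT\n"

def parse_crl_dates(text):
    """Return {'lastUpdate': datetime, 'nextUpdate': datetime or None} in UTC."""
    dates = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or key not in ("lastUpdate", "nextUpdate"):
            continue
        if value.strip() == "NONE":      # openssl prints NONE for an absent field
            dates[key] = None
            continue
        parts = value.split()            # also collapses the "Jun  8" day padding
        if parts[-1] == "GMT":
            parts = parts[:-1]
        stamp = datetime.strptime(" ".join(parts), "%b %d %H:%M:%S %Y")
        dates[key] = stamp.replace(tzinfo=timezone.utc)
    if dates.get("lastUpdate") is None:
        raise ValueError("no lastUpdate field found")
    dates.setdefault("nextUpdate", None)
    return dates

def crl_status(text, now=None):
    """Summarise the CRL validity window relative to 'now' (UTC)."""
    now = now or datetime.now(timezone.utc)
    d = parse_crl_dates(text)
    last, nxt = d["lastUpdate"], d["nextUpdate"]
    if nxt is None:                      # no nextUpdate: nothing to expire
        return {"lifetime_days": None, "days_left": None, "expired": False}
    return {
        "lifetime_days": (nxt - last).days,   # 3650 for the sample above
        "days_left": (nxt - now).days,
        "expired": now >= nxt,
    }

if __name__ == "__main__":
    print(crl_status(SAMPLE))
```
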

Issues Fixed in this Version

Security: Stack Clash Attack

A security advisory describes various security flaws. These holes have been published as the “Stack Clash” and are fixed within this release. Various patches for the kernel and the C library glibc are included with this software update.

Assigned Common Vulnerabilities and Exposures (CVE) numbers:

CVE-2017-1000364 CVE-2017-1000365 CVE-2017-1000366 CVE-2017-1000367 CVE-2017-6891

Security: patched Kernel 4.4.70

Several flaws regarding “The Stack Clash” were detected in the kernel. This update installs a patched kernel 4.4.70 where these flaws are fixed.

Security: Bug in Intel Skylake/Kaby Lake processors

Systems with the Intel processors code-named “Skylake” and “Kaby Lake” could, in some situations, dangerously misbehave. For Intel Skylake processors, this issue is fixed by the microcode update microcode-20170511 included in this update. When using Kaby Lake processors, it’s recommended to disable Hyper-Threading in the BIOS.

Security: Strongswan IKE Daemon for VPN Connections

Security holes have been discovered in the source code of Strongswan, the IKE daemon for VPN connections. These holes are closed with this software update to Strongswan version 5.5.3.

Assigned Common Vulnerabilities and Exposures (CVE) numbers:

CVE-2017-9022 CVE-2017-9023

Security: Archive Manager unrar

Security holes have been discovered in the source code of unrar. These holes are closed with this software update to unrar 5.5.5. See CVE-2012-6706.

GUI: Display of System Log Files

The action “Display” located under Monitoring/Analysis → Log Files → System Log Files displays the log-file entries. Due to a change in the program loggrep, the log-file entries couldn’t be displayed under certain circumstances for a specific interval. With this release the view is fixed.

Notes

Hardware: Boot Setup for HP/Compaq Smart Array Controllers

The existing Smart Array CCISS driver is replaced with the new HP Smart Array SCSI (HPSA) driver during the upgrade. If an HP/Compaq Smart Array controller is used, the correct device is selected within this update.