Release Notes CSG 7.1.8
Collax Security Gateway
28.11.2019
Installation Notes
Update Instructions
To install this update, follow these steps:
Procedure
- It is highly recommended to back up all server data with the Collax backup system before proceeding. Check that the backup was successful before proceeding with the update (this can be done within the backup information email).
- In the administration interface go to System → System Operation → Software → System Update and press Get Package List. This will download the listed update packages. If successful, the message Done! will be displayed on the screen.
- Click Get Packages to download the update packages.
- Click Install. This installs the update. The end of this process is indicated by the message Done!
- A new kernel will now be installed. The system will reboot automatically after installing the update. An appropriate note will be shown when the update process is completed.
New in this Version
New Add-on module - Collax Central
With this version, the new add-on module “Collax Central” is available. It helps to keep track of all Collax servers, makes administration easier and points out emerging problems early on. The Collax Central Dashboard is a tool that makes administration efficient and is the place where all the threads come together. Problems in a large server landscape can be recognized at a glance, and sporadic and regular maintenance tasks can be handled quickly. Collax Central is available as a module for the Collax C servers (e.g. Collax Business Server). If you are interested, please contact your dealer, distributor or Collax distributor.
VPN: Distribution of CRLs via OCSP or CRL URL
Previously, CRLs had to be distributed to the respective servers individually, by exporting and importing them after each change. With the new options OCSP URL and CRL URL, the CRLs can be distributed automatically. Either an existing OCSP server on the network can be used, or a CRL URL is generated and configured together with the certificates on the participating servers. Currently this function is supported only by the local service for IPsec VPN (IKEv1, IKEv2).
System Management: Linux Kernel 4.9.202
This update installs Linux kernel 4.9.202.
File: Samba 4.9
Samba has been updated to the new version 4.9. The Samba developers have, among other things, closed critical security holes.
Issues Fixed in this Version
Security: Important security-relevant System Components
This update will also install/update the following important system components:
- libxslt 1.1.33
- sqlite 3.28.0
- Apache Tomcat 9.0.22
- libexpat
- Curl 7.65.3
- Apache 2.4.41
- PHP 7.2.23
- OpenLDAP 2.4.48
- libsasl2 2.1.27
- microcode-20191115
- heimdal kerberos libraries
CVE-2019-11068 CVE-2019-13117 CVE-2019-13118 CVE-2019-5018 CVE-2019-8457 CVE-2019-9936 CVE-2019-9937 CVE-2019-10072 CVE-2019-0221 CVE-2019-0232 CVE-2018-20843 CVE-2019-15903 CVE-2019-5435 CVE-2019-5436 CVE-2019-10081 CVE-2019-9517 CVE-2019-10098 CVE-2019-10092 CVE-2019-10097 CVE-2019-10082 CVE-2019-11042 CVE-2019-11041 CVE-2019-13057 CVE-2019-13565 CVE-2018-16860 CVE-2019-12098 CVE-2018-12207 CVE-2019-11135 CVE-2018-16860 CVE-2019-12098
Security: SWAPGS
Experts have discovered critical security holes. SWAPGS refers to an attack on Intel processors, much like Meltdown and Spectre.
Assigned Common Vulnerabilities and Exposures (CVE) number:
Security: Intel has fixed security holes
Experts have discovered and fixed critical security holes on Intel processors.
See here.
Collax Advanced Networking: Brute Force Protection: Status
In the brute force protection status dialog, blocked IP addresses are listed. This dialog is located under Status / Maintenance → Status → Brute Force Protection Status. Under certain circumstances, opening the dialog could result in a timeout. This behavior is fixed with this update.
VPN: VPN connection after certificate update
The VPN component Charon showed unexpected behavior: VPN connections using a certificate renewed by Let’s Encrypt were not reloaded, so the connection could no longer be established. With this update, the renewed certificate is reread for the connection.
System Management: Amavis - Recipient notification
AMaViS (A Mail Virus Scanner) is a high-performance and reliable interface between the mailer (MTA) and one or more virus scanners. If infected or unverifiable messages are detected, it can be configured whether the recipient receives a warning via e-mail. Due to an error in the configuration file, Amavis set the sender domain of the recipient notification incorrectly, causing certain e-mail servers not to accept the message. This is fixed with this release.
Notes
E-Mail: Avira AntiVir prior to Version 7.1.6
Avira has carried out an automatic update of its core components. In this context, a new library dependency was added that cannot be resolved the next time the virus scanner is started. As a result, the virus scanner no longer works once it is restarted by a reboot or a configuration change. For security reasons, e-mails will then no longer be delivered. To solve the problem, please update your server to version 7.1.6. Note: As long as the virus scanner is not restarted, it works in its entirety.