Release Notes CSG 7.2.20
Collax Security Gateway
19.09.2023
Installation Notes
Update Instructions
To install this update, follow these steps:
Procedure
- It is highly recommended to back up all server data with the Collax backup system before proceeding. Check that the backup was successful before proceeding with the update (this can be done within the backup information email).
- In the administration interface go to Menu → Software → System Update and press Get Package List. This will download the listed update packages. If successful the message Done! will be displayed on the screen.
- Click Get Packages to download the update packages.
- Click Install. This installs the update. The end of this process is indicated by the message Done!.
- A new kernel will now be installed. The system will reboot automatically after installing the update. An appropriate note will be shown when the update process is completed.
New in this version
Security: Intel Microcode Update for Downfall
Downfall attacks target a critical vulnerability found in modern processors. Servers based on Intel Core processors from the 6th generation (Skylake) up to and including the 11th generation (Tiger Lake) are affected. This vulnerability, tracked as CVE-2022-40982, allows a user to access and steal data from other users sharing the same computer. Protection requires a microcode update. With this update, the microcode is applied automatically without having to update the BIOS.
The new microcode is updated to microcode-20230512.
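A post-update check, added here as an example and not part of the Collax release notes or product: it classifies the kernel's Downfall status line and confirms that every logical CPU reports the same microcode revision. It assumes the installed kernel exposes the standard Linux sysfs entry `gather_data_sampling` and that shell access to the system is available; the sample input and the revision value in it are constructed.

```python
import re
from pathlib import Path

# Assumption: the running kernel exposes the standard Linux sysfs entry for
# Gather Data Sampling (the kernel's name for Downfall, CVE-2022-40982).
GDS_SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/gather_data_sampling")

def classify_gds(status: str) -> str:
    """Map the sysfs status line to 'ok', 'action-needed' or 'unknown'."""
    status = status.strip()
    if status == "Not affected" or status.startswith("Mitigation:"):
        return "ok"
    if status.startswith("Vulnerable"):
        return "action-needed"  # includes "Vulnerable: No microcode"
    return "unknown"  # e.g. a guest whose state depends on the hypervisor

def microcode_revisions(cpuinfo: str) -> set:
    """Distinct microcode revisions reported per logical CPU in /proc/cpuinfo."""
    pattern = r"^microcode\s*:\s*(0x[0-9a-fA-F]+)"
    return {int(rev, 16) for rev in re.findall(pattern, cpuinfo, re.M)}

def check(status: str, cpuinfo: str) -> dict:
    """Combine both checks; mixed revisions mean some cores missed the load."""
    revs = microcode_revisions(cpuinfo)
    return {
        "gds": classify_gds(status),
        "revisions": sorted(hex(r) for r in revs),
        "consistent": len(revs) == 1,
    }

# Constructed sample input (not taken from a real system).
SAMPLE_CPUINFO = (
    "processor\t: 0\nmodel name\t: Constructed CPU\nmicrocode\t: 0xf4\n\n"
    "processor\t: 1\nmodel name\t: Constructed CPU\nmicrocode\t: 0xf4\n"
)

if __name__ == "__main__":
    if GDS_SYSFS.exists():  # live system
        print(check(GDS_SYSFS.read_text(), Path("/proc/cpuinfo").read_text()))
    else:  # offline demonstration with the constructed sample
        print(check("Mitigation: Microcode", SAMPLE_CPUINFO))
```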
Security: AMD Microcode Update for Zenbleed
Potential security vulnerabilities under the name AMD ‘Zenbleed’ have been discovered in some AMD processors. Therefore it is necessary to update the microcode. With this update this happens automatically without the need to update the BIOS.
The AMD microcode is updated to 20230719.
System Management: Linux Kernel 5.10.194
This update installs the Linux kernel 5.10.194.
Security: Important security-relevant system packages
Security vulnerabilities have been discovered in the source code of important system packages. These are closed with this software update.
The bug fixes apply to the following packages:
- php-7.4.33
- openssh-9.3p2
- redis-6.2.13
- cmake-3.27.4
- poppler-23.08.0
- requests-2.31.0
- Postgresql-15.4
- libwebp-1.2.4
- tiff-4.5.1
- ImageMagick-7.1.1-15
- bind-9.16.43
- ghostscript-10.0.0
- openssl-1.1.1v
- tzdata-2023c
- libxml2: Update to 2.9.14+dfsg-1.3~deb12u1
- cpio: update to 2.12+dfsg-9+deb10u1
- Update to clamav 1.0.2, latest version of LTS
- some security fixes from Debian
Below is an excerpt of the best-known packages and CVE numbers:
- CVE-2022-31631
- CVE-2023-0568
- CVE-2023-0662
- CVE-2022-4900
- CVE-2023-3247
- CVE-2023-38408
- CVE-2017-16516
- CVE-2022-24795
- CVE-2023-33460
- CVE-2023-39417
- CVE-2023-39418
- CVE-2020-35523
- CVE-2020-35524
- CVE-2022-0561
- CVE-2022-0562
- CVE-2022-0865
- CVE-2022-0891
- CVE-2022-0907
- CVE-2022-0908
- CVE-2022-0909
- CVE-2022-0924
- CVE-2022-22844
- CVE-2022-4304
- CVE-2022-4450
- CVE-2023-0215
- CVE-2023-0286
System Management: Monitoring the RAID status on Broadcom controllers
With this release, the StorCli management tool is updated to the current version StorCli SAS Customization Utility Ver 007.2408. Among other things, this improves the monitoring of certain RAID controllers via Active Monitoring.
Additional software: Bitdefender SDK
This version updates the Bitdefender Software Development Kit (SDK) to the latest version 3.3.2.294.
Issues fixed in this version
GUI: Group permission and membership
A bug in the previous version affected the regular expression (regex) used for removing users’ group membership. This regex has been fixed.
SSL VPN: Installations with many users
The SSL-VPN function allows remote access via the user side to a desktop or console in the local network. This is done with the help of the open source software Apache Guacamole. In the Guacamole configuration file, the maximum number of search results that can be returned from a single LDAP query was set too low. In large installations, LDAP queries exceeding this maximum number failed. This has been corrected with this software update.
Two-factor authentication: Accept previous token
To make life easier for users, most 2FA login sites allow the previous token as well. In the new version, we have also implemented this convenience for users.
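How a verifier can accept the previous token without also accepting a replayed one, as an added example that is not Collax's code. It assumes the tokens are RFC 6238 TOTP codes with a 30-second step and HMAC-SHA-1, which the page does not state; `TotpVerifier` is a hypothetical name.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default; an assumption here)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter, zero-padded to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TotpVerifier:
    """Accepts the current and the previous time step, each at most once."""

    def __init__(self, secret: bytes, digits: int = 6):
        self.secret = secret
        self.digits = digits
        self.last_counter = -1  # highest time step already used for a login

    def verify(self, token: str, now: float) -> bool:
        current = int(now) // STEP
        accepted = None
        for counter in (current, current - 1):  # current step, then previous
            if counter < 0:
                continue
            expected = hotp(self.secret, counter, self.digits)
            # Constant-time comparison, and no early exit from the loop, so
            # timing does not reveal which step matched.
            match = hmac.compare_digest(expected.encode(), token.encode())
            if match and accepted is None:
                accepted = counter
        if accepted is None or accepted <= self.last_counter:
            return False  # wrong token, or replay of a step already used
        self.last_counter = accepted  # persist per user in a real deployment
        return True
```

Widening the window to the previous step doubles the number of valid codes at any moment, so the one-time check on `last_counter` and rate limiting of failed attempts matter more than with a single-step window.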
Notes
Additional software: Bitdefender - Proxy for updates
The virus pattern updates are carried out according to a set cycle. For the pattern update of the Bitdefender virus and spam filter, the use of an HTTP proxy is currently not possible.
Additional software: Bitdefender - pattern update after start-up
After the start-up of the Collax Antivirus powered by Bitdefender module, it may take a few minutes until the current virus patterns have been downloaded. If you click on Update Bitdefender in the virus scanner form during this time, an error message “Error connecting to server at /opt/lib/bitdefender//bdamsocket: -3” appears, because the background process has not yet been fully executed.
GUI: Running Jobs Hang Sporadically
The progress of the configuration jobs is displayed in the upper right corner of the web administration. After extensive changes in the network area, especially in the area of country locks (geo-ip), the job display of the activation can hang in rare cases and lead to a timeout. For updates up to release 7.2.14, the message “ipset v7.11: Set cannot be destroyed: it is in use by a kernel component” also appeared, which could lead to uncertainty. The changes are all correctly applied and this is only a cosmetic problem. Until the error is completely fixed, reloading the browser window works around it.
VPN: Fix for IKEv2 with Microsoft Windows breaks after 7.6 hours
VPN connections with IKEv2 and the on-board tools of Microsoft Windows are interrupted after exactly 7.6 hours. The error occurs because Microsoft Windows proposes different algorithms during IKE rekeying than during the first connection. The problem can be solved with a registry fix: set the value “NegotiateDH2048_AES256” under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters to 1.
Under the following link you will find a REG file (registry entry) which adds the registry key. Collax accepts no liability for system errors resulting from this.