Release Notes CSG 7.2.30

Collax Security Gateway
16.07.2024

Installation Notes

Update Instructions

To install this update, please follow these steps:

Procedure

  1. It is highly recommended to back up all server data with the Collax backup system before proceeding. Check that the backup was successful before starting the update (the backup information email shows this).
  2. In the administration interface go to Menu → Software → System Update and press Get Package List. This downloads the list of available update packages. If successful, the message Done! is displayed on the screen.
  3. Click Get Packages to download the update packages.
  4. Click Install. This installs the update. The end of this process is indicated by the message Done!.
  5. A new kernel will now be installed. The system reboots automatically after installing the update. An appropriate note is shown when the update process is complete.

New in this version

Let’s Encrypt - Automatic port opening

Let’s Encrypt is a certification authority that offers free X.509 certificates for SSL encryption. Activating the account requires the HTTP port to be reachable from the Internet for the challenge-response procedure, and the activation opens it accordingly. The Collax server carries out the renewal process automatically. As soon as a renewal takes place, the HTTP port 80/TCP on the firewall is temporarily opened for external access and closed again immediately after completion.

Let’s Encrypt - Country blocking

Let’s Encrypt could collide with the country block. However, we have found a clever solution. Let’s Encrypt carries out the challenge-response procedure for renewing a certificate from globally distributed servers, and for security reasons the locations of these servers are not disclosed. A country block could therefore prevent the certificates from being renewed.

With this update, the firewall will only open port 80 during the renewal process and close it again immediately afterwards. The port will be opened for all IP addresses regardless of the country block.

Mail: Port 465 now uses SMTPS

Outgoing emails can be sent via a relay server. Providers usually offer ports 25 and 587 with the StartTLS procedure. Port 465, on the other hand, is used for sending via SMTPS. With this release, Collax servers use SMTPS when port 465 is configured. The “Test e-mail” button in the “Usage guidelines → Administrator” form for receiving status e-mails has also been adjusted accordingly.
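The difference between the two modes is easiest to see on the wire: on port 465 the TLS handshake is the very first thing the client sends, whereas on ports 25 and 587 the client first reads a plaintext banner, sends EHLO, and issues STARTTLS before the handshake. The following PowerShell function is an added example, not code from Collax, that probes a relay on a given port in the mode that port expects and reports the negotiated TLS protocol and cipher. The relay name `smtp.example.invalid` and the EHLO name are placeholders; a relay that still expects STARTTLS on 465 will make the handshake fail, which is exactly the mismatch this release fixes.

```powershell
# Added example, not part of the Collax release notes: probe a mail relay to
# confirm which TLS mode a port expects. Port 465 is SMTPS (implicit TLS): the
# TLS handshake happens before any SMTP dialogue. Ports 25 and 587 start in
# plaintext and switch to TLS only after the STARTTLS command.
function Test-SmtpRelayTls {
    param(
        [Parameter(Mandatory)] [string] $RelayHost,
        [Parameter(Mandatory)] [int]    $Port,
        [string] $EhloName = 'csg.example.invalid'   # assumed local host name
    )

    $tcp    = New-Object System.Net.Sockets.TcpClient($RelayHost, $Port)
    $stream = $tcp.GetStream()
    $ascii  = [System.Text.Encoding]::ASCII
    $mode   = if ($Port -eq 465) { 'SMTPS (implicit TLS)' } else { 'STARTTLS' }

    if ($Port -ne 465) {
        # Plaintext phase: banner, EHLO, then ask the relay to upgrade.
        $reader = New-Object System.IO.StreamReader($stream, $ascii)
        $writer = New-Object System.IO.StreamWriter($stream, $ascii)
        $writer.NewLine   = "`r`n"
        $writer.AutoFlush = $true

        $banner = $reader.ReadLine()
        if (-not $banner.StartsWith('220')) { throw "Unexpected banner: $banner" }

        $writer.WriteLine("EHLO $EhloName")
        $offersStartTls = $false
        do {
            # EHLO replies are multi-line: "250-..." continues, "250 ..." ends.
            $line = $reader.ReadLine()
            if ($line -match '^250[ -]STARTTLS') { $offersStartTls = $true }
        } while ($line -and $line.Length -gt 3 -and $line[3] -eq '-')
        if (-not $offersStartTls) { throw "Relay does not offer STARTTLS on port $Port" }

        $writer.WriteLine('STARTTLS')
        $reply = $reader.ReadLine()
        if (-not $reply.StartsWith('220')) { throw "STARTTLS refused: $reply" }
    }

    # TLS handshake on the raw stream; on 465 this is the first thing sent.
    $ssl = New-Object System.Net.Security.SslStream($stream, $false)
    $ssl.AuthenticateAsClient($RelayHost)   # validates chain and host name

    # From here on the SMTP dialogue (on 465: including the banner) is encrypted.
    $sreader = New-Object System.IO.StreamReader($ssl, $ascii)
    $swriter = New-Object System.IO.StreamWriter($ssl, $ascii)
    $swriter.NewLine   = "`r`n"
    $swriter.AutoFlush = $true
    if ($Port -eq 465) {
        $banner = $sreader.ReadLine()
        if (-not $banner.StartsWith('220')) { throw "Unexpected SMTPS banner: $banner" }
    }
    $swriter.WriteLine('QUIT')

    $result = [pscustomobject]@{
        Relay    = $RelayHost
        Port     = $Port
        Mode     = $mode
        Protocol = $ssl.SslProtocol
        Cipher   = "$($ssl.CipherAlgorithm)-$($ssl.CipherStrength)"
        Banner   = $banner
    }
    $ssl.Dispose()
    $tcp.Dispose()
    return $result
}

# Placeholder relay name: compare both modes against the same provider.
Test-SmtpRelayTls -RelayHost 'smtp.example.invalid' -Port 465
Test-SmtpRelayTls -RelayHost 'smtp.example.invalid' -Port 587
```

Running both calls against your provider shows whether 465 really answers with an immediate TLS handshake and whether 587 advertises STARTTLS in its EHLO response; a wrong mode on either port surfaces as a handshake or protocol error rather than a silent fallback to plaintext.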

System Management: Network UPS Tools 2.8.2

This update installs the current release of the Network UPS Tools (NUT) in version nut-2.8.2.

Various software packages have been updated in this release. In addition to security-related updates, general maintenance updates were also applied.

The updates and bug fixes affect the following packages:

  • Apache: 2.4.59
  • OpenSSL: patches
  • Squid: 6.10
  • Ghostscript: patches

Problems fixed in this version

System management: Linux kernel 6.6.32 and SMB protocols

A bug in the previous kernel led to increased resource consumption and higher server load in certain installations, up to a complete standstill when backing up large files to SMB-based backup targets (classic NAS). Only backups that used the older protocol versions SMB1 and SMB2 were affected. Servers with the newer SMB3, which has been supported since Windows 8 and Windows Server 2012, were not affected. We would like to take this opportunity to once again strongly advise against using SMB1, as this older protocol has known security vulnerabilities that may be associated with ransomware and other malware. We therefore strongly recommend that you check your backup targets (NAS) accordingly. SMB3 also supports AES-based encryption of the data transfer and can combine multiple SMB operations into a single request.

The Linux Kernel 6.6.32 is installed with this update.
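Checking a backup target, as the note above recommends, means finding out which dialect each client actually negotiates and whether SMB1 is still switched on. The following PowerShell function is an added example, not part of the Collax release notes, for a Windows server (or a Windows-based NAS that exposes the SmbShare module, available since Windows 8 and Windows Server 2012) that serves as a backup target. It reports every session's negotiated dialect, flags anything below SMB3 as legacy, and can optionally disable SMB1 and enforce SMB3 encryption; both remediation switches are opt-in and need an elevated shell. Linux-based NAS appliances have their own configuration and are not covered by this example.

```powershell
# Added example, not part of the Collax release notes: inventory the SMB
# dialects in use on a Windows backup target and optionally harden it.
function Get-SmbTargetReport {
    [CmdletBinding()]
    param(
        [switch] $DisableSmb1,        # also turn SMB1 off on the server
        [switch] $RequireEncryption   # also enforce SMB3 AES encryption
    )

    $server = Get-SmbServerConfiguration

    # Server-wide switches: is SMB1 enabled at all, is encryption enforced?
    $serverNote = if ($server.EnableSMB1Protocol) { 'SMB1 enabled: disable it' } else { 'SMB1 disabled' }
    [pscustomobject]@{
        Item      = '(server)'
        Dialect   = '-'
        Encrypted = $server.EncryptData
        Legacy    = [bool] $server.EnableSMB1Protocol
        Note      = $serverNote
    }

    # One row per client session with the dialect that was really negotiated
    # (e.g. "3.1.1", "3.02", "2.1"); anything below major version 3 is legacy.
    foreach ($s in Get-SmbSession) {
        $major = 0
        if ($s.Dialect -match '^(\d+)') { $major = [int] $Matches[1] }
        $note = if ($major -eq 0)  { 'dialect unknown' }
                elseif ($major -lt 3) { 'below SMB3: migrate this client' }
                else { 'ok' }
        [pscustomobject]@{
            Item      = $s.ClientComputerName
            Dialect   = $s.Dialect
            Encrypted = $s.EncryptData
            Legacy    = ($major -gt 0 -and $major -lt 3)
            Note      = $note
        }
    }

    # Remediation only when explicitly requested.
    if ($DisableSmb1 -and $server.EnableSMB1Protocol) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if ($RequireEncryption -and -not $server.EncryptData) {
        Set-SmbServerConfiguration -EncryptData $true -Force
    }
}

# Report only; add -DisableSmb1 and/or -RequireEncryption to remediate.
Get-SmbTargetReport | Format-Table -AutoSize
```

Run the report while a backup from the Collax server is in progress so that its session appears in the list; a dialect of 1.x or 2.x on that row is the case the kernel bug affected and the one to move to SMB3 on the NAS side.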

Network: RegreSSHion

Security researchers have discovered a critical vulnerability in the OpenSSH server and published it under the name “RegreSSHion”. The vulnerability, a race condition in the signal handler of sshd, allows remote code execution (RCE) with root privileges. This software update installs the package ssh_9.3p2, which closes the vulnerability.

Network: Fixing rare DNS dropouts after configuration changes

Changes made in the web interface are not applied to the system immediately. Instead, a configuration must be explicitly “activated”. This makes it possible to build a complex configuration via the web interface and then activate it as a whole. Due to an anomaly in the DNS server BIND, activation could in rare cases disrupt the DNS service. This software update installs the package bind-9.18.27.

Notes

Additional software: Bitdefender - Proxy for updates

The virus pattern updates are carried out according to a fixed cycle. It is currently not possible to use an HTTP proxy for the pattern update of the Bitdefender virus and spam filter.

Additional software: Bitdefender - pattern update after commissioning

After starting up the Collax Antivirus powered by Bitdefender module, it may take a few minutes for the current virus patterns to be downloaded. If you click Update Bitdefender in the virus scanner form during this time, you will receive the error message “Error connecting to server at /opt/lib/bitdefender//bdamsocket: -3”, because the background process has not yet completed.

GUI: Sporadic hangs during running jobs

The progress of configuration jobs is displayed in the top right-hand corner of the web administration. With extensive changes in the network area, especially with country blocks (GeoIP), the job display can in rare cases hang during activation. As of release 7.2.28, the message “Network connection has been interrupted: Messages may be lost until the connection can be re-established.” informs you of such situations.

VPN: Fix for IKEv2 with Microsoft Windows being interrupted after 7.6 hours

VPN connections with IKEv2 and the on-board tools of Microsoft Windows are interrupted after exactly 7.6 hours. The error occurs because Microsoft Windows proposes different algorithms during the IKE rekeying than during the initial connection. The problem can be solved with a registry fix that sets the value “NegotiateDH2048_AES256” under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters to 1.

Under the following link you will find a REG file (registry entry) that adds this registry value. Collax accepts no liability for system errors resulting from this.
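The same change can be made without importing a REG file. The following PowerShell function is an added example, not the REG file the notes refer to and not Collax code: it creates or updates the DWORD value named above with the value 1 that the notes prescribe, skips the write when it is already set, and returns the value read back from the registry. It must run in an elevated PowerShell on the Windows VPN client; the restart of the Remote Access Connection Manager service at the end is an assumption on how to pick up the change without a reboot and will drop an active VPN connection, which then has to be re-established.

```powershell
# Added example, not part of the Collax release notes: set the RasMan value
# named in the notes so that Windows keeps the same IKEv2 proposal on rekey.
$RasManParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
$ValueName    = 'NegotiateDH2048_AES256'

function Set-Ikev2NegotiateValue {
    [CmdletBinding(SupportsShouldProcess)]
    param([int] $Value = 1)   # 1 is the value the release notes prescribe

    if (-not (Test-Path $RasManParams)) {
        throw "Registry key not found: $RasManParams"
    }

    # Read the current value (absent if the fix was never applied).
    $current = (Get-ItemProperty -Path $RasManParams -Name $ValueName `
                -ErrorAction SilentlyContinue).$ValueName
    if ($current -eq $Value) {
        Write-Verbose "$ValueName is already $Value; nothing to do"
        return $current
    }

    if ($PSCmdlet.ShouldProcess("$RasManParams\$ValueName", "set DWORD to $Value")) {
        # -Force both creates a missing value and overwrites an existing one.
        New-ItemProperty -Path $RasManParams -Name $ValueName `
            -PropertyType DWord -Value $Value -Force | Out-Null
    }

    # Return what is actually stored so the caller can verify the write.
    return (Get-ItemProperty -Path $RasManParams -Name $ValueName).$ValueName
}

# Apply (use -WhatIf first to see the intended write without performing it).
$stored = Set-Ikev2NegotiateValue -Verbose
"$ValueName is now $stored"

# Assumption: restarting RasMan applies the change without a reboot; this
# drops any active VPN connection, so reconnect afterwards.
Restart-Service -Name RasMan -Force
```

Running the function a second time reports that the value is already set and performs no write, so it is safe to include in a login or configuration-management script that runs repeatedly.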