Release Notes CPS 7.1.0

Collax Platform Server
28.02.2019

Installation Notes

Update Instructions

To install this update, please follow these steps:

Procedure

  1. It is highly recommended to back up all server data with the Collax backup system before proceeding. Check that the backup was successful before proceeding with the update (this can be done within the backup information email).
  2. In the administration interface go to System → System Operation → Software → System Update and press Get Package List. This will download the listed update packages. If successful the message Done! will be displayed on the screen.
  3. Click Get Packages to download the update packages.
  4. Click Install. This installs the update. The end of this process is indicated by the message Done!.
  5. A new kernel will now be installed. The system will reboot automatically after installing the update. An appropriate note will be shown when the update process is completed.

New in this Version

Authentication: memberOf Attribute

The OpenLDAP package contains a modified version of the nis.schema, which makes it possible to search for the group membership of posixAccounts using the memberOf attribute.

E-Mail: Check recipient address on target server

Starting with this version, the system checks whether the mail server to which the mail is forwarded knows the mail addresses of all recipients. If an address is unknown, the e-mail is rejected. Only if all recipients are known will the e-mail be accepted and forwarded. For verification, an SMTP connection is established and the recipients are queried using the RCPT-TO command. All checks are stored in a cache. A cache entry for a known recipient is valid for 31 days, for an unknown recipient for 3 days.
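
The check and its cache, as described above, sketched as an added example (this is not Collax code). The names RecipientVerifier and smtp_probe, the HELO name relay.example, and the handling of inconclusive replies (not cached, mail deferred) are assumptions; the release notes only state the accept/reject rule and the two cache lifetimes.

```python
import smtplib
import time

DAY = 86400
KNOWN_TTL = 31 * DAY    # release notes: known recipient cached for 31 days
UNKNOWN_TTL = 3 * DAY   # release notes: unknown recipient cached for 3 days


def smtp_probe(host, recipient, helo="relay.example"):
    """RCPT TO check against the target server; no message is sent.
    Returns True (2xx), False (5xx) or None (anything else, e.g. 4xx)."""
    try:
        with smtplib.SMTP(host, 25, timeout=10) as conn:
            conn.helo(helo)                  # HELO name is a placeholder
            conn.mail("")                    # null sender <>
            code, _ = conn.rcpt(recipient)
    except OSError:                          # connect/protocol failure
        return None
    if 200 <= code < 300:
        return True
    return False if 500 <= code < 600 else None


class RecipientVerifier:
    """Caches per-address results; probe(address) -> True/False/None."""

    def __init__(self, probe, clock=time.time):
        self.probe, self.clock = probe, clock
        self.cache = {}                      # address -> (known, expires_at)

    def is_known(self, address):
        now = self.clock()
        hit = self.cache.get(address)
        if hit and hit[1] > now:
            return hit[0]                    # still-valid cache entry
        known = self.probe(address)
        if known is not None:                # assumption: unclear replies are not cached
            ttl = KNOWN_TTL if known else UNKNOWN_TTL
            self.cache[address] = (known, now + ttl)
        return known

    def decide(self, recipients):
        """Accept only if all recipients are known; reject if any is unknown."""
        results = [self.is_known(r) for r in recipients]
        if any(r is False for r in results):
            return "reject"
        # assumption: an inconclusive probe defers instead of accepting
        return "accept" if all(r is True for r in results) else "defer"
```

Because a negative result is cached for 3 days, a mailbox created on the target server can keep being rejected at the gateway until its cache entry expires.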

E-Mail: New Version Webmail Roundcube 1.3.8

With this Collax software update the new version 1.3.8 of Roundcube is going to be installed. Please find Roundcube details here:

Roundcube Changelog

Collax SSL-VPN: SSL-VPN with HTML5

The new version of the SSL-VPN module replaces the previous SSL VPN. This will be the basic technology of RDP applications and will replace the Java-based technology completely. The new technology works as a completely clientless remote desktop gateway and allows remote access via the web access to a desktop or a console in the local network. This means that no components other than a browser need to be installed. The graphical user interface or the console is displayed and operated in the browser. It supports standard protocols such as VNC, RDP, SSH and telnet. Additional functions such as uploading and downloading files, zoom or connection sharing are also possible.

Collax Web Security: Squid 4.4 and better system resource utilization

The squid Web proxy will be upgraded to version 4.0.24 with this update. Newly added options will cause squid to fork more processes to better utilize system resources. The “number of worker processes” can be increased to use more processes in parallel. Also, the maximum amount of RAM squid uses to cache websites can be adjusted. The dialog is located under Networking -> Web Proxy -> Options.

Collax Web Security: New Web Proxy Blacklists

With this version, the currently installed Web Proxy Blacklists from urlblacklist.com will be replaced, as they are no longer maintained and available. The new lists are from the University of Toulouse and are provided and updated regularly. Please note that the categories and entries were adjusted. If entries are not correct or missing, they can be reported via a web form. You can find the link here. For a comprehensive solution that also takes German-language content into particular account, Collax Surf Protection powered by Cobion is still available.

Kopano Groupware: DeskApp

Due to the upgrade of the webserver, it is necessary to use the current community version 2.1.24 of the Deskapp. The latest versions for your desktop operating system can be found here:

Download Deskapp Community-Version

Kopano Groupware: New version of Z-Push

With this Collax software update, Z-Push 2.4.5 is going to be installed. More information on:

Z-Push 2.4.5 Release

StrongSwan IPSec

strongSwan, the software for establishing VPNs via IPsec, is being updated to version 5.7.1. The Linux crypto modules now load better, so the best hardware support is automatically used. Furthermore, it is now possible to use the encryption algorithm Twofish for IKEv1 connections.

File: webserver Apache

Upgrading to 2.4 from 2.2

Check in advance whether your web application needs to be adapted.

With this software release, Apache moves to a new release series and is updated to Apache 2.4.34.

File: PHP7

Migrating from PHP 5.6.x to PHP 7.0.x / Migrating from PHP 7.0.x to PHP 7.1.x / Migrating from PHP 7.1.x to PHP 7.2.x

Check in advance whether your web application needs to be adapted.

This update replaces the previous PHP5 with PHP7. PHP version 7.2.15 is used. Please note that applications using these packages probably need to be modified for these new versions.

System Management: Additional network services

With this update, the list of all known services is extended. Each service assigns an IP protocol to its associated source and destination ports and can be selected by its service name in other dialogs of the system.

Hardware: Additional hardware support

This update brings support for SmartRAID Storage Controllers from Microsemi Adaptec. These include the SmartRAID 315x RAID adapters. Please also update to the latest firmware (1.60B0 at the moment), otherwise performance and instability problems may occur.

Collax Information & Security Intelligence: Apply retention now

Newly set retention times are not applied until the scheduled process is run for the first time. Using this action, all indexes that are older than the retention time can be closed and deleted immediately.

Issues Fixed in this Version

Security: Important security relevant System Components

This update will also install/update the following important system components:

  • apt
  • SQLite 3.26.0
  • strongSwan 5.7.1

CVE-2019-3462 / SQLite Release 3.26.0 / CVE-2018-16151 / CVE-2018-17540

Misc: Network-/Self-Monitoring

For self-monitoring of the system, Nagios monitoring is installed. The behavior of the Nagios notification was incorrect and generated incorrect alerts when the server was configured to not respond to ICMP echo requests (ping). With this update, a meaningful detection takes place and no unsettling warning messages are sent.

Collax Information & Security Intelligence: Report as PDF period wrong

There are a number of ready-made reports available. If you view a report in the browser, the set period is taken. However, if you download the report as PDF, the period is always set back to 7 days. This will be fixed with this update.

Notes

E-Mail: Increased required space when using IMAP and full-text index

The option “Generate full-text index” in the options of the dialog “Mail and Messaging -> Mail Storage -> IMAP and POP3” generates a full-text index of the local IMAP folders which accelerates the search within the IMAP folders and e-mails. While activated, the system could use up to 20% more space compared to the former release (also with activated index) for the service cyrus. Please check the space requirements of the service cyrus in advance. Under the dialog “Status -> System -> Statistics” the graph “filesystem/data” shows further details.

E-Mail: Collax Virus Protection powered by Kaspersky prior Version 7

Version 7 of the Collax C servers has updated the anti-virus engine and the format of the patterns. This was done to respond to new threats with the best possible protection. Patterns for versions prior to 7.0.0 will be available until December 31, 2017. From 01.01.2018 Kaspersky will not update the patterns for Collax version 5 and older. All installations using the Collax Virus Protection module should therefore be brought up to date.

E-Mail: Release already deleted emails in IMAP mailboxes

In the dialog “Mail and Messaging -> Mail Storage -> IMAP and POP3” the IMAP server can be activated for the users to get access to their IMAP mailboxes. Due to a modified standard directive within the Cyrus IMAP mail server since the release V7, e-mails already deleted by the mail client have not been completely released from the hard disk. Since release 7.0.22, cyr_expire will free up memory for already deleted emails. Please note that the process is already started when the IMAP service is restarted during the update, and that it continues once the server has been restarted and the IMAP service has started again.

E-Mail: Collax Avira AntiVir prior Version 7.0.24

Version 7.0.24 of the Collax C servers has updated the anti-virus engine and the format of the patterns. This was done to respond to new threats with the best possible protection. Patterns for versions prior to 7.0.24 will be available until December 31, 2018. From 01.01.2019 Avira will not update the patterns for Collax version 7.0.22 and older. All installations using the Collax Avira AntiVir module should therefore be brought up to date.

Collax Information & Security Intelligence: Modified mapping of the indices

When updating Elastic Stack to 6.4.0, the mapping of the indexes was changed. This prevents Filebeat from writing data to the same index before and after the update. Therefore, data arriving after the update has been performed will no longer be included in the index. From 0:00 on, Elastic Stack will create a new index, and all data from that point will be written to the index again. The data between the end of the update and midnight will be lost. If you would rather give up the data from before the update (from 0:00 until the end of the update), the index for the current day can be deleted after the update via the administration interface. In that case, all data between 0:00 and the deletion of the index will be lost.

Collax Information & Security Intelligence: Schema change

A schema change in Release 7.1.0 requires that the elastic stack and beats be updated at the same time. To do this, update the server with the elastic stack and the server with the filebeats one after the other.