Release Notes CSG 5.0.2

Collax Security Gateway
29.06.2008

Installation Notes

Accomplish Upgrade to Version 5.0.2

To install this update please follow these steps:

  • Please back up all server data.
  • Go to System -> System Operation -> Software -> System Update and click Upgrade-Information. Please read the information carefully. If you have further questions, please contact Collax GmbH before performing the upgrade.
  • Click Start upgrade. The successful update of the package list is indicated by the detail message "Please continue with downloading package list." and the final message "Done!".
  • To update the package list, click Get Package List. The successful update of the package list is indicated by the message "Done!".
  • Click Get Packages to download the listed update packages. Important: If you download the packages over a slow connection (ISDN, analog, etc.), the browser may drop the connection to the administration interface. However, the download will continue in the background. Continue with the next step. If you get an error message, wait a few minutes and try again.
  • Click Install. This action installs the update. The end of this process is indicated by the message "Done!".
  • Please note that an automatic reboot will be executed to activate the new kernel.

Installation Notes

Upgrade from Version less than 4.1.26

To upgrade to Collax Business Server version 5.0.2, version 4.1.26 must be installed first. To install version 4.1.26, please follow the steps “Get Package List”, “Get Packages” and “Install”.

Once version 4.1.26 is installed, please follow the steps under “Accomplish Upgrade to Collax Business Server Version 5.0.2”. Please read the release notes for the appropriate version.

Check File System

Before upgrading the server, a check of the file system should be carried out. The file system check is available in the boot menu of the server. To run the check, a display and a keyboard must be connected to the server, and the server must then be restarted. After the BIOS has loaded, the file system check can be selected in the boot menu. The file system is then checked and corresponding status messages are displayed. If the file system is in order, the server starts and the upgrade can be carried out. Technical questions about the file system check can be directed to your certified Collax partner or to the Collax support team.

Duration of Upgrade

Depending on your existing server installation, up to 320 software components will be downloaded and replaced. The upgrade process will therefore take between 45 minutes and 180 minutes in total.

New in this Version

Security: Firewall Tftp Connection Tracker

If services use ports for the data transfer that cannot be determined in advance, connection trackers are used in the firewall to establish and track such connections. With this update the connection tracker for the Trivial File Transfer Protocol (TFTP) can be activated in the firewall when required. Connections using this protocol can then be set up and logged.
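Why TFTP needs a connection tracker, as an added illustration that is not Collax code: a toy stateful UDP filter in Python in which the helper registers an expectation for the server's reply, which arrives from a new source port rather than from port 69. The addresses, ports and file name are constructed sample values.

```python
import struct

TFTP_PORT = 69
RRQ, WRQ, ACK = 1, 2, 4  # TFTP opcodes (RFC 1350); RRQ/WRQ open a transfer

class Firewall:
    """Toy stateful UDP filter: outbound is allowed, inbound only if tracked."""

    def __init__(self, tftp_helper):
        self.tftp_helper = tftp_helper
        self.flows = set()         # (client, cport, server, sport)
        self.expectations = set()  # (server, client, cport): server port wildcarded

    def outbound(self, client, cport, server, sport, payload):
        self.flows.add((client, cport, server, sport))
        if self.tftp_helper and sport == TFTP_PORT and len(payload) >= 2:
            (opcode,) = struct.unpack("!H", payload[:2])
            if opcode in (RRQ, WRQ):
                # The server answers from a new port, so expect any source port.
                self.expectations.add((server, client, cport))

    def inbound(self, server, sport, client, cport):
        if (client, cport, server, sport) in self.flows:
            return "ESTABLISHED"
        if (server, client, cport) in self.expectations:
            self.expectations.discard((server, client, cport))  # one-shot
            self.flows.add((client, cport, server, sport))
            return "RELATED"
        return "DROP"

def simulate(tftp_helper):
    """Replay one constructed read request; return verdicts for inbound packets."""
    client, server, stranger = "192.0.2.10", "198.51.100.5", "203.0.113.9"
    fw = Firewall(tftp_helper)
    rrq = struct.pack("!H", RRQ) + b"boot.img\x00octet\x00"
    fw.outbound(client, 40000, server, TFTP_PORT, rrq)
    first = fw.inbound(server, 51000, client, 40000)    # DATA from new server port
    if first != "DROP":  # the client only ACKs data that reached it
        fw.outbound(client, 40000, server, 51000, struct.pack("!HH", ACK, 1))
    second = fw.inbound(server, 51000, client, 40000)   # next DATA block
    stray = fw.inbound(stranger, 51000, client, 40000)  # unrelated host, same port
    return first, second, stray

if __name__ == "__main__":
    print("helper on :", simulate(True))
    print("helper off:", simulate(False))
```

Without the helper the transfer stalls at the first data block; with it, only the server named in the request can open the related flow, and the expectation is consumed once matched.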

Add-on Software: New Version of Collax Virus Protection

The virus scanner Collax Virus Protection offers comprehensive antivirus protection for email services. Within this Collax system update the scanner is updated to the newest version.

From this update on, the options for “Email disinfection”, “Damaged Email” and “Alerts” are omitted. Emails can additionally be copied to quarantine (mail queue for held mails) if they have been cleaned or before they are deleted.

Attention: Please start a manual pattern update by clicking the button “Get Updates” at the bottom of the form in Settings -> Filter -> Collax Virus Protection, Tab Mail. This update is necessary to start the services successfully.

System Management: Monitoring of Services

All enabled services of the Collax servers are checked for their operating state, e.g. running or stopped. The status is indicated in the form “System-> monitoring / evaluation-> state-> services”. If the active monitoring is switched on, the services are also tested qualitatively. The status whether the function of the service is all right, or whether problems occurred during operation (e.g. OK, WARNING, CRITICAL). Configuration -> Monitoring" is indicated in the new column “Test”.

System Management: Extension of System Information

Until now, information about CPU, RAM and hard disks was displayed as system information. From this update on, it is possible to obtain detailed graphical information about file system, hard disks and network interfaces.

System Management: Logging of Firewall Rules

The firewall matrix defines which network connections passing through the Collax server are permitted or forbidden. To simplify the logging of these connections, the option “Logging for the Firewall Matrix” can now be set in the form “Settings->Networking->Firewall->General->Options”. Until now this setting had to be activated for each single connection. The logging of permitted or forbidden connections is applied generally to all firewall rules, explicit or implicit, which eases the use and the reporting of the rules.

System Management: Extended Active-Directory Integration

Until now, the integration of the Collax server into Microsoft ActiveDirectory was used to authenticate users against the ActiveDirectory. With this software version, this function is extended to read user-related data from the ActiveDirectory. This data is used within the Collax services to provide fully centralized user management via Microsoft ActiveDirectory. This function can be activated via Settings -> Usage Policy -> PDC/ADS -> Enable Active Directory proxy.

Hardware: iSCSI Initiator

iSCSI makes it possible to use the SCSI protocol over a TCP/IP network. From this version on, the function of the controller, the iSCSI initiator, is implemented in the Collax server. With the iSCSI initiator, storage devices in the network (iSCSI targets) are integrated transparently as local storage devices. The functions of the iSCSI initiator include target discovery, to integrate storage devices on the network quickly, as well as authentication, to establish a reliable connection to the iSCSI target.

Hardware: Driver for 10GB Network Interface Cards

The drivers for 10 Gigabit network interface cards are implemented within kernel version 2.6.25.20. These drivers support the following NICs: Chelsio 10Gb Ethernet, Chelsio Communications T3 10Gb Ethernet, Intel(R) 10GbE PCI Express, Intel(R) PRO/10GbE PCI-X, S2IO 10Gbe XFrame NIC, NetXen Multi port (1/10) Gigabit, Sun Neptune 10Gbit, Tehuti Networks 10G, Broadcom NetXtremeII 10Gb.

Issues Fixed in this Version

Security: Cryptography Toolkit OpenSSL

In the source code of the cryptography toolkit OpenSSL 0.9.8k security holes have been discovered. These holes will be closed within this Collax software update.

Assigned Common Vulnerabilities and Exposures (CVE) numbers:

CVE-2009-0590 CVE-2009-0591 CVE-2009-0789

Security: GNU TLS and SSL implementation

In the source code of GnuTLS security holes have been discovered. These holes will be closed within this Collax software update.

GnuTLS 2.6.6 is going to be installed and fixes the assigned Common Vulnerabilities and Exposures (CVE) numbers:

CVE-2008-4089 CVE-2009-1415 CVE-2009-1416 CVE-2009-1417

Security: Udev, Dynamic Device Management

In the source code of GnuTLS security holes have been discovered. These holes will be closed within this Collax software update.

A patch for udev 126 is going to be installed and fixes the assigned Common Vulnerabilities and Exposures (CVE) numbers:

CVE-2009-1185

Security: VPN IKE Daemon Pluto

In the source code of the IKE daemon Pluto security holes have been discovered. These holes will be closed within this Collax software update.

A patch for Pluto 2.4.9 is going to be installed and fixes the assigned Common Vulnerabilities and Exposures (CVE) numbers:

CVE-2009-0790

Security: GNU data type library glib2

In the source code of glib2 security holes have been discovered. These holes will be closed within this Collax software update.

A patch for glib2 2.18.2 is going to be installed and fixes the assigned Common Vulnerabilities and Exposures (CVE) numbers:

CVE-2008-4316

Security: Authentication library libsasl2

In the source code of system library libsasl2 security holes have been discovered. These holes will be closed within this Collax software update.

A patch for libsasl2 is going to be installed and fixes the assigned Common Vulnerabilities and Exposures (CVE) numbers:

CVE-2009-0688

Security: System library libfreetype

In the source code of the system library libfreetype security holes have been discovered. These holes will be closed within this Collax software update.

A patch for libfreetype is going to be installed and fixes the assigned Common Vulnerabilities and Exposures (CVE) numbers:

CVE-2009-1416

Security: SquirrelMail Web Mail

In the source code of web mailer SquirrelMail security holes have been discovered. These holes will be closed within this Collax software update.

SquirrelMail 1.4.18 is going to be installed and fixes the assigned Common Vulnerabilities and Exposures (CVE) numbers:

CVE-2009-1578 CVE-2009-1579 CVE-2009-1580 CVE-2009-1581

Security: Samba, Windows SMB/CIFS Server for UNIX

In the source code of the Windows SMB/CIFS fileserver Samba security holes have been discovered. These holes will be closed within this Samba software patch for version 3.0.34.

Assigned Common Vulnerabilities and Exposures (CVE) numbers:

CVE-2009-1888

Notes

Collax SSL-VPN: Behaviour change of objects

With the new version of SSL-VPN the network permissions of all objects will be checked. Thus, the corresponding networks should be added to the group permissions. The port or interface for the SSL-VPN service does not have to be configured with this version.