Release Notes CSG 7.2.0

Collax Security Gateway
30.11.2021

Installation Notes

Update Instructions

To install this update, please follow these steps:

Procedure

  1. It is highly recommended to back up all server data with the Collax backup system before proceeding. Check that the backup was successful before starting the update (this can be done using the backup information email).
  2. In the administration interface go to Menu → Software → System Update and press Get Package List. This downloads the list of available update packages. If successful, the message Done! is displayed on the screen.
  3. Click Get Packages to download the update packages.
  4. Click Install. This installs the update. The end of this process is indicated by the message Done!.
  5. A new kernel is installed with this update. The system reboots automatically after the update has been installed. A corresponding note is shown when the update process is complete.

New in this version

The upgrade

Version 7.2 is a platform upgrade in which all packages are replaced and brought up to date. Most of the open source projects are updated to a new major version (Postfix, Cyrus, BIND, OpenSSL, MariaDB, Nagios, strongSwan and many more). The Linux kernel also received a major update and now runs on version 5.10 (previously 4.9).

Installation notes

Download and package installation will take significantly longer than usual. After the installation of 7.2.0 the server reboots automatically. The subsequent boot process will also take longer than usual. On small systems, such as embedded systems, the entire process can take an hour or more.

During the upgrade, the administration interface cannot be used to its full extent. Because some components are temporarily present on the system in mutually incompatible versions, opening forms can lead to errors, or the connection between browser and server may be lost.

In some cases, the displayed progress of the upgrade may stop updating. Only the output is affected; the upgrade continues in the background. Do not restart the server under any circumstances during the upgrade. We apologize for the rare occurrence of this case and ask you to be patient.

System Management: Linux Kernel 5.10.80

This update installs the Linux Kernel 5.10.80.

GUI: New Iconset and intuitive Theme

The administration interface gets a visibly new look. With this update, a new icon set is introduced and the theme is adapted so that the web interface of Collax Server V7.2 is distinguishable from the previous one. In addition, operation is made more intuitive. The structure has been left unchanged, with one exception: to gain more space for more important things, the top bar with the logout button was removed. The logout button and the information about the logged-in administrator are now located on the left side, at the bottom of the main menu box.

Miscellaneous: TLSv1.3

This update installs OpenSSL 1.1.1i. This OpenSSL version includes support for TLSv1.3 by default, making TLS 1.3 the official standard for transport encryption. All services attempt to establish outgoing connections with TLS 1.3 and offer TLS 1.3 for incoming connections. If the other side does not support it, TLS 1.2 is used. Connections with TLS 1.1 or older are no longer allowed. If such connections are still required, the affected service can be reconfigured to allow TLS 1.1.

Security: Important security relevant system packages

With the Collax Server V7.2 update all system packages are updated. Security vulnerabilities were discovered in the source code of important system packages; these are closed with this software update. The following is an excerpt of the most notable packages and CVE numbers.

BIND 9.16.21

  • CVE-2020-8616 - remote DOS or reflection attack with recursive queries
  • CVE-2020-8622 - possible DOS with TSIG
  • CVE-2020-8624 - update privilege escalation
  • CVE-2020-8619 - potential DOS
  • CVE-2020-8617 - remotely triggered inconsistent state
  • CVE-2019-6477 - resource exhaustion with pipelined queries

roundcubemail 1.4.11

  • CVE-2020-35730 - cross-site scripting (XSS) via HTML or Plain text messages
  • CVE-2020-16145 - cross-site scripting (XSS) via HTML messages with malicious svg content
  • CVE-2020-12625 - XSS issue in handling of CDATA in HTML messages
  • CVE-2020-12640 - local file inclusion (and code execution) via crafted ‘plugins’ option
  • CVE-2020-12626 - CSRF bypass that could be used to log out an authenticated user

OpenSSL 1.1.1i

  • CVE-2020-1971 - possible DOS with CRLs
  • CVE-2020-1967 - possible DOS with TLS 1.3

SQLite 3.34.1

  • CVE-2020-15358 - Malicious SQL statement causes a read past the end of a heap buffer.
  • CVE-2020-13871 - Malicious SQL statement causes a read-only use-after-free memory error.
  • CVE-2020-13632 - Malicious SQL statement causes a read of a NULL pointer in FTS3 extension
  • CVE-2020-13631 - Malicious SQL statement causes an infinite loop.
  • CVE-2020-13435 - Malicious SQL statement causes a read access to a NULL pointer
  • CVE-2020-13434 - Malicious SQL statement integer overflow which can overwrite the stack, DOS
  • CVE-2020-11655 - Malicious SQL statement causes a read using an uninitialized pointer
  • CVE-2020-9327 - Malicious SQL statement causes a read using an uninitialized pointer
  • CVE-2020-6405 - Malicious SQL statement causes a NULL pointer dereference
  • CVE-2019-20218 - Malicious SQL statement causes an uninitialized pointer read
  • CVE-2019-19959 - Malicious SQL statement causes a NULL pointer dereference in the Zipfile extension
  • CVE-2019-19926 - Malicious SQL statement causes an uninitialized pointer read
  • CVE-2019-19925 - Malicious SQL statement causes a NULL pointer dereference in the Zipfile extension
  • CVE-2019-19924 - Malicious SQL statement causes an uninitialized pointer reference
  • CVE-2019-19923 - Malicious SQL statement causes a NULL pointer dereference

curl 7.74.0

  • CVE-2020-8231: libcurl: wrong connect-only connection
  • CVE-2020-8286: Inferior OCSP verification
  • CVE-2020-8285: FTP wildcard stack overflow
  • CVE-2020-8284: trusting FTP PASV responses

Samba 4.9.18

  • CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD Directory not automatic.
  • CVE-2019-14907: Crash after failed character conversion at log level 3 or above.
  • CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD DC.
  • CVE-2020-10704: A flaw was found when using samba as an Active Directory Domain Controller
  • CVE-2020-10730: This flaw allows an authenticated user to possibly trigger a use-after-free or NULL pointer dereference
  • CVE-2020-10745: This flaw allows a remote attacker to cause the Samba server to consume excessive CPU, resulting in a denial of service.
  • CVE-2020-10760: A Samba LDAP user could use this flaw to crash samba.
  • CVE-2020-14303: A samba user could send an empty UDP packet to cause the samba server to crash.
  • CVE-2020-14318: An authenticated user could use this flaw to gain access to certain file and directory information which otherwise would be unavailable to the attacker.
  • CVE-2020-14323: A local user could use this flaw to crash the winbind service causing denial of service.
  • CVE-2020-14383: Samba is prone to a denial of service vulnerability.
  • CVE-2021-20254: A coding error converting SIDs to gids could allow unexpected group entries in a process token.

NodeJS v16.9.1

  • CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service
  • CVE-2019-9512: Fixed HTTP/2 flood using PING frames results in unbounded memory growth
  • CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service.
  • CVE-2019-9514: Fixed HTTP/2 implementation that is vulnerable to a reset flood, potentially leading to a denial of service
  • CVE-2019-9515: Fixed HTTP/2 flood using SETTINGS frames results in unbounded memory growth
  • CVE-2019-9516: Fixed HTTP/2 implementation that is vulnerable to a header leak, potentially leading to a denial of service (bsc#1146090).
  • CVE-2019-9517: Fixed HTTP/2 implementations that are vulnerable to unconstrained internal data buffering (bsc#1146097).
  • CVE-2019-9518: Fixed HTTP/2 implementation that is vulnerable to a flood of empty frames, potentially leading to a denial of service

Notes

Discontinuations

As we have already reported in the newsletters, some features will be removed with the upgrade. If you rely on any of the features, please contact us.

  1. ISDN no longer plays a role for internet access, and for fax and telephony only in exceptional cases. The Linux kernel installed with version 7.2 no longer offers the ISDN support that was used.
  2. The Spotlight administration tool has been replaced by Collax Central.
  3. PPTP is considered insecure and obsolete. For road warrior connections, IPsec VPN with IKEv2 provides a simpler, more modern and more secure method.
  4. The network printer support CUPS.
  5. The chat server Jabber.
  6. The file synchronization method Unison. The second method, Rsync, remains available.
  7. The watchdog timer.

VPN: Fix for IKEv2 connections with Microsoft Windows breaking after 7.6 hours

VPN connections using IKEv2 and the built-in Microsoft Windows VPN client are interrupted after exactly 7.6 hours. The error occurs because Microsoft Windows proposes different algorithms during the IKE rekeying than during the initial connection. The problem can be solved with a registry fix: set the value “NegotiateDH2048_AES256” under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters to 1.

At the following link you can find a REG file (registry entry) that adds the registry key. Collax assumes no liability for system errors resulting from this.
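The registry change described above, as an added PowerShell example (this is not Collax's REG file): it reads the current value, sets NegotiateDH2048_AES256 to 1 as a DWORD and verifies the result. The function names are my own, and the assumption that a restart of the RasMan service (or a reboot) is needed for the change to take effect is mine as well.

```powershell
# Added example: apply and verify the RasMan registry fix from these release notes.
# Not the Collax REG file. Run from an elevated PowerShell session on the Windows VPN client.
$RasManKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
$ValueName = 'NegotiateDH2048_AES256'

function Get-RasManDhSetting {
    # Returns the current value, or $null if the value does not exist yet.
    $item = Get-ItemProperty -Path $RasManKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Set-RasManDhSetting {
    param([uint32]$Value = 1)   # 1 is the value the release notes call for
    if (-not (Test-Path $RasManKey)) {
        throw "Key $RasManKey not found; is the Remote Access Connection Manager (RasMan) installed?"
    }
    $before = Get-RasManDhSetting
    # New-ItemProperty creates the DWORD value; -Force overwrites it if it already exists.
    New-ItemProperty -Path $RasManKey -Name $ValueName -PropertyType DWord -Value $Value -Force | Out-Null
    $after = Get-RasManDhSetting
    if ($after -ne $Value) {
        throw "Verification failed: $ValueName is '$after', expected $Value"
    }
    Write-Host "$ValueName changed from '$before' to $after"
}

Set-RasManDhSetting -Value 1
# Assumption: the new value is picked up after RasMan restarts (or after a reboot).
Restart-Service -Name RasMan -Force
```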