
Upload: truongquynh

Post on 08-May-2018


CgLinux Changelog
=================

This file contains the new features, changed features and bugs that have been fixed for this version of the CgLinux OS products. For additional tips and information, see the Online Help and/or User Guide.

5.2.3 :
-------

Bugfixes

o kernel: backport bnx2 patches from upstream

5.2.2 :
-------

Bugfixes

o glibc: fix stack extension attack in fnmatch (CVE-2011-1071)

5.2.1 :
-------

New and improved

o update tzdata to 2010l

Bugfixes

o asc: fix asc-enable/disable scripts

o bzip2: fix CVE-2010-0405

o heartbeat: raise priority of resource agent

o kernel:

o sync with 2.6.18-238.5.1.el5

o fix unix socket local dos (CVE-2010-4249)

o core: clear allocs for privileged ethtool actions (CVE-2010-4655)

o limit socket backlog add operation to prevent DoS (CVE-2010-4251)

o igb: only use vlan_gro_receive if vlans registered (CVE-2010-4263)

o [fs] exec: copy fixes into compat_do_execve paths (CVE-2010-4243)

o [fs] exec: make argv/envp memory visible to oom-killer (CVE-2010-4243)

o [misc] binfmts: kill bprm->argv_len (CVE-2010-4243)

o [net] filter: make sure filters don't read uninit memory (CVE-2010-4158)

o [net] limit sendto/recvfrom/iovec total length to INT_MAX (CVE-2010-3859)

o [ipc] shm: fix information leak to userland (CVE-2010-4072)

o [ipc] initialize struct memory to 0 for compat functions (CVE-2010-4073)

o [serial] serial_core: clean data before filling it (CVE-2010-4075)

o [misc] futex: replace LOCK_PREFIX in futex.h (CVE-2010-3086)

o [ipc] sys_semctl: fix kernel stack leakage (CVE-2010-4083)

o [net] rds: fix local privilege escalation (CVE-2010-3904)

o [misc] make compat_alloc_user_space incorporate access_ok (CVE-2010-3081)

o [mm] accept an abutting stack segment (CVE-2010-2240)

o [net] sched: fix some kernel memory leaks (CVE-2010-2942)

o [mm] pass correct mm when growing stack (CVE-2010-2240)

o [mm] fix up some user-visible effects of stack guard page (CVE-2010-2240)

o [mm] fix page table unmap for stack guard page properly (CVE-2010-2240)

o [mm] fix missing unmap for stack guard page failure case (CVE-2010-2240)

o [mm] keep a guard page below a grow-down stack segment (CVE-2010-2240)

o [misc] futex: handle futex value corruption gracefully (CVE-2010-0622)

o [misc] futex: handle user space corruption gracefully (CVE-2010-0622)


o [misc] futex: fix fault handling in futex_lock_pi (CVE-2010-0622)

o [mm] keep get_unmapped_area_prot functional (CVE-2010-0291)

o [mm] switch do_brk to get_unmapped_area (CVE-2010-0291)

o [mm] take arch_mmap_check into get_unmapped_area (CVE-2010-0291)

o [mm] unify sys_mmap* functions (CVE-2010-0291)

o [mm] fix pgoff in have to relocate case of mremap (CVE-2010-0291)

o [mm] fix the arch checks in MREMAP_FIXED case (CVE-2010-0291)

o [mm] fix checks for expand-in-place mremap (CVE-2010-0291)

o [mm] add new vma_expandable helper function (CVE-2010-0291)

o [mm] move MREMAP_FIXED into its own header (CVE-2010-0291)

o [mm] move locating vma code and checks on it (CVE-2010-0291)

o [netlink] connector: delete buggy notification code (CVE-2010-0410)

o [scsi] megaraid_sas: update driver to version 4.31

o [net] bnx2: update firmware to 6.0.x

o [net] bnx2: update to v2.0.8+ with new 5709 firmware j15

o [net] tg3: update to 3.108+ and add 5718 B0, 5719 support

o [net] e1000e: update to upstream version 1.2.7-k2

o [net] bnx2x: update bnx2x version to 1.52.53-4

o [net] ixgbe: update to upstream version 2.0.84-k2 (Andy Gospodarek) [568602]

o [message] fusion: update to 3.4.15

o [net] be2net: update to v2.102.348r with SR-IOV support

o [net] tcp: fix shrinking windows with window scaling

o [net] clusterip: check allocation before freeing memory

o [misc] kernel: restrict unprivileged access to dmesg


o [net] bnx2: Increase max rx ring size from 1K to 2K

o [net] ixgbe: add option to control interrupt mode

o [misc] intel: support for Intel Cougar Point Chipset

5.2.0 :
-------

New and improved

o cg-startup: capture output of firstboot scripts

o update openldap to 2.3.43

o added Intel Active System Console for MWG4000, MWG4500, MWG5000 and MWG5500

Bugfixes

o kernel:

o sync with 2.6.18-194.8.1.el5

o tg3: fix panic in tg3_interrupt

o tg3: fix INTx fallback when MSI fails

o e1000/e1000e: implement simple interrupt moderation

o fix various PI futex operations (CVE-2010-0622)

o fix multiple denial of service vulnerabilities in mmap/mremap (CVE-2010-0291)

o firmware and driver updates for bnx2 and bnx2x

o driver update for tg3

o driver update for igb

o netlink connector: delete buggy notification code (CVE-2010-0410)

o fix sys_move_pages infoleak (CVE-2010-0415)

o fix kernel info leak with print-fatal-signals=1 (CVE-2010-0003)

o emergency route cache flushing fixes (CVE-2009-4272)

o fasync: split 'fasync_helper()' into separate add/remove functions (CVE-2009-4141)


o ipv6: fix ipv6_hop_jumbo remote system crash (CVE-2007-4567)

o respect flag in do_coredump (CVE-2009-4036)

o gdth: prevent negative offsets in ioctl (CVE-2009-3080)

o pipe.c null pointer dereference (CVE-2009-3547)

o require root for mmap_min_addr (CVE-2009-2695)

o AF_UNIX: deadlock on connecting to shutdown socket (CVE-2009-3621)

o ipmi: add HP message handling

o openssh: don't do pam with empty password if empty passwords are switched off (#81148)

5.1.9 : Part Number 91-0950405-A
--------------------------------

Bugfixes

o kernel:

o futex: Handle user space corruption gracefully (CVE-2010-0622)

o OOM/crash in drivers/connector (CVE-2010-0410)

o [net] sctp: backport cleanups for ootb handling V2 (Neil Horman) [555666 555667] (CVE-2010-0008)

o [fs] ext4: Avoid null pointer dereference when decoding EROFS w/o a journal (Jiri Pirko) [547256 547257] (CVE-2009-4308)

o [mm] fix sys_move_pages infoleak (Eugene Teo) [562589 562590] (CVE-2010-0415)

o [x86_64] wire up compat sched_rr_get_interval (Danny Feng) [557684 557092]

o [net] netfilter: enforce CAP_NET_ADMIN in ebtables (Danny Feng) [555242 555243] (CVE-2010-0007)

o [misc] fix kernel info leak with print-fatal-signals=1 (Danny Feng) [554583 554584] (CVE-2010-0003)

o [net] ipv6: fix OOPS in ip6_dst_lookup_tail (Thomas Graf) [559238 552354]

o [kvm] pvclock on i386 suffers from double registering (Glauber Costa) [561454 557095]


o [pci] VF can't be enabled in dom0 (Don Dutile) [560665 547980]

o [kvm] kvmclock won't restore properly after resume (Glauber Costa) [560640 539521]

o [mm] prevent performance hit for 32-bit apps on x86_64 (Larry Woodman) [562746 544448]

o [fs] fix possible inode corruption on unlock (Eric Sandeen) [564281 545612]

o [gfs2] careful unlinking inodes (Steven Whitehouse) [564288 519049]

o [gfs2] gfs2_delete_inode failing on RO filesystem (Abhijith Das) [564290 501359]

o [net] e1000e: fix broken wol (Andy Gospodarek) [559335 557974]

o [net] gro: fix illegal merging of trailer trash (Herbert Xu) [561417 537876]

o [xen] hook sched rebalance logic to opt_hardvirt (Christopher Lalancette) [562777 529271]

o [xen] crank the correct stat in the scheduler (Christopher Lalancette) [562777 529271]

o [xen] whitespace fixups in xen scheduler (Christopher Lalancette) [562777 529271]

o [scsi] cciss: ignore stale commands after reboot (Tomas Henzl) [562772 525440]

o [scsi] cciss: version change (Tomas Henzl) [562772 525440]

o [scsi] cciss: switch to using hlist (Tomas Henzl) [562772 525440]

o [net] bonding: allow bond in mode balance-alb to work (Jiri Pirko) [560588 487763]

o [net] e1000e: fix WoL on 82577/82578 (Jiri Pirko) [543449 517593]

o [net] e1000: fix rx length check errors (Neil Horman) [552137 552138] (CVE-2009-4536)

o Revert: [net] e1000, r9169: fix rx length check errors (Cong Wang) [550914 550915]


o [fs] jbd: fix race in slab creation/deletion (Josef Bacik) [553132 496847]

o openssl: always check return value of bn_wexpand (CVE-2009-3245)

5.1.8 : Part Number 91-0950278-A
--------------------------------

New and improved

o pciutils: update to 2.2.3 with newer hwdata

Bugfixes

o cgconfig: use correct umask when creating new files (#79731)

o kernel:

o [fs] fix pipe null pointer dereference (CVE-2009-3547)

o [security] require root for mmap_min_addr (CVE-2009-2695)

o [net] r8169: balance pci_map/unmap pair, use hw padding (CVE-2009-3613)

o [nfs] knfsd: fix NFSv4 O_EXCL creates (CVE-2009-3286)

o [md] prevent crash when accessing suspend_* sysfs attr (CVE-2009-2849)

o [net] udp: socket NULL ptr dereference (CVE-2009-2698)

o [net] make sock_sendpage use kernel_sendpage (CVE-2009-2692)

o [net] tun/tap: open /dev/net/tun and then poll() it fix (CVE-2009-1897)

o [net] tg3: 5785F and 50160M support

o [scsi] qla2xxx: updates 25xx firmware to 4.04.09

o [scsi] qla2xxx: updates 24xx firmware to 4.04.09

o [net] e1000e: update to upstream version 1.0.2-k2

o [net] bnx2x: update to 1.48.105

o [scsi] megaraid: update megasas to 4.08-RH1

o [scsi] aacraid: update to 1.1.5-2461

o [scsi] MPT fusion: update version 3.04.07rh v2

o [net] bonding: update to upstream version 3.4.0


o [net] ixgbe: update to upstream version 2.0.8-k2

o [net] igb: update to upstream version 1.3.16-k2

o [agp] zero pages before sending to userspace

o [net] tg3: update to version 3.96

o [scsi] MPT Fusion: update to version 3.04.07rh

o [net] bnx2: update to latest upstream - 1.9.3

o [net] forcedeth: update to upstream version 0.62

o [misc] hrtimer: fix a soft lockup (CVE-2007-5966)

o [net] r8169: fix crash when large packets are received (CVE-2009-1389)

o [ptrace] fix do_coredump vs ptrace_start() deadlock (CVE-2009-1388)

o [net] e1000: fix skb_over_panic (CVE-2009-1385)

o [nfs] v4: client handling of MAY_EXEC in nfs_permission (CVE-2009-1630)

o [fs] cifs: fix pointer and checks in cifs_follow_symlink (CVE-2009-1633)

o [fs] cifs: fix error handling in parse_DFS_referrals (CVE-2009-1633)

o [sched] accurate task runtime accounting (CVE-2007-3719)

o [sched] rq clock (CVE-2007-3719)

o [x86] scale cyc_2_nsec according to CPU frequency (CVE-2007-3719)

o [i386] untangle xtime_lock vs update_process_times (CVE-2007-3719)

o [x86_64] clean up time.c (CVE-2007-3719)

o [misc] add some long-missing capabilities to CAP_FS_MASK (CVE-2009-1072)

o [fs] cifs: unicode alignment and buffer sizing problems (CVE-2009-1439)

o [fs] rebase ext4 and jbd2 to 2.6.29 codebase (CVE-2009-0745 CVE-2009-0746 CVE-2009-0747 CVE-2009-0748)


o [misc] exit_notify: kill the wrong capable check (CVE-2009-1337)

o [ptrace] audit_syscall_entry to use right syscall number (CVE-2009-0834)

o [net] memory disclosure in SO_BSDCOMPAT gsopt (CVE-2009-0676)

o [misc] minor signal handling vulnerability (CVE-2009-0028)

o [security] keys: introduce missing kfree (CVE-2009-0031)

o [block] enforce a minimum SG_IO timeout (CVE-2008-5700)

o [fs] ext[234]: directory corruption DoS (CVE-2008-3528)

o sysklogd: fix handling of SIGHUP (#80800)

o wget: update to 1.11.4 (CVE-2009-3490)

5.1.7 : Part Number 91-0950139-A
--------------------------------

New and improved

o cg-startup: save system time to hardware clock on shutdown

o iproute2: allow adjusting of initial congestion window size

Bugfixes

o kernel:

o [fs] ecryptfs: check tag 11 packet literal data buffer size (CVE-2009-2406)

o [fs] ecryptfs: check tag 3 packet encrypted key size (CVE-2009-2407)

o [misc] personality handling: fix PER_CLEAR_ON_SETID (CVE-2009-1895)

o [misc] hrtimer: fix a soft lockup (CVE-2007-5966)

o [net] r8169: fix crash when large packets are received (CVE-2009-1389)

o [ptrace] fix do_coredump vs ptrace_start() deadlock (CVE-2009-1388)

o [net] e1000: fix skb_over_panic (CVE-2009-1385)


o fix uninitialised sendpage ops resulting in null pointer dereference (CVE-2009-2692)

o build pppoe as module, disable SCTP

o [net] prevent null pointer dereference in udp_sendmsg (CVE-2009-2698)

o [net] make sock_sendpage use kernel_sendpage (CVE-2009-2692)

o fix possible crash in udp (CVE-2009-2698)

o fix information leak in llc (CVE-2009-3001)

o fix information leak in various protocols (CVE-2009-3002)

o libxml2: Fix a couple of crashes (CVE-2009-2414, CVE-2009-2416)

o openssh: add fix for syslog inside signal handler (CVE-2008-4109)

o python:

o Multiple integer overflows in python core (CVE-2008-2315)

o Multiple integer overflows discovered by Google (CVE-2008-3143)

o Multiple buffer overflows in unicode processing (CVE-2008-3142)

o Potential integer underflow and overflow in the PyOS_vsnprintf C API function (CVE-2008-3144)

o imageop module multiple integer overflows (CVE-2008-4864)

o stringobject, unicodeobject integer overflows (CVE-2008-5031)

o imageop module heap corruption (CVE-2007-4965)

5.1.6 : Part Number 91-0950009-A
--------------------------------

Bugfixes

o bind: fix denial of service (server crash) caused by receipt of a specific remote dynamic update message (CVE-2009-0696)

o cgconfig:

o re-create extlinux config on syslinux update

o restore old tcp_rmem settings (#80517)


o kernel:

o fix PER_CLEAR_ON_SETID (CVE-2009-1895)

o nfs v4: client handling of MAY_EXEC in nfs_permission (CVE-2009-1630)

o cifs: fix pointer and checks in cifs_follow_symlink (CVE-2009-1633)

o cifs: fix error handling in parse_DFS_referrals (CVE-2009-1633)

o cifs: buffer overruns when converting strings (CVE-2009-1633)

o cifs: unicode alignment and buffer sizing problems (CVE-2009-1439)

o add some long-missing capabilities to CAP_FS_MASK (CVE-2009-1072)

o zero pages before sending to userspace (CVE-2009-1192)

o syslinux: correct kernel ordering in extlinuxconfig

5.1.5 : Part Number 91-0949971-A
--------------------------------

Bugfixes

o fixed bootloader problem on some appliances (#80475)

o fixed cache for clean installation (#80480)

o fixed stack overflow in dhcp client

5.1.4 : Part Number 91-0949871-A
--------------------------------

New and improved

o support cciss hard disks

o switch bootloader to extlinux

o update to kernel 2.6.18

Bugfixes

o heartbeat: make IPaddr2 more robust (#80075, #80176)

5.1.3 : Part Number 91-0949770-A
--------------------------------


Bugfixes

o openssl: Fix crash in ASN1_STRING_print_ex (CVE-2009-0590)

o kernel:

o fix 4 bit apicid assumption

o asn1: additional sanity checking during BER decoding (CVE-2008-1673)

o TCP: Fix shrinking windows with window scaling

o fix SMP ordering hole in fcntl_setlk() (CVE-2008-1669)

o mm: trim more holes (CVE-2008-0598)

o ruby: fix memory leak in regex module

o krb5: fix multiple vulnerabilities:

o MITKRB5-SA-2007-004 kadmind affected by multiple RPC library vulnerabilities (CVE-2007-2442, CVE-2007-2443)

o MITKRB5-SA-2007-005 kadmin vulnerable to buffer overflow (CVE-2007-2798)

o MITKRB5-SA-2007-006 kadmind RPC lib buffer overflow, uninitialized pointer (CVE-2007-3999)

o MITKRB5-SA-2008-001 double-free, uninitialized data vulnerabilities in krb5kdc (CVE-2008-0062, CVE-2008-0063)

o MITKRB5-SA-2008-002 array overrun in RPC library used by kadmin (CVE-2008-0947, CVE-2008-0948)

o MITKRB5-SA-2009-002 fix denial of service via memory corruption (CVE-2009-0846)

5.1.2 : Part Number 91-0949621-A
--------------------------------

Bugfixes

o openssl: Fix certificate verification bypass for DSA and ECDSA keys (CVE-2008-5077)

5.1.1 : Part Number 91-0949483-A
--------------------------------

New and improved

o added hsmagent


o add support for bonding devices

o add support for port forwarding

o NCipher HSM support

Bugfixes

o kernel: update tg3 driver to v3.86b (#79207)

o libxml2:

o fix recursive entities handling (CVE-2008-3281)

o fix two integer overflow vulnerabilities (CVE-2008-4225, CVE-2008-4226)

o repair serial console access (#79682)

5.1.0 : Part Number 91-0948835-A
--------------------------------

New and improved

o socks proxy

o openrdate

o htop

o ifstat

Bugfixes

o bind: update to 9.3.5-P1 including query port randomization (CVE-2008-1447)

o openldap: fix flaw in ASN.1 decoder (CVE-2008-2952)

o openntpd:

o update to 3.9p1

o do settimeofday unconditionally on startup

o openssh: support key blacklisting

o ruby:

o WEBrick CGI source disclosure (CVE-2008-1891)

o Integer overflow in rb_str_buf_append() (CVE-2008-2662)


o Integer overflow in rb_ary_store() (CVE-2008-2663)

o Unsafe use of alloca in rb_str_format() (CVE-2008-2664)

o Integer overflow in rb_ary_splice() (CVE-2008-2725)

o Integer overflow in rb_ary_splice() (CVE-2008-2726)

o fix regressions caused by security fixes

5.0.11 : Part Number 91-0949021-A
---------------------------------

Bugfixes

o kernel: randomize UDP source port (#79288)

5.0.10 : Part Number 91-0948905-A
---------------------------------

Bugfixes

o kernel:

o fix crash when unplugging USB-PS/2 adapter (#79171)

o fix crash when handling fragmented esp packets (CVE-2007-6282)

o net-snmp:

o fix authentication bypass (#79201) (CVE-2008-0960)

o fix buffer overflow in perl module (CVE-2008-2292)

5.0.9 : Part Number 91-0948708-B
--------------------------------

Bugfixes

o gnutls: fix three security issues in gnutls handshake (CVE-2008-1948, CVE-2008-1949, CVE-2008-1950)

5.0.9 : Part Number 91-0948708-A
--------------------------------

Bugfixes

o bind: fix off by one in inet_network (CVE-2008-0122)

o boost: regular expression input validation fix (CVE-2008-0171, CVE-2008-0172)

o bzip2: update to 1.0.5 (fixes CVE-2008-1372)


o cgconfig: fix cgctl not disabling heartbeat daemon

o e2fsprogs: update to 1.40.4-owl1 (fixes CVE-2007-5497)

o gnupg: update to 1.4.9

o glibc:

o fix glob stack overflow (#78847)

o update timezone data to tzcode2008a and tzdata2008b (#78999)

o net-snmp: pull latest updates from centos 5, includes fix for CVE-2007-5846 and others:

o fix crash when smux communication fails

o fix icmpStatsTable

o fix snmpwalk / bulkwalk on TCP scalars

o fix bulkwalk security flaw (CVE-2007-5846)

o fix IP address size on 64 bit platforms

o fix compilation of new MIBs on non-intel architectures

o fix -M option of net-snmp-utils

o fix sending SNMPv1 traps on v2 connections

o build with rpm-devel to support HOST-RESOURCES-MIB::hrSWInstalled

o store pid in /var/run/snmpd.pid

o fix wrong sprintf in path generation

o fix too verbose snmpassert

o fix perl bulkwalk

o extend ipv6 support of some MIBs

o openssh: don't use X11 port which can't be bound on all IP families (CVE-2008-1483)

o perl: fix a heap overflow in the UTF-8 regexp compiler (CVE-2008-1927)

o python:

o fix buffer overflow in PyString_FromStringAndSize (CVE-2008-1887)

o fix buffer overflow in zlib module (CVE-2008-1721)

o sed: update to 4.1.5 (from openwall-stable)

o unzip:

o fix invalid pointer flaw (CVE-2008-0888). Discovered by Tavis Ormandy of the Google Security Team.

o fix race condition that allows local users to modify permissions of arbitrary files (CVE-2005-2475)

o fix buffer overflow with long filenames (CVE-2005-4667)

5.0.8 : Part Number 91-0948617-A
--------------------------------

New and improved

o heartbeat support

o iptables: add CLUSTERIP support

o kernel:

o add IP virtual server support

o netfilter: add CLUSTERIP support

o SCSI/SATA/SAS backports (aacraid, aic7xxx, aic94xxx, cciss, ICH9, megaraid, MPT Fusion, qla2xxx)

o driver updates (e1000, tg3, bnx2)

o add bonding driver support

o vesa framebuffer console support

Bugfixes

o kernel: update to 2.6.16.60 including the following changes:

o wait_task_stopped: Check p->exit_state instead of TASK_TRACED (CVE-2007-5500)

o Use access mode instead of open flags to determine needed permissions (CVE-2008-0001)

o aacraid: fix security weakness

o lm87: fix division by zero


o tmpfs: restore missing clear_highpage (CVE-2007-6417)

o Handle bogus %cs selector in single-step instruction decoding (CVE-2007-3731)

o vfs: coredumping fix (CVE-2007-6206)

o libxml2: fix denial of service vulnerability (CVE-2007-6284)

o ncurses: make xterm-new the default xterm entry in terminfo

o pcre: several reliability fixes (CVE-2006-7224, CVE-2006-7225, CVE-2006-7226, CVE-2006-7230)

o ruby: fix directory permissions

o vim: disallow system() function in modelines (CVE-2007-2438)

5.0.7 : Part Number 91-0948023-A
--------------------------------

Bugfixes

o cpio: fix stack overflow in safer_name_suffix (CVE-2007-4476)

o curl: update to 7.17.1

o elinks: don't reveal POST data to HTTPS proxy (CVE-2007-5034)

o kernel: Update to 2.6.16.57, including following changes:

o Reset current->pdeath_signal on SUID binary execution (CVE-2007-3848)

o random: several fixes (CVE-2007-2453, CVE-2007-3105)

o sysfs: store sysfs inode nrs in s_ino to avoid readdir oopses (CVE-2007-3104)

o NET: Zero length write() on socket should not simply return 0.

o hugetlb: fix prio_tree unit (CVE-2007-4133)

o Don't allow the stack to grow into hugetlb reserved regions (CVE-2007-3739)

o IPv6: fix slab corruption

o IPv6: send ICMPv6 error on scope violation according to RFC 4007

o Use default 32768-61000 outgoing port range in all cases


o Netfilter: nf_conntrack: don't track locally generated special ICMP error

o Enable message signaled interrupts

o Fix security hole in aacraid (CVE-2007-4308)

o openssl:

o Fix off-by-one buffer overflow in SSL_get_shared_ciphers() (CVE-2007-5135)

o Fix Montgomery multiplication to prevent side-channel attack to retrieve private RSA keys. (CVE-2007-3108)

o ncurses: make xterm-new the default xterm entry in terminfo

o pcre: fix regular expression parsing flaws. (CVE-2007-1659, CVE-2007-1660)

o perl: fix regular expression engine flaw found by Tavis Ormandy and Will Drewry (CVE-2007-5116)

o python: fix possible exploitable integer overflow (CVE-2007-4965)

o rpm: set default 0022 umask value always

o rsync:

o update to 2.6.9

o Applied patch from Sebastian Krahmer to fix two off by one stack overflows (CVE-2007-4091).

o ruby: update to 1.8.6p111, fixes Net::HTTPS Vulnerability (CVE-2007-5162)

o tar: fix stack overflow in safer_name_suffix (CVE-2007-4476)

o util-linux: drop privileges properly when calling helpers in (u)mount. (CVE-2007-5191)

o vim:

o Fix format string vulnerability. (CVE-2007-2953)

o Disallow system() function in modelines (CVE-2007-2438)

5.0.6 : Part Number 91-0947719-A
--------------------------------

New and improved

o installer: Support for multiple hard disks


o kernel: add oprofile support for newer CPUs

Bugfixes

o bind: update to 9.3.4-P1, resolves weakness in query id generator (CVE-2007-2926)

o tcpdump: update to 3.9.7

o fixes CVE-2007-3798: BGP dissector integer overflow

o fixes CVE-2007-1218: potential buffer overflow in ieee802.11 printer

5.0.5 : Part Number 91-0947176-A
--------------------------------

New and improved

o Installer:

o Use first hard disk instead of biggest one for installing the base system

o Separate /var and /tmp partitions, drop /var/log/dump partition, mount /var and /tmp with nosuid,nodev

Bugfixes

o cgconfig:

o add sanity checks for timezone setting

o don't overwrite configuration files without preserving content (#77949)

o file: Fix potential heap overflow in file_printf of libmagic (CVE-2007-1536)

o kernel: Update to 2.6.16.yy, including following changes:

o util-linux: several bugfixes

o fix potential null pointer dereference in umount (CVE-2007-0822)

o fix potential pam modules bypass in login (CVE-2006-7108)

o fix nologin segfault

o backported flock(1) from util-linux-2.13-pre7

o correct cal -3 formatting


5.0.4 : Part Number 91-0947113-A
--------------------------------

Bugfixes

o elinks: Don't look for gettext message catalogs in relative paths (CVE-2007-2027)

o grep: several reliability fixes

o kernel: Update to 2.6.16.51, including the following changes:

o netfilter: do not modify/corrupt GREv0 packets through NAT

o IPv6: Disallow RH0 by default (CVE-2007-2242)

o Infinite recursion in netlink (CVE-2007-1861)

o Update to 2.6.16.49, including following changes:

o hrtimer: prevent overrun DoS in hrtimer_forward()

o skge/sky2: turn carrier off when down

o NET_SCHED cls_basic: fix memory leak in basic_destroy

o Fix UDP checksum issue in net poll mode

o tty_io: fix race in master pty close/slave pty close path

o python: Fix strxfrm leak (CVE-2007-2052)

5.0.3 : Part Number 91-0946965-A
--------------------------------

New and improved

o kernel: add support for kprobes

o glibc: add nscd package

Bugfixes

o bash: fix redundant RLIMIT_LOCKS

o cgconfig: handle static host routes correctly

o gnupg: update to 1.4.7, including fix for an unsigned data injection vulnerability (CVE-2007-1263)

o kernel: update to 2.6.16.46, including the following changes:

o Fix NULL pointer dereference in cls_basic


o Fix endless loop caused by inaccurate qlen counter

o Fix madvise infinite loop

o Fix multiple md bugs

o TCP: Fix sorting of SACK blocks

o TCP: skb is unexpectedly freed.

o Fix bad_inode_ops memory corruption (CVE-2006-5753)

o Fix key serial number collision handling (CVE-2007-0006)

o Prevent pseudo garbage in SYN's advertized window

o Fix ext3 block bitmap leakage

o IPv6: Handle np->opt being NULL in ipv6_getsockopt_sticky(). (CVE-2007-1000)

o IPV6: Fix for ipv6_setsockopt NULL dereference

o IPV6: fix ipv6_getsockopt_sticky copy_to_user leak

o Fix buffer overflow in Omnikey CardMan 4040 driver (CVE-2007-0005)

o Netfilter: fix several null pointer dereferences, leaks and bugs

o krb5: fix multiple vulnerabilities (CVE-2007-0956, CVE-2007-0957, CVE-2007-1216)

5.0.2 : Part Number 91-0946623-A
--------------------------------

New and improved

o kernel: add PAE support to make use of NX/XD

o kernel: add MCE checks

Bugfixes

o bash: update to 3.1 patchlevel 17

o bind: update to 9.3.4 (CVE-2007-0493, CVE-2007-0494)

o glibc: update timezone data to tzdata 2007a

o gnupg: update to 1.4.6, fixing stack overwrite vulnerability (CVE-2006-6235) and buffer overflow in openfile.c (CVE-2006-6169)


o kernel:

  o Fix fdset memleak

  o Fix race condition in usermodehelper

  o Fix ip6_tables extension header bypass bug (CVE-2006-4572)

  o Fix ip6_tables protocol bypass bug (CVE-2006-4572)

  o Fix lockup via /proc/net/ip6_flowlabel (CVE-2006-5619)

  o TCP: Don't use highmem in tcp hash size calculation.

  o IPv4: Limit rt cache size properly

  o Don't allow chmod() on the /proc/<pid>/ files

  o TG3: Fix array overrun in tg3_read_partno().

  o security/seclvl.c: fix time wrap (CVE-2005-4352)

  o Reduce ACPI verbosity on null handle condition

  o Fix possible overflow in bridge code (CVE-2006-5751)

  o Fix checks for bad address in binfmt_elf

  o Fix bridge-netfilter memory overwrite

  o Fix possible deadloop in ipv4 fib_semantics.c

  o Handle corrupted cramfs filesystems (CVE-2006-5823)

  o Handle ext3 directory corruption better (CVE-2006-6053)

  o From MOKB: handle corrupted ext2 better (CVE-2006-6054)

  o From MOKB: handle corrupted hfs filesystem (CVE-2006-6056)

  o Fix ipv4/ipv6 device initialization

  o grow_buffers infinite loop fix (CVE-2006-5757/CVE-2006-6060)

  o Save/restore eflags in context switch (CVE-2006-5173)

  o Fix incorrect user space access locking in mincore() (CVE-2006-4814)

o krb5: update to 1.4.4 + fixes (CVE-2006-3083, CVE-2006-3084, CVE-2006-6143)

o openssh: Unspecified vulnerability in the sshd Privilege Separation Monitor (CVE-2006-5794), LoginGraceTime denial of service (CVE-2004-2069), Signal handler race condition (CVE-2006-5051)

o openssl: Buffer overflow in the SSL_get_shared_ciphers (CVE-2006-3738), get_server_hello denial of service (CVE-2006-4343)

o python: fix unicode repr bug (CVE-2006-4990)

o rpm: fix buffer overflow in showQueryPackage (CVE-2006-5466), fix check-prereqs

o ruby: update to 1.8.5p2 (CVE-2006-5467, CVE-2006-6303)

o screen: fix UTF-8 combining characters handling (CVE-2006-4573)

o tar: fix symlink vulnerability (CVE-2006-6097)

o texinfo: fix heap overflow in texindex (CVE-2006-4810)

o wget: fix double free, denial of service in ftp (CVE-2006-6719)

o Use update proxy for appliance updates (77154)

5.0.1 : Part Number 91-0946552-A
--------------------------------

Bugfixes

o cgconfig: wait a small period of time for usbstick on boot when applying external config.xml (77271)

o Set symlinks to LDAP libraries (77067)

5.0.0 : Part Number 91-0946258-A
--------------------------------

New and Improved

o First release of CgLinux 5 Series

o Kernel 2.6.16

o Glibc 2.3.6

o gcc 3.4.6

o Online package update mechanism based on rpm/yum

McAfee Web Gateway 6.x
======================

This file contains the new features, changed features and bugs that have been fixed for version 6.x of the McAfee Web Gateway product. For additional tips and information, see the Webwasher Online Help and/or User Guide.

6.9.1 build 12571: Part Number 91-0950194-E
-------------------------------------------

New and Improved

Bugs Fixed

o Big sqlite database "wwwp" causes welcome page to fail (81760)

o System crash, an unhandled ACCESS_VIOLATION exception (81755)

o With SafeSearch enabled, some cookies were removed from the request (81754)

o Failure of log transfer over FTP may create duplicate files at the FTP server (81747)

o Dashboard not shown in IE6 (81740)

o Internal error while accessing a website with SSL Scanner enabled using self signed certificates (81737, 81739)

o "wwauth still busy" error messages appear in the logs (81734)

o Custom header gets duplicated (81733)

o Incorrect command syntax in system configuration documentation for removing stale nodes (81702)

o Valid archive blocked as corrupt (81689)

o "Can not load CRL" messages appear in the logs (81660)

o Proactive Scanning Database version in Overview always set to zero (81549)

6.9.0 build 11742: Part Number 91-0950194-D
-------------------------------------------

New and Improved

o RootCA certificate handling (81703)

o New help page added explaining the update server concept (81629)

Bugs Fixed

o No revoked certificates for some CAs (81662)

o Can not load CRL error for CRLs which work in the browser (81660)

o System crash, an unhandled ACCESS_VIOLATION exception (81643)

o MWG on Windows crashes frequently (81678)

o POST protocol failure with 100 continue (81624)

o server_ip is not logged in proxy with HTTP 502 response (81683)

o max-age in 304 response not used for cache time (81701)

o SpamEquator update failed: Could not find all the files (81655)

o Too many "Cannot load CRL" entries in errors.log (81676)

o Valid archive blocked as corrupt (81689)

o A specific file which cannot be scanned by Avira engine is not blocked (81692)

o SNMP counter issue (81649)

o Upgrade Trusted source library to 2.0.6.01 (81724)

6.9.0 build 11282: Part Number 91-0950194-C
-------------------------------------------

New and Improved

Bugs Fixed

o After upgrade clients are not following redirect to auth server (81675)

o 6.9 upgrade breaks CM site instances (81673)

o Unable to Join Central Management After Upgrading to 6.9 (81670)

6.9.0 build 10927: Part Number 91-0950194-B
-------------------------------------------

New and Improved

Bugs Fixed

o Cannot load legacy AV after upgrade to 6.9 (81647)

o Customer Upgraded to 6.9 and Now the Application Terminates with termsignal=11 (81641)

o MWG sends 502 could not connect when accessing cached file (81636)

o Win7 clients NTLM auth fails through MWG 6.9 (81633)

o Incorrect Behavior of "Cache Revalidation Rules" (81597)

o Central Management update failing, sites unsubscribed (81572)

o License change can lead to disabled AV scanning (81557)

6.9.0 build 10636: Part Number 91-0950194-A
-------------------------------------------

New and Improved

o The following procedure must be completed to install MWG 6.9.0:

  - install the repository for MWG 6.9.0:
    - from a system console, log on to the appliance using SSH
    - run the following command:
        yum install yumconf-6.9

  - perform an update on the user interface or from a system console:
    - to update on the user interface:
      - go to Configuration > Appliance > Update
      - click the "Contact" button in section "Check for Updates"
    - from a system console, log on to the appliance using SSH
    - run the following command:
        yum upgrade

o Process of delayed login after login failure improved (81461)

o Load AV updates in background (81307, 81351)

o Remove tar files after centralized update (81239)

o Trusted Source Cloud Support (81111)

o Single automatic AV engine restart after "cannot load AV" error (80819, 81252, 81256)

o Prevent AV update being cancelled while it still downloads files (81121)

o Add option to ignore base McAfee AV engine although licensed (81120)

o Input validation for 'content-length greater than' whitelist entry (81109)

o Handle eDirectory synchronization in background (81113)

o AV engine: possibility to re-start AV engine via SSH implemented (81036)

o Add system alert if Mailshell LiveFeed is not activated (81008)

o Memory Defragmentation and MP ICAP servers in maintenance mode cause "Cold Restart" SNMP Trap to be sent (80966)

o Attempt to recover connection to AD taking longer than 3 minutes (80942)

Bugs Fixed

o MWG adding extra line between headers and body (81540)

o Authentication server wwparam causes Ajax site to make bad request (81533)

o Quota issues (81499, 81431)

o Overload handling prints overload message mistakenly (81444)

o Override accounts are not visible (81491)

o Auto-pushing failed sometimes (81472)

o McAfee Gateway Anti-Malware on Windows does not detect Eicar (81432)

o Central management deleting last ip mapping entry (81416)

o Downloaded exe file saved as zip archive on windows 7 (81413)

o Vulnerability CVE-2010-0405 (81399)

o Overload issue - Enhanced IFP worker & Output threads to be created with custom stack size (81395)

o Inspect certificate not working correctly (81393)

o Respmod Bypass List not working with assignment of a policy to a proxy port (81361)

o Client Certificate handling does not allow sending certificate chain (81282)

o Wrong media type detection with gmail (81330, 81348, 81364)

o High memory under low load caused by big dashboard-database (81312)

o Threads in close_wait cause memory overload (81291)

o McAfee Gateway Anti-Malware Engine fails to load on debian (81287)

o Archive blocked because "content size greater than the defined size limit" (81274)

o ICAP Processes fail to load URL Filter list (81264)

o FTP communication problem - MWG closes connection after entering pasv mode (81269)

o Wrong media type for embedded images in .ppt file (81258)

o Media type detection for URLs that can result in dynamic content (81240)

o MIB Browser not working on SLES 9 & 10 installation (81230)

o Unpacked archive size grows with defined limit (81221)

o Extended list manager unable to read "&" symbol (81201)

o Upload of jpg to cms fails (81188)

o Hanging actions: Cluster Node Job Queue and Persistent Quota Info Sync (81179)

o Google searches do not work with safesearch enforcer enabled (81171)

o Dashboard data not sticking within IE (6,7,8) (81167)

o WW requests -web.washer- were sent to next hop (81150)

o The same CRL download url was added multiple times (81149)

o Centralized Management: after upgrading to 6.8.7, 3 of 8 nodes not subscribed to master (81144)

o Flag in the NTLMSSP_NEGOTIATE message (81143)

o Site UI port changed by Master when joined despite being exempted (81124)

o Blank known certificates authorities showing after upgrade (81103)

o Cache Settings mysteriously change in web interface when switching between tabs using Firefox (81101)

o LDAP authentication: spaces break ldap browser (81100)

o Appliance crashing child process exited (termsignal=7) unable to start due to frequent failures (81099)

o Webwasher-csm.install contains unnecessary check if /usr is writeable (81092)

o MWG blocks a couple of LZH archives (81088)

o DNS Cache usage causes slow web performance (81063)

o Lot of application/ogg traffic (81062)

o Files in /opt/webwasher-csm mysteriously are deleted (81051)

o Less than character (<) breaking JIS encoding (81042)

o MP: IFP block page content not working with multiprocess (81034)

o Overload handling not kicking in, though enabled (81028)

o Welcome page: welcomeack.html only available for default policy (81025)

o Error template: http hard coded in connectnotallowed.html template (81021)

o Newly added CAs are not pushed to site instances properly (80817)

o Media Type Filter blocks .css files as application/x-pn-realmedia (81015)

o Crash during Cab archive processing (81011)

o Media type application/x-www-form-urlencoded could not get whitelisted (80997)

o Media type filter: application/x-msregedit files not detected correctly (80996)

o No Block_res code for embedded Objects filter (80987)

o Safesearch enforcer breaks google preferences (80972)

o Snmp category activity is incorrect (80967)

o Progress Page: Own Host Name -> Use other host or URL not working (80965)

o Memory Overload occurred with minimal load (80958)

o LDAP wizard creating "$attrlist$" and "Error: 0. Error description: " (80947)

o Authentication Server redirect does not work as expected for HTTPS pages on first redirect (80932)

o SQLITE database corrupted: No traffic passing through WebWasher (80931)

o Corrupt timeseries.ww causes non-recoverable termsignal 11 (80930)

o MWG detecting cab file as corrupt, able to extract with WinZIP (80929)

o GUI: Routes not displayed properly (80919)

o Authentication: threads stuck in 'Status=kAuthenticate', MWG eventually hangs (80873)

o FTP-over-HTTP fails with anonymous user if blank password is specified (80864)

o Archive blocked as corrupted (80850)

o MWG crashing with termsignal=11 on Suse9 (80715)

o Safe search breaks google trends (78574)

6.8.7 build 5820: Part Number 91-0950194-A
------------------------------------------

New and Improved

Bugs Fixed

6.8.6 build 5788: Part Number 91-0950032-A
------------------------------------------

New and Improved

o Improved stack size handling for auth server and end user port (80676)

o Change default settings for TrustedSource Web Reputation (80624)

o Home->Support should link to McAfee (80576)

o Improved Welcome Page functionality (80547, 79063)

o Add new certificates and hosts to SSL Scanner lists (80352, 80527)

Bugs Fixed

o SSL Scanner bypass vulnerability on wildcard certificate check (80680)

o Endless loop in Cab archive (80652)

o SNMP traps for URL list updates not working (80648)

o Receiving "Download Cancelled" after clicking download button in IE7 (80647)

o Document Inspector System Alert will not disappear (80646)

o Prevent DOS attack to authentication server (80642)

o WW prints internal messages to errors log (80629)

o Advertising filter destroys JavaScript (80627)

o MP: Inconsistent IP mapping with Multi Process mode (80623)

o Microsoft Project file (.mpp extension) blocked as audio/mpeg (80622)

o WWoB: on master blade feedback scripts (started with "2") shows "lsof" related warnings (80615)

o Memory defrag script (80610)

o Download of gmx eMail attachments failed (80609)

o MPClusterControl unable to update nodes when Web Interface has IP restrictions (80608)

o Native NTLM: Group memberships get mixed up (80607)

o Crash when talking to ePO server (80606)

o "Detect unsolicited POSTs" will break forms (80591)

o Archive blocked as corrupted (80581)

o SSL-Scanner - HSM-Agent: Root CA key cannot be loaded on startup (80571, 80578)

o Must be able to handle multiple 100-Continue messages from web server (80567)

o Update from 6.7.6 to 6.8.5 broke settings.xml (80540)

o Long text causing page display issues (80539)

o Content type "application x-ms-application" is changed to "text/xml" (80530)

o Real-time classifier blocks words containing unicode characters (80508)

o SNMP statistics are not accurate after multi-process is enabled (80479)

o Outdated Dynablocator directory and file is copied to all ICAP processes in MP (80474)

o Redirect via query string parameter on gui login page (80444)

o Potential cross-site scripting vulnerabilities in web UI (80442, 80443)

o Certain Generic Header Filter combination may crash MWG (80430)

o URL Executive Summary (80398)

o Drop downs for dashboards not displayed right in IE (80392)

o WCCP and overload protection not playing nice together (80342)

o Quota reset does not work from secure admin shell (80287)

o SafeSearch enforcer produces false positives (79898)

o Known Root CAs not synchronized in Cluster (79513)

o Download Canceled page always displayed in English (79326)

o eDirectory settings broken by cluster (78709)

o HTTP links in HTTPS blockpages (78634)

o Unwanted red warning for anonymous ldap bind (78612)

o Time and Date in web interface is reset after reboot (78085)

o WebUpload Filter active, even though not enabled (77079)

o Src_ip and auth_user are not working in the security.log (76236)

6.8.5 build 5330: Part Number 91-0949869-E
------------------------------------------

Bugs Fixed

o Native NTLM: Group memberships get mixed up (80607)

o SSL-Scanner - HSM-Agent: Root CA key cannot be loaded on startup (80571)

o Various crashes in SSH command line interface (80522, 80524, 80523, 80616, 80621)

6.8.5 build 5141: Part Number 91-0949869-D
------------------------------------------

Bugs Fixed

o Memory is getting filled up in 3 minutes (80535)

o Incorrect group mapping using native NTLM-authentication (80528)

o Authentication problem with NTLM-agent (80515)

o Problems related to TCP window scaling occur for some sites after upgrading (80517)

o Problem with centralized A/V updates (80516)

o Role allows reading logs, but Webwasher is forbidding it (80504)

o Auto-pushing fails when using domain\user for the username field in the common push target (80495)

o Escape character for shockwave-flash media type not being treated properly (80490)

o Mpcluster control jumping between statuses (80485)

o Files over 4 GB shows wrong size over FTP (80412)

6.8.5 build 5094: Part Number 91-0949869-C
------------------------------------------

Bugs Fixed

o Not possible to initialise Generic Body Filter if Anti-Malware is not licensed (80513, 80521)

6.8.5 build 5051: Part Number 91-0949869-B
------------------------------------------

New and Improved

o Ability to disable exploit protection against double Content-Length headers (80459)

Bugs Fixed

o FTP over FTP Client is not working after upgrade on 6.8.5 (80476)

o Option to add leading Slash in FTP Retr Command (78400)

o Download fails sporadically using Progress Pages (80041)

o Log pusher attempts to push files that no longer exist (80468)

o Problems with log rotation and merging (80473)

o For clean installations on WW2900E cache cannot be enabled (80480)

o WW500 failed to boot after upgrade (80475)

o Sporadic Authentication Popup with Native NTLM (79684)

o Webwasher crashes in Authenticode Filter (80487)

6.8.5 build 4971: Part Number 91-0949869-A
------------------------------------------

New and Improved

o Support Anti Malware engine with Proactive NG (79968) (NOTE: Requires an AV and a Proactive update after version upgrade)

o Log Manager: Ability to configure pushed log filename (80360)

o ICAP client: workaround for incompatible DLP servers (79839)

o Incremental update for McAfee AV engine (80333)

o Support WCCP "Weight" functionality (80423)

Bugs Fixed

o Too many 407 responses when using NTLM cache (80251, 79988)

o Central Management: running feedback from GUI froze master and sites (80385)

o Log Manager: Several improvements (80386, 80378, 80374, 80367, 80360, 80370, 80345, 80339, 80361)

o GUI: filter option overwrites routes (80369)

o SSL Scanner: error behavior in case of unicode encoded cn in transparent environment

o ICAP client: Response time increased after enabling multi processing (80363)

o TrustedSource: score still applied even though domain is whitelisted for spam filter (8035)

o Proxy: Improved Timeout values (79958)

o Welcome page may incorrectly build the submit action link (80285)

o Overload issues persist with 6.8.4 (80407, 80406, 80393)

o Problem with custom action in Multi Process mode (80405)

o MP Control stopped maintenance after icap server crash (80415)

o Interrupted requests should be logged in proxy's access.log (80422)

o HA cluster is not working as expected (80176, 80075)

6.8.4 build 4798: Part Number 91-0949750-A
------------------------------------------

New and Improved

o Increase performance on WW1900 and WW2900 (79911, 79912, 79913, 79915, 79921, 79922, 79923)

o Reduced Memory consumption per open connection (80113)

o Support McAfee's ePolicy Orchestrator (ePO) (79918)

o Rebranding to McAfee (79924)

o Increase robustness against AV update issues (79920, 79939, 79940, 79975)

o Log file push enhancements (79914)

o Execute feedback.sh from the GUI (77850)

o Memory Defragmentation options added (79871)

o Support cache_status and block_res in custom logfiles (78232)

o Parent proxy policy enhancement for URL AND IP subnet (79803)

o NTLM Cache should be a GUI option (79900)

o Show time interval length in Dashboard (78977)

o Default Respmod Whitelist for problematic sites (80293)

Bugs Fixed

o Too many 407 responses when using NTLM cache (80251, 79988)

o SNMP variables do not reset automatically (80026)

o Login page is missing error message when bad credentials are entered (80020)

o Breaking connection to AD on error STATUS_INVALID_WORKSTATION (80023)

o Authentication failing with multiple NTLM agents (80017)

o File incorrectly identified as audio/mpeg (79961)

o E-Mail attachments (.XLS or .PPT) are blocked by Media Type Filter as mpeg (79938)

o Cannot join WW to domain with trusted credentials (79878)

o RADIUS password limits at 16 characters (79845)

o Web Upload Filter: size limit without effect (79925)

o Web Upload Filter works although Media Type Filter is switched off (79869)

o SNMP: unexpected CPU idle values (79751)

o New timeout for initial request on a connection (80066)

o Obfuscate username/password in authorized override url (80024)

o Usernames with umlauts or rings cannot authenticate via native NTLM (79999)

o FTP-Problem Webwasher loses the credentials (79989)

o WebWasher problems due to hanging action - Mobile Code Filter Update (79907)

o SSLScanner: No timeout when upstream proxy is used (79906)

o Crash in document inspector (79902)

o Old av updates not getting deleted (secure antimalware) (79876)

o Not all 'Certificate Subject Alt Name' entries passed, resulting in certificate prompt in browser (79867)

o AV license bug - update fails when the first AV module runs out of date (79826)

o Crash during multi-threading processing of Rar archive (79814)

o CCacheSocket::ReadPreviewData corrupts content when called more than once (79811)

o webwasher delivering truncated content (79809)

o Crash in Cache::CWebObject::~CWebObject (79793)

o Termsignal 11 crashes related to CLI access under heavy load (79775)

o WW delivers corrupt tar archive even when policy is set to block corrupted archives (79765)

o asctime, ctime, gmtime && localtime not threadsafe (79761)

o AntiVirus update didn't abort in time (79753)

o Termsignal 11 backtrace points to CCabDecoder::GetLzxBitsBuffer (79748)

o Termsignal 7: Bus error during Sophos update (79742)

o crash (termsig=11) in std::_Rb_tree_rotate_right (79706)

o Read-Only User Accounts can't access log files via web access (79701)

o LRU blocks after restart with full cache and constant load (79700)

o Webwasher unable to start another thread, termsignal=6 (79665)

o Cannot load certificate for web interface IP address (79625)

o WW is crashing with termsignal=7 directly after start (79623)

o HTTP Error 401.2 when NTLM Auth on Webwasher and Webserver (79612)

o Content Type ".ods/mimetype" is changed to "." (79609)

o Unwanted Mediatype not blocked when in TAR Archive (79606)

o Secure Administration Shell fails to accept large input files (79544)

o Raw post option doesn't stick (79509)

o Webwasher changed response body (79236)

o XML parsing error because of header modification (78989)

o Web reputation level not always logged correctly (79897)

o Invalid Proxy Request when downloading HTTPS file with enabled volume quota and transparent proxy (80034)

o Office 2007 Excel files blocked by magic bytes (79102)

6.8.3 build 4533: Part Number 91-0949361-C
------------------------------------------

New and Improved

o Ability to downgrade to HTTP/1.0 on a per url basis (79205)

o SSL Scanner: Different redirect handling for CERTVERIFY requests when transparent authentication has expired (79841)

o Additional RESPMOD bypass options (80001)

Bugs Fixed

o Policymapping: Problem with policy names (79864)

o Proxy/ICAP Server: Hanging threads (79840)

o AV-Update: New updates should not abort old updates too early (79975)

o SSL-Scanner: No timeout when upstream proxy is used (79906)

o Archiver: Crash during multi-threading processing of Rar-Archive (79814)

o Document Inspector: Crash in Document inspector (79902)

o Filter Engine: Webwasher crashed with termsignal 11 (79945)

o ICAP Server: "Send Body in one Frame" not always working (79978)

o ICAP Server: Optimized 204 response messages (79890)

6.8.3 build 4311: Part Number 91-0949361-B
------------------------------------------

New and Improved

o openssl: Address CVE-2008-5077

o Webcache: Accelerate Webwasher restart

Bugs Fixed

o GUI: Problems with check boxes in user based mapping (79822)

o Authentication: In special cases NTLM authentication causes browser loop (79821)

6.8.3 build 4214: Part Number 91-0949361-A
------------------------------------------

New and Improved

o HSM module support for nCipher

o Proxy: WCCP L2 Mask assignment support

o Built-in resilience in spike overload situations

o Authentication: Native NTLM support for Windows Server 2008 AD (79567)

o Authentication: Better handling for wrong NTLM messages based on a Windows problem described in http://support.microsoft.com/kb/312176/en-us (79723)

o Prevent XSS with Progress Pages (79531)

o Proxy: Prevent connect to http://0.0.0.0:xx (79530)

o Close download connection for proxy.pac files right after delivering (79709)

o Feedback Script: New log level for collecting statistical information

Bugs Fixed

o Webcache: Hanging connections if client or server dies (79599)

o Webcache: Increasing number of threads causing memory exhaustion (79573)

o Webcache: Sporadic race condition (79719)

o Configuration: After upgrade to 6.8.2 serial console access unavailable (79682)

o GUI: Timezone selection (78556)

o SNMP: Crash in SNMP if file handle over 1024 (79775)

o Proxy: Webwasher crashes with Termsignal 11 (79671)

o Proxy: FTP over HTTP can't handle some symbols in file/folder names (79451)

o Proxy: Crash in IFP server for invalid request (79760)

o Proxy: Sporadic problems with early web server connection close (e.g. www.iltalehti.fi) (79417)

o ICAP Server: Communication error when transparent auth session expired + CERTVERIFY request (79675)

o ICAP Server: Cannot download huge files (79514, 79699)

o ICAP Server: Download via Progress Page results in 0 Byte download (79556)

o Anti Malware: Failover does not work if engine could not be loaded (79677)

o Authentication: WW can't join AD domain if DCs allow only NTLMv2 (79533)

o Authentication: NTLM with Authserver - taking 5 seconds to authenticate (79508)

o Authentication: Selecting RADIUS as "accepted authentication method" causes failed authorization (79101)

o Authentication: Handle failed group lookups better for Native NTLM (79223)

o Authentication: Sporadic Authentication Popup with Native NTLM (79684)

o Document Inspector: Webwasher crashed, Backtrace points to CXMLTypeChecker (79669)

o Document Inspector: Cab file inside of MSI blocked as corrupted (79560, 79384)

o Document Inspector: Endless loop in document inspector (77966)

o Document Inspector: Special Powerpoint documents not recognized (78755)

o Document Inspector: Text categorization does not work for pdf files (79744)

o Document Inspector: Webwasher crashed during unload of XML parser (78981)

o Archiver: Archive is claimed to be over allowed size limit (79595)

o Archiver: Crash if zip archive larger than 2GB (79596)

o GUI: Cannot load certificate for web interface IP address (79625)

o Secure Administration Shell: Crash in shutdown under certain circumstances (79600)

o Mail Gateway: Inbound queue overflowed result in crash (79650)

o Mail Gateway: Deleting parts from email (79319)

o Embedded Objects: ActiveX controls not getting blocked (79648)

o Central Management: Hanging Cluster Node Job Queue action (79641)

o Central Management: Cluster Node Job Queue action hangs (79683)

o Mediatype Filter: Detection of streaming media improved (79594)

o SSL Scanner: Send whole certificate chain for incoming TLS connections (79591)

o SSL Scanner: Timeout for tunneled SSL connections (79603)

o URL Filter: Ignored if policy has spaces in it (79332)

o URL Filter: Safe Search Enforcer does not handle video.google correctly (79487)

o Termsignal 11 on Solaris 10 (79472)

6.8.2 build 3994: Part Number 91-0949324-C
------------------------------------------

New and Improved

o Feedback Script: New parameter to prevent pausing Webwasher while getting backtrace

Bugs Fixed

o Anti Virus: Crash during update of McAfee engine (79160)

o ICAP Client: Termsignal 11 or 6 while recreating "internal" ICAP service (79559, 79475, 79111)

6.8.2 build 3963: Part Number 91-0949324-B
------------------------------------------

Bugs Fixed

o Webcache: Restarting with Termsignal=11 (79537, 79545, 79160, 79547, 79548, 79526)

6.8.2 build 3889: Part Number 91-0949324-A
------------------------------------------

Bugs Fixed

o Anti Virus: Crash during update of McAfee engine (79160, 79315)

o Proxy: Under certain circumstances threads will not be ended if the server connection dies (79224)

6.8.1 build 3859: Part Number 91-0949290-A
------------------------------------------

New and Improved

o Secure Cache: consistency check for cache database on startup

Bugs Fixed

o Secure Cache: Webwasher doesn't close connections (79477)

o SMTP Gateway: TLS email delivery fails (79463)

o Authentication: 6.8 Native ntlm auth fails (79452)

o Authentication: Native NTLM user in too many groups (79412)

o Proxy: HTTP 1.0 without host header does not work for WCCP (79456)

o Archiver: Crash in Microsoft CAB archives under certain circumstances (79443)

o SMTP Gateway: Mails delivered but mailbody was changed to Cannot Load AV Engine (79232)

6.8.0 build 3780: Part Number 91-0948991-A
------------------------------------------

New and Improved

Performance improvements

o Proxy: WCCP MAC address rewrite L2 redirect (78562)

o Proxy: WCCP multi router support incl. multicast (78105)

o SSL Scanner: Tunnel SSL on expression to enhance transparent deployments

o SSL Scanner: Enhancements for interoperability with Sidewinder

o Authentication: LDAP/V3 support with SLDAP (73779)

o Authentication: Security setting that allows turning SMB signing off if server doesn't support it (79157, 79235)

o Authentication: Support for NTLM: Local Nested Groups (79087)

o Authentication: Support for NTLM: Trusted Domains

o Authentication: Support for NTLM: Possibility to search Domain Controllers via DNS lookup

o Filter: Enhancement for file size limit (78182)

o Filter: Whitelist by Content-Length header (74820)

o Anti Malware: Option to completely fail open when AV cannot load (79272)

o Configuration: Distribution of configuration for Secure Mobile Web Filter

o Reporting: New log file field "auth_group" to print the group name (73656, 75031, 76928)

o Reporting: Write custom parameters as result of Generic Header Filter (79126)

o Reporting: Log FTP Proxy Username in proxy access log (79286)

o Reporting: Optionally add domain as prefix to user name in access log when authenticating via NTLM (79070, 76832)

o Safe Search Enforcer: reduce false positives

Bugs Fixed

o Proxy: Not possible to do a redirect for site http://www.intierra.com/ (79057)

o Proxy: FTP-over-HTTP error message without Slash at the end (79188)

o Filter Engine: Action 'Library Cache' is hanging (79164)

o ICAP Server: URL Filter feedback does not send any URLs (78396)

o ICAP Server: Fetch group name from HTTP header (79127)

o SSL Scanner: Entries disappearing (78718)

o URL Filter: Sometimes Smartfilter update has to be triggered twice (78951)

o Mediatype Filter: mp3 file handling (79007)

o Mediatype Filter: XHTML Mobile not detected properly (78063)

o Mediatype Filter: Problem with type detection for special gif images (78909)

o Mediatype Filter: Office 2007 Excel files (xlsx) blocked by magic bytes (79102)

o Settings are getting changed on the site without changes on master (79097)

o Central Management: Administrator SSH public keys are not completely synchronized in cluster (79058)

o Configuration: Wrong location of "authorized_keys" file results in losing admin keys (79084)

o Configuration: Wrong file permissions after configuration restore and ww restart (75362)

o Authentication: Add domain name to group name disappears (79248)

o Subject Filter broken (79065)

o Addressing Internet Explorer bug that can lead to ICAP communication problem (79214)

o HTML Filter: in rare cases crashes Webwasher (79189)

o Archiver: multipart archive was detected as corrupted (79159)

o Secure Administration Shell: Action "SSH Idle Connection Cleanup" hangs (79297)

o Generic Header Filter: Illegal HTTP header when custom param creation is intended (79350)

o Engine Update failed if customer set archive size limit to 1 Mb (79317)

o URL Filter: Safe Search Enforcer breaks google-insight (79403)

o Anti Malware: JPEG exploit is not getting blocked anymore (79337, 79360)

6.7.6 build 3649: Part Number 91-0949014-A
------------------------------------------

Bugs Fixed

o Proxy: ICAP errors with web reputation disabled (79122)

o Native NTLM: SMB connection will fail if DC does not support SMB signing (79235)

o ProActive: Crash downloading ISO > 4 GB (79268)

o Proxy: Crash due to hanging threads (79224)

o Webcache: Crash under certain circumstances (79239)

6.7.5 build 3601: Part Number 91-0948965-A
------------------------------------------

Bugs Fixed

o Proxy: POST request fails, connection is reset (79095, 79055, 78819)

o ProActive: Streaming of flash videos video/flv broken (79182)

o Authentication: Username not written to Logfiles if NTLM Cache is activated (79141)

6.7.4 build 3534: Part Number 91-0948913-A
------------------------------------------

Bugs Fixed

o Anti Spam: Memory leak in Mailshell library (78680)

o SSL Scanner: SSL handshake error (79151, 79185)

o SNMP: Authentication bypass in net-snmp/wwsnmp (79201)

o Webcache: Webwasher crashes under certain circumstances (79054)

6.7.3 build 3507: Part Number 91-0948855-A
------------------------------------------

Bugs Fixed

o Document Inspector: False Positive in XML files for McAfee virus scanner (79086)

o Authentication: Encrypted file cannot be loaded if file length is exactly X kb (79153)

o Authentication: Segfault occurred if server returned RPC packet of FAULT type (79139)

6.7.2 build 3448: Part Number 91-0948711-A
------------------------------------------

New and Improved

o SSL Scanner: Preinstalled root CAs updated

o Media Type Detection: Detection of quicktime containers enhanced (78988)

o Proxy.pac file with customizable caching age (78749)

o Authentication: Multi packet response support for Native NTLM (79061)

o Authentication: NTLM machine name field limited to 15 characters for compatibility reasons (79015)

o Authentication: Test page for NTLM configuration in GUI

o SSL Scanner: Problem with new SSL Scanner licensing (78945, 78946)

Bugs Fixed

o ICAP client error (79036)

o Inconsistent progress page interface (78998)

o Trusted Source: Rating under Solaris always 50 (78584)

o Proxy: Proxy.pac file corrupted when delivered to site instance (78681)

o Proxy: HTTP pipelining not working (79010)

o GUI: Correct use of certificate chain for webinterface (77784)

o Document Inspector: PDF file is blocked when "Embedded Script" enabled (78982, 79035)

o Document Inspector: Error with scanning PDFs in certain circumstances (78273, 79032, 78901, 78448, 79046)

o SMTP Gateway: Crash in mail queue handling (78980)

o SMTP Gateway: Queue overview link doesn't contain port (78904)

o URL Filter: SafeSearch Enforcer blocks Google Maps (79033)

o Authentication: LDAP E-mail mapping and attributes with commas (78626)

6.7.1 build 3376: Part Number 91-0948643-A
------------------------------------------

Bugs Fixed

o Document Inspector: Not Working with MSOOXML (78916, 78866)

o Migration: Some Whitelist entries are deleted after update (79020)

o Authentication: IP-mapping mixed up or lost under load (78793, 78943)

o Authentication: eDirectory only uses first result for authenticating a User by IP address (78940)

o Authentication: Native NTLM limited to 10 group memberships (79011)

o Authentication: NativeNTLMv2 broken (79031)

o Authentication: Native NTLM Setup fails under certain circumstances (79009, 79042)

6.7.0 build 3295 : Part Number 91-0948352-A
-------------------------------------------

New and Improved

o High Availability support according to Linux HA

o Available under Red Hat Enterprise Linux 5.0 and Suse Linux Enterprise Server 10

o Native NTLM support

o Enhancements for "Ensured Streaming Media May Bypass AV"

o Proactive: Enhancements to decrease false positives in script code

o Authentication: Support of Radius fallback server

o Authentication: Support of Radius group mapping

o Authentication: Promptless authentication outside Webwasher subnet (78545)

o Reporting: Sort log files alphabetically (76663)

o SMTP Gateway: Different languages for digests depending on domains (78614)

o Authentication: RADIUS fallback enhancement for Admin authentication (78476)

o Archiver: Support for non-standard tar files (78783)

o SmartFilter SDK 4.3.1.06

Bugs Fixed

o WebCache: Enabled caching results in broken connections (78778)

o SMTP Gateway: "Tab" character inside header field causes address mapping to fail (78516)

o SMTP Gateway: Attachment broken when Mail Footer is added by Webwasher (78729)

o Document Inspector: Thread needs 79% CPU (78649)

o Exceptions for TLS cannot be defined (78659)

o Logging: unix_epoch variables for blockpages display incorrectly (78665)

o GUI: Backup fails because of too many server certs (78677)

o RealAudio streaming not working (78596)

o GUI: Backup includes addressmapping.txt (78720)

o SSL Scanner: Common Name displayed weird when inspecting certificate (78695)

o SSL Scanner: IP address is truncated when inserted in the certificate list (78802)

o Upload Filter: Malformed multipart/form-data upload crashes Webwasher (78722)

o Media Type Detector: HTML file detected as text/xml (78708)

o Media Type Detector: WebWasher does not recognize Powerpoint document (78755)

o Centralized Management: Cluster does not synchronize (78591)

o Proxy: Webwasher closes connection even though it sends "Proxy-Connection: keep-alive" (78889)

o Anti Malware: Settings are active though not licensed (78896)

o Unable to download large .exe file (78856)

o Proxy: Change FTP Command Filter for partial downloads when "REST 0" (78817)

o Proxy: Problem if 2 authentication methods are configured for FTP proxy (78660)

o Anti Spam: Mail Footer modifies Outlook Calendar entries (77238)

o Authentication: LDAP login prompt freezes after entering the credentials (78803)

o URL Filter: Faulting module sfcontrol.dll (78655, 78927, 78652)

o Central Management: Radius "Shared Secret" breaks on site (78824)

o Reporting: Log file structure set back to default for site instances (78883, 78829)

6.6.3 build 3150: Part Number 91-0948278-C
------------------------------------------

Bugs Fixed

o Linux vulnerability fixed (78837)

o Authentication: LDAP login prompt freezes after entering the credentials (78803)

6.6.3 build 3102: Part Number 91-0948278-B
------------------------------------------

Bugs Fixed

o Proxy: Illegally closing connection breaks web server NTLM authentication (78742)

6.6.3 build 3023: Part Number 91-0948278-A
------------------------------------------

New and Improved

o Reporting: Feedback generation without certain logs (78519)

o Reporting: Sort logfiles alphabetically (76663)

o OS sanity check for restore function (78468)

o Ad-aware updates through webwasher fail (78492)

Bugs Fixed

o Generic Body Filter: UI has problems with specific chars (78490)

o SSL Scanner: CN mismatch if CN is in unicode (78534)

o Proxy: Server authentication problem if authentication canceled (78480)

o Proactive: Update is greyed out if AV but not AntiMalware is licensed (78532)

o Problem with parameters in URL redirect custom action (78375)

o Reporting: %BR field not working for syslog action (78565)

o Reporting: Corrupted log file structure definition (76449, 78357, 78538)

o Web Reputation: Whitelist entry for sun.com does not work (78564)

o Whitelist: Not working for office documents and form data (78315)

o Authentication: Issues when admin account uses RADIUS authentication (78645)

o Authentication: "Allow Internet access when auth server is down" does not work (78557)

o Document Inspector: Thread needs 79% CPU and Webwasher is not responding (78649)

o Document Inspector: Endless loop in corrupted Excel document (78592)

o Anti Malware: Problems with Sophos engine (78550, 78540, 78513)

o Upload Filter: Crash under special circumstances (78606)

o Proxy: Malformed upstream proxy requests (78575)

o WebCache: Crash under special circumstances (78641)

6.6.2 build 2970: Part Number 91-0947890-C
------------------------------------------

Bugs Fixed

o GUI: Not possible to use full stops in administrator names (77331)

o LDAP: Problems with support for "Umlaute" (78537)

o WebCache: Crash under high load (78578)

6.6.2 build 2933: Part Number 91-0947890-B
------------------------------------------

Bugs Fixed

o Anti Spam: Memory leak during update (78453, 78357)

o Anti Spam: Webwasher crashes if there are no spamfingerprint*.dat files (78525)

o LDAP: Problems with "Umlaut" (78461)

o WebCache: Cache content inconsistent (78521)

6.6.2 build 2924: Part Number 91-0947890-A
------------------------------------------

New and Improved

o Logging: write update log information also to syslog (78351)

o GUI: hit rate displayed in "webwasher" dashboard (78348)

o Transparent IP based authentication with eDirectory

o Secure Admin Shell: Add function to reload policy (78159)

Bugs Fixed

o If custom hostname is used, ports are not added (78399)

o Action for known CAs not executed (78402)

o Content-Length Header not updated upon POST body modification (78344)

o Wrong helpfile for mail footer (78397)

o Broken files cached when bigger download is canceled (78172)

o Java application not working via Webwasher (78366)

o SSL Scanner: problems with time server certificate (78373)

o Cannot add proxy ports in Windows (78361)

o Media Type mismatch on 302 redirect (78320)

o Logging: writing garbage into access log (78289)

o Problem white listing embedded objects (78324)

o Fixed crashing bug (78325)

o "Send to Support" not working when HTTP GUI disabled (76433)

o Malformed executable causes a crash in PEParser (78391)

o Proactive Scanning: Scrambled letters on some multi-byte character set web pages (78129, 78090)

o Deleting email from digest web interface doesn't move it to trash queue (78318)

o Problems with more than one Content-length header (78352)

o Documentinspector: Deadlocks / Crashes on Windows (77995, 78003, 78161, 78274)

o GUI response slow or doesn't work (78425, 78439)

o Anti Spam: wrong Mailshell results if online query fails (78000)

o Sustain sessions in WCCP enabled load balancing deployment scenario (78335)

o WebCache: Whitelisting cache does not work (78444)

o WebCache: Too many x-cache headers (78392)

6.6.1 build 2883: Part Number 91-0947799-A
------------------------------------------

New and Improved

o Possibility to whitelist web reputation filter

o Possibility to whitelist media type adaptation (fixes: 78277, 78257, 78291)

o Dashboard: New tab "Webwasher" (77463)

o Actions: New option to set HTTP status code

o Add settings to adapt to thread/connection usage in a URL Filter only deployment

Bugs Fixed

o Web reputation and enabled cache break streaming (e.g. youtube) (78262)

o Document Inspector: Malformed Word document causes crash (78255)

o Centralized Mmgt: routing rules not sync'd completely (77932)

o Logging: Webwasher loses or forgets log lines (78170)

o Map does not load (78184)

o Anti Spam: TrustedSource ratings too high (78271)

o Anti Spam: Mail Footer modifies Outlook Calendar entries (77238)

o Progress Pages for HTTPS requests: Links to embedded objects are http (78278)

o Dashboard: Corrupt display when lists contain very long URLs (78163)

o Web Cache: problems when setup as transparent proxy (78340, 78296)

o Change permissions of lib/files directory to enable uploading of online help files via GUI (78231)

6.6.0 build 2856: Part Number 91-0947717-A
------------------------------------------

New and Improved

o Webcaching engine

o Own "DNS Cache" implementation

o Radius Authentication

o Support for scanning of large files (> 2GB) (only Appliance, Deb4.0 and RHEL 4)

o Additional SmartFilter options (CGI parameters, categorizing embedded URLs, categorization of search engine requests by keywords)

o SmartFilter SDK 4.3.1.02

o Generic Body Filter on Raw POST bodies (78034)

o Integrated authentication with Vista against UserDB (77981)

Bugs Fixed

o Incremental update of the URL Filter doesn't work (78253)

o Connections to NTLM Agent are closed too often (77926)

o Cluster: Problems in Master/Submaster configuration (77905)

o Archiver: *.ram attachment in email is blocked by "Magic Byte Mismatch" (77965)

o SMTP Gateway: Multiple recipient mail gets released/deleted for all recipients over Digest Interface (77976)

o Progress Page: The Browser save dialog presents wrong name of PDF files (77992)

o SMTP Gateway: eMail crashing Webwasher 6.5.3 (78022)

o Authentication Pop-Up doesn't show up through Webwasher (75951, 76988)

o SSL Scanner: CERTVERIFY error with www.viqtest.com (endless loop) (77889)

o NTLM-Agent: Crash on shutdown (78014)

o NTLM Agent: timeout issue (78087)

o Proxy does not log auth_user when using transparent authentication (78197)

o New media type application/xml (78199)

o Select Timezone field resets to UTC after reboot (78086)

o LDAP libraries not installed with Webwasher Debian 4.0 package (78082)

o Problem with libxml2 under Solaris (78038)

o Clean up obsolete lib dependencies under Solaris 10 (78032)

o Stream not passing Webwasher (78115)

6.5.3 build 2760 : Part Number 91-0947174-A
--------------------------------------------

New and Improved

o Roles: Support delegated creation of new admin accounts

o Secure Admin Shell: interface to User Database (77817)

o Cluster: possible to make Web / E-Mail mapping private

o GUI: Added "Add Domain Name to Group Name" box on policy mapping rules page (77835)

o Improved performance for download of pages with numerous objects via IE

o GUI function to various Url Filter features added (77788)

o Media Type Filter: Added Media Type application/xhtml+xml to Media Type Catalogue (77743)

o URL Filter: Enhanced mapping of Unicode URL parameters to Basic Access Control Filter list

o Language Packs: Support for error message templates in Korean, Portuguese, Chinese, Spanish, Italian

o Support for Debian 4.0

Bugs Fixed

o Dashboard: Empty Anti Malware Quick Snapshot (77907)

o Roles for manipulating WW UserDB (77844)

o Roles: Second administrator is not able to apply certain settings (77733)

o Roles: Way to bypass read only queue access (77837)

o Document Inspector: Detection of embedded excel files (77823)

o Embedded Object Filter: reason written for mail blocked by embedded scripts filter (77673, 76702)

o HTTP(S) Proxies: RFC compliance for Via header (77867)

o Document Inspector: Endless loop for certain PDF files (77849)

o WW stops parsing HTTP headers when a header starts with "--" (77816)

o Prefix Filter: Webwasher freezes due to hanging threads (77863)

o GUI: Correct handling of list entries with blank fields (77762)

o ProActive Scanning: allow actions with comma in name (77732)

o Embedded Scripts Filter: Scripts with Language="JavaScript1.1" are not recognized as JavaScript (77740)

o Logging: Invalid category entry in access.log for certain data (77748)

o Logging: Log file push can lead to never ending timed action (77815)

o Logging: Tab not working as delimiter in logfile definition (77834)

o Archiver: Content Type does not match only when file is zipped (77806)

o Policy Mapping: Usermapping applies to Username and Domainname (77808)

o URL Filter updates with Anti Spam only license fail (77783)

o URL Filter: volume quota not counted (77819)

o URL Filter: Block during work hours does not work (77758)

o exiting WW during update of Smartfilter results in hanging WW (77957)

o Rare crash (77683)

o UTF 16 encoded xml file not detected correctly (77795)

o Anti Spam: Own Hostname broken for End user Requests (77821)

o Java Application does not work over WebWasher with authentication (74390)

o Feedback Script: strange problem with feedback.cmd (75662)

o Mediatypes for appliance NICs are not complete (77724)

o Dashboard: Network utilization not shown (77838)

6.5.2 build 2676 : Part Number 91-0946963-A
--------------------------------------------

New and Improved

o Improve next proxy handling with HTTP 1.0 next-hop proxies (77674)

o SmartFilter SDK 4.3.02

o Logging: Support logging of filter engine information in proxy log file (includes all custom parameters and filter results) (77720)

o Updated Default Settings in clean installations to enhance out-of-the-box security policy while being compliant with common data protection requirements

o RBL check for intermediate mail server not working (77193)

o Support configuration of host routes (77705)

Bugs Fixed

o Centralized Mmgt: Reboot in cluster not working (77355)

o Centralized Mmgt: Inconsistent behaviour of centralized update (77678)

o ShellExpression Error (77193)

o URL Filter: Inappropriate Category Scheme notification (77672)

o Dashboard: System alerts are not correct (77707)

o Progress Page: Force Invalid Proxy Request notification (77702)

o FTP Proxy: Multi-line FTP replies through proxy (77679)

o Archiver: AES-encrypted Zip-archive was detected as corrupted (76880)

o Archiver: Incomplete detection of spanned zip archive (77715)

o high values in dashboard - Network Utilization (77603)

o Bypass streaming media does not work for URLs without extension (77716)

o GUI: NIC configuration page displays description field (77703)

6.5.1 build 2652 : Part Number 91-0946864-A
--------------------------------------------

New and Improved

o support GUI configuration of more than 2 NICs

o Centralized Mmgt: site can be configured to periodically request full configuration from master (77261)

Bugs Fixed

o Centralized Mmgt: Cluster out of sync after changing account password (77312)

o Centralized Mmgt: Exception for Ports in Clusterdistribution (74419)

o progresspage only shows 2Gb (77628)

o UUE encoded file handled incorrectly (77532)

o Dashboard: read-only GUI account is allowed to reset "Quicksnapshot" stats and Live Reports (77561, 77564)

o SMTP Gateway will not be started if HTTP and FTP proxy is disabled (77601)

o SSL Scanner: "Inspect Certificate" produces error when next-hop proxy is TSP, Sidewinder or ISA Server (77505)

o Post request results in 407 Proxy Authentication Required (77472)

o Wrong system alert "Progressive Lockout is used in an action but is not activated yet" (77595)

o HEAD response with content length header (77615)

o TimeScheme "Non-working hours" (77653)

o Centralized update: Spamequator update broken on sites (77400)

o Mail Gateway: Plain text mails are getting blocked (77625, 77620)

o Mail Gateway: Mails with content type message/delivery-status not recognized (77620)

o Generic Header Filter: Could not be used to detect missing header (77652)

o 'delete selected' not working correctly with static routes (77538)

o specifying media on network interface (77559)

6.5.0 build 2643 : Part Number 91-0946613-A
--------------------------------------------

New and Improved

o GUI: Dashboard and Quick Snapshots

o Initial Streaming media support

o URL Reputation System

o Welcome page

o URL Filter: Adoption of the SmartFilter SDK

o New action "Delay"

o New action "Progressive lock-out"

o New action "Authorized Override"

o Proxy: Allow actions on HTTP/FTP commands and methods

o Proxy: Proxy.pac support

o Proxy: Multiple listener ports per protocol

o Proxy: Allow to substitute IP address in FTP Port command

o Authentication: Support nested Active Directory groups

o Add URL Feedback system for uncategorized URL

o Document Inspector: XML Parser

o Document Inspector: Support Open Document Format

o Document Inspector: Support Microsoft Office Open XML

o Document Inspector: Support SOAP

o Logging: more information on actions in audit.log

o support WCCP

o GUI: Configuration of NTP

o GUI: Configuration of static routes

o GUI: Port forwarding in transparent proxy setup

Bugs Fixed

o Webwasher loses configuration (76494)

o Embedded Scripts: Executable script content was not stripped out of emails and web pages if nested <script> tags were used (77373)

o Crash with termsignal 11 (77159, 77310)

o missing session information in incident manager (77482)

o Crash because of special cab file (77452)

o Setting (Enduser) User Interface Port to 80 does not work (77445)

o Small pdf blocked by Webwasher with error File is Larger Than 2 GB (77410)

o Released mail does not go through release policy (77397)

o Multiple recipient spam emails do not get released properly (77396)

o no values for spam_res+spam_level in smtpfilter.log (77053)

o URI in Service Name List gets truncated when ending in any combination of 0 & 1s (77210)

o Centralized updates seem to avoid spamequator update on sites (77400)

o Policy mapping via IP Mapping based on X-Client-IP (77556)

o Mp3 media type detection false positives (77520)

6.0.1 build 2583 : Part Number 91-0946423-A
--------------------------------------------

Bugs Fixed

o Setting (Enduser) User Interface Port to 80 does not work (77445)

6.0.1 build 2572 : Part Number 91-0946423-A
--------------------------------------------

Bugs Fixed

o sporadic crashes when SSLScanner not licensed (77129, 77134, 77243, 77270, 77273)

o Handling of encapsulated postscripts (77327)

6.0.1 build 2533 : Part Number 91-0946423-A
--------------------------------------------

New and Improved

o Detect malformed MIME parts in text attachments

6.0.1 build 2512 : Part Number 91-0946423-A
--------------------------------------------

New and Improved

o Next Hop Proxy handling

o GUI improvements

o New ssl libs, fixes CVE-2006-2937 and CVE-2006-2940

o Read-only admin can now change his own pwd (76863)

o Support to bind End User Port to port 443 (77058)

o Progress Pages resize the window if a download popup is too small

o Enhance Progress Page to work with Internet Explorer 7

Bugs Fixed

o Quotas not synced in cluster (76972)

o Fixed NTLM authentication at a webserver (76988)

o Wrong status code 500 instead of 502/504 if server can't be reached (76976)

o SSL Scanner: Rare crashes with Progress Pages (76931)

o IFP Server implementation more robust (77007)

o SMTP Gateway: A malformed mail containing an attachment of type message/rfc822 that had a single section of type message/rfc822 that had a single section of type message/rfc822, repeated 4771 times, causes a crash (77017)

o GUI: Secure/Unsecure mix of images in internal request and error messages (77040)

o GUI: limited administrator role not correct (77173)

o SSL-Scanner: SSL handshake fails on server with pkcs1 padding error (76057)

o Fixed "Use other host or URL" on Queue View (77051)

o URL Filter: Filter by Expression list loses its settings (77065)

o Links in Overall Summary Reports lead to empty Policy Reports (77066)

o SMTP Gateway: Digest buttons sometimes show wrong deposited URLs (77063)

o Crash if embedded object is referenced by a large URL > 1023 with whitelisted Mediatype Filter (77064)

o Next Proxy settings not reachable when Next Proxies down (77078)

o Un-justified System Alert on Site when using "Centralized Update" (77080)

o Improved stability under Solaris 10

o

6.0 build 2455 : Part Number 91-0946256-A
------------------------------------------

New and Improved

o New product Anti Malware including Secure Anti-Malware engine

o User Database added to support authentication without need of external directory services

o User Database: Allow new users to add themselves if they can authenticate at the LDAP Server

o Support transparent authentication with internal challenge/response method, basic authentication, basic authentication over SSL or login page (76081)

o Support of the Internet Filtering Protocol IFP

o Proactive: Enhanced heuristic for Windows executables

o Proactive: Execution Path Disassembler (PE parser)

o Proactive: Identify client computers that may have Potentially Unwanted Programs (PUP) installed

o Proactive: Enhanced VB and Java Script detection

o Proactive: Split rules set for JavaApplets and Java Application

o Proactive: Special rules for Trusted Sites to avoid false positives (75932)

o Proactive: Script engine for special rules (e.g. jpeg, WMF vulnerability)

o Anti Spam: Fingerprinting of mails to avoid misclassification

o Anti Spam: Automatic whitelisting of sender information (74376)

o Anti Spam: Automatic whitelisting on release from Spam Queue (74780)

o Anti Spam: More MailShell options in GUI

o Anti Spam: On site training of MailShell filter by customer spam and ham messages

o Anti Spam: Support of TrustedSource as new Spam method

o Mail Gateway: Support of TrustedSource in the SMTP dialog to reject mail directly

o Mail Gateway: Centralized queue management (e.g. replication/fallback)

o Mail Gateway: Centralized queue view in cluster

o Mail Gateway: Resend Digest

o Mail Gateway: TLS Support for SMTP

o Mail Gateway: Address mapping for sender and recipients in incoming and outgoing mails

o Message Filter: Offer filter action "Remove Attachments"

o Message Filter: Enhanced Phishing Filter

o GUI: Redesigned for improved usability

o GUI: Ajax support for realtime values (e.g. Live Reports, update status, statistics)

o GUI: Sessions support with automatic logout (73948)

o GUI: Audit logging to track configuration changes

o GUI: Click history for smarter GUI navigation

o GUI: Import/Export for error templates

o GUI: Alert when leaving a page without "Apply Changes"

o GUI: Improved list views

o GUI: Optional display of Web and/or Mail settings

o Cluster: Synchronization of Quota data (74977)

o Queue based feedback system for Spam and Malware

o Content Security: Improved detection of unknown embedded scripts (75515)

o Own port for end user operations like Digest or password changes in User Database (74782)

o Proxies: Failover and routing rules for all parent proxies

o Proxies: Individual authentication processes for each proxy (76343)

o Secure Administration Shell: Different public key for every admin (76342)

o Archive Handler: Can be switched off (76344)

o Distributed Updates for all subscription based data in cluster (74515, 76040)

o Increased granularity in White List for Content Security filters (76396)

Bugs Fixed

o Crashes with termsignal 6 and 11 in CHTTPSConnection (76281)

o Archive Handler: Email attachment is filtered from Archive Handler Web section (76316)

o Archive Handler: Zip Files perilously detected as corrupted Archive (76391)

o Logging: "spam-res" and "spam-level" print mail subject in custom log file (76418)

o Passwords containing "Umlauts" do not work - No Access (76428)

o Document Inspector: Encrypted PowerPoint documents are treated as simple OLE2 Structured Storage files (76476)

o ProActive: damages PDF file (76567)

o Error message with wrong language (76613)

o smtp helo displays trailing ";" on the helo name (76652)

o Progress Page: download of big files named with blanks (76740)