-------------------------------------------------------------------------------
visonysAirlock Update
-------------------------------------------------------------------------------

This update is applicable to the following versions of visonysAirlock:

  4.1-10.36
  4.1-10.35
  4.1-10.28
  4.1-10.20
  4.1-10.18
  4.1-10.17


UPDATE
------

An update is a cumulative set of all changes (updates and hotfixes) which have
been released up to the current version. An update increases the buildcode of
a visonysAirlock system.


Urgency Levels
--------------

SECURITY: This update/hotfix addresses security issues.
HIGH:     The installation is recommended to all customers using the affected
          Airlock version.
MEDIUM:   The installation of the update/hotfix is recommended to customers
          making frequent configuration changes in the affected area.
LOW:      The installation is recommended to customers who have problems
          related to the issues fixed in the update/hotfix.


WARNING
-------

Visonys recommends applying the update using a console (KVM or serial). In
some situations a network connection (as used for SSH) may break the update
process, especially if the connection is routed.


Changes
-------

4.1-10.36 [E] urgency: HIGH

- FIX: UD-1873 Eliminated a race condition in backend host management that
  could lead to a service outage in version 4.1-10.35
  (CASE-4439, CASE-4597, CASE-4601, CASE-4603)

*******************************************************************************
Incompatibility Warning for High Availability Clusters

The High Availability (HA, failover) protocol starting with 4.1-10.35 is not
compatible with previous versions. If you use incompatible versions in a
cluster, both hosts will be active.
Visonys recommends the following procedure to avoid two active hosts during
update installation:

1) Download the script airlockstate.sh from the download page.
2) Copy it into /var/tmp of the passive host and make sure it has the
   execution bit set with "chmod 010 /var/tmp/airlockstate.sh".
3) Execute "/var/tmp/airlockstate.sh offline" to set the passive host offline.
   When offline, the passive host won't become active when you update the
   active host.
4) Install the new update onto the active host.
5) Check whether the updated host works fine. In case you encounter a problem
   with the update, you can take the active host offline by executing the
   command "/opt/slt/ses/netcfg/airlockstate.sh offline" and take the passive
   host back online with "/var/tmp/airlockstate.sh online".
6) Install the update onto the passive host, which is still offline.
7) After the update the passive host will automatically be online and observe
   the active host.

NOTE: Your servers will not be reachable during installation of the update in
step 4). The break depends on your hardware and can take up to a couple of
minutes. If this is unacceptable for you and you need assistance with other
transition paths, please contact support@visonys.com.
*******************************************************************************

NOTE: Applying this update will restart some services and terminate all user
sessions.

-------------------------------------------------------------------------------
IMPORTANT: You MUST manually activate your configuration in the Web GUI after
installing this update.
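A pre-flight check for the HA procedure above, added here as an example and not part of the Visonys release notes: it encodes the applicable-buildcode list and the 4.1-10.35 HA protocol change stated in these notes and reports, for a given active/passive pair, whether the pair is already incompatible or must have the passive host taken offline before step 4. The buildcode strings passed in and the host roles are assumptions.

```python
"""Pre-flight check for updating a visonysAirlock HA pair to 4.1-10.36.

Added example, not Visonys code. It encodes two facts from the release notes:
which buildcodes this update applies to, and that the HA protocol changed in
4.1-10.35, so a cluster mixing older and newer builds ends up active/active.
"""
import re

# Buildcodes listed in the release notes as targets of this update.
APPLICABLE = {"4.1-10.36", "4.1-10.35", "4.1-10.28",
              "4.1-10.20", "4.1-10.18", "4.1-10.17"}
HA_PROTOCOL_CHANGE = (4, 1, 10, 35)  # first build with the new failover protocol
TAKE_OFFLINE = "/var/tmp/airlockstate.sh offline"  # step 3 of the procedure

def parse_buildcode(code):
    """'4.1-10.36' -> (4, 1, 10, 36); rejects anything not in that shape."""
    m = re.fullmatch(r"(\d+)\.(\d+)-(\d+)\.(\d+)", code.strip())
    if not m:
        raise ValueError("unrecognised buildcode: %r" % code)
    return tuple(int(x) for x in m.groups())

def ha_generation(code):
    """'new' for builds that speak the 4.1-10.35 HA protocol, else 'old'."""
    return "new" if parse_buildcode(code) >= HA_PROTOCOL_CHANGE else "old"

def preflight(active, passive):
    """Findings for an (active, passive) pair as (severity, message) tuples."""
    findings = []
    for role, code in (("active", active), ("passive", passive)):
        if code not in APPLICABLE:
            findings.append(("ERROR", "%s host %s: this update does not apply"
                             % (role, code)))
    if findings:
        return findings
    if ha_generation(active) != ha_generation(passive):
        findings.append(("ERROR", "cluster already mixes HA protocol "
                         "generations; expect both hosts to be active"))
    elif ha_generation(passive) == "old":
        # Updating the active host first would leave the pair incompatible.
        findings.append(("WARN", "passive host predates 4.1-10.35: run '%s' "
                         "on it before updating the active host" % TAKE_OFFLINE))
    else:
        findings.append(("INFO", "both hosts already use the 4.1-10.35 HA "
                         "protocol; follow the documented procedure anyway"))
    return findings
```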
-------------------------------------------------------------------------------

4.1-10.35 [D] urgency: HIGH

- NEW: UD-1803 Support for hidden virtual hosts (useful in special network
  environments only, see http://techzone.visonys.com/hidden-virtual-hosts)
- NEW: UD-1804 Encrypted storage of token passwords for server authentication
  via PKCS#11
- NEW: UD-1808 Allow invalid HTTP responses that consist only of an HTTP body
  (CASE-4108)
- NEW: UD-1809 Allow request URLs that are longer than 2kb
- NEW: UD-1810 Mapping-based integration mode for better admin support during
  configuration and less verbose production mode
- NEW: UD-1811 Exhaustive log messages per block reason and a summary message
  per request (CASE-4215)
- NEW: UD-1817 Enhanced all request log messages with searchable elements:
  session ID, request ID, IP address and mapping
- NEW: UD-1821 Fast access links from virtual host, mapping and rules
  configuration pages to Log Viewer
- NEW: UD-1824 Update installation produces a logfile
- NEW: UD-1834 Added drivers FJSVqed and FJSVfed for Sparc systems
  (new installations only)
- NEW: UD-1836 Support for ipge network interface driver in
  localsettings-nicspeed
- NEW: UD-1844 Automatic line-wrapping within long words in Log Viewer
- NEW: UD-1849 Integration mode log message WR-SG-COOKIE-050 on Info level
  when a cookie is added to the cookie store
- NEW: UD-1857 Integrated VMware tools installation during system installation
  and via menu under "Expert Settings"
- NEW: UD-1866 Perform self check and repair on passive HA host
- NEW: UD-1867 Deep health check on partner HA host that guarantees that web
  requests will be processed by the filter engine
- NEW: UD-1863 Added script airlockstate.sh to manually control
  "online"/"offline" status of HA hosts
- NEW: UD-1872 Implicitly encode illegal spaces in queries of URLs that will be
  encrypted during response rewriting (CASE-4324)
- CHG: UD-1796 Introduced prefix for encrypted cookie values: "$xc/" (CASE-3344)
- CHG: UD-1806 Increased size of HTTP header store from 4kb to 32kb per
  session (CASE-4283)
- CHG: UD-1813 Improved responsiveness of Log Viewer display dialog
- CHG: UD-1815 Do not apply filter rules on form-protection signature
  (_758_xprot)
- CHG: UD-1818 Cleaned up log messages, such that logging is less verbose,
  especially in production mode
- CHG: UD-1820 Reduced components in Log Viewer to System and Web-Requests
- CHG: UD-1823 Make more serious internal errors visible in Log Viewer
- CHG: UD-1828 Wording change in Configuration Center menu:
  "Log settings" -> "Glob log settings"
- CHG: UD-1833 Do not send form protection signature to backend applications
- CHG: UD-1835 Separation of Log Viewer event configuration performed by users
  and updates
- CHG: UD-1840 Enabled automatic update of multiple CRLs on a virtual host
- CHG: UD-1841 More user-friendly logging of session fingerprinting
- CHG: UD-1845 Updated list of TOR gateways
- CHG: UD-1851 Keep Log Viewer display settings for 8 hours only
- CHG: UD-1852 Improved user-friendliness of pivot function in Log Viewer
- CHG: UD-1853 Prevent invalid ARP broadcasts for configured DNS servers
- CHG: UD-1855 Wording change on configuration page for virtual hosts:
  "Path rewrite" -> "Path Redirect"
- CHG: UD-1860 Facilitate analysis of core dumps
- CHG: UD-1862 Upgraded web listeners to Apache 2.2.6 and 2.0.61
- CHG: UD-1864 Use HTTP to check partner host in an HA cluster to improve
  stability under heavy load (used to be HTTPS)
- CHG: UD-1865 Add timestamps to SMF log messages for network configurator and
  failover controller
- FIX: UD-1802 Proper handling of 100-Continue HTTP responses from backend
  server (CASE-4297)
- FIX: UD-1805 Improved handling of session changes by parallel requests
  (CASE-4111)
- FIX: UD-1812 Improved overall system performance and Log Viewer
  responsiveness
- FIX: UD-1814 Reduced resource requirements to considerably increase the
  number of possible virtual hosts (CASE-3927)
- FIX: UD-1816 General Content Rewriting without Backend HTML Rewriting could
  cause wrong Content-Length for some large files (CASE-4291)
- FIX: UD-1819 Proper domain handling for backend cookies
  (CASE-3934, CASE-4002, CASE-4150, CASE-4163)
- FIX: UD-1822 Proper handling of server certificates with long names in
  Configuration Center (CASE-4138)
- FIX: UD-1825 Better handling of invalid URLs in mappings with activated URL
  encryption and threat handling "Notify"
- FIX: UD-1826 Support for URL encryption through typed regular expressions in
  backend HTML content rewriting for URIs
- FIX: UD-1827 Corrected Allow Rule settings in template mapping for
  "SSL VPN Applet"
- FIX: UD-1829 Eliminated error "cannot find Transport for DST100" in push
  mechanism of log events
- FIX: UD-1830 Show log messages from global zone in Log Viewer
- FIX: UD-1831 Fixed occasional problem with Configuration Center login after
  update installation
- FIX: UD-1832 Properly handle regular expressions with more than 10
  sub-expressions
- FIX: UD-1837 Leave double quotes in header values unchanged / fixed bug with
  ETag header (CASE-4235, CASE-4270)
- FIX: UD-1838 Allow use of client certificates without output compression
  (CASE-4092)
- FIX: UD-1839 Corrected /etc/hosts of log zone
- FIX: UD-1842 Removed unused sendmail queue management from log zone
- FIX: UD-1843 Corrected log events EVENT_SY-Y-SSH-LOGIN-OK and
  EVENT_SY-Y-SSH-LOGIN-FAILED
- FIX: UD-1846 Corrected permissions to allow SSH PKI login for user log
  (CASE-3990, CASE-3991)
- FIX: UD-1847 Improved timings in failover mechanism to reduce false positives
- FIX: UD-1848 Improved scalability for use on high-performance hardware
  (CASE-3907)
- FIX: UD-1850 Corrected integration of error page 502 (needed by ICAP only)
- FIX: UD-1856 Fixed typo in license guard, which wrote to /dev/nul (CASE-4072)
- FIX: UD-1858 Allow Configuration Center access for user "log" (CASE-4195)
- FIX: UD-1859 Improved stability of ICAP client for small ICAP responses in
  fast networks
- FIX: UD-1861 Prevent loss of session information updates
  (CASE-4111, CASE-4274)
- FIX: UD-1868 Corrected crontab entry for metacheck that caused mail queue to
  slowly fill up (CASE-4373)
- FIX: UD-1869 Prevent failover switch to passive host during activation of
  active host in an HA cluster (CASE-4410)
- FIX: UD-1870 Let passive host fully take over if web listener of active host
  does not respond anymore in an HA cluster, to prevent active-active
  situations (CASE-4271, CASE-4272, CASE-4290, CASE-4344, CASE-4381)
- FIX: UD-1871 Eliminated race condition in the context of highly parallel
  session terminations due to user logouts, which could lead to a service
  interruption (CASE-4380)


4.1-10.28 [C] urgency: LOW

- NEW: UD-1751 Allow definition of additional Configuration Center users
  (see http://techzone.visonys.com/admin-users)
- NEW: UD-1752 Show information about concurrent Configuration Center users
- NEW: UD-1753 Added automated update of Certificate Revocation Lists
  (see http://techzone.visonys.com/crl-update)
- NEW: UD-1757 Added framework for detection and prevention of session
  hijacking (see http://techzone.visonys.com/client-fingerprint)
- NEW: UD-1758 Enhanced syslog transport methods to use UDP, TCP and SSL
  (see http://techzone.visonys.com/syslog-forwarding)
- NEW: UD-1760 Added basic support for server authentication via PKCS#11 using
  NSS
- NEW: UD-1780 Added UTC to the supported timezones
- NEW: UD-1785 Added error page 502 needed by ICAP
- NEW: UD-1789 Extended control API to insert customized HTTP headers into
  HTTP requests belonging to a session
- NEW: UD-1790 Added hyperlinks from log messages to TechZone entries
- CHG: UD-1754 Improved set of predefined Log Viewer filters
- CHG: UD-1759 Reorganized activation process to reduce memory footprint
- CHG: UD-1761 Increased ratio of web listener to filter processes
- CHG: UD-1762 Removed "No, I'll do it later" option during activation
- CHG: UD-1763 Automatically convert multiline patterns to single line in
  Configuration Center
- CHG: UD-1768 Restricted logging of configuration details during activation
  to trace mode
- CHG: UD-1770 Reclassified filter engine log messages
- CHG: UD-1776 Improved various event descriptions
- CHG: UD-1778 Updated VpnApplet signature
- CHG: UD-1783 Unified network configuration files generated by installation
  and re-ip
- CHG: UD-1788 Updated list of TOR gateways
- CHG: UD-1791 Removed unnecessary log messages (stopper, su, syslog)
- FIX: UD-1755 Restrict trace warn message to appear in trace mode only
- FIX: UD-1756 Fixed failover mechanism when frontend and backend use the same
  NIC (CASE-3926)
- FIX: UD-1764 Fixed notification channels in trace mode
- FIX: UD-1765 Corrected occasional newline insertion bug in ICAP response
  parser
- FIX: UD-1766 Fixed race condition that could lead to deadlock during request
  processing
- FIX: UD-1767 Improved automatic filter selection and deselection in Log
  Viewer
- FIX: UD-1769 Corrected %uXXXX-to-UTF-8 conversion
- FIX: UD-1771 Corrected log-space guard and its notification
- FIX: UD-1772 Imposed a strict limit on the number of mappings visonysAirlock
  can handle. The limit is between 256 and 512 depending on HTTP/HTTPS use in
  virtual hosts. If the number of configured mappings exceeds this limit,
  error message WR-SG-MAPP-401 will be generated. (CASE-3739)
- FIX: UD-1773 Fixed handling of non-standard HTTP response status codes such
  as 449 (MS ActiveSync) (CASE-3785)
- FIX: UD-1774 Removed basic-auth value from control API error message
- FIX: UD-1775 Corrected event handling for recurring events
- FIX: UD-1777 Whitespace around URLs in HTML links is now ignored by the
  rewrite engine
- FIX: UD-1779 Corrected restart script for guards
- FIX: UD-1781 Lengthened expiry time of the Log Viewer settings to one week
- FIX: UD-1782 Fixed rewriting of cookie domain for pass-through cookies
- FIX: UD-1784 Improved usability of quick access links in Log Viewer
- FIX: UD-1792 Corrected syslog messaging for events
- FIX: UD-1793 Improved handling of defunct event notification processes
- FIX: UD-1794 Fixed broken "keep config" for direct upgrade from version 3.5
- FIX: UD-1795 Corrected handling of illegal failover state passive/passive
  (CASE-4025, CASE-4060)
- FIX: UD-1797 Improved detection of blocking backend requests (CASE-3971)
- FIX: UD-1799 Corrected error handling in cookie decryption (CASE-3344)


4.1-10.20 [B] urgency: HIGH

- FIX: UD-1750 Fixed deadlock in filter process termination
  (CASE-3907, CASE-3886)


4.1-10.18 [A] urgency: HIGH

- FIX: UD-1746 Corrected cookie based session tracking
- FIX: UD-1747 Apply deny rules to GET forms with enabled form protection
- FIX: UD-1748 Improved ICAP-REQMOD response headers handling
- FIX: UD-1749 Improved ICAP-REQMOD response HTTP status codes handling


How To Install
--------------

1) Use the configuration application to upload the complete update.zip
   (System admin -> Upload Airlock update file)
2) Apply the update by logging in as user 'menu' either on the console or by
   SSH:

   Example: ssh menu@my-airlock.domain.com

   The password for user 'menu' is the same as for the administrator.
3) Press "activate" in the config GUI to use the changed rules and patterns.


Visonys Contact
---------------

If you have further questions, please contact Visonys technical support:

  Email:    support@visonys.com
  Hotline:  +41 44 366 88 77
  Internet: http://www.visonys.com