Jobs (DE)Terms of UsePrivacy PolicyImprint

Mail attachment filter and password protected RAR archives

The attachment filter fails to process emails with password protected RAR archives, if the option to check ZIP and RAR archives is enabled. After a timeout the email will be rejected with a temporary error.
The problem particularly affects German virus email, disguised as application, frequently received since beginning of November. If your system receives mails via SMTP, the bug prevented delivery of virus mails. If however mails are retrieved from a POP server, the virus mails are waiting in the mailbox and will be delivered after the update. We recommend to inform all employees or block RAR archives at least temporarily with the MIME filter before installing the update.

SSH server

The update fixes two less critical security problems in the SSH server. First, CBC block ciphers are no longer accepted. Second a timing attack against older versions revealed if a certain user account is available in the system.

Minor bugfixes and improvements

Reboot required

When finished, the system will reboot automatically. Please do not reboot manually.

Update of the Linux kernel

This kernel contains minor improvements and fixes regarding the recently introduced protection for the Intel CPU vulnerability "L1 Terminal Fault" (L1TF).
On virtual hosts, the vulnerability allows guest systems to access data of the host or of other guests. Please make sure that actions have been taken on the host to protect itself and its guests.

Reverse-Proxy

Since updating the Reverse Proxy in 7.0-4.3, it has been possible that parts of the process can continue in an endless loop if clients unexpectedly disconnect. This can lead to an exceptionally high load and influence the entire system.
If the system is already under high load, it makes sense to restart the reverse proxy service or possibly the entire system before the update, which would otherwise unnecessarily slow down the update process.

Reboot required

When finished, the system will reboot automatically. Please do not reboot manually.

Update of the Linux kernel

The kernel protects against the next Intel CPU vulnerability "L1 Terminal Fault" (L1TF).
On virtual hosts, the vulnerability allows guest systems to access data of the host or of other guests. Please make sure that actions have been taken on the host to protect itself and its guests.

Samba Windows client library

The update fixes a buffer overflow in the windows client library which could be triggered by extra long filenames in a directory listing.

Reboot required

When finished, the system will reboot automatically. Please do not reboot manually.

Update of the Linux kernel

The update includes microcode updates for the Intel-CPUs of devices shipped since January 2010 (19" server) and January 2012 (thin server). The new microcodes protect against the "Spectre-NG" processor vulnerabilities "Spectre V3a" and "Spectre V4". In addition, the microcodes improve protection against the "old" vulnerability "Spectre V2".
Protection against "Spectre V1", "Spectre V2" and "Meltdown" (V3) has been distributed with the releases 7.0-3.3 and 7.0-3.4.

Intrusion prevention and firewall

The intrusion prevention occasionally dropped TCP reset packets. As a result, the firewall encountered more "invalid" packets. Since 7.0-4.0 the dynamic firewall was triggered by these packets due to a modification in its scoring system, sometimes blocking IP address by mistake.
In the context of the bugfixes, logging of invalid packets has been improved. Less critical cases will only be logged in case of exceptional accumulations.

Reverse-Proxy

The new version includes improved protective functions and supports WebSocket connections.

Web proxy content filter

With some clients problems occured especially when downloading very large files. The connection was already closed by the proxy before the last data packets had been transmitted.

Bridging of interface "wlan0"

Minor bugfixes and improvements

Reboot required

When finished, the system will reboot automatically. Please do not reboot manually.

Update of the Linux kernel

A vulnerability in Intel processors allows an attacker who can execute his own code to gain access to sensible data in the floating point unit (FPU). The FPU is e.g. used for hardware accelerated cryptographic operations. Instead of the affected lazy FPU mode, the eager FPU mode is used after the update.

Recommendation to block additional filename extensions

We recommend to additionally block "iqy" and "slk" in the mail server "MIME filter" configuration and in the web proxy URL filter list "standard". Both extensions are currently used by malware. You can find the complete list of extensions we recommend to block in the online help of the corresponding list.

After changing the timezone, the old timezone was still displayed

New release of greylist filter with data protection compliant storage

Minor bugfixes and improvements

Interactive update

Systems updated to 7.0-4.0 before 2018-06-15 10:00 will not display the protocol while updating, if the "interactive" update mode has been selected. Only "Updating..." is shown. The system update is complete when the message "An automatically update is scheduled for: No pending auto update job!" appears. Next, the administration interface is updated in the background. You may encounter problems when accessing the administration interface during this stage.
You can still follow the update progress, if you click the menu "System > Update" again just after the update has been started. With "View latest update log" a new browser window with the update protocol will open. Use the "Refresh" button of your browser to update the log.

IPsec server connections with preshared key

In 7.0-4.0 inbound IPsec connections initiated by third-party routers have been rejected if the authentication method is preshared key, a static peer IP has been configured and the peer signals support for XAuth but doesn't use it.

URL filter database

Since the URL filter database update in 7.0-4.0 some Google URLs have been mistakenly categorized as "porn".

Firewall configuration in administration interface

The tab "Transp. proxy" which should have been visible in the firewall configuration of LAN and RAS interfaces was hidden in release 7.0-4.0. The proper functioning of the firewall was not impaired.

Minor bugfixes and improvements

Secure

DEFENDO forces a collection of best-of-breed security modules like firewall, VPN, proxies, virus scanner and anti spam system to interact for one purpose:
To be protected from all online threats and unwanted contents like malicious code, spam and hacker attacks.

Flexible

Each IT scenario is different. The DEFENDO product family will adapt precisely to your demands.
DEFENDO applies for simple internet connections of small companies, for headquarters / branch office WANs, as well as for complex multi-tiered firewall systems.

More good reasons

  • No backdoors
  • More than 15 years of Internet security experience
  • Award-winning product
  • Support by our development engineers
  • Reseller loyalty
  • Made in Germany