Update 7.0-4.8
Reboot required
When finished, the system will reboot automatically. Please do not reboot manually.
Update of the Linux kernel
The new kernel includes a few less critical security bugfixes.
F-Secure malfunction
On the afternoon of 2019-04-10 the F-Secure antivirus scanner stopped working due to missing access permissions to a new library
file which was installed as part of the signature updates.
User synchronization from ActiveDirectory
In release 7.0-4.7 the synchronisation fails on most sites.
Update of the IPsec server
The new release fixes problems with IKEv2 re-keying.
Option to disable WLAN IP isolation
Minor bugfixes and improvements
F-Secure Antivirus
Since 2019-02-05 the scanner erroneously reports "Scanner test failed" and "F-Secure Linux Security out of function". The
scanner is tested by scanning an EICAR test file. The test fails as the scanner output format has changed.
Despite of the messages the scanner works as expected.
Minor bugfixes and improvements
Mail attachment filter and password protected RAR archives
The attachment filter fails to process emails with password protected RAR archives, if the option to check ZIP and RAR archives
is enabled. After a timeout the email will be rejected with a temporary error.
The problem particularly affects German virus email, disguised as application, frequently received since beginning of November.
If your system receives mails via SMTP, the bug prevented delivery of virus mails. If however mails are retrieved from a POP
server, the virus mails are waiting in the mailbox and will be delivered after the update. We recommend to inform all employees
or block RAR archives at least temporarily with the MIME filter before installing the update.
SSH server
The update fixes two less critical security problems in the SSH server. First, CBC block ciphers are no longer accepted. Second
a timing attack against older versions revealed if a certain user account is available in the system.
Minor bugfixes and improvements
Reboot required
When finished, the system will reboot automatically. Please do not reboot manually.
Update of the Linux kernel
This kernel contains minor improvements and fixes regarding the recently introduced protection for the Intel CPU vulnerability
"L1 Terminal Fault" (L1TF).
On virtual hosts, the vulnerability allows guest systems to access data of the host or of other guests. Please make sure that
actions have been taken on the host to protect itself and its guests.
Reverse-Proxy
Since updating the Reverse Proxy in 7.0-4.3, it has been possible that parts of the process can continue in an endless loop
if clients unexpectedly disconnect. This can lead to an exceptionally high load and influence the entire system.
If the system is already under high load, it makes sense to restart the reverse proxy service or possibly the entire system
before the update, which would otherwise unnecessarily slow down the update process.
Reboot required
When finished, the system will reboot automatically. Please do not reboot manually.
Update of the Linux kernel
The kernel protects against the next Intel CPU vulnerability "L1 Terminal Fault" (L1TF).
On virtual hosts, the vulnerability allows guest systems to access data of the host or of other guests. Please make sure that
actions have been taken on the host to protect itself and its guests.
Samba Windows client library
The update fixes a buffer overflow in the windows client library which could be triggered by extra long filenames in a directory
listing.
Reboot required
When finished, the system will reboot automatically. Please do not reboot manually.
Update of the Linux kernel
The update includes microcode updates for the Intel-CPUs of devices shipped since January 2010 (19" server) and January 2012
(thin server). The new microcodes protect against the "Spectre-NG" processor vulnerabilities "Spectre V3a" and "Spectre V4".
In addition, the microcodes improve protection against the "old" vulnerability "Spectre V2".
Protection against "Spectre V1", "Spectre V2" and "Meltdown" (V3) has been distributed with the releases 7.0-3.3 and 7.0-3.4.
Intrusion prevention and firewall
The intrusion prevention occasionally dropped TCP reset packets. As a result, the firewall encountered more "invalid" packets.
Since 7.0-4.0 the dynamic firewall was triggered by these packets due to a modification in its scoring system, sometimes blocking
IP address by mistake.
In the context of the bugfixes, logging of invalid packets has been improved. Less critical cases will only be logged in case
of exceptional accumulations.
Reverse-Proxy
The new version includes improved protective functions and supports WebSocket connections.
Web proxy content filter
With some clients problems occured especially when downloading very large files. The connection was already closed by the
proxy before the last data packets had been transmitted.
Bridging of interface "wlan0"
Minor bugfixes and improvements
Reboot required
When finished, the system will reboot automatically. Please do not reboot manually.
Update of the Linux kernel
A vulnerability in Intel processors allows an attacker who can execute his own code to gain access to sensible data in the
floating point unit (FPU). The FPU is e.g. used for hardware accelerated cryptographic operations. Instead of the affected
lazy FPU mode, the eager FPU mode is used after the update.
Recommendation to block additional filename extensions
We recommend to additionally block "iqy" and "slk" in the mail server "MIME filter" configuration and in the web proxy URL
filter list "standard". Both extensions are currently used by malware. You can find the complete list of extensions we recommend
to block in the online help of the corresponding list.
After changing the timezone, the old timezone was still displayed
New release of greylist filter with data protection compliant storage
Minor bugfixes and improvements
Interactive update
Systems updated to 7.0-4.0 before 2018-06-15 10:00 will not display the protocol while updating, if the "interactive" update
mode has been selected. Only "Updating..." is shown. The system update is complete when the message "An automatically update
is scheduled for: No pending auto update job!" appears. Next, the administration interface is updated in the background. You
may encounter problems when accessing the administration interface during this stage.
You can still follow the update progress, if you click the menu "System > Update" again just after the update has been started.
With "View latest update log" a new browser window with the update protocol will open. Use the "Refresh" button of your browser
to update the log.
IPsec server connections with preshared key
In 7.0-4.0 inbound IPsec connections initiated by third-party routers have been rejected if the authentication method is preshared
key, a static peer IP has been configured and the peer signals support for XAuth but doesn't use it.
URL filter database
Since the URL filter database update in 7.0-4.0 some Google URLs have been mistakenly categorized as "porn".
Firewall configuration in administration interface
The tab "Transp. proxy" which should have been visible in the firewall configuration of LAN and RAS interfaces was hidden
in release 7.0-4.0. The proper functioning of the firewall was not impaired.
Minor bugfixes and improvements
Secure
DEFENDO forces a collection of best-of-breed security modules like firewall, VPN, proxies, virus scanner and anti spam system to
interact for one purpose:
To be protected from all online threats and unwanted contents like malicious code, spam and hacker attacks.
Flexible
Each IT scenario is different. The DEFENDO product family will adapt precisely to your demands.
DEFENDO applies for simple internet connections of small companies, for headquarters / branch office WANs, as well as for complex
multi-tiered firewall systems.
More good reasons
- No backdoors
- More than 15 years of Internet security experience
- Award-winning product
- Support by our development engineers
- Reseller loyalty
- Made in Germany