Reboot required
When finished, the system will reboot automatically. Please do not reboot manually.
Update of the Linux kernel and CPU microcodes
The update contains mitigations against the Intel CPU security vulnerabilities subsumed under the term "Microarchitectural
Data Sampling" (MDS). To exploit the vulnerability, an attacker would have to execute their own malicious code on the system.
On virtual hosts, the vulnerability allows guest systems to access data of the host or of other guests. Please make sure that
actions have been taken on the host to protect itself and its guests.
The system is fully protected only if Hyperthreading is disabled, but this has a significant impact on performance. We don't
think this is really necessary, as normally only code from trusted sources is executed on the system. Feel free to disable
Hyperthreading in the BIOS yourself.
Minor bugfixes and improvements
F-Secure Antivirus
Since 2019-02-05 the scanner erroneously reports "Scanner test failed" and "F-Secure Linux Security out of function". The
scanner is tested by scanning an EICAR test file. The test fails as the scanner output format has changed.
Despite the messages, the scanner works as expected.
Minor bugfixes and improvements
Mail attachment filter and password-protected RAR archives
The attachment filter fails to process emails with password-protected RAR archives if the option to check ZIP and RAR archives
is enabled. After a timeout, the email is rejected with a temporary error.
The problem particularly affects German virus emails disguised as applications, which have been received frequently since the beginning of November.
If your system receives mail via SMTP, the bug prevented delivery of the virus mails. If, however, mail is retrieved from a POP
server, the virus mails are waiting in the mailbox and will be delivered after the update. We recommend informing all employees
or blocking RAR archives, at least temporarily, with the MIME filter before installing the update.
SSH server
The update fixes two less critical security problems in the SSH server. First, CBC block ciphers are no longer accepted. Second,
a timing attack against older versions revealed whether a certain user account exists on the system.
Minor bugfixes and improvements
Reboot required
When finished, the system will reboot automatically. Please do not reboot manually.
Update of the Linux kernel
This kernel contains minor improvements and fixes regarding the recently introduced protection for the Intel CPU vulnerability
"L1 Terminal Fault" (L1TF).
On virtual hosts, the vulnerability allows guest systems to access data of the host or of other guests. Please make sure that
actions have been taken on the host to protect itself and its guests.
Reverse-Proxy
Since the Reverse Proxy update in 7.0-4.3, parts of the process can end up in an endless loop
if clients disconnect unexpectedly. This can lead to exceptionally high load and affect the entire system.
If the system is already under high load, it makes sense to restart the reverse proxy service, or possibly the entire system,
before the update; otherwise the load would unnecessarily slow down the update process.
Reboot required
When finished, the system will reboot automatically. Please do not reboot manually.
Update of the Linux kernel
The kernel protects against the next Intel CPU vulnerability "L1 Terminal Fault" (L1TF).
On virtual hosts, the vulnerability allows guest systems to access data of the host or of other guests. Please make sure that
actions have been taken on the host to protect itself and its guests.
Samba Windows client library
The update fixes a buffer overflow in the Windows client library which could be triggered by extra-long filenames in a directory
listing.
Reboot required
When finished, the system will reboot automatically. Please do not reboot manually.
Update of the Linux kernel
The update includes microcode updates for the Intel CPUs of devices shipped since January 2010 (19" server) and January 2012
(thin server). The new microcodes protect against the "Spectre-NG" processor vulnerabilities "Spectre V3a" and "Spectre V4".
In addition, the microcodes improve protection against the "old" vulnerability "Spectre V2".
Protection against "Spectre V1", "Spectre V2" and "Meltdown" (V3) has been distributed with the releases 7.0-3.3 and 7.0-3.4.
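To confirm after the reboot that the MDS, L1TF, Spectre and Meltdown mitigations from these kernel and microcode updates are active, and whether Hyperthreading (SMT) still leaves a gap, the kernel's own status strings can be read and classified. The script below is an added example, not part of the vendor's release notes; it assumes a kernel that exposes `/sys/devices/system/cpu/vulnerabilities` and `smt/active`, and the function names and fixture values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): classify the kernel's CPU vulnerability
# status strings, including the SMT/Hyperthreading caveat.

# classify_status "STATUS" -> not_affected | mitigated | mitigated_smt_exposed
#                             | mitigated_smt_unknown | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*)                       echo not_affected ;;
        Vulnerable*)                           echo vulnerable ;;
        Mitigation:*"SMT vulnerable"*)         echo mitigated_smt_exposed ;;
        # Reported inside a guest that cannot see the host's SMT state.
        Mitigation:*"SMT Host state unknown"*) echo mitigated_smt_unknown ;;
        Mitigation:*)                          echo mitigated ;;
        *)                                     echo unknown ;;
    esac
}

# report [DIR]: one "name<TAB>class<TAB>status" line per vulnerability file.
# DIR defaults to the real sysfs path; returns 1 if any entry needs attention.
report() {
    dir="${1:-/sys/devices/system/cpu}"
    rc=0
    for f in "$dir"/vulnerabilities/*; do
        [ -r "$f" ] || continue
        status=$(cat "$f")
        class=$(classify_status "$status")
        printf '%s\t%s\t%s\n' "${f##*/}" "$class" "$status"
        case "$class" in not_affected|mitigated) ;; *) rc=1 ;; esac
    done
    # smt/active reads 1 while sibling hardware threads are online.
    [ -r "$dir/smt/active" ] && printf 'smt_active\t-\t%s\n' "$(cat "$dir/smt/active")"
    return "$rc"
}

# make_fixture DIR: constructed sample values (not from a real machine).
make_fixture() {
    mkdir -p "$1/vulnerabilities" "$1/smt"
    echo 'Mitigation: Clear CPU buffers; SMT vulnerable' > "$1/vulnerabilities/mds"
    echo 'Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable' \
        > "$1/vulnerabilities/l1tf"
    echo 'Mitigation: PTI' > "$1/vulnerabilities/meltdown"
    echo 1 > "$1/smt/active"
}
```

Calling `report` with no argument reads the live sysfs tree; a non-zero return means at least one entry is vulnerable or is mitigated only with an SMT caveat.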
Intrusion prevention and firewall
The intrusion prevention occasionally dropped TCP reset packets. As a result, the firewall encountered more "invalid" packets.
Since 7.0-4.0, the dynamic firewall was triggered by these packets due to a modification in its scoring system, sometimes blocking
IP addresses by mistake.
In the context of the bugfixes, logging of invalid packets has been improved. Less critical cases will only be logged in case
of exceptional accumulations.
Reverse-Proxy
The new version includes improved protective functions and supports WebSocket connections.
Web proxy content filter
With some clients, problems occurred, especially when downloading very large files. The connection was closed by the
proxy before the last data packets had been transmitted.
Bridging of interface "wlan0"
Minor bugfixes and improvements