Release note 1.2.6 Tornaborate 2015-09-10
Contents
1 Summary ..... 4
2 Additional important information about this release ..... 5
3 Upgrade ..... 6
3.1 Prerequisites ..... 6
3.2 How to apply the patch ..... 6
3.2.1 Create a restore point ..... 6
3.2.2 Checking if your IDAT is ready for the upgrade ..... 7
3.2.3 Applying the upgrade ..... 7
3.2.4 Validating the upgrade result ..... 9
4 Changes ..... 10
4.1 Resolved Issues ..... 10
4.2 Implemented Features ..... 10
4.3 Known Issues ..... 10

List of Figures
3.1 Creating a snapshot ..... 6
3.2 Checking the previous release ..... 7
3.3 Uploading the patch file ..... 8
3.4 Waiting on the patch to be applied ..... 8
3.5 Refreshing the page ..... 9
3.6 Checking the target release: correct version displays after the upgrade ..... 9
1 Summary
This software has been released on 2015-09-10.

2 Additional important information about this release
If you upgrade a running system to this release, please note the following:
1. After the migration, you may need to log in again because your session context might have been lost.
3 Upgrade
The upgrade process stops all IDAT processing except the Syslog service, which keeps collecting incoming Syslog messages from the Ignition server. The Syslog buffer can hold up to 1500 authentication event messages; all buffered messages are processed after the upgrade. The upgrade takes between 15 seconds and 5 minutes, depending on hard disk I/O performance.

3.1 Prerequisites
The IDAT patch file for the release you are upgrading to has to be in place beforehand. See www.tornaborate.net/idat/ for more details.

3.2 How to apply the patch
3.2.1 Create a restore point
Make a snapshot of your Virtual Machine (VM) as a restore point in case of unexpected issues.
Figure 3.1: Creating a snapshot
3.2. HOW TO APPLY THE PATCH CHAPTER 3. UPGRADE
Important NOTE: A backup file created on the previous release cannot yet be restored on the IDAT release about to be installed. That's why an ESXi snapshot is mandatory as a safe restore point.

3.2.2 Checking if your IDAT is ready for the upgrade
Log in as administrator and check which IDAT release currently runs on your Virtual Machine (VM).
Figure 3.2: Checking the previous release

3.2.3 Applying the upgrade
Load the new upgrade file as follows:
1. Select the Setup section.
2. Select the Support section.
Figure 3.3: Uploading the patch file
3. Browse and pick the target upgrade file IDAT_patch_...
4. Start loading and processing the upgrade.
Monitor the upgrade process in the web browser so that you know when it has finished.
Figure 3.4: Waiting on the patch to be applied
3.2.4 Validating the upgrade result
To make sure that the upgrade has been applied properly, refresh the browser and log in again if you are asked to do so.
Figure 3.5: Refreshing the page
Figure 3.6: Checking the target release: the correct version is displayed after the upgrade
4 Changes
4.1 Resolved Issues
The following issues have been resolved in this release:

Item  Content
656   Nessus 65821 / CVE-2013-2566 + CVE-2015-2808: Apache: disable SSL RC4 cipher suites. The remote host supports the use of RC4 in one or more cipher suites. The RC4 cipher is flawed in its generation of a pseudo-random stream of bytes, so that a wide variety of small biases are introduced into the stream, decreasing its randomness.
657   Nessus 70658 / CVE-2008-5161: SSH: support for Cipher Block Chaining (CBC) disabled. The SSH server is configured to support Cipher Block Chaining (CBC) encryption. This may allow an attacker to recover the plaintext message from the ciphertext.
658   Nessus 71049: SSH: MD5 or 96-bit MAC disabled. The SSH server is configured to allow either MD5 or 96-bit MAC algorithms, both of which are considered weak.
659   Nessus 77200 / OpenSSL issues. This bug covers these OpenSSL incidents:
      1) CVE-2010-5298 - ssl3_read_bytes function
      2) CVE-2010-5298 - ECDSA flush+reload
      3) CVE-2014-0195 - invalid DTLS fragment handling
      4) CVE-2014-0198 - do_ssl3_write function
      5) CVE-2014-0221 - DTLS handshake handling
      6) CVE-2014-3470 - dtls1_get_message_fragment
662   TCP timestamps disabled in Linux. Attackers may gain an impression of the uptime of a *nix based system. This can be used to guess the patch level of the operating system and exploit it afterwards.
663   Apache hardening. Several Apache web server settings were optimized in order to make the IDAT as little vulnerable as possible.

4.2 Implemented Features
The following features have been implemented in this release:

Item  Content

4.3 Known Issues
The following issues are already known and will be fixed in one of the following releases:
4.3. KNOWN ISSUES CHAPTER 4. CHANGES
Item  Content
253   After an upgrade by loading a patch, the About message box still shows the old version. A logout/login cycle is needed to update the displayed release.
617   "Change of system maintainer time" appears twice in the audit log and is in UTC. The change message appears twice in the audit log; also, the time is shown already converted to UTC.
644   License management change to the new concept. The license structure changes to this model:

      Order code  Type           Radius-Srv  Authenticators  WLAN-9100 APs  Clients
      IDAT-0110   Basic (free)   1           5               75             500
      IDAT-0120   Advanced       2           20              300            1.500
      IDAT-0140   Professional   4           50              750            5.000
      IDAT-0190   Enterprise     100         10.000          150.000        1.000.000

      License management has to cover WLAN-9100 Access Points from Avaya, which have to be counted separately as WLAN Authenticators. The enforcement is already implemented; only the presentation is missing.
649   About box content cleanup. The About box shows "Pure PHP radius", which isn't used anymore. The line should be removed.
652   Avoid restore of newer DB backups to older systems. Currently, it's still possible to load new database backups into old releases.
655   Expired licenses are not displayed. In current releases, only non-expired licenses are displayed.
661   SNMPv3 access violation not reported as a clear error message. If SNMPv3 is configured and IDAT accesses a device configured for SNMPv2 only, or if the SNMPv3 user does not exist on the device, an error message is displayed that is hard to understand. The message looks like this:
      2015-09-02 06:39:27 127.0.0.1 err daemon dcollect: A-3487 SNMP 192.168.1.8 determineoid Received usmstatsunknownusernames.0 Report-PDU with value 272 during synchronization
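The four hardening items in section 4.1 (RC4 suites in Apache, CBC ciphers and MD5/96-bit MACs in SSH, TCP timestamps in Linux) all come down to single configuration lines, so an operator can verify them on any appliance after the upgrade. The checker below is an added example, not IDAT's or Tornaborate's code: the config fragments are constructed samples showing each weak setting beside its hardened form, and the `sshd -T` and `openssl ciphers -v` hints refer to the standard OpenSSH and OpenSSL tools.

```python
# Constructed sample fragments, not IDAT's real configuration: the weak settings
# behind Nessus 65821, 70658, 71049 and the TCP-timestamp item, beside hardened forms.
WEAK = {
    "apache": "SSLCipherSuite HIGH:MEDIUM:RC4-SHA:!aNULL\n",
    "sshd": "Ciphers aes128-cbc,aes256-ctr\nMACs hmac-md5,hmac-sha1-96,hmac-sha2-256\n",
    "sysctl": "net.ipv4.tcp_timestamps = 1\n",
}
HARDENED = {
    "apache": "SSLCipherSuite HIGH:!aNULL:!MD5:!RC4\n",
    "sshd": "Ciphers aes256-ctr,aes128-ctr\nMACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256\n",
    "sysctl": "net.ipv4.tcp_timestamps = 0\n",
}

def directive(text, name):
    """First matching 'name value' line (sshd_config semantics; Apache is last-wins per scope)."""
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == name.lower():
            return parts[1].strip()
    return ""

def check_apache(text):
    # Only an explicit !RC4 really disables RC4: aliases such as MEDIUM can re-add RC4 suites.
    suites = directive(text, "SSLCipherSuite").split(":")
    if "!RC4" in suites:
        return []
    return [s for s in suites if "RC4" in s.upper()] or ["no !RC4 exclusion"]

def check_sshd(text):
    # CBC ciphers end in -cbc; weak MACs use MD5 or a 96-bit tag (-96), -etm forms included.
    weak = []
    for key, is_weak in (("Ciphers", lambda n: n.endswith("-cbc")),
                         ("MACs", lambda n: "md5" in n or n.endswith("-96"))):
        value = directive(text, key)
        if not value:
            weak.append(f"{key} unset (server defaults apply; see sshd -T)")
        for algo in value.split(",") if value else []:
            if is_weak(algo.split("@")[0].replace("-etm", "")):
                weak.append(f"{key}: {algo}")
    return weak

def check_sysctl(text):
    # Timestamps reveal uptime; switching them off also disables PAWS, so weigh both.
    value = directive(text.replace("=", " "), "net.ipv4.tcp_timestamps")
    return [] if value == "0" else ["net.ipv4.tcp_timestamps is not 0"]

def audit(configs):
    checks = {"apache": check_apache, "sshd": check_sshd, "sysctl": check_sysctl}
    found = {n: f(configs.get(n, "")) for n, f in checks.items()}
    return {n: v for n, v in found.items() if v}
```

A static check of `SSLCipherSuite` cannot see which suites an alias expands to on the installed OpenSSL build, so confirm the final list with `openssl ciphers -v '<your SSLCipherSuite value>'` and the effective sshd values with `sshd -T`.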