Sophos UTM 9.2 update available - 9.201-23 Heartbleed patch

Available for download is the file u2d-sys-9.109001-200011.tgz.gpg, which updates version 9.109-1 to 9.200-11 (15 minutes) if Up2Date does not fetch the file automatically.

WebAdmin - new (wildcard) certificate - OpenSSL Heartbleed patch

The file can be downloaded via FTP and then installed under
Management -> Up2Date |Advanced| "Manual Up2Date package upload".

The update takes less than 5 minutes but requires a reboot of the UTM. Create a backup beforehand and save it locally:
Management -> Backup/Restore |Backup/Restore| "Create backup now"

Sophos UTM Backup Download


Update to 9.200 



·  Major Features
    ·  Web: New UI policy model
    ·  Mail: SPX encryption support
    ·  Mail: DLP support
    ·  Network: Botnet/C&C traffic detection and blocking
    ·  Network: Major IPS performance improvements
    ·  Authentication: Dual-factor authentication with OATH TOTP
    ·  WAF: Authentication support
·  Smaller Features
    ·  Web: AD SSO in transparent mode
    ·  Web: Warn action
    ·  Web: Transparent HTTPS filtering w/o full SSL scanning
    ·  Web: URL categorization override
    ·  Web: PUA blocking
    ·  Web: Enhanced log search
    ·  Web: Policy tester
    ·  Web/Endpoint: Web Control for SEC-managed endpoints
    ·  Endpoint: Proxy support for LiveConnect
    ·  Wifi: Hotspot: Fully customizable login page
    ·  Wifi: Hotspot: Fully customizable vouchers
    ·  Wifi: Hotspot: New hotspot type with authentication against UTM/Backends
    ·  RED: optional tunnel compression
    ·  RED: RED50: improve LCD output
    ·  RED: RED50: VLAN configuration for switch ports
    ·  WAF: Extended threat filtering
    ·  WAF: Fallback hosts
    ·  WAF: HTTP to HTTPS redirection
    ·  Network: Support more DynDNS providers
·  Remarks
    ·  System will be rebooted
    ·  Configuration will be upgraded
    ·  Connected Wifi APs will perform firmware upgrade
    ·  Connected RED devices will perform firmware upgrade

17609  User Portal: whitelist is completely ignored if blacklist matches
22646  Bridge: Use the MAC address of the converted interface instead of the smallest one
23810  System & UTM Backups ignore backup limits
23950  Wildcard Domains for SMTP Routing (Regression)
24127  Full NAT from internal network to external address dropped on bridge interface
24331  [UBB][9.070] Mail Notification contain antivirus footer
24358  Manual speed settings have no effect on HA link
24652  Wireless: Client is listed on wrong AP in Webadmin "Wireless status"
24739  cluster SMTP distribution not working
25199  Kernel Oops when lowering MTU for USB netcard
25476  Increase default WebAdmin logout time (for new installations)
25676  [UBB][9.100] Executive Report - Wrong charts displayed on Apple Devices
25952  Country blocking exception doesn't work
26225  Damaged graphic in the wireless reporting in French language
26544  DNS host definitions with non-ascii chars and underscore cause dns-resolver to fail
26640  Not possible to activate more than 62 virtual webserver
27742  Standard mode in deployment helper incorrectly named
28150  Sophos Authentication Agent does not work with MacOS X 10.6
28201  User Portal webpage doesn't get fully loaded while using Internet Explorer
28383  SSL VPN disconnects when transferring large amounts of data
28866  Essential Firewall: Not possible to use HA reserved interface eth3
29354  [Update Rule:] SSL VPN routes are not distributed correctly over OSPF
29584  "Department Reports" in Web Sec Reporting does not work for host objects
30016  Mix SSL and WAF and SharePoint 2013 will no longer allow you to save files (file is opened write protected)



Since 10 April 2014 there has been an update for 9.2, version 9.201-23. It mainly fixes the OpenSSL bug, and installing the update is strongly recommended. Name: u2d-sys-9.200011-201023.tgz.gpg

Sophos recommends the following procedure:
1. Install the patch
2. Print your configuration
3. Change your passwords
4. Reboot the UTM
5. Regenerate Certificates

Version 9.201-23 includes the following bug fixes:

·  Official 9.2 GA Release - update from 9.200
·  Fix: OpenSSL vulnerability: TLS heartbeat read overrun (CVE-2014-0160)

·  Remarks
    ·  System will be rebooted
    ·  Configuration will be upgraded
    ·  Connected Wifi APs will perform firmware upgrade
    ·  Connected RED devices will perform firmware upgrade

28439  vpn site2site overview is missing ipsec respondOnly connections
28953  Object Changelog PopUp can not be closed in IE9
29356  [BETA] RED50 reconnects all the time
29419  [BETA] Web Policy tester and http.log do not display modifications by local site list
29501  Transparent AD SSO conflicts with WAF (port 80)
29748  [BETA] changing OTP has no effect on WAF
29843  [BETA] Changing AV Scanners cause memory spikes in http proxy
30389  [BETA] http cache fills up partition
30441  [BETA] SPX encryption has higher priority than SMIME or PGP encryption
30446  [BETA] SPX: some characters in mail subject lead to broken subject in pdf
30561  [BETA] Username with \ is seen in sAMAccountName with \\
30571  Add option to disable OTP for Webadmin/SSH from front panel LCD of UTM appliance
30637  [BETA] Handling Filter actions used in multiple policies
30701  [BETA] SPX: labels of original message are not correctly encoded in spx reply
30723  RED 10 stops working while handling large packets
30869  [BETA] DLP: Region selector of "Sophos CCL Rules" doesn't show the first element
30898  OTP: Token may be created for wrong user if remote/local user differ in case
30925  SPX: character sets other than UTF-8 break PDF and portal
30934  Incorrect Certificate used during Transparent HTTPS
30940  Wireless: Some SSIDs are shown as HASH(...) in WebAdmin
30945  ATP Dashboard Link & Reporting Issue (72h not visible)
30949  smtp scanner dies in combination with SPX and regular email encryption
30951  Outgoing mails get quarantined as "UNSCANNABLE" although "Quarantine unscannable and encrypted content" is disabled
31368  CVE-2014-0160: TLS heartbeat read overrun [9.2]

This version can also be downloaded from the FTP area and installed manually.
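
The two Up2Date file names quoted on this page appear to encode the source and target version of each package. The following added example (not Sophos code and not part of the original post) decodes that assumed scheme and checks that the packages chosen for manual upload lead from the installed version to 9.201-23, the build with the CVE-2014-0160 fix. The function names are hypothetical, and the major version is assumed to stay the same within one package.

```python
import re
from typing import NamedTuple

# Assumed scheme, inferred only from the two file names quoted on this page:
#   u2d-sys-<major>.<minor:3 digits><build:3 digits>-<minor><build>.tgz.gpg
PKG_RE = re.compile(r"u2d-sys-(\d+)\.(\d{3})(\d{3})-(\d{3})(\d{3})\.tgz\.gpg")
VER_RE = re.compile(r"(\d+)\.(\d{1,3})-(\d+)")

class Version(NamedTuple):
    major: int
    minor: int
    build: int

    def __str__(self) -> str:
        return f"{self.major}.{self.minor:03d}-{self.build}"

# 9.2 build that fixes CVE-2014-0160 according to this page.
FIXED = Version(9, 201, 23)

def parse_version(text: str) -> Version:
    m = VER_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"not a UTM version: {text!r}")
    return Version(*map(int, m.groups()))

def parse_package(name: str) -> tuple:
    """Return (source, target) versions encoded in an Up2Date file name."""
    m = PKG_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unexpected package name: {name!r}")
    major, s_min, s_build, t_min, t_build = map(int, m.groups())
    src, dst = Version(major, s_min, s_build), Version(major, t_min, t_build)
    if dst <= src:
        raise ValueError(f"{name!r} is not an upgrade ({src} -> {dst})")
    return src, dst

def plan_upgrade(installed: Version, packages, target: Version = FIXED) -> list:
    """Order the packages so they lead from `installed` to at least `target`."""
    steps = {src: (dst, name) for name in packages
             for src, dst in [parse_package(name)]}
    current, plan = installed, []
    while current < target:
        if current not in steps:
            raise LookupError(f"no package applies to {current}; still below {target}")
        current, name = steps[current]
        plan.append(name)
    return plan

if __name__ == "__main__":
    files = ["u2d-sys-9.200011-201023.tgz.gpg", "u2d-sys-9.109001-200011.tgz.gpg"]
    print(plan_upgrade(parse_version("9.109-1"), files))
```

A `LookupError` means the installed version has no matching package in the set, so the upload would not reach the fixed build and another package is needed first.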


Münster AD 2014