
END OF SUPPORT - Firmware Release 7.0.x HOTFIXES

7.0

  • This topic is locked
22 replies to this topic

#1 Markus Lang

Markus Lang
  • Moderators
  • 395 posts

Posted 25 May 2016 - 04:14 AM

This topic is used to announce new hotfixes for firmware release 7.0 and future 7.0.x releases.
Please subscribe to this topic if you are interested in availability of new hotfixes for firmware release 7.0.x only.
If you are interested in general announcements of new firmware releases (e.g. 8.0.0) please subscribe to the following forum topic "Firmware Release Announcements" which can be found one level up.

Director, Product Management


#2 Tim Warr

Tim Warr
  • Members
  • 49 posts

Posted 06 July 2016 - 12:36 AM

Hotfix 785 - Cumulative Hotfix
 
Summary Resolved various DNS Sinkhole, BGP, OSPF, and VPN issues
Publication date Jul 5, 2016
Type Hotfix
Version 785-7.0.0-109267
Size 55.0 MB
 
Applies to
7.0.0 (NextGen Firewall F-Series and Control Center)
 
Obsoletes package
Hotfix 782 - Cumulative Hotfix
 
Components
Forwarding Firewall (NextGen Firewall F-Series and Control Center)
Virus Scanner (NextGen Firewall F-Series and Control Center)
CC VPN (NextGen Firewall F-Series and Control Center)
VPN (NextGen Firewall F-Series and Control Center)
OSPF/RIP/BGP (NextGen Firewall F-Series and Control Center)
Host Firewall (NextGen Firewall F-Series and Control Center)
 
Properties
Might trigger a reboot.
 
Description
This hotfix includes the following improvements:
 
  • Block access rules using the DNS Sinkhole dynamic network object now work as expected.
  • The Botnet and Spyware database now receives updates from the Barracuda Update servers.
  • The VPN service now uses assembler ciphers only for AES128 and AES256.
  • Add a multipath route when learning a single route with multiple hops via OSPF.
  • BGP routes are no longer flushed when a VPN transport becomes active, enabling a transparent fallback for BGP over multi-transport VPN tunnels.
  • Client-to-site IPsec IKEv1 VPN connections with the native IPsec client on Android 6.0 now work as expected.
  • The VPN Accounting database has been temporarily disabled due to a library incompatibility that may lead to stability problems (will be re-enabled shortly).


#3 Markus Lang

Markus Lang
  • Moderators
  • 395 posts

Posted 25 August 2016 - 04:21 AM

Hotfix 789 - Cumulative Hotfix

 

Summary Resolved various DNS Sinkhole, BGP, OSPF, VPN and TAP2 issues

 

Publication date Aug 24, 2016
Type Hotfix
Version 789-7.0.0-111971
Size 68.4 MB
 
Applies to
7.0.0 (NextGen Firewall F-Series and Control Center)
 
Blocks packages on NG Control Center
Hotfix 785 - Cumulative Hotfix
Hotfix 788 - Cumulative Hotfix
 
Blocks packages on F-Series Firewall
Hotfix 785 - Cumulative Hotfix
Hotfix 788 - Cumulative Hotfix
 
Obsoletes packages
Hotfix 782 - Cumulative Hotfix
Hotfix 785 - Cumulative Hotfix
Hotfix 788 - Cumulative Hotfix
 
Components
Forwarding Firewall (NextGen Firewall F-Series and Control Center)
Virus Scanner (NextGen Firewall F-Series and Control Center)
CC VPN (NextGen Firewall F-Series and Control Center)
VPN (NextGen Firewall F-Series and Control Center)
OSPF/RIP/BGP (NextGen Firewall F-Series and Control Center)
Host Firewall (NextGen Firewall F-Series and Control Center)
 
Properties
Might trigger a reboot.
 
Description
This hotfix includes the following improvements:
  • Block access rules using the DNS Sinkhole dynamic network object now work as expected.
  • The Botnet and Spyware database now receives updates from the Barracuda Update servers.
  • The VPN service now uses assembler ciphers only for AES128 and AES256.
  • Add a multipath route when learning a single route with multiple hops via OSPF.
  • BGP routes are no longer flushed when a VPN transport becomes active, enabling a transparent fallback for BGP over multi-transport VPN tunnels.
  • Client-to-site IPsec IKEv1 VPN connections with the native IPsec client on Android 6.0 now work as expected.
  • The VPN Accounting database has been temporarily disabled due to a library incompatibility that may lead to stability problems (will be re-enabled shortly).
  • IPv6 autoconfiguration now works as expected.
  • Unusual HTTP trailing header fields are now handled correctly.
  • Transparent redirection for traffic which is virus scanned or SSL intercepted now works as expected.
  • Initial DHCP request propagation using multiple bridging groups now works as expected.
  • Network activation no longer fails when switching between a static and a DHCP interface without changing the IP address.
  • Added option to disable VPN replay protection for IPsec VPN tunnels.
  • Schedule objects with a large number of objects (>128) now work as expected.
  • FTP traffic virus scanning improvements.
  • Firewall service stability improvements.

Note:  “Replay Protection” for IPSEC can be disabled with an updated NGAdmin (hotfix) by configuring an IPSEC Tunnel / TI – VPN Envelope Policy / Replay Window Size of ‘-1’. 


Director, Product Management


#4 Markus Lang

Markus Lang
  • Moderators
  • 395 posts

Posted 27 September 2016 - 10:36 AM

Hotfix 799 - OpenSSL Vulnerability
 
Summary Update OpenSSL to resolve security vulnerability
Publication Date Sep 27, 2016
Type Hotfix
 
Size 17.2 MB
 
CVEs
CVE-2016-6304
 
Applies to
7.0.0 (NextGen Firewall F-Series and Control Center)
 
Blocks package on Control Center
Hotfix 789 - Cumulative Hotfix
 
Blocks package on F-Series Firewall
Hotfix 789 - Cumulative Hotfix
 
Obsoletes packages
Hotfix 801 - OpenSSL
Hotfix 800 - OpenSSL
 
Components
  • HTTP Proxy (NextGen Firewall F-Series and Control Center)
 
Properties
Enforces a reboot.
 
Description
This hotfix includes the following improvements:
 
Update OpenSSL to version 1.0.1u due to security vulnerability CVE-2016-6304.
 
Note: A reboot will be performed to finalize the installation.

Director, Product Management


#5 Marco Miska

Marco Miska
  • Barracuda Team Members
  • 61 posts
  • Location: Innsbruck

Posted 27 October 2016 - 10:04 AM

Hotfix 803 - HTTP Proxy

 

Summary Improved connection error handling

Publication Date Oct 27, 2016
Type Hotfix
 
Size 4.2 MB
 
Applies to
7.0.1 (NextGen Firewall F-Series)
 
Obsoletes packages
Hotfix 802 - HTTP Proxy
 
Components
  • HTTP Proxy (NextGen Firewall F-Series)
 
Description
Updated HTTP Proxy to fix connection error handling


#6 Markus Lang

Markus Lang
  • Moderators
  • 395 posts

Posted 15 November 2016 - 03:19 AM

Hotfix 809 - Public Cloud VPN Service
 
Summary Resolves a client-to-site VPN configuration issue
Publication Date Nov 10, 2016
Type Hotfix
 
Size 13.8 MB
 
Applies to
7.0.1 (NextGen Firewall F-Series and Control Center)
 
Components
Box Configuration (NextGen Firewall F-Series and Control Center)
CC Configuration Service (NextGen Firewall F-Series and Control Center)
 
Description
This hotfix includes the following improvements:
 
The client-to-site VPN configuration dialog now works as expected.

Director, Product Management


#7 Markus Lang

Markus Lang
  • Moderators
  • 395 posts

Posted 17 November 2016 - 10:59 AM

Hotfix 808 - Firewall
Summary Resolves issues with asynchronous ATD download page
Publication Date Nov 17, 2016
Type Hotfix
 
Size 33.3 MB
 
Applies to
7.0.1 (NextGen Firewall F-Series and Control Center)
 
Blocks package on Control Center
Hotfix 806 - Firewall
 
Blocks package on F-Series Firewall
Hotfix 806 - Firewall
 
Components
Forwarding Firewall (NextGen Firewall F-Series and Control Center)
Virus Scanner (NextGen Firewall F-Series and Control Center)
CC VPN (NextGen Firewall F-Series and Control Center)
VPN (NextGen Firewall F-Series and Control Center)
Control (NextGen Firewall F-Series and Control Center)
Host Firewall (NextGen Firewall F-Series and Control Center)
 
Properties
Might trigger a reboot.
 
Description
This hotfix includes the following improvements:
 
Resolves problems with asynchronous ATD download page
Sensor data for F800 Rev C and F900 Rev B are now displayed correctly.
Resolves problems with firewall memory consumption and hostname network object resolution

Director, Product Management


#8 Markus Lang

Markus Lang
  • Moderators
  • 395 posts

Posted 17 November 2016 - 11:15 AM

Hotfix 811 - SSL VPN
Summary Code signing certificate update for SSL VPN Java applets.
Publication Date Nov 17, 2016
Type Hotfix
 
Size 8.1 MB
 
Applies to
7.0.1 (NextGen Firewall F-Series and Control Center)
 
Components
VPN (NextGen Firewall F-Series and Control Center)
Access Control Service (NextGen Firewall F-Series and Control Center)
 
Description
This hotfix updates the code signing certificate required to validate integrity of the SSL VPN Java applets.

Director, Product Management


#9 Markus Lang

Markus Lang
  • Moderators
  • 395 posts

Posted 23 November 2016 - 04:57 AM

Hotfix 812 - DNS Server Vulnerability (CVE-2016-8864)
 
Summary Update BIND to fix security vulnerability CVE-2016-8864
Publication Date Nov 22, 2016
Type Hotfix
 
Size 4.0 MB
 
CVEs CVE-2016-8864
 
Applies to
7.0.0 (NextGen Firewall F-Series and Control Center)
7.0.1 (NextGen Firewall F-Series and Control Center)
 
Blocks packages on Control Center
Update package for NextGen F-Series from 6.X to 7.0.1
Update package for NextGen F-Series from 6.X to 7.0.1 with 2 Hotfixes
 
Blocks packages on NextGen Firewall F-Series
Update package for NextGen F-Series from 6.X to 7.0.1
Update package for NextGen F-Series from 6.X to 7.0.1 with 2 Hotfixes
 
Components
Caching DNS (NextGen Firewall F-Series and Control Center)
DNS Server (NextGen Firewall F-Series and Control Center)
 
Description
This hotfix includes the following improvements:
 
Updates BIND to version 9.9.9-p4 to fix the following security vulnerability: CVE-2016-8864.

Director, Product Management


#10 Markus Lang

Markus Lang
  • Moderators
  • 395 posts

Posted 13 December 2016 - 10:03 AM

Hotfix 817 - Cumulative Hotfix
 
Summary Control Centers pattern update, client-to-site configuration dialog, and cluster migration fixes
Publication Date Dec 13, 2016
Type Hotfix
 
Size 14.6 MB
 
Applies to
7.0.1 (NextGen Firewall F-Series and Control Center)
 
Blocks package on Control Center
Hotfix 809 - Public Cloud VPN Service
 
Blocked by package on Control Center
Hotfix 822 - License Update Routine
 
Blocks package on F-Series Firewall
Hotfix 809 - Public Cloud VPN Service
 
Blocked by package on F-Series Firewall
Hotfix 822 - License Update Routine
 
Obsoletes package
Hotfix 809 - Public Cloud VPN Service
 
Obsoleted by package
Hotfix 822 - License Update Routine
 
Components
Box Configuration (NextGen Firewall F-Series and Control Center)
CC Configuration Service (NextGen Firewall F-Series and Control Center)
 
Description
This hotfix includes the following improvements:
  • Updating patterns and definitions for a large number of managed firewalls no longer overloads the Control Center.
  • The client-to-site VPN configuration dialog now works as expected.
  • Repository linked global firewall objects no longer prevent cluster migration to firmware version 7.0.

Director, Product Management


#11 Markus Lang

Markus Lang
  • Moderators
  • 395 posts

Posted 13 February 2017 - 05:27 AM

Hotfix 823 - Cumulative Hotfix
 
Summary Multiple VPN, Firewall and ATD improvements
Publication Date Feb 13, 2017
Type Hotfix
 
Size 168.9 MB
 
Applies to
7.0.1 (NextGen Firewall F-Series and Control Center)
 
Blocks packages on Control Center
Hotfix 806 - Firewall
Hotfix 808 - Firewall
Hotfix 821 - Virscan Service
Hotfix 822 - License Update Routine
Hotfix 820 - Firewall
Hotfix 815 - Firewall
Hotfix 816 - VPN
 
Blocks packages on F-Series Firewall
Hotfix 806 - Firewall
Hotfix 808 - Firewall
Hotfix 821 - Virscan Service
Hotfix 822 - License Update Routine
Hotfix 820 - Firewall
Hotfix 815 - Firewall
Hotfix 816 - VPN
 
Obsoletes packages
Hotfix 808 - Firewall
Hotfix 815 - Firewall
Hotfix 816 - VPN
 
Components
Forwarding Firewall (NextGen Firewall F-Series and Control Center)
Virus Scanner (NextGen Firewall F-Series and Control Center)
CC VPN (NextGen Firewall F-Series and Control Center)
VPN (NextGen Firewall F-Series and Control Center)
Control (NextGen Firewall F-Series and Control Center)
Host Firewall (NextGen Firewall F-Series and Control Center)
 
Properties
Might trigger a reboot.
 
Description
This hotfix includes the following improvements:
  • Added option to disable preview mails of pending ATD email scans in the Virus Scanner Settings
  • It is now possible to override the Scan Fail, Large File and Archive policies for SMTP and SMTPS connections in the Virus Scanner Settings
  • Improves issues with the UDP session timer
  • Resolves issues with custom block page delivery
  • Added advanced configuration parameters to improve vendor interoperability
  • Added option to enforce UDP encapsulation for ESP packets (port 4500)
  • Added support for negotiation of Traffic Selectors and Cipher Suite Proposals
  • Upgraded strongSwan to 5.4.0
  • Fixed an issue that potentially results in intermittent connectivity problems during CHILD_SA rekeying
  • Dead Peer Detection (DPD) is now enabled by default
  • Resolved various stability issues with site-to-site VPN tunnels to the Microsoft Azure VPN Gateway
  • Added support for creating dedicated SAs for each subnet pair (Cisco ASA)
  • Allow coexistence of multiple SAs with identical Traffic Selectors
  • It is now possible to use hostnames as the remote gateway
  • Added support for Elliptic Curve-based DH Groups (NIST, Brainpool)
  • ESP Lifetimes are now reliably enforced in all cases
  • Rekeying is no longer disabled if the ESP lifetime is too low
  • VPN routes for disabled IKEv2 tunnels are removed immediately
  • Rekeying management tunnels on a Secure Access Concentrator now works as expected
  • Resolves issue that may lead to incorrect routing for Dynamic Mesh VPN tunnels

Director, Product Management


#12 Markus Lang

Markus Lang
  • Moderators
  • 395 posts

Posted 27 April 2017 - 09:13 AM

Hotfix 826 - Anti Virus Service
 
Summary Resolved issues for Avira virus scanning engine
Publication Date Apr 27, 2017
Type Hotfix
 
Size 118.1 MB
 
Applies to
7.0.2 (NextGen Firewall F-Series and Control Center)
 
Components
Virus Scanner (NextGen Firewall F-Series and Control Center)
 
Description
  • File scanning results from the Avira virus scanning engine containing multiple result messages are now interpreted correctly.
  • It is now possible to configure the number of days after which quarantined files are deleted in the Advanced View of the Avira Virus Scanner Settings.
  • Scanning archives containing a very large number of files no longer causes the system to stall.
  • Resolved issue where moving files to the virus scanning quarantine resulted in duplicate files on the firewall.

Director, Product Management


#13 Gernot Strasser

Gernot Strasser
  • Members
  • 7 posts

Posted 03 May 2017 - 03:58 AM

I am still missing Hotfix 825 here.



#14 Manuel Huber

Manuel Huber
  • Members
  • 155 posts

Posted 26 May 2017 - 04:20 AM

I'd like to see announcements of hotfixes when they are released, with a short explanation of what they fix.

I follow this thread to get information about new releases, so I don't have to actively check every other day.

 

We have maintenance windows and if I know in advance that a hotfix is available, I might be able to install it at the particular date.

 

Barracuda, you have set up this great forum to announce hotfixes, so please use it.

Thank you!



#15 Manuel Huber

Manuel Huber
  • Members
  • 155 posts

Posted 26 May 2017 - 04:20 AM

I'm referring to hotfixes 825 and 828 which didn't get any announcement.



#16 SW

SW
  • Members
  • 1 posts

Posted 20 June 2017 - 06:02 AM

I'd like to see announcements of hotfixes when they are released, with a short explanation of what they fix.

I follow this thread to get information about new releases, so I don't have to actively check every other day.

 

We have maintenance windows and if I know in advance that a hotfix is available, I might be able to install it at the particular date.

 

Barracuda, you have set up this great forum to announce hotfixes, so please use it.

Thank you!

Same here - what's up Cuda? 825 and 828 still missing....



#17 Peter Simon

Peter Simon
  • Members
  • 5 posts

Posted 30 June 2017 - 07:30 AM

Seems like the thread is dead ... :(



#18 Jbo

Jbo
  • Members
  • 69 posts

Posted 25 July 2017 - 11:10 AM

Recommend NOT installing 7.1.0-371+1hotfix right now. Several bug issues DHCP and VPN for our boxes. 



#19 Ben T

Ben T
  • Members
  • 2 posts
  • Location: New York

Posted 30 July 2017 - 12:34 PM

Recommend NOT installing 7.1.0-371+1hotfix right now. Several bug issues DHCP and VPN for our boxes. 

FYI, I had DHCP issues (DHCP server not sending replies) after applying the hotfix. Had to get Tech Support involved. They replaced a "vlan_hotswap" and all was better.



#20 Oliver Braekow

Oliver Braekow
  • Moderators
  • 165 posts
  • Location: Innsbruck, Austria

Posted 03 August 2017 - 08:03 AM

Important Security Hotfix

 

Summary:

Security hotfix to address an issue that could lead to unauthorized, low privilege access via the management IP addresses.

 

Description:

Several hotfixes were released on Aug 3rd 2017 to address an internally discovered logic error in the configuration process which could allow an attacker to gain unauthorized low privilege access to the NextGen Firewall via the management IP addresses.

 

Affected products:

The logic error exists in the following versions of the NextGen Firewall F series firewalls as well as NextGen Control Centers since firmware 5.2.3:

  • 5.2.x - end of support reached - please upgrade to newer firmware
  • 5.4.x - end of support reached - please upgrade to newer firmware
  • 6.0.x - resolved in Hotfix 837
  • 6.1.x - end of support reached - please upgrade to newer firmware
  • 6.2.x - resolved in Hotfix 836
  • 7.0.0 - resolved in Hotfix 838
  • 7.0.1 - resolved in Hotfix 834
  • 7.0.2 without Hotfix 825 - resolved in Hotfix 834
  • 7.0.2 with Hotfix 825 - resolved in Hotfix 839
  • 7.0.3 - The issue is resolved in maintenance release 7.0.3, released on Aug 3rd, 2017.
  • 7.1.0 - resolved in Hotfix 835

Mitigation:

The Hotfixes released today fully mitigate the issue in the affected versions. Hotfixes are available in the download portal: https://dlportal.barracudanetworks.com.

Additionally, with firmware release 7.0.0 or newer the hotfix corresponding to the current firmware release will be displayed in the UPDATES section of the General Dashboard on NextGen Firewalls F-Series.

Additionally, with firmware release 7.0.0 or newer the hotfixes will be available from the Download Portal tab of the CONTROL -> Firmware Updates section on NextGen Control Centers.

 

 

We further recommend that customers isolate the management IP addresses to a trusted local network. The NextGen Firewall supports setting additional ACLs for accessing the management interface that can further increase security. Finally, we also recommend setting strong passwords on all accounts or configuring key based authentication and disabling password authentication.

 

Instructions on setting up ACLs and key based authentication are available here:

How to Change the Root Password and Management ACL

How to Configure Key-Based SSH Authentication for the Root User

How to Configure Certificate Based Authentication for the Root User