Netsweeper 7.2.7 EA is now available for early adopters. This release includes further security improvements and enhancements to the Client Filter.
Customers running 7.2 should upgrade to the 7.2.7 release, as we continue to fix major defects and improve stability. Netsweeper is now focused on making progress toward a GA milestone so that all customers can upgrade to the 7.2 release. We hope that over the next month or two we will be able to deliver the 7.2 GA release and move on to the development of Netsweeper 8.1.
The Netsweeper 7.2 release is available on both EL6 and EL8. Over the course of the 7.2 release cycle, we will be finalizing the EL8 release. Starting with the Netsweeper 8 releases, the EL6 builds will receive security fixes only and no new features. Customers who want the new features we are introducing are expected to plan a migration to EL8 between now and 2023.
New Features Summary
Active-Active WebAdmin Features
- Reporter will not run Reports on a database that has not yet been upgraded
- Directory Sync does not run unless the database version matches the version required by the DirSync service
Report Export for UTF16
- A new report instance export format, CSV (UTF16), which supports Unicode characters, has been added
Client Filter Branding Permissions
- New Client Filter Brand permissions added for SysOps to perform Client Filter Settings Brand Management
- nMonitor Config setting added to the WebAdmin Client Filter Settings
- WebAdmin Settings can now be loaded from external applications, so that settings, passwords and other values can be sourced from external secure systems
- An example settings_override.php showing how to call an external script and cache the result is now provided
Change Log 7.2.7
- A reflected cross-site scripting issue in the Deny Page has been resolved.
- The 'Show Groups with No Policies' option did not work correctly.
- Setting failure shutdown in the Policy Service caused "auxlist_failure" to be processed as a Deny Page and not as an allow.
- The database upgrade page now redirects to the home page if no error exists.
- The Policy Service did not include intermediate certificates in the SSL/TLS certificate chain, causing Let's Encrypt certificates to display a certificate error on macOS and other operating systems.
- The WebAdmin "Use of hard-coded credentials" finding (14 MED) has been fixed.
- The Reporter will no longer run Reports on a database that has not yet been upgraded.
- The ns_webadmin, ns_reporter and ns_directorysync packages can no longer be built unless the /sql/XXXX_XXX.sql versions are properly set in the code.
- Added escaping for table request arguments.
- GetTableVars in ajaxtable did not escape the elements it forms into a URL.
- After an upgrade, the AD Directory Sync did not sync until restarted.
- Fixed a WebAdmin security issue: a missing authorization check.
- Fixed the WebAdmin security issues for Open Redirect.
- Reviewed the WebAdmin security issues for Unrestricted External Entity References.
- Fixed the WebAdmin security issues for Unchecked Origin of Message Event.
- Fixed the WebAdmin security issues for Unrestricted External Entity References.
- A Linux memory corruption vulnerability was discovered that allows any unprivileged user to gain full root privileges on a vulnerable host in its default configuration.
- The Dashboard Monitoring Graphs returned an error when changing timeframes.
- A database error occurred when searching by Group Name in Lists > Policies > View Table.
- The error message for the timesegment_add API has been corrected.
- Upgrading from 7.2.3 through 7.2.6 via the WebAdmin required the root password to be properly set and maintained. The root password maxdays requirement has been removed.
- A duplicate List appeared for a SysOp who is owned by another SysOp.
- Directory Sync no longer runs unless the database version matches the version required by the DirSync service.
- Netsweeper 7.2.7 EL8 includes the PHP APCu cache, so Netsweeper EL8 can now cache many items in memory for improved WebAdmin performance.
- WebAdmin Settings can now be loaded from external applications, so that settings, passwords and other values can be sourced from external secure systems.
- Users can override WebAdmin Settings in /webadmin/config/settings_override.php, allowing settings to be loaded by querying external systems.
- A warning message has been added to nsup2d-managed files to discourage customers from modifying them.
- The timesegment_query API did not work if the stopday was 0 (Sunday).
- Fixed minor logging security issues.
- Reviewed WebAdmin security issues.
- A new instance export format, CSV (UTF16), which supports Unicode characters, has been added.
- Setting failure shutdown in nsd.conf will cause 'auxlist_failure' to be processed as a Deny Page, and the request will not be allowed.
- New Client Filter Brand permissions have been added to allow the SysOp to perform Brand Management.
- All EL8 base packages have been updated to their latest versions.
- Deactivate Hosts in Services did not work properly.
- The Deny Page editing framework was susceptible to a JSON-escaping XSS attack.
- The DirSync "Risky cryptographic SSL protocol" finding (5 MED) has been fixed, and SSLv3 has been disabled in BindSSL.
- The Reporter did not properly encode the CSV format, causing problems with the Search Keyword functionality.
- Updated the EL6 extended-support RPM nss-3.44.0-7.0.2.el6_10, fixing CVE-2021-43527 [Orabug:33627334].
- WebAdmin tables were susceptible to a reflected cross-site scripting attack. This has been fixed.
- Updated the EL6 extended-support RPM dhcp-4.1.1-63.P1.0.2.el6_10, fixing CVE-2021-25217 [Orabug:33005948].
- The Reporter in 7.2.5 and 7.2.6 might not start after a fresh install because the Reporter database might not have been created yet. The 7.2.7 release rechecks on an interval and starts running once the database has been created with the proper version.
- A database error occurred when searching in Session Settings.
- An issue with DENY response headers in certain places in the WebAdmin has been fixed.
- The 'Client nMonitor Config' setting has been added to the Client Filter Settings page in the WebAdmin.
- The Client nMonitor Config can now be loaded into the Client Settings in the WebAdmin and processed as part of the hash used for change detection.
- The Client Filter Global Uninstall Password had no description in Client Filter Settings.
- The Directory Sync 'Test Connection' did not work in EL8 for SSL/TLS-enabled connections. In 7.2.6 on both EL6 and EL8, 'Test Connection' did not validate the certificate when "Disable Certificate Validation" was unchecked.
- An example settings_override.php showing how to call an external script and cache the result is now provided.
- It was not possible to log in to the WebAdmin without a Reporter database connection. If a database connection error occurs, the version is no longer checked, since a different error will be raised in that case.
- Netsweeper version information has been removed from /etc/issue.net and added to /etc/motd to keep the version information from being exposed. The console /etc/issue still carries the version information.
- In EL8, using a hostname instead of an IP address as the WebDB host caused timeout issues in 7.1.1 to 7.2.6.
- If the logger connection is idle, the logger server closes it after 60 seconds. The LogMod5 remote connection module (client) then logged an error message and reconnected. The reconnect is correct, but the message was misleading, because this is expected server behaviour rather than an error, and after hours of idling LogMod5 filled the error log with these messages. The message is now suppressed for the "remote server closed connection" event and is logged only for real errors.
- Administration > Security Labels Search caused a database error.
- DNS filtering did not work in 7.2.1 to 7.2.6 due to a squid25udp processing failure in the Policy Service; all UDP processing in the Policy Service was unstable.
- The API Test Tool now uses settings_override.php instead of settings_nsup2d.php to set the authentication type, so that it is not overwritten.
- An empty Group name could cause a log session to segfault.
- New CSV UTF16 formats have been added to the Custom Reports and the Report View API.
- Client Filter protocol denied URLs had unnecessary data appended to the end.
- The Policy Server in 7.2.5 to 7.2.6 could corrupt the Client Filter version and brand name in the Client Filter cookie and protocol requests.
- A Security Label mismatch while a password change was required caused an error in the table display.
- Report View API Account Owner permissions were not being checked.
- Account Perms List did not check whether the user had permission before checking whether the Account exists.
- readcns could crash the Policy Service in the 7.2.1 to 7.2.2 releases, causing a segfault and Policy Service abort.
- Netsweeper RPMs can now be installed on top of Rocky Linux, an EL8-based operating system.
- The Policy Server was not reloading a blank Exceptions List in Client Filter Settings.
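Several items in this change log are output-encoding defects in the WebAdmin: table request arguments that were not escaped, ajaxtable's GetTableVars forming URLs from unescaped elements, and a JSON-escaping XSS in the Deny Page editing framework. The following is an added example, not Netsweeper's code, showing the defensive pattern those fixes imply: encode each value for the exact context it lands in (HTML attribute, URL query, JSON inside a script block) rather than applying one generic escape. The function names, the /webadmin/policies path and the sample row are assumptions constructed for the example.

```javascript
// Added example (not Netsweeper code): context-aware escaping for a client-side
// table widget that builds links and embeds JSON from values that may be attacker-controlled.
// buildTableLink, embedJsonForScript and renderDenyPageConfigScript are hypothetical names.

// HTML text/attribute context: neutralise the five characters that can break out.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// URL query context: percent-encode every key and value, then HTML-escape the
// finished href because it is placed inside an attribute. Two layers, two encoders.
function buildTableLink(basePath, params, label) {
  const query = Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
  const href = query ? `${basePath}?${query}` : basePath;
  return `<a href="${escapeHtml(href)}">${escapeHtml(label)}</a>`;
}

// Script context: JSON.stringify alone is not safe inside <script>, because a
// string containing "</script>" closes the block. Emitting <, >, & and the line
// separators as \uXXXX keeps the output valid JSON and unable to close the tag.
function embedJsonForScript(obj) {
  return JSON.stringify(obj)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderDenyPageConfigScript(config) {
  return `<script>var denyPageConfig = ${embedJsonForScript(config)};</script>`;
}

// Constructed sample input: a group name carrying markup and a quote.
const sampleRow = { group: 'Staff"><img src=x onerror=alert(1)>', page: 2 };
console.log(buildTableLink('/webadmin/policies', sampleRow, sampleRow.group));
console.log(renderDenyPageConfigScript({ title: 'Blocked</script><script>alert(1)</script>' }));
```

The point of the two separate encoders is that a value can be correct for one context and still break another: `&` is harmless in a URL but must become `&amp;` inside an attribute, and `<` is harmless in an attribute value but terminates a script block. Applying the encoder for the innermost context first and the outer context last is what makes the nesting safe.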
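The change log also lists a fix for "Unchecked origin of message event" in the WebAdmin. The following is an added example, not Netsweeper's code, of the defensive pattern behind such a fix: a `message` listener that drops any event whose `origin` is not on an allow-list before it looks at the payload, and validates the payload shape before dispatching it. The allow-listed origin, the `action` field and the function names are assumptions constructed for the example.

```javascript
// Added example (not Netsweeper code): origin and shape validation for postMessage
// events. ALLOWED_ORIGINS, acceptMessage, installListener and sendToWebAdmin are
// hypothetical names; the origin below is a constructed placeholder.

const ALLOWED_ORIGINS = new Set([
  'https://webadmin.example.invalid',
]);

// Returns a sanitised command if the event is trustworthy, otherwise null.
// A sender not on the allow-list is ignored entirely: no side effects, no reply.
function acceptMessage(event, allowedOrigins = ALLOWED_ORIGINS) {
  if (!allowedOrigins.has(event.origin)) return null;
  // The origin check establishes who sent it; the payload still needs validating.
  const data = event.data;
  if (typeof data !== 'object' || data === null) return null;
  if (typeof data.action !== 'string' || !/^[a-z_]{1,32}$/.test(data.action)) return null;
  return { action: data.action, payload: data.payload };
}

// Wires the check in front of the real handler so the handler never sees
// untrusted events. target is a window or any EventTarget-like object.
function installListener(target, handler, allowedOrigins = ALLOWED_ORIGINS) {
  target.addEventListener('message', (event) => {
    const msg = acceptMessage(event, allowedOrigins);
    if (msg !== null) handler(msg);
  });
}

// When sending, name the intended recipient origin instead of '*', so the
// message is not delivered if the target window has navigated elsewhere.
function sendToWebAdmin(targetWindow, message) {
  targetWindow.postMessage(message, 'https://webadmin.example.invalid');
}

// Constructed usage: a frame that only honours commands from the WebAdmin origin.
if (typeof window !== 'undefined') {
  installListener(window, (msg) => console.log('accepted', msg.action));
}
```

Checking `event.origin` against an exact allow-list (not a substring or prefix match) is what closes the finding; checking the payload afterwards is defence in depth, since even a trusted origin can relay data it received from elsewhere.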