zorp 3.1.15a  Fri, 12 Sep 2008 11:37:14 +0200
Changes since 3.1.15

Proxies:
  Pssl:
    * Corrected a memory leak.


zorp 3.1.15  Fri, 22 Aug 2008 17:37:14 +0200
Changes since 3.1.14b

Core:
  * Corrected a race condition that caused Zorp to stop processing UDP packets under certain conditions.
  * Corrections in the method of looking up zones: certain zones were not correctly found in some rare cases.
  * Under large load, reloading the configuration of Zorp caused an abnormal program termination in certain cases. This has been corrected.
  * Zorp now works with Python 2.5 as well.
  * The CONFIG_BRIDGE_NETFILTER kernel option has been disabled, because it caused problems when the bridge interface was used in failover mode.
  * The tproxy module marked unnecessary packets. This has been corrected.
  * TCP keep-alive packets can be enabled for every service, both on the client and the server side.
  * Corrections in the handling of ZAAuthentication.
  * Various security fixes in the kernel.

Proxies:
  Ftp:
    * Corrections in the handling of multiline responses.
  Http:
    * Corrected a possible memory leak.
    * When processing HTTP v1.1 Connect headers, Zorp closed the connection when a Connect header with an unknown value was received. Now such headers are interpreted as keep-alive headers. This solves the problem of applications (e.g., APT) that send multiple HTTP requests without waiting for a response to the first request, and do not properly handle the case when they do not receive a response to every request.
  Mime:
    * The MIME_TPE_DROP_ONE proxy action was handled incorrectly in certain cases, causing the proxy to drop not only the attachment affected by the MIME_TPE_DROP_ONE proxy action, but also every subsequent attachment. This behavior has been corrected.
  Pssl:
    * Information (issuer, subject, etc.) about the certificates used in the connection is logged at log level 4.
  Smtp:
    * When ZCV is stacked into the SmtpProxy but the ZCV service is not available, the proxy returned a permanent error message (error code 500 - Invalid command). This has been changed to error code 421 - Service not available.
  Ssh:
    * Connections using version 0.60 of the PuTTY client application running on 64-bit systems were terminated. This has been corrected.


zorp 3.1.14a  Fri, 18 Jul 2008 10:37:14 +0200
Changes since 3.1.14

Core:
  * Fixed a possible abnormal program termination in Zorp.


zorp 3.1.14  Fri, 18 Apr 2008 17:37:14 +0200
Changes since 3.1.13b

Core:
  * DBIface interfaces with two alias IP addresses could bind only to one of the addresses. This behavior has been corrected.
  * The frequency of e-mail alerts that Zorp sends to the administrator if it detects a deadlock is limited, to avoid spamming the administrator's mailbox.
  * Fixed a possible abnormal program termination in the blob subsystem.
  * Fixed an abnormal program termination that occurred after reloading Zorp in certain situations.
  * Fixed an abnormal program termination that occurred when the client failed to authenticate to ZAS using the GSSAPI authentication method.
  * When the client application terminated while copying multiple large file transfers (e.g., SFTP), the threads handling the transfers were not properly closed, leading to memory leaks. This has been corrected.
  * Zorp creates a core file when a deadlock is detected.
  * Time intervals in the PermitTime policy are correctly validated.

Proxies:
  Ftp:
    * Fixed a possible abnormal program termination.
  Http:
    * Corrections in the handling of one-time passwords.
    * The proxy exits with an RST packet when a timeout occurs.
  Mime:
    * Corrections in the handling of spaces at the end of headers.
    * The default value of the max_header_line_length attribute has been increased to 4096.
  MSRpc:
    * Corrected a race condition that caused segmentation faults in the proxy.
  Smtp:
    * When multiple subsequent lines of a message contained only the dot ('.') character, the proxy handled escaping incorrectly. This has been corrected.
    * Fixed an abnormal program termination that occurred when the server closed the connection after a DATA command, or when a DATA command followed another DATA command that the server had rejected.
  SQLNet:
    * Fixed a memory leak.
    * Fixed parsing of redirect packets where the address of the server is embedded into the description.
    * The proxy did not properly handle the timeout proxy attribute settings. This has been corrected.
  Ssh:
    * The SSH proxy in Zorp 3.1.13 handled public-key authentication incorrectly, crashing Zorp in certain situations. This has been corrected.
    * Clarified the log message sent in case of a hostkey mismatch.
    * When using nontransparent mode, simple usernames that did not contain the address of the remote server were not accepted. This has been corrected.
    * SCP supports the PSCP Windows client.
    * The maximum accepted length of the SSH name (username@server_fqdn) has been increased from 32 to 64 characters.
    * Added a new proxy attribute (ssh_userauth_proxy_authenticate) to specify when the authentication occurs. It is now possible to request authentication before building the server-side connection.
    * When the proxy rejects a session request, it is now possible to close the channel using the SSH_REQ_ABORT_CHANNEL action.
    * Corrections in the handling of text before the ID string.
    * The SSH proxy does not send unnecessary packet dumps any more.
  VBuster:
    * The subject of the e-mail sent after updating the virus-filtering databases has been corrected.

Other:
  * The 'zorpctl --help' command did not display every option (e.g., the '-v' option).


zorp 3.1.13b  Tue, 18 December 2007 10:33:47 +0100
Changes since version 3.1.13a

Http:
  * Implemented a new proxy attribute called reset_on_close.
    If this option is enabled, the proxy sends an RST message instead of a normal FIN message whenever a connection is terminated without a proxy-generated error message. This behavior causes some client applications to automatically reconnect to the server.

Smtp:
  * Fixed a possible abnormal program termination that occurred in certain rare situations.


zorp 3.1.13a  Fri, 14 December 2007 10:33:47 +0100
Changes since version 3.1.13

Core:
  * Fixed a possible abnormal program termination that occasionally occurred when using inband authentication.

Ssh:
  * Fixed a possible abnormal program termination in publickey authentication.


zorp 3.1.13  Fri, 30 November 2007 10:33:47 +0100
Changes since version 3.1.12

Http:
  * Added a new attribute (self.max_auth_time) to invalidate cached one-time passwords. If the time specified in this attribute expires, Zorp requests a new authentication from the client browser even if it still has a password cached.

Ssh:
  * Fixed a possible segmentation fault in publickey authentication.
  * Corrected a problem that crashed the SSH proxy if it was not able to parse the response of the server to a port forwarding request.

Miscellaneous:
  * Fixed various memory leaks.


zorp 3.1.12.4  Wed, 21 November 2007 10:33:47 +0100
Changes since version 3.1.12.3

Ssh:
  * Fixed a possible segmentation fault in publickey authentication.
  * Corrected a problem that crashed the SSH proxy if it was not able to parse the response of the server to a port forwarding request.

Miscellaneous:
  * Fixed various memory leaks.


zorp 3.1.12  Mon, 8 October 2007 10:33:47 +0100
Changes since version 3.1.11c

Core:
  * It is possible to create core dumps while Zorp is running using the 'zorpctl dump-core' command. The 'enable-core' attribute must be enabled for the instance using ZMC, or by editing the 'zorpctl.conf' file if ZMS is not used to manage the host.
  * Zorp emits a log message if the license file is inaccessible or invalid.
Auditing:
  * If an error is detected during auditing, Zorp automatically terminates the connection, so no unaudited traffic can pass.

Ftp:
  * The BounceCheck function became an attribute that can be separately enabled and disabled for the protected zones (e.g., intranet) and the unprotected zone (e.g., Internet).
  * Multiline responses that did not include the parameter of the response in the last line were handled incorrectly; in certain cases the connection was closed. This behavior has been corrected.

Http:
  * The hostname of the target host is included in the log if access to the server is denied by the policy.

Imap:
  * The default value of the 'max_literal_count' parameter has been changed to 32.

Ssh:
  * Corrected the behavior of the 'greeting' attribute; modified greetings were not always sent to the clients.
  * Increasing the width of terminal windows above 255 characters caused Zorp to close the connection. This behavior has been corrected.

Vbuster:
  * Fixed a possible abort when blob creation failed or the /var/lib/zorp/tmp directory was inaccessible.


zorp 3.1.11c  Fri, 10 August 2007 10:33:47 +0100
Changes since version 3.1.11b

Core:
  * Corrected an error in the port allocation introduced in version 3.1.11b.


zorp 3.1.11b  Fri, 20 July 2007 10:33:47 +0100
Changes since version 3.1.11a

Core:
  * Port allocation is handled by Zorp. Earlier versions used the port allocation of the kernel, which could not properly handle the situation when a large number of connections were opened in a short time.

Ftp:
  * Corrected an error that blocked certain FTP client applications when trying to list the contents of an empty directory.

Http:
  * Fixed a race condition in HTTP stacking that caused Zorp to switch to chunked encoding when stacking ZCV.

Pssl:
  * Corrected an abnormal connection termination.


zorp 3.1.11a  Thu, 3 May 2007 10:33:47 +0100
Changes since 3.1.11

Core:
  * The timeout before restarting Zorp if a deadlock is detected has been increased to 60 seconds.

Plug:
  * Fixed the behavior of the 'packet_stats_interval_time' and 'packet_stats_interval_packet' attributes.


zorp 3.1.11  Wed, 5 Apr 2007 16:33:47 +0100
Changes since 3.1.10

Core:
  * Fixed a race condition in the authentication caches that possibly caused Python tracebacks.

Http:
  * Implemented a separate timeout attribute ('timeout_response') that applies to HTTP responses.
  * HTTP requests (including POST data) can be resent to the server if the server closes the connection before the request is sent, or if no response is received. This behavior can be enabled using the 'rerequest_attempts' attribute.

Smtp:
  * Fixed a memory leak in the filtering of SMTP extensions.

Ssh:
  * When requested to use the 'cast' cipher algorithm, the Ssh proxy used the 'blowfish' algorithm instead. This behavior has been fixed.

Sqlnet:
  * Added support for fragmented REDIRECT packets.

Ssl:
  * Fixed a possible abnormal program termination that occurred when the server requested the renegotiation of the connection.


zorp 3.1.10  Thu, 22 Feb 2007 15:36:58 +0100
Changes since 3.1.9

Core:
  * Fixed a possible memory leak in remote stacking.
  * Fixed the handling of the 'backlog' parameter.
  * Fixed a memory leak in the Service_Props SZIG.

Ftp:
  * Fixed the handling of status code 150 messages having multiple lines.
  * Zorp consumed the CPU if the data channel was open when the client closed the command channel. This behavior has been fixed.

Http:
  * Fixed a possible memory leak when sending a formatted CONNECT request to the parent proxy fails.
  * Fixed the handling of the data part of messages having the 304 response code.
  * Fixed the handling of zero-byte POST messages.

Ssh:
  * Fixed a possible abnormal termination when the client uses an unsupported publickey type (like x509v3-sign-rsa).
  * Fixed the handling of the 'self.greeting' attribute.
  * Added the possibility to send a banner to the client before login.
  * Removed invalid channel data from audit trails.
  * Fixed a possible abnormal program termination occurring when an audit trail was started dynamically and the audit-trail option was not included in the license file.


zorp 3.1.9  Fri, 12 Jan 2007 15:36:58 +0100
Changes since 3.1.8

Core:
  * Added support for internationalization of user-visible proxy messages.

zorpctl:
  * Fixed the erroneous removal of the --threads Zorp option.
Pop3:
  * Messages containing viruses or other malware are rejected with a constructed e-mail message instead of using protocol elements, as several clients handle ERR responses incorrectly. Infected e-mails are put into the quarantine and deleted from the server. To restore the proxy to its original functionality, set the reject_by_mail attribute to FALSE.

Http:
  * Fixed content-length hinting with HTTP_STK_MIME.
  * User-visible proxy messages are available in German and Hungarian.

Ftp:
  * Added the possibility to send a reject message about unwanted content.

Pssl:
  * Added a default to the X509KeyBridge cache_directory parameter.

VBuster:
  * Fixed an archive scanning problem with VBuster engine v4.3.

Mime:
  * Fixed processing of the permit_bad_continuous_line attribute.


zorp 3.1.8  Thu, 14 Dec 2006 09:17:42 +0100
Changes since 3.1.7

Core:
  * Zone, dispatch, and access control cache parameters were made configurable through the config module.
  * Fixed some 64-bit compatibility issues.

zorpctl:
  * Added more details to the zorpctl status output by adding a -v argument.

Http:
  * Support the 125 status code from FTP servers to confirm data channels.
  * Fixed error reporting in response to HEAD requests.

Mime:
  * Fixed an incorrectly set zero timeout that could result in mail data loss at a high message rate.

MSRpc:
  * Fixed a possible abort when MSRPC data channels are opened.

VBuster:
  * Added support for the VirusBuster 4.3 engine.
  * Fixed threshold_oversize support.


zorp 3.1.7  Tue, 14 Nov 2006 11:47:35 +0100
Changes since 3.1.6

Core:
  * Fixed SZIG communication.


zorp 3.1.6  Tue, 07 Nov 2006 15:19:54 +0100
Changes since 3.1.5

Core:
  * Fixed a possible audit trail corruption problem when several parallel connections logged to the same audit trail and the audit trail was encrypted or compressed.
  * Zorp uses full-duplex connections for remote stacking, because the small CONNTRACK timeout of half-closed connections led to content-scanning timeouts with ZCV.

zad:
  * Fixed the handling of the follow argument.
Http:
  * Fixed a possible abnormal program termination when a PSSL proxy was stacked into the HTTP CONNECT method.

Mime:
  * Fixed the processing of lines longer than the input buffer size.


zorp 3.1.5  Mon, 25 Sep 2006 13:59:23 +0200
Changes since 3.1.4

Core:
  * Fixed a deadlock when lots of UDP packets arrived.
  * Added support for per-session audit trail files.
  * Fixed a syntax error that prevented Inband authentication.
  * Fixed a memory leak in the secondary connection handshake.

Imap:
  * Added server authentication support.

Mime:
  * For compatibility reasons both the 'error' and 'error_action' attributes access the same action hash.

zorpctl:
  * Added support for specifying a file instead of an instance list.


zorp 3.1.4  Fri, 21 Jul 2006 17:37:14 +0200
Changes since 3.1.3

Core:
  * Fixed a possible abnormal program termination encountered when Zorp was under heavy load and stacking was used.
  * Fixed a proxy startup race condition which caused abnormal program termination, primarily with multiple processors.

Ftp:
  * Fixed a bug that caused 'AttributeError' log messages when the control channel was closed early.

Http:
  * Fixed a possible interoperability problem with web servers returning a data entity in a 205 response. Although this is explicitly prohibited in the RFC, Zorp will permit such responses.

Imap:
  * Fixed a problem in SEARCH command parsing.

Mime:
  * Changed a misleading log message about exceeding the overall header size limit to: 'Header is too long'.

Nntp:
  * Added group filtering capabilities.


zorp 3.1.3  Fri, 16 Jun 2006 16:17:38 +0200
Changes since 3.1.2

Core:
  * Fixed a memory leak in various proxies caused by a change in the core in 3.1.2.
  * Fixed audit trail encryption support.
  * Added more robust handling of failed thread creation.

Imap:
  * Added username and password length checking with a 32-character default limit.

Http:
  * Fixed displaying the error page when the request content is rejected.
  * Fixed a possible interoperability problem with HTTP/0.9 servers when keep_persistent is enabled.
  * Fixed a possible interoperability problem with Firefox 1.5.0.4 and possibly later when the proxy forces an HTTP/1.0 response to chunked mode.

Ssh:
  * Fixed a flow control problem possibly causing lost connections while a lot of data is being transmitted.

Pssl:
  * Use inter-instance locking on the KeyBridge database to make it possible to use the same KeyBridge objects in multiple instances.


zorp 3.1.2  Tue, 23 May 2006 15:45:42 +0200
Changes since 3.1.1

Core:
  * Fixed a memory leak and an internal error when a service name was longer than 32 characters.
  * Fixed a SZIG deadlock which caused the queue of SZIG events to consume memory, effectively causing a memory leak and a stall in providing internal information through SZIG. Only affects Zorp deployments with non-unlimited licenses.
  * Added multiple interval support to the PermitTime authorization class.

Ssh:
  * Added support for publickey authentication.
  * Fixed a possible interoperability problem with SSH Secure Client. Zorp did not handle key exchange algorithm guesses correctly.

MSRpc:
  * Added missing imports from the Python module which caused the MSRpc proxy not to load properly.

Rsh:
  * Fixed a possible SIGSEGV during the rsh protocol handshake.

Http:
  * Fixed a possible abnormal program termination with files over 2GB.
  * Fixed a possible memory leak when shutting down the peer streams failed.

VBuster:
  * Fixed a possible segmentation fault when the first trickle attempt happened without any received data.

Ldap:
  * Implemented a workaround for SASL.

SQLNet:
  * Added support for CONNECT strings which only contain ADDRESS tags and no ADDRESS_LISTs in non-transparent mode.


zorp 3.1.1  Fri, 31 Mar 2006 12:33:00 +0200
First release of Zorp 3.1