Release Notes CSG 7.2.24

Collax Security Gateway

Installation Notes

Update Instructions

To install this update please follow the following steps:


  1. It is highly recommended to backup of all server data with the Collax backup system before proceeding. Check that the backup was successful before proceeding with the update (this can be done within the backup information email).
  2. In the administration interface go to Menu → Software → System Update and press Get Package List. This will download the listed update packages. If successful the message Done! will be displayed on the screen.
  3. Click Get Packages to download the update packages.
  4. Click Install. This installs the update. The end of this process is indicated by the message Done!.
  5. A new kernel will now be installed. The system will reboot automatically after installing the update. An appropriate note will be shown if the update process is completed.

New in this version

Security: Linux Kernel 5.10.200

This update installs the Linux kernel 5.10.200. It fixes some errors that we believe could be exploited by attackers.

Security: Web proxy Squid 6.5

Critical security vulnerabilities have been discovered in the source code of the Squid web proxy. These will be closed with this software update.

Further information can be found here.

System Management: Network UPS Tools 2.8.1

This update installs the current release of the Network UPS Tools (NUT) in version nut-2.8.1.

Add-on software: Avira Savapi 4.15.20

Several components have been updated in the source code of the Avira Anti-Malware SDK. This software update installs the package anti-malware-sdk-savapi-v4.15.20.

Issues fixed in this version

Security: Retbleed vulnerability - Intel Microcode Update

Experts have discovered critical security vulnerabilities and published them under the name “Reptar”. These so-called out-of-band (OOB) attacks target critical vulnerabilities found in modern processors. A potential vulnerability in some Intel® processors may allow privilege escalation and/or information disclosure and/or denial of service via local access. Intel is releasing firmware updates to mitigate this potential vulnerability. For protection, it is necessary to update the microcode. With this update, this is done automatically without having to update the BIOS.

Further information can be found here.

Security: Cachewarp vulnerability - AMD microcode update

AMD has the “CacheWarp” vulnerability, which is now also prevented with new microcode. For protection, it is also necessary to update the microcode. With this update, this is done automatically without having to update the BIOS.


Additional software: Bitdefender - Proxy for updates

The virus pattern updates are carried out according to a set cycle. For the pattern update of the Bitdefender virus and spam filter, the use of an http proxy is currently not possible.

Additional software: Bitdefender - pattern update after start-up

After the start-up of the Collax Antivirus powered by Bitdefender module, it may take a few minutes until the current virus patterns have been downloaded. If you click on Update Bitdefender in the virus scanner form during this time, an error message “Error connecting to server at /opt/lib/bitdefender//bdamsocket: -3” appears, because the background process has not yet been fully executed.

GUI: Running Jobs Hang Sporadically

The progress of the configuration jobs is displayed in the upper right corner of the web administration. In the case of extensive changes in the area network, especially in the area of country locks (geo-ip), the job display of the activation can hang in rare cases and lead to a timeout. For updates up to release 7.2.14, the message “ipset v7.11: Set cannot be destroyed: it is in use by a kernel component” also appeared. which could lead to uncertainty. The changes are all correctly applied and this is only a cosmetic problem. Until the error is completely fixed, you can help yourself by reloading the browser window.

VPN: Fix for IKEv2 with Microsoft Windows breaks after 7.6 hours

VPN connections with IKEv2 and the on-board tools of Microsoft Windows are interrupted after exactly after exactly 7.6 hours. The error occurs because Microsoft Windows suggests different algorithms during the IKE re-encryption than during the first first connection. The problem can be solved with a registry fix, by changing the value “NegotiateDH2048_AES256” under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters to 1 is set to 1.

Under the following Link you will find a REG file (registry entry) which adds the registry key. Collax accepts no liability for system errors resulting from this.