Release Notes CSG 7.2.8

Collax Security Gateway

Installation Notes

Update Instructions

To install this update, follow these steps:


  1. It is highly recommended to back up all server data with the Collax backup system before proceeding. Check that the backup was successful before starting the update (this can be verified in the backup information email).
  2. In the administration interface go to Menu → Software → System Update and press Get Package List. This will download the listed update packages. If successful the message Done! will be displayed on the screen.
  3. Click Get Packages to download the update packages.
  4. Click Install. This installs the update. The end of this process is indicated by the message Done!.
  5. A new kernel will now be installed. The system will reboot automatically after installing the update. An appropriate note will be shown when the update process is completed.

New in this version

Additional Software: Deactivation of Kaspersky Virus Scanner

With this update the virus scanner from Kaspersky is deactivated. Customers who had previously used it should switch on Avira’s scanner immediately after the update. Corresponding licenses will be provided automatically.


The following steps will seamlessly integrate Avira’s solution and immediately provide maximum protection against threats from the Internet.

  1. Go to “Menu → Software → Licenses and modules” and click on “Update license status”.

  2. Go back and click on the “Additional modules” tab and install the Avira AntiVir Protection package.

  3. Click on “Menu → Mail and Messaging → Antivirus Mail Filtering” and check “Avira AntiVir”.

  4. If available, proceed identically for Antivir Web and Antivir File.

  5. Activate the configuration.

System Management: Linux Kernel 5.10.109

This update installs the Linux kernel 5.10.109.

Mail: IMAP Extension date

The IMAP extension “date” for the IMAP service Cyrus is activated with this update. For this the value “date” had to be added to the configuration file imapd.conf in the section “sieve_extensions:”.

Problems fixed in this version

Security: Dirty Pipe

Software developer Max Kellermann has discovered a critical vulnerability in the Linux kernel. This could allow an unprivileged process of a normal user to inject data into the output of a process with higher privileges. The vulnerability relates to CVE-2022-0847.

See also here

This update brings the kernel to version 5.10.109.

The new kernel includes another security fix, which refers to CVE-2022-25636.
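
A check that the gateway is really running the kernel named above after the automatic reboot. This is an added example, not Collax code; the function names are made up for illustration and the sample release strings are constructed.

```shell
#!/bin/sh
# Added example (not Collax code): check that the running kernel is at least
# the release these notes install.

REQUIRED_KERNEL="5.10.109"   # version stated in the release notes

# version_ge A B: succeeds if dotted version A >= B, comparing fields as numbers
# (a plain string compare would wrongly rank 5.10.93 above 5.10.109).
version_ge() {
    a=${1%%[!0-9.]*}   # drop a local suffix such as "-custom"
    b=${2%%[!0-9.]*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# check_kernel [RELEASE]: report on the given release string (default: uname -r).
check_kernel() {
    running=${1:-$(uname -r)}
    if version_ge "$running" "$REQUIRED_KERNEL"; then
        echo "OK: kernel $running >= $REQUIRED_KERNEL"
    else
        echo "WARN: kernel $running is older than $REQUIRED_KERNEL (reboot pending or update incomplete)"
        return 1
    fi
}

# Constructed sample release strings; on the gateway call check_kernel with no argument.
for sample in 5.10.93 5.10.109 5.10.109-custom 5.15.0; do
    check_kernel "$sample" || true
done
```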

Security: Microcode Update

Potential security vulnerabilities have been discovered in some Intel processors. Therefore it is necessary to update the microcode. With this update this happens automatically without the need to update the BIOS.

The microcode is updated to Intel Microcode 20220207.

The security vulnerabilities relate to the following CVEs:

  CVE-2021-0146: A potential security vulnerability in some Intel processors that may allow escalation of privilege
  CVE-2021-0127: Intel Processor Breakpoint Control Flow
  CVE-2021-0145: Fast store forward predictor - Cross Domain Training
  CVE-2021-33120: Out of bounds read for some Intel Atom processors

and the following Intel Processor Advisories:

  INTEL-SA-00528
  INTEL-SA-00532

Security: Cryptography tool OpenSSL

Security vulnerabilities have been discovered in the source code of the OpenSSL cryptography tool. These are closed with this software update.

See also here

The fix refers to the CVE number CVE-2022-0778.

Security: IMAP service Cyrus

Security vulnerabilities have been discovered in the source code of the IMAP service Cyrus. These are closed with this software update.

The fix refers to the CVE number CVE-2022-24407.

Port redirections are used to redirect incoming requests for specific services to another server. If a port redirection was set up and Internet access was established over 2 Internet connections via DSL and one route, the port forwarding did not work for the PPPoE link. This is fixed with this update.

File: Samba and backup access to subdirectories

Backup access to subdirectories could not be performed successfully in certain cases. This is related to DFS (global name space support) and has been fixed with this software update.


Update: Error while trying to download the package list.

In the system update dialog a current package list is downloaded from the update server. In some cases an update is not possible and an error message occurs when trying to fetch the package list.

E: Repository ‘custom:// csg72 Release’ changed its ‘Codename’ value from ‘v72_stable’ to ‘v7’. Cannot retrieve package db checking for updates failed.

Experienced Collax administrators can use the console as root to fix the problem:

rm /var/lib/apt/lists/update*

Afterwards, the system update can be performed as usual.
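
The fix above, wrapped so that the cached lists are removed only when the captured output really contains the Codename error. This is an added example, not Collax code; the function names, the sample output and the scratch file names are constructed.

```shell
#!/bin/sh
# Added example (not Collax code): apply the release notes' fix only when the
# captured package-list output shows the Codename-change error.

LISTS_DIR=${LISTS_DIR:-/var/lib/apt/lists}   # path from the release notes

# has_codename_error TEXT: succeeds if TEXT contains the apt error quoted above.
# The pattern avoids the quote characters, which differ between terminals.
has_codename_error() {
    printf '%s\n' "$1" | grep -q "^E: Repository .* changed its .*Codename.* value from"
}

# clear_update_lists DIR: remove DIR/update* (the notes' rm) and print the count.
clear_update_lists() {
    removed=0
    for f in "$1"/update*; do
        [ -f "$f" ] || continue      # glob matched nothing, or not a regular file
        rm -f -- "$f" && removed=$((removed + 1))
    done
    echo "$removed"
}

# fix_if_needed TEXT DIR: clear the lists only for this specific error.
fix_if_needed() {
    if has_codename_error "$1"; then
        clear_update_lists "$2"
    else
        echo "skipped"
    fi
}

# Demonstration on a scratch directory with constructed file names and output.
demo() {
    scratch=$(mktemp -d) || return 1
    : > "$scratch/update.example_dists_Release"
    : > "$scratch/update.example_dists_Packages"
    : > "$scratch/other.example_Release"
    out="E: Repository 'custom:// csg72 Release' changed its 'Codename' value from 'v72_stable' to 'v7'."
    fix_if_needed "$out" "$scratch"   # two update* files are removed
    ls "$scratch"                     # the unrelated list file remains
    rm -rf -- "$scratch"
}
demo
```

On the gateway, pass the error text shown by the update dialog together with "$LISTS_DIR" to fix_if_needed as root.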

We apologize for the rare occurrence of this case. If you have any further questions, please do not hesitate to contact our support.

VPN: Fix for IKEv2 connections with Microsoft Windows breaking after 7.6 hours

VPN connections with IKEv2 using the built-in Microsoft Windows client are interrupted after exactly 7.6 hours. The error occurs because Microsoft Windows proposes different algorithms during IKE rekeying than during the initial connection. The problem can be solved with a registry fix by setting the value “NegotiateDH2048_AES256” under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters to 1.

At the following link you can find a REG file (registry entry) that adds the registry key. Collax assumes no liability for system errors resulting from this.