Hi XG Community!

We've finished SFOS v17.1.2 MR2. This release is rolling out in stages. In the first stage it is available on MySophos. We will then start with a small number of slots and increase those over time. Later it will be available to all other installations as well.

For further information about upgrading, see KBA 123285, Sophos Firewall: How to upgrade the firmware.

Issues Resolved

Code has been optimized for the internal CSC service. Code optimizations have resulted in a reduced memory footprint. The reduced memory consumption supports SFOS v17.1.2 MR2 on the XG85 series.

Important security issues have been resolved in this release, and we strongly recommend that customers upgrade. For further information about these issues, see KBA 132637, Advisory: Sophos XG Firewall Vulnerabilities reported by Kaspersky Labs.

NC-31276 [Access] SFM Compatibility with v17.1 - Getting error messages in event viewer when clicking on Authentication - Users

NC-33640 [API] Unauthenticated shell escape vulnerability

NC-31701 [ATP] Clicking on ATP widgets doesn't redirect to ATP results when ATP widget doesn't have data

NC-30220 [Authentication] Auto-created Radius users are not live on first login

NC-30521 [Authentication] Not able to create eDirectory server with password

NC-32392 [Authentication] Properly handle Radius SSO requests that also contain the user domain

NC-29537 [Base System] Logviewer not working due to sqlite issues

NC-31573 [Base System] Empty values returned for certain SNMP queries

NC-32399 [Base System] Change of the XG Firewall login screen (again)

NC-32481 [Base System] XG85 got reboot due to memorydump

NC-32559 [Base System] u2d_client writes to /content/u2d/pattern multiple times with the same data

NC-33672 [Base System] On demand CSC worker execution

NC-34087 [Base System] Garner segfault - multiple modules being reported

NC-32491 [Clientless Access] HTML5 VPN portal connections periodically stop working until service restarted

NC-28034 [Email] Unable to block email with specific mime type

NC-29590 [Email] AV pattern updates are failing while service is restarting

NC-29761 [Email] Strict RDNS is not working as expected when a record has more than 10 IP addresses with specific scenario

NC-29994 [Email] Attachments with iso-2022-jp encoding are not getting filtered

NC-31664 [Email] MTA service getting DEAD state when rebooting appliance after full configuration import

NC-32005 [Email] Awarrenmta sporadically loses connection

NC-27866 [Firewall] 802.1Q header is not forwarded while reassembling packet in bridge mode

NC-29963 [Firewall] Appliance rebooting with kernel dump

NC-31027 [Firewall] HTTP to HTTPS conversion not working for CR backups imported to SF

NC-31043 [Firewall] DNAT rule is not working in case IP range is used as Destination Host for reflexive rule

NC-31268 [Firewall] DNAT rule is not saved when TCP and UDP combination services are created at the time of rule creation

NC-32239 [Firewall] Packet Capture: HEX/ASCII lines appear next to an existing line

NC-32686 [Firewall] Firewall rule showing "in 0B" and "out 0B" in Webadmin

NC-26446 [Hardware] 125/135 series - upper 4 port LEDs at front and rear side not behaving as expected

NC-30689 [Hotspot] Custom hostname is not displayed when hotspot login through QR Scanning

NC-28813 [IPsec] Second PSK input form is not limited to 64 characters as the first one

NC-29322 [IPsec] VirtualIP tunnel with CiscoVPN configuration is failing at Phase 2 with PFS

NC-29365 [IPsec] IPSec tunnel fails when there is whitespace at the beginning or end of the PSK

NC-29436 [IPsec] Failover group cannot be deactivated

NC-29599 [IPsec] Disable DPD action check for "Respond Only" connection when IKEv1 IPSec profile has DPD disabled

NC-29702 [IPsec] Remote Access VPN does not connect with VPN Tracker when connected with PSK + XAUTH

NC-29760 [IPsec] Child SA not killed, if re-keying is disabled and key life time is reached

NC-29892 [IPsec] L2TP connection can't be activated if the CA name contains a space character

NC-30541 [IPsec] HA - charon hangs in shutdown on AUX when killed via signal

NC-30571 [IPsec] HA - Restart VPN Service from CLI menu doesn't start on AUX machine

NC-30752 [IPsec] HA - old primary takes the connection after shutdown received

NC-31361 [IPsec] IPSec connections are randomly sorted each time the page is refreshed

NC-31616 [IPsec] Cisco VPN client issue with iOS device

NC-32640 [Logging] Log viewer is not loading on some devices after adding any filter and read/write goes high after activity

NC-31277 [Network Services] Interface name mapping failed during backup-restore for DHCP server on Alias over VLAN Interface

NC-32265 [Network Services] XG doesn't use the same name for the FQDN Host Group as configured via SFM

NC-32434 [Networking] LAG Member shows different MAC Address after editing via GUI

NC-29112 [RED] RED tunnel is fluctuating randomly

NC-30520 [RED] HA: RED interfaces are not correctly shown on AUX UI

NC-31174 [RED] Loading a huge number of RED devices leads to failsafe mode on backup restore

NC-31273 [RED] Interfaces page takes 2-3 minutes to load

NC-28794 [Reporting] Even after removing the email address aux node is sending the scheduled executive report

NC-33638 [Reporting] Post authentication remote code execution via shell escape

NC-30767 [Routing] Policy route not applied on PPPoE connect/disconnect events

NC-30288 [SecurityHeartbeat] HA: Failing heartbeat service stops startup from other services after fail over

NC-31015 [SSLVPN] SSLVPN client connections always start after reboot

NC-31433 [SSLVPN] SSLVPN server config contains routes for disabled s2s server connections

NC-29373 [UI Framework] Mitigate possible XSS vulnerability - JQuery

NC-34142 [UI Framework] Authenticated remote command execution in WebAdmin

NC-29991 [WAF] Authentication templates: Not possible to delete images/stylesheets

NC-30130 [WAF] Variable expansion is missing in "path too long" error message

NC-28470 [Web] NTLM logon over HTTP not being passed

NC-28950 [Web] Empty tooltip in Policy Tester

NC-29295 [Web] Content Filter details are not displayed with languages other than English

NC-29297 [Web] Custom images show blanks on blockpage preview before saving

NC-29545 [Web] Captive Portal shows guest user link after logout although guest user registration is not enabled

NC-31208 [Web] Proxy sends the warn.html with the HA interface IP

NC-31908 [Web] Application filter policy rule does not apply on SF device through SFM group level

NC-27281 [Wireless] Violations of Qatar regulatory requirements regarding the permitted 5 GHz bands

NC-28812 [Wireless] Connected clients are not showing in clients page after backup restore

NC-29281 [Wireless] Localwifi update shows successful green status message twice

NC-30489 [Wireless] AP is not coming to active status after full configuration export and import

NC-30652 [Wireless] Permissions for wireless protection are not exported correctly

NC-32653 [Wireless] Backup import failed for WirelessLocalAP

Downloads

You can find the firmware for your appliance in the MySophos portal.