Changelog Airlock Gateway 8.2 and 8.2.1
Changelog 8.2.1 – maintenance release
This maintenance release (available from the Techzone download page) contains all of the previously released hotfixes for Airlock Gateway 8.2. Additional updates and changes are listed in the changelog below. Maintenance release 8.2.1 is a requirement for the installation of further hotfixes for Airlock Gateway 8.2 and is therefore highly recommended for all installations.
This update is applicable to the following versions of Airlock Gateway: 8.1, 8.1.1, and 8.2.
On 31.10.2024, the update archive airlock_update_8.2.1.zip (with SHA256 2d8e3ffa456fac7b7e7f98ab226de3c4d58653c36a508b1ad375d0d0e531d617) was replaced with a version that relaxes checks regarding disk space requirements for the update.
If you have already successfully applied the previously available update, no further steps are necessary. If you encountered problems applying the update regarding disk space requirements, please download the currently available version and re-run the update.
The following list shows the changes from Airlock Gateway 8.2 to 8.2.1:
CHG: AP-35639 Change default search template to "Requests - GATEWAY All Requests" in Kibana log viewer
UPD: AP-35533 Upgrade Elasticsearch/Kibana to 8.15.2
UPD: AP-35813 Update to OpenSSH 8.7p1-38.el9_4.4
UPD: AP-35665 Update to OpenSSL 3.0.15
UPD: AP-35805 Update to OpenJDK 11.0.24.0.8-2.el9
UPD: AP-35677 Update to Tomcat 9.0.96
UPD: AP-35683 Update to libcurl 8.10.1
UPD: AP-35909 Update to Linux kernel 5.14.0-427.37.1.el9_4
Changes from included hotfixes (may already be installed):
FIX: AP-34794 Fixes a critical Open Forward Proxy / SSRF vulnerability in the Gateway Configuration Center
FIX: AP-35431 ext-apache: Better question mark tracking in mod_rewrite to avoid UnsafeAllow3F (CASE-35366)
UPD: AP-34861 Reduce false positives in Anomaly Shield for certain request patterns
UPD: AP-34895 Update to nghttp2 1.61.0
UPD: AP-35430 Update to httpd 2.4.62
UPD: AP-35774 Recreate possibly compromised keys in systems based on cloud images
Applying this update will reboot the system. User sessions will be preserved in a cluster scenario.
Changelog 8.2
The following list shows the changes from Airlock Gateway 8.1 to 8.2:
CHG: AP-28595 Alphabetic sort of IP listnames
CHG: AP-33156 Default Response Action Feature-Policy replaced with Permissions-Policy header
CHG: AP-34002 Support for Thales Luna Network HSM 7
CHG: AP-34021 Optimized deny rules (DOR_005, AS_015, SQL_065) with reduced false positives
CHG: AP-34245 Allowlist for bot detection updated
CHG: AP-34555 Improve performance of WIN_015 deny rule
FIX: AP-11079 Only log interactive SSH logins
FIX: AP-30130 Apache configuration improved for large environments with websocket connections
FIX: AP-32324 Suggested exception was encoded incorrectly when using policy learning
FIX: AP-33378 airlock-ssl-certificate-tool had issues with non-ASCII characters
FIX: AP-33431 Case insensitive handling of header names in OpenAPI specification enforcement
FIX: AP-33708 OpenAPI was not set to log only if set on Mapping
FIX: AP-33846 Exception when auditor users access an anomaly shield application
FIX: AP-33867 Match Content-Type case-insensitive for OpenAPI Spec. enforcement
FIX: AP-33941 Create header token if one-shot has failed
FIX: AP-33997 Persist locking for access tokens and rewrite response body (JSON only)
FIX: AP-34005 Locking for JWKS providers
FIX: AP-34027 Improve handling of client aborts to avoid Apache log message AH01236
FIX: AP-34060 Entrust HSM setup script fixed
FIX: AP-34296 The Request details tab in Policy Learning is not displayed under some circumstances
FIX: AP-34297 Wrong values were initialized when editing policy learning suggestions
FIX: AP-34384 Memory leak in mod_http2 module
FIX: AP-34503 Improve performance of UNIX deny rules
FIX: AP-34505 Improve performance of SQL_030 deny rule
FIX: AP-34556 Installation from USB stick works again on UEFI systems
FIX: AP-34578 OpenAPI multipleOf works with negative values
FIX: AP-7530 Disallow server alias being configured in other virtual hosts as FQDN
NEW: AP-22940 OpenAPI support for content-type application/www-form-urlencoded
NEW: AP-33540 Example script for REST API to create deny rule exceptions
NEW: AP-33855 Kibana dashboards and saved searches include GraphQL blocks
NEW: AP-33883 Policy learning extended with filter for header name and value
NEW: AP-33930 Additional deny and allow header list can be enabled/disabled
NEW: AP-34140 Path exception pattern for JSON parser
NEW: AP-34145 REST API extension and button in Configuration Center to terminate sessions
NEW: AP-34194 Introduce default Rules and Triggers for Anomaly Shield Applications
NEW: AP-34533 Added nano editor
SEC: AP-33249 DHE-Ciphers removed from default ciphers list for virtual hosts
UPD: AP-33197 Update to libmicrohttpd 1.0.0
UPD: AP-34050 Updated nghttp2 to 1.57.0
UPD: AP-34075 Update to httpd 2.4.58
UPD: AP-34156 Update slf4j-api to 2.0.12
UPD: AP-34341 Update to Elasticsearch/Kibana 8.12.2
UPD: AP-34342 Update OS components
UPD: AP-34343 Update to OpenSSL 3.0.13
UPD: AP-34344 Update to PCRE2 10.43
UPD: AP-34345 Update to Rhonabwy 1.1.13
UPD: AP-34348 Update to Kerberos 1.21.2
UPD: AP-34350 Update to jsoncons 0.173.4
UPD: AP-34352 Update to expat 2.6.0
UPD: AP-34354 Update misc JavaScript libraries
UPD: AP-34355 Update misc Python libraries (scikit-learn 1.2.2, scipy 1.10.1, numpy 1.24.3, pandas 2.0.2, redis 4.5.5, msgpack 1.0.5)
UPD: AP-34356 Update to zlib 1.3.1
UPD: AP-34357 Update BrightCloud Threat Intelligence SDK to 5.36.1
UPD: AP-34358 Update to libcurl 8.6.0
UPD: AP-34359 Update to Redis 7.2.4
UPD: AP-34360 Update to syslog-ng 4.6.0-1
UPD: AP-34361 Update to libnet 1.3
UPD: AP-34362 Update to libmaxminddb 1.9.1
UPD: AP-34363 Update to Protobuf 25.2
UPD: AP-34364 Update to Boost 1.84.0
UPD: AP-34366 Update to SQLite 3.45.1, SQLite-jdbc 3.45.1.0
UPD: AP-34367 Update to c-icap 0.6.2
UPD: AP-34368 Update to nghttp2 1.59.0
UPD: AP-34369 Update geolocation data (DB-IP)
UPD: AP-34370 Update to statsd-exporter 0.26.0
UPD: AP-34371 Update to brotli 1.1.0