Changelog
Changelog Airlock Gateway 8.4
The following lists show the changes from Airlock Gateway 8.3 to 8.4.
New
NEW: AP-19021 Introduce session lifetime for Configuration Center
NEW: AP-23453 Support NVMe disks (CASE-27856, CASE-36048)
NEW: AP-25505 New REST endpoints and properties to manage request/response actions (CASE-31121, CASE-31756, CASE-32180, CASE-34520)
NEW: AP-25518 Support custom deny rules and groups in REST interface
NEW: AP-28136 Support Redis authentication (CASE-35923)
NEW: AP-33640 Support multiple OpenAPI specifications on one mapping based on path (CASE-31610)
NEW: AP-35848 Validate regex mappings to avoid usage of custom deny rules that use percent variables
NEW: AP-35862 Add Security Gateway Expert Settings for maximum connection lifetime
NEW: AP-35884 Publish Machine images for Azure and GCP as part of a release
NEW: AP-35984 Enable configuration of Prometheus metrics via REST log-settings (CASE-35761)
NEW: AP-36065 Anomaly Shield can be evaluated in log-only mode without an additional license
NEW: AP-36081 Anomaly Shield can now train models for applications without sufficient training data, using a mechanism called Transfer Learning
NEW: AP-36272 Add Custom Log Data collector type ICAPSERVICE
NEW: AP-36280 Anomaly Shield now has a quick start wizard for easy initial setup
NEW: AP-36420 Support to override messages.properties for Configuration Center authentication
NEW: AP-36038 Brute force protection
Fixes
FIX: AP-21817 Show correct title on deny rule exception edit page (CASE-33871, CASE-34056, CASE-34981)
FIX: AP-25187 Config hardening: Disable the option "FollowSymLinks" for ext-apache
FIX: AP-25782 Limits configuration: Support request body sizes bigger than 2 GB (CASE-34394, CASE-35900)
FIX: AP-29317 Don't abort the installation of an update if CTRL-C is pressed (CASE-31050, CASE-35721)
FIX: AP-29485 Show "Authenticated Sessions" instead of "Number of Sessions" in license details (CASE-31357)
FIX: AP-30044 Cleanup the pattern cache of the Security Gateway on config reload
FIX: AP-30495 Apache Expert Setting "CustomLog" had no effect for virtual hosts (CASE-31587)
FIX: AP-34146 Support the Security Gateway expert setting "ControlCookieName" also on mappings (CASE-35047)
FIX: AP-34970 Increase root partition size to 10 GB
FIX: AP-35651 "Modify mapping labels" bulk-action is usable with roles airlock-app-admin and airlock-config-editor
FIX: AP-35748 Fix the event EVENT_SY-N-failo-pchk
FIX: AP-35850 Show notification channels in summary page
FIX: AP-35861 "Enforce client cookie support" did not work with parallel requests
FIX: AP-35866 Mitigate connection handshake issues when using nCipher HSM (CASE-35527)
FIX: AP-35967 Make sure changed lock states are persisted when unlocking a mapping
FIX: AP-35982 Logging of custom data: Fix logging of cookies that contain percent signs or ampersands (CASE-35655)
FIX: AP-35997 Serialize concurrent requests on the REST API (CASE-35677)
FIX: AP-36001 Fix ACME certificate retrieval to not require a "Location" header
FIX: AP-36006 Serve the HTTP-01 ACME challenge without trailing newline (CASE-35750, CASE-35876)
FIX: AP-36109 mgt-apache configuration hardening
FIX: AP-36126 Error Page Replacement: Improve the extraction of the HTTP status code from the filename (CASE-35847)
FIX: AP-36154 Error handling after an ACME timeout (CASE-35876)
FIX: AP-36252 Prevent potential OOM when merging ColdDB from failover partner (CASE-35850)
FIX: AP-36309 Idle Timeout with Anomaly Shield Client Behavior pattern
FIX: AP-36430 Set the log level of the Apache log message AH01236 to DEBUG (CASE-36054)
FIX: AP-36496 Configuration Center: Ensure correct representation of multiple roles in session context
FIX: AP-36541 Fill in the SUMMARY log fields "time_req_icap" and "time_resp_icap" correctly
FIX: AP-36621 Correct detection of duplicate attributes in content-type header
FIX: AP-36729 Remove duplicated Kibana visualizations
FIX: AP-35652 Compare parameter names case-insensitively for HTTP parameter pollution (CASE-35475)
FIX: AP-36232 Trim trailing slash from server URLs in OpenAPI spec
FIX: AP-36311 OpenAPI schema validation: Allow null values when no type is specified (CASE-35991)
FIX: AP-36408 Prevent crashes of Security Gateway when using Custom Log Data with certain conflicting target paths
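AP-36006 above concerns the exact bytes served for the HTTP-01 challenge. The following Python is added here as an example and is not Airlock Gateway code: it builds the key authorization from the challenge token and the account key's JWK thumbprint (RFC 7638) and checks a served body against it, both byte-for-byte and with the trailing-whitespace tolerance that RFC 8555 section 8.3 says a validator SHOULD apply. The SAMPLE_* JWK values and the token are constructed placeholders, not real keys.

```python
"""ACME HTTP-01 key authorization check (RFC 8555 section 8.3, RFC 7638).

Added example, not Airlock Gateway code.  SAMPLE_* values are constructed
placeholders, not real keys."""
import base64
import hashlib
import json

# JWK members that enter the thumbprint, per key type, in the lexicographic
# order RFC 7638 section 3.2 requires.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}

# Constructed placeholder public JWKs (not real keys; the values are arbitrary
# base64url-alphabet text) so the example runs offline.
SAMPLE_RSA_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-not-a-real-key"}
SAMPLE_EC_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 over the canonical JSON of the required members only:
    no whitespace, keys sorted, and extra members such as kid/alg ignored."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint: exactly what must be served at
    /.well-known/acme-challenge/<token> for HTTP-01."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def served_body_is_valid(body: bytes, token: str, jwk: dict, strict: bool = True) -> bool:
    """Compare the bytes a web server actually returns with the expectation.

    RFC 8555 says a validator SHOULD ignore whitespace after the body, but a
    validator that compares byte-for-byte rejects the trailing newline that
    `echo` or a text editor silently appends; strict=True models that case,
    strict=False the tolerant reading."""
    expected = key_authorization(token, jwk).encode("ascii")
    if strict:
        return body == expected
    return body.rstrip(b" \t\r\n") == expected


if __name__ == "__main__":
    token = "constructed-token"  # constructed, not a token issued by a CA
    good = key_authorization(token, SAMPLE_RSA_JWK).encode("ascii")
    print("exact body   :", served_body_is_valid(good, token, SAMPLE_RSA_JWK))
    print("with newline :", served_body_is_valid(good + b"\n", token, SAMPLE_RSA_JWK))
    print("lenient      :", served_body_is_valid(good + b"\n", token, SAMPLE_RSA_JWK, strict=False))
```

When writing the challenge file by hand, prefer `printf '%s' "$KEYAUTH" > "$TOKEN"` over `echo`, which appends the newline that a strict validator rejects; and note that the thumbprint covers only the members listed in `_THUMBPRINT_MEMBERS`, so adding `kid` or `alg` to the JWK must not change it.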
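AP-35652 and AP-36621 above both tighten a duplicate-name check. As an added example that is not Airlock Gateway code, the Python below reports parameter names that repeat across query string and form body once they are percent-decoded and compared case-insensitively, and attributes that repeat inside a Content-Type header; a proxy and a backend choosing different `boundary` values is the classic parser differential the second check exists to catch. All sample inputs are constructed.

```python
"""Duplicate-name checks on HTTP request data: parameter pollution across
query string and form body (names compared percent-decoded and
case-insensitively) and repeated attributes in a Content-Type header.

Added example, not Airlock Gateway code.  All sample inputs are constructed."""
from collections import defaultdict
from urllib.parse import parse_qsl


def parameter_pollution(query: str, body: str = "", case_insensitive: bool = True) -> dict:
    """Map each polluted name to the spellings in which it occurred.

    parse_qsl percent-decodes names, so `%49d` and `Id` collide.  With
    case_insensitive=True, `id` and `ID` collide too: frameworks such as
    ASP.NET look parameters up case-insensitively, so an attacker can hide
    the value the backend will actually use behind a differently-cased
    duplicate that a byte-wise comparison treats as a separate parameter."""
    seen = defaultdict(list)
    for source in (query, body):
        for name, _value in parse_qsl(source, keep_blank_values=True):
            key = name.lower() if case_insensitive else name
            seen[key].append(name)
    return {k: v for k, v in seen.items() if len(v) > 1}


def _split_params(params: str) -> list:
    """Split on ';' outside double quotes; a backslash escapes the next
    character inside quotes (RFC 7230 quoted-string)."""
    parts, cur, quoted, escaped = [], [], False, False
    for ch in params:
        if escaped:
            cur.append(ch)
            escaped = False
        elif quoted and ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            quoted = not quoted
        elif ch == ";" and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        parts.append("".join(cur))
    return parts


def content_type_duplicate_attributes(header: str) -> tuple:
    """Return (media_type, [attribute names that appear more than once]).

    Parameter names are case-insensitive (RFC 7231), and a quoted value may
    itself contain ';', so the header is walked rather than split blindly.
    `multipart/form-data; boundary=a; boundary=b` is the classic case: if a
    proxy honours the first boundary and the backend the last, the two parse
    different bodies."""
    media_type, _, params = header.partition(";")
    counts = defaultdict(int)
    for attr in _split_params(params):
        name = attr.partition("=")[0].strip().lower()
        if name:
            counts[name] += 1
    return media_type.strip().lower(), sorted(n for n, c in counts.items() if c > 1)


if __name__ == "__main__":
    print(parameter_pollution("id=1&ID=2"))                          # caught case-insensitively
    print(parameter_pollution("id=1&ID=2", case_insensitive=False))  # missed byte-wise
    print(parameter_pollution("user=a", "%55ser=b"))                 # query vs. body, percent-encoded
    print(content_type_duplicate_attributes(
        'multipart/form-data; boundary=a; charset="x;y"; Boundary=b'))
```

The case-insensitive mode is the safe default for a proxy that fronts heterogeneous backends: it can only add findings, and any false positive it produces points at a request that two components would already interpret differently.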
Changes
CHG: AP-19075 ICAP Path Condition replaces ICAP URL Condition - see "Actions required when upgrading" (CASE-29590, CASE-35821)
CHG: AP-20263 Support rewrite variables for ICAP service patterns
CHG: AP-23593 Extend configuration import over REST with import resolution options
CHG: AP-23650 Extend automated scanning rules with common SQL injection patterns
CHG: AP-27137 Default response header allow list: add "Permissions-Policy" and "Referrer-Policy", remove "Proxy-Authenticate"
CHG: AP-34125 Exempt the header Sec-Websocket-Extensions from SQL_050 (CASE-34610)
CHG: AP-35001 Anomaly Shield: Default endpoint for Client Behavior analysis results has been changed
CHG: AP-35644 Improve accuracy of LDAP deny rules
CHG: AP-35726 OpenAPI: percent-decode query parameter names
CHG: AP-35895 Remove special Apache Server settings for old versions of Internet Explorer
CHG: AP-35920 Hide empty tenants in configuration summary
CHG: AP-35934 Reduce false positive rate when parsing numbers in SQL_025
CHG: AP-35940 Improve handling of UNIX control flow elements in UNIX deny rules
CHG: AP-35971 Adjust deny rule group processing order: Automated Scanning & Bot Detection are processed as the first two groups
CHG: AP-35977 Improve UNIX deny rules to detect shell parameters in path expressions
CHG: AP-36023 Anomaly Shield: ColdDB gains four additional fields
CHG: AP-36026 Anomaly Shield: Query Parameter model now additionally considers request parameters sent within the request body
CHG: AP-36030 Enhance the Anomaly Shield rule "Default: Hard action on sessions" to also consider malicious parameter probings
CHG: AP-36092 Exempt the destination header from the SSRF deny rules
CHG: AP-36105 Improve detection of fake HTML attributes in HTML_001
CHG: AP-36153 Increase timeouts to wait for ACME server from 30 seconds to 5 minutes (CASE-35801)
CHG: AP-36176 Extend the log message WR-SG-STAT-002 with "queue" and "posttransfer" measurements
CHG: AP-36191 Renew the example certificate "test.certificate"
CHG: AP-36199 SAN deny rules now block the byte order mark U+FEFF
CHG: AP-36240 Set "SameSite=Strict" by default on CSRF cookie (CASE-35986)
CHG: AP-36432 Change the cookie check path from "/cookie-check" to "/cookie-check-d973" to avoid collisions with paths of back-end applications
CHG: AP-36504 Show certificate validity date in ISO 8601 format
CHG: AP-36518 The PID file /run/airlock-gatekeeper/security_gate.pid is not created anymore
Updates
UPD: AP-35528 Update miscellaneous Python libraries (scikit-learn 1.5.2, scipy 1.13.1, numpy 1.26.4, pandas 2.2.3, redis 5.0.2, msgpack 1.1.0)
UPD: AP-35609 Update allowlist for bot detection
UPD: AP-35876 Update RapidJSON to commit 24b5e7a8b2
UPD: AP-36215 Update to httpd 2.4.63
UPD: AP-36283 Update to libcurl 8.13.0
UPD: AP-36449 Upgrade Elasticsearch/Kibana to 8.17.5
UPD: AP-36450 Update OS components
UPD: AP-36451 Update to syslog-ng 4.8.1-2
UPD: AP-36453 Update geolocation data (DB-IP)
UPD: AP-36454 Update BrightCloud Threat Intelligence SDK to 5.37.1
UPD: AP-36455 Update miscellaneous Javascript libraries
UPD: AP-36459 Update to OpenSSL 3.0.16
UPD: AP-36460 Update to httpd 2.4.63
UPD: AP-36464 Update to jansson 2.14.1
UPD: AP-36465 Update to libtasn1 4.20.0
UPD: AP-36466 Update to jsoncons 1.3.2
UPD: AP-36467 Update to expat 2.7.1
UPD: AP-36470 Update to Redis 7.4.3
UPD: AP-36472 Update to libmaxminddb 1.12.2
UPD: AP-36473 Update to Protobuf 30.2
UPD: AP-36474 Update to Boost 1.88.0
UPD: AP-36476 Update to SQLite 3.49.2, SQLite-jdbc 3.49.1.0
UPD: AP-36477 Update to nghttp2 1.65.0
UPD: AP-36478 Update statsd_exporter to include newest golang/x/net module version (v0.39.0)
UPD: AP-36480 Update to PCRE2 10.45
UPD: AP-36481 Update to Tomcat 9.0.105 (add-on modules)
UPD: AP-36482 Update to Tomcat 10.1.41 (Configuration Center)
UPD: AP-36577 Update Spring to v6.2.6, Spring Boot to v3.4.5 and Spring Security to v6.4.5
UPD: AP-36730 Update to OpenJDK 21.0.7.0.6-1.el9.alma.1