Changelog Airlock Gateway 8.5
The following lists show the changes from Airlock Gateway 8.4 to 8.5.
New
NEW: AD-119 Added new deny rule AS_030 to filter LDAP attacks
NEW: AD-258 Added new deny rule XSS_060 for prototype pollution in parameter names or JSON keys (CASE-36202)
NEW: AD-354 Added new deny rule SAN_130 to validate `expect` header
NEW: AD-389 Added new deny rule SAN_140 to block deprecated graphql content-types
NEW: AP-28742 Added REST endpoint to configure notification channels (CASE-30766)
NEW: AP-36708 Web listener: Limit the total size of the request line and all request headers to 32 KB
NEW: AP-36796 Support for unattended installation (PXE/ISO)
NEW: AP-36798 Kickstart config from ISO may be used for PXE
NEW: AP-36799 Allow setting SSH public key in unattended installation
NEW: AP-36806 Added new REST Endpoints to access all deny rules and groups (CASE-36239)
NEW: AP-36848 Default content type patterns and custom rules for content parsing can be managed in the Configuration Center and via REST API
NEW: AP-36869 The TLS group "X25519MLKEM768" (post quantum cryptography/PQC) is available and enabled
NEW: AP-36936 Bootloader files for PXE are now included in ISO
NEW: AP-37026 Added the front-end TLS group to the log message "WR-SG-TLS-SESS-START" (log field "front_tls_group"), to the environment cookie "AL_ENV_SSL_GROUP" and to the rewrite variable "%SSL_GROUP%"
NEW: AP-37058 Allow to configure native JSON type log fields via Expert Settings
NEW: AP-37112 Support ACME certificate retrieval via DNS-01 challenge
Fixes
FIX: AD-112 Refined handling of globbing in UNIX deny rules to reduce false positives (CASE-35973)
FIX: AD-315 Reduced false positives of various deny rules
FIX: AD-364 Reduced false positives of deny rule SAN_040 (CASE-36472)
FIX: AD-401 Reduced false positives of deny rule PHP_004 (CASE-36586)
FIX: AP-30149 Configuration Center: Only consider mappings with locking enabled in "Pull Settings from Source Mapping" (CASE-36178)
FIX: AP-35471 Config diff now correctly handles deleted certificates in the Configuration Center (CASE-35348)
FIX: AP-36048 Corrected REST endpoint /system/status/sessions/
FIX: AP-36187 Mention the username in the details of the event EVENT_SY-C-CCLOGIN-OK
FIX: AP-36291 Eased a race condition when reconfiguring the firewall to allow access to the ACME endpoints
FIX: AP-36562 Sanitized entity names in the Configuration Center to prevent errors upon delete. (CASE-36131)
FIX: AP-36703 System hardening: Reduce the number of ext-apache threads
FIX: AP-36705 mod_reqtimeout now works correctly with a body timeout - previously, connections could be closed because of a body timeout even after the body had been sent (CASE-36192)
FIX: AP-36877 Title of Deny Rule exception panel in the Configuration Center now indicates the context of the exceptions
FIX: AP-36917 Deletion of an ICAP service in the Configuration Center now triggers an error message if it's still in use (CASE-36310)
FIX: AP-36972 Added Configuration Center user role "airlock-readonly-session-viewer-details" (CASE-36224)
FIX: AP-37038 Suppress "new models available" notification if Anomaly Shield is disabled (CASE-36300)
FIX: AP-37050 Anomaly Shield: Also support the old endpoint for Client Behavior analysis results for a smooth transition
FIX: AP-37082 Fixed listing of back-ends with default ports in REST API (CASE-36356, CASE-36417)
FIX: AP-37123 Re-enabled the option "FollowSymLinks" for ext-apache, this prevents the log message AH00670 (CASE-36386, CASE-36402)
FIX: AP-37425 Anomaly Shield: Optimized models for a smaller memory and disk footprint
FIX: AP-37520 Added missing field multipleSingleLineRegex on REST endpoint for default deny-rules
FIX: AP-37637 Support core dumps bigger than 1 GB (CASE-36558)
FIX: AP-37645 REST: Correctly report IDs of IP address lists in mapping relationships to blacklists and blacklist exceptions (CASE-36655)
FIX: AP-37651 Reduce logging during Cookie-Check in Log Only mode
FIX: AP-37656 Reload Security Gateway process on back-end client certificate change (CASE-36669)
FIX: AP-37661 Fixed Security Gateway crash on config reload if Out-of-band Checks with custom host header is configured
FIX: AP-37667 Removed hard session store size limit
Changes
CHG: AD-111 Improved and refined various UNIX, SQL, XSS and LDAP deny rules
CHG: AD-404 Reduced false positives of "Signature" and "Signature-Input" headers for problematic deny rules (CASE-36608)
CHG: AP-15979 Decreased the Apache I/O timeout from 300 seconds to 30 seconds
CHG: AP-16113 Removed deny rule SAN_010 from security levels basic and standard
CHG: AP-16437 Discard potential system secrets in 'Collect system log'
CHG: AP-19918 Enforce UTF-8 for JSON content
CHG: AP-33307 Enabled SNI for TLS connections to external syslog servers (CASE-33568)
CHG: AP-36704 Hardening of HTTP/2 defaults
CHG: AP-36795 Adjusted deny rule group processing order: Sanity is processed as the third group
CHG: AP-36880 The Add-On Tomcat is now an optional package and supports installation of Tomcat 9 or Tomcat 11
CHG: AP-36942 Prevent generic operationId naming in OpenAPI specification of the REST interface (CASE-36270)
CHG: AP-36981 Removed Microsoft mapping templates from Configuration Center
CHG: AP-37025 Anomaly Shield exclusions will affect the current request only, not the session
CHG: AP-37172 Stricter character set encoding normalization of request URL
CHG: AP-37224 Use JSON as default format for new log forward entries
CHG: AP-37274 Restrict access to REST interface to users with role airlock-administrator
CHG: AP-37276 Defined default request_timeout of 10s for kerberos environments
CHG: AP-37281 Added readline support to sqlite3 CLI
CHG: AP-37292 Disabled obsolescent TLS signature algorithms like SHA1 by default
CHG: AP-37585 Log messages SY-AA-AUTH-OK and SY-ALEC-48100 now use the term "role" instead of "credential"
Updates
UPD: AP-31461 Updated Bootstrap to 5.3.8
UPD: AP-36464 Updated jansson to 2.14.1
UPD: AP-36894 Updated Spring Security to 6.5.7
UPD: AP-37193 Updated cloud-init to 24.4
UPD: AP-37390 Updated syslog-ng to 4.10.2-2
UPD: AP-37392 Updated geolocation data (DB-IP)
UPD: AP-37393 Updated BrightCloud Threat Intelligence SDK to 5.38.1
UPD: AP-37399 Updated Kerberos to 1.22.1
UPD: AP-37400 Updated c-icap to 0.6.4
UPD: AP-37403 Updated nettle to 3.10.2
UPD: AP-37415 Updated nghttp2 to 1.68.0
UPD: AP-37418 Updated PCRE2 to 10.47
UPD: AP-37386 Updated httpd to 2.4.65
UPD: AP-37387 Updated libcurl to 8.17.0
UPD: AP-37388 Updated Elasticsearch/Kibana to 8.19.6
UPD: AP-37398 Updated OpenSSL to 3.5.4
UPD: AP-37404 Updated jsoncons to 1.4.3
UPD: AP-37405 Updated expat to 2.7.3
UPD: AP-37406 Updated libmicrohttp to 1.0.2
UPD: AP-37408 Updated Redis to 8.2.3
UPD: AP-37411 Updated Protobuf to 33.1
UPD: AP-37412 Updated Boost to 1.89.0
UPD: AP-37414 Updated SQLite to v3.51.0, SQLite-jdbc to v3.51.0.0
UPD: AP-37419 Updated available versions of the Tomcat instance for Add-on Modules to 9.0.112 and 11.0.14
UPD: AP-37420 Updated Tomcat to 11.0.14 (Configuration Center)