Changelog

Changelog Airlock Gateway 8.6

The following lists show the changes from Airlock Gateway 8.5 to 8.6.

New

NEW: AD-62 Added new deny rule SAN_150 to filter malformed referer headers
NEW: AP-2786 Support to explicitly set failover node to active state
NEW: AP-25508 Added configuration of allow rules to REST API (CASE-34804, CASE-35361, CASE-36311)
NEW: AP-17284 Apache Expert Setting "AirlockDiscardGetRequestBody" to control whether the body of GET/HEAD requests will be discarded (CASE-24235, CASE-31163, CASE-32164, CASE-32731, CASE-33191, CASE-35422, CASE-36509)
NEW: AP-35373 Show referencing configuration elements in IP address list detail view
NEW: AP-35374 Implemented expandable diff if configuration element is too large to be displayed
NEW: AP-35396 Show referencing configuration elements in certificate detail view
NEW: AP-36490 Add option to fail if references can not be resolved when importing a mapping using REST (CASE-36113)
NEW: AP-36565 The Apache Expert Setting "MDHttpProxy" can be set per MDomain (CASE-36131, CASE-36582)
NEW: AP-37093 Option to block dynamically blacklisted IPs directly on network level
NEW: AP-37358 Support RedHat OpenShift Virtualization as runtime environment
NEW: AP-37478 Added Anomaly Shield default rule for parameter probing
NEW: AP-37835 Added default response header actions for setting secure Cross-Origin-* headers
NEW: AP-37941 Exposed TLS signature algorithms in Configuration Center and REST
NEW: AP-38138 Show count of referencing configuration elements in certificate overview table
NEW: AP-38173 Show count of referencing configuration elements in IP address list overview table
NEW: AP-38214 The Apache Expert Setting "MDCACertificateFile" can be set per MDomain
NEW: AP-38215 Apache Expert Settings: The root CA for "MDHttpProxy" can be set with the new "MDHttpProxyCACertificateFile"
NEW: AP-38217 Added expert setting that allows decrypting passthrough cookies, to help migrating a cookie from encrypted to passthrough
NEW: AP-38224 REST API session authentication and termination endpoints no longer need explicit write path permissions
NEW: AP-38314 Added installed hotfixes information to REST API /system/status/node resource

Fixes

FIX: AD-419 Reduced false positives of various deny rules
FIX: AD-488 Reduced false positives of SQL deny rules (CASE-36612)
FIX: AD-490 Reduced false positives of XSS deny rules (CASE-36908)
FIX: AP-20929 Make sure the `entry_query` field of SUMMARY logs is still set when the usual request processing is not performed
FIX: AP-24687 Enabled CRL on IPv6 virtual hosts
FIX: AP-25443 No hostname check for Configuration Center Authentication via LDAPS if backendSSLVerifyHost is disabled (CASE-28449, CASE-29059, CASE-29105, CASE-29562)
FIX: AP-36052 Removed duplicate entry in REST API documentation
FIX: AP-36807 Improved ID descriptions in the REST API documentation (CASE-36239)
FIX: AP-37264 Correctly hide close button in warning dialogs
FIX: AP-37663 Fixed detail view of a terminated/non-existing session in session viewer
FIX: AP-37715 Send intermediate certificates during back-end mTLS-handshake (CASE-36711)
FIX: AP-37746 Ignore HTTP trailers in back-end responses, instead of generating an internal server error (CASE-36713)
FIX: AP-37770 Improved examples of file upload in REST API documentation (CASE-36731)
FIX: AP-37870 Corrected possible use of outdated ssh keys after activation
FIX: AP-37877 Stabilized merge of Anomaly Shield database during cluster sync (CASE-36820)
FIX: AP-37974 Prevent overriding of default patterns in deny rule exceptions over REST
FIX: AP-38025 Prevent overriding of default patterns in custom deny rules over REST
FIX: AP-38030 Fixed missing external account binding with ACME DNS-01 (CASE-36939)
FIX: AP-38053 Improved the validation of CRLs (CASE-36809)
FIX: AP-38151 Remove the faulty DoS protection of mod_http2 for better server-sent events/SSE support (CASE-37004)
FIX: AP-38168 SG Expert Setting "Request.Logging.Headers": Don't truncate logged headers after 400 characters
FIX: AP-38190 Stabilized failover behavior on activations with IP changes (CASE-36983, CASE-37102)
FIX: AP-38210 Added proper escaping of patterns in header allow/deny lists (CASE-37072)
FIX: AP-38218 Fixed documentation links in 'Client Certificate' detail view
FIX: AP-38254 Updated kernel packages to fix CVE-2026-31431 (CASE-37104, CASE-37108)
FIX: AP-38255 Corrected read-only users missing permissions for regex tester buttons on global deny-rule details page
FIX: AP-38272 Updated kernel packages to fix CVE-2026-43284
FIX: AP-38279 Correctly handle kernel hotfixes in updates (CASE-37127)
FIX: AP-38289 Updated kernel packages to fix CVE-2026-46300, CVE-2026-46333

Changes

CHG: AD-191 Improved filtering of content-disposition header in multipart bodies
CHG: AD-413 Improved and refined various UNIX and SQL deny rules
CHG: AP-1124 Check the name of encrypted cookies. Note that the length of encrypted cookie values may increase compared to the previous release of Airlock Gateway.
CHG: AP-17948 Set autocomplete=off for plaintext input fields storing account data in the Configuration Center
CHG: AP-25040 Increased BackendHostManagerMaxConcurrentRequestsToBadHosts from 1 to 3 to improve detection of GOOD back-ends despite long-running requests (CASE-30938, CASE-35884, CASE-36679, CASE-36962)
CHG: AP-28740 Removed restriction to use the same ICAP service multiple times (CASE-30765, CASE-36113)
CHG: AP-31776 Added virtual host information to Let's Encrypt Events (CASE-32306, CASE-37113, CASE-37114)
CHG: AP-34282 Improved policy learning for numeric IDs in paths
CHG: AP-35846 Optimized the back-end connect timeouts; new value: 4 seconds (CASE-35493)
CHG: AP-36202 Aligned versioning scheme with other Airlock products to always feature a patch version (8.6.0 instead of 8.6)
CHG: AP-36317 Set maximum connections per SG to number of backend hosts in use
CHG: AP-36803 Exclude "query" parameter from deny rules if it is interpreted as GraphQL
CHG: AP-37166 Use container on/off in API security tab of the mapping instead of enable checkboxes
CHG: AP-37279 Some regex errors are no longer logged with severity "error" if a deny rule exception applies
CHG: AP-37515 Removed support for Add-On Tomcat 9
CHG: AP-37721 Introduced dedicated roles for REST API access
CHG: AP-37800 Added support for ACME certificates via DNS-01 challenge for the Configuration Center
CHG: AP-37803 Improved handling of API keys in configuration center
CHG: AP-37889 Increased allowed header names length for multipart requests from 31 to 40 characters (CASE-36857)
CHG: AP-37940 Added a selection of PKCS algorithms (rsa_pkcs1_sha256/_sha384/_sha512) to the default TLS signature algorithms again to ensure broader TLSv1.2 compatibility
CHG: AP-38006 Added Clear-Site-Data header to response default headers allow list
CHG: AP-38035 Enabled redirect to HTTPS for new Virtual Hosts
CHG: AP-38045 Removed support for importing configurations older than Airlock Gateway 8.2
CHG: AP-38067 Disabled HTTP/0.9
CHG: AP-38427 Relaxed Anomaly Shield IP reputation defaults (CASE-36987, CASE-36975)

Updates

UPD: AL-37799 Updated Spring to v7, updated Spring Boot to v4, updated Spring Security to v7, updated to Jackson v3, updated to Jakarta EE 11
UPD: AP-38239 Updated OS components
UPD: AP-38240 Updated Anomaly Shield Python libraries
UPD: AP-37098 Updated Elasticsearch/Kibana to 9.4.2
UPD: AP-37887 Updated OpenSSL to version 3.5.7
UPD: AP-38033 Updated BrightCloud Threat Intelligence SDK to 5.38.2
UPD: AP-38216 Updated mod_md to 2.6.11
UPD: AP-38238 Updated geolocation data (DB-IP)
UPD: AP-38243 Updated statsd-exporter to v0.30.0
UPD: AP-38245 Updated to libmaxminddb 1.13.3
UPD: AP-38280 Updated Authentication Service to 2.6.7
UPD: AP-38310 Updated GraphQL validator libraries and dependencies
UPD: AP-38311 Updated allowlist for bot detection
UPD: AP-37738 Updated required version of Security World software for Entrust nShield for Linux x64 to 13.9.0