Release notes for Mividas Installer + VM
[1.8.9] - 2024-10-09
Added
- Add function to clean up old container images from the web GUI server menu
- (internal) Display notice about custom versions (beta etc) for upgrades/offline export
Fixed
- Fix HTTP -> HTTPS redirect
- Fix building the certificate chain during deploy when an intermediate CA but not the root CA is included in the certificate file
- Store the subject of the intermediate CA as its name in the database, instead of the issuer, when importing a CA chain
- Always use service definition for the correct version when installing components in offline mode
- Fix conflicts when pinning image used in multiple components (e.g. postgres) in offline mode
- Abort offline installation in case of missing offline bundles
- Fix audit log max file number for new installation
- Fix upgrading to a specific Installer version from the CLI
- Save snapshot queue reset-script in filesystem on upgraded installations
- Don't try to parse SAML claim names in URL-format as search+replace fields
- Use updated license flags as soon as possible, instead of after each deploy
Security
- Upgrade bind9-host, bind9-libs, e2fsprogs, hyperv-daemons, libcom-err2, libexpat1, libext2fs2, libgssapi-krb5-2, libk5crypto3, libkrb5-3, libkrb5support0, libsqlite3-0, libss2, libsystemd0, libudev1, libxml2, linux-image-5.10.0-30-cloud-amd64, linux-image-cloud-amd64, logsave, python3-pkg-resources, python3-setuptools, runc, shim-unsigned, systemd, systemd-sysv, systemd-timesyncd, traefik, udev
- Related CVEs: CVE-2021-36690, CVE-2022-1304, CVE-2022-2309, CVE-2022-43945, CVE-2022-48733, CVE-2023-27561, CVE-2023-28642, CVE-2023-40547, CVE-2023-40548, CVE-2023-50387, CVE-2023-50868, CVE-2023-52425, CVE-2023-7104, CVE-2024-1737, CVE-2024-1975, CVE-2024-27397, CVE-2024-36971, CVE-2024-36978, CVE-2024-37370, CVE-2024-37371, CVE-2024-38381, CVE-2024-38555, CVE-2024-38577, CVE-2024-38627, CVE-2024-39480, CVE-2024-39487, CVE-2024-4076, CVE-2024-40958, CVE-2024-41000, CVE-2024-41040, CVE-2024-41046, CVE-2024-41049, CVE-2024-41070, CVE-2024-41087, CVE-2024-41090, CVE-2024-41091, CVE-2024-42148, CVE-2024-42284, CVE-2024-42285, CVE-2024-42301, CVE-2024-42302, CVE-2024-42313, CVE-2024-43882, CVE-2024-44974, CVE-2024-44987, CVE-2024-44998, CVE-2024-44999, CVE-2024-45490, CVE-2024-45491, CVE-2024-45492, CVE-2024-46738, CVE-2024-46740, CVE-2024-46743, CVE-2024-46744, CVE-2024-46747, CVE-2024-46782, CVE-2024-46800, CVE-2024-46844, CVE-2024-6345
Changed
- Require confirmation when upgrading to another major version
- Stop writing cron events to audit logs
- Automatically reset expired Swarm certificate for VMs that have been shut down too long
- Pre-fill domain names in CSR-form
- Display timezone for log viewer fields
- Include digest information for each image in offline bundle-export
- Use CONNECT with HTTP/1.1 including Host-header when using HTTP(S) proxy
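The proxy tunnelling change above (CONNECT over HTTP/1.1 with a Host header), together with the earlier fixes for quoting special characters in HTTP(S) proxy credentials, as an added Python example; this is not the Installer's own code, and the proxy URL and target host are constructed values.

```python
# Added example (not the Installer's own code): tunnel through an HTTP(S)
# proxy with a CONNECT request that is HTTP/1.1, carries a Host header and
# percent-decodes proxy credentials before Base64-encoding them.
import base64
import socket
from urllib.parse import unquote, urlsplit


def connect_request(target_host: str, target_port: int, proxy_url: str) -> bytes:
    """Return the raw CONNECT request to send to the proxy."""
    authority = f"{target_host}:{target_port}"
    # HTTP/1.1 requires Host; for CONNECT it repeats the target authority.
    lines = [f"CONNECT {authority} HTTP/1.1", f"Host: {authority}"]
    proxy = urlsplit(proxy_url)  # e.g. http://user:p%40ss@proxy.example:3128 (constructed)
    if proxy.username is not None:
        # urlsplit leaves userinfo percent-encoded ("p%40ss" stays as-is);
        # decode first, or the proxy is sent the wrong password.
        creds = f"{unquote(proxy.username)}:{unquote(proxy.password or '')}"
        token = base64.b64encode(creds.encode("utf-8")).decode("ascii")
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def read_head(sock: socket.socket) -> bytes:
    """Read the proxy's response headers up to (not including) the blank line."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before replying")
        buf += chunk
        if len(buf) > 64 * 1024:
            raise ConnectionError("proxy response headers too large")
    return buf.split(b"\r\n\r\n", 1)[0]


def tunnel_status(head: bytes) -> int:
    """Return the status code from the proxy's status line, e.g. 200 or 407."""
    status_line = head.split(b"\r\n", 1)[0].decode("iso-8859-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/1.") or not parts[1].isdigit():
        raise ConnectionError(f"malformed proxy status line: {status_line!r}")
    return int(parts[1])


def open_tunnel(sock: socket.socket, host: str, port: int, proxy_url: str) -> int:
    """Send CONNECT on a socket already connected to the proxy; return the 2xx status."""
    # Anything other than 2xx (407 rejected credentials, 403 blocked destination)
    # raises, so the caller never starts TLS or sends data into an unopened tunnel.
    sock.sendall(connect_request(host, port, proxy_url))
    status = tunnel_status(read_head(sock))
    if not 200 <= status < 300:
        raise ConnectionError(f"proxy refused CONNECT with status {status}")
    return status
```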
[1.8.8] - 2024-07-01
Fixed
- Increase timeout in the load balancer (traefik) CVE mitigation that caused issues with large file uploads
- Truncate name of container secret if name of instance is too long
[1.8.7] - 2024-05-29
Added
- Add script to restore scheduled tasks after VM snapshot/backup-restore
Fixed
- Fix intermittent error message on dashboard about acquiring lock
- Fix SRV-lookup for LDAP servers
- Fix syntax of AD LDAP filter example in network tools
- Hide validation error alert for unfilled optional forms during installation
- Fix resetting fallback user password using "sudo cli component passwd"
- Fix file permissions in upgrade container
- Freeze auditd rules for existing installations
- Fix starting ssh directly on boot during initial installation
Security
- Upgrade bsdutils, django, dnspython, fdisk, gunicorn, less, libblkid1, libexpat1, libfdisk1, libmount1, libsmartcols1, libuuid1, linux-kernel, mount, paramiko, sqlparse, traefik, tzdata, util-linux
- Related CVEs: CVE-2021-37600, CVE-2023-29483, CVE-2022-48624, CVE-2024-32487, CVE-2023-48795, CVE-2023-52425, CVE-2024-1135, CVE-2024-24680, CVE-2024-28085, CVE-2024-4340, CVE-2024-2961, DLA-3788-1
Changed
- Use pool for database connections
- Upgrade load balancer (traefik) to v2.11
- Use postgresql 16 for new installations of both Installer and components
- Improve cache handling for SAML metadata. Add HTTP proxy support
- Set upper process limit for containers
- Disable routing for internal load balancer network on new installations
[1.8.6] - 2024-03-22
Fixed
- Fix locking issue during metadata update that sometimes caused long timeouts and overuse of database connections after enough user actions without a restart. Run "sudo cli installer upgrade" from SSH to upgrade if that happens, or restart the server
- Fix deploy of LDAPAdmin when using certificate
- Fix displaying certificate error message on screen
- Fix LDAP username attribute when using search+replace
Security
- Upgrade libuv1
- Related CVEs: CVE-2024-24806
[1.8.5] - 2024-03-05
Added
- Resolve LDAP servers in network tools test. Try to verify SSL-connection
- Add support for filtering log with until-filter
- Add support to disable SAML-login for installer using "cli installer disable_saml" and "cli installer restore_saml"
Fixed
- Fix fetching syslog in Logs-view
- Don't enable SAML SLO if upgrading from 1.8.3 or earlier
- Use more conservative upscaling of services to decrease the risk of out-of-memory errors
- Increase global max memory limit so that VM scaling does not increase potential memory usage too much when 12+ GB of RAM is used
- Remove external version check-request from internal load balancer
- Fix unnecessary restarts of Installer-component
Security
- Upgrade hyperv-daemons, libglib2.0-0, libgnutls30, libperl5.32, linux-image-5.10.0-26-cloud-amd64, linux-image-cloud-amd64, perl-base, perl-modules-5.32, runc
- Related CVEs: CVE-2023-29499, CVE-2023-35827, CVE-2023-46813, CVE-2023-47038, CVE-2023-5178, CVE-2023-5717, CVE-2023-6040, CVE-2023-6531, CVE-2023-6817, CVE-2023-6931, CVE-2023-6932, CVE-2024-0567, CVE-2024-0646, CVE-2024-1086, CVE-2024-2162,
Changed
- Set flag in SAML SP-metadata about wanting assertions signed
- Use streaming console output for long-lasting commands
- Change console log-format
- Refresh session expiry on each request
- Include extra information about running services in log output
- Use logrotate for auditd-logs
- Limit redundant journald-log size
[1.8.4] - 2023-12-31
Added
- Add support for SAML login. See /saml/metadata/ for SP metadata
- Display EULA in interface
- Add support to configure remote syslog server from onboarding wizard
- Add support to enable SNMP monitoring (new installations only for now)
Fixed
- Fix syntax in example AD LDAP-filter
- Fix permissions of uploads folder if containers were started in the wrong order
- Remove log files if log partition is full
- Fix sorting of syslog log lines
Security
- Upgrade django, libnghttp2-14, openssh-client, openssh-server, openssh-sftp-server, libpq5
- Related CVEs: CVE-2023-44487, CVE-2023-51385, CVE-2021-41617, CVE-2023-46695, CVE-2023-5869
Changed
- Use license key from uploaded file if both textarea and file are provided at the same time
- Automatically remove newline and spaces from license key before validation
- Use more memory for each worker when calculating max number of workers for VM-size
- Limit memory to max 50% of total VM memory for each service
- Change OOM score for database-containers
- Increase swap space for older VM-versions
[1.8.3] - 2023-10-31
Added
- Add support to use smtp+tls for SMTP relay
- Add separate field for required LDAP-group for normal users
- Add support to set SAML claims to use for user/admin/superuser permission
- Add support to set SAML username claim, with support for search+replace
- Add support to force restart of services in log view
- Display disk space warnings on dashboard
- Display available Installer/VM-upgrades on dashboard
- Display if reboot is necessary on dashboard
- Allow specifying specific Installer version when upgrading from command line
- Add support to display syslog in web-UI
Fixed
- Fix updating component reference if converting between licensed products
- Keep currently installed component version in version select-box if it has been removed from global list
- Allow disabling SAML signing certificate
- Don't display certificates belonging to non-deployed components as active
- Fix update of overwritten dev-versions during deploy in offline mode
- Fix quoting of special characters in HTTP(S) Proxy authentication
- Fix system logs rotation-timer
- Upgrade libseccomp for Debian buster based installations to allow for bookworm-based Docker images
- Fix setting static routes on second NIC if routes are configured later
Security
- Upgrade bind9-host, bind9-libs, cpio, curl, hyperv-daemons, libc-bin, libc-l10n, libc6, libcurl4, libjson-c5, libncurses6, libncursesw6, libtinfo6, linux-image-5.10.0-23-cloud-amd64, linux-image-cloud-amd64, locales, ncurses-base, ncurses-bin, open-vm-tools, openssh-client, openssh-server, openssh-sftp-server, qemu-guest-agent
- Related CVEs: CVE-2021-32292, CVE-2021-38185, CVE-2022-39189, CVE-2023-1989, CVE-2023-20900, CVE-2023-2156, CVE-2023-29491, CVE-2023-3090, CVE-2023-31248, CVE-2023-3268, CVE-2023-3341, CVE-2023-3354, CVE-2023-3389, CVE-2023-3390, CVE-2023-35001, CVE-2023-35788, CVE-2023-3609, CVE-2023-3610, CVE-2023-3611, CVE-2023-3776, CVE-2023-3777, CVE-2023-38408, CVE-2023-4004, CVE-2023-40283, CVE-2023-4128, CVE-2023-4147, CVE-2023-4206, CVE-2023-4207, CVE-2023-4208, CVE-2023-4244, CVE-2023-42753, CVE-2023-4622, CVE-2023-4623, CVE-2023-4911, CVE-2023-4921, CVE-2023-38325, CVE-2023-37920
Changed
- Automatically retry installation if dockerd times out
- Hide gunicorn version from Server-header
- Display additional disclaimer about LDAP user access
- Revert to old postgres version by default
- Auto-select only services that are running too many or too few instances in Log view
- Split CA certificates to multiple rows during import. Don't import duplicates
- Try to add missing CA-certificates to certificate chain if missing from component certificate file
- Remove name-field from CA import form. Automatically use subject
- Compress logs on the first rotation
- Change default LDAP filter to not include disabled users when using AD
[1.8.2] - 2023-07-12
Added
- Add new TLS cipher option with modern ciphers plus two weak TLS 1.2-ciphers to allow for older firmware of external systems
- Add support for separate component containing only Mividas Scheduling Portal
- Allow converting within the same product family, e.g. for testing development releases
- Add support for providing SAML certificate/key pair
- Add support for selecting TLS-mode and authentication method for external databases
Fixed
- Don't try to use broken/invalid server default certificate/private key-pairs
- Use default server timezone when parsing log time filter
- Fix help text of certificate textbox since adding support for importing encrypted private keys
- Run log rotation more often for container logs
- Discard some non-relevant kernel logs during container initialization and teardown
- Escape http proxy username/password in environment variables
- Use container service name in syslog
- Fix database dump using "cli"-command
Security
- Upgrade curl, linux kernel, openssl, containerd, sudo
- Upgrade redis, requests, setuptools, sentry-sdk
- Related CVEs: CVE-2023-25173, CVE-2022-32221, CVE-2023-0179, CVE-2023-1077, CVE-2023-1281, CVE-2023-1829, CVE-2023-1872, CVE-2023-32233, CVE-2023-0361, CVE-2022-29458, CVE-2022-4450, CVE-2023-0215, CVE-2023-0286, CVE-2023-0464, CVE-2023-2650, CVE-2023-22809,
- Disable network routing for internal container services
- Set session expiration to 2h
- Fix issue in error reporting where, because error reporting was disabled, the system tried to send a report of the number of discarded error messages to a remote server
Changed
- Change "Mividas Connect" to new product name "Mividas Identify"
- Remove TLS 1.0 from the most insecure TLS-cipher option
- Remove LDAP default server settings
- Pass host VM ca-certificates to containers
- Use postgres 13 for new installations
- Move swap file to the same partition as user data
- Increase default disk size to 200GB, increase log partition-size to 2.5GB
- Disable unattended installation of a subset of Debian security upgrades by default
[1.8.1] - 2023-01-15
Added
- Prepare SAML authentication settings for Mividas Core + Rooms
Fixed
- Fix home link from product details view
- Lock postgres version for LDAPAdmin deployed with old version of deploy file
- Stop re-deploying load balancer on installer upgrade if not necessary
- Remove warning about missing volumes when removing component
- Fix service deploy problems when using setting values (e.g. passwords) starting with quotes (")
- Fix host security update files when upgrading system using offline bundle
Changed
- Change deploy mode for some shared services to allow Installer upgrades in the future with less downtime
- Increase number of workers for each component based on available memory
- Always try to start Installer based on script from the currently running version when using other than the official latest version
- Encrypt API keys and passwords before saving to database
- Remove letsencrypt option from certificate config screen
- Limit access for logs and system files, fix some CIS benchmark warnings, enable console timeout
- Install host security upgrades just after upgrading Installer, stop docker from potentially being upgraded automatically
- Discard some recurring kernel log messages about virtual container network interfaces
- Allow more userdata in cloud-init config
Security
- Upgrade host packages for grub2, hyperv-daemons, libexpat1, libtasn1-6, libxml2, linux-image-cloud-amd64
- Related CVEs: CVE-2021-46848, CVE-2022-2601, CVE-2022-3524, CVE-2022-3565, CVE-2022-3594, CVE-2022-3775, CVE-2022-40303, CVE-2022-40304, CVE-2022-4139, CVE-2022-42896, CVE-2022-43680, CVE-2022-4378, CVE-2022-47518, CVE-2022-47519
- Limit system permissions for load balancer container, run more services with read only root file system
[1.8.0] - 2022-10-20
Added
- Add support to enable external database from license file
- Add support for importing and converting binary certificates (beta)
- Add support for exporting private keys with encryption and importing encrypted keys
- Add support for external redis server
- Add support for enabling LDAP referral chasing
- Add support to lookup LDAP servers using SRV records
- Add more inline documentation for LDAP, SAML and SMS-settings
- Mark certificates in use in lists
- Add field for validating SSL handshake against remote port using network tools
- Validate database and LDAP settings when saving configuration
- Display information about last component metadata refresh time and add link to force refresh
- Add CLI command ("cli") with support to, among other things, reset passwords and dump database content
- Allow ICMP echo requests ("ping")
- Allow overriding dns when using DHCP
- Install traceroute
- Add support for EFI and Secure Boot (beta, new VM installations only)
Fixed
- Clear a certificate's existing CA chain when updating its public key
- Fix TLS validation for LDAP test connection
- Validate line before removing volumes
- Fix version ordering for x.y.z-dev builds
- Fix permission to run ping in network tools
- Fix certificate chain warnings if CA lacks common name information
- Reset offline mode if online license validation was successful
- Increase length of ldap filter
- Remove warning in load balancer logs about SNI host
- Stop validating values in optional forms marked for deletion
- Fix offline export if "check for update"-checkbox is not set
- Fix offline export if any components are marked for uninstallation
- Remove console log warnings about HostSNI
- Set static routes after all interfaces are up
- Install systemd-timesyncd if the initial VM version did not include it
- Fix returning to menu after setting hostname
Security
- Upgrade django, openssl, libssl1.1, sqlite3
- Related CVEs: CVE-2022-28346, CVE-2022-28347, CVE-2022-0778
- Upgrade bind9-host, bind9-libs, curl, dpkg, grub-common, grub-pc, hyperv-daemons, linux-image-cloud-amd64, libc-bin, libtasn1-6, libssl1.1, openssl, qemu-guest-agent, rsyslog, zlib1g
- Related CVEs: CVE-2018-13405, CVE-2021-22945, CVE-2021-22946, CVE-2021-30560, CVE-2021-3697, CVE-2021-3999, CVE-2021-4197, CVE-2021-4206, CVE-2021-4207, CVE-2021-46828, CVE-2022-0358, CVE-2022-1012, CVE-2022-1158, CVE-2022-1292, CVE-2022-1353, CVE-2022-1586, CVE-2022-1587, CVE-2022-1652, CVE-2022-1664, CVE-2022-1679, CVE-2022-1729, CVE-2022-1786, CVE-2022-20368, CVE-2022-20422, CVE-2022-20566, CVE-2022-20568, CVE-2022-2068, CVE-2022-22576, CVE-2022-2327, CVE-2022-24903, CVE-2022-2509, CVE-2022-2585, CVE-2022-2588, CVE-2022-2602, CVE-2022-26353, CVE-2022-27404, CVE-2022-27405, CVE-2022-27406, CVE-2022-27666, CVE-2022-27775, CVE-2022-27781, CVE-2022-27782, CVE-2022-2795, CVE-2022-28733, CVE-2022-28734, CVE-2022-29155, CVE-2022-29162, CVE-2022-29581, CVE-2022-29582, CVE-2022-2959, CVE-2022-2977, CVE-2022-30594, CVE-2022-3080, CVE-2022-31676, CVE-2022-3176, CVE-2022-32207, CVE-2022-32250, CVE-2022-34918, CVE-2022-3625, CVE-2022-3635, CVE-2022-36946, CVE-2022-38177, CVE-2022-38178, CVE-2022-40674, CVE-2022-41222, CVE-2022-43750
Changed
- Only display first certificate chain warning, hide warning if three or more certificates are included
- Increase log verbosity for ldap tests
- Set ldap connection timeout
- List any unknown/not fully uninstalled container services
- Add pagination and search to certificate lists
- Use direct API for fetching service logs instead of subprocesses for better performance
- Escape special characters in authentication to external services
- Rotate log files more often
- Increase log file partition size (for new VMs)
- Decrease console log verbosity
- Change docker internal IP series to 100.64.10[3-5].0/16 to limit risk of conflicts (new VMs only)
- Change to GPT based partitions
- Add docker/-prefix to syslog tag, write container logs to separate files in /var/log/docker/
- Prepare for support for external syslog servers. Manual configuration should be moved to /etc/rsyslog.d/50-remote.conf
- Enable SSH login by default for new installations, enable fail2ban to lock out logins after too many failed login attempts