5.0-3-0

Linux-Kernel
Local users processes had been able to gain unlimited access to the system.
The system will reboot automatically when the update procedure has been completed. Do not reboot the device yourself. In the
worst case this could turn the device unusable.
Minor bugfixes and improvements
5.0-2-12

Possible denial-of-service against DNS
With specifically crafted data packets the name server could have been crashed.
Minor bugfixes and improvements
5.0-2-11

DNS jammed
It still occured that DNS access was blocked for a longer periof of time after establishing an Internet dial-up connection
or while trying to stop or reconfigure network interfaces. The new name server release which is installed with this update
is expected to finally resolve the issue.

Possible denial-of-service against IPSec server
With specifically crafted certificates the IPSec server could have been crashed.
Minor bugfixes and improvements
5.0-2-10

F-Secure Antivirus
The contents of specially crafted ZIP and RAR archives wasn't scanned.
Minor bugfixes and improvements
5.0-2-9

Editing the configuration with Firefox
When switching from one tab on the administration interface to an other tab before the previous one had been loaded completely,
the configuration data on the previous tab might have been modified unnoticedly. Leaving the menu item with "Apply", the unintentional
changes got stored.
In particular the problem affected the firewall configuration screens. Hence we recommend an audit of the firewall ruleset.
Systems which have been configured with Internet Explorer are not affected.

Potential crash of IPSec server
A remote attacker could have crashed the IPSec server.

OpenSSL crypto library
With specially crafted certificates one could cause application to crash while printing certificate contents.

Logfile rotation
After the weekly rotation of logfiles it sometimes occured that the logger continued to write to the log of the previous week.
The current week's log remained empty.
Minor bugfixes and improvements
5.0-2-8

Availability of SMTP auth to internal clients
Outlook 2007 refuses to send emails if authentication has been enabled but the mail server doesn't offer it. A client which
sometimes delivers mail authenticated from the Internet, sometimes without authentication from the LAN, had to use different
profiles. Now this is no longer necessary. Once SMTP auth has been enabled for external clients, it is also offered to internal
clients.

ADSL fallback to ISDN dial-up line using the same account
When using the same credentials on an ADSL line and the ISDN fallback, the provider normally won't accept a simultaneous login
with both connections. Hence the process which tests the availability of the DSL line during fallback must consider the DSL
line to be up even if authentication fails. A new configuration switch enables this special behaviour.

Manually return from fallback to ADSL line
In the previous release 5.0-2.7 it was not possible to force switching back from fallback to ADSL by restarting the ADSL service.

DNS jammed
After establishing an Internet dial-up connection or while trying to stop or reconfigure network interfaces, DNS access was
sometimes blocked for a longer period of time.

Reverse proxy's import of purchased certificates
Depending on the certificate file's formatting, the certificate might have been stored in an invalid way.

Display contents of ARP cache in Monitoring menu

New versions of the Kaspersky signature updaters and the scan client
Minor bugfixes and improvements
5.0-2-7

Mail virusscan with Kaspersky Antivirus
Since release 5.0-2.5 it could have happened that an infected email was not detected, if the main contained both, infected
and not infected attachments.

Obtain name servers option
With dial-up connections, it is now possible to obtain the provider's DNS addresses.

Detailed breakdown of SPAM score for every mail
You can now get detailed information also for those mails which haven't been classified as SPAM. If enabled, the analysis
results will be inserted as an email header.

DNS jammed
While trying to stop or reconfigure the name server, it sometimes blocked all access for a longer period of time.

ADSL fallback now supports a second ADSL line, too

SOCKS proxy authentication didn't work
Minor bugfixes and improvements
5.0-2-6

Update for F-Secure Antivirus
With specially crafted archives it was possible to trigger a buffer overflow.

Signature updates of Kaspersky Antivirus
The update fixes problems with the signature update process some customers reported since the previous update. We also have
been able to speed up the update process again.
If you mirror Kaspersky signatures for scanners in your local network, please contact technical support.

SPAM folder and relay SPAM filter
Now the new SPAM folder which has been introduced by the previous update will also work when the relay SPAM filter is enabled.
Minor bugfixes and improvements
5.0-2-5

TIFF image library
A buffer underflow has been discovered in the TIFF library. The SPAM filter uses this library for its text recognition feature
(OCR).

New greylist operation modes
Greylisting is a very effective measure against SPAM. It can be used when inbound mail is received with SMTP and there's no
upstream relay, i.e. a DNS MX record points to the system. By design, greylisting will delay inbound mail. The three new operation
modes introduced with this release aim at a reduced number of delayed messages in order to grow the acceptance of greylisting.
In the mode with the least impact, an email has to pass greylisting only if its sender IP is listed in one of the well-known
DNS blacklist databases of dynamic IPs and SPAM senders. In this mode, greylisting should not affect normal operation in any
negative way. However do not expect better SPAM recognition either, as usually the SPAM filter would have considered the same
blacklists anyway. The major benefit is a reduced system load. A SPAM mail which has been defeated by greylisting doesn't
need to be analyzed by the virus scanner and the SPAM filter.
There's also a special mode for systems which have to accept any recipient address in its local domain. This may have been
configured on purpose (catch all mailbox) or because there's an internal mail server which doesn't support verification of
recipient addresses (e.g. Exchange 2000 and older). In this mode greylisting will take the sender address of each outbound
mail and permit it as recipient for inbound messages. In almost no time inbound mail to active addresses will no longer suffer
from delays, whereas mail to other recipients has to pass greylisting. This will particularly hit SPAM sent to random recipient
addresses.
Finally with the third new option, sender and recipient of each outbound mail will be taken, reversed and accepted for inbound
mail. So greylisting will not affect replies and any further message exchange between those addresses until the entry expires.
This mode should also be interesting for those who already use greylisting.

Increased default greylisting timeout
The default value of the parameter "Timeout after last use" has been increased from 5 to 20 days. Systems using the old default
of 5 days will automatically switch to 20 days. If a different value has been configured, no change will be made.

Extended ADSL fallback
For the case of trouble with the ADSL line, support for ethernet interfaces as fallback has been added. Furthermore the email
address for fallback notifications is configurable now.

New name server release
The new version includes optimizations of the security patch of release 5.0-2.3.

New release of Kaspersky Antivirus
The new version includes a major speedup of the signature update process.

Extended notification by mail client
The mail client notifies the local administrator by email when it encounters a problem while retrieving mails. The amount
of causes triggering such notification has been extended with this release.

Predefined IMAP / Webmail folder for SPAM
On request, mails which have been classified as SPAM can be delivered to a separate SPAM folder. This folder is accessible
to IMAP and webmail users. The new setting is configurable per user.

Configurable message format for classified SPAM
As before, an email which has been tagged as SPAM will by default contain a preview of the original contents and a detailed
breakdown of its SPAM score. The original message is enclosed as attachment. It is now possible to have the original contents
forwarded, too. The message headers will then contain more information on the score. To denote the mail as SPAM, a prefix
will still be added to the email subject.

SPAM filter signature database
The new signature set has been tuned with respect to performance.

Header match option for userdefined SPAM filter rules

Possible crash of the bzip2 compressor
Minor bugfixes and improvements
5.0-2-4

Firewall and slow name servers
Since the previous name server update, queries running for more than 30 seconds are intercepted by the firewall. On systems
with an enabled dynamic firewall, it could even happen that the name server was locked out completely. This updated increases
the firewall's timeout for UDP replies.

Web proxy stopps
If proxy authentication is enabled and a list of exceptions is defined, the web proxy exits from time to time. The problem
occured since release 5.0-2.0.
Minor bugfixes and improvements
5.0-2-3

Security update of the name server
A newly discovered flaw in the DNS protocol itself makes cache poisoning attacks probable again. With the new version, DNS
queries will be sent using random source ports. This measure is said to make attacks unlikely.

IDS stopped on permanent ADSL connections
After a hangup of a permanent ADSL connection, the Intrusion Detection has been stopped.

IPSec L2TP support for Windows Mobile
Up to now, connecting Windows Mobile clients was not straightforward, as Windows Mobile doesn't support PAP authentication.
It is now possible to store a fixed "system-ras" password in cleartext, so Windows Mobile clients can be authenticated using
CHAP or EAP MD5.

Terminate LDAP server via network
With a specially crafted packet it was possible to shutdown the LDAP server.

Mirroring McAfee signatures for local scanners
Some McAfee update servers offer signature files with a wrong capitalization. Local scanners will not be able to update from
the local mirror of such a server.
As the problem persists we decided to offer a workaround. After mirroring, copies of the signature files in various capitalizations
will be created.
Minor bugfixes and improvements
5.0-2-2

Security fix for the perl interpreter
A vulnerability has been reported related to the processing of UTF-8 characters.
Minor bugfixes and improvements
5.0-2-1

Temporary SMTP error while processing virus mails
Due to a software incompatibility in release 5.0-2.0, incoming virus mails will be rejected with a temporary error code. This
shouldn't be a problem with mails received by SMTP. However when retrieving mails from a POP3 server, it will finally end
up in retrieving virus mails only as in each poll a limited amount of emails per mailbox will be fetched.
Systems updated to 5.0-2.0 after 2008-06-10 are not affected.

SPAM score now in email subject
When tagging an email as SPAM, the SPAM filter now adds the SPAM score to the subject. Sorting emails by subject in your mail
client will sort SPAM mails by their score.

User details import from Active Directory
The Active Directory user import feature will now copy user deails such as email address and phone numbers, too.


