Firefox

  • Fixes for mfsa2018-08, also known as CVE-2018-5146, CVE-2018-5147.
  • Fixes for mfsa2018-07, also known as CVE-2018-5127, CVE-2018-5129, CVE-2018-5130, CVE-2018-5131, CVE-2018-5144, CVE-2018-5125, CVE-2018-5145.

Base System

  • Added support for UEFI Secure Boot.

    When booted with Secure Boot, the downgrade to a firmware version older than 10.04.100 is locked.
  • Fixed evince security issue CVE-2017-1000159.
  • Fixed bind9 security issue CVE-2017-3145.
  • Fixed glibc security issues CVE-2018-1000001, CVE-2017-16997, CVE-2017-15804, CVE-2017-15670, CVE-2017-1000409 and CVE-2017-1000408.
  • Fixed gdk-pixbuf security issues CVE-2017-6314, CVE-2017-6313, CVE-2017-6312 and CVE-2017-1000422.
  • Fixed webkit2gtk security issues CVE-2017-7156, CVE-2017-5753, CVE-2017-5715, CVE-2017-13870, CVE-2017-13866, CVE-2017-13856, CVE-2018-4096, CVE-2018-4088, CVE-2017-7165, CVE-2017-7161, CVE-2017-7160, CVE-2017-7153, CVE-2017-13885 and CVE-2017-13884.
  • Fixed poppler security issues CVE-2017-14976 and CVE-2017-1000456.
  • Fixed openssl security issues CVE-2017-3738 and CVE-2017-3737.
  • Fixed libxml2 security issues CVE-2017-16932 and CVE-2017-15412.
  • Fixed nvidia-graphics-drivers-384 security issue CVE-2017-5753.
  • Fixed openssh security issues CVE-2017-15906, CVE-2016-10012, CVE-2016-10011, CVE-2016-10010 and CVE-2016-10009.
  • Fixed libtasn1-6 security issues CVE-2018-6003 and CVE-2017-10790.
  • Fixed curl security issues CVE-2018-1000005 and CVE-2018-1000007.
  • Fixed libvorbis security issues CVE-2017-14633 and CVE-2017-14632.
  • Fixed wavpack security issue CVE-2016-10169.
  • Fixed cups security issue CVE-2017-18190.
  • Fixed sensible-utils security issue CVE-2017-17512.
  • Removed terminal start function from task manager menu bar.
  • Updated kernel to version 4.15.15
    • Fixed Meltdown (CVE-2017-5754) by PTI (page table isolation)
    • Fixed Spectre Variant 1 (CVE-2017-5753) by __user pointer sanitization
    • Fixed Spectre Variant 2 (CVE-2017-5715) by full generic retpoline
  • Fixed beep security issue CVE-2018-0492.
  • Added Intel Processor Microcode Updates to provide IBRS/IBPB/STIBP microcode support for Spectre Variant 2 (CVE-2017-5715) mitigation.

    | Product Name | CPU ID | Platform ID | Microcode Revision |
    |---|---|---|---|
    | IGEL UD9-LX Touch 41, IGEL UD9-LX 40, IGEL UD6-LX 51, IGEL UD5-LX 50 Bay Trail | 30678 | 0C | 0x836 |
    | IGEL UD2-LX 40 Bay Trail | 30679 | 0F | 0x90A |
    | IGEL UD5-LX 40 Sandy Bridge | 206A7 | 12 | 0x2D |
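
An added example, not part of the original release notes and not IGEL tooling: it rebuilds the CPUID signature from the family, model and stepping fields of /proc/cpuinfo and compares the loaded microcode revision with the table above. Treating the listed revision as the minimum expected value is an assumption, the Platform ID column is not checked, and the function names and sample data are constructed for illustration.

```python
import re

# CPU ID -> microcode revision from the table above, read as hexadecimal.
EXPECTED = {0x30678: 0x836, 0x30679: 0x90A, 0x206A7: 0x2D}

# Constructed sample in /proc/cpuinfo format (not captured from a device):
# one core at the listed revision and one below it, to show both outcomes.
SAMPLE = (
    "processor\t: 0\ncpu family\t: 6\nmodel\t\t: 55\nstepping\t: 8\n"
    "microcode\t: 0x836\n\n"
    "processor\t: 1\ncpu family\t: 6\nmodel\t\t: 42\nstepping\t: 7\n"
    "microcode\t: 0x29\n"
)

def cpuid_signature(family, model, stepping):
    """Rebuild the CPUID signature from /proc/cpuinfo's decoded fields.

    Layout: ext. family [27:20], ext. model [19:16], family [11:8],
    model [7:4], stepping [3:0]. Linux prints the combined family and
    model numbers, so the extended parts are split back out here.
    """
    base_family = min(family, 0xF)
    ext_family = family - base_family
    return (ext_family << 20 | (model >> 4) << 16 | base_family << 8
            | (model & 0xF) << 4 | stepping)

def check_cpuinfo(text):
    """Return one (signature, loaded, listed, status) tuple per logical CPU."""
    results = []
    for block in text.strip().split("\n\n"):
        fields = dict(re.findall(r"^([^\t:\n]+?)[ \t]*:[ \t]*(.*)$", block, re.M))
        if "microcode" not in fields:
            continue  # field is absent on non-x86 CPUs
        sig = cpuid_signature(int(fields["cpu family"]), int(fields["model"]),
                              int(fields["stepping"]))
        loaded = int(fields["microcode"], 16)
        listed = EXPECTED.get(sig)
        if listed is None:
            status = "not-listed"
        else:
            # Assumption: the listed revision is the minimum expected one.
            status = "ok" if loaded >= listed else "outdated"
        results.append((sig, loaded, listed, status))
    return results

if __name__ == "__main__":
    for sig, loaded, listed, status in check_cpuinfo(SAMPLE):
        want = "n/a" if listed is None else f"{listed:#x}"
        print(f"CPUID {sig:X}: loaded {loaded:#x}, listed {want}: {status}")
```

To check a running device, pass the contents of /proc/cpuinfo to `check_cpuinfo` instead of `SAMPLE`.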

Network

  • Disabled weak message authentication codes for SSH server and client as default. If problems occur, change the default setting.

    Parameter | Disable weak message authentication codes
    Registry  | network.ssh_client.disable_weak_macs
    Value     | enabled / disabled

    Parameter | Disable weak message authentication codes
    Registry  | network.ssh_server.disable_weak_macs
    Value     | enabled / disabled


  • Disabled weak key exchange algorithms for SSH server and client as default. If problems occur, change the default setting.

    Parameter | Disable weak key exchange algorithms
    Registry  | network.ssh_client.disable_weak_kexalgorithms
    Value     | enabled / disabled

    Parameter | Disable weak key exchange algorithms
    Registry  | network.ssh_server.disable_weak_kexalgorithms
    Value     | enabled / disabled

  • Disabled weak hostkeys (server) and hostkey algorithms (client) for SSH server and client as default. If problems occur, change the default setting.

    Parameter | Disable weak Hostkey algorithms
    Registry  | network.ssh_client.disable_weak_hostkey_algos
    Value     | enabled / disabled

    Parameter | Disable weak Hostkeys
    Registry  | network.ssh_server.disable_weak_hostkeys
    Value     | enabled / disabled

  • Changed the default SMB protocol version from v1.0 to v2.0 for mounting Windows shares to improve security.
  • Added the possibility to change the SMB protocol version for Windows shares. The Windows shares are configurable at IGEL Setup > Network > Network Drives > Windows Drive.

    Parameter | SMB protocol version
    Registry  | network.smbmount.smb_version
    Range     | 1.0 / 2.0 / 2.1 / 3.0

    When using a very old Windows file server, it is necessary to change the setting to version 1.0.

RDP / IGEL RDP Client 2

  • Fixed RDP: CVE-2018-0886.

Java

  • Fixed in Oracle JRE 1.8U162: CVE-2018-2638, CVE-2018-2639, CVE-2018-2633, CVE-2018-2627, CVE-2018-2637, CVE-2018-2634, CVE-2018-2582, CVE-2018-2641, CVE-2018-2618, CVE-2018-2629, CVE-2018-2603, CVE-2018-2657, CVE-2018-2599, CVE-2018-2581, CVE-2018-2602, CVE-2018-2677, CVE-2018-2678, CVE-2018-2588, CVE-2018-2663, CVE-2018-2675, CVE-2018-2579