Version: 3.14.x.x LTS

Release notes

nevisProxy 3.14.3.29 LTS2019 - 16.8.2023

Changes and new features

  • UPGRADED: We upgraded to ModSecurity v3.0.10.
  • UPGRADED: We upgraded to nghttp2 1.55.1.
  • UPGRADED: We upgraded to OpenSSL 1.1.1u.

nevisProxy 3.14.3.28 LTS2019 - 17.5.2023

Changes and new features

  • UPGRADED: (Security) We upgraded to ModSecurity v3.0.9.
  • UPGRADED: We upgraded to Apache httpd 2.4.57.
  • UPGRADED: We upgraded to nghttp2/1.52.0.

nevisProxy 3.14.3.27 LTS2019 - 24.2.2023

Changes and new features

  • CHANGED: We fixed a typo in a NOTICE log message.
  • UPGRADED: We upgraded to OpenSSL 1.1.1t.
  • UPGRADED: We upgraded to nghttp2/v1.51.0.

nevisProxy 3.14.3.26 LTS2019 - 7.12.2022

Changes and new features

  • FIXED: Cookie names starting with $ and without a value are now allowed.

nevisProxy 3.14.3.25 LTS2019 - 16.11.2022

Changes and new features

  • FIXED: Keep-Alive did not work for HTTP/1.1 clients if HTTP/2.0 was also configured in navajo.xml.
  • UPGRADED: To OpenSSL 1.1.1s.
  • UPGRADED: To mod_setenvifplus/0.40.
  • UPGRADED: To mod_qos/11.72.

Notes

  • As of now, mod_qos works for the hypertext transfer protocol version 1.0 and 1.1 only. If you decide to use HTTP/2, you should only use the request level control directives of mod_qos.

nevisProxy 3.14.3.24 LTS2019 - 12.10.2022

Changes and new features

  • UPGRADED: ModSecurity is upgraded to v3.0.8.

nevisProxy 3.14.3.23 LTS2019 - 24.8.2022

Changes and new features

  • FIXED: A crash was possible when the configuration file of the ModSecurityFilter was modified while nevisProxy was running.

nevisProxy 3.14.3.22 LTS2019 - 17.8.2022

Changes and new features

  • NEW: We added the RequestFlag “PRUNE_ACCEPT_ENCODING” to remove unsupported compression algorithms from the Accept-Encoding header.
  • FIXED: We fixed the bug where the DeflateFilter re-compressed some already compressed data.
  • FIXED: We fixed the bug where repeated response headers were lost when a HeaderValidationFilter was used.
  • UPGRADED: OpenSSL is upgraded to 1.1.1q.
  • UPGRADED: Apache is upgraded to httpd 2.4.54.

nevisProxy 3.14.3.21 LTS2019 - 18.5.2022

Changes and new features

  • FIXED: The custom SessionManagementFilter sometimes lost the child session when Custom.BindToParentSession.MaxSessionsPerParent was set. The issue is now fixed.
  • FIXED: We fixed the open redirect issue to an external website when the IdentityCreationFilter was mapped to `/*`.

This is a security fix for a medium severity issue (open redirect). From now on, redirects starting with // or /\ url-encode the second slash to avoid a redirect to a malicious page. Update your system according to your risk tolerance and processes.

  • FIXED: We fixed the possible NullPointerException if the tracegroup NPSession was set to DEBUG_HIGH.

Notes

Backward compatibility issues

Due to a security fix, redirects starting with '//' or '/\' url-encode the second slash to avoid a redirect to a malicious page.
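
The following sketch illustrates the effect of this fix. It is an added example, not nevisProxy code: the helper names, the sample targets and the upper-case %2F/%5C encoding are assumptions, and it covers only the two prefixes named above.

```python
from urllib.parse import urlsplit

# Hypothetical helpers for illustration; not part of nevisProxy.

def neutralize_redirect(target: str) -> str:
    """URL-encode the second slash of a target starting with '//' or '/\\'."""
    if len(target) >= 2 and target[0] == "/" and target[1] in "/\\":
        # Assumption: upper-case percent-encoding of the second character.
        encoded = "%2F" if target[1] == "/" else "%5C"
        return "/" + encoded + target[2:]
    return target


def is_offsite(target: str) -> bool:
    """True if a browser would resolve the target to another host.

    Browsers treat a backslash like a forward slash in http(s) URLs, so
    '/\\host' behaves like the protocol-relative '//host'.
    """
    parts = urlsplit(target.replace("\\", "/"))
    return bool(parts.netloc)


# Constructed sample redirect targets.
SAMPLES = [
    "/app/home?x=1",           # ordinary same-site path
    "//evil.example/login",    # protocol-relative URL
    "/\\evil.example/login",   # backslash variant
]


def demo():
    """Return (target, offsite before, rewritten target, offsite after)."""
    rows = []
    for target in SAMPLES:
        fixed = neutralize_redirect(target)
        rows.append((target, is_offsite(target), fixed, is_offsite(fixed)))
    return rows


if __name__ == "__main__":
    for row in demo():
        print(row)
```

After the rewrite, both off-site forms resolve to a path on the original host, which is why existing setups that relied on such redirects can behave differently.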

nevisProxy 3.14.3.20 LTS2019 - 23.3.2022

Changes and new features

  • UPGRADED: to OpenSSL 1.1.1n.
  • UPGRADED: to nghttp2 1.47.0.
  • UPGRADED: to Apache httpd/2.4.53.

nevisProxy 3.14.3.19 LTS2019 - 16.2.2022

Changes and new features

  • NEW: The HttpsConnectorServlet now supports OutboundProxyAuthorization.
  • FIXED: The cookies with empty value coming from the frontend were not handled correctly by the CookieManager. The issue is now fixed.
  • UPGRADED: To Apache httpd/2.4.52.
  • UPGRADED: To OpenSSL 1.1.1m.
  • UPGRADED: To ModSecurity version 3.0.6.

nevisProxy 3.14.3.17 LTS2019 - 15.11.2021

Changes and new features

  • UPGRADED: To Apache httpd 2.4.51.
  • UPGRADED: To mod_qos 11.68.
  • UPGRADED: To OpenSSL 1.1.1l.

nevisProxy 3.14.3.16 LTS - 25.6.2021

Changes and new features

  • NEW: The package now includes the nevisproxy_pkcs11 binary.
  • FIXED: A connection loss of the MariaDB server could result in a core dump. This bug has been fixed.
  • UPGRADED: Apache httpd, to version 2.4.48.
  • DEPRECATED: The MaxClientsPerIpAddr directive in the navajo.xml configuration file has been deprecated.

nevisProxy 3.14.3.15 LTS - 19.05.2021

Changes and new features

  • FIXED: The default for the required parameter SSLCheckPeerHostname.AllowWildcards was missing in all servlets that support TLS. This bug is fixed.
  • UPGRADED: The HTTP/2 handling library for frontend connections is upgraded.

nevisProxy 3.14.3.14 LTS - 8.4.2021

Changes and new features

  • FIXED: The bug where TLS-based session identification did not work with HTTP/2.

TLS identification will only work in a limited way if HTTP/2 is enabled. Take into account the following points (the list is not complete):

Generally, we recommend that you avoid using TLS identification with HTTP/2 or TLSv1.3.

  • UPGRADED: OpenSSL, to version 1.1.1k.

Notes

Backward-compatibility issue:

nevisProxy now supports SSL identification with HTTP/2. Because of this, nevisProxy may behave slightly differently in case of TLS identification. We recommend testing your new setup, to make sure it works as expected.

nevisProxy 3.14.3.13 LTS - 17.02.2021

Changes and new features

  • FIXED: The bug where the UnbluFilter handled compressed bodies incorrectly.

nevisProxy 3.14.3.12 LTS - 16.12.2020

Changes and new features

  • FIXED: The bug where the DelegatePostResendStatus parameter of the DelegationFilter did not always work correctly if a backend sent a redirect.
  • UPGRADED: OpenSSL, to version 1.1.1i (el7 package only).

Notes

  • This is the last LTS release that provides an el5 package. All future LTS releases only include an el7 package.
  • Backward compatibility issue: Due to a fix in the DelegatePostResendStatus parameter of the DelegationFilter, the behavior of the proxy may change. This applies to all cases where the backend responds with a status code other than "200" on resent requests. Contact support if this problem occurs.

nevisProxy 3.14.3.11 LTS - 18.11.2020

Changes and new features

  • NEW: The Lua session object contains two new methods: getLastTimeStamp and getSecondsUntilTimeout.
  • FIXED: The issue with the CacheFilter returning incomplete responses to the frontend. This is a follow-up fix.
  • FIXED: The bug where the parameter ResponseLogoutHeader of the IdentityCreationFilter was ignored if an UnbluFilter was involved.
  • UPGRADED: OpenSSL, to version 1.1.1h (el7 package only).
  • UPGRADED: Apache httpd, to version 2.4.46.

nevisProxy 3.14.3.10 LTS - 19.08.2020

Changes and new features

  • CHANGED: It is now possible to set the parameter KeepAlive.ByClient to "false" for the WebSocketServlet.
  • FIXED: The bug where the WebsocketServlet closed the connection because the session was not updated.

nevisProxy 3.14.3.9 LTS - 3.6.2020

Changes and new features

  • CHANGED: The UnbluFilter integration for the Unblu server version 6 is now improved.
  • FIXED: The bug that caused a memory leak in OpenSSL 1.1.1 in combination with an EncryptionFilter (el7 package only).

nevisProxy 3.14.3.8 LTS - 20.5.2020

Changes and new features

  • FIXED: The bug where a ServletException could occur if your setup included a SecurityRoleFilter.
  • FIXED: The issue with the memory leak in OpenSSL 1.1.1. (el7 package only).
  • UPGRADED: OpenSSL, to version 1.1.1g (el7 package only).

nevisProxy 3.14.3.7 LTS - 08.04.2020

Changes and new features

  • NEW: The Esauth4ConnectorServlet now includes the new parameter EnablePollTerminatedCalls.
  • FIXED: The ModSecurity bug related to target exclusions.

nevisProxy 3.14.3.6 LTS - 23.03.2020

Changes and new features

  • NEW: The IdentityCreationFilter contains the new parameter RenegotiateCookieOnAuthContinue.
  • CHANGED: The session reaper of the has been improved.
  • FIXED: The bug where the cached an incomplete response.
  • UPGRADED: mod_setenvifplus, to version 0.39.

Notes

Due to the upgrade of mod_setenvifplus to version 0.39, the attribute SetEnvIfCmpPlus no longer silently ignores extra arguments. This new behavior will cause an error.

For security reasons, the IdentityCreationFilter now contains the new parameter RenegotiateCookieOnAuthContinue. The parameter is enabled by default to prevent session fixation attacks. The introduction of this parameter can lead to some backward compatibility issues, especially if parallel requests take place during the authentication phase. To avoid this, make sure that all the parallel requests that do not need authentication are not mapped to the IdentityCreationFilter.

nevisProxy 3.14.3.5 LTS - 24.02.2020

Changes and new features

  • FIXED: The bug in the mod_setenvifplus module that caused a core dump (segmentation violation).

nevisProxy 3.14.3.4 LTS - 19.02.2020

Changes and new features

  • CHANGED: The session reaping in the MysqlSessionStoreServlet has been improved. See the notes further below for instructions.
  • UPGRADED: ModSecurity, to version 3.0.4.

Notes

  • Perform the next steps to activate the improved session reaping in the MysqlSessionStoreServlet:
    max_prepared_stmt_count=<number of instances> * <number of configured connections per instance> * 22;
    INSERT INTO conf (CACHENAME, PARAMETER, VALUE) VALUES ('session', 'REAPER', '0');

With this adaptation, the reaper will replace "0" with its own ID. This is to make sure that just one reaper is reaping at the same time.

If you used the provided SQL script sessionStoreSetup.sql to set up the database, the above entry is added automatically.

nevisProxy 3.14.3.3 LTS - 18.12.2019

Changes and new features

  • FIXED: The bug where the open connections to MariaDB were not always closed if session reaping was off.
  • FIXED: The bug that caused a buffer overflow when you used an instance created with an older nevisAdmin version (< 4.3).
  • FIXED: The bug where a password protected SSLClientKeyFile file in the HttpsConnectorServlet did not work as expected.

nevisProxy 3.14.3.2 LTS - 20.11.2019

Changes and new features

  • NEW: The HttpConnectorServlet includes the new parameter DNSCache.ttl.
  • NEW: The HttpsConnectorServlet includes the new parameter SSLCheckPeerHostname.AllowWildcards.
  • NEW: The WebsocketServlet includes the new parameter ProActive.
  • NEW: The ModsecurityFilter now supports logging rules.
  • NEW: The file navajo.xml now contains a variable-replacement mechanism for secret entries.
  • NEW: The configuration file bc.properties now contains the new bc property ch.nevis.navajo.AllowUnknownParameters.
  • NEW: Support of TLS 1.3 is now available (el7 package only).
  • CHANGED: The naming of the nevisProxy RPM file has been changed to be in line with the naming of all other NEVIS RPM files.
  • FIXED: The bug where the MariaDB session reaper did not switch the master and slave when the master went down.
  • FIXED: The bug where the query parameters were not passed on to nevisAuth for JSON requests.
  • FIXED: The bug where the command nevisproxy <instance> start could create an invalid symlink.
  • FIXED: The bug where the WebsocketServlet did not reuse the websocket connection.
  • FIXED: The bug where the WebsocketServlet ignored the parameter ConnectionRetries.
  • FIXED: The bug where the IsiwebOp tracegroup did not trace the IP address any longer. This bug has occurred since version 3.14.2.0.
  • FIXED: The bug where a ModsecurityFilter did not work as expected.
  • FIXED: The bug where sessions terminated by nevisAuth were not removed in nevisProxy when session reaping was disabled in the MySQLSessionStoreServlet (that is, when the servlet's attribute SessionReaping was set to "OFF").
  • FIXED: The bug that caused a memory leak in the LuaFilter when the content-length header was modified by the configured Lua script. This bug was introduced in nevisProxy version 3.14.2.0.
  • UPGRADED: To Apache httpd 2.4.41.
  • UPGRADED: To OpenSSL version 1.1.1d (el7 package only).
  • DEPRECATED: The ModSecurity-based profiles for the InputValidationFilter with the ModSecurity Core Rule Set CRS.
  • DEPRECATED: The attribute RLIMIT_NOFILE in the Core section of the navajo.xml configuration file has been deprecated.
  • DEPRECATED: The has been deprecated.
  • REMOVED: Support for Apache httpd 2.2 is no longer available.
  • REMOVED: The automatic test of the certificates before starting the proxy.
  • PERFORMANCE: The performance issue with the SessionManagementFilter has been solved.

Notes

  • Due to the upgrade to OpenSSL version 1.1.1, you may encounter problems with client certificates. For more information, see Authentication with a client certificate with OpenSSL 1.1.1] tag of the file navajo.xml.
  • Due to the upgrade to OpenSSL version 1.1.1, CA certificates have to be issued as a "CA certificate", otherwise it is not possible anymore to verify host and user certificates. You can execute the following command to check if a CA certificate is valid:
openssl x509 -text -in <path to certificate> | grep "CA:TRUE"

If there is no output, the certificate is invalid. If valid, the following output appears:

[root@host]# openssl x509 -text -in caCert.pem |grep "CA:TRUE"
CA:TRUE
[root@host]