Version: 4.6.x.x LTS

Release notes

nevisProxy 4.6.22 LTS2021 - 20.11.2024

Changes and new features

  • FIXED: We fixed a possible ModSecurityFilter segmentation fault when the DelegateFromTx parameter was configured. (NEVISPROXY-7362)
  • UPGRADED: We upgraded to nghttp2 1.64.0. (NEVISPROXY-7353)
  • UPGRADED: We upgraded to ModSecurity 3.0.13 for RHEL8 and SLES15 packages. (NEVISPROXY-7311)
  • UPGRADED: We upgraded to OpenSSL version 3.0.15. (NEVISPROXY-7310)
  • UPGRADED: We upgraded to Apache HTTP Server 2.4.62. (NEVISPROXY-7247)

nevisProxy 4.6.21 LTS2021 - 25.07.2024

Changes and new features

  • UPGRADED: We upgraded to Apache HTTP Server version 2.4.61. (NEVISPROXY-7220)
  • UPGRADED: We upgraded to OpenSSL 3.0.14. (NEVISPROXY-7188)
  • UPGRADED: We upgraded to Lua 5.4.6. (NEVISPROXY-7147)
  • UPGRADED: We upgraded to mod_qos v11.75. (NEVISPROXY-6705)

nevisProxy 4.6.20 LTS2021 - 26.06.2024

Changes and new features

  • FIXED: We fixed a possible memory leak if SSLCheckPeerHostname.AllowWildcards was set to true in the HttpsConnectorServlet. (NEVISPROXY-7162)
  • FIXED: We fixed the issue where the Navajo-based SSLCache ran out of entries. (NEVISPROXY-7142)
  • UPGRADED: We upgraded nghttp2 to version 1.62.1. (NEVISPROXY-7156)

Notes

SSL Cache

With OpenSSL 3.0, the handling of the cache has changed and the Navajo SSL cache may run out of entries earlier than with previous versions.

If neither an SSL-based SessionManagementFilter nor the legacy SSL identification is configured, you should use the Apache-based SSL cache (parameter SSLSessionCache in navajo.xml).

If an SSL-based SessionManagementFilter or the legacy SSL identification is configured, you may have to adapt the new parameters maxOldestEntriesToRemove and oldestEntriesToRemoveThreshold in the configured SSLCache in navajo.xml:

maxOldestEntriesToRemove
  • type: Integer
  • default: 10% of maxEntries
  • the number of entries to remove if the configured oldestEntriesToRemoveThreshold has been reached
oldestEntriesToRemoveThreshold
  • type: Integer
  • default: 20480
  • if the number of entries in the SSL cache reaches this threshold, the oldest entries (at most maxOldestEntriesToRemove) will be removed.

nevisProxy 4.6.19 LTS2021 - 15.05.2024

Changes and new features

  • UPGRADED: We upgraded zlib to 1.2.13. (NEVISPROXY-7121)
  • UPGRADED: We upgraded nghttp2 to 1.61.0. (NEVISPROXY-7075)
  • UPGRADED: We upgraded to Apache httpd/2.4.59. (NEVISPROXY-6880)

Notes

  • The upgraded Apache version httpd/2.4.59 also contains the fix for the DH certificate bug.

nevisProxy 4.6.18 LTS2021 - 28.03.2024

Changes and new features

  • FIXED: We fixed a potential crash when using a Navajo SSLCache with OpenSSL 3.0. (NEVISPROXY-7065)
  • UPGRADED: We upgraded the SLES15 package to run on SLES15-SP3 and newer. (NEVISPROXY-7053)
  • UPGRADED: We upgraded Xerces-C to version 3.2.5 (except for RHEL 7). (NEVISPROXY-7010)

Notes

RHEL7 package deprecation

The last release with RHEL7 (and SLES12) support will be in November 2024. After that, only RHEL8 and SLES15 will be supported.

Backward compatibility issues

  • For nevisProxy to run correctly on SLES15, you need at least SP3. You can check the installed SP version on your SLES15 host by executing cat /etc/os-release. The version has to be 15.3 or higher:
# cat /etc/os-release 
NAME="openSUSE Leap"
VERSION="15.3"

nevisProxy 4.6.17 LTS2021 - 21.02.2024

Changes and new features

  • FIXED: We fixed the issue that the MariaDB database could be filled up when using a MultiLevelSessionStore.
  • UPGRADED: We upgraded to OpenSSL 1.1.1x (OpenSSL 1.1 builds only).
  • UPGRADED: We upgraded to OpenSSL 3.0.13.
  • UPGRADED: We upgraded to ModSecurity v3.0.12.
  • UPGRADED: We upgraded to nghttp2 1.59.0.

Notes

With some special configurations using the IdentityCreationFilter and the MultiLevelSessionStore, the MariaDB database may fill up. In that case, add the following unique key to the MariaDB-based dynamic session management:

alter table attribute add constraint uc_id_name unique (ID, NAME);
IMPORTANT

Before adding the unique key, make sure that all instances using this database have been upgraded to the latest LTS21 release. The command may fail if there are duplicated attributes. In that case, you have to retry later. It's recommended to add this key while the load is low.

OpenSSL 1.1.1 support

This is the last LTS21 package to provide OpenSSL 1.1.1 based packages if needed. Starting from May 2024 only OpenSSL 3.0 based packages will be delivered for version 4.6.x and newer.

nevisProxy 4.6.16 LTS2021 - 15.01.2024

Changes and new features

  • NEW: We added support for key logging of TLS-based backend connections
  • FIXED: We fixed the issue where the Lua method response::addHeader overwrote the first header when called twice
  • FIXED: We fixed the problem that the proxy could not start if an IP-address was configured in the ICAPFilter
  • FIXED: The correct status code is now always sent back if a disallowed method is used in the request to the HttpConnectorServlet
  • FIXED: We fixed the bug where the usrID was not traced correctly in the NProxyOP tracegroup
  • FIXED: With the new parameter AllowRedirectOnAuthDone, the SecurityRoleFilter now handles nevis.transfer.redirect on AUTH_DONE correctly
  • UPGRADED: We upgraded to nghttp2 1.58.0
  • UPGRADED: We upgraded to ModSecurity v3.0.11
  • UPGRADED: We upgraded to OpenSSL 3.0.12
  • UPGRADED: We upgraded libcurl to version 8.4

nevisProxy 4.6.15 LTS2021 - 15.11.2023

Changes and new features

  • FIXED: The BackendConnectorServlet and HttpsConnectorServlet now accept a client certificate chain.
  • UPGRADED: We upgraded to apr/1.7.4 and apr-util/1.6.3.
  • UPGRADED: We upgraded to OpenSSL 3.0.11.
  • UPGRADED: We upgraded OpenSSL 1.1 based packages to OpenSSL 1.1.1w.
  • UPGRADED: We upgraded to nghttp2/1.57.0.
  • UPGRADED: We upgraded libcurl to version 8.3.
  • UPGRADED: We upgraded to apache httpd/2.4.58.
  • UPGRADED: The LTS21 packages are now delivered with OpenSSL 3.0 by default.

Notes

Backward compatibility issues

  • OpenSSL 1.1.1 has been upgraded to OpenSSL 3.0 in this release. Old backends or frontends may not work anymore if they don’t support at least TLSv1.2. Read the Troubleshooting section on how to proceed in case of problems. Hardware HSMs have been tested with OpenSSL 3.0 internally. Customers with a hardware HSM should verify that their integrations work as expected before deploying into production. If old backends or frontends can’t be adapted, or you experience issues with this upgrade, OpenSSL 1.1.1 based packages will be available as well.

nevisProxy 4.6.14 LTS2021 - 16.8.2023

Changes and new features

  • FIXED: We fixed a bug which prevented using a forward proxy with the WebSocketServlet.
  • FIXED: We fixed the bug that a BackendConnectorServlet could not be used for a sidecall in Lua.
  • CHANGED: We added the MariaDB error code 1927 to the default value of ConnectionErrorCodes parameter of the MySQLSessionStoreServlet.
  • UPGRADED: We upgraded to ModSecurity v3.0.10.
  • UPGRADED: We upgraded to nghttp2 1.55.1.
  • UPGRADED: We upgraded to OpenSSL 1.1.1u.
  • UPGRADED: We upgraded to mod_qos 11.74.

Notes

Backward compatibility issues

  • The behavior using a forward proxy in the Http[s]ConnectorServlet has slightly changed.

nevisProxy 4.6.13 LTS2021 - 17.5.2023

Changes and new features

  • NEW: We added the parameter KeepDeletedEntriesTimeout to the MultiLevelSessionStoreServlet.
  • NEW: We added the parameter DNSCache.TTL to the ICAPFilter.
  • FIXED: We fixed a Null-Pointer Exception ('dereferencing null holder') in the MultiLevelSessionStoreServlet.
  • UPGRADED: (Security) We upgraded to ModSecurity v3.0.9.
  • UPGRADED: We upgraded to Apache httpd 2.4.57.
  • UPGRADED: We upgraded to nghttp2/1.52.0.

nevisProxy 4.6.12 LTS2021 - 24.2.2023

Changes and new features

  • UPGRADED: We upgraded to OpenSSL 1.1.1t.

nevisProxy 4.6.11 LTS2021 - 15.2.2023

Changes and new features

  • FIXED: Cookie names starting with "$" and without a value are now allowed.
  • UPGRADED: We upgraded to nghttp2/v1.51.0.
  • UPGRADED: We upgraded to mod_qos/11.73.

nevisProxy 4.6.10 LTS2021 - 16.11.2022

Changes and new features

  • UPGRADED: We upgraded to OpenSSL 1.1.1s.

Notes

  • As of now, mod_qos works for the hypertext transfer protocol version 1.0 and 1.1 only. If you decide to use HTTP/2, you should only use the request level control directives of mod_qos.

nevisProxy 4.6.9 LTS2021 - 28.10.2022

Changes and new features

  • FIXED: Keep-Alive did not work for HTTP/1.1 clients if HTTP/2.0 was also configured in navajo.xml. We now fixed the issue.
  • CHANGED: We improved the NOTICE message if the IP address changes in the DNSCache of the HttpConnectorServlet.
  • UPGRADED: We upgraded mod_setenvifplus to 0.40.
  • UPGRADED: We upgraded mod_qos to 11.72.
  • UPGRADED: We upgraded ModSecurity to v3.0.8.

nevisProxy 4.6.8 LTS2021 - 12.10.2022

Changes and new features

  • UPGRADED: We upgraded ModSecurity to v3.0.8, specifically to the EL& package only.

nevisProxy 4.6.7 LTS2021 - 24.8.2022

Changes and new features

  • FIXED: A crash was possible when the configuration file of the ModSecurityFilter was modified while nevisProxy was running.

nevisProxy 4.6.6 LTS2021 - 17.8.2022

Changes and new features

  • NEW: We added the RequestFlag “PRUNE_ACCEPT_ENCODING” to remove unsupported compression algorithms from the Accept-Encoding header.
  • FIXED: We fixed the bug where the DeflateFilter re-compressed some already compressed data.
  • FIXED: We improved the TLS-based SessionManagementFilter when using a client certificate (session loss).
  • FIXED: We fixed the bug where repeated response headers were lost when a HeaderValidationFilter was used.
  • UPGRADED: OpenSSL is upgraded to 1.1.1q.
  • UPGRADED: Apache is upgraded to httpd 2.4.54.

nevisProxy 4.6.5 LTS2021 - 22.4.2022

Changes and new features

  • FIXED: gzipped responses were not handled correctly by the RewriteFilter. The issue is now fixed.
  • FIXED: We fixed a possible core bug during the TLS renegotiation of frontend connections, which was introduced in nevisProxy 4.6.4.

A fix introduced with the previous release (4.6.4) may affect nevisProxy stability (core). Customers already on 4.6.4 are advised to migrate to this new version as soon as possible.

  • FIXED: The custom SessionManagementFilter sometimes lost the child session when Custom.BindToParentSession.MaxSessionsPerParent was set. The issue is now fixed.
  • FIXED: We fixed the open redirect issue to an external website when the IdentityCreationFilter was mapped to `/*`.

This is a security fix for a medium severity issue (open redirect). From now on, redirects starting with // or / url-encode the second slash to avoid a redirect to a malicious page. Update your system according to your risk tolerance and processes.

  • FIXED: We fixed the possible NullPointerException if the tracegroup NPSession was set to DEBUG_HIGH.
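
The open redirect fix noted above for 4.6.5 can be reasoned about with the following added example, which is not nevisProxy code: it resolves a redirect target the way a browser does, before and after URL-encoding the second slash. The helper names, the `portal.example` origin and the sample targets are constructed for illustration, and only the `//` prefix named in the note is handled.

```javascript
// Added illustration, not nevisProxy source code.
// BASE is a constructed origin standing in for the protected site.
const BASE = "https://portal.example/app/";

// Hypothetical helper mirroring the behaviour described in the release note:
// URL-encode the second slash of a redirect target that starts with "//".
function encodeSecondSlash(target) {
  return target.startsWith("//") ? "/%2F" + target.slice(2) : target;
}

// Resolve a Location value against the current page the way a browser does
// (WHATWG URL rules) and report whether it stays on the same origin.
function resolveRedirect(target, base = BASE) {
  const url = new URL(target, base);
  return { href: url.href, sameOrigin: url.origin === new URL(base).origin };
}

// Compare where each target lands before and after the encoding step.
function compare(targets) {
  return targets.map((target) => ({
    target,
    before: resolveRedirect(target),
    after: resolveRedirect(encodeSecondSlash(target)),
  }));
}

// Constructed sample targets: an ordinary local path, a scheme-relative
// target, and a variant with extra slashes (browsers skip the extra slashes
// and still treat the next label as the host).
const SAMPLES = [
  "/account/home",
  "//other.example/login",
  "///other.example/login",
];

for (const row of compare(SAMPLES)) {
  console.log(
    `${row.target}\n  before: ${row.before.href} (same origin: ${row.before.sameOrigin})` +
      `\n  after:  ${row.after.href} (same origin: ${row.after.sameOrigin})`
  );
}
```

A scheme-relative target leaves the origin because the browser reads the text after `//` as a host name; with the second slash encoded as `%2F`, the same string is parsed as a path on the original host.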

nevisProxy 4.6.4 LTS2021 - 23.3.2022

Changes and new features

  • FIXED: Now the RenegotiateSSL call is ignored for HTTP/2 and TLSv1.3, and no error is traced.
  • FIXED: We improved the session creation if several filters were to create the session on the same request.
  • UPGRADED: to OpenSSL 1.1.1n.
  • UPGRADED: to nghttp2 1.47.0.
  • UPGRADED: to Apache httpd/2.4.53.

nevisProxy 4.6.3 LTS2021 - 16.2.2022

Changes and new features

  • NEW: The HttpsConnectorServlet now supports OutboundProxyAuthorization.
  • FIXED: The cookies with empty value coming from the frontend were not handled correctly by the CookieManager. The issue is now fixed.
  • FIXED: The parameter SSLOpenSSLConfCmd of the HttpsConnectorServlet did not work correctly for certain use cases. The issue is now fixed.
  • UPGRADED: To Apache httpd/2.4.52.
  • UPGRADED: To OpenSSL 1.1.1m.
  • DEPRECATED: The undocumented bc property ch.nevis.navajo.RestartAfterHsmError.

Notes

Due to the Apache upgrade to version 2.4.52, the functionality controlled by the undocumented bc property ch.nevis.navajo.RestartAfterHsmError no longer works. The property is therefore deprecated.

nevisProxy 4.6.2 LTS2021 - 13.12.2021

Changes and new features

  • UPGRADED: To ModSecurity version 3.0.6.

nevisProxy 4.6.1 LTS2021 - 15.11.2021

Changes and new features

  • NEW: We added the parameter SSLOpenSSLConfCmd in HttpsConnectorServlet.
  • UPGRADED: To Lua 5.4.3 (rhel8/sles15 packages only).
  • UPGRADED: To Apache httpd 2.4.51.
  • UPGRADED: To mod_qos 11.68.
  • UPGRADED: To OpenSSL 1.1.1l.