Release notes
nevisProxy 4.6.13 LTS2021 - 17.5.2023
Changes and new features
- NEW: We added the parameter KeepDeletedEntriesTimeout to the MultiLevelSessionStoreServlet.
- NEW: We added the parameter DNSCache.TTL to the ICAPFilter.
- FIXED: We fixed a Null-Pointer Exception ('dereferencing null holder') in the MultiLevelSessionStoreServlet.
- UPGRADED: (Security) We upgraded to ModSecurity v3.0.9.
- UPGRADED: We upgraded to Apache httpd 2.4.57.
- UPGRADED: We upgraded to nghttp2/1.52.0.
nevisProxy 4.6.12 LTS2021 - 24.2.2023
Changes and new features
- UPGRADED: We upgraded to OpenSSL 1.1.1t.
nevisProxy 4.6.11 LTS2021 - 15.2.2023
Changes and new features
- FIXED: Cookie names starting with "$" and without a value are now allowed.
- UPGRADED: We upgraded to nghttp2/v1.51.0.
- UPGRADED: We upgraded to mod_qos/11.73.
nevisProxy 4.6.10 LTS2021 - 16.11.2022
Changes and new features
- UPGRADED: We upgraded to OpenSSL 1.1.1s.
Notes
- As of now, mod_qos works for the hypertext transfer protocol version 1.0 and 1.1 only. If you decide to use HTTP/2, you should only use the request level control directives of mod_qos.
nevisProxy 4.6.9 LTS2021 - 28.10.2022
Changes and new features
- FIXED: Keep-Alive did not work for HTTP/1.1 clients if HTTP/2.0 was also configured in navajo.xml. The issue is now fixed.
- CHANGED: We improved the NOTICE message if the IP address changes in the DNSCache of the HttpConnectorServlet.
- UPGRADED: We upgraded mod_setenvifplus to 0.40.
- UPGRADED: We upgraded mod_qos to 11.72.
- UPGRADED: We upgraded ModSecurity to v3.0.8.
nevisProxy 4.6.8 LTS2021 - 12.10.2022
Changes and new features
- UPGRADED: We upgraded ModSecurity to v3.0.8, specifically to the EL& package only.
nevisProxy 4.6.7 LTS2021 - 24.8.2022
Changes and new features
- FIXED: A crash was possible when the configuration file of the ModSecurityFilter was modified while nevisProxy was running.
nevisProxy 4.6.6 LTS2021 - 17.8.2022
Changes and new features
- NEW: We added the RequestFlag “PRUNE_ACCEPT_ENCODING” to remove unsupported compression algorithms from the Accept-Encoding header.
- FIXED: We fixed the bug where the DeflateFilter re-compressed some already compressed data.
- FIXED: We improved the TLS-based SessionManagementFilter when using a client certificate (session loss).
- FIXED: We fixed the bug where repeated response headers were lost when a HeaderValidationFilter was used.
- UPGRADED: OpenSSL is upgraded to 1.1.1q.
- UPGRADED: Apache is upgraded to httpd 2.4.54.
nevisProxy 4.6.5 LTS2021 - 22.4.2022
Changes and new features
- FIXED: gzipped responses were not handled correctly by the RewriteFilter. The issue is now fixed.
- FIXED: We fixed a possible core bug during the TLS renegotiation of frontend connections, which was introduced in nevisProxy 4.6.4.
A fix introduced with the previous release (4.6.4) may affect nevisProxy stability (core). Customers already on 4.6.4 are advised to migrate to this new version as soon as possible.
- FIXED: The custom SessionManagementFilter sometimes lost the child session when Custom.BindToParentSession.MaxSessionsPerParent was set. The issue is now fixed.
- FIXED: We fixed the open redirect issue to an external website when the IdentityCreationFilter was mapped to `/*`.
This is a security fix for a medium severity issue (open redirect). From now on, for redirects starting with // or /, the second slash is URL-encoded to avoid a redirect to a malicious page. Update your system according to your risk tolerance and processes.
- FIXED: We fixed the possible NullPointerException if the tracegroup NPSession was set to DEBUG_HIGH.
nevisProxy 4.6.4 LTS2021 - 23.3.2022
Changes and new features
- FIXED: Now the RenegotiateSSL call is ignored for HTTP/2 and TLSv1.3, and no error is traced.
- FIXED: We improved the session creation if several filters were to create the session on the same request.
- UPGRADED: to OpenSSL 1.1.1n.
- UPGRADED: to nghttp 1.47.0.
- UPGRADED: to Apache httpd/2.4.53.
nevisProxy 4.6.3 LTS2021 - 16.2.2022
Changes and new features
- NEW: The HttpsConnectorServlet now supports OutboundProxyAuthorization.
- FIXED: The cookies with empty value coming from the frontend were not handled correctly by the CookieManager. The issue is now fixed.
- FIXED: The parameter SSLOpenSSLConfCmd of the HttpsConnectorServlet did not work correctly for certain use cases. The issue is now fixed.
- UPGRADED: To Apache httpd/2.4.52.
- UPGRADED: To OpenSSL 1.1.1m.
- DEPRECATED: The undocumented bc property ch.nevis.navajo.RestartAfterHsmError.
Notes
Due to the Apache upgrade to version 2.4.52, the functionality controlled by the undocumented bc property ch.nevis.navajo.RestartAfterHsmError does not work anymore, therefore the property is deprecated.
nevisProxy 4.6.2 LTS2021 - 13.12.2021
Changes and new features
- UPGRADED: To ModSecurity version 3.0.6.
nevisProxy 4.6.1 LTS2021 - 15.11.2021
Changes and new features
- NEW: We added the parameter SSLOpenSSLConfCmd in HttpsConnectorServlet.
- UPGRADED: To Lua 5.4.3 (rhel8/sles15 packages only).
- UPGRADED: To Apache httpd 2.4.51.
- UPGRADED: To mod_qos 11.68.
- UPGRADED: To OpenSSL 1.1.1l.