Version 4.3.0 Release Notes

This release updates the kernel and OS, bringing numerous security, performance, and stability improvements.

This release allows you to block Windows script files, system files, and HTML Application files. Go to Configuration > Group Policy > Default Policy and click the Categories & Download Types tab to view file types and set actions.

The administrative web interface for this release supports TLS 1.2.

Support for YouTube for Schools has been removed as this service is no longer available.

Sandstorm Enhancements

You can now send files manually for testing by Sandstorm. In the Dashboard, click the Submit to Sandstorm tab, select a file or type the URL of a file, and click Submit. You can view the progress of the test in the Sandbox Activity Search page.

You can now select the data center to which you send files for analysis by Sandstorm. Go to Configuration > Global Policy > Sandstorm.

If you release a file before Sandstorm has finished analyzing it, and the file is later determined to be malicious, an alert is sent to all alert recipients. Go to System > Alerts & Monitoring and click the System Alerts tab.

Sandstorm reports are now retrieved using TLS 1.2.

Note: Support for earlier versions of TLS will be deprecated by Sandstorm. To retrieve Sandstorm reports, you must upgrade your appliance.

Resolved Issues

Work Order # Description
NSWA-867 Fixed an issue in which the policy tester result wouldn’t match the actual policy
NSWA-906 Fixed an issue in which CSS files were incorrectly identified
NSWA-927 Fixed an issue in which MP3 streaming media would not play correctly
NSWA-930 Fixed an issue in which large local site lists could cause the UI to time out
NSWA-934 Fixed an issue where trusted CA certificates were not refreshed after removing a trusted CA certificate
NSWA-935 Fixed an issue in which the download scan icon displayed the incorrect status on the patience page
NSWA-936 Made several improvements to the behavior of quota in SMA/SWA environments
NSWA-942 Vulnerability Fix: OpenSSL DROWN as described in CVE-2016-0800 and related CVEs
NSWA-947 Fixed an issue where some reports didn’t include HTTPS traffic when HTTPS scanning was disabled
NSWA-951 Winbindd configuration improvements
NSWA-953 Fixed an issue where the patience page wouldn’t display correctly in Firefox
NSWA-958 Vulnerability Fix: Samba Badlock as described in CVE-2016-2118, CVE-2016-0128, CVE-2015-5370, and CVE-2016-2110 to CVE-2016-2115
NSWA-975 Increased the maximum number of additional policies allowed
NSWA-977 Vulnerability Fix: OpenSSL as described in CVE-2016-2105 to CVE-2016-2109
NSWA-980 Vulnerability Fix: Fixed an issue where it was possible to evade quota settings
NSWA-982 Fixed a port conflict that could cause FTP backup to fail
NSWA-984 Additional file types not requiring Sandstorm analysis are now allowed through the proxy
NSWA-987 Vulnerability Fix: Manual backup archive can be accessed unauthenticated by brute force. This issue was identified by Gregory Draperi.
NSWA-988 Vulnerability Fix: Password hashes for administrators could be exposed on the users page. This issue was identified by Gregory Draperi.
NSWA-989 Vulnerability Fix: FTP over HTTP page could be leveraged for malicious redirection. This issue was identified by Gregory Draperi.
NSWA-990 Fixed an issue in which speed test upload results were slower than expected
NSWA-1144 Vulnerability Fix: CVE-2016-5696 TCP
NSWA-1145 Fixed an issue in which the SMA's connection to Liveconnect would fail
NSWA-1151 Vulnerability Fix: OpenSSL SWEET32 as described in CVE-2016-2183
NSWA-1208 Vulnerability Fix: CVE-2016-9554. Shell command injection vulnerabilities in the SWA UI. This issue was identified by Matt Bergin of KoreLogic.