THIS THREAD IS CLOSED AS v1.5.17 IS RELEASED - 11/14/2014
FIXED/CHANGED
- reduced attack surface on webserver - rc1
- upgrade failure on very old WS models. - rc1
- openssl upgraded - rc2
- lighttpd upgraded - rc2
- several packages patched for openssl upgrade -rc2
- frontend files now served with gzip'd encoding - rc2
ENHANCEMENTS
KNOWN ISSUES
- WEB UI issues when not at 100% Zoom on browser especially on VLAN TAB
- Some language templates need help
Released 8/9/2024
Further Information
This release (rc1) attempts to alleviate effects from an exploited security hole that has been taken advantage on our switch's. Details here: viewtopic.php?f=17&t=8066
Please bare with us as this may not entirely patch the hole, we are still working on continued enhancements that will prevent future abuse. However, based on the majority of reported effects from this issue. Namely, the FBI page, along with the increased CPU and memory usage on the switch causing packet loss - should be prevented with this release.
If you're suffering from this attack, please stay tuned here as more update's are planned as we continue to tighten our grip on the situation.
Also, feedback about your experience's with this version will help us continue the effort.
RC2 Upgrade
RC2 has an upgraded variant of openssl and lighttpd that should dramatically reduce the vulnerability of the switch. As it turns out, this version of openssl is much larger than the original and required many patches on different packages to make it all work. As a result, the frontend file's are now all served compressed, so you may need to clear the cache in your browser for the webui after upgrading. We also suggest that you bench test this version before upgrading switch's in the field just to be safe.
However, despite our effort's to make the switch as secure as possible. We suggest avoiding exposing the webui to the web at large either with Access Controls or by isolating your management vlan - if at all possible.
v1.5.17rcX Bug Reports and Comments
-
lligetfa - Associate
- Posts: 1191
- Joined: Sun Aug 03, 2014 12:12 pm
- Location: Fort Frances Ont. Canada
- Has thanked: 307 times
- Been thanked: 381 times
Re: v1.5.17rcX Bug Reports and Comments
Installed on my very old Board rev B after getting jiggy with the commandline since obviously the "upgrade failure on very old WS models" fix only applies after it is installed. I had to get jiggy with it each time to go from .12 to .14 and .16 as well.
I assume going forward, rc2 will install without needing to get jiggy with it.
EDIT:
One thing I noticed is this also fixed where the SFP cage now shows correctly for port 24. I have a cable in the RJ45 port 24 and on .16 the SFP cage showed as green whereas now it shows empty with an X.
I assume going forward, rc2 will install without needing to get jiggy with it.
EDIT:
One thing I noticed is this also fixed where the SFP cage now shows correctly for port 24. I have a cable in the RJ45 port 24 and on .16 the SFP cage showed as green whereas now it shows empty with an X.
-
Stephen - Employee
- Posts: 1030
- Joined: Sun Dec 24, 2017 8:56 pm
- Has thanked: 85 times
- Been thanked: 181 times
Re: v1.5.17rcX Bug Reports and Comments
Yeah, going forward you shouldn't have to do any trick's to upgrade that model again.
-
sirhc - Employee
- Posts: 7414
- Joined: Tue Apr 08, 2014 3:48 pm
- Location: Lancaster, PA
- Has thanked: 1608 times
- Been thanked: 1325 times
Re: v1.5.17rcX Bug Reports and Comments
For RC1, also note the index.html file can return but it is inert. As Stephen said this alleviates the symptoms and prevents THIS hack from running but not from being put there but if the file put there it will be ignored.
This release also will not prevent AVAST antivirus from refusing to load the login screen as we shill have not upgraded lighttpd far enough. AVAST is not detecting an infected site it simply refuses to talk to the current version of lightttpd as it has the vulnerability in it. You still have to either disable AVAST Web Scan under core or add the IP of the switch to the exception list.
We hope to have a better release soon that closes the vulnerability.
This release also will not prevent AVAST antivirus from refusing to load the login screen as we shill have not upgraded lighttpd far enough. AVAST is not detecting an infected site it simply refuses to talk to the current version of lightttpd as it has the vulnerability in it. You still have to either disable AVAST Web Scan under core or add the IP of the switch to the exception list.
We hope to have a better release soon that closes the vulnerability.
Support is handled on the Forums not in Emails and PMs.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.
-
lligetfa - Associate
- Posts: 1191
- Joined: Sun Aug 03, 2014 12:12 pm
- Location: Fort Frances Ont. Canada
- Has thanked: 307 times
- Been thanked: 381 times
Re: v1.5.17rcX Bug Reports and Comments
Stephen wrote: RC2 Upgrade
RC2 has an upgraded variant of openssl and lighttpd that should dramatically reduce the vulnerability of the switch. As it turns out, this version of openssl is much larger than the original and required many patches on different packages to make it all work. As a result, the frontend file's are now stored and compressed, so you may need to clear the cache in your browser for the webui after upgrading.
The page did not automatically reload after restarting so I opened it on a new tab and all was well. Also, Chrome no longer used the saved credentials and those needed to be manually re-entered.
EDIT: Also, the NTP time was correct on the status page but the last log entry was still showing Dec 31.
-
Stephen - Employee
- Posts: 1030
- Joined: Sun Dec 24, 2017 8:56 pm
- Has thanked: 85 times
- Been thanked: 181 times
Re: v1.5.17rcX Bug Reports and Comments
On initial boot up, it takes a bit for system time modification from ntp to be reflected in the logs. If you make a modification going forward. The logs should update to the correct time.
Here's a screenshot to show what I mean, I modified Port 3 just to show it updating the log with the correct time after ntp is set.
Here's a screenshot to show what I mean, I modified Port 3 just to show it updating the log with the correct time after ntp is set.
-
lligetfa - Associate
- Posts: 1191
- Joined: Sun Aug 03, 2014 12:12 pm
- Location: Fort Frances Ont. Canada
- Has thanked: 307 times
- Been thanked: 381 times
Re: v1.5.17rcX Bug Reports and Comments
Stephen wrote:On initial boot up, it takes a bit for system time modification from ntp to be reflected in the logs. If you make a modification going forward. The logs should update to the correct time.
Yes, later when I updated a downstream switch, the port bounce in the log showed the correct date/time. On the older firmware, the end of the log file always showed the correct date/time. It was just an observation.
-
mayheart - Experienced Member
- Posts: 162
- Joined: Thu Jan 15, 2015 1:42 pm
- Location: Canada
- Has thanked: 43 times
- Been thanked: 38 times
Re: v1.5.17rcX Bug Reports and Comments
No problem with this firmware on a DC/IDC/AC units and a Rev B. board.
Is there a time frame to ship this as a final version?
Is there a time frame to ship this as a final version?
-
sirhc - Employee
- Posts: 7414
- Joined: Tue Apr 08, 2014 3:48 pm
- Location: Lancaster, PA
- Has thanked: 1608 times
- Been thanked: 1325 times
Re: v1.5.17rcX Bug Reports and Comments
Soon as we get some more "hey works fine" feedback will close rc and release v1.5.17
So hey people don't just speak up when broken let us know it's fine.
So hey people don't just speak up when broken let us know it's fine.
Support is handled on the Forums not in Emails and PMs.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.
-
sakita - Experienced Member
- Posts: 206
- Joined: Mon Aug 17, 2015 2:44 pm
- Location: Arizona, USA
- Has thanked: 92 times
- Been thanked: 80 times
Re: v1.5.17rcX Bug Reports and Comments
Loaded 1.5.17rc2 on a WS-8-150-AC Board Rev F in my test rig. This is the switch connected to my laptop and 7 other devices (which includes devices that communicate with each other providing a little traffic).
The MAC Table page in the web UI wasn't showing all of the MAC addresses that were shown when issuing a "show mac table" command in the web UI Device Console. At one point there were no addresses on the MAC Table page but were on the Console. Flushing and refreshing didn't change anything... and then the list on the MAC Table page magically started displaying again but still not matching the full list shown by the Console.
I rolled it back to 1.5.17rc1 and the MAC Table page and Console now show the same list consistently.
The MAC Table page in the web UI wasn't showing all of the MAC addresses that were shown when issuing a "show mac table" command in the web UI Device Console. At one point there were no addresses on the MAC Table page but were on the Console. Flushing and refreshing didn't change anything... and then the list on the MAC Table page magically started displaying again but still not matching the full list shown by the Console.
I rolled it back to 1.5.17rc1 and the MAC Table page and Console now show the same list consistently.
Today is an average day: Worse than yesterday, but better than tomorrow.
Who is online
Users browsing this forum: No registered users and 3 guests