Version 4.0.3 Release Notes

Improvements

The 4.0.3 release resolves a number of issues, provides minor stability and performance improvements, and updates OpenSSL to address a potential vulnerability.

Note: All 4.0.x release contain updated cipher suites to further improve security of HTTPS communications. SSLv3 was disabled in the 3.9.2.1 release (October 2014) to protect against CVE-2014-3566 (POODLE). Subsequent updates have addressed CVE-2014-0160 (Heartbleed), CVE-2015-4000 (Logjam), and other OpenSSL vulnerabilities. If you have SSL scanning enabled, your outgoing connections will be made using TLS1.0 and not SSLv3. This may render some legacy websites unusable.

Resolved Issues

Work Order # Description
NSWA-617 Transparent SSL requests now authenticate correctly for eDirectory.
NSWA-614 Blocked images now display the correct placeholder.
NSWA-611 New iOS devices are now correctly identified.
NSWA-602 An issue has been resolved that could sometimes cause a certificate warning for Outlook users.
NSWA-601 HTTPS scanning with a custom root CA no longer causes certificate warnings.
NSWA-598 An issue has been resolved that, after upgrading from version 3.x to version 4.0.x, could affect load balancing between Sophos Management Appliances (SMA) and Sophos Web Appliances (SWA).
NSWA-595 An issue has been resolved that could, in certain cases, result in 413 errors from excessively long X-Safe-Search-Cookie headers.
NSWA-593 The correct policy is now applied when using the TMG/ForeFront server with the TMG plugin.
NSWA-581 An issue has been resolved that could block mp3 streaming from some sites.
NSWA-576 Clearing the cache in Configuration > Global Policy > General Options now works correctly.
NSWA-568, NSWA-521 Updates to SSL that address the following issues: CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1792, CVE-2015-1791, and CVE-2014-8176.
NSWA-538 Non-search requests to Yahoo no longer appear in the Reports > Users > Users By Search Queries report.
NSWA-533 The policy test now correctly assesses policy when a user enters a valid IP address with a "255" in the address octet.
NSWA-513 HTTP response bodies that have been encoded more than once with deflate are now scanned correctly.
NSWA-509 When a site is blocked as Uncategorized, the block page now displays the correct reason.
NSWA-497 An erroneous warning that appeared in the Reports > Policy & Content > Categories report has been removed.
NSWA-483 Efficiency and performance of log processing and reporting for endpoints has been improved.