Version 4.0.4 Release Notes

Improvements

The 4.0.4 release resolves a number of issues, and provides minor stability and performance improvements.

Note: All 4.0.x releases contain updated cipher suites to further improve the security of HTTPS communications. SSLv3 was disabled in the 3.9.2.1 release (October 2014) to protect against CVE-2014-3566 (POODLE). Subsequent updates have addressed CVE-2014-0160 (Heartbleed), CVE-2015-4000 (Logjam), and other OpenSSL vulnerabilities. If you have SSL scanning enabled, your outgoing connections will be made using TLS 1.0 and not SSLv3. This may render some legacy websites unusable.

Resolved Issues

Work Order # Description
NSWA-659 Addressed a performance issue when using Captive Portal authentication in transparent mode.
NSWA-630 Fully qualified domain names (FQDN) are now recorded for all log entries.
NSWA-628 Addressed an HTML content handling inconsistency in custom notification page messages. Note that this will limit the use of HTML or scripts to Advanced Notification Page templates. Discovered and reported by Daniel Compton of Info-Assure Ltd.
NSWA-627 Fixed a directory traversal vulnerability in the Admin UI. Discovered and reported by Daniel Compton of Info-Assure Ltd.
NSWA-626 When HTTPS scanning is disabled, the full URL is now re-evaluated for policy reasons before the block page is sent.
NSWA-625 Resolved a caching issue that could sometimes prevent downloads from trusted domains.
NSWA-624 When using transparent mode with HTTPS scanning enabled, policy decisions are now based on the full URL.
NSWA-623 Sites that return invalid characters in HTTP headers now load correctly.
NSWA-618 An issue has been resolved that could affect user authentication with certain client applications.