Version 4.0.4 Release Notes

Improvements

The 4.0.4 release resolves a number of issues, and provides minor stability and performance improvements.

Note: All 4.0.x release contain updated cipher suites to further improve security of HTTPS communications. SSLv3 was disabled in the 3.9.2.1 release (October 2014) to protect against CVE-2014-3566 (POODLE). Subsequent updates have addressed CVE-2014-0160 (Heartbleed), CVE-2015-4000 (Logjam), and other OpenSSL vulnerabilities. If you have SSL scanning enabled, your outgoing connections will be made using TLS1.0 and not SSLv3. This may render some legacy websites unusable.

Resolved Issues

Work Order #	Description
NSWA-659	Addressed a performance issue when using Captive Portal authentication in transparent mode.
NSWA-630	Fully qualified domain names (FQDN) are now recorded for all log entries.
NSWA-628	Addressed an HTML content handling inconsistency in custom notification page messages. Note that this will limit the use of HTML or scripts to Advanced Notification Page templates. Discovered and reported by Daniel Compton of Info-Assure Ltd.
NSWA-627	Fixed directory traversal vulnerability in the Admin UI. Discovered and reported by Daniel Compton of Info-Assure Ltd.
NSWA-626	When HTTPS scanning is disabled, the full URL is now re-evaluated for policy reasons before the block page is sent.
NSWA-625	Resolved a caching issue that could sometimes prevent downloads from trusted domains.
NSWA-624	When using transparent mode with HTTPS scanning enabled, policy decisions are now based on the full URL.
NSWA-623	Sites that return invalid characters in HTTP headers now load correctly.
NSWA-618	An issue has been resolved that could affect user authentication with certain client applications.