Riverbed has just announced an important update to its Interceptor software.
One of the nicest features is the added RAID alarm command, as well as a fix for unexpected reboots when fragmented packets are taken in by the Riverbed device.
Based on the latter alone, I’d be updating ASAP.
Oh, and also of note: “20042 Fixed a security problem where an attacker can cause scripts to be inserted into logs and executed when the logs are viewed through the web interface.”
To download, navigate to the Riverbed Interceptor Support site and log in.
Changes from version 1.1.1 of the Riverbed Interceptor software to 1.1.2:
Fixed between 1.1.1 and 1.1.2:
- 14009 Fixed watchdog timeouts and deadlocks under heavy disk use.
- 15467 Fixed previous page and next page links on logging page so that logging filters are retained.
- 16184 Patched MIT KRB5 for security advisory 2007-002.
- 17938 Fixed problem where Interceptor does not come out of bypass after heavy traffic that caused going into bypass is stopped.
- 18054 Updated libpng for security advisories CVE-2006-5793, CVE-2007-2445, CVE-2007-5269.
- 18287 RBT-Proto port label no longer includes port 135.
- 18382 Enhance system diagnostics to provide additional RAID information for drive failures.
- 19093 Fixed problem where appliance was unable to communicate if link went down and then came back up after a multiple of 39 days of uptime.
- 19145 Added “raid alarm silence” command.
- 19288 Updated tzdata to 2007g for New Zealand changes to daylight time.
- 19632 Updated Apache web server to 2.0.61 to fix security problems CVE-2007-3847, CVE-2007-1863, CVE-2006-5752, CVE-2007-3304.
- 20029 Fixed handling of RST packets when there is a NAT entry set up, a case of fixed target rules or probe caching.
- 20030 Fixed problem where Interceptor peers GRE the packets to an incorrect inpath interface.
- 20042 Fixed a security problem where an attacker can cause scripts to be inserted into logs and executed when the logs are viewed through the web interface.
- 20047 Fixed a minor kernel memory leak in link state propagation.
- 20074 Removed “[mgmtd.WARNING]: No state info found for inpath1_0.” from logs when link state propagation is disabled.
- 20170 Fixed problem where Interceptor appliance may miscount expired half-open connections on Steelhead appliance, resulting in no longer directing traffic to the Steelhead appliance.
- 20456 Fixed client hang due to dropping of RST packets when a neighbor goes down and server channel purges NAT entries.
- 20502 Fixed problem where Steelhead and Interceptor appliances may block traffic due to the Steelhead appliance using a different neighbor protocol version.
- 20521 Fixed “load balance rule edit rulenum 2 description my_description” command, which previously tried to validate the description as an integer from 1 to 65535.
- 20805 Interceptor logs half-open connections that exceed a threshold set by the “redirect max-half-open” command.
- 20865 Fixed crash in “NeighborClientChannel::state_read_write” when neighbor Steelhead is disconnected and reconnected.
- 20866 Added “redirect max-half-open” command to set the maximum number of half-open connections for a Steelhead appliance.
- 20921 Fixed a crash in RedirectClient::passthrough.
- 21044 Fixed handling of Automatic Peering alarm after the misconfiguration is fixed.
- 21273 Interceptor now properly cleans up redirect entries when connectivity to a peer is lost.
- 21308 Adding a load balancing rule now automatically removes the included Steelhead appliance from the default.
- 21620 Interceptors now check all inpath addresses of buddy while checking if a connection entry belongs to a buddy.
- 22026 Fixed link up/down due to “tx hang” issue in network driver.
- 22205 In double interception with a stateful firewall, Interceptor now probes responses to the WAN gateway.
- 22285 In double intercept setup, the Interceptor no longer incorrectly redirects some packets arriving from the WAN side.
- 22359 Fixed a double free bug that can be triggered by adding a rule, creating a connection using this rule, and then immediately deleting the rule before the Interceptor learns the remote Steelhead.
- 22596 Updated tzdata from 2007g to 2007k for time zone changes in various countries, particularly Argentina’s adoption of daylight time.
- 22657 Fixed unexpected reboots that may occur when there are fragmented packets.
- 23906 Handle some situations where a state inspection firewall is between the client and Interceptor appliance.