Release Notes

Version5.1.1
Release date28 Feb 2023
ScopeProduct maintenance

Making sure to check out the Release Notes

New Features, Improvements and Enhancements

Details
Security hardening

As a regular security practice, we upgraded 3rd party dependencies and development framework to prevent critical vulnerabilities:

  • Upgraded OpenSSL 3.0.8
  • Upgraded Curl on Linux 7.88.0
  • Upgraded Protobuf 3.21.11
Session policies

Add more setting option about Session policies in Setting > Security

  • Toggle (switch on / off) for duplicate sessions enablement.
  • Toggle (switch on / off) for cross IP sessions enablement.

Add health check API

Determining MetaDefender ICAP Server's readiness to process upcoming requests based on pre-defined criteria / policy that configurable by administrators. Allowing native support for a large pool of MetaDefender instances (load balancer in autoscaling groups. or liveness probe in Kubernetes, etc.) Expects to return HTTP(S) 200 Successful only when all pre-configured conditions met.

More details at Health Check API Configuration

UI enhancementAllow search by the user in User Management

Bug Fixes

Details
Unable connect with MetaDefender Core on Debian OS with TLS enabled
  • MetaDefender ICAP Server v5.1.0 can not connect to MetaDefender Core when enabling TLS secure connection.
Product stability improvement
  • Import/export feature.
  • Improve search users result with special character input (e.g: "+").

Known Limitations

Details
Stability issues on Red Hat / CentOS with its kernel version 372

Since MetaDefender ICAP Server 5.1.0 might not be able to work properly with Red Hat /Cent OS with its kernel 372.

The vendor Red Hat has already fixed issues with latest kernel version 425

MetaDefender ICAP Server's NGINX web server will not start if using weak cipher suites for HTTPS

On MetaDefender ICAP Server 5.1.0 or newer, OpenSSL 1.x is replaced by OpenSSL 3.x within the product and other dependencies (NGINX) as a security improvement, and prevent known vulnerabilities found on OpenSSL 1.x

NGINX's OpenSSL 3.x on MetaDefender ICAP Server has the enforcement in place to reject all weak cipher suites. It only accepts "HIGH" encryption cipher suites https://www.openssl.org/docs/man1.1.1/man1/ciphers.html (MD5 and SHA1 hashing based will not be accepted as well).

As a result, if you already configured MetaDefender ICAP Server for HTTPS connection, but using a weak SSL cipher with your certificate, then MetaDefender ICAP Server will not be able to start due to NGINX's OpenSSL 3.x enforcement.

no_proxy configurationFrom MD ICAP Server 5.1.0, no_proxy setting must support CIDR for IP address, refer to No Proxy configuration
Connect with MD Core with TLS on Debian OS

MetaDefender ICAP Server v5.1.0 on Debian OS must execute 2 bellows command to connect with MetaDefender Core via TLS enable.

sudo mkdir -p /etc/pki/tls/certs/

sudo ln -s /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt

This issue has already fixed with MetaDefender ICAP Server v5.1.1
Type to search, ESC to discard
Type to search, ESC to discard
Type to search, ESC to discard
Next to read:
Archived Release Notes
On This Page
Release NotesNew Features, Improvements and EnhancementsBug FixesKnown Limitations