Release Notes

Version: 5.8.0
Release date: 20 March 2025
Scope: Focused on new functionalities, enhancements and bug fixes

OPSWAT will discontinue support for CentOS 7 and RHEL 7 with the release of MD ICAP Server version 5.9.0.

MD ICAP Server v5.8.0 is the last version with support for these OS versions.

New Features, Improvements and Enhancements

Details
New OS support: Rocky Linux 9

We are introducing Rocky Linux 9.4 support as a replacement for CentOS 7, starting with the next version release (ICAP v5.9.0).

We will also provide a new Docker image based on the official Rocky Linux repository (MD ICAP Server Rocky Linux image).

Support user login for nested AD groups

When you enable the "Nested Group Login" checkbox for Active Directory, remote users who are direct or indirect members of an added AD group can log in to MD ICAP Server and will inherit the roles and rights of the corresponding AD group.
Email notification

Registered users will receive email notifications about license expiration. This feature can be enabled by an administrator (refer to: Email Notification).

  • License is expired
  • License is about to expire
  • License is lost

Security enhancements

Upgraded third-party libraries for vulnerability fixes:

  • Curl v8.9.1 (Linux)
  • OpenSSL v3.4.1
  • NGINX v1.26.3
  • Libxml2 v2.12.10
Support secure TCP syslog

Secure TCP syslog (TLS) is now supported (refer to Configuration file).
Usability enhancements/changes
  • Support Active Directory Domain Controller
  • Download the User list under User Management

  • Support custom scope and keys for OIDC mapping (previously, mapping was supported from given keys only)
  • Support a flag to disable revocation server checking when TLS is enabled on Windows in an offline environment or an environment protected by a firewall/proxy (the flag: global/curlsslopt_revoke_best_effort); refer to Configuration file
  • Add more options for handling base64-encoded content that cannot be decoded (e.g. the data is not base64 data): Block, Scan without Decoding, or Allow request without scan. The default option is to block.

  • Increase processing speed of multipart requests

Bug Fixes

Details
Minor Fixes
  • ICAP parser did not allow custom HTTP methods on MD ICAP v5.7.0.

  • Fixed crash issues in the following cases:

    • Unenrolling from OCM under very high load
    • Receiving many empty files when data trickling is enabled
  • Addressed various UI cosmetic issues and minor bugs.

Known Limitations

Details
Proxy configuration

HTTPS proxy configuration is currently not supported.

SAML directory (SSO integration) limitation

In MetaDefender ICAP Server v5.5.0, users cannot create a new SAML directory via the web UI.

  • Workaround: Use the REST API to create the SAML directory.
  • Impact: Existing SAML directories are not affected when upgrading to MetaDefender ICAP Server v5.5.0
  • Resolution: This issue is resolved in MetaDefender ICAP Server v5.5.1 or newer.
Stability issues on Red Hat/CentOS with kernel version 372

MetaDefender ICAP Server 5.1.0 or newer may encounter stability issues on Red Hat/CentOS systems running kernel version 372.

Solution: Red Hat has addressed this issue in the latest kernel version 425.

MetaDefender ICAP Server's NGINX web server fails to start with weak cipher suites for HTTPS

In MetaDefender ICAP Server v5.1.0 or newer, OpenSSL 1.x has been replaced with OpenSSL 3.x within the product and other dependencies to enhance security and address vulnerabilities.

NGINX's OpenSSL 3.x on MetaDefender ICAP Server rejects all weak cipher suites. The web server only accepts "HIGH" encryption cipher suites (see https://www.openssl.org/docs/man1.1.1/man1/ciphers.html); cipher suites based on MD5 and SHA1 hashing are also not accepted.

As a result, if you have already configured MetaDefender ICAP Server for HTTPS using a weak SSL cipher with your certificate, the server will not start due to NGINX's OpenSSL 3.x enforcement.

no_proxy configuration

Starting with MetaDefender ICAP Server v5.1.0, the no_proxy setting must support CIDR for IP addresses. For more details, refer to No Proxy configuration.

Connect to MetaDefender Core with TLS on Debian OS

On Debian OS, the following two commands must be executed for MetaDefender ICAP Server v5.1.0 to enable TLS when connecting to MetaDefender Core.

sudo mkdir -p /etc/pki/tls/certs/

sudo ln -s /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt

Resolution: This issue is fixed in MetaDefender ICAP Server v5.1.1

TLS 1.3 is not supported on Windows Server 2012

TLS 1.3 is not supported on Windows Server 2012 due to limitations with Schannel SSP. Reference