Ubiquiti UniFi Security Gateway Firmware Release Notes: 4.4.50-4.4.51

Official Release Notes

Features

  • Added firmware support for netconsole configuration provisioned by the controller (using config under Settings–>Site).

Improvements

  • If IDS/IPS signature update fails for any reason an alert is now sent to the controller with information about the problem. Other improvements also made to signature update process.
  • Now limits permitted SSH MAC algorithms to OpenSSH’s most recent defaults, disabling some older options.
  • Switched speed test to speed.ui.com
  • Now supports latest hardware revision of USG3.
  • Changed certificate generation parameters for USG’s local web UI so it creates and maintains certificates in accordance with new requirements in macOS Catalina and iOS 13.
  • 4.4.51
    • PPPoE client security update fixes a vulnerability that allows an attacker on the same broadcast domain as your WAN to crash the pppd process, potentially allowing remote code execution.

Bugfixes

  • Fixed GeoIP signature updates.
  • Fixed crash in guest redirector service where a host header is missing in the request.
  • No longer makes unifi resolve to 127.0.0.1 when USG goes into self-run.
  • IDS/IPS signature updates triggered during bootup are delayed until internet connectivity is established.
  • Changed DDNS client configuration format to ensure credentials and hostname are used only with the associated provider.

Ubiquiti UniFi Security Gateway Firmware Release Notes: 4.4.36-4.4.44

Official Release Notes

Since 4.4.41

  • Added compatibility check for some newly-manufactured USG Pro systems so they upgrade successfully.
  • Made kernel security updates for NFLX-2019-001: TCP-based remote denial of service vulnerabilities.
    • These affect the endpoints (source/destination) of TCP connections, not intermediate devices forwarding traffic, which is the role the USG typically plays. The gateway's own TCP stack is exposed only on connections it terminates itself, such as SSH or its local web UI.

Since 4.4.36

  • Fixed config application and changes for QoS Tag setting on WAN. Previously config changes may have resulted in a commit error or not been applied until reboot.
  • Fixed a problem with IPsec VPNs with multi-WAN in load balance mode.
  • Now offers a more prominent warning upon SSH login that config changes made locally will be removed by the controller upon next provision.
  • Removed logging of ALIEN drops from IDS/IPS because of log spam and performance issues. May return as a configurable option in the future.
  • The release notes do not make clear whether this was fixed or merely documented: when multiple IDS/IPS alerts are generated in a short period of time, the utmdaemon process may not free the memory allocated to handle those alerts, so memory utilization grows with each alert and only drops after a reboot.
  • A DHCP WAN bug with GeoIP has been fixed. In some configurations, GeoIP filtering could block DHCP requests from the USG leaving it unable to obtain an IP from the ISP. This DHCP traffic is now always permitted regardless of GeoIP location.
  • Omitted sensitive data in ‘show tech-support’ output.
  • Increased maximum dnsmasq DHCP leases to 1 million. Previously was set to dnsmasq’s default of 1000, much less than USG is capable of.
  • Fixed “soft lockup” crashes. Increased watchdog threshold so normal, expected conditions don’t cause a crash. This is primarily applicable to the USG3 when under extreme CPU load, usually from IDS/IPS and heavy traffic loads.
  • Fixed use of OSPF and ‘passive-interface default.’
  • Reduced delay in host-table stats in informs. Reports guests as expired faster, and reflects other client statistics faster in some cases.
  • Added backend functionality to IPS for upcoming controller feature.
  • Fixed USG-XG-8 ethernet driver bug on copper interface with VLAN tagging. Previously at 1500 MTU the largest passable frame was 1496 with 802.1Q tag. Now 1500 MTU plus VLAN tag. Did not impact SFP+ ports.
  • Fixed speed test servers with port in URL. This was leading to speed tests not working.
  • Fixed three denial of service vulnerabilities (CVE-2019-12106, CVE-2019-12108, CVE-2019-12019) in miniupnpd. Where UPnP is enabled (disabled by default), hosts on the LAN can crash the UPnP service. There is no potential impact beyond making UPnP stop functioning until reboot.
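The miniupnpd fixes above only matter if UPnP is enabled, and the quickest way to know what a gateway actually exposes is to ask it. The following is an added example, not Ubiquiti code: it builds the SSDP M-SEARCH request that UPnP discovery uses, parses the HTTP-over-UDP reply, and reports whether the responder advertises itself as an Internet Gateway Device. The sample response is constructed in the shape a miniupnpd-style responder sends; the IP, UUID and LOCATION in it are made up, and `discover()` is the only part that touches the network.

```python
"""Check whether a gateway answers UPnP (SSDP) discovery on the LAN.

Added example, not Ubiquiti code. SSDP is the discovery half of UPnP: a
client sends an HTTP-over-UDP M-SEARCH (multicast, or unicast to the
gateway) and any UPnP device replies with a unicast HTTP 200 whose
LOCATION header points at its description XML. SAMPLE_RESPONSE below is
constructed, not captured from a USG.
"""
import socket

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"


def build_msearch(search_target=IGD_ST, mx=2):
    """Build an M-SEARCH request as specified by the UPnP Device Architecture."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {search_target}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_ssdp_response(data):
    """Parse an SSDP reply; returns a lower-cased header dict, or None if not HTTP 200."""
    text = data.decode("ascii", errors="replace")
    head, _, _body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or parts[1] != "200":
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def is_igd(headers):
    """True if the responder claims to be a UPnP Internet Gateway Device."""
    st = headers.get("st", "")
    return "InternetGatewayDevice" in st or "WANIPConnection" in st


def discover(timeout=3.0, unicast_host=None):
    """Send an M-SEARCH and collect (address, LOCATION, ST) for every responder.

    Pass unicast_host=<gateway LAN IP> to probe one device instead of multicasting.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    dest = (unicast_host, SSDP_ADDR[1]) if unicast_host else SSDP_ADDR
    sock.sendto(build_msearch(), dest)
    found = []
    try:
        while True:
            data, addr = sock.recvfrom(4096)
            headers = parse_ssdp_response(data)
            if headers:
                found.append((addr[0], headers.get("location"), headers.get("st")))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Constructed sample in the shape a miniupnpd-style IGD sends (not a real capture;
# 192.0.2.1 is a documentation address and the UUID is a placeholder).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=120\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"EXT:\r\n"
    b"SERVER: Linux UPnP/1.1 MiniUPnPd\r\n"
    b"LOCATION: http://192.0.2.1:5000/rootDesc.xml\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for addr, location, st in discover(unicast_host=sys.argv[1]):
            print(addr, st, location)
    else:
        print(parse_ssdp_response(SAMPLE_RESPONSE))
```

If the gateway does not answer, UPnP is off (the default) and the miniupnpd issues are not reachable from the LAN; if it does answer with an IGD ST, the LOCATION URL is the description document that the control service is rooted at, and any LAN host can talk to it.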

Ubiquiti UniFi Security Gateway Release Notes: 4.4.36

Official Release Notes

Since 4.4.34

  • No longer clears IPs from DHCP WAN interface in PREINIT of a forced renewal

Since 4.4.29

  • Load Balancing
    • Fixed route metrics not being properly updated, primarily experienced upon fail back
    • Fixed problem that caused one or both WANs to be marked down and stuck in this state
    • Fixed crash in ubnt-util when WAN was down for extended period
  • IDS/IPS
    • Fixed utmdaemon high CPU usage (caused “heartbeat missed” for some)
    • Added missing signatures
    • Suricata version string corrected to reflect the correct version
    • Patch for CVE-2018-18956 DoS vulnerability in Suricata
    • Reduced frequency of lookups to ips1.unifi-ai.com for cloud connectivity.
    • Adjusted config for USG3 and USG Pro to decrease CPU/memory usage.
  • Now if no interface is found with “description WAN”, assume that the default interface for that hardware platform (config_network_wan) is included in the inform. Prevents an INFORM_ERROR.
  • Speed test updates so as not to get stuck on non-responsive server
  • USG-XG-8 Only: With UF-RJ45-1G SFPs, pass through the copper link state to the SFP+ port.

Since 4.4.28

  • Fixed crash in speed test.
  • Restore logging of specific error conditions from controller.
  • Fixed image/css path issue introduced in 4.4.28 local web UI.
  • Upgraded Suricata to 4.0.5.

Ubiquiti UniFi Security Gateway Release Notes: 4.4.21, 4.4.22

4.4.21 to 4.4.22

See official release notes.

  • Fixed commit error that was generated when multiple provisions were made of the same configuration.
  • Fixed regression in local web UI introduced in 4.4.21.
  • Fixed potential loop in signature fetching for IDS/IPS.
  • Improved dnsmasq reloading, increased scalability of hostfile-update feature.
  • Fixed application of config changes on running system in source-validation/uRPF.
  • Updated tzdata (time zones) to version 2018d.
  • USG-XG-8 Only
    • Interface speed is now sent to LCM (display).

4.4.18 to 4.4.21

See official release notes.

  • Added back end port remapping in 5.8.x and newer controller versions.
  • Fixed premature expiring of TCP connection states for long-lived idle connections.
  • Made back end improvements to RADIUS server that remove character restrictions on passwords (‘ and ” now usable).
  • IDS/IPS was upgraded to Suricata 4.0.4 which provides minor performance and back end improvements as well as some bug fixes.
  • CPU utilization had increased in 4.4.18 for gathering statistics, mcad, and ubnt-util, brought back down to normal levels.
  • Resolved a memory leak in mcad.
  • Made back end improvements for dnsmasq, specifically DHCP server handling of hostnames of DHCP reservations.
  • dnsmasq is no longer limited to /8, /16, and /24 networks.
  • Disabled deprecated SSH ciphers.
  • Removed “noccp” from xl2tpd configuration, there should be no reason to disable and some Windows L2TP clients require it.
  • Removed offload scheduler due to performance degradations in some configurations which utilized rate limiting user groups.
  • Fixed a hung connection issue with FTP by importing an FTP conntrack fix; only occurred with unusual formatting of the 227 (PASV) response.
  • Fixed use of external guest portal through USG.
  • USG-XG-8 Only
    • Updated LCM firmware.
    • Updated Bluetooth back end.
    • Upgraded kernel version to resolve high/growing CPU usage from migration processes.
    • Allow disabling of autonegotiation on eth0 port.
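Both the 4.4.21 removal of deprecated SSH ciphers and the 4.4.50 restriction of MAC algorithms to OpenSSH's recent defaults are easy to verify without trusting the release notes, because an SSH server advertises every algorithm it accepts in its SSH_MSG_KEXINIT, which is sent in the clear before key exchange. The following is an added example, not Ubiquiti or OpenSSH code: it builds and parses KEXINIT payloads (RFC 4253 section 7.1) and flags MACs outside OpenSSH's default list. That default list is reproduced from OpenSSH 7.x/8.x documentation and is an assumption to check against `ssh -Q mac` on a current OpenSSH; the sample KEXINIT is constructed to look like an older firmware offering MD5 and truncated-SHA1 MACs and is not captured from a USG. `fetch_kexinit()` is the only part that touches the network.

```python
"""Audit the MAC algorithms an SSH server actually advertises.

Added example, not Ubiquiti or OpenSSH code. The server's KEXINIT is the
first binary packet after the version banner and is unencrypted, so its
ten comma-separated name-lists can be read directly. SAMPLE_OLD below is
constructed, not a capture from a USG.
"""
import socket
import struct

SSH_MSG_KEXINIT = 20

# Assumption: OpenSSH 7.x/8.x default "MACs" list from sshd_config(5);
# confirm with `ssh -Q mac` on a current OpenSSH before relying on it.
OPENSSH_DEFAULT_MACS = frozenset([
    "umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
    "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
    "hmac-sha1-etm@openssh.com", "umac-64@openssh.com",
    "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1",
])

# Order of the ten name-lists in KEXINIT (RFC 4253 section 7.1).
KEXINIT_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s",
                  "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _name_list(names):
    """Encode an SSH name-list: uint32 length followed by comma-separated names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(**lists):
    """Build a KEXINIT payload; used here only to construct the sample."""
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)   # message id + zero cookie
    for field in KEXINIT_FIELDS:
        payload += _name_list(lists.get(field, []))
    payload += b"\x00"                 # first_kex_packet_follows = FALSE
    payload += struct.pack(">I", 0)    # reserved
    return payload


def parse_kexinit(payload):
    """Parse a KEXINIT payload into {field: [names]}; raises ValueError if malformed."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos = 1 + 16                       # skip message id and cookie
    result = {}
    for field in KEXINIT_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated KEXINIT")
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + n]
        if len(raw) != n:
            raise ValueError("truncated name-list")
        pos += n
        result[field] = raw.decode("ascii").split(",") if raw else []
    return result


def non_default_macs(kexinit):
    """MACs offered in either direction that are outside OpenSSH's default set."""
    offered = set(kexinit["mac_c2s"]) | set(kexinit["mac_s2c"])
    return sorted(offered - OPENSSH_DEFAULT_MACS)


def fetch_kexinit(host, port=22, timeout=5.0):
    """Read the server's KEXINIT off the wire (network; not exercised by the test)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-kexaudit\r\n")
        f = s.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):   # servers may send pre-banner text
            line = f.readline()
        # Binary packet: uint32 packet_length, byte padding_length, payload, padding.
        (packet_len,) = struct.unpack(">I", f.read(4))
        padding_len = f.read(1)[0]
        payload = f.read(packet_len - padding_len - 1)
        f.read(padding_len)
        return payload


# Constructed sample: an older firmware offering hmac-md5 and hmac-sha1-96.
SAMPLE_OLD = build_kexinit(
    kex=["curve25519-sha256", "diffie-hellman-group14-sha1"],
    hostkey=["ssh-rsa"],
    enc_c2s=["aes128-ctr"], enc_s2c=["aes128-ctr"],
    mac_c2s=["hmac-sha2-256", "hmac-sha1", "hmac-md5", "hmac-sha1-96"],
    mac_s2c=["hmac-sha2-256", "hmac-sha1", "hmac-md5", "hmac-sha1-96"],
    comp_c2s=["none"], comp_s2c=["none"],
)

if __name__ == "__main__":
    import sys
    payload = fetch_kexinit(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_OLD
    print("non-default MACs:", non_default_macs(parse_kexinit(payload)))
```

Run it with the gateway's LAN address as the only argument to see what the running firmware offers; the same parsed lists can be checked against the cipher (`enc_*`) and key exchange (`kex`) names the 4.4.21 note refers to, since they come from the same message.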

Ubiquiti UniFi Security Gateway Release Notes: 4.3.49, 4.3.60, 4.4.12, 4.4.18

From 4.4.12 to 4.4.18

  • Official release notes are here.

From 4.4.8 to 4.4.12

  • Official release notes are here.
  • Fixed crash in “mcad” when there were DHCP leases with hardware addresses longer than an actual MAC address.
  • Included more packages with debug symbols available to help diagnose crashes from submitted core files.
  • Fixed crash in ubnt-util.
  • Fixed crash in “redirector”.
  • Removed GeoIP back end because of variety of problems, will be reintroduced once these issues are fixed.
  • Fixed DHCPv6 client problem causing renewal failures in some circumstances.
  • Made DDNS back end updates in preparation for expanding DDNS support in controller.
  • L2TP VPN permitted encryption algorithms tightened to remove weak ciphers.
  • Made additions to UniFi reporting back end for IPv6.
  • USG-XG-8 Specific
    • Made several display-related fixes and improvements.
    • Made improvements to fan control to reduce noise when fans are operating at low speeds.
    • Made additions to Bluetooth backend.

From 4.3.49 to 4.3.60

  • Official release notes are here.
  • Implemented route metric changing on load-balance status changes.
    • Fixes WAN failover issues with L3 adopted USGs and improves multi-WAN failover functionality generally.
  • Fixed multi-WAN regressions in 4.3.46 to 4.3.49 picked up from EdgeRouter 1.9.7.
  • Implemented new local web UI on USG.
    • Fixes a variety of long-standing bugs with old UI and adds ability to configure LAN IP and DHCP server.
  • Updated ISC DHCP version.
    • May fix problems in some edge cases with multiple DHCP WANs and recovery after ethernet link loss.
  • Added back end for custom host-uniq for PPPoE.
  • Implemented fixes for some uses of multiple routing tables (only impacts some config.gateway.json VPN configurations).

From 4.3.48 to 4.3.49

  • Official release notes are here.
  • Updated additional load-balance components from latest EdgeRouter which fixed part of multi-WAN regressions in 4.3.46-4.3.48.
  • Fixed source NAT over-matching from port-forward hairpin NAT.
    • Previously all traffic sourced from the LAN subnet leaving the LAN interface would be translated, now narrowed to match only port forward hairpin traffic.
  • Send PADT on PPPoE disconnect which fixes an edge case where PPPoE fails to reconnect when an ISP is using a buggy PPPoE relay that doesn’t detect loss of PPP session.
  • Added contiguous option to back end for firewall rule schedules.
  • Removed unnecessary character restrictions on site to site IPsec pre-shared keys.
  • Fixed “dpi.dpi_pktinfo_send(): failure to send UGW wevent” log spam.