LANDESK Patch News Bulletin: LANDESK has Provided an Update for CSA 4.3 - (Patch 175) 27-JAN-2016

Version 1

    LANDESK Security and Patch News

     

    Headlines 

    • (27 January 2016) LANDESK has provided an update for the Cloud Service Appliance version 4.3 - CSA patch 175 This patch addresses the following issues.  

     

    Defects fixed:

    259337   Web servers advertise software type and version.

    2559935   Certificate Signing Requests with international characters

    270746,270746   Still supporting SSL, TLS 1.0 + 1.1, and RC4 ciphers

    263929   CSR entry form does not enforce mandatory fields

    188743   Messages log file gobbles up disk space

     

     

    Details:

    259337:
    PCI compliance requires that the CSA does not advertise web server software names and versions. These properties were removed from the CSA's HTTP response headers.

    259935:
    Non-ASCII characters in most of the CSR entry fields caused the creation of the CSR to silently fail, or the characters to be garbled.  With the fix, international characters are correctly packaged into the CSR.

    270746:
    The CSA still allowed clients to establish HTTPS session using SSL3, TLS 1.0 and TLS 1.1 protocols, and also offered up a variety of RC4 cipher protocol flavors.
    The fix is reducing the set of allowable protocols ad ciphers as follows:
     

     

      • The cipher set now defines a more explicit list of allowable ciphers, explicitly excluding RC4 and other weak ciphers.

     

      • All versions of TLSv1.x, disallow SSL2, SSL3.

     

    263929:

    The Certificate Signing Request form now requires that most fields are filled in.

     

    188743:
    The CSA will now more aggressively roll /var/log/messages, and compress the rotated log files.  The fix adds a logrotate config file which runs daily and rolls the file if it has grown over 10MB, with a maximum of 10 log files. The customer can modify the config file if those settings do not satisfy their needs.

     

     

    Each new CSA patch release will be a cumulative release of new and previous updates. There is no longer for prerequisite patch installs.

     

    New Vulnerabilities  

    • Vulnerability ID – GSB431_175


    Changed Vulnerabilities  

    • Vulnerability ID – N/A


    New Patch Downloads  

    • GSB431_175.tar.gz


    Where to Send Feedback

    At LANDESK, we are constantly striving to improve our products and services and hope you find these changes reflective of our ongoing commitment to listen to you—our partners and customers—in providing the best possible solutions to meet your needs now and in the future.  Please continue to provide feedback by contacting our local support organization.

     

    Best regards,

    LANDESK Product Support

     

     

    Copyright © 2016 LANDESK Software.  All rights reserved. LANDESK is either a registered trademark or trademark of LANDESK Software, Ltd. or its affiliated entities in the United States and/or other countries. Other names or brands may be claimed as the property of others.

     

     

    Information in this document is provided for information purposes only.  The information presented here is subject to change without notice.  This information is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including any implied warranties and conditions of merchantability or fitness for a particular purpose. LANDESK disclaims any liability with respect to this document and LANDESK has no responsibility or liability for any third party products of any content contained on any site referenced herein.  This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission. For the most current product information, please visit http://www.LANDESK.com