ERM release notes

This section lists the new features, changes in functionality, fixed issues and security improvements in the Pexip Enhanced Room Management (ERM) product and installer.

ERM product changelog

This section lists the new features and changes in the ERM product.

Version 1.0.2

Added

  • Historic people count for Cisco devices
  • Initial support for repeating/persistent provisioning of endpoints
  • Include number of seats in system Excel export
  • Add support for automatic cleanup/redaction of debug logs and call statistics, set through backend admin (beta)
  • Start storing sensor data from touch panels - temperature, noise level
  • Add support to set overridden address book for a specific endpoint
  • Display all tasks that will be repeated in provision dialog
  • Display warning if dial settings/system name have been changed on system
  • Apply dial settings from chained provisioning service
  • Fix saving the setting for automatically adding incoming endpoints
  • Display warning if passive provision events have stopped coming in while live events still are
  • Display information about CA certificate validation in Dashboard provisioning widget
  • Add option to validate the SSL connection to systems (requires a trusted CA in the Installer)
  • Add API endpoint filter for online and warning-status
  • Display hostname and MAC-address on system dashboard
  • Add support to match LDAP user to a customer using DN path (using "dn" as matching field in installer)

Fixed

  • Use inline pagination in backend admin to allow updating calendar connections for large room lists
  • Fix room list sync for rooms with invalid email address as name
  • Make sure to stop non-finished concurrent status updates when task timeout is reached
  • Fix updating dial info for Webex systems
  • Fix potential lock race condition during object update
  • Don't set passive system to online status when displaying cached status data
  • Allow connecting Proxy client to separate ERM hostname
  • Use correct help text for active screen - branding logo field
  • Fix browser freeze-up when setting zero-value in required, number-based command arguments
  • Handle connection error during re-activation of HttpFeedback slot
  • Fix logging for background tasks
  • Don't display system meeting status in the list except in head count view
  • Fix endpoint API data type for warning about missing live events
  • Only allow .cop.sgn and .pkg-files in firmware upload

Changed

  • Set the Secure flag on cookies
  • Use ed25519 keys for the Proxy tunnel for new deployments (ed25519 is a signature/key algorithm, not a cipher)
  • Connect to external systems in the following order (if set): API host, hostname, IP instead of API host, IP, hostname
  • Retry failed API-requests to video systems
  • Use Monday as first day of week in date picker dropdown
  • Stop displaying UUID in call history for Spark/Webex calls
  • Hide non-approved proxy clients for non-admin users
  • Include created provision task id in API response
  • Use file upload for CA root certificate setting
  • Display information about TlsVerify on dashboard
  • Stop trying to connect to incoming endpoints using external remote IP if internal IP connection failed
  • Only fill SIP proxy password value when default password is set
  • Don't pass the default SIP proxy password or Proxy client password to non-admin users
  • Return HTTP 403 when proxy registration fails
  • Use Debian ca-certificates instead of the Mozilla bundle as the default trusted CA list
  • Hide permissions from user backend admin since they are not used elsewhere
  • Use locally stored call history for active endpoints as well if system could not be contacted
  • Increase concurrency when updating active endpoint status
  • Stop allowing proxy connections without a password by default for new installations
  • Add brute-force lockout for proxy client registration attempts
  • Remove deprecated SSH algorithms for proxy client tunnels
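The "Set the Secure flag on cookies" change in this release is easy to verify from the client side. What follows is an added example, not ERM code: a small Python audit of Set-Cookie headers that flags any cookie missing the Secure flag and, for the session cookie, a missing HttpOnly or SameSite attribute. The function names, the session cookie name ("sessionid", Django's default) and the constructed "before"/"after" header samples are assumptions made for illustration.

```python
"""Audit Set-Cookie headers for the Secure flag and related attributes.

Added example, not part of Pexip ERM. It parses header text only, so it
runs offline against the constructed samples below. The function names and
the session cookie name ("sessionid", Django's default) are assumptions
made for illustration.
"""
from typing import Dict, List, Sequence, Tuple


def parse_set_cookie(header_value: str) -> Dict[str, str]:
    """Split one Set-Cookie value into a dict of lower-cased attributes.

    The leading "name=value" pair is stored under "__name__"/"__value__";
    valueless attributes such as Secure map to "". Attribute names are
    case-insensitive per RFC 6265, so they are lower-cased here.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {"__name__": name.strip(), "__value__": value.strip()}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return attrs


def audit_cookie(header_value: str,
                 session_names: Sequence[str] = ("sessionid",)) -> List[str]:
    """Return the findings for one Set-Cookie header; an empty list is OK."""
    attrs = parse_set_cookie(header_value)
    name = attrs["__name__"]
    is_session = name.lower() in session_names
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (sent over plain HTTP too)")
    if is_session and "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable by script)")
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none" and "secure" not in attrs:
        findings.append(f"{name}: SameSite=None without Secure is rejected by modern browsers")
    elif not samesite and is_session:
        findings.append(f"{name}: no SameSite attribute (browser default applies)")
    return findings


def audit_response_headers(headers: Sequence[Tuple[str, str]]) -> List[str]:
    """Audit every Set-Cookie header in a list of (name, value) pairs."""
    findings: List[str] = []
    for hname, hvalue in headers:
        if hname.lower() == "set-cookie":
            findings.extend(audit_cookie(hvalue))
    return findings


# Constructed samples: the shape of response headers before and after a
# "set Secure on cookies" change. Values are illustrative only.
BEFORE = [
    ("Set-Cookie", "sessionid=abc123; HttpOnly; Path=/; SameSite=Lax"),
    ("Set-Cookie", "csrftoken=def456; Path=/; SameSite=Lax"),
]
AFTER = [
    ("Set-Cookie", "sessionid=abc123; HttpOnly; Path=/; SameSite=Lax; Secure"),
    ("Set-Cookie", "csrftoken=def456; Path=/; SameSite=Lax; Secure"),
]

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_response_headers(hdrs) or "no findings")
```

To check a live deployment, feed the (name, value) header pairs from your HTTP client into audit_response_headers. A finding on the session cookie after the upgrade is worth chasing: a reverse proxy or load balancer in front of ERM that rewrites Set-Cookie can strip the flag again.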

Version 1.0.1

Added

  • Add support to bulk provision saved dial settings from ERM to endpoints
  • Add support to bulk provision chained passive provisioning
  • Display loading errors on dashboard
  • Support for getting provisioning data from external passive provisioning server
  • Display license information on Dashboard
  • Display call history from local call statistics for passive endpoints
  • Support for syncing external sources to nested subgroup (delimited by >)
  • Merge folders with the same name from multiple sources in addressbook search
  • Add API endpoint to force addressbook sync
  • Log TMS address book sync errors, force UTF-8 encoding

Fixed

  • Fix database initialization if using FQDN with over 100 characters
  • Fix translation in policy views and macro dialog
  • Don't display the full HTML page as the error message if a raw error is passed to the frontend
  • Strip XML namespace from chained passive provisioning services using the Tandberg CUIL namespace
  • Better connection/response error-handling when updating endpoint status
  • Better error handling of disconnecting participants in ongoing meeting list
  • Fix using prefilled default SIP proxy password when bulk-provisioning endpoint dial settings
  • Fix saving endpoints when they are changed from the backend admin
  • Fix freetext search for address book items in root folder
  • Fix rescheduling tasks for next night when last task in particular timezone had errors
  • Better error handling for connection errors when updating call statistics from previously offline endpoints
  • Reset user session if currently selected customer is removed
  • Remove console log for missing favicon
  • Remove console warning in organization tree view
  • Fix endpoint proxy-client empty password in multi-tenant ERM installations
  • Prefill default sip proxy settings when provisioning multiple endpoints
  • Bulk provisioning missing endpoint device aliases to Pexip Infinity
  • Remove empty columns from endpoint debug view error log
  • Use password input for new password field in provisioning view
  • Better error message on chained provisioning errors

Security

  • Upgrade libgmp, zlib1g, libssl, libexpat, gzip, liblzma5
  • Upgrade django
  • Related CVEs: CVE-2022-0778, CVE-2021-43618, CVE-2018-25032, CVE-2022-23852, CVE-2022-25235, CVE-2022-25236, CVE-2022-25313, CVE-2022-25315, CVE-2022-22818, CVE-2022-23833, CVE-2022-1271

Changed

  • Increase log verbosity for LDAP logins
  • Allow multiple reverse proxy/load balancer hops when resolving the client IP
  • Log firmware version when called endpoint commands fail
  • Don't set endpoint status to "in call" when displaying endpoint status until the call is connected
  • Always display mac address and serial field in endpoint form to be able to replace it with a new one
  • Open endpoint web admin interface in new window
  • Set default passive provision heartbeat to 7 minutes (activated endpoints still use < 1 min)
  • Display password indicator in provision dialog if a default SIP proxy password is set
  • Only allow selecting one endpoint when filtering statistics instead of silently ignoring extra ones
  • Disable change password functionality for passive endpoints - not supported
  • Hide "add new organization unit" from the system list; empty groups are hidden

ERM Installer changelog

This section lists the new features and changes in the ERM installer.

Version 1.0.7

Added

  • Support for Hyper-V 2016 and later environments
  • Add support to enable external database from license file
  • Add support for importing and converting binary certificates (beta)
  • Add support for exporting private keys with encryption and importing encrypted keys
  • Add support for external redis server
  • Add support for enabling LDAP referral chasing
  • Add support to look up LDAP servers using SRV records
  • Add more inline documentation for LDAP-settings
  • Mark certificates in use in lists
  • Add field for validating SSL handshake against remote port using network tools
  • Validation of database and LDAP settings when saving configuration
  • Display information about last component metadata refresh time and add link to force refresh

Fixed

  • Clear a certificate's existing CA chain when updating its public key
  • Fix TLS validation for LDAP test connection
  • Validate line before removing volumes
  • Fix version ordering for x.y.z-dev builds
  • Fix permission to run ping in network tools
  • Fix certificate chain warnings if CA lacks common name information
  • Reset offline mode if online license validation was successful
  • Increase length of LDAP filter
  • Remove warning in load balancer logs about SNI host
  • Stop validating values in optional forms marked for deletion
  • Fix offline export if "check for update"-checkbox is not set
  • Fix offline export if any components are marked for uninstallation
  • Remove console log warnings about HostSNI
  • Fix installing multiple ERM instances on the same VM without getting a 500 error
  • Fix home link from product details view
  • Lock PostgreSQL version for LDAPAdmin deployed with an old version of the deploy file
  • Stop re-deploying load balancer on installer upgrade if not necessary
  • Remove warning about missing volumes when removing component
  • Fix service deploy problems when using setting values (e.g. passwords) starting with quotes (")

Security

  • Upgrade django, openssl, libssl1.1, sqlite3
  • Related CVEs: CVE-2022-28346, CVE-2022-28347, CVE-2022-0778
  • Limit system permissions for the load balancer container, run more services with a read-only root file system

Changed

  • Only display first certificate chain warning, hide warning if three or more certificates are included
  • Increase log verbosity for LDAP tests
  • Set LDAP connection timeout
  • List any unknown/not fully uninstalled container services
  • Add pagination and search to certificate lists
  • Use direct API for fetching service logs instead of subprocesses for better performance
  • Escape special characters in authentication to external services
  • Change deploy mode for some shared services to allow Installer upgrades in the future with less downtime
  • Increase number of workers for each component based on available memory
  • Always try to start the Installer from the script of the currently running version when using a version other than the official latest
  • Remove Let's Encrypt option from certificate

ERM OS

Added

  • Add CLI command ("cli") with support to, among other things, reset passwords and dump database content
  • Allow ICMP echo requests ("ping")
  • Allow overriding DNS when using DHCP
  • Install traceroute
  • Add support for EFI and Secure Boot (beta, new VM installations only)

Fixed

  • Fix host security update files when upgrading system using offline bundle
  • Set static routes after all interfaces are up
  • Install systemd-timesyncd if the initial VM version did not include it
  • Fix returning to menu after setting hostname

Security

  • Upgrade host packages for bind9-libs, curl, dpkg, grub-common, grub-pc, grub2, hyperv-daemons, libc-bin, libexpat1, libssl1.1, libtasn1-6, libxml2, linux-image-cloud-amd64, bind9-host, openssl, qemu-guest-agent, rsyslog, zlib1g
  • Related CVEs: CVE-2021-22945, CVE-2021-22946, CVE-2021-30560, CVE-2021-3697, CVE-2021-3999, CVE-2021-4197, CVE-2021-4206, CVE-2021-4207, CVE-2021-46828, CVE-2021-46848, CVE-2022-0358, CVE-2022-1012, CVE-2022-1158, CVE-2022-1292, CVE-2022-1353, CVE-2022-1586, CVE-2022-1587, CVE-2022-1652, CVE-2022-1664, CVE-2022-1679, CVE-2022-1729, CVE-2022-1786, CVE-2022-20368, CVE-2022-20422, CVE-2022-20566, CVE-2022-20568, CVE-2022-2068, CVE-2022-22576, CVE-2022-2327, CVE-2022-24903, CVE-2022-2509, CVE-2022-2585, CVE-2022-2588, CVE-2022-2601, CVE-2022-2602, CVE-2022-26353, CVE-2022-27404, CVE-2022-27405, CVE-2022-27406, CVE-2022-27666, CVE-2022-27775, CVE-2022-27781, CVE-2022-27782, CVE-2022-2795, CVE-2022-28733, CVE-2022-28734, CVE-2022-29155, CVE-2022-29162, CVE-2022-29581, CVE-2022-29582, CVE-2022-2959, CVE-2022-2977, CVE-2022-30594, CVE-2022-3080, CVE-2022-31676, CVE-2022-3176, CVE-2022-32207, CVE-2022-32250, CVE-2022-34918, CVE-2022-3524, CVE-2022-3565, CVE-2022-3594, CVE-2022-3625, CVE-2022-3635, CVE-2022-36946, CVE-2022-3775, CVE-2022-38177, CVE-2022-38178, CVE-2022-40303, CVE-2022-40304, CVE-2022-40674, CVE-2022-41222, CVE-2022-4139, CVE-2022-42896, CVE-2022-43680, CVE-2022-43750, CVE-2022-4378, CVE-2022-47518, CVE-2022-47519, CVE-2018-13405

Changed

  • Limit access to logs and system files, fix some CIS benchmark warnings, enable console timeout
  • Install host security upgrades right after upgrading the Installer, stop Docker from potentially being upgraded automatically
  • Discard some recurring kernel log messages about virtual container network interfaces
  • Allow more userdata in cloud-init config
  • Rotate log files more often
  • Increase log file partition size (for new VMs)
  • Decrease console log verbosity
  • Change docker internal IP series to 100.64.10[3-5].0/16 to limit risk of conflicts (new VMs only)
  • Change to GPT based partitions
  • Add docker/ prefix to syslog tag, write container logs to separate files in /var/log/docker/
  • Prepare for support for external syslog servers. Manual configuration should be moved to /etc/rsyslog.d/50-remote.conf
  • Enable SSH login by default for new installations, enable fail2ban to lock out logins after too many failed attempts

Version 1.0.6

Added

  • Add support for deployment as a cloud service in Microsoft Azure and Google Cloud Platform
  • Add support to override DNS entries for specific hosts
  • Warn about missing CA/Intermediaries from certificate chain
  • Add support for trusting load balancers using whole networks
  • Support validating SSL CA trust against external server using network tools
  • Improve error message when browsing to an invalid FQDN or using an IP address to access services
  • Add info about using offline mode until the CA has been trusted when using an HTTPS proxy
  • Add support to export manually upgraded Installer version
  • Add support to test HTTP requests in network tools
  • Add choice to either uninstall component or remove it completely
  • Display shortcuts to importing offline bundles when running in offline mode
  • Display notice about required re-deploy after configuration change
  • Display notice about required re-deploy after CA-change
  • Validate uploaded private key/certificate and display warnings for mismatches
  • Use global CA trust instead of dedicated CA bundle file for each component
  • Support removing not-installed products from the list
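Two notes on this page concern client IP resolution behind proxies: the product 1.0.1 change "Allow multiple reverse proxy/load balancer hops when resolving client ip" and the installer 1.0.6 addition "Add support for trusting load balancers using whole networks". The following is an added example, not Pexip code, of the check a practitioner expects behind those settings: only addresses appended by a proxy you trust may be believed, so X-Forwarded-For is read from the right, trusted-network entries are skipped, and the first untrusted address wins; everything left of it is text the client chose. The names (resolve_client_ip, TRUSTED_PROXIES), the hop limit and the addresses are assumptions for illustration.

```python
"""Resolve the client IP behind one or more trusted reverse-proxy hops.

Added example, not Pexip code. X-Forwarded-For is walked from the right:
every entry inside a trusted network is skipped and the first untrusted
address is returned. The names (resolve_client_ip, TRUSTED_PROXIES) and
the addresses are assumptions.
"""
import ipaddress
from typing import Iterable, Optional

# Constructed: networks allowed to append to X-Forwarded-For. A whole
# network (10.0.0.0/8) and a single host (/32) are both valid entries.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),     # internal load balancers
    ipaddress.ip_network("192.0.2.10/32"),  # one edge proxy (TEST-NET-1)
]


def is_trusted_proxy(addr: str, trusted: Iterable = TRUSTED_PROXIES) -> bool:
    """True if addr parses as an IP inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed entries are never trusted
    return any(ip in net for net in trusted)


def resolve_client_ip(remote_addr: str, xff: Optional[str],
                      trusted: Iterable = TRUSTED_PROXIES,
                      max_proxies: int = 2) -> str:
    """Return the address to treat as the client for this request.

    remote_addr: the TCP peer that connected to the application.
    xff:         the X-Forwarded-For header value, or None if absent.
    max_proxies: how many trusted proxies a request may legitimately pass
                 through (the peer counts as one). A longer chain is
                 unexpected, so the function falls back to remote_addr
                 rather than trusting deeper entries.
    """
    # A peer that is not a trusted proxy could have written the header itself.
    if not xff or not is_trusted_proxy(remote_addr, trusted):
        return remote_addr

    chain = [p.strip() for p in xff.split(",") if p.strip()]
    skipped = 0  # trusted proxies seen inside the header (peer excluded)
    for addr in reversed(chain):
        if is_trusted_proxy(addr, trusted):
            skipped += 1
            if skipped > max_proxies - 1:
                break  # more hops than the deployment allows for
            continue
        try:
            return str(ipaddress.ip_address(addr))
        except ValueError:
            break  # garbage where an address should be: do not guess
    return remote_addr


if __name__ == "__main__":
    # Constructed request as seen by the app: the peer is an internal LB,
    # the client pre-filled "1.2.3.4", the edge proxy appended the client's
    # real address and the LB appended the edge proxy.
    print(resolve_client_ip("10.0.0.5", "1.2.3.4, 203.0.113.9, 192.0.2.10"))
```

Switching between "trust one load balancer address" and "trust a whole network" only changes the entries in TRUSTED_PROXIES; the right-to-left walk is what stops a client from pre-filling X-Forwarded-For with an address inside a trusted network, and the hop limit keeps an unexpected chain from being trusted deeper than the deployment was configured for.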

Fixed

  • Fix upgrading Installer from CLI before setting license key
  • Remove warning from load balancer logs about missing port
  • Clearer error display of some forms visible in separate tabs
  • Allow domain names with leading digits
  • Fix subject alt names in CSR generation, use meaningful filename
  • Limit number of characters for fqdn-based service name and remove trailing special characters
  • Don't try to output LDAP metadata result
  • Apply custom CA settings directly after save
  • Fix offline bundle export of Installer
  • Fix registry name for offline upgrades
  • Use trusted custom CA in Installer as well as components
  • Fix change password success message/redirect

Security

  • Upgrade gzip
  • Upgrade zlib1g, libssl
  • Upgrade libexpat
  • Related CVEs: CVE-2022-1271, CVE-2021-43618, CVE-2018-25032, CVE-2022-23852, CVE-2022-25235, CVE-2022-25236, CVE-2022-25313, CVE-2022-25315

Changed

  • Indent each individual certificate in certificate bundle
  • Display full chain in certificate textarea
  • Separate general server settings form from network related settings
  • Use separate virtual network for Installer load balancer
  • Redirect to certificate details view after generating new certificate
  • Include CSR generation in form header
  • Replace self-signed server default certificate if component certificate uses the same FQDN
  • Increase max length of LDAP filter
  • Display select all-checkbox at top of Log view as well as at bottom
  • Prepare offline export and display log before file download
  • Improve help texts for CA certificates
  • Pre-populate server IP/hostname on first boot