ERM release notes

This section lists the new features, changes in functionality, fixed issues and security improvements in the Pexip Enhanced Room Management (ERM) product and installer.

For details of earlier releases see our previous documentation.

ERM product changelog

This section lists the new features and changes in the ERM product.

Version 2.0.0

Note that all new installations of ERM are now deployed with a 200 GB disk. For existing installations we recommend that you manually increase your disk size to 200 GB — see Increasing disk size from 100 GB to 200 GB on an ERM instance for details.

Added

  • Polycom support for Trio, HDX, Group and Studio X.
  • Welcome message for new installations.
  • Support for automatic upgrade to target firmware version.
  • New system defaults templates view to configure base settings for specific models.
  • New firmware overview showing conflicts with each model's target firmware version.
  • Provision base settings from the system provisioning tab.
  • "View provisioning settings" on the system dashboard and provisioning tab.
  • Import configurations via text or file.
  • Compare configurations to the latest provisioning, base configuration, templates or another system.
  • Text import option for commands and configurations in the system provisioning tab.
  • Support for updating existing configuration and command templates.
  • Better notification about license device limits.
  • Auto-detecting product type when adding new devices.
  • Display warnings on dashboard if background server is down or delayed.
  • Add support to send DTMF tones from system call control for Cisco systems.
  • Add support to save inventory ID, service tags and notes in edit form.
  • Add support to save metadata to be used by external systems.
  • Add serial number and email address to bulk import form.

Fixed

  • Fix manually adding call statistics server in backend admin.
  • Only use temporary subfolder on filesystem for uploaded firmware, and revert to memory storage of other temporary files to prevent increasing data build-up. Old files will be automatically removed.
  • Fix dates in Excel call statistics export filename.
  • Fix updating SIP display-name for Cisco TC-systems.
  • Update last check timestamp if the system is in an authentication error state.
  • Mark endpoints value as not required in statistics API-endpoint.
  • Redact some extra possible password/private key formats from queue information and trace log.
  • Fix updating dial info for Webex systems.
  • Fix indicators for room analysis in provision tab.

Security

  • Check if user is valid in LDAP database every 10 minutes.
  • Lower session cookie expiration value.

Changed

  • General performance improvements.
  • Icon for external manager service in the system list.
  • Message to manually add provisioning settings if not found in the system provisioning tab.
  • Improved notifications in the system provisioning tab.
  • Fixed input widths in bulk import form.
  • Sort system list with title as default.
  • Redirect 404 systems to the system list.
  • Show the created date in approve new systems list.
  • Better notifications in provisioning dialog when multiple systems are selected.
  • Better validation and error handling in upload firmware dialog.
  • Better validation and error handling in statistics filter form.
  • Better validation and error handling in head count filter form.
  • Automatically switch to review tab in the system provisioning tab when loading configurations or commands.
  • Better loading template indicator in the system provisioning tab.
  • Add required to template name in save new template dialog.
  • Reset initial values in template picker when closing dialog.
  • Update the firmware list after updating an existing entry.
  • Better support of Booleans in argument input.
  • Reset group title when adding new address book group.
  • Better support for the "home" button in sub-views.
  • Settings view split into different tabs.
  • System default settings moved to Admin > System default.
  • Include manual installation instructions for address book configuration.
  • Always enable changing volume from the system dashboard.
  • Always allow mute/unmute from the system dashboard.
  • Ignore empty values on select all configurations.
  • Change the queue insight widget on the main dashboard to display pending and queued actions.
  • Only show 3 system warnings and errors on the system dashboard, with the option to show all.
  • Always scroll the page to the top when changing the route.
  • Use manufacturer and model name for systems without title.
  • Show alert for inactivity after 5 minutes in call control.
  • Simplified system dashboard for systems without manufacturer.
  • Added a "Retrieve call history" button to the system dashboard instead of automatically loading.
  • Edit and remove buttons enabled on the system dashboard even if the system is not fully loaded.
  • Check all HttpFeedbackEvent-slots for Failed-status.
  • Reset queued task status after 20 minutes (instead of 60 minutes).
  • Cancel queued tasks belonging to deleted systems.
  • Use H.323 gatekeeper password for Pexip endpoints.
  • Allow exporting call statistics report as Excel using API-authentication.
  • Use correct widgets for ID-fields in API example-forms.
  • Try to provision large macros without "Transpile: yes" if it looks to be transpiled already.
  • Try to activate provisioned macros again after at least 10 seconds if Macro runtime was unresponsive.
  • Reset form fields after adding new address book group.
  • Reset form fields after adding new address book sync-source.
  • Change all reports to XML-based Excel format, resize columns to better fit width, change to time-based format for durations.
  • Add a summary sheet to Excel call report.
  • Warn about low disk space when there is less than 20 GB of free space.
  • Try to display correct fields when navigating to a single API view using the web browser.
  • Stop displaying the load indicator when enough data is available.
  • Display error-messages if any information fails to load.
  • Don't display call history until button is pushed.
  • Reset online status for systems with in-call status after 4 hours without feedback.
  • Allow changing serial number.
  • Add help texts to the room analysis report form.
  • Reset firmware form when pressing cancel.
  • Display call history in correct timezone.
  • Change edit address book tab labels.
  • Log LDAP user attributes if customer matching is enabled, but no fields matched.
  • Match permission flags using LDAP parent group as well as exact DN.
  • Group large clusters in dashboard widgets.
  • Update provider status in background.
  • Use a more visible popup to remind about license expiry.
  • Resize columns in Excel exports.
  • Disable calendar bookings in passive mode if using RoomOS 10.19.x - firmware bug causes system crash.
  • Include the number of seats in system Excel export.
  • Limit number of incoming endpoints from a single IP.
  • Separate warning for changed system name and SIP/H.323 info.
  • Add column with name of endpoint in statistics debug export.

Version 1.1.1

Added

  • Add API endpoint to export all active warnings to an Excel file: `/json-api/v1/endpoint/export_warnings/`.

Fixed

  • Fix error/warning message handling for provisioning tasks that made all errors display as ModuleNotFound.
  • Fix removing last digit from configuration/command text inputs without clearing selection.
  • Remove additional "s" that was added when selecting items for Status-report.
  • Add handling for "command not found"-responses.

Security

  • Upgrade certifi and reportlab.
  • Related CVEs: CVE-2023-37920, CVE-2023-33733.

Changed

  • Reset queued provisioning tasks that have not been able to run for 20 minutes, to give priority to systems that are online.
  • Display note about minimum firmware requirements to install .cop.sha512 images.
  • Ignore redacted values (e.g. passwords) when selecting all configurations.
  • Display notice in backup view about missing passwords.
  • Display notice in address book view about manual groups.
  • Display notice if trying to change password for (unsupported) passive systems.

Version 1.1.0

Added

  • Add support to upgrade Cisco devices with SHA512 Cisco firmware.
  • Display system name and direct links in call statistics page.
  • Display systems without any call data during the report time period in Excel export. Add API-endpoint to extract the same list.
  • Include personal email-address in system Excel export.

Fixed

  • Fix indicator for room analytics status in provisioning dialog.
  • Set timeout value for TMS sync API-requests. Improved handling for failed requests.
  • Reset error messages in call statistics-view on new form submission.
  • Convert call history timestamps to local time on system details page.
  • Reset "in call"-status for inactive systems.
  • Fix provision status indicator in case of failed response.

Security

  • Fix ACL check that allowed non-authenticated users to initiate page requests waiting on external API calls.
  • Mitigations for older versions: Block access to /setup/* after initialization (automatically added in Installer load balancer after re-deploy).
  • Upgrade cryptography, certifi, django-environment, libcrypto1.1, libssl1.1, paramiko, pyopenssl, redis, sentry-sdk, sqlparse, urllib3.
  • Related CVEs: CVE-2022-23491, CVE-2022-24302, CVE-2023-0286, CVE-2023-23931, CVE-2023-28117, CVE-2023-28858, CVE-2023-28859.
  • Lower session expiration to 5 days of inactivity.
  • Automatically log out users if relevant LDAP-account has been disabled.

Changed

  • Stop auto-reloading system details page after 10 minutes of inactivity.
  • Allow case-insensitive search of participants in call statistics-report.
  • Allow exporting call statistics using API-authentication (Basic Auth).

ERM Installer changelog

This section lists the new features and changes in the ERM installer.

Version 1.0.8

Changed

Version 1.0.7

Added

  • Support for Hyper-V 2016 and later environments.
  • Add support to enable external database from license file.
  • Add support for importing and converting binary certificates (beta).
  • Add support for exporting private keys with encryption, and importing encrypted keys.
  • Add support for external redis server.
  • Add support for enabling LDAP referral chasing.
  • Add support to look up LDAP servers using SRV records.
  • Add more inline documentation for LDAP-settings.
  • Mark certificates in use in lists.
  • Add field for validating SSL handshake against remote port using network tools.
  • Validation of database and LDAP settings when saving configuration.
  • Display information about last component metadata refresh time and add link to force refresh.

Fixed

  • Clear the certificate's existing CA chain when updating the public key.
  • Fix TLS validation for LDAP test connection.
  • Validate line before removing volumes.
  • Fix version ordering for x.y.z-dev builds.
  • Fix permission to run ping in network tools.
  • Fix certificate chain warnings if CA lacks common name information.
  • Reset offline mode if online license validation was successful.
  • Increase length of LDAP filter.
  • Remove warning in load balancer logs about SNI host.
  • Stop validating values in optional forms marked for deletion.
  • Fix offline export if "check for update"-checkbox is not set.
  • Fix offline export if any components are marked for uninstallation.
  • Remove console log warnings about HostSNI.
  • Fix installing multiple ERM on the same VM without getting 500 error.
  • Fix home link from product details view.
  • Lock postgres version for LDAPAdmin deployed with old version of deploy file.
  • Stop re-deploying load balancer on installer upgrade if not necessary.
  • Remove warning about missing volumes when removing component.
  • Fix service deploy problems when using setting values (e.g. passwords) starting with quotes (").

Security

  • Upgrade django, openssl, libssl1.1, sqlite3.
  • Related CVEs: CVE-2022-28346, CVE-2022-28347, CVE-2022-0778.
  • Limit system permissions for load balancer container, run more services with read only root file system.

Changed

  • Only display first certificate chain warning, hide warning if three or more certificates are included.
  • Increase log verbosity for LDAP tests.
  • Set LDAP connection timeout.
  • List any unknown/not fully uninstalled container services.
  • Add pagination and search to certificate lists.
  • Use direct API for fetching service logs instead of subprocesses for better performance.
  • Escape special characters in authentication to external services.
  • Change deploy mode for some shared services to allow Installer upgrades in the future with less downtime.
  • Increase number of workers for each component based on available memory.
  • Always try to start Installer based on script from the currently running version when using other than the official latest version.
  • Remove letsencrypt option from certificate.

ERM OS

Added

  • Add CLI command ("cli") with support to, among other things, reset passwords and dump database content.
  • Allow ICMP echo requests ("ping").
  • Allow overriding DNS when using DHCP.
  • Install traceroute.
  • Add support for EFI and Secure Boot (beta, new VM installations only).

Fixed

  • Fix host security update files when upgrading system using offline bundle.
  • Set static routes after all interfaces are up.
  • Install systemd-timesyncd if the initial VM version did not include it.
  • Fix returning to menu after setting hostname.

Security

  • Upgrade host packages for bind9-libs, curl, dpkg, grub-common, grub-pc, grub2, hyperv-daemons, libc-bin, libexpat1, libssl1.1, libtasn1-6, libxml2, linux-image-cloud-amd64, bind9-host, openssl, qemu-guest-agent, rsyslog, zlib1g.
  • Related CVEs: CVE-2021-22945, CVE-2021-22946, CVE-2021-30560, CVE-2021-3697, CVE-2021-3999, CVE-2021-4197, CVE-2021-4206, CVE-2021-4207, CVE-2021-46828, CVE-2021-46848, CVE-2022-0358, CVE-2022-1012, CVE-2022-1158, CVE-2022-1292, CVE-2022-1353, CVE-2022-1586, CVE-2022-1587, CVE-2022-1652, CVE-2022-1664, CVE-2022-1679, CVE-2022-1729, CVE-2022-1786, CVE-2022-20368, CVE-2022-20422, CVE-2022-20566, CVE-2022-20568, CVE-2022-2068, CVE-2022-22576, CVE-2022-2327, CVE-2022-24903, CVE-2022-2509, CVE-2022-2585, CVE-2022-2588, CVE-2022-2601, CVE-2022-2602, CVE-2022-26353, CVE-2022-27404, CVE-2022-27405, CVE-2022-27406, CVE-2022-27666, CVE-2022-27775, CVE-2022-27781, CVE-2022-27782, CVE-2022-2795, CVE-2022-28733, CVE-2022-28734, CVE-2022-29155, CVE-2022-29162, CVE-2022-29581, CVE-2022-29582, CVE-2022-2959, CVE-2022-2977, CVE-2022-30594, CVE-2022-3080, CVE-2022-31676, CVE-2022-3176, CVE-2022-32207, CVE-2022-32250, CVE-2022-34918, CVE-2022-3524, CVE-2022-3565, CVE-2022-3594, CVE-2022-3625, CVE-2022-3635, CVE-2022-36946, CVE-2022-3775, CVE-2022-38177, CVE-2022-38178, CVE-2022-40303, CVE-2022-40304, CVE-2022-40674, CVE-2022-41222, CVE-2022-4139, CVE-2022-42896, CVE-2022-43680, CVE-2022-43750, CVE-2022-4378, CVE-2022-47518, CVE-2022-47519, CVE-2018-13405.

Changed

  • Limit access for logs and system files, fix some CIS benchmark warnings, enable console timeout.
  • Install host security upgrades just after upgrading Installer, stop docker from potentially being upgraded automatically.
  • Discard some recurring kernel log messages about virtual container network interfaces.
  • Allow more userdata in cloud-init config.
  • Rotate log files more often.
  • Increase log file partition size (for new VMs).
  • Decrease console log verbosity.
  • Change docker internal IP series to 100.64.10[3-5].0/16 to limit risk of conflicts (new VMs only).
  • Change to GPT based partitions.
  • Add docker/-prefix to syslog tag, write container logs to separate files in /var/log/docker/.
  • Prepare for support for external syslog servers. Manual configuration should be moved to /etc/rsyslog.d/50-remote.conf.
  • Enable SSH login by default for new installations, enable fail2ban to lock logins after too many login attempts.