ERM release notes

This section lists the new features, changes in functionality, fixed issues and security improvements in the Pexip Enhanced Room Management (ERM) product and installer.

ERM product changelog
ERM Installer changelog

ERM product changelog

This section lists the new features and changes in the ERM product.

Version 2.0.0

Note that all new installations of ERM are now deployed with a 200 GB disk. For existing installations we recommend that you manually increase your disk size to 200 GB — see Increasing disk size from 100 GB to 200 GB on an ERM instance for details.

Added

Polycom support for Trio, HDX, Group and Studio X
Welcome message for new installations
Support for automatic upgrade to target firmware version
New system defaults templates view to configure base settings to specific models
New firmware overview showing conflicts to models firmware target version
Provision base settings from the system provisioning tab
"View provisioning settings" on the system dashboard and provisioning tab
Import configurations via text or file
Compare configurations to the latest provisioning, base configuration, templates or other system
Text import option for commands and configurations in the system provisioning tab
Support for updating existing configuration and command templates
Better notification about license device limits
Auto-detecting product type when adding new devices
Display warnings on dashboard if background server is down or delayed
Add support to send DTMF tones from system call control for Cisco systems
Add support to save inventory ID, service tags and notes in edit form
Add support to save metadata to be used by external systems
Add serial number and email address to bulk import form

Fixed

Fix manually adding call statistics server in backend admin
Only use temporary subfolder on filesystem for uploaded firmware, and revert to memory storage of other temporary files to prevent increasing data build-up. Old files will be automatically removed
Fix dates in Excel call statistics export filename
Fix updating SIP display-name for Cisco TC-systems
Update last check timestamp in case if system is in authentication error-state
Mark endpoints value as not required in statistics API-endpoint
Redact some extra possible password/private key formats from queue information and trace log
Fix updating dial info for Webex systems
Fix indicators for room analysis in provision tab

Security

Check if user is valid in LDAP database every 10 minutes
Lower session cookie expiration value

Changed

General performance improvements
Icon for external manager service in the system list
Message to manually add provisioning settings if not found in the system provisioning tab
Improved notifications in the system provisioning tab
Fixed input widths in bulk import form
Sort system list with title as default
Redirect 404 systems to the system list
Show the created date in approve new systems list
Better notifications in provisioning dialog when multiple systems are selected
Better validation and error handling in upload firmware dialog
Better validation and error handling in statistics filter form
Better validation and error handling in head count filter form
Automatically switch to review tab in the system provisioning tab when loading configurations or commands
Better loading template indicator in the system provisioning tab
Add required to template name in save new template dialog
Reset initial values in template picker when closing dialog
Update the firmware list after updating an existing entry
Better support of Booleans in argument input
Reset group title when adding new address book group
Better support for the "home" button in sub-views
Settings view split into different tabs
System default settings moved to Admin > System default
Include manual installation instructions for address book configuration
Always enable changing volume from the system dashboard
Always allow mute/unmute from the system dashboard
Ignore empty values on select all configurations
Change the queue insight widget on the main dashboard to display pending and queued actions
Only show 3 system warnings and errors on the system dashboard, with the option to show all
Always scroll the page to the top when changing the route
Use manufacturer and model name for systems without title
Show alert for inactivity after 5 minutes in call control
Simplified system dashboard for systems without manufacturer
Added a "Retrieve call history" button to the system dashboard instead of automatically loading
Edit and remove buttons enabled on the system dashboard even if the system is not fully loaded
Check all HttpFeedbackEvent-slots for Failed-status
Reset queued task status after 20 minutes (instead of 60 minutes)
Cancel queued tasks belonging to deleted systems
Use H.323 gatekeeper password for Pexip endpoints
Allow exporting call statistics report as excel using API-authentication
Use correct widgets for ID-fields in API example-forms
Try to provision large macros without "Transpile: yes" if it looks to be transpiled already
Try to activate provisioned macros again after at least 10 seconds if Macro runtime was unresponsive
Reset form fields after adding new address book group
Reset form fields after adding new address book sync-source
Change all reports to XML-based Excel format, resize columns to better fit width, change to time-based format for durations
Add a summary sheet to Excel call report
Warn about low disk space when there is less than 20 GB of free space
Try to display correct fields when navigating to a single API view using the web browser
Stop displaying the load indicator when enough data is available
Display error-messages if any information fails to load
Don't display call history until button is pushed
Reset online status for systems with in call-status after 4 hours without feedback
Allow changing serial number
Add help texts to the room analysis report form
Reset firmware form when pressing cancel
Display call history in correct timezone
Change edit address book tab labels
Log LDAP user attributes if customer matching is enabled, but no fields did match
Match permission flags using LDAP parent group as well as exact DN
Group large clusters in dashboard widgets
Update provider status in background
Use a more visible popup to remind about license expiry
Resize columns in Excel exports
Disable calendar bookings in passive mode if using RoomOS 10.19.x - firmware bug causes system crash
Include the number of seats in system Excel export
Limit number of incoming endpoints from a single IP
Separate warning for changed system name and SIP/H.323 info
Add column with name of endpoint in statistics debug export

Version 1.1.1

Added

Add API endpoint to export all active warnings to excel file `/json-api/v1/endpoint/export_warnings/`

Fixed

Fix error/warning message handling for provisioning tasks that made all errors display as ModuleNotFound
Fix removing last digit from configuration/command text inputs without clearing selection
Remove additional "s" that was added when selecting items for Status-report
Add handling for "command not found"-responses

Security

Upgrade certifi and reportlab
Related CVEs: CVE-2023-37920, CVE-2023-33733

Changed

Reset queued provisioning tasks that have not been able to run for 20 minutes, to give priority to systems that are online
Display note about minimum firmware requirements to install .cop.sha512 images
Ignore redacted values (e.g. passwords) when selecting all configurations
Display notice in backup view about missing passwords
Display notice in address book view about manual groups
Display notice if trying to change password for (unsupported) passive systems

Version 1.1.0

Added

Add support to upgrade Cisco devices with SHA512 Cisco firmware
Display system name and direct links in call statistics page
Display systems without any call data during the report time period in Excel export. Add API-endpoint to extract the same list.
Include personal email-address in system Excel export

Fixed

Fix indicator for room analytics status in provisioning dialog
Set timeout value for TMS sync API-requests. Improved handling for failed requests
Reset error messages in call statistics-view on new form submission
Convert call history timestamps to local time on system details page
Reset "in call"-status for inactive systems
Fix provision status indicator in case of failed response

Security

Fix ACL check that allowed non-authenticated users to initiate page requests waiting on external API calls
Mitigations for older versions: Block access to /setup/* after initialization (automatically added in Installer load balancer after re-deploy)
Upgrade cryptography certifi, django-environment, libcrypto1.1, libssl1.1, paramiko, pyopenssl, redis, sentry-sdk, sqlparse, urllib3,
Related CVEs: CVE-2022-23491, CVE-2022-23491, CVE-2022-24302, CVE-2022-24302, CVE-2023-0286, CVE-2023-0286, CVE-2023-23931, CVE-2023-23931, CVE-2023-28117, CVE-2023-28117, CVE-2023-28858, CVE-2023-28858, CVE-2023-28859, CVE-2023-28859
Lower session expiration to 5 days of inactivity
Automatically log out users if relevant LDAP-account has been disabled

Changed

Stop auto-reloading system details page after 10 minutes of inactivity
Allow case-insensitive search of participants in call statistics-report
Allow exporting call statistics using API-authentication (Basic Auth)

Version 1.0.2

Added

Historic People count for Cisco devices
Initial support for repeating/persistent provisioning of endpoints
Include number of seats in system Excel export
Add support for automatic cleanup/redaction of debug logs and call statistics, set through backend admin (beta)
Start storing sensor data from touch panels - temperature, noise level
Add support to set overridden address book for a specific endpoint
Display all tasks that will be repeated in provision dialog
Display warning if dial settings/system name have been changed on system
Apply dial settings from chained provisioning service
Fix saving setting to automatically adding incoming endpoints
Display warning if passive provision events have stopped coming in while live events still are
Display information about CA certificate validation in Dashboard provisioning widget
Add option to validate SSL-connection to systems (require trusted CA in installer)
Add API endpoint filter for online and warning-status
Display hostname and MAC-address on system dashboard
Add support to match LDAP user to a customer using DN path (using "dn" as matching field in installer)

Fixed

Use inline pagination in backend admin to allow updating calendar connections for large room lists
Fix room list sync for rooms with invalid email address as name
Make sure to stop non-finished concurrent status updates when task timeout is reached
Fix updating dial info for Webex systems
Fix potential lock race condition during object update
Don't set passive system to online status when displaying cached status data
Allow connecting Proxy client to separate ERM hostname
Use correct help text for active screen - branding logo field
Fix browser freeze-up when setting zero-value in required, number-based command arguments
Handle connection error during re-activationg of HttpFeedback slot
Fix logging for background tasks
Don't display system meeting status in list except for when in head count view
Fix endpoint API data type for warning about missing live events
Only allow .cop.sgn and .pkg-files in firmware upload

Changed

Use secure flag for cookies
Use ed25519 cipher for Proxy tunnel for new deployments
Connect to external systems in the following order (if set): API host, hostname, IP instead of API host, IP, hostname
Retry failed API-requests to video systems
Use Monday as first day of week in date picker dropdown
Stop display uuid in call history for spark/webex-calls
Hide non-approved proxy clients for non-admin users
Include created provision task id in API response
Use file upload for CA root certificate setting
Display information about TlsVerify on dashboard
Stop trying to connect to incoming endpoints using external remote IP if internal IP connection failed
Only fill SIP proxy password value when default password is set
Don't pass default SIP proxy-password or Proxy client password to non-admin
Return HTTP 403 when proxy registration fails
Use debian ca-certificates instead of Mozilla as default trusted CA list
Hide permissions from user backend admin due to not being used elsewhere
Use locally stored call history for active endpoints as well if system could not be contacted
Increase concurrency when updating active endpoint status
Stop allowing proxy connections without password by default for new installation
Brute force lockout for proxy client registration attempts
Remove deprecated SSH algorithms for proxy client tunnels

Version 1.0.1

Added

Add support to bulk provision saved dial settings from ERM to endpoints
Add support to bulk provision chained passive provisioning
Display loading errors on dashboard
Support for getting provisioning data from external passive provisioning server
Display license information on Dashboard
Display call history from local call statistics for passive endpoints
Support for syncing external sources to nested subgroup (delimited by >)
Merge folders with the same name from multiple sources in addressbook search
Add API endpoint to force addressbook sync
Log TMS address book sync error, force UTF-8 encoding

Fixed

Fix database initialization if using FQDN with over 100 characters
Fix translation in policy views and macro dialog
Don't display full html page as error message if raw error is passed to frontend
Strip XML namespace from chained passive provision services using tandberg CUIL namespace
Better connection/response error-handling when updating endpoint status
Better error handling of disconnecting participants in ongoing meeting list
Fix using prefilled default SIP proxy password when bulk-provisioning endpoint dial settings
Fix saving endpoints if changing it from backend admin
Fix freetext search for address book items in root folder
Fix rescheduling tasks for next night when last task in particular timezone had errors
Better error handling for connection errors when updating call statistics from previously offline endpoints
Reset user session if currently selected customer is removed
Remove console log for missing favicon
Remove console warning in organization tree view
Fix endpoint proxy-client empty password in multi-tenant ERM installations
Prefill default sip proxy settings when provisioning multiple endpoints
Bulk provisioning missing endpoint device aliases to Pexip Infinity
Remove empty columns from endpoint debug view error log
Use password input for new password field in provisioning view
Better error message on chained provisioning errors

Security

Upgrade libgmp, zlib1g, libssl, libexpat, gzip, liblzma5
Upgrade django
Related CVEs: CVE-2022-0778 CVE-2021-43618 CVE-2018-25032 CVE-2022-23852 CVE-2022-25235 CVE-2022-25236 CVE-2022-25313 CVE-2022-25315 CVE-2022-22818 CVE-2022-23833 CVE-2022-1271

Changed

Increase log verbosity for ldap logins
Allow multiple reverse proxy/load balancer hops when resolving client ip
Log firmware version when called endpoint commands fail
Don't set endpoint status to "in call" when display endpoint status until call is connected
Always display mac address and serial field in endpoint form to be able to replace it with a new one
Open endpoint web admin interface in new window
Set default passive provision heartbeat to 7 minutes (activated endpoint still use < 1 min)
Display password indicator in provision dialog if default sip proxy password is set
Only allow selecting one endpoint when filtering statistics instead of silently ignoring extra ones
Disable change password functionality for passive endpoints - not supported
Hide add new organization unit from system list, empty groups are hidden

ERM Installer changelog

This section lists the new features and changes in the ERM installer.

Version 1.0.8

Changed

All new installations of ERM are now deployed with a 200 GB disk.

For existing installations we recommend that you manually increase your disk size to 200 GB — see Increasing disk size from 100 GB to 200 GB on an ERM instance for details.

Version 1.0.7

Added

Support for Hyper-V 2016 and later environments
Add support to enable external database from license file
Add support to importing and converting binary certificates (beta)
Add support to export private keys with encryption, and importing encrypted keys
Add support for external redis server
Add support for enabling LDAP referral chasing
Add support to lookup LDAP servers using SRV records
Add more inline documentation for LDAP-settings
Mark certificates in use in lists
Add field for validating SSL handshake against remote port using network tools
Validation of database and LDAP settings when saving configuration
Display information about last component metadata refresh time and add link to force refresh

Fixed

Clear certificate existing CA chain when updating public key
Fix TLS validation for LDAP test connection
Validate line before removing volumes
Fix version ordering for x.y.z-dev builds
Fix permission to run ping in network tools
Fix certificate chain warnings if CA lacks common name information
Reset offline mode if online license validation was successful
Increase length of LDAP filter
Remove warning in load balancer logs about SNI host
Stop validating values in optional forms marked for deletion
Fix offline export if "check for update"-checkbox is not set
Fix offline export if any components are marked for uninstallation
Remove console log warnings about HostSNI
Fix installing multiple ERM on the same VM without getting 500 error
Fix home link from product details view
Lock postgres version for LDAPAdmin deployed with old version of deploy file
Stop re-deploying load balancer on installer upgrade if not necessary
Remove warning about missing volumes when removing component
Fix service deploy problems when using setting values (e.g. passwords) starting with quotes (")

Security

Upgrade django, openssl, libssl1.1, sqlite3
Related CVEs: CVE-2022-28346, CVE-2022-28347, CVE-2022-0778
Limit system permissions for load balancer container, run more services with read only root file system

Changed

Only display first certificate chain warning, hide warning if three or more certificates are included
Increase log verbosity for LDAP tests
Set LDAP connection timeout
List any unknown/not fully uninstalled container services
Add pagination and search to certificate lists
Use direct API for fetching service logs instead of subprocesses for better performance
Escape special characters in authentication to external services
Change deploy mode for some shared services to allow Installer upgrades in the future with less downtime
Increase number of workers for each component based on available memory
Always try to start Installer based on script from the currently running version when using other than the official latest version
Remove letsencrypt option from certificate

ERM OS

Added

Add CLI command ("cli") with support to, among other things, reset passwords and dump database content
Allow ICMP echo requests ("ping")
Allow overriding DNS when using DHCP
Install traceroute
Add support for EFI and Secure Boot (beta, new VM installations only)

Fixed

Fix host security update files when upgrading system using offline bundle
Set static routes after all interfaces are up
Install systemd-timesyncd if the initial VM version did not include it
Fix returning to menu after setting hostname

Security

Upgrade host packages for bind9-libs, curl, dpkg, grub-common, grub-pc, grub2, hyperv-daemons, libc-bin, libexpat1, libssl1.1, libtasn1-6, libxml2, linux-image-cloud-amd64, linux-image-cloud-amd64 bind9-host, openssl, qemu-guest-agent, rsyslog, zlib1g
Related CVEs: CVE-2021-22945, CVE-2021-22946, CVE-2021-30560, CVE-2021-3697, CVE-2021-3999, CVE-2021-4197, CVE-2021-4206, CVE-2021-4207, CVE-2021-46828, CVE-2021-46848, CVE-2022-0358, CVE-2022-1012, CVE-2022-1158, CVE-2022-1292, CVE-2022-1353, CVE-2022-1586, CVE-2022-1587, CVE-2022-1652, CVE-2022-1664, CVE-2022-1679, CVE-2022-1729, CVE-2022-1786, CVE-2022-20368, CVE-2022-20422, CVE-2022-20566, CVE-2022-20568, CVE-2022-2068, CVE-2022-22576, CVE-2022-2327, CVE-2022-24903, CVE-2022-2509, CVE-2022-2585, CVE-2022-2588, CVE-2022-2601, CVE-2022-2602, CVE-2022-26353, CVE-2022-27404, CVE-2022-27405, CVE-2022-27406, CVE-2022-27666, CVE-2022-27775, CVE-2022-27781, CVE-2022-27782, CVE-2022-2795, CVE-2022-28733, CVE-2022-28734, CVE-2022-29155, CVE-2022-29162, CVE-2022-29581, CVE-2022-29582, CVE-2022-2959, CVE-2022-2977, CVE-2022-30594, CVE-2022-3080, CVE-2022-31676, CVE-2022-3176, CVE-2022-32207, CVE-2022-32250, CVE-2022-34918, CVE-2022-3524, CVE-2022-3565, CVE-2022-3594, CVE-2022-3625, CVE-2022-3635, CVE-2022-36946, CVE-2022-3775, CVE-2022-38177, CVE-2022-38178, CVE-2022-40303, CVE-2022-40304, CVE-2022-40674, CVE-2022-41222, CVE-2022-4139, CVE-2022-42896, CVE-2022-43680, CVE-2022-43750, CVE-2022-4378, CVE-2022-47518, CVE-2022-47519, CVE-2018-13405

Changed

Limit access for logs and system files, fix some CIS benchmark warnings, enable console timeout
Install host security upgrades just after upgrading Installer, stop docker from potentially being upgraded automatically
Discard some recurring kernel log messages about virtual container network interfaces
Allow more userdata in cloud-init config
Rotate log files more often
Increase log file partition size (for new VMs)
Decrease console log verbosity
Change docker internal IP series to 100.64.10[3-5].0/16 to limit risk of conflicts (new VMs only)
Change to GPT based partitions
Add docker/-prefix to syslog tag, write container logs to separate files in /var/log/docker/
Prepare for support for external syslog servers. Manual configuration should be moved to /etc/rsyslog.d/50-remote.conf
Enable SSH login by default for new installation, enable fail2ban to lock logins after too many logins

Version 1.0.6

Added

Add support for deployment as a cloud service in Microsoft Azure and Google Cloud Platform.
Add support to override DNS entries for specific hosts
Warn about missing CA/Intermediaries from certificate chain
Add support for trusting load balancers using whole networks
Support validating SSL CA trust against external server using network tools
Improve error message when trying to browse to invalid FQDN/using IP to access services
Add info about using offline mode until CA has been trusted when using HTTPS proxy
Add support to export manually upgraded Installer version
Add support to test HTTP requests in network tools
Add choice to either uninstall component or remove it completely
Display shortcuts to importing offline bundles when running in offline mode
Display notice about required re-deploy after configuration change
Display notice about required re-deploy after CA-change
Validate uploaded private key/certificate and display warnings for mismatches
Use global CA trust instead of dedicated CA bundle file for each component
Support to remove not installed products from list

Fixed

Fix upgrading Installer from CLI before setting license key
Remove warning from load balancer logs about missing port
Clearer error display of some forms visible in separate tabs
Allow using domain names using leading digits
Fix subject alt names in CSR generation, use meaningful filename
Limit number of characters for fqdn-based service name and remove trailing special characters
Don't try to output ldap metadata result
Apply custom CA settings directly after save
Fix offline bundle export of Installer
Fix registry name for offline upgrades
Use trusted custom CA in Installer as well as components
Fix change password success message/redirect

Security

Upgrade gzip
Upgrade zlib1g, libssl
Upgrade libexpat
Related CVEs: CVE-2022-1271, CVE-2021-43618, CVE-2018-25032, CVE-2022-23852 CVE-2022-25235 CVE-2022-25236 CVE-2022-25313 CVE-2022-25315

Changed

Indent each individual certificate in certificate bundle
Display full chain in certificate textarea
Separate general server settings form from network related settings
Use separate virtual network for Installer load balancer
Redirect to certificate details view after generating new certificate
Include CSR generation in form header
Replace self-signed server default certificate if component certificate uses the same FQDN
Increase max length of LDAP filter
Display select all-checkbox at top of Log view as well as at bottom
Prepare offline export and display log before file download
Improve help texts for CA certificates
Pre-populate server IP/hostname on first boot