ERM release notes

This section lists the new features, changes in functionality, fixed issues and security improvements in the Pexip Enhanced Room Management (ERM) product and installer.

ERM product changelog

This section lists the new features and changes in the ERM product.

Version 2.0.0

Note that all new installations of ERM are now deployed with a 200 GB disk. For existing installations we recommend that you manually increase your disk size to 200 GB — see Increasing disk size from 100 GB to 200 GB on an ERM instance for details.

Added

  • Polycom support for Trio, HDX, Group and Studio X
  • Welcome message for new installations
  • Support for automatic upgrade to target firmware version
  • New system defaults templates view to configure base settings for specific models
  • New firmware overview showing conflicts with each model's target firmware version
  • Provision base settings from the system provisioning tab
  • "View provisioning settings" on the system dashboard and provisioning tab
  • Import configurations via text or file
  • Compare configurations to the latest provisioning, base configuration, templates or other system
  • Text import option for commands and configurations in the system provisioning tab
  • Support for updating existing configuration and command templates
  • Better notification about license device limits
  • Auto-detecting product type when adding new devices
  • Display warnings on dashboard if background server is down or delayed
  • Add support to send DTMF tones from system call control for Cisco systems
  • Add support to save inventory ID, service tags and notes in edit form
  • Add support to save metadata to be used by external systems
  • Add serial number and email address to bulk import form

Fixed

  • Fix manually adding call statistics server in backend admin
  • Only use temporary subfolder on filesystem for uploaded firmware, and revert to memory storage of other temporary files to prevent increasing data build-up. Old files will be automatically removed
  • Fix dates in Excel call statistics export filename
  • Fix updating SIP display-name for Cisco TC-systems
  • Update last check timestamp if system is in authentication error state
  • Mark endpoints value as not required in statistics API-endpoint
  • Redact some extra possible password/private key formats from queue information and trace log
  • Fix updating dial info for Webex systems
  • Fix indicators for room analysis in provision tab

Security

  • Check if user is valid in LDAP database every 10 minutes
  • Lower session cookie expiration value

Changed

  • General performance improvements
  • Icon for external manager service in the system list
  • Message to manually add provisioning settings if not found in the system provisioning tab
  • Improved notifications in the system provisioning tab
  • Fixed input widths in bulk import form
  • Sort system list with title as default
  • Redirect 404 systems to the system list
  • Show the created date in approve new systems list
  • Better notifications in provisioning dialog when multiple systems are selected
  • Better validation and error handling in upload firmware dialog
  • Better validation and error handling in statistics filter form
  • Better validation and error handling in head count filter form
  • Automatically switch to review tab in the system provisioning tab when loading configurations or commands
  • Better loading template indicator in the system provisioning tab
  • Add required to template name in save new template dialog
  • Reset initial values in template picker when closing dialog
  • Update the firmware list after updating an existing entry
  • Better support of Booleans in argument input
  • Reset group title when adding new address book group
  • Better support for the "home" button in sub-views
  • Settings view split into different tabs
  • System default settings moved to Admin > System default
  • Include manual installation instructions for address book configuration
  • Always enable changing volume from the system dashboard
  • Always allow mute/unmute from the system dashboard
  • Ignore empty values on select all configurations
  • Change the queue insight widget on the main dashboard to display pending and queued actions
  • Only show 3 system warnings and errors on the system dashboard, with the option to show all
  • Always scroll the page to the top when changing the route
  • Use manufacturer and model name for systems without title
  • Show alert for inactivity after 5 minutes in call control
  • Simplified system dashboard for systems without manufacturer
  • Added a "Retrieve call history" button to the system dashboard instead of automatically loading
  • Edit and remove buttons enabled on the system dashboard even if the system is not fully loaded
  • Check all HttpFeedbackEvent-slots for Failed-status
  • Reset queued task status after 20 minutes (instead of 60 minutes)
  • Cancel queued tasks belonging to deleted systems
  • Use H.323 gatekeeper password for Pexip endpoints
  • Allow exporting call statistics report as Excel using API authentication
  • Use correct widgets for ID-fields in API example-forms
  • Try to provision large macros without "Transpile: yes" if it looks to be transpiled already
  • Try to activate provisioned macros again after at least 10 seconds if Macro runtime was unresponsive
  • Reset form fields after adding new address book group
  • Reset form fields after adding new address book sync-source
  • Change all reports to XML-based Excel format, resize columns to better fit width, change to time-based format for durations
  • Add a summary sheet to Excel call report
  • Warn about low disk space when there is less than 20 GB of free space
  • Try to display correct fields when navigating to a single API view using the web browser
  • Stop displaying the load indicator when enough data is available
  • Display error-messages if any information fails to load
  • Don't display call history until button is pushed
  • Reset online status for systems with "in call" status after 4 hours without feedback
  • Allow changing serial number
  • Add help texts to the room analysis report form
  • Reset firmware form when pressing cancel
  • Display call history in correct timezone
  • Change edit address book tab labels
  • Log LDAP user attributes if customer matching is enabled but no fields matched
  • Match permission flags using LDAP parent group as well as exact DN
  • Group large clusters in dashboard widgets
  • Update provider status in background
  • Use a more visible popup to remind about license expiry
  • Resize columns in Excel exports
  • Disable calendar bookings in passive mode if using RoomOS 10.19.x - firmware bug causes system crash
  • Include the number of seats in system Excel export
  • Limit number of incoming endpoints from a single IP
  • Separate warning for changed system name and SIP/H.323 info
  • Add column with name of endpoint in statistics debug export

Version 1.1.1

Added

  • Add API endpoint to export all active warnings to an Excel file: `/json-api/v1/endpoint/export_warnings/`

Fixed

  • Fix error/warning message handling for provisioning tasks that made all errors display as ModuleNotFound
  • Fix removing last digit from configuration/command text inputs without clearing selection
  • Remove additional "s" that was added when selecting items for Status-report
  • Add handling for "command not found"-responses

Security

  • Upgrade certifi and reportlab
  • Related CVEs: CVE-2023-37920, CVE-2023-33733

Changed

  • Reset queued provisioning tasks that have not been able to run for 20 minutes, to give priority to systems that are online
  • Display note about minimum firmware requirements to install .cop.sha512 images
  • Ignore redacted values (e.g. passwords) when selecting all configurations
  • Display notice in backup view about missing passwords
  • Display notice in address book view about manual groups
  • Display notice if trying to change password for (unsupported) passive systems

Version 1.1.0

Added

  • Add support to upgrade Cisco devices with SHA512 Cisco firmware
  • Display system name and direct links in call statistics page
  • Display systems without any call data during the report time period in Excel export. Add API-endpoint to extract the same list.
  • Include personal email-address in system Excel export

Fixed

  • Fix indicator for room analytics status in provisioning dialog
  • Set timeout value for TMS sync API-requests. Improved handling for failed requests
  • Reset error messages in call statistics-view on new form submission
  • Convert call history timestamps to local time on system details page
  • Reset "in call"-status for inactive systems
  • Fix provision status indicator in case of failed response

Security

  • Fix ACL check that allowed non-authenticated users to initiate page requests waiting on external API calls
  • Mitigations for older versions: Block access to /setup/* after initialization (automatically added in Installer load balancer after re-deploy)
  • Upgrade cryptography, certifi, django-environment, libcrypto1.1, libssl1.1, paramiko, pyopenssl, redis, sentry-sdk, sqlparse, urllib3
  • Related CVEs: CVE-2022-23491, CVE-2022-24302, CVE-2023-0286, CVE-2023-23931, CVE-2023-28117, CVE-2023-28858, CVE-2023-28859
  • Lower session expiration to 5 days of inactivity
  • Automatically log out users if relevant LDAP-account has been disabled

Changed

  • Stop auto-reloading system details page after 10 minutes of inactivity
  • Allow case-insensitive search of participants in call statistics-report
  • Allow exporting call statistics using API-authentication (Basic Auth)

Version 1.0.2

Added

  • Historic People count for Cisco devices
  • Initial support for repeating/persistent provisioning of endpoints
  • Include number of seats in system Excel export
  • Add support for automatic cleanup/redaction of debug logs and call statistics, set through backend admin (beta)
  • Start storing sensor data from touch panels - temperature, noise level
  • Add support to set overridden address book for a specific endpoint
  • Display all tasks that will be repeated in provision dialog
  • Display warning if dial settings/system name have been changed on system
  • Apply dial settings from chained provisioning service
  • Fix saving setting to automatically add incoming endpoints
  • Display warning if passive provision events have stopped coming in while live events still are
  • Display information about CA certificate validation in Dashboard provisioning widget
  • Add option to validate SSL-connection to systems (require trusted CA in installer)
  • Add API endpoint filter for online and warning-status
  • Display hostname and MAC-address on system dashboard
  • Add support to match LDAP user to a customer using DN path (using "dn" as matching field in installer)

Fixed

  • Use inline pagination in backend admin to allow updating calendar connections for large room lists
  • Fix room list sync for rooms with invalid email address as name
  • Make sure to stop non-finished concurrent status updates when task timeout is reached
  • Fix updating dial info for Webex systems
  • Fix potential lock race condition during object update
  • Don't set passive system to online status when displaying cached status data
  • Allow connecting Proxy client to separate ERM hostname
  • Use correct help text for active screen - branding logo field
  • Fix browser freeze-up when setting zero-value in required, number-based command arguments
  • Handle connection error during re-activation of HttpFeedback slot
  • Fix logging for background tasks
  • Don't display system meeting status in list except for when in head count view
  • Fix endpoint API data type for warning about missing live events
  • Only allow .cop.sgn and .pkg-files in firmware upload

Changed

  • Use secure flag for cookies
  • Use ed25519 cipher for Proxy tunnel for new deployments
  • Connect to external systems in the following order (if set): API host, hostname, IP instead of API host, IP, hostname
  • Retry failed API-requests to video systems
  • Use Monday as first day of week in date picker dropdown
  • Stop displaying UUID in call history for Spark/Webex calls
  • Hide non-approved proxy clients for non-admin users
  • Include created provision task id in API response
  • Use file upload for CA root certificate setting
  • Display information about TlsVerify on dashboard
  • Stop trying to connect to incoming endpoints using external remote IP if internal IP connection failed
  • Only fill SIP proxy password value when default password is set
  • Don't pass default SIP proxy-password or Proxy client password to non-admin
  • Return HTTP 403 when proxy registration fails
  • Use debian ca-certificates instead of Mozilla as default trusted CA list
  • Hide permissions from user backend admin due to not being used elsewhere
  • Use locally stored call history for active endpoints as well if system could not be contacted
  • Increase concurrency when updating active endpoint status
  • Stop allowing proxy connections without password by default for new installation
  • Brute force lockout for proxy client registration attempts
  • Remove deprecated SSH algorithms for proxy client tunnels

Version 1.0.1

Added

  • Add support to bulk provision saved dial settings from ERM to endpoints
  • Add support to bulk provision chained passive provisioning
  • Display loading errors on dashboard
  • Support for getting provisioning data from external passive provisioning server
  • Display license information on Dashboard
  • Display call history from local call statistics for passive endpoints
  • Support for syncing external sources to nested subgroup (delimited by >)
  • Merge folders with the same name from multiple sources in addressbook search
  • Add API endpoint to force addressbook sync
  • Log TMS address book sync error, force UTF-8 encoding

Fixed

  • Fix database initialization if using FQDN with over 100 characters
  • Fix translation in policy views and macro dialog
  • Don't display full html page as error message if raw error is passed to frontend
  • Strip XML namespace from chained passive provision services using tandberg CUIL namespace
  • Better connection/response error-handling when updating endpoint status
  • Better error handling of disconnecting participants in ongoing meeting list
  • Fix using prefilled default SIP proxy password when bulk-provisioning endpoint dial settings
  • Fix saving endpoints when changing them from backend admin
  • Fix freetext search for address book items in root folder
  • Fix rescheduling tasks for next night when last task in particular timezone had errors
  • Better error handling for connection errors when updating call statistics from previously offline endpoints
  • Reset user session if currently selected customer is removed
  • Remove console log for missing favicon
  • Remove console warning in organization tree view
  • Fix endpoint proxy-client empty password in multi-tenant ERM installations
  • Prefill default SIP proxy settings when provisioning multiple endpoints
  • Bulk provisioning missing endpoint device aliases to Pexip Infinity
  • Remove empty columns from endpoint debug view error log
  • Use password input for new password field in provisioning view
  • Better error message on chained provisioning errors

Security

  • Upgrade libgmp, zlib1g, libssl, libexpat, gzip, liblzma5
  • Upgrade django
  • Related CVEs: CVE-2022-0778, CVE-2021-43618, CVE-2018-25032, CVE-2022-23852, CVE-2022-25235, CVE-2022-25236, CVE-2022-25313, CVE-2022-25315, CVE-2022-22818, CVE-2022-23833, CVE-2022-1271

Changed

  • Increase log verbosity for LDAP logins
  • Allow multiple reverse proxy/load balancer hops when resolving client ip
  • Log firmware version when called endpoint commands fail
  • Don't set endpoint status to "in call" when displaying endpoint status until call is connected
  • Always display MAC address and serial field in endpoint form to be able to replace it with a new one
  • Open endpoint web admin interface in new window
  • Set default passive provision heartbeat to 7 minutes (activated endpoints still use < 1 min)
  • Display password indicator in provision dialog if default SIP proxy password is set
  • Only allow selecting one endpoint when filtering statistics instead of silently ignoring extra ones
  • Disable change password functionality for passive endpoints - not supported
  • Hide add new organization unit from system list, empty groups are hidden

ERM Installer changelog

This section lists the new features and changes in the ERM installer.

Version 1.0.8

Changed

Version 1.0.7

Added

  • Support for Hyper-V 2016 and later environments
  • Add support to enable external database from license file
  • Add support for importing and converting binary certificates (beta)
  • Add support for exporting private keys with encryption, and importing encrypted keys
  • Add support for external redis server
  • Add support for enabling LDAP referral chasing
  • Add support to lookup LDAP servers using SRV records
  • Add more inline documentation for LDAP-settings
  • Mark certificates in use in lists
  • Add field for validating SSL handshake against remote port using network tools
  • Validation of database and LDAP settings when saving configuration
  • Display information about last component metadata refresh time and add link to force refresh

Fixed

  • Clear certificate's existing CA chain when updating public key
  • Fix TLS validation for LDAP test connection
  • Validate line before removing volumes
  • Fix version ordering for x.y.z-dev builds
  • Fix permission to run ping in network tools
  • Fix certificate chain warnings if CA lacks common name information
  • Reset offline mode if online license validation was successful
  • Increase length of LDAP filter
  • Remove warning in load balancer logs about SNI host
  • Stop validating values in optional forms marked for deletion
  • Fix offline export if "check for update"-checkbox is not set
  • Fix offline export if any components are marked for uninstallation
  • Remove console log warnings about HostSNI
  • Fix installing multiple ERM on the same VM without getting 500 error
  • Fix home link from product details view
  • Lock postgres version for LDAPAdmin deployed with old version of deploy file
  • Stop re-deploying load balancer on installer upgrade if not necessary
  • Remove warning about missing volumes when removing component
  • Fix service deploy problems when using setting values (e.g. passwords) starting with quotes (")

Security

  • Upgrade django, openssl, libssl1.1, sqlite3
  • Related CVEs: CVE-2022-28346, CVE-2022-28347, CVE-2022-0778
  • Limit system permissions for load balancer container, run more services with read only root file system

Changed

  • Only display first certificate chain warning, hide warning if three or more certificates are included
  • Increase log verbosity for LDAP tests
  • Set LDAP connection timeout
  • List any unknown/not fully uninstalled container services
  • Add pagination and search to certificate lists
  • Use direct API for fetching service logs instead of subprocesses for better performance
  • Escape special characters in authentication to external services
  • Change deploy mode for some shared services to allow Installer upgrades in the future with less downtime
  • Increase number of workers for each component based on available memory
  • Always try to start Installer based on script from the currently running version when using other than the official latest version
  • Remove letsencrypt option from certificate

ERM OS

Added

  • Add CLI command ("cli") with support to, among other things, reset passwords and dump database content
  • Allow ICMP echo requests ("ping")
  • Allow overriding DNS when using DHCP
  • Install traceroute
  • Add support for EFI and Secure Boot (beta, new VM installations only)

Fixed

  • Fix host security update files when upgrading system using offline bundle
  • Set static routes after all interfaces are up
  • Install systemd-timesyncd if the initial VM version did not include it
  • Fix returning to menu after setting hostname

Security

  • Upgrade host packages for bind9-libs, curl, dpkg, grub-common, grub-pc, grub2, hyperv-daemons, libc-bin, libexpat1, libssl1.1, libtasn1-6, libxml2, linux-image-cloud-amd64, bind9-host, openssl, qemu-guest-agent, rsyslog, zlib1g
  • Related CVEs: CVE-2021-22945, CVE-2021-22946, CVE-2021-30560, CVE-2021-3697, CVE-2021-3999, CVE-2021-4197, CVE-2021-4206, CVE-2021-4207, CVE-2021-46828, CVE-2021-46848, CVE-2022-0358, CVE-2022-1012, CVE-2022-1158, CVE-2022-1292, CVE-2022-1353, CVE-2022-1586, CVE-2022-1587, CVE-2022-1652, CVE-2022-1664, CVE-2022-1679, CVE-2022-1729, CVE-2022-1786, CVE-2022-20368, CVE-2022-20422, CVE-2022-20566, CVE-2022-20568, CVE-2022-2068, CVE-2022-22576, CVE-2022-2327, CVE-2022-24903, CVE-2022-2509, CVE-2022-2585, CVE-2022-2588, CVE-2022-2601, CVE-2022-2602, CVE-2022-26353, CVE-2022-27404, CVE-2022-27405, CVE-2022-27406, CVE-2022-27666, CVE-2022-27775, CVE-2022-27781, CVE-2022-27782, CVE-2022-2795, CVE-2022-28733, CVE-2022-28734, CVE-2022-29155, CVE-2022-29162, CVE-2022-29581, CVE-2022-29582, CVE-2022-2959, CVE-2022-2977, CVE-2022-30594, CVE-2022-3080, CVE-2022-31676, CVE-2022-3176, CVE-2022-32207, CVE-2022-32250, CVE-2022-34918, CVE-2022-3524, CVE-2022-3565, CVE-2022-3594, CVE-2022-3625, CVE-2022-3635, CVE-2022-36946, CVE-2022-3775, CVE-2022-38177, CVE-2022-38178, CVE-2022-40303, CVE-2022-40304, CVE-2022-40674, CVE-2022-41222, CVE-2022-4139, CVE-2022-42896, CVE-2022-43680, CVE-2022-43750, CVE-2022-4378, CVE-2022-47518, CVE-2022-47519, CVE-2018-13405

Changed

  • Limit access for logs and system files, fix some CIS benchmark warnings, enable console timeout
  • Install host security upgrades just after upgrading Installer, stop docker from potentially being upgraded automatically
  • Discard some recurring kernel log messages about virtual container network interfaces
  • Allow more userdata in cloud-init config
  • Rotate log files more often
  • Increase log file partition size (for new VMs)
  • Decrease console log verbosity
  • Change docker internal IP series to 100.64.10[3-5].0/16 to limit risk of conflicts (new VMs only)
  • Change to GPT based partitions
  • Add docker/-prefix to syslog tag, write container logs to separate files in /var/log/docker/
  • Prepare for support for external syslog servers. Manual configuration should be moved to /etc/rsyslog.d/50-remote.conf
  • Enable SSH login by default for new installations, enable fail2ban to lock logins after too many login attempts

Version 1.0.6

Added

  • Add support for deployment as a cloud service in Microsoft Azure and Google Cloud Platform.
  • Add support to override DNS entries for specific hosts
  • Warn about missing CA/Intermediaries from certificate chain
  • Add support for trusting load balancers using whole networks
  • Support validating SSL CA trust against external server using network tools
  • Improve error message when trying to browse to invalid FQDN/using IP to access services
  • Add info about using offline mode until CA has been trusted when using HTTPS proxy
  • Add support to export manually upgraded Installer version
  • Add support to test HTTP requests in network tools
  • Add choice to either uninstall component or remove it completely
  • Display shortcuts to importing offline bundles when running in offline mode
  • Display notice about required re-deploy after configuration change
  • Display notice about required re-deploy after CA-change
  • Validate uploaded private key/certificate and display warnings for mismatches
  • Use global CA trust instead of dedicated CA bundle file for each component
  • Support to remove not installed products from list

Fixed

  • Fix upgrading Installer from CLI before setting license key
  • Remove warning from load balancer logs about missing port
  • Clearer error display of some forms visible in separate tabs
  • Allow using domain names using leading digits
  • Fix subject alt names in CSR generation, use meaningful filename
  • Limit number of characters for fqdn-based service name and remove trailing special characters
  • Don't try to output LDAP metadata result
  • Apply custom CA settings directly after save
  • Fix offline bundle export of Installer
  • Fix registry name for offline upgrades
  • Use trusted custom CA in Installer as well as components
  • Fix change password success message/redirect

Security

  • Upgrade gzip
  • Upgrade zlib1g, libssl
  • Upgrade libexpat
  • Related CVEs: CVE-2022-1271, CVE-2021-43618, CVE-2018-25032, CVE-2022-23852, CVE-2022-25235, CVE-2022-25236, CVE-2022-25313, CVE-2022-25315

Changed

  • Indent each individual certificate in certificate bundle
  • Display full chain in certificate textarea
  • Separate general server settings form from network related settings
  • Use separate virtual network for Installer load balancer
  • Redirect to certificate details view after generating new certificate
  • Include CSR generation in form header
  • Replace self-signed server default certificate if component certificate uses the same FQDN
  • Increase max length of LDAP filter
  • Display select all-checkbox at top of Log view as well as at bottom
  • Prepare offline export and display log before file download
  • Improve help texts for CA certificates
  • Pre-populate server IP/hostname on first boot