Reference13r2:Release Notes Security
From innovaphone-wiki
This is the Security 13r2 Release Notes document. It is an extract of the 13r2 Release Notes showing only the security fixes (this mechanism was introduced with 13r2SR12). It can be used by security-sensitive customers to decide whether an update of the innovaphone structure is needed with a new Service Release.
Service Releases are planned for the second Monday of each month.
Please see the disclaimer before using the information presented here!
Security 13r2
13r2 Service Release 12 (136349)
124576 - Protection against theoretical XSS possibility in pbx_appclient_popup.htm
URLs given in the "url" parameter are now filtered for javascript code.
13r2 Service Release 13
124821 - Potential restart on some special login requests to Advanced UI
This may be caused by an attack.
124652 - TLS: Possibility to disable client-initiated renegotiation
Renegotiation can now be disabled in the TLS settings.
- Applies to TLS 1.0, TLS 1.1 and TLS 1.2 in the firmware. TLS 1.3 does not support renegotiation.
- Renegotiation could be used by attackers to cause additional CPU load on servers.
Advanced UI:
- New flag IPx / TLS / Disable renegotiation
Config lines:
- config change TLS0 /no-renegotiation
- config change TLS6 /no-renegotiation
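
To confirm after an update that the flag is set for both TLS0 and TLS6, a saved configuration can be audited. The script below is an added example, not part of the innovaphone release notes or firmware; it assumes the configuration was saved as a text file containing `config change <MODULE> <options>` lines like the ones above, and the function name and sample file are hypothetical.

```bash
#!/usr/bin/env bash
# Audit a saved device configuration for the 13r2 SR13 renegotiation flag.
# Assumption: the file holds "config change <MODULE> <options>" lines,
# as in the config lines listed in the release note.

# Prints the modules (TLS0, TLS6) that lack /no-renegotiation.
# Returns 0 if both carry the flag, 1 otherwise.
missing_no_renegotiation() {
    cfg_file=$1
    missing=""
    for module in TLS0 TLS6; do
        # Require the flag as a whole option token on the module's own line.
        # A trailing carriage return is stripped so CRLF files are handled.
        if ! awk -v m="$module" '
            { sub(/\r$/, "") }
            $1 == "config" && $2 == "change" && $3 == m {
                for (i = 4; i <= NF; i++)
                    if ($i == "/no-renegotiation") found = 1
            }
            END { exit found ? 0 : 1 }' "$cfg_file"; then
            missing="$missing $module"
        fi
    done
    missing=${missing# }
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# Constructed sample (not a real device config): TLS0 has the flag, TLS6 does
# not. "/placeholder-option" is a made-up token standing in for other options.
sample=$(mktemp)
printf '%s\r\n' \
    'config change TLS0 /placeholder-option /no-renegotiation' \
    'config change TLS6 /placeholder-option' > "$sample"
if ! unprotected=$(missing_no_renegotiation "$sample"); then
    echo "client-initiated renegotiation not disabled for: $unprotected"
fi
rm -f "$sample"
```
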