Software Update: Sophos XG Firewall 17.5 MR12 / 18.0 GA-Build379

Sophos has released new versions of its XG Firewall, with version numbers 17.5 MR12 and 18.0 GA-Build379. The software runs on physical hardware and is also delivered as a soft appliance for VMware, Hyper-V, Xen and KVM. In addition to the paid variants for businesses, Sophos offers this firewall for home use at no cost, as can be read on this page. The various image and update files are available from the MySophos Portal. The announcements for these releases are as follows:

XG Firewall 17.5 MR12 Released

Hi XG Community!

We’ve released XG Firewall 17.5 MR12. Initially, the firmware will be available by manual download from the Licensing Portal. We will gradually release the firmware via auto-update to customers.

Note: The upgrade from version 17.5 MR12 to 18.0 will follow soon.

News

  • Security Release
  • Fixes SQL injection vulnerability and malicious code execution in XG Firewall/SFOS detailed out in KBA135412

Note: Hotfix referenced in KBA135412 is NOT required for 17.5 MR12 as CVE-2020-12271 has been fixed in this release version.

Issues Resolved

  • NC-59408 [API Framework, UI Framework] SQLi prevention in hybrid request – ORM fields and mode parameters (CVE-2020-12271)
  • NC-58898 [Email] Potential RCE through heap overflow in awarrensmtp (CVE-2020-11503)
  • NC-59300 [Email] Blind pre-auth SQLi in spxd on port 8094
  • NC-59454 [UI Framework] Enable apache access logs

XG Firewall 18.0 GA-Build379 Released

Hi XG Community!

We’ve released XG Firewall 18.0 GA-Build379. Initially, the firmware will be available by manual download from the Licensing Portal. We will gradually release the firmware via auto-update to customers.

Security Release

  • Fixes SQL injection vulnerability and malicious code execution in XG Firewall/SFOS detailed out in KBA135412

Important note

  • This is a security release for v18 GA; incremental to the previous GA release 18.0 GA-Build354
  • We will soon have a re-release of v18 MR1 to support SD-RED devices and upgrade from v17.5 MR11/MR12
  • You can upgrade from SFOS 17.5 (MR6 to MR10) to this release 18.0 GA-Build379
  • Hotfix referenced in KBA135412 is NOT required for 18.0 GA-Build379 as CVE-2020-12271 has been fixed in this release version

Issues Resolved in XG Firewall 18.0 GA-Build379

  • NC-59408 [API Framework, UI Framework] SQLi prevention in hybrid request – ORM fields and mode parameters (CVE-2020-12271)
  • NC-58898 [Email] Potential RCE through heap overflow in awarrensmtp (CVE-2020-11503)
  • NC-59300 [Email] Blind pre-auth SQLi in spxd on port 8094
  • NC-59454 [UI Framework] Enable apache access logs

Version number: 17.5 MR12 / 18.0 GA-Build379
Release status: Final
Website: Sophos
Download: https://www.sophos.com/en-us/mysophos
License type: Freeware/Paid