Information about the IMPEX 4.1.4 security release
Release date: 2024-11-15
This releases fixes a information leak possibility in the ICC server. During an internal audit it was discovered that some implemented code objects only checked for an authenticated user before allowing read access. This could allow a station to get read access to certain resources it should not have access to.
We have fixed this and now require admin user access for even read access to some resources.
The resources a station could access that it should not have was:
- SMTP, NTP, DNS, Syslog and LDAP settings in the ICC
This release also does a database audit on start, removing any non-staff users not associated with a station or an existing registration attempt.
A fix is also included for customers having problems with stations freezing up. We had fixed this in an earlier release but another package upgrade was interfering with the original fix.