Impex release information
Information about the IMPEX release 5.8.0
Release Type: general
The IMPEX 5.8.0 release
5.8.0 is a release focused on security hardening, operational visibility, and report quality.
On the security side, the station switches from RSA to Ed25519 for report signing, the icc-helper service is now accessible only via a Unix socket with peer credential verification, and Jinja2 autoescape is enforced across all report templates.
The ICC gains better operational visibility: a new collapsible pane in the Operations view shows notes collected during the scan, such as encrypted archive unlocking events, and PDF and CSV reports now include file type and group metadata. Operators can also now allowlist files directly from the quarantine view. The udev rules toggle has been made more deliberate — disabling it now requires confirmation and stations display a persistent warning while the rules are off.
On the station, the scan summary view gains an on-demand print receipt button, available regardless of the ICC default configuration but only if a printer is attached.
The most significant bug fixes address two regressions from 5.7.0: device and file filter rules using recursive set-includes were evaluated incorrectly, and file filter exceptions were not visible in file listings. Additionally, scan imports from the station are now performed in a single transaction, preventing dangling objects in the database if the import is interrupted.
Station fixes
- Multiple robustness fixes from internal code reviews
- The 7z encrypted archive engine was not always enabled when it should be
- Fixed an issue where some CD readers caused spurious filesystem removal events that confused the USB media handler, causing the device to disappear immediately after being detected
- In a recent release, more user-friendly error messages were introduced. A bug in that implementation caused errors with no user-friendly message to be shown only as “Error”, without the underlying error message.
- When transferring from BitLocker to BitLocker, the filesystem in the target partition was not specified, showing only “BitLocker”
- Fixed the logout button not being clickable
Station changes
- Switch to an internal Ed25519 SSH implementation for signing reports. This requires the station to generate new signing keys to replace the old RSA keys. The new signing keys are signed by the ICC, so any existing signature verification chain should still work but may need adjustment depending on how it is implemented.
- Bump the JavaScript web framework used in the frontend to React 19.2.4
- Add button touch feedback to the new buttons introduced in 5.7.0
- The internal impexd service that communicates with the ICC was heavily refactored with stronger typing. This will make it easier and less risky to add new functionality in the future.
- If a printer is attached, a print receipt button is now shown on the scan summary view. This button appears even if “print receipt” is turned off in the ICC configuration, which is useful when receipts are not always needed but the option to print one is still wanted.
- Gin-gonic removed from all Go services (brokerd, storaged, avd, icc-helper, sensorsd) — replaced with the Go standard net/http library. This removes an external HTTP framework dependency and reduces the attack surface.
- The frontend browser was switched from google-chrome to chromium, which ships with the upstream Linux distribution that Sysctl Linux is based on.
ICC fixes
- Device and file filter rules with recursive set-includes were broken in 5.7.0 after a refactor; this has been fixed
- Fixed the engine password view to allow adding a password without a description
- File filter exceptions were not showing in file listings; this was a regression in 5.7.0
- Import a scan, its files, and metadata from the station in a single transaction, so that import errors (for example, in the metadata) no longer leave dangling scan objects in the database
ICC changes
- A new collapsible pane is now shown in the Operations view with operational notes — additional information collected during the scan, such as whether an encrypted archive was unlocked before scanning.
- Security: The icc-helper service has been locked down to listen only on a Unix socket and to allow only trusted peers to connect (using the kernel’s SO_PEERCRED functionality)
- Security: Add stronger validation of SSH station keys before signing them
- Upgrade the browser JavaScript framework from Angular 19 to Angular 21
- Add file type and group metadata to ICC reports (PDF and CSV)
- Use a unique random secret key per installation for the ICC Signify signing key
- Enable autoescape on all Jinja2 templates used for report rendering
- Turning off udev rules now requires confirmation. Station cards will show a warning icon while udev rules are disabled, as they are part of the kiosk protection services.
- Add a button to quickly allowlist files within the quarantine
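The SO_PEERCRED check mentioned in the icc-helper item above can be sketched as follows. This is an added example, not Impex code: the names `peerAllowed`, `probe` and `helper.sock` are hypothetical, and a UID allowlist is assumed as the definition of a "trusted peer" (Linux only).

```go
package main

import (
	"fmt"
	"net"
	"os"
	"syscall"
)

// peerAllowed (illustrative name) asks the kernel via SO_PEERCRED who connected; deny on any error.
func peerAllowed(c *net.UnixConn, allowed map[uint32]bool) (ok bool) {
	if raw, err := c.SyscallConn(); err == nil {
		raw.Control(func(fd uintptr) {
			cred, err := syscall.GetsockoptUcred(int(fd), syscall.SOL_SOCKET, syscall.SO_PEERCRED)
			ok = err == nil && allowed[cred.Uid]
		})
	}
	return ok
}

// probe listens on a throwaway socket, connects as this process, and returns the server's verdict.
func probe(allowed map[uint32]bool) (bool, error) {
	dir, err := os.MkdirTemp("", "peercred") // created with mode 0700
	if err != nil {
		return false, err
	}
	defer os.RemoveAll(dir)
	ln, err := net.ListenUnix("unix", &net.UnixAddr{Name: dir + "/helper.sock", Net: "unix"})
	if err != nil {
		return false, err
	}
	defer ln.Close()
	client, err := net.Dial("unix", ln.Addr().String())
	if err != nil {
		return false, err
	}
	defer client.Close()
	conn, err := ln.AcceptUnix()
	if err != nil {
		return false, err
	}
	defer conn.Close()
	return peerAllowed(conn, allowed), nil
}

func main() {
	fmt.Println(probe(map[uint32]bool{uint32(os.Getuid()): true})) // true <nil>
}
```

The credentials are recorded by the kernel when the peer connects, so the client cannot supply or alter them, and the socket's parent directory permissions remain a second, independent control.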
Information
Operating system packages
General package updates
Online Documentation
Further details and configuration guidance are available in the official documentation:
https://sysctl.se/impex/documentation/
SBOM
Each ISO and VHD release has a software bill of materials (SBOM), so that the contents of the release can be inspected and integrated with a number of security tools.
Update Instructions
For networked Impex stations, this release will be installed automatically as part of the regular update process. No manual steps are required from administrators or users. The system applies the update in the background, so the latest fixes are in place without any interruption to normal operations.
For standalone Impex stations, your organisation needs to download the update from portal.sysctl.se in accordance with the update instructions in chapter “USBProtect in offline mode” in the Impex USB Protect user manual.
Links
Sysctl portal
https://portal.sysctl.se/
Documentation for offline patching
https://sysctl.se/impex/documentation/usb-protect-user-manual/#updates-and-patching
Sysctl RSS/Atom
https://sysctl.se/feed.xml