IGEL Linux
==========

Version 5.11.400
Release date 2017-08-30
Last update of this document 2017-08-28

The online Release Notes can be found at
http://edocs.igel.com/index.htm#14351.htm
Registry keys of parameters are listed there.

Supported devices:

  IZ2-RFX, IZ2-HDX, IZ2-HORIZON
  IZ3-RFX, IZ3-HDX, IZ3-HORIZON
  UD2-LX 40, UD2-LX 31, UD2-LX 30
  UD3-LX 50, UD3-LX 42, UD3-LX 41, UD3-LX 40, UD3-LX 31
  UD5-LX 50, UD5-LX 40, UD5-LX 30
  UD6-LX 51
  UD9-LX Touch 41, UD9-LX 40, UD9-LX Touch 31, UD9-LX 30
  UD10-LX Touch 10, UD10-LX 10

=============================================================================
Security Fixes:
=============================================================================

- Fixed kernel security issue CVE-2017-1000364.
- Security fix for Secure Shadowing: do not accept weak SSL ciphers anymore.
  As the RC4 cipher is not accepted anymore, this change fixes Bar Mitzvah
  attacks (CVE-2015-2808).
- Added possibility to configure minimal allowed ssh cipher security.
  New registry keys:
  * network.ssh_client.minimal_encryption_level (defaults to 128bit)
    possible range 128bit, 192bit or 256bit
  * network.ssh_server.minimal_encryption_level (defaults to 128bit)
    possible range 128bit, 192bit or 256bit
- Updated preinstalled CA certificate package to ubuntu artful version
  20161130+nmu1. The list of newly supported and removed certificates can be
  found at online Release Notes (edocs.igel.com).

=============================================================================
Versions:
=============================================================================

Clients:
- Citrix Access Gateway Standard Plug-in 4.6.3.0800
- Citrix HDX Realtime Media Engine 2.2.100-949
- Citrix Receiver 12.1.8.250715
- Citrix Receiver 13.3.2.366713
- Citrix Receiver 13.5.0.10185126
- Dell vWorkspace Connector for Linux 8.6.1
- Ericom PowerTerm 12.0.1.0.20170219.2-_dev_-34574
- Ericom PowerTerm 9.2.0.6.20091224.1-_rc_-25848
- Ericom Webconnect 5.6.0.4000-rel.20413
- Evidian AuthMgr 1.4.6132
- Evince PDF Viewer 2.30
- FabulaTech USB for Remote Desktop 5.1.3
- Firefox 45.6.0
- IBM iSeriesAccess 7.1.0-1.0
- IBM iAccess Client Solutions 1.1.5.0
- IGEL Legacy RDP Client 1.0
- IGEL RDP Client 2.2
- Imprivata OneSign ProveID Embedded
- Leostream Java Connect 3.0.57.0
- NCP Secure Client (Enterprise) 3.25-rev23310-i686
- NX Client 5.2.11
- Open VPN 2.3.2
- Oracle JRE 1.8.0_141
- Parallels 2X Client 15.5.2.16129
- Remote Viewer 4.0 for RedHat Enterprise Virtualization Desktops
- Systancia AppliDis 4.0.0.14
- Thinlinc Client 4.7.0-5280
- ThinPrint Client 7.0.78
- Totem Media Player 2.30.2
- Nimboxx VERDE Client 8.0.0-rel.25568
- VMware Horizon client 4.5.0-5650368
- Voip Client Ekiga 4.0.1
- CREALOGIX CLX.Giromat 1.1.0b3

Dictation:
- Driver for Grundig Business Systems dictation devices
- Diktamen Extensions for dictation 1.1
- Nuance Audio Extensions for dictation 7.47.0
- Driver for Olympus dictation devices
- Legacy Philips Speech driver 5.0.10
- Philips Speech driver 12.4.10

Signature:
- signotec VCOM Daemon 2.0.0
- Softpro/Kofax Citrix Virtual Channel 3.1.33.2
- StepOver TCP Client 1.0.2

Smartcard:
- PKCS#11 Library A.E.T SafeSign 3.0.93
- PKCS#11 Library Athena IDProtect 623.07
- PKCS#11 Library cryptovision sc/interface 6.6.3
- PKCS#11 Library Gemalto IDPrime 1.2.1
- PKCS#11 Library SecMaker NetID 6.6.0.30
- PKCS#11 Library ASIP Sante cryptolibcps 5.0.9
- Reader Driver ACS CCID 1.1.1
- Reader Driver HID Global Omnikey CCID 4.0.5.5
- Reader Driver Identive / SCM Microsystems CCID 5.0.35
- Reader Driver MUSCLE CCID 1.4.25
- Reader Driver Omnikey CCID legacy-3.6.0
- Reader Driver Omnikey RFID legacy-2.7.2
- Reader Driver REINER SCT cyberJack 3.99.5final.SP09
- Reader Driver Gemalto / SafeNet eToken 8.1.0-4
- Reader Driver SCM Microsystems CCID Legacy 5.0.21
- Reader Driver SCM Microsystems SDI011 5.0.18
- Resource Manager PC/SC Lite 1.8.21

System Components:
- Graphics Driver INTEL 2.99.917+git20160706-1ubuntu1
- Graphics Driver ATI/RADEON 7.8.0-1
- Graphics Driver ATI/AMDGPU 1.2.0-1
- Graphics Driver VIA 5.76.52.92-009-005f78-20150730
- Graphics Driver VIA Legacy 5.75.32.87a-59172
- Graphics Driver VESA 2.3.4-0ubuntu1~trusty1
- Input Driver Evdev 2.9.0-1ubuntu2~trusty1
- Input Driver eGalax 2.5.2107
- Input Driver Synaptics 1.8.2-1ubuntu1~trusty1
- Input Driver Wacom 0.25.0-0ubuntu1.1~trusty1
- Kernel 4.4.35 #59.80-ud-r1829
- Xorg X11 Server lts-wily-1.17.4
- Xorg Xephyr lts-wily-1.17.4

=============================================================================
Known Issues:
=============================================================================

[Citrix]
- Videos encoded with the rare combination H.264/MP3 won't play sound

[VMware Horizon]
- On UD3 50/IZ3 50 accelerated H.264 decoding is only possible for blast
  sessions with screen heights up to 1152 pixels due to hardware limitations.
  If sessions exceed 1152 pixel height, the GL-Basic rendering engine is used
  instead.
- The new on-insertion feature is only working if the client drive mapping is
  switched off. Client drive mapping can be disabled at TC Setup under
  Sessions -> RDP -> RDP Global -> Mapping -> Drive mapping.

[Evidian]
- Active Directory users with a password containing special characters may
  have problems authenticating with the configured session.
  Known special characters which result in errors are:
    ` (grave accent, ASCII code 96)
    ´ (acute accent, ASCII code 239)

[Universal MultiDisplay]
- While updating the UMD slave devices from 5.10.100 or older firmwares there
  will be screen flickering and corruptions until the update is finished.

[RDP/IGEL RDP Client 2]
- EVOR video redirection does not work reliably: Work around the issue by
  disabling
  Sessions -> RDP -> RDP Sessions -> [session name] -> Multimedia ->
  Enable Video Redirection
  or by disabling:
  Sessions -> RDP -> RDP Global -> Multimedia -> Enable Video Redirection.

=============================================================================
IGEL Linux 5.11.400
=============================================================================
New features:
=============================================================================

[Citrix Receiver 13]
- Integrated Citrix Receiver 13.5.0. This is the default version now.
  Citrix Receiver version 13.4.2 was removed.
  Available Citrix Receiver versions: 12.1.8, 13.3.2, 13.5.0 (default)
- Added Multi Media Stream (for browser and selfservice sessions) to be used
  when connecting to a multi stream ICA enabled server. Configuration can be
  done with parameter "Multi-Stream ICA" at TC Setup under
  Sessions -> Citrix -> HDX Global -> Options.
  Only supported with Citrix Receiver 13.5.0.
  (registry key: ica.module.allowmultistream)

[VMware Horizon]
- Updated VMware Horizon Client to version 4.5.0-5650368
- Added setup page for USB Redirection:
  Sessions -> Horizon Client -> Horizon Client Global -> USB Redirection
- Added the following parameters to modify the USB-redirection behavior:
  * Automatically connect at startup
    (registry key: vmware.view.usb-autoconnect-at-start-up):
    If enabled, USB devices are redirected at start-up (i.e. when client
    connects to the desktop). If disabled, USB devices are not redirected,
    but listed as available in the VMware menubar.
    (default: enabled)
  * Automatically connect when inserted
    (registry key: vmware.view.usb-autoconnect-on-insert):
    If enabled, USB devices are redirected on insertion of the device.
    If disabled, USB devices are listed as available in the VMware menubar.
    (default: enabled)

[Firefox]
- Updated Flash Player download URL to version 26.0.0.151

[Smartcard]
- New SecMaker Net iD version 6.6.0.30.
- Enhanced IGEL Smartcard to support Remote Desktop Web Access sessions.
- New version of PC/SC Lite smart card resource manager 1.8.21

[Base system]
- Added possibility to perform an automatic update on shutdown. This new
  feature can be enabled at TC Setup under System -> Update -> Firmware Update
  with parameter "Automatic Update Check On Shutdown"
  (registry key: update.autoupdate_on_shutdown).
  This feature automatically checks the firmware version on the configured
  update source during shutdown process and invokes a firmware update if the
  version differs from the active version.
- It is now possible to upgrade Samsung TC2 to IGEL Linux 10. See the
  particular section in eDocs for more information.
- Updated preinstalled CA certificate package to ubuntu artful version
  20161130+nmu1.
- Updated TC Setup to version 5.7.5.

[Driver]
- Added support for 3DConnexion SpaceMouse Wireless Pro.

[Java]
- Updated Oracle JRE to version 1.8U141.
- Added JCE Unlimited Strength Jurisdiction Policy.

=============================================================================
Resolved issues:
=============================================================================

[Citrix]
- The TC Setup configuration page 'Options' under
  Sessions -> Citrix -> Citrix StoreFront now gets deactivated if Citrix
  Receiver 13 is active.
- Improved sound in Citrix ICA sessions by using high quality sound format as
  default. The audio bandwidth usage can be lowered at TC Setup under
  Sessions -> Citrix -> HDX Global -> Options -> Audio Bandwidth Limit in
  StoreFront sessions.
  (registry key: ica.wfclient.audiobandwidthlimit)

[Citrix Receiver 13]
- Added the following parameter to control the method used for hiding server
  side windows when switching between workspaces on client:
  * ica.wfclient.twiwshidewindowtype:
    1 - Hide server side windows by minimizing them (default)
    2 - Hide server side windows by moving them to the right-bottom corner
        outside of the screen.

[RDP/IGEL RDP Client 2]
- Improved COM Port Mapping: fixed waiting for event character.
- Fixed connection issues with installed root CA certificate and a gateway
  connection-broker. The obsolete certificate acknowledge dialog for
  connections redirected from a trusted connection-broker is skipped now
  (RDP-8 compliance).
- Fixed RDP client screen update issues for desktop sessions and improved the
  screen update performance.
- Fixed printer mapping: a mapped printer is set as default printer inside the
  session if and only if it is the default printer on the thin client. Before
  this fix the first mapped printer was set as default printer.

[RD Web Access]
- Fixed RD web access sessions not recognizing smartcards.
- Fixed resize of Excel columns when published via RD web access.

[VMware Horizon]
- Fixed input language synchronization of PCoIP sessions.

[Network]
- Improved adoption of hostname from DHCP lease.

[WiFi]
- Improved WiFi connection establishment with Broadcom chips.

[genucard VPN]
- Fixed running into a too short timeout during rekeying and displaying an
  incorrect message about the rekeying result.
- Added German translation for WiFi power error message and disabled the
  message getting shown when no WiFi scan is in progress.
- Reactivated the internet disconnect button when a VPN connection is
  established.
- Set the minimum size of the WiFi connection dropdown to two elements.
- Fixed an issue with too short connection timeouts. This mostly occurred when
  establishing a WiFi connection.

[Smartcard]
- Added the following parameter to keep smart cards powered on after
  insertion. This might help in cases where powering on the card after a power
  off fails.
  * scard.pcscd.poweron (default: disabled)
- Fixed Active Directory log on with smart card: in some cases the sporadic
  error message "Unknown smart card." appeared.

[Base system]
- Fixed buddy update server functionality of devices with little free space on
  the local storage (e.g. Flash-Card or SSD smaller than 2GB). If the new
  parameter update.ftpd.provide_deactivated_services is disabled, the buddy
  update server won't provide deactivated features. (default: enabled)
- Fixed kernel security issue CVE-2017-1000364.

[Driver]
- 3DConnexion SpaceMouse Wireless is now also usable while connected via USB
  for charging.

[X11 system]
- Fixed Spice desktop not being displayed on VIA based hardware.
- Added the following parameter to force an X server reconfiguration:
  * x.xserver0.force_reconfig (default: false)
- Fixed X server crashes on VIA based hardware.
- Fixed x11vnc lags and freezes on VIA based hardware.
- Fixed VIA driver for VX900 based devices. The IGEL devices UD2 30/31 (D210),
  IZ2 30/31 (D210) and UD3 30/31 (M310) automatically use the VIA fallback
  driver since the new driver does not support these devices reliably enough
  at the moment. To disable the automatic fallback feature, disable registry
  key x.drivers.via.fallback_vx855_auto_use (default: enabled).

[Windowmanager]
- Fixed high memory consumption of taskbar when an image background is set.

[Audio]
- Fixed sound output over DisplayPort in IGEL UD devices.
- Fixed audio jack detection in IGEL UD2 (D220).
- Fixed input and output recognizing for Sennheiser USB headsets.

[TC Setup (Java)]
- Fixed an issue where the Linux 10 upgrade file couldn't be selected via
  local file browser within TC Setup in certain situations.

[Remote Management]
- Fixed issue with Secure Shadowing by applying the JCE Unlimited Strength
  Jurisdiction Policy files and thus enabling higher strength encryption than
  the Oracle JRE uses by default.
- Security fix for Secure Shadowing: do not accept weak SSL ciphers anymore.
  As the RC4 cipher is not accepted anymore, this change fixes Bar Mitzvah
  attacks (CVE-2015-2808).
  Due to the higher security demands Secure Shadowing with Java 6 based UMS
  version 4.07.100 and 4.08.100 is not supported anymore. Secure Shadowing is
  supported with UMS 5 and UMS 4.09.100.
  Only accept encryption ciphers with more than 128bit key length (disables
  AES128).
- Added the following parameters to configure minimal allowed ssh cipher
  security:
  * network.ssh_client.minimal_encryption_level
    Possible range 128bit, 192bit or 256bit (default: 128bit)
  * network.ssh_server.minimal_encryption_level
    Possible range 128bit, 192bit or 256bit (default: 128bit)
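
Added example, not IGEL code and not part of the original release notes: a
shell check that lists which entries of an OpenSSH cipher list fall below one
of the minimal_encryption_level values named above (128bit, 192bit, 256bit).
The cipher list is constructed sample data, and the name-to-key-length mapping
(including counting RC4 and other legacy ciphers as failing every level) is an
assumption of this example; these notes do not describe how the firmware
applies the setting.

```shell
#!/bin/sh
# Added example (not IGEL code). Constructed sample: a comma-separated cipher
# list in the form used by the OpenSSH "Ciphers" option.
SAMPLE="chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,3des-cbc"

# cipher_bits NAME: print the key length in bits for an OpenSSH cipher name.
# Assumption of this example: RC4 (arcfour*), 3DES, Blowfish, CAST and any
# unknown name count as 0 so that they fail every level.
cipher_bits() {
    case "$1" in
        arcfour*|3des-cbc|blowfish-cbc|cast128-cbc) echo 0 ;;
        aes128-*) echo 128 ;;
        aes192-*) echo 192 ;;
        aes256-*|chacha20-poly1305@openssh.com) echo 256 ;;
        *) echo 0 ;;
    esac
}

# below_level LEVEL LIST: print, space-separated, the ciphers in LIST whose
# key length is below LEVEL (written as on this page: 128bit, 192bit, 256bit).
below_level() {
    min=${1%bit}
    out=""
    old_ifs=$IFS
    IFS=,
    for c in $2; do
        bits=$(cipher_bits "$c")
        if [ "$bits" -lt "$min" ]; then
            out="$out${out:+ }$c"
        fi
    done
    IFS=$old_ifs
    echo "$out"
}

# Report, for each level, which ciphers in the sample list would be too weak.
for level in 128bit 192bit 256bit; do
    echo "below $level: $(below_level "$level" "$SAMPLE")"
done
```

To audit a real host, pass the cipher list from its SSH configuration in
place of SAMPLE; an empty result means every listed cipher meets the level.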