• Fix disclosed security issue. (see here for more information)

• Improve GeoIP DB updates.
• Update CA certificates bundle.

Bugfixes

• Fix issues caused by the DST Root CA X3 certificate expiration. (Update CA certificates bundle)
• Fix DNS server and gateway IP assignment for the DHCP server in the local web UI.

Additional information

Reminder: the local UI is only to be used when the network changes sever connectivity between USG and the Network Application instance managing it. Once connectivity from USG to its Network Application is restored, you must force provision USG. All configuration must be done in the Network Application, the local web UI is only for purposes of establishing or re-establishing connectivity to it.

• Update dnsmasq to v2.84. Patches vulnerabilities in CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686 and CVE-2020-25687. Of these, only the ones related to DNS cache poisoning possibilities are relevant to controller-generated configurations (25684 through 25686).
• Patch for crash in miniupnpd.
• Missing packages added to GPL source archive.

Additional information

dnsmasq deprecated the crypto library currently used by USG for DNSSEC purposes. This does not impact any controller-generated configuration, and is all but unused on USG in general, but if you have DNSSEC enabled in config.gateway.json, you will need to remove that and force provision USG.

• Fixed certificate issue preventing users from seeing information about blocked or detected threats.
• IPsec - Security updates for strongswan. (CVE-2015-3991, CVE-2015-4171, CVE-2017-9022, CVE-2017-9023, CVE-2017-11185, CVE-2018-10811)

The PPPoE client security update fixes a vulnerability that allows an attacker on the same broadcast domain as your WAN to crash the pppd process, and may allow code execution on the system. Attempts at code execution are extremely unlikely to succeed from what is currently known, particularly since many attempts are likely to be required, and each attempt will crash pppd leaving you disconnected from the Internet until rebooting USG. The same broadcast domain requirement means compromising your DSL modem or ISP's equipment is required to even attempt to do so. It is not exploitable from the Internet, nor from internal networks. While the immediate risk is minimal, we recommend all PPPoE users upgrade as soon as practical, in case a reliable code execution exploit is developed and ISPs and/or DSL modems start getting compromised to exploit it.

Bugfixes

• Properly handle RADIUS server user passwords containing quotes and backslashes.
• Update PPPoE client with CVE-2020-8597 security patch.

The changes listed here are those since v4.4.44, the last stable release.

New features

• Adds firmware support for netconsole configuration provisioned by controller (using config under Settings, Site). Supported in controller versions >= 5.12.2. 

Improvements

• If IDS/IPS signature update fails for any reason, an alert is sent to the controller including information about the problem. Other general improvements to signature update process.
• Limit permitted SSH MAC algorithms to OpenSSH’s most recent defaults, disabling some older options. This will break compatibility with some very outdated SSH clients, but such clients likely have bigger problems than limited supported MAC algorithms and should no longer be used in any case.
• Switch speed test to speed.ui.com
• Support latest hardware revision of USG3.
• Changed certificate generation parameters for USG's local web UI so it creates and maintains certificates in accordance with the new requirements in macOS Catalina and iOS 13. On the first bootup using this version, it will create a new certificate.

Bugfixes

• Fix GeoIP signature updates. Updated URL used so they work in general, and fixed bugs in the script that would make updates fail in some edge cases.
• Fix crash in guest redirector service where a host header is missing in the request.
• Do not make unifi resolve to 127.0.0.1 when USG goes into self-run. Fixes problems where USG itself, and/or other UniFi devices behind USG, end up stuck in disconnected state in certain configurations.
• IDS/IPS signature updates triggered during bootup are delayed until Internet connectivity is established. This fixes cases where people were seeing signature updates during the post-upgrade reboot not working until the next scheduled update a few hours later.
• Change DDNS client configuration format to ensure credentials and hostname are used only with the associated provider. Previously where more than one provider was configured on a specific WAN, and one of those had a custom server defined, if a provider server returned an error code the client would retry using the other DDNS provider’s credentials and hostname. This is because of a quirk in ddclient which treats configuration options defined on their own line as global options for the interface rather than being specific to a particular hostname. 

• Add compatibility check support for some newly-manufactured USG Pro systems so they upgrade successfully.
• Kernel security updates for NFLX-2019-001 TCP-based remote denial of service vulnerabilities. Note these are relevant to the source and/or destination of TCP connections, not intermediate network devices like the typical role of USG.
• Upgrade OpenSSL to 1.0.1t-1+deb8u11. Fixes CVE-2019-1559 security vulnerability.
• Fix potential authorization bypass vulnerabilities in strongSwan (CVE-2018-16151, CVE-2018-16152, CVE-2018-17540).