McAfee Gateway Appliance Patch 7.0.4

Author: Francis Watkins
Release Notes

McAfee® Email Gateway Appliance Patch 7.0.4

Contents
About this release
New features
Resolved issues
Installation - incremental package
Installation - full images
Known issues
Find product documentation

About this release

This document contains important information about the current release. We strongly recommend that you read the entire document.

Release build - MEG-7.0.4-2795.100 (built: 2013-11-05)

Purpose
This release adds new features and fixes problems that were reported in previous releases.
New features (total: 3, new: 0)
Vulnerabilities (total: 9, new: 7)
Medium severity issues (total: 12, new: 1)
Low severity issues (total: 52, new: 44)

Rating
High Priority — McAfee rates this release as a high priority for all environments to avoid a potential business impact. This update should be applied as soon as possible. For more information about ratings, refer to McAfee KnowledgeBase article KB51560.

Packaging
This release is available in the form of:
an incremental update package
a set of installable images

New features

This release includes these new features.

Add a configuration file option to generate audit copies only for emails that were delivered and not for those that were blocked. (Reference: KB56323. Supersedes: 7.0h894243, 7.0h903899.)

The option for enforcing TLS based on the sender domain (see KB76588) can now be overridden with a higher priority IP based rule which allows plain text SMTP conversations. (Reference: KB78090. Supersedes: 7.0h873230, 7.0h878182, 7.0h882667, 7.0h894243, 7.0h903899.)

Add an option for the Sender Policy Framework (SPF) check to reject email from any domain which does not exist (authoritative NXDOMAIN DNS response from the parent domain). (Reference: KB78097. Supersedes: 7.0h878182, 7.0h882667, 7.0h894243, 7.0h903899.)

For details, see the online help within the appliance user interface.

Resolved issues

Vulnerability

Address a possible remote command injection vulnerability by correctly sanitizing the parameters of one of the remote procedure calls used by the user interface to control the appliance. (Medium severity. Reference: KB79280.)

Update the BIND package used on the appliance to address vulnerabilities CVE-2013-2266, CVE-2013-4854. (Medium severity. Reference: KB77954, KB78979. Supersedes: 7.0h903899.)

Update the Oracle Outside In library used on the appliance to address vulnerabilities CVE-2013-2393, CVE-2013-3776, CVE-2013-3781. (Medium severity. Reference: KB78509, KB79090. Supersedes: 7.0h903899.)

Vulnerability CVE-2012-4929 has been identified in SSL/TLS secure communication protocols if compression is used. Update the openssl package to disable compression. (Low severity. Reference: KB77915.)

Disallow HTTP OPTIONS verb and suppress file and line information in error messages to prevent possible information disclosure. (Low severity. Reference: KB79119.)

Update the libcurl package on the appliance to address vulnerability CVE-2013-1944. (Low severity. Reference: KB79319.)

Update the keepalived package on the appliance to address a signal handling vulnerability which could allow a local user to elevate privileges. (Low severity. Reference: KB78658.)

Update the appliance Linux kernel to address CVE-1999-0524. (Low severity. Reference: KB78229.)

Correct parameter sanitization for remote procedure calls loading strings in the user interface, to address a cross-site scripting vulnerability. (Low severity. Reference: KB78444.)

Operating system

Update ssh session management to ensure that processes spawned by an ssh session are killed when the ssh connection closes, to prevent them being left running and consuming system resources. (Medium severity. Reference: KB78358. Supersedes: 7.0h894243, 7.0h903899.)

Correct a fault in the appliance kernel which would cause a reboot after about 208 days of uptime. (Low severity. Reference: KB77265.)

Update the kernel igb driver to the latest release, to address a problem causing the network interfaces on some appliances to lock up occasionally. (Low severity. Reference: KB77838.)

Amend the Minimum Escalation Report (MER) generation script to handle configurations including very long lists. Previously lists, such as email permitted recipients, with very many entries could cause MER generation to fail. (Low severity. Reference: KB77910.)

Correct a problem in setting passwords for the McAfee Agent which caused AV updates to fail after rebooting the appliance, in cases where a proxy server requiring a password was used for updates. (Low severity. Reference: KB77849.)

Update the appliance configuration to disable Secure Socket Layer version 2 as it is insecure. (Low severity. Reference: KB79384.)

Networking

Update the SMTP proxy to prevent excessive CPU usage when GTI feedback is enabled. (Low severity. Reference: KB78394.)

The appliance can be configured to use McAfee Global Threat Intelligence (GTI) for message reputation and feedback, and to use a proxy for HTTPS traffic. GTI connects using the HTTPS port (443) but is blocked by some HTTPS proxies. A new configuration file setting has been added which, by default, disables use of proxy to connect to GTI since that may not work. (Low severity. Reference: KB78732. Supersedes: 7.0h894243, 7.0h903899.)

Email

Amend SMTP conversation logging to eliminate proxy failures when handling some emails with logging enabled. (Medium severity. Reference: KB78823. Supersedes: 7.0h894243, 7.0h903899.)

The DomainKeys Identified Mail (DKIM) RFC 6376 provides for signature checking to be limited to an initial length of the email body, allowing a zero body length limit where the body is completely unsigned. Update the appliance DKIM verification to handle such an unsigned body correctly. (Medium severity. Reference: KB78063. Supersedes: 7.0h878182, 7.0h882667, 7.0h894243, 7.0h903899.)

Improve group handling in the SMTP proxy, to address a performance problem when the configuration includes very long lists. (Medium severity. Reference: KB78023. Supersedes: 7.0h873230, 7.0h878182, 7.0h882667, 7.0h894243, 7.0h903899.)

Added a configuration file option, enabled by default, to suppress forwarding SMTP client EHLO commands in transparent mode if the onward server does not support Transport Layer Security (TLS). Some servers which do not support TLS will return a permanent error response to such EHLO commands. (Low severity. Reference: KB79126.)

Correct a problem that caused segmentation fault in the SMTP proxy if 'Remove any Received-From headers to obscure network information' and address masquerading were both enabled. (Low severity. Reference: KB79130.)

Improve the TLS certificate processing speed on the appliance to avoid gateway timeout errors in the user interface on applying changes after importing large TLS lists. (Low severity. Reference: KB78103.)

Compliance filtering on the appliance ignores words contained within HTML tags. Update the content type identification to ensure that HTML is consistently identified as such, to prevent false compliance detections. (Low severity. Reference: KB77912.)

Correct the appliance certificate generation to address a certificate chain error causing failures of incoming SMTP over TLS connections. (Low severity. Reference: KB78163.)

Fix an issue where imported certificate and key files that did not end with a blank line would cause the generation of certificate chains to fail. (Low severity. Reference: KB78132.)

The appliance offers a Secure Web Mail facility for users to read and reply to email. Amend the reply email 'From:' header to contain the user's address, rather than the appliance postmaster. (Low severity. Reference: KB78267.)

Email address masquerading allows the domain names in email headers to be changed selectively, and normally operates on the domain part of mailbox@domain email addresses. Add a configuration file option to specify headers for which bare domain names, without a mailbox part, will also be masqueraded. (Low severity. Reference: KB78953.)

Correct an error where a timeout during TLS negotiation could cause a mail to be rejected by the appliance with a 5xy error code causing a mail bounce. (Low severity. Reference: KB79366.)
Correct an error where the Sender Policy Framework (SPF) library could return an NXDOMAIN (non-existent status) for a valid domain when the SPF record for the domain has entries that are non-existent and if SPF_FailOnNXDomain / PRA_FailOnNXDomain is enabled in the SMTP configuration. (Low severity. Reference: KB79079.)

Amend the POP3 proxy to handle a UIDL command with the optional message number specified, which produces only a single line response. Previously the proxy would wait for a multi-line list response (as for a UIDL with no message parameter) and time out. (Low severity. Reference: KB79258.)

Update the Sender Policy Framework (SPF) library on the appliance to respect the processing limit for DNS lookups per SPF check specified in RFC 4408. (Low severity. Reference: KB79502.)

Correct a fault which prevented message search displaying emails which were blocked, if one of the secondary actions was also “Deliver message using encryption” and if none of the encryption methods (S/MIME, PGP or SWM) was chosen. (Low severity. Reference: KB78261. Supersedes: 7.0h894243, 7.0h903899.)

The appliance can send bounce messages (also known as Non-Delivery Reports or NDRs) to the sender of undeliverable email. Provide an option to make the bounce message format conform to RFC 3464, for better compatibility with other email software. (Low severity. Reference: KB77957. Supersedes: 7.0h873230, 7.0h878182, 7.0h882667, 7.0h894243, 7.0h903899.)

Content scanning

The appliance offers content scanning into the text of certain file types by means of a third party plugin. Update this plugin to resolve issues which caused the SMTP proxy to consume system resources to excess when particular attachment files were scanned. (Medium severity. Reference: KB78816. Supersedes: 7.0h894243, 7.0h903899.)

Update the message decomposition plugin to correct a filename filtering failure with the offending file in a zip attached to an email attached to another email. (Low severity. Reference: KB78431.)

Update the anti-spam engine and appliance code to stop the SMTP proxy hanging in an infinite loop when processing certain emails. (Low severity. Reference: KB79117.)

Update content filtering to detect executable binary files attached to email as plain text by the sending email client. (Low severity. Reference: KB79485.)

The appliance offers content scanning into the text of certain file types by means of a third party plugin. Update this plugin to resolve issues which caused the SMTP proxy to fail with a segmentation violation when particular attachment files were scanned. (Low severity. Reference: KB78123, KB78666, KB78687, KB79050, KB79051, KB79069, KB79257, KB79546, KB79549, KB79550. Supersedes: 7.0h894243, 7.0h903899.)

The appliance offers content scanning into the text of certain file types by means of a third party plugin. Update this plugin to address false detections when particular emails were scanned. (Low severity. Reference: KB79545, KB79548.)

User interface

The appliance 'Email Senders and Recipients' user interface offers a facility to import a list of users into a group. Correct a fault which prevented such a change being saved unless other changes were made at the same time. (Medium severity. Reference: KB78210. Supersedes: 7.0h894243, 7.0h903899.)
Prevent the virtual host IP addresses on remote appliances from being overwritten by configuration push when managing multiple appliances with logical virtual hosting enabled. (Medium severity. Reference: KB78302. Supersedes: 7.0h882667, 7.0h894243, 7.0h903899.)

Update the user interface to address an issue in Internet Explorer 8 compatibility mode, which caused the 'Policy Rules' option to be absent from the 'Rule Type' menu when adding a rule to a policy. (Low severity. Reference: KB77840.)

Password management policies can be configured using the appliance user interface. Correct a fault which caused the admin password to be reset when configuration was pushed or restored if password expiry had been configured. (Low severity. Reference: KB77531.)

Correct a fault in the user interface for secure web mail client user accounts which, when the list extended to more than one page, caused deleting a user on a later page to delete the corresponding entry on the first page. (Low severity. Reference: KB78386.)

When modifying inherited file filtering rules, create a copy to modify, breaking the inheritance so that the parent policy is not affected. (Low severity. Reference: KB79114.)

The appliance administrator can create additional user interface accounts with custom roles. Amend the replication process so that such added users can log in on the failover device of a blade or cluster system. (Low severity. Reference: KB77886.)

Amend some inaccurately translated text strings in the user interface. (Low severity. Reference: KB77989, KB78401, KB78541.)

Correct the user interface for configuration push so that it works for appliances listed on the second and subsequent pages of the display (which shows 10 per page). (Low severity. Reference: KB79320.)

Correct a fault which could cause UTF-8 encoding errors in the ui_settings.xml file with resulting error messages in the user interface status window. (Low severity. Reference: KB79158.)

Update the configuration system to eliminate spurious policy configuration nodes that interfered with the correct inheritance of routing settings. (Low severity. Reference: KB79476.)

Update the configuration push mechanism to preserve the host and domain names on the secondary appliance. The only attribute that will be modified during the configuration push is the virtual host id. (Low severity. Reference: KB78862. Supersedes: 7.0h894243, 7.0h903899.)

Correct a conversion error which caused MER and Network tests to fail with MQM off-box quarantine enabled and default proxy settings configured. (Low severity. Reference: KB78858. Supersedes: 7.0h894243, 7.0h903899.)

Correct a user interface issue where, following upgrade from version 5.6, deleting one policy would cause other policies to be deleted. (Low severity. Reference: KB77941. Supersedes: 7.0h878182, 7.0h882667, 7.0h894243, 7.0h903899.)

Configuration

Correct a problem where audit emails could get stuck in the appliance's deferred queue with a "442 Unable to determine IP address for delivery" error if the scan result of the original email resulted in an encrypted delivery and an off-box encryption server was configured. (Medium severity. Reference: KB79029. Supersedes: 7.0h903899.)

Correct a fault which caused the same relay to be used for delivery to multiple recipients of an email when the policies for some recipients specified a different relay from the others. (Medium severity. Reference: KB78735. Supersedes: 7.0h894243, 7.0h903899.)

Disable the 'Add Policy' button in the user interface while the policy list is loading. When there is a large number of policies the list can take some time to load, and it was possible to corrupt the policy list by attempting to add to it before it was completely loaded. (Low severity. Reference: KB78161.)

Correct a fault in the user interface for editing policy groups which, when the list extended to more than one page, caused selecting an entry on a later page to edit the corresponding position on the first page. (Low severity. Reference: KB78131.)

Reporting

Apply a locking mechanism to log rotations to prevent corruption of the saved log files when two rotation operations were scheduled to run at the same time. (Low severity. Reference: KB77675.)

The appliance has the facility to send syslog files off-box, to another syslog server. Update the appliance syslog configuration to use separate queues for off-box servers, to prevent an unresponsive off-box server blocking syslog entirely. (Low severity. Reference: KB77980.)

Update the SMTP proxy to always log the email subject in the reports database, correcting the case where this was not done if the email had an attachment. (Low severity. Reference: KB78299.)

Improve the efficiency of database queries for email report filtering, to address a problem with queries on a large database taking so long as to cause a user interface gateway timeout. (Low severity. Reference: KB79292.)

Correct an error where incorrect numbers of attachments were being reported while processing HTML based or signed emails. (Low severity. Reference: KB79536, KB79538.)

The appliance can generate notification emails which may include alert data substitution tokens. Correct a fault which caused HTML escape sequences to appear in the subject of such emails, rather than the correct plain text characters. (Low severity. Reference: KB78734. Supersedes: 7.0h894243, 7.0h903899.)

Issues resolved in previous releases

For information on issues resolved in earlier releases not included above, consult their release notes:
Patch 7.0.1 (see KnowledgeBase article KB74045)
Patch 7.0.2 (see KnowledgeBase article KB75327)
Patch 7.0.3 (see KnowledgeBase article KB76745)
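The zero body length case in the DKIM item above (KB78063), as an added example that is not McAfee's code: a body-hash check using RFC 6376 canonicalization and the l= tag, reporting how much of the body the signature leaves uncovered. The signature value is constructed, its b= field is a placeholder that is not verified, and the function names are illustrative.

```python
import base64
import hashlib
import re


def canon_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: trailing empty lines collapse to exactly one CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"


def canon_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: squeeze whitespace runs, drop line-end whitespace and
    trailing empty lines; an empty body stays empty."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def parse_tags(sig_value: str) -> dict:
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def check_body(sig_value: str, body: bytes) -> dict:
    """Check the body hash (bh=) only; the b= signature is not verified here."""
    tags = parse_tags(sig_value)
    # c= is "header/body"; when the body part is absent it defaults to simple.
    body_canon = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]
    data = canon_relaxed(body) if body_canon == "relaxed" else canon_simple(body)
    limit = int(tags["l"]) if "l" in tags else len(data)
    if limit > len(data):
        # l= must not exceed the canonicalized body length.
        return {"bh_ok": False, "signed_bytes": 0, "unsigned_bytes": len(data)}
    algo = hashlib.sha1 if tags.get("a", "").endswith("sha1") else hashlib.sha256
    digest = base64.b64encode(algo(data[:limit]).digest()).decode()
    return {
        "bh_ok": digest == tags.get("bh"),
        "signed_bytes": limit,
        "unsigned_bytes": len(data) - limit,  # body content the signature does not cover
    }


# Constructed sample: l=0 with the SHA-256 digest of zero octets; b= is a placeholder.
SIG_L0 = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
    "h=from:subject; l=0; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=; b=PLACEHOLDER"
)

if __name__ == "__main__":
    for body in (b"Original text\r\n", b"Completely different text\r\n"):
        print(check_body(SIG_L0, body))
```

With l=0 the body hash matches for any body, so a passing result says nothing about the body content; the unsigned_bytes count is the figure to act on in policy.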
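For the SPF DNS lookup limit item above (KB79502), an added example (not McAfee's code) that audits a published SPF record against the RFC 4408 section 10.1 limit of 10 DNS-querying mechanisms and modifiers per check. The domains and records are constructed stand-ins for DNS TXT answers, the function names are illustrative, and the count is a worst case over every include and redirect branch.

```python
import re

LOOKUP_LIMIT = 10  # RFC 4408 section 10.1
DNS_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?")

# Constructed sample data standing in for DNS TXT answers (domain -> SPF record).
RECORDS = {
    "example.com": "v=spf1 mx a include:_spf.mail.example include:_spf.crm.example -all",
    "_spf.mail.example": "v=spf1 include:_a.mail.example include:_b.mail.example ip4:192.0.2.0/24 ~all",
    "_a.mail.example": "v=spf1 a mx exists:%{i}.allow.mail.example ~all",
    "_b.mail.example": "v=spf1 a:out.mail.example mx ~all",
    "_spf.crm.example": "v=spf1 a mx ptr ~all",
    "small.example": "v=spf1 ip4:198.51.100.7 mx include:_b.mail.example -all",
    "loop.example": "v=spf1 include:loop.example -all",
}


def count_lookups(domain, records, _stack=()):
    """Worst-case number of DNS-querying terms reachable from `domain`.

    A live evaluation stops at the first matching mechanism, so it may use
    fewer lookups for a given sender IP; this audit counts every branch.
    """
    if domain in _stack:
        raise ValueError(f"include/redirect loop at {domain}")
    if domain not in records:
        raise LookupError(f"no SPF record for {domain}")
    total = 0
    for term in records[domain].lower().split()[1:]:
        match = TERM_RE.match(term)
        if not match or match.group(1) not in DNS_TERMS:
            continue  # all, ip4, ip6 and exp do not count against the limit
        total += 1
        if match.group(1) in ("include", "redirect") and match.group(2):
            total += count_lookups(match.group(2), records, _stack + (domain,))
    return total


def audit(domain, records):
    """Return (verdict, detail): detail is the lookup count or an error text."""
    if domain not in records:
        return ("none", 0)
    try:
        lookups = count_lookups(domain, records)
    except (LookupError, ValueError) as exc:
        # A missing include/redirect target or a loop is a permanent error.
        return ("permerror", str(exc))
    return ("permerror" if lookups > LOOKUP_LIMIT else "ok", lookups)


if __name__ == "__main__":
    for name in ("example.com", "small.example", "loop.example"):
        print(name, audit(name, RECORDS))
```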

Installation - incremental package

The incremental update package may be installed on a running appliance with the least possible disruption of service. In due course this package, or one superseding it, will be made available for download and install with the appliance auto-update system. For information on using auto-update refer to KnowledgeBase article KB74923.

Installation requirements
You must have the following McAfee Email Gateway software installed on the appliance you intend to update with this package:
Version 7.0
Patch 7.0.1
Patch 7.0.2
Patch 7.0.3

Superseded releases
The incremental package incorporates and supersedes the following earlier releases:
Hotfix 7.0h873230
Hotfix 7.0h878182
Hotfix 7.0h882667
Hotfix 7.0h894243
Hotfix 7.0h903899

Actions on installation
At the end of the installation process the following actions will occur automatically:
The user interface will log off.
The appliance will reboot.

Task
To install this package:
1. Create a temporary directory on a computer on your network which can access your McAfee Email Gateway appliance.
2. Download the MEG-7.0.4-2795.100.zip file, and save it to the temporary directory.
3. Open your internet browser, and log on to the McAfee Email Gateway appliance.
   If installing on a Content Security Blade Server, go first to the Failover Management blade to do the following steps, then repeat them on the Management blade (the content scanning blades will be updated automatically).
   If installing on an appliance cluster the steps must be done on all the appliances in the cluster, starting with the Failover Management appliance, then the Management appliance, then the remainder.
   If installing on an appliance managed by ePolicy Orchestrator, follow the procedure in KnowledgeBase article KB79376.
4. On the navigation bar, select System | Component Management | Package Installer.
5. Under Manual Package Install, click Update from file.
6. In the Import package window, click Browse, find the location of the file "MEG-7.0.4-2795.100.zip", click Open, and then click OK. A window displays the package description.
7. Click OK to install the package. Upon completion of the installation the actions noted above will be performed automatically.
8. Clear the browser cache.
9. Log on to the McAfee Email Gateway appliance, then click About the appliance to check that "7.0.4-2795.100" is displayed.

Installation - full images

Installable images are available for the various types of appliance. For information on installing these images refer to KnowledgeBase article KB71956.

When using this method to upgrade an existing appliance, there may be an option to install software while retaining the existing operational data (option "c", "d", or "e" on the install menu). This option is available where one of the following compatible versions is already installed:
This release or any superseded releases, but not any later release other than hotfixes
Version 5.6 with 5.6p1 or later releases

Superseded releases
The installable images incorporate and supersede the following earlier releases:
Version 7.0
Patch 7.0.1
Hotfix 7.0h753669
Hotfix 7.0h758342
Hotfix 7.0h759601
Hotfix 7.0h764779
Hotfix 7.0h778488
Hotfix 7.0h788861
Hotfix 7.0h793047
Patch 7.0.2
Hotfix 7.0h806047
Hotfix 7.0h812250
Hotfix 7.0h818949
Hotfix 7.0h820052
Patch 7.0.3
Hotfix 7.0h873230
Hotfix 7.0h878182
Hotfix 7.0h882667
Hotfix 7.0h894243
Hotfix 7.0h903899

Known issues

For a list of known issues in this release, refer to McAfee KnowledgeBase article KB77694.

Find product documentation

McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

Task
1. Go to the McAfee Technical Support ServicePortal at https://mysupport.mcafee.com.
2. Under Self Service, access the type of information you need:

To access User documentation, do this:
   1. Click Product Documentation.
   2. Select a product, then select a version.
   3. Select a product document.

To access KnowledgeBase, do this:
   Click Search the KnowledgeBase for answers to your product questions.
   Click Browse the KnowledgeBase for articles listed by product and version.

Copyright © 2013 McAfee, Inc. Do not copy without permission. McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.