ID: 136
Name: TCPIP_Updates_752
Version: 1.15
Dependences: 131, 130
Description: Version 1.0@@@Added APIs to allow users to limit the amount of heap the TCP/IP stack is allowed to allocate. Set the default limit to be half the heap. (Case 40091)@@@Version 1.01@@@Added static IPv6 gateway (Case 40603, 40112)@@@Allow DNS servers received in DHCPv6. Deprecated DNSAddServer (Case 41347, 41248, 41349)@@@Fixed a crash when passing a long hex string to getaddrinfo() or xbsGetAddr() (Case 41637)@@@Version 1.02@@@Added API to enable routing ICMP replies@@@Version 1.03@@@Report correct Ethernet link speed in SNMP ifSpeed (Case 41612) Requires SNMP fix v1.05.@@@Version 1.04@@@In the IAM loop, wait for tfCheckOpenInterface to complete only while it returns TM_EINPROGRESS; otherwise, with a different error, we loop forever. (NETOS-3) Required by BSP fix v1.05.@@@Version 1.05@@@Reduced and cleaner dialog. Still issues with reset on Connect ME. (NPI-51)@@@Remove ANY Encryption type for WPA Enterprise 802.1X. Reduced the IAM spew when receiving an IP address. (NPI-51)@@@Fixed a bug in DHCP INFORM where DHCP INFORM ack is not handled. (NETOS-46)@@@Commented out TM_6_DEBUG_DHCP to disable logging to a file. (NETOS-44)@@@Removed Country Code, 802.11 options, Wireless Network type, and channel from the NET+OS Project. Updated HTML and Pbuilder hooks to move the mixed mode encryption under the WPA-PSK authentication mechanism. (NETOS-29, NETOS-35, NETOS-36)@@@Fixed an apparent memory loss problem, caused by incorrect accounting of treck_current_memory_usage, which was losing 4 bytes on every actual free().@@@Moved it to tfKernelMalloc and tfKernelFree to be both on the same level and account for every actual malloc() and free() by Treck, using 4 extra bytes of memory. (NETOS-39)@@@Updated Copyright for 2013. (NETOS-52, NPI-51)@@@Updated to include setting the dhcpParams.isEnabled when updating the staticParams.isEnabled setting. 
(NETOS-54, NPI-51)@@@Version 1.06@@@Set default renew time and rebinding time to be 3600 seconds and 7200 seconds respectively if the renew time and/or rebinding time are 0 in replied option information from the DHCPv6 server. (NETOS-89)@@@Version 1.07@@@Four new APIs are added to provide options to change the TM_IP_REASSEMBLY behavior. The Treck stack is currently configured to handle one 8k ping reassembly at a time. With the Redpine 3.2.12 release, the Wi-Fi driver passes aggregated frames to the Treck stack aggressively, resulting in the Treck stack dropping frames that exceed the maximum number of IP datagrams waiting to be reassembled (currently 5). With these four new APIs, the user can increase the maximum size of an IP datagram waiting to be reassembled, the maximum number of IP datagrams waiting to be reassembled, the maximum number of IP datagrams that we will track that are too big to be reassembled, and the fragment reassembly timeout (the time to live, in seconds, for fragments waiting in the reassembly queue). Requires BSP V1.10.@@@Version 1.08@@@The descriptions in the interfaces MIB were switched. This was caused by the SNMP virtual table init function accessing the device list directly instead of by index. Changed the way the device list is accessed in naSnmpinitVertualInterfaceTable(). Refactored the name of the loopback interface from LOOPBACK to lo. (NETOS-198) Requires SNMP fix v1.09@@@Version 1.09@@@Malformed DNS responses could provoke crashes and unexpected behaviour. This fix prevents these errors by checking the sizes of the queries and RRs in the response. (NETOS-231)@@@Version 1.10@@@Fixed TCP hangups during SYN flood attacks (NETOS-256)@@@Version 1.11@@@Security Fixes@@@Researchers from JSOF (www.jsof-tech.com) have found vulnerabilities within the Treck TCPIP, IPv4, IPv6, DHCP, DHCPv6 and DNS products.@@@Digi products have integrated parts of the products above. 
In reviewing Digi products with these vulnerabilities, we have rated and consider the vulnerabilities a high-level risk.@@@We recommend that customers immediately review and deploy the latest firmware associated with this release note to protect their devices.@@@At the time of release of this firmware, there is no known in-the-wild exploit of these vulnerabilities.@@@Digi's internal scoring of the vulnerabilities is a CVSSv3.0 Score of 7.4.@@@We have broken down the attack vector in a CVSS v3.0 attack profile.@@@The profile is listed below.@@@Attack Vector - Network@@@Attack Complexity - High@@@Privileges Required - None@@@User Interaction - None@@@Scope - Unchanged@@@Confidentiality - High@@@Integrity - High@@@Availability - High@@@Digi will be coordinating a public disclosure of the vulnerabilities with JSOF that is tentatively set for May 14th, 2020. We are also working with the CERT Coordination Center and have been assigned VU 257161 pertaining to these issues.@@@Digi will also be publishing continued updates on this information on the security alerts page at www.digi.com@@@Many thanks to the researchers Moshe Kol and Shlomi Oberman of JSOF for reporting these vulnerabilities. (NPIX-1141)@@@Version 1.12@@@Remove MS SYNC from TRECK Stack to stop security scanners giving a false positive for RIPPLE20 vulnerabilities VU257161 (NETOS-279, NDS-1104)@@@Version 1.13@@@Treck vulnerability fixes for CVE-2020-27336, CVE-2020-27337, CVE-2020-27338 (NETOS-296)@@@Version 1.14@@@IANA option size check fix. (NETOS-317)@@@Version 1.15@@@Treck vulnerability fix for CVE-2020-11901
Minidescription: TCPIP Updates since the release of NET+OS 7.5.2
platformversion: 7.5
Revision: 2
platform: netos
Relevance: CRITICAL
Filename: TCPIP_Updates_752_136.dipk
Date: 11/08/2023
Type: fix
Target: environment
neededfiles: none
rootfs: none
Size: 48984kb
Installedsize: 109075kb
Checksum: 599cecbd0be389f969d3ce65ae79dd65
