Barracuda Spam Firewall Release Notes - Version 6.1.5

Please Read Before Updating

Before installing any firmware version, be sure to make a backup of your configuration and read all release notes that apply to versions more recent than the one currently running on your system.

Note that updating to this release may cause you to lose any patches that have been installed by Barracuda Networks Technical Support onto your system. Please check the version details below to verify that the bug number for your issue is marked as fixed in the version that you are trying to install (or an earlier one) prior to installing.

Do not manually reboot your system at any time during an update, unless otherwise instructed by Barracuda Networks Technical Support. Depending on your current firmware version and other system factors, the update process could take up to 10 minutes. If the process takes longer, please contact Technical Support for further assistance.

Before updating, BE SURE TO TAKE THE BARRACUDA SPAM FIREWALL OFFLINE. This will ensure that the inbound queue is emptied and all messages are scanned before the update process begins. See the BASIC > Administration page for the Offline button.

Updating to Version 6.x

WARNING: After clicking the Apply Now on the ADVANCED > Firmware Update page, the progress bar may appear to time out and the administrator may need to manually return to the login screen after 5 minutes if it doesn't load automatically in the browser.

• When updating from firmware version 5.1.3.004 or later:
  • Make extra sure that you have a recent backup of your configurations, since backups taken from firmware versions earlier than 4.1 will NOT restore properly with version 6.x or later.
  • Once you have updated to version 6.x, Barracuda Networks does not recommend reverting to an older firmware version.
  • The Microsoft IE6 browser is supported ONLY for end-user pages in the web interface, which include the following:
    • QUARANTINE INBOX > Quarantine Inbox
    • PREFERENCES > Whitelist/Blacklist
    • PREFERENCES > Quarantine Settings
    • PREFERENCES > Spam Settings
    • PREFERENCES > Password
• When updating from firmware versions earlier than 5.1.3.004:
  • You must be running firmware version 5.1.3.004 before updating to version 6.x, to ensure that all components are properly updated. If you are running on firmware version 3.x, you may need to make multiple firmware updates before you will be able to update to firmware 6.x.
  • Configuration backups from firmware versions earlier than 4.1 will NOT restore properly with version 6.x.

Firmware Version 6.1

What's New in Version 6.1

• Email Categorization
  • This feature gives administrators an additional way to decide what to do with various types of emails from senders on the Barracuda Reputation Whitelist. These emails are separated into different categories such as Transactional, Corporate and Marketing, each of which can have a different delivery action associated with it.
• Extended Malware Protection (Available on model 600 and higher)
  • An additional layer of deep message scanning is available as Extended Malware Protection leveraging a third-party scanner. This feature is only available with a subscription. Contact your local Barracuda Networks Sales Reseller to purchase this subscription.
• Barracuda Outlook Add-in (Available on some models)
  Note: To run version 6.1.4.001 of the Barracuda Spam Firewall firmware, you must update your Barracuda Outlook Add-in to version 6.1.11 or later (see the USERS > User Features page).

Fixed in Version 6.1

Version 6.1.5.003

Web Interface

• Fix: SSLv3 has been disabled in the Web interface to mitigate CVE-2014-3566 (SSL POODLE). [BNSF-22788]

Mail Processing

• Enhancement: New setting on ADVANCED > Email Protocol page to allow or disallow SSLv2 and SSLv3 for incoming SMTP connections. Setting to Yes provides for greater compatibility with older mail servers. Set to No to mitigate the recently reported SSL POODLE [CVE-2014-3566] issue. [BNSF-22788]
• Fix: Resolved an issue in the encryption module that affected transmission of outbound messages over a TLS connection to some types of mail servers. [BNSF-22782]

Version 6.1.5.001

Mail Processing

• Feature: Added support for Perfect Forward Secrecy in the following two scenarios: [BNSF-21503]
  • When sending SMTP traffic over a TLS connection. To configure SMTP over TLS, see Enable SMTP over TLS/SSL on the ADVANCED > Email Protocol page.
  • When using HTTPS access for the Barracuda Spam Firewall web interface. This requires using properly configured SSL certificates. See the ADVANCED > Secure Administration page to configure certificates.
  • Note: Perfect Forward Secrecy is always on and offered to clients.

Barracuda Appliance Control

• Fix: From the Barracuda Appliance Control interface, clicking on a message in the Message Log properly renders the Message Details popup window and message information. [BNSF-22666]

Version 6.1.4.001:

Mail Processing

• Enhancement: Improved concurrent processing performance of the Barracuda Spam Firewall 900. [BNSF-21877]
• Enhancement: Improved message body scanning. [BNSF-21891]
• Enhancement: Optimized performance of Barracuda Reputation Blocklist resource utilization, update, and lookup. [BNSF-22036]
• Enhancement: Header filters can now be applied to the Received header added by the Barracuda Spam Firewall. [BNSF-22101]
• Enhancement: Improved performance of recipient verification lookup when Local Database is not in use. [BNSF-22185]
• Enhancement: Improved resource utilization for scoring and attachment scanning. [BNSF-22266]
• Enhancement: Valid and Explicit Recipients no longer require the primary email address to be listed twice on the ADVANCED > Explicit Users page (at the global level) or the USERS > Valid Recipients page (at the domain level). [BNSF-22357]
• Enhancement: Improved memory performance with attachment processing. [BNSF-22362]
• Fix: In clustered environments, Per-User Quarantine accounts now support special characters such as apostrophes, for example. [BNSF-16814]
• Fix: Archiving of encrypted messages handles TLS-based connections correctly. [BNSF-21150]
• Fix: Plain text footers are not duplicated if the footer is multi-line. [BNSF-21376]
• Fix: Resolved issue which could prevent statistics and Message Log from updating. [BNSF-21848]
• Fix: Quarantined messages with multi-byte characters in the headers can now be delivered. [BNSF-21964]
• Fix: PTR record analysis now properly handles Trusted Forwarders when a connection is made. [BNSF-22196]
• Fix: Resolved intermittent logging issue which, at times, used disk space on the firmware partition. [BNSF-22201]
• Fix: Now all messages from a whitelisted IP address in a single session are whitelisted. Previously only the first message was whitelisted. [BNSF-22205]
• Fix: Resolved long delay for display of BASIC > Status and ADVANCED > Energize Updates pages when offline updates are used. [BNSF-22258]
• Fix: Improved performance when Energize Updates are applied on a Barracuda Spam Firewall appliance under heavy System Load. [BNSF-22300, BNSF-22398]
• Fix: Outbound quarantine now works on the Barracuda Spam Firewall 100 and 200. [BNSF-22351]

Reporting

• Fix: Email Encryption Details report columns are correctly labeled. [BNSF-22095]

Web Interface

• Enhancement: Password values changed via the Support Tunnel are now masked from Syslog output. [BNSF-22018]
• Enhancement: Added Russian translations to NDR templates. [BNSF-22323]
• Enhancement: Included Icelandic translations for end user pages in the web interface. [BNSF-22358]
• Fix: Resolved case sensitivity issue when domain names are referenced in various settings. [BNSF-21358]
• Fix: Web interface no longer displays "Temporarily Unavailable" if an invalid character set attribute is detected. [BNSF-22180, BNSF-22240]

Backup

• Fix: When restoring a backup to a new Barracuda Spam Firewall, upgraded to the most recent firmware, you are no longer required to do a Reload to prevent an "Invalid Domain" response. [BNSF-20703]
• Fix: Resolved issue which could prevent backup jobs from completing. [BNSF-21915]
• Fix: Backups can now be restored if the web browser is configured for Japanese character sets. [BNSF-22364]

Barracuda Outlook Add-in

• Fix: The Barracuda Spam Firewall now returns error messages when appropriate from the Barracuda Outlook Add-in and Exchange Antivirus Add-in. [BNSF-22220]
• Fix: The Barracuda Outlook Add-in now properly detects the custom HTTPS port. [BNSF-22382]

Security

• Fix: resolved the following vulnerabilities:
• Medium - High severity vulnerability: insufficient authorization [BNSEC-4517 / BNSF-21063]
• Medium - High severity vulnerability: non-persistent XSS, unauthenticated [BNSEC-1251 / BNSF-20597]
• Low severity vulnerability: unauthenticated, remotely exploitable, information disclosure [BNSEC-3421 / BNSF-21649]

Version 6.1.3.001:

Virtualization

• Feature: Added support for virtual deployment in Microsoft Azure. [BNSF-22130]

Version 6.1.2.003:

Mail Processing

• Fix: Prevent the Spam Intent Category in Intent Analysis from defaulting to Off on upgrade. If a previous upgrade has occurred, please see the Intent Categories table for Spam in the Intent Analysis section of the BASIC > Spam Checking page and verify the setting. [BNSF-21927]

Version 6.1.2.002:

Security

• Fix: Resolved the following vulnerability:
  • Medium severity: Updated OpenSSL to address the issues reported in OpenSSL's security advisory dated 2014-06-05 [BNSEC-4499 / BNSF-22245]

Version 6.1.2.001:

Mail Processing

• Enhancement: Improved DLP detection algorithms for birth dates. [BNSF-21396]
• Enhancement: Improved handling of unusually formatted emails. [BNSF-21407]
• Fix: Messages were erroneously blocked by attachment type when whitelisted by the sender. [BNSF-20505]
• Fix: Messages with certain malformed headers now appear correctly in the message log. [BNSF-21305]
• Fix: Resolved issues with malformed headers from Trusted Forwarders. [BNSF-21897, BNSF-21906]
• Fix: Multiple messages in a single session are no longer encrypted after a message encrypted via the Outlook Add-in. [BNSF-21955]
• Fix: Per-User Scoring is no longer used when disabled. [BNSF-21800]

Web Interface

• Feature: Added ability to submit Email Categories for incorrect or uncategorized messages. [BNSF-21700]
• Feature: Added support for Europe/Busingen timezone. [BNSF-21988]
• Enhancement: Improved memory handling and performance of the Web Interface after long periods of time. [BNSF-22142, BNSF-22155]
• Fix: Resolved sporadic issue where BASIC > Status page would fail to load. [BNSF-21994, BNSF-22184]
• Fix: Deprecated timezones are not correctly updated when restored from a backup. [BNSF-21770, BNSF-21836]
• Fix: Restored the PRI facility field to Syslog. [BNSF-22044]
• Fix: Messages can now be delivered from any box in a cluster. [BNSF-22083]

Backup

• Fix: Resolved intermittent scenario in which Restore would fail if a previous backup or restore had failed. [BNSF-21257]
• Fix: Scheduled Backups Destination can now be changed from Cloud. [BNSF-21286]

Cloud Control

• Fix: The Cloud Control status chart now shows the correct date for the status bars. [BNSF-21842]

Security

• High severity vulnerability: unauthenticated, remotely exploitable, HTTP header injection [BNSEC-1168 / BNSF-20796]

Version 6.1.1.001:

Virtualization

• Feature: Added support for virtual deployment in Amazon Web Services. [BNSF-21875]

Version 6.1.0.003:

Mail Processing

• Enhancement: Improved processing of attachment filenames. [BNSF-21995]

Web Interface

• Fix: Bulk editing the list of domains no longer omits certain domains. [BNSF-21742]
• Enhancement: Added support for localized web interface for Email Categorization. [BNSF-22029]

Version 6.1.0.001:

Mail Processing

• Feature: Email Categorization. Messages from Barracuda-verified senders (including those on the Barracuda Reputation Whitelist) are categorized to allow the administrator another way to determine what action to take on various types of emails. Actions for each Category may be configured from the BLOCK/ACCEPT > IP Reputation page. [BNSF-21615]
• Feature: An additional layer of malware detection has been added with the Extended Malware feature. [BNSF-21662]
• Enhancement: Per-Domain whitelisting and blocklisting of IP addresses now honors Trusted Forwarder status. [BNSF-13907]
• Fix: Improved processing of messages with very long URLs. [BNSF-21779]
• Fix: Improved handling of Received headers containing missing IP addresses. [BNSF-21793]

Web Interface

• Feature: The Message Log now contains the IP address of the destination server. [BNSF-21404]
• Feature: The Message Debug Identifier has been added to the Queue Managment for easier tracing of messages. [BNSF-21405]
• Fix: Changing the character set in the Message Viewer now shows the message rather than the login page. [BNSF-21348]
• Fix: APIs now properly account for colons in regex values. [BNSF-21522]
• Fix: Adding valid recipients is now logged to the GUI syslog. [BNSF-21536]
• Fix: Explicit users are not supported by the list_valid_recipient_aliases API call. [BNSF-21768]

Reporting

• Fix: LDAP Failure notification report now accounts for case changes in domains. [BNSF-17538]

Security

• Fix: Resolved the following vulnerabilities:
  • High severity: Authentication bypass [BNSEC-3188 / BNSF-21585]
  • Medium - High severity: Requires authentication; security control bypass [BNSEC-3208 / BNSF-21593]
  • Medium severity: Requires authentication; denial of service [BNSEC-3297 / BNSF-21598]
  • Medium severity: Unauthenticated; information disclosure [BNSEC-3259 / BNSF-21596]
  • Medium severity: Requires authentication; security control bypass [BNSEC-3198 / BNSF-21591]
  • Low severity: Unauthenticated; remotely exploitable; information disclosure [BNSEC-3421 / BNSF-21649]
  • Low severity: Non-persistent XSS; requires authentication; remotely exploitable [BNSEC-3287 / BNSF-21597]

Firmware Version 6.0

What's New in Version 6.0

• Cloud Services
  • Cloud Protection Layer (CPL) - Now provides an integrated Message Log together with messages processed by the Barracuda Spam Firewall.
  • Backups to the Cloud - New option to back up to the Barracuda Cloud with the same backup features as always, configurable from the ADVANCED > Backup page. Use your Barracuda Customer Account credentials to connect. If you don't have an account, you can create one following instructions in this Barracuda TechLibrary article: Create a Barracuda Networks Account, or create one from the ADVANCED > Cloud Control page.
• Encryption
  • More reports detailing number of encrypted emails sent, number of encrypted emails opened by recipients, policies that triggered encryption action and number of recalled messages.
• Message Privacy
  • Governance, Risk Management and Compliance (GRC) - The GRC role is used as a way to provide governance, risk management and compliance to email content. The GRC only has access to Outbound Quarantine logs via the web interface and has the job of reviewing the messages in the log, determining which ones should be delivered or rejected based on policy. The administrator can enable or disable the GRC account at any time. Configure on the BASIC > Administration page.
  • Message Log Privacy - To protect email privacy, you can enable the Secondary Authorization feature to require a password before the Admin, Domain Admin, Helpdesk or GRC roles can view entries or email message contents across the system (including the global Message Log, per-domain Message Logs, queue management, outbound quarantine and quarantine inboxes). Configure on the BASIC > Administration page.
• SSL Certificates
  • Certificate installation is now greatly simplified by parsing the type of certificate uploaded and prompting for missing information.
  • Supports PKCS12, X.509(PEM), and Chain certificate(.crt) formats.
  • Users can now remove unused certificates from the system.
• Barracuda Outlook Add-in (Available on some models)
  • The Barracuda Outlook Add-in supports Outlook 2003, Outlook 2007, Outlook 2010 and 2013. Support for Outlook XP is no longer available.
    Note: To run version 6.0.2.001 of the Barracuda Spam Firewall firmware, you must update your Barracuda Outlook Add-in to version 6.0.40 or later (see the USERS > User Features page).

Version 6.0.2.002:

Mail Processing

• Enhancement: Multi-level intent analysis consistently handles timeouts. [BNSF-21731]
• Fix: PTR record analysis now honors Trusted Forwarder status; i.e. IP addresses are checked until and including the first IP that is not a trusted forwarder. [BNSF-21559]

Web Interface

• Fix: Converted time zones per new 2013 DST settings. [BNSF-21277].
  The following time zones have been converted:
  • Antarctica/South Pole, Amundsen-Scott Station, South Pole. New Time Zone: Antarctica/McMurdo
  • America/Montreal Eastern Time - Quebec - most locations. New Time Zone: Toronto
  • America/Shiprock Mountain Time, Navajo. New Time Zone: America/Denver America/Shiprock

Version 6.0.2.001:

Mail Processing

• Enhancement: Improved Sender Policy Framework (SPF) algorithms for increased accuracy. [BNSF-18114, BNSF-20387, BNSF-20523, BNSF-20558, BNSF-20883, BNSF-21068, BNSF-21118]
• Enhancement: Hard SPF detection failures are now enabled by default. [BNSF-17929]
• Enhancement: Inbound mail from a Trusted Relay source is now subject to Recipient Verification (if configured) to prevent sending email to an invalid user for the domain. [BNSF-20482].
• Enhancement: Mail Journaling can now be configured to only journal Quarantined messages on delivery. [BNSF-19388]
• Enhancement: Multi-level intent analysis performs better with slow web servers. [BNSF-20003]
• Enhancement: Improved disk space management. [BNSF-20543, BNSF-21026, BNSF-21339, BNSF-21308]
• Enhancement: Improved recovery of services that are in an inconsistent state. [BNSF-20656, BNSF-20802, BNSF-20898]
• Enhancement: Improved real-time detection for multilevel intent analysis. [BNSF-20733]
• Enhancement: Improved attachment detection and filtering. [BNSF-19488]
• Enhancement: Optimized analysis of messages with compressed files (.tgz, .rar, .zip). [BNSF-21147]
• Enhancement: Improved DLP detection algorithms for message contents and attachments, including those for identifying dates, credit card information, and data in Excel files. [BNSF-21094, BNSF-21354, BNSF-20736, BNSF-21272]
• Enhancement: Added default German NDR texts. [BNSF-21058]
• Fix: The Create Password email can now be sent to users with spaces in the UID. [BNSF-14773]
• Fix: Block Sender Verify is no longer disabled when Block Empty Sender is enabled. [BNSF-14977]
• Fix: PTR record analysis is now performed when mail is received from a Trusted Forwarder. [BNSF-19257]
• Fix: All messages in a single SMTP session are now whitelisted when sent from a whitelisted IP address. [BNSF-19779, BNSF-20562]
• Fix: Improved whitelist setting interactions between a primary account and its LDAP or Valid Recipient alias. [BNSF-20592, BNSF-21453]
• Fix: Improved detection of UPS tracking numbers previously mis-identified as Social Security Numbers. [BNSF-19577]
• Fix: Outbound Quarantine messages could be delivered to the Inbound Quarantine address with the Inbound Quarantine tag when using Global Quarantine. [BNSF-20032]
• Fix: Resolved issue processing messages with headers including ports with IP addresses. [BNSF-20524]
• Fix: Messages blocked due to file type now report as banned rather than accepted. [BNSF-20525]
• Fix: Whitelist properly takes precedence over quarantine rules that are based on EmailReg settings. [BNSF-20934]
• Fix: Resolved issue in which, in rare circumstances, per-user quarantine files could be written as zero bytes when in a clustered environment. [BNSF-20991]
• Fix: Spam analysis conditions which could prevent unusual messages from being processed. [BNSF-20994, BNSF-20997]

Web Interface

• Enhancement: Improved web interface performance when displaying a large number of users or domains. [BNSF-18336]
• Enhancement: Reduced time to reload system configurations when there are a large number of domains. [BNSF-20145]
• Enhancement: Single Sign-On now honors Valid Recipient alias linking. [BNSF-19754]
• Enhancement: Improved support for Internet Explorer 9 and 10 and Firefox 23 and Safari. [BNSF-19525, BNSF-19837, BNSF-19978, BNSF-20259, BNSF-21324, BNSF-21244]
• Enhancement: Manual Backups now show the correct status without requiring a manual refresh. [BNSF-19836]
• Enhancement: Improved detection of malformed character sets when displaying unicode messages. [BNSF-20503]
• Enhancement: Added 3 new methods to API to list, add and delete Valid Recipients. [BNSF-20605]
• Enhancement: The SMTP port is now excluded from synchronization across systems in a cluster. [BNSF-20561]
• Enhancement: Option for the Helpdesk role to view message headers (configured on the BASIC > Administration page). [BNSF-21204]
• Enhancement: Web Syslog contents now include the year, usernames, troubleshooting commands, and configuration changes made by Barracuda Technical Support. May require a restart of your syslog clients in order to receive the additional data. [BNSF-20990, BNSF-21206, BNSF-21207, BNSF-21431, BNSF-21504]
• Enhancement: Updated translations. [BNSF-19999, BNSF-20000, BNSF-20217, BNSF-20325, BNSF-20862, BNSF-21123, BNSF-21418]
• Fix: Time zone updates for Israel per new 2013 DST settings. [BNSF-21277]
• Fix: Journaling to the Barracuda Message Archiver now accepts an IP address. [BNSF-13505]
• Fix: Corrected handling of unicode characters in user whitelists. [BNSF-13751]
• Fix: Reduced time to log into the web interface when the update server is not reachable. [BNSF-18333]
• Fix: Improved handling of special characters such as '$' in the LDAP password for Single Sign-On users. [BNSF-19396]
• Fix: All users are now able to view quarantine messages when a device is removed from a cluster. [BNSF-19567]
• Fix: Viewing message bodies in a clustered environment no longer results in an error for some messages. [BNSF-21449]
• Fix: Searching the outbound quarantine from a user's account no longer forces a logout. [BNSF-19775]
• Fix: Repaired erroneous validation of the Message Log's Time Range filters. [BNSF-20218]
• Fix: Repaired Time Range searches of Outbound messages in the Message Log. [BNSF-21273]
• Fix: Message Log filter errors are now properly encoded. [BNSF-19968]
• Fix: The Barracuda Spam Firewall Vx now displays the correct expiration date for Energize Updates subscriptions. [BNSF-20076]
• Fix: The SNMP agent starts correctly on the Barracuda Spam Firewall Vx. [BNSF-19478]
• Fix: Graceful shutdown via the power button now works in all cases. [BNSF-20706]
• Fix: The "ping" command works as expected with IPv6. [BNSF-20726]
• Fix: Performance statistics are now displayed when viewing the BASIC > Status page in the web interface page for the Chinese locale. [BNSF-21156]

Backup

• Enhancement: FTP backups now attempt both active and passive mode. [BNSF-7762]
• Fix: SMB shares are now always unmounted after a backup. [BNSF-19249]
• Fix: Repaired display of backup files available via FTP. [BNSF-21332]

Cloud Control

• Feature: The ADVANCED > Queue Management page is now available from Barracuda Cloud Control. [BNSF-19534]
• Fix: Errors restoring backups are now propagated to the top level of the Barracuda Cloud Control tree. [BNSF-19534]
• Fix: Repaired links for running/completed tasks. [BNSF-20186, BNSF-20194]

Barracuda Outlook Add-in

This firmware version requires update of your Barracuda Outlook Add-in (see the USERS > User Features page) to version 6.0.40 or later.

• Enhancement: Classification buttons are now available for public folders. [BNSF-20670]
• Enhancement: The Alternate URL was removed from the ADM configuration in favor of auto-provisioning. [BNSF-20670]
• Fix: The property page now shows correctly in Outlook 2003 and 2007. [BNSF-21300]
• Fix: The Add-in no longer fails to start if a localization is unavailable. [BNSF-21492]

Exchange Antivirus

• Enhancement: Improved handling of corrupted virus definition updates. [BNSF-20648]
• Fix: The Exchange Antivirus Agent now starts for all localized versions of Microsoft Exchange. [BNSF-19315]

Security

• Fix: Resolved the following vulnerabilities:
  • High severity: Persistent XSS; unauthenticated; remotely exploitable. [BNSEC-2590]
  • High severity: Authentication bypass. [BNSEC-2625]
  • High severity: Information disclosure. [BNSEC-2816]
  • Medium severity: Unauthenticated; information disclosure. [BNSEC-1658]
  • Medium severity: Information disclosure. [BNSEC-2814]
  • Low - Medium severity: Persistent XSS; unauthenticated; authentication bypass. [BNSEC-2563]
  • Low severity: Persistent XSS; requires authentication; remotely exploitable. [BNSEC-220]
  • Low severity: Non-persistent XSS; requires authentication; remotely exploitable. [BNSEC-1052]

Fixed in Version 6.0

Version 6.0.0.029:

Mail Processing

• Enhancement: Improved real-time detection of malformed attachments. [BNSF-21142].

Security

• Fix: Resolved the following vulnerabilities:
  • High severity: Persistent XSS; unauthenticated; remotely exploitable. [BNSEC-1550 / BNSF-20929]
  • High severity: Persistent XSS; unauthenticated; remotely exploitable. [BNSEC-1650 / BNSF-20943]
  • Medium - High severity: Non-persistent XSS; unauthenticated [BNSEC-1251 / BNSF-20597]
  • Low - High severity: Persistent XSS; requires authentication. [BNSEC-391 / BNSF-19756]
  • Low - High severity: Non-persistent XSS; requires authentication [BNSEC-1068 / BNSF-20228]
  • Low - High severity: Requires authentication; information disclosure. [BNSEC-1706 / BNSF-20955]
  • Medium severity: Information disclosure. [BNSEC-107 / BNSF-17460]
  • Low - Medium severity: Unauthenticated; information disclosure. [BNSEC-1746 / BNSF-20978]
  • Low severity: Persistent XSS; requires authentication. [BNSEC-220 / BNSF-18321]
  • Low severity: Persistent XSS; requires authentication. [BNSEC-1702 / BNSF-20953]
  • Low severity: Non-persistent XSS; requires authentication. [BNSEC-1152 / BNSF-20394]
  • Low severity: Requires authentication; information disclosure. [BNSEC-1160 / BNSF-20396]
  • Low severity: [BNSEC-1383 / BNSF-20817]

Version 6.0.0.028:

Mail Processing

• Enhancement: Access to updated Barracuda Real Time Systems (BRTS). The updated BRTS is significantly faster and leverages additional lookups and faster detection operations. with this BRTS update, the Barracuda Spam Firewall can adapt to spam faster and more accurately. [BNSF-20859]

Barracuda Outlook Add-in

This firmware version requires update of your Barracuda Outlook Add-in (see the USERS > User Features page) to version 6.0.21 or later.

Web Interface

• Fix: Firmware updates no longer fail to show progress in some cases. [BNSF-20790]

Version 6.0.0.027:

Web Interface

• Fix: The Search button returns the correct result set the first time it is clicked when using the 'Time' search filter. [BNSF-20591]
• Fix: Time zone updates for Chile and Paraguay per new 2013 DST settings. [BNSF-20522]

Version 6.0.0.019:

• Fix: Message Log search actions that exceed a certain processing duration now display a partial result set to avoid a timeout. [BNSF-20110]

Version 6.0.0.018:

Security

• Fix: Reflective cross-site scripting issue on the ADVANCED > Troubleshooting page. [BNSEC-1088]

Mail Processing

• Enhancement: Per-User Allows and Block lists now check envelope from and header from. [BNSF-17727]
• Enhancement: Improved performance for Realtime Intent Analysis. [BNSF-20002]
• Fix: Attachment content filtering does not cause a spike in CPU usage. [BNSF-17216]
• Fix: Rejected mail retrieved from a a POP3 server is now marked for deletion. [BNSF-19035]
• Fix: Filename attachment filters with some special characters block mail as expected. [BNSF-19831]
• Fix: Rate control is no longer applied excessively to POP accounts. [BNSF-19745]
• Fix: Filename attachment filters with some special characters do not always block mail. [BNSF-19831]
• Fix: Rate control was overapplied to POP accounts. [BNSF-19745]

Cloud Control

• Enhancement: Rate Control and Trusted Forwarder settings are now synchronized with and used by CPL unless overridden in CPL-specific settings. [BNSF-20094]

Web Interface

• Enhancement: Improved Internet Explorer and Safari compatibility. [BNSF-19811, BNSF-19837, BNSF-19570]
• Enhancement: SSL 2.0 has been disabled. [BNSF-19872]
• Enhancement: The Auditor role has been renamed GRC, as it is intended as a way to provide governance, risk management and compliance to email content. [BNSF-19916]
• Enhancement: Improved character display for various pages. [BNSF-19881]
• Fix: Bulk Edit does not properly store the "&" character. [BNSF-18342]
• Fix: The Message Log could fail to display in rare circumstances. [BNSF-19684]
• Fix: Message log filtering is no longer case sensitive. [BNSF-19955]
• Fix: The correct branding image is now properly used when changing images for the Encryption service. [BNSF-20019]
• Fix: The web interface no longer shows Temporarily Unavailable upon delivering a message from per-user quarantine. [BNSF-20075]
• Fix: Searching the quarantine message log no longer logs out the user from the web interface. [BNSF-19775]
• Fix: The correct branding image is now properly used when changing images for the Encryption service. [BNSF-20019]
• Fix: Searching the quarantine message log no longer logs the user out. [BNSF-19775]

Add-in

• Fix: The correct error message is shown if Copy (www.copy.com) cannot be contacted by the Barracuda Spam Firewall. [BNSF-19847]

Version 6.0.0.015

• Fix: Resolved issue with potential SSH access to unit when not deployed behind a firewall. To completely disable remote support functionality, contact Barracuda Networks Technical Support. Reported by Stefan Viehböck, SEC Consult Vulnerability Lab (https://www.sec-consult.com). [BNSEC-767]

Version 6.0.0.007:

Backup

• Feature: Improved backup web interface. [BNSF-19325]
• Enhancement: Backup files are deleted upon successful completion of a backup. [BNSF-18628]
• Enhancement: Restoring a backup no longer restores Advanced Network information. [BNSF-18957]
• Enhancement: Configuration backups are now encrypted. [BNSF-19496]
• Fix: Backup does not fail if there are special characters in the login name or password. [BNSF-14472]
• Fix: SMB mounts are now automatically dismounted after a backup. [BNSF-14625]
• Fix: Restoring a backup configuration now immediately processes mail for domains without requiring a Reload. [BNSF-19350]

Mail Processing

• Enhancement: Disabling SMTP Over TLS at the system level no longer rejects domains which are required by the Domain-level Force TLS settings. [BNSF-17474]
• Enhancement: Spoof Protection now looks at headers in addition to the envelope content. [BNSF-17679, BNSF-15997]
• Enhancement: Whitelisted messages are now flagged as whitelisted if Trusted Forwarders are configured on the BASIC > IP Configuration page. [BNSF-17943]
• Enhancement: Active directory default LDAP filter has been modified to reduce AD CPU load. [BNSF-17993]
• Enhancement: Improved HIPAA medical term detection in email content. [BNSF-18390]
• Enhancement: Malicious URL scanning now correctly scans all HTML attachments. [BNSF-18564]
• Enhancement: TNEF files are now scanned for viruses. [BNSF-18921]
• Enhancement: Added the ability to exempt email addresses and domains from encryption from the BASIC > Administration page. [BNSF-18949]
• Enhancement: Improved recipient verification performance if no Explicit Users are defined. [BNSF-19048]
• Enhancement: Improved false positive detection for DLP settings. [BNSF-18738, BNSF-19321, BNSF-19946]
• Enhancement: TLS can now be required for all incoming domains from the Per Domain ADVANCED > Email Protocol page. [BNSF-19738]
• Fix: Duplicate X-Barracuda-IPDD header lines are no longer added. [BNSF-15751]
• Fix: Duplicate X-Barracuda-Registry header lines are no longer added. [BNSF-19829]
• Fix: The Queue Management timestamp now matches the message log timestamp in all cases. [BNSF-19149]
• Fix: Improved processing performance for large multipart text emails. [BNSF-19644]
• Fix: Attachment filter now correctly detects video file types with altered extensions. [BNSF-18977]
• Fix: LDAP routing will now enable alias rewriting if username/password are not set. [BNSF-19114]
• Fix: SPF IPv6 record lookups work as expected. [BNSF-19500]
• Fix: URL inspection now correctly handles UTF-8 characters. [BNSF-19575]
• Fix: Improved process monitoring of front end scanning engine. [BNSF-19675]
• Fix: Appliance remains offline after a firmware update if it is already in offline mode. [BNSF-18941, BNSF-19705]
• Fix: Rate control settings for POP accounts are now applied correctly. [BNSF-19745]

Cloud Control

• Enhancement: Added Users and Advanced pages to Barracuda Cloud Control administration. [BNSF-16098, BNSF-16288]
• Enhancement: Passwords are masked in syslog output. [BNSF-16498]
• Fix: Unicode characters can now be added to tables through the Barracuda Cloud Control. [BNSF-18087]

Reporting

• Fix: Report performance has been optimized. [BNSF-16599, BNSF-17853]
• Fix: Queue details now include the To address. [BNSF-17127, BNSF-18516]
• Fix: LDAP failures are now sent to all email addresses when addresses include Unicode characters. [BNSF-18491]
• Fix: Traffic reports are no longer sorted in reverse order. [BNSF-18673]

Web Interface

• Feature: Improved syslog performance [BNSF-18033]
• Feature: Destination Mail Servers can now be defined using an MX record. [BNSF-19358]
• Enhancement: Syslog now logs 'Guest' logins. [BNSF-18102]
• Enhancement: Improved web performance. [BNSF-18378]
• Enhancement: Improved search performance of message log in a clustered environment. [BNSF-17385, BNSF-18734]
• Fix: Clustering is now removed from Running Tasks when complete. [BNSF-9554]
• Fix: Changing the hostname or destination mail server now takes immediate effect. [BNSF-17616, BNSF-19279]
• Fix: Adding a new domain now takes effect immediately without requiring a Reload. [BNSF-17673]
• Fix: Resolved false notification of "old static routes on your system". [BNSF-17963]
• Fix: Domain Admins can now set an end user to the Helpdesk role. [BNSF-18843]
• Fix: Message log could fail to display under some circumstances. [BNSF-18921]
• Fix: The Troubleshooting Telnet Utilities no longer omits the connection banner when telnetting to a mail server. [BNSF-19163]
• Fix: Product tips no longer expand to the entire browser width. [BNSF-19669]
• Fix: Message Log is no longer sorted based on the Queue Management sort. [BNSF-16315]
• Fix: Product tips now properly expire [BNSF-19661]

Barracuda Outlook Add-in

• Feature: Outlook Add-in now supports Outlook 2013. [BNSF-19535]
• Fix: Outlook Add-in no longer creates user accounts if quarantine is set to Global. [BNSF-18883]

Firmware Version 5.1

What's New in Version 5.1

• Exchange Antivirus
  • The new Barracuda Networks Exchange Antivirus Agent runs as a Windows service on your Microsoft Exchange server and enables it to scan internal email for viruses. From the ADVANCED > Exchange Antivirus page you can download the add-in and view associated email statistics once it is installed and running.
• IPv6
  • New IPv6 support provides email receipt and delivery over IPv6 networks.
  • Email can be redirected by policy to an IPv6 network/server.
• Encryption
  • The Barracuda Microsoft Outlook Add-In now features a Send Encrypted button for sending encrypted emails.
  • Encrypted messages display as such in the Message Log with 'Outlook Add-in' as the Reason.
  • Administrators can upload a logo that will be displayed when recipients log into the Barracuda Message Center to retrieve encrypted messages.
  • Outgoing email notifications to recipients of encrypted messages can be customized using the per-domain ADVANCED > Encryption page.
• Barracuda Control Center
  • Improved Barracuda Control Center integration.
• Web Interface
  • Sender Domain and Sender Email filters are now combined on one page titled Sender Filters.
  • Simplified process for replacing failed units in a clustered system in a production environment.
  • The Explicitly Accepted Users and the Valid Recipients lists are now synchronized across clustered systems.
• Mail Processing
  • The Deep Header Scan setting for use with Trusted Forwarder IP addresses has been removed from the Web interface, as this functionality is now part of the Trusted Forwarder feature.
  • Sender Based Rate Control for outbound messages now counts number of recipients per sender as opposed to number of connections from the sender. The requirement for 5 unique sender email addresses before beginning rate control has been removed.
  • SNMP MIB extended to provide objects for additional mail and performance statistics, as well as statistics on encrypted, blocked, quarantined and tagged messages based on spam, custom policy, virus, etc. Includes outbound mail.
  • Multiple line regular expressions are supported for header filtering.
  • With HIPAA predefined filters, two or more terms are now needed to trigger an action with a message.
  • SMTP auth failures are logged in the Message Log for outbound mail only.

Fixed in Version 5.1

Version 5.1.3

The 5.1.3 firmware series was developed in parallel to the 6.0.x firmware series, and as such all fixes in 5.1.3 may not be in or even apply to the 6.0.x firmware. Relevant fixes from 5.1.3 will have been included starting with the 6.0 firmware series, so to prevent possible confusion the list of specific changes that went into 5.1.3 are not listed here. However, a complete list may be found in the release notes for the latest 5.1.3 release (5.1.3.007).

Version 5.1.2

Version 5.1.2.005:

• Enhancement: The Link Domains feature, configured on the BASIC > Quarantine page, and the per-domain Unify Email Aliases option, configured on the USERS > LDAP Configuration page at the domain level, are mutually exclusive and can no longer be enabled at the same time. These settings affect how and where user quarantined mail is delivered.

  Important:

  No changes are automatically made to existing settings after updating, so make sure to verify that both of these settings are not enabled at the same time. If both options were enabled prior to updating, and one is then disabled, that setting cannot be re-enabled without disabling the other setting. Please see the online help for both settings to understand what each feature does and decide which configuration works best for your organization. [BNSF-17401]
• Enhancement: If using Single Sign-On, users can now log in with either an alias or with their primary email address. If the per-domain Unify Email Aliases option is set to Yes, then when a user logs in with an alias, that user will be directed to the primary account. [BNSF-18377]
• Fix: When an LDAP user logs into the Barracuda Spam Firewall for the first time and uses an email alias to log in, a duplicate account will no longer be created if they already have a primary account. [BNSF-18839, BNSF-19406]

Version 5.1.2.004:

• Fix: Improved configuration data lookup for mail flow performance. [BNSF-19025, BNSF-18462]

Version 5.1.2.003:

• Fix: Resolved high CPU loads that could occur with certain operations. [BNSF-19361]

Version 5.1.2.002:

• Enhancement: Improved per-domain recipient blocklisting. [BNSF-18462]
• Enhancement: Improved disk space monitoring. [BNSF-18998]
• Enhancement: The product web interface does not reveal version information to unauthenticated users. [BNSF-18437]
• Enhancement: Improved IPv6 message handling.
• Enhancement: Updated Polish translation of web interface.
• Enhancement: Updated Czech translation of web interface.
• Enhancement: Improved SPF checking for email from ipv6 networks. [BNSF-19110]
• Enhancement: Improved help text for the USERS > User Features page.
• Enhancement: Improved security for web interface login. [BNSF-19105]
• Enhancement: Improved internal process monitoring for mailflow, mitigating intermittent interruption to mail processing for firmware version 5.1.1.005 and higher. [BNSF-18984]
• Enhancement: Improved handling of large XLS files for attachment content filtering. [BNSF-18955]
• Enhancement: Improved process monitoring for secure web interface access over HTTPS. [BNSF-19070]
• Enhancement: Improved Barracuda Cloud Control connectivity. [BNSF-19129]
• Fix: Changes to the per-domain recipient whitelist now take immediate effect. [BNSF-19025]
• Fix: Changes to outbound mail trusted relay settings now take immediate effect, precluding 'Invalid Domain' errors. [BNSF-19156]
• Fix: Anonymous binding is allowed for LDAP routing/alias rewriting. [BNSF-19114]
• Fix: Relay Using Trusted Host/Domain (configured on the BASIC > Outbound page) works as expected. [BNSF-19193]
• Fix: Improved recognition of Japanese credit card numbers in Predefined Filters (BLOCK/ACCEPT > Content Filtering). [BNSF-18979]
• Fix: Inbound mail going to subdomains no longer mis-categorized as outbound mail. [BNSF-18960]
• Fix: The User Features Override table in the USERS > User Features help page now renders in widths appropriate to the amount of content to display in each column. [BNSF-17930]
• Fix: Bounce messages will not be inspected (so not blocked as 'invalid') when received from a trusted relay source. [BNSF-17564]
• Fix: Improved analysis of bounce messages (NDR) from MS-Exchange when receiving messages from a trusted forwarder. [BNSF-13370]
• Fix: Resolved potential 'Range Header' security issue [CVE-2011-3192]. Reported by Ben Williams, NGSSecure. [BNSF-18920]
• Fix: Messages no longer being blocked for internal domains hosted by the Barracuda Spam Firewall with reason of Invalid Domain. [BNSF-19111]

Version 5.1.1

Version 5.1.1.006:

• Enhancement: Improved spam fingerprint/ZeroHour virus protection accuracy.
• Enhancement: Support for recently changed time zone/daylight savings times including Moscow, Pacific/Pohnpei and Chile. [BNSF-18449, BNSF-17613, BNSF-18467]
• Enhancement: Updated Czech and Chinese translations in web interface.
• Fix: Mail for a specific domain is not rejected with 'invalid domain' message unless appropriate. [BNSF-17673]
• Fix: Rare circumstance no longer incorrectly causing messages to be deferred due to Rate Control. [BNSF-18059]
• Fix: Improved mail processing for large messages.
• Fix: Messages which are not in password protected archives are no longer being incorrectly blocked as such. [BNSF-18514]
• Fix: Outbound mail from a trusted relay is not blocked as an invalid domain. [BNSF-18475]
• Fix: Resolved reflective cross-site scripting issue. Thanks to Ben Williams of NGS-Secure. [BNSF-18434]
• Fix: Quarantine messages now sync properly across a cluster. [BNSF-18563]
• Fix: Traffic Summary report and BASIC > Status page more accurately represent inbound and outbound traffic. [BNSF-18631]
• Fix: Trusted Forwarders listed in SPF records pass SPF checks as expected. [BNSF-18122]

Version 5.1.1.004:

• Enhancement: Improved Queue Management performance. [BNSF-16951]
• Fix: When Unify Email Alias option is set to No on the per-domain USERS > LDAP Configuration page, both the primary and alias email addresses are able to log into the corresponding Quarantine accounts. [BNSF-18318]
• Fix: The Message Log renders properly in IE version 7. [BNSF-18301]
• Fix: Performance Statistics render as expected on the BASIC > Status page. [BNSF-17446]
• Fix: The message source of the message in the Message Log view shows all the normal headers including the Barracuda Spam Firewall's own Received line. [BNSF-17842]
• Fix: Indexed searching in the Message Log for only inbound or only outbound messages works as expected. [BNSF-17968]
• Fix: Users can whitelist an email address for which they have blocklisted the domain. [BNSF-17935]
• Fix: When sending a message to the Barracuda Spam Firewall from a Trusted Relay IP address, and Recipient Verification is configured, and the recipient is not a valid user in the domain as configured on the Barracuda Spam Firewall, the message is blocked as expected. [BNSf-17905]
• Fix: If more than one LDAP server IP address is configured, Single Sign-On allows valid logins as expected. [BNSF-17990]
• Fix: The Quarantine digest contains proper formatting without unreferenced images. [BNSF-17853]
• Fix: Quarantine notification show a single blue bar indicating messages in quarantine instead of multiple bars. [BNSF-17884]
• Fix: LDAP user passwords which include the % character are accepted as valid when doing an LDAP Test. [BNSF-17904]
• Fix: False positives no longer occuring for Social Security numbers in docx files. [BNSF-17721]

Version 5.1.0

Version 5.1.0.013:

• Fix: Sending an email to a domain immediately after adding it to the Barracuda Spam Firewall takes immediate effect. [BNSF-17673]
• Fix: Performance Statistics now render properly on the BASIC > Status page when there are multiple system fans present in the Barracuda Spam Firewall hardware. [BNSF-17779]
• Fix: Message Log and statistics updates are more efficient. [BNSF-17717]
• Fix: Single Domain Admin role restrictions are properly applied. [BNSF-17168]

Version 5.1.0.012:

• Enhancement: For outbound sender-based rate control, removed requirement for 5 unique sender email addresses before beginning rate control.
• Fix: Resolved clustering synchronization issue.
• Fix: The checkbox control now renders properly on all web interface pages in newer versions of Firefox and Opera browsers.
• Fix: Changing the Key Size or other options on the ADVANCED > Secure Administration page doesn't cause the web interface to reset.
• Fix: When configuring the Barracuda Spam Firewall Vx, the consconf utility does correct input checking.
• Fix: Outbound sender-based rate control now sends back 450 and 550 responses to the sending mail server, and consequently mail servers running Microsoft Exchange now take the correct actions.