FIRMWARE RELEASE NOTE ====================== Products affected: Q1645/-LE Release date: 2019-08-26 Release type: Production Firmware version: 8.40.3 Preceding release: 8.40.2.2 -------------------------------------------------------------------------------- Upgrade instructions ==================== Upgrade the firmware according to the instructions given at https://www.axis.com/ca/en/support/tecnical-notes/how-to-upgrade or howtoupgrade.txt, which is included in the firmware folder. NOTE ==================== For latest information about Axis Cybersecurity, see https://www.axis.com/se/sv/support/product-security. Corrections in 8.40.3 since 8.40.2.2 ===================================== 8.40.3:C01 General minor improvements to the 8.40 LTS platform. 8.40.3:C02 Removed the root users default password in factory defaulted firmware. The password of the root user must be set first in order to initialize VAPIX and ONVIF interfaces to allow further configuration. This change only affects products in its factory defaulted state, products that are already deployed in production systems are not affected by this update until factory defaulted. 8.40.3:C03 Update libssh2 to version 1.9.0 to increase overall minimum cyber security level. This update includes correction for CVE-2019-13115. Corrections in 8.40.2.2 since 8.40.2.1 ======================================= 8.40.2.2:C01 General minor improvements to the 8.40 LTS platform. 8.40.2.2:C02 Corrected the following kernel vulnerabilities to increase overall minimum cyber security level (collectively known as "TCP SACK PANIC"): CVE-2019-11477, CVE-2019-11478, CVE-2019-11479. 8.40.2.2:C03 Updated wpa-supplicant to version 2.8 and hostapd to version 2.8 to increase overall minimum cyber security level. The following security vulnerabilites are included (collectively known as "Dragonblood"): CVE-2019-9494, CVE-2019-9495, CVE-2019-9496, CVE-2019-9497, CVE-2019-9498, CVE-2019-9499. 8.40.2.2:C04 Corrected an issue that caused problems accessing devices via O3C/Axis Guardian using Microsoft Edge browser. 8.40.2.2:C05 Improved the certificate management system: It is now possible to upload PKCS#12 certificates with a total size of 102400 bytes. The previous limit was 1/10 of it. 8.40.2.2:C06 Corrected an issue that caused some users not to be displayed in the webGUI's user list on rare occasions. 8.40.2.2:C07 Improved the certificate management system: added support for certificate IDs with long names. 8.40.2.2:C08 Updated openSSL to version 1.1.1c to increase overall minimum cyber security level. 8.40.2.2:C09 Added support for TLSv1.3. 8.40.2.2:C10 Corrected security vulnerability in Systemd CVE-2019-6454 to increase overall minimum cyber security level. 8.40.2.2:C11 Improved the certificate management system: added system log information for failing certificate upload. 8.40.2.2:C12 Corrected an issue that caused SMB connection problems to NetApp NAS configured for SMBv2. 8.40.2.2:C13 Corrected an issue that caused cropped image streams not to be shown correctly on rare occasions. 8.40.2.2:C14 Updated libssh2 to version 1.8.2 due to that version 1.8.1 broke publickey-userauth requests. 8.40.2.2:C15 Corrected an issue that caused view areas, set in the web GUI, not to be preserved after changing camera resolution. Corrections in 8.40.2.1 since 8.40.2 ===================================== 8.40.2.1:C01 General minor improvements to the 8.40 LTS platform. 8.40.2.1:C02 Updated Apache to version 2.4.39 to increase overall minimum cyber security level. 8.40.2.1:C03 Improved robustness of the O3C client. 8.40.2.1:C04 Updated OpenSSL to version 1.1.1b to increase overall minimum cyber security level. 8.40.2.1:C05 Updated OpenSSH to version 7.9p to increase overall minimum cyber security level. 8.40.2.1:C06 Corrected an issue when changing resolution while cropping a streamed image with the VAPIX parameter croppos. 8.40.2.1:C07 Added information about Certificate ID to the Installed Certificates section in the server report. Corrections in 8.40.2 since 8.40.1.2 ===================================== 8.40.2:C01 General minor improvements to the 8.40 LTS platform. 8.40.2:C02 Added information about WI-FI networks within range to the server report. 8.40.2:C03 Corrected the following security vulnerabilities to increase overall minimum cyber security level: CVE-2019-3855, CVE-2019-3856, CVE-2019-3857, CVE-2019-3858, CVE-2019-3859, CVE-2019-3860, CVE-2019-3861, CVE-2019-3862, CVE-2019-3863. 8.40.2:C04 Corrected security vulnerability CVE-2019-0217 in Apache to increase overall minimum cyber security level. 8.40.2:C05 Corrected security vulnerability CVE-2017-16544 in BusyBox to increase overall minimum cyber security level. 8.40.2:C06 Corrected an issue that caused a viewer user to not be able to obtain the list of image resolution properties via param.cgi. 8.40.2:C07 Corrected an issue in the Web-GUI that prevented to upload a Client Certificate or CA certificate using the Edge browser. 8.40.2:C08 Updated pre-installed Mozilla CA-certificates to versions available at 20190122. 8.40.2:C09 Added GOP Length option to the Stream Profile Settings. 8.40.2:C10 Corrected the following vulnerabilities in order to increase overall minimum cybersecurity level: CVE-2018-16864, CVE-2018-16865, CVE-2018-16866. 8.40.2:C11 Updated OpenSSL to version 1.0.2r to increase overall minimum cyber security level. 8.40.2:C12 Corrected an issue with timestamps in the RTCP Sender Report that could cause RTSP recordings/playbacks not to work correctly in some video players using the Live555 library such as VLC and ffmpeg. Corrections in 8.40.1.2 since 8.40.1.1 ======================================= 8.40.1.2:C01 General minor improvements to the 8.40 LTS platform. 8.40.1.2:C02 Corrected an issue in the web GUI when creating a preset position and the language was set to German. 8.40.1.2:C03 Corrected an issue that could cause the camera to get unresponsive when two clients are streaming over multicast using the same streaming parameters. 8.40.1.2:C04 Upgraded Apache to version 2.4.38 to increase overall minimum cyber security level. 8.40.1.2:C05 Updated label for P-Iris lenses from CBC to Computar in the iris drop down list. 8.40.1.2:C06 Corrected an issue with Always Multicast over IPv6. 8.40.1.2:C07 Corrected an issue that caused factory default settings to not be applied correctly when upgrading from a firmware version prior to 6.20. 8.40.1.2:C08 Corrected an issue in the web GUI that caused IO Port values to be displayed incorrectly. 8.40.1.2:C09 Corrected an issue that caused Recorded Guard Tour not to work properly on rare occasions. 8.40.1.2:C10 Improved re-connection behavior to AVHS server. The time between failed connection attempts will now gradually increase until a hard limit is reached. 8.40.1.2:C11 Corrected an issue that could cause corrupted overlays when using BMP images as overlay. 8.40.1.2:C12 Corrected an issue that prevented usage of the same port for two different multicast streams. 8.40.1.2:C13 Corrected an issue that caused IR cut filter to not work properly when Synchronize IR Illumination was turned off. 8.40.1.2:C14 Corrected an issue that could cause foggy snapshot images on rare occasions. 8.40.1.2:C15 Corrected an issue when cropping a streamed image with the VAPIX parameter croppos. 8.40.1.2:C16 Improved list.cgi to display all installed applications (no longer limited to 8). 8.40.1.2:C17 Corrected an issue with pre-installed applications using startmode set to "never". 8.40.1.2:C18 Corrected an issue that could cause an incorrect error message when testing HTTP recipient. 8.40.1.2:C19 Corrected an issue that could cause corrupted video recordings when UserData or TriggerData are enabled. 8.40.1.2:C20 Improved stability in the httptest.cgi. 8.40.1.2:C21 Corrected an issue that caused an HTTP-recipient based action rule to fail when the response from the server excluded the textual phrase (Example: HTTP 200). This will work now. 8.40.1.2:C22 Added Firmware Recovery (Firmware Rollback) information to the server report. Corrections in 8.40.1.1 since 8.40.1 ===================================== 8.40.1.1:C01 Corrected an issue that produced corrupted JPEG file data while the image itself was good. 8.40.1.1:C02 Corrected an issue that prevented the user from uploading a certificate that contains "Bag Attributes" before and after the actual certificate content. 8.40.1.1:C03 Corrected an issue that prevented the user from receiving the correct recording list in AXIS Companion in combination with view areas or multi-sensor products. 8.40.1.1:C04 Corrected an issue in the ACAP framework that could cause ACAPs to freeze on rare occasions. 8.40.1.1:C05 Patched the following security vulnerabilities to increase overall minimum cyber security level: CVE-2018-10876, CVE-2018-10877, CVE-2018-10878, CVE-2018-10879, CVE-2018-10880, CVE-2018-10881, CVE-2018-10882, CVE-2018-10883. 8.40.1.1:C06 Updated to OpenSSL version 1.0.2p to increase overall minimum cyber security level. 8.40.1.1:C07 Updated Apache to version 2.4.35 to increase overall minimum cyber security level. 8.40.1.1:C08 Patched security vulernability CVE-2018-17182 to increase overall minimum cyber security level. 8.40.1.1:C09 Corrected an issue that caused upload of Axis People Counter via curl to fail in rare occations. 8.40.1.1:C10 Corrected an issue that could cause incorrect snapshot resolutions on view areas. New features in 8.40.1 ================================================================================ 8.40.1:F1 Renamed "Browser Stream Statistics" to "Client Stream Information". The Client Stream Information are available in the web-interface of the camera. 8.40.1:F2 Added support for ONVIF Audio Backchannel. 8.40.1:F3 Updated apache webserver to version 2.4.33 to increase overall minimum cyber security level. 8.40.1:F4 AXIS Video Motion Detection 4.2.5 is now pre-installed. 8.40.1:F5 AXIS Motion Guard and Fence Guard 2.1.4 are now pre-installed. 8.40.1:F6 AXIS Loitering Guard 2.1.4 is now pre-installed. 8.40.1:F7 Updated help files with more detailed information about SMB and Certificate support in AXIS products. 8.40.1:F8 Added a new section "Snapshot of current CPU utilization" that prints information about CPU utilization and memory consumption of processes in the server report. 8.40.1:F9 Changed the default timeout of HTTP-Recipient based action rules from 10s to 120s to compensate for unstable networks or slow clients. After the timeout is reached, the action rule will be re-tried. 8.40.1:F10 Modified the access rights for serial-port connected cameras to increase overall minimum cyber security level. Features in 8.30.1 ================================================================================ 8.30.1:F1 Added the possibility for the user to share anonymous usage data with AXIS developers. 8.30.1:F2 Added support for AES-XTS-512 256-bit SD card encryption. 8.30.1:F3 Prepared support for signed firmware to increase overall cyber security level. It is planned that the product will only accept AXIS security-signed firmware starting in Q1/Q2 2019 and onwards. 8.30.1:F4 Added support for automatically negotiating the preferred SMB protocol version with SMB 2.1 or higher in order to increase the overall minimum cybersecurity level. Please refer to the follwing FAQ for more information -> https://www.axis.com/support/faq/FAQ116392. In case SMB 1.0 or SMB 2.0 is required due to compatibility issues, we recommend setting the Extra Mount Options in PlainConfig -> Storage to a specific version"vers=x.y" (e.g vers=1.0 or vers=2.0). Please note that there are two Storage groups that are related to a mounted network share (normally Storage S1 and Storage S2) and both of them need to have the correct version in Extra Mount Options. 8.30.1:F5 Added support for ONVIF Audio Backchannel with support for G711 and G726 audio codec. Cameras are able to retrieve audio while sending an audio capable video stream with metadata in the same RTSP session. 8.30.1:F6 Updated OpenEmbedded to version Poky Rocko to increase overall cyber security level. 8.30.1:F7 Updated the maximum number of recipients for action rules to 20 from 10. 8.30.1:F8 Changed the default setting of SRTP to disabled in order to reduce the number of ports opened by default. 8.30.1:F9 AXIS Motion Guard and Fence Guard 2.1.3 are now pre-installed. 8.30.1:F10 AXIS Loitering Guard 2.1.3 is now pre-installed. 8.30.1:F11 AXIS Video Motion Detection 4.2.4 is now pre-installed. 8.20.1:F1 The possibility to edit scripts in camera has been disabled per default in order to increase minimum cyber security level. 8.20.1:F2 Added support for polygon privacy masks. 8.20.1:F3 Changed the default audio bitrate to 32 kbps. 8.20.1:F4 Updated AXIS Video Motion Detection to version 4.2.1. 8.20.1:F5 Changed the default input audio gain from 30 dB to 45 dB. 8.20.1:F6 Updated NTP server (openntpd) to version 6.2p3. 8.20.1:F7 Updated Fence- and Motion-Guard to version 2.1 with support for burnt-in alarm overlay support. 8.20.1:F8 Added support for showing hidden resolutions via API. The parameter Properties.Image.ShowSuboptimalResolutions has been added which will, when enabled, show all of the products supported resolutions. Corrections in 8.40.1 ================================================================================ 8.40.1:C1 Corrected an issue that resets the barrel distortion correction settings after updating the camera. 8.40.1:C2 Corrected an issue with incorrect handling of ACAPs after camera boot. 8.40.1:C3 Corrected an issue that prevented the user from formatting SD cards and the web- interface to show incorrect information about network share status in Settings -> System -> Storage. 8.40.1:C4 Added selection boxes for disabling TLSv1.0 and TLSv1.1 in Settings -> System -> PlainConfig -> HTTPS to enforce the highest possible TLS version for HTTPS-based connections. 8.40.1:C5 Corrected an issue that could cause a network share to become read-only. 8.40.1:C6 Corrected an issue that prevented the overlay to show the correct state of inputs when toggling. 8.40.1:C7 Corrected an issue in the ACAP framework that caused installed ACAPs to become unresponsive and the Apps tab not to be shown correctly. 8.40.1:C8 Corrected an issue that let the network share test under Events -> Recipient fail when a NAS was connected that only supports SMB 1.0 or SMB 2.0. 8.40.1:C9 Corrected an issue that caused AXIS Perimeter Defender or SafeZoneEdge to stop working after a firmware upgrade. 8.40.1:C10 Corrected an issue that caused the certificate signing request not to have an LF (alt. CR-LF) every 64th character causing the certificate considered not being valid e.g. when using symantec certificates. 8.40.1:C11 Corrected an issue that prevented the user from creating a Recipient when a "-" sign was present in the host name. 8.40.1:C12 Corrected an issue that could cause the configuration file upload from ADM to camera to fail. 8.40.1:C13 Corrected an issue that prevented the user to export recordings in the desired time range. 8.40.1:C14 Corrected an issue that prevented the camera to switch between Day/Night mode on rare occasions. 8.40.1:C15 Patched security vulnerability CVE-2018-5390 to increase overall minimum cyber security level. 8.40.1:C16 Patched security vulernability CVE-2018-14526 to increase overall minimum cyber security level. Corrections in 8.30.1 ================================================================================ 8.30.1.1:C1 Corrected an issue that caused the web-interface to show either none or wrong information about the network share status after mounting a share in Settings -> System -> Storage. Previously the user needed to refresh the browser page via F5 in order to get the correct information shown. 8.30.1.1:C2 Corrected an issue that caused AXIS Perimeter Defender or SafeZoneEdge to stop working after a firmware upgrade. 8.30.1.1:C3 Corrected an issue in the ACAP framework that caused installed ACAPs to become unresponsive on rare occasions and the Apps tab to not be shown correctly. 8.30.1.1:C4 #Affected Products #M5525-E Corrected an issue that prevented the camera from finding good focus on rare occasions. 8.30.1:C1 Corrected an issue that could display wrong possible maximum FPS in Settings -> Image. 8.30.1:C2 Corrected an issue that could cause the camera to get stuck in night mode when WDR setting changed. 8.30.1:C3 Corrected an issue that let the I/O API respond with an incorrect port number. 8.30.1:C4 Corrected an issue that caused the camera to become unresponsive on rare occasions when running ACAPs without specified ApplicationId. 8.30.1:C5 Increased user awareness when converting legacy overlays to dynamic overlays. A restart of ongoing recordings is required after overlay conversion. 8.30.1:C6 Corrected an issue with the Axis event handling interface when deactivating events. 8.30.1:C7 Updated OpenSSL to version 1.0.2o to increase overall minimum cyber security level. 8.20.1.1:C1 #Affected Products #Q6124-E #Q6125-LE #Q6155-E Support for new encoder chip hardware for Q61-Series. 8.20.1.1:C2 #Affected Products #P3228-LV #P3227-LVE #P3228-LVE Corrected an issue that caused the camera to not switch the IR Cut Filter setting in rare occasions. Note that a powercycle of the camera is required after the upgrade. 8.20.1.1:C3 #Affected Products #P1447-LE #P1448-LE #P1367 #P1368-E #Q1645 #Q1647 Improved noise reduction tuning for dark scenes. 8.20.1:C1 Corrected an issue that made it necessary for the user to refresh manually the storage configuration page in the web-interfce to be updated e.g. when a storage has been disconnected from the camera. 8.20.1:C2 Corrected critical vulnerability ACV-128401. 8.20.1:C3 Corrected an issue with the AXIS event handler registration for ADP partners. 8.20.1:C4 Corrected an issue that caused the camera to become unreachable via link local address in the network when connecting client was in another subnet. 8.20.1:C5 Corrected an issue that caused the camera to stop streaming in rare occasions. 8.20.1:C6 Corrected an issue that made it necessary to login twice when connecting to the web-interface using Microsoft Edge. 8.20.1:C7 Corrected an issue that prevented trigger data to be inserted in every I-frame and when motion detection triggers. 8.20.1:C8 Corrected an issue when testing multiple email recipients. 8.20.1:C9 Corrected an issue where e-mail recipients could be wrongly formatted. 8.20.1:C10 Corrected an issue that prevented the user from taking image snapshots in H264 when using the Safari web browser. 8.20.1:C11 Corrected an issue that prevented the use of the whole sensor width for some aspect ratios. 8.20.1:C12 Corrected an issue that could cause synchronization to AVHS to fail. Known Bugs/Limitations ================================================================================ 8.40.3:L1 It is recommend to refresh the browser with F5 after doing a FW upgrade from FW 6.xx to 8.xx or higher in order to show all the new settings in the web- interface. 8.30.1.1:L1 When using the Edge or Firefox web browser automatic license installation doesn't work as expected. 8.30.1.1:L2 Some parts of the web-interface may not be fully translated. 8.30.1.1:L3 It is not possible to update the product using Genetec 5.7 SR2. Genetec will provide a patch in 5.7 SR3. 8.30.1.1:L4 There is only one available pre-installed audio clip (Camera clicks). 8.20.1.1:L1 When downgrading a firmware the static IP configuration is lost. Axis recommends to perform a factory reset after downgrading. 8.20.1.1:L2 When using an iOS device and Chrome or Safari web browser it is not possible to switch from viewer to administrator or operator. Supported AXIS VAPIX API Image Resolutions for Q1645/-LE ================================================================================ Resolution Exceptions ========== ========== 1920x1080 1400x1050 1440x960 1280x960 1280x720 1024x768 800x600 854x480 800x450 720x480 640x480 672x448 640x360 480x360 480x320 320x240 320x180 240x180 240x160 160x120 768x576 1) 720x576 1) 704x576 1) 704x480 1) 704x288 1) 704x240 1) 480x270 1) 384x288 1) 352x288 1) 352x240 1) 192x144 1) 176x144 1) 176x120 1) 1) Not visible in web user interface