End-of-Life (EoL)

PAN-OS 7.1.17 Addressed Issues

The following table lists the issues that are addressed in the PAN-OS® 7.1.17 release. For new features, associated software versions, known issues, and changes in default behavior, see PAN-OS 7.1 Release Information. Before you upgrade or downgrade to this release, review the information in Upgrade to PAN-OS 7.1.
Starting with PAN-OS 7.1.5, all unresolved known issues and any newly addressed issues in these release notes are identified using new issue ID numbers that include a product-specific prefix. Issues addressed in earlier releases and any associated known issue descriptions continue to use their original issue ID.
A security-related fix was made to prevent a Cross-Site Scripting (XSS) attack through the PAN-OS session browser (CVE-2018-9335).
Fixed an issue where PA-7000 Series firewalls caused slow traffic over IPSec VPN tunnels because the firewalls reordered TCP segments during IPSec encryption when the tunnel session and inner traffic session were on different dataplanes.
A security-related fix was made to prevent denial of service (DoS) to the management web interface (CVE-2018-8715).
Fixed an issue where firewalls configured for User-ID redistribution did not redistribute IP address-to-username mappings due to a memory leak.
Fixed an issue where enabling jumbo frames (Device > Setup > Session) reduced throughput because:
  • The firewalls hardcoded the maximum segment size (TCP MSS) within TCP SYN packets and in server-to-client traffic at 1,460 bytes when packets exceeded that size. With this fix, the firewalls no longer hardcode the TCP MSS value for TCP sessions.
  • PA-7000 Series firewalls hardcoded the maximum transmission unit (MTU) at 1,500 bytes for the encapsulation stage when tunneled clear-text traffic and the originating tunnel session were on different dataplanes. With this fix, the firewalls use the MTU configured for the interface (Network > Interfaces > <interface> > Advanced > Other Info) instead of hardcoding the MTU at 1,500 bytes.
Fixed an issue on firewalls in an active/passive high availability (HA) configuration where the management server on the passive firewall restarted because it exceeded the virtual memory limit during HA synchronization.
Fixed an issue on PA-7000 Series firewalls where one or more dataplanes did not pass traffic when you ran several operational commands (from any firewall user interface or from the Panorama management server) while committing changes to device or network settings or while installing a content update.
Fixed an issue where the GlobalProtect agent failed to establish a TCP connection with the GlobalProtect gateway when TCP SYN packets were set with unsupported congestion notification flag bits (ECN or CWR).
A security-related fix was made to prevent a local privilege escalation vulnerability that allowed administrators to access the password hashes of local users (CVE-2018-9334).
Fixed an issue on PA-7000 Series firewalls in a high availability (HA) configuration where the HA3 link did not come up after you upgraded to PAN-OS 7.1.14, 7.1.15, or 7.1.16.
A security-related fix was made to prevent a local privilege escalation vulnerability that could potentially result in the deletion of files (CVE-2018-9242).
Fixed an issue where the firewall could not authenticate to a hardware security module (HSM) partition when the partition password contained special characters.
Fixed an issue where commit validation failed on firewalls after you disabled the option to Share Unused Address and Service Objects with Devices on the Panorama management server, assigned the firewalls to a template stack, and pushed an interface configuration that referenced an address object instead of an address that you typed.
Fixed an issue where the firewall rebooted because the User-ID process (useridd) restarted several times when endpoints, while requesting services that could not process HTTP 302 responses (such as Microsoft update services), authenticated to Captive Portal through NT LAN Manager (NTLM) and immediately disconnected.
Fixed an issue on PA-3000, PA-5000, and PA-7000 Series firewalls where heavy IPv6 traffic caused session offloading to fail, which reduced throughput.
Fixed an issue where the firewall dataplane restarted while processing traffic after you enabled SSL Inbound Inspection decryption but not SSL Forward Proxy decryption.
Fixed an issue on the Panorama management server where, after you renamed an object in a device group, a commit error occurred because policies in the child device groups still referenced the object by its old name.
Fixed an issue where the firewall took longer than expected to collect group mapping information from Active Directory groups that had circular nesting (Device > User Identification > Group Mapping Settings > <group_mapping_configuration> > Group Include List).
Fixed an issue where only administrators with the superuser dynamic role could run the show logging-status CLI command. With this fix, the command is available to administrators with dynamic or custom roles that have the privileges associated with the following role types: superuser, superreader, deviceadmin, devicereader (Device > Admin Roles > <admin_role_profile> > Command Line).
Fixed an issue where administrators could not log in to the firewall web interface due to the root partition running out of disk space because management logs continued growing without the firewall ever deleting them.
Fixed an issue where the Panorama web interface and CLI displayed a negative value for the Log Storage capacity (Panorama > Collector Groups > <Collector_Groups> > General).
Fixed an issue on PA-7000 Series, PA-5000 Series, and PA-3000 Series firewalls in an active/passive high availability (HA) configuration where manually restarting the dataplane caused the all_pktproc process to stop responding.
Fixed an issue where the Panorama M-100 appliance stopped responding while one job for deploying a software or content update was still in progress when another update deployment job started (Panorama > Device Deployment).
Fixed an issue where, when available swap space approached the maximum capacity on a firewall, the masterd process restarted multiple processes without successfully reducing swap usage because it did not restart the process that triggered the high usage. With this fix, masterd reduces swap usage when necessary by restarting the process that uses the highest combination of physical memory and swap space.
Fixed an issue on PA-3000 Series firewalls where, after you manually restarted the dataplane (Device > Setup > Operations), in rare cases it spontaneously restarted repeatedly due to an FPGA calibration failure. With this fix, after detecting an FPGA calibration failure, the firewall enters maintenance mode to prompt you to power cycle the firewall for recovery.
