Fixed an issue on PA-3000 Series firewalls where the mprelay process stopped responding when processing IPv6 neighbor discovery updates.

Fixed an issue on PA-3000 Series, PA-3200 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls where Captive Portal was inaccessible for traffic on Secure HTTP (https) websites when SSL decryption was enabled and users were behind a proxy server.

A security-related fix was made to prevent HTTP Header Injection in the Captive Portal.

Fixed an issue where the firewall revealed part of a password in cleartext on the command-line interface (CLI) and management server (mgmtsrvr) log when an administrator attempted to set a password that exceeded the maximum number of characters (31) using the CLI. With this fix, the firewall reports an error when an administrator attempts to set a password that contains more than 31 characters without revealing any part of the actual password.

Fixed an issue where a firewall sent packets out of order when the sending rate was too high.

Fixed an issue where QSFP+ interfaces (13 and 14) on a PA-7000-20GQ-NPC Network Processing Card (NPC) unexpectedly flapped when the card was booting up.

Fixed an issue where the request system external-list show type ip name <EDL_name> CLI command did not display external dynamic list entries after you restarted the management server (mgmtsrvr) process.

Fixed an issue where the management server (mgmtsrvr) process on the firewall restarted when you pushed configurations from the Panorama management server.

Fixed an issue where the firewall applied the wrong checksum when a re-transmitted packet in a NAT session had different TCP flags, which caused the recipient to drop those packets.

Fixed an issue where the firewall displayed a continue-and-override response page when users tried to access a URL that the firewall incorrectly categorized as unknown because it learned the URL field as an IP address.

Fixed an issue where some ICMP Type 4 traffic was not blocked as expected after you created a deny Security policy rule with custom App-ID for ICMP Type 4 traffic.

Fixed a rare issue on PA-7000 Series firewalls where 20GQ NPC QSFP+ ports didn't link up (during online insertion and removal (OIR), link-state change, or boot up events) and became unrecoverable until the NPC was restarted.

A security-related fix was made to address a Cross-Site Scripting (XSS) vulnerability in the PAN-OS response to a GlobalProtect gateway (CVE-2018-10139).

A protocol-related fix was made to address a bug in the OSPF protocol.

Fixed an issue in a bi-directional User-ID redistribution configuration where the User-ID (useridd) process stopped responding when same IP address was continually associated with different usernames, which caused the IP address-to-username mapping to continually sync between firewalls.

Fixed an issue where expiration of the Captive Portal browser-session cookie was set incorrectly on the browser to 24 hours by default. With this fix, the Captive Portal browser-session cookie expires when the browser session is terminated.