Functionality was added to enable, via the CLI, the removal of
key exchange algorithms used by SSH. Use
debug system ssh-kex-prune cipher [diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1 .. ]
to enable removal of specified key exchanges. Use
debug system ssh-kex-prune none
to enable addition of key exchanges.
PAN-159135
Fixed an issue where the firewall rejected
SAML Assertions, which caused user authentication failure when the
Validate Identity Provider Certificate was enabled in the SAML Server
Profile in vsys3 or above.
PAN-158988
Fixed an issue with HTTP Header Insertion
where the payload was truncated when processing a segmented TCP
stream and when the client retransmitted the packet with the same
sequence number that was previously received segmented.
PAN-158844
Adds additional debugging to be used in
identifying the malformed references causing process crashes during
FQDN refresh.
PAN-158638
Fixed an issue where the firewall returned
the following error message when attempting to request a device
certificate using a one-time password (OTP):
invalid ocsp response sig-alg.
PAN-156240
A fix was made to address an issue where
a cryptographically weak pseudo-random number generator (PRNG) was
used during authentication to the PAN-OS interface. As a result,
attackers with the capability to observe their own authentication
secrets over a long duration on the firewall had the ability to
impersonate another authenticated web interface administrator's
session (CVE-2021-3047).
PAN-155009
Fixed an issue on the firewall where executing
the request system bootstrap-usb prepare CLI
command returned a server error.
PAN-154114
A fix was made to address a vulnerability
related to information exposure through log files in PAN-OS where
secrets in PAN-OS XML API requests were logged in cleartext in the
web server logs when the API was used incorrectly (CVE-2021-3036).
PAN-153213
Fixed a rare issue where TCP packets randomly
dropped due to reassembly failure.
PAN-152648
Fixed an issue where multiple all_pktproc processes
stopped responding, which caused the dataplane to restart.
PAN-152098
Fixed an issue where the Policy Optimizer
for some device groups showed incorrect data with a - character
in the rule usage column.
PAN-151458
Fixed an issue on firewalls with high availability
active/active configurations where GlobalProtect gateways timed
out on-demand connections. This occurred because the
Inactivity Logout timer did not reset.
PAN-150998
Fixed an issue where, when deploying a VM-Series
firewall on VMware NSX that had been assigned a serial number that
was used by a previously deactivated firewall, the new firewall
was deployed in a deactivated or partially deactivated state.
PAN-150852
Fixed an issue with SMTP that occurred when
attachment file names were longer than the allocated buffer. If
the file name was longer than the buffer and Layer 7 inspection
was enabled, the file was dropped, which caused session errors and
prevented the email from being sent.
PAN-150798
(PA-7000 Series firewalls only)
Fixed an issue where Network Processing Cards (NPC) took longer
than expected or failed to boot.
PAN-150023
A fix was made to address an issue where
an improper authentication vulnerability enabled a Security Assertion
Markup Language (SAML) authenticated user to impersonate any user
in the GlobalProtect portal and GlobalProtect gateway when they
were configured to use SAML authentication (CVE-2021-3046).
PAN-149641
Fixed an issue where firewalls stopped refreshing
IP tag information when configured with the
VM Information Sources feature
with a VMware vCenter Server.
PAN-149339
Fixed an issue where, when an ECMP route
changed, the flow table in the offload engine was not updated.
PAN-147783
Checks were added to help prevent the dataplane
from restarting.
PAN-147781
A fix was made to address an issue where
an OS command argument injection vulnerability in the PAN-OS web
interface enabled an authenticated administrator to read any arbitrary
file from the file system (CVE-2021-3045).
PAN-147254
jQuery was updated to 3.5.1.
PAN-147221
Improved QoS scheduling for Bidirectional
Forwarding Detection (BFD) and BGP to address the internal handling
of BGP and BFD packets under high resource constraints.
PAN-145733
Fixed an issue where the SNMP INDEX for panZoneTable in
the PAN-COMMON-MIB.my file did not
work as expected, which led to entries in panZoneTable not
being uniquely identified.
PAN-144975
Fixed an intermittent issue where a high
traffic load in a Layer 2 deployment caused SNMP and Panorama health
monitoring failures.
PAN-136347
Fixed an issue where DNS proxy TCP connections
were processed incorrectly, which caused a process (dnsproxy)
to stop responding.
PAN-136073
Fixed an issue where the High Speed Chassis
Interconnect (HSCI) port flapped continuously after an upgrade or
reboot.
PAN-132035
Fixed an issue on Panorama appliances in
an active/passive HA configuration where a managed firewall generated
high priority alerts that it failed to connect to the passive Panorama
appliance's User-ID agent server. This issue occurred because the
firewall was only able to connect to one Panorama User-ID server
at a time, and it connected only to the active Panorama appliance's
User-ID server.
PAN-131474
A fix was made to address a vulnerability
related to information exposure through log files in PAN-OS where
the connection details for a scheduled configuration export were
logged in system logs (CVE-2021-3037).
PAN-128042
Fixed an issue where the dynamic address
group failed due to a process (devsrvr) not being synced
with another process (useridd).
PAN-124579
Fixed an issue where a process (all_task_3) restarted,
which caused the tunnels to reset.