Cutting Edge Firmware Release October 2nd, 2014 – Version 2014093030/2014100200

This new firmware release contains important bug fixes for our August 2014 Cutting Edge and Stable Firmware releases. It also fixes all potential security issues with the embedded Bash shell used internally in our routers (known as “Shellshock”). Although a Shellshock attack against our products is very hard to achieve without local system access, there is still a significant risk that needs to be closed.

We urge all our customers to update to this firmware release as soon as possible.

This firmware release does not bring any new functionality but major bug fixes only. Also, this firmware is identical for both firmware branches, Cutting Edge and Stable.

Customers still running earlier firmware releases than the August 2014 stable firmware are advised to check the release notes of the August release in detail before installing this release, due to a high number of improvements and bug fixes.

Bug fixes:

  • Since last week, multiple exploits in the widely used Bash shell have been discovered. While we don't use the Bash shell in any direct way where it would be exposed to the outside world, it is used by the DHCP client service running for the WAN modules. There is an unconfirmed possible attack vector: if an attacker were able to run a compromised DHCP server connected to a Viprinet WAN Ethernet module, and if this Ethernet module were configured to use DHCP, the router could be made to execute code using manipulated DHCP options.

    This release incorporates all published patches to bash and to our knowledge fixes all known vulnerabilities.

    Until you have updated, disabling DHCP on WAN Ethernet modules and using a statically configured IP instead would also close the potential attack vector.

    To the best of our knowledge, there is no attack vector for VPN Hubs, and no attack vector with any other of our router or VPN services. 
  • VDSL modules would always return “No answer received from modem” when checking module info
  • CDMA450 modules had several problems with resetting and switching from/back to power saving mode. All of these issues have been fixed.
  • In very rare cases, SIM initialization could fail for our LTE modules due to a Qualcomm bug. A work-around makes sure this no longer happens.
  • By creating invalid port forwarding entries, you could create a port forwarding of doom which would lock you out of the router. You no longer can shoot yourself in the foot this way.
  • If you created a routing rule with all options set to “Ignore”, you would effectively create a default route, potentially locking yourself out of the router. This way of shooting yourself in the foot also no longer works.

Cutting Edge Firmware Release December 11th, 2014 – Version 2014093030/2014121100

This new firmware release adds support for the final version of our new VDSL modules to the router firmware. It also brings various bug fixes compared to the October 2nd stable firmware release. And finally this release brings some significant performance improvements for the 5XX router series – depending on the setup, these routers now can bond up to 50 MBit/s instead of 35 MBit/s.

Please note: Beta versions of the VDSL module are NOT compatible with this firmware release, and the final version of the VDSL modules now shipping is incompatible with any previous Viprinet firmware release. If you wish to use VDSL modules, you must upgrade the router to this firmware release.

Please note: If you are using VPN Clients, we highly recommend updating VPN Hubs to this release. All previous releases contain a crash bug, where a certain pattern of VPN Clients connecting/disconnecting can cause the Hub to reboot.

This release is fully compatible with the October 2nd stable firmware release. It is therefore OK to keep running the Stable Firmware release on VPN Hubs, and only update VPN Nodes that need the improvements listed here.

Customers still running earlier firmware releases than the October 2014 stable firmware are advised to check the release notes of that release in detail before installing this release, due to a high number of improvements and bug fixes.

New features

  • Default congestion control now is cubic, default autotuning Hybrid. There have been significant improvements to the Hybrid autotuning mode.
  • Full support for final version of VDSL modules.
  • A new HTTPS CA database is now used, which includes support for various CAs that customers have requested.

Bug fixes

  • Managed SIMs got disabled after an hour of the activation server being unreachable, while they are meant to be disabled after 24 hours.
  • When a VPN Client disconnected and a different client user later connected with the IP of the previous user getting re-used, this could cause the VPN Hub to crash and reboot.
  • Access Point Settings were missing the option to configure administrative rights.
  • On router startup, the error message “The tunnel password for the tunnel contains illegal characters” was printed to the log.
  • If two or more WAN modules were power-cycled exactly at the same time, sometimes the modules would not come back, with a router reboot needed to get back the modules.
  • TKIP is now disabled for HT clients on 5XX WLAN AP in 802.11n.
  • Manual firmware updates may now also be uploaded if the automatic firmware check resulted in the “UpdatesAvailable” status.
  • All 51X routers have their configuration files now marked as compatible to each other. Before 511, 512 and 513 weren't allowed to use 510 configuration and vice versa.
  • Fixed Hub 5000/5010 picture size in web interface.
  • If the SSH CLI was activated, a connection flood to port 22 could be used to run a DoS attack against the router.

Cutting Edge Firmware Release February 11th, 2015 – Version 2014110730/2015021100

This new cutting edge release is supposed to be the final firmware release of the “classic” series bringing new features before moving to our “Next generation” firmware platform.

This release brings a lot of stability fixes to polish this firmware release for a long use cycle (until customers are upgrading to the NG firmware).

This release is fully compatible with the October 2nd 2014 stable firmware release. It is therefore OK to keep running the Stable Firmware release on VPN Hubs, and only update VPN Nodes that need the improvements listed here (or the ones from the December 11th 2014 cutting edge release). Please note that you need to install this firmware release for VDSL or “4G Europe II” modules to be supported.

Customers still running earlier firmware releases than the October 2014 stable firmware are advised to check the release notes of that release in detail before installing this release, due to a high number of improvements and bug fixes.

New features

  • It is now possible to configure DNS servers for VPN Client groups. If done so, the VPN Client will use these DNS servers instead of using the Hub's DNS. This allows the VPN Client to be used in combination with a Domain controller, so VPN Client users can become part of a Windows domain.
  • The new “4G Europe II” module is now supported.
  • The CLI now supports ping, traceroute and moduleinfo tools (similar to what you can use in the web interface).

Bug fixes

  • Fixed race condition that caused update scripts to sometimes get called twice when starting them manually.
  • Very big (100MB+) local update packages are now supported.
  • Fixed the bug that offline firmware uploads are sometimes aborted, resulting in corrupted firmware uploads getting rejected. This happened if there was just 100ms without data getting sent during the upload. It mostly happened with the new web interface and when doing updates remotely.
  • The distribution of system load on multi-core Hubs has been improved.
  • Changed maintenance contract warning start to March 2015.
  • Several improvements for LTE status reporting.
  • Fixed a bug that caused OptimalLatencyBelow not to be displayed in monitoring API and -tool. 
  • IP address of a replaced device in Hub hotspare mode is now shown in the new web interface.
  • Several bug fixes for the channel congestion notification system.
  • The SIM traffic reporting could end up in a state where it never committed its values to the accounting server.

Cutting Edge Firmware Release March 31st, 2015 – Version 2015031230/2015032801

This new cutting edge release fixes two rare but critical bugs contained in previous firmware releases including the February 25th stable release. We recommend that all Multichannel VPN Hub 5010 be updated. Also, the new 4G LTE Modules available since late March 2015 should only be used in node routers that have been updated to this firmware.

For all other users, there is no immediate need to update from the current stable firmware.

This release is fully compatible with the February 25th stable firmware release. It is OK only to update devices that need the fixes from this release, keeping all other routers on the stable firmware release.

Bug fixes

  • Using multiple of the new 4G modules could completely block the router in case the module had been unable to read home network information from the SIM.
  • Network name display for some carriers (e.g. T-Mobile) was broken for the 4G Europe II module.
  • Under very rare circumstances, corrupted SSL data could cause the Hub 5010 to crash and reboot.
  • 4G modules used in a stacking slave for some mobile networks have been unable to connect.
  • Under rare conditions WWAN modules may fail to read the IMSI and Home MCC/MNC from the SIM, causing Automatic APN Detection to fail.
  • APN Database entries updated for AT&T USA, Rogers and Telus Canada.

Cutting Edge Firmware Release July 24th, 2015 – Version 2015072130/2015072405

This new cutting edge firmware release fixes a rare VPN Hub crash bug, and further prepares users for an upgrade path to the upcoming RuggedVPN new firmware generation. This firmware release is compatible with both the February 25th 2015 stable firmware release (Version 2014110730/2015021100) and the March 31st 2015 cutting edge firmware (Version 2015031230/2015032801).

New features

  • The license manager available in RuggedVPN is now also available in the classic firmware.
  • The SupportID that is needed to register a router for the upcoming Viprinet Lifetime Maintenance System is now displayed.

Bug fixes

  • A rare crash bug on VPN Hubs caused by outdated VPN Clients connecting was fixed.
  • In a node stacking setup, stacked Nodes would never share LAN routes.
  • Fix for GPS not updating speed and heading.
  • All products should be displaying CPU and System core temperature now. Please note that for some products a different temperature sensor deeper inside the CPU is now used. This may cause your CPU temperature to jump up by 10-20°C. This is not a problem and not a defect.
  • QoS rules matching only on TOS were ignored in the past.
  • Updated all warning popups regarding a missing maintenance contract and RuggedVPN. We'd like to apologize for any confusion caused by these nag screens in previous firmware releases.
  • When a classic router was connecting to a RuggedVPN Hub, under very rare circumstances traffic could have been blocked for QoS classes using BondingTCPOptimizer on the classic node.
  • In the past, changing "Enabled mobile technologies" sometimes did not work, especially when executed on a module that right now has a data connection open. It now should always work.

Cutting Edge Firmware Release August 18th, 2015 – Version 2015072130/2015081800

This new cutting edge firmware release fixes a very rare VPN Hub crash bug, a very rare bug in Node stacking, and a couple of other minor issues. We recommend updating to this firmware release in case you are running Node stacks.

This firmware release is compatible with both the February 25th 2015 stable firmware release (Version 2014110730/2015021100) and all cutting edge releases since.

New features

  • A valid Warranty extension license that has not expired is now also counted for "Under Maintenance Contract". If your router still has Warranty left, you are therefore now able to upgrade to RuggedVPN even if you haven't yet converted your Warranty license to a Viprinet Lifetime Maintenance contract. For warranty extensions we now also display how many days are left.

Bug fixes

  • A rare crash bug on VPN Hubs caused by outdated VPN Clients connecting was fixed.
  • After router boot, a stacking master node could fail to bind its communication socket under rare circumstances, causing stacking slaves not to be able to connect to the master, which in turn would cause a split brain situation.
    In this worst case, the stacking master will now instead reboot to resolve this split brain.
  • In very rare circumstances, two stacking nodes that were in a split conflict and, at the exact same time, reconnecting to a Hub whose tunnel had previously been disconnected for less than 3 minutes could cause the Hub to crash.
  • In SNMP, vpnRouterCPULoad was exported as string instead of integer as it should be.
  • For VDSL Modules the sync speed reported in the log ("Synched Downstream/Upstream Rate") was swapped. The actual values used were correct, so this is a display issue only.
  • In case a VPN Hub had an invalid DNS resolver configuration, doing the DNS reverse lookup for incoming channel connections could take very long. In case of a lot of channels reconnecting, this could delay any connects to complete for a very long time. Now, incoming channel connections are no longer reverse-resolved.

Cutting Edge Firmware Release October 29th, 2015 – Version 2015081830/2015102900

This new cutting edge firmware fixes a couple of bugs relevant to upgrading to RuggedVPN. It also contains important bug fixes for anyone using mobile Broadband (UMTS, CDMA, LTE) in their setup.

This firmware release is compatible with both the February 25th 2015 stable firmware release (Version 2014110730/2015021100) and all cutting edge releases since.

New features

  • It is now allowed to upgrade from Classic to RuggedVPN without a maintenance license in place. A warning will be shown when doing so. Please note that RuggedVPN still requires a VLM subscription. However, you no longer have to do the VLM registration first before installing RuggedVPN firmware, but can do this after installing the RuggedVPN firmware.
  • After installation of RuggedVPN, the router will keep working for 14 days. If no VLM license has been installed (or if the router hasn't been downgraded to Classic firmware) by then, the device will cease operation. This also allows our customers to trial RuggedVPN firmware.
  • This Cutting Edge firmware introduces full support for Northern European LTE 450 modules.

Bug fixes

  • Licenses will now be deleted if instructed by the license server, and the online license deactivation function also is available now.
  • Fixed bug that caused the device MCC/MNC not getting re-read in case the first read failed. This sometimes caused the APN auto detection to fail.
  • Resetting or reconnecting an LTE module can cause the router's internal timer to get out of sync for up to two seconds. Due to this, channels will behave strangely: You can see high latency, channel stalls etc. This problem is now fixed. Reconnecting or resetting an LTE module no longer should affect other channels.
  • Due to the Anti-DDoS connection limiter not being initialized correctly, in all previous firmware releases sometimes the config data transfers between active and Hotspare Hubs could fail with an SSL error.
  • The maintenance license type "Iron", which will be used in OEM projects, is now supported.
  • Upgrading from Classic to RuggedVPN without a maintenance license in place now also works with the old web interface.
  • Added missing "Deactivate" button for license manager
  • A pre-existing config file from a previous RuggedVPN install will now be removed when doing a factory reset.
  • There was a way to close SSH CLI connections without the connection limiter knowing. This could cause an IP to be locked out of the CLI forever after too many reconnects.
  • License manager will now always use the right interface to do license activations and de-activations. Before it only worked if the default route was on a VPN Tunnel.
  • The connection limiter / DDoS protection has been changed. HTTP, VPN, SSH, Stacking and Hotspare connections are now counted individually per IP.

Classic Stable Firmware Release November 27th, 2015 – Version 2015081830/2015102900

This stable firmware fixes a couple of bugs relevant to upgrading to RuggedVPN. It also contains important bug fixes for anyone using mobile Broadband (UMTS, CDMA, LTE) in their setup, and fixes rare Hub 5010 crashes and issues that can occur with Node stacking. 

This firmware release is compatible with both the February 25th 2015 stable firmware release (Version 2014110730/2015021100) and all cutting edge releases since. We recommend updating each and every Viprinet Hub and Node to this firmware. The firmware release is identical to the October 29th Cutting Edge firmware.

New features

  • The license manager available in RuggedVPN is now also available in the classic firmware.
  • The SupportID that is needed to register a router for the upcoming Viprinet Lifetime Maintenance System is now displayed.
  • It is now allowed to upgrade from Classic to RuggedVPN without a maintenance license in place. A warning will be shown when doing so. Please note that RuggedVPN still requires a VLM subscription. However, you no longer have to do the VLM registration first before installing RuggedVPN firmware, but can do this after installing it. After installation of RuggedVPN, the router will keep working for 14 days. If no VLM license has been installed (or if the router hasn't been downgraded to Classic firmware) by then, the device will cease operation. This also allows our customers to trial RuggedVPN firmware.
  • This firmware introduces full support for Northern European LTE 450 modules.

Bug fixes

  • Using multiple of the new 4G modules could completely block the router in case the module had been unable to read home network information from the SIM.
  • Network name display for some carriers (e.g. T-Mobile) was broken for the 4G Europe II module.
  • Under very rare circumstances, corrupted SSL data could cause the Hub 5010 to crash and reboot.
  • 4G modules used in a stacking slave for some mobile networks have been unable to connect.
  • Under rare conditions WWAN modules may fail to read the IMSI and Home MCC/MNC from the SIM, causing Automatic APN Detection to fail.
  • APN Database entries updated for AT&T USA, Rogers and Telus Canada.
  • A rare crash bug on VPN Hubs caused by outdated VPN Clients connecting was fixed.
  • In a node stacking setup, stacked Nodes would never share LAN routes.
  • Fix for GPS not updating speed and heading.
  • All products should be displaying CPU and System core temperature now. Please note that for some products a different temperature sensor deeper inside the CPU is now used. This may cause your CPU temperature to jump up by 10–20°C. This is not a problem and not a defect.
  • QoS rules matching only on TOS were ignored in the past.
  • Updated all warning popups regarding a missing maintenance contract and RuggedVPN. We'd like to apologize for any confusion caused by these nag screens in previous firmware releases.
  • When a classic router was connecting to a RuggedVPN Hub, under very rare circumstances traffic could have been blocked for QoS classes using BondingTCPOptimizer on the classic node.
  • In the past, changing “Enabled mobile technologies” sometimes did not work, especially when executed on a module that right now has a data connection open. It now should always work.
  • After router boot, a stacking master node could fail to bind its communication socket under rare circumstances, causing stacking slaves not to be able to connect to the master, which in turn would cause a split brain situation. In this worst case, the stacking master will now instead reboot to resolve this split brain.
  • In very rare circumstances, two stacking nodes that were in a split conflict and, at the exact same time, reconnecting to a Hub whose tunnel had previously been disconnected for less than 3 minutes could cause the Hub to crash.
  • In SNMP, vpnRouterCPULoad was exported as string instead of integer as it should be.
  • For VDSL Modules the sync speed reported in the log (“Synched Downstream/Upstream Rate”) was swapped. The actual values used were correct, so this is a display issue only.
  • In case a VPN Hub had an invalid DNS resolver configuration, doing the DNS reverse lookup for incoming channel connections could take very long. In case of a lot of channels reconnecting, this could delay any connects to complete for a very long time. Now, incoming channel connections are no longer reverse-resolved.
  • Licenses will now be deleted if instructed by the license server, and the online license deactivation function also is available now.
  • Fixed bug that caused the device MCC/MNC not getting re-read in case the first read failed. This caused the APN auto detection to sometimes fail.
  • Resetting or reconnecting an LTE module can cause the router's internal timer to get out of sync for up to two seconds. Due to this, channels will behave strangely – you can see high latency, channel stalls etc. This problem is now fixed. Reconnecting or resetting an LTE module no longer should affect other channels.
  • Due to the Anti-DDoS connection limiter not being initialized correctly, in all previous firmware releases sometimes the config data transfers between active and Hotspare Hubs could fail with an SSL error.
  • The maintenance license type “Iron”, which will be used in OEM projects, is now supported.
  • A pre-existing config file from a previous RuggedVPN install will now be removed when doing a factory reset.
  • There was a way to close SSH CLI connections without the connection limiter knowing. This could cause an IP to be locked out of the CLI forever after too many reconnects.
  • License manager will now always use the right interface to do license activations and de-activations. Before it only worked if the default route was on a VPN Tunnel.
  • The connection limiter / DDoS protection has been changed. HTTP, VPN, SSH, Stacking and Hotspare connections are now counted individually per IP.
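The per-service, per-IP counting described in the connection limiter fixes (in both the October 29th and November 27th, 2015 entries), as an added sketch that is not Viprinet's implementation: connections are tracked under a (service, IP) key, and entries that have gone silent are reaped so that a close the limiter never saw cannot lock an IP out forever. The class name, the limit of 2 and the 60-second staleness window are assumptions chosen for illustration.

```python
import time
from collections import defaultdict

# Services named in the release note; each gets its own per-IP budget.
SERVICES = ("HTTP", "VPN", "SSH", "Stacking", "Hotspare")


class ConnectionLimiter:
    """Hypothetical limiter: one independent counter per (service, IP)."""

    def __init__(self, max_per_ip=4, stale_after=300.0, clock=time.monotonic):
        self.max_per_ip = max_per_ip
        self.stale_after = stale_after
        self.clock = clock
        self._live = defaultdict(dict)  # (service, ip) -> {conn_id: last_seen}

    def _reap(self, key):
        # Drop connections not seen for stale_after seconds. This bounds the
        # damage of a close the limiter was never told about.
        now = self.clock()
        conns = self._live[key]
        for conn_id in [c for c, seen in conns.items()
                        if now - seen > self.stale_after]:
            del conns[conn_id]

    def open(self, service, ip, conn_id):
        if service not in SERVICES:
            raise ValueError(f"unknown service: {service}")
        key = (service, ip)
        self._reap(key)
        conns = self._live[key]
        if len(conns) >= self.max_per_ip:
            return False  # over budget for this service only
        conns[conn_id] = self.clock()
        return True

    def touch(self, service, ip, conn_id):
        # Call on traffic so active connections are not reaped.
        conns = self._live.get((service, ip), {})
        if conn_id in conns:
            conns[conn_id] = self.clock()

    def close(self, service, ip, conn_id):
        conns = self._live.get((service, ip))
        if conns is not None:
            conns.pop(conn_id, None)
            if not conns:
                del self._live[(service, ip)]

    def count(self, service, ip):
        return len(self._live.get((service, ip), {}))


def demo():
    """Constructed scenario with a fake clock and a documentation-range IP."""
    now = [0.0]
    lim = ConnectionLimiter(max_per_ip=2, stale_after=60.0,
                            clock=lambda: now[0])
    ip = "198.51.100.7"
    result = {}
    # Four SSH connects from one IP: only the first two are admitted.
    result["ssh_burst"] = [lim.open("SSH", ip, n) for n in range(4)]
    # The SSH budget being exhausted does not affect HTTP from the same IP.
    result["http_ok"] = lim.open("HTTP", ip, "h1")
    # Both SSH sessions vanish without close(); after the staleness window
    # the IP can connect again instead of staying locked out.
    now[0] = 120.0
    result["ssh_after_reap"] = lim.open("SSH", ip, "new")
    result["ssh_count"] = lim.count("SSH", ip)
    return result


if __name__ == "__main__":
    print(demo())
```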

Classic Stable Firmware Release February 25th, 2015 – Version 2014110730/2015021100

This new Stable release is the final firmware release of the “classic” series bringing new features. After that, new features will only be available in our “Next Generation” firmware platform. 

This release will fix any remaining stability problems of our well-tested firmware in order to make it ready for a long use cycle (that means until customers will upgrade their devices to the NG firmware).

In addition, this release is fully compatible with the October 2nd 2014 stable firmware release. It is therefore OK to keep running the previous Stable Firmware release on VPN Hubs, and only update VPN Nodes that need the improvements listed here. Devices that are already running the Cutting Edge Firmware release 2014110730/2015021100 from February 11th, 2015, don't have to be upgraded – the firmware images in Cutting Edge and Stable are currently identical.

Customers still running earlier firmware releases than the October 2014 stable firmware are advised to check the release notes of that release in detail before installing this release, due to a high number of improvements and bug fixes.

Please note that you need to install this firmware release for VDSL or 4G Europe II modules to be supported.

New features

  • It is now possible to configure DNS servers for VPN Client groups. If done so, the VPN Client will use these DNS servers instead of using the Hub's DNS. This allows the VPN Client to be used in combination with a Domain controller, so VPN Client users can become part of a Windows domain.
  • The new “4G Europe II” module is now supported.
  • The CLI now supports ping, traceroute and moduleinfo tools (similar to what you can use in the web interface).

Bug fixes

  • Fixed race condition that caused update scripts to sometimes get called twice when starting them manually.
  • Very big (100MB+) local update packages are now supported.
  • Fixed the bug that offline firmware uploads are sometimes aborted, resulting in corrupted firmware uploads getting rejected. This happened if there was just 100ms without data getting sent during the upload. It mostly happened with the new web interface and when doing updates remotely.
  • The distribution of system load on multi-core Hubs has been improved.
  • Changed maintenance contract warning start to March 2015.
  • Several improvements for LTE status reporting.
  • Fixed a bug that caused OptimalLatencyBelow not to be displayed in monitoring API and -tool. 
  • IP address of a replaced device in Hub hotspare mode is now shown in the new web interface.
  • Several bug fixes for the channel congestion notification system.
  • The SIM traffic reporting could end up in a state where it never committed its values to the accounting server.

Classic Stable Firmware Release October 2nd, 2014 – Version 2014093030/2014100200

This new firmware release contains important bug fixes for our August 2014 Cutting Edge and Stable Firmware releases. It also fixes all potential security issues with the embedded Bash shell used internally in our routers (known as “Shellshock”). Although a Shellshock attack against our products is very hard to achieve without local system access, there is still a significant risk that needs to be closed.

We urge all our customers to update to this firmware release as soon as possible.

This firmware release does not bring any new functionality but major bug fixes only. Also, this firmware is identical for both firmware branches, Cutting Edge and Stable.

Customers still running earlier firmware releases than the August 2014 stable firmware are advised to check the release notes of the August release in detail before installing this release, due to a high number of improvements and bug fixes.

Bug fixes:

  • Since last week, multiple exploits in the widely used Bash shell have been discovered. While we don't use the Bash shell in any direct way where it would be exposed to the outside world, it is used by the DHCP client service running for the WAN modules. There is an unconfirmed possible attack vector: if an attacker were able to run a compromised DHCP server connected to a Viprinet WAN Ethernet module, and if this Ethernet module were configured to use DHCP, the router could be made to execute code using manipulated DHCP options.

    This release incorporates all published patches to bash and to our knowledge fixes all known vulnerabilities.

    Until you have updated, disabling DHCP on WAN Ethernet modules and using a statically configured IP instead would also close the potential attack vector.

    To the best of our knowledge, there is no attack vector for VPN Hubs, and no attack vector with any other of our router or VPN services. 
  • VDSL modules would always return “No answer received from modem” when checking module info
  • CDMA450 modules had several problems with resetting and switching from/back to power saving mode. All of these issues have been fixed.
  • In very rare cases, SIM initialization could fail for our LTE modules due to a Qualcomm bug. A work-around makes sure this no longer happens.
  • By creating invalid port forwarding entries, you could create a port forwarding of doom which would lock you out of the router. You no longer can shoot yourself in the foot this way.
  • If you created a routing rule with all options set to “Ignore”, you would effectively create a default route, potentially locking yourself out of the router. This way of shooting yourself in the foot also no longer works.
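The DHCP-to-Bash path described in both October 2nd, 2014 entries, as an added defensive sketch (not Viprinet code): a DHCP client wrapper that type-checks every option before exporting it to a shell hook, and separately flags values that begin with the function-definition prefix an unpatched Bash would parse. The option names, the `new_` environment prefix and the sample lease are assumptions constructed for illustration.

```python
import ipaddress
import re

# Prefix that pre-patch Bash interpreted as an exported function definition
# when it appeared at the start of an environment variable's value.
FUNC_DEF_PREFIX = re.compile(r"\s*\(\)\s*\{")

LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(rf"{LABEL}(?:\.{LABEL})*")


def _ipv4_list(value, exactly_one=False):
    parts = value.split()
    if not parts or (exactly_one and len(parts) != 1):
        return False
    for part in parts:
        try:
            ipaddress.IPv4Address(part)
        except ValueError:
            return False
    return True


def _hostname(value):
    return len(value) <= 253 and HOSTNAME.fullmatch(value) is not None


def _uint32(value):
    return value.isascii() and value.isdigit() and int(value) < 2 ** 32


# Allowlist: only options the hook needs, each with a strict type check.
# Option names are hypothetical, modelled on common DHCP client hooks.
VALIDATORS = {
    "ip_address": lambda v: _ipv4_list(v, exactly_one=True),
    "subnet_mask": lambda v: _ipv4_list(v, exactly_one=True),
    "routers": _ipv4_list,
    "domain_name_servers": _ipv4_list,
    "domain_name": _hostname,
    "host_name": _hostname,
    "dhcp_lease_time": _uint32,
}


def sanitize_options(options):
    """Return (env, rejected): env is safe to export, rejected maps each
    dropped option name to the reason, for logging and alerting."""
    env, rejected = {}, {}
    for name, value in options.items():
        if FUNC_DEF_PREFIX.match(value):
            rejected[name] = "function-definition prefix"
        elif name not in VALIDATORS:
            rejected[name] = "unknown option"
        elif not VALIDATORS[name](value):
            rejected[name] = "failed type check"
        else:
            env["new_" + name] = value
    return env, rejected


# Constructed sample lease (documentation-range addresses, inert marker text).
CONSTRUCTED_LEASE = {
    "ip_address": "192.0.2.10",
    "routers": "192.0.2.1",
    "domain_name_servers": "192.0.2.53 198.51.100.53",
    "domain_name": "() { :; }; echo constructed-test-value",
    "host_name": "node_1 test",
    "dhcp_lease_time": "3600",
    "vendor_blob": "abc",
}

if __name__ == "__main__":
    env, rejected = sanitize_options(CONSTRUCTED_LEASE)
    print(sorted(env))
    print(rejected)
```

The type checks are what keep hostile strings away from the shell; the prefix match only gives the log a specific reason, so a rogue DHCP server on a WAN segment is visible as such.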